CISSP OPT 3rd ED Sybex -- Wrong Only Flashcards

Question

Question 11 tb787631.CISSPPT3E.c03.060 Robert is investigating a security breach and discovers the Mimikatz tool installed on a system in his environment. What type of attack has likely taken place? A. Password cracking B. Pass the hash C. MAC spoofing D. ARP poisoning

Answer 1

B. Pass the hash The use of the Mimikatz tool is indicative of an attempt to capture user password hashes for use in a pass-the-hash attack against Microsoft Active Directory accounts.

Answer 2

C. Request a new certificate using a new key. The first thing Casey should do is notify her management, but after that, replacing the certificate and using proper key management practices with the new certificate’s key should be at the top of her list.

Answer 3

B. Simple Integrity Property The Simple Integrity Property states that an individual may not read a file classified at a lower security level than the individual’s security clearance.

Answer 4

C. Kyle must have a valid need to know for all information processed by the system. For systems running in System High mode, the user must have a valid security clearance for all information processed by the system, access approval for all information processed by the system, and a valid need to know for some, but not necessarily all, information processed by the system.

Answer 5

C. Capacitance Capacitance motion detectors monitor the electromagnetic field in a monitored area, sensing disturbances that correspond to motion.

Answer 6

C. 2,000 Asymmetric cryptosystems use a pair of keys for each user. In this case, with 1,000 users, the system will require 2,000 keys.

Answer 7

D. Meet-in-the-middle The meet-in-the-middle attack uses a known plaintext message and uses both encryption of the plaintext and decryption of the ciphertext simultaneously in a brute-force manner to identify the encryption key in approximately double the time of a brute-force attack against the basic DES algorithm.

Answer 8

B. Vendor In a software as a service environment, the customer has no access to any underlying infrastructure, so firewall management is a vendor responsibility under the cloud computing shared responsibility model.

Answer 9

D. Vendor In an infrastructure as a service environment, security duties follow a shared responsibility model. Since the vendor is responsible for managing the storage hardware, the vendor would retain responsibility for destroying or wiping drives as they are taken out of service. However, it is still the customer’s responsibility to validate that the vendor’s sanitization procedures meet their requirements prior to utilizing the vendor’s storage services.

Answer 10

D. Brewer-Nash The Brewer-Nash model allows access controls to change dynamically based upon a user’s actions. It is often used in environments like Matthew’s to implement a “Chinese wall” between data belonging to different clients.

Answer 11

D. 40 percent Data center humidity should be maintained between 40 percent and 60 percent. Values below this range increase the risk of static electricity, while values above this range may generate moisture that damages equipment.

Answer 12

A. Heartbeat sensor Heartbeat sensors send periodic status messages from the alarm system to the monitoring center. The monitoring center triggers an alarm if it does not receive a status message for a prolonged period of time, indicating that communications were disrupted.

Answer 13

D. SHA 256 Intentional collisions have been created with MD5, and a real-world collision attack against SHA 1 was announced in early 2017. 3DES is not a hashing tool, leaving SHA 256 (sometimes called SHA 2) as the only real choice that Chris has in this list.

Answer 14

C. Aggregation In an aggregation attack, individual(s) use their access to specific pieces of information to piece together a larger picture that they are not authorized to access.

Answer 15

D. *-Integrity Property The *-Integrity Property states that a subject cannot modify an object at a higher integrity level than that possessed by the subject.

Answer 16

B. TPM The Trusted Platform Module (TPM) is a hardware security technique that stores an encryption key on a chip on the motherboard and prevents someone from accessing an encrypted drive by installing it in another computer.

Answer 17

B. Isolation breach The system can be designed in a manner that protects the confidentiality, integrity, and availability of data. The research workstations included in the grid are from internal users, minimizing the risk of distributing the data. However, an isolation breach in the distributed computing client could be catastrophic, allowing someone who compromises the controller to assume control of every device in the organization.

Answer 18

B. Zero-knowledge proof In a zero-knowledge proof, one individual demonstrates to another that they can achieve a result that requires sensitive information without actually disclosing the sensitive information.

Answer 19

A. Mantrap Mantraps use two sets of doors to control access to a facility. This may be used to prevent piggybacking by monitoring use of the mantrap to allow only a single individual to enter a facility at a time. They may also be used to allow manual inspection of individuals or perform other security screening. Mantraps are also commonly known as access control vestibules.

Answer 20

C. Move the devices to a secure and isolated network segment.. The most reasonable choice presented is to move the devices to a secure and isolated network segment. This will allow the devices to continue to serve their intended function while preventing them from being compromised. All of the other scenarios either create major new costs or deprive her organization of the functionality that the devices were purchased to provide.

Answer 21

C. Typing with the rhythm of Morse code Covert channels use surreptitious communications’ paths. Covert timing channels alter the use of a resource in a measurable fashion to exfiltrate information. If a user types using a specific rhythm of Morse code, this is an example of a covert timing channel. Someone watching or listening to the keystrokes could receive a secret message with no trace of the message left in logs.

Answer 22

D. Bob’s private key When Bob receives the message, he uses his own private key to decrypt it. Since he is the only one with his private key, he is the only one who should be able to decrypt it, thus preserving confidentiality.

Answer 23

A. They require a cryptographic key. Hash functions do not include any element of secrecy and, therefore, do not require a cryptographic key.

Answer 24

C. OWASP The Open Web Application Security Project (OWASP) produces an annual list of the top ten web application security issues that developers and security professionals around the world rely upon for education and training purposes. The OWASP vulnerabilities form the basis for many web application security testing products.

Answer 25

C. Memory address randomization Lauren has implemented address space layout randomization, a memory protection methodology that randomizes memory locations, which prevents attackers from using known address spaces and contiguous memory regions to execute code via overflow or stack smashing attacks.

Answer 26

B. 4 In an m of n control system, at least m of n possible escrow agents must collaborate to retrieve an encryption key from the escrow database.

Answer 27

A. Maintenance hook Maintenance hooks, otherwise known as backdoors, provide developers with easy access to a system, bypassing normal security controls. If not removed prior to finalizing code, they pose a significant security vulnerability if an attacker discovers the maintenance hook.

Answer 28

D. Containerization All of these terms accurately describe this use of technology. However, the use of Docker is best described as a containerization technology, so this is the best possible answer choice.

Answer 29

A. Serial number The certificate revocation list contains the serial numbers of digital certificates issued by a certificate authority that have later been revoked.

Answer 30

D. Confidentiality The greatest risk when a device is lost or stolen is that sensitive data contained on the device will fall into the wrong hands. Confidentiality protects against this risk. Nonrepudiation is when the recipient of a message can prove the originator’s identity to a third party. Authentication is a means of proving one’s identity. Integrity demonstrates that information has not been modified since transmission.

Answer 31

C. *-Security Property The *-Security Property states that an individual may not write to a file at a lower classification level than that of the individual. This is also known as the confinement property.

Answer 32

A. Information flow The information flow model applies state machines to the flow of information. The Bell-LaPadula model applies the information flow model to confidentiality while the Biba model applies it to integrity.

Answer 33

A. Ring 0 The kernel lies within the central ring, Ring 0. Conceptually, Ring 1 contains other operating system components. Ring 2 is used for drivers and protocols. User-level programs and applications run at Ring 3. Rings 0 through 2 run in privileged mode while Ring 3 runs in user mode. It is important to note that many modern operating systems do not fully implement this model.

Answer 34

C. Known plaintext In a known plaintext attack, the attacker has a copy of the encrypted message along with the plaintext message used to generate that ciphertext. In a chosen plaintext attack, the attacker has the ability to choose the plaintext to be encrypted. In a chosen ciphertext attack, the attacker can choose the ciphertext output. In a brute-force attack, the attacker simply tries all possible key combinations.

Answer 35

A. RSA Digital signatures are possible only when using an asymmetric encryption algorithm. Of the algorithms listed, only RSA is asymmetric and supports digital signature capabilities.

Answer 36

D. Preaction A preaction fire suppression system activates in two steps. The pipes fill with water once the early signs of a fire are detected. The system does not dispense water until heat sensors on the sprinkler heads trigger the second phase.

Answer 37

C. Grant rule The grant rule allows a subject to grant rights that it possesses on an object to another subject.

Answer 38

A. Systems should be designed to operate in a secure manner if the user performs no other configuration. B. Systems should be designed to fall back to a secure state if they experience an error. C. Systems should be designed to incorporate security as a design feature. D. Systems should be designed in a manner that keeps their functionality as simple as possible. All of these statements are correct. The idea that systems should be designed to operate in a secure manner if the user performs no other configuration is the secure defaults principle. The idea that systems should be designed to fall back to a secure state if they experience an error is the fail securely principle. The idea that systems should be designed to incorporate security as a design feature is the security by design principle. The idea that systems should be designed in a manner that keeps their functionality as simple as possible is the keep it simple principle.

Answer 39

C. IP address In a zero-trust network architecture, access control decisions should never be made based upon a system’s location on the network. Therefore, an IP address should never be used and would be the least appropriate of these options. While the other options have differing levels of security (two-factor authentication is clearly stronger than a password or biometrics alone), they do not violate the principles of a zero-trust network architecture.

Answer 40

B. Diffie-Hellman The Diffie-Hellman algorithm allows for the secure exchange of symmetric encryption keys over a public network. IDEA and RSA are encryption algorithms. MD5 is a hashing function.

Answer 41

A. Payment of the ransom may be illegal. B. Payment of the ransom may result in further demands for payments. Payment of a ransom often results in the release of a decryption key, but this is not guaranteed by any means. There is also no link between the payment of a ransom and a future data breach, as an attacker may choose to release confidential information regardless of whether the ransom was paid. Depending upon applicable jurisdictions, payment of a ransom may be illegal under corrupt practices laws or embargoes against terrorist organizations. For example, the U.S. Office of Foreign Assets Control (OFAC) issued an advisory in 2020 stating that ransom payments may violate sanctions. Payment of a ransom may also cause attackers to consider the victim a “mark” and demand future payments in exchange for continued access to their data.

Answer 42

C. Nonrepudiation Nonrepudiation occurs when the recipient of a message is able to demonstrate to a third party that the message came from the purported sender.

Answer 43

C. Parameter checking Parameter checking, or input validation, is used to ensure that input provided by users to an application matches the expected parameters for the application. Developers may use parameter checking to ensure that input does not exceed the expected length, preventing a buffer overflow attack.

Answer 44

A. MD5 The MD5 hash algorithm has known collisions and, as of 2005, is no longer considered secure for use in modern environments. The AES, PGP, and WPA3 algorithms are all still considered secure.

Answer 45

C. The application plane The application plane of a software-defined network (SDN) is where applications run that use application programming interfaces (APIs) to communicate with the SDN about needed resources. The control plane receives instructions and sends them to the network. The last common plane is the devices themselves.

Answer 46

B. VLANs VLANs can be used to logically separate groups of network ports while still providing access to an uplink. Per-room VPNs would create significant overhead for support as well as create additional expenses. Port security is used to limit what systems can connect to ports, but it doesn’t provide network security between systems. Finally, while firewalls might work, they would add expense and complexity without adding any benefits over a VLAN solution.

Answer 47

C. It tunnels layer 2 connections over a layer 3 network, stretching them across the underlying layer 3 network. VXLAN tunnels layer 2 connections over a layer 3 network, in essence extending a LAN over distances or networks that it might not otherwise function over. It does not remove the distance limitations of Ethernet cables, nor does it allow multiple subnets to use the same IP space—that requires NAT or other technologies that remap addresses to avoid conflicts.

Answer 48

B. Disabling SSID broadcast hides networks from unauthorized personnel. The SSID can be discovered using a wireless sniffer. Disabling SSID broadcast can help prevent unauthorized personnel from attempting to connect to the network. Since the SSID is still active, it can be discovered by using a wireless sniffer. Encryption keys are not related to SSID broadcast, beacon frames are used to broadcast the SSID, and it is possible to have multiple networks with the same SSID.

Answer 49

C. 1, 4, 3, 2 In order, the layers are: Application layer, Transport layer, Internet layer, and Network Access layer.

Answer 50

A. Encryption, access control, nonrepudiation and message authentication. IPsec, or Internet Protocol Security, can provide encryption, access control, nonrepudiation, and message authentication using public key cryptography. It does not provide authorization, protocol convergence, content distribution, or the other items listed.

Answer 51

A. MIME Fibre Channel over Ethernet (FCoE), Internet Small Computer Systems Interface (iSCSI), and Voice over Internet Protocol (VoIP) are all examples of converged protocols that combine specialized protocols with standard protocols like TCP/IP. MIME, Multipurpose Internet Mail Extensions, is not a converged protocol.

Answer 52

B. RADIUS The Remote Access Dial In User Service (RADIUS) protocol was originally designed to support dial-up modem connections but is still commonly used for VPN-based authentication. HTTPS is not an authentication protocol. ESP and AH are IPsec protocols but do not provide authentication services for other systems.

Answer 53

B. Use WPA3 in SAE mode. WPA3’s new SAE (simultaneous authentication of equals) mode improves on WPA2’s PSK mode by allowing for secure authentication between clients and the wireless network without enterprise user accounts. If Ben needed to worry about support for WPA3, which may not be available to all systems that may want to connect, he might have to choose WPA2. A captive portal is often used with open guest networks, and Enterprise mode requires user accounts.

Answer 54

C. PEAP, because it provides encryption and doesn’t suffer from the same vulnerabilities that LEAP does Of the three answers, PEAP is the best solution. It encapsulates EAP in a TLS tunnel, providing strong encryption. LEAP is a Cisco proprietary protocol that was originally designed to help deal with problems in WEP. LEAP’s protections have been defeated, making it a poor choice. EAP-TLS is secure but requires client certificates, making it difficult to deploy and manage.

Answer 55

B. A captive portal A captive portal is a popular solution that you may be familiar with from hotels and coffee shops. They combine the ability to gather data from customers with an open network, so customer data will not be encrypted. This avoids the need to distribute network passwords but means that customers must ensure their own traffic is encrypted if they are worried about security.

Answer 56

A. SCADA devices that are now connected to the network can now be attacked over the network. Multilayer protocols like DNP3 allow SCADA and other systems to use TCP/IP-based networks to communicate. Many SCADA devices were never designed to be exposed to a network, and adding them to a potentially insecure network can create significant risks. TLS or other encryption can be used on TCP packets, meaning that even serial data can be protected. Serial data can be carried via TCP packets because TCP packets don’t care about their content; it is simply another payload. Finally, TCP/IP does not have a specific throughput as designed, so issues with throughput are device-level issues.

Answer 57

B. VXLAN VXLAN is an encapsulation protocol that carries VLANs across routable networks, making two different network locations appear to be on the same segment despite distance and network differences. SD-WAN is a software-defined wide area network, a way to manage and control wide area network connections. iSCSI is a storage protocol over IP, and VMWAN was made up for this question.

Answer 58

B. A two-tier firewall The firewall in the diagram has two protected zones behind it, making it a two-tier firewall design.

Answer 59

B. CHAP The Challenge-Handshake Authentication Protocol, or CHAP, is used by PPP servers to authenticate remote clients. It encrypts both the username and password and performs periodic reauthentication while connected using techniques to prevent replay attacks. LEAP provides reauthentication but was designed for WEP, while PAP sends passwords unencrypted. EAP is extensible and was used for PPP connections, but it doesn’t directly address the listed items.

Answer 60

B. Use an alternate protocol like PEAP or EAP-TLS and implement WPA2 if supported. LEAP, the Lightweight Extensible Authentication Protocol, is a Cisco proprietary protocol designed to handle problems with TKIP. Unfortunately, LEAP has significant security issues as well and should not be used. Any modern hardware should support WPA2 and technologies like PEAP or EAP-TLS. Using WEP, the predecessor to WPA and WPA2, would be a major step back in security for any network.

Answer 61

B. Enhanced subscriber identity protection C. Mutual authentication capabilities 5G technology includes both a new mutual authentication capability and additional protections for subscriber identities. It does not have specific anti-jamming security features and does not specifically use multifactor authentication.

Answer 62

D. A broken network cable A broken network cable is a layer 1 problem. If you encounter a problem like this and aren’t sure, look for the answer that has a different situation or set of assumptions. Here you have three questions that occur at the network (layer 3), all of which have software or protocol implications. A broken network cable is a completely different type of issue and should stand out. Be careful, though! The exam is likely to give you two potentially valid answers to choose from, so work to get rid of the two least likely answers and spend your time on the remaining options.

Answer 63

C. AES WPA2’s CCMP encryption scheme is based on AES. As of the writing of this book, there have not been any practical real-world attacks against WPA2. DES has been successfully broken, and neither 3DES nor TLS is used for WPA2.

Answer 64

C. PPTP, L2F, L2TP, IPsec PPTP, L2F, L2TP, and IPsec are the most common VPN protocols. TLS is also used for an increasingly large percentage of VPN connections and may appear at some point in the CISSP exam. PPP is a dial-up protocol, LTP is not a protocol, and SPAP is the Shiva Password Authentication Protocol sometimes used with PPTP.

Answer 65

C. CAM table flooding Valerie is most likely trying to prevent CAM table flooding by preventing large numbers of MAC addresses from being used on a single port. If CAM table flooding is successful, switches will not know where to send traffic and resort to sending all traffic to every port, potentially exposing traffic to attackers. IP spoofing and VLAN hopping are not prevented by port security, which focuses on hardware (MAC) addresses. MAC aggregation was made up for this question.

Answer 66

B. AES encryption Zigbee uses AES to protect network traffic, providing integrity and confidentiality controls. It does not use 3DES, and ROT13 is a simple rotational cipher you might find in a cereal box or secret decoder ring.

Answer 67

C. The session initialization connection is unencrypted and could be viewed. This diagram shows the use of SIP instead of SIPS, meaning that the session initialization protocol is not encrypted. Fortunately, the voice data via secure real-time transport protocol, or SRTP is encrypted. Mikayla should look into using SIPS in addition to SRTP.

Answer 68

C. An IPS, location B An intrusion protection system can scan traffic and stop both known and unknown attacks. A web application firewall, or WAF, is also a suitable technology, but placing it at location C would only protect from attacks via the organization’s VPN, which should only be used by trusted users. A firewall typically won’t have the ability to identify and stop cross-site scripting attacks, and IDS systems only monitor and don’t stop attacks.

Answer 69

C. SIPS SIPS, the secure version of the Session Initialization Protocol for VoIP, adds TLS encryption to keep the session initialization process secure. SVOIP and PBSX are not real protocols, but SRTP is the secure version of RTP, the Real time Transport Protocol.

Answer 70

B. A virtual network A virtual network can be used to combine existing networks or to divide a network into multiple segments. Melissa can use a virtual network to combine existing networks and then use software-defined networking capabilities to allocate and manage network resources. iSCSI is a converged storage protocol. An SD-WAN is a software-defined wide area network, and this question does not specify LAN or WAN technologies. A CDN is a content distribution network and helps with load and denial-of-service attacks.

Answer 71

A. S/MIME S/MIME supports both signed messages and a secure envelope method. While the functionality of S/MIME can be replicated with other tools, the secure envelope is an S/MIME-specific concept. MOSS, or MIME Object Security Services, and PEM can also both provide authentication, confidentiality, integrity, and nonrepudiation, while DKIM, or Domain Keys Identified Mail, is a domain validation tool.

Answer 72

A. Use a dedicated VLAN for VoIP phones and devices. B. Require the use of SIPS and SRTP. Wayne should consider the use of a dedicated VLAN for VoIP devices to help separate them from other networked devices, and he should also require the use of SIPS and SRTP, both secure protocols that will keep his VoIP traffic encrypted. Requiring the use of VPN for all remote VoIP devices is not necessary if SIPS and SRTP are in use, and a specific IPS for VoIP is not a typical deployment in most organizations.

Answer 73

B. Implement and use a locally hosted service. If a business need requires messaging, using a local messaging server is the best option. This prevents traffic from traveling to a third-party server and can offer additional benefits such as logging, archiving, and control of security options like the use of encryption.

Answer 74

B. BitTorrent BitTorrent is an example of a peer-to-peer (P2P) content delivery network. It is commonly used for legitimate purposes to distribute large files like Linux ISOs and other freely distributed software packages and files in addition to its less legitimate uses. CloudFlare, CloudFront, and Akamai’s Edge are all hosted CDNs.

Answer 75

A. The network uses predefined rules to optimize performance. B. The network conducts continuous monitoring to support better performance. C. The network uses self-learning techniques to respond to changes in the network. SD-WAN implementations typically perform all of these functions, combining active data collection via monitoring and response via self-learning and machine intelligence techniques, and then applying predefined rules to take action to make the network perform as desired. SD-WAN does not imply or require that all connections are managed by the organization’s primary internet service provider. In fact, SD-WANs are often used to handle multiple ISPs to allow for failover and redundancy.

Answer 76

B. Zigbee Zigbee is designed for this type of low-power, Internet of Things network, and would be the best option for Chris. Some versions of Bluetooth are designed to operate in low-power mode as well, but Bluetooth isn’t in this list of answers. WiFi requires more power, NFC is very short range and would not work across a building or room, and infrared requires line of sight and is rarely used for that reason.

Answer 77

D. PEAP, because it can provide a TLS tunnel that encapsulates EAP methods, protecting the entire session PEAP provides encryption for EAP methods and can provide authentication. It does not implement CCMP, which was included in the WPA2 standard. LEAP is dangerously insecure and should not be used due to attack tools that have been available since the early 2000s.

Answer 78

B. Use Bluetooth only for those activities that are not confidential, change the default PIN on your device, turn off discovery mode, and turn off Bluetooth when it’s not in active use. Since Bluetooth doesn’t provide strong encryption, it should only be used for activities that are not confidential. Bluetooth PINs are four-digit codes that often default to 0000. Turning it off and ensuring that your devices are not in discovery mode can help prevent Bluetooth attacks.

Answer 79

A. VLAN hopping; use physically separate switches. VLAN hopping between the voice and computer VLANs can be accomplished when devices share the same switch infrastructure. Using physically separate switches can prevent this attack. Encryption won’t help with VLAN hopping because it relies on header data that the switch needs to read (and this is unencrypted), while Caller ID spoofing is an inherent problem with VoIP systems. A denial of service is always a possibility, but it isn’t specifically a VoIP issue and a firewall may not stop the problem if it’s on a port that must be allowed through.

Answer 80

A. The Transport layer The Transport layer provides logical connections between devices, including end-to-end transport services to ensure that data is delivered. Transport layer protocols include TCP, UDP, SSL, and TLS.

Answer 81

B. The volume of data Endpoint security solutions face challenges due to the sheer volume of data that they can create. When each workstation is generating data about events, this can be a massive amount of data. Endpoint security solutions should reduce the number of compromises when properly implemented, and they can also help by monitoring traffic after it is decrypted on the local host. Finally, non-TCP protocols are relatively uncommon on modern networks, making this a relatively rare concern for endpoint security system implementations.

Answer 82

C. JPEG, ASCII, and MIDI Layer 6, the Presentation layer, transforms data from the Application layer into formats that other systems can understand by formatting and standardizing the data. That means that standards like JPEG, ASCII, and MIDI are used at the Presentation layer for data. TCP, UDP, and TLS are used at the Transport layer; NFS, SQL, and RPC operate at the Session layer; and HTTP, FTP, and SMTP are Application layer protocols.

Answer 83

A. NFS, SQL, and RPC Layer 6, the Presentation layer, transforms data from the Application layer into formats that other systems can understand by formatting and standardizing the data. That means that standards like JPEG, ASCII, and MIDI are used at the Presentation layer for data. TCP, UDP, and TLS are used at the Transport layer; NFS, SQL, and RPC operate at the Session layer; and HTTP, FTP, and SMTP are Application layer protocols.

Answer 84

B. TCP, UDP, and TLS Layer 6, the Presentation layer, transforms data from the Application layer into formats that other systems can understand by formatting and standardizing the data. That means that standards like JPEG, ASCII, and MIDI are used at the Presentation layer for data. TCP, UDP, and TLS are used at the Transport layer; NFS, SQL, and RPC operate at the Session layer; and HTTP, FTP, and SMTP are Application layer protocols.

Answer 85

D. HTTP, FTP, and SMTP Layer 6, the Presentation layer, transforms data from the Application layer into formats that other systems can understand by formatting and standardizing the data. That means that standards like JPEG, ASCII, and MIDI are used at the Presentation layer for data. TCP, UDP, and TLS are used at the Transport layer; NFS, SQL, and RPC operate at the Session layer; and HTTP, FTP, and SMTP are Application layer protocols.

Answer 86

Layer 6, the Presentation layer, transforms data from the Application layer into formats that other systems can understand by formatting and standardizing the data.

Answer 87

C. A collision domain A collision domain is the set of systems that could cause a collision if they transmitted at the same time. Systems outside a collision domain cannot cause a collision if they send at the same time. This is important, as the number of systems in a collision domain increases the likelihood of network congestion due to an increase in collisions. A broadcast domain is the set of systems that can receive a broadcast from each other. A subnet is a logical division of a network, while a supernet is made up of two or more networks.

Answer 88

D. VPN users should only connect from managed PCs. Remote PCs that connect to a protected network need to comply with security settings and standards that match those required for the internal network. The VPN concentrator logically places remote users in the protected zone behind the firewall, but that means user workstations (and users) must be trusted in the same way that local workstations are.

Answer 89

D. 802.11ac He should choose 802.11ac, which supports theoretical speeds up to 3.4 Gbps. 802.11n supports up to 600 Mbps, 802.11g and 802.11 a are only capable of 54 Mbps.

Answer 90

C. SMS messages may be received by more than one phone. SMS messages are not encrypted, meaning that they could be sniffed and captured. While using two factors is more secure than a single factor, SMS is one of the less secure ways to implement two-factor authentication because of this. SMS messages can be spoofed, can be received by more than one phone, and are typically stored on the recipient’s phone. The primary threat here, however, is the unencrypted message itself.

Answer 91

A. IP address conflicts Using the same IP range for an on-site and cloud-hosted data center can be helpful when designing a flat network, but addresses must be carefully managed and allocated even in a space as big as the 10.0.0.0/24 range. If addresses are not properly managed, conflicts may arise that could disrupt production services. MAC address conflicts should not arise unless addresses are manually changed or virtual machines are replicated without changing their MAC addresses. There is nothing in the problem to suggest routing issues.

Answer 92

C. Use TLS for all traffic for the collaboration platform. Most modern applications support TLS throughout their communications allowing clients to securely connect to the service and to encrypt communications. VPN, either in software or hardware form, will be more complex and unwieldy. Software-based VPN would be more flexible, and hardware-based VPN would be more expensive and more complex. SIPS and SRTP are appropriate for a VoIP environment, but are not generally a complete solution for a modern multimedia collaboration platform like Microsoft Teams, Zoom, or WebEx.

Answer 93

D. WPA3 WPA3, the replacement for WPA2, adds security features including a new mode called simultaneous authentication of equals that replaces the pre-shared key mode from WPA2 with a more secure option. Overall, it provides security improvements, but may not be immediately implemented due to time for hardware and software to fully support it. WPA2 has been the most commonly deployed wireless security standard having replaced WPA and WEP.