D6 Network and Communications Security

Question 1

Chris is building an Ethernet network and knows that he needs to span a distance of more than 150 meters with his 1000BaseT network. What network technology should he use to help with this?

A. Install a repeater or a concentrator before 100 meters.

B. Use Category 7 cable, which has better shielding for higher speeds.

C. Install a gateway to handle the distance.

D. Use STP cable to handle the longer distance at high speeds.

Answer 1

A. Install a repeater or a concentrator before 100 meters.

Explanation

A repeater or concentrator will amplify the signal, ensuring that the 100‐meter distance limitation of 1000BaseT is not an issue. A gateway would be useful if network protocols were changing, while Cat7 cable is appropriate for a 10Gbps network at much shorter distances. STP cable is limited to 155 Mbps and 100 meters, which would leave Chris with network problems.

Question 2

What topology correctly describes Ethernet?

A. A ring

B. A star

C. A mesh

D. A bus

Answer 2

D. A bus

Explanation

Ethernet uses a bus topology. While devices may be physically connected to a switch in a physical topology that looks like a star, systems using Ethernet can all transmit on the bus simultaneously, possibly leading to collisions.

Question 3

During a wireless network penetration test, Susan runs aircrack‐ng against the network using a password file. What might cause her to fail in her password‐cracking efforts?

A. Use of WPA2 encryption

B. Running WPA2 in Enterprise mode

C. Use of WEP encryption

D. Running WPA2 in PSK mode

Answer 3

B. Running WPA2 in Enterprise mode

Explanation

WPA2 enterprise uses RADIUS authentication for users rather than a preshared key. This means a password attack is more likely to fail as password attempts for a given user may result in account lockout. WPA2 encryption will not stop a password attack, and WPA2’s preshared key mode is specifically targeted by password attacks that attempt to find the key. Not only is WEP encryption outdated, but it can also frequently be cracked quickly by tools like aircrack‐ng.

Question 4

Which OSI layer includes electrical specifications, protocols, and interface standards?

A. The Transport layer

B. The Device layer

C. The Physical layer

D. The Data Link layer

Answer 4

C. The Physical layer

Explanation

The Physical layer includes electrical specifications, protocols, and standards that allow control of throughput, handling line noise, and a variety of other electrical interface and signaling requirements. The OSI layer doesn’t have a Device layer. The Transport layer connects the Network and Session layers, and the Data Link layer packages packets from the network layer for transmission and receipt by devices operating on the Physical layer.

Question 5

Sarah is manually reviewing a packet capture of TCP traffic and finds that a system is setting the RST flag in the TCP packets it sends repeatedly during a short period of time. What does this flag mean in the TCP packet header?

A. RST flags mean “Rest.” The server needs traffic to briefly pause.

B. RST flags mean “Relay‐set.” The packets will be forwarded to the address set in the packet.

C. RST flags mean “Resume Standard.” Communications will resume in their normal format.

D. RST means “Reset.” The TCP session will be disconnected.

Answer 5

D. RST means “Reset.” The TCP session will be disconnected.

Explanation

The RST flag is used to reset or disconnect a session. It can be resumed by restarting the connection via a new three‐way handshake.

Question 6

Sue’s organization recently failed a security assessment because their network was a single flat broadcast domain, and sniffing traffic was possible between different functional groups. What solution should she recommend to help prevent the issues that were identified?

A. Use VLANs.

B. Change the subnet mask for all systems.

C. Deploy gateways.

D. Turn on port security.

Answer 6

A. Use VLANs.

Explanation

A well‐designed set of VLANs based on functional groupings will logically separate segments of the network, making it difficult to have data exposure issues between VLANs. Changing the subnet mask will only modify the broadcast domain and will not fix issues with packet sniffing. Gateways would be appropriate if network protocols were different on different segments. Port security is designed to limit which systems can connect to a given port.

Question 7

Lauren wants to provide port‐based authentication on her network to ensure that clients must authenticate before using the network. What technology is an appropriate solution for this requirement?

A. 802.11a

B. 802.3

C. 802.15.1

D. 802.1x

Answer 7

D. 802.1x

Explanation

802.1x provides port‐based authentication and can be used with technologies like EAP, the Extensible Authentication Protocol. 802.11a is a wireless standard, 802.3 is the standard for Ethernet, and 802.15.1 was the original Bluetooth IEEE standard.

Question 8

Michelle knows that WEP is no longer used in modern wireless networks, but she needs to explain the problem with WEP to a customer who has an older wireless network still in production that must be upgraded to be secure. What issue should she explain to the customer?

A. WEP does not provide encryption and instead uses hashing for security.

B. WEP uses DES encryption and is not secure because DES is easily crackable.

C. WEP provides data encryption for only part of the traffic sent to clients.

D. WEP uses an initialization vector that is too small and does not change.

Answer 8

D. WEP uses an initialization vector that is too small and does not change.

Explanation

WEP uses an initialization vector (IV) that is too short, making it relatively trivial to brute‐force. The IV is also static, meaning that key streams will repeat after a short period of time, giving attackers who have dwell time in a network sufficient opportunity to capture traffic and then crack the key. Hashes don’t work to secure traffic since they are a one‐way function. WEP uses RC4, not DES, and encrypts data traffic fully to clients, but it uses weak encryption, making it unsuitable to provide secure connectivity.

Question 9

Which one of the following protocols is commonly used to provide backend authentication services for a VPN?

A. HTTPS

B. RADIUS

C. ESP

D. AH

Answer 9

B. RADIUS

Explanation

The Remote Authentication Dial‐in User Service (RADIUS) protocol was originally designed to support dial‐up modem connections but is still commonly used for VPN‐based authentication. HTTPS is not an authentication protocol. ESP and AH are IPsec protocols but do not provide authentication services for other systems.

Question 10

Ben is troubleshooting a network and discovers that the NAT router he is connected to has the 192.168.x.x subnet as its internal network and that its external IP is 192.168.1.40. What problem is he encountering?

A. 192.168.x.x is a nonroutable network and will not be carried to the Internet.

B. 192.168.1.40 is not a valid address because it is reserved by RFC 1918.

C. Double NATing is not possible using the same IP range.

D. The upstream system is unable to de‐encapsulate his packets, and he needs to use PAT instead.

Answer 10

C. Double NATing is not possible using the same IP range.

Explanation

Double NATing isn’t possible with the same IP range; the same IP addresses cannot appear inside and outside a NAT router. RFC 1918 addresses are reserved, but only so they are not used and routable on the Internet, and changing to PAT would not fix the issue.

Question 11

Susan sets up a firewall that keeps track of the status of the communication between two systems and allows a remote system to respond to a local system after the local system starts communication. What type of firewall is Susan using?

A. A static packet filtering firewall

B. An application‐level gateway firewall

C. A stateful packet inspection firewall

D. A circuit‐level gateway firewall

Answer 11

C. A stateful packet inspection firewall

Explanation

Stateful packet inspection firewalls, also known as dynamic packet filtering firewalls, track the state of a conversation and can allow a response from a remote system based on an internal system being allowed to start the communication. Static packet filtering and circuit‐level gateways only filter based on source, destination, and ports, whereas application‐level gateway firewalls proxy traffic for specific applications.

Question 12

What type of networking device is most commonly used to assign endpoint systems to VLANs?

A. Firewall

B. Router

C. Switch

D. Hub

Answer 12

C. Switch

Explanation

The assignment of endpoint systems to VLANs is normally performed by a network switch.

Question 13

Chris needs to design a firewall architecture that can support a DMZ, a database, and a private internal network in a secure manner that separates each function. What type of design should he use, and how many firewalls does he need?

A. A four‐tier firewall design with two firewalls

B. A two‐tier firewall design with three firewalls

C. A three‐tier firewall design with at least one firewall

D. A single‐tier firewall design with three firewalls

Answer 13

C. A three‐tier firewall design with at least one firewall

Explanation

A three‐tier design separates three distinct protected zones and can be accomplished with a single firewall that has multiple interfaces. Single‐ and two‐tier designs don’t support the number of protected networks needed in this scenario, while a four‐tier design would provide a tier that isn’t needed.

Question 14

Which of the following is not a potential problem with active wireless scanning?

A. Accidently scanning apparent rogue devices that actually belong to guests

B. Causing alarms on the organization’s wireless IPS

C. Scanning devices that belong to nearby organizations

D. Misidentifying rogue devices

Answer 14

B. Causing alarms on the organization’s wireless IPS

Explanation

Not only should active scanning be expected to cause wireless IPS alarms, but they may actually be desired if the test is done to test responses. Accidentally scanning guests or neighbours or misidentifying devices belonging to third parties are all potential problems with active scanning and require the security assessor to carefully verify the systems that she is scanning.

Question 15

Chris is configuring an IDS to monitor for unencrypted FTP traffic. What ports should Chris use in his configuration?

A. TCP 20 and 21

B. TCP 21 only

C. UDP port 69

D. TCP port 21 and UDP port 21

Answer 15

A. TCP 20 and 21

Explanation

The File Transfer Protocol (FTP) operates on TCP ports 20 and 21. UDP port 69 is used for the Trivial File Transfer Protocol, or TFTP, while UDP port 21 is not used for any common file transfer protocol.

Question 16

During a penetration test, Lauren is asked to test the organization’s Bluetooth security. Which of the following is not a concern she should explain to her employers?

A. Bluetooth scanning can be time‐consuming.

B. Many devices that may be scanned are likely to be personal devices.

C. Bluetooth passive scans may require multiple visits at different times to identify all targets.

D. Bluetooth active scans can’t evaluate the security mode of Bluetooth devices.

Answer 16

D. Bluetooth active scans can’t evaluate the security mode of Bluetooth devices.

Explanation

Bluetooth active scans can determine both the strength of the PIN and what security mode the device is operating in. Unfortunately, Bluetooth scans can be challenging because of the limited range of Bluetooth and the prevalence of personally owned Bluetooth‐enabled devices. Passive Bluetooth scanning only detects active connections and typically requires multiple visits to have a chance of identifying all devices.

Question 17

The Windows ipconfig command displays the following information:

BC‐5F‐F4‐7B‐4B‐7D
What term describes this, and what information can usually be gathered from it?
A. The IP address, the network location of the system

B. The MAC address, the network interface card’s manufacturer

C. The MAC address, the media type in use

D. The IPv6 client ID, the network interface card’s manufacturer

Answer 17

B. The MAC address, the network interface card’s manufacturer

Explanation

Media Access Control (MAC) addresses are the hardware address the machine uses for layer 2 communications. The MAC addresses include an organizationally unique identifier (OUI), which identifies the manufacturer. MAC addresses can be changed, so this is not a guarantee of accuracy, but under normal circumstances you can tell what manufacturer made the device by using the MAC address.

Question 18

Why should passive scanning be conducted in addition to implementing wireless security technologies like wireless intrusion detection systems?

A. It can help identify rogue devices.

B. It can test the security of the wireless network via scripted attacks.

C. Their short dwell time on each wireless channel can allow them to capture more packets.

D. They can help test wireless IDS or IPS systems.

Answer 18

A. It can help identify rogue devices.

Explanation

Passive scanning can help identify rogue devices by capturing MAC address vendor IDs that do not match deployed devices, by verifying that systems match inventories of organizationally owned hardware by hardware address, and by monitoring for rogue SSIDs or connections.

Question 19

Lauren’s organization has deployed VoIP phones on the same switches that the desktop PCs are on. What security issue could this create, and what solution would help?

A. VLAN hopping; use physically separate switches.

B. VLAN hopping; use encryption.

C. Caller ID spoofing; MAC filtering

D. Denial‐of‐service attacks; use a firewall between networks.

Answer 19

A. VLAN hopping; use physically separate switches.

Explanation

VLAN hopping between the voice and computer VLANs can be accomplished when devices share the same switch infrastructure. Using physically separate switches can prevent this attack. Encryption won’t help with VLAN hopping because it relies on header data that the switch needs to read (and this is unencrypted), while Caller ID spoofing is an inherent problem with VoIP systems. A denial of service is always a possibility, but it isn’t specifically a VoIP issue and a firewall may not stop the problem if it’s on a port that must be allowed through.

Question 20

Which one of the following traffic types should not be blocked by an organization’s egress filtering policy?

A. Traffic destined to a private IP address

B. Traffic with a broadcast destination

C. Traffic with a source address from an external network

D. Traffic with a destination address on an external network

Answer 20

D. Traffic with a destination address on an external network

Explanation

Egress filtering scans outbound traffic for potential security policy violations. This includes traffic with a private IP address as the destination, traffic with a broadcast address as the destination, and traffic that has a falsified source address not belonging to the organization.

Question 21

A denial‐of‐service (DoS) attack that sends fragmented TCP packets is known as what kind of attack?

A. Christmas tree

B. Teardrop

C. Stack killer

D. Frag grenade

Answer 21

B. Teardrop

Explanation

A teardrop attack uses fragmented packets to target a flaw in how the TCP stack on a system handles fragment reassembly. If the attack is successful, the TCP stack fails, resulting in a denial of service. Christmas tree attacks set all of the possible TCP flags on a packet, thus “lighting it up like a Christmas tree.” Stack killer and frag grenade attacks are made‐up answers.

Question 22

Angela uses a sniffer to monitor traffic from a RADIUS server configured with default settings. What protocol should she monitor, and what traffic will she be able to read?

A. UDP, none. All RADIUS traffic is encrypted

B. TCP, all traffic but the passwords, which are encrypted

C. UDP, all traffic but the passwords, which are encrypted.

D. TCP, none. All RADIUS traffic is encrypted.

Answer 22

C. UDP, all traffic but the passwords, which are encrypted.

Explanation

By default, RADIUS uses UDP and only encrypts passwords. RADIUS supports TCP and TLS, but this is not a default setting.

Question 23

Segmentation, sequencing, and error checking all occur at what layer of the OSI model that is associated with SSL, TLS, and UDP?

A. The Transport layer

B. The Network layer

C. The Session layer

D. The Presentation layer

Answer 23

A. The Transport layer

Explanation

The Transport layer provides logical connections between devices, including end‐to‐end transport services to ensure that data is delivered. Transport layer protocols include TCP, UDP, SSL, and TLS.

Question 24

What type of key does WEP use to encrypt wireless communications?

A. An asymmetric key

B. Unique key sets for each host

C. A predefined shared static key

D. Unique asymmetric keys for each host

Answer 24

C. A predefined shared static key

Explanation

WEP has a weak security model that relies on a single, predefined, shared static key. This means that modern attacks can break WEP encryption in less than a minute.

Question 25

Susan is writing a best practices statement for her organizational users who need to use Bluetooth. She knows that there are many potential security issues with Bluetooth and wants to provide the best advice she can. Which of the following sets of guidance should Susan include? A. Use Bluetooth’s built‐in strong encryption, change the default PIN on your device, turn off discovery mode, and turn off Bluetooth when it’s not in active use. B. Use Bluetooth only for those activities that are not confidential, change the default PIN on your device, turn off discovery mode, and turn off Bluetooth when it’s not in active use. C. Use Bluetooth’s built‐in strong encryption, use extended (eight digits or longer) Bluetooth PINs, turn off discovery mode, and turn off Bluetooth when it’s not in active use. D. Use Bluetooth only for those activities that are not confidential, use extended (eight digits or longer) Bluetooth PINs, turn off discovery mode, and turn off Bluetooth when it’s not in active use.

Answer 25

B. Use Bluetooth only for those activities that are not confidential, change the default PIN on your device, turn off discovery mode, and turn off Bluetooth when it’s not in active use. Explanation Since Bluetooth doesn’t provide strong encryption, it should only be used for activities that are not confidential. Bluetooth PINs are four‐digit codes that often default to 0000. Turning it off and ensuring that your devices are not in discovery mode can help prevent Bluetooth attacks.

Question 26

Lauren uses the ping utility to check whether a remote system is up as part of a penetration testing exercise. If she does not want to see her own ping packets, what protocol should she filter out from her packet sniffer’s logs? A. UDP B. TCP C. IP D. ICMP

Answer 26

D. ICMP Explanation Ping uses ICMP, the Internet Control Message Protocol, to determine whether a system responds and how many hops there are between the originating system and the remote system. Lauren simply needs to filter out ICMP to not see her pings.

Question 27

During a port scan using nmap, Joseph discovers that a system shows two ports open that cause him immediate worry: 21/open 23/open What services are likely running on those ports? A. SSH and FTP B. FTP and Telnet C. SMTP and Telnet D. POP3 and SMTP

Answer 27

B. FTP and Telnet Explanation Joseph may be surprised to discover FTP (TCP port 21) and Telnet (TCP port 23) open on his network since both services are unencrypted and have been largely replaced by SSH, and SCP or SFTP. SSH uses port 22, SMTP uses port 25, and POP3 uses port 110.

Question 28

One of the findings that Jim made when performing a security audit was the use of non‐IP protocols in a private network. What issue should Jim point out that may result from the use of these non‐IP protocols? A. They are outdated and cannot be used on modern PCs. B. They may not be able to be filtered by firewall devices. C. They may allow Christmas tree attacks. D. IPX extends on the IP protocol and may not be supported by all TCP stacks.

Answer 28

B. They may not be able to be filtered by firewall devices. Explanation While non‐IP protocols like IPX/SPX, NetBEUI, and AppleTalk are rare in modern networks, they can present a challenge because many firewalls are not capable of filtering them. This can create risks when they are necessary for an application or system’s function because they may have to be passed without any inspection. Christmas tree attacks set all of the possible flags on a TCP packet (and are thus related to an IP protocol), IPX is not an IP‐based protocol, and while these protocols are outdated, there are ways to make even modern PCs understand them.

Question 29

What type of attack is most likely to occur after a successful ARP spoofing attempt? A. A DoS attack B. A Trojan C. A replay attack D. A man‐in‐the‐middle attack

Answer 29

D. A man‐in‐the‐middle attack Explanation ARP spoofing is often done to replace a target’s cache entry for a destination IP, allowing the attacker to conduct a man‐in‐the‐middle attack. A denial‐of‐service attack would be aimed at disrupting services rather than spoofing an ARP response, a replay attack will involve existing sessions, and a Trojan is malware that is disguised in a way that makes it look harmless.

Question 30

Jim is building a research computing system that benefits from being part of a full mesh topology between systems. In a five‐node full mesh topology design, how many connections will an individual node have? A. Two B. Three C. Four D. Five

Answer 30

C. Four Explanation A full mesh topology directly connects each machine to every other machine on the network. For five systems, this means four connections per system.

Question 31

During a security assessment of a wireless network, Jim discovers that LEAP is in use on a network using WPA. What recommendation should Jim make? A. Continue to use LEAP. It provides better security than TKIP for WPA networks. B. Use an alternate protocol like PEAP or EAP‐TLS and implement WPA2 if supported. C. Continue to use LEAP to avoid authentication issues, but move to WPA2. D. Use an alternate protocol like PEAP or EAP‐TLS, and implement Wired Equivalent Privacy to avoid wireless security issues.

Answer 31

B. Use an alternate protocol like PEAP or EAP‐TLS and implement WPA2 if supported. Explanation LEAP, the Lightweight Extensible Authentication Protocol, is a Cisco proprietary protocol designed to handle problems with TKIP. Unfortunately, LEAP has significant security issues as well and should not be used. Any modern hardware should support WPA2 and technologies like PEAP or EAP‐TLS. Using WEP, the predecessor to WPA and WPA2, would be a major step back in security for any network.

Question 32

Which one of the following security tools is not capable of generating an active response to a security event? A. IPS B. Firewall C. IDS D. Antivirus software

Answer 32

C. IDS Explanation Intrusion detection systems (IDSs) provide only passive responses, such as alerting administrators to a suspected attack. Intrusion prevention systems and firewalls, on the other hand, may take action to block an attack attempt. Antivirus software also may engage in active response by quarantining suspect files.

Question 33

Ben has configured his network to not broadcast an SSID. Why might Ben disable SSID broadcast, and how could his SSID be discovered? A. Disabling SSID broadcast prevents attackers from discovering the encryption key. The SSID can be recovered from decrypted packets. B. Disabling SSID broadcast hides networks from unauthorized personnel. The SSID can be discovered using a wireless sniffer. C. Disabling SSID broadcast prevents issues with beacon frames. The SSID can be recovered by reconstructing the BSSID. D. Disabling SSID broadcast helps avoid SSID conflicts. The SSID can be discovered by attempting to connect to the network.

Answer 33

B. Disabling SSID broadcast hides networks from unauthorized personnel. The SSID can be discovered using a wireless sniffer. xplanation Disabling SSID broadcast can help prevent unauthorized personnel from attempting to connect to the network. Since the SSID is still active, it can be discovered by using a wireless sniffer. Encryption keys are not related to SSID broadcast, beacon frames are used to broadcast the SSID, and it is possible to have multiple networks with the same SSID.

Question 34

When a host on an Ethernet network detects a collision and transmits a jam signal, what happens next? A. The host that transmitted the jam signal is allowed to retransmit while all other hosts pause until that transmission is received successfully. B. All hosts stop transmitting, and each host waits a random period of time before attempting to transmit again. C. All hosts stop transmitting, and each host waits a period of time based on how recently it successfully transmitted. D. Hosts wait for the token to be passed and then resume transmitting data as they pass the token.

Answer 34

B. All hosts stop transmitting, and each host waits a random period of time before attempting to transmit again. Explanation Ethernet networks use Carrier‐Sense Multiple Access/Collision Detection (CSMA/CD) technology. When a collision is detected and a jam signal is sent, hosts wait a random period of time before attempting retransmission.

Question 35

Kim is troubleshooting an application firewall that serves as a supplement to the organization’s network and host firewalls and intrusion prevention system, providing added protection against web‐based attacks. The issue the organization is experiencing is that the firewall technology suffers somewhat frequent restarts that render it unavailable for 10 minutes at a time. What configuration might Kim consider to maintain availability during that period at the lowest cost to the company? A. High availability cluster B. Failover device C. Fail open D. Redundant disks

Answer 35

C. Fail open Explanation A fail open configuration may be appropriate in this case. In this configuration, the firewall would continue to pass traffic without inspection while it is restarting. This would minimize downtime, and the traffic would still be protected by the other security controls described in the scenario. Failover devices and high availability clusters would indeed increase availability, but at potentially significant expense. Redundant disks would not help in this scenario because no disk failure is described.

Question 36

Chris uses a cellular hot spot (modem) to provide Internet access when he is traveling. If he leaves the hot spot connected to his PC while his PC is on his organization’s corporate network, what security issue might he cause? A. Traffic may not be routed properly, exposing sensitive data. B. His system may act as a bridge from the Internet to the local network. C. His system may be a portal for a reflected DDoS attack. D. Security administrators may not be able to determine his IP address if a security issue occurs.

Answer 36

B. His system may act as a bridge from the Internet to the local network. Explanation When a workstation or other device is connected simultaneously to both a secure and a nonsecure network like the Internet, it may act as a bridge, bypassing the security protections located at the edge of a corporate network. It is unlikely that traffic will be routed improperly leading to the exposure of sensitive data, as traffic headed to internal systems and networks is unlikely to be routed to the external network. Reflected DDoS attacks are used to hide identities rather than to connect through to an internal network, and security administrators of managed systems should be able to determine both the local and wireless IP addresses his system uses.

Question 37

Lisa is attempting to prevent her network from being targeted by IP spoofing attacks as well as preventing her network from being the source of those attacks. Which one of the following rules is not a best practice that Lisa can configure at her network border? A. Block packets with internal source addresses from entering the network. B. Block packets with external source addresses from leaving the network. C. Block packets with private IP addresses from exiting the network. D. Block packets with public IP addresses from entering the network.

Answer 37

D. Block packets with public IP addresses from entering the network. Explanation This question is asking you to identify the blocking rule that should not be set on the firewall. Packets with public IP addresses will routinely be allowed to enter the network, so you should not create a rule to block them, making this the correct answer. Packets with internal source addresses should never originate from outside the network, so they should be blocked from entering the network. Packets with external source addresses should never be found on the internal network, so they should be blocked from leaving the network. Finally, private IP addresses should never be used on the Internet, so packets containing private IP addresses should be blocked from leaving the network.

Question 38

Which of the following sequences properly describes the TCP three‐way handshake? A. SYN, ACK, SYN/ACK B. PSH, RST, ACK C. SYN, SYN/ACK, ACK D. SYN, RST, FIN

Answer 38

C. SYN, SYN/ACK, ACK Explanation The TCP three‐way handshake consists of initial contact via a SYN, or synchronize flagged packet; which receives a response with a SYN/ACK, or synchronize and acknowledge flagged packet; which is acknowledged by the original sender with an ACK, or acknowledge packet. RST is used in TCP to reset a connection, PSH is used to send data immediately, and FIN is used to end a connection.

Question 39

SMTP, HTTP, and SNMP all occur at what layer of the OSI model? A. Layer 4 B. Layer 5 C. Layer 6 D. Layer 7

Answer 39

D. Layer 7 Explanation Application‐specific protocols are handled at layer 7, the Application layer of the OSI model.

Question 40

Alaina wants to set up WPA2 Enterprise using an EAP‐based protocol that uses certificate‐based authentication. Which of the following EAP versions should she select? A. LEAP B. EAP‐FAST C. EAP‐TLS D. EAP‐PKI

Answer 40

C. EAP‐TLS Explanation EAP‐TLS uses certificate‐based authentication. This requires management of certificates, but is useful for security reasons due to the ease of supporting full encryption. EAP‐FAST uses Protected Access Credentials rather than certificates. The Lightweight Extensible Authentication Protocol (LEAP) uses dynamically generated WEP keys for encryption. EAP‐PKI does not exist.

Question 41

Mikayla’s organization uses virtual machines as their primary deployment method for servers and wants to add intrusion prevention capabilities inside their data center. Mikayla wants to be able to deploy the IPS devices to cover each of multiple clusters of machines based on their purpose, hosted in their VMware cluster. What deployment location will minimize latency, maximize network bandwidth, and allow the maximum degree of flexibility through automation for deployments? A. The IPSs should be inline with the VMware servers. B. The IPSs should be physical devices to handle the throughput required. C. The IPSs should be virtual, just like the VMware virtual machines. D. The IPSs should be software based and placed on each virtual machine.

Answer 41

C. The IPSs should be virtual, just like the VMware virtual machines. Explanation Using virtual appliances in a deployment where they can protect virtual machines in the same infrastructure allows Mikayla to easily manage the devices using the same tools she uses for the other machines. At the same time, she can take advantage of virtual network fabrics for high‐speed connectivity and flexibility. Inline placement is useful for IPS and firewall systems that are protecting specific devices and is often used for physical devices, but physical devices require either physical network changes or changes done in a separate management layer, making them take extra steps when flexibility and ease of management are important. Software‐based IPS might work, but placing them on each virtual machine does not allow the IPS devices to cover clusters of systems since each is running on a single host.

Question 42

Charles is reviewing data communications for cellular‐enabled devices in his organization’s field locations. He wants to ensure that traffic is encrypted between the data collection devices and his company’s data logging service. What should he note about the connection if he knows that the devices are connecting via LTE (4G) cellular connections from a commercial carrier? A. The connections will be encrypted from end to end between the device and the server. B. The connections will be encrypted between the device and the cellular base station. C. The connections will not be encrypted by default. D. The connections will be encrypted and then decrypted and re‐encrypted at each hop in the cellular network.

Answer 42

B. The connections will be encrypted between the device and the cellular base station. Explanation 4G networks encrypt traffic between the cellular device and the base station but do not provide encryption after that point. If Charles wanted to provide end‐to‐end encryption, he would need to use a technology such as TLS to encrypt data at the device and then decrypt it once it reaches his servers.

Question 43

Henry wants to create a custom rule for his web application firewall that will prevent attackers from deleting data from his database. Which of the following rules is best suited to stop that type of attack? A. Block all queries that include the string UNION. B. Block all queries that include the string DROP. C. Block all queries that contain the string +OR+1=1. D. Block all queries that include the string SELECT.

Answer 43

B. Block all queries that include the string DROP. Explanation SQL injection attacks use valid SQL code added to existing queries. The DROP command can be used to drop (delete) data from a database. While the other commands could be used as part of an attack, DROP is the only command that specifically threatens to perform data deletion like Henry is concerned about.

Question 44

Yuri wants to protect his organization’s IoT devices. They connect to a wireless WiFi network using WPA2, but do not support enterprise mode, so they have to use PSK mode. Which of the following techniques will best help to protect the IoT devices from attacks? A. Switch to WEP to ensure that a more secure protocol is used. B. Regularly change the preshared key to prevent attackers from brute‐forcing it. C. Place the IoT devices on a separate wireless VLAN from other users and devices. D. Force all traffic from the devices to use TLS so that the traffic remains secure even if the wireless key is compromised.

Answer 44

C. Place the IoT devices on a separate wireless VLAN from other users and devices. Explanation Internet of Things (IoT) devices often have limitations on their capabilities, and it isn’t uncommon to have devices on a network that cannot handle enterprise authentication modes for WPA2 or WPA3. That means segmenting those devices onto a separate VLAN to keep them away from other users and devices is a common best practice. WEP is less secure and older than WPA and should not be used. Changing the preshared key on a regular basis could create a massive amount of additional work to reconfigure devices that may not allow central or enterprise management. Forcing all traffic to use TLS may also be challenging since the devices may not support TLS for all data traffic or may not even use HTTPS as their primary communication mode.