Domain 3 Questions Flashcards

1
Q

3

Which wireless configuration provides the most up-to-date and secure way of connecting wireless devices to an office or home network?

Select all that apply

PEAP
SAE
EAP-TTLS
WPA3

A

SAE
WPA3

Wi-Fi Protected Access 3 (WPA3) is the current Wi-Fi Alliance specification. It adds security features and mechanisms that address weaknesses in WPA2, notably the offline dictionary attack against a captured WPA2-PSK handshake.
Simultaneous Authentication of Equals (SAE) is the personal-mode authentication method of WPA3. It replaces WPA2's pre-shared key authentication with the Dragonfly password-authenticated key exchange, which is built on Diffie-Hellman key agreement; the 4-way handshake still runs afterwards to derive the session keys, but a captured handshake no longer allows offline password guessing. PEAP and EAP-TTLS are EAP methods used with 802.1X in enterprise mode and are not WPA3 features.

2
Q

3

What identifies the physical location of a device?

Geolocation
Geofencing
Content Management
Rooting

A

Geolocation

Geolocation is the use of network attributes to identify (or estimate) the physical position of a device.

3
Q

3

Server B requests a secure record exchange from Server A. Server A returns a package along with a public key that verifies the signature. What does this scenario demonstrate?

DNS Server Cache Poisoning
DNS Spoofing
DNS Security Extensions
Dynamic Host Configuration Protocol

A

DNS Security Extensions

Domain Name System Security Extensions (DNSSEC) helps to mitigate spoofing and poisoning attacks. The authoritative server for the zone groups resource records into a package called an RRset and signs it with a private key known as the zone signing key (ZSK), publishing the signature as an RRSIG record and the matching public key as a DNSKEY record. A validating resolver checks the RRSIG against the DNSKEY, and trust in that key chains up through DS records in the parent zone to the root.

4
Q

3

A Local Area Network (LAN) is set up with an Authentication, Authorization, and Accounting (AAA) server. The AAA server allows remote supplicants to access the LAN through a Network Access Point (NAP). Which of the following best describes the type of remote authentication solution that is set up on the LAN?

EAP
802.1x
RADIUS
PAP

A

RADIUS

Remote Authentication Dial-in User Service (RADIUS) is made up of an Authentication, Authorization, and Accounting (AAA) server, a network access server (NAS, the access point or switch acting as the RADIUS client), and the supplicant. A supplicant is any device that is trying to access the network through the NAS. RADIUS is the protocol between the NAS and the AAA server; 802.1X is the port-based access control the NAS enforces, and EAP is the authentication framework carried inside both.

5
Q

3

A new administrator completed setting up an admin account on the network. The admin successfully logged on to a remote file server with the new credentials but not on a remote domain controller (DC) server. Determine the most likely cause for not being able to log in to a DC server.

Disabled account
Account permission
Access policy
Account audit

A

Access policy

Access policies determine things such as the right to log on to a computer locally or via remote desktop, install software, change the network configuration, and so on.

6
Q

3

IT management wants to make it easier for users to request certificates for their devices and web services. The company has multiple intermediate certificate authorities spread out to support multiple geographic locations. In a full chain of trust, which entity would be able to handle processing certificate requests and verifying requester identity?

OCSP
RA
CA
CSR

A

RA

A Registration Authority (RA) is a function of certificate enrollment and its services would be combined with a Certificate Authority (CA) in a single CA hierarchy. An RA is responsible for validating and submitting a request on behalf of end users.

7
Q

3

A company stages its computing power in a centralized environment. All workstations run off of one desktop hosted in the data center. When the admin makes changes at individual workstations, the changes only get saved locally, until a user signs off, and the system then reverts back to the previous state. What technology does this represent?

Type 1 hypervisor
Persistent VDE
Snapshot
Non-persistent VDE

A

Non-persistent VDE

A non-persistent Virtual Desktop Environment (VDE) serves a central desktop image from a remote server. When a user logs on, changes and completed work are not saved long term; as soon as the user logs off, the desktop reverts to the master image held centrally, which also discards any malware or configuration drift introduced during the session.

8
Q

3

A cloud customer prefers separating storage resources that hold different sets of data in virtual private clouds (VPCs). One of those data sets must comply with the Health Insurance Portability and Accountability Act (HIPAA) guidelines for patient data. How should the customer configure these VPCs to ensure the highest degree of network security?

Split segments between VPCs.
Monitor the virtual instance usage.
Use third-party next generation firewall.
Create multiple security groups.

A

Split segments between VPCs.

Network segmentation can assist with separating workloads for performance and load balancing, keeping data processing within an isolated segment for compliance with laws and regulations and compartmentalizing data access and processing for different departments or functional requirements.

9
Q

3.0 Implementation

A systems admin deploys a new infrastructure for an organization. Examine the given descriptions and determine which applies to the technology used with the LDAP protocol.

Forward traffic from one node to another
Automatic method for network address allocation
Provides privilege management and authorization
Resolves names to IP addresses

A

Provides privilege management and authorization

Directory services are the principal means of providing privilege management and authorization on an enterprise network. The Lightweight Directory Access Protocol (LDAP) is a protocol used with X.500 format directories.

10
Q

3

A network with two normal-working switches has several client computers connected for work and Internet access. After adding two new switches and more client computers, the new computers, as well as some of the old client computers, cannot access the network. What are most likely the cause and the solution?

Select all that apply

A loop in the network
STP
Port security
Flood guard

A

A loop in the network
STP

A switching loop causes frames to circulate endlessly between the switches: every broadcast is flooded again on each pass (a broadcast storm) and MAC address tables flap as the same source address appears on different ports, so connectivity drops for hosts on the affected switches.
STP (Spanning Tree Protocol) is a means for the bridges to organize themselves into a hierarchy and block redundant ports so that no loop forms. Port security and flood guards limit which MAC addresses and how much traffic a port accepts; they do not remove a loop.

11
Q

4

Identify which tools would be used to identify suspicious network activity.

Select all that apply

tcpdump
tcpreplay
Wireshark
Metasploit

A

tcpdump
tcpreplay
Wireshark

tcpdump is a command-line packet capture utility for Linux and other Unix-like systems. It displays captured packets until halted manually and can save frames to a .pcap file. It commonly uses filter expressions to reduce the number of frames captured, built from qualifiers for type (host, net, port), direction (src, dst), and protocol (tcp, udp, icmp).
Wireshark is a graphical application that captures all types of traffic by sniffing the network, dissects the protocols, and saves the data to a .pcap (or pcapng) file.
tcpreplay is a command-line utility for Linux that replays data from a .pcap file, for example, to reproduce traffic patterns against an IDS or to analyze traffic.
Metasploit is an exploitation framework used to attack systems, not to monitor them.
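As an added example (not from the original page), the following Python builds a small capture from constructed Ethernet/IPv4 frames in the pcap format that tcpdump, Wireshark and tcpreplay all read, then applies a tiny subset of tcpdump's filter syntax to it. Addresses, ports and the filter grammar are assumptions for illustration; checksums are left zero, and the filter understands only tcp, udp, host and port joined by and.

```python
import struct
import ipaddress

PCAP_MAGIC = 0xA1B2C3D4        # native-order, microsecond-resolution pcap
LINKTYPE_ETHERNET = 1


def build_frame(proto, src_ip, dst_ip, sport, dport, payload=b""):
    """Constructed Ethernet/IPv4/TCP-or-UDP frame (sample data; checksums left zero)."""
    l4_proto = {"tcp": 6, "udp": 17}[proto]
    if proto == "tcp":
        # ports, seq, ack, data offset (5 words), flags (SYN), window, checksum, urgent
        l4_hdr = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x02, 65535, 0, 0)
    else:
        l4_hdr = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    total = 20 + len(l4_hdr) + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, l4_proto, 0,
                         ipaddress.ip_address(src_ip).packed,
                         ipaddress.ip_address(dst_ip).packed)
    eth = b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + b"\x08\x00"
    return eth + ip_hdr + l4_hdr + payload


def to_pcap(frames):
    """Serialise frames as a pcap file image: 24-byte global header, then 16-byte records."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1_700_000_000 + i, 0, len(frame), len(frame)) + frame
    return out


def parse_pcap(data):
    magic, _, _, _, _, _, linktype = struct.unpack_from("<IHHiIII", data, 0)
    if magic != PCAP_MAGIC or linktype != LINKTYPE_ETHERNET:
        raise ValueError("not a native-order Ethernet pcap")
    off, frames = 24, []
    while off < len(data):
        _, _, incl_len, _ = struct.unpack_from("<IIII", data, off)
        off += 16
        frames.append(data[off:off + incl_len])
        off += incl_len
    return frames


def decode(frame):
    """Pull protocol, addresses and ports out of an IPv4 frame; None for non-IPv4."""
    if frame[12:14] != b"\x08\x00":
        return None
    ihl = (frame[14] & 0x0F) * 4
    proto = {6: "tcp", 17: "udp"}.get(frame[23], str(frame[23]))
    src = str(ipaddress.ip_address(frame[26:30]))
    dst = str(ipaddress.ip_address(frame[30:34]))
    sport, dport = struct.unpack_from("!HH", frame, 14 + ihl)
    return {"proto": proto, "src": src, "dst": dst, "sport": sport, "dport": dport}


def matches(pkt, expr):
    """Tiny subset of tcpdump filters: 'tcp', 'udp', 'host X', 'port N', joined by 'and'."""
    for term in expr.split(" and "):
        tokens = term.split()
        if tokens in (["tcp"], ["udp"]):
            ok = pkt["proto"] == tokens[0]
        elif tokens[0] == "host":
            ok = tokens[1] in (pkt["src"], pkt["dst"])
        elif tokens[0] == "port":
            ok = int(tokens[1]) in (pkt["sport"], pkt["dport"])
        else:
            raise ValueError(f"unsupported filter term: {term!r}")
        if not ok:
            return False
    return True


def filter_capture(data, expr):
    """Decode every frame in a pcap image and keep those matching the filter."""
    pkts = [decode(f) for f in parse_pcap(data)]
    return [p for p in pkts if p is not None and matches(p, expr)]


# Constructed three-frame capture: a TLS connection, a DNS query and a plain HTTP connection
SAMPLE_CAPTURE = to_pcap([
    build_frame("tcp", "10.0.0.5", "192.0.2.10", 51000, 443),
    build_frame("udp", "10.0.0.5", "10.0.0.1", 53001, 53),
    build_frame("tcp", "10.0.0.7", "192.0.2.10", 51002, 80),
])
```

Writing SAMPLE_CAPTURE to a file and running `tcpdump -nn -r capture.pcap 'tcp and port 443'` applies the same filter to the same bytes; the real tool compiles the expression to BPF and runs it in the kernel so unwanted frames are dropped before they are copied to user space.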

12
Q

3

Which certificate attribute describes the computer or machine it belongs to?

Select all that apply

Certificate authority name
Common name
Company name
Subject alternate name

A

Common name
Subject alternate name

The common name (CN) attribute identifies the computer or machine by name, usually a fully qualified domain name (FQDN), such as www.comptia.org.
The subject alternative name (SAN) extension field is structured to represent different types of identifiers, including domain names, IP addresses, and email addresses, and a single certificate can list many of them. Hostname validation now relies on the SAN: browsers ignore the CN for this purpose (the CN fallback is deprecated), so a certificate that lists the FQDN only in the CN fails validation.
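As an added example (not from the original page), the following Python shows how hostname validation treats the SAN and the CN: the SAN is authoritative, wildcards are only allowed as the whole left-most label, and the CN is consulted only when the certificate carries no DNS SAN at all. The sample certificate dictionary is constructed in the shape Python's ssl.SSLSocket.getpeercert() returns and is not a real certificate; production code should leave this check to the TLS library rather than reimplement it.

```python
import ipaddress

# Constructed sample in the shape getpeercert() returns (not a real certificate)
SAMPLE_CERT = {
    "subject": ((("commonName", "www.comptia.org"),),),
    "subjectAltName": (
        ("DNS", "www.comptia.org"),
        ("DNS", "*.api.comptia.org"),
        ("IP Address", "192.0.2.10"),
    ),
}


def _match_dns(pattern, hostname):
    """RFC 6125 style matching: a wildcard may only be the entire left-most label,
    covers exactly one label, and must leave at least two fixed labels."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def hostname_matches(cert, hostname):
    """True if the certificate is valid for hostname (a DNS name or an IP literal)."""
    sans = cert.get("subjectAltName", ())
    dns_names = [value for kind, value in sans if kind == "DNS"]
    ip_names = [value for kind, value in sans if kind == "IP Address"]
    try:
        wanted_ip = ipaddress.ip_address(hostname)
    except ValueError:
        wanted_ip = None
    if wanted_ip is not None:
        # An IP literal must appear as an iPAddress SAN; DNS names never match it
        return any(wanted_ip == ipaddress.ip_address(v) for v in ip_names)
    if dns_names:
        # SAN present: the CN is ignored entirely, as browsers do
        return any(_match_dns(p, hostname) for p in dns_names)
    # Legacy fallback, only when the certificate has no dNSName SAN at all
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return _match_dns(value, hostname)
    return False
```

The last test case below is the one that trips people up: a certificate whose CN is www.comptia.org but whose SAN lists a different name is rejected for www.comptia.org, because once a SAN is present the CN no longer counts.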

13
Q

3

The RADIUS server is down, and employees need immediate access to Wi-Fi routers in the office building. The WAPs (Wireless Access Points) service smartphones and tablets. After disabling Enterprise mode, how will users connect to the WAPs?

Use company credentials
Use 5 GHz band
Use a pre-shared key
Set devices to 802.11n

A

Use a pre-shared key

A PSK (pre-shared key) is the passphrase needed to gain access to a WAP (wireless access point) running WPA2-Personal or WPA3-Personal. Personal mode needs no RADIUS server, so it keeps working while the AAA infrastructure is down, but the same key is shared by every user and should be rotated once Enterprise mode is restored.

14
Q

3

Mobile engineers are designing a phone that can support internal key-pair certificates for authentication and encryption/decryption capabilities for an internal organization or corporation. Which component may the engineers want to include in the design of this phone?

USB OTG
SEAndroid
Tethering
MicroSD HSM

A

MicroSD HSM

Micro Secure Digital (MicroSD) Hardware Security Module (HSM) is designed to store cryptographic keys, such as a key-pair certificate, in a secure manner. It requires no extra drivers or uncommon hardware components to use.

15
Q

3

A web administrator notices a few security vulnerabilities that must be addressed on the company Intranet. The portal must force a secure browsing connection, mitigate script injection, and prevent caching on shared client devices. Determine the secure options to set on the web server’s response headers.

Select all that apply

Secure Cookies
HTTP Strict Transport Security (HSTS)
Cache-Control
Content Security Policy (CSP)

A

HTTP Strict Transport Security (HSTS)
Cache-Control
Content Security Policy (CSP)

HTTP Strict Transport Security (HSTS) is a header option that tells the browser to connect to the site over HTTPS only for the stated max-age period, mitigating downgrade attacks such as SSL stripping. Browsers only honor it when it arrives over an HTTPS connection.
Content Security Policy (CSP) is a header option that restricts where scripts, frames, and other resources may be loaded from, mitigating clickjacking (frame-ancestors), script injection, and other client-side attacks. A policy that permits 'unsafe-inline' scripts gives little protection against injection.
Cache-Control is a header option that sets whether the browser (and intermediaries) may cache responses. Cache-Control: no-store protects confidential and personal information where the client device is shared by multiple users.
The Secure cookie attribute is set on Set-Cookie and only stops a cookie being sent over plain HTTP; it does not force HTTPS, restrict scripts, or control caching, so it meets none of the three requirements.
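As an added example (not from the original page), the following Python sets the three headers on a response and audits an arbitrary header set for the weak forms a scanner would flag: a short HSTS max-age, a CSP whose script sources allow 'unsafe-inline' or any origin, and a Cache-Control that lacks no-store. The header values and the one-year threshold are assumptions chosen for illustration; the audit is a simple directive parser, not a full CSP evaluator.

```python
ONE_YEAR = 31536000

# Hardened values chosen for this example (assumptions, not the original page's settings)
SECURE_HEADERS = {
    # one year, cover subdomains; ignored by browsers on plain-HTTP responses
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    # same-origin scripts only, no plugins, and the page may not be framed
    "Content-Security-Policy": ("default-src 'self'; script-src 'self'; "
                                "object-src 'none'; frame-ancestors 'none'"),
    # shared client devices: the response must never be written to a cache
    "Cache-Control": "no-store",
}


def harden(headers):
    """Return a copy of the response headers with the three secure options set."""
    merged = dict(headers)
    merged.update(SECURE_HEADERS)
    return merged


def _hsts_max_age(value):
    for directive in value.split(";"):
        name, _, num = directive.strip().partition("=")
        if name.strip().lower() == "max-age" and num.strip().isdigit():
            return int(num.strip())
    return None


def _csp_directives(value):
    """'default-src 'self'; script-src x y' -> {'default-src': ["'self'"], 'script-src': [...]}"""
    directives = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def audit_headers(headers):
    """Return a list of findings; an empty list means all three controls are present and sound."""
    h = {name.lower(): value for name, value in headers.items()}
    findings = []

    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("HSTS missing: browser can be downgraded to HTTP (SSL stripping)")
    else:
        age = _hsts_max_age(hsts)
        if age is None or age < ONE_YEAR:
            findings.append("HSTS max-age shorter than one year")

    csp = h.get("content-security-policy")
    if csp is None:
        findings.append("CSP missing: injected scripts run unrestricted")
    else:
        d = _csp_directives(csp)
        # script-src falls back to default-src when absent, exactly as browsers apply it
        scripts = d.get("script-src", d.get("default-src"))
        if scripts is None:
            findings.append("CSP sets neither script-src nor default-src")
        elif "'unsafe-inline'" in scripts or "*" in scripts:
            findings.append("CSP allows inline or any-origin scripts: injection not mitigated")

    cache = h.get("cache-control", "")
    if "no-store" not in cache.lower():
        findings.append("Cache-Control lacks no-store: response may persist on a shared device")

    return findings
```

Run audit_headers against the headers an intranet page actually returns (for example, from a requests Response.headers object) before and after the change; the "before" list is the to-do list, and an empty "after" list confirms the three controls are in place.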

16
Q

3

Evaluate and select the differences between WPA and WPA2.

Select all that apply

WPA2 supports an encryption algorithm based on the Advanced Encryption Standard (AES) rather than the version of RC4 “patched” with the Temporal Key Integrity Protocol (TKIP).
WPA2 is a security protocol developed by the Wi-Fi Alliance for use in securing wireless networks.
WPA2 is much more secure than WEP, where WPA is not.
WPA2 requires entering a longer password than WPA.

A

WPA2 supports an encryption algorithm based on the Advanced Encryption Standard (AES) rather than the version of RC4 “patched” with the Temporal Key Integrity Protocol (TKIP).

WPA2 replaced TKIP/RC4 with CCMP, an AES-based cipher with built-in integrity protection, and WPA2 certification made CCMP mandatory.
WPA and WPA2 are both much more secure than WEP (wired equivalent privacy), and both were developed by the Wi-Fi Alliance, so neither statement distinguishes them.
WPA-Personal and WPA2-Personal use the same pre-shared key format (an 8 to 63 character passphrase or a 64 hex digit key), so WPA2 does not require a longer password than WPA; the cipher is the real difference.

17
Q

3

Which system allows a user to authenticate once to a local device and to be authenticated to other servers or services without entering credentials again?

Password vault
OAuth
Single sign-on
OpenID Connect

A

Single sign-on

A single sign-on (SSO) system allows the user to authenticate once to a local device and be authenticated to compatible application servers without having to enter credentials again.

18
Q

3

A small company has set up the domain environment to prevent the installation of a list of prohibited software. Employees received this same list via email. What type of method prevents the installation of specific software on workstations?

Whitelisting
Blacklisting
Anti-malware
Application hardening

A

Blacklisting

Execution control, to prevent the use of unauthorized software, can be implemented as a blacklist (deny list): anything not on the prohibited list can run. A whitelist (allow list) is the stricter control, because only listed software can run, but it takes more effort to maintain. Emailing the list to employees is a policy measure only and enforces nothing on its own.

19
Q

3

A network uses a framework for management and monitoring that uses the Data Encryption Standard (DES) and the Advanced Encryption Standard (AES), which encrypts the contents of traps and query responses. Analyze the types of protocols available for management and monitoring, then deduce the protocol utilized.

SNMPv2c
MIB
SNMPv1
SNMPv3

A

SNMPv3

Simple Network Management Protocol (SNMP) v3 supports encryption and strong user-based authentication. Instead of community names, the agent is configured with a list of usernames and access permissions; each user has an authentication protocol (MD5 or SHA) and a privacy protocol (DES or AES), and the authPriv security level applies both. SNMPv1 and SNMPv2c send the community string and all data in the clear, and the MIB is the database of managed objects, not a protocol.

20
Q

3

Mobile Android operating system (OS) encryption software might allow encryption of which of the following?

MicroSD
SMS
Passwords
RCS

A

MicroSD

Micro Secure Digital (MicroSD) is an external media device supported by many Android devices. Built-in and third-party encryption applications on the mobile OS may encrypt these types of removable storage.

21
Q

3

A network administrator researched Secure Sockets Layer/Transport Layer Security (SSL/TLS) versions to determine the best solution for the network. Security is a top priority along with a strong cipher. Recommend the version to implement, which will meet the needs of the company.

SSL 2.0
SSL 3.0
TLS 1.1
TLS 1.2

A

TLS 1.2

Transport Layer Security (TLS) 1.2 replaced the MD5/SHA-1 based pseudorandom function with SHA-256 (a hash, not a cipher) and added authenticated encryption cipher suites such as AES-GCM, along with improvements to the cipher suite negotiation process and protection against known attacks. SSL 2.0, SSL 3.0, and TLS 1.1 are all deprecated (RFC 6176, RFC 7568, RFC 8996); TLS 1.3 is the current version and should also be enabled wherever the platform supports it.

22
Q

3

What protocol alters public IP addresses to private IP addresses and vice versa, in an attempt to protect internal computers from the Internet?

URL Filter
Proxy
NAT
Firewall

A

NAT

Network Address Translation (NAT) rewrites private IP addresses to a public address as traffic leaves the network and reverses the translation for the replies. Running NAT on the firewall means internal hosts are not directly reachable from the public Internet unless a port forward is configured, which hides internal addressing; NAT is an addressing mechanism rather than a security control, and the firewall rules still decide what is allowed through.

23
Q

3

A network administrator can conduct a site survey to find potential placement locations of wireless access points (WAP) using which of the following?

Select all that apply

Wi-Fi Protected Setup (WPS)
Wi-Fi analyzer
Wireless controller
Heat map

A

Wi-Fi analyzer
Heat map

A Wi-Fi analyzer is software on a laptop or mobile device with a wireless network adapter. Information about the signal is obtained at regularly spaced points as the surveyor moves around.
A heat map is a visual of the information gathered from a Wi-Fi analyzer. It can show where a signal is strong (red) or weak (green/blue), and which channel is being used.

24
Q

3

Evaluate the following properties and determine which set relates to Domain Name System Security Extension (DNSSEC).

RRset, Signing key
Master key, Transport protocol
Public key, Private key
Community name, Agent

A

RRset, Signing key

DNS Security Extensions (DNSSEC) help to mitigate spoofing and poisoning attacks. When enabled, a “package” of resource records (called an RRset) is signed with a private key (the Zone Signing Key).

25
Q

3

Which of the following will reduce the risk of data exposure between containers on a cloud platform?

Select all that apply

Namespaces
Control groups
Public subnets
Secrets management

A

Namespaces
Control groups

In a container engine such as Docker, each container is isolated from others through separate namespaces. Namespaces prevent one container from reading or writing processes in another.
Control groups ensure that one container cannot overwhelm others in a DoS-type attack. Namespaces and control groups reduce the risk of data exposure between containers.

26
Q

3

The IT team has purchased a few devices that are compatible with the Trusted Computing Group Security Subsystem Class called Opal. Which of these device specifications will take advantage of Opal’s security features?

Automatic vendor updates
Operating system
Disk encryption
Registry settings

A

Disk encryption

The Opal security subsystem class is a set of specifications that defines a management interface for a host application to activate, provision, and manage encryption of user data on self-encrypting drives (SED).

27
Q

3

Using Unified Extensible Firmware Interface (UEFI) to boot a server, the system must also provide secure boot capabilities. Part of the secure boot process requires a secure boot platform key or self-signed certificate. Determine which of the following an engineer can use to generate keys within the server using an available Peripheral Component Interconnect Express (PCIe) slot.

Password vault
NFC token
Hardware security module
Trusted platform module

A

Hardware security module

A hardware security module (HSM) is an appliance designed to perform centralized public key infrastructure (PKI) management, key generation, or key escrow for devices. HSM can also be implemented as a plug-in PCIe adapter card to operate within a device.

28
Q

3

Consider conditional access to a system and determine which options fit the criteria.

Select all that apply

User Account Control (UAC)
Non-discretionary system
Sudo restrictions
Difficult to enforce

A

User Account Control (UAC)
Sudo restrictions

Conditional access is an example of rule-based access control where policies are determined by system-enforced rules. The User Account Control (UAC) is an example of conditional access.
A conditional access system monitors account or device behavior throughout a session. An example is sudo restrictions on privileged accounts.

29
Q

3

A basic installation of a web server will require which of the following to allow unauthenticated access?

User account
Guest account
Service account
Shared account

A

Guest account

A guest account is a special type of shared account with no password. It allows anonymous and unauthenticated access to a resource. Guest accounts are created when installing web services, as most web servers allow unauthenticated access.

30
Q

3

A company is looking into integrating on-premise services and cloud services with a cloud service provider (CSP) using an Infrastructure as a Service (IaaS) plan. As a cloud architect works on architectural design, which of the following statements would NOT apply in this case?

The company must establish separation of duties mechanisms.
The provider is responsible for the availability of the software.
The company is liable for legal and regulatory requirements for customer data.
The provider must update the firmware and security patches of physical servers.

A

The provider is responsible for the availability of the software.

In an Infrastructure as a Service (IaaS) plan the provider runs the physical hosts (including firmware and security patches on the physical servers) and the virtualization layer, while the customer installs and operates the operating system and software on the virtual machines, so the customer is responsible for the availability of that software. The provider being responsible for software availability describes a Software as a Service (SaaS) plan instead.

31
Q

3

The 802.1x framework establishes several ways for devices and users to be securely authenticated before they are permitted access to LAN (Local Area Network) or WLAN (Wireless LAN). Identify the actual authentication mechanism established.

AES
RSA
WPA
EAP

A

EAP

802.1x, which is the Port-based Network Access Control framework, establishes several ways for devices and users to be securely authenticated before they are permitted full network access. EAP or extensible authentication protocol is the actual authentication mechanism.

32
Q

3

Users are only allowed to work in the office. Account policies must provide login security measures. So, users are only working during normal business hours. Identify the policy that establishes the maximum amount of time an account may be logged in for at the workplace?

Time of day policy
Location-based policy
Time-based login policy
Impossible travel policy

A

Time-based login policy

A time-based login policy establishes the maximum amount of time an account may be logged in for. For example, a user with no activity will be logged off after 6 hours.

33
Q

3

Which of the following describes a device that only runs administrative protocols such as secure shell (SSH) or remote desktop protocol (RDP) to securely manage application servers in a demilitarized zone (DMZ)?

Reverse proxy server
Forward proxy server
Jump server
Hardware security module

A

Jump server

A jump server only runs the necessary administrative ports and protocols (typically SSH or RDP). Administrators connect to the jump server then use the jump server to connect to the admin interface of application servers in a demilitarized zone (DMZ).

34
Q

3

A company provides smartphones to their employees. IT administrators have the ability to deploy, secure, and remove specific applications and data from the employees’ smartphones. Analyze the selections and determine how IT can perform this type of control.

Push notifications
Content management
Baseband update
Storage segmentation

A

Storage segmentation

Storage segmentation is personal data segmented from organizational data on a mobile device. It gives IT administrators control over corporate assets on employees’ mobile devices.

35
Q

3

A private network where employees can communicate and share resources is available for authorized users only. A network perimeter provides boundary protection between it and the public internet. Which of the following does this represent?

Ad hoc
Extranet
Intranet
Guest

A

Intranet

An intranet is an internal company zone established to allow employees the ability to share content and communicate more effectively. Only authorized individuals can access the intranet.
