Domain 3 Questions Flashcards
3
Which wireless configuration provides the most up-to-date and secure way of connecting wireless devices to an office or home network?
Select all that apply
PEAP
SAE
EAP-TTLS
WPA3
SAE
WPA3
Wi-Fi Protected Access 3 (WPA3) is the most up-to-date wireless specification that provides security features and mechanisms that improve the weaknesses of WPA2.
Simultaneous Authentication of Equals (SAE) is a feature of WPA3. It replaces WPA’s 4-way handshake authentication and association mechanism with a protocol based on the Diffie-Hellman key agreement.
3
What identifies the physical location of a device?
Geolocation
Geofencing
Content Management
Rooting
Geolocation
Geolocation is the use of network attributes to identify (or estimate) the physical position of a device.
3
Server B requests a secure record exchange from Server A. Server A returns a package along with a public key that verifies the signature. What does this scenario demonstrate?
DNS Server Cache Poisoning
DNS Spoofing
DNS Security Extensions
Dynamic Host Configuration Protocol
DNS Security Extensions
Domain Name System Security Extensions (DNSSEC) helps to mitigate spoofing and poisoning attacks. The authoritative server for the zone creates a package of resource records, called an RRset, signed with a private key known as the zone signing key.
3
A Local Area Network (LAN) is set up with an Authentication, Authorization, and Account (AAA) server. The AAA server allows remote supplicants to access the LAN through a Network Access Point (NAP). Which of the following best describes the type of remote authentication solution that is set up on the LAN?
EAP
802.1x
RADIUS
PAP
RADIUS
Remote Authentication Dial-in User Service (RADIUS) is made up of an Authentication, Authorization, and Account (AAA) server, a Network Access Control (NAC) or RADIUS client, and the supplicant. A supplicant is any device that is trying to access the local network remotely.
3
A new administrator completed setting up an admin account on the network. The admin successfully logged on to a remote file server with the new credentials but not on a remote domain controller (DC) server. Determine the most likely cause for not being able to log in to a DC server.
Disabled account
Account permission
Access policy
Account audit
Access policy
Access policies determine things such as the right to log on to a computer locally or via remote desktop, install software, change the network configuration, and so on.
3
IT management wants to make it easier for users to request certificates for their devices and web services. The company has multiple intermediate certificate authorities spread out to support multiple geographic locations. In a full chain of trust, which entity would be able to handle processing certificate requests and verifying requester identity?
OCSP
RA
CA
CSR
RA
A Registration Authority (RA) is a function of certificate enrollment and its services would be combined with a Certificate Authority (CA) in a single CA hierarchy. An RA is responsible for validating and submitting a request on behalf of end users.
3
A company stages its computing power in a centralized environment. All workstations run off of one desktop hosted in the data center. When the admin makes changes at individual workstations, the changes only get saved locally, until a user signs off, and the system then reverts back to the previous state. What technology does this represent?
Type 1 hypervisor
Persistent VDE
Snapshot
Non-persistent VDE
Non-persistent VDE
Non-persistent Virtual Desktop Environments (VDE) utilize a central desktop through a remote server. When a user logs on to the desktop, changes and work completed are not saved locally long term. As soon as the user logs off, the desktop reverts back to the image on the central location.
3
A cloud customer prefers separating storage resources that hold different sets of data in virtual private clouds (VPCs). One of those data sets must comply with the Health Insurance Portability and Accountability Act (HIPAA) guidelines for patient data. How should the customer configure these VPCs to ensure the highest degree of network security?
Split segments between VPCs.
Monitor the virtual instance usage.
Use third-party next generation firewall.
Create multiple security groups.
Split segments between VPCs.
Network segmentation can assist with separating workloads for performance and load balancing, keeping data processing within an isolated segment for compliance with laws and regulations, and compartmentalizing data access and processing for different departments or functional requirements.
3.0 Implementation
A systems admin deploys a new infrastructure for an organization. Examine the given descriptions and determine which applies to the technology used with the LDAP protocol.
Forward traffic from one node to another
Automatic method for network address allocation
Provides privilege management and authorization
Resolves names to IP addresses
Provides privilege management and authorization
Directory services are the principal means of providing privilege management and authorization on an enterprise network. The Lightweight Directory Access Protocol (LDAP) is a protocol used with X.500 format directories.
3
A network with two normal-working switches has several client computers connected for work and Internet access. After adding two new switches and more client computers, the new computers, as well as some of the old client computers, cannot access the network. What are most likely the cause and the solution?
Select all that apply
A loop in the network
STP
Port security
Flood guard
A loop in the network
STP
A switch loop on the network will cause network connections to drop since the packet cannot make the appropriate hop to the next switch to its final destination. Switching loops also generate broadcast storms.
STP (Spanning Tree Protocol) is a means for the bridges to organize themselves into a hierarchy and prevent loops from forming.
4
Identify which tools would be used to identify suspicious network activity.
Select all that apply
tcpdump
tcpreplay
Wireshark
Metasploit
tcpdump
tcpreplay
Wireshark
tcpdump is a command-line packet capture utility for Linux. The utility will display captured packets until halted manually, and it can save frames to a .pcap file. This tool commonly uses filter expressions to reduce the number of frames captured, such as Type, Direction, or Protocol.
Wireshark is a graphical application that can capture all types of traffic by sniffing the network, and save that data to a .pcap file.
tcpreplay is a command-line utility for Linux that can replay data from a .pcap file, for example, to analyze traffic patterns and data.
3
Which certificate attribute describes the computer or machine it belongs to?
Select all that apply
Certificate authority name
Common name
Company name
Subject alternate name
Common name
Subject alternate name
The common name (CN) attribute identifies the computer or machine by name, usually a fully qualified domain name (FQDN), such as www.comptia.org.
The subject alternative name (SAN) extension field is structured to represent different types of identifiers, including domain names. This is more commonly used as the CN attribute has been deprecated.
3
The RADIUS server is down, and employees need immediate access to Wi-Fi routers in the office building. The WAPs (Wireless Access Points) service smartphones and tablets. After disabling Enterprise mode, how will users connect to the WAPs?
Use company credentials
Use 5 GHz band
Use a pre-shared key
Set devices to 802.11n
Use a pre-shared key
PSK (Pre-shared Key) is the password needed to gain access to a WAP (Wireless Authentication Protocol) that is WPA2 enabled, for example.
3
Mobile engineers are designing a phone that can support internal key-pair certificates for authentication and encryption/decryption capabilities for an internal organization or corporation. Which component may the engineers want to include in the design of this phone?
USB OTG
SEAndroid
Tethering
MicroSD HSM
MicroSD HSM
Micro Secure Digital (MicroSD) Hardware Security Module (HSM) is designed to store cryptographic keys, such as a key-pair certificate, in a secure manner. It requires no extra drivers or uncommon hardware components to use.
3
A web administrator notices a few security vulnerabilities that must be addressed on the company Intranet. The portal must force a secure browsing connection, mitigate script injection, and prevent caching on shared client devices. Determine the secure options to set on the web server’s response headers.
Select all that apply
Secure Cookies
HTTP Strict Transport Security (HSTS)
Cache-Control
Content Security Policy (CSP)
HTTP Strict Transport Security (HSTS)
Cache-Control
Content Security Policy (CSP)
HTTP Strict Transport Security (HSTS) is a header option that forces the browser to connect using HTTPS only, mitigating downgrade attacks, such as SSL stripping.
Content Security Policy (CSP) is a header option that mitigates clickjacking, script injection, and other client-side attacks.
Cache-Control is a header option that sets whether the browser can cache responses. Preventing data caching protects confidential and personal information where the client device is shared by multiple users.
3
Evaluate and select the differences between WPA and WPA2.
Select all that apply
WPA2 supports an encryption algorithm based on the Advanced Encryption Standard (AES) rather than the version of RC4 “patched” with the Temporal Key Integrity Protocol (TKIP).
WPA2 is a security protocol developed by the Wi-Fi Alliance for use in securing wireless networks.
WPA2 is much more secure than WEP, where WPA is not.
WPA2 requires entering a longer password than WPA.
WPA2 supports an encryption algorithm based on the Advanced Encryption Standard (AES) rather than the version of RC4 “patched” with the Temporal Key Integrity Protocol (TKIP).
WPA2 requires entering a longer password than WPA.
WPA2 supports an encryption algorithm based on the Advanced Encryption Standard (AES) rather than the version of RC4 “patched” with the Temporal Key Integrity Protocol (TKIP).
WPA and WPA2 are both much more secure than WEP (wired equivalent privacy).
3
Which system allows a user to authenticate once to a local device and to be authenticated to other servers or services without entering credentials again?
Password vault
OAuth
Single sign-on
OpenID Connect
Single sign-on
A single sign-on (SSO) system allows the user to authenticate once to a local device and be authenticated to compatible application servers without having to enter credentials again.
3
A small company has set up the domain environment to prevent the installation of a list of prohibited software. Employees received this same list via email. What type of method prevents the installation of specific software on workstations?
Whitelisting
Blacklisting
Anti-malware
Application hardening
Blacklisting
Execution control, to prevent the use of unauthorized software, can be implemented as a blacklist. This control means that anything not on the prohibited blacklist can run.
3
A network uses a framework for management and monitoring that uses the Data Encryption Standard (DES) and the Advanced Encryption Standard (AES), which encrypts the contents of traps and query responses. Analyze the types of protocols available for management and monitoring, then deduce the protocol utilized.
SNMPv2c
MIB
SNMPv1
SNMPv3
SNMPv3
Simple Network Management Protocol (SNMP) v3 supports encryption and strong user-based authentication. Instead of community names, the agent is configured with a list of usernames and access permissions.
3
Mobile Android operating system (OS) encryption software might allow encryption of which of the following?
MicroSD
SMS
Passwords
RCS
MicroSD
Micro Secure Digital (MicroSD) is an external media device supported by many Android devices. Built-in and third-party encryption applications on the mobile OS may encrypt these types of removable storage.
3
A network administrator researched Secure Sockets Layer/Transport Layer Security (SSL/TLS) versions to determine the best solution for the network. Security is a top priority along with a strong cipher. Recommend the version to implement, which will meet the needs of the company.
SSL 2.0
SSL 3.0
TLS 1.1
TLS 1.2
TLS 1.2
Transport Layer Security (TLS) 1.2 added support for the strong Secure Hash Algorithm (SHA)-256 cipher along with improvements to the cipher suite negotiation process and protection against known attacks.
3
What protocol alters public IP addresses to private IP addresses and vice versa, in an attempt to protect internal computers from the Internet?
URL Filter
Proxy
NAT
Firewall
NAT
Network addressing protocol (NAT) translates public IP addresses to private and vice versa. By using the NAT protocol on the firewall, a company can hide assets from the public internet.
3
A network administrator can conduct a site survey to find potential placement locations of wireless access points (WAP) using which of the following?
Select all that apply
Wi-Fi Protected Setup (WPS)
Wi-Fi analyzer
Wireless controller
Heat map
Wi-Fi analyzer
Heat map
A Wi-Fi analyzer is software on a laptop or mobile device with a wireless network adapter. Information about the signal is obtained at regularly spaced points as the surveyor moves around.
A heat map is a visual of the information gathered from a Wi-Fi analyzer. It can show where a signal is strong (red) or weak (green/blue), and which channel is being used.
3
Evaluate the following properties and determine which set relates to Domain Name System Security Extension (DNSSEC).
RRset, Signing key
Master key, Transport protocol
Public key, Private key
Community name, Agent
RRset, Signing key
DNS Security Extensions (DNSSEC) help to mitigate spoofing and poisoning attacks. When enabled, a “package” of resource records (called an RRset) is signed with a private key (the Zone Signing Key).