Domain 4: Network Security Flashcards

Question

Which of the following security procedures is often tied to group membership? A. Authentication B. Authorization C. Accounting D. Auditing

Answer 1

B. Authorization Authentication is the process of confirming a user's identity. Authorization defines the type of access granted to authenticated users. In many instances, the authorization process is based on the groups to which a user belongs. Accounting and auditing are both methods of tracking and recording a user's activities on a network, such as when a user logged on and how long they remained connected.

Answer 2

B. X.509 X.509, published by the International Telecommunication Union's Standardization sector (ITU-T), defines the format of digital certificates. X.500, another standard published by the ITU-T, defines functions of directory services. IEEE 802.1X is an authentication standard, and IEEE 802.1q defines the VLAN tagging format used on many network switches.

Answer 3

C. Auditing can identify the guess patterns used by password cracking software. Auditing of authentication activities can record both successful and unsuccessful logon attempts. Large numbers of logon failures can indicate attempts to crack passwords. Auditing tracks the time of authentication attempts, sometimes enabling you to detect off-hours logons that indicate an intrusion. Auditing does not record the passwords specified during authentications, so it cannot identify patterns of unsuccessful guesses.

Answer 4

A. Public As part of a public key infrastructure (PKI), digital certificates are associated with a key pair, consisting of a public key and a private key. The public key is supplied with the certificate to any party authenticating the entity to which the certificate was issued. The private key is supplied to the entity with the certificate, but it is not distributed as part of the certificate. Preshared keys are not associated with certificates, and privileged keys do not exist.

Answer 5

A. Authentication Authentication is the process of confirming a user's identity. Smartcards are one of the authentication factors commonly used by network devices. Authorization defines the type of access granted to authenticated users. Accounting and auditing are both methods of tracking and recording a user's activities on a network, such as when a user logged on and how long they remained connected.

Answer 6

A. Multifactor Multifactor authentication combines two or more authentication methods and reduces the likelihood that an intruder would be able to successfully impersonate a user during the authentication process. A password (something you know) and a retinal scan (something you are) is an example of a multifactor authentication system. A smartcard and a PIN, which is the equivalent of a password, is another example of multifactor authentication because it requires users to supply something they know and something they have. Multisegment, multimetric, and multifiltered are not applicable terms in this context.

Answer 7

D. By permitting only devices with specified MAC addresses to connect to an access point MAC address filtering enables administrators to configure an access point to allow only devices with specific addresses to connect; all other traffic is rejected. Access points broadcast their presence using an SSID, not a MAC address. MAC address filtering protects wireless LANs when implemented in an access point, not a firewall. MAC address filtering does not call for the modification of addresses in network packets.

Answer 8

A. NAC Network Access Control is a mechanism that defines standards of equipment and configuration that systems must meet before they can connect to the network.

Answer 9

A. A cryptographic security mechanism that uses the same key for both encryption and decryption Symmetric key encryption uses only one key both to encrypt and decrypt data. Asymmetric key encryption uses public and private keys. Security mechanisms that use multiple key sets are not defined as symmetric.

Answer 10

D. Somewhere you are Geofencing is the generic term for a technology that limits access to a network or other resource based on the client's location. It is therefore best described as somewhere you are. A finger gesture would be considered something you do, a password something you know, and a smartcard something you have.

Answer 11

A. Single sign-on requires the user to supply credentials only once, whereas with same sign-on, the user must supply the credentials repeatedly. Single sign-on uses one set of credentials and requires the user to supply them only once to gain access to multiple resources. Same sign-on also uses a single set of credentials, with one password, but the user must perform individual logons for each resource. Neither single sign-on nor same sign-on requires multifactor authentication.

Answer 12

C. Something you are Biometrics is a type of authentication factor that uses a physical characteristic that uniquely identifies an individual, such as a fingerprint or a retinal pattern. Biometrics is therefore best described as something you are, as opposed to something you know, have, or do.

Answer 13

B. A smartcard Something you have refers to a physical possession that serves to identify a user, such as a smartcard. This type of authentication is typically used as part of a multifactor authentication procedure, because a smartcard or other physical possession can be lost or stolen. A fingerprint would be considered something you are, a password something you know, and a finger gesture something you do.

Answer 14

D. TACACS+ was designed to provide authentication, authorization, and accounting services for network routers and switches. Terminal Access Controller Access Control System Plus (TACACS+) is a protocol designed to provide AAA services for networks with many routers and switches, enabling administrators to access them with a single set of credentials. It was not designed to provide AAA services for wireless networks, Active Directory, or remote dial-in users.

Answer 15

C. Administration Terminal Access Controller Access Control System Plus (TACACS+) is a protocol that was designed to provide AAA services for networks with many routers and switches. AAA stands for authentication, authorization, and accounting, but not administration.

Answer 16

D. Something you do The act of drawing on the screen with your finger is a gesture, which is an example of something you do. A PIN or a password is something you know; a thumbprint, or any other biometric factor, is something you are; and a smartcard is an example of something you have.

Answer 17

D. A finger gesture Something you do refers to a physical action performed by a user, such as a finger gesture, which helps to confirm his or her identity. This type of authentication is often used as part of a multifactor authentication procedure because a gesture or other action can be imitated. A fingerprint would be considered something you are, a password something you know, and a smartcard something you have.

Answer 18

C. A password Something you know refers to information you supply during the authentication process, such as a password or PIN. This is the most common type of authentication factor because it cannot be lost or stolen unless the user violates security policies. A fingerprint would be considered something you are, a finger gesture something you do, and a smartcard something you have.

Answer 19

A. A fingerprint Something you are refers to a physical characteristic that uniquely identifies an individual, such as a fingerprint or other form of biometric. This type of authentication is often used as part of a multifactor authentication procedure because a biometric element can conceivably be compromised. A finger gesture would be considered something you do, a password something you know, and a smartcard something you have.

Answer 20

B. 802.1X NAC is a set of policies that define security requirements that clients must meet before they are permitted to connect to a network. 802.1X is a basic implementation of NAC. RADIUS and TACACS+ are Authentication, Authorization, and Accounting (AAA) services. They are not NAC implementations themselves, although they can play a part in their deployment. Lightweight Directory Access Protocol (LDAP) provides directory service communications.

Answer 21

C. CA A certification authority (CA) is the service that receives requests for certificate enrollment from clients and issues the certificates when the requests are approved. Domain Name System (DNS); Authentication, Authorization, and Accounting (AAA) services; and access control lists (ACLs) do not issue certificates.

Answer 22

C. Authorizing agent An 802.1X transaction involves three parties: the supplicant, which is the client attempting to connect to the network; the authenticator, which is a switch or access point to which the supplicant is requesting access; and the authentication server, which is typically a RADIUS implementation that verifies the supplicant's identity. There is no party to the transaction called an authorizing agent.

Answer 23

B. Enrollment Enrollment is the process by which a client submits a request for a certificate from a certification authority (CA). The enrollment process can be automated and invisible to the user, or it can be a manual request generated using an application. Authorization and authentication, and certification are not terms used for certificate requests.

Answer 24

D. The supplicant is the client user or computer attempting to connect to the network. An 802.1X transaction involves three parties: the supplicant, which is the client attempting to connect to the network; the authenticator, which is a switch or access point to which the supplicant is requesting access; and the authentication server, which is typically a RADIUS implementation that verifies the supplicant's identity. The supplicant is not involved in issuing certificates.

Answer 25

C. The authenticator is the network device to which the client is attempting to connect. An 802.1X transaction involves three parties: the supplicant, which is the client attempting to connect to the network; the authenticator, which is a switch or access point to which the supplicant is requesting access; and the authentication server, which is typically a RADIUS implementation that verifies the supplicant's identity. The authenticator is not involved in issuing certificates.

Answer 26

C. The authentication server The authentication server role is typically performed by a Remote Authentication Dial-In User Service (RADIUS) server. In an 802.1X transaction, the supplicant is the client attempting to connect to the network, the authenticator is a switch or access point to which the supplicant is requesting access, and the authentication server verifies the client's identity.

Answer 27

B. A web page with which a user must interact before being granted access to a wireless network A captive portal is a web page displayed to a user attempting to access a public wireless network. The user typically must supply credentials, provide payment, or accept a user agreement before access is granted. A captive portal does not refer to a switch port, a secured entryway to a room, or a type of extortionate computer attack.

Answer 28

A. Captive portal A web page that prompts users for payment, authentication, or acceptance of a EULA is a captive portal. Ransomware is a type of attack that extorts payment. Port security and root guards are methods for protecting access to switch ports.

Answer 29

A. RADIUS Remote Authentication Dial-In User Service (RADIUS) was originally conceived to provide AAA services for Internet Service Providers (ISPs), which at one time ran networks with hundreds of modems providing dial-up access to subscribers. Terminal Access Controller Access Control System Plus (TACACS+) is a protocol that was designed to provide AAA services for networks with many routers and switches but not for dial-up connections. Kerberos and Lightweight Directory Access Protocol (LDAP) are not AAA services.

Answer 30

A. Wireless access point Wireless access points (WAPs) typically include the ability to maintain an access control list, which specifies the MAC addresses of devices that are permitted to connect to the wireless network. The technique is known as MAC address filtering. RADIUS servers, domain controllers, and smartcards typically do include MAC filtering capabilities.

Answer 31

A. By default, RADIUS uses UDP, and TACACS+ uses TCP. RADIUS uses User Datagram Protocol (UDP) ports 1812 and 1813 or 1645 and 1646 for authentication, whereas TACACS+ uses TCP port 49.

Answer 32

B. TACACS+ Terminal Access Controller Access Control System Plus (TACACS+) is a protocol designed to provide AAA services for networks with many routers and switches, enabling administrators to access them with a single set of credentials. Remote Authentication Dial-In User Service (RADIUS) provides AAA services, but not for routers and switches. Kerberos and Lightweight Directory Access Protocol (LDAP) are not AAA services.

Answer 33

C. Authorization Authorization is the process of determining what resources a user can access on a network. Typically, this is done by assessing the user's group memberships. Authentication is the process of confirming a user's identity. Accounting is the process of tracking a user's network activity. Access control is the creation of permissions that provide users and groups with specific types of access to a resource.

Answer 34

A. Authentication Authentication is the process of confirming a user's identity by checking credentials, such as passwords, ID cards, or fingerprints. Authorization is the process of determining what resources a user can access on a network. Accounting is the process of tracking a user's network activity. Access control is the creation of permissions that provide users and groups with specific types of access to a resource.

Answer 35

B. Accounting Accounting is the process of tracking a user's network activity, such as when the user logged on and logged off and what resources the user accessed. Authentication is the process of confirming a user's identity by checking credentials. Authorization is the process of determining what resources a user can access on a network. Access control is the creation of permissions that provide users and groups with specific types of access to a resource.

Answer 36

D. Open System Authentication Open System Authentication enables any user to connect to the wireless network without a password, which actually increases the security of the protocol. This is because most WEP implementations use the same secret key for both authentication and encryption. An intruder that captures the key during the authentication process might therefore penetrate the data encryption system as well. By not using the key for authentication, you reduce the chances of the encryption being compromised.

Answer 37

C. TKIP Wi-Fi Protected Access (WPA) is a wireless security protocol that was designed to replace the increasingly vulnerable Wired Equivalent Privacy (WEP). WPA added an encryption protocol called Temporal Key Integrity Protocol (TKIP). This too became vulnerable, and WPA2 was introduced, which replaced TKIP with an Advanced Encryption Standard (CCMP-AES) protocol.

Answer 38

B. WEP Wired Equivalent Privacy (WEP) was one of the first commercially available security protocols for wireless LANs. WEP requires 24 bits of the encryption key for the initialization vector, substantially weakening the encryption. WEP was soon found to be easily penetrated and was replaced by Wi-Fi Protected Access (WPA) and then WPA2. Extensible Authentication Protocol (EAP) is a framework for the encapsulation of authentication messages.

Answer 39

B. WPA Wi-Fi Protected Access (WPA) is a wireless security protocol that was designed to replace the increasingly vulnerable Wired Equivalent Privacy (WEP). WPA added an encryption protocol called Temporal Key Integrity Protocol (TKIP). This too became vulnerable, and WPA2 was introduced, which replaced TKIP with an Advanced Encryption Standard protocol (CCMP-AES).

Answer 40

B. EAP Extensible Authentication Protocol (EAP) is a framework for the encapsulation of authentication messages. EAP is used on wireless networks and point-to-point connections and supports dozens of different authentication methods. Wi-Fi Protected Access (WPA) is a wireless encryption standard. Temporal Key Integrity Protocol (TKIP) is an encryption algorithm. Transport Layer Security (TLS) is an encryption protocol used for Internet communications.

Answer 41

A. Authentication Extensible Authentication Protocol (EAP) and 802.1X are both components of an authentication mechanism used on many wireless networks. EAP and 802.1X do not themselves provide authorization, encryption, or accounting services.

Answer 42

B. WEP Wired Equivalent Privacy (WEP), which was one of the first commercially successful security protocols for wireless LANs, enabled administrators to choose between open and shared key authentication. The open option enabled clients to connect to the network with an incorrect key. The shared option required the correct key, but it also exposed the key to potential intruders.

Answer 43

A. WEP Wired Equivalent Privacy (WEP) was one of the first commercially available security protocols for wireless LANs, but it was soon found to be easily penetrated and was replaced by Wi-Fi Protected Access (WPA) and then WPA2. Extensible Authentication Protocol (EAP) is a framework for the encapsulation of authentication messages.

Answer 44

B. TKIP WPA uses the Temporal Key Integrity Protocol (TKIP) for encryption. It does not use Advanced Encryption Standard (AES), which eventually replaced TKIP in WPA2. Secure Hash Algorithm (SHA) and Message Digest 5 (MD5) are both file hashing algorithms, not used for wireless network encryption.

Answer 45

A. RC4 TKIP uses the RC4 stream cipher for its encryption. Advanced Encryption Standard (AES) is used with CCMP on version 2 of the Wi-Fi Protected Access (WPA2) security protocol, not version 1 (WPA), which uses TKIP. Secure Hash Algorithm (SHA) is a file hashing algorithm, not used for wireless network encryption.

Answer 46

C. WPA2 CCMP, the full name of which is Counter Mode Cipher Block Chaining Message Authentication Code Protocol, is based on the Advanced Encryption Standard (AES) and is the encryption protocol used with the Wi-Fi Protected Access II (WPA2) security protocol on wireless networks. CCMP is not used with version 1 of the WPA protocol or with Wired Equivalent Privacy. 802.1X is an authentication protocol, not used for encryption.

Answer 47

C. AES CCMP, the full name of which is Counter Mode Cipher Block Chaining Message Authentication Code Protocol, is based on the Advanced Encryption Standard (AES) and is the encryption protocol used with the Wi-Fi Protected Access II (WPA2) security protocol on wireless networks. CCMP is not based on the Temporal Key Integrity Protocol (TKIP), which uses RC4 as its stream cipher. 802.1X is an authentication protocol, not used for encryption.

Answer 48

D. Type the SSID manually and then select WPA2 from the security protocol options provided. An SSID that is not broadcast is not detectable by clients, so you must type it in manually. Security protocols are also not detectable, so you must configure the clients to use the same protocol you selected on the client.

Answer 49

C. Geofencing Geofencing is the generic term for a technology that limits access to a network or other resource based on the client's location. In wireless networking, geofencing is intended to prevent unauthorized clients outside the facility from connecting to the network. Local authentication is an application or service that triggers an authentication request to which the user must respond before access is granted. Port security is a method for protecting access to switch ports. Motion detection is a system designed to trigger a notification or alarm when an individual trespasses in a protected area.

Answer 50

A. A wireless network that allows clients to authenticate only when the signal strength of their connections exceeds a specified level. Geofencing is a mechanism that is intended to prevent unauthorized clients outside the facility from connecting to the network. The mechanism can take the form of a signal strength requirement, a GPS location requirement, or strategic placement of wireless access points. The other options listed are not descriptions of typical geofencing technologies.

Answer 51

A. WPA-Personal WPA-Personal, also known as WPA-PSK, is intended for small networks and requires a preshared key. WPA-Enterprise, also known as WPA-802.1X, uses the Extensible Authentication Protocol (EAP) to support various types of authentication factors and requires a Remote Authentication Dial-In User Service (RADIUS) server.

Answer 52

C. Certificate As part of a public key infrastructure (PKI), digital certificates are associated with a key pair, consisting of a public key and a private key. The certificate is issued to a person or computer as proof of its identity. A signature does not associate a person or computer with a key pair. An exploit is a hardware or software element that is designed to take advantage of a vulnerability. Resource records are associated with the Domain Name System (DNS).

Answer 53

C. EAP Wired Equivalent Protocol (WEP) and Wi-Fi Protected Access II (WPA2) are both wireless security protocols that control access to the network and provide encryption, using protocols like Advanced Encryption Standard (AES). These protocols do not provide authentication services, however. Extensible Authentication Protocol (EAP) is a framework for the encapsulation of authentication messages. Its many variants provide support for the use of smartcards and other authentication factors, such as biometrics, in addition to traditional passwords.

Answer 54

A. MAC filtering MAC filtering takes the form of an access control list (ACL) on the wireless network's access points, listing the MAC addresses of all the devices that are to be permitted to access the network. If the MAC address of Alice's laptop is not included in the ACL, she will be unable to connect to the network. Alice has been given the SSID of the network, so she should be able to connect, even if the access points are not broadcasting the SSID. Geofencing is intended to prevent users outside the office from accessing the network, so this should not be the problem. Alice has been given the passphrase for the network, so she should be able to configure WPA2 on her laptop.

Answer 55

A. AES Wi-Fi Protected Access (WPA) is a wireless security protocol that was designed to replaces the increasingly vulnerable Wired Equivalent Privacy (WEP). WPA added an encryption protocol called Temporal Key Integrity Protocol (TKIP). This too became vulnerable, and WPA2 was introduced, which replaced TKIP with the stronger CCMP-Advanced Encryption Standard (CCMP-AES). Extensible Authentication Protocol and 802.1X do not provide encryption.

Answer 56

D. TKIP eliminates the use of preshared keys. TKIP augments the existing WEP encryption key, making it longer, enabling it to be changed for every packet, and enabling WPA to be deployed without replacing network adapter or access point hardware. TKIP does continue to support the use of preshared keys.

Answer 57

B. Passphrase To use the WPA2 protocol with a preshared key, the client and the access point must both be configured with the same passphrase. The base key, the serial number, and the MAC address are all components that WPA2 uses to generate the encryption key for each packet.

Answer 58

C. Replay attacks A replay attack is one in which an attacker utilizes the encryption key found in a previously captured packet to gain access to the network. Because TKIP generates a unique encryption key for every packet, it prevents this type of attack from being successful.

Answer 59

C. WPA2 Wi-Fi Protected Access (WPA) is a wireless security protocol that was designed to replace the increasingly vulnerable Wired Equivalent Privacy (WEP). WPA added an encryption protocol called Temporal Key Integrity Protocol (TKIP). This too became vulnerable, and WPA2 was introduced, which replaced TKIP with CCMP-Advanced Encryption Standard (CCMP-AES).

Answer 60

A. WEP Wired Equivalent Privacy (WEP) was the first wireless LAN security protocol to achieve widespread use in commercial products. This protocol was soon found to be vulnerable to attack, and it was replaced by Wi-Fi Protected Access (WPA), which added a stronger encryption protocol called Temporal Key Integrity Protocol (TKIP).

Answer 61

A. CCMP-AES WPA2 adds Counter Mode Cipher Block Chaining Message Authentication Code Protocol – Advanced Encryption Standard (CCMP-AES), a new symmetric key encryption algorithm that strengthens the protocol's security.

Answer 62

B. WPA2 Wi-Fi Protected Access 2 (WPA2) will provide the maximum security for the wireless network, in part because it uses long encryption keys that change frequently.

Answer 63

C. WPA2 Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (CCMP) with Advanced Encryption Standard (AES) is an encryption protocol that is used with the Wi-Fi Protected Access II security protocol. WPA was created to replace the insecure Wired Equivalent Privacy (WEP) protocol, and WPA2 was created to replace the Temporal Key Integrity Protocol (TKIP) used in the first version of WPA. Extensible Authentication Protocol (EAP) is a framework for the encapsulation of authentication messages.

Answer 64

A. CCMP-AES Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (CCMP) with Advanced Encryption Standard (AES) is an encryption protocol that is used with the Wi-Fi Protected Access II (WPA2) security protocol. WPA was created to replace the insecure Wired Equivalent Privacy (WEP) protocol, and WPA2 was created to replace the Temporal Key Integrity Protocol (TKIP) used in the first version of WPA.

Answer 65

C. Using MAC filtering to create a list of devices that are permitted to access a wireless network Whitelisting is the process of using MAC filtering to specify the hardware addresses of devices that are permitted to access a wireless network. Blacklisting, by contrast, is making a list of addresses that are denied access to the network.

Answer 66

B. TKIP-RC4 Wi-Fi Protected Access (WPA) was created to replace the insecure Wired Equivalent Privacy (WEP) protocol and used Temporal Key Integrity Protocol (TKIP) with the RC4 cipher for encryption.

Answer 67

B. WPA Wi-Fi Protected Access (WPA) was created to replace the insecure Wired Equivalent Privacy (WEP) protocol and used the Temporal Key Integrity Protocol (TKIP) with the RC4 cipher.

Answer 68

B. Ransomware Ransomware is a type of attack in which a user's access to his or her data is blocked unless a certain amount of money is paid to the attacker. The blockages can vary from simple screen locks to data encryption. War driving is an attack method that consists of driving around a neighborhood with a computer scanning for unprotected wireless networks. Denial of service is a type of attack that overwhelms a computer with traffic, preventing it from functioning properly. ARP poisoning is the deliberate insertion of fraudulent information into the ARP cache stored on computers and switches.

Answer 69

C. Logic bomb A logic bomb is a code insert placed into a legitimate software product that triggers a malicious event when specific conditions are met. Social engineering is the practice of obtaining sensitive data by contacting users and pretending to be someone with a legitimate need for that data. War driving is an attack method that consists of driving around a neighborhood with a computer scanning for unprotected wireless networks. An evil twin is a fraudulent access point on a wireless network that mimics the SSID of a legitimate access point, in the hope of luring in users.

Answer 70

B. War chalking When a war driver locates a wireless network and marks it for other attackers, it is called war chalking. There are no such attacks as war tagging and war signing.

Answer 71

B. Bluesnarfing Bluesnarfing is an attack in which an intruder connects to a wireless device using Bluetooth, for the purpose of stealing information. Bluejacking is the process of sending unsolicited messages to a device using Bluetooth. The other options do not exist.

Answer 72

D. Bluejacking Bluejacking is the process of sending unsolicited text messages, images, or sounds to a smartphone or other device using Bluetooth. Bluesnarfing is an attack in which an intruder connects to a wireless device using Bluetooth, for the purpose of stealing information. The other options do not exist.

Answer 73

D. Permanent A permanent DoS attack is one in which the attacker actually damages the target system and prevents it from functioning. This can be a physical attack that actually damages the hardware, or the attacker can disable the server by altering its software or configuration settings.

Answer 74

B. A distributed DoS attack uses malware-infected computers to flood a target, whereas a reflective DoS attack takes advantage of other servers’ native functions to make them flood a target. Distributed DoS attacks use hundreds or thousands of computers that have been infected with malware, called zombies, to flood a target server with traffic, in an attempt to overwhelm it and prevent it from functioning. A reflective DoS attack is one in which the attacker sends requests containing the target server's IP address to legitimate servers on the Internet, such as DNS servers, causing them to send a flood of responses to the target. Neither attack type causes a computer to flood itself.

Answer 75

A. Amplified An amplified DoS attack is one in which the messages sent by the attacker require an extended amount of processing by the target servers, increasing the burden on them more than simpler messages would. Reflective and distributed DoS attacks use other computers to flood a target with traffic. A reflective DoS attack is one in which the attacker sends requests containing the target server's IP address to legitimate servers on the Internet, such as DNS servers, causing them to send a flood of responses to the target.

Answer 76

A. Implement a program of user education and corporate policies. Social engineering is the practice of obtaining sensitive data by contacting users and pretending to be someone with a legitimate need for that data. No software or hardware solution can prevent it; the only way is to educate users of the potential dangers and establish policies that inform users what to do when they experience a social engineering attempt.

Answer 77

C. VLAN hopping enables an attacker to access different VLANs using 802.1q spoofing. VLAN hopping is a method for sending commands to switches to transfer a port from one VLAN to another. This can enable the attacker to connect his or her device to a potentially sensitive VLAN. VLAN hopping does not modify the switch's patch panel connections, only its VAN assignments. It is not possible to rename a switch's default VLAN. VLAN hopping does not enable an attacker to change a switch's native VLAN.

Answer 78

D. Uses a botnet to bombard the target with traffic A smurf attack does not use a botnet, which is a group of computers running a remote control malware program without their owners knowing it. The computers participating in a smurf attack are simply processing traffic as they normally would. A smurf attack involves flooding a network with the same ICMP Echo Request messages used by ping but sent to the network's broadcast address.

Answer 79

A. Spoofing Spoofing is the process of modifying network packets to make them appear as though they are transmitted by or addressed to someone else. One way of doing this is to modify the MAC address in the packets to one that is approved by the MAC filter.

Answer 80

C. Distributed A distributed denial-of-service (DDoS) attack is one in which the attacker uses hundreds or thousands of computers, controlled by malware and called zombies, to send traffic to a single server or website, in an attempt to overwhelm it and prevent it from functioning.

Answer 81

A. Amplified An amplified DoS attack is one in which the messages sent by the attacker require an extended amount of processing by the target servers, increasing the burden on them more than simpler messages would.

Answer 82

B. Reflective A reflective DoS attack is one in which the attacker sends requests containing the target server's IP address to legitimate servers on the Internet, such as DNS servers, causing them to send a flood of responses to the target.

Answer 83

D. Permanent A permanent DoS attack is one in which the attacker actually damages the target system and prevents it from functioning. This can be a physical attack that damages the hardware, or the attacker can disable the server by altering its software or configuration settings.

Answer 84

B. Insider threats Your supervisor's concern is that the disgruntled technician might take advantage of his access to devices and facilities to sabotage the network. When an individual takes advantage of information gathered during his or her employment, it is called an insider threat.

Answer 85

C. Distributed Distributed DoS attacks use hundreds or thousands of computers that have been infected with malware, called zombies, to flood a target server with traffic, in an attempt to overwhelm it and prevent it from functioning.

Answer 86

D. DNS poisoning DNS poisoning is a type of attack in which an attacker adds fraudulent information into the cache of a DNS server. Then, when a client attempts to resolve the name of a website or other server, the DNS server supplies the incorrect IP address, causing the client to access the attacker's server instead.

Answer 87

B. Name resolution DNS poisoning is a type of attack in which an attacker adds fraudulent information into the cache of a DNS server. This can interfere with the name resolution process by causing a DNS server to supply the incorrect IP address for a specified name.

Answer 88

B. A vulnerability is a potential weakness in a system and an exploit is a hardware or software element that is designed to take advantage of a vulnerability. A vulnerability is a weakness, whether in software or hardware, of which an exploit is designed to take advantage. Neither term is specific to hardware or software.

Answer 89

C. Vulnerability A vulnerability is a potential weakness in a system that an attacker can use to his or her advantage. An exploit is a hardware or software element that is designed to take advantage of a vulnerability.

Answer 90

A. Smurf In a smurf attack, the attacker sends ping requests, which use the Internet Control Message Protocol (ICMP), to the broadcast address. The request messages are altered to appear as though sent by the designated target so that all of the replies are sent to that system.

Answer 91

D. Fraggle A fraggle attack is similar to a smurf attack in that the attacker generates a large amount of spoofed broadcast traffic that appears to have been sent by the target system. All of the replies to the broadcasts are then transmitted to the target. The difference between a fraggle and a smurf attack is that a fraggle attack uses User Datagram Protocol (UDP) traffic instead of ICMP.

Answer 92

D. Logic bomb A logic bomb is a code insert placed into a legitimate software product that triggers a malicious event when specific conditions are met. The terminated administrator might have created code designed to trigger the deletions after the administrator's departure from the company.

Answer 93

A. War driving War driving is an attack method that consists of driving around a neighborhood with a computer scanning for unprotected wireless networks.

Answer 94

B. A type of attack in which an intruder retransmits captured authentication packets to gain access to a secured resource A replay attack is one in which an attacker utilizes the information found in previously captured packets to gain access to a secured resource. In many cases, the captured packets contain authentication data. In this way, the attacker can make use of captured passwords, even when they are encrypted and cannot be read. The other options all describe valid attack methodologies, but they are not called replay attacks.

Answer 95

B. Phishing This is a classic example of a phishing scam. In all likelihood, the link in the email Ed received has taken him not to the real website of his bank, but rather a duplicate created by an attacker. By supplying his logon credentials, he is in effect giving them to the attacker, who can now gain access to his real bank account.

Answer 96

A. A computer that is remotely controllable because it has been infected by malware A zombie is a computer that has been infected by malware—usually some form of Trojan—which an attacker can control remotely, causing the computer to flood a target system with traffic. An attack using multiple zombies is known as a distributed denial-of-service (DDoS) attack. The other options are not examples of zombies.

Answer 97

C. A message appears on a user's screen, stating that system is locked and will only be released on payment of a fee. Ransomware is a type of attack in which a user's access to his or her computer or data is blocked unless a certain amount of money is paid to the attacker. The blockages can vary from simple screen locks to data encryption.

Answer 98

B. Social engineering Social engineering is the practice of obtaining sensitive data by contacting users and pretending to be someone with a legitimate need for that data. No computer equipment is required and no software or hardware solution can prevent it; the only way is to educate users of the potential dangers and establish policies that inform users what to do when they experience a social engineering attempt.

Answer 99

B. An attacker cracking a password by trying thousands of guesses A brute-force attack is one in which an attacker uses repeated guesses to find a password, an open port, or some other type of sensitive data. Brute force does not refer to a physical attack.

Answer 100

A. Evil twin An evil twin is a fraudulent access point on a wireless network, which an intruder can use to obtain passwords and other sensitive information transmitted by users.

Answer 101

C. Social engineering Social engineering is the term for a type of attack in which a smooth-talking intruder contacts a user and convinces him or her to disclose sensitive information, such as account passwords.

Answer 102

A. Distribute a list of common passwords that are insecure, such as those based on names, birth dates, etc. There are no policies that can prevent users from creating easily guessed passwords. The only action that can help is to educate users of the fact that attackers are frequently able to guess passwords by using information such as familiar names and dates.

Answer 103

C. WPA2 WPA2 is the most secure of the wireless protocols, providing the greatest degree of network device hardening.

Answer 104

C. File hashing Secure Hash Algorithm (SHA) and Message Digest 5 (MD5) are file hashing algorithms, used to test data integrity by calculating a hash value before transmission a file over a network. After the transmission, the receiving system performs the same calculation. If the values match, then the data is intact. These two algorithms are not used for data encryption, digital signing, or wireless authentication.

Answer 105

B. Attackers can capture packets transmitted over the network and read the SSID from them. Disabling SSID broadcasts is a way of hiding the presence of a wireless network, but if an intruder knows that a network is there, it is a simple matter to capture packets transmitted by the wireless devices and read the SSID from them.

Answer 106

B. Malware Operating system updates and patches are frequently released to address newly discovered exploits that make computers vulnerable to malware infestation. Applying updates on a regular basis can help to mitigate the impact of malware.

Answer 107

C. Upgrading firmware Upgrading the UEFI or BIOS firmware on a server typically does not enhance its security, so it cannot be considered a form of server hardening.

Answer 108

B. File hashing File hashing uses a cryptographic algorithm, such as Secure Hash Algorithm (SHA) or Message Digest 5 (MD5), to generate a checksum value for a file that is transmitted along with it. When the recipient applies the same algorithm to the received file, the checksum value should be the same, indicating the file has not been modified in transit.

Answer 109

D. Passwords must meet complexity requirements. The “Passwords must meet complexity requirements” policy includes a provision that new passwords cannot include the user's account name or full name. If the full name is delimited by spaces or punctuation, the individual words cannot appear in the password either. The other options do not prevent the use of common passwords.

Answer 110

D. Deauthentication Deauthentication is a type of denial-of-service attack in which the attacker targets a wireless client by sending a deauthentication frame that causes the client to be disconnected from the network. It is therefore not a method for hardening an access point.

Answer 111

C. Network hardening Network hardening is a term used to describe any method of making it more difficult for intruders to penetrate. In many cases, network hardening techniques are based on education rather than technology. Compelling users to create passwords that are difficult to guess is one example of this.

Answer 112

D. DMZ A perimeter network is a segment that is separated from the internal network by a firewall and exposed to the Internet. Administrators typically use a perimeter network for servers that must be accessible by outside users, such as web and email servers. Another term for a perimeter network is a DMZ, or demilitarized zone.

Answer 113

B. Honeypot A honeypot is a computer configured to function as bait for attackers, causing them to waste their time penetrating a resource that provides no significant access.

Answer 114

B. Man trap An entrance arrangement in which people must close one door before they can open the next one is called a man trap. Security personnel can evaluate potential entrants while they are in the vestibule and detain attempted intruders there.

Answer 115

A. Mitigation techniques A honeypot or honeynet is a type of mitigation technique that takes the form of a computer or network configured to function as bait for attackers, causing them to waste their time penetrating a resource that provides no significant access.

Answer 116

D. Detour Honeypots and honeynets are computers and networks designed to function as lures for attackers, in the hope that they will waste their time and resources attempting to gain access to them. Therefore, detour is the best metaphor for the function of these devices.

Answer 117

C. DMZ A network segment that is separated from the internal network by a firewall and exposed to the Internet is called a demilitarized zone (DMZ), or a perimeter network. Administrators typically use a DMZ for servers that must be accessible by outside users, such as web and email servers.

Answer 118

D. An organization hires an outside consultant who attempts to compromise the network's security measures. Penetration testing is when an outside consultant is engaged to attempt an unauthorized access to protected network resources. Testing by an internal administrator familiar with the security barriers would not be a valid test.

Answer 119

D. DHCP snooping DHCP snooping is a feature found in some network switches that prevents rogue DHCP servers from assigning IP addresses to clients. It can also detect when DHCP release or decline messages arrive over a port other than the one on which the DHCP transaction originated. The other options are all techniques that are applicable to servers.

Answer 120

D. MAC addresses Wireless access points use the layer 2 MAC addresses coded into devices in their access control lists. Usernames, IP addresses, and device names can easily be impersonated.

Answer 121

B. Hubs ACLs restrict access to network devices by filtering usernames, MAC addresses, IP addresses, or other criteria. Routers, switches, and wireless access points all use ACLs to control access to them. Hubs are purely physical layer devices that relay electrical or optical signals. They have no way of controlling access to them.

Answer 122

B. Authorization ACLs define the type of access granted to authenticated users. This process is known as authorization. Authentication is the confirmation of a user's identity. Accounting and auditing are both methods of tracking and recording a user's activities on a network.

Answer 123

C. Role separation Role separation is the practice of creating a different virtual server for each server role or application. In addition to providing other benefits as well, this forces intruders to mount attacks on multiple servers to disable an entire network.

Answer 124

B. Servers Role separation is the practice of creating a different virtual server for each server role or application. In addition to providing other benefits as well, this forces intruders to mount attacks on multiple servers to disable an entire network. Switches, routers, and access points do not use this technique.

Answer 125

D. DHCP snooping prevents DNS cache poisoning. DHCP snooping is a feature found in some network switches that prevents rogue DHCP servers from assigning IP addresses to clients. It can also detect when DHCP release or decline messages arrive over a port other than the one on which the DHCP transaction originated. Although DHCP snooping can prevent DHCP clients from being assigned an incorrect IP address, it does not directly prevent the poisoning of DNS server caches with erroneous information.

Answer 126

A. Data link Although DHCP is an application layer service, which uses the UDP transport layer protocol to assign network layer IP addresses, DHCP snooping is a data link layer process in which a network switch examines incoming DHCP traffic to determine whether it originates from an authorized server and is arriving over the correct port.

Answer 127

B. Denial of service One of the most common ways to stop a server from functioning properly is to flood it with traffic of a particular type. Denial-of-service attacks frequently use floods of ping messages or TCP SYN packets to attack a server. A flood guard is a filter implemented in a firewall or a standalone device to prevent the flood of traffic from reaching the intended target.

Answer 128

C. MAC flooding By flooding a switch with frames containing many different false MAC addresses, an attacker can cause the legitimate entries in the switch's MAC table to be aged out of the device and replaced with bogus entries. When the destinations of incoming frames are not found in the table, the switch broadcasts them throughout the network, where they can be more readily captured and compromised. A flood guard is a mechanism that prevents confirmed MAC address in the table from being replaced.

Answer 129

B. STP A root guard affects the behavior of the Spanning Tree Protocol (STP) by enforcing the selection of root bridge ports on a switched network. Without root guards, there is no way for administrators to enforce the topology of a network with a redundant switching fabric.

Answer 130

A. Double-tagged packets are prevented. To join ports on different switches into one VLAN, you designate a trunk port on each switch for the traffic between switches. Initially, the native VLAN uses the default VLAN1 for trunk traffic, and that traffic is left untagged. Untagged traffic is susceptible to attacks using double-tagged packets. When you configure the native VLAN to use tagging, this makes it impervious to double-tagging.

Answer 131

C. IEEE 802.1q The IEEE 802.1q protocol is responsible for VLAN tagging, a procedure that enables network switches to support virtual LANs (VLANs). Through the insertion of VLAN identifier tags into frames, switches can determine which VLAN each packet is destined for and forward it to the correct ports.

Answer 132

B. By preventing double-tagged packets When in-band switch management traffic, such as that generated by a Secure Shell (SSH) connection to a switch, uses the native VLAN, it is untagged by default. This is because the native VLAN is at first the default VLAN1, which is not tagged by the 802.1q protocol, leaving it open to certain types of double-tagging attacks. When you tag the native VLAN traffic, it is rendered immune to double-tagging.

Answer 133

A. File integrity monitoring File integrity monitoring (FIM) is a process that typically consists of a comparison of files in their current state to a known baseline copy stored elsewhere. The comparison can be direct, or it could involve the calculation of checksums or other types of file hashes. The object of the comparison is to detect changes in documents, both in content and in sensitive areas, such as credentials, privileges, and security settings, which might indicate the presence of a potential or actual security breach.

Answer 134

C. Segmentation Digital signatures can be used for the following functions: authentication, to confirm that data originated from a specific individual; nonrepudiation, to prevent the sender from denying the data's origin; and integrity, to confirm that the data has not been modified in transit. Segmentation is not a function of digital signatures.