Implementation Flashcards

1
Q

Which IPSec mode is used to create a VPN between two gateways?

A

Tunnel mode

2
Q

Who can change a resource’s category in a mandatory access control environment?

A

Administrators only

3
Q

What is the purpose of content inspection?

A

To search for malicious code or behavior

4
Q

Which information do routers use to forward packets to their destinations?

A

The network address and subnet mask

5
Q

Where should you physically store mobile devices to prevent theft?

A
  • Locked cabinet
  • Safe

6
Q

What is Lightweight Extensible Authentication Protocol (LEAP)?

A

A proprietary wireless LAN authentication method developed by Cisco Systems

7
Q

Between which two OSI layers does Secure Sockets Layer (SSL) operate?

A
  • Between the OSI Transport and Application layers
  • Layer 4 to Layer 7

8
Q

What is the purpose of Remote Access Dial-In User Service (RADIUS)?

A

Enables remote access users to log onto a network through a shared authentication database

9
Q

What is a TPM?

A

A dedicated processor that uses cryptographic keys to perform a variety of tasks

10
Q

What would a certification authority (CA) do if a private key associated with a certificate had been compromised?

A

Revoke the certificate

11
Q

Which settings ensure that accounts are not used beyond a certain date and/or time?

A

Account expiration

12
Q

What is the purpose of network access control (NAC)?

A

Ensures that the computer on the network meets an organization’s security policies

13
Q

What are the two modes of WPA and WPA2?

A
  • Personal, aka
    • Preshared Key
    • WPA-PSK / WPA2-PSK
  • Enterprise
14
Q

What is the name of the area that connects to a firewall and offers services to untrusted networks?

A

Demilitarized zone (DMZ)

15
Q

Which security-server application and protocol implement authentication of users from a central server over UDP?

A

Remote Authentication Dial-In User Service (RADIUS)

16
Q

What is the purpose of an aggregation switch?

A

Combine multiple streams of bandwidth into one

17
Q

Which type of IDS detects malicious packets on a network?

A

Network intrusion detection system (NIDS)

18
Q

What is a sandbox in a secure staging deployment?

A

A test environment that is completely isolated from the rest of the network

19
Q

What does the acronym MAC denote?

A

Mandatory Access Control

20
Q

What application or service uses TCP/UDP port 3389?

A

Remote Desktop Protocol (RDP)

21
Q

Which audit category will audit all instances of users exercising their rights?

A

Audit Privilege Use audit category

22
Q

Which setting ensures that repeated attempts to guess a user’s password are not possible beyond the configured value?

A

Account lockout

23
Q

What is the purpose of BitLocker To Go?

A

Ensure that USB flash drives issued by the organization are protected by encryption

24
Q

What does the subject field in an X.509 v3 certificate contain?

A

The name of the certificate owner

25
What does the acronym RADIUS denote?
Remote Authentication Dial-In User Service
26
Which implementation of the File Transfer Protocol (FTP) provides the least security?
Trivial File Transfer Protocol (TFTP)
27
What port number does HTTP use?
Port 80
28
Which two security protocols does IP Security (IPSec) use?
* Authentication Header (AH)
* Encapsulating Security Payload (ESP)
29
What is the purpose of load balancing?
Distribute the workload across multiple devices
30
On which standard is Lightweight Directory Access Protocol (LDAP) based?
X.500
31
What are the non-overlapping channels for 802.11g/n?
Channels 1, 6, and 11
32
Which protocol provides real-time, online revocation information about certificates?
Online Certificate Status Protocol (OCSP)
33
What is the purpose of anti-spam applications or filters?
Prevent unsolicited email
34
What is the purpose of a spam filter?
Identify and block unwanted messages
35
What are the non-overlapping channels for 802.11b?
Channels 1, 6, 11, and 14
36
Certificate enrollment procedures typically require a user to provide proof of identity and which other item to a certification authority (CA)?
Public key
37
What is the primary security advantage of using network address translation (NAT)?
Hides internal IP addresses from the public network
38
What does VLAN segregation accomplish?
It protects each individual segment by isolating the segments
39
Which firewall port should you enable to allow POP3 traffic to flow through the firewall?
TCP port 110
40
What is a VPN concentrator?
A device that creates a virtual private network (VPN)
41
Which type of key management does Secure Multipurpose Internet Mail Extensions (S/MIME) use: centralized or decentralized?
Centralized
42
What is the purpose of content inspection?
Search for malicious code or behavior
43
Which security protocol is best used for connection-oriented systems such as an intranet?
Secure Socket Layer/Transport Layer Security (SSL/TLS)
44
Does the S/MIME protocol use certificates?
Yes
45
What is the purpose of MAC filtering?
To restrict the clients that can access a wireless network
46
Which category of IDS might increase logging activities, disable a service, or close a port as a response to a detected security breach?
Active detection
47
Which firewall port should you enable to allow SMTP traffic through the firewall?
Port 25
48
On which standard are certificates based?
X.509
49
What is the purpose of secure shell (SSH)?
Secure remote access
50
What is Protected Extensible Authentication Protocol (PEAP)?
A protocol that encapsulates the EAP within an encrypted and authenticated Transport Layer Security (TLS) tunnel
51
What is meant by the term hardware root of trust?
Highly reliable hardware, firmware, and software components that perform specific, critical security functions
52
Which authentication protocol separates authentication and authorization: TACACS+ or RADIUS?
TACACS+
53
Why is password disclosure a significant security issue in a single sign-on (SSO) network?
It could compromise the entire system because authentication grants access to ANY systems on the network to which the actual user may have permission
54
Which type of IDS or IPS uses an initial database of known attack types but dynamically alters their signatures based on learned behavior?
Heuristic
55
Which port number is used by SSH, SCP, and SFTP?
Port 22
56
Which authentication protocol uses tickets to authenticate users?
Kerberos
57
Which two chips are used to implement hardware-based encryption?
* Trusted Platform Module (TPM)
* Hardware Security Module (HSM)
58
Which function does a single sign-on (SSO) system provide?
It allows a user to present authentication credentials once and gain access to all computers within the SSO system.
59
What is the top-most level of the LDAP hierarchy?
Root
60
What does the acronym TPM denote?
Trusted Platform Module
61
What does the acronym SMTP denote?
Simple Mail Transfer Protocol
62
Which three security features do digital certificates provide?
* Authentication
* Data integrity
* Non-repudiation
63
Which security device requires physical possession and has passwords that can only be used once?
Token
64
What is the difference between trusted platform module (TPM) chips and hardware security module (HSM) chips?
* TPM chips are a part of the motherboard
* HSM chips are part of a PCI card that is mounted to the motherboard
65
Which type of IDS detects attacks on individual devices?
Host Intrusion Detection System (HIDS)
66
What port number does NNTP use?
TCP port 119
67
Which type of access control is the multi-level security mechanism used by the Department of Defense (DoD)?
Mandatory access control (MAC)
68
Which port number does LDAP use for communications encrypted using SSL/TLS?
Port 636
69
Which firewall port should you enable to allow IMAP4 traffic to flow through the firewall?
TCP port 143
70
What are the two major types of intrusion detection systems (IDS)?
* Network IDS (NIDS)
* Host IDS (HIDS)
71
What defines the allowed uses for a certificate issued by a certification authority (CA)?
Certificate policy
72
What does the acronym KDC denote?
Key distribution center
73
Which port numbers are used by NetBIOS?
Ports 137-139
74
What is the most common type of system used to detect intrusions into a computer network?
Network Intrusion Detection System (NIDS)
75
Which account should you disable immediately after installing a new operating system (OS) to harden the OS?
Guest account
76
What does the acronym IDS denote?
Intrusion Detection System
77
What port number does DNS use?
Port 53
78
Does each VLAN create its own collision domain or its own broadcast domain?
Broadcast domain
79
What is the purpose of S/MIME?
Secure encryption and digital signatures for email
80
What is the purpose of SNMP?
Routing and switching management
81
Which password attack does account lockout policy protect against?
Brute force attack
82
What does the acronym NFC denote?
Near field communication
83
What is Shibboleth?
An identity management and federated identity-based authentication and authorization system for SAML
84
What is the default automated key-management protocol for IPSec?
Internet Key Exchange (IKE)
85
What is the name for the data structure that maintains a list of certificates that have been revoked before their expiration date?
Certificate Revocation List (CRL)
86
Which wireless protocol provides the best security: WEP, WAP, WPA, or WPA2?
WiFi Protected Access version 2 (WPA2) with CCMP
87
Which security protocol was designed as an interim solution to replace WEP without requiring the replacement of legacy hardware?
Temporal Key Integrity Protocol (TKIP)
88
What is the most significant misuse of cookies?
Misuse of personal data
89
Who has the responsibility for configuring access rights in discretionary access control (DAC)?
The data owner or data custodian
90
Which type of access control was originally developed for military use?
Mandatory Access Control (MAC)
91
What is the default rule found in a firewall's access control list (ACL)?
Deny All
92
What Ethernet standard uses a wireless access point with a remote authentication dial-in user service (RADIUS) server to authenticate wireless users?
802.1x
93
Can an expired digital certificate be renewed?
No
94
Which Kerberos component holds all users' and services' cryptographic keys and generates tickets?
Key Distribution Center (KDC)
95
Which type of IDS detects malicious packets on a network?
Network Intrusion Detection System (NIDS)
96
Which three security features does Authentication Header (AH) provide?
* Integrity
* Authentication
* Anti-replay service
97
What is the name of the list of locations where software can check to see whether a user's certificate has been revoked?
CRL Distribution Point (CDP)
98
Which port number is used by SMB?
TCP port 445
99
Which type of authentication is accomplished by authenticating both the client and server sides for a connection through the encrypted exchange of credentials?
Mutual authentication
100
What type of connectivity provides a remote user the ability to safely connect to his or her corporate network while maintaining data confidentiality and integrity?
Virtual Private Network (VPN)
101
Which term is used when the amount of work that a computer has to do is divided between two or more computers so that more work is performed in the same amount of time?
Load balancing
102
What does the acronym PKI denote?
Public key infrastructure
103
What port number does DHCP use?
Port 67
104
Which port number is used by Microsoft SQL Server?
TCP port 1433
105
Which port is used for LDAP authentication?
Port 389
106
Which PKI object do you use to verify that a user who sends a message is who they claim to be?
Digital certificate
107
Which technology enables a LAN to use one set of IP addresses for internal traffic and a second set of addresses for external traffic, while hiding internal addresses or address space?
Network Address Translation (NAT)
108
How many TCP/UDP ports are vulnerable to malicious attacks?
65,536 ports
109
What does the acronym RBAC denote?
* Role Based Access Control
* Rule Based Access Control
110
Which authentication protocol encrypts the entire packet (not just the password): TACACS+ or RADIUS?
TACACS+
111
What is the default PPTP port?
TCP port 1723
112
What does the acronym SED denote?
Self Encrypting Drive
113
What is the name for a fix that addresses a specific Windows system problem or set of problems?
Hotfix
114
Which Linux file contains encrypted user passwords that only the root user can read?
/etc/shadow
115
Which authentication protocol is an open standard: XTACACS or RADIUS?
RADIUS
116
What is the purpose of network access control (NAC)?
Ensures that the computer on the network meets an organization's security policies
117
Which devices can limit the effectiveness of sniffing attacks: switches or routers?
Switches
118
Which audit category monitors changes to user accounts and groups?
Audit Account Management audit category
119
Which protocol is used by network devices to transmit error messages?
Internet Control Message Protocol (ICMP)
120
How do you ensure that data is removed from a mobile device that has been stolen?
Use a remote wipe or sanitation program
121
Which access control model has the lowest cost?
Role-Based Access Control (RBAC)
122
If a user needs administrative-level access, how many user accounts should be issued to the user?
Two accounts:
* One for normal tasks
* One for admin level tasks
123
Which security server application and protocol implements authentication and authorization of users from a central server over TCP?
Terminal Access Controller Access Control System Plus (TACACS+)
124
What port does NTP use?
Port 123
125
Which wireless mode ensures that wireless clients can only communicate with the wireless access point and not with other wireless clients?
Isolation mode
126
What is the name for a small piece of information that is saved on a client machine on the hard disk to enable tracking of user information for future Web visits?
Cookie
127
What is the purpose of domain name system security extension (DNSSEC)?
Secure domain name resolution
128
What is the purpose of lightweight dictionary application protocol secure (LDAPS)?
Secure directory services
129
What is the name of the top-most level certification authority (CA)?
* Root authority
* Root CA
130
What portion(s) of the IP packet are encrypted in IPSec transport mode?
The payload
131
Which certification authority (CA) has the highest level of trust in a trust hierarchy?
Root CA
132
What are flood guards?
Devices that protect against Denial of Service (DoS) attacks
133
Which Layer 3 device allows different logical networks to communicate?
Router
134
Which security standard is an enhanced version of Secure Sockets Layer (SSL)?
Transport Layer Security (TLS)
135
What do you use to control traffic from the Internet to the LAN (local area network) by controlling the packets that are allowed to enter the LAN?
Firewall
136
What does the acronym SRTP denote?
Secure Real Time Transport Protocol
137
If the user is NOT prompted for credentials when connected to a Network Access Control (NAC) server, what is the user's computer missing?
Authentication agent
138
What does the acronym WAF denote?
Web application firewall
139
What does the acronym POP denote?
Post Office Protocol
140
What port number does SSH use?
Port 22
141
Which term is used to describe a product that provides network firewalling, network intrusion prevention and gateway antivirus (AV), gateway anti-spam, VPN, content filtering, load balancing, data leak prevention and on-appliance reporting?
Unified Threat Management (UTM)
142
Which IPSec mode is used mostly in host-to-host communications?
Transport mode
143
What is the name for the process of tracking user activities by recording selected events in the server activity logs?
Auditing
144
Which two modes does IP Security (IPSec) provide to ensure confidentiality?
* Tunnel mode
* Transport mode
145
What is the default L2TP port?
UDP port 1701
146
What is ANT when used in mobile devices?
A proprietary network technology used for the Internet of Things (IoT)
147
What is the name for a collection of hotfixes that have been combined into a single patch?
Service pack
148
What is a trusted OS?
An operating system that provides support for multilevel security
149
When should an administrative account be used?
When performing admin-level tasks
150
At which OSI layer does IP Security (IPSec) operate?
Network Layer (Layer 3)
151
Which intrusion detection system (IDS) watches for intrusions that match a known identity?
Signature-based IDS
152
What two ports does FTP use?
Ports 20 and 21
153
What does the acronym SAML denote?
Security Assertion Markup Language
154
Why is GPS tracking often disabled?
It is considered a security threat. As long as GPS tracking is enabled and the mobile device is powered on, the device (and possibly its user) can be located.
155
What is the purpose of secure real-time transport protocol (SRTP)?
Secure voice and video
156
What is the term for a device that acts as a concentrator for a wireless LAN?
Wireless Access Point (WAP)
157
What does the acronym FDE denote?
Full Disk Encryption
158
What are the three protocols that can be used for wireless networks?
* Wired Equivalent Privacy (WEP)
* WiFi Protected Access Version 1 (WPAv1)
* WiFi Protected Access Version 2 (WPAv2)
159
What is a file considered in a mandatory access control environment?
An object
160
Which type of access control is most suitable for top-secret information?
Mandatory Access Control (MAC)
161
Which type of authentication combines two or more authentication methods, like something that a person knows (such as a password), something that a person owns (such as a smart card), and a characteristic about the person (such as a fingerprint)?
Multi-Factor Authentication
162
What is the purpose of GPS tracking on a mobile device?
Allows a mobile device to be located
163
Would a certification authority (CA) revoke a certificate if the certificate owner's private key were exposed?
Yes
164
Do certificates provide encryption?
No
165
According to CompTIA, why should you disable the SSID broadcast of your wireless router?
Improve network security
166
What does the acronym L2TP denote?
Layer 2 Tunneling Protocol
167
Which standard developed by RSA offers encryption of email messages and authentication to receive email using digital signatures?
S/MIME
168
Using role-based access control (RBAC), which entities are assigned roles?
Users or subjects
169
What is a proxy server?
A server that caches and filters content
170
Which Internet protocol based on X.500 is used to access the data stored in a network directory?
Lightweight Directory Access Protocol (LDAP)
171
Is a DHCP server normally placed inside a DMZ?
No
172
What is the purpose of remote access dial-in user service (RADIUS)?
Enables remote access users to log on to a network through a shared authentication database
173
Which audit category tracks access to all objects outside Active Directory?
Audit Object Access audit category
174
Which TCP port number does secure socket layer (SSL) use?
Port 443
175
Which port should you block at your network firewall to prevent Telnet access?
Port 23
176
What is the purpose of mobile device encryption?
Ensure that the contents of the mobile device are confidential
177
Which port number does LDAP use when communications are NOT secured using SSL/TLS?
Port 389
178
What is a good solution if you need to separate two departments into separate networks?
VLAN segregation
179
Which port number is used by SSL, FTPS, and HTTPS?
TCP port 443
180
What defines the way in which a certification authority (CA) implements the creation of certificates?
Certificate practice statement
181
What port number is used by TFTP?
UDP port 69
182
Which protocol provides connectionless integrity, data origin authentication, replay protection, and confidentiality (encryption) using Authentication Header (AH) and Encapsulating Security Payload (ESP)?
Internet Protocol Security (IPSec)
183
Which setting ensures that users periodically change their account passwords?
Password expiration
184
What does the acronym OAUTH denote?
Open Authentication
185
What occurs when a user provides a password or proof of identity to a system?
Authentication
186
What does the acronym HSM denote?
Hardware Security Module
187
What is a web security gateway?
A device that filters web content
188
What is key escrow?
When you maintain a secured copy of a user's private key to ensure that you can recover the lost key
189
What is the term for an unauthorized access that a network-based intrusion detection system (NIDS) fails to detect?
* Missed detection
* False negative
190
What does the acronym UTM denote?
Unified Threat Management
191
What does the acronym TACACS denote?
Terminal Access Controller Access Control System
192
What are the two advantages of single sign-on (SSO)?
* Convenience
* Centralized administration
193
What is the primary functionality of lightweight directory access protocol (LDAP)?
Controls client access to directories
194
What is an entity that issues and manages certificates?
Certification Authority (CA)
195
What is the purpose of audit logs?
To document actions taken on a computer network and the party responsible for those actions
196
What is another term used for layered security?
Defense in depth
197
Which services are usually provided by all-in-one security devices?
* URL filtering
* Content inspection
* Malware inspection
198
Which security protocol is the standard encryption protocol for use with the WPA2 standard?
Counter Mode Cipher Block Chaining Message Authentication Code Protocol (CCMP)
199
Which directory protocol does Directory-Enabled Networking (DEN) use?
Lightweight Directory Access Protocol (LDAP)
200
Which audit category tracks all attempts to log on with a domain user account when enabled on domain controllers?
Audit Account Logon Events audit category
201
What is the purpose of screen locks on mobile devices?
To prevent users from accessing the mobile device until a password or other factor is entered
202
What does the acronym DAC denote?
Discretionary Access Control
203
Which authentication protocol uses UDP: TACACS+ or RADIUS?
RADIUS
204
What is the main difference between an IDS and an IPS?
* IDS detects intrusions
* IPS prevents intrusions
205
Which port number does SNMP use?
UDP port 161