Brainscape's Knowledge GenomeTM


Top Flashcards (Certified)
All Flashcards

CompTIA A+ > Lesson 16: Configuring SOHO Network Security > Flashcards

Lesson 16: Configuring SOHO Network Security Flashcards

1
Q

‘Confidentiality’ and ‘Integrity’ are two important properties of information stored in a secure retrieval system. What is the third property?

A

‘Availability’.

Explanation: ‘availability’ is the information that is inaccessible is not of much use to authorized users. For example, a secure system must protect against ‘denial of service’ (DoS) attacks.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
2
Q

True or false? The level of risk from ‘zero-day’ attacks is only significant with respect to EOL systems.

A

False

Explanation: A ‘zero-day’ is a vulnerability that is unknown to the product vendor and means that no patch is available to mitigate it. This can affect currently supported as well as unsupported ‘end-of-life’ (EOL) systems.

The main difference is that there is a good chance of a patch being developed if the system is still supported, but almost no chance if it is EOL.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
3
Q

A threat actor crafts an email addressed to a senior support technician inviting him to register for free football coaching advice. The website contains password-stealing malware. What is the name of this type of attack?

A

Phishing Attack

Explanation: A ‘phishing attack’ tries to make users authenticate with a fake resource, such as a website. Phishing emails are often sent in mass as spam. This is a variant of phishing called spear phishing because it is specifically targeted at a single person, using personal information known about the subject (his or her football-coaching volunteer work).

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
4
Q

You are assisting with the development of ‘end-user’ security awareness documentation. What is the difference between tailgating and shoulder surfing?

A

‘Tailgating’ means following someone else through a door or gateway to enter premises without authorization.

‘Shoulder surfing’ means covertly observing someone type a PIN or password or other confidential data.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
5
Q

You discover that a threat actor has been able to harvest credentials from some visitors connecting to the company’s wireless network from the lobby. The visitors had connected to a network named ‘Internet’ and were presented with a web page requesting an email address and password to enable guest access. The company’s access point had been disconnected from the cabled network. What type of attack has been perpetrated?

A

Evil Twin Attack

Explanation: the threat actor uses social engineering techniques to persuade users to connect to an access point that spoofs a legitimate guest network service.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
6
Q

A threat actor recovers some documents via ‘dumpster diving’ and learns that the system policy causes passwords to be configured with a random mix of different characters that are only five characters in length. To what type of ‘password cracking’ attack is this vulnerable?

A

‘Brute force’ attacks

‘Brute force’ attacks are effective against short passwords.

‘Dictionary’ attacks depend on users choosing ordinary words or phrases in a password.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
7
Q

What type of cryptographic key is delivered in a digital certificate?

A

A ‘public key’.

A digital certificate is a wrapper for a subject’s public key. The public and private keys in an asymmetric cipher are paired. If one key is used to encrypt a message, only the other key can then decrypt it.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
8
Q

True or false? TKIP represents the best available wireless encryption and should be configured in place of AES if supported.

A

False

‘Advanced Encryption Standard’ (AES) provides stronger encryption and is enabled by selecting ‘Wi-Fi Protected Access’ (WPA) version 2 with AES/CCMP or WPA3 encryption mode. The ‘Temporal Key Integrity Protocol’ (TKIP) attempts to fix problems with the older RC4 cipher used by the first version of WPA. TKIP and WPA1 are now deprecated.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
9
Q

True or false? WPA3 personal mode is configured by selecting a passphrase shared between all users who are permitted to connect to the network.

A

True.

WPA3-Personal uses group authentication via a shared passphrase. The ‘Simultaneous Authentication of Equals’ (SAE) mechanism by which this passphrase is used to generate network encryption keys is improved compared to the older WPA2 protocol, however.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
10
Q

What two factors must a user present to authenticate to a wireless network secured using EAP-TLS?

A

The ‘private key’ and the ‘certificate’ + an ‘authentication’.

‘Extensible Authentication Protocol’ (EAP) allows for different types of mechanisms and credentials. The ‘Transport Layer Security’ (TLS) method uses digital certificates installed on both the server and the wireless station. The station must use its private key and its certificate to perform a handshake with the server; this is one factor; the user must authenticate to the device to allow use of this private key; this device authentication (via a password, PIN, or bio gesture) is the second factor.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
11
Q

In AAA architecture, what type of device might a RADIUS client be?

A

An ‘Access Point’.

AAA refers to ‘Authentication, Authorization, and Accounting’, and the ‘Remote Access Dial-in User Service’
(RADIUS) protocol is one way of implementing this architecture. The RADIUS server is positioned on the
internal network and processes authentication and authorization requests. The RADIUS client is the access point, and it must be configured with the IP address of the server plus a shared secret passphrase. The access point forwards authentication traffic between the end-user device (a supplicant) and the RADIUS server but cannot inspect the traffic.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
12
Q

You have selected a secure location for a new home router, changed the default password, and verified the WAN IP address and Internet link. What next step should you perform before configuring wireless settings?

A

To check for a firmware update.

Using the latest firmware is important to mitigate risks from software vulnerabilities.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
13
Q

You are reviewing a secure deployment checklist for home router wireless configuration. Following the CompTIA A+ objectives, what additional setting should be considered along with the following four settings?
- Changing the service set identifier (SSID)
- Disabling SSID broadcast
- Encryption settings
- Changing channels

A

To disable guest access.

It might be appropriate to allow a guest network depending on the circumstances, but the general principle is that services and access methods that are not required should be disabled.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
14
Q

You are assisting a user with setting up Internet access to a web server on a home network. You want to configure a DHCP reservation to set the web server’s IP address, allow external clients to connect to the secure port TCP/443, but configure the web server to listen on port TCP/8080. Is this configuration possible on a typical home router?

A

Yes.

You need to configure a port-mapping rule so that the router takes requests arriving at its WAN IP for TCP/443 and forwards them to the server’s IP address on TCP/8080. Using a known IP address for the server by configuring a ‘Dynamic Host Configuration Protocol’ (DHCP) reservation simplifies this configuration. The home router’s DHCP server must be configured with the ‘media access control’ (MAC) address or hardware identifier of the web server.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
15
Q

A different user wants to configure a multiplayer game server by using the DMZ feature of the router. Is this the best configuration option?

A

Probably not.

Using a home router’s ‘demilitarized zone’ or DMZ host option forwards traffic for all ports not covered by specific port forwarding rules to the host. It is possible to achieve a secure configuration with this option by blocking unauthorized ports and protecting the host using a personal firewall, but using specific port forwarding / mapping rules is better practice. The most secure solution is to isolate the game server in a screened subnet so that is separated from other LAN hosts, but this typically requires multiple router / firewalls.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
16
Q

You are assisting with the design of a new campus building for a multinational firm. On the recommendation of a security consultant, the architect has added closely spaced sculpted stone posts with reinforced steel cores that surround the area between the building entrance and the street. At the most recent client meeting, the building owner has queried the cost of these. Can you explain their purpose?

A

These bollards are designed to prevent vehicles from crashing into the building lobby as part of a terrorist or
criminal attack. The security consultant should only recommend the control if the risk of this type of attack
justifies the expense.

17
Q

Katie works in a high-security government facility. When she comes to work in the morning, she places her hand on a scanning device installed at a turnstile in the building lobby. The scanner reads her palmprint and compares it to a master record of her palmprint in a database to verify her identity. What type of security control is this?

A

Biometric authentication.

Biometric authentication deployed as part of a building’s entry-control system.

18
Q

The building will house a number of servers contained within a secure room and network racks. You have recommended that the provisioning requirement includes key operated chassis faceplates. What threats will this mitigate?

A

A lockable faceplate controls who can access the power button, external ports, and internal components. This mitigates the risk of someone gaining access to the server room via social engineering. It also mitigates risks from insider threat by rogue administrators, though to a lesser extent (each request for a chassis key would need to be approved and logged).

19
Q

A user wants to secure their home Wi-Fi router. Which of the following are strong security practices? (Select all that apply).

A. Content filtering
B. Disable 2.4 GHz frequency band
C. Firmware update
D. AAA

A

A. Content filtering and C. Firmware update

Content filtering means that the firewall downloads curated reputation databases that associate IP address ranges, FQDNs, and URL web addresses with sites known to host various categories of content like malware, spam, or other threats.

Users should keep the firmware and driver for the home router up to date with the latest patches. This is important because it allows the user to fix security holes and support the latest security standards, such as WPA3.

Disabling the 2.4 GHz frequency will not increase security. 2.4 GHz is one of the frequencies used and has a better range with slower speeds.

An Authentication, Authorization, and Accounting (AAA) server is not typically set up on home networks.

20
Q

A network administrator is setting up administrative access to network devices. What common solution is used for this?

A. Kerberos
B. TACACS+
C. RADIUS
D. EAP

A

B. TACACS+

TACACS+ is an AAA protocol like RADIUS, but it is typically used for device administration rather than user access to the network.

Active Directory itself is not an Authentication, Authorization, and Accounting (AAA) server. However, Kerberos can compare against the Active Directory database to validate if a user is able to log on.

Where Remote Authentication Dial-in User Service (RADIUS) is often used to authenticate connections by wireless and VPN users, TACACS+ is often used in authenticating administrative access to routers, switches, and access points.

Extensible Authentication Protocol (EAP) allows the use of different mechanisms to authenticate against a network directory.

21
Q

A network administrator analyzes the physical placement of routers or network appliances to ensure a secure location. What non-malicious threat is the administrator helping to prevent?

A. Default password
B. Power off
C. Firmware update
D. Evil twin

A

B. Power off

A non-malicious threat actor could damage or power off an appliance by accident. A malicious threat actor could use physical access to tamper with an appliance or attach unauthorized devices to network or USB ports or use the factory reset mechanism and log on with the default password.

The home router management software will prompt users to change the default password to secure the administrator account.

Users should keep the firmware and driver for the home router up to date with the latest patches.

An evil twin attack is similar to phishing but instead of an email, the attacker uses a rogue wireless access point to try to harvest credentials.

22
Q

An IT manager wants to secure a storage room with expensive server equipment. Which of the following will provide the best contactless security?

A. Badge reader
B. Electronic lock
C. Conventional lock
D. Bollard

A

A. Badge reader

A badge reader offers the most security. Some types of electronic locks work with a hardware token rather than a PIN. The token might be a basic magnetic swipe card. A more advanced type of lock works with a cryptographic contactless smart card or key fob.

An electronic lock, rather than using a key, is a lock operated by entering a PIN on an electronic keypad.

A conventional lock prevents the door handle from being operated without the use of a key.

Sites, where there is a risk of a terrorist attack, will use barricades such as bollards and security posts to prevent vehicles from crashing into the building or exploding a bomb near it.

23
Q

A network administrator sets up a network access control solution throughout the enterprise which allows them to see ports with multiple devices connected into a switch port. The administrator uses this to help identify wireless access points throughout the enterprise, especially older ones which may have been forgotten. Which of the following legacy wireless encryption mechanisms is the administrator going to change? (Select all that apply.)

A. WPA2
B. WPA
C. WPA3
D. WEP

A

B. WPA and C. WEP

The first version of Wi-Fi Protected Access (WPA) was designed to fix critical vulnerabilities in the earlier ‘wired equivalent privacy’ (WEP) standard.

Wired Equivalent Privacy (WEP) is an old legacy standard. Neither WEP nor the original WPA version is considered secure enough for continued use.

WPA2 uses the Advanced Encryption Standard (AES) cipher deployed within the Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (CCMP).

The main features of WPA3 are Simultaneous Authentication of Equals (SAE), updated cryptographic protocols, protected management frames, and Wi-Fi enhanced open.

24
Q

A security company was asked to help set up physical security at a massive company to identify concealed weapons coming into the building. What should the company implement?

A. Access control vestibule
B. Magnetometer
C. Bollard
D. Fencing

A

C. Magnetometer

A handheld magnetometer is a type of metal detector that is often deployed at airports and in public buildings to identify concealed weapons or other items.

An access control vestibule is where one gateway leads to an enclosed space protected by another barrier. This restricts access to one person at a time.

Sites, where there is a risk of a terrorist attack, will use barricades such as bollards and security posts to prevent vehicles from crashing into the building or exploding a bomb near it.

Fencing is generally effective, but the drawback is that it gives a building an intimidating appearance.

25
A network administrator wants to enable authentication for wireless access points against an Active Directory database. Which of the following will the administrator need to use? A. LDAP B. TACACS+ C. OU D. RADIUS
**D. RADIUS** Remote Authentication Dial-in User Service (RADIUS) is a widely used authentication protocol that can be used for wireless access point authentication. RADIUS servers can authenticate users against Active Directory. While LDAP is commonly used for directory services like Active Directory, it is not a protocol typically used for wireless authentication. TACACS+ is another authentication protocol that provides AAA functionality (Authentication, Authorization, and Accounting). However, it is not typically used for wireless access point authentication. An organizational unit (OU) is a way of dividing a domain up into different administrative realms. While it can be used to manage user accounts and security groups, it is not an authentication protocol.
26
A hotel manager notices that a wireless access point with the same service set identifier (SSID) is broadcasting with higher power. What attack could this indicate? A. Whaling B. Phishing C. Footprinting D. Evil twin
**D. Evil twin** An evil twin attack is similar to phishing but instead of an email, the attacker uses a rogue wireless access point to try to harvest credentials. Whaling is an attack directed specifically against upper levels of management in the organization (CEOs and other 'big catches'). Phishing uses social engineering techniques to make spoofed electronic communications seem authentic to the victim. Footprinting is an information-gathering threat in which the attacker attempts to learn about the configuration of the network and security systems. A threat actor will perform reconnaissance and research about the target, gathering publicly available information, scanning network ports, and websites, and using social engineering techniques to try to discover vulnerabilities and ways to exploit the target.
27
A student is interning for a security team at a major company and wants to practice on their home network. They want to make sure devices are easily identified when traffic is examined. Which of the following will help them accomplish this? A. Port forward B. UPnP C. DHCP Reservation D. Port triggering
**C. DHCP Reservation** One option is to create a reservation (DHCP) for the device on the Dynamic Host Configuration Protocol (DHCP) server. This means that the DHCP server always assigns the same IP address to the host. If users want to run some sort of server application from the network and make it accessible to the internet, the user must configure a port forwarding rule. Services that require complex firewall configuration can use the Universal Plug-and-Play (UPnP) framework to send instructions to the firewall with the correct configuration parameters. Port triggering is used to set up applications that require more than one port, such as file transfer protocol (FTP) servers.
28
A human resources specialist has started working from home. The specialist is somewhat security conscious and wants to keep their home network secure. What else besides the router operating system patches should the specialist keep patched? A. Firmware B. UPnP C. Default password D. AAA
**A. Firmware** Users should keep the firmware and driver for the home router up to date with the latest patches. This is important because it allows the user to fix security holes and support the latest security standards, such as WPA3. Services that require complex firewall configuration can use the Universal Plug-and-Play (UPnP) framework to send instructions to the firewall with the correct configuration parameters. A default password is not a part of patching. The home router management software will prompt users to change the default password to secure the administrator account. An Authentication, Authorization, and Accounting (AAA) server is not typically set up on home networks.
29
A jewelry retail chain has just discovered how to create a new form of jewels that has never been seen before. They want to set up an alarm system that triggers when the case is opened and jewels are taken out. What type of alarm should the jewelry chain install to secure the glass display case containing the jewels? A. Motion Sensors B. Radio frequency ID (RFID) C. Circuit D. Duress
**C. Circuit** A circuit-based alarm sounds when the circuit opens or closes. In this context, the alarm could trigger if someone opens the glass display case, making it an ideal choice. A motion-based alarm links to a detector triggered by movement within an area. The sensors in these detectors use either microwave radio reflection or passive infrared (PIR), which detects moving heat sources. While effective for larger spaces, this may be too sensitive for a small display case. RFID tags and readers can track the movement of tagged objects within an area. While this system is versatile, it may be overkill for a localized area like a glass display case. A duress alarm could be implemented as a wireless pendant, concealed sensor, or trigger, or call contact. While useful for personal safety, it doesn't directly secure the jewels within the case.
30
A penetration tester gains access to a regular user's box. The tester wants to escalate privileges, so they call into the help desk, as the regular user, and sets up a script that will capture the help desk user's Kerberos token to be able to replay. What is this social engineering technique called? A. Dumpster diving B. Impersonation C. Shoulder surfing D. Tailgating
**B. Impersonation** Impersonation means that the penetration tester develops a pretext scenario to give themselves an opportunity to interact with an employee. Dumpster diving refers to combing through an organization's (or individual's) garbage to try to find useful documents. A shoulder surfing attack means that the threat actor learns a password or PIN (or other secure information) by watching the user type it. Tailgating is a means of entering a secure area without authorization by following closely behind the person who has been allowed to open the door or checkpoint.
31
A server administrator discovers that a server service account for a File Transfer Protocol (FTP) server was compromised. Which of the following exploits or vulnerabilities did the malicious actor use? A. XSS B. SQL injection C. Plaintext authentication D. DoS
**C. Plaintext authentication** A plaintext authentication password can be captured by obtaining a password file or by sniffing unencrypted traffic on the network. A cross-site scripting (XSS) attack exploits the fact that the browser is likely to trust scripts that appear to come from a site the user has chosen to visit. In a SQL injection attack, the threat actor modifies one of four basic functions by adding code to some input accepted by the app, causing it to execute the attacker's own set of SQL queries or parameters. A denial of service (DoS) attack causes a service at a given host to fail or to become unavailable to legitimate users.
32
A server administrator wants to secure a whole rack of servers. What would be the best way to secure access to the servers? A. Kensington locks B. Chassis locks C. Fingerprint readers D. Cabinet locks
**D. Cabinet locks** Lockable rack cabinets control access to servers, switches, and routers installed in standard network racks. These can be supplied with key-operated or electronic locks. Kensington locks are used with a cable tie to secure a laptop or other device to a desk or pillar and prevent theft. Chassis locks and faceplates prevent the covers of server equipment from being opened. These can prevent access to external USB ports and prevent someone from accessing the internal fixed disks. Fingerprint readers are not commonly used to secure rack cabinets. The technology is also non-intrusive and relatively simple to use, although moisture or dirt can prevent readings, and there are hygiene issues at shared-use gateways.
33
A network manager for a growing coffee company sets up wireless access points at cafe locations for users. The manager wants to set up access to allow anyone in the vicinity to join without a password but also make it as secure as possible. Which standard introduced this ability? A. WPA3 B. WPA2 C. WPA D. WEP
**B. WPA3** In WPA2, Wi-Fi Enhanced Open traffic is unencrypted. WPA3 encrypts this traffic. This means that any station can still join the network, but traffic is protected against sniffing. WPA2 uses the Advanced Encryption Standard (AES) cipher deployed within the Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (CCMP). The first version of Wi-Fi Protected Access (WPA) was designed to fix critical vulnerabilities in the earlier wired equivalent privacy (WEP) standard. Wired Equivalent Privacy (WEP) is an old legacy standard. Neither WEP nor the original WPA version is considered secure enough for continued use.
34
A network professional sets up the ability to authenticate over Extensible Authentication Protocol over Wireless (EAPoW). Which of the following will the professional need to configure? A. TACACS+ B. WPA3 C. Active directory D. MFA
**C. Active Directory** Extensible Authentication Protocol over Wireless (EAPoW) is a protocol used for wireless network authentication. It allows for a variety of authentication methods to be used over wireless networks. When implementing EAPoW, the network professional will need to configure an authentication server that supports EAP methods, and this is often done using Active Directory (AD). Active Directory is a directory service developed by Microsoft that provides centralized authentication, authorization, and directory services. It's commonly used for user authentication in enterprise environments, and it can be integrated with various EAP methods to provide secure and centralized authentication for wireless networks. WPA3: While WPA3 is a security protocol used to protect Wi-Fi networks, it's not directly related to setting up EAPoW. WPA3 enhances security features like encryption and protection against brute-force attacks. TACACS+: TACACS+ is a protocol used for centralized authentication, authorization, and accounting (AAA) services. While it can be used for network access control, it's not specifically associated with EAPoW for wireless authentication. MFA (Multi-Factor Authentication): MFA involves using multiple authentication factors (such as passwords, tokens, biometrics) to verify a user's identity. While it's a security practice, it's not the specific requirement for configuring EAPoW. EAP methods themselves can involve various authentication factors, but MFA is not exclusively tied to EAPoW configuration.
35
A server administrator for a corporation with an enterprise network was tasked with setting up a website hosted on-premise. How should the administrator set it up? A. Content filtering B. UPnP C. Port forward D. Screened subnet
**D. Screened subnet** A screened subnet can also be referred to by the deprecated terminology demilitarized zone (DMZ). The idea of a screened subnet is that some hosts are placed in a separate network segment with a different IP subnet address range than the rest of the LAN. Content filtering means that the firewall downloads curated reputation databases that associate IP address ranges, FQDNs, and URL web addresses. Services that require complex firewall configuration can use the Universal Plug-and-Play (UPnP) framework to send instructions to the firewall with the correct configuration parameters. Port forwarding means that the router takes a request from an internet host for a particular service and sends the request to a designated host on the LAN.
36
A security manager at a top-secret facility assesses the feasibility of integrating biometric authentication but has heard that it is often not accurate. Which of the following is the most accurate form of biometrics? A. Retina scanner B. Palmprint scanning C. Fingerprint readers D. Badge reader
**A. Retina scanner** Retinal scanning is one of the most accurate forms of biometrics. Retinal patterns are very secure, but the equipment required is expensive and the process is relatively intrusive and complex. Palmprint scanning is a contactless-type of camera-based scanner that uses visible and/or infrared light to record and validate the unique pattern of veins and other features in a person's hand. Fingerprint readers are usually implemented as a small capacitive cell that can detect the unique pattern of ridges making up the fingerprint. A badge reader does not fall under the category of biometrics, but it is a more secure way for door locks.
37
A vulnerability manager is ramping up the vulnerability management program at their company. Which of the following is the most important consideration for prioritizing patching? A. Actor B. Threat C. Risk D. MFA
**C. Risk** Risk is the likelihood and impact (or consequence) of a threat actor exercising a vulnerability. This is the most important aspect of the prioritization of patches. An actor is an agent that executes malicious activity on a system. In this case, there is no known actor. Threat is the potential for someone or something to exploit a vulnerability and breach security. A threat may be intentional or unintentional. The person or thing that poses the threat is called a threat actor. An authentication technology is considered strong if it is multifactor. Multifactor authentication (MFA) means that the user must submit at least two different kinds of credentials.
38
A security analyst is looking at the overall security status of systems on the network. Which of the following represents the greatest risk? A. EOL system B. Unprotected system C. Zero-day D. Non-compliant system
**A. EOL system** A legacy or end-of-life (EOL) system is one where the software vendor no longer provides support or fixes for problems. These represent the greatest risk to the network. An unprotected system is one where at least one of these controls is either missing or improperly configured. A vulnerability that is exploited before the developer knows about it or can release a patch is called a zero-day. A non-compliant system is one that has drifted from its hardened configuration. A vulnerability scanner is a class of software designed to detect non-compliant systems.

CompTIA A+ (20 decks)

Brainscape helps you reach your goals faster, through stronger study habits.
© 2025 Bold Learning Solutions. Terms and Conditions