B.3.3 Security+ SY0-601 Domain 3: Implementation Flashcards by jazz !

For Milestone 4 (Reach Your Network), which of the following would be considered a secure protocol to use to reach your network?

SSH

How well did you know this?

Not at all

Perfectly

Which of the following file transfer protocols use SSH to provide confidentiality during the transfer? (Select two.)

SSH File Transfer Protocol (SFTP)
Secure Copy Protocol (SCP)

How well did you know this?

Not at all

Perfectly

You’ve just deployed a new Cisco router that connects several network segments in your organization.

The router is physically located in a server room that requires an ID for access. You’ve backed up the router configuration to a remote location in an encrypted file. You access the router configuration interface from your notebook computer using a Telnet client with a username of admin and a password of P@ssW0rd. You have used the MD5 hashing algorithm to protect the password.

What should you do to increase the security of this device? (Select two.)

Use an SSH client to access the router configuration
Change the default administrative username and password

How well did you know this?

Not at all

Perfectly

You’ve just deployed a new Cisco router that connects several network segments in your organization.

The router is physically located in a locked server closet. You use an FTP client to regularly back up the router configuration to a remote server in an encrypted file. You access the router configuration interface from a notebook computer that is connected to the router’s console port. You’ve configured the device with the username admin01 and the password P@ssW0rd. You have used the MD5 hashing algorithm to protect the password.

What should you do to increase the security of this device?

Use SCP to back up the router configuration to a remote location

How well did you know this?

Not at all

Perfectly

Which of the following protocols can be used to securely manage a network device from a remote connection?

SSH

How well did you know this?

Not at all

Perfectly

SFTP uses which mechanism to provide security for authentication and data transfer?

SSH

How well did you know this?

Not at all

Perfectly

Telnet is inherently insecure because its communications is in plaintext and easily intercepted. Which of the following is an acceptable alternative to Telnet?

SSH

How well did you know this?

Not at all

Perfectly

What is the default encryption algorithm used by SSH (Secure Shell) to protect data traffic between a client and the controlled server?

International Data Encryption Algorithm (IDEA)

How well did you know this?

Not at all

Perfectly

What is IDEA?

It’s designed to securely encrypt digital data and is used in various applications, including secure communications, financial transactions, and electronic voting systems

How well did you know this?

Not at all

Perfectly

Which of the following mechanisms can you use to add encryption to email? (Select two.)

S/MIME
PGP

How well did you know this?

Not at all

Perfectly

Which ports does LDAP use by default? (Select two.)

636
389

How well did you know this?

Not at all

Perfectly

You want to deploy SSL to protect authentication traffic with your LDAP-based directory service. Which port does this action use?

636

How well did you know this?

Not at all

Perfectly

Your LDAP directory-services solution uses simple authentication. What should you always do when using simple authentication?

Use SSL

How well did you know this?

Not at all

Perfectly

To transfer files to your company’s internal network from home, you use FTP. The administrator has recently implemented a firewall at the network perimeter and disabled as many ports as possible.

Now, you can no longer make the FTP connection. You suspect the firewall is causing the issue. Which ports need to remain open so you can still transfer the files? (Select two.)

20
21

How well did you know this?

Not at all

Perfectly

FTPS uses which mechanism to provide security for authentication and data transfer?

SSL

How well did you know this?

Not at all

Perfectly

Which of the following is a secure alternative to FTP that uses SSL for encryption?

FTPS

How well did you know this?

Not at all

Perfectly

As a network administrator, you are asked to recommend a secure method for transferring data between hosts on a network. Which of the following protocols would you recommend? (Select two.)

SFTP
SCP

How well did you know this?

Not at all

Perfectly

To increase security on your company’s internal network, the administrator has disabled as many ports as possible. However, now you can browse the internet, but you are unable to perform secure credit card transactions.

Which port needs to be enabled to allow secure transactions?

443

How well did you know this?

Not at all

Perfectly

Which of the following protocols uses port 443?

HTTPS

How well did you know this?

Not at all

Perfectly

Which TCP/IP protocol is a secure form of HTTP that uses SSL as a sub-layer for security?

HTTPS

How well did you know this?

Not at all

Perfectly

Which protocol is used to securely browse a website?

HTTPS

How well did you know this?

Not at all

Perfectly

Which utility would you MOST likely use on OS X to encrypt and decrypt data and messages?

GNU Privacy Guard (GPG)

How well did you know this?

Not at all

Perfectly

IPsec is implemented through two separate protocols. What are these protocols called? (Select two.)

Encapsulating Security Payload (ESP)
Authentication Header (AH)

How well did you know this?

Not at all

Perfectly

Which of the following network layer protocols provides authentication and encryption services for IP-based network traffic?

IPsec

How well did you know this?

Not at all

Perfectly

What is the primary function of the IKE Protocol used with IPsec?

Create a security association between communicating partners

How well did you know this?

Not at all

Perfectly

As you browse the internet, you notice that when you go to some sites, multiple additional windows are opened automatically. Many of these windows contain advertisements for products that are inappropriate for your family to view.

Which tool can you implement to prevent these windows from showing?

Pop-up blocker

How well did you know this?

Not at all

Perfectly

While using a web-based order form, an attacker enters an unusually large value in the Quantity field.

The value he or she entered is so large that it exceeds the maximum value supported by the variable type used to store the quantity in the web application. This causes the value of the quantity variable to wrap around to the minimum possible value, which is a negative number.

As a result, the web application processes the order as a return instead of a purchase, and the attacker’s account is credited with a large sum of money.

Which practices would have prevented this exploit? (Select two.)

Implementing server-side validation
Implementing client-side validation

How well did you know this?

Not at all

Perfectly

You install a new Linux distribution on a server in your network. The distribution includes a Simple Mail Transfer Protocol (SMTP) daemon that is enabled by default when the system boots. The SMTP daemon does not require authentication to send email messages.

Which type of email attack is this server susceptible to?

Open SMTP relay

How well did you know this?

Not at all

Perfectly

Which of the following BEST describes an email security gateway?

It monitors emails that originate from an organization

How well did you know this?

Not at all

Perfectly

You often travel away from the office. While traveling, you would like to use your laptop computer to connect directly to a server in your office and access files.

You want the connection to be as secure as possible. Which type of connection do you need?

Remote access

How well did you know this?

Not at all

Perfectly

What does a remote access server use for authorization?

Remote access policies

How well did you know this?

Not at all

Perfectly

Which of the following app deployment and update methods allows updates to be uploaded onto Intune where they can be pushed out to users within 24 hours?

Remote management

How well did you know this?

Not at all

Perfectly

Which of the following app deployment and update methods allows an administrator to remove apps and clear all data from a device without affecting the device itself?

Remote management

How well did you know this?

Not at all

Perfectly

Which of the following tools allow remote management of servers? (Select two.)

Telnet
SSH

How well did you know this?

Not at all

Perfectly

You want to set up a collector-initiated environment for event subscriptions. Which commands would you run? (Select two.)

Run winrm qc -q on the source computer
Run wecutil qc on the collector computer

How well did you know this?

Not at all

Perfectly

You set up Event Subscription, but you are getting an overwhelming amount of events recorded. What should you do?

Define a filter

How well did you know this?

Not at all

Perfectly

You wish to configure collector-initiated event subscriptions. On the collector computer, in which program do you configure a subscription?

Event Viewer

How well did you know this?

Not at all

Perfectly

Which two types of service accounts must you use to set up event subscriptions?

Specific user service account
Default machine account

How well did you know this?

Not at all

Perfectly

For some reason, your source computers are not communicating properly with the collector. Which tool would you use to verify communications?

Runtime Status

How well did you know this?

Not at all

Perfectly

Which of the following are required to configure Event Subscription for event forwarding? (Select three.)

Create a Windows firewall exception for HTTP or HTTPS on all source computers

Start Windows Event Collector service on collector computer

Start Windows Remote Management service on both the source and collector computers

How well did you know this?

Not at all

Perfectly

For source-initiated subscriptions, which tool do you use to configure event forwarding?

Group Policy

How well did you know this?

Not at all

Perfectly

You are configuring a source-initiated subscription on the collector computer in Event Viewer. Which of the following do you need to specify?

Computer group

How well did you know this?

Not at all

Perfectly

You have a large number of source computers in your IT environment. Which subscription type would be most efficient to employ?

Source-initiated

How well did you know this?

Not at all

Perfectly

Which of the following DLP implementations can be used to monitor and control access to physical devices on workstations or servers?

Endpoint DLP

How well did you know this?

Not at all

Perfectly

As a security precaution, you have implemented IPsec that is used between any two devices on your network. IPsec provides encryption for traffic between devices.

You would like to implement a solution that can scan the contents of the encrypted traffic to prevent any malicious attacks.

Which solution should you implement?

Host-based IDS

How well did you know this?

Not at all

Perfectly

What do host-based intrusion detection systems often rely upon to perform detection activities?

Auditing capabilities

How well did you know this?

Not at all

Perfectly

What is the most common form of host-based IDS that employs signature or pattern-matching detection methods?

Antivirus software

How well did you know this?

Not at all

Perfectly

You have been given a laptop to use for work. You connect the laptop to your company network, use it from home, and use it while traveling.

You want to protect the laptop from internet-based attacks. Which solution should you use?

Host-based firewall

How well did you know this?

Not at all

Perfectly

Which of the following is specifically meant to ensure that a program operates on clean, correct, and useful data?

Input validation

How well did you know this?

Not at all

Perfectly

You are implementing a new application control solution.

Prior to enforcing your application whitelist, you want to monitor user traffic for a period of time to discover user behaviors and log violations for later review.

How should you configure the application control software to handle applications not contained in the whitelist?

Flag

How well did you know this?

Not at all

Perfectly

This application endpoint-protection rule implicitly denies unless added to the rule. Which of the following processes describes this?

Whitelisting

How well did you know this?

Not at all

Perfectly

You have been receiving a lot of phishing emails sent from the domain kenyan.msn.pl. Links within these emails open new browser windows at youneedit.com.pl.

You want to make sure that these emails never reach your inbox, but you also want to make sure that emails from other senders are not affected.

What should you do?

Add kenyan.msn.pl to the email blacklist

How well did you know this?

Not at all

Perfectly

Which of the following enters random data to the inputs of an application?

Fuzzing

How well did you know this?

Not at all

Perfectly

Which fuzz testing program type defines new test data based on models of the input?

Generation-based

How well did you know this?

Not at all

Perfectly

The Application layer of the security model includes which of the following? (Select two.)

Web application security
User management

How well did you know this?

Not at all

Perfectly

Which common design feature among instant messaging clients make them less secure than other means of communicating over the internet?

Peer-to-peer networking

How well did you know this?

Not at all

Perfectly

Which type of application allows users to share and access content without using a centralized server?

Peer-to-peer software

How well did you know this?

Not at all

Perfectly

Which of the following methods did Microsoft introduce in Windows 10 to help distribute OS updates?

Peer-to-peer software

How well did you know this?

Not at all

Perfectly

Which of the following is a benefit of P2P applications?

Shared resources

How well did you know this?

Not at all

Perfectly

Which of the following actions should you take to reduce the attack surface of a server?

Disable unused services

How well did you know this?

Not at all

Perfectly

Which action would you use in a rule to disallow a connection silently?

Drop

How well did you know this?

Not at all

Perfectly

You have configured the following rules. What is the effect?

sudo iptables -A INPUT -p tcp –dport 25 -m conntrack –ctstate NEW,ESTABLISHED -j ACCEPT

sudo iptables -A OUTPUT -p tcp –sport 25 -m conntrack –ctstate ESTABLISHED -j ACCEPT

Allow SMTP traffic

How well did you know this?

Not at all

Perfectly

Which type of packet would the sender receive if they sent a connection request to TCP port 25 on a server with the following command applied?

sudo iptables -A OUTPUT -p tcp –dport 25 -j REJECT

RST

How well did you know this?

Not at all

Perfectly

When designing a firewall, what is the recommended approach for opening and closing ports?

Close all ports; open only ports required by applications inside the DMZ

How well did you know this?

Not at all

Perfectly

You want a security solution that protects the entire hard drive and prevents access even if the drive is moved to another system. Which solution should you choose?

BitLocker

How well did you know this?

Not at all

Perfectly

Which of the following is defined as an operating system that comes hardened and validated to a specific security level as defined in the Common Criteria for Information Technology Security Evaluation (CC)?

TOS

How well did you know this?

Not at all

Perfectly

You have just purchased a new network device and are getting ready to connect it to your network. Which of the following actions should you take to increase its security? (Select two.)

Apply all patches and updates
Change default account passwords

How well did you know this?

Not at all

Perfectly

Windows Server Update Services (WSUS) is used to accomplish which part of a manageable network?

Patch management

How well did you know this?

Not at all

Perfectly

Which type of update should be prioritized even outside of a normal patching window?

Critical updates

How well did you know this?

Not at all

Perfectly

You have recently experienced a security incident with one of your servers. After some research, you determine that a new hotfix has recently been released, which would have protected the server.

Which of the following recommendations would be the BEST solution for you to follow when applying the hotfix?

Test the hotfix and then apply it to all servers

How well did you know this?

Not at all

Perfectly

Which of the following tools can you use on a Windows network to automatically distribute and install software and operating system patches on workstations? (Select two.)

WSUS
Group Policy

How well did you know this?

Not at all

Perfectly

By definition, what is the process of reducing security exposure and tightening security controls?

Hardening

How well did you know this?

Not at all

Perfectly

What is the main function of a TPM hardware chip?

Generate and store cryptographic keys

How well did you know this?

Not at all

Perfectly

Which of the following functions are performed by a TPM?

Create a hash of system components

How well did you know this?

Not at all

Perfectly

You would like to implement BitLocker to encrypt data on a hard disk, even if it is moved to another system. You want the system to boot automatically without providing a startup key on an external USB device.

What should you do?

Use a PIN instead of a startup key

How well did you know this?

Not at all

Perfectly

You want to protect data on hard drives for users with laptops. You want the drive to be encrypted, and you want to prevent the laptops from booting unless a special USB drive is inserted. In addition, the system should not boot if a change is detected in any of the boot files.

What should you do?

Implement BitLocker without a TPM

How well did you know this?

Not at all

Perfectly

What is isolating a virtual machine from the physical network to allow testing to be performed without impacting the production environment called?

Sandboxing

How well did you know this?

Not at all

Perfectly

Which load balancing method distributes a workload across multiple computers?

Workload balancing

How well did you know this?

Not at all

Perfectly

Which of the following is a technique that disperses a workload between two or more computers or resources to achieve optimal resource utilization, throughput, or response time?

Load balancing

How well did you know this?

Not at all

Perfectly

As you go through the process of making your network more manageable, you discover that employees in the sales department are on the same network segment as the human resources department.

Which of the following steps can be used to isolate these departments?

Create a separate VLAN for each department

How well did you know this?

Not at all

Perfectly

Which of the following is commonly created to segment a network into different zones?

VLANs

How well did you know this?

Not at all

Perfectly

When configuring VLANs on a switch, which type of switch ports are members of all VLANs defined on the switch?

Trunk ports

How well did you know this?

Not at all

Perfectly

Which of the following is an appropriate definition of a VLAN?

A logical grouping of devices based on service need, protocol, or other criteria

How well did you know this?

Not at all

Perfectly

A virtual LAN can be created using which of the following?

Switch

How well did you know this?

Not at all

Perfectly

When configuring VLANs on a switch, what is used to identify which VLAN a device belongs to?

Switch port

How well did you know this?

Not at all

Perfectly

You manage a network that uses a single switch. All ports within your building connect through the single switch.

In the lobby of your building are three RJ-45 ports connected to the switch. You want to allow visitors to plug into these ports to gain internet access, but they should not have access to any other devices on your private network. Employees connected throughout the rest of your building should have both private and internet access.

Which feature should you implement?

VLANs

How well did you know this?

Not at all

Perfectly

You run a small network for your business that has a single router connected to the internet and a single switch. You keep sensitive documents on a computer that you would like to keep isolated from other computers on the network. Other hosts on the network should not be able to communicate with this computer through the switch, but you still need to access the network through the computer.

What should you use for this situation?

VLAN

How well did you know this?

Not at all

Perfectly

Which of the following is an example of protocol-based network virtualization?

VLAN

How well did you know this?

Not at all

Perfectly

What is a virtual LAN that runs on top of a physical LAN called?

Virtual Area Network (VAN)

How well did you know this?

Not at all

Perfectly

You have placed a File Transfer Protocol (FTP) server in your DMZ behind your firewall. The FTP server is to be used to distribute software updates and demonstration versions of your products. However, users report that they are unable to access the FTP server.

What should you do to enable access?

Open ports 20 and 21 for outbound connections.

How well did you know this?

Not at all

Perfectly

You have used firewalls to create a demilitarized zone. You have a web server that needs to be accessible to internet users. The web server must communicate with a database server for retrieving product, customer, and order information.

How should you place devices on the network to best protect the servers? (Select two.)

Put the database server on the private network
Put the web server inside the DMZ

How well did you know this?

Not at all

Perfectly

Of the following security zones, which one can serve as a buffer network between a private secured network and the untrusted internet?

DMZ

How well did you know this?

Not at all

Perfectly

In which of the following situations would you most likely implement a demilitarized zone (DMZ)?

You want to protect a public web server from attack

How well did you know this?

Not at all

Perfectly

Which of the following terms describes a network device that is exposed to attacks and has been hardened against those attacks?

Bastion or sacrificial host

How well did you know this?

Not at all

Perfectly

Which of the following is another name for a firewall that performs router functions?

Screening router

How well did you know this?

Not at all

Perfectly

How many network interfaces does a dual-homed gateway typically have?

How well did you know this?

Not at all

Perfectly

In which of the following zones would a web server most likely be placed?

Low-trust zone

How well did you know this?

Not at all

Perfectly

Which of the following BEST describes zero-trust security?

Only devices that pass both authentication and authorization are trusted

How well did you know this?

Not at all

Perfectly

Your network devices are categorized into the following zone types:

No-trust zone
Low-trust zone
Medium-trust zone
High-trust zone

Your network architecture employs multiple VLANs for each of these network zones. Each zone is separated by a firewall that ensures only specific traffic is allowed.

Which of the following is the secure architecture concept that is being used on this network?

Network segmentation

How well did you know this?

Not at all

Perfectly

Which of the following is a privately controlled portion of a network that is accessible to some specific external entities?

Extranet

How well did you know this?

Not at all

Perfectly

Which of the following best describes the concept of a virtual LAN?

Devices on the same network logically grouped as if they were on separate networks

How well did you know this?

Not at all

Perfectly

Which of the following provides the network virtualization solution called XenServer?

Citrix

How well did you know this?

Not at all

Perfectly

Which VPN tunnel style routes only certain types of traffic?

Split

How well did you know this?

Not at all

Perfectly

Which of the following VPN protocols is no longer considered secure?

Point-to-Point Tunneling Protocol (PPTP)

How well did you know this?

Not at all

Perfectly

A group of salesmen would like to remotely access your private network through the internet while they are traveling. You want to control access to the private network through a single server.

Which solution should you implement?

VPN concentrator

How well did you know this?

Not at all

Perfectly

Which VPN implementation uses routers on the edge of each site?

Site-to-site VPN

How well did you know this?

Not at all

Perfectly

A salesperson in your organization spends most of her time traveling between customer sites. After a customer visit, she must complete various managerial tasks, such as updating your organization’s order database.

Because she rarely comes back to your home office, she usually accesses the network from her notebook computer using Wi-Fi access provided by hotels, restaurants, and airports.

Many of these locations provide unencrypted public Wi-Fi access, and you are concerned that sensitive data could be exposed. To remedy this situation, you decide to configure her notebook to use a VPN when accessing the home network over an open wireless connection.

Which key steps should you take when implementing this configuration? (Select two.)

Configure the browser to send HTTPS requests through the VPN connection

Configure the VPN connection to use IPsec

How well did you know this?

Not at all

Perfectly

Which statement BEST describes IPsec when used in tunnel mode?

The entire data packet, including headers, is encapsulated

How well did you know this?

Not at all

Perfectly

Which IPSec subprotocol provides data encryption?

ESP

How well did you know this?

Not at all

Perfectly

In addition to Authentication Header (AH), IPsec is comprised of what other service?

Encapsulating Security Payload (ESP)

How well did you know this?

Not at all

Perfectly

Which VPN protocol typically employs IPsec as its data encryption mechanism?

Layer 2 Tunneling Protocol (L2TP)

How well did you know this?

Not at all

Perfectly

A VPN is primarily used for which of the following purposes?

Support secured communications over an untrusted network

How well did you know this?

Not at all

Perfectly

Which of the following is the BEST solution to allow access to private resources from the internet?

VPN

How well did you know this?

Not at all

Perfectly

The IT manager has asked you to create four new VLANs for a new department. As you are going through the VLAN configurations, you find some VLANs numbered 1002-1005. However, they are not in use.

What should you do with these VLANs?

Nothing. They are reserved and cannot be used or deleted

How well did you know this?

Not at all

Perfectly

Which of the following is used as a secure tunnel to connect two networks?

VPN

How well did you know this?

Not at all

Perfectly

The IT manager has asked you to create a separate VLAN to be used exclusively for wireless guest devices to connect to.

Which of the following is the primary benefit of creating this VLAN?

You can control security by isolating wireless guest devices within this VLAN

How well did you know this?

Not at all

Perfectly

Which of the following NAC agent types is the most convenient agent type?

Permanent

How well did you know this?

Not at all

Perfectly

Which of the following NAC agent types creates a temporary connection?

Dissolvable

How well did you know this?

Not at all

Perfectly

Which of the following NAC agent types would be used for IoT devices?

Agentless

How well did you know this?

Not at all

Perfectly

Members of the sales team use laptops to connect to the company network. While traveling, they connect their laptops to the internet through airport and hotel networks.

You are concerned that these computers could pick up viruses that could spread to your private network. You would like to implement a solution that prevents the laptops from connecting to your network unless antivirus software and the latest operating system patches are installed.

Which solution should you use?

Network Access Control (NAC)

How well did you know this?

Not at all

Perfectly

What is Cisco’s Network Access Control (NAC) solution called?

Identity Services Engine (ISE)

How well did you know this?

Not at all

Perfectly

You are configuring the security settings for your network. You have decided to configure a policy that requires any computer connecting to the network to run at least Windows 10 version 2004.
Which of the following have you configured?

NAC

How well did you know this?

Not at all

Perfectly

Which of the steps in the Network Access Control (NAC) implementation process occurs once the policies have been defined?

Apply

How well did you know this?

Not at all

Perfectly

You are part of a committee that is meeting to define how Network Access Control (NAC) should be implemented in the organization.
Which step in the NAC process is this?

Plan

How well did you know this?

Not at all

Perfectly

What are the steps in the NAC implementation process in order?

Planning
Define
Implementing
Review

How well did you know this?

Not at all

Perfectly

The IT manager has tasked you with implementing a solution that ensures that mobile devices are up to date, have anti-malware installed, and have the latest definition updates before being allowed to connect to the network.

Which of the following should you implement?

NAC

How well did you know this?

Not at all

Perfectly

Which of the following do switches and wireless access points use to control access through a device?

MAC address filtering

How well did you know this?

Not at all

Perfectly

In which of the following situations would you use port security?

You want to restrict the devices that could connect through a switch port

How well did you know this?

Not at all

Perfectly

You are the network administrator for a city library. Throughout the library are several groups of computers that provide public access to the internet. Supervision of these computers has been difficult. You’ve had problems with patrons bringing personal laptops into the library and disconnecting the network cables from the library computers to connect their laptops to the internet.

The library computers are in groups of four. Each group of four computers is connected to a hub that is connected to the library network through an access port on a switch. You want to restrict access to the network so that only library computers are permitted connectivity to the internet.

What can you do?

Configure port security on the switch

How well did you know this?

Not at all

Perfectly

Which protocol should you disable on the user access ports of a switch?

Dynamic Trunking Protocol (DTP)

How well did you know this?

Not at all

Perfectly

Which of the following types of proxies would you use to remain anonymous when surfing the internet?

Forward

How well did you know this?

Not at all

Perfectly

Which security mechanism can be used to detect attacks that originate on the internet or from within an internal trusted subnet?

Intrusion Detection System (IDS)

How well did you know this?

Not at all

Perfectly

Which of the following is a security service that monitors network traffic in real time or reviews the audit logs on servers looking for security violations?

IDS

How well did you know this?

Not at all

Perfectly

An active IDS system often performs which of the following actions? (Select two.)

Updates filters to block suspect traffic
Performs reverse lookups to identify an intruder

How well did you know this?

Not at all

Perfectly

Which of the following devices can monitor a network and detect potential security attacks?

IDS

How well did you know this?

Not at all

Perfectly

Which of the following devices is capable of detecting and responding to security threats?

Intrusion Prevention System (IPS)

How well did you know this?

Not at all

Perfectly

You are concerned about attacks directed at your network firewall. You want to be able to identify and be notified of any attacks. In addition, you want the system to take immediate action to stop or prevent the attack, if possible.

Which tool should you use?

IPS

Your organization uses a web server to host an e-commerce site.

Because this web server handles financial transactions, you are concerned that it could become a prime target for exploits. You want to implement a network security control that analyzes the contents of each packet going to or from the web server. The security control must be able to identify malicious payloads and block them.

What should you do?

Implement an application-aware IPS in front of the web server

Which IDS method searches for intrusion or attack attempts by recognizing patterns or identifying entities listed in a database?

Signature-based IDS

What does a signature-based IDS use to identify attacks?

Comparisons to known attack patterns

You have just installed a new network-based IDS system that uses signature recognition. What should you do on a regular basis?

Update the signature files

You are concerned about protecting your network from network-based attacks on the internet. Specifically, you are concerned about attacks that have not yet been identified or that do not have prescribed protections.

Which type of device should you use?

Anomaly-based IDS

Which of the following best describes a stateful inspection?

Determines the legitimacy of traffic based on the state of the connection from which the traffic originated

You want to install a firewall that can reject packets that are not part of an active session. Which type of firewall should you use?

Circuit-level gateway

Which of the following are true of a circuit proxy-filter firewall? (Select two.)

Operates at the Session layer
Verifies sequencing of session packets

Which of the following are characteristics of a circuit-level gateway? (Select two.)

Filters based on sessions
Stateful

Which of the following are characteristics of a packet-filtering firewall? (Select two.)

Filters IP address and port
Stateless

You have just installed a packet-filtering firewall on your network. Which options are you able to set on your firewall? (Select all that apply.)

Destination address of a packet
Port number
Source address of a packet

You want to connect your small company network to the internet. Your ISP provides you with a single IP address that is to be shared between all hosts on your private network. You do not want external hosts to be able to initiate connection to internal hosts.
Which type of Network Address Translation (NAT) should you implement?

Dynamic

Which NAT implementation assigns two IP addresses to the public NAT interface, allowing traffic to flow in both directions?

Dynamic and static

Which device is NAT typically implemented on?

Gateway router

Which problem does NAT help address?

The shortage of IPv4 addresses

At which layer of the OSI model do NAT routers operate?

Layer 3 (Network layer)

How many concurrent connections does NAT support?

5,000

Which of the following does a NAT router use to associate a port number with a request from a private host?

Port Address Translation (PAT)

A network device is given an IP address of 172.16.0.55. Which type of network is this device on?

Class B private network

You have a small network at home that is connected to the internet. On your home network, you have a server with the IP address of 192.168.55.199/16. You have a single public address that is shared by all hosts on your private network.

You want to configure the server as a web server and allow internet hosts to contact the server to browse a personal website.

What should you use to allow access?

Static NAT

You are the network administrator for a small company that implements NAT to access the internet. However, you recently acquired five servers that must be accessible from outside your network. Your ISP has provided you with five additional registered IP addresses to support these new servers, but you don’t want the public to access these servers directly. You want to place these servers behind your firewall on the inside network, yet still allow them to be accessible to the public from the outside.

Which method of NAT translation should you implement for these servers?

Static

Which of the following is a firewall function?

Packet filtering

Which of the following is the best device to deploy to protect your private network from a public untrusted network?

Firewall

You are configuring web threat protection on the network and want to block emails coming from a specific sender. Which of the following should be configured?

Spam filter

You would like to make sure users are not accessing inappropriate content online at work. Which endpoint security strategy would you employ?

Content filtering

Jessica needs to set up a firewall to protect her internal network from the internet. Which of the following would be the BEST type of firewall for her to use?

Hardware

You provide internet access for a local school. You want to control internet access based on the user and prevent access to specific URLs.

Which type of firewall should you install?

Application-level gateway

You connect your computer to a wireless network available at the local library. You find that you can access all of the websites you want on the internet except for two.

What might be causing the problem?

A proxy server is blocking access to the websites

Which of the following functions are performed by proxies? (Select two.)

Block employees from accessing certain websites
Cache web pages

Which of the following solutions would you implement to track which websites network users are accessing?

Proxy

Which of the following are features of an application-level gateway? (Select two.)

Stops each packet at the firewall for inspection
Reassembles entire messages

Which of the following best describes a proxy server?

Operates at Layer 7 (Application layer) of the OSI model

You are the office manager of a small financial credit business. Your company handles personal financial information for clients seeking small loans over the internet. You are aware of your obligation to secure clients records, but the budget is an issue for your company.

Which item would provide the BEST security for this situation?

All-in-one security appliance

A proxy server can be configured to do which of the following?

Restrict users on the inside of a network from getting out to the internet

You want to give all managers the ability to view and edit a certain file. To do so, you need to edit the discretionary access control list (DACL) associated with the file. You want to be able to easily add and remove managers as their job positions change.

What is the BEST way to accomplish this?

Create a security group for the managers. Add all users as members of the group. Add the group to the file’s DACL

You have a shared folder named Reports. Members of the Managers group have been given Write access to the shared folder.

Mark Mangum is a member of the Managers group. He needs access to the files in the Reports folder, but he should not have any access to the Confidential.xls file.

What should you do?

Add Mark Mangum to the ACL for the Confidential.xls file with Deny permissions

Which of the following does a router acting as a firewall use to control which packets are forwarded or dropped?

ACL

Which security mechanism uses a unique list that meets the following specifications:

The list is embedded directly in the object itself.
The list defines which subjects have access to certain objects.
The list specifies the level or type of access allowed to certain objects.

User ACL

Which of the following should be configured on the router to filter traffic at the router level?

Access control list

Which of the following is used by Microsoft for auditing in order to identify past actions performed by users on an object?

System Access Control List (SACL)

Which of the following describes how access control lists can be used to improve network security?

An access control list filters traffic based on the IP header information, such as source or destination IP address, protocol, or socket number

Which of the following does a router use to determine where packets are forwarded to?

Routing table

Which of the following happens by default when you create and apply a new ACL on a router?

All traffic is blocked

You have configured your ACL to block outgoing traffic from a device with the IP address 192.168.1.52. Which type of ACL have you configured?

Standard

Which type of ACL should be placed as close to the source as possible?

Extended

Which command would you use to list all of the currently defined iptables rules?

sudo iptables -L

Which of the following devices can apply quality of service and traffic-shaping rules based on what created the network traffic?

Application-aware devices

You decide to use a packet sniffer to identify the type of traffic sent to a router. You run the packet sniffing software on a device that is connected to a hub with three other computers. The hub is connected to a switch that is connected to the router.

When you run the software, you see frames addressed to the four workstations, but not to the router.

Which feature should you configure on the switch?

Port mirroring

Which of the following features are supplied by WPA2 on a wireless network?

Encryption

You need to secure your wireless network. Which security protocol would be the best choice?

WPA2

You need to add security for your wireless network, and you would like to use the most secure method.

Which method should you implement?

WPA2

Which of the following items would be implemented at the Data layer of the security model?

Cryptography

You need to configure a wireless network using WPA2-Enterprise. Which of the following components should be part of your design? (Select two.)

802.1x
AES encryption

Which EAP implementation is MOST secure?

EAP-TLS

You want to increase the security of your network by allowing only authenticated users to access network devices through a switch.

Which of the following should you implement?

802.1x authentication

What is 802.1x Authentication?

An authentication method used on a LAN to allow or deny access based on a port or connection to the network

Controlling access through a switch

You are adding switches to your network to support additional VLANs. Unfortunately, the new switches are from a different vendor than the current switches.

Which standard do you need to ensure that the switches are supported?

802.1Q

Which 802.1Q priority is IP phone traffic on a voice VLAN tagged with by default?

You want to implement 802.1x authentication on your wireless network. Where would you configure passwords that are used for authentication?

On a RADIUS server

You are the wireless network administrator for your organization. As the size of the organization has grown, you’ve decide to upgrade your wireless network to use 802.1x authentication instead of pre-shared keys.

To do this, you need to configure a RADIUS server and RADIUS clients. You want the server and the clients to mutually authenticate with each other.

What should you do? (Select two. Each response is a part of the complete solution.)

Configure all wireless access points with client certificates

Configure the RADIUS server with a server certificate

You want to connect a laptop computer running Windows to a wireless network.

The wireless network uses multiple access points and WPA2-Personal. You want to use the strongest authentication and encryption possible. SSID broadcast has been disabled.

What should you do?

Configure the connection with a pre-shared key and AES encryption

Which of the following devices would you use to perform a site survey?

Wi-Fi analyzer

Which of the following types of site surveys should be performed first?

Passive

You are concerned that wireless access points may have been deployed within your organization without authorization.

What should you do? (Select two. Each response is a complete solution.)

Check the MAC addresses of devices connected to your wired switch

Conduct a site survey

Which of the following is generated after a site survey and shows the Wi-Fi signal strength throughout the building?

Heat map

When setting up a new wireless access point, what is the first configuration change that should be made?

Default login

Which of the following is used on a wireless network to identify the network name?

Service Set Identifier (SSID)

Which of the following is responsible for broadcasting information and data over radio waves?

Wireless access point

Which class of wireless access point (WAP) has everything necessary to manage clients and broadcast a network already built into its functionality?

Fat

Which of the following wireless network protection methods prevents the wireless network name from being broadcast?

SSID broadcast

You have physically added a wireless access point to your network and installed a wireless networking card in two laptops that run Windows. Neither laptop can find the network. You have come to the conclusion that you must manually configure the access point (AP).

Which of the following values uniquely identifies the network AP?

SSID

You need to implement a wireless network link between two buildings on a college campus. A wired network has already been implemented within each building. The buildings are 100 meters apart.

Which type of wireless antenna should you use on each side of the link? (Select two.)

Parabolic

High-gain

The IT manager has tasked you with installing the new wireless LAN controller (WLC).

Where should you install the controller?

Network closet

Which type of wireless access point is generally used in a residential setting?

Small Office Home Office (SOHO) Router

You need to implement a solution to manage multiple access points in your organization. Which of the following would you most likely use?

Wireless LAN Controller (WLC)

You’ve just finished installing a wireless access point for a client. What should you do to prevent unauthorized users from using the access point (AP) configuration utility?

Change the administrative password on the AP

Users in the sales department perform many of their daily tasks, such as emailing and creating sales presentations, on their personal tablets.

The chief information officer worries that one of these users might also use their tablet to steal sensitive information from the organization’s network. Your job is to implement a solution that prevents insiders from accessing sensitive information stored on the organization’s network from their personal devices while still giving them access to the internet.

Which of the following should you implement?

A guest wireless network that is isolated from your organization’s production network

Your organization recently purchased a mixture of iOS and Android devices for use by the organization’s management team.

What is the BEST approach to defined and enforced app whitelists for these devices?

Enroll the devices in a mobile device management (MDM) system

Which of the following app deployment and update methods can be configured to make available to specific users and groups only the apps that they have rights to access?

App catalog

Users in the sales department perform many of their daily tasks, such as emailing and creating sales presentations, on company-owned tablets. These tablets contain sensitive information. If one of these tablets is lost or stolen, this information could end up in the wrong hands.

The chief information officer wants you to implement a solution that can be used to keep sensitive information from getting into the wrong hands if a device is lost or stolen.

Which of the following should you implement?

A mobile device management (MDM) infrastructure

A smartphone was lost at the airport. There is no way to recover the device. Which of the following ensures data confidentiality on the device?

Remote wipe

Which of the following mobile device security considerations disables the ability to use the device after a short period of inactivity?

Screen lock

Which of the following is a solution that pushes security policies directly to mobile devices over a network connection?

Mobile device management (MDM)

Mobile device management (MDM) provides the ability to do which of the following?

Track the device

Which of the following mobile device management (MDM) solutions is hardware-agnostic and supports many different brands of mobile devices?

Enterprise Mobility Management (EMM)

Which of the following mobile device management (MDM) solutions allows an organization to manage all devices, including printers, workstations, and even IoT devices?

Unified Endpoint Management (UEM)

Mobile application management (MAM) provides the ability to do which of the following?

Remotely install and uninstall apps

Your organization recently purchased 20 Android tablets for use by the organization’s management team.

You are using a Windows domain. Which of the following should you use to push security settings to the devices?

Intune

Which of the following is the recommend Intune configuration?

Intune Standalone

Which of the following Intune portals is used by end users to manage their own account and enroll devices?

Company portal

The IT manager has tasked you with configuring Intune. You have enrolled the devices and now need to set up the Intune policies.

Where would you go to set up the Intune policies?

In the Admin portal, select Policy > Add Policy

What is the minimum number of users needed in a Windows Enterprise agreement for Intune to be included?

500

Which of the following is the first phase of the Microsoft Intune application life cycle?

Add

What are the Microsoft Intune phases in order?

Add
Deploy
Configure
Protect

In which phase of the Microsoft Intune application life cycle would you assign an app to users and/or devices you manage and monitor them on the Azure portal?

Deploy

If a user’s BYOD device (such as a tablet or phone) is infected with malware, that malware can be spread if that user connects to your organization’s network. One way to prevent this event is to use a Network Access Control (NAC) system.

How does an NAC protect your network from being infected by a BYOD device?

The NAC remediates devices before allowing them to connect to your network

Which of the following could be an example of a malicious insider attack?

A user uses the built-in microphone to record conversations

Which device deployment model gives businesses significant control over device security while allowing employees to use their devices to access both corporate and personal data?

Corporate-Owned, Personally Enables (COPE)

Which of the following are true concerning virtual desktop infrastructure (VDI)? (Select two.)

User desktop environments are centrally hosted on servers instead of on individual desktop systems

In the event of a widespread malware infection, the administrator can quickly reimage all user desktops on a few central servers

Which of the following BEST describes a virtual desktop infrastructure (VDI)?

Provides enhanced security and better data protection because most of the data processing is provided by servers in the data center rather than on the local device

Which of the following is a collection of recorded data that may include details about logons, object access, and other activities deemed important by your security policy and is often used to detect unwanted and unauthorized user activity?

Audit trail

A recreation of historical events is made possible through which of the following?

Audit trails

Which of the following is true concerning internal audits?

They are generally nonobjective

Which component of an IT security audit evaluates defense in depth and IT-related fraud?

Risk evaluation

Which type of audit is performed by either a consultant or an auditing firm employee?

External audit

Which of the following methods can cloud providers implement to provide high availability?

Replication

Google Cloud, Amazon Web Services (AWS), and Microsoft Azure are some of the most widely used cloud storage solutions for enterprises. Which of the following factors prompt companies to take advantage of cloud storage? (Select two.)

Growing demand for storage

Need to bring costs down

Which area of focus do public-facing servers, workstations, Wi-Fi networks, and personal devices fall under?

Entry points

Which of the following objects identifies a set of users with similar access needs?

Group

Which type of group can be used for controlling access to objects?

Security

Which of the following tools allows the user to set security rules for an instance of an application that interacts with one organization and different security rules for an instance of the application when interacting with another organization?

Instance awareness

Cloud storage is a virtual service, so the infrastructure is the responsibility of the storage provider. Access control should be set as a local file system would be, with no need for the provider to have access to the stored data.

You are implementing the following measures to secure your cloud storage:
Verify that security controls are the same as in a physical data center.
Use data classification policies.
Assign information into categories that determine storage, handling, and access requirements.
Assign information classification based on information sensitivity and criticality.

Which of the following is another security measure you can implement?

Configure redundancy and distribution of data

Which of the following is a network security service that filters malware from user-side internet connections using different techniques?

Secure web gateway

Which of the following is a network device that is deployed in the cloud to protect against unwanted access to a private network?

Cloud-based firewall

Which type of firewall protects against packets coming from certain IP addresses?

Packet-filtering

Which type of firewall operates at Layer 7 of the OSI model?

Application layer

Your browser has blocked you from accessing your crucial secure intranet sites. What could be the problem?

Your SSL certificate status has been revoked

Which of the following identification and authentication factors are often well known or easily discovered by others on the same network or system?

Username

What should you do to a user account if the user goes on an extended vacation?

Disable the account

Tom Plask’s user account has been locked because he entered too many incorrect passwords. You need to unlock the account.

Click the tab in the properties of the Tom Plask user object you would use to unlock his account.

Account

Tom Plask was recently transferred to the Technical Support Department. He now needs access to the network resources used by tech support employees.

To grant him access, you need to add Tom Plask’s user account to the Support group in the Active Directory domain.

Click the tab in the properties of the Tom Plask user object you would use to accomplish this.

Member Of

You are creating a new Active Directory domain user account for the Rachel McGaffey user account. During the account setup process, you assigned a password to the new account.

However, you know that the system administrator should not know any user’s password for security reasons. Only the user should know his or her own password.

Click the option you would use in the New Object - User dialog to remedy this situation.

User must change password at next logon

One of your users, Karen Scott, has recently married and is now Karen Jones. She has requested that her username be changed from kscott to kjones with no other values changed.
Which of the following commands would accomplish this?

usermod -l kjones kscott

An employee named Bob Smith, whose username is bsmith, has left the company. You have been instructed to delete his user account and home directory.

Which of the following commands would produce the required outcome? (Select two.)

userdel bsmith;rm -rf /home/bsmith
userdel -r bsmith

Upon running a security audit in your organization, you discover that several sales employees are using the same domain user account to log in and update the company’s customer database.

Which action should you take? (Select two. Each response is part of a complete solution.)

Delete the account that the sales employees are currently using

Train sales employees to use their own user accounts to update the customer database

Mary, a user, is attempting to access her OneDrive from within Windows and is unable to.

Which of the following would be the MOST likely cause?

Mary needs to log in with a Microsoft account

Which of the following account types uses a single sign-on system that lets you access Windows, Office 365, Xbox Live, and more?

Microsoft

John, a user, is attempting to install an application but receives an error that he has insufficient privileges. Which of the following is the MOST likely cause?

John has a local standard user account

Which of the following account types is a cloud-based identity and access management service that provides access to both internal and external resources?

Azure AD

You’ve just deployed a new Cisco router that connects several network segments in your organization.

The router is physically located in a server room that requires an ID card to gain access. You’ve backed up the router configuration to a remote location in an encrypted file. You access the router configuration interface from your notebook computer by connecting it to the console port on the router. You’ve configured the management interface with a username of admin and a password of password.

What should you do to increase the security of this device?

Use a stronger administrative password

Which of the following are characteristics of a complex password? (Select two.)

Has a minimum of eight characters

Consists of letters, numbers, and symbols

You want to make sure that all users have passwords over eight characters in length and that passwords must be changed every 30 days.

What should you do?

Configure account policies in Group Policy

You are configuring the Local Security Policy of a Windows system. You want to require users to create passwords that are at least ten characters in length. You also want to prevent login after three unsuccessful login attempts.

Which policies should you configure? (Select two.)

Account lockout threshold

Minimum password length

You are teaching new users about security and passwords.

Which of the following is the BEST example of a secure password?

T1a73gZ9!

John, a network administrator, is looking to implement a new authentication method for his company’s secure server room. He wants a solution that does not require physical contact with the reader device and uses Radio Frequency Identification (RFID) technology.

Which type of smart card should John implement?

Contactless smart cards

Sarah, a cybersecurity analyst, is conducting a risk assessment on the use of smart cards in her organization. She is particularly concerned about a type of attack that deliberately induces malfunctions in the card.

Which of the following weaknesses of smart cards is Sarah worried about?

Fault generation

A user named Bob Smith has been assigned a new desktop workstation to complete his day-to-day work.

When provisioning Bob’s user account in your organization’s domain, you assigned an account name of BSmith with an initial password of bw2Fs3d.

On first login, Bob is prompted to change his password. He changes it to the name of his dog, Fido.

What should you do to increase the security of Bob’s account? (Select two.)

Use Group Policy to require strong passwords on user accounts

Train users not to use passwords that are easy to guess

You are configuring the Local Security Policy of a Windows system. You want to prevent users from reusing old passwords. You also want to force them to use a new password for at least five days before changing it again.

Which policies should you configure? (Select two.)

Minimum password age
Enforce password history

What is the effect of the following command?

chage -M 60 -W 10 jsmith

Sets the password for jsmith to expire after 60 days and gives a warning 10 days before expiration

You have just configured the password policy and set the minimum password age to 10.

What is the effect of this configuration?

Users cannot change the password for 10 days

Which chage option keeps a user from changing their password every two weeks?

-m 33

You have hired ten new temporary employees to be with the company for three months.

How can you make sure that these users can only log on during regular business hours?

Configure day/time restrictions in user accounts

Recently, a serious security breach occurred in your organization. An attacker was able to log in to the internal network and steal data through a VPN connection using the credentials assigned to a vice president in your organization.

For security reasons, all individuals in upper management in your organization have unlisted home phone numbers and addresses. However, security camera footage from the vice president’s home recorded someone rummaging through her garbage cans prior to the attack. The vice president admitted to writing her VPN login credentials on a sticky note that she subsequently threw away in her household trash. You suspect the attacker found the sticky note in the trash and used the credentials to log in to the network.

You’ve reviewed the vice president’s social media pages. You found pictures of her home posted, but you didn’t notice anything in the photos that would give away her home address. She assured you that her smartphone was never misplaced prior to the attack.

Which security weakness is the MOST likely cause of the security breach?

Geotagging was enabled on her smartphone

You have hired 10 new temporary workers who will be with the company for three months. You want to make sure that the user accounts cannot be used for login after that time period. What should you do?

Configure account expiration in the user accounts

There are registry-based settings that can be configured within a GPO to control the computer and the overall user experience, such as:

Use Windows features such as BitLocker, Offline Files, and Parental Controls
Customize the Start menu, taskbar, or desktop environment
Control notifications
Restrict access to Control Panel features
Configure Internet Explorer features and options

What are these settings known as?

Administrative templates

You want to ensure that all users in the Development OU have a common set of network communication security settings applied.

Which action should you take?

Create a GPO computer policy for the computers in the Development OU

You have several computers running Windows 10. The computers are members of a domain.

For all computers, you want to remove access to administrative tools from the Start menu and hide notifications from the system tray. What should you do?

Use Group Policy

A user has complained about not being able to remove a program that is no longer needed on a computer. The Programs and Features page is not available in Control Panel.

You suspect that a policy is enabled that hides this page from the user. But after opening the Local Group Policy Editor, you see that the Hide Programs and Features page is set to Not configured. You know that other users in this domain can access the Programs and Features page.

To determine whether the policy is enabled, where should you look next?

GPOs linked to organizational units that contain this user’s object

The Hide Programs and Features page setting is configured for a specific user as follows:

Policy Setting

Local Group Policy Enabled

Default Domain Policy GPO Not configured

GPO linked to the user’s
organizational unit Disabled

After logging in, the user is able to see the Programs and Features page. Why does this happen?

The GPO linked to the user’s organizational unit is applied last, so this setting takes precedence

Which statement is true regarding the application of GPO settings?

If a setting is defined in the Local Group Policy on the computer and not defined in the GPO linked to the OU, the setting is applied

Group Policy Objects (GPOs) are applied in which of the following orders?

Local Group Policy, GPO linked to site, GPO linked to domain, GPO linked to organizational unit (highest to lowest)

Which of the following identifies the type of access that is allowed or denied for an object?

Permissions

You manage an Active Directory domain. All users in the domain have a standard set of internet options configured by a GPO linked to the domain, but you want users in the Administrators OU to have a different set of internet options.

What should you do?

Create a GPO user policy for the Administrators OU

You have performed an audit and found an active account for an employee with the username joer. This user no longer works for the company.

Which command can you use to disable this account?

usermod -L joer

Which of the following terms identifies the process of reviewing log files for suspicious activity and threshold compliance?

Auditing

For users on your network, you want to automatically lock user accounts if four incorrect passwords are used within ten minutes.

What should you do?

Configure account lockout policies in Group Policy

Which of the following utilities could you use to lock a user account? (Select two.)

usermod
passwd

In the /etc/shadow file, which character in the password field indicates that a standard user account is locked?

You suspect that the gshant user account is locked.

Enter the command you would use in a shell to show the status of the user account.

passwd -S gshant

A manager has told you she is concerned about her employees writing their passwords for websites, network files, and database resources on sticky notes. Your office runs exclusively in a Windows environment.

Which tool could you use to prevent this behavior?

Credential Manager

KWalletManager is a Linux-based credential management system that stores encrypted account credentials for network resources.

Which encryption methods can KWalletManager use to secure account credentials? (Select two.)

Blowfish
GPG

You want to protect the authentication credentials you use to connect to the LAB server in your network by copying them to a USB drive.

Click the option you use in Credential Manager to protect your credentials.

Back Up Credentials

Which remote access authentication protocol allows for the use of smart cards for authentication?

EAP

Which of the following is a feature of MS-CHAP v2 that is not included in CHAP?

Mutual authentication

CHAP performs which of the following security functions?

Periodically verifies the identity of a peer using a three-way handshake

RADIUS is primarily used for what purpose?

Authenticating remote clients before access to the network is granted

You want to implement 802.1x authentication on your wireless network. Which of the following is required?

RADIUS

You are replacing a wired business network with an 802.11g wireless network. You currently use Active Directory on the company network as your directory service. The new wireless network has multiple wireless access points, and you want to use WPA2 on the network. What should you do to configure the wireless network? (Select two.)

Configure devices to run in infrastructure mode

Install a RADIUS server and use 802.1x authentication

Which of the following are characteristics of TACACS+? (Select two.)

Allows three different servers (one each for authentication, authorization, and accounting)

Uses TCP

Which of the following are differences between RADIUS and TACACS+?

RADIUS combines authentication and authorization into a single function; TACACS+ allows these services to be split between different servers

Which of the following is a characteristic of TACACS+?

Encrypts the entire packet, not just authentication packets

Which of the following ports are used with TACACS?

When using Kerberos authentication, which of the following terms is used to describe the token that verifies the user’s identity to the target system?

Ticket

You want to use Kerberos to protect LDAP authentication. Which authentication mode should you choose?

Simple Authentication and Security Layer (SASL)

A user has just authenticated using Kerberos. Which object is issued to the user immediately following login?

Ticket-granting ticket

Which access control model is based on assigning attributes to objects and using Boolean logic to grant access based on the attributes of the subject?

Attribute-Based Access Control (ABAC)

Which form of access control is based on job descriptions?

Role-Based Access Control (RBAC)

You have implemented an access control method that only allows users who are managers to access specific data. Which type of access control model is being used?

Role-Based Access Control (RBAC)

Which of the following is an example of rule-based access control?

Router access control lists that allow or deny traffic based on the characteristics of an IP packet

Which type of access control focuses on assigning privileges based on security clearance and data sensitivity?

Mandatory Access Control (MAC)

In which form of access control environment is access controlled by rules rather than identity?

MAC

Which form of access control enforces security based on user identities and allows individual users to define access controls over owned resources?

Discretionary Access Control (DAC)

You have a system that allows the owner of a file to identify users and their permissions to the file. Which type of access control model is implemented?

DAC

Which of the following is a privilege or action that can be taken on a system?

User rights

You have a file server named Srv3 that holds files used by the development department. You want to allow users to access the files over the network and control access to files accessed through the network or through a local logon.

Which solution should you implement?

NTFS permissions and share permissions

If Mark has a read-write permission to the share \fileserver\securefiles and a read-only permission to the file coolstuff.docx on the NTFS file system shared by the file share, he is able to perform which action?

Read the file

Which of the following items are contained in a digital certificate? (Select two.)

Public key

Validity period

Which aspect of a certificate makes it a reliable and useful mechanism for proving the identity of a person, system, or service on the internet?

It is a trusted third party

An SSL client has determined that the certificate authority (CA) issuing a server’s certificate is on its list of trusted CAs. What is the next step in verifying the server’s identity?

The CA’s public key must validate the CA’s digital signature on the server certificate

Which of the following is an entity that accepts and validates information contained within a request for a certificate?

Registration authority

Certificates can be invalidated by the trusted third party that originally issued the certificate. What is the name of the mechanism that is used to distribute information about invalid certificates?

Certificate Revocation List (CRL)

Which of the following best describes the contents of the CRL?

A list of all revoked certificates

Which of the following would require that a certificate be placed on the CRL?

The private key is compromised

To obtain a digital certificate and participate in a public key infrastructure (PKI), what must be submitted and where?

Identifying data and a certification request to the registration authority (RA)

A private key has been stolen. Which action should you take to deal with this crisis?

Add the digital certificate to the CRL

Which action is taken when the private key associated with a digital certificate becomes compromised?

The certificate is revoked and added to the Certificate Revocation List

Which technology was developed to help improve the efficiency and reliability of checking the validity status of certificates in large, complex environments?

Online Certificate Status Protocol

A PKI is an implementation for managing which type of encryption?

Asymmetric

Which of the following is a mechanism for granting and validating certificates?

PKI

You have just finished developing a new application. Before putting it on the website for users to download, you want to provide a checksum to verify that the object has not been modified.

Which of the following would you implement?

Code signing

In the certificate authority trust model known as a hierarchy, where does trust start?

Root CA

Which standard is most widely used for certificates?

X.509

What is the purpose of key escrow?

To provide a means for legal authorities to access confidential data

You are concerned that if a private key is lost, all documents encrypted with your private key will be inaccessible. Which service should you use to solve this problem?

Key escrow

Brainscape's Knowledge GenomeTM

B.3.3 Security+ SY0-601 Domain 3: Implementation Flashcards

338 questions (plus some of my own)

Brainscape's Knowledge Genome^TM