CertMaster Learn Lessons Flashcards
_______ is a means of redirecting users from a legitimate website to a malicious one that relies on corrupting the way the victim’s computer performs IP address resolution. This is illustrated in the bank customer scenario.
Pharming
__________ can make a phishing or hoax email more convincing. Used offensively, ______ means adding text that appears to have been generated by the mail system.
Prepending
How does an encryption algorithm protect against birthday attacks?
Encryption algorithms add salt when computing password hashes
A salt is an additional value stored with the hashed data field. The purpose of salt is to frustrate attempts to crack the hashes of passwords by dramatically decreasing the probability of collision. This will protect against birthday attacks.
__________ obscures the presence of a message and can be used to encode messages within TCP packet data fields to create a covert message channel for data exfiltration.
Steganography
Which two cryptographic functions can be combined to authenticate a sender and prove the integrity of a message?
Public key cryptography and hashing
Public key cryptography (public and private keys) can be used to authenticate a sender. Combine this with a hash output of the message and a secret (or private) key to create a message authentication code (MAC) to validate the integrity of the message.
_________ mitigates the risks from RSA key exchanges through the use of ephemeral session keys to maintain confidentiality.
Perfect forward security (PFS)
Compare and contrast the modes of operation for block ciphers. Which of the following statements is true?
ECB and CBC modes allow block ciphers to behave like stream ciphers.
CTM mode allows block ciphers to behave like stream ciphers.
ECB allows block ciphers to behave like stream ciphers.
CBC and CTM modes allow block ciphers to behave like stream ciphers.
CTM mode allows block ciphers to behave like stream ciphers.
Explanation - Counter Mode (CTM) combines each block with a counter value, allowing each block to be processed individually and in parallel, improving performance. This parallel processing is similar to how stream ciphers operate.
Tags - Lesson 5
A _____ is a small-sized block of data derived from another block of digital data for the purpose of detecting errors that may have been introduced during its transmission or storage. By themselves, _____ are often used to verify data integrity but are not relied upon to verify data authenticity.
Checksums
Digital certificates are based on the X.509 standard that defines the fields (or information) about a subject (or entity using the certificate) and the certificate’s issuer. Which of the following fields would not be included in a standard public certificate?
Extensions
Public key
Endorsement key
Subject
Endorsement Key
Explanation - An endorsement key is not required for a digital certificate. It is part of a Trusted Platform Module (TPM) and used to create subkeys for key storage, signature, and encryption operations.
An employee has requested a digital certificate for a user to access the Virtual Private Network (VPN). It is discovered that the certificate is also being used for digitally signing emails. Evaluate the possible extension attributes to determine which should be modified so that the certificate only works for VPN access.
Valid from/to
Extended key usage
Serial number
Public key
Extended key usage
Explanation - Set the Extended Key Usage (EKU) field of a certificate to define its usage. Applications such as virtual private network (VPN) or email clients may have specific requirements for key usage configuration.
A company has a critical encryption key that has an M-of-N control configuration for protection. Examine the examples and select the one that correctly illustrates the proper configuration for this type of protection of critical encryption keys.
M=1 and N=5
M=3 and N=5
M=6 and N=5
M=0 and N=5
M=3 and N=5
Explanation - A correct configuration for an M-of-N control is M=3 and N=5. M stands for the number of authorized administrators that must be present to access the critical encryption keys and N is the total number of authorized administrators. In this scenario, 3 of the 5 administrators must be present for access.
Consider the life cycle of an encryption key. Which of the following is NOT a stage in a key’s life cycle?
Storage
Verification
Expiration and renewal
Revocation
Verification
Explanation - Verification is not a stage in a key’s life cycle. It is part of the software development life cycle. The stages are: key generation, certificate generation, storage, revocation, and expiration and renewal.
A website with many subdomains has been issued a web server certificate for domain validation. This certificate verifies the parent domain and all subdomains (to a single level). This certificate is also known as which of the following?
SAN certificate
Wildcard certificate
Root certificate
Code signing certificate
Wildcard certificate
Explanation - A wildcard certificate, with a field entry for a wildcard domain such as *.comptia.org, means that the certificate issued to the parent domain will be accepted as valid for all subdomains (to a single level).
A Certificate Revocation List (CRL) has a publish period set to 24 hours. Based on the normal procedures for a CRL, what is the most applicable validity period for this certificate?
26 hours
Explanation - One or two hours over the publish period is considered normal, thus making 26 hours within the window.
Both Remote Access Dial-In User Service (RADIUS) and Terminal Access Controller Access-Control System (TACACS+) provide authentication, authorization, and accounting using a separate server (the AAA server). Based on the protocols’ authentication processes, select the true statements. (Select the best three choices.)
TACACS+ is open source and RADIUS is a proprietary protocol from Cisco.
RADIUS uses UDP by default and TACACS+ uses TCP.
TACACS+ encrypts the whole packet (except the header) and RADIUS only encrypts the password.
RADIUS is primarily used for network access and TACACS+ is primarily used for device administration.
RADIUS uses UDP by default and TACACS+ uses TCP.
TACACS+ encrypts the whole packet (except the header) and RADIUS only encrypts the password.
RADIUS is primarily used for network access and TACACS+ is primarily used for device administration.
Explanation -
RADIUS uses UDP by default over ports 1812 and 1813 and TACACS+ uses TCP on port 49.
TACACS+ encrypts the whole packet (except the header, which identifies the packet as TACACS+ data) and RADIUS only encrypts the password portion of the packet using MD5.
RADIUS is primarily used for network access for a remote user and TACACS+ is primarily used for device administration. TACACS+ provides centralized control for administrators to manage routers, switches, and firewall appliances, as well as user privileges.
P.S. - RADIUS is open source and TACACS+ is Cisco.
Based on knowledge of the fundamentals of One-time Passwords (OTP), which of the following choices represents the problem that exists with HMAC-based One-time Password Algorithm (HOTP) and is addressed by Time-based One-time Password Algorithm (TOTP)?
HOTP is not configured with a shared secret.
The server is not configured with a counter in HOTP.
Only the HOTP server computes the hash.
Tokens can be allowed to continue without expiring in HOTP.
Tokens can be allowed to continue without expiring in HOTP.
Explanation - Tokens can persist unexpired in HOTP, increasing the risk of an attacker obtaining one and decrypting data in the future. TOTP addresses this by adding a value to the shared secret derived from the device’s and server’s local timestamp. TOTP automatically expires each token after a short window of time.
Regarding the various tools of biometric authentication and their capabilities/limitations, which statement is accurate?
Retinal scanning is less intrusive than iris scanning.
Fingerprint scanners are the most widely used biometric authentication method.
Fingerprint scanners are more expensive but use a straightforward process.
Sensor modules are the most preferred biometric authentication method.
Fingerprint scanners are the most widely used biometric authentication method.
Explanation - Regarding biometric authentication, fingerprint scanning is the most widely implemented biometric authentication method.
Evaluate how identification and authentication are distinct in their functions. Which of the following scenarios best illustrates a user being authenticated?
A user accesses a system by having their face scanned.
A system administrator sets up a user account for a new employee after HR sends employment verification.
An administrator sends an initial password to a new telecommuting employee through a VPN.
A user is assigned an SID.
A user accesses a system by having their face scanned.
Explanation - A face scan is also known as biometrics, which is a “something you are” authentication. This is known as physiological biometric recognition.
Consider biometric methods that are used to authenticate a user. Knowing that errors are possible, which of the following would most likely result in a security breach?
False acceptance
False rejection
A low Crossover-Error-Rate (CER)
A low throughput
False acceptance
Explanation - Regarding biometric authentication, a false positive is where an unauthorized person is accepted, leading to possible security breaches. This is the False Acceptance Rate (FAR).
A user presents a smart card to gain access to a building. Authentication is handled through integration to a Windows server that’s acting as a certificate authority on the network. Review the security processes and conclude which are valid when using Kerberos authentication. (Select all that apply.)
Inputting a correct PIN authorizes the smart card’s cryptoprocessor to use its private key to create a Ticket Granting Ticket (TGT) request.
The smart card generates a one-time use Ticket Granting Service (TGS) session key and certificate.
The Authentication Server (AS) trusts the user’s certificate as it was issued by a local certification authority.
The Authentication Server (AS) is able to decrypt the request because it has a matching certificate.
Inputting a correct PIN authorizes the smart card’s cryptoprocessor to use its private key to create a Ticket Granting Ticket (TGT) request.
The Authentication Server (AS) trusts the user’s certificate as it was issued by a local certification authority.
Explanation -
Inputting a correct PIN authorizes the smart card’s cryptoprocessor to use its private key to create a Ticket Granting Ticket (TGT) request to an Authentication Server (AS).
The AS can place trust when the user’s certificate is issued by a local or third-party root certification authority.
Biometric authentication methods have different error rates, with some methods being easier to fool than others. An unauthorized user is unlikely to fool which of the following methods?
Fingerprint scan
Retinal scan
Facial recognition
Voice recognition
Retinal scan
Explanation - Biometric authentication based on a retinal scan is the hardest method to fool. Retinal scanning is used to identify the patterns of blood vessels within the eye, whereas an iris scan only uses the surface of the eye.
Analyze each scenario and determine which best describes the authentication process in an Identity and Access Management (IAM) system.
An account is created that identifies a user on the network.
A user logs into a system using a control access card (CAC) and PIN number.
An Access Control List (ACL) is updated to allow a new user access to only the databases that are required to perform their job.
A report is reviewed that shows every successful and unsuccessful login attempt on a server.
A user logs into a system using a control access card (CAC) and PIN number.
Explanation - Authentication proves that a subject is who or what it claims to be when it attempts to access the resource. A CAC and PIN login are examples of authentication.
Evaluate the following controls that have been set by a system administrator for an online retailer. Determine which statement demonstrates the identification control within the Identity and Access Management (IAM) system.
A control is set to force a customer to log into their account prior to reviewing and editing orders.
A control is set to cancel automatic shipments for any customer that has an expired credit card on file.
A control is set to ensure that billing and primary delivery addresses are valid.
A control is set to record the date, time, IP address, customer account number, and order details for each order.
A control is set to ensure that billing and primary delivery addresses are valid.
Explanation - Identification controls are set to ensure that customers are legitimate. An example is to ensure that billing and primary delivery addresses are real and valid.
An Identity and Access Management (IAM) system has four main processes. Which of the following is NOT one of the main processes?
Accounting
Identification
Integrity
Authentication
Integrity
Explanation - Integrity is the fundamental security goal of keeping organizational information accurate, free of errors, and without unauthorized modifications. However, it is not part of the IAM system. IAM defines the attributes that comprise an entity’s identity. The four processes include Authorization, Accounting, Identification, and Authentication.
An employee is working on a team to build a directory of systems they are installing in a classroom. The team is using the Lightweight Directory Access Protocol (LDAP) to update the X.500 directory. Utilizing the standards of an X.500 directory, which of the following distinguished names is the employee most likely to recommend?
OU=Univ,DC=local,CN=user,CN=system1
CN=system1,CN=user,OU=Univ,DC=local
CN=user,DC=local,OU=Univ,CN=system1
DC=system1,OU=Univ,CN=user,DC=local
CN=system1,CN=user,OU=Univ,DC=local
Explanation - A distinguished name is a unique identifier for any given resource within an X.500-like directory and is made up of attribute=value pairs, separated by commas. The most specific attribute is listed first, and then successive attributes become progressively broader.
A Windows systems administrator needs to grant the users in the finance department with read-only access to a folder named ‘Invoices.’ What would be the proper and most manageable way to go about granting this access?
Add the security group ‘Finance’ to the NTFS permissions with ‘Read’ rights.
Add each user account in the finance department to the NTFS permissions with ‘Read’ rights.
Add the security group ‘Finance’ to the NTFS permissions with ‘Modify’ rights.
Add each user account in the finance department to the NTFS permissions with ‘Modify’ rights.
Add the security group ‘Finance’ to the NTFS permissions with ‘Read’ rights.
Explanation - Adding the security group ‘Finance’ with ‘Read’ permissions to the Invoice folder will allow any user that is added to the Finance group to access the folder with the proper read-only permissions.
Consider the role trust plays in federated identity management and determine which models rely on networks to establish trust relationships. (Select all that apply.)
SAML
OAuth
OpenID
LDAP
SAML
OAuth
OpenID
Explanation -
Security Assertion Markup Language (SAML) is an identity federation format used to exchange authentication information between the principal, the service provider, and the identity provider.
Authentication and authorization for a RESTful API is often implemented using the Open Authorization (OAuth) protocol.
OpenID is an identity federation method enabling user authentication on cooperating websites by a third-party authentication service.
Examine the tradeoff between traditional password policy complexity requirements and updated practical suggestions from the National Institute of Standards and Technology (NIST) and select the statement that fits both practical password management and traditional complexity requirements.
Passwords should be easy to remember and can include spaces and repetitive strings of numbers (like 987654).
Passwords should be easy to remember, but should never use spaces.
Passwords should be written in plain text in a common password repository held secure by an IT staff member.
Passwords should not contain dictionary words or contextual information, such as a username or the company name.
Passwords should not contain dictionary words or contextual information, such as a username or the company name.
Explanation - Traditional password complexity rules (that is, no use of the username within the password and a combination of at least eight upper/lower case alphanumeric and non-alphanumeric characters) often result in users writing down passwords. NIST recommends only blocking common passwords, such as dictionary words, repetitive strings (like 12345678), and contextual information.
Windows has several service account types, typically used to run processes and background services. Which of the following statements about service accounts is FALSE?
The Network service account and the Local service account have the same privileges as the standard user account.
Any process created using the system account will have full privileges over the local computer.
The local service account creates the host processes and starts Windows before the user logs on.
The Local Service account can only access network resources as an anonymous user.
The local service account creates the host processes and starts Windows before the user logs on.
Explanation - The System account, not the Local Service account, creates the host processes that start Windows before the user logs on.
A senior administrator is teaching a new technician how to properly develop a standard naming convention in Active Directory (AD). Examine the following responses and determine which statements are sound advice for completing this task. (Select all that apply.)
Create as many root-level containers and nest containers as deeply as needed
Consider grouping Organizational Units (OU) by location or department
Build groups based on department, and keep all accounts, both standard and administrative, in the same group
Within each root-level Organizational Unit (OU), use separate child OUs for different types of objects
Consider grouping Organizational Units (OU) by location or department
Within each root-level Organizational Unit (OU), use separate child OUs for different types of objects
Explanation -
Organizational Units (OUs) represent administrative boundaries. They allow the enterprise administrator to delegate administrative responsibility for users and resources in different locations or departments. An OU grouped by location will be sufficient if different IT departments are responsible for services in different geographic locations. An OU grouped by department is more applicable if different IT departments are responsible for supporting different business functions.
An Internet Service Provider’s (ISP) customer network is under a Distributed Denial of Service (DDoS) attack. The ISP decides to use a blackhole as a remedy. How does the ISP justify their decision?
A blackhole drops packets for the affected IP address(es) and is in a separate area of the network that does not reach any other part of the network.
A blackhole makes the attack less damaging to the ISP’s other customers and continues to send legitimate traffic to the correct destination.
A blackhole routes traffic destined to the affected IP address to a different network. Here, the ISP can analyze and identify the source of the attack, to devise rules to filter it.
A blackhole is preferred, as it evaluates each packet in a multi-gigabit stream against an Access Control List (ACL) without overwhelming the processing resources.
A blackhole drops packets for the affected IP address(es) and is in a separate area of the network that does not reach any other part of the network.
Explanation - A blackhole drops packets for the affected IP address(es) and is in a separate area of the network that does not reach any other part of the network.
There are several types of security zones on a network. Analyze network activities to determine which of the following does NOT represent a security zone.
DMZ
Screened host
Wireless
Guest network
Screened host
Explanation - A screened host is when a smaller network accesses the Internet using a dual-homed proxy/gateway server.
Given knowledge of load balancing and clustering techniques, which configuration provides consistent performance and partial fault tolerance for applications like streaming audio and video services?
Active/Passive clustering
Active/Active clustering
First in, First out (FIFO) clustering
Fault tolerant clustering
Active/Passive clustering
Explanation - In active/passive clustering, if the active node suffers a fault, the connection can failover to the passive node, without performance degradation.
Which statement best describes the difference between session affinity and session persistence?
With persistence, once a client device establishes a connection, it remains with the node that first accepted its request, while an application-layer load balancer uses session affinity to keep a client connected by setting up a cookie.
Session affinity makes node scheduling decisions based on health checks and processes incoming requests based on each node’s load. Session persistence makes scheduling decisions on a first in, first out (FIFO) basis.
With session affinity, when a client establishes a session, it remains with the node that first accepted its request, while an application-layer load balancer uses persistence to keep a client connected by setting up a cookie.
Session persistence makes scheduling decisions based on traffic priority and bandwidth considerations, while session affinity makes scheduling decisions based on which node is available next.
With session affinity, when a client establishes a session, it remains with the node that first accepted its request, while an application-layer load balancer uses persistence to keep a client connected by setting up a cookie.
Explanation - Session affinity is a layer 4 approach to handling user sessions. When a client establishes a session, it stays with the node that first accepted the request.
Where should an administrator place an internet-facing host on the network?
DMZ
Bastion host
Extranet
Private network
DMZ
Explanation - Internet-facing hosts reside in one or more Demilitarized Zones (DMZs), or perimeter networks. Traffic cannot pass through a DMZ, but it enables external clients to access data on private systems, such as web servers, without compromising the security of the entire internal network.
An attacker tricks a host within a subnet into routing through an attacker’s machine, rather than the legitimate default gateway, allowing the attacker to eavesdrop on communications and perform a Man-in-the-Middle (MitM) attack. Compare the types of routing vulnerabilities and conclude what the attacker is exploiting in this scenario.
Route injection
Denial of service
ARP poisoning
Source routing
ARP poisoning
Explanation - ARP poisoning occurs by tricking hosts on the subnet into routing through the attacker’s machine rather than the legitimate default gateway. This allows the attacker to eavesdrop on communications and perform replay or MitM attacks.
Identify the attack that can be launched by running software against the CAM table on the same switch as the target.
MAC flooding
MAC spoofing
ARP poisoning attack
LLMNR
MAC flooding
Explanation - MAC flooding is a variation of an ARP poisoning attack. While ARP poisoning is directed at hosts, MAC flooding is used to attack a switch.
Analyze the available detection techniques and determine which are useful in identifying a rogue system through software management. (Select all that apply.)
Visual inspection of ports and switches will prevent rogue devices from accessing the network.
Network mapping is an easy way to reveal the use of unauthorized protocols on the network or unusual traffic volume.
Intrusion detection and NAC are security suites and appliances that combine automated network scanning with defense and remediation suites to prevent rogue devices from accessing the network.
Wireless monitoring can reveal whether there are unauthorized access points.
Intrusion detection and NAC are security suites and appliances that combine automated network scanning with defense and remediation suites to prevent rogue devices from accessing the network.
Wireless monitoring can reveal whether there are unauthorized access points.
Explanation -
Intrusion detection and NAC are security suites and appliances that can combine automated network scanning with defense and remediation suites to prevent rogue devices from accessing the network.
Wireless monitoring can reveal the presence of unauthorized or malicious access points and stations.
Evaluate the typical weaknesses found in network architecture and determine which statement best aligns with a security weakness.
A company has a single network channel.
A company has many different systems to operate one service.
A company has a habit of implementing quick fixes.
A company has a flat network architecture.
A company has a flat network architecture.
Explanation - Overdependence on perimeter security occurs when the network architecture is flat. If an attacker can penetrate the network edge, the attacker will then have freedom of movement throughout the entire network.
Tags - Lesson 9
A hotel guest opens their computer and logs into the Wi-Fi without prompting the guest for a username and password. Upon opening an internet browser, a splash page appears that requests the guest’s room number and last name for authentication. Which type of authentication is the hotel utilizing?
Protected
Extensive
Group
Open
Open
Explanation - Mostly used on a public access point, open authentication does not require the client to authenticate, as it sends data over the link unencrypted. When combined with a secondary authentication mechanism, a browser can manage open authentication. The secondary authentication redirects the client to a captive portal or a splash page.
A network manager suspects that a wireless network is undergoing a deauthentication attack. Applying knowledge of wireless network attacks, which scenario best supports the network manager’s suspicion?
A network experiences radio interference, which causes connectivity issues for users. The users disconnect from the network, and upon reauthenticating, they log on to an evil twin Access Point (AP).
An attacker creates an Access Point (AP) using a similar name as a legitimate AP, in an attempt to have users authenticate through the rogue AP in order to gain authentication information.
A rogue Access Point (AP) captures user logon attempts. The attacker uses this information to authenticate to the system and obtain critical data.
A group of users suddenly disconnects from the network. When the users reconnect, they actually connect to an evil twin Access Point (AP), which gives an attacker information about authentication.
A group of users suddenly disconnects from the network. When the users reconnect, they actually connect to an evil twin Access Point (AP), which gives an attacker information about authentication.
Explanation - A deauthentication attack, coupled with the use of a rogue AP, sends a stream of spoofed deauth frames to cause a client to deauthenticate from the AP. This may allow the attacker to interpose the rogue AP or to sniff information about the authentication process.
Given that layer 2 does not recognize Time to Live, evaluate the potential problems to determine which of the following options prevents this issue.
ICMP
BPDU
ARP
STP
STP
Explanation - STP (Spanning Tree Protocol) is a switching protocol that prevents network loops by dynamically disabling links as needed. Since layer 2 protocol has no concept of Time To Live, layer 2 broadcast traffic could continue to loop through a network with multiple paths indefinitely.
Which statement regarding attacks on media access control (MAC) addresses accurately pairs the method of protection and what type of attack it guards against? (Select all that apply.)
MAC filtering guards against MAC snooping.
Dynamic Host Configuration Protocol (DHCP) snooping guards against MAC spoofing.
MAC filtering guards against MAC spoofing.
DAI guards against invalid MAC addresses.
Dynamic Host Configuration Protocol (DHCP) snooping guards against MAC spoofing.
DAI guards against invalid MAC addresses.
Explanation - In MAC filtering, a switch will record the specified number of MACs allowed to connect to a port, but then drop any traffic from other MAC addresses.
DHCP snooping inspects traffic arriving on access ports to ensure that a host is not trying to spoof its MAC address.
A network administrator conducts a network assessment to determine where to implement a network intrusion detection system (NIDS). Which sensor deployment option is most ideal if the admin is concerned about system overloads and resiliency in the event of power loss?
Passive test access point (TAP)
Active test access point (TAP)
Aggregation test access point (TAP)
Switched port analyzer (SPAN)/mirror port
Passive test access point (TAP)
Explanation - With a passive TAP, the monitor port receives every frame—corrupt, malformed, or not—and load does not affect copying.
A ________ is a hardware device that copies network traffic between two endpoints in a network. __s are also known as Ethernet or Network _____
TAP aka Test Access Point
Compare and contrast the characteristics of the various types of firewalls and select the correct explanation of a packet-filtering firewall.
A firewall’s ACL only allows the minimum amount of traffic required for the operation of valid network services and no more
A firewall that maintains stateful information about the connection between two hosts
A firewall that analyzes HTTP headers and the HTML code to identify code that matches a pattern
A stand-alone firewall implemented with routed interfaces or as a virtual wire transparent firewall
A firewall’s ACL only allows the minimum amount of traffic required for the operation of valid network services and no more
Explanation - An administrator configures a packet-filtering firewall by specifying a group of rules called an Access Control List (ACL). Each rule defines a specific type of data packet and the appropriate action to take when a packet matches the rule.
GUESS..THAT..FIREWALL
A Layer 3 firewall technology that compares packet headers against ACLs to determine which network traffic to accept.
Packet Filtering Firewall
GUESS..THAT..FIREWALL
A type of firewall that does not preserve information about the connection between two hosts. Often used to describe packet-filtering firewalls.
Each packet is analyzed independently, with no record of previously processed packets.
Stateless firewall
GUESS..THAT..FIREWALL
A technique used in firewalls to analyze packets down to the application layer rather than filtering packets only by header information, enabling the firewall to enforce tighter security.
Stateful inspection
GUESS..THAT..FIREWALL
A Layer 7 firewall technology that inspects packets at the Application layer of the OSI model.
Application-aware firewalls
GUESS..THAT..FIREWALL
A standalone hardware device that performs only the function of a firewall, which is embedded into the appliance’s firmware.
Appliance Firewall
GUESS..THAT..FIREWALL
A software application running on a single host and designed to protect only that host.
Host-Based Firewall
GUESS..THAT..FIREWALL
Software designed to run on a server to protect a particular application such as a web server or SQL server.
Application Firewall
GUESS..THAT..FIREWALL
A software-based firewall running on a network server OS, such as Windows or Linux, so that the server can function as a gateway or proxy for a network segment.
Network operating system (NOS) firewall