CertMaster Learn Lessons Flashcards

1
Q

_______ is a means of redirecting users from a legitimate website to a malicious one that relies on corrupting the way the victim’s computer performs IP address resolution. This is illustrated in the bank customer scenario.

A

Pharming

2
Q

__________ can make a phishing or hoax email more convincing. Used offensively, ______ means adding text that appears to have been generated by the mail system.

A

Prepending

3
Q

How does an encryption algorithm protect against birthday attacks?

A

Encryption algorithms add salt when computing password hashes

A salt is an additional value stored with the hashed data field. The purpose of salt is to frustrate attempts to crack the hashes of passwords by dramatically decreasing the probability of collision. This will protect against birthday attacks.

4
Q

__________ obscures the presence of a message and can be used to encode messages within TCP packet data fields to create a covert message channel for data exfiltration.

A

Steganography

5
Q

Which two cryptographic functions can be combined to authenticate a sender and prove the integrity of a message?

A

Public key cryptography and hashing

Public key cryptography (public and private keys) can be used to authenticate a sender. Combine this with a hash output of the message and a secret (or private) key to create a message authentication code (MAC) to validate the integrity of the message.

6
Q

_________ mitigates the risks from RSA key exchanges through the use of ephemeral session keys to maintain confidentiality.

A

Perfect forward security (PFS)

7
Q

Compare and contrast the modes of operation for block ciphers. Which of the following statements is true?

ECB and CBC modes allow block ciphers to behave like stream ciphers.
CTM mode allows block ciphers to behave like stream ciphers.
ECB allows block ciphers to behave like stream ciphers.
CBC and CTM modes allow block ciphers to behave like stream ciphers.

A

CTM mode allows block ciphers to behave like stream ciphers.

Explanation - Counter Mode (CTM) combines each block with a counter value, allowing each block to be processed individually and in parallel, improving performance. This parallel processing is similar to how stream ciphers operate.

Tags - Lesson 5

8
Q

A _____ is a small-sized block of data derived from another block of digital data for the purpose of detecting errors that may have been introduced during its transmission or storage. By themselves, _____ are often used to verify data integrity but are not relied upon to verify data authenticity.

A

Checksums

9
Q

Digital certificates are based on the X.509 standard that defines the fields (or information) about a subject (or entity using the certificate) and the certificate’s issuer. Which of the following fields would not be included in a standard public certificate?

Extensions
Public key
Endorsement key
Subject

A

Endorsement Key

Explanation - An endorsement key is not required for a digital certificate. It is part of a Trusted Platform Module (TPM) and used to create subkeys for key storage, signature, and encryption operations.

10
Q

An employee has requested a digital certificate for a user to access the Virtual Private Network (VPN). It is discovered that the certificate is also being used for digitally signing emails. Evaluate the possible extension attributes to determine which should be modified so that the certificate only works for VPN access.

Valid from/to
Extended key usage
Serial number
Public key

A

Extended key usage

Explanation - Set the Extended Key Usage (EKU) field of a certificate to define its permitted uses. Applications such as virtual private network (VPN) or email clients may impose specific requirements on the key usage configuration.

11
Q

A company has a critical encryption key that has an M-of-N control configuration for protection. Examine the examples and select the one that correctly illustrates the proper configuration for this type of protection of critical encryption keys.

M=1 and N=5
M=3 and N=5
M=6 and N=5
M=0 and N=5

A

M=3 and N=5

Explanation - A correct configuration for an M-of-N control is M=3 and N=5. M stands for the number of authorized administrators that must be present to access the critical encryption keys and N is the total number of authorized administrators. In this scenario, 3 of the 5 administrators must be present for access.

12
Q

Consider the life cycle of an encryption key. Which of the following is NOT a stage in a key’s life cycle?

Storage
Verification
Expiration and renewal
Revocation

A

Verification

Explanation - Verification is not a stage in a key’s life cycle. It is part of the software development life cycle. The stages are: key generation, certificate generation, storage, revocation, and expiration and renewal.

13
Q

A website with many subdomains has been issued a web server certificate for domain validation. This certificate verifies the parent domain and all subdomains (to a single level). This certificate is also known as which of the following?

SAN certificate
Wildcard certificate
Root certificate
Code signing certificate

A

Wildcard certificate

Explanation - A wildcard certificate with a field entry of a wildcard domain such as *.comptia.org means that the certificate issued to the parent domain will be accepted as valid for all subdomains (to a single level).

14
Q

A Certificate Revocation List (CRL) has a publish period set to 24 hours. Based on the normal procedures for a CRL, what is the most applicable validity period for this certificate?

A

26 hours

Explanation - One or two hours over the publish period is considered normal, which places 26 hours within the expected window.

15
Q

Both Remote Access Dial-In User Service (RADIUS) and Terminal Access Controller Access-Control System (TACACS+) provide authentication, authorization, and accounting using a separate server (the AAA server). Based on the protocols’ authentication processes, select the true statements. (Select the best three choices.)

TACACS+ is open source and RADIUS is a proprietary protocol from Cisco.

RADIUS uses UDP by default and TACACS+ uses TCP.

TACACS+ encrypts the whole packet (except the header) and RADIUS only encrypts the password.

RADIUS is primarily used for network access and TACACS+ is primarily used for device administration.

A

RADIUS uses UDP by default and TACACS+ uses TCP.

TACACS+ encrypts the whole packet (except the header) and RADIUS only encrypts the password.

RADIUS is primarily used for network access and TACACS+ is primarily used for device administration.

Explanation -
RADIUS uses UDP by default over ports 1812 and 1813 and TACACS+ uses TCP on port 49.

TACACS+ encrypts the whole packet (except the header, which identifies the packet as TACACS+ data) and RADIUS only encrypts the password portion of the packet using MD5.

RADIUS is primarily used for network access for a remote user and TACACS+ is primarily used for device administration. TACACS+ provides centralized control for administrators to manage routers, switches, and firewall appliances, as well as user privileges.

P.S. - RADIUS is open source and TACACS+ is Cisco.

16
Q

Based on knowledge of the fundamentals of One-time Passwords (OTP), which of the following choices represents the problem that exists with HMAC-based One-time Password Algorithm (HOTP) and is addressed by Time-based One-time Password Algorithm (TOTP)?

HOTP is not configured with a shared secret.
The server is not configured with a counter in HOTP.
Only the HOTP server computes the hash.
Tokens can be allowed to continue without expiring in HOTP.

A

Tokens can be allowed to continue without expiring in HOTP.

Explanation - Tokens can persist unexpired in HOTP, increasing the risk of an attacker obtaining one and decrypting data in the future. TOTP addresses this by adding a value to the shared secret derived from the device’s and server’s local timestamp. TOTP automatically expires each token after a short window of time.

17
Q

Regarding the various tools of biometric authentication and their capabilities/limitations, which statement is accurate?

Retinal scanning is less intrusive than iris scanning.

Fingerprint scanners are the most widely used biometric authentication method.

Fingerprint scanners are more expensive but use a straightforward process.

Sensor modules are the most preferred biometric authentication method.

A

Fingerprint scanners are the most widely used biometric authentication method.

Explanation - Regarding biometric authentication, fingerprint scanning is the most widely implemented biometric authentication method.

18
Q

Evaluate how identification and authentication are distinct in their functions. Which of the following scenarios best illustrates a user being authenticated?

A user accesses a system by having their face scanned.

A system administrator sets up a user account for a new employee after HR sends employment verification.

An administrator sends an initial password to a new telecommuting employee through a VPN.

A user is assigned an SID.

A

A user accesses a system by having their face scanned.

Explanation - A face scan is also known as biometrics, which is a “something you are” authentication. This is known as physiological biometric recognition.

19
Q

Consider biometric methods that are used to authenticate a user. Knowing that errors are possible, which of the following would most likely result in a security breach?

False acceptance
False rejection
A low Crossover-Error-Rate (CER)
A low throughput

A

False acceptance

Explanation - Regarding biometric authentication, a false positive is where an unauthorized person is accepted, leading to possible security breaches. This is the False Acceptance Rate (FAR).

20
Q

A user presents a smart card to gain access to a building. Authentication is handled through integration to a Windows server that’s acting as a certificate authority on the network. Review the security processes and conclude which are valid when using Kerberos authentication. (Select all that apply.)

Inputting a correct PIN authorizes the smart card’s cryptoprocessor to use its private key to create a Ticket Granting Ticket (TGT) request.

The smart card generates a one-time use Ticket Granting Service (TGS) session key and certificate.

The Authentication Server (AS) trusts the user’s certificate as it was issued by a local certification authority.

The Authentication Server (AS) is able to decrypt the request because it has a matching certificate.

A

Inputting a correct PIN authorizes the smart card’s cryptoprocessor to use its private key to create a Ticket Granting Ticket (TGT) request.

The Authentication Server (AS) trusts the user’s certificate as it was issued by a local certification authority.

Explanation -
Inputting a correct PIN authorizes the smart card’s cryptoprocessor to use its private key to create a Ticket Granting Ticket (TGT) request to an Authentication Server (AS).

The AS can place trust when the user’s certificate is issued by a local or third-party root certification authority.

21
Q

Biometric authentication methods have different error rates, with some methods being easier to fool than others. An unauthorized user is unlikely to fool which of the following methods?

Fingerprint scan
Retinal scan
Facial recognition
Voice recognition

A

Retinal scan

Explanation - Biometric authentication based on a retinal scan is the hardest method to fool. Retinal scanning is used to identify the patterns of blood vessels within the eye, whereas an iris scan only uses the surface of the eye.

22
Q

Analyze each scenario and determine which best describes the authentication process in an Identity and Access Management (IAM) system.

An account is created that identifies a user on the network.
A user logs into a system using a control access card (CAC) and PIN number.
An Access Control List (ACL) is updated to allow a new user access to only the databases that are required to perform their job.
A report is reviewed that shows every successful and unsuccessful login attempt on a server.

A

A user logs into a system using a control access card (CAC) and PIN number.

Explanation - Authentication proves that a subject is who or what it claims to be when it attempts to access the resource. A CAC and PIN login is an example of authentication.

23
Q

Evaluate the following controls that have been set by a system administrator for an online retailer. Determine which statement demonstrates the identification control within the Identity and Access Management (IAM) system.

A control is set to force a customer to log into their account prior to reviewing and editing orders.
A control is set to cancel automatic shipments for any customer that has an expired credit card on file.
A control is set to ensure that billing and primary delivery addresses are valid.
A control is set to record the date, time, IP address, customer account number, and order details for each order.

A

A control is set to ensure that billing and primary delivery addresses are valid

Explanation - Identification controls are set to ensure that customers are legitimate. An example is to ensure that billing and primary delivery addresses are real and valid.

24
Q

An Identity and Access Management (IAM) system has four main processes. Which of the following is NOT one of the main processes?

Accounting
Identification
Integrity
Authentication

A

Integrity

Explanation - Integrity is the fundamental security goal of keeping organizational information accurate, free of errors, and without unauthorized modifications. However, it is not part of the IAM system. IAM defines the attributes that comprise an entity’s identity. The four processes include Authorization, Accounting, Identification, and Authentication.

25
Q

An employee is working on a team to build a directory of systems they are installing in a classroom. The team is using the Lightweight Directory Access Protocol (LDAP) to update the X.500 directory. Utilizing the standards of an X.500 directory, which of the following distinguished names is the employee most likely to recommend?

OU=Univ,DC=local,CN=user,CN=system1
CN=system1,CN=user,OU=Univ,DC=local
CN=user,DC=local,OU=Univ,CN=system1
DC=system1,OU=Univ,CN=user,DC=local

A

CN=system1,CN=user,OU=Univ,DC=local

Explanation - A distinguished name is a unique identifier for any given resource within an X.500-like directory and is made up of attribute=value pairs, separated by commas. The most specific attribute is listed first, and successive attributes become progressively broader.

26
Q

A Windows systems administrator needs to grant the users in the finance department read-only access to a folder named ‘Invoices.’ What would be the proper and most manageable way to go about granting this access?

Add the security group ‘Finance’ to the NTFS permissions with ‘Read’ rights.
Add each user account in the finance department to the NTFS permissions with ‘Read’ rights.
Add the security group ‘Finance’ to the NTFS permissions with ‘Modify’ rights.
Add each user account in the finance department to the NTFS permissions with ‘Modify’ rights.

A

Add the security group ‘Finance’ to the NTFS permissions with ‘Read’ rights.

Explanation - Adding the security group ‘Finance’ with ‘Read’ permissions to the ‘Invoices’ folder will allow any user that is added to the Finance group to access the folder with the proper read-only permissions.

27
Q

Consider the role trust plays in federated identity management and determine which models rely on networks to establish trust relationships. (Select all that apply.)

SAML
OAuth
OpenID
LDAP

A

SAML
OAuth
OpenID

Explanation -
Security Assertion Markup Language (SAML) is an identity federation format used to exchange authentication information between the principal, the service provider, and the identity provider.

Authentication and authorization for a RESTful API is often implemented using the Open Authorization (OAuth) protocol.

OpenID is an identity federation method enabling user authentication on cooperating websites by a third-party authentication service.

28
Q

Examine the tradeoff between traditional password policy complexity requirements and updated practical suggestions from the National Institute of Standards and Technology (NIST) and select the statement that fits both practical password management and traditional complexity requirements.

Passwords should be easy to remember and can include spaces and repetitive strings of numbers (like 987654).
Passwords should be easy to remember, but should never use spaces.
Passwords should be written in plain text in a common password repository held secure by an IT staff member.
Passwords should not contain dictionary words or contextual information, such as a username or the company name.

A

Passwords should not contain dictionary words or contextual information, such as a username or the company name

Explanation - Traditional password complexity rules (that is, no use of the username within the password and a combination of at least eight upper/lower case alphanumeric and non-alphanumeric characters) often result in users writing down passwords. NIST recommends only blocking common passwords, such as dictionary words, repetitive strings (like 12345678), and contextual information.

29
Q

Windows has several service account types, typically used to run processes and background services. Which of the following statements about service accounts is FALSE?

The Network service account and the Local service account have the same privileges as the standard user account.
Any process created using the system account will have full privileges over the local computer.
The local service account creates the host processes and starts Windows before the user logs on.
The Local Service account can only access network resources as an anonymous user.

A

The local service account creates the host processes and starts Windows before the user logs on.

Explanation - The System account, not the Local Service account, creates the host processes that start Windows before the user logs on.

30
Q

A senior administrator is teaching a new technician how to properly develop a standard naming convention in Active Directory (AD). Examine the following responses and determine which statements are sound advice for completing this task. (Select all that apply.)

Create as many root-level containers and nest containers as deeply as needed
Consider grouping Organizational Units (OU) by location or department
Build groups based on department, and keep all accounts, both standard and administrative, in the same group
Within each root-level Organizational Unit (OU), use separate child OUs for different types of objects

A

Consider grouping Organizational Units (OU) by location or department

Within each root-level Organizational Unit (OU), use separate child OUs for different types of objects

Explanation -
Organizational Units (OUs) represent administrative boundaries. They allow the enterprise administrator to delegate administrative responsibility for users and resources in different locations or departments. An OU grouped by location will be sufficient if different IT departments are responsible for services in different geographic locations. An OU grouped by department is more applicable if different IT departments are responsible for supporting different business functions.

31
Q

An Internet Service Provider’s (ISP) customer network is under a Distributed Denial of Service (DDoS) attack. The ISP decides to use a blackhole as a remedy. How does the ISP justify their decision?

A blackhole drops packets for the affected IP address(es) and is in a separate area of the network that does not reach any other part of the network.
A blackhole makes the attack less damaging to the ISP’s other customers and continues to send legitimate traffic to the correct destination.
A blackhole routes traffic destined to the affected IP address to a different network. Here, the ISP can analyze and identify the source of the attack, to devise rules to filter it.
A blackhole is preferred, as it evaluates each packet in a multi-gigabit stream against an Access Control List (ACL) without overwhelming the processing resources.

A

A blackhole drops packets for the affected IP address(es) and is in a separate area of the network that does not reach any other part of the network.

Explanation - A blackhole drops packets for the affected IP address(es) and is in a separate area of the network that does not reach any other part of the network.

32
Q

There are several types of security zones on a network. Analyze network activities to determine which of the following does NOT represent a security zone.

DMZ
Screened host
Wireless
Guest network

A

Screened host

Explanation - A screened host is when a smaller network accesses the Internet using a dual-homed proxy/gateway server.

33
Q

Given knowledge of load balancing and clustering techniques, which configuration provides consistent performance and partial fault tolerance for applications like streaming audio and video services?

Active/Passive clustering
Active/Active clustering
First in, First out (FIFO) clustering
Fault tolerant clustering

A

Active/Passive clustering

Explanation - In active/passive clustering, if the active node suffers a fault, the connection can failover to the passive node, without performance degradation.

34
Q

Which statement best describes the difference between session affinity and session persistence?

With persistence, once a client device establishes a connection, it remains with the node that first accepted its request, while an application-layer load balancer uses session affinity to keep a client connected by setting up a cookie.
Session affinity makes node scheduling decisions based on health checks and processes incoming requests based on each node’s load. Session persistence makes scheduling decisions on a first in, first out (FIFO) basis.
With session affinity, when a client establishes a session, it remains with the node that first accepted its request, while an application-layer load balancer uses persistence to keep a client connected by setting up a cookie.
Session persistence makes scheduling decisions based on traffic priority and bandwidth considerations, while session affinity makes scheduling decisions based on which node is available next.

A

With session affinity, when a client establishes a session, it remains with the node that first accepted its request, while an application-layer load balancer uses persistence to keep a client connected by setting up a cookie.

Explanation - Session affinity is a layer 4 approach to handling user sessions. When a client establishes a session, it stays with the node that first accepted the request.

35
Q

Where should an administrator place an internet-facing host on the network?

DMZ
Bastion host
Extranet
Private network

A

DMZ

Explanation - Internet-facing hosts reside in one or more Demilitarized Zones (DMZs), or perimeter networks. Traffic cannot pass through a DMZ, but it enables external clients to access data on private systems, such as web servers, without compromising the security of the entire internal network.

36
Q

An attacker tricks a host within a subnet into routing through an attacker’s machine, rather than the legitimate default gateway, allowing the attacker to eavesdrop on communications and perform a Man-in-the-Middle (MitM) attack. Compare the types of routing vulnerabilities and conclude what the attacker is exploiting in this scenario.

Route injection
Denial of service
ARP poisoning
Source routing

A

ARP poisoning

Explanation - ARP poisoning occurs by tricking hosts on the subnet into routing through the attacker’s machine rather than the legitimate default gateway. This allows the attacker to eavesdrop on communications and perform replay or MitM attacks.

37
Q

Identify the attack that can be launched by running software against the CAM table on the same switch as the target.

MAC flooding
MAC spoofing
ARP poisoning attack
LLMNR

A

MAC flooding

Explanation - MAC flooding is a variation of an ARP poisoning attack. While ARP poisoning is directed at hosts, MAC flooding is used to attack a switch.

38
Q

Analyze the available detection techniques and determine which are useful in identifying a rogue system through software management. (Select all that apply.)

Visual inspection of ports and switches will prevent rogue devices from accessing the network.
Network mapping is an easy way to reveal the use of unauthorized protocols on the network or unusual traffic volume.
Intrusion detection and NAC are security suites and appliances that combine automated network scanning with defense and remediation suites to prevent rogue devices from accessing the network.
Wireless monitoring can reveal whether there are unauthorized access points.

A

Intrusion detection and NAC are security suites and appliances that combine automated network scanning with defense and remediation suites to prevent rogue devices from accessing the network.

Wireless monitoring can reveal whether there are unauthorized access points.

Explanation -
Intrusion detection and NAC are security suites and appliances that can combine automated network scanning with defense and remediation suites to prevent rogue devices from accessing the network.

Wireless monitoring can reveal the presence of unauthorized or malicious access points and stations.

39
Q

Evaluate the typical weaknesses found in network architecture and determine which statement best aligns with a security weakness.

A company has a single network channel.
A company has many different systems to operate one service.
A company has a habit of implementing quick fixes.
A company has a flat network architecture.

A

A company has a flat network architecture

Explanation - Overdependence on perimeter security occurs when the network architecture is flat. If an attacker can penetrate the network edge, the attacker will then have freedom of movement throughout the entire network.

Tags - Lesson 9

40
Q

A hotel guest opens their computer and logs into the Wi-Fi without prompting the guest for a username and password. Upon opening an internet browser, a splash page appears that requests the guest’s room number and last name for authentication. Which type of authentication is the hotel utilizing?

Protected
Extensive
Group
Open

A

Open

Explanation - Mostly used on a public access point, open authentication does not require the client to authenticate, as it sends data over the link unencrypted. When combined with a secondary authentication mechanism, a browser can manage open authentication. The secondary authentication redirects the client to a captive portal or a splash page.

41
Q

A network manager suspects that a wireless network is undergoing a deauthentication attack. Applying knowledge of wireless network attacks, which scenario best supports the network manager’s suspicion?

A network experiences radio interference, which causes connectivity issues for users. The users disconnect from the network, and upon reauthenticating, they log on to an evil twin Access Point (AP).
An attacker creates an Access Point (AP) using a similar name as a legitimate AP, in an attempt to have users authenticate through the rogue AP in order to gain authentication information.
A rogue Access Point (AP) captures user logon attempts. The attacker uses this information to authenticate to the system and obtain critical data.
A group of users suddenly disconnects from the network. When the users reconnect, they actually connect to an evil twin Access Point (AP), which gives an attacker information about authentication.

A

A group of users suddenly disconnects from the network. When the users reconnect, they actually connect to an evil twin Access Point (AP), which gives an attacker information about authentication.

Explanation - A deauthentication attack, coupled with the use of a rogue AP, sends a stream of spoofed deauth frames to cause a client to deauthenticate from the AP. This may allow the attacker to interpose the rogue AP or to sniff information about the authentication process.

42
Q

Given that layer 2 does not recognize Time to Live, evaluate the potential problems to determine which of the following options prevents this issue.

ICMP
BPDU
ARP
STP

A

STP

Explanation - STP (Spanning Tree Protocol) is a switching protocol that prevents network loops by dynamically disabling links as needed. Since layer 2 protocols have no concept of Time To Live, layer 2 broadcast traffic could continue to loop through a network with multiple paths indefinitely.

43
Q

Which statement regarding attacks on media access control (MAC) addresses accurately pairs the method of protection and what type of attack it guards against? (Select all that apply.)

MAC filtering guards against MAC snooping.
Dynamic Host Configuration Protocol (DHCP) snooping guards against MAC spoofing.
MAC filtering guards against MAC spoofing.
DAI guards against invalid MAC addresses

A

Dynamic Host Configuration Protocol (DHCP) snooping guards against MAC spoofing.

DAI guards against invalid MAC addresses

Explanation - In MAC filtering, a switch will record the specified number of MACs allowed to connect to a port, but then drop any traffic from other MAC addresses.

DHCP snooping inspects traffic arriving on access ports to ensure that a host is not trying to spoof its MAC address.

44
Q

A network administrator conducts a network assessment to determine where to implement a network intrusion detection system (NIDS). Which sensor deployment option is most ideal if the admin is concerned about system overloads and resiliency in the event of power loss?

Passive test access point (TAP)
Active test access point (TAP)
Aggregation test access point (TAP)
Switched port analyzer (SPAN)/mirror port

A

Passive test access point (TAP)

**Explanation **- With a passive TAP, the monitor port receives a copy of every frame on the link, corrupt or malformed frames included, and the copy is made by splitting the signal rather than by the switch CPU, so sensor load does not affect what is captured. A passive TAP has no powered components in the data path, so the production link stays up even if the TAP or the sensor loses power. A SPAN/mirror port is a low-priority function of the switch that drops mirrored frames under load, and an active TAP needs power and must be specified with a bypass mode to fail open.

45
Q

A ________ is a hardware device that copies network traffic between two endpoints in a network. __s are also known as Ethernet or Network _____

A

TAP aka Test Access Point

46
Q

Compare and contrast the characteristics of the various types of firewalls and select the correct explanation of a packet-filtering firewall.

A firewall’s ACL only allows the minimum amount of traffic required for the operation of valid network services and no more
A firewall that maintains stateful information about the connection between two hosts
A firewall that analyzes HTTP headers and the HTML code to identify code that matches a pattern
A stand-alone firewall implemented with routed interfaces or as a virtual wire transparent firewall

A

A firewall’s ACL only allows the minimum amount of traffic required for the operation of valid network services and no more

**Explanation **- An administrator configures a packet-filtering firewall by specifying an ordered group of rules called an Access Control List (ACL). Each rule matches on layer 3/4 header fields (source and destination address, protocol, port numbers, TCP flags) and states the action, allow or drop, to take when a packet matches; the first matching rule wins, and a default deny at the end of the list implements the principle of allowing only the traffic that valid services need.

47
Q

GUESS..THAT..FIREWALL

A Layer 3 firewall technology that compares packet headers against ACLs to determine which network traffic to accept.

A

Packet Filtering Firewall

48
Q

GUESS..THAT..FIREWALL

A type of firewall that does not preserve information about the connection between two hosts. Often used to describe packet-filtering firewalls.

Each packet is analyzed independently, with no record of previously processed packets.

A

Stateless firewall

49
Q

GUESS..THAT..FIREWALL

A technique used in firewalls that keeps a state table of the connections it has seen (for TCP, the handshake and sequence numbers; for UDP and ICMP, pseudo-sessions keyed on addresses, ports and timers) and admits an inbound packet only when it belongs to a connection that an inside host initiated, rather than judging each packet by its headers alone. Stateful multilayer or deep packet inspection extends the same idea to application-layer content, enabling the firewall to enforce tighter security than a stateless filter.

A

Stateful inspection
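
The difference between the packet-filtering (stateless) firewall of the previous cards and stateful inspection is easiest to see on a few packets. The following is an added example, not code from the course material: a stateless ACL that must admit any inbound packet from source port 80 so that web replies get back, next to a stateful filter that admits inbound packets only when they match a connection recorded in its state table. The addresses (10.0.0.0/24 inside, 203.0.113.0/24 and 198.51.100.0/24 outside) are documentation ranges chosen for the example, and the traffic is constructed.

```python
"""Stateless packet filtering versus stateful inspection on constructed traffic.

Added example, not from the course material. Addresses are documentation ranges
chosen for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    direction: str  # "out" = inside host to internet, "in" = internet to inside host


# Stateless ACL: ordered rules, first match wins, implicit deny at the end.
# Rule = (direction, source port, destination port, action); None = any port.
# To let web replies back in, a stateless ACL must admit anything from port 80.
STATELESS_ACL = [
    ("out", None, 80, "allow"),
    ("in", 80, None, "allow"),
]


def stateless_filter(pkt):
    """Judge one packet on its headers alone, with no memory of earlier packets."""
    for direction, sport, dport, action in STATELESS_ACL:
        if (pkt.direction == direction
                and (sport is None or pkt.sport == sport)
                and (dport is None or pkt.dport == dport)):
            return action
    return "deny"


class StatefulFirewall:
    """Admit inbound packets only if they answer a connection the inside opened."""

    def __init__(self):
        # state table entries: (inside_ip, inside_port, remote_ip, remote_port)
        self.table = set()

    def filter(self, pkt):
        if pkt.direction == "out" and pkt.dport == 80:
            self.table.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "allow"
        if pkt.direction == "in":
            key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
            return "allow" if key in self.table else "deny"
        return "deny"


def run(packets):
    """Return the verdict lists of the stateless and the stateful firewall."""
    fw = StatefulFirewall()
    return [stateless_filter(p) for p in packets], [fw.filter(p) for p in packets]


# Constructed traffic: a legitimate request and its reply, then an unsolicited
# inbound packet that spoofs source port 80 to reach SMB (445) on the same client.
SAMPLE = [
    Packet("10.0.0.5", 51000, "203.0.113.10", 80, "out"),
    Packet("203.0.113.10", 80, "10.0.0.5", 51000, "in"),
    Packet("198.51.100.7", 80, "10.0.0.5", 445, "in"),
]

if __name__ == "__main__":
    stateless, stateful = run(SAMPLE)
    for p, a, b in zip(SAMPLE, stateless, stateful):
        print(f"{p.src}:{p.sport} -> {p.dst}:{p.dport}  stateless={a}  stateful={b}")
```

The third packet is the point: the stateless ACL allows it because its headers match the "replies from port 80" rule, while the stateful firewall drops it because no inside host ever opened a connection to 198.51.100.7.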

50
Q

GUESS..THAT..FIREWALL

A Layer 7 firewall technology that inspects packets at the Application layer of the OSI model.

A

Application aware firewalls

51
Q

GUESS..THAT..FIREWALL

A standalone hardware device that performs only the function of a firewall, which is embedded into the appliance’s firmware.

A

Appliance Firewall

52
Q

GUESS..THAT..FIREWALL

A software application running on a single host and designed to protect only that host.

A

Host-Based Firewall

53
Q

GUESS..THAT..FIREWALL

Software designed to run on a server to protect a particular application such as a web server or SQL server.

A

Application Firewall

54
Q

GUESS..THAT..FIREWALL

A software-based firewall running on a network server OS, such as Windows or Linux, so that the server can function as a gateway or proxy for a network segment.

A

Network operating system (NOS) firewall

55
Q

A server that redirects requests and responses without the client being explicitly configured to use it. Also referred to as a forced or intercepting proxy.

A

Transparent Proxy Server

56
Q

A server that redirects requests and responses for clients configured with the proxy address and port.

A

Non-transparent Proxy server

57
Q

Maps multiple private host IP addresses onto a single public IP address. Each outbound connection, rather than each host, is tracked by assigning it a unique high-numbered source port (TCP or UDP) on the public address; the translation table maps that port back to the originating private address and port so replies reach the right host.

A

PAT aka Port Address Translation

58
Q

Which of the following solutions best addresses data availability concerns that may arise with the use of application-aware next-generation firewalls (NGFW) and unified threat management (UTM) solutions?

Signature-based detection system
Active or passive test access point (TAP)
Secure web gateway (SWG)
Network-based intrusion prevention system (IPS)

A

Active or passive test access point (TAP)

An NGFW or UTM appliance deployed inline is a single point of failure: if it crashes, loses power or becomes overloaded, traffic through it stops. Feeding a monitoring sensor from a TAP keeps the analysis out of the forwarding path. A passive TAP splits the signal with no powered components, so the production link stays up whatever the state of the TAP or the sensor; an active (powered) TAP regenerates the signal and should be specified with a fail-open bypass so that loss of power does not take the link down. Either way the security tool can fail without affecting availability of the monitored link.

59
Q

Compare and analyze the types of firewalls available to differentiate between them. Choose the answer with the most correct description.

Packet filtering firewalls operate at layer 5 of the OSI model, while circuit-level stateful inspection firewalls operate at layer 3.
An appliance firewall is also known as a stateful multilayer inspection or a deep packet inspection. An application aware firewall is a stand-alone hardware firewall that performs the function of a firewall only.
A packet filtering firewall maintains stateful information about a connection between two hosts and implements an appliance firewall as a software application running on a single host.
An application firewall can analyze the HTTP headers to identify code that matches a pattern, while an appliance firewall monitors all traffic passing into and out of a network segment.

A

An application firewall can analyze the HTTP headers to identify code that matches a pattern, while an appliance firewall monitors all traffic passing into and out of a network segment.

**Explanation **- An application firewall can inspect the contents of packets at the application layer and can analyze the HTTP headers. It also analyzes the HTML code present in HTTP packets, to try to identify code that matches a pattern in its threat database.

60
Q

Which of the following are types of log collection for SIEM? (Select all that apply.)

Log aggregation
Firewall
Agent-based
Listener/Collector

A

Agent-based
Listener/Collector

61
Q

Which of the following considerations is most important when employing a signature-based intrusion detection system?

The system may produce false positives and block legitimate activity.
The system must create a valid baseline signature of normal activity.
Signatures and rules must be kept up to date to protect against emerging threats.
Signatures and rules must be able to detect zero-day attacks.

A

Signatures and rules must be kept up to date to protect against emerging threats.

Explanation - A signature-based IDS compares traffic against a database of patterns for known attacks, so it can only detect what its ruleset describes: a stale ruleset leaves it blind to new exploits and to variants of old ones, and it cannot detect zero-day attacks by definition. Building a baseline of normal activity is a requirement of anomaly or behaviour-based detection (network behaviour and anomaly detection, NBAD), which uses heuristics to build a statistical model of normal traffic and generates false positives and false negatives until the model improves; it is not a requirement of signature matching. An IDS only alerts, so blocking legitimate activity is a concern for an IPS. A false positive is where legitimate behaviour generates an alert.

62
Q

Which of the following would be the BEST way to monitor a cloud-based microservice architecture?
SNMP traps
API inspection
IPS
IPsec

A

API Inspection

In a microservice architecture almost all meaningful activity is an API call from one service to another or from a client to a gateway, so API inspection (monitoring the calls, their authentication, parameters, volumes and error rates, typically at an API gateway) is where that behaviour is visible. SNMP traps, an IPS and IPsec operate at the host or network level and see little of the inter-service traffic. API testing is the related development-time activity that verifies an API meets expected functionality, security, performance and reliability.

63
Q

Which of the following would be the BEST method of sending data to a specific port number on a remote device?

netcat
dig
route
traceroute

A

netcat

The netcat command, also known as nc, is a command-line utility that reads and writes raw data over TCP or UDP connections, which makes it the tool for pushing arbitrary input to a chosen port. Listener (receiving) side, writing whatever arrives to a file:

nc -l -p 1234 > output.txt

Sending side, pushing the contents of a file to that port on a remote host (192.0.2.10 is an example address):

nc 192.0.2.10 1234 < input.txt

The -p flag with -l is the traditional and GNU netcat syntax; the OpenBSD nc shipped with many distributions takes the port directly (nc -l 1234). dig queries DNS, and route and traceroute work with routing tables and paths, not with application data.

64
Q

Which security framework is mandatory for US federal agencies and includes a six step process?
SSAE SOC 2 Type I/II
CIS CSC
CSA CCM
NIST RMF

A

NIST RMF

The NIST Risk Management Framework (RMF) provides a comprehensive, flexible, repeatable, and measurable 6-step process that any organization can use to manage information security and privacy risk for organizations and systems and links to a suite of NIST standards and guidelines to support implementation of risk

Note that the current revision of SP 800-37 (Revision 2) adds a Prepare step ahead of Categorize, Select, Implement, Assess, Authorize and Monitor, so newer NIST material describes seven steps. SOC 2, the CIS Critical Security Controls and the CSA Cloud Controls Matrix are voluntary, not mandated for federal agencies.

65
Q

Which of these features is available when using MAM?
FDE
Automated failover
Encrypted tunnels
Multiple authentication factors
Enterprise app catalog

A

Enterprise App Catalog

66
Q

A system administrator would like to identify all known vulnerabilities on a remote device. Which of the following would be the BEST choice for this task?

Nessus
dnsenum
theHarvester
scanless
Cuckoo

A

Nessus

67
Q

While you can use tools such as dig and whois to query name records and hosting details and to check that external DNS services are not leaking too much information, a tool such as _______ packages a number of tests into a single query

A

dnsenum

68
Q

Utility for command-line manipulation of URL-based protocol requests.

A

curl

69
Q

Utility for gathering results from open source intelligence queries.

A

theHarvester

70
Q

A command-line packet sniffing utility.

  • Linux/UNIX (libpcap based)
A

tcpdump

71
Q

_________ is an open-source packet-crafting and spoofing tool that lets a penetration tester build custom TCP/IP packets (arbitrary flags, spoofed source addresses, fragmentation, custom payloads) to probe how firewalls and IDSs respond and to find weaknesses in their rules.

A

hping

72
Q

a framework designed for penetration test reporting and evidence gathering. It can integrate with other tools such as Metasploit and Nikto to run automated suites of tests. Results can be displayed as web reports.

A

Sn1per

73
Q

A host or network account that is designed to run a background service, rather than to log on interactively.

A

service account

74
Q

An account with no credential (guest) or one where the credential is known to multiple persons.

A

shared account

75
Q

A library of programming utilities used, for example, to enable software developers to access functions of the TCP/IP network stack under a particular operating system.

A

Application Programming Interface (API)

76
Q

The value assigned to an account by Windows and that is used by the operating system to identify that account.

A

Security Identifier (SID)

77
Q

An attacker has circumvented a security control by modifying their MAC address. Which of the following would describe this attack type?
Malicious script
Denial of service
Rogue access point
Cloning
Jamming

A

Cloning

78
Q

A data center optimizes the cooling process by specifying the orientation of equipment during installation. Which of the following would describe this technique?
Air gap
Hot and cold aisles
Faraday cage
Dual power supplies
USB data blocker

A

Hot and cold aisles

79
Q

A security engineer would like to connect a private cloud subnet to other cloud services. Which of the following would be the BEST choice?
SSL VPN
Container
WPA3
VPC gateway
Default route

A

VPC gateway

A virtual private cloud (VPC) is an isolated network segment within a public cloud. To reach other cloud services, the subnet's route table points the relevant destinations at a gateway: an internet gateway for public internet access, a NAT gateway for outbound-only access, or a VPC (gateway) endpoint that carries traffic to a provider service such as object storage over the provider's private network without traversing the internet. The endpoint is the target of a route-table entry for the service's address range, so no VPN, tunnel or default route to the internet is needed.

80
Q

Which of the following would be MOST associated with AIS?
0-day attacks
Encrypted tunnel
Syslog
Data exfiltration
STIX and TAXII

A

STIX and TAXII

81
Q

A database has been modified so that every person listed in the database has been replaced with a completely different first and last name. Which of the following would BEST describe this modification?
OSINT
Pseudonymization
Intelligence fusion
Proxy
Fake telemetry

A

Pseudonymization

Anonymization strips or generalizes PII so that a record can no longer be linked to a person, and is irreversible. Pseudonymization replaces identifying fields with substitutes (here, fabricated names) while a separate, access-controlled mapping lets authorized staff re-identify a record, so it reduces exposure but is reversible. Tokenization is a form of pseudonymization in which each sensitive value is swapped for a random token and the real value is held only in a token vault; unlike encryption, the token is not derived mathematically from the value, so there is no key that recovers it.
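
The following is an added example, not part of the flashcard set, showing the mechanics behind that distinction: a keyed hash (HMAC-SHA256) turns each identifying field into a consistent pseudonym, so records for the same person still join across tables, while the key and the re-identification table are held apart from the dataset. The records are constructed sample data and the 32-byte key is a placeholder for one kept in a key management system.

```python
"""Pseudonymization with a keyed hash and a separate re-identification table.

Added example, not from the course material. The record set below is
constructed, and the key is a placeholder for one held in a KMS.
"""
import hashlib
import hmac
import secrets

IDENTIFYING_FIELDS = ("first_name", "last_name")


class Pseudonymizer:
    def __init__(self, key=None):
        # The key is what makes this reversible only by authorized parties rather
        # than a plain hash that anyone could recompute from a guessed name.
        self.key = key if key is not None else secrets.token_bytes(32)
        # pseudonym -> original value; stored apart from the dataset, access-controlled
        self.lookup = {}

    def pseudonym(self, field, value):
        # Same key + same value -> same pseudonym, so records for one person still
        # join across tables; the field name is mixed in so the same string used as
        # a first name and as a last name gets distinct pseudonyms.
        mac = hmac.new(self.key, f"{field}\x00{value}".encode(), hashlib.sha256).hexdigest()
        token = f"{field}_{mac[:16]}"
        self.lookup[token] = value
        return token

    def pseudonymize(self, record):
        return {k: (self.pseudonym(k, v) if k in IDENTIFYING_FIELDS else v)
                for k, v in record.items()}

    def reidentify(self, token):
        """Only code with access to this object's table can reverse a pseudonym."""
        return self.lookup[token]


RECORDS = [  # constructed sample data
    {"first_name": "Ada", "last_name": "Lovelace", "balance": 120.50},
    {"first_name": "Ada", "last_name": "Lovelace", "balance": 99.00},
    {"first_name": "Alan", "last_name": "Turing", "balance": 42.00},
]

if __name__ == "__main__":
    p = Pseudonymizer()
    for rec in RECORDS:
        print(p.pseudonymize(rec))
```

Re-keying the pseudonymizer produces an unrelated set of pseudonyms, which is how a dataset released to one party is kept from being joined with a dataset released to another.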

82
Q

A user inputs a PIN during the login process. Which of the following would describe this authentication method?
TOTP
Push notification
Static code
Attestation
Federation

A

Static code

83
Q

Which of these best describes authentication that is genuine with high confidence?
Counterintelligence
Non-repudiation
Integrity
E-discovery
Hashing

A

Non-repudiation

84
Q

Which of the following would be the BEST example of a detective security control?

Backup
IPS
Security policy
Hot site
Fence

A

IPS

An IPS detects attacks by inspecting traffic and alerting on matches, which is the detective function; because it can also drop the offending traffic it is commonly classed as preventive as well. None of the other options detects anything: backups and a hot site are corrective/recovery controls, a security policy is a managerial control, and a fence is a physical preventive or deterrent control.

85
Q

Which of these would BEST describe a ZIP bomb?

Directory traversal
NULL pointer dereference
API attack
Resource exhaustion
Memory leak

A

Resource exhaustion

A zip bomb (also called a decompression bomb, compression bomb, archive bomb or zip of death) is a small archive that expands to an enormous size when unpacked, for example a few kilobytes of compressed zeros that inflate to gigabytes, or nested archives that expand recursively. Anything that extracts it without limits, such as an antivirus scanner or a file-upload handler, exhausts disk, memory or CPU and crashes or stalls. The defence is to check declared uncompressed sizes and compression ratios before extracting, and to cap the bytes actually written during extraction, since the declared sizes themselves can lie.
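
As an added example (not from the flashcard set), the check an upload handler would run before unpacking an archive. It reads only the central-directory metadata, rejects archives whose declared total size or compression ratio exceeds an assumed policy limit, and streams a member out with a hard byte cap so that a lying header cannot get past the pre-check. The two archives are constructed in memory: a benign text file and 20 MiB of zeros, which deflate compresses roughly a thousandfold.

```python
"""Decompression-bomb guard: metadata pre-check plus capped streaming extraction.

Added example, not from the course material. The limits are assumed policy
values; both archives are constructed in memory for the demonstration.
"""
import io
import zipfile

MAX_TOTAL_UNCOMPRESSED = 64 * 1024 * 1024  # assumed policy: 64 MiB per archive
MAX_RATIO = 100                            # assumed policy: reject > 100:1


def archive_is_safe(data, max_total=MAX_TOTAL_UNCOMPRESSED, max_ratio=MAX_RATIO):
    """Inspect the central directory without extracting anything.

    Declared sizes come from the attacker-controlled header, so this is a cheap
    first filter; the extraction step below enforces the limit on real bytes.
    """
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        total = 0
        for info in zf.infolist():
            total += info.file_size
            if total > max_total:
                return False
            if info.compress_size and info.file_size / info.compress_size > max_ratio:
                return False
    return True


def safe_extract_member(data, name, max_bytes):
    """Stream one member to memory, aborting as soon as max_bytes is exceeded."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf, zf.open(name) as member:
        out = bytearray()
        while True:
            chunk = member.read(64 * 1024)
            if not chunk:
                return bytes(out)
            out += chunk
            if len(out) > max_bytes:
                raise ValueError(f"{name}: decompressed size exceeded {max_bytes} bytes")


def build_zip(members):
    """Helper to construct a deflate-compressed archive from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


BENIGN = build_zip({"readme.txt": b"hello world\n" * 10})
BOMB = build_zip({"zeros.bin": b"\x00" * (20 * 1024 * 1024)})  # ~20 KiB on disk

if __name__ == "__main__":
    print("benign archive passes:", archive_is_safe(BENIGN))
    print("bomb archive passes:  ", archive_is_safe(BOMB))
    try:
        safe_extract_member(BOMB, "zeros.bin", max_bytes=1024 * 1024)
    except ValueError as exc:
        print("extraction stopped:", exc)
```

Note that the ratio test alone is not enough (a bomb can be split into many members that each look modest), which is why the total-size cap and the streaming cap are both present.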

86
Q

Which of the following would be the best way to prevent a worm entering the network through a USB flash drive?

Screened subnet
SIEM
DLP
NGFW
DNS sinkhole

A

DLP

DLP stands for Data Loss Prevention. DLP is a cybersecurity solution that prevents data breaches by blocking the extraction of sensitive data. DLP can also be used for internal security and regulatory compliance.
USB blocking is a data loss prevention technique that helps to ensure the security of data.

87
Q

Which of the following is commonly used to verify device drivers during Windows startup?

802.1X
TPM
ELAM
HSM
RBAC

A

ELAM

Early Launch Anti-Malware (ELAM), introduced in Windows 8 and present in later versions, is an anti-malware driver that Windows loads before other boot-start drivers so that it can evaluate each of them, non-Microsoft drivers in particular, and classify it as known good, known bad or unknown before it is initialized. Secure Boot and Trusted Boot verify the signatures of the boot loader and kernel that run before ELAM; a TPM records the measurements but does not itself evaluate drivers.

88
Q

A pentester is gathering OSINT prior to a scheduled test. Which of the following would be the BEST choice for this task?
Nmap
curl
Nessus
theHarvester
Cuckoo

A

theHarvester

89
Q

A prospective employee was dropped from a job consideration after receiving the results of a background check. Which of the following describes this process?
Offboarding
NDA
PII
Adverse action
Contingency planning

A

Adverse action

90
Q

Which of the following would use rules to limit API communication?
TLS
VPN
WAF
SSH
NAT

A

WAF

A web application firewall (WAF) is a type of firewall that protects web applications and APIs by filtering and monitoring HTTP traffic between the application and its clients. Its rules can restrict the methods, paths, parameters, payload schemas and request rates an API accepts, and protect against attacks such as cross-site request forgery (CSRF), cross-site scripting (XSS), file inclusion and SQL injection. TLS, a VPN and SSH only encrypt the transport and NAT only rewrites addresses; none of them inspects API calls.

91
Q

Which of the following allows the browser to check for certificate revocation?
CA
TLS
CN
CSR
OCSP

A

OCSP

OCSP or Online Certificate Status Protocol is an internet protocol that checks the validity status of a certificate in real-time. It is an alternative to CRL or Certificate Revocation Lists.

92
Q

Which of the following provides a knowledge base of adversary tactics and techniques?

MITRE ATT&CK framework

SSAE SOC 2

ISO 31000

EAP-TTLS

Diamond model

A

MITRE ATT&CK framework

93
Q

Which security control would be MOST associated with a backup generator?

Compensating

Detective

Physical

Managerial

Preventive

A

Compensating

94
Q

Which of the following would be the BEST way to randomize multiple hashes of the same data?
VPN
SDN
Salt
FDE
Key exchange

A

Salt

95
Q

Which of the following would determine which laws would apply to stored data?

Diffusion
Data-at-rest
Sovereignty
Masking
Information Rights Management

A

Sovereignty

96
Q

Which of the following would be the MOST secure way of viewing traffic statistics from a router?

SMB
RDP
Telnet
FTPS
SNMPv3

A

SNMPv3

Unlike SNMPv1 and SNMPv2c, SNMP version 3 supports authentication and encryption. This means that SNMP data cannot be read after capture, and only authorized users can access specific object identifiers. However, the additional security methods make SNMPv3 more complex and challenging to configure

97
Q

A security administrator would like to restrict application use to a predefined set of apps. Which of the following would BEST describe this security type?
Deny list
DLP
Quarantine
Approved list
Segmentation

A

Approved list

98
Q

A company has determined that laptops valued at $50,000 have been stolen over the last calendar year. Which of the following would describe this value?
Inherent risk
SLE
ARO
Risk appetite
ALE

A

ALE

ALE (annualized loss expectancy) = SLE × ARO, where SLE (single loss expectancy) is the loss from one incident and ARO (annualized rate of occurrence) is how many times a year it is expected to happen. A total of $50,000 in laptops stolen over a calendar year is the annualized figure, whatever the value of any single laptop.

99
Q

An EAP method developed by Cisco as a replacement for LEAP. ______ does not require a certificate authority while aiming to provide a higher level of security.

The problem with _____ is in distributing (provisioning) the PAC securely to each user requiring access

A

EAP-FAST

100
Q

An EAP method that enables a client and server to establish a secure connection without mandating a client-side certificate

uses a server-side certificate to establish a protected tunnel through which the user's authentication credentials can be transmitted to the authentication server.

A

EAP-Tunneled TLS (EAP-TTLS)

101
Q

EAP implementation that uses a server-side certificate to create a secure tunnel for user authentication, referred to as the inner method.

an encrypted tunnel is established between the supplicant and authentication server, but ______ only requires a server-side public key certificate.

A

Protected Extensible Authentication Protocol (PEAP)

102
Q

A ____________ occurs when two processes occur at similar times, usually
with unexpected results. The file system problem is usually fixed before
a reboot, but a reboot is occurring before the fix can be applied. This has
created a race condition that results in constant reboots.

A

Race Condition

103
Q

A ______ exercise usually consists of a meeting where members of a
recovery team or disaster recovery talk through a disaster scenario.

A

tabletop

104
Q

Mobile device ______ allows an organization to securely
separate user data from company data on a mobile device. Implementing
this strategy usually requires a mobile device manager (MDM), and
______ alone won’t address all of the required security policies.

A

Containerization

105
Q

is a technique that uses a misspelling of a domain name to
convince victims they are visiting a legitimate website.

A

Typosquatting

106
Q

A ________ is used to manage compliance
with security policies when using cloud-based applications.

A

CASB

107
Q

Means that the manufacturer no longer sells or produces a product, although ____ equipment may still receive some level of support (updates, spare parts) from the manufacturer for a defined period.

A

EOL

108
Q

Means that software or hardware will no longer be supported or serviced by the manufacturer at all. ____ (end of service, also called end of service life, EOSL) software receives no further updates, including security patches, and should be retired or isolated.

A

EOS

109
Q

A _____ file contains the contents of system memory. In Windows, this
file can be created from the Task Manager

A

Dump

110
Q

________ logs will document web pages that were accessed, but it doesn’t
show what information may be contained in the system RAM.

A

Web Server

111
Q

_______ server logs can show which domain names
were accessed by internal systems, and this information can help identify
systems that may be infected. However, the ____ log doesn’t include any
information about the memory contents of a server.

A

DNS (Domain Name System)

112
Q

Which part of the PC startup process verifies the digital signature of the
OS kernel?
❍ A. Measured Boot
❍ B. Trusted Boot
❍ C. Secure Boot
❍ D. POST

A

Trusted Boot

The Trusted Boot portion of the startup process verifies the operating
system kernel signature and starts the ELAM (Early Launch
Anti-Malware) process.

113
Q

Which of the following would be the BEST way to confirm the secure
baseline of a deployed application instance?
❍ A. Compare the production application to the sandbox
❍ B. Perform an integrity measurement
❍ C. Compare the production application to the previous version
❍ D. Perform QA testing on the application instance

A

Perform an integrity measurement
An integrity measurement is designed to check for the secure baseline
of firewall settings, patch levels, operating system versions, and any other
security components associated with the application. These secure baselines
may vary between different application versions.

114
Q

A member of the accounting team was out of the office for two weeks,
and an important financial transfer was delayed until they returned.
Which of the following would have prevented this delay?
❍ A. Split knowledge
❍ B. Least privilege
❍ C. Job rotation
❍ D. Dual control

A

Job rotation

Job rotation moves employees through different job roles as part of their
normal work environment. This policy limits the potential for fraud and

115
Q

A security analyst has identified a number of sessions from a single IP
address with a TTL equal to zero. One of the sessions has a destination of
the Internet firewall, and a session immediately after has a destination of
your DMZ server. Which of the following BEST describes this
log information?
❍ A. Someone is performing a vulnerability scan against the
firewall and DMZ server
❍ B. Users are performing DNS lookups
❍ C. A remote user is grabbing banners of the firewall and DMZ server
❍ D. Someone is performing a traceroute to the DMZ server

A

Someone is performing a traceroute to the DMZ server
A traceroute maps each hop by slowly incrementing the TTL (Time
to Live) value during each request. When the TTL reaches zero, the
receiving router drops the packet and sends an ICMP (Internet Control
Message Protocol) TTL Exceeded message back to the original station.

116
Q

A company encourages users to encrypt all of their confidential materials
on a central server. The organization would like to enable key escrow as a
backup. Which of these keys should the organization place into escrow?
❍ A. Private
❍ B. CA
❍ C. Session
❍ D. Public

A

Private
With asymmetric encryption, the private key is used to decrypt
information that has been encrypted with the public key. To ensure
continued access to the encrypted data, the company must have a copy of
each private key.

117
Q

A manufacturing company would like to use an existing router to
separate a corporate network and a manufacturing floor that use the same
physical switch. The company does not want to install any additional
hardware. Which of the following would be the BEST choice for this
segmentation?
❍ A. Connect the corporate network and the manufacturing floor
with a VPN
❍ B. Build an air gapped manufacturing floor network
❍ C. Use personal firewalls on each device
❍ D. Create separate VLANs for the corporate network and the manufacturing floor

A

Create separate VLANs for the corporate network and
the manufacturing floor

Creating VLANs (Virtual Local Area Networks) will segment a network
without requiring additional switches.

118
Q

When a home user connects to the corporate VPN, they are no longer
able to print to their local network printer. Once the user disconnects
from the VPN, the printer works normally. Which of the following would
be the MOST likely reason for this issue?
❍ A. The VPN uses IPSec instead of SSL
❍ B. Printer traffic is filtered by the VPN client
❍ C. The VPN is stateful
❍ D. The VPN tunnel is configured for full tunnel

A

The VPN tunnel is configured for full tunnel
A split tunnel is a VPN (Virtual Private Network) configuration that
only sends a portion of the traffic through the encrypted tunnel. A split
tunnel would allow work-related traffic to securely traverse the VPN, and
all other traffic would use the non-tunneled option. In this example, the
printer traffic is being redirected through the VPN instead of the local
home network because of the non-split/full tunnel.

119
Q

The _____ manages the operational use of the data, but not the
rights and permissions to the information.

A

data processor

120
Q

The __________ manages access rights and sets security controls
to the data.

A

Data Custodian

121
Q

A ______ sets privacy policies and implements privacy processes
and procedures.

A

Privacy officer

122
Q

A corporate security team would like to consolidate and protect the
private keys across all of their web servers. Which of these would be the
BEST way to securely store these keys?
❍ A. Use an HSM
❍ B. Implement full disk encryption on the web servers
❍ C. Use a TPM
❍ D. Upgrade the web servers to use a UEFI BIOS

A

Use an HSM

An HSM (Hardware Security Module) is a high-end cryptographic
hardware appliance that can securely store keys and certificates for all
devices.

123
Q

Jennifer is reviewing this security log from her IPS:

ALERT 2018-06-01 13:07:29 [163bcf65118-179b547b]
Cross-Site Scripting in JSON Data
222.43.112.74:3332 -> 64.235.145.35:80
URL/index.html - Method POST - Query String "-"
User Agent: curl/7.21.3 (i386-redhat-linux-gnu) libcurl/7.21.3 NSS/3.13.1.0 zlib/1.2.5 libidn/1.19 libssh2/1.2.7
Detail: token="..." key="key7" value="<script>alert(2)</script>"

Which of the following can be determined from this log information?
(Select TWO)
❍ A. The alert was generated from a malformed User Agent header
❍ B. The alert was generated from an embedded script
❍ C. The attacker’s IP address is 222.43.112.74
❍ D. The attacker’s IP address is 64.235.145.35
❍ E. The alert was generated due to an invalid client port number
A

B. The alert was generated from an embedded script and
C. The attacker’s IP address is 222.43.112.74
The details of the IPS (Intrusion Prevention System) alert show a script
value embedded into JSON (JavaScript Object Notation) data. The IPS
log also shows the flow of the attack with an arrow in the middle. The
attacker was IP address 222.43.112.74
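
The reasoning above is mechanical enough to automate. The following is an added example, not code from the flashcard set: a parser for this alert format that extracts the flow line, reads the direction from the arrow to name attacker and victim, and flags the detail field when it carries a script tag. The alert text is the one on the card, re-typed; the script tags in the value field are reconstructed (the page's HTML rendering stripped them) and the token value, which the page does not show, is left as "...".

```python
"""Parse an IPS alert of the format shown on the card.

Added example, not from the course material. ALERT is the card's record
re-typed; the <script> tags are reconstructed and the token value is unknown.
"""
import re

ALERT = """\
ALERT 2018-06-01 13:07:29 [163bcf65118-179b547b]
Cross-Site Scripting in JSON Data
222.43.112.74:3332 -> 64.235.145.35:80
URL/index.html - Method POST - Query String "-"
User Agent: curl/7.21.3 (i386-redhat-linux-gnu) libcurl/7.21.3 NSS/3.13.1.0 zlib/1.2.5 libidn/1.19 libssh2/1.2.7
Detail: token="..." key="key7" value="<script>alert(2)</script>"
"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
FLOW_RE = re.compile(rf"^(?P<src>{IPV4}):(?P<sport>\d+)\s*->\s*(?P<dst>{IPV4}):(?P<dport>\d+)$")
HEAD_RE = re.compile(r"^ALERT (\S+ \S+) \[(.+)\]$")
SCRIPT_RE = re.compile(r"<\s*script\b", re.IGNORECASE)


def parse_alert(text):
    """Return a dict of the alert's fields plus derived attacker/victim conclusions."""
    lines = [line.strip() for line in text.strip().splitlines()]
    head = HEAD_RE.match(lines[0])
    if not head:
        raise ValueError("not an ALERT record")
    rec = {"time": head.group(1), "id": head.group(2), "signature": lines[1]}
    for line in lines[2:]:
        flow = FLOW_RE.match(line)
        if flow:
            rec.update(src=flow["src"], sport=int(flow["sport"]),
                       dst=flow["dst"], dport=int(flow["dport"]))
        elif line.startswith("User Agent:"):
            rec["user_agent"] = line.split(":", 1)[1].strip()
        elif line.startswith("Detail:"):
            rec["detail"] = line.split(":", 1)[1].strip()
        elif " - Method " in line:
            rec["method"] = re.search(r"Method (\w+)", line).group(1)
    # The arrow gives the direction: the side that sent the flagged request is
    # the attacker, the side that received it on a service port is the victim.
    rec["attacker"] = rec["src"]
    rec["victim"] = rec["dst"]
    rec["embedded_script"] = bool(SCRIPT_RE.search(rec.get("detail", "")))
    # 3332 is an ordinary ephemeral client port, so the port is not the trigger.
    rec["client_port_is_ephemeral"] = 1024 <= rec["sport"] <= 65535
    return rec


if __name__ == "__main__":
    for key, value in parse_alert(ALERT).items():
        print(f"{key:>24}: {value}")
```

The user agent is a normal curl string, so it is recorded but not what raised the alert; the signature name and the script tag in the JSON value are.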

124
Q

A user has opened a helpdesk ticket complaining of poor system
performance, excessive pop up messages, and the cursor moving
without anyone touching the mouse. This issue began after they opened
a spreadsheet from a vendor containing part numbers and pricing
information. Which of the following is MOST likely the cause of this
user’s issues?
❍ A. On-path
❍ B. Worm
❍ C. RAT
❍ D. Logic bomb

A

C. RAT
A RAT (Remote Access Trojan) is malware that can control a computer
using desktop sharing and other administrative functions. Because the
installation program is often disguised as something else, the victim often
doesn’t realize they’re installing malware. Once the RAT is installed, the
attacker can control the desktop, capture screenshots, reboot the computer,
and many other administrative functions.

125
Q

A company’s outgoing email server currently uses SMTP with no
encryption. The security administrator would like to implement
encryption between email clients without changing the existing
server-to-server communication. Which of the following would be the
BEST way to implement this requirement?
❍ A. Implement Secure IMAP
❍ B. Require the use of S/MIME
❍ C. Install an SSL certificate on the email server
❍ D. Use a VPN tunnel between email clients

A

Require the use of S/MIME

S/MIME (Secure/Multipurpose Internet Mail Extensions) provides a way
to integrate public key encryption and digital signatures into most modern
email clients. This would encrypt all email information from client to
client, regardless of the communication used between email servers.

126
Q

A company would like to securely deploy applications without the
overhead of installing a virtual machine for each system. Which of the
following would be the BEST way to deploy these applications?
❍ A. Containerization
❍ B. IaaS
❍ C. Proxies
❍ D. CASB

A

Containerization
Application containerization runs each application in an isolated user-space
instance (a "container") on a single shared operating system kernel, so the
host runs one OS, physical or a single virtual machine, rather than one VM per
application. Containers are kept apart by kernel namespaces and resource
controls, and an application in one container is not inherently accessible
from other containers on the system; the shared kernel is, however, a larger
attack surface than a hypervisor boundary, so container hosts need the same
hardening and patching discipline as any other shared system.

127
Q

If an administrator in an exchange server needs to send digitally signed and encrypted messages, what messaging implementation will best suit the administrator’s needs?

Secure/Multipurpose Internet Mail
Extensions (S/MIME)

Secure Post Office Protocol v3 (POP3S)

Internet Message Access Protocol v4 (IMAP4)

Simple Mail Transfer Protocol (SMTP)

A

Secure/Multipurpose Internet Mail Extensions (S/MIME)

One means of applying authentication and confidentiality on a per-message basis is an email encryption standard called Secure/Multipurpose Internet Mail Extensions (S/MIME). S/MIME adds digital signatures and public key cryptography to mail communications. To use S/MIME, a sender and receiver exchange digital certificates signed by a certification authority (CA).

128
Q

An organization routinely communicates directly to a partner company via a domain name. The domain name now leads to a fraudulent site for all users. Systems administrators for the organization find incorrect host records in DNS. What do the administrators believe to be the root cause?

A server host has a poisoned arp cache.
Some user systems have invalid hosts file entries.
An attacker masquerades as an authoritative name server.
The domain servers have been hijacked.

A

An attacker masquerades as an authoritative name server.

DNS server cache poisoning aims to corrupt the records held by the DNS server itself. A DNS server queries an authoritative server for domain information. An attacker can masquerade as an authoritative name server and respond with fraudulent information.

129
Q

A security engineer encrypted traffic between a client and a server. Which security protocol is the best for the engineer to configure if an ephemeral key agreement is used?

AES 256
TLS 1.2
TLS 1.3
SHA 384

A

TLS 1.3

Only ephemeral key agreement is supported in TLS 1.3. The signature type is supplied in the certificate, so the cipher suite only lists the bulk encryption key strength and mode of operation (AES_256_GCM), plus the cryptographic hash algorithm (SHA384).

130
Q

A technician is configuring Internet Protocol Security (IPSec) for communications over a Virtual Private Network (VPN). Evaluate the features of available modes and recommend the best option for implementation.

Tunnel mode because the whole IP packet is encrypted, and a new IP header is added.
Transport mode because the whole IP packet is encrypted, and a new IP header is added.
Tunnel mode because the payload is encrypted.
Transport mode because the payload is encrypted.

A

Tunnel mode because the whole IP packet is encrypted, and a new IP header is added.

131
Q

An attacker modifies the HOSTS file on a workstation to redirect traffic. Consider the types of attacks and deduce which type of attack has likely occurred.

DNS server cache poisoning
DNS spoofing
DNS client cache poisoning
Typosquatting

A

DNS client cache poisoning

The HOSTS file is checked before using Domain Name System (DNS). Its contents are loaded into a cache of known names and the client only contacts a DNS server if the name is not cached. If an attacker can place a false name, then the attacker will be able to direct traffic.

132
Q

An authoritative server for a zone creates an RRset signed with a Zone Signing Key. Another server requests a secure record exchange and the authoritative server returns the package along with the public key. Evaluate the scenario to determine what the authoritative server is demonstrating in this situation.

Domain Name System (DNS)
DNS Security Extension
DNS Footprinting
Dynamic Host Configuration Protocol (DHCP)

A

DNS Security Extension

A DNS Security Extension (DNSSEC) transaction is being simulated. This consists of the authoritative server for the zone creating a package of resource records (RRset) signed with a private key (Zone Signing Key). When another server requests a secure record exchange, the authoritative server returns the package along with its public key, which can verify the signature.

133
Q

A technician is working with a user on methods to authenticate their device to the SSH server. Knowing that there are various methods, what can NOT be enabled or disabled when using the /etc/ssh/sshd_config file?

Public key authentication
Kerberos
Username/password
Host key

A

Host key

The server's host key is the key pair that identifies the server itself: the client uses it to set up the secure channel and to detect impersonation (the known_hosts check), and only then submits its own credentials through that channel. Which key files the server uses is set with the HostKey directive, but the host key is not an authentication method that can be switched on or off. The client-side methods are: PubkeyAuthentication, PasswordAuthentication and KerberosAuthentication in /etc/ssh/sshd_config enable or disable public key, username/password and Kerberos authentication respectively.

134
Q

Utility that runs port scans through third-party websites to evade detection.

A

Scanless

135
Q

Security information and event management (SIEM) collect data inputs from multiple sources. Which of the following is NOT one of the main types of log collection for SIEM?

Agent-based
Listener/collector
Sensor (sniffer)
Artificial intelligence (AI)

A

Artificial intelligence (AI)

Explanation - AI and machine learning can drive correlation efforts for automated analysis.