CH.4 SECURING YOUR NETWORK Flashcards

1
Q

A network administrator notices unusual traffic patterns on a local server that hosts financial data. The IDS flags the traffic as suspicious, but no alerts have been triggered previously for this activity. Which type of IDS would be best suited to detect this anomaly?

A) Signature-based IDS
B) Trend-based IDS
C) Host-based IDS
D) Passive IPS

A

Correct Answer: B) A trend-based IDS (also called anomaly-based or behavior-based) detects suspicious activity by comparing current traffic to a baseline of normal behavior. That makes it the right fit for unusual patterns that have never been seen before, which no signature database can describe. The caveat is that the baseline has to be built first, and a baseline captured while an attack was already under way will treat that attack as normal.

A) Signature-based IDS: Matches traffic against known attack signatures, so it cannot detect a pattern nobody has written a signature for.
C) Host-based IDS: Focuses on activity on individual hosts rather than network traffic patterns; "host-based" says where the sensor sits, not how it decides what is suspicious.
D) Passive IPS: A contradiction in terms. An IPS is by definition in-line and active, blocking traffic rather than only reporting it.

2
Q

Which of the following devices inspects traffic and actively prevents malicious data streams from reaching the internal network?

A) Network-Based IDS (NIDS)
B) Host-Based IDS (HIDS)
C) Intrusion Prevention System (IPS)
D) Protocol Analyzer

A

ANSWER: C) Intrusion Prevention System (IPS)
An Intrusion Prevention System actively monitors network traffic, detects malicious activities, and takes proactive actions (such as blocking or re-routing traffic) to prevent harmful data streams from reaching the internal network.

A) Network-Based IDS (NIDS)
Only monitors and detects malicious activity but does not take proactive measures to block or prevent it.

B) Host-Based IDS (HIDS)
Focuses on detecting threats on individual hosts rather than inspecting or preventing malicious network traffic.

D) Protocol Analyzer
Primarily used for capturing and analyzing network traffic for diagnostics and troubleshooting, not for preventing malicious traffic.

3
Q

An administrator is reviewing alerts from a network-based IDS and finds a significant number of false positives. What is the most likely impact of this issue on the organization’s security posture?

A) Reduced detection of actual threats
B) Increased workload for administrators
C) Network downtime
D) Higher risk of insider threats

A

ANSWER: B) Increased workload for administrators
A high number of false positives from a network-based IDS causes administrators to spend excessive time reviewing and addressing non-malicious alerts, which can lead to alert fatigue and reduced efficiency.

A) Reduced detection of actual threats
False positives do not directly reduce the detection of actual threats, but they may contribute indirectly by overwhelming administrators, leading to missed real threats.

C) Network downtime
False positives from an IDS cannot cause downtime, because an IDS only alerts. Downtime becomes possible only if the sensor is deployed as an in-line IPS and acts on those false positives by blocking legitimate traffic.

D) Higher risk of insider threats
False positives are unrelated to insider threats, which involve malicious activities originating from within the organization.

4
Q

Which of the following is the primary difference between an IDS and an IPS?
A) An IDS blocks malicious traffic, while an IPS does not
B) An IDS is passive, while an IPS actively blocks traffic
C) An IDS monitors local resources, while an IPS only monitors network traffic
D) An IDS operates out-of-band, while an IPS operates inline

A

ANSWER: B) An IDS is passive, while an IPS actively blocks traffic
An Intrusion Detection System (IDS) passively monitors network traffic and alerts administrators to potential threats but does not take action to block them. An Intrusion Prevention System (IPS), on the other hand, actively blocks or mitigates malicious traffic in real-time.

A) An IDS blocks malicious traffic, while an IPS does not
This is incorrect because IDS does not block traffic; it only detects and alerts.

C) An IDS monitors local resources, while an IPS only monitors network traffic
This is incorrect; both IDS and IPS monitor network traffic. The distinction lies in their passive or active response.

D) An IDS operates out-of-band, while an IPS operates inline
This is partially correct but does not fully capture the primary difference, which is the passive vs. active nature of their response.

5
Q

An organization wants to ensure that their wireless network is not visible to casual users. Which method can the organization use to achieve this?

A) Enable WPA3 Personal Mode
B) Disable the SSID broadcast
C) Enable MAC filtering
D) Use Open Mode with encryption

A

ANSWER: B) Disable the SSID broadcast
Disabling the SSID (Service Set Identifier) broadcast stops the access point from advertising the network name in its beacon frames, so the network does not appear in the list a casual user sees when scanning. This is obscurity, not security: the SSID still travels in plaintext in probe requests and association frames, so anyone with a wireless sniffer recovers it within seconds. Encryption and authentication (WPA2/WPA3) remain necessary.

A) Enable WPA3 Personal Mode
This provides strong encryption and authentication for securing the network but does not hide the SSID.

C) Enable MAC filtering
Restricts access to the network by allowing only devices with specified MAC addresses, but it does not hide the network from being visible.

D) Use Open Mode with encryption
This option is contradictory; Open Mode means no authentication or encryption, and it does not hide the SSID.

6
Q

A network engineer is performing a site survey for a new wireless network and needs to identify potential interference. Which of the following tools would be most helpful?

A) Wi-Fi Analyzer
B) Spectrum Analyzer
C) Heat Map
D) Protocol Analyzer

A

ANSWER: B) Spectrum Analyzer
A Spectrum Analyzer identifies and measures radio frequency (RF) interference in the environment, which is essential for detecting potential sources of interference during a wireless site survey.

A) Wi-Fi Analyzer
Monitors wireless networks and provides information such as signal strength and channel usage but does not detect RF interference from non-Wi-Fi sources.

C) Heat Map
Displays wireless coverage and signal strength in a specific area but does not identify sources of interference.

D) Protocol Analyzer
Captures and analyzes network traffic for diagnostics and troubleshooting but is not useful for detecting RF interference.

7
Q

A user reports being disconnected from the corporate wireless network multiple times during the day. Upon investigation, the security team finds that a third-party device is sending deauthentication frames to the user’s device. What type of attack is this?

A) Evil Twin
B) Jamming Attack
C) Disassociation Attack
D) Wireless Replay

A

ANSWER: C) Disassociation Attack
A Disassociation Attack (also called a deauthentication attack) sends forged deauthentication or disassociation frames to a client, causing it to drop its connection to the access point. It works because these are 802.11 management frames, which are unauthenticated unless the network uses Protected Management Frames (802.11w); enabling PMF, which WPA3 requires, is the practical mitigation.

A) Evil Twin
This attack involves creating a rogue access point that mimics a legitimate network, but it does not involve sending deauthentication frames.

B) Jamming Attack
This involves generating interference to disrupt wireless signals but does not target devices with deauthentication frames.

D) Wireless Replay
Involves capturing and replaying wireless packets to exploit vulnerabilities, but it does not involve sending deauthentication frames to force disconnections.

8
Q

What is the primary security benefit of WPA3 over WPA2 in a wireless network?

A) Enhanced resistance to brute force attacks using Simultaneous Authentication of Equals (SAE)
B) Full compatibility with older devices
C) The ability to operate without encryption
D) Better resistance to initialization vector (IV) attacks

A

ANSWER: A) Enhanced resistance to brute force attacks using Simultaneous Authentication of Equals (SAE)
WPA3 introduces Simultaneous Authentication of Equals (SAE), a password-authenticated key exchange that replaces the WPA2 pre-shared-key handshake. An attacker who captures an SAE exchange gains nothing usable for an offline dictionary attack; every password guess requires a fresh, live exchange with the access point, which can be rate-limited. That is why a weak passphrase is far less dangerous under WPA3 than under WPA2, although a strong passphrase is still recommended.

B) Full compatibility with older devices
WPA3 may not be fully compatible with older devices, as it uses advanced protocols that older devices might not support.

C) The ability to operate without encryption
This is incorrect, as WPA3 emphasizes improved encryption and security, not operating without encryption.

D) Better resistance to initialization vector (IV) attacks
IV attacks were mitigated in WPA2, and this is not a primary enhancement of WPA3. WPA3 focuses on improved password security and encryption.

9
Q

An employee connects to the corporate network from a public Wi-Fi hotspot. To ensure the confidentiality of the data transmitted, which of the following solutions should be implemented?

A) Site-to-Site VPN
B) Always-On VPN with IPsec
C) Split Tunnel VPN
D) Open Mode Wi-Fi

A

ANSWER: B) Always-On VPN with IPsec
An Always-On VPN with IPsec ensures that all data transmitted between the employee’s device and the corporate network is encrypted, even when using public Wi-Fi, maintaining confidentiality.

A) Site-to-Site VPN
Used to connect two networks securely, but it is not designed for individual users connecting from public Wi-Fi.

C) Split Tunnel VPN
Allows some traffic to bypass the VPN, which can expose sensitive data when connected to public Wi-Fi.

D) Open Mode Wi-Fi
Offers no encryption or protection for data, making it unsuitable for maintaining confidentiality.

10
Q

Which type of VPN configuration encrypts all traffic, including traffic destined for external websites, after the user connects?

A) Full Tunnel VPN
B) Split Tunnel VPN
C) Always-On VPN
D) Transport Mode VPN

A

ANSWER: A) Full Tunnel VPN
Full Tunnel VPN encrypts all traffic, whether destined for the corporate network or external websites, ensuring comprehensive protection.

B) Split Tunnel VPN
Encrypts only the traffic destined for the corporate network, while traffic to external websites bypasses the VPN and is not encrypted.

C) Always-On VPN
Refers to a VPN configuration that stays connected at all times, but it doesn’t necessarily imply that all traffic is encrypted. It could still be split or full tunnel based on the setup.

D) Transport Mode VPN
IPsec transport mode encrypts only the payload of each IP packet and leaves the original IP header visible. It is used for host-to-host protection, not for tunneling all of a client's traffic through a VPN gateway.

11
Q

A remote user’s VPN connection fails a health check due to an outdated antivirus definition. The user is on a company-owned device. Which type of network access control (NAC) solution is most likely in use?

A) Permanent Agent
B) Dissolvable Agent
C) Agentless NAC
D) Protocol Analyzer

A

ANSWER: A) Permanent Agent
With a company-owned device, a Permanent Agent is the most likely NAC solution in use. A permanent agent is software installed on the device that continuously enforces health policies, such as ensuring antivirus definitions are up-to-date, checking for patches, and verifying security compliance.

B) Dissolvable Agent
Installed temporarily and removed after the session, typically used for guest devices.

C) Agentless NAC
Agentless NAC is better suited for BYOD or guest devices where installing permanent software is not practical. For company-owned devices, a permanent agent provides more robust and persistent control.

D) Protocol Analyzer
Protocol analyzers are used for monitoring and troubleshooting network traffic. They do not enforce or check compliance with NAC policies.

12
Q

Which of the following authentication protocols is most likely to be used in a wireless network configured with WPA3 Enterprise?

A) EAP-TLS
B) PEAP
C) EAP-TTLS
D) PAP

A

ANSWER: A) EAP-TLS (Extensible Authentication Protocol - Transport Layer Security)
EAP-TLS is the most likely authentication protocol used in a wireless network configured with WPA3 Enterprise. WPA3 Enterprise requires robust authentication methods, and EAP-TLS offers the highest security by using client and server certificates for mutual authentication.

B) PEAP (Protected Extensible Authentication Protocol):
PEAP encapsulates EAP inside a secure TLS tunnel and typically uses passwords for authentication. While it is secure, it is not as robust as EAP-TLS, which requires certificates.

C) EAP-TTLS (EAP Tunneled TLS):
EAP-TTLS builds a TLS tunnel using only a server certificate and then runs an inner authentication method (commonly a password) inside that tunnel. Like PEAP, it does not require client certificates, so it is weaker than EAP-TLS and less commonly chosen for WPA3 Enterprise.

D) PAP (Password Authentication Protocol):
Transmits credentials in cleartext, making it unsuitable for secure networks like WPA3 Enterprise.

13
Q

A company implements 802.1X port security to ensure that only authorized devices connect to their network. Which type of server is required to support this solution?

A) DNS
B) DHCP
C) RADIUS
D) Web Server

A

ANSWER: C) RADIUS
A RADIUS (Remote Authentication Dial-In User Service) server is required to support 802.1X port security, as it handles the authentication, authorization, and accounting (AAA) functions necessary to verify and allow only authorized devices to connect to the network.

A) DNS
The Domain Name System translates domain names to IP addresses but has no role in authenticating devices.

B) DHCP
The Dynamic Host Configuration Protocol assigns IP addresses to devices on a network but does not authenticate or authorize them.

D) Web Server
A web server hosts websites and web-based applications. It does not perform authentication for network devices.

14
Q

Which authentication protocol sends passwords in cleartext, making it highly insecure for modern networks?

A) CHAP
B) PAP
C) EAP-TLS
D) TACACS+

A

ANSWER: B) PAP
Password Authentication Protocol (PAP) sends passwords in cleartext, making it vulnerable to interception.

A) CHAP
Uses a challenge-response mechanism, offering more security than PAP.

C) EAP-TLS
Employs certificates for secure authentication, not cleartext passwords.

D) TACACS+
Encrypts the entire body of each packet, including the authentication credentials (RADIUS, by contrast, encrypts only the password field).

15
Q

An attacker sets up an access point with a name identical to a legitimate corporate network to intercept employee credentials. What type of attack is this?

A) Rogue AP
B) Evil Twin
C) Disassociation Attack
D) Replay Attack

A

ANSWER: B) Evil Twin
An Evil Twin attack involves setting up an access point with the same name (SSID) as a legitimate corporate network to trick users into connecting to it. Once connected, the attacker can intercept credentials and other sensitive information.

A) Rogue AP
A rogue access point is any unauthorized AP connected to the network. While it may be malicious, it does not specifically mimic an existing legitimate network to deceive users.

C) Disassociation Attack
Forces devices off a network using deauthentication frames, unrelated to mimicking networks.

D) Replay Attack
A replay attack involves capturing and retransmitting network packets to exploit vulnerabilities. It does not involve setting up a fake network.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
16
Q

Which of the following would be most effective at preventing Bluesnarfing attacks?

A) Disabling Bluetooth on devices when not in use
B) Using a Faraday cage
C) Implementing WPA3
D) Using strong Bluetooth PIN codes

A

ANSWER: A) Disabling Bluetooth on devices when not in use
Disabling Bluetooth eliminates the attack vector for Bluesnarfing, which targets Bluetooth-enabled devices.

B) Using a Faraday cage
Prevents all wireless communication but is impractical for everyday device use.

C) Implementing WPA3
Improves Wi-Fi security but does not address Bluetooth threats.

D) Using strong Bluetooth PIN codes
Helps but doesn’t fully eliminate the risk if Bluetooth is enabled.

17
Q

An attacker captures and replays encrypted wireless traffic in an attempt to impersonate a valid user. Which wireless protocols are resistant to this type of attack?

A) WPA2 and WPA3
B) WEP and WPA2
C) WPA2 Personal and WPA3 SAE
D) WPA3 Enterprise and Open Mode

A

ANSWER: C) WPA2 Personal and WPA3 SAE
Both WPA2 Personal (with a strong pre-shared key) and WPA3 SAE (Simultaneous Authentication of Equals) use a handshake that derives fresh session keys for every association, and the data frames they protect carry a packet number that the receiver checks. A captured frame therefore fails verification under a later session's keys, and re-sending it within the same session is rejected as an already-seen packet number.

A) WPA2 and WPA3
Too general; not all configurations of WPA2 resist replay attacks.

B) WEP and WPA2
WEP is highly insecure and vulnerable to replay attacks.

D) WPA3 Enterprise and Open Mode
WPA3 Enterprise resists replay attacks, but Open Mode offers no encryption, making it vulnerable.
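The mechanism the answer above relies on, shown as an added worked example that is not part of the original flashcards: a simplified model of how a per-session key plus a strictly increasing packet number defeat replay. The key generation, frame layout and class names are assumptions for illustration and are not wire-compatible with 802.11 CCMP; the point is the two checks the receiver performs.

```python
"""Why captured wireless frames cannot simply be replayed.

Added illustration, not code from the original flashcards. Two ingredients do
the work: a per-session key (standing in for the pairwise key derived during
the WPA2 4-way or WPA3 SAE handshake) and a packet number (PN) that the sender
never reuses and the receiver requires to increase strictly. The frame layout
here is a simplified stand-in, not the real 802.11 CCMP format.
"""
import hashlib
import hmac
import os
import struct

PN_LEN = 8     # bytes of packet number at the front of each frame
TAG_LEN = 32   # HMAC-SHA256 integrity tag at the end of each frame


def new_session_key():
    """Fresh random key per association (stand-in for the handshake output)."""
    return os.urandom(32)


class Sender:
    def __init__(self, session_key):
        self.key = session_key
        self.pn = 0  # incremented before every frame, never reused

    def send(self, payload):
        self.pn += 1
        header = struct.pack(">Q", self.pn)
        tag = hmac.new(self.key, header + payload, hashlib.sha256).digest()
        return header + payload + tag


class Receiver:
    def __init__(self, session_key):
        self.key = session_key
        self.last_pn = 0  # highest packet number accepted so far

    def receive(self, frame):
        """Return the payload, or None if the frame is forged, stale or replayed."""
        if len(frame) < PN_LEN + TAG_LEN:
            return None
        header = frame[:PN_LEN]
        payload = frame[PN_LEN:-TAG_LEN]
        tag = frame[-TAG_LEN:]
        expected = hmac.new(self.key, header + payload, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return None  # wrong session key or tampered frame
        (pn,) = struct.unpack(">Q", header)
        if pn <= self.last_pn:
            return None  # replay: this PN, or a later one, was already accepted
        self.last_pn = pn
        return payload


def demo():
    """Replay within a session and across sessions; both are rejected."""
    key = new_session_key()
    client, ap = Sender(key), Receiver(key)
    frame = client.send(b"GET /balance")
    accepted = ap.receive(frame)             # first delivery: accepted
    replayed = ap.receive(frame)             # identical bytes again: PN check fails
    later_ap = Receiver(new_session_key())   # next association derives a new key
    cross_session = later_ap.receive(frame)  # integrity check fails
    return accepted, replayed, cross_session


if __name__ == "__main__":
    print(demo())  # (b'GET /balance', None, None)
```

WPA2's CCMP and WPA3's CCMP/GCMP do exactly this with a 48-bit packet number and a per-association pairwise key. WEP had no replay counter the receiver enforced, which is one reason captured WEP traffic could be re-injected.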

18
Q

A financial services company sets up a honeynet to study attack patterns. During analysis, the security team finds multiple attempts to extract honeytokens from a database. What does this indicate?

A) The attackers are attempting to exfiltrate real data
B) The honeynet is vulnerable to insider threats
C) The attackers are using protocol analyzers
D) The attackers are trying to identify fake records

A

ANSWER: D) The attackers are trying to identify fake records
Honeytokens in a database are designed to act as decoys, placed specifically to detect unauthorized access or malicious activity. If attackers attempt to extract these honeytokens, it indicates they are analyzing the data to determine whether it is genuine or fake, a common step when probing a system or honeynet.

A) The attackers are attempting to exfiltrate real data
Honeytokens are not real data, so this does not apply.

B) The honeynet is vulnerable to insider threats
This scenario does not suggest insider involvement.

C) The attackers are using protocol analyzers
Protocol analyzers capture network traffic but do not directly explain the targeting of honeytokens.

19
Q

A network administrator notices frequent deauthentication frames in a wireless environment. After further investigation, they discover that legitimate access points are being overwhelmed by this traffic. What is the most likely attack being conducted?

A) Jamming Attack
B) Rogue Access Point
C) Disassociation Attack
D) Evil Twin Attack

A

ANSWER: C) Disassociation Attack
A Disassociation Attack involves sending deauthentication frames to disconnect users from legitimate access points, disrupting network services.

A) Jamming Attack
Involves overwhelming the network with noise or interference, not specifically deauthentication frames.

B) Rogue Access Point
An unauthorized AP attached to the network. It may give an attacker a way in, but it does not explain a flood of deauthentication frames aimed at legitimate APs.

D) Evil Twin Attack
Involves creating a rogue access point with the same SSID as a legitimate one, which does not involve deauthentication frames.

20
Q

An attacker intercepts a user’s credentials by sending falsified ARP messages to redirect traffic through their device. What type of attack is this?

A) ARP Spoofing
B) DNS Poisoning
C) Man-in-the-Middle
D) Rogue Gateway

A

ANSWER: A) ARP Spoofing
ARP Spoofing involves sending falsified ARP messages to associate the attacker’s MAC address with a legitimate IP address, allowing traffic interception.

B) DNS Poisoning
Involves corrupting DNS entries to redirect traffic to malicious sites, not falsifying ARP messages.

C) Man-in-the-Middle
A broader category of attacks, ARP Spoofing is one specific method used to conduct a Man-in-the-Middle attack.

D) Rogue Gateway
Refers to setting up unauthorized gateways, which does not involve ARP manipulation.
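Detection of the attack described above, as an added example that is not from the original flashcards: a small ARP watcher that records the MAC first seen (or statically trusted) for each IP and alerts when a different MAC starts claiming it. The ARP replies, addresses and the ArpWatch name are constructed for illustration; a real deployment would feed it from a packet capture.

```python
"""Detecting ARP spoofing from observed ARP replies.

Added illustration, not code from the original flashcards. The replies below
are constructed sample data with made-up MAC and IP addresses.
"""
from collections import defaultdict

# Constructed sample of ARP replies seen on a LAN, in arrival order:
# (sender_ip, sender_mac). The gateway is 192.168.1.1. Part way through,
# a second MAC starts claiming the gateway's IP.
ARP_REPLIES = [
    ("192.168.1.1",  "00:11:22:aa:bb:01"),   # gateway, legitimate
    ("192.168.1.50", "00:11:22:aa:bb:50"),   # workstation
    ("192.168.1.1",  "00:11:22:aa:bb:01"),   # gateway again, consistent
    ("192.168.1.1",  "DE:AD:BE:EF:00:99"),   # attacker poisons the gateway mapping
    ("192.168.1.1",  "de:ad:be:ef:00:99"),   # repeated (gratuitous) poison
    ("192.168.1.50", "00:11:22:aa:bb:50"),
]


class ArpWatch:
    """Tracks the MAC bound to each IP and flags later changes.

    A host rarely changes its MAC for a given IP. A sudden change, above all
    for the default gateway, is the classic symptom of ARP spoofing used to
    put the attacker on-path (man-in-the-middle).
    """

    def __init__(self, trusted=None):
        # trusted: optional static IP -> MAC bindings (e.g. for the gateway)
        self.table = {ip: mac.lower() for ip, mac in (trusted or {}).items()}
        self.claims = defaultdict(set)  # every MAC that ever claimed an IP
        self.alerts = []

    def observe(self, ip, mac):
        """Record one ARP reply; return an alert string or None."""
        mac = mac.lower()  # normalise case so aa:bb and AA:BB compare equal
        self.claims[ip].add(mac)
        known = self.table.get(ip)
        if known is None:
            self.table[ip] = mac  # first sighting wins (trust on first use)
            return None
        if known != mac:
            alert = f"ARP conflict: {ip} was {known}, now claimed by {mac}"
            self.alerts.append(alert)
            return alert
        return None

    def conflicting_ips(self):
        """IPs that more than one MAC has claimed."""
        return sorted(ip for ip, macs in self.claims.items() if len(macs) > 1)


def analyse(replies, trusted=None):
    """Run every reply through a watcher and return it for inspection."""
    watcher = ArpWatch(trusted)
    for ip, mac in replies:
        watcher.observe(ip, mac)
    return watcher


if __name__ == "__main__":
    w = analyse(ARP_REPLIES, trusted={"192.168.1.1": "00:11:22:aa:bb:01"})
    for alert in w.alerts:
        print(alert)
    print("IPs with conflicting claims:", w.conflicting_ips())
```

Without a trusted binding the watcher trusts the first MAC it sees, so it must start before the attacker does; supplying static entries for the gateway removes that race. On managed switches the same check is enforced in hardware as Dynamic ARP Inspection, which drops ARP replies that disagree with the DHCP snooping table.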

21
Q

A company implements WPA3 in their wireless network. Which authentication method would provide the highest level of security while requiring certificates on both the server and client?

A) EAP-TTLS
B) PEAP
C) EAP-TLS
D) EAP-FAST

A

ANSWER: C) EAP-TLS
EAP-TLS uses certificates on both the client and server, providing the highest level of security in WPA3 Enterprise configurations.

A) EAP-TTLS
Requires a certificate only on the server, not the client.

B) PEAP
Encapsulates EAP in a TLS tunnel but does not require client-side certificates.

D) EAP-FAST
Authenticates with a Protected Access Credential (PAC), a shared secret provisioned to the client, instead of a client certificate, making it less secure than EAP-TLS.

22
Q

A network administrator uses a Wi-Fi analyzer to identify overlapping channels and interference in a wireless network. What frequency ranges are most likely being analyzed?

A) 2.4 GHz and 5 GHz
B) 900 MHz and 2.4 GHz
C) 5 GHz and 6 GHz
D) 900 MHz and 6 GHz

A

ANSWER: A) 2.4 GHz and 5 GHz
Most Wi-Fi networks operate in the 2.4 GHz and 5 GHz frequency bands, which are commonly analyzed for interference and channel overlap.

B) 900 MHz and 2.4 GHz
900 MHz is not used by mainstream Wi-Fi; only the niche 802.11ah (Wi-Fi HaLow) standard operates below 1 GHz.

C) 5 GHz and 6 GHz
6 GHz is used by Wi-Fi 6E and Wi-Fi 7, but it is still far less widely deployed and analyzed than 2.4 GHz and 5 GHz.

D) 900 MHz and 6 GHz
Neither 900 MHz nor 6 GHz is standard for most current Wi-Fi networks.

23
Q

Which security method ensures that only authenticated devices can access a wireless network while preventing unauthorized devices?

A) WPA3 SAE
B) 802.1X Authentication
C) MAC Filtering
D) Open Mode with Captive Portal

A

ANSWER: B) 802.1X Authentication
802.1X Authentication provides network access control by requiring devices to authenticate before connecting.

A) WPA3 SAE
Secures the handshake for personal networks but does not enforce device-level authentication.

C) MAC Filtering
Restricts access by MAC address but is easily bypassed and does not provide robust authentication.

D) Open Mode with Captive Portal
Does not authenticate devices at a secure level and primarily redirects users for basic network access.

24
Q

A HIDS reported a vulnerability on a system based on a known attack. After researching the alert from the HIDS, you identify the recommended solution and begin applying it. What type of HIDS is in use?

A. Network-based
B. Signature-based
C. Heuristic-based
D. Anomaly-based

A

ANSWER: B) Signature-based
A signature-based (sometimes called definition-based detection) HIDS detects known attacks by comparing system activity to a database of attack signatures.

A) Network-based
Monitors network traffic rather than individual host systems.

C) Heuristic-based (also called behavior-based)
Heuristic-based systems identify potential threats by analyzing behavior patterns and applying rules or algorithms to infer suspicious activity. They do not rely on a database of known attack signatures.

D) Anomaly-based (also called trend-based)
Anomaly-based systems detect deviations from a baseline of normal behavior. This is different from detecting known attacks, which relies on signatures.

24
Q

You are preparing to deploy a trend-based detection system to monitor network activity. Which of the following would you create first?

A. BPDU guard
B. Signatures
C. Baseline
D. Honeypot

A

ANSWER: C) Baseline
A trend-based detection system (also called behavior-based or anomaly-based) requires a baseline of normal network activity to identify anomalies effectively.

A) BPDU guard
Protects spanning tree by shutting down an access port that receives Bridge Protocol Data Units (BPDUs), which blocks rogue switches; it is unrelated to trend-based detection.

B) Signatures
Used in signature-based detection (also called definition-based) which uses signatures of known attack patterns to detect attacks.

D) Honeypot
A honeypot is a server designed to look valuable to an attacker and can divert attacks.
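How the baseline from this card and the trend-based IDS from card 1 actually get used, as an added example that is not drawn from the original flashcards: a baseline is summarized from a training window, and live samples are then scored by how far they deviate from it. The traffic figures, function names and threshold are constructed assumptions for illustration.

```python
"""Trend-based (anomaly-based) detection: build the baseline first, then flag
deviations from it.

Added illustration, not code from the original flashcards. The traffic
figures are constructed sample data, not real measurements.
"""
from statistics import mean, stdev

# Constructed: bytes/minute observed on the finance server during a normal week.
BASELINE_SAMPLES = [1200, 1350, 1100, 1420, 1280, 1310, 1190, 1400, 1250, 1330,
                    1270, 1360, 1210, 1290, 1380, 1240, 1320, 1300, 1230, 1370]

# Constructed: later observations, one of which is an outbound burst.
LIVE_SAMPLES = [1260, 1340, 9800, 1290]


def build_baseline(samples):
    """Summarise 'normal' as mean and standard deviation.

    A trend-based sensor cannot alert on anything until this step has run,
    which is why the baseline is created before the sensor goes live. If an
    attack is already under way during this window it becomes part of
    'normal', so the training window must be reviewed, not just recorded.
    """
    if len(samples) < 2:
        raise ValueError("need at least two samples to estimate variance")
    return {"mean": mean(samples), "stdev": stdev(samples)}


def z_score(value, baseline):
    """How many standard deviations a value sits from the baseline mean."""
    if baseline["stdev"] == 0:
        return 0.0 if value == baseline["mean"] else float("inf")
    return (value - baseline["mean"]) / baseline["stdev"]


def detect_anomalies(samples, baseline, threshold=3.0):
    """Return (index, value, z) for every sample beyond the threshold.

    The threshold is the false-positive dial: lowering it catches subtler
    deviations but raises the analyst workload that card 3 warns about.
    """
    flagged = []
    for i, value in enumerate(samples):
        z = z_score(value, baseline)
        if abs(z) > threshold:
            flagged.append((i, value, z))
    return flagged


def signature_match(samples, known_bad_values):
    """Contrast: signature detection only matches values seen before."""
    return [(i, v) for i, v in enumerate(samples) if v in known_bad_values]


if __name__ == "__main__":
    baseline = build_baseline(BASELINE_SAMPLES)
    for i, value, z in detect_anomalies(LIVE_SAMPLES, baseline):
        print(f"anomaly at sample {i}: {value} bytes/min (z={z:.1f})")
    # The burst has never been seen before, so a signature list misses it.
    print("signature hits:", signature_match(LIVE_SAMPLES, {5000, 7000}))
```

Production sensors use richer features (per-host flow counts, port mix, time of day) and a rolling rather than fixed baseline, but the order of operations is the same: no baseline, no anomaly.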

25
Q

Lenny noticed a significant number of logon failures for administrator accounts on the organization’s public website. After investigating it further, he notices that most of these attempts are from IP addresses assigned to foreign countries. He wants to implement a solution that will detect and prevent similar attacks. Which of the following is the BEST choice?

A. Implement a passive NIDS.
B. Block all traffic from foreign countries.
C. Implement an in-line NIPS.
D. Disable the administrator accounts.

A

ANSWER: C) Implement an in-line NIPS
An in-line Network Intrusion Prevention System (NIPS) can detect and block malicious login attempts in real-time. An in-line system is placed inline with the traffic, and in this scenario, it can be configured to detect the logon attempts and block the traffic from the offending IP addresses before it reaches the internal network.

A) Implement a passive NIDS
Detects attacks but cannot actively prevent them.

B) Block all traffic from foreign countries
May block legitimate users and is not a scalable or effective solution.

D) Disable the administrator accounts
This is not practical, as administrator accounts are essential for management.

26
Q

Your organization is planning to upgrade the wireless network used by employees. It will provide encrypted authentication of wireless users over TLS. Which of the following protocols are they MOST likely implementing?

A. EAP
B. PEAP
C. WPA2
D. WPA3

A

ANSWER: B) PEAP
Protected EAP (PEAP) can be used for wireless authentication and it uses Transport Layer Security (TLS) to encapsulate and encrypt the authentication conversation within a TLS tunnel.

A) EAP
EAP is a general framework. By itself, EAP doesn’t provide encryption, but it can be combined with other encryption protocols.

C) WPA2
A wireless security standard, not an authentication protocol; any TLS in a WPA2 network comes from the EAP method (such as PEAP) used with it, not from WPA2 itself.

D) WPA3
An enhanced wireless security standard, not an authentication protocol; as with WPA2, TLS comes from the EAP method used with it, not from WPA3 itself.

26
Q

Lisa created a document called password.txt and put the usernames of two accounts with elevated privileges. She then placed the file on her administrator account desktop on several servers. Which of the following BEST explains her actions?

A. She can use this file to retrieve the passwords if she forgets them.
B. This file will divert attackers from the live network.
C. The document is a honeyfile.
D. The file is needed by an application to run when the system starts.

A

ANSWER: C) The document is a honeyfile
A honeyfile is a decoy file with a tempting name (such as password.txt) whose only purpose is to attract an attacker. Access to it is monitored, so any read of the file is an immediate indicator that someone is where they should not be.

A) She can use this file to retrieve the passwords if she forgets them. This is not a secure or standard practice.

B) This file will divert attackers from the live network
A honeypot or honeynet diverts attackers from the live network.

D) It is unlikely that any application needs a file named password.txt to run, and an application would not look for a startup file on an administrator’s desktop.

27
Q

Lisa is creating a detailed diagram of wireless access points and hotspots within your organization. What is another name for this?

A. Remote access VPN
B. Wireless footprinting
C. Channel overlap map
D. Architectural diagram

A

ANSWER: B) Wireless footprinting
Wireless footprinting creates a detailed diagram mapping access points and hotspots to understand coverage and potential vulnerabilities. It typically displays a heat map and dead spots if they exist.

A) Remote access VPN
A remote access virtual private network (VPN) provides access to a private network and is unrelated to this question.

C) Channel overlap map
Wi-Fi analyzers provide a graph showing channel overlaps but not a diagram of wireless access points.

D) Architectural diagram
An architectural diagram is typically laid on top of a heat map to create the wireless footprint document, but by itself, it shows only the building layout.

27
Q

You are assisting a small business owner in setting up a public wireless hotspot for her customers. She wants to allow customers to access the hotspot without entering a password. Which of the following is MOST appropriate for this hotspot?

A. Use Open mode.
B. Use a PSK.
C. Use Enterprise mode.
D. Disable SSID broadcast.

A

ANSWER: A) Use Open mode
Open mode allows users to connect without a password, which is what the owner asked for. Note that traffic on an Open network is unencrypted; WPA3 Enhanced Open (OWE) encrypts each client's traffic without requiring a password and is worth enabling where the customers' devices support it.

B) Use a PSK
Pre-Shared Keys require a password, which the owner wants to avoid.

C) Use Enterprise mode
Enterprise mode requires each user to authenticate and is typically enabled with a RADIUS server.

D) Disable SSID broadcast
Hides the network making it harder to find the network and does not remove the need for a password.

28
Q

A network administrator routinely tests the network looking for vulnerabilities. He recently discovered a new access point set to open. After connecting to it, he found he was able to access network resources. What is the BEST explanation for this device?

A. Evil twin
B. A Raspberry Pi device
C. Rogue AP
D. APT

A

ANSWER: C) Rogue AP
A rogue AP is an access point that is not authorized (a form of shadow IT) and/or is misconfigured, but that provides access to the internal network because it has been plugged into it. In this scenario the access point has no security, so someone could connect to it from the parking lot and reach internal resources.

A) Evil twin
Mimics a legitimate AP with the same or similar service set identifier (SSID) to deceive users but does not match the scenario described.

B) A Raspberry Pi device
A Raspberry Pi is a low-cost, single-board computer (SBC). It can certainly be configured as an access point, but that describes the hardware, not the security problem. Whatever it runs on, an unauthorized AP bridged into the network is a rogue AP.

D) APT
An advanced persistent threat (APT) is a prolonged, targeted campaign, usually by a well-resourced group, and describes the adversary rather than a device. It is not the best explanation for a single open access point found on the network.

29
Q

You are an administrator at a small organization. Homer contacted you today and reported the following:

  • He logged on normally on Monday morning and accessed network shares.
  • Later, when he tried to access the Internet, a pop-up window with the organization’s wireless SSID prompted him to log on.
  • After doing so, he could access the Internet but no longer had access to the network shares.
  • Three days later, his bank notified him of suspicious activity on his account.

Which of the following indicates the MOST likely explanation for this activity?

A. An evil twin
B. A rogue access point
C. A DDoS attack
D. A captive portal

A

ANSWER: A) An evil twin
Normally, a user shouldn’t have to log on again to access the Internet. Because he lost access to network resources after logging on, it indicates he didn’t log on to a corporate access point (AP) but instead logged on to an unauthorized AP. An evil twin attack creates a fake SSID to steal user credentials and redirect traffic, explaining Homer’s experience.

B) A rogue access point
A rogue access point can be an evil twin with the same or similar SSID as a legitimate AP, so an evil twin is a more accurate description. They also do not necessarily involve stealing credentials.

C) A DDoS attack
Disrupts availability but does not involve credential theft.

D) A captive portal
A captive portal forces web browser users to complete a specific process, such as agreeing to an acceptable use policy, before it allows them access to a network.

30
Q

Mobile users in your network report that they frequently lose connectivity with the wireless network on some days, but they don’t have any problems on other days. You suspect this is due to an attack. Which of the following attacks is MOST likely to cause these symptoms?

A. Wireless jamming attack
B. IV attack
C. Replay attack
D. Bluesnarfing attack

A

ANSWER: A) Wireless jamming attack
A wireless jamming attack is a type of denial-of-service (DoS) attack that can cause wireless devices to lose their association with access points and disconnect them from the network. It transmits noise or another radio signal on the same frequency used by the existing wireless network.

B) IV attack
An Initialization Vector (IV) attack targets weaknesses in wireless encryption protocols such as WEP, collecting traffic in order to recover the key. It does not cause intermittent connectivity issues.

C) Replay attack
Involves capturing and retransmitting network traffic to impersonate a user or disrupt authentication. It does not directly cause connectivity issues.

D) Bluesnarfing attack
Refers to unauthorized access to data on Bluetooth-enabled devices. This is unrelated to Wi-Fi connectivity problems.

31
Q

An attacker can access email contact lists on your smartphone. What type of attack is this?

A. Bluesnarfing
B. Bluejacking
C. Captive portal
D. WPS

A

ANSWER: A) Bluesnarfing
Bluesnarfing is an attack where an attacker gains unauthorized access to data on a Bluetooth-enabled device, such as email contact lists, text messages, or other sensitive information.

B) Bluejacking
Sends unsolicited messages but does not access contact lists.

C) Captive portal
Refers to a web page that requires users to authenticate or agree to terms before accessing a network, unrelated to accessing contact lists.

D) WPS
A Wi-Fi Protected Setup (WPS) attack attempts to discover an access point WPS PIN by guessing PIN numbers.

32
Q

Your organization plans to implement a connection between the main site and a remote office giving remote employees on-demand access to resources at headquarters. The chief information officer (CIO) wants to use the Internet for this connection. Which of the following solutions will BEST support this requirement?

A. Remote access VPN
B. Site-to-site VPN
C. Full tunnel VPN
D. Split tunnel VPN

A

ANSWER: B) Site-to-site VPN
A site-to-site virtual private network (VPN) includes two VPN servers that act as gateways for two networks separated geographically, such as a main site network and a remote office network.

A) Remote access VPN
Designed for individual users to connect securely to the network, not for connecting entire office networks.

C) Full tunnel VPN
Refers to a VPN configuration where all traffic from the client device is encrypted and routed through the VPN. This is a feature of remote access VPNs, not site-to-site connections.

D) Split tunnel VPN
Routes only specific traffic through the VPN while other traffic goes directly to the Internet. This is not suitable for connecting two office networks. This scenario didn’t provide any directions related to a full-tunnel or a split-tunnel VPN.

33
Q

An organization is hosting a VPN that employees are using while working from home. Management wants to ensure that all VPN clients are using up-to-date operating systems and antivirus software. Which of the following would BEST meet this need?

A. NAT
B. NAC
C. VLAN
D. Screened subnet

A

ANSWER: B) NAC
Network Access Control (NAC) is the best solution for ensuring that VPN clients comply with security policies, such as having up-to-date operating systems and antivirus software. NAC can evaluate devices’ compliance and enforce restrictions if they do not meet security requirements.

A) NAT
Network Address Translation (NAT) is used to map private IP addresses to public ones and manage traffic between networks. It does not enforce compliance with security policies.

C) VLAN
A virtual local area network (VLAN) can segment clients, but not inspect them for compliance.

D) Screened subnet
A screened subnet provides a layer of protection for Internet-facing servers, putting them in a buffer zone between the Internet and an internal network. It doesn’t ensure endpoint security.

34
Q

Your organization recently implemented a BYOD policy. However, management wants to ensure that mobile devices meet minimum standards for security before they can access any network resources. Which of the following would the NAC MOST likely use?

A. Permanent
B. Health
C. RADIUS
D. Agentless

A

ANSWER: D) Agentless
In a BYOD environment, where employees bring their own personal devices, it is often impractical to require a permanent agent (software) to be installed on each device. Agentless NAC is commonly used in such scenarios because it allows the network to check the compliance of devices (e.g., ensuring antivirus is installed and updated, the OS is up-to-date, etc.) without requiring any installation of software on the devices.

A) Permanent
A permanent agent is software installed on a device to enforce NAC policies. While effective for corporate-owned devices, it is not practical for a BYOD policy, because employees may be unwilling or unable to install persistent software on personal devices.

B) Health
A health check (evaluating patch level, antivirus status, and so on) is what a NAC does; it is not the mechanism the NAC uses to collect that information from the device, which is what the question asks.

C) RADIUS
Remote Authentication Dial-In User Service (RADIUS) is a protocol for authentication, authorization, and accounting, often used with NAC. However, it does not enforce device compliance or directly address minimum security standards.

35
Q

Your organization is allowing more employees to work from home, and they want to upgrade their VPN. Management wants to ensure that after a VPN client connects to the VPN server, all traffic from the VPN client is encrypted. Which of the following would BEST meet this goal?

A. Split tunnel
B. Full tunnel
C. IPsec using Tunnel mode
D. IPsec using Transport mode

A

ANSWER: B) Full tunnel
A full tunnel VPN ensures that all traffic from the VPN client is encrypted and routed through the VPN connection after connecting to the VPN server. This is the best option to ensure complete encryption of all client traffic.

A) Split tunnel
In a split tunnel VPN, only traffic destined for the corporate network is routed and encrypted through the VPN, while other traffic (e.g., accessing external websites) bypasses the VPN and is not encrypted.

C) IPsec using Tunnel mode
IPsec Tunnel mode encrypts the entire original IP packet (header and payload) inside a new packet and is commonly used for VPN traffic, but it says nothing about which traffic the client sends through the VPN. Whether all traffic or only some traffic is tunneled is a full-tunnel or split-tunnel configuration decision, not a property of the protocol.

D) IPsec using Transport mode
IPsec Transport mode encrypts only the payload, leaving the original IP header in the clear. It is typically used for host-to-host protection within a private network rather than for gateway VPN tunnels, and like Tunnel mode it does not control which client traffic enters the VPN.

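An added example (not from the original flashcards) of what the full-tunnel and split-tunnel choice means on the client: two constructed routing tables and a longest-prefix-match lookup, the same rule a host's routing table applies, showing which destinations end up on the encrypted tunnel interface. The interface names, addresses (from the RFC 5737 documentation ranges) and corporate prefix are assumptions for illustration.

```python
"""Full tunnel vs split tunnel, seen as client routing tables.

Added example, not part of the original flashcards. Interface names,
the VPN server address and the corporate prefix are constructed.
"""
import ipaddress

VPN_SERVER = "203.0.113.5"   # constructed public address of the VPN gateway

# Full tunnel: every destination goes into the tunnel. The one exception
# is the VPN server itself, which must still be reached over the physical
# interface or the tunnel could never be built.
FULL_TUNNEL = [
    ("0.0.0.0/0", "tun0"),
    (f"{VPN_SERVER}/32", "eth0"),
]

# Split tunnel: only the corporate range enters the tunnel; everything
# else leaves the client unencrypted over the local Internet connection.
SPLIT_TUNNEL = [
    ("0.0.0.0/0", "eth0"),
    ("10.0.0.0/8", "tun0"),
]


def egress_interface(routes, dst):
    """Pick the route with the longest matching prefix for dst."""
    ip = ipaddress.ip_address(dst)
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def encrypted_destinations(routes, destinations):
    """Map each destination to whether it would leave via the VPN tunnel."""
    return {dst: egress_interface(routes, dst) == "tun0" for dst in destinations}


if __name__ == "__main__":
    targets = ["10.1.2.3", "198.51.100.7", VPN_SERVER]
    for name, table in (("full tunnel", FULL_TUNNEL), ("split tunnel", SPLIT_TUNNEL)):
        print(name, encrypted_destinations(table, targets))
```

With the full-tunnel table, a request to an arbitrary Internet host (198.51.100.7) is encrypted, which is the requirement in the question; with the split-tunnel table the same request bypasses the VPN entirely.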
36
Q

A company has implemented a Bring Your Own Device (BYOD) policy for guest users and contractors. Before granting network access, the company wants to ensure these devices meet security requirements, such as having an updated operating system and antivirus software. However, they do not want to require software to remain on the devices after the session ends. Which type of network access control (NAC) solution is most appropriate?

A) Permanent Agent
B) Dissolvable Agent
C) Agentless NAC
D) RADIUS

A

Correct Answer: B) Dissolvable Agent
A dissolvable agent is downloaded temporarily onto the guest or contractor’s device during the session, performs the necessary health checks, and is removed after the session ends. This approach ensures security compliance without leaving software permanently installed on devices.

A) Permanent Agent:
Permanent agents are better suited for corporate-owned devices where continuous monitoring is required.

C) Agentless NAC:
While this can be used for some checks, it lacks the deeper scanning capabilities of an agent for tasks like verifying antivirus or system patch levels.

D) RADIUS:
RADIUS handles authentication but does not perform device health checks.