CISSP Q V1.4 DOMAIN 4 Communication and Network Security Flashcards

1
Q

Which of the following are the correct names for the Open Systems Interconnection (OSI) model layers 1, 6, 7, and 3?
A. Physical, application, presentation, and network
B. Data link, network, application, and session
C. Physical, data link, network, and application
D. Physical, presentation, application, and network

A

D. Physical, presentation, application, and network

2
Q

Which of the following provides the best and most scalable access control for a corporate wireless network?
A. A Stateful firewall that also does Network Address Translation (NAT).
B. WPA2 Enterprise with IEEE 802.1x.
C. WPA2 Personal with long pre-shared keys.
D. A carefully monitored MAC filtering plan.

A

B. WPA2 Enterprise with IEEE 802.1x.

The best answer would be (B), as 802.1x allows everyone to have a unique username and password. Furthermore, it can support certificates, which eliminate the threat of password attacks.

3
Q

Which statement BEST describes the functions of the data-link layer (DLL) and the presentation layer (PL)?
A. The DLL provides media access control and transmits signals as frames; the PL handles data formatting.
B. The DLL converts port numbers into signals; the PL handles data formatting.
C. The DLL provides framing; the PL converts bits into signals.
D. The DLL converts a network packet into signals; the PL converts an application packet into a datagram.

A

A. The DLL provides media access control and transmits signals as frames; the PL handles data formatting.

4
Q

Which PKI component publishes the Certificate Revocation List (CRL)?
A. The Central Directory (CD)
B. The Registration Authority (RA)
C. The Certificate Authority (CA)
D. The Certificate Manager (CM)

A

C. The Certificate Authority (CA)

5
Q

Which of the following technologies acted as a successor to Wired Equivalent Privacy (WEP) without requiring a change in hardware?
A. Wi-Fi Protected Access II (WPA2), and it used the Advanced Encryption Standard (AES).
B. Wi-Fi Protected Access II (WPA2), and it used the Temporal Key Integrity Protocol (TKIP).
C. Wi-Fi Protected Access (WPA) and it used the Temporal Key Integrity Protocol (TKIP).
D. Wi-Fi Protected Access (WPA) and it used the Advanced Encryption Standard (AES).

A

C. Wi-Fi Protected Access (WPA) and it used the Temporal Key Integrity Protocol (TKIP).

The IEEE standards were WEP, then WPA, then WPA2. The TKIP was first used with WPA and AES was first used in WPA2. WPA2’s support of AES required a change to the hardware.

6
Q

Which answer best describes the components and purpose of a Content Distribution Network (CDN)?

  1. A CDN is a large, geographically distributed system of servers.
  2. CDNs provide content to end users with high availability and high performance.
  3. CDNs pay content advertisers to deliver their content to the public, making money on advertisements displayed on their dynamically generated web pages.
  4. CDN providers are used exclusively for streaming video.

A. 1 and 2
B. 2 and 3
C. 1 and 4
D. 3 and 4

A

A. 1 and 2

7
Q

What is the MAIN security advantage of installing website control filters to block sites such as Facebook, or fantasy sports sites?

A. Making your employees more productive since they are not wasting time on the blocked social networking sites.
B. Deterring employees from betting on sports events.
C. Stopping leakage of personal information.
D. Avoiding malware.

A

D. Avoiding malware.

8
Q

Your company has a border router/firewall to connect its network to the Internet. It also has a 64-port switch to connect all your internal users and printers. To isolate your general users from seeing the normal, but sensitive, traffic among Human Resources (HR) employees, you place the HR employees into a separate VLAN. What risks remain with the use of the VLAN?

A. None, the data is encrypted.
B. None, the data being communicated is air gapped.
C. The HR data might be exposed through VLAN leaking.
D. The HR data might be exposed through a denial of service.

A

C. The HR data might be exposed through VLAN leaking.

802.1Q and Inter-Switch Link Protocol (ISL) Tagging Attacks allow a user on a VLAN to get unauthorized access to another VLAN. This is commonly referred to as “VLAN leaking.”

9
Q

A hacker sniffs network traffic and then uses a faked IP address and TCP header information to insert packets onto the network. Of the options below, what best illustrates this attack?

A. IP Spoofing
B. Session hijacking
C. Fraggle
D. Smurf

A

B. Session hijacking

This is the classic definition of Session Hijacking. IP spoofing doesn’t typically include the TCP header and Fraggle and Smurf attacks certainly don’t.

10
Q

An unknown threat actor added a rogue Certificate Authority (CA) to your Public Key Infrastructure (PKI) cache. How would your web browser react?

A. Not trust any of the certificates the rogue CA had signed.
B. Always prompt you to reject it, as the rogue CA’s certificate is in your browser’s cache.
C. Always trust any certificate the rogue CA had previously signed.
D. Not cause any harm, as rogue CAs aren’t effective.

A

C. Always trust any certificate the rogue CA had previously signed.

Once a CA is in your PKI cache (normally in your browser), any certificate that the rogue CA has signed will be trusted.

11
Q

Which attack uses options in the “ping” command to create a denial-of-service attack?

A. An Overlapping fragment attack.
B. The Fraggle attack.
C. The Smurf attack.
D. The Double Teardrop attack.

A

C. The Smurf attack.

They are describing a Smurf attack! This attack uses ping (ICMP echo replies) to overwhelm a target and cause a DoS. Fraggle is similar, but it uses UDP messages instead of ICMP. Answers (A) and (D) are fragmentation attacks.

12
Q

As the result of a business merger, a root certificate authority from company A and a root certificate authority from company B need to be configured so that they will trust certificates generated by each other. Which of the options below best describes this process?

A. Subordinate CA to Subordinate CA Trust.
B. Cross-certification.
C. RA to RA Cooperation.
D. Certificate Authority Reciprocity.

A

B. Cross-certification.

13
Q

Which list contains one IP Networking port number in the “Well known” range, one in the “Registered” range, and one in the “Dynamic” range?

A. 69, 1007 and 50001
B. 1443, 8080 and 49152
C. 23, 80 and 1443
D. 809, 1812 and 53652

A

D. 809, 1812 and 53652

Well known – 0 to 1,023; Registered – 1,024 to 49,151; Dynamic/ephemeral – 49,152 to 65,535.

14
Q

What are the well known port ranges?

A

Well known – 0 to 1,023.

15
Q

What are the registered port ranges?

A

Registered – 1,024 to 49,151.

16
Q

What are the dynamic or ephemeral port ranges?

A

Dynamic/ephemeral – 49,152 to 65,535.

17
Q

What application layer device provides translation services for different environments?

A. A Voice over IP (VOIP) to Plain old Telephone Service (POTS) gateway.
B. An Ethernet to Token Ring bridge.
C. An ASCII to EBCDIC gateway.
D. A Router connecting two different LAN segments.

A

A. A Voice over IP (VOIP) to Plain old Telephone Service (POTS) gateway.

Since VOIP is a Layer 7 (Application) protocol, VOIP to POTS is application-layer translation.

18
Q

Which statement below BEST describes the purpose of a Software Defined Network?

A. It is used to separate traditional network traffic into three components: raw data, the way in which the data are sent, and the purpose the data serve.
B. It is used to provide redundancy in cloud environments.
C. It abstracts network traffic into three layers which are called Application, Communications, and Interface.
D. It creatively uses TCP/IP networking standards to move data over different paths.

A

A. It is used to separate traditional network traffic into three components: raw data, the way in which the data are sent, and the purpose the data serve.

19
Q

Which statement BEST describes the differences among different network cabling media?

A. Coaxial cable has more environmental protection than Shielded Twisted Pair (STP), but is harder to install.
B. Twisted pair copper cabling comes in two modes, Unshielded Twisted Pair (UTP) and Shielded Twisted Pair (STP).
C. Fiber Optic cabling comes in two modes, single-mode and multi-mode.
D. Shielded Twisted Pair (STP) is more expensive and harder to install than Fiber Optic.

A

A. Coaxial cable has more environmental protection than Shielded Twisted Pair (STP), but is harder to install.

Answer (A) is correct, as it correctly compares different types of cabling media. Also, coaxial cabling typically includes multiple layers of shielding. Answers (B) and (C) are wrong because they do not compare different types of media, but are otherwise accurate. Answer (D) is incorrect because fiber optic cabling is more expensive and harder to install than other cabling types.

20
Q

Which of the following uses the User Datagram Protocol (UDP) to create a denial-of-service attack?

A. A Session Hijacking attack.
B. The Double Teardrop attack.
C. The Fraggle attack.
D. The Smurf attack.

A

C. The Fraggle attack.

The Fraggle attack uses UDP messages to cause a DoS. Session Hijacking is a layer 5 TCP attack. Smurf uses ICMP, and a Teardrop is a fragmentation attack (layer 3).

21
Q

Which are true regarding Software Defined Networks? (pick two)

A. Decouple the control and data planes, logically centralize network intelligence and state, and abstract the infrastructure from the applications.
B. Separate traditional network traffic into two areas: Clear-Text and Covered-Data.
C. Separate traditional network traffic into three components: raw data, how the data is sent, and what purpose the data serves.
D. Map the data into two planes, usually called the infrastructure and communications planes.
E. It abstracts policy from the actual device configuration to create new software profiles.

A

A. Decouple the control and data planes, logically centralize network intelligence and state, and abstract the infrastructure from the applications.

C. Separate traditional network traffic into three components: raw data, how the data is sent, and what purpose the data serves.

22
Q

Which of the following best describes IPSEC?

A. A protocol used by virtual private networks (VPNs) that can both tunnel and encrypt.
B. A protocol used by local area networks (LANs) that can both tunnel and encrypt.
C. A local area network (LAN) protocol that can encrypt but not tunnel.
D. A virtual private network (VPN) protocol that can only Tunnel.

A

A. A protocol used by virtual private networks (VPNs) that can both tunnel and encrypt.

23
Q

Which of the following are correct?

  1. Ring networks often have collisions, thus lowering their throughput.
  2. Wireless Ethernet systems use Carrier Sense Multiple Access / Collision Avoidance (CSMA/CA) to access the network.
  3. Routers connect hosts and switches separate local area networks (LANs).
  4. For heavily populated environments, the collision domain for a switch is smaller than that of a bridge.

A. 1 and 4
B. 3 and 4
C. 2 and 4
D. 3 and 4

A

C. 2 and 4

#1 is not correct, as ring networks do not have collisions. #3 is incorrect, as routers are responsible for separating local area networks, while switches connect hosts. #2 and #4 are completely correct.

24
Q

A company has decided to adopt the CYOD (choose your own device) deployment model, where the company allows the employee to choose from a range of cellular devices. Considering this deployment model, what should the security team consider before the phones are deployed?

A. The most common set of MDM configurations will become the effective set of enterprise mobile security controls.
B. All devices will need to support SCEP-based enrollment; therefore, the heterogeneity of the chosen architecture may unnecessarily expose private keys to adversaries.
C. Certain devices are inherently less secure than others, so compensatory controls will be needed to address the delta between device vendors.
D. MDMs typically will not support heterogeneous deployment environments, so multiple MDMs will need to be installed and configured.

A

C. Certain devices are inherently less secure than others, so compensatory controls will be needed to address the delta between device vendors.

Different phones will have different security postures, features, and control mechanisms. Some may require compensatory controls.

25
Q

A 100 terabyte storage area network (SAN) needs to be deployed at your organization to support future growth. Management has dictated that you will need to use ethernet switches to minimize the cost of the installation. Which of the options below would be the most suitable for this deployment?

A. Fibre Channel
B. iSCSI
C. OSPF
D. Infiniband

A

B. iSCSI

A. Fibre Channel - Requires non-Ethernet dedicated Fibre Channel switches.
B. iSCSI - A protocol that can run over Ethernet and is considered the cheap alternative to Fibre Channel.
C. OSPF - This is a routing protocol and has nothing to do with switches.
D. InfiniBand - Requires non-Ethernet dedicated InfiniBand switches.

Had it been offered as an option, FCoE (Fibre Channel over Ethernet) would also have been a valid choice.

26
Q

An employee typically uses SSH to connect to and configure a remote server. Today they got this message:

xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
WARNING: REMOTE HOST ID HAS CHANGED!
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
The fingerprint for the RSA key sent by the host is
SHA: 1B8104A05A243CEE3776A81BDE2EC7DAA990D0A5.
Host key verification failed. Please contact your admin.
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

What network attack is the employee most likely experiencing?

A. Evil twin
B. DNS poison
C. Man-in-the-middle
D. MAC cloning

A

C. Man-in-the-middle

The remote device we are attempting to connect to does not have the proper SSH key. We are likely talking to a Man-in-the-Middle (MitM) who is impersonating our intended destination.

27
Q

An organization is worried that the SCADA network that controls the environmental systems could be compromised if the staff’s WiFi network was breached. What would be the best option to mitigate this threat?

A. Install a smart meter on the staff WiFi.
B. Place the environmental systems in the same DHCP scope as the staff WiFi.
C. Implement Zigbee on the staff WiFi access points.
D. Segment the staff WiFi network from the environmental systems network.

A

D. Segment the staff WiFi network from the environmental systems network.

28
Q

A company has maintained highly detailed records of all of their authorized network devices and is planning to use Wi-Fi for all laptops that need network access. What could replace a pre-shared key on an access point and stop a script kiddie from being able to brute force the password?

A. WPA2-BPDU
B. WPA-EAP
C. IP filtering
D. Wi-fi Protected Setup

A

B. WPA-EAP

A. A BPDU is a type of message found in the Spanning Tree Protocol, and has nothing to do with Wi-Fi or WPA2. This is a distractor and is complete nonsense.

B. Also known as enterprise mode, or 802.1x, this would require each user to have a unique username and password. With this replacing the pre-shared key mechanism, the script kiddie would have to know the username in addition to brute forcing the password, and that would most likely be outside the scope of their ability. Alternatively or additionally, the 802.1x system allows users to authenticate with TLS certificates, and we can be sure that no script kiddie could bypass that.

C. Not a terrible answer, but this wouldn’t “replace” a pre-shared key. Also, IP filtering isn’t done on most access points. Instead they rely on MAC filtering!

D. Wi-fi Protected Setup allows users to input an eight-digit PIN found on the bottom of the access point, or press a button on the access point, to allow a device to connect WITHOUT entering the password. This mechanism does not replace a pre-shared key and is entirely unrelated to it.

29
Q

An admin is deploying access points that will use PKI for authentication. What needs to be configured for this to work?

A. HTTPS Captive portal
B. WPS – Wi-fi protected setup
C. 802.1x – Enterprise mode
D. PSK – Pre-Shared key

A

C. 802.1x – Enterprise mode

Using PKI (certificates) to authenticate into the access point will require an AAA system (a RADIUS or TACACS server must be on the network and configured properly). This process is described in the standard 802.1x, and is also referred to as “enterprise authentication/mode”.

30
Q

The OSI model starts with Application (layer 7) at the top and ends with Physical (layer 1) at the bottom. What is the correct order for the TCP/IP model, from top to bottom?

A. Application, Network, Data-link, Physical
B. Application, Presentation, Session, Transport
C. Application, Internet, Transport, Host Access
D. Application, Transport, Internet, Network Access

A

D. Application, Transport, Internet, Network Access

31
Q

A smart switch has the ability to monitor electrical levels and shut off power to a building in the event of a power surge or other similar situations. The switch was installed on a wired network in a local office and is monitored via a cloud application. The switch is already isolated on a separate VLAN and has an automatic patching routine. Which of the following steps should also be taken to harden the smart switch?

A. Set up an air gap for the switch.
B. Change the default password for the switch.
C. Place the switch in a Faraday cage.
D. Install a cable lock on the switch.

A

B. Change the default password for the switch.

Hardening: configuring the device for least functionality and thereby increasing security (stop unnecessary services, close unnecessary ports, and change the default password).
Air gapping the switch (A) would cut it off from the cloud application, so this seems like a bad idea. A Faraday cage (C) is used to block wireless signals, and probably isn’t very useful in this situation. A cable lock (D) will only help prevent physical theft, which isn’t typically part of the hardening process, nor does the question indicate we are dealing with anything physical. (B) remains by far our strongest answer.

32
Q

A user is having problems accessing network shares. An admin investigates and finds the following on the user’s computer:

What attack has been performed on this computer?

A. Directory traversal
B. Pass-the-hash
C. Mac flood
D. ARP poisoning
E. IP conflict
F. DHCP starvation attack

A

D. ARP poisoning

Two different IP addresses are associated with the same MAC address. This is very unusual. Since these are dynamically learned ARP entries, it is reasonable to believe this was an ARP poisoning. Device .1 is probably the default gateway, and device .11 is then the MitM (man-in-the-middle).

33
Q

A computer on the company network was infected with malware and the user says they haven’t used the device for anything but browsing the internet. They did not download anything or open any emails on the infected computer. Of the options below, what might help a technician find where the malware came from?

A. The DNS logs
B. The web server logs
C. The SIP traffic logs
D. The SNMP logs

A

A. The DNS logs

34
Q

A VPN connection needs to be configured from site A to site B while also providing the following:
* Integrity
* Encryption
* Authentication
* Anti-replay

Which of the following should be enabled when configuring the VPN to meet the objectives above?

A. Encapsulated Security Payload (ESP)
B. Layer Two Tunneling Protocol (L2TP)
C. Authentication Header (AH)
D. Layer Two Forwarding (L2F)

A

A. Encapsulated Security Payload (ESP)

35
Q

A security expert has identified the following:

  • www.example.com is officially hosted at 172.16.99.99.
  • Based on NetFlow records, there was a day when a single corporate DNS server resolved www.example.com to 172.31.50.50.
  • At present all company DNS servers resolve www.example.com to 172.16.99.99.

Of the options below, what most likely occurred?

A. A proxy was used to redirect network traffic.
B. An MITM directly corrupted the computer’s DNS cache.
C. An attacker temporarily poisoned a name server.
D. An ARP poisoning attack was successfully executed.

A

C. An attacker temporarily poisoned a name server.

36
Q

Which of the following is not a characteristic of a ZigBee network?

A. Encrypted with a 128 bit AES key
B. High data rates, such as 1Gbps
C. Can operate in a Mesh or Tree topology
D. Provides a wireless personal area network
E. Used frequently with Internet of Things devices

A

B. High data rates, such as 1Gbps

All of these are 100% true, except (B). The maximum data rate is defined as 250 kbps.

37
Q

This encapsulation protocol is used to tunnel Layer 2 connections through an underlying Layer 3 network. Furthermore, it provides network segmentation at the scale needed for cloud builders to support 16 million tenants. What technology is being described?

A. Point to Point over Ethernet (PPPoE)
B. Virtual Extensible Local Area Network (VXLAN)
C. Internet Protocol Security (IPSEC)
D. Fibre Channel over Ethernet (FCoE)

A

B. Virtual Extensible Local Area Network (VXLAN)

VXLAN is a technology that allows you to segment your networks (just like a VLAN), but at a scale that VLANs cannot achieve: 16 million VXLANs vs. a maximum of 4094 VLANs. Furthermore, VXLAN supports tunneling, allowing layer 2 networks to be connected together over layer 3 boundaries. Essentially, two LANs could be connected together over a wide area network, thereby connecting two remote data centers together.