Domain 3 Flashcards
Select the vulnerabilities that can influence routing. (Select all that apply.)
Route Injection, ARP poisoning, fingerprinting
Fingerprinting is when a port scanner uses a tool such as Nmap that can reveal the presence of a router and which dynamic routing and management protocols it is running.
Route injection means that traffic is misdirected to a monitoring port (sniffing), sent to a blackhole (non-existent address), or continuously looped around the network, causing DoS.
Address resolution protocol (ARP) poisoning or internet control message protocol (ICMP) redirect is tricking hosts on the subnet into routing through the attacker’s machine, rather than the legitimate default gateway. This allows the attacker to eavesdrop on communications and perform replay or man in the middle (MitM) attacks.
Management has set up a feed or subscription service to inform users on regular updates to the network and its various systems and services. The feed is only accessible from the internal network. What else can systems administrators do to limit the service to internal access?
Provision SSO access
Provisioning single sign on (SSO) access on the feed will provide access to logged in users as soon as the feed is configured on their email application or Intranet portal.
Two project managers are on the phone, discussing plans for a new site. The call changes over to video, as a way for one site manager to show a schematic on a wall. Compare types of communication services and determine which service the project managers are using.
Unified communications and or HTTPS (depending on question and answer).
The project managers are utilizing Unified Communications (UC). These solutions are messaging applications that combine multiple communications channels and technologies into a single platform. These communications channels can include voice, messaging, interactive whiteboards, data sharing, email, and social media.
HyperText Transfer Protocol Secure (HTTPS) is used to encrypt Transmission Control Protocol (TCP) connections. Websites for banking, email, or shopping should use HTTPS to encrypt data for protection of the data being submitted.
Consider the principles of web server hardening and determine which actions a system administrator should take when deploying a new server. (Select all that apply.)
Use SSH for uploading files, Use the configuration templates provided, secure a guest account.
Most web servers must allow access to guests. The guest account must be secured so that it cannot be used to modify any data on the server.
A secure means of uploading files and configuration changes needs to be used, such as Secure Shell (SSH).
Web servers should be deployed using configuration templates where possible. This will assist the administrator with hardening the system.
A system administrator completes a file transfer by negotiating a tunnel before the exchange of any commands. Evaluate the file transfer protocols to conclude which protocol the admin used. (Select all that apply.)
FTPES, FTPS
File Transfer Protocol over SSL (FTPS) implicitly negotiates a Secure Sockets Layer/Transport Layer Security (SSL/TLS) tunnel before the exchange of any File Transfer Protocol (FTP) commands. This mode uses the secure port 990 for the control connection.
Explicit FTP over SSL (FTPES) uses the AUTH TLS command to upgrade an unsecure connection established over port 21 to a secure one. This negotiates an SSL/TLS tunnel explicitly and is preferred over FTPS.
In which of the following cases can Transport Layer Security (TLS) be used to provide encrypted communication of services? (Select all that apply.)
File transfer, directory services, and web
File transfer services can use the Transport Layer Security (TLS) protocol to encrypt communication such as File Transfer Protocol Secure (FTPS). A TLS tunnel is negotiated before the exchange of any FTP commands.
Directory services can encrypt traffic, for example, using Lightweight Directory Access Protocol Secure (LDAPS). Credentials are encrypted while in transit to a directory service like Windows Active Directory.
Web services use TLS to encrypt traffic between users and a bank’s web site, for example. The latest TLS version 1.3 is approved as of 2018.
A network engineer is securing communication between two applications on a private network. The applications will communicate using Internet protocol security (IPSec). Recommend the settings that will provide IP header integrity and encrypted data payload. (Select all that apply.)
ESP protocol, AH protocol, and Transport mode
The Authentication Header (AH) protocol performs a cryptographic hash on the whole packet, including the IP header, plus a shared secret key (known only to the communicating hosts) and adds this HMAC in its header as an Integrity Check Value (ICV).
The Encapsulation Security Payload (ESP) protocol provides confidentiality and/or authentication and integrity. It encrypts the data payload.
Transport mode secures communications between hosts on a private network (an end-to-end implementation). AH and ESP running in transport mode provide confidentiality, integrity, and authentication for internal secure communication.
A developer writes code for a new application and wants to ensure protective countermeasures for SQL injection execute. What secure coding technique will provide this?
Input validation
Input validation verifies data is valid. Proper input validation uses a set of rules to validate entries in fields for proper use. In the event an entry is invalid, the application will reject the entry. It is a secure coding practice.
Repeated attempts to access a remote server at a branch office from an unknown IP address occurred. Logs from a network appliance show the same unknown traffic going to other areas of the internal network. Which of the following best provides an active and passive protection at the server level? (Select all that apply.)
HIDS and HIPS
Host Intrusion Prevention System (HIPS) is software located on the host system and has an active response to threats. In the example of an unknown IP range trying to gain access to a server, the HIPS at the server level will block the connection.
Host Intrusion Detection System (HIDS) is also software located on the host system. It can log and notify admins or users about intrusion attempts without an active response, like denying or blocking.
Which of the following is NOT a concept in a Secure DevOps project?
Attestation
Attestation is similar to the secure boot process by checking files against a remote system. It is not a part of Secure DevOps.
A user reported the system being taken over for a few minutes (remotely) before deciding to power off the workstation. After reviewing the Network Intrusion Detection System (NIDS) during the time of the incident, there was no indication of unauthorized remote connections. What would be the benefits of installing a Host Intrusion Prevention System (HIPS) at the end points? (Select all that apply.)
Protection from zero-day attacks and prevent malicious traffic between VMs
Virtual machines (VM) on a virtual stack communicate with each other directly through a virtual switch where physical NIDS or NIPS do not exist. In this case, a Host Intrusion Prevention System (HIPS) will prevent malicious traffic between the VMs.
HIPS are equipped with heuristic monitoring techniques to protect against zero-day attacks. For example, it can gauge a baseline state of the system and take immediate action when an unknown service acts maliciously.
An administrator tries to remotely access a virtual Windows 2016 server, but the connection fails. The admin pings the server and there is no packet loss. Regular services, such as file shares, still work for users. Which of the following is most likely causing the connection failures?
Windows Firewall
Windows Firewall is a host-based firewall application that can set inbound and outbound rules for the system. The Windows firewall has a rule for RDP (Remote Desktop Protocol) connections that may be disabled, therefore blocking any incoming RDP attempts.
An organization deployed a new internal Line of Business (LOB) application that contains custom code. As part of a risk assessment, it requires testing the application for threat vulnerabilities. Considering the available testing approaches, which implementation would satisfy assessment requirements?
Fuzzing
Fuzzing is a dynamic analysis technique that checks code as it is running. When using fuzzing, the system is attacked with random data to check for code vulnerabilities.
Two virtual hosts run on a stack and each host runs a virtual machine (VM). Both VMs use shared storage, and an admin must provide stateful fault tolerance. The Enterprise services running on these VMs must work on both virtual hosts and continue working if one of the virtual hosts goes offline. What cluster setup would provide the functionality the organization requires?
An Active/Active configuration consisting of n nodes.
An active/active cluster provides Enterprise services to clients from both virtual servers. All services will transparently transfer to the other server if one virtual host goes offline.
A hacker infiltrated a commercial stock image company and found a file share full of free images that users could download via a web server. The hacker replaced each image with malicious code, hoping the free images will get downloaded onto unsuspecting users’ computers. Which of the following can prevent this attack method?
File integrity monitoring
File integrity monitoring is a feature available in most antivirus software or HIPS (Host-based Intrusion Prevention System). HIPS can capture a baseline of each image using hashing algorithms; any radical change to an image will flag the incident and quarantine the files.
Users are reporting jittery video communication during routine video conferences. What can a system administrator implement to improve video quality and overall use of the network bandwidth?
Use 802.1p header
Switches that support quality of service use the 802.1p header to prioritize frames. This will improve video conferences and make efficient use of the overall network bandwidth.
A network administrator wants to set up a load balancing cluster to manage traffic to a web server farm. The load balancer will route traffic based on the type of requests coming in from internal users. Design a solution that would provide at minimum a failover solution and proper configuration for a load balancing cluster. (Select all that apply.)
create virtual IP address, set up an active/passive topology
An active/passive topology will ensure a proper failure capability. Requests will continually flow through one load balancer and through the secondary if the primary fails.
A virtual IP address ensures a smooth transition over to the secondary load balancer if the primary fails. Users or other services will only need to know one destination IP address to reach the web server farm.
A concentrator placed on a firewall or router combines multiple sensors to gather data for processing by an intrusion detection system. Identify this device.
Collector
A collector combines multiple sensors to collect internet traffic for processing by an Intrusion Detection System (IDS) and other systems. Where the collector is placed determines the type of traffic analyzed.
Two virtual machines have a custom application set up for active/active clustering. Each physical node has the appropriate number of network adapters for clustering, as well as service communication to clients. Cisco backs the company’s infrastructure and has also made recommendations. Which of the following will most likely support these customer services? (Select all that apply.)
VIP, GLBP
Each server node has its own IP address, but externally a load-balanced service is advertising a Virtual IP (VIP) address. Clients go to an IP address or FQDN (fully qualified domain name) and will be routed accordingly between the servers in the cluster.
Gateway Load Balancing Protocol (GLBP) is Cisco’s proprietary service for providing a load-balanced service with a VIP. The infrastructure is Cisco-based, so this service will most likely be implemented.
A user purchased a home wireless router. The user was not able to connect a laptop to the wireless router by pressing the Wi-Fi Protected Setup button. What can the user do to establish a proper connection with the wireless router? (Select all that apply.)
Enter pin manually, use compatible NIC
Wi-Fi Protected Setup (WPS) works with applicable devices that are compatible. WPS is dependent on the type of wireless network interface card (NIC) on the printer or laptop.
The user can connect to the wireless router without WPS using a passphrase or PIN that is printed on the router device. The user selects the wireless router in the laptop’s desktop, and enters the passphrase or PIN when prompted.
A network administrator placed three wireless access points (WAPs) on a single floor in a high-rise building. The floor has approximately 20 rooms with some offices separated by walls. What are some appropriate strategies to ensure all users have secure, uninterrupted access to the wireless network? (Select all that apply.)
separate channels by 20 MHz, configure WPA3-enterprise security
Channels have ~5 MHz spacing, but Wi-Fi requires 20 MHz of channel space. Providing adequate spacing ensures maximum network bandwidth and minimum interference.
Wi-Fi Protected Access version 3 (WPA3) with enterprise security allows users to log in to a wireless access point using their own credentials. This passes authentication to a RADIUS server, for example, before allowing the user access.
A network administrator enables Wi-Fi Protected Access (WPA) and Wi-Fi Protected Access 2 (WPA2) on a Cisco Wireless Local Area Network (LAN) Controller. 802.1x is also enabled. How will the network admin complete setup for Enterprise mode?
Enter secret key for RADIUS server
A Remote Authentication Dial-In User Service (RADIUS) server is required to complete the 802.1x setup. The wireless controller connects to the RADIUS server with a shared secret key, then credentials can be properly authenticated.
Which authentication protocol requires both a server and client-side public certificate?
EAP-TLS
Extensible Authentication Protocol with Transport Layer Security (EAP-TLS) requires a server and client-side public key certificate. An encrypted TLS tunnel is established between the supplicant and authentication server using this method.
What are the benefits of using Wi-Fi heat maps for wireless networks? (Select all that apply.)
Find location of strong signals, determine where to place access points, survey for signal strength, determine which channels overlap
A heat map can show where a signal is strong (red) or weak (green/blue), and which channel is being used and how they overlap.
A site survey is used to measure signal strength and channel usage throughout an area. This can be determined by using a heat map. A site survey starts with an architectural map of the site.
Wi-Fi requires 20 MHz of channel space. Reading the heat map can ensure adequate channel spacing between each access point to reduce channel interference.
Location of access points, especially those using the same channel, will compete for bandwidth. A heat map can determine weak spots so devices can be physically spaced out.
A company using Wi-Fi Protected Access (WPA) wireless security on their Wireless Access Points (WAPs) uses Lightweight EAP (LEAP) to authenticate users to the network. LEAP is vulnerable to password cracking. What other options does the company have to mitigate this vulnerability? (Select all that apply.)
PEAP and EAP FAST
Flexible Authentication via Secure Tunneling (EAP-FAST) is Cisco’s replacement for LEAP. It addresses LEAP vulnerabilities using Transport Layer Security (TLS) with Protected Access Credential (PAC) instead of certificates.
Protected Extensible Authentication Protocol (PEAP) uses a server-side public key certificate to create an encrypted tunnel between the supplicant and authentication server. This is an industry standard.
A retail company would like to have a coupon automatically sent to smartphones located within 500 feet of their store entrance. Recommend the technology that can achieve this function.
Geofencing
Geofencing is the practice of creating a virtual boundary based on real-world geography. An organization may use geofencing to create a perimeter around its office property.
A company uses AirWatch for complete management of corporate-owned and personal devices, such as iPhones and laptops. They want the ability to approve which applications employees can install, secure the data if the laptop is stolen, and keep personal data separate from corporate data on personal phones. Which features of AirWatch benefit the company? (Select all that apply.)
Full Drive Encryption (FDE), Application management, Containerization
AirWatch can set policies that say which applications on the mobile phone a user can use. It can also restrict the use of the App store icon on iPhone devices.
AirWatch with Windows 10 can manage and deploy full drive encryption that is beneficial for laptops. Hackers will not be able to decrypt the stolen laptop or hard drive without a recovery password or key.
Containerization allows the employer to manage and maintain the portion of an employee’s personal device that interfaces with the corporate network. An example of this is the use of Workspace One apps from VMware for mobile devices.
Risks can occur when using Wi-Fi from users connecting to certain access points. Which of the following illustrate this? (Select all that apply.)
Rogue access and open access
The risks from Wi-Fi come from users connecting to open access points or possibly a rogue access point imitating a corporate network. These allow the access point owner to launch any number of attacks, even potentially compromising sessions with secure servers (using an SSL stripping attack, for instance).