Domain 3

Question 1

Secure Shell (SSH)

Answer 1

is the principal means of obtaining secure remote access to a UNIX or Linux server. The main uses of SSH are for remote administration and Secure File Transfer (SFTP).

Question 2

atomic clock

Answer 2

Top level Network Time Protocol (NTP) servers (stratum 1) obtain the Coordinated Universal Time (UTC) from a highly accurate clock source

Question 3

A web server will utilize a directory protocol to enable users to authenticate with domain credentials. A certificate will be issued to the server to setup a secure tunnel. Which protocol is ideal for this situation?

Answer 3

Lightweight Directory Access Protocol Secure (LDAPS) uses port 636 to set up a secure channel to a directory service using a digital certificate.

Question 4

Secure Multipart Internet Message Extensions (S/MIME)

Answer 4

is used to sign and encrypt mail messages using an email certificate.

Question 5

Encapsulation Security Payload (ESP)

Answer 5

provides confidentiality and/or authentication and integrity. ESP is used with Internet Protocol Security (IPSec) over layer 3 of the Open Systems Interconnection (OSI) model.

Question 6

A network engineer is securing communication between two applications on a private network. The applications will communicate using Internet protocol security (IPSec). Recommend the settings that will provide IP header integrity and encrypted data payload.

Answer 6

The Authentication Header (AH) protocol performs a cryptographic hash on the whole packet, including the IP header, plus a shared secret key (known only to the communicating hosts) and adds this HMAC in its header as an Integrity Check Value (ICV).
The Encapsulation Security Payload (ESP) protocol provides confidentiality and/or authentication and integrity. It encrypts the data payload.
Transport mode secures communications between hosts on a private network (an end-to-end implementation). AH and ESP running transport mode provides confidentiality, integrity, and authentication for internal secure communication.

Question 7

Simple Network Management Protocol (SNMP) v3

Answer 7

supports encryption and strong user-based authentication. Instead of community names, the agent is configured with a list of usernames and access permissions.

Question 8

SNMPv1

Answer 8

uses community names that are sent in plaintext and should not be transmitted over the network if there is any risk they could be intercepted.

Question 9

SNMPv2c

Answer 9

also uses community names that are sent in plaintext and should not be transmitted over the network, if there is any risk they could be intercepted. Like SNMPv1, this protocol does not support strong user-based authentication.

Question 10

Management Information Base (MIB)

Answer 10

is the database that the SNMP agent uses. The agent is a process that runs on a switch, router, server, or SNMP compatible network device.

Question 11

Secure Post Office Protocol v3 (POP3)

Answer 11

is a mailbox protocol designed to allow mail to be stored on a server and downloaded to the recipient’s email client at their convenience.

Question 12

Secure Internet Message Access Protocol v4 (IMAP4)

Answer 12

is designed for dial-up access. The client contacts the server to download its messages, then disconnects. IMAP supports permanent connections to a server and connecting multiple clients to the same mailbox simultaneously. Messages are stored and organized on the server.

Question 13

Transport Layer Security (TLS) 1.2

Answer 13

added support for the strong Secure Hash Algorithm (SHA)-256 cipher. That is the primary difference between TLS 1.1 and TLS 1.2.

Question 14

Secure Sockets Layer (SSL) 3.0

Answer 14

is less secure than any of the TLS versions and does not support SHA-256 cipher.

Question 15

Consider the principles of web server hardening and determine which actions a system administrator should take when deploying a new server.

Answer 15

Most web servers must allow access to guests. The guest account must be secured so that it cannot be used to modify any data on the server.
A secure means of uploading files and configuration changes needs to be used, such as Secure Shell (SSH).
Web servers should be deployed using configuration templates where possible. This will assist the administrator with hardening the system.

Question 16

Unified Communications (UC)

Answer 16

The project managers are utilizing Unified Communications (UC). These solutions are messaging applications that combine multiple communications channels and technologies into a single platform. These communications channels can include voice, messaging, interactive whiteboards, data sharing, email, and social media.

Question 17

A system administrator completes a file transfer by negotiating a tunnel before the exchange of any commands. Evaluate the file transfer protocols to conclude which protocol the admin used.

Answer 17

File Transfer Protocol over SSL (FTPS) implicitly negotiates a Secure Sockets Layer/Transport Layer Security (SSL/TLS) tunnel before the exchange of any File Transfer Protocol (FTP) commands. This mode uses the secure port 990 for the control connection.
Explicit FTP over SSL (FTPES) uses the AUTH TLS command to upgrade an unsecure connection established over port 21 to a secure one. This negotiates a SSL/TLS tunnel explicitly and is preferred over FTPS.

Question 18

tunnel mode

Answer 18

is used by IPsec to provide encrypted communication by encrypting the entire network packet. This method is used mostly in unsecured networks.

Question 19

Which of the following would secure an endpoint and provide attestation signed by a trusted platform module (TPM)?

Answer 19

A trusted, or measured, boot process uses the trusted platform module (TPM) at each stage in the boot process to check hashes of key system state data, which then uses an attestation process to verify if the system has not been tampered with.

Question 20

endpoint detection and response (EDR)

Answer 20

product provides real-time and historical visibility into the compromise, contains the malware, and facilitates remediation of the host to its original state.

Question 21

Host intrusion prevention systems (HIPS)

Answer 21

provide threat detection and prevent those threats based on signature values, heuristic behaviors, and security policies.

Question 22

An organization deployed a new internal Line of Business (LOB) application that contains custom code. As part of a risk assessment, it requires testing the application for threat vulnerabilities. Considering the available testing approaches, which implementation would satisfy assessment requirements?

Answer 22

Fuzzing is a dynamic analysis technique that checks code as it is running. When using fuzzing, the system is attacked with random data to check for code vulnerabilities.

Question 23

Employees have the ability to download certain applications onto their workstations to complete work functions. The CIO installed a reliable method to ensure that no modifications to the application have occurred. What method of validation did the CIO implement?

Answer 23

Code signing verifies application code has not been modified by the use of digital signatures. The certificate provided with the signature identifies the author of the application and the code’s authenticity.

Question 24

Code obfuscation

Answer 24

is a measure in which the developer camouflages code to make it unreadable. This a secure coding practice.

Question 25

Dynamic analysis

Answer 25

inspects code as it is running for code quality and vulnerabilities. Fuzzing is a common technique used.

Question 26

Stress testing

Answer 26

attempts to simulate a production environment and focuses on the objective and threshold an application can handle while maintaining performance.

Question 27

static code analyzer

Answer 27

examines code quality and effectiveness without executing the code. An analyzer can be used in conjunction with development for continued code quality checks or once the code is in its finalization stages.

Question 28

Model verification

Answer 28

is the process of ensuring software meets its intended purpose and specifications.

Question 29

self-encrypting drive (SED)

Answer 29

includes both the hardware and software to encrypt data on a drive. Keys are securely stored within for decryption. SED requires credentials to be entered for decryption.

Question 30

Full disk encryption (FDE)

Answer 30

provides encryption for a whole disk and protects the confidentiality of the data.

Question 31

Electromagnetic interference (EMI)

Answer 31

are radio frequencies emitted by external sources, such as power lines that disturb signals. EMI can be avoided by the use of shielding.

Question 32

collector

Answer 32

A collector combines multiple sensors to collect internet traffic for processing by an Intrusion Detection Systems (IDS) and other systems. Depending on where the collector is placed determines the type of traffic analyzed.

Question 33

aggregation switch

Answer 33

can connect multiple subnets to reduce the number of active ports.

Question 34

Network Addressing Protocol (NAT)

Answer 34

translates public IP addresses to private and vice versa. By using the NAT protocol on the firewall, a company can hide assets from the public internet.

Question 35

Cloud engineers are considering network segmentation options that will provide the most security between services on the cloud platform. Which of the following would ensure this type of network security is within the cloud?

Answer 35

East-west traffic describes the network and platform configurations that support cloud and other Internet services where most traffic is actually between servers within the data center. Zero trust uses systems such as continuous authentication and conditional access to mitigate privilege escalation and account compromise. It can use micro-segmentation to apply security policies to single node like it was in its own zone.

Question 36

Bridge Protocol Data Unit (BPDU)

Answer 36

guard setting is applied to switches. This causes a portfast-configured port that receives a BPDU to become disabled.

Question 37

Gateway Load Balancing Protocol (GLBP)

Answer 37

is Cisco's proprietary service to providing a load-balanced service with a VIP. The infrastructure is Cisco-based, so this service will most likely be implemented.

Question 38

Common Address Redundancy Protocol (CARP)

Answer 38

is another commonly used network protocol that works in the same way as GLBP.

Question 39

Virtual IP (VIP)

Answer 39

Each server node has its own IP address, but externally a load-balanced service is advertising a Virtual IP (VIP) address. Clients go to an IP address or FQDN (fully qualified domain name) and will be routed accordingly between the servers in the cluster.

Question 40

agentless health

Answer 40

An agentless health or posture assessment supports a wide range of devices, such as smartphones and tablets, but less detailed information about the client is available.

Question 41

Reverse proxies

Answer 41

can publish specific applications from the corporate network to the Internet by listening for specific client requests. This will ensure other intranet services are not exposed.

Question 42

demilitarized zone (DMZ)

Answer 42

is a logical and/or physical separation of the intranet and Internet. This separation is not as granular as a proxy server for web applications.

Question 43

data loss prevention system (DLP)

Answer 43

uses algorithms to identify confidential information and prevent such information from leaving company systems.

Question 44

Sensors

Answer 44

gather information to determine if the data being passed is malicious or not. The Internet facing sensor will see all traffic and determine its Intent. The sensor behind the firewall will only see filtered traffic. The sensors send findings to the NIDS console.

Question 45

Spanning Tree Protocol (STP)

Answer 45

is principally designed to prevent broadcast storms. These storms occur when a bridged network contains a loop and broadcast traffic is amplified by the other switches. This can disrupt the network services.

Question 46

Dynamic Host Configuration Protocol (DHCP) snooping

Answer 46

is a network setting that inspects traffic on access ports to ensure that a host is not trying to spoof its MAC address.

Question 47

Systems administrators want to set up a way for remote administration from home. The solution should use available services like a web browser, rather than installing a virtual private network agent. Which option would best support these requirements?

Answer 47

Hypertext Markup Language 5 (HTML5) Virtual Private Network (VPN) uses modern web browsers to access and manage a desktop with relatively little lag. This is also known as a clientless remote desktop gateway.

Question 48

Layer 2 Tunneling Protocol (L2TP)

Answer 48

is used with IP Security (IPSec) to provide a VPN tunnel. This will require installing a VPN agent at the client.

Question 49

Users are reporting jittery video communication during routine video conferences. What can a system administrator implement to improve video quality and overall use of the network bandwidth?

Answer 49

Switches that support quality of service uses the 802.1p header to prioritize frames. This will improve video conferences and make efficient use of the overall network bandwidth.

Question 50

web application firewall (WAF)

Answer 50

is designed specifically to protect software running on web servers and their backend databases from code injection and DoS attacks.

Question 51

Internet Protocol Security (IPSec)

Answer 51

provides both confidentiality (by encrypting data packets) and integrity/anti-replay (by signing each packet). It does overhead to the data communication.

Question 52

Which of the following does NOT describe an application firewall?

Answer 52

A network-based firewall analyzes packets at the layer 2 or data link layer of the OSI (Open Systems Interconnection) model. An application firewall analyzes packets at layer 7 or the application layer.

Question 53

A company hosts its own web servers. These web servers provide multiple services that employees need while on the road. A recent security audit advised the company to find a more secure way to publish these web services to the Internet. Which of the following will accomplish this?

Answer 53

Reverse proxies can publish specific applications from the corporate network to the Internet by listening for specific client requests. This will ensure other intranet services are not exposed.

Question 54

Protected Extensible Authentication Protocol (PEAP)

Answer 54

creates an encrypted tunnel but only requires a server-side certificate. In this case, the user authentication method must use Microsoft Challenge-Handshake Authentication Protocol version 2 (MS-CHAPv2) or Generic Token Card (GTC).

Question 55

EAP with Flexible Authentication via Secure Tunneling (EAP-FAST)

Answer 55

is similar to PEAP but instead of using a certificate to set up the tunnel, it uses a Protected Access Credential (PAC), which is generated for each user from the authentication server's master key.

Question 56

Extensible Authentication Protocol-Transport Layer Security (EAP-TLS)

Answer 56

is the most widely supported protected tunnel authentication protocol using both supplicant and server certificates.

Question 57

EAP-Tunneled TLS (EAP-TTLS)

Answer 57

is similar to PEAP and can use any inner authentication protocol (PAP or CHAP, for instance).

Question 58

EAP-MD5

Answer 58

is a secure hash of a password sent to the authenticating server. By itself, this does not provide mutual authentication from the client to the supplicant.

Question 59

RADIUS federation

Answer 59

means multiple organizations allow access to each other's users by joining their RADIUS servers into a RADIUS hierarchy. This is not required in this case and does not help the mitigation.

Question 60

controller

Answer 60

Enterprise wireless solutions implement wireless controllers for centralized management and monitoring. A controller can be a hardware appliance or a software application run on a server.

Question 61

Remote Authentication Dial-In User Service (RADIUS)

Answer 61

provides authentication, authorization, and accounting services for wireless clients. Users can use their personal accounts to gain wireless network access.

Question 62

Institute of Electrical and Electronics Engineers (IEEE) 802.1x includes which of the following wireless security standards?

Answer 62

802.1X defines the use of EAP over Wireless (EAPoW) to allow an access point to forward authentication data without allowing any other type of network access. 802.1x is configured by selecting the Wi-Fi Protected Access (WPA) setting for WPA2-Enterprise or WPA3-Enterprise as the security method on the access depending on the wireless router model type.

Question 63

A company would like to deploy a software service to monitor traffic and enforce security policies in their cloud environment. What tool should the company consider using?

Answer 63

A Cloud Access Security Broker (CASB) is a part of security as a service that monitors network traffic between a company's network and cloud provider, enforcing security policies.

Question 64

A cloud storage policy includes permission statements written in JavaScript Object Notation (JSON) strings. The action and principal fields both have an asterisk (*) or wildcard value to them. How does this policy affect the security of the cloud storage resource?

Answer 64

Cloud resource policies configure read and write access to resources. Using a wildcard that allows all users to read/write, in this case, breaks the principle of least privilege and opens it up to a high risk of exploitation.

Question 65

Which of the following provides both data loss prevention (DLP) and cloud access security broker (CASB) for client access to websites and cloud applications?

Answer 65

A next-generation secure web gateway (NSWG) includes the features of a standard SWG, as well as data loss prevention (DLP) and a cloud access security broker (CASB), to provide a wholly cloud-hosted platform for client access to websites and cloud apps.

Question 66

virtual private cloud (VPC) endpoint

Answer 66

is a publishing service that allows instances to access other instances in other VPCs, using the AWS internal network and private IP addresses.

Question 67

Cloud services are highly vulnerable to remote access. Many automated services will communicate with the cloud platform using application programing interfaces (APIs), which are at risk to external take over and other remote attacks. As a cloud administrator, enforce strong policies to mitigate these risks.

Answer 67

Assigning secret keys is a part of proper cloud secrets management techniques. Assigning secret keys to service accounts for use with programmatic access is ideal when working with application programming interfaces (APIs). A third-party password manager can store account secrets keys, along with their regular account credentials so they are safe and rotated (or changed) on a regular basis.

Question 68

Which of the following makes it possible for cloud service providers (CSP) to create a virtual instance and container simultaneously?

Answer 68

Dynamic resource allocation is the on-demand service capabilities that cloud service providers can provide. CSPs can create a virtual instance or container with X amount of resources any time.

Question 69

A cloud administrator wants to directly connect a cloud server instance with another cloud server instance and privately on Amazon Web Services (AWS). How can this be configured without going through an Internet gateway?

Answer 69

A virtual private cloud (VPC) endpoint is a means of publishing a service that is accessible by instances in other VPCs using the AWS internal network and private IP addresses. An interface endpoint makes use of AWS's PrivateLink feature to allow private access.

Question 70

The root account of a Linux server can be described as which of the following types of accounts while running on a production environment?

Answer 70

A shared account is usually a privileged account that is shared for access to production servers or services. A Linux root account can be stored in a vault and shared by other admins if no other means of access to the server is possible.

Question 71

Discretionary Access Control (DAC)

Answer 71

Assigning permissions to users based on the owner's consent involves Discretionary Access Control (DAC) since the owner enforces the rule, rather than the system.

Question 72

Role-based access control (RBAC)

Answer 72

is non-discretionary and assigns users permissions based on roles or groups to which they belong. The system, not the owner, controls RBAC permissions.

Question 73

Mandatory access control (MAC)

Answer 73

is a non-discretionary access control measure based on security clearances. Each object has a security clearance level label, which a user must have a "need to know" to access.

Question 74

Attribute-based access control (ABAC)

Answer 74

is the most fine-grained, non-discretionary method of access control. The system allocates permission, rather than the content creator or owner.

Question 75

Several businesses operating on a federated network allow access to each other's resources through enterprise connections. How are authorization tokens secured when this type of federated network employs Security Association Markup Language (SAML)?

Answer 75

Security Association Markup Language (SAML) authorizations or tokens are written and signed with the eXtensible Markup Language (XML) signature specification; this digital signature allows the service provider to trust the identity provider.

Question 76

OpenID and OpenID Connect (OIDC)

Answer 76

are examples of user-centric identity management protocols, whereas SAML implementations are controlled by the system, or enterprise controlled. These use JavaScript Object Notation (JSON) and JSON Web Tokens (JWT) rather than eXtensible Markup Language (XML).

Question 77

How does Kerberos protect against an On-path attack?

Answer 77

Mutual authentication assures that the client and the server are authenticated to one another, and an attacker cannot intercept the communications exchanged between the two.

Question 78

Which authentication protocol provides efficient authorization methods and encrypted data packets when managing network routers?

Answer 78

Terminal Access Controller Access-Control System Plus (TACACS+) is specifically designed for network administration of routers. TACACS+ data packets are encrypted and make it easier for network admins to work with multiple routers simultaneously.

Question 79

Password Authentication Protocol (PAP)

Answer 79

is an unsophisticated authentication method used as the basic authentication mechanism in HTTP. It relies on clear-text password exchange.

Question 80

802.1X

Answer 80

Port-based Network Access Control (NAC) protocol provides the means of using an Extensible Authentication Protocol (EAP) method when a device connects to a switch port, wireless access point, or VPN gateway.

Question 81

How does forcing a system application to run in sandbox mode overcome the weakness of Discretionary Access Control (DAC)?

Answer 81

Sandbox mode is an example of a rule-based access control measure, designed to protect computer and network systems founded on discretionary access from misconfigurations that can result from DAC. Running in "sandbox" mode prevents malicious scripts on a website from circumventing the security system by using the privileges of a logged-on user. The key is to restrict access based on a rule for privileges, rather than allocating permissions based on the user's identity.

Question 82

A system admin received a support ticket regarding a website error. Browsing to company.com in Internet Explorer, the site looks safe and trusted. However browsing to payment.company.com, the website is no longer trusted. Knowing a wildcard certificate was installed, how would the admin resolve this error?

Answer 82

Subject Alternative Name (SAN) is an extension field on a web server certificate using multiple subdomain labels to support the identification of the server.

Question 83

Which certificate format allows the transfer of private keys and is password protected?

Answer 83

A PFX, .pfx, or .p12 extension allows the export of a certificate along with its private key and is password protected. This is used to archive or transport a private key.

Question 84

P7B

Answer 84

A P7B, or .p7b extension bundles multiple certificates into a single file. It is often used to deliver a chain of certificates that must be trusted by the processing host. It does not contain a private key.

Question 85

CER

Answer 85

A CER, or .cer, extension is an certificate that can contain either binary Distinguished Encoding Rules (DER) or ASCII PEM data.

Question 86

Distinguished Encoding Rules (DER)

Answer 86

All certificates use an encoding scheme called Distinguished Encoding Rules (DER) to create a binary representation of the information in the certificate.

Question 87

A company with multiple types of archived encrypted data is looking to archive the keys needed to decrypt the data. However, the company wants to separate the two in order to heavily guard these keys. Analyze the scenario to determine the most likely key placement.

Answer 87

Key escrow refers to the archiving of a key (or keys) with a third party. This is a useful solution for organizations that do not have the capability to store keys securely but are able to fully trust the third party.

Question 88

A company has two web servers using a load-balance configuration. Users report having periodic trust errors connecting to the website. Both servers are using server-only certificates. Which of the following actions would most likely resolve the issue?

Answer 88

The certification path, also known as "certificate chaining" or a "chain of trust," is a verifiable path of the leaf certificate to the root Certificate Authority (CA). Both web certificates must show the same path.

Question 89

A Public Key Infrastructure (PKI) can produce many types of certificates with private/public key pairs. In contrast to a self-signed certificate, how does a wildcard certificate benefit an organization?

Answer 89

A wildcard certificate is issued to the parent domain and will be accepted as valid for all subdomains because all are listed in one. These will reduce work to produce individual certificates for each.

Question 90

In a Public Key Infrastructure (PKI), which option best describes how users and multiple Certificate Authorities (CA) share information and exchange certificates?

Answer 90

The trust model is a concept of the Public Key Infrastructure (PKI) to show how users and different Certificate Authorities (CA) can trust one another. This is detailed in a certificate's certification path leading back to the root CA.

Question 91

Many certificates are used to verify identity. Which type of certificate could be issued to network appliances?

Answer 91

Regardless of function, it may be necessary to issue certificates to machines such as servers, PCs, smartphones, and tablets. Machine certificates may be issued to network appliances, such as routers, switches, and firewalls.

Question 92

Extended Validation (EV)

Answer 92

is a process requiring more rigorous checks on the subject's legal identity and control over the domain or software being signed.

Question 93

registration authority

Answer 93

is a server assigned the task of completing an identity check and submitting Certificate Signing Requests (CSRs) on behalf of end users. However, registration authorities do not sign or issue certificates.

Question 94

Certificate registration

Answer 94

is commonly initiated with a Certificate Signing Request (CSR). This is a common process for internal and public CAs, but a Certificate Signing Request (CSR) was not mentioned in this case.

Question 95

A company developed new software and would like the software to be validated. Which certificate should the company request?

Answer 95

code signing certificate is issued to a software publisher, following an identity check and validation process by the CA. The publisher then signs the executables or DLLs that make up the program to guarantee the validity of a software application or browser plug-in

Question 96

Subject Alternative Name (SAN)

Answer 96

is an extension field on a web server certificate and supports the identification of the server by multiple subdomain labels.

Question 97

An independent penetration company is invited to test the company's new banking application in development for Android phones. It uses Secure Sockets Layer/Transport Layer Security (SSL/TLS) certificates. Penetrations tests reveal the connections with clients were vulnerable to an On-path attack. How can the company prevent this from happening in the public Internet?

Answer 97

Pinning refers to several techniques to ensure it is inspecting the proper certificate when a client inspects the certificate presented by a server or a code-signed application. An example of this is submitting multiple public keys to an HTTP browser.

Question 98

There are various formats for encoding a certificate as a digital file for exchange between different systems. One difference is storing both public and private keys versus only storing a public key. Which of the following stores both public and private keys?

Answer 98

The Public Key Cryptography Standards (PKCS) #12 or .P12 format allows the export of the private key with the certificate. This would be used either to transfer a private key to a host that could not generate its own keys, or to back up/archive a private key. The .PFX extension uses the same binay format as .P12 and is commonly used in Windows. MacOS and iOS commonly use the .P12 extension.

Question 99

A security engineer must install a X.509 certificate to a computer system, but it is not accepted. The system requires a Base64 encoded format. What must the security engineer execute to properly install this certificate?

Answer 99

A DER-encoded binary file can be represented as ASCII characters using Base64 Privacy-enhanced Electronic Mail (PEM) encoding. PEM files support other extensions like .key, .cer, and .cert.

Question 100

A company wants to ensure users can validate the website's certificate and establish a secure connection to mitigate Man-in-the-Middle (MitM) attacks on their public website. If a hacker compromises a certificate, which of the following will most likely circumvent the attack?

Answer 100

HTTP Public Key Pinning (HPKP) is a method of trusting digital certificates to bypass the CA hierarchy and chain of trust and minimize MitM attacks. The client stores a public key that belongs (or is pinned) to a web server. If visiting again and the key does not exist in the certificate chain, a warning is presented.