Domain 3 Flashcards

1
Q

Secure Shell (SSH)

A

is the principal means of obtaining secure remote access to a UNIX or Linux server. The main uses of SSH are for remote administration and Secure File Transfer (SFTP).

2
Q

atomic clock

A

Top level Network Time Protocol (NTP) servers (stratum 1) obtain the Coordinated Universal Time (UTC) from a highly accurate clock source

3
Q

A web server will utilize a directory protocol to enable users to authenticate with domain credentials. A certificate will be issued to the server to set up a secure tunnel. Which protocol is ideal for this situation?

A

Lightweight Directory Access Protocol Secure (LDAPS) uses port 636 to set up a secure channel to a directory service using a digital certificate.

4
Q

Secure Multipart Internet Message Extensions (S/MIME)

A

is used to sign and encrypt mail messages using an email certificate.

5
Q

Encapsulation Security Payload (ESP)

A

provides confidentiality and/or authentication and integrity. ESP is used with Internet Protocol Security (IPSec) over layer 3 of the Open Systems Interconnection (OSI) model.

6
Q

A network engineer is securing communication between two applications on a private network. The applications will communicate using Internet protocol security (IPSec). Recommend the settings that will provide IP header integrity and encrypted data payload.

A

The Authentication Header (AH) protocol performs a cryptographic hash on the whole packet, including the IP header, plus a shared secret key (known only to the communicating hosts) and adds this HMAC in its header as an Integrity Check Value (ICV).
The Encapsulation Security Payload (ESP) protocol provides confidentiality and/or authentication and integrity. It encrypts the data payload.
Transport mode secures communications between hosts on a private network (an end-to-end implementation). AH and ESP running in transport mode provide confidentiality, integrity, and authentication for internal secure communication.

7
Q

Simple Network Management Protocol (SNMP) v3

A

supports encryption and strong user-based authentication. Instead of community names, the agent is configured with a list of usernames and access permissions.

8
Q

SNMPv1

A

uses community names that are sent in plaintext and should not be transmitted over the network if there is any risk they could be intercepted.

9
Q

SNMPv2c

A

also uses community names that are sent in plaintext and should not be transmitted over the network, if there is any risk they could be intercepted. Like SNMPv1, this protocol does not support strong user-based authentication.

10
Q

Management Information Base (MIB)

A

is the database that the SNMP agent uses. The agent is a process that runs on a switch, router, server, or SNMP compatible network device.

11
Q

Secure Post Office Protocol v3 (POP3)

A

is a mailbox protocol designed to allow mail to be stored on a server and downloaded to the recipient’s email client at their convenience.

12
Q

Secure Internet Message Access Protocol v4 (IMAP4)

A

is designed for dial-up access. The client contacts the server to download its messages, then disconnects. IMAP supports permanent connections to a server and connecting multiple clients to the same mailbox simultaneously. Messages are stored and organized on the server.

13
Q

Transport Layer Security (TLS) 1.2

A

added support for the strong Secure Hash Algorithm (SHA)-256 cipher. That is the primary difference between TLS 1.1 and TLS 1.2.

14
Q

Secure Sockets Layer (SSL) 3.0

A

is less secure than any of the TLS versions and does not support the SHA-256 cipher.

15
Q

Consider the principles of web server hardening and determine which actions a system administrator should take when deploying a new server.

A

Most web servers must allow access to guests. The guest account must be secured so that it cannot be used to modify any data on the server.
A secure means of uploading files and configuration changes needs to be used, such as Secure Shell (SSH).
Web servers should be deployed using configuration templates where possible. This will assist the administrator with hardening the system.

16
Q

Unified Communications (UC)

A

The project managers are utilizing Unified Communications (UC). These solutions are messaging applications that combine multiple communications channels and technologies into a single platform. These communications channels can include voice, messaging, interactive whiteboards, data sharing, email, and social media.

17
Q

A system administrator completes a file transfer by negotiating a tunnel before the exchange of any commands. Evaluate the file transfer protocols to conclude which protocol the admin used.

A

File Transfer Protocol over SSL (FTPS) implicitly negotiates a Secure Sockets Layer/Transport Layer Security (SSL/TLS) tunnel before the exchange of any File Transfer Protocol (FTP) commands. This mode uses the secure port 990 for the control connection.
Explicit FTP over SSL (FTPES) uses the AUTH TLS command to upgrade an unsecure connection established over port 21 to a secure one. This negotiates an SSL/TLS tunnel explicitly and is preferred over FTPS.

18
Q

tunnel mode

A

is used by IPsec to provide encrypted communication by encrypting the entire network packet. This method is used mostly in unsecured networks.

19
Q

Which of the following would secure an endpoint and provide attestation signed by a trusted platform module (TPM)?

A

A trusted, or measured, boot process uses the trusted platform module (TPM) at each stage in the boot process to check hashes of key system state data, and then uses an attestation process to verify that the system has not been tampered with.

20
Q

endpoint detection and response (EDR)

A

product provides real-time and historical visibility into the compromise, contains the malware, and facilitates remediation of the host to its original state.

21
Q

Host intrusion prevention systems (HIPS)

A

provide threat detection and prevent those threats based on signature values, heuristic behaviors, and security policies.

22
Q

An organization deployed a new internal Line of Business (LOB) application that contains custom code. As part of a risk assessment, it requires testing the application for threat vulnerabilities. Considering the available testing approaches, which implementation would satisfy assessment requirements?

A

Fuzzing is a dynamic analysis technique that checks code as it is running. When using fuzzing, the system is attacked with random data to check for code vulnerabilities.

23
Q

Employees have the ability to download certain applications onto their workstations to complete work functions. The CIO installed a reliable method to ensure that no modifications to the application have occurred. What method of validation did the CIO implement?

A

Code signing verifies application code has not been modified by the use of digital signatures. The certificate provided with the signature identifies the author of the application and the code’s authenticity.

24
Q

Code obfuscation

A

is a measure in which the developer camouflages code to make it unreadable. This is a secure coding practice.

25
Q

Dynamic analysis

A

inspects code as it is running for code quality and vulnerabilities. Fuzzing is a common technique used.

26
Q

Stress testing

A

attempts to simulate a production environment and focuses on the objective and threshold an application can handle while maintaining performance.

27
Q

static code analyzer

A

examines code quality and effectiveness without executing the code. An analyzer can be used in conjunction with development for continued code quality checks or once the code is in its finalization stages.

28
Q

Model verification

A

is the process of ensuring software meets its intended purpose and specifications.

29
Q

self-encrypting drive (SED)

A

includes both the hardware and software to encrypt data on a drive. Keys are securely stored within for decryption. SED requires credentials to be entered for decryption.

30
Q

Full disk encryption (FDE)

A

provides encryption for a whole disk and protects the confidentiality of the data.

31
Q

Electromagnetic interference (EMI)

A

consists of radio frequencies emitted by external sources, such as power lines, that disturb signals. EMI can be avoided by the use of shielding.

32
Q

collector

A

A collector combines multiple sensors to collect internet traffic for processing by an Intrusion Detection System (IDS) and other systems. Where the collector is placed determines the type of traffic analyzed.

33
Q

aggregation switch

A

can connect multiple subnets to reduce the number of active ports.

34
Q

Network Addressing Protocol (NAT)

A

translates public IP addresses to private and vice versa. By using the NAT protocol on the firewall, a company can hide assets from the public internet.

35
Q

Cloud engineers are considering network segmentation options that will provide the most security between services on the cloud platform. Which of the following would ensure this type of network security is within the cloud?

A

East-west traffic describes the network and platform configurations that support cloud and other Internet services where most traffic is actually between servers within the data center.
Zero trust uses systems such as continuous authentication and conditional access to mitigate privilege escalation and account compromise. It can use micro-segmentation to apply security policies to a single node as if it were in its own zone.

36
Q

Bridge Protocol Data Unit (BPDU)

A

guard setting is applied to switches. This causes a portfast-configured port that receives a BPDU to become disabled.

37
Q

Gateway Load Balancing Protocol (GLBP)

A

is Cisco’s proprietary service for providing a load-balanced service with a VIP. The infrastructure is Cisco-based, so this service will most likely be implemented.

38
Q

Common Address Redundancy Protocol (CARP)

A

is another commonly used network protocol that works in the same way as GLBP.

39
Q

Virtual IP (VIP)

A

Each server node has its own IP address, but externally a load-balanced service is advertising a Virtual IP (VIP) address. Clients go to an IP address or FQDN (fully qualified domain name) and will be routed accordingly between the servers in the cluster.

40
Q

agentless health

A

An agentless health or posture assessment supports a wide range of devices, such as smartphones and tablets, but less detailed information about the client is available.

41
Q

Reverse proxies

A

can publish specific applications from the corporate network to the Internet by listening for specific client requests. This will ensure other intranet services are not exposed.

42
Q

demilitarized zone (DMZ)

A

is a logical and/or physical separation of the intranet and Internet. This separation is not as granular as a proxy server for web applications.

43
Q

data loss prevention system (DLP)

A

uses algorithms to identify confidential information and prevent such information from leaving company systems.

44
Q

Sensors

A

gather information to determine whether the data being passed is malicious or not. The Internet-facing sensor will see all traffic and determine its intent. The sensor behind the firewall will only see filtered traffic. The sensors send findings to the NIDS console.

45
Q

Spanning Tree Protocol (STP)

A

is principally designed to prevent broadcast storms. These storms occur when a bridged network contains a loop and broadcast traffic is amplified by the other switches. This can disrupt the network services.

46
Q

Dynamic Host Configuration Protocol (DHCP) snooping

A

is a network setting that inspects traffic on access ports to ensure that a host is not trying to spoof its MAC address.

47
Q

Systems administrators want to set up a way for remote administration from home. The solution should use available services like a web browser, rather than installing a virtual private network agent. Which option would best support these requirements?

A

Hypertext Markup Language 5 (HTML5) Virtual Private Network (VPN) uses modern web browsers to access and manage a desktop with relatively little lag. This is also known as a clientless remote desktop gateway.

48
Q

Layer 2 Tunneling Protocol (L2TP)

A

is used with IP Security (IPSec) to provide a VPN tunnel. This will require installing a VPN agent at the client.

49
Q

Users are reporting jittery video communication during routine video conferences. What can a system administrator implement to improve video quality and overall use of the network bandwidth?

A

Switches that support quality of service use the 802.1p header to prioritize frames. This will improve video conferences and make efficient use of the overall network bandwidth.

50
Q

web application firewall (WAF)

A

is designed specifically to protect software running on web servers and their backend databases from code injection and DoS attacks.

51
Q

Internet Protocol Security (IPSec)

A

provides both confidentiality (by encrypting data packets) and integrity/anti-replay (by signing each packet). It does add overhead to the data communication.

52
Q

Which of the following does NOT describe an application firewall?

A

A network-based firewall analyzes packets at the layer 2 or data link layer of the OSI (Open Systems Interconnection) model. An application firewall analyzes packets at layer 7 or the application layer.

53
Q

A company hosts its own web servers. These web servers provide multiple services that employees need while on the road. A recent security audit advised the company to find a more secure way to publish these web services to the Internet. Which of the following will accomplish this?

A

Reverse proxies can publish specific applications from the corporate network to the Internet by listening for specific client requests. This will ensure other intranet services are not exposed.

54
Q

Protected Extensible Authentication Protocol (PEAP)

A

creates an encrypted tunnel but only requires a server-side certificate. In this case, the user authentication method must use Microsoft Challenge-Handshake Authentication Protocol version 2 (MS-CHAPv2) or Generic Token Card (GTC).

55
Q

EAP with Flexible Authentication via Secure Tunneling (EAP-FAST)

A

is similar to PEAP but instead of using a certificate to set up the tunnel, it uses a Protected Access Credential (PAC), which is generated for each user from the authentication server’s master key.

56
Q

Extensible Authentication Protocol-Transport Layer Security (EAP-TLS)

A

is the most widely supported protected tunnel authentication protocol using both supplicant and server certificates.

57
Q

EAP-Tunneled TLS (EAP-TTLS)

A

is similar to PEAP and can use any inner authentication protocol (PAP or CHAP, for instance).

58
Q

EAP-MD5

A

is a secure hash of a password sent to the authenticating server. By itself, this does not provide mutual authentication from the client to the supplicant.

59
Q

RADIUS federation

A

means multiple organizations allow access to each other’s users by joining their RADIUS servers into a RADIUS hierarchy. This is not required in this case and does not help the mitigation.

60
Q

controller

A

Enterprise wireless solutions implement wireless controllers for centralized management and monitoring. A controller can be a hardware appliance or a software application run on a server.

61
Q

Remote Authentication Dial-In User Service (RADIUS)

A

provides authentication, authorization, and accounting services for wireless clients. Users can use their personal accounts to gain wireless network access.

62
Q

Institute of Electrical and Electronics Engineers (IEEE) 802.1x includes which of the following wireless security standards?

A

802.1X defines the use of EAP over Wireless (EAPoW) to allow an access point to forward authentication data without allowing any other type of network access.
802.1x is configured by selecting the Wi-Fi Protected Access (WPA) setting for WPA2-Enterprise or WPA3-Enterprise as the security method on the access point, depending on the wireless router model type.

63
Q

A company would like to deploy a software service to monitor traffic and enforce security policies in their cloud environment. What tool should the company consider using?

A

A Cloud Access Security Broker (CASB) is a part of security as a service that monitors network traffic between a company’s network and cloud provider, enforcing security policies.

64
Q

A cloud storage policy includes permission statements written in JavaScript Object Notation (JSON) strings. The action and principal fields both have an asterisk (*) or wildcard value to them. How does this policy affect the security of the cloud storage resource?

A

Cloud resource policies configure read and write access to resources. Using a wildcard that allows all users to read/write, in this case, breaks the principle of least privilege and opens it up to a high risk of exploitation.

65
Q

Which of the following provides both data loss prevention (DLP) and cloud access security broker (CASB) for client access to websites and cloud applications?

A

A next-generation secure web gateway (NSWG) includes the features of a standard SWG, as well as data loss prevention (DLP) and a cloud access security broker (CASB), to provide a wholly cloud-hosted platform for client access to websites and cloud apps.

66
Q

virtual private cloud (VPC) endpoint

A

is a publishing service that allows instances to access other instances in other VPCs, using the AWS internal network and private IP addresses.

67
Q

Cloud services are highly vulnerable to remote access. Many automated services will communicate with the cloud platform using application programming interfaces (APIs), which are at risk of external takeover and other remote attacks. As a cloud administrator, enforce strong policies to mitigate these risks.

A

Assigning secret keys is a part of proper cloud secrets management techniques. Assigning secret keys to service accounts for use with programmatic access is ideal when working with application programming interfaces (APIs).
A third-party password manager can store account secret keys, along with their regular account credentials, so they are safe and rotated (or changed) on a regular basis.

68
Q

Which of the following makes it possible for cloud service providers (CSP) to create a virtual instance and container simultaneously?

A

Dynamic resource allocation describes the on-demand service capabilities that cloud service providers can provide. CSPs can create a virtual instance or container with X amount of resources at any time.

69
Q

A cloud administrator wants to directly and privately connect a cloud server instance with another cloud server instance on Amazon Web Services (AWS). How can this be configured without going through an Internet gateway?

A

A virtual private cloud (VPC) endpoint is a means of publishing a service that is accessible by instances in other VPCs using the AWS internal network and private IP addresses. An interface endpoint makes use of AWS’s PrivateLink feature to allow private access.

70
Q

The root account of a Linux server can be described as which of the following types of accounts while running on a production environment?

A

A shared account is usually a privileged account that is shared for access to production servers or services. A Linux root account can be stored in a vault and shared by other admins if no other means of access to the server is possible.

71
Q

Discretionary Access Control (DAC)

A

Assigning permissions to users based on the owner’s consent involves Discretionary Access Control (DAC) since the owner enforces the rule, rather than the system.

72
Q

Role-based access control (RBAC)

A

is non-discretionary and assigns users permissions based on roles or groups to which they belong. The system, not the owner, controls RBAC permissions.

73
Q

Mandatory access control (MAC)

A

is a non-discretionary access control measure based on security clearances. Each object has a security clearance level label, which a user must have a “need to know” to access.

74
Q

Attribute-based access control (ABAC)

A

is the most fine-grained, non-discretionary method of access control. The system allocates permission, rather than the content creator or owner.

75
Q

Several businesses operating on a federated network allow access to each other’s resources through enterprise connections. How are authorization tokens secured when this type of federated network employs Security Association Markup Language (SAML)?

A

Security Association Markup Language (SAML) authorizations or tokens are written and signed with the eXtensible Markup Language (XML) signature specification; this digital signature allows the service provider to trust the identity provider.

76
Q

OpenID and OpenID Connect (OIDC)

A

are examples of user-centric identity management protocols, whereas SAML implementations are controlled by the system, or enterprise controlled. These use JavaScript Object Notation (JSON) and JSON Web Tokens (JWT) rather than eXtensible Markup Language (XML).

77
Q

How does Kerberos protect against an On-path attack?

A

Mutual authentication assures that the client and the server are authenticated to one another, and an attacker cannot intercept the communications exchanged between the two.

78
Q

Which authentication protocol provides efficient authorization methods and encrypted data packets when managing network routers?

A

Terminal Access Controller Access-Control System Plus (TACACS+) is specifically designed for network administration of routers. TACACS+ data packets are encrypted and make it easier for network admins to work with multiple routers simultaneously.

79
Q

Password Authentication Protocol (PAP)

A

is an unsophisticated authentication method used as the basic authentication mechanism in HTTP. It relies on clear-text password exchange.

80
Q

802.1X

A

Port-based Network Access Control (NAC) protocol provides the means of using an Extensible Authentication Protocol (EAP) method when a device connects to a switch port, wireless access point, or VPN gateway.

81
Q

How does forcing a system application to run in sandbox mode overcome the weakness of Discretionary Access Control (DAC)?

A

Sandbox mode is an example of a rule-based access control measure, designed to protect computer and network systems founded on discretionary access from misconfigurations that can result from DAC. Running in “sandbox” mode prevents malicious scripts on a website from circumventing the security system by using the privileges of a logged-on user. The key is to restrict access based on a rule for privileges, rather than allocating permissions based on the user’s identity.

82
Q

A system admin received a support ticket regarding a website error. Browsing to company.com in Internet Explorer, the site looks safe and trusted. However, browsing to payment.company.com, the website is no longer trusted. Knowing a wildcard certificate was installed, how would the admin resolve this error?

A

Subject Alternative Name (SAN) is an extension field on a web server certificate using multiple subdomain labels to support the identification of the server.

83
Q

Which certificate format allows the transfer of private keys and is password protected?

A

A PFX, .pfx, or .p12 extension allows the export of a certificate along with its private key and is password protected. This is used to archive or transport a private key.

84
Q

P7B

A

A P7B, or .p7b extension bundles multiple certificates into a single file. It is often used to deliver a chain of certificates that must be trusted by the processing host. It does not contain a private key.

85
Q

CER

A

A CER, or .cer, extension is a certificate that can contain either binary Distinguished Encoding Rules (DER) or ASCII PEM data.

86
Q

Distinguished Encoding Rules (DER)

A

All certificates use an encoding scheme called Distinguished Encoding Rules (DER) to create a binary representation of the information in the certificate.

87
Q

A company with multiple types of archived encrypted data is looking to archive the keys needed to decrypt the data. However, the company wants to separate the two in order to heavily guard these keys. Analyze the scenario to determine the most likely key placement.

A

Key escrow refers to the archiving of a key (or keys) with a third party. This is a useful solution for organizations that do not have the capability to store keys securely but are able to fully trust the third party.

88
Q

A company has two web servers using a load-balance configuration. Users report having periodic trust errors connecting to the website. Both servers are using server-only certificates. Which of the following actions would most likely resolve the issue?

A

The certification path, also known as “certificate chaining” or a “chain of trust,” is a verifiable path of the leaf certificate to the root Certificate Authority (CA). Both web certificates must show the same path.

89
Q

A Public Key Infrastructure (PKI) can produce many types of certificates with private/public key pairs. In contrast to a self-signed certificate, how does a wildcard certificate benefit an organization?

A

A wildcard certificate is issued to the parent domain and will be accepted as valid for all subdomains because all are listed in one. These will reduce work to produce individual certificates for each.

90
Q

In a Public Key Infrastructure (PKI), which option best describes how users and multiple Certificate Authorities (CA) share information and exchange certificates?

A

The trust model is a concept of the Public Key Infrastructure (PKI) to show how users and different Certificate Authorities (CA) can trust one another. This is detailed in a certificate’s certification path leading back to the root CA.

91
Q

Many certificates are used to verify identity. Which type of certificate could be issued to network appliances?

A

Regardless of function, it may be necessary to issue certificates to machines such as servers, PCs, smartphones, and tablets. Machine certificates may be issued to network appliances, such as routers, switches, and firewalls.

92
Q

Extended Validation (EV)

A

is a process requiring more rigorous checks on the subject’s legal identity and control over the domain or software being signed.

93
Q

registration authority

A

is a server assigned the task of completing an identity check and submitting Certificate Signing Requests (CSRs) on behalf of end users. However, registration authorities do not sign or issue certificates.

94
Q

Certificate registration

A

is commonly initiated with a Certificate Signing Request (CSR). This is a common process for internal and public CAs, but a Certificate Signing Request (CSR) was not mentioned in this case.

95
Q

A company developed new software and would like the software to be validated. Which certificate should the company request?

A

A code signing certificate is issued to a software publisher, following an identity check and validation process by the CA. The publisher then signs the executables or DLLs that make up the program to guarantee the validity of a software application or browser plug-in.

96
Q

Subject Alternative Name (SAN)

A

is an extension field on a web server certificate and supports the identification of the server by multiple subdomain labels.

97
Q

An independent penetration company is invited to test the company’s new banking application in development for Android phones. It uses Secure Sockets Layer/Transport Layer Security (SSL/TLS) certificates. Penetrations tests reveal the connections with clients were vulnerable to an On-path attack. How can the company prevent this from happening in the public Internet?

A

Pinning refers to several techniques that ensure a client is inspecting the proper certificate when it inspects the certificate presented by a server or a code-signed application. An example of this is submitting multiple public keys to an HTTP browser.

98
Q

There are various formats for encoding a certificate as a digital file for exchange between different systems. One difference is storing both public and private keys versus only storing a public key. Which of the following stores both public and private keys?

A

The Public Key Cryptography Standards (PKCS) #12 or .P12 format allows the export of the private key with the certificate. This would be used either to transfer a private key to a host that could not generate its own keys, or to back up/archive a private key.
The .PFX extension uses the same binary format as .P12 and is commonly used in Windows. MacOS and iOS commonly use the .P12 extension.

99
Q

A security engineer must install a X.509 certificate to a computer system, but it is not accepted. The system requires a Base64 encoded format. What must the security engineer execute to properly install this certificate?

A

A DER-encoded binary file can be represented as ASCII characters using Base64 Privacy-enhanced Electronic Mail (PEM) encoding. PEM files support other extensions like .key, .cer, and .cert.

100
Q

A company wants to ensure users can validate the website’s certificate and establish a secure connection to mitigate Man-in-the-Middle (MitM) attacks on their public website. If a hacker compromises a certificate, which of the following will most likely circumvent the attack?

A

HTTP Public Key Pinning (HPKP) is a method of trusting digital certificates to bypass the CA hierarchy and chain of trust and minimize MitM attacks. The client stores a public key that belongs (or is pinned) to a web server. If visiting again and the key does not exist in the certificate chain, a warning is presented.