Domain 4: Communication and Network Security Flashcards

1
Q

What important factor differentiates frame relay from X.25?

A) Frame relay supports multiple PVCs over a single WAN carrier connection.
B) Frame relay is a cell-switching technology.
C) Frame relay does not provide a committed information rate (CIR).
D) Frame relay only requires a DTE on the provider side.

A

A) Frame Relay supports multiple private virtual circuits (PVCs), unlike X.25. It is a packet-switching technology that provides a Committed Information Rate, which is a minimum bandwidth guarantee provided by the service provider to customers. Finally, Frame Relay requires a DTE/DCE at each connection point, with the DTE providing access to the Frame Relay network and a provider-supplied DCE transmitting data over the network.

2
Q

Gary is deploying a wireless network and wants to deploy the fastest possible wireless technology. Due to technical constraints, he is limited to using a 2.4 GHz option. Which one of the following wireless networking standards should he use?

A) 802.11a
B) 802.11g
C) 802.11n
D) 802.11ac

A

C) He should choose 802.11n, which supports 200+ Mbps in the 2.4 GHz or the 5 GHz frequency range. 802.11a and 802.11ac are both 5 GHz only, while 802.11g is only capable of 54 Mbps.

3
Q

Match the numbered TCP ports listed with the associated lettered protocol provided:

A) 23
B) 25
C) 143
D) 515

1) SMTP
2) LPD
3) IMAP
4) Telnet

A

23 - Telnet
25 - SMTP
143 - IMAP
515 - LPD

These common ports are important to know, although some of the protocols are becoming less common. SMTP is the Simple Mail Transfer Protocol, IMAP is the Internet Message Access Protocol, and LPD is the Line Printer Daemon protocol used to send print jobs to printers.

4
Q

Scott is configuring an IDS to monitor for unencrypted FTP traffic. What ports should Scott use in his configuration?

A) TCP 20 and 21
B) TCP 21 only
C) UDP port 69
D) TCP port 21 and UDP port 21

A

The File Transfer Protocol (FTP) operates on TCP ports 20 and 21. UDP port 69 is used for the Trivial File Transfer Protocol, or TFTP, while UDP port 21 is not used for any common file transfer protocol.

5
Q

Scott is selecting an authentication protocol for a PPP connection. He would like to select an option that encrypts both usernames and passwords and protects against replay using a challenge/response dialog. He would also like to reauthenticate remote systems periodically. Which protocol should he use?

A) PAP
B) CHAP
C) EAP
D) LEAP

A

B) The Challenge-Handshake Authentication Protocol (CHAP) is used by PPP servers to authenticate remote clients. It encrypts both the username and password and performs periodic reauthentication while connected, using techniques to prevent replay attacks. LEAP provides reauthentication but was designed for WEP, while PAP sends passwords unencrypted. EAP is extensible and was used for PPP connections, but it doesn’t directly address the listed items.

6
Q

Which one of the following protocols is commonly used to provide backend authentication services for VPN?

A) HTTPS
B) RADIUS
C) ESP
D) AH

A

B) The Remote Access Dial-In User Service (RADIUS) protocol was designed to support dial-up modem connections but is still commonly used for VPN-based authentication. HTTPS is not an authentication protocol. ESP and AH are IPsec protocols but do not provide authentication services for other systems.

7
Q

Which email security solution provides two major usage modes: (1) signed messages that provide integrity, sender authentication, and nonrepudiation; and (2) an enveloped message mode that provides integrity, sender authentication, and confidentiality?

A) S/MIME
B) MOSS
C) PEM
D) DKIM

A

A) S/MIME supports both signed messages and a secure envelope method. While the functionality of S/MIME can be replicated with other tools, the secure envelope is an S/MIME-specific concept. MOSS (MIME Object Security Services) and PEM can also both provide authentication, confidentiality, integrity, and nonrepudiation, while DKIM (DomainKeys Identified Mail) is a domain validation tool.

8
Q

During a security assessment, Scott discovers that the organization he is working with uses a multilayer protocol to handle SCADA systems and recently connected the SCADA network to the rest of the organization’s production network. What concern should he raise about serial data transfers carried via TCP/IP?

A) SCADA devices that are now connected to the network can now be attacked over the network.
B) Serial data over TCP/IP cannot be encrypted.
C) Serial data cannot be carried in TCP packets.
D) TCP/IP throughput can allow for easy denial of service attacks against serial devices.

A

A) Multilayer protocols like DNP3 allow SCADA and other systems to use TCP/IP-based networks to communicate. Many SCADA devices were never designed to be exposed to a network, and adding them to a potentially insecure network can create significant risks. TLS or other encryption can be used on TCP packets, meaning that even serial data can be encrypted when carried via TCP packets, because TCP packets don’t care about their content; it is simply another payload. Finally, TCP/IP does not have a specific throughput as designed, so issues with throughput are device-level issues.

9
Q

What type of key does WEP use to encrypt wireless communications?

A) An asymmetric key
B) Unique key sets for each host
C) A predefined shared static key
D) Unique asymmetric keys for each host

A

C) WEP has a very weak security model that relies on a single, predefined, shared static key. This means that modern attacks can break WEP encryption in less than a minute.

10
Q

What speed and frequency range is used by 802.11n?

A) 54 Mbps, 5 GHz
B) 200+ Mbps, 5 GHz
C) 200+ Mbps, 2.4 and 5 GHz
D) 1 Gbps, 5 GHz

A

C) 802.11n can operate at speeds over 200 Mbps, and it can operate on both the 2.4 and 5 GHz frequency ranges. 802.11g operates at 54 Mbps using the 2.4 GHz frequency range, and 802.11ac is capable of 1 Gbps using the 5 GHz range. 802.11a and b are both outdated and are unlikely to be encountered in modern network installations.

11
Q

Which of the following is a converged protocol that allows storage mounts over TCP, and which is frequently used as a lower-cost alternative to Fibre Channel?

A) MPLS
B) SDN
C) VoIP
D) iSCSI

A

D) iSCSI is a converged protocol that allows location-independent file services over traditional network technologies. It costs less than traditional Fibre Channel. VoIP is Voice over IP, SDN is software-defined networking, and MPLS is Multiprotocol Label Switching, a technology that uses path labels instead of network addresses.

12
Q

Sue modifies her MAC address to one that is allowed on a network that uses MAC filtering to provide security. What is the technique Sue used, and what nonsecurity issue could her action cause?

A) Broadcast domain exploit, address conflict
B) Spoofing, token loss
C) Spoofing, address conflict
D) Sham EUI creation, token loss

A

C) The process of using a fake MAC (Media Access Control) address is called spoofing, and spoofing a MAC address already in use on the network can lead to an address collision, preventing traffic from reaching one or both systems.

13
Q

Jim’s audit of a large organization’s traditional PBX showed that Direct Inward System Access (DISA) was being abused by third parties. What issue is most likely to lead to this problem?

A) The PBX was not fully patched.
B) The dial-in modem lines use unpublished numbers.
C) DISA is set up to only allow local calls.
D) One or more users’ access codes have been compromised.

A

D) Direct Inward System Access uses access codes assigned to users to add a control layer for external access and control of the PBX. If the codes are compromised, attackers can make calls through the PBX or even control it. Not updating a PBX can lead to a range of issues, but this question is looking for a DISA issue. Allowing only local calls and using unpublished numbers are both security controls and might help keep the PBX more secure.

14
Q

Lauren uses the ping utility to check whether a remote system is up as part of a penetration testing exercise. If she does not want to see her own ping packets, what protocol should she filter out from her packet sniffer’s log?

A) UDP
B) TCP
C) IP
D) ICMP

A

D) Ping uses ICMP, the Internet Control Message Protocol, to determine whether a system responds and how many hops there are between the originating system and the remote system. Lauren simply needs to filter out ICMP to not see her pings.

15
Q

Scott is building the network for a remote site that only has ISDN as an option for connectivity. What type of ISDN should he look for to get the maximum speed possible?

A) BRI
B) BPRI
C) PRI
D) D channel

A

C) PRI, or Primary Rate Interface, can use between 2 and 23 64 Kbps channels, with a maximum potential bandwidth of 1.544 Mbps. Actual speeds will be lower due to the D channel, which can’t be used for actual data transmission, but PRI beats BRI’s two B channels paired with a D channel for 144 Kbps of bandwidth.

16
Q

SPIT attacks target what technology?

A) Virtualization platforms
B) Web services
C) VoIP systems
D) Secure Process Internal Transfers

A

C) SPIT stands for Spam over Internet Telephony and targets VoIP systems.

17
Q

There are four common VPN protocols. Which group listed contains all of the common VPN protocols?

A) PPTP, LTP, L2TP, IPsec
B) PPP, L2TP, IPsec, VNC
C) PPTP, L2F, L2TP, IPsec
D) PPTP, L2TP, IPsec, SPAP

A

C) PPTP, L2F, L2TP, and IPsec are the most common VPN protocols. TLS is also used for an increasingly large percentage of VPN connections and may appear at some point in the CISSP exam. PPP is a dial-up protocol, LTP is not a protocol, and SPAP is the Shiva Password Authentication Protocol, sometimes used with PPTP.

18
Q

What network technology is best described as a token-passing network that uses a pair of rings with traffic flowing in opposite directions?

A) A ring topology
B) Token Ring
C) FDDI
D) SONET

A

C) FDDI, or Fiber Distributed Data Interface, is a token-passing network that uses a pair of rings with traffic flowing in opposite directions. It can bypass broken segments by dropping the broken point and using the second, unbroken ring to continue to function. Token Ring also uses tokens, but it does not use a dual loop. SONET is a protocol for sending multiple optical streams over fiber, and a ring topology is a design, not a technology.

19
Q

The Windows ipconfig command displays the following information:

BC-5F-F4-7B-4B-7D

What term describes this, and what information can be usually gathered from it?

A) The IP address, the network location of the system
B) The MAC address, the network interface card’s manufacturer
C) The MAC address, the media type in use
D) The IPv6 client ID, the network interface card’s manufacturer

A

B) MAC addresses are the hardware address the machine uses for layer 2 communications. The MAC addresses include an organizationally unique identifier (OUI), which identifies the manufacturer. MAC addresses can be changed, so this is not a guarantee of accuracy, but under normal circumstances you can tell what manufacturer made the device by using the MAC address.

20
Q

Scott has been asked to choose between implementing PEAP and LEAP for wireless authentication. What should he choose and why?

A) LEAP, because it fixes problems with TKIP, resulting in stronger security
B) PEAP, because it implements CCMP for security
C) LEAP, because it implements EAP-TLS for end-to-end session encryption
D) PEAP, because it can provide a TLS tunnel that encapsulates EAP methods, protecting the entire session

A

D) PEAP provides encryption for EAP methods and can provide authentication. It does not implement CCMP, which was included in the WPA2 standard. LEAP is dangerously insecure and should not be used due to attack tools that have been available since the early 2000s.

21
Q

Scott is troubleshooting a network and discovers that the NAT router he is connected to has the 192.168.xx subnet as its internal network and that its external IP is 192.168.1.40. What problem is he encountering?

A

C) Double NATting isn’t possible with the same IP range; the same IP addresses cannot appear inside and outside a NAT router. RFC 1918 addresses are reserved, but only so that they are not used and routable on the internet, and changing to PAT would not fix the issue.

22
Q
What type of server is running at IP address 10.1.0.26 (destination port 25, 465)?

A) Email
B) Web
C) FTP
D) Database

A

A) SMTP uses ports 25 and 465. The presence of an inbound rule allowing SMTP traffic indicates that this is an email server.

23
Q

Scott needs to design a firewall architecture that can support a DMZ, a database, and a private internal network in a secure manner that separates each function. What design should he use, and how many firewalls does he need?

A) A four-tier firewall design with two firewalls
B) A two-tier firewall design with three firewalls
C) A three-tier firewall design with at least one firewall
D) A single-tier firewall design with the firewalls

A

C) A three-tier design separates three distinct protected zones and can be accomplished with a single firewall that has multiple interfaces. Single- and two-tier designs don’t support the number of protected networks needed in this scenario, while a four-tier design would provide a tier that isn’t needed.

24
Q

Cable modems, ISDN, and DSL are all examples of what type of technology?

A) Baseband
B) Broadband
C) Digital
D) Broadcast

A

B) ISDN, cable modems, DSL, and T1 and T3 lines are all examples of broadband technology that can support multiple simultaneous signals. They are analog, not digital, and are not broadcast technologies.

25
Q

ICMP, RIP, and network address translation all occur at what layer of the OSI model?

A) Layer 1
B) Layer 2
C) Layer 3
D) Layer 4

A

C) ICMP, RIP, and network address translation all occur at layer 3, the network layer.

26
Q

The IDS that Scott is responsible for is used to monitor communications in the data center using a mirrored port on the data center switch. What traffic will Scott see once the majority of servers in the data center have been virtualized?

A) The same traffic he currently sees
B) All inter-VM traffic
C) Only traffic sent outside the VM environment
D) All inter-hypervisor traffic

A

C) One of the visibility risks of virtualization is that communication between servers and systems using virtual interfaces can occur “inside” the virtual environment. This means that visibility into traffic in the virtualization environment has to be purpose-built as part of its design. Option D is correct but incomplete because inter-hypervisor traffic isn’t the only traffic the IDS will see.

27
Q

The VM administrators recommend enabling cut and paste between virtual machines. What security concern should Ben raise about this practice?

A) It can cause a denial of service condition
B) It can serve as a covert channel
C) It can allow viruses to spread
D) It can bypass authentication controls

A

B) Cut and paste between virtual machines can bypass normal network-based DLP tools and monitoring tools like an IDS or IPS. Thus, it can act as a covert channel, allowing the transport of data between security zones. So far, cut and paste has not been used as a method for malware spread in virtual environments and has not been associated with DoS attacks. Cut and paste requires users to be logged in and does not bypass authentication requirements.

28
Q

Scott is concerned about exploits that allow VM escape. What option should Scott suggest to help limit the impact of the VM escape exploits?

A) Separate virtual machines onto separate physical hardware based on task or data types
B) Use VM escape detection tools on the underlying hypervisor
C) Restore machines to their original snapshots on a regular basis.
D) Use a utility like Tripwire to look for changes in the Virtual machines.

A

A) While VM escape has only been demonstrated in lab environments, the threat is best dealt with by limiting what access to the underlying hypervisor can provide to a successful attacker. Segmenting by data types or access levels can limit the potential impact of a hypervisor compromise. If attackers can access the underlying system, restricting the breach to only similar data types or systems will limit the impact. Escape detection tools are not available on the market, restoring machines to their original snapshots will not prevent the exploit from occurring again, and Tripwire detects file changes and is unlikely to catch exploits that escape the virtual machines themselves.

29
Q

When a host on an Ethernet network detects a collision and transmits a jam signal, what happens next?

A) The host that transmitted the jam signal is allowed to retransmit while all other hosts pause until that transmission is received.
B) All hosts stop transmitting, and each host waits a random period of time before attempting to transmit again.
C) All hosts stop transmitting, and each host waits a period of time based on how recently it successfully transmitted.
D) Hosts wait for the token to be passed and then resume transmitting data as they pass the token.

A

B) Ethernet networks use carrier-sense multiple access with collision detection (CSMA/CD) technology. When a collision is detected and a jam signal is sent, hosts wait a random period of time before attempting retransmission.

30
Q

What challenge is most common for endpoint security system deployments?

A) Compromises
B) The volume of data
C) Monitoring encrypted traffic on the network
D) Handling non-TCP protocols

A

B) Endpoint security solutions face challenges due to the sheer volume of data that they can create. When each workstation is generating data about an event, this can be a massive amount of data. Endpoint security solutions should reduce the number of compromises when properly implemented, and they can also help by monitoring traffic after it is decrypted on the local host. Finally, non-TCP protocols are relatively uncommon on modern networks, making this a relatively rare concern for endpoint security system implementations.

31
Q

What type of address is 127.0.0.1?

A) A public IP address
B) An RFC 1918 address
C) An APIPA address
D) A loopback address

A

D) The IP address 127.0.0.1 is a loopback address and will resolve to the local machine. Public addresses are non-RFC 1918, non-reserved addresses. RFC 1918 addresses are reserved and include ranges like 10.x.x.x. An APIPA address is a self-assigned address used when a DHCP server cannot be found.

32
Q

Susan is writing a best practices statement for organization users who need to use Bluetooth. She knows that there are many potential security issues with Bluetooth and wants to provide the best advice she can. Which of the following sets of guidance should Susan include?

A) Use Bluetooth’s built-in strong encryption, change the default PIN on your device, turn off discovery mode, and turn off Bluetooth when it’s not in active use.

B) Use Bluetooth only for those activities that are not confidential, change the default PIN on your device, turn off discovery mode, and turn off Bluetooth when it’s not in active use.

C) Use Bluetooth’s built-in strong encryption, use extended (8 digit or longer) Bluetooth PINs, turn off discovery mode, and turn off Bluetooth when it’s not in active use.

D) Use Bluetooth only for those activities that are not confidential, use extended (8 digit or longer) Bluetooth PINs, turn off discovery mode, and turn off Bluetooth when it’s not in active use.

A

B) Since Bluetooth does not provide strong encryption, it should only be used for activities that are not confidential. Bluetooth PINs are four-digit codes that often default to 0000. Turning Bluetooth off and ensuring that your devices are not in discovery mode can help prevent Bluetooth attacks.

33
Q

Steve has been tasked with implementing a network storage protocol over an IP network. What storage-centric converged protocol is he likely to use in his implementation?

A) MPLS
B) FCoE
C) SDN
D) VoIP

A

B) Fibre Channel over Ethernet allows Fibre Channel communications over Ethernet networks, allowing existing high-speed networks to be used to carry storage traffic. This avoids the cost of a custom cable plant for a Fibre Channel implementation. MPLS, or Multiprotocol Label Switching, is used for high-performance networking; VoIP is Voice over IP; and SDN is software-defined networking.

34
Q

A DoS attack that sends fragmented TCP packets is known as what kind of attack?

A) Christmas tree
B) Teardrop
C) Stack killer
D) Frag grenade

A

B) A teardrop attack uses fragmented packets to target a flaw in how the TCP stack on a system handles fragment reassembly. If the attack is successful, the TCP stack fails, resulting in denial of service. Christmas tree attacks set all of the possible TCP flags on a packet, thus “lighting it up like a Christmas tree.” Stack killer and frag grenade attacks are made-up answers.

35
Q

Phillip maintains a modem bank in support of several legacy services used by his organization. Which one of the following protocols is most appropriate for this purpose?

A) SLIP
B) SLAP
C) PPTP
D) PPP

A

D) The Point-to-Point Protocol (PPP) is used for dial-up connections for modems, ISDN, Frame Relay, and other technologies. It replaced SLIP in almost all cases. PPTP is the Point-to-Point Tunneling Protocol used for VPNs, and SLAP is not a protocol at all.

36
Q

Angela needs to choose between EAP, PEAP, and LEAP for secure authentication. Which authentication protocol should she choose and why?

A) EAP, because it provides strong encryption by default
B) LEAP, because it provides frequent reauthentication and changing of WEP keys.
C) PEAP, because it provides encryption and does not suffer from the same vulnerabilities that LEAP does
D) None of these options provide secure authentication, and an alternate solution should be chosen.

A

C) Of these answers, PEAP is the best solution. It encapsulates EAP in a TLS tunnel, providing strong encryption. LEAP is a Cisco proprietary protocol that was originally designed to help deal with the problems in WEP. LEAP’s protections have been defeated, making it a poor choice.

37
Q

What type of attack is most likely to occur after a successful ARP spoofing attempt?

A) DoS attack
B) Trojan
C) A replay attack
D) A man-in-the-middle attack

A

D) ARP spoofing is often done to replace a target’s cache entry for a destination IP, allowing the attacker to conduct a man-in-the-middle attack. A denial of service attack would be aimed at disrupting services rather than spoofing an ARP response, a replay attack will involve existing sessions, and a trojan is malware that is disguised in a way that makes it look harmless.

38
Q

What speed is category 3 UTP cable rated for?

A) 5 Mbps
B) 10 Mbps
C) 100 Mbps
D) 1000 Mbps

A

Category 3 UTP cable is primarily used for phone cables and was also used for early Ethernet networks, where it provided 10 Mbps of throughput. Cat 5 cable provides 100 Mbps (and 1000 Mbps if it is Cat 5e). Cat 6 cable can also provide 1000 Mbps.

39
Q

What two key issues with the implementation of RC4 make Wired Equivalent Privacy (WEP) even weaker than it might otherwise be?

A) Its use of a static common key and client-set algorithms
B) Its use of a static common key and a limited number of initialization vectors
C) Its use of weak asymmetric keys and a limited number of initialization vectors
D) Its use of a weak asymmetric key and client-set encryption algorithms

A

B) WEP’s implementation of RC4 is weakened by its use of a static common key and a limited number of initialization vectors. It does not use asymmetric encryption, and clients do not select encryption algorithms.

40
Q

Ben knows that his organization wants to be able to validate the identity of other organizations based on their domain name when receiving and sending email. What tool should Ben recommend?

A) PEM
B) S/MIME
C) DKIM
D) MOSS

A

C) DomainKeys Identified Mail, or DKIM, is designed to allow assertions of domain identity to validate email. S/MIME, PEM, and MOSS are all solutions that can provide authentication, integrity, nonrepudiation, and confidentiality, depending on how they are used.