Lesson 16: Configuring SOHO Network Security Flashcards
‘Confidentiality’ and ‘Integrity’ are two important properties of information stored in a secure retrieval system. What is the third property?
‘Availability’.
Explanation: ‘availability’ means that information and services are accessible to authorized users when they need them; information that is inaccessible is not of much use. For example, a secure system must protect against ‘denial of service’ (DoS) attacks.
True or false? The level of risk from ‘zero-day’ attacks is only significant with respect to EOL systems.
False
Explanation: A ‘zero-day’ is a vulnerability that is unknown to the product vendor and means that no patch is available to mitigate it. This can affect currently supported as well as unsupported ‘end-of-life’ (EOL) systems.
The main difference is that there is a good chance of a patch being developed if the system is still supported, but almost no chance if it is EOL.
A threat actor crafts an email addressed to a senior support technician inviting him to register for free football coaching advice. The website contains password-stealing malware. What is the name of this type of attack?
Phishing Attack
Explanation: A ‘phishing attack’ tries to make users authenticate with a fake resource, such as a website. Phishing emails are often sent en masse as spam. This is a variant of phishing called spear phishing because it is specifically targeted at a single person, using personal information known about the subject (his or her football-coaching volunteer work).
You are assisting with the development of ‘end-user’ security awareness documentation. What is the difference between tailgating and shoulder surfing?
‘Tailgating’ means following someone else through a door or gateway to enter premises without authorization.
‘Shoulder surfing’ means covertly observing someone type a PIN or password or other confidential data.
You discover that a threat actor has been able to harvest credentials from some visitors connecting to the company’s wireless network from the lobby. The visitors had connected to a network named ‘Internet’ and were presented with a web page requesting an email address and password to enable guest access. The company’s access point had been disconnected from the cabled network. What type of attack has been perpetrated?
Evil Twin Attack
Explanation: The threat actor sets up a rogue access point that spoofs a legitimate guest network service and uses social engineering (a plausible ‘Internet’ SSID and a captive-portal style login page) to persuade users to connect and enter credentials. Disconnecting the company’s own access point ensured that visitors in the lobby would see only the rogue network.
A threat actor recovers some documents via ‘dumpster diving’ and learns that the system policy causes passwords to be configured with a random mix of different characters that are only five characters in length. To what type of ‘password cracking’ attack is this vulnerable?
‘Brute force’ attacks
‘Brute force’ attacks try every possible combination of characters and are effective against short passwords: five characters drawn from the 94 printable ASCII symbols gives only 94^5, about 7.3 billion, candidates, which a fast cracking rig exhausts in seconds. Random character selection defeats dictionary attacks but does nothing about a small key space.
‘Dictionary’ attacks depend on users choosing ordinary words or phrases in a password.
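The following is an added example, not part of the flashcards, that makes the key-space point concrete: it computes the size of the search space for a short random password, then runs a toy brute-force search and a toy dictionary attack against hashed targets. SHA-256 is used only as a stand-in for a password hash (real systems should use a slow, salted KDF, which raises the cost per guess but does not change the key space), the guess rate is an assumed figure, and the target passwords and word list are constructed.

```python
"""Added example: why a short random password falls to brute force.

Not from the flashcards. SHA-256 stands in for a password hash; the alphabets,
target passwords, word list and guess rate are all constructed/assumed.
"""
import hashlib
import itertools
import string

# 94 printable ASCII characters is what "random mix of different characters"
# usually means in a password policy. A smaller alphabet keeps the demo fast.
PRINTABLE = string.ascii_letters + string.digits + string.punctuation
LOWER_DIGITS = string.ascii_lowercase + string.digits


def keyspace(alphabet: str, length: int) -> int:
    """Number of candidate passwords of exactly `length` characters."""
    return len(alphabet) ** length


def worst_case_seconds(alphabet: str, length: int, guesses_per_second: float) -> float:
    """Time to exhaust the whole key space at an assumed guess rate."""
    return keyspace(alphabet, length) / guesses_per_second


def digest(password: str) -> str:
    """Stand-in password hash (a real store would use a salted, slow KDF)."""
    return hashlib.sha256(password.encode()).hexdigest()


def brute_force(target: str, alphabet: str, max_len: int):
    """Try every string over `alphabet` up to `max_len`, shortest first.

    Returns (password, attempts), or (None, attempts) if the space is exhausted.
    """
    attempts = 0
    for length in range(1, max_len + 1):
        for combo in itertools.product(alphabet, repeat=length):
            attempts += 1
            candidate = "".join(combo)
            if digest(candidate) == target:
                return candidate, attempts
    return None, attempts


def dictionary_attack(target: str, wordlist):
    """Try only dictionary words plus a few common mutations of each."""
    attempts = 0
    for word in wordlist:
        for candidate in (word, word.capitalize(), word + "1",
                          word.capitalize() + "1", word + "!"):
            attempts += 1
            if digest(candidate) == target:
                return candidate, attempts
    return None, attempts


if __name__ == "__main__":
    # The policy from the card: 5 random characters over 94 symbols.
    print(f"94^5 = {keyspace(PRINTABLE, 5):,} candidates")
    # Assumed rate: 1e9 guesses/s is a modest GPU figure for a fast hash.
    print(f"exhausted in {worst_case_seconds(PRINTABLE, 5, 1e9):.1f} s at 1e9 guesses/s")
    # Constructed targets: a random 3-character password and a word-based one.
    words = ["password", "football", "summer"]
    print(brute_force(digest("q7z"), LOWER_DIGITS, 3))       # found by exhaustion
    print(dictionary_attack(digest("q7z"), words))           # not a word: not found
    print(dictionary_attack(digest("Football1"), words))     # long, but a word: found fast
```

The two attacks fail in opposite ways: the dictionary attack never finds the random string, while the brute-force search finds it after a bounded number of guesses that depends only on alphabet size and length.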
What type of cryptographic key is delivered in a digital certificate?
A ‘public key’.
A digital certificate is a wrapper for a subject’s public key. The public and private keys in an asymmetric cipher are paired. If one key is used to encrypt a message, only the other key can then decrypt it.
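An added example, not part of the flashcards, showing the pairing property the card describes with textbook RSA on tiny primes: whatever one key of the pair does, only the other undoes. The primes, exponent and message are the standard toy values (p=61, q=53, e=17, m=65); this is illustration only, not usable cryptography, since real keys are 2048 bits or longer and use padding.

```python
"""Added example: the public/private pairing a certificate relies on.

Not from the flashcards and not secure (tiny primes, no padding). A certificate
wraps the public tuple (n, e) and binds it to a subject; the private tuple (n, d)
never leaves the subject.
"""
from math import gcd


def make_keypair(p: int, q: int, e: int = 17):
    """Return ((n, e), (n, d)) for primes p, q and public exponent e."""
    n = p * q
    phi = (p - 1) * (q - 1)
    assert gcd(e, phi) == 1, "e must be coprime to phi(n)"
    d = pow(e, -1, phi)          # modular inverse (Python 3.8+)
    return (n, e), (n, d)


def apply(key, m: int) -> int:
    """RSA is the same modular exponentiation in either direction."""
    n, exp = key
    assert 0 <= m < n, "message must be smaller than the modulus"
    return pow(m, exp, n)


def encrypt_to_subject(public_key, m: int) -> int:
    """Anyone holding the certificate (public key) can encrypt to the subject."""
    return apply(public_key, m)


def decrypt(private_key, c: int) -> int:
    """Only the matching private key recovers the plaintext."""
    return apply(private_key, c)


def sign(private_key, m: int) -> int:
    """The subject proves possession of the private key..."""
    return apply(private_key, m)


def verify(public_key, m: int, sig: int) -> bool:
    """...and anyone with the public key can check that proof."""
    return apply(public_key, sig) == m


if __name__ == "__main__":
    pub, priv = make_keypair(61, 53)              # n = 3233, d = 2753
    other_pub, other_priv = make_keypair(47, 71)  # an unrelated pair
    c = encrypt_to_subject(pub, 65)               # c = 2790
    print(decrypt(priv, c))                       # 65
    print(decrypt(other_priv, c) == 65)           # False: wrong private key
    s = sign(priv, 65)
    print(verify(pub, 65, s), verify(other_pub, 65, s))  # True False
```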
True or false? TKIP represents the best available wireless encryption and should be configured in place of AES if supported.
False
‘Advanced Encryption Standard’ (AES) provides stronger encryption and is enabled by selecting ‘Wi-Fi Protected Access’ (WPA) version 2 with AES/CCMP, or the WPA3 encryption mode. The ‘Temporal Key Integrity Protocol’ (TKIP) was introduced with the first version of WPA as a stopgap that wraps the older RC4 cipher inherited from WEP, so it inherits RC4’s weaknesses. TKIP and WPA1 are now deprecated; a TKIP/AES ‘mixed mode’ should be avoided too, since it allows the weaker cipher to be negotiated.
True or false? WPA3 personal mode is configured by selecting a passphrase shared between all users who are permitted to connect to the network.
True.
WPA3-Personal uses group authentication via a shared passphrase. The ‘Simultaneous Authentication of Equals’ (SAE) mechanism by which this passphrase is used to generate network encryption keys is improved compared to the older WPA2 protocol, however: a captured SAE handshake cannot be used for an offline dictionary attack on the passphrase, whereas a captured WPA2 4-way handshake can.
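As an added example (not from the flashcards), the same three choices expressed as hostapd settings, which is what most Linux-based home routers run underneath their web UI. The interface name, SSID and passphrases are placeholders; hostapd must be built with SAE support for the WPA3 block.

```ini
# Added example, not from the flashcards. Interface, SSID and passphrases are
# placeholders. hostapd does not accept trailing comments, so notes are on
# their own lines.
interface=wlan0
driver=nl80211
ssid=HomeNet
hw_mode=g
channel=6

# --- Deprecated: WPA (version 1) with TKIP over RC4. Do not use. ---
# wpa=1
# wpa_key_mgmt=WPA-PSK
# wpa_pairwise=TKIP
# wpa_passphrase=CHANGE-ME-long-random-passphrase

# --- WPA2-Personal with AES/CCMP (acceptable where WPA3 is unavailable) ---
# rsn_pairwise must list CCMP only; adding TKIP creates a "mixed mode".
# wpa=2
# wpa_key_mgmt=WPA-PSK
# rsn_pairwise=CCMP
# wpa_passphrase=CHANGE-ME-long-random-passphrase

# --- WPA3-Personal: same shared passphrase, keys derived via SAE ---
# wpa=2 selects RSN, which both WPA2 and WPA3 use; there is no "wpa=3".
# Protected Management Frames (ieee80211w=2) are mandatory for WPA3.
wpa=2
wpa_key_mgmt=SAE
rsn_pairwise=CCMP
sae_password=CHANGE-ME-long-random-passphrase
ieee80211w=2
```

Only the WPA3 block is active; the other two are kept commented to show exactly which lines differ between the deprecated, acceptable and preferred configurations.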
What two factors must a user present to authenticate to a wireless network secured using EAP-TLS?
Possession of the station’s ‘private key’ and ‘certificate’ (one factor), plus the user’s ‘authentication’ to the device that unlocks that private key (the second factor).
‘Extensible Authentication Protocol’ (EAP) allows for different types of mechanisms and credentials. The ‘Transport Layer Security’ (TLS) method uses digital certificates installed on both the server and the wireless station. The station must use its private key and its certificate to perform a handshake with the server; this is one factor. The user must authenticate to the device to allow use of this private key; this device authentication (via a password, PIN, or biometric gesture) is the second factor.
In AAA architecture, what type of device might a RADIUS client be?
An ‘Access Point’.
AAA refers to ‘Authentication, Authorization, and Accounting’, and the ‘Remote Authentication Dial-In User Service’ (RADIUS) protocol is one way of implementing this architecture. The RADIUS server is positioned on the internal network and processes authentication and authorization requests. The RADIUS client is the access point (also called the network access server, or NAS), and it must be configured with the IP address of the server plus a shared secret passphrase; the server must be configured with the same secret for that client. The access point forwards authentication traffic between the end-user device (a supplicant) and the RADIUS server but cannot inspect the contents of the EAP exchange; it only learns the accept or reject result.
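An added example, not from the flashcards, of what the shared secret on the RADIUS client actually does, written against RFC 2865 in pure Python: it hides the User-Password attribute in the Access-Request and authenticates the server’s reply. Both sides of the exchange are modelled in-process; the user name, password, secret and NAS address are constructed placeholders, and the toy server is a stand-in for a real RADIUS server, not any product’s code.

```python
"""Added example: the RADIUS Access-Request / Access-Accept exchange (RFC 2865).

Not from the flashcards. User, password, secret and addresses are placeholders;
server_decide() is a toy server used only to show both ends of the protocol.
"""
import hashlib
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP = 1, 2, 4


def attribute(attr_type: int, value: bytes) -> bytes:
    """Type, Length (including the 2-byte header), Value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 section 5.2: XOR 16-byte chunks with an MD5(secret + previous) stream."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        block = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], block))
        out += prev
    return out


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of hide_password; the server needs the same secret to do this."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        block = hashlib.md5(secret + prev).digest()
        chunk = hidden[i:i + 16]
        out += bytes(a ^ b for a, b in zip(chunk, block))
        prev = chunk
    return out.rstrip(b"\x00")


def packet(code: int, identifier: int, authenticator: bytes, attrs: bytes) -> bytes:
    """Code, Identifier, Length, 16-byte Authenticator, Attributes."""
    return struct.pack("!BBH", code, identifier, 20 + len(attrs)) + authenticator + attrs


def build_access_request(identifier, request_auth, username, password, secret, nas_ip):
    """What the access point (RADIUS client) sends for a PAP-style login."""
    attrs = (attribute(ATTR_USER_NAME, username)
             + attribute(ATTR_USER_PASSWORD, hide_password(password, secret, request_auth))
             + attribute(ATTR_NAS_IP, bytes(int(o) for o in nas_ip.split("."))))
    return packet(ACCESS_REQUEST, identifier, request_auth, attrs)


def response_authenticator(code, identifier, request_auth, attrs, secret):
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def build_response(code, identifier, request_auth, secret, attrs=b""):
    return packet(code, identifier,
                  response_authenticator(code, identifier, request_auth, attrs, secret), attrs)


def verify_response(resp: bytes, request_auth: bytes, secret: bytes) -> bool:
    """Client check that the reply came from a server holding the shared secret."""
    code, identifier, length = struct.unpack("!BBH", resp[:4])
    attrs = resp[20:length]
    return resp[4:20] == response_authenticator(code, identifier, request_auth, attrs, secret)


def server_decide(req: bytes, secret: bytes, users: dict) -> bytes:
    """Toy RADIUS server: parse attributes, unhide the password, look the user up."""
    code, identifier, length = struct.unpack("!BBH", req[:4])
    request_auth, pos, fields = req[4:20], 20, {}
    while pos < length:
        t, l = req[pos], req[pos + 1]
        fields[t] = req[pos + 2:pos + l]
        pos += l
    password = reveal_password(fields[ATTR_USER_PASSWORD], secret, request_auth)
    ok = users.get(fields[ATTR_USER_NAME]) == password
    return build_response(ACCESS_ACCEPT if ok else ACCESS_REJECT, identifier, request_auth, secret)


def authenticate(username, password, client_secret, server_secret, users, request_auth=None):
    """Run one exchange; return (response code, whether the client trusts the reply)."""
    request_auth = request_auth or os.urandom(16)   # fresh per request
    req = build_access_request(7, request_auth, username, password, client_secret, "192.168.1.1")
    resp = server_decide(req, server_secret, users)
    return resp[0], verify_response(resp, request_auth, client_secret)


if __name__ == "__main__":
    users = {b"alice": b"hunter2-but-longer"}      # constructed user store
    print(authenticate(b"alice", b"hunter2-but-longer", b"s3cret", b"s3cret", users))   # (2, True)
    print(authenticate(b"alice", b"wrong", b"s3cret", b"s3cret", users))                # (3, True)
    print(authenticate(b"alice", b"hunter2-but-longer", b"s3cret", b"other", users))    # (3, False)
```

With a mismatched secret the server unhides garbage and rejects the login, and the client cannot validate the Response Authenticator either, which is why a rogue access point without the secret cannot use the internal RADIUS server. RFC 2865 itself notes that this MD5-based hiding is weak; enterprise deployments rely on RADIUS over a protected link and on EAP methods that carry their own cryptography rather than on this attribute.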
You have selected a secure location for a new home router, changed the default password, and verified the WAN IP address and Internet link. What next step should you perform before configuring wireless settings?
To check for a firmware update.
Using the latest firmware is important to mitigate risks from software vulnerabilities.
You are reviewing a secure deployment checklist for home router wireless configuration. Following the CompTIA A+ objectives, what additional setting should be considered along with the following four settings?
- Changing the service set identifier (SSID)
- Disabling SSID broadcast
- Encryption settings
- Changing channels
To disable guest access.
It might be appropriate to allow a guest network depending on the circumstances, but the general principle is that services and access methods that are not required should be disabled.
You are assisting a user with setting up Internet access to a web server on a home network. You want to configure a DHCP reservation to set the web server’s IP address, allow external clients to connect to the secure port TCP/443, but configure the web server to listen on port TCP/8080. Is this configuration possible on a typical home router?
Yes.
You need to configure a port-mapping rule so that the router takes requests arriving at its WAN IP for TCP/443 and forwards them to the server’s IP address on TCP/8080. Using a known IP address for the server by configuring a ‘Dynamic Host Configuration Protocol’ (DHCP) reservation simplifies this configuration. The home router’s DHCP server must be configured with the ‘media access control’ (MAC) address or hardware identifier of the web server.
A different user wants to configure a multiplayer game server by using the DMZ feature of the router. Is this the best configuration option?
Probably not.
Using a home router’s ‘demilitarized zone’ or DMZ host option forwards traffic for all ports not covered by specific port forwarding rules to that host, exposing every service it runs to the Internet. It is possible to achieve a secure configuration with this option by blocking unauthorized ports and protecting the host using a personal firewall, but specific port forwarding/mapping rules for just the ports the game needs are better practice. The most secure solution is to isolate the game server in a screened subnet so that it is separated from other LAN hosts, but this typically requires multiple routers/firewalls.
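An added example, not from the flashcards, covering the two preceding cards in OpenWrt’s UCI configuration syntax, which is what many consumer routers expose behind their ‘port forwarding’ and ‘DMZ’ pages: the DHCP reservation plus the specific WAN TCP/443 to TCP/8080 mapping from the web-server card, and, for contrast, what the DMZ-host option amounts to. The MAC address, IP addresses and rule names are placeholders.

```text
# Added example, not from the flashcards. MAC, addresses and names are placeholders.

# /etc/config/dhcp -- DHCP reservation keyed on the web server's MAC address
config host
        option name 'webserver'
        option mac '02:11:22:33:44:55'
        option ip '192.168.1.10'

# /etc/config/firewall -- specific port-mapping rule: WAN TCP/443 -> 192.168.1.10:8080
config redirect
        option name 'HTTPS-to-webserver'
        option src 'wan'
        option src_dport '443'
        option proto 'tcp'
        option dest 'lan'
        option dest_ip '192.168.1.10'
        option dest_port '8080'
        option target 'DNAT'

# What a "DMZ host" setting amounts to: the same kind of rule with no port or
# protocol restriction, so every unsolicited WAN connection lands on the host.
# Shown disabled; prefer a per-port rule like the one above.
# config redirect
#         option name 'DMZ-host'
#         option src 'wan'
#         option proto 'all'
#         option dest 'lan'
#         option dest_ip '192.168.1.20'
#         option target 'DNAT'
```

The reservation ties the rule to a stable address: without it, a new DHCP lease could silently move the web server and leave the DNAT rule pointing at whatever host inherited 192.168.1.10.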