Obj 4.X Flashcards
Dion Training utilizes a wired network throughout the building to provide network connectivity. Jason is concerned that a visitor might plug their laptop into a CAT 5e wall jack in the lobby and access the corporate network. What technology should be utilized to prevent users from gaining access to network resources if they can plug their laptops into the network?
VPN
UTM
DMZ
NAC
The correct answer is NAC (Network Access Control). NAC is a security solution that restricts access to the network unless a device meets certain criteria. This can include factors such as device health, user authentication, or whether it’s a known and trusted device. In this scenario, NAC would prevent unauthorized devices from accessing the corporate network simply by plugging into the wall jack.
The other choices are incorrect because they don’t directly address the problem. A VPN (Virtual Private Network) is used for secure remote access to a network, not for controlling access to a wired connection on-site. A UTM (Unified Threat Management) device is a comprehensive security solution that includes firewalls, anti-virus, and more, but it doesn’t specifically prevent a device from plugging into a network port. A DMZ (Demilitarized Zone) is a portion of the network that is exposed to untrusted users, often used for web servers, but it doesn’t stop unauthorized users from accessing the internal network.
The administrator would like to use the strongest encryption level possible using PSK without utilizing an additional authentication server. What encryption type should be implemented?
WPA2 Enterprise
WEP
WPA Personal
MAC filtering
The correct answer is WPA Personal. WPA Personal, also known as WPA2-PSK (Pre-Shared Key), provides a strong level of encryption without the need for an additional authentication server. It uses AES (Advanced Encryption Standard) encryption, which is much stronger than older protocols like WEP.
The other choices are incorrect because they either require additional authentication methods or provide weaker security. WPA2 Enterprise uses a more secure authentication method involving a RADIUS server, which the question specifically says the administrator does not want to use. WEP is outdated and offers very weak encryption, making it insecure for modern networks. MAC filtering is not an encryption method; it simply restricts access based on device MAC addresses, but it can easily be bypassed and does not provide data encryption.
A technician has finished configuring AAA on a new network device. However, the technician cannot log into the device with LDAP credentials but can with a local user account. What is the MOST likely reason for the problem?
IDS is blocking RADIUS
Shared secret key is mismatched
Username is misspelled in the device configuration file
Group policy has not propagated to the device
The most likely reason for the problem is that the shared secret key is mismatched. When configuring AAA (Authentication, Authorization, and Accounting) using LDAP or any RADIUS server, both the server and the network device must have the same shared secret key for authentication to work. If this key does not match, the device will reject the LDAP credentials.
The other options are less likely. IDS blocking RADIUS would typically affect all RADIUS authentication attempts, not just LDAP. If the username were misspelled in the device configuration file, that could cause issues, but it would usually be evident when attempting to log in, as the device would indicate an invalid username. Lastly, group policy not propagating to the device could affect access, but it typically wouldn’t prevent a successful login if the LDAP credentials are correct and properly configured.
Which of the following must be added to a VLAN’s gateway to improve the security of the VLAN?
Spanning tree protocol
Access control list
Split horizon
Hold down timer
The correct answer is Access Control List (ACL). An ACL is used to define rules that control the traffic allowed to enter or leave the VLAN through the gateway. By implementing an ACL, you can restrict which devices or types of traffic are permitted to communicate with the VLAN, thereby enhancing security.
The other options are incorrect because they serve different purposes. Spanning Tree Protocol (STP) is used to prevent network loops in a switched environment but doesn’t directly improve security at the VLAN gateway. Split horizon is a routing technique used to prevent routing loops in distance-vector routing protocols, but it doesn’t affect VLAN security. A hold down timer is used in routing protocols to prevent premature route updates, but it doesn’t improve VLAN security.
You are working as a network administrator and are worried about the possibility of an insider threat. You want to enable a security feature that would remember the Layer 2 address first connected to a particular switch port to prevent someone from unplugging a workstation from the switch port and connecting their laptop to that same switch port. Which of the following security features would BEST accomplish this goal?
802.1x
NAC
ACL
Port security
The correct answer is Port security. Port security is a feature that allows a network administrator to restrict a switch port to a specific MAC address (Layer 2 address). Once a MAC address is learned or manually assigned to the port, the switch will prevent other devices with different MAC addresses from connecting to that port. This helps prevent an insider from unplugging a device and connecting their own unauthorized laptop.
The other options are incorrect because they serve different purposes. 802.1x is a network access control protocol used for authenticating devices, but it doesn’t specifically prevent MAC address spoofing or switching devices at the port level. NAC (Network Access Control) ensures that devices meet security policies before accessing the network but is more comprehensive and doesn’t focus solely on Layer 2 MAC address restrictions. An ACL (Access Control List) controls network traffic by defining rules for allowing or denying packets based on various criteria, but it doesn’t specifically address port-level device changes.
A home user reports to a network technician that the Internet is slow when they attempt to use their smartphone or laptop with their Wi-Fi network. The network administrator logs into the admin area of the user’s access point and discovers that multiple unknown devices are connected to it. What is MOST likely the cause of this issue?
The user is connected to a botnet
An evil twin has been implemented
The user is experiencing ARP poisoning
A successful WPS attack has occurred
The correct answer is that a successful WPS attack has occurred. Wi-Fi Protected Setup (WPS) is a method for easily connecting devices to a wireless network, but it has known security vulnerabilities. Attackers can exploit WPS to gain unauthorized access to a Wi-Fi network, allowing multiple unknown devices to connect and potentially slow down the user’s internet by consuming bandwidth.
The other options are incorrect because they do not directly explain the presence of multiple unknown devices. A botnet would involve the user’s devices being compromised and used for malicious activity, but it wouldn’t necessarily result in unknown devices connecting to the Wi-Fi. An evil twin attack involves creating a fake access point to trick users into connecting, not adding unknown devices to a legitimate access point. ARP poisoning can lead to network redirection or data interception but wouldn’t cause unknown devices to connect to the Wi-Fi.
You are working as a network administrator for Dion Training. The company has decided to allow employees to connect their devices to the corporate wireless network under a new BYOD policy. You have been asked to separate the corporate network into an administrative network (for corporate-owned devices) and an untrusted network (for employee-owned devices). Which of the following technologies should you implement to achieve this goal?
VLAN
MAC filtering
VPN
WPA2
The correct answer is VLAN (Virtual Local Area Network). Implementing VLANs allows you to segment the corporate network into separate logical networks. By creating one VLAN for corporate-owned devices (the administrative network) and another for employee-owned devices (the untrusted network), you can enhance security and manage traffic more effectively. This separation ensures that the untrusted devices do not have access to sensitive corporate resources.
The other options are incorrect for the following reasons. MAC filtering can restrict devices based on their MAC addresses, but it is not as effective or scalable as VLANs for network segmentation. VPN (Virtual Private Network) is used for secure remote access to the corporate network but does not inherently separate devices within the network. WPA2 (Wi-Fi Protected Access 2) is a security protocol for wireless networks, but it does not provide network segmentation; it primarily secures the wireless connection itself.
Which of the following technologies could be used to ensure that users who log in to a network are physically in the same building as the network they are attempting to authenticate on? (SELECT TWO)
NAC
Port security
GPS location
Geo-IP
The correct selections are NAC (Network Access Control) and GPS location. NAC solutions can enforce policies that restrict access to the network based on the physical location of the user, ensuring that only devices within the specified building or premises can authenticate and gain access. This can include checks on whether devices are connected to the correct network or if they meet certain compliance criteria.
GPS location can also be utilized to verify the physical location of users attempting to log in. By using GPS data, the system can determine if a user is within an acceptable geographic boundary before granting network access.
The other options are incorrect for the following reasons. Port security primarily focuses on controlling access to a network switch port by restricting the MAC addresses that can connect, rather than determining the physical location of users. Geo-IP can be used to approximate a user’s location based on their IP address, but it is not as precise as GPS for confirming that a user is in the same building, as IP addresses can sometimes be associated with a broader geographic area. Therefore, NAC and GPS location are the best choices for ensuring users are physically in the same building as the network they are attempting to access.
What is a common technique used by malicious individuals to perform an on-path attack on a wireless network?
An evil twin
Session hijacking
ARP spoofing
Amplified DNS attacks
The correct answer is an evil twin. An evil twin attack involves setting up a rogue access point that mimics a legitimate wireless network. Users may unknowingly connect to this malicious access point, allowing the attacker to intercept communications, capture sensitive data, and potentially launch further attacks on the victims.
The other options are incorrect for the following reasons. Session hijacking typically refers to taking over an active session after it has been established, often through methods like cookie theft, rather than targeting the initial connection. ARP spoofing is a technique used primarily in wired networks, where an attacker sends falsified ARP messages over a local area network to associate their MAC address with the IP address of another device, but it is not specifically a wireless attack method. Amplified DNS attacks involve using DNS servers to amplify traffic directed at a target, usually as part of a DDoS attack, and are not related to on-path attacks in a wireless context. Therefore, an evil twin is the correct answer for a common technique used to perform an on-path attack on a wireless network.
Dion Training allows its visiting business partners from CompTIA to use an available Ethernet port in their conference room to establish a VPN connection back to the CompTIA internal network. The CompTIA employees should obtain internet access from the Ethernet port in the conference room, but nowhere else in the building. Additionally, if any of the Dion Training employees use the same Ethernet port in the conference room, they should access Dion Training’s secure internal network. Which of the following technologies would allow you to configure this port and support both requirements?
MAC filtering
Configure a SIEM
Create an ACL to allow access
Implement NAC
The correct answer is Implement NAC (Network Access Control).
Network Access Control (NAC) allows you to manage and enforce policies for devices connecting to a network. By implementing NAC, you can ensure that visiting business partners from CompTIA can establish a VPN connection and access the internet only through the designated Ethernet port in the conference room. At the same time, NAC can restrict access for Dion Training employees using the same port, allowing them to connect to the internal secure network.
For the exam, remember that NAC is essential for dynamic access control, providing different network access based on the user’s identity and device status. This technology is particularly useful in environments with multiple user types needing varied access levels.
Which of the following authentication protocols was developed by Cisco to provide authentication, authorization, and accounting services?
Kerberos
CHAP
TACACS+
RADIUS
The correct answer is TACACS+. TACACS+ was developed by Cisco to provide centralized authentication, authorization, and accounting (AAA) services for network devices. It offers a flexible and secure method to control user access and track their activities.
The other options are incorrect. Kerberos is a widely used protocol for network authentication that operates on a ticket-granting system, but it’s not specific to Cisco. CHAP is used for authentication over Point-to-Point Protocol (PPP) connections but doesn’t provide full AAA services. RADIUS provides AAA services as well, but it is not Cisco-developed and differs from TACACS+ in terms of encryption and protocol structure.
Your company has several small branch offices around the country, but you work as a network administrator at the centralized headquarters building. You need the capability of being able to remotely access any of the remote site’s routers to configure them without having to fly to each location in person. Your company’s CIO is worried that allowing remote access could allow an attacker to gain administrative access to the company’s network devices. Which of the following is the MOST secure way to prevent this from occurring while still allowing you to access the devices remotely?
Install an out-of-band modem
Create an out-of-band management network
Configure the remote router’s ACLs to only permit Telnet traffic
Configure the remote router’s ACLs to only permit HTTP traffic
The correct answer is to create an out-of-band management network. An out-of-band management network separates management traffic from regular network traffic, allowing you to securely access network devices remotely without exposing the management interfaces to potential attackers on the main network.
The other options are less secure. Installing an out-of-band modem can allow remote access, but it doesn’t provide the same level of security and monitoring as a dedicated out-of-band management network. Configuring ACLs to only permit Telnet traffic is insecure because Telnet sends data in plaintext, making it vulnerable to interception. Similarly, permitting HTTP traffic is insecure because it doesn’t encrypt data, leaving it open to potential attacks.
An outside organization has completed a penetration test for a company. One of the report items states that an attacker may have the ability to read TLS traffic from the webserver due to a software bug. What is the MOST likely mitigation for this reported item?
Ensure patches are deployed
Configure the firewall to block traffic on port 443
Install an IDS on the network
Implement a VPN for employees
The most likely mitigation for the reported item is to ensure patches are deployed. Software bugs that affect the security of TLS traffic can often be resolved through updates and patches provided by the software vendor. By applying these patches, the organization can fix the vulnerabilities that may allow an attacker to read encrypted traffic.
Configuring the firewall to block traffic on port 443 would not be a viable solution, as this would block all secure web traffic, impacting legitimate users. Installing an Intrusion Detection System (IDS) could help in monitoring for suspicious activity but would not directly address the software bug. Implementing a VPN might enhance security for remote users, but it wouldn’t fix the vulnerability in the web server’s TLS implementation.
A user’s smartphone is displaying text in other languages in their web browser when accessing the company’s main website. Which of the following is the MOST likely cause of the issue?
Deauthentication attack
On-path attack
Denial-of-service attack
Reflective DNS attacks
The most likely cause of the issue is an on-path attack. In this scenario, the user’s smartphone is displaying text in other languages, which suggests that an attacker may be intercepting or modifying the communication between the smartphone and the company’s website. This type of attack allows an attacker to manipulate the content being sent to the user, potentially redirecting them to a malicious version of the site or altering the data received.
A deauthentication attack typically disconnects users from a network, while a denial-of-service attack aims to make a service unavailable. Reflective DNS attacks generally involve redirecting traffic to a malicious server using DNS manipulation, but they do not specifically cause the display of different languages in web content. Therefore, the on-path attack is the most relevant explanation for the observed behavior.
A disgruntled employee executes an on-path attack on the company’s network. Layer 2 traffic destined for the gateway is now being redirected to the employee’s computer. What type of attack is this an example of?
IP spoofing
Evil twin
Reflective DNS
ARP spoofing
The attack described is an example of ARP spoofing. In this scenario, the disgruntled employee is intercepting Layer 2 traffic by sending falsified Address Resolution Protocol (ARP) messages onto the network. This allows the attacker to associate their MAC address with the IP address of the gateway, effectively redirecting traffic that should go to the gateway to their own computer instead.
IP spoofing involves forging the source IP address of packets but does not specifically address Layer 2 traffic. An evil twin attack typically involves setting up a rogue Wi-Fi access point to trick users into connecting to it. Reflective DNS attacks manipulate DNS responses but are not related to ARP or Layer 2 traffic redirection. Therefore, ARP spoofing is the most accurate answer in this context.
Dion Training wants to implement a technology that will automatically test any wireless device that connects to their network before allowing the device full access to the corporate network and its resources. Which of the following should be implemented?
NAC
VPN
DMZ
PSK
The correct technology to implement for automatically testing any wireless device that connects to the network before granting full access is Network Access Control (NAC). NAC solutions provide a mechanism to enforce security policies on devices as they connect to the network. This includes verifying the device’s security posture, such as checking for up-to-date antivirus software or ensuring that certain security patches are installed. Based on the assessment, NAC can either grant access, limit access, or deny access to the corporate network and its resources.
A Virtual Private Network (VPN) provides a secure connection over the internet but does not test devices for compliance before granting access. A Demilitarized Zone (DMZ) is a network segment used to host public-facing services, isolating them from the internal network but is not related to device testing or access control. A Pre-Shared Key (PSK) is a method of authentication for securing wireless networks, but it does not perform any device checks before access is granted. Thus, NAC is the best choice for this scenario.
You opened your web browser and attempted to visit DionTraining.com, but you appear to have been redirected to a malicious website instead. What type of attack is being conducted?
DNS poisoning
VLAN hopping
ARP spoofing
Rogue DHCP
The type of attack being conducted in this scenario is DNS poisoning. DNS poisoning involves corrupting the DNS cache of a resolver or server, causing it to return an incorrect IP address for a domain name. When you try to visit DionTraining.com, the poisoned DNS entry leads you to a malicious website instead. This can happen if an attacker successfully alters the DNS records, either on a local machine or within the DNS server itself.
VLAN hopping is an attack where a malicious user accesses traffic from a different VLAN, which doesn’t directly relate to being redirected to a malicious website. ARP spoofing is a technique used to intercept network traffic on a local network by associating the attacker’s MAC address with the IP address of a legitimate device, but it doesn’t specifically target DNS resolution. Rogue DHCP involves an unauthorized DHCP server assigning IP addresses to devices on the network, potentially leading to similar connectivity issues but does not specifically redirect users to a malicious site. Therefore, DNS poisoning is the most fitting explanation for this scenario.
Dion Training is concerned with the threat of an attacker modifying the MAC address to IP bindings within the local area network. Which of the following could be enabled on the company’s network to prevent this from occurring?
Private VLAN
DHCP snooping
Router Advertisement Guard
Dynamic ARP Inspection
Dynamic ARP Inspection (DAI) is a security feature that validates Address Resolution Protocol (ARP) packets in a network. DAI allows a network administrator to intercept, log, and discard ARP packets with invalid MAC address to IP address bindings.
A virtual LAN (VLAN) is any broadcast domain that is partitioned and isolated in a computer network at the data link layer (OSI layer 2). Port mirroring, ARP inspection, and VLANs do not add any redundancy to the network. DHCP snooping is a series of techniques applied to improve the security of a DHCP infrastructure. When DHCP servers are allocating IP addresses to the LAN clients, DHCP snooping can be configured on LAN switches to prevent malicious or malformed DHCP traffic or rogue DHCP servers. The IPv6 Router Advertisement Guard feature allows the network administrator to block or reject unwanted or rogue router advertisement messages that arrive at the network device platform.
A network administrator, Tamera, follows the best practices to implement firewalls, patch management, and security policies on her network. Which of the following should be performed to verify that the security controls are in place?
Single point of failure testing
Disaster recovery testing
AAA authentication testing
Penetration testing
The action Tamera should perform to verify that the security controls are in place is penetration testing. Penetration testing involves simulating attacks on the network to identify vulnerabilities and assess the effectiveness of security measures such as firewalls, patch management, and security policies. This testing helps confirm that the implemented controls can withstand real-world attacks.
Single point of failure testing examines the network’s resilience to component failures but does not assess security controls. Disaster recovery testing evaluates the organization’s ability to recover from disruptions, while AAA (Authentication, Authorization, and Accounting) authentication testing specifically checks the effectiveness of access controls, not the overall security posture. Therefore, penetration testing is the most comprehensive method to verify the effectiveness of security controls.
Barbara has connected her personal wireless router to a network jack inside her office. The router cannot get a DHCP address even though her corporate laptop can get a DHCP address when connected to the same jack. Barbara checked the router’s configuration to ensure it is set up to obtain a DHCP address. Which of the following is the MOST likely reason that the router is not getting a DHCP address?
The wireless router’s MAC address is blocklisted by the network
Only allow-listed MAC addresses can connect to the network
DHCP snooping is enabled on the network
DHCP requests that originate from access points are blocked
The correct answer is that only allow-listed MAC addresses can connect to the network. An allow list specifies MAC addresses as a security measure implemented by the administrator to grant access only to specific users.
It prevents a person with malicious intentions from accessing the corporate network. Since the router has a different MAC address, it is blocked from connecting to the wired network. Allow-listed MAC addresses can be enforced automatically using different forms of port security on a network switch.
Ted, a file server administrator at Dion Training, has noticed that many sensitive files have been transferred from a corporate workstation to an IP address outside of the local area network. Ted looks up the IP address and determines that it is located in a foreign country. Ted contacts his company’s security analyst, verifying that the workstation’s anti-malware solution is up-to-date and the network’s firewall is properly configured. What type of attack most likely occurred to allow the exfiltration of the files from the workstation?
Zero-day
Session hijacking
Impersonation
MAC spoofing
The correct answer is Zero-day. A zero-day attack exploits a vulnerability that is unknown to the software vendor or the user. In this scenario, since Ted has confirmed that the workstation’s anti-malware solution is up-to-date and the firewall is properly configured, it suggests that traditional security measures may not have detected the malicious activity. A zero-day vulnerability could have been exploited, allowing an attacker to transfer sensitive files without triggering alarms in the existing security measures.
The other options are less likely in this context. Session hijacking involves taking over an active session but does not directly account for the transfer of files unless there was a specific session established for that purpose. Impersonation typically refers to an attacker pretending to be someone else to gain unauthorized access, which does not directly explain the unauthorized file transfer to an external IP address. MAC spoofing involves altering a device’s MAC address to bypass network access controls, but it wouldn’t directly facilitate the exfiltration of files without additional vulnerabilities. Therefore, a zero-day attack is the most plausible explanation for the exfiltration in this scenario.
Which of the following open-source remote access tools allows users to connect to their desktop remotely, see what is on their screen, and control it with their mouse and keyboard?
VNC
SSH
Telnet
RDP
The correct answer is VNC. VNC (Virtual Network Computing) is an open-source remote access tool that allows users to connect to their desktop remotely, view the screen, and control it using their mouse and keyboard. It enables graphical desktop sharing, making it easy to manage a remote computer as if the user were sitting right in front of it.
The other options are not primarily designed for graphical remote desktop access. SSH (Secure Shell) is a protocol used for secure command-line access to a remote machine but does not provide a graphical interface. Telnet is also a command-line protocol that lacks encryption and is not secure for remote access. RDP (Remote Desktop Protocol) is a Microsoft proprietary protocol that allows remote access to Windows desktops, but it is not open-source like VNC. Therefore, VNC is the most suitable answer for an open-source solution for remote desktop access.
Your mother says there is something wrong with her computer, but unfortunately, she doesn’t know how to fix it. She asks if you can remotely connect to her computer and see if you can fix it. Which of the following technologies would BEST allow you to remotely access her computer and interact with her Windows 10 laptop?
RDP
VPN
SSH
Telnet
The correct answer is RDP (Remote Desktop Protocol). RDP is specifically designed for remote desktop access on Windows systems, allowing you to connect to your mother’s Windows 10 laptop, view her screen, and interact with her system as if you were physically there. It provides a graphical user interface, making it user-friendly for troubleshooting.
VPN (Virtual Private Network) is useful for securely connecting to a remote network but does not allow you to control a computer directly. SSH (Secure Shell) is primarily used for secure command-line access to a system, typically on Unix-like systems, and would not provide a graphical interface for Windows. Telnet is an older protocol that offers command-line access but lacks security features and is not suitable for remote desktop tasks. Therefore, RDP is the best option for remotely accessing and interacting with her Windows laptop.
A new network administrator is hired to replace a consultant who ran the network for several months and whose contract was just canceled. After a month of working on the network, the new network administrator realized some network issues and configuration changes in the server settings. The log files on the servers do not contain any error messages related to the issues or changes. What could be the problem?
A TACACS+ or RADIUS misconfiguration is causing logs to be erased
The server was the victim of a brute force password attack
The last ACL on the firewall is set to DENY ANY ANY
A backdoor has been installed to grant someone access to the network
The correct answer is a backdoor has been installed to grant someone access to the network. In this scenario, the lack of error messages in the log files, combined with unexplained network issues and configuration changes, strongly suggests that unauthorized access has occurred. A backdoor allows attackers to bypass standard security measures, making it difficult for the administrator to detect their presence or actions through logs.
The other options are less likely to be the cause. A TACACS+ or RADIUS misconfiguration might affect authentication but wouldn’t typically lead to unexplained configuration changes without logs being generated. While a brute force password attack could compromise a system, it usually produces some form of logging activity, particularly if successful logins are attempted. Lastly, while a DENY ANY ANY rule in an ACL could prevent traffic, it wouldn’t directly cause configuration changes on servers, which implies an unauthorized party is altering the settings. Thus, the most plausible explanation is that a backdoor has been installed, allowing unseen access and manipulation.