Sec+ Chp 6-10

Question 1

What is the main weakness of a hierarchical trust model?

Answer 1

The structure depends on the integrity of the root CA.

Question 2

How does a subject go about obtaining a certificate from a CA?

Answer 2

In most cases, the subject generates a key pair then adds the public key along with subject information and certificate type in a certificate signing request (CSR) and submits it to the CA. If the CA accepts the request, it generates a certificate with the appropriate key usage and validity, signs it, and transmits it to the subject.

Question 3

What cryptographic information is stored in a digital certificate?

Answer 3

The subject’s public key and the algorithms used for encryption and hashing. The certificate also stores a digital signature from the issuing CA, establishing the chain of trust.

Question 4

What does it mean if a certificate extension attribute is marked as critical?

Answer 4

That the application processing the certificate must be able to interpret the extension correctly. Otherwise, it should reject the certificate.

Question 5

You are developing a secure web application. What sort of certificate should you request to show that you are the publisher of a program?

Answer 5

A code signing certificate. Certificates are issued for specific purposes. A certificate issued for one purpose should not be reused for other functions.

Question 6

What extension field is used with a web server certificate to support the identification of the server by multiple specific subdomain labels?

Answer 6

The subject alternative name (SAN) field. A wildcard certificate will match any subdomain label.

Question 7

What are the potential consequences if a company loses control of a private key?

Answer 7

It puts both data confidentiality and identification and authentication systems at risk. Depending on the key usage, the key may be used to decrypt data with authorization. The key could also be used to impersonate a user or computer account.

Question 8

You are advising a customer about encryption for data backup security and the key escrow services that you offer. How should you explain the risks of key escrow and potential mitigations?

Answer 8

Escrow refers to archiving the key used to encrypt the customer’s backups with your company as a thirdparty. The risk is that an insider attack from your company may be able to decrypt the data backups. This risk can be mitigated by requiring M-of-N access to the escrow keys, reducing the risk of a rogue administrator.

Question 9

What mechanism informs clients about suspended or revoked keys?

Answer 9

Either a published Certificate Revocation List (CRL) or an Online Certificate Status Protocol (OCSP) responder.

Question 10

What mechanism does HPKP implement?

Answer 10

HTTP Public Key Pinning (HPKP) ensures that when a client inspects the certificate presented by a server or a code-signed application, it is inspecting the proper certificate by submitting one or more public keys to an HTTP browser via an HTTP header.

Question 11

What type of certificate format can be used if you want to transfer your private key and certificate from one Windows host computer to another?

Answer 11

PKCS #12 / .PFX / .P12.

Question 12

What type of operation is being performed by the following command?
openssl req -nodes -new -newkey rsa:2048 -out my.csr -keyout mykey.pem

Answer 12

This generates a new RSA key pair plus a certificate signing request.

Question 13

What is the difference between authorization and authentication?

Answer 13

Authorization means granting the account that has been configured for the user on the computer system the right to make use of a resource. Authorization manages the privileges granted on the resource. Authentication protects the validity of the user account by testing that the person accessing that account is who she/he says she/he is.

Question 14

What steps should be taken to enroll a new employee on a domain network?

Answer 14

Perform checks to confirm the user’s identity, issue authentication credentials securely, assign appropriate permissions/privileges to the account, and ensure accounting mechanisms to audit the user’s activity.

Question 15

True or false? An account requiring a password, PIN, and smart card is an example of three-factor authentication.

Answer 15

False—Three-factor authentication also includes a biometric-, behavioral-, or location-based element. The password and PIN elements are the same factor (something you know).

Question 16

What methods can be used to implement location-based authentication?

Answer 16

You can query the location service running on a device or geolocation by IP. You could use location with the network, based on switch port, wireless network name, virtual LAN (VLAN), or IP subnet.

Question 17

Why might a PIN be a particularly weak type of something you know authentication?

Answer 17

A long personal identification number (PIN) is difficult for users to remember, but a short PIN is easy to crack. A PIN can only be used safely where the number of sequential authentication attempts can be strictly limited.

Question 18

In what scenario would PAP be considered a secure authentication method?

Answer 18

PAP is a legacy protocol that cannot be considered secure because it transmits plaintext ASCII passwords and has no cryptographic protection. The only way to ensure the security of PAP is to ensure that the endpoints established a secure tunnel (using IPSec, for instance).

Question 19

True or false? In order to create a service ticket, Kerberos passes the user’s password to the target application server for authentication.

Answer 19

False—only the KDC verifies the user credential. The Ticket Granting Service (TGS) sends the user’s account details (SID) to the target application for authorization (allocation of permissions), not authentication.

Question 20

A user maintains a list of commonly used passwords in a file located deep within the computer’s directory structure. Is this secure password management?

Answer 20

No. This is security by obscurity. The file could probably be easily discovered using search tools.

Question 21

Which property of a plaintext password is most effective at defeating a brute-force attack?

Answer 21

The length of the password. If the password does not have any complexity (if it is just two dictionary words, for instance), it may still be vulnerable to a dictionary-based attack. A long password may still be vulnerable if the output space is small or if the mechanism used to hash the password is faulty (LM hashes being one example).

Question 22

True or false? When implementing smart card logon, the user’s private key is stored on the smart card.

Answer 22

True. The smart card implements a cryptoprocessor for secure generation and storage of key and certificate material.

Question 23

You are providing consultancy to a firm to help them implement smart card authentication to premises networks and cloud services. What are the main advantages of using an HSM over server-based key and certificate management services?

Answer 23

A hardware security module (HSM) is optimized for this role and so present a smaller attack surface. It is designed to be tamper-evident to mitigate against insider threat risks. It is also likely to have a better implementation of a random number generator, improving the security properties of key material.

Question 24

Which network access control framework supports smart cards?

Answer 24

Local logon providers, such as Kerberos, support smart cards, but this is not network access control as the device has already been allowed on the network. The IEEE 802.1X framework means that network access servers (switches, access points, and VPN gateways) can accept Extensible Authentication Protocols (EAP) credentials, but block any other type of network access. They act as pass-thru for an authentication server, which stores and validates the credentials. Some EAP types support smart card or machine authentication.

Question 25

What is a RADIUS client?

Answer 25

A device or server that accepts user connections, often referred to as a network access server (NAS) or as the authenticator. Using RADIUS architecture, the client does not need to be able to perform authentication itself; it performs pass-thru to an AAA server.

Question 26

What is EAPoL?

Answer 26

A network access server that support 802.1X port-based access control can enable a port but allow only the transfer of Extensible Authentication Protocol over LAN (EAPoL) traffic. This allows the supplicant and authentication server to perform the authentication process, with the network access server acting as a pass-thru.

Question 27

How does OTP protect against password guessing or sniffing attacks?

Answer 27

A one-time password mechanism generates a token that is valid only for a short period (usually 60 seconds), before it changes again.

Question 28

Apart from cost, what would you consider to be the major considerations for evaluating a biometric recognition technology?

Answer 28

Error rates (false acceptance and false rejection), throughput, and whether users will accept the technology or reject it as too intrusive or threatening to privacy.

Question 29

How is a fingerprint reader typically implemented as hardware?

Answer 29

As a capacitive cell.

Question 30

Which type of eye recognition is easier to perform: retinal or iris scanning?

Answer 30

Iris scans are simpler.

Question 31

What two ways can biometric technologies be used other than for logon authentication?

Answer 31

For identification based on biometric features and in continuous authentication mechanisms.

Question 32

You are consulting with a company about a new approach to authenticating users. You suggest there could be cost savings and better support for multifactor authentication (MFA) if your employees create accounts with a cloud provider. That allows the company's staff to focus on authorizations and privilege management. What type of service is the cloud vendor performing?

Answer 32

The cloud vendor is acting as the identity provider.

Question 33

What is the process of ensuring accounts are only created for valid users, only assigned the appropriate privileges, and that the account credentials are known only to the valid user?

Answer 33

Onboarding.

Question 34

What is the policy that states users should be allocated the minimum sufficient permissions?

Answer 34

Least privilege.

Question 35

What is a SOP?

Answer 35

A standard operating procedure (SOP) is a step-by-step listing of the actions that must be completed for any given task.

Question 36

What type of organizational policies ensure that at least two people have oversight of a critical business process?

Answer 36

Shared authority, job rotation, and mandatory enforced vacation/holidays.

Question 37

Recently, attackers were able to compromise the account of a user whose employment had been terminated a week earlier. They used this account to access a network share and delete important files. What account vulnerability enabled this attack?

Answer 37

While it's possible that lax password requirements and incorrect privileges may have contributed to the account compromise, the most glaring problem is that the terminated employee's account wasn't disabled. Since the account was no longer being used, it should not have been left active for a malicious user to exploit.

Question 38

For what type of account would interactive logon be disabled?

Answer 38

Interactive logon refers to starting a shell. Service accounts do not require this type of access. Default superuser accounts, such as Administrator and root, may also be disabled, or limited to use in system recovery or repair.

Question 39

What type of files most need to be audited to perform third-party credential management?

Answer 39

SSH and API keys are often unsecurely embedded in computer code or uploaded mistakenly to repositories alongside code. Also, managing shared credentials can be difficult, and many sites resort to storing them in a shared spreadsheet.

Question 40

What directory object would you use if you want to apply a different security policy to a subset of objects within the same domain?

Answer 40

Organization Unit (OU).

Question 41

Why might forcing users to change their password every month be counterproductive?

Answer 41

More users would forget their password, try to select unsecure ones, or write them down/record them in a non-secure way (like a sticky note).

Question 42

What is the name of the policy that prevents users from choosing old passwords again?

Answer 42

Enforce password history.

Question 43

In what two ways can an IP address be used for context-based authentication?

Answer 43

An IP address can represent a logical location (subnet) on a private network. Most types of public IP address can be linked to a geographical location, based on information published by the registrant that manages that block of IP address space.

Question 44

How does accounting provide non-repudiation?

Answer 44

A user's actions are logged on the system. Each user is associated with a unique computer account. As long as the user's authentication is secure and the logging system is tamper-proof, they cannot deny having performed the action.

Question 45

Which information resource is required to complete usage auditing?

Answer 45

Usage events must be recorded in a log. Choosing which events to log will be guided by an audit policy.

Question 46

What is the difference between locked and disabled accounts?

Answer 46

An account enters a locked state because of a policy violation, such as an incorrect password being entered incorrectly. Lockout is usually applied for a limited duration. An account is usually disabled manually, using the account properties. A disabled account can only be re-enabled manually.

Question 47

What are the advantages of a decentralized, discretionary access control policy over a mandatory access control policy?

Answer 47

It is easier for users to adjust the policy to fit changing business needs. Centralized policies can easily become inflexible and bureaucratic.

Question 48

What is the difference between security group- and role-based permissions management?

Answer 48

A group is simply a container for several user objects. Any organizing principle can be applied. In a role-based access control system, groups are tightly defined according to job functions. Also, a user should (logically) only possess the permissions of one role at a time.

Question 49

In a rule-based access control model, can a subject negotiate with the data owner for access privileges? Why or why not?

Answer 49

This sort of negotiation would not be permitted under rule-based access control; it is a feature of discretionary access control.

Question 50

What is the purpose of directory services?

Answer 50

To store information about network resources and users in a format that can be accessed and updated using standard queries.

Question 51

True or false? The following string is an example of a distinguished name: CN=ad, DC=classroom,DC=com

Answer 51

True.

Question 52

You are working on a cloud application that allows users to log on with social media accounts over the web and from a mobile application. Which protocols would you consider and which would you choose as most suitable?

Answer 52

Security Association Markup Language (SAML) and Oauth + OpenID Connect (OIDC). OAuth with OIDC as an authentication layer offers better support for native mobile apps so is probably the best choice.

Question 53

Your company has been the victim of several successful phishing attempts over the past year. Attackers managed to steal credentials from these attacks and used them to compromise key systems. What vulnerability contributed to the success of these social engineers, and why?

Answer 53

A lack of proper user training directly contributes to the success of social engineering attempts. Attackers can easily trick users when those users are unfamiliar with the characteristics and ramifications of such deception.

Question 54

Why should an organization design role-based training programs?

Answer 54

Employees have different levels of technical knowledge and different work priorities. This means that a "one size fits all" approach to security training is impractical.

Question 55

You are planning a security awareness program for a manufacturer. Is a pamphlet likely to be sufficient in terms of resources?

Answer 55

Using a diversity of training techniques will boost engagement and retention. Practical tasks, such as phishing simulations, will give attendees more direct experience. Workshops or computer-based training will make it easier to assess whether the training has been completed.

Question 56

A recent security evaluation concluded that your company's network design is too consolidated. Hosts with wildly different functions and purposes are grouped together on the same logical area of the network. In the past, this has enabled attackers to easily compromise large swaths of network hosts. What technique(s) do you suggest will improve the security of the network's design, and why?

Answer 56

In general, you should start implementing some form of network segmentation to put hosts with the same security requirements within segregated zones. For example, the workstations in each business department can be grouped in their own subnets to prevent a compromise of one subnet from spreading to another. Likewise, with VLANs, you can more easily manage the logical segmentation of the network without disrupting the physical infrastructure (i.e., devices and cabling).

Question 57

You are discussing a redesign of network architecture with a client, and they want to know what the difference between an extranet and Internet is. How can you explain it?

Answer 57

The Internet is an external zone where none of the hosts accessing your services can be assumed trusted or authenticated. An extranet is a zone allowing controlled access to semi-trusted hosts, implying some sort of authentication. The hosts are semi-trusted because they are not under the administrative control of the organization (as they are owned by suppliers, customers, business partners, contractors, and so on).

Question 58

Why is subnetting useful in secure network design?

Answer 58

Subnet traffic is routed, allowing it to be filtered by devices such as a firewall. An attacker must be able to gather more information about the configuration of the network and overcome more barriers to launch successful attacks.

Question 59

How can an enterprise DMZ be implemented?

Answer 59

By using two firewalls (external and internal) around a screened subnet, or by using a triple-homed firewall (one with three network interfaces).

Question 60

What type of network requires the design to account for east-west traffic?

Answer 60

This is typical of a data center or server farm, where a single external request causes multiple cascading requests between servers within the data center. This is a problem for a perimeter security model, as funneling this traffic up to a firewall and then back to a server creates a performance bottleneck.

Question 61

Why might an ARP poisoning tool be of use to a threat actor performing network reconnaissance?

Answer 61

The attacker could trick computers into sending traffic through the attacker's computer (performing a MitM/on-path attack) and, therefore, examine traffic that would not normally be accessible to him (on a switched network).

Question 62

How could you prevent a malicious attacker from engineering a switching loop from a host connected to a standard switch port?

Answer 62

Enable the appropriate guards (portfast and BPDU Guard) on access ports.

Question 63

What port security feature mitigates ARP poisoning?

Answer 63

Dynamic ARP inspection—though this relies upon DHCP snooping being enabled.

Question 64

What is a dissolvable agent?

Answer 64

Some network access control (NAC) solutions perform host health checks via a local agent, running on the host. A dissolvable agent is one that is executed in the host's memory and CPU but not installed to a local disk.

Question 65

True or false? Band selection has a critical impact on all aspects of the security of a wireless network?

Answer 65

False—band selection can affect availability and performance but does not have an impact in terms of either confidentiality or integrity.

Question 66

The network manager is recommending the use of "thin" access points to implement the wireless network. What additional appliance or software is required and what security advantages should this have?

Answer 66

You need a wireless controller to configure and manage the access points. This makes each access point more tamper-proof as there is no local administration interface. Configuration errors should also be easier to identify.

Question 67

What is a pre-shared key?

Answer 67

This is a type of group authentication used when the infrastructure for authenticating securely (via RADIUS, for instance) is not available. The system depends on the strength of the passphrase used for the key.

Question 68

Is WPS a suitable authentication method for enterprise networks?

Answer 68

No, an enterprise network will use RADIUS authentication. WPS uses PSK and there are weaknesses in the protocol.

Question 69

You want to deploy a wireless network where only clients with domain-issued digital certificates can join the network. What type of authentication mechanism is suitable?

Answer 69

EAP-TLS is the best choice because it requires that both server and client be installed with valid certificates.

Question 70

John is given a laptop for official use and is on a business trip. When he arrives at his hotel, he turns on his laptop and finds a wireless access point with the name of the hotel, which he connects to for sending official communications. He may become a victim of which wireless threat?

Answer 70

Evil twin.

Question 71

Why are many network DoS attacks distributed?

Answer 71

Most attacks depend on overwhelming the victim. This typically requires a large number of hosts, or bots.

Question 72

What is an amplification attack?

Answer 72

Where the attacker spoofs the victim's IP in requests to several reflecting servers (often DNS or NTP servers). The attacker crafts the request so that the reflecting servers respond to the victim's IP with a large message, overwhelming the victim's bandwidth.

Question 73

What is meant by scheduling in the context of load balancing?

Answer 73

The algorithm and metrics that determine which node a load balancer picks to handle a request.

Question 74

What mechanism provides the most reliable means of associating a client with a particular server node when using load balancing?

Answer 74

Persistence is a layer 7 mechanism that works by injecting a session cookie. This is generally more reliable than the layer 4 source IP affinity mechanism.

Question 75

True or false? A virtual IP is a means by which two appliances can be put in a fault tolerant configuration to respond to requests for the same IP address?

Answer 75

True

Question 76

What field provides traffic marking for a QoS system at layer 3?

Answer 76

Layer 3 refers to the DiffServ field in the IP header.

Question 77

True or False? As they protect data at the highest layer of the protocol stack, application-based firewalls have no basic packet filtering functionality.

Answer 77

False. All firewall types can perform basic packet filtering (by IP address, protocol type, port number, and so on).

Question 78

What distinguishes host-based personal software firewall from a network firewall appliance?

Answer 78

A personal firewall software can block processes from accessing a network connection as well as applying filtering rules. A personal firewall protects the local host only, while a network firewall filters traffic for all hosts on the segment behind the firewall.

Question 79

True or false? When deploying a non-transparent proxy, you must configure clients with the proxy address and port.

Answer 79

True

Question 80

What is usually the purpose of the default rule on a firewall?

Answer 80

Block any traffic not specifically allowed (implicit deny).

Question 81

True or false? Static NAT means mapping a single public/external IP address to a single private/internal IP address.

Answer 81

True

Question 82

What is the best option for monitoring traffic passing from host-to-host on the same switch?

Answer 82

The only option for monitoring intra-switch traffic is to use a mirrored port.

Question 83

What sort of maintenance must be performed on signature-based monitoring software?

Answer 83

Installing definition/signature updates and removing definitions that are not relevant to the hosts or services running on your network.

Question 84

What is the principal risk of deploying an intrusion prevention system with behavior-based detection?

Answer 84

Behavior-based detection can exhibit high false positive rates, where legitimate activity is wrongly identified as malicious. With automatic prevention, this will block many legitimate users and hosts from the network, causing availability and support issues.

Question 85

If a Windows system file fails a file integrity check, should you suspect a malware infection?

Answer 85

Yes—malware is a likely cause that you should investigate.

Question 86

What is a WAF?

Answer 86

A web application firewall (WAF) is designed to protect HTTP and HTTPS applications. It can be configured with signatures of known attacks against applications, such as injection-based attacks or scanning attacks.

Question 87

What is the purpose of SIEM?

Answer 87

Security information and event management (SIEM) products aggregate IDS alerts and host logs from multiple sources, then perform correlation analysis on the observables collected to identify indicators of compromise and alert administrators to potential incidents.

Question 88

What is the difference between a sensor and a collector, in the context of SIEM?

Answer 88

A SIEM collector parses input (such as log files or packet traces) into a standard format that can be recorded within the SIEM and interpreted for event correlation. A sensor collects data from the network media.

Question 89

Does Syslog perform all the functions of a SIEM?

Answer 89

No, syslog allows remote hosts to send logs to a server, but syslog does not aggregate/normalize the log data or run correlation rules to identify alertable events.

Question 90

You are writing a shell script to display the last 5 lines of a log file at /var/log/audit in a dashboard. What is the Linux command to do this?

Answer 90

tail /var/log/audit -n 5

Question 91

What is the principal use of grep in relation to log files?

Answer 91

grep is used to search the content of files.