Sybex Book Review 3 Flashcards

1
Q

Dorothy is using a network sniffer to evaluate network connections. She focuses on the initialization of a TCP session. What is the first phase of the TCP three-way handshake sequence?

A. SYN flagged packet
B. ACK flagged packet
C. FIN flagged packet
D. SYN/ACK flagged packet

A

A. The SYN flagged packet is first sent from the initiating host to the destination host; thus it is the first step or phase in the TCP three-way handshake sequence used to establish a TCP session. The destination host then responds with a SYN/ACK flagged packet; this is the second step or phase of the TCP three-way handshake sequence. The initiating host sends an ACK flagged packet, and the connection is then established (the final or third step or phase). The FIN flag is used to gracefully shut down an established session.

2
Q

UDP is a connectionless protocol that operates at the Transport layer of the OSI model and uses ports to manage simultaneous connections. Which of the following terms is also related to UDP?

A. Bits
B. Logical addressing
C. Data reformatting
D. Simplex

A

D. UDP is a simplex protocol at the Transport layer (layer 4 of the OSI model). Bits is associated with the Physical layer (layer 1). Logical addressing is associated with the Network layer (layer 3). Data reformatting is associated with the Presentation layer (layer 6).

3
Q

Which of the following is a means for IPv6 and IPv4 to be able to coexist on the same network? (Choose all that apply.)

A. Dual stack
B. Tunneling
C. IPsec
D. NAT-PT
E. IP sideloading

A

A, B, D. IPv6 and IPv4 can coexist on the same network by using one or more of three primary options: dual stack, tunneling, or NAT-PT. Dual stack has most systems operate both IPv4 and IPv6 and use the appropriate protocol for each conversation. Tunneling allows most systems to operate a single stack of either IPv4 or IPv6 and use an encapsulation tunnel to access systems of the other protocol. Network Address Translation-Protocol Translation (NAT-PT) (RFC 2766) can be used to convert between IPv4 and IPv6 network segments, similar to how NAT converts between internal and external addresses. IPsec is a standard of IP security extensions used as an add-on for IPv4 and integrated into IPv6, but it does not enable the use of both IPv4 and IPv6 on the same system (although it doesn’t prevent it either). IP sideloading is not a real concept.

4
Q

Security configuration guidelines issued by your CISO require that all HTTP communications be secure when communicating with internal web services. Which of the following is true in regards to using TLS? (Choose all that apply.)

A. Allows for use of TCP port 443
B. Prevents tampering, spoofing, and eavesdropping
C. Requires two-way authentication
D. Is backward compatible with SSL sessions
E. Can be used as a VPN solution

A

A, B, E. TLS allows for use of TCP port 443; prevents tampering, spoofing, and eavesdropping; and can be used as a VPN solution. The other answers are incorrect. TLS supports both one-way and two-way authentication. TLS and SSL are not interoperable or backward compatible.

5
Q

Your network supports TCP/IP. TCP/IP is a multilayer protocol. It is primarily based on IPv4, but the organization is planning on deploying IPv6 within the next year. What is both a benefit and a potentially harmful implication of multilayer protocols?

A. Throughput
B. Encapsulation
C. Hash integrity checking
D. Logical addressing

A

B. Encapsulation is both a benefit and a potentially harmful implication of multilayer protocols. Encapsulation allows for encryption, flexibility, and resiliency, while also enabling covert channels, filter bypass, and overstepping network segmentation boundaries. Throughput is the capability of moving data across or through a network; this is not an implication of multilayer protocols. Hash integrity checking is a common benefit of multilayer protocols because most layers include a hash function in their header or footer. Logical addressing is a benefit of multilayer protocols; this avoids the restriction of using only physical addressing.

6
Q

A new VoIP system is being deployed at a government contractor organization. They require high availability of five nines of uptime for the voice communication system. They are also concerned about introducing new vulnerabilities into their existing data network structure. The IT infrastructure is based on fiber optics and supports over 1 Gbps to each device; the network often reaches near full saturation on a regular basis. What option will provide the best outcome of performance, availability, and security for the VoIP service?

A. Create a new VLAN on the existing IT network for the VoIP service.
B. Replace the current switches with routers and increase the interface speed to 1,000 Mbps.
C. Implement a new, separate network for the VoIP system.
D. Deploy flood guard protections on the IT network.

A

C. In this scenario, the only viable option to provide performance, availability, and security for the VoIP service is to implement a new, separate network for the VoIP system that is independent of the existing data network. The current data network is already at capacity, so creating a new VLAN will not provide sufficient insurance that the VoIP service will be highly available. Replacing switches with routers is usually not a valid strategy for increasing network capacity, and 1,000 Mbps is the same as 1 Gbps. Flood guards are useful against DoS and some transmission errors (such as Ethernet floods or broadcast storms), but they do not add more capacity to a network or provide reliable uptime for a VoIP service.

7
Q

Microsegmentation is dividing up an internal network into numerous subzones, potentially as small as a single device, such as a high-value server or even a client or endpoint device. Which of the following is true in regard to microsegmentation? (Choose all that apply.)

A. It is the assignment of the cores of a CPU to perform different tasks.
B. It can be implemented using ISFWs.
C. Transactions between zones are filtered.
D. It supports edge and fog computing management.
E. It can be implemented with virtual systems and virtual networks.

A

B, C, E. Microsegmentation can be implemented using internal segmentation firewalls (ISFWs), transactions between zones are filtered, and it can be implemented with virtual systems and virtual networks. Affinity or preference is the assignment of the cores of a CPU to perform different tasks. Microsegmentation is not related to edge and fog computing management.

8
Q

A new startup company is designing a sensor that needs to connect wirelessly to a PC or IoT hub in order to transmit its gathered data to a local application or cloud service for data analysis. The company wants to ensure that all transferred data from the device cannot be disclosed to unauthorized entities. The device is also intended to be located within 1 meter of the PC or IoT hub it communicates with. Which of the following concepts is the best choice for this device?

A. Zigbee
B. Bluetooth
C. FCoE
D. 5G

A

A. The device in this scenario would benefit from the use of Zigbee. Zigbee is an IoT equipment communications concept that is based on Bluetooth. Zigbee has low power consumption and a low throughput rate, and it requires close proximity of devices. Zigbee communications are encrypted using a 128-bit symmetric algorithm. Bluetooth is not a good option since it is usually plaintext. Bluetooth Low Energy (BLE) might be a viable option if custom encryption was added. Fibre Channel over Ethernet (FCoE) is not a wireless technology or an IoT technology—it is a high-speed fiber optic–based storage technology. 5G is the latest mobile service technology that is available for use on mobile phones, tablets, and other equipment. Though many IoT devices may support and use 5G, it is mostly used to provide direct access to the internet rather than as a link to a local short-distance device, such as a PC or IoT hub.

9
Q

James has been hired to be a traveling repair technician. He will be visiting customers all over the country in order to provide support services. He has been issued a portable workstation with 4G and 5G data service. What are some concerns when using this capability? (Choose all that apply.)

A. Eavesdropping
B. Rogue towers
C. Data speed limitations
D. Reliability of establishing a connection
E. Compatibility with cloud services
F. Unable to perform duplex communications

A

A, B, D. Cellular services, such as 4G and 5G, raise numerous security and operational concerns. Although cellular service is encrypted from device to tower, there is a risk of being fooled by a false or rogue tower. A rogue tower could offer only plaintext connections, but even if it supported encrypted transactions, the encryption only applies to the radio transmissions between the device and the tower. Once the communication is on the tower, it will be decrypted, allowing for eavesdropping and content manipulation. Even without a rogue tower, eavesdropping can occur across the cellular carrier’s interior network as well as across the internet, unless a VPN link is established between the remote mobile device and the network of the organization James works for. Being able to establish a connection can be unreliable depending on exactly where James’s travel takes him. 3G, 4G, and 5G coverage is not 100 percent available everywhere. 5G coverage is the most limited since it is the latest technology and still not universally deployed, and each 5G tower covers less area than a 4G tower. If James is able to establish a connection, 4G and 5G speeds should be sufficient for most remote technician activities, since 4G supports 100 Mbps for mobile devices and 5G supports up to 10 Gbps. If connectivity is established, there should be no issues with cloud interaction or duplex conversations.

10
Q

A new startup company needs to optimize delivery of high-definition media content to its customers. They are planning the deployment of resource service hosts in numerous data centers across the world in order to provide low latency, high performance, and high availability of the hosted content. What technology is likely being implemented?

A. VPN
B. CDN
C. SDN
D. CCMP

A

B. A content distribution network (CDN), or content delivery network, is a collection of resource service hosts deployed in numerous data centers across the world in order to provide low latency, high performance, and high availability of the hosted content. VPNs are used to transport communications over an intermediary medium through the means of encapsulation (i.e., tunneling), authentication, and encryption. Software-defined networking (SDN) aims at separating the infrastructure layer from the control layer on networking hardware in order to reduce management complexity. Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (CCMP) (Counter-Mode/CBC-MAC Protocol) is the combination of two block cipher modes to enable streaming by a block algorithm.

11
Q

Which of the following is a true statement about ARP poisoning or MAC spoofing?

A. MAC spoofing is used to overload the memory of a switch.
B. ARP poisoning is used to falsify the physical address of a system to impersonate that of another authorized device.
C. MAC spoofing relies on ICMP communications to traverse routers.
D. ARP poisoning can use unsolicited or gratuitous replies.

A

D. The true statement is: ARP poisoning can use unsolicited or gratuitous replies—specifically, ARP replies for which the local device did not transmit an ARP broadcast request. Many systems accept all ARP replies regardless of who requested them. The other statements are false. The correct versions of those statements would be: (A) MAC flooding is used to overload the memory of a switch, specifically the CAM table stored in switch memory; filling it with bogus information causes the switch to function only in flooding mode. (B) MAC spoofing is used to falsify the physical address of a system to impersonate that of another authorized device. ARP poisoning associates an IP address with the wrong MAC address. (C) MAC spoofing relies on plaintext Ethernet headers to initially gather valid MAC addresses of legitimate network devices. ICMP crosses routers because it is carried as the payload of an IP packet.

12
Q

An organization stores group project data files on a central SAN. Many projects have numerous files in common but are organized into separate project containers. A member of the incident response team is attempting to recover files from the SAN after a malware infection. However, many files are unable to be recovered. What is the most likely cause of this issue?

A. Using Fibre Channel
B. Performing real-time backups
C. Using file encryption
D. Deduplication

A

D. The most likely cause of the inability to recover files from the SAN in this scenario is deduplication. Deduplication replaces multiple copies of a file with a pointer to one copy. If the one remaining file is damaged, then all of the linked copies are damaged or inaccessible as well. File encryption could be an issue, but the scenario mentions that groups of people work on projects and typically file encryption is employed by individuals, not by groups. Whole-drive encryption would be more appropriate for group-accessed files as well as for a SAN in general. This issue is not related to what SAN technology is used, such as Fibre Channel. This problem might be solvable by restoring files from a backup, whether real-time or not, but the loss of files is not caused by performing backups.

13
Q

Jim was tricked into clicking on a malicious link contained in a spam email message. This caused malware to be installed on his system. The malware initiated a MAC flooding attack. Soon, Jim’s system and everyone else’s in the same local network began to receive all transmissions from all other members of the network as well as communications from other parts of the next-to-local members. The malware took advantage of what condition in the network?

A. Social engineering
B. Network segmentation
C. ARP queries
D. Weak switch configuration

A

D. In this scenario, the malware is performing a MAC flooding attack, which causes the switch to get stuck in flooding mode. This has taken advantage of the condition that the switch had weak configuration settings. The switch should have MAC limiting enabled in order to prevent MAC flooding attacks from being successful. Although Jim was initially fooled by a social engineering email, the question asked about the malware’s activity. A MAC flooding attack is limited by network segmentation to the local switch, but the malware took advantage of weak or poor configuration on the switch and was still successful. MAC flooding is blocked by routers from crossing between switched network segments. The malware did not use ARP queries in its attack. ARP queries can be abused in an ARP poisoning attack, but that was not described in this scenario.

14
Q

A ______________ is an intelligent hub because it knows the hardware addresses of the systems connected on each outbound port. Instead of repeating traffic on every outbound port, it repeats traffic only out of the port on which the destination is known to exist.

A. Repeater
B. Switch
C. Bridge
D. Router

A

B. A switch is an intelligent hub. It is considered to be intelligent because it knows the addresses of the systems connected on each outbound port. Repeaters are used to strengthen the communication signal over a cable segment as well as connect network segments that use the same protocol. A bridge is used to connect two networks together—even networks of different topologies, cabling types, and speeds—in order to connect network segments that use the same protocol. Routers are used to control traffic flow on networks and are often used to connect similar networks and control traffic flow between the two. Routers manage traffic based on logical IP addressing.

15
Q

What type of security zone can be positioned so that it operates as a buffer between the secured private network and the internet and can host publicly accessible services?

A. Honeypot
B. Screened subnet
C. Extranet
D. Intranet

A

B. A screened subnet is a type of security zone that can be positioned so that it operates as a buffer network between the secured private network and the internet and can host publicly accessible services. A honeypot is a false network used to trap intruders; it isn’t used to host public services. An extranet is for limited outside partner access, not public. An intranet is the private secured network.

16
Q

An organization wants to use a wireless network internally, but they do not want any possibility of external access or detection. What security tool should be used?

A. Air gap
B. Faraday cage
C. Biometric authentication
D. Screen filters

A

B. A Faraday cage is an enclosure that blocks or absorbs electromagnetic fields or signals. Faraday cage containers, computer cases, rack-mount systems, rooms, or even building materials are used to create a blockage against the transmission of data, information, metadata, or other emanations from computers and other electronics. Devices inside a Faraday cage can use EM fields for communications, such as wireless or Bluetooth, but devices outside of the cage will not be able to eavesdrop on the signals of the systems within the cage. Air gaps do not contain or restrict wireless communications—in fact, for an air gap to be effective, wireless cannot even be available. Biometric authentication has nothing to do with controlling radio signals. Screen filters reduce shoulder surfing but do not address radio signals.

17
Q

Neo is the security manager for the southern division of the company. He thinks that deploying a NAC will assist in improving network security. However, he needs to convince the CISO of this at a presentation next week. Which of the following are goals of NAC that Neo should highlight? (Choose all that apply.)

A. Reduce social engineering threats
B. Detect rogue devices
C. Map internal private addresses to external public addresses
D. Distribute IP address configurations
E. Reduce zero-day attacks
F. Confirm compliance with updates and security settings

A

B, E, F. Network access control (NAC) involves controlling access to an environment through strict adherence to and implementation of security policy. The goals of NAC are to detect/block rogue devices, prevent or reduce zero-day attacks, confirm compliance with updates and security settings, enforce security policy throughout the network, and use identities to perform access control. NAC does not address social engineering, mapping IP addresses, or distributing IP addresses—those are handled by training, NAT, and DHCP, respectively.

18
Q

The CISO wants to improve the organization’s ability to manage and prevent malware infections. Some of her goals are to (1) detect, record, evaluate, and respond to suspicious activities and events, which may be caused by problematic software or by valid and invalid users, (2) collect event information and report it to a central ML analysis engine, and (3) detect abuses that are potentially more advanced than what can be detected by traditional antivirus or HIDSs. The solution needs to be able to reduce response and remediation time, reduce false positives, and manage multiple threats simultaneously. What solution is the CISO wanting to implement?

A. EDR
B. NGFW
C. WAF
D. XSRF

A

A. Endpoint detection and response (EDR) is a security mechanism that is an evolution of traditional antimalware products. EDR seeks to detect, record, evaluate, and respond to suspicious activities and events, which may be caused by problematic software or by valid and invalid users. It is a natural extension of continuous monitoring, focusing on both the endpoint device itself and network communications reaching the local interface. Some EDR solutions employ an on-device analysis engine whereas others report events back to a central analysis server or to a cloud solution. The goal of EDR is to detect abuses that are potentially more advanced than what can be detected by traditional antivirus or HIDSs, while optimizing the response time of incident response, discarding false positives, implementing blocking for advanced threats, and protecting against multiple threats occurring simultaneously and via various threat vectors. A next-generation firewall (NGFW) is a unified threat management (UTM) device that is based on a traditional firewall with numerous other integrated network and security services and is thus not the security solution needed in this scenario. A web application firewall (WAF) is an appliance, server add-on, virtual service, or system filter that defines a strict set of communication rules for a website and is not the security solution needed in this scenario. Cross-site request forgery (XSRF) is an attack against web-based services, not a malware defense.

19
Q

A(n) _________________ firewall is able to make access control decisions based on the content of communications as well as the parameters of the associated protocol and software.

A. Application-level
B. Stateful inspection
C. Circuit-level
D. Static packet filtering

A

A. An application-level firewall is able to make access control decisions based on the content of communications as well as the parameters of the associated protocol and software. Stateful inspection firewalls make access control decisions based on the content and context of communications, but are not typically limited to a single application-layer protocol. Circuit-level firewalls are able to make permit and deny decisions in regard to circuit establishment either based on simple rules for IP and port, using captive portals, requiring port authentication via 802.1X, or more complex elements such as context- or attribute-based access control. Static packet-filtering firewalls filter traffic by examining data from a message header. Usually, the rules are concerned with source and destination IP address (layer 3) and port numbers (layer 4).

20
Q

Which of the following is true regarding appliance firewalls? (Choose all that apply.)

A. They are able to log traffic information.
B. They are able to block new phishing scams.
C. They are able to issue alarms based on suspected attacks.
D. They are unable to prevent internal attacks.

A

A, C, D. Most appliance (i.e., hardware) firewalls offer extensive logging, auditing, and monitoring capabilities as well as alarms/alerts and even basic IDS functions. It is also true that firewalls are unable to prevent internal attacks that do not cross the firewall. Firewalls are unable to block new phishing scams. Firewalls could block a phishing scam’s URL if it was already on a block list, but a new scam likely uses a new URL that is not yet known to be malicious.

21
Q

Among the many aspects of a security solution, the most important is whether it addresses a specific need (i.e., a threat) for your assets. But there are many other aspects of security you should consider as well. A significant benefit of a security control is when it goes unnoticed by users. What is this called?

A. Invisibility
B. Transparency
C. Diversion
D. Hiding in plain sight

A

B. When transparency is a characteristic of a service, security control, or access mechanism, it is unseen by users. Invisibility is not the proper term for a security control that goes unnoticed by valid users. Invisibility is sometimes used to describe a feature of a rootkit, which attempts to hide itself and other files or processes. Diversion is a feature of a honeypot but not of a typical security control. Hiding in plain sight is not a security concept; it is a mistake on the part of the observer not to notice something that they should notice. This is not the same concept as camouflage, which is when an object or subject attempts to blend into the surroundings.

22
Q

Extensible Authentication Protocol (EAP) is one of the three authentication options provided by Point-to-Point Protocol (PPP). EAP allows customized authentication security solutions. Which of the following are examples of actual EAP methods? (Choose all that apply.)

A. LEAP
B. EAP-VPN
C. PEAP
D. EAP-SIM
E. EAP-FAST
F. EAP-MBL
G. EAP-MD5
H. VEAP
I. EAP-POTP
J. EAP-TLS
K. EAP-TTLS

A

A, C, D, E, G, I, J, K. More than 40 EAP methods have been defined, including LEAP, PEAP, EAP-SIM, EAP-FAST, EAP-MD5, EAP-POTP, EAP-TLS, and EAP-TTLS. The other options are not valid EAP methods.

23
Q

In addition to maintaining an updated system and controlling physical access, which of the following is the most effective countermeasure against PBX fraud and abuse?

A. Encrypting communications
B. Changing default passwords
C. Using transmission logs
D. Taping and archiving all conversations

A

B. Changing default passwords on PBX systems provides the most effective increase in security. PBX systems typically do not support encryption, although some VoIP PBX systems may support encryption in specific conditions. PBX transmission logs may provide a record of fraud and abuse, but they are not a preventive measure to stop it from happening. Taping and archiving all conversations is also a detective measure rather than a preventive one against fraud and abuse.

24
Q

A phreaker has been apprehended who had been exploiting the technology deployed in your office building. Several handcrafted tools and electronics were taken in as evidence that the phreaker had in their possession when they were arrested. What was this adversary likely focusing on with their attempts to compromise the organization?

A. Accounting
B. NAT
C. PBX
D. Wi-Fi

A

C. Malicious attackers known as phreakers abuse phone systems in much the same way that attackers abuse computer networks. In this scenario, they were most likely focused on the PBX. Private branch exchange (PBX) is a telephone switching or exchange system deployed in private organizations in order to enable multistation use of a small number of external PSTN lines. Phreakers generally do not focus on accounting (that would be an invoice scam), NAT (that would be a network intrusion attack), or Wi-Fi (another type of network intrusion attack).

25
Q

Multimedia collaboration is the use of various multimedia-supporting communication solutions to enhance distance collaboration (people working on a project together remotely). Often, collaboration allows workers to work simultaneously as well as across different time frames. Which of the following are important security mechanisms to impose on multimedia collaboration tools? (Choose all that apply.)

A. Encryption of communications
B. Multifactor authentication
C. Customization of avatars and filters
D. Logging of events and activities

A

A, B, D. It is important to verify that multimedia collaboration connections are encrypted, that robust multifactor authentication is in use, and that tracking and logging of events and activities is available for the hosting organization to review. Customization of avatars and filters is not a security concern.

26
Q

Michael is configuring a new web server to offer instruction manuals and specification sheets to customers. The web server has been positioned in the screened subnet and assigned an IP address of 172.31.201.17, and the public side of the company’s split-DNS has associated the documents.myexamplecompany.com domain name with the assigned IP. After verifying that the website is accessible from his management station (which accesses the screened subnet via a jumpbox) as well as from several worker desktop systems, he declares the project completed and heads home. A few hours later, Michael thinks of a few additional modifications to perform to improve site navigation. However, when he attempts to connect to the new website using the FQDN, he receives a connection error stating that the site cannot be reached. What is the reason for this issue?

A. The jumpbox was not rebooted.
B. Split-DNS does not support internet domain name resolution.
C. The browser is not compatible with the site’s coding.
D. A private IP address from RFC 1918 is assigned to the web server.

A

D. The issue in this scenario is that a private IP address from RFC 1918 is assigned to the web server. RFC 1918 addresses are not internet routable or accessible because they are reserved for private or internal use only. So, even with the domain name linked to the address, any attempt to access it from an internet location will fail. Local access via jumpbox or LAN system likely uses an address in the same private IP address range and has no issues locally. The issue of the scenario (i.e., being unable to access a website using its FQDN) could be resolved by either using a public IP address or implementing static NAT on the screened subnet’s boundary firewall. The jumpbox would not prevent access to the website regardless of whether it was rebooted, in active use, or turned off. That would only affect Michael’s use of it from his desktop workstation. Split-DNS does support internet-based domain name resolution; it separates internal-only domain information from external domain information. A web browser should be compatible with the coding of most websites. Since there was no mention of custom coding and the site was intended for public use, it is probably using standard web technologies. Also, since Michael’s workstation and several worker desktops could access the website, the problem is probably not related to the browser.

27
Q

Mark is configuring the remote access server to receive inbound connections from remote workers. He is following a configuration checklist to ensure that the telecommuting links are compliant with company security policy. What authentication protocol offers no encryption or protection for logon credentials?

A. PAP
B. CHAP
C. EAP
D. RADIUS

A

A. Password Authentication Protocol (PAP) is a standardized authentication protocol for PPP. PAP transmits usernames and passwords in the clear. It offers no form of encryption. It provides a means to transport the logon credentials from the client to the authentication server. CHAP protects the password by never sending it across the network; it is used in computing a response along with a random challenge number issued by the server. EAP offers some means of authentication that protects and/or encrypts credentials, but not all of the options do. RADIUS supports a range of options to protect and encrypt logon credentials.

28
Q

Some standalone automated data-gathering tools use search engines in their operation. They are able to accomplish this by automatically interacting with the human-interface web portal interface. What enables this capability?

A. Remote control
B. Virtual desktops
C. Remote node operation
D. Screen scraping

A

D. Screen scraping is a technology that allows an automated tool to interact with a human interface. Remote-control remote access grants a remote user the ability to fully control another system that is physically distant from them. Virtual desktops are a form of screen scraping in which the screen on the target machine is scraped and shown to the remote operator, but this is not related to automated tool interaction of human interfaces. Remote node operation is just another name for when a remote client establishes a direct connection to a LAN, such as with wireless, VPN, or dial-up connectivity.

29
Q

While evaluating network traffic, you discover several addresses that you are not familiar with. Several of the addresses are in the range of addresses assigned to internal network segments. Which of the following IP addresses are private IPv4 addresses as defined by RFC 1918? (Choose all that apply.)

A. 10.0.0.18
B. 169.254.1.119
C. 172.31.8.204
D. 192.168.6.43

A

A, C, D. The RFC 1918 blocks are 10.0.0.0–10.255.255.255 (10.0.0.0/8), 172.16.0.0–172.31.255.255 (172.16.0.0/12), and 192.168.0.0–192.168.255.255 (192.168.0.0/16). Therefore, 10.0.0.18, 172.31.8.204, and 192.168.6.43 are private IPv4 addresses. The 169.254.x.x subnet is the APIPA range (link-local addressing, RFC 3927), which is not part of RFC 1918.
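
Worked example (added here; not from the book): an RFC 1918 classifier in Python that keeps the three private blocks separate from the ranges they are commonly confused with, including the APIPA option from the question. The distinction matters in egress filters and SSRF allow-lists, where "private" and "RFC 1918" are not the same set. The address list at the bottom is the question's own; the CGNAT and loopback samples in the usage are constructed.

```python
import ipaddress
from typing import List, Tuple

# RFC 1918 private-use blocks, exactly as the flashcard lists them.
RFC1918_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Not RFC 1918, but routinely mistaken for it:
APIPA_NET = ipaddress.ip_network("169.254.0.0/16")   # RFC 3927 link-local (APIPA)
CGNAT_NET = ipaddress.ip_network("100.64.0.0/10")    # RFC 6598 shared address space


def is_rfc1918(addr: str) -> bool:
    """True only for the three RFC 1918 blocks; IPv6 and every other special range is False."""
    ip = ipaddress.ip_address(addr)
    return ip.version == 4 and any(ip in net for net in RFC1918_NETS)


def classify(addr: str) -> str:
    """Label an address by the registry block it falls in, the way a filter should."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 6:
        return "ipv6"
    if is_rfc1918(addr):
        return "rfc1918"
    if ip in APIPA_NET:
        return "apipa"
    if ip in CGNAT_NET:
        return "cgnat"
    if ip.is_loopback:
        return "loopback"
    if ip.is_global:
        return "global"
    return "other-special"


def naive_is_private(addr: str) -> bool:
    """What many filters actually call. Compare it with is_rfc1918() on 169.254.x.x."""
    return ipaddress.ip_address(addr).is_private


def triage(addrs: List[str]) -> Tuple[List[str], List[Tuple[str, str]]]:
    """Split observed addresses into RFC 1918 and everything else (with a label), keeping order."""
    private = [a for a in addrs if is_rfc1918(a)]
    other = [(a, classify(a)) for a in addrs if not is_rfc1918(a)]
    return private, other


if __name__ == "__main__":
    options = ["10.0.0.18", "169.254.1.119", "172.31.8.204", "192.168.6.43"]
    for a in options:
        print(f"{a:16} rfc1918={is_rfc1918(a)!s:5} is_private={naive_is_private(a)!s:5} {classify(a)}")
```

The point of naive_is_private() is the check worth running before trusting a library flag: CPython's ipaddress module reports 169.254.1.119 as is_private, because link-local is on its special-purpose list, so a filter built on is_private will treat the APIPA answer as if it were RFC 1918. Test the boundaries too: 172.31.255.255 is inside the /12 and 172.32.0.1 is not.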

30
Q

The CISO has requested a report on the potential communication partners throughout the company. There is a plan to implement VPNs between all network segments in order to improve security against eavesdropping and data manipulation. Which of the following cannot be linked over a VPN?

A. Two distant internet-connected LANs
B. Two systems on the same LAN
C. A system connected to the internet and a LAN connected to the internet
D. Two systems without an intermediary network connection

A

D. An intermediary network connection is required for a VPN link to be established. A VPN can be established between devices over the internet, between devices over a LAN, or between a system on the internet and a LAN.

31
Q

What networking device can be used to create digital virtual network segments that can be altered as needed by adjusting the settings internal to the device?

A. Router
B. Switch
C. Proxy
D. Firewall

A

B. A switch is a networking device that can be used to create digital virtual network segments (i.e., VLANs) that can be altered as needed by adjusting the settings internal to the device. A router connects disparate networks (i.e., subnets) rather than creating network segments. Subnets are created by IP address and subnet mask assignment. Proxy and firewall devices do not create digital virtual network segments, but they may be positioned between network segments to control and manage traffic.

32
Q

The CISO is concerned that the use of subnets as the only form of network segments is limiting growth and flexibility of the network. They are considering the implementation of switches to support VLANs but aren’t sure VLANs are the best option. Which of the following is not a benefit of VLANs?

A. Traffic isolation
B. Data/traffic encryption
C. Traffic management
D. Reduced vulnerability to sniffers

A

B. VLANs do not impose encryption on data or traffic. Encrypted traffic can occur within a VLAN, but encryption is not imposed by the VLAN. VLANs do provide traffic isolation, traffic management and control, and a reduced vulnerability to sniffers.

33
Q

The CISO has tasked you to design and implement an IT port security strategy. While researching the options, you realize there are several potential concepts that are labeled as port security. You prepare a report to present options to the CISO. Which of the following are port security concepts you should include on this report? (Choose all that apply.)

A. Shipping container storage
B. NAC
C. Transport layer
D. RJ-45 jacks

A

B, C, D. Port security can refer to several concepts, including network access control (NAC), Transport layer ports, and RJ-45 jack ports. NAC requires authentication before devices can communicate on the network. Transport-layer port security involves using firewalls to grant or deny communications to TCP and UDP ports. RJ-45 jacks should be managed so that unused ports are disabled and that when a cable is disconnected, the port is disabled. This approach prevents the connection of unauthorized devices. Shipping container storage relates to shipping ports, which is a type of port that is not specifically related to IT or typically managed by a CISO.

34
Q

______________ is the oversight and management of the efficiency and performance of network communications. Items to measure include throughput rate, bit rate, packet loss, latency, jitter, transmission delay, and availability.

A. VPN
B. QoS
C. SDN
D. Sniffing

A

B. Quality of service (QoS) is the oversight and management of the efficiency and performance of network communications. Items to measure include throughput rate, bit rate, packet loss, latency, jitter, transmission delay, and availability. A virtual private network (VPN) is a communication channel between two entities across an intermediary untrusted network. Software-defined networking (SDN) aims at separating the infrastructure layer from the control layer on networking hardware in order to reduce management complexity. Sniffing captures network packets for analysis. QoS monitoring may rely on sniffing, but sniffing itself is not QoS.

35
Q

You are configuring a VPN to provide secure communications between systems. You want to minimize the information left in plaintext by the encryption mechanism of the chosen solution. Which IPsec mode provides for encryption of complete packets, including header information?

A. Transport
B. Encapsulating Security Payload
C. Authentication Header
D. Tunnel

A

D. When IPsec is used in tunnel mode, the entire original packet, header included, is encrypted and wrapped inside a new IP packet; only the new outer header needed to deliver it between the tunnel endpoints (typically the two VPN gateways) remains in plaintext. Transport mode encrypts only the original payload and leaves the original header readable. Encapsulating Security Payload (ESP) is the IPsec protocol that performs the encryption, not a mode of the VPN connection. Authentication Header (AH) is the IPsec protocol that provides integrity and authentication, and it encrypts nothing.

36
Q

Internet Protocol Security (IPsec) is a standard of IP security extensions used as an add-on for IPv4 and integrated into IPv6. What IPsec component provides assurances of message integrity and nonrepudiation?

A. Authentication Header
B. Encapsulating Security Payload
C. IP Payload Compression protocol
D. Internet Key Exchange

A

A. Authentication Header (AH) provides assurances of message integrity and nonrepudiation. (Strictly speaking, AH's integrity check value is an HMAC under a key both peers share, so it proves data origin to the other peer rather than nonrepudiation toward a third party; the answer key nonetheless pairs AH with nonrepudiation.) Encapsulating Security Payload (ESP) provides confidentiality and integrity of payload contents. ESP also provides encryption, offers limited authentication, and prevents replay attacks. IP Payload Compression (IPComp) compresses data before ESP encrypts it, because ciphertext does not compress; this helps keep up with wire-speed transmission. Internet Key Exchange (IKE) is the mechanism of IPsec that negotiates and manages cryptographic keys; IKEv1 was composed of three elements: OAKLEY, SKEME, and ISAKMP.

37
Q

When you’re designing a security system for internet-delivered email, which of the following is least important?

A. Nonrepudiation
B. Data remanent destruction
C. Message integrity
D. Access restriction

A

B. Data remanent destruction is a security concern related to storage technologies more so than an email solution. Essential email concepts, which local systems can enforce and protect, include nonrepudiation, message integrity, and access restrictions.

38
Q

You have been tasked with crafting the organization’s email retention policy. Which of the following is typically not an element that must be discussed with end users in regard to email retention policies?

A. Privacy
B. Auditor review
C. Length of retainer
D. Backup method

A

D. The backup method is not an important factor to discuss with end users regarding email retention. The details of an email retention policy may need to be shared with affected subjects, which may include privacy implications, how long the messages are maintained (i.e., length of retainer), and for what purposes the messages can be used (such as auditing or violation investigations).

39
Q

Modern networks are built on multilayer protocols, such as TCP/IP. This provides for flexibility and resiliency in complex network structures. All of the following are implications of multilayer protocols except which one?

A. VLAN hopping
B. Multiple encapsulation
C. Filter evasion using tunneling
D. Static IP addressing

A

D. Static IP addressing is not an implication of multilayer protocols; it is a feature of the IP protocol when an address is defined on the local system rather than being dynamically assigned by DHCP. Multilayer protocols include the risk of VLAN hopping, multiple encapsulation, and filter evasion using tunneling.

40
Q

Which of the following is a type of connection that can be described as a logical circuit that always exists and is waiting for the customer to send data?

A. SDN
B. PVC
C. VPN
D. SVC

A

B. A permanent virtual circuit (PVC) can be described as a logical circuit that always exists and is waiting for the customer to send data. Software-defined networking (SDN) is a unique approach to network operation, design, and management. SDN aims at separating the infrastructure layer (hardware and hardware-based settings) from the control layer (network services of data transmission management). A virtual private network (VPN) is a communication channel between two entities across an intermediary untrusted network. A switched virtual circuit (SVC) has to be created each time it is needed using the best paths currently available before it can be used and then disassembled after the transmission is complete.

41
Q

An organization is considering creating a cloud-based federation using a third-party service to share federated identities. After it’s completed, what will people use as their login ID?

A. Their normal account
B. An account given to them from the cloud-based federation
C. Hybrid identity management
D. Single-sign on

A

A. In a federation, people keep logging on with their normal account. The organization's identity provider authenticates them and asserts that identity to the cloud-based federation service and its partners, so no separate account issued by the federation is needed. Hybrid identity management describes combining on-premises and cloud identity management; it is not a login ID. Single sign-on (SSO) is the benefit a federation delivers, not something a user types at logon.

42
Q

Which of the following best expresses the primary goal when controlling access to assets?

A. Preserve confidentiality, integrity, and availability of systems and data.
B. Ensure that only valid objects can authenticate on a system.
C. Prevent unauthorized access to subjects.
D. Ensure that all subjects are authenticated.

A

A. A primary goal when controlling access to assets is to protect against losses, including any loss of confidentiality, loss of availability, or loss of integrity. Subjects authenticate on a system, but objects do not authenticate. Subjects access objects, but objects do not access subjects. Identification and authentication are important as the first step in access control, but much more is needed to protect assets.

43
Q

Which of the following is true related to a subject?

A. A subject is always a user account.
B. The subject is always the entity that provides or hosts information or data.
C. The subject is always the entity that receives information about or data from an object.
D. A single entity can never change roles between subject and object.

A

C. The subject is active and is always the entity that receives information about, or data from, the object. A subject can be a user, a program, a process, a file, a computer, a database, and so on. The object is always the entity that provides or hosts information or data. The roles of subject and object can switch while two entities communicate to accomplish a task.

44
Q

Based on advice from the National Institute of Standards and Technology (NIST), when should regular users be required to change their passwords?

A. Every 30 days
B. Every 60 days
C. Every 90 days
D. Only if the current password is compromised

A

D. NIST SP 800-63B (Section 5.1.1.2) states that verifiers should not require memorized secrets to be changed arbitrarily, such as periodically, but shall force a change if there is evidence that the password has been compromised. NIST does not recommend that users be required to change their password regularly at any interval.

45
Q

Security administrators have learned that users are switching between two passwords. When the system prompts them to change their password, they use the second password. When the system prompts them to change their password again, they use the first password. What can prevent users from rotating between two passwords?

A. Password complexity
B. Password history
C. Password length
D. Password age

A

B. Password history can prevent users from rotating between two passwords because the system remembers previously used passwords (as hashes) and rejects their reuse. Pair it with a minimum password age; without one, a user can cycle through the entire history in a few minutes and land back on the original password. Password complexity and password length help ensure that users create strong passwords. Password age (maximum age) ensures that users change their password regularly.

46
Q

Which of the following best identifies the benefit of a passphrase?

A. It is short.
B. It is easy to remember.
C. It includes a single set of characters.
D. It is easy to crack.

A

B. A passphrase is a long string of characters that is easy to remember, such as IP@$$edTheCISSPEx@m. It is not short and typically includes at least three sets of character types. It is strong and complex, making it difficult to crack.

47
Q

Your organization issues devices to employees. These devices generate onetime passwords every 60 seconds. A server hosted within the organization knows what this password is at any given time. What type of device is this?

A. Synchronous token
B. Asynchronous token
C. Smartcard
D. Common access card

A

A. A synchronous token generates and displays onetime passwords that are synchronized with an authentication server, typically by time: both sides derive the code from a shared seed and the current time window, as standardized in TOTP (RFC 6238). An asynchronous token uses a challenge-response process to generate the onetime password. Smartcards do not generate onetime passwords, and common access cards are a version of a smartcard that includes a picture of the user.

48
Q

What does the CER for a biometric device indicate?

A. It indicates that the sensitivity is too high.
B. It indicates that the sensitivity is too low.
C. It indicates the point where the false rejection rate equals the false acceptance rate.
D. When high enough, it indicates the biometric device is highly accurate.

A

C. The point at which the biometric false rejection rate and the false acceptance rate are equal is the crossover error rate (CER). It does not indicate that sensitivity is too high or too low. A lower CER indicates a higher-quality biometric device, and a higher CER indicates a less accurate device.

49
Q

Sally has a user account and has previously logged on using a biometric system. Today, the biometric system didn’t recognize her, so she wasn’t able to log on. What does this describe?

A. False rejection
B. False acceptance
C. Crossover error
D. Equal error

A

A. A false rejection, sometimes called a false negative authentication or a Type I error, occurs when an authentication doesn’t recognize a valid subject (Sally in this example). A false acceptance, sometimes called a false positive authentication or a Type II error, occurs when an authentication system incorrectly recognizes an invalid subject. Crossover errors and equal errors aren’t valid terms related to biometrics. However, the crossover error rate (also called equal error rate) compares the false rejection rate to the false acceptance rate and provides an accuracy measurement for a biometric system.
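
Worked example (added here; not from the book) for this card and the CER card before it: computing FAR, FRR and the crossover error rate from a threshold sweep. The match scores are constructed (a hypothetical matcher scoring 0 to 100), so the numbers demonstrate the method, not any real device.

```python
from typing import Iterable, Sequence, Tuple

# Constructed match scores from a hypothetical fingerprint matcher (higher = better match).
GENUINE = [91, 88, 95, 72, 83, 60, 97, 79, 86, 55]   # enrolled user vs. their own finger
IMPOSTOR = [12, 30, 45, 58, 22, 65, 35, 48, 27, 40]  # enrolled user vs. someone else's finger


def error_rates(genuine: Sequence[int], impostor: Sequence[int], threshold: int) -> Tuple[float, float]:
    """Return (FAR, FRR) when scores at or above the threshold are accepted."""
    far = sum(s >= threshold for s in impostor) / len(impostor)   # false acceptance, Type II
    frr = sum(s < threshold for s in genuine) / len(genuine)      # false rejection, Type I
    return far, frr


def crossover(genuine: Sequence[int], impostor: Sequence[int],
              thresholds: Iterable[int]) -> Tuple[int, float]:
    """Threshold at which FAR and FRR are closest, and the CER (their mean there)."""
    candidates = list(thresholds)

    def gap(t: int) -> float:
        far, frr = error_rates(genuine, impostor, t)
        return abs(far - frr)

    best = min(candidates, key=gap)
    far, frr = error_rates(genuine, impostor, best)
    return best, (far + frr) / 2


if __name__ == "__main__":
    for t in range(0, 101, 10):
        far, frr = error_rates(GENUINE, IMPOSTOR, t)
        print(f"threshold {t:3}: FAR={far:.2f} FRR={frr:.2f}")
    print("crossover (threshold, CER):", crossover(GENUINE, IMPOSTOR, range(0, 101, 5)))
```

Reading the sweep shows the two errors trading off: raising the threshold (sensitivity up) drives FAR toward zero while FRR climbs, so Sally-style false rejections become more common; lowering it does the reverse. The crossover is the single-number summary a purchaser compares between devices, and a lower value is better.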

50
Q

Users log on with a username when accessing the company network from home. Management wants to implement a second factor of authentication for these users. They want a secure solution, but they also want to limit costs. Which of the following best meets these requirements?

A. Short Message Service (SMS)
B. Fingerprint scans
C. Authenticator app
D. Personal identification number (PIN)

A

C. An authenticator app on a smartphone or tablet is the best solution: it provides a something-you-have factor at essentially no per-user hardware cost. SMS has known weaknesses (SIM swapping and interception of the carrier network), and NIST SP 800-63B classifies SMS and other PSTN out-of-band authentication as a restricted authenticator type. Biometric methods such as fingerprint scans provide strong authentication, but purchasing biometric readers for each employee's home would be expensive. A PIN, like a password, belongs to the something-you-know factor, so combining the two does not yield two-factor authentication.

51
Q

Which of the following provides authentication based on a physical characteristic of a subject?

A. Account ID
B. Biometrics
C. Token
D. PIN

A

B. Physical biometric methods such as fingerprints and iris scans provide authentication for subjects. An account ID provides identification. A token is something you have, and it creates onetime passwords, but it is not related to physical characteristics. A personal identification number (PIN) is something you know.

52
Q

Fingerprint readers match minutiae from a fingerprint with data in a database. Which of the following accurately identify fingerprint minutiae? (Choose three.)

A. Vein pattern
B. Ridges
C. Bifurcations
D. Whorls

A

B, C, D. Ridges, bifurcations, and whorls are fingerprint minutiae. Ridges are the lines in a fingerprint. Some ridges abruptly end, and some ridges bifurcate or fork into branch ridges. Whorls are a series of circles. Palm scans measure vein patterns in a palm.

53
Q

An organization wants to implement biometrics for authentication, but management doesn’t want to use fingerprints. Which of the following is the most likely reason why management doesn’t want to use fingerprints?

A. Fingerprints can be counterfeited.
B. Fingerprints can be changed.
C. Fingerprints aren’t always available.
D. Registration takes too long.

A

A. Fingerprints can be counterfeited or duplicated. It is not possible to change fingerprints. Users will always have a finger available (except for major medical events), so they will always have a fingerprint available. It usually takes less than a minute for registration of a fingerprint.

54
Q

Which of the following items are required to ensure logs accurately support accountability? (Choose two.)

A. Identification
B. Authorization
C. Auditing
D. Authentication

A

A, D. Accurate identification and authentication are required to support accountability. Logs record events, including who took an action, but without accurate identification and authentication, the logs can’t be relied on. Authorization grants access to resources after proper authentication. Auditing occurs after logs are created, but identification and authentication must occur first.

55
Q

Management wants to ensure that an IT network supports accountability. Which of the following is necessary to meet this requirement?

A. Identification
B. Integrity
C. Authentication
D. Confidentiality

A

C. Authentication is necessary to ensure a network supports accountability. Note that authentication indicates that a user claimed an identity such as with a username and proved the identity such as with a password. In other words, valid authentication includes identification. However, identification doesn’t include authentication. If users could just claim an identity without proving it’s their identity, the system doesn’t support accountability. Audit trails (not available as a possible answer) help provide accountability as long as users have authenticated. Integrity provides assurances that unauthorized entities have not modified data or system settings. Confidentiality ensures that unauthorized entities can’t access sensitive data and is unrelated to this question.

56
Q

A company’s security policy states that user accounts should be disabled during the exit interview for any employee leaving the company. Which of the following is the most likely reason for this policy?

A. To remove the account
B. To remove privileges assigned to the account
C. To prevent sabotage
D. To encrypt user data

A

C. The most likely reason (of the provided options) is to prevent sabotage. If the user’s account remains enabled, the user may log on later and cause damage. Disabling the account doesn’t remove the account or remove assigned privileges. Disabling an account doesn’t encrypt any data, but it does retain encryption keys that supervisors can use to decrypt any data encrypted by the user.

57
Q

When employees leave an organization, personnel either delete or disable accounts. In which of the following situations would they most likely delete an account?

A. An administrator who has used their account to run services left the organization.
B. A disgruntled employee who encrypted files with their account left the organization.
C. An employee has left the organization and will start a new job tomorrow.
D. A temporary employee using a shared account will not return to the organization.

A

C. The most likely reason to delete the account (of the provided options) is if an employee left the organization and will start a new job tomorrow. It would not be appropriate to delete the account for any other answer options. If an administrator used their account to run services, deleting their account would prevent the services from running. It would be appropriate to disable the account of a disgruntled employee. If this employee encrypted data with their account, deleting the account would prevent access to the encrypted data. It would be appropriate to change the password of a shared account used by temporary employees.

58
Q

Karen is taking maternity leave and will be away from the job for at least 12 weeks. Which of the following actions should be taken while she is taking this leave of absence?

A. Delete the account.
B. Reset the account’s password.
C. Do nothing.
D. Disable the account.

A

D. It’s appropriate to disable an account when an employee takes a leave of absence of 30 days or more. The account should not be deleted because the employee will return after the leave of absence. If the password is reset, someone could still log on. If nothing is done to the account, someone else may access it and impersonate the employee.

59
Q

Security investigators discovered that after attackers exploited a database server, they identified the password for the sa account. They then used this to access other servers in the network. What can be implemented to prevent this from happening in the future?

A. Account deprovisioning
B. Disabling an account
C. Account access review
D. Account revocation

A

C. Account access reviews can detect security issues for service accounts such as the sa (short for system administrator) account in Microsoft SQL Server systems. Reviews can ensure that service account passwords are strong and changed often. The other options suggest removing, disabling, or deleting the sa account, but doing so is likely to affect the database server’s performance. Account deprovisioning ensures accounts are removed when they are no longer needed. Disabling an account ensures it isn’t used, and account revocation deletes the account.

60
Q

Fred, an administrator, has been working within an organization for over 10 years. He previously maintained database servers while working in a different division. He now works in the programming department but still retains privileges on the database servers. He recently modified a setting on a database server so that a script he wrote will run. Unfortunately, his change disabled the server for several hours before database administrators discovered the change and reversed it. Which of the following could have prevented this outage?

A. A policy requiring strong authentication
B. Multifactor authentication
C. Logging
D. Account access review

A

D. A periodic account access review can discover when users have more privileges than they need and could have been used to discover that this employee had permissions from several positions. Strong authentication methods (including multifactor authentication methods) would not have prevented the problems in this scenario. Logging records what happened, but it doesn’t prevent events.

61
Q

Which of the following best describes an implicit deny principle?

A. All actions that are not expressly denied are allowed.
B. All actions that are not expressly allowed are denied.
C. All actions must be expressly denied.
D. None of the above.

A

B. The implicit deny principle ensures that access to an object is denied unless access has been expressly allowed (or explicitly granted) to a subject. It does not allow all actions that are not denied, and it doesn’t require all actions to be denied.

62
Q

A table includes multiple objects and subjects, and it identifies the specific access each subject has to different objects. What is this table?

A. Access control list
B. Access control matrix
C. Federation
D. Creeping privilege

A

B. An access control matrix includes multiple objects and subjects. It identifies access granted to subjects (such as users) to objects (such as files). A single list of subjects for any specific object within an access control matrix is an access control list. A federation refers to a group of companies that share a federated identity management (FIM) system for single sign-on (SSO). Creeping privileges refers to excessive privileges a subject gathers over time.
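
Worked example (added here; not from the book) for this card and the implicit-deny card before it: a small access control matrix in Python, the ACL and capability views derived from it, and an access check that denies anything not expressly granted. The subjects, objects and rights are constructed; the default-allow variant at the end is included only to show what the implicit deny principle prevents.

```python
from typing import Dict, Set, Tuple

# Constructed access control matrix: rows are subjects, columns are objects,
# cells hold the granted rights. A missing cell is not "unknown"; it is a denial.
MATRIX: Dict[str, Dict[str, Set[str]]] = {
    "alice":      {"payroll.xlsx": {"read", "write"}, "policy.pdf": {"read"}},
    "bob":        {"policy.pdf": {"read"}},
    "svc-backup": {"payroll.xlsx": {"read"}, "policy.pdf": {"read"}},
}


def is_allowed(subject: str, obj: str, right: str) -> bool:
    """Implicit deny: only an explicit grant in the cell returns True.
    Unknown subjects, unknown objects and unlisted rights all fall through to False."""
    return right in MATRIX.get(subject, {}).get(obj, set())


def acl_for(obj: str) -> Dict[str, Set[str]]:
    """One column of the matrix is the object's access control list."""
    return {s: rights[obj] for s, rights in MATRIX.items() if obj in rights}


def capabilities_for(subject: str) -> Dict[str, Set[str]]:
    """One row of the matrix is the subject's capability list."""
    return dict(MATRIX.get(subject, {}))


# The anti-pattern: default allow with an explicit deny list. Everything not on the list passes.
DENY: Set[Tuple[str, str, str]] = {("bob", "payroll.xlsx", "write")}


def is_allowed_default_allow(subject: str, obj: str, right: str) -> bool:
    return (subject, obj, right) not in DENY


if __name__ == "__main__":
    for subject, obj, right in [("alice", "payroll.xlsx", "write"),
                                ("bob", "payroll.xlsx", "read"),
                                ("mallory", "payroll.xlsx", "write")]:
        print(f"{subject:8} {right:5} {obj:13} implicit-deny={is_allowed(subject, obj, right)!s:5} "
              f"default-allow={is_allowed_default_allow(subject, obj, right)}")
    print("ACL for policy.pdf     :", acl_for("policy.pdf"))
    print("capabilities for bob   :", capabilities_for("bob"))
```

The mallory row is the lesson: under implicit deny a subject who appears nowhere in the matrix gets nothing, while under the deny-list design the same subject can write payroll.xlsx simply because nobody wrote a rule against it. Firewalls, IAM policies and file ACLs all evaluate this way when configured correctly; the final catch-all rule must be a deny.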

63
Q

You are reviewing access control models and want to implement a model that allows the owner of an object to grant privileges to other users. Which of the following meets this requirement?

A. Mandatory Access Control (MAC) model
B. Discretionary Access Control (DAC) model
C. Role-Based Access Control (RBAC) model
D. Rule-based access control model

A

B. A discretionary access control model allows the owner (or data custodian) of a resource to grant permissions at the owner’s discretion. The other answers (MAC, RBAC, and rule-based access control) are nondiscretionary models.

64
Q

Which of the following access control models allows the owner of data to modify permissions?

A. Discretionary Access Control (DAC)
B. Mandatory Access Control (MAC)
C. Rule-based access control
D. Risk-based access control

A

A. The DAC model allows the owner of data to modify permissions on the data. In the DAC model, objects have owners, and the owners can grant or deny access to objects that they own. The MAC model uses labels to assign access based on a user’s need to know and organization policies. A rule-based access control model uses rules to grant or block access. A risk-based access control model examines the environment, the situation, and policies coded in software to determine access.

65
Q

A central authority determines which files a user can access based on the organization’s hierarchy. Which of the following best describes this?

A. DAC model
B. An access control list (ACL)
C. Rule-based access control model
D. RBAC model

A

D. A role-based access control (RBAC) model can group users into roles based on the organization’s hierarchy, and it is a nondiscretionary access control model. A nondiscretionary access control model uses a central authority to determine which objects subjects can access. In contrast, a Discretionary Access Control (DAC) model allows users to grant or reject access to any objects they own. An ACL is an example of a rule-based access control model that uses rules, not roles.

66
Q

Which of the following statements is true related to the RBAC model?

A. A RBAC model allows users membership in multiple groups.
B. A RBAC model allows users membership in a single group.
C. A RBAC model is nonhierarchical.
D. A RBAC model uses labels.

A

A. The role-based access control (RBAC) model is based on role or group membership, and users can be members of multiple groups. Users are not limited to only a single role. RBAC models are based on the hierarchy of an organization, so they are hierarchy based. The mandatory access control (MAC) model uses assigned labels to identify access.

67
Q

You are reviewing different access control models. Which of the following best describes a rule-based access control model?

A. It uses local rules applied to users individually.
B. It uses global rules applied to users individually.
C. It uses local rules applied to all users equally.
D. It uses global rules applied to all users equally.

A

D. A rule-based access control model uses global rules applied to all users and other subjects equally. It does not apply rules locally or to individual users.

68
Q

Your organization is considering deploying a software-defined network (SDN) in the data center. Which of the following access control models is commonly used in a SDN?

A. Mandatory Access Control (MAC) model
B. Attribute-Based Access Control (ABAC) model
C. Role-Based Access Control (RBAC) model
D. Discretionary Access Control (DAC) model

A

B. The ABAC model is commonly used in SDNs. None of the other answers are normally used in SDNs. The MAC model uses labels to define access, and the RBAC model uses groups. In the DAC model, the owner grants access to others.

69
Q

The MAC model supports different environment types. Which of the following grants users access using predefined labels for specific objects?

A. Compartmentalized environment
B. Hierarchical environment
C. Centralized environment
D. Hybrid environment

A

B. In a hierarchical environment, the various classification labels are assigned in an ordered structure from low security to high security. The mandatory access control (MAC) model supports three environments: hierarchical, compartmentalized, and hybrid. A compartmentalized environment ignores the levels, and instead only allows access for individual compartments on any level. A hybrid environment is a combination of a hierarchical and compartmentalized environment. A MAC model doesn’t use a centralized environment.

70
Q

Which of the following access control models identifies the upper and lower bounds of access for subjects with labels?

A. Nondiscretionary access control
B. Mandatory Access Control (MAC)
C. Discretionary Access Control (DAC)
D. Attribute-Based Access Control (ABAC)

A

B. The MAC model uses labels to identify the upper and lower bounds of classification levels, and these define the level of access for subjects. MAC is a nondiscretionary access control model that uses labels. However, not all nondiscretionary access control models use labels. DAC and ABAC models do not use labels.

71
Q

Which of the following access control models uses labels and is commonly referred to as a lattice-based model?

A. DAC
B. Nondiscretionary
C. MAC
D. RBAC

A

C. Mandatory access control (MAC) models rely on the use of labels for subjects and objects. They look similar to a lattice when drawn, so the MAC model is often referred to as a lattice-based model. None of the other answers use labels. Discretionary Access Control (DAC) models allow an owner of an object to control access to the object. Nondiscretionary access controls have centralized management, such as a rule-based access control model deployed on a firewall. Role-based access control (RBAC) models define a subject’s access based on job-related roles.
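
Worked example (added here; not from the book) for this card and the two before it: the MAC lattice in Python. A label is a hierarchical level plus a set of compartments; one label dominates another when its level is at least as high and its compartments are a superset. The hierarchical, compartmentalized and hybrid environments are just the cases where one or both parts vary, and the upper and lower bounds the earlier card mentions are the join and meet of two labels. The level names and compartment names are constructed.

```python
from dataclasses import dataclass
from typing import FrozenSet

# Hierarchical part of the lattice: ordered classification levels, low to high.
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top secret": 3}


@dataclass(frozen=True)
class Label:
    level: str
    compartments: FrozenSet[str] = frozenset()   # the compartmentalized (need-to-know) part


def dominates(a: Label, b: Label) -> bool:
    """a >= b in the lattice: at least as high a level AND a superset of compartments."""
    return LEVELS[a.level] >= LEVELS[b.level] and a.compartments >= b.compartments


def can_read(subject: Label, obj: Label) -> bool:
    """Simple security property (no read up): the clearance must dominate the object's label."""
    return dominates(subject, obj)


def can_write(subject: Label, obj: Label) -> bool:
    """*-property (no write down): the object's label must dominate the clearance."""
    return dominates(obj, subject)


def join(a: Label, b: Label) -> Label:
    """Least upper bound: the lowest label that dominates both (what a merged document needs)."""
    return Label(max(a.level, b.level, key=LEVELS.__getitem__), a.compartments | b.compartments)


def meet(a: Label, b: Label) -> Label:
    """Greatest lower bound: the highest label both dominate (what two subjects may both read)."""
    return Label(min(a.level, b.level, key=LEVELS.__getitem__), a.compartments & b.compartments)


if __name__ == "__main__":
    analyst = Label("secret", frozenset({"NUC"}))
    nuc_report = Label("secret", frozenset({"NUC"}))
    crypto_report = Label("secret", frozenset({"CRYPTO"}))
    briefing = Label("top secret")
    print("hierarchical: analyst reads TS briefing?", can_read(analyst, briefing))
    print("compartmented: analyst reads CRYPTO report?", can_read(analyst, crypto_report))
    print("hybrid: merged report must carry", join(nuc_report, crypto_report))
    print("analyst may write up to briefing?", can_write(analyst, briefing))
```

Two labels with different compartments at the same level are incomparable: neither dominates the other, which is why the structure is a lattice rather than a simple ladder and why the merged document takes the join of both labels.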

72
Q

Management wants users to use multifactor authentication any time they access cloud-based resources. Which of the following access control models can meet this requirement?

A. Risk-based access control
B. Mandatory Access Control (MAC)
C. Role-Based Access Control (RBAC)
D. Discretionary Access Control (DAC)

A

A. A risk-based access control model can require users to authenticate with multifactor authentication. None of the other access control models listed can evaluate how a user has logged on. A MAC model uses labels to grant access. An RBAC model grants access based on job roles or groups. In a DAC model, the owner grants access to resources.

73
Q

Which of the following access control models determines access based on the environment and the situation?

A. Risk-based access control
B. Mandatory Access Control (MAC)
C. Role-Based Access Control (RBAC)
D. Attribute-Based Access Control (ABAC)

A

A. A risk-based access control model evaluates the environment and the situation and then makes access decisions based on coded policies. A MAC model grants access using labels. An RBAC model uses a well-defined collection of named job roles for access control. Administrators grant each job role with the privileges they need to perform their jobs. An ABAC model uses attributes to grant access and is often used in software-defined networks (SDNs).

74
Q

A cloud-based provider has implemented an SSO technology using JSON Web Tokens. The tokens provide authentication information and include user profiles. Which of the following best identifies this technology?

A. OIDC
B. OAuth
C. SAML
D. OpenID

A

A. OpenID Connect (OIDC) uses a JavaScript Object Notation (JSON) Web Token (JWT) that provides both authentication and profile information for internet-based single sign-on (SSO). None of the other answers use tokens. OIDC is built on the OAuth 2.0 framework. OpenID provides authentication but doesn’t include profile information.

75
Q

Some users in your network are having problems authenticating with a Kerberos server. While troubleshooting the problem, you verified you can log on to your regular work computer. However, you are unable to log on to the user’s computer with your credentials. Which of the following is most likely to solve this problem?

A. Advanced Encryption Standard (AES)
B. Network Access Control (NAC)
C. Security Assertion Markup Language (SAML)
D. Network Time Protocol (NTP)

A

D. Configuring a central computer to synchronize its time with an external NTP server, and all other systems to synchronize their time with that NTP source, will likely solve the problem and is the best choice of the available options. Kerberos requires computer times to be within 5 minutes of each other, and the scenario, along with the available answers, suggests that the user’s computer is not synchronized with the Kerberos server. Kerberos uses AES. However, because the user successfully logs on to one computer, it indicates Kerberos is working and AES is installed. NAC checks a system’s health after the user authenticates. NAC doesn’t prevent a user from logging on. Some federated systems use SAML, but Kerberos doesn’t require SAML.

76
Q

Your organization has a large network supporting thousands of employees, and it utilizes Kerberos. Of the following choices, what is the primary purpose of Kerberos?

A. Confidentiality
B. Integrity
C. Authentication
D. Accountability

A

C. The primary purpose of Kerberos is authentication, since it allows users to prove their identity. It also provides a measure of confidentiality and integrity using symmetric key encryption, but these are not the primary purpose. Kerberos does not include logging capabilities, so it does not provide accountability.

77
Q

What is the function of the network access server within a RADIUS architecture?

A. Authentication server
B. Client
C. AAA server
D. Firewall

A

B. The network access server is the client within a RADIUS architecture. The RADIUS server is the authentication server, and it provides authentication, authorization, and accounting (AAA) services. The network access server might have a host firewall enabled, but that isn’t the primary function.

78
Q

Larry manages a Linux server. Occasionally, he needs to run commands that require root-level privileges. Management wants to ensure that an attacker cannot run these commands if the attacker compromises Larry’s account. Which of the following is the best choice?

A. Grant Larry sudo access.
B. Give Larry the root password.
C. Add Larry’s account to the administrator’s group.
D. Add Larry’s account to the LocalSystem account.

A

B. The best choice is to give the administrator the root password. The administrator would enter it manually when running commands that need elevated privileges by running the su command. If the user is granted sudo access, it would allow the user to run commands requiring root-level privileges, under the context of the user account. If an attacker compromised the user account, the attacker could run the elevated commands with sudo. Linux systems don’t have an administrator group or a LocalSystem account.

79
Q

An attacker used a tool to exploit a weakness in NTLM. They identified an administrator’s user account. Although the attacker didn’t discover the administrator’s password, they did access remote systems by impersonating the administrator. Which of the following best identifies this attack?

A. Pass the ticket
B. Golden ticket
C. Rainbow table
D. Pass the hash

A

D. NTLM is known to be susceptible to pass-the-hash attacks, and this scenario describes a pass-the-hash attack. Kerberos attacks attempt to manipulate tickets, such as in pass-the-ticket and golden ticket attacks, but these are not NTLM attacks. A rainbow table attack uses a rainbow table in an offline brute-force attack.

80
Q

Your organization recently suffered a major data breach. After an investigation, security analysts discovered that attackers were using golden tickets to access network resources. Which of the following did the attackers exploit?

A. RADIUS
B. SAML
C. Kerberos
D. OIDC

A

C. Attackers can create golden tickets after successfully exploiting Kerberos and obtaining the Kerberos service account (KRBTGT). Golden tickets are not associated with Remote Authentication Dial-in User Service (RADIUS), Security Assertion Markup Language (SAML), or OpenID Connect (OIDC).

81
Q

Which one of the following tools is used primarily to perform network discovery scans?

A. Nmap
B. OpenVAS
C. Metasploit Framework
D. lsof

A

A. Nmap is a network discovery scanning tool that reports the open ports on a remote system and the firewall status of those ports. OpenVAS is a network vulnerability scanning tool. Metasploit Framework is an exploitation framework used in penetration testing. lsof is a Linux command used to list open files on a system.

82
Q

Adam recently ran a network port scan of a web server running in his organization. He ran the scan from an external network to get an attacker’s perspective on the scan. Which one of the following results is the greatest cause for alarm?

A. 80/open
B. 22/filtered
C. 443/open
D. 1433/open

A

D. Only open ports represent potentially significant security risks. Ports 80 and 443 are expected to be open on a web server. Port 1433 is a database port and should never be exposed to an external network. Port 22 is used for the Secure Shell protocol (SSH), and the filtered status indicates that nmap can’t determine whether it is open or closed. This situation does require further investigation, but it is not as alarming as a definitely exposed database server port.

83
Q

Which one of the following factors should not be taken into consideration when planning a security testing schedule for a particular system?

A. Sensitivity of the information stored on the system
B. Difficulty of performing the test
C. Desire to experiment with new testing tools
D. Desirability of the system to attackers

A

C. The sensitivity of information stored on the system, difficulty of performing the test, and likelihood of an attacker targeting the system are all valid considerations when planning a security testing schedule. The desire to experiment with new testing tools should not influence the production testing schedule.

84
Q

Which one of the following is not normally included in a security assessment?

A. Vulnerability scan
B. Risk assessment
C. Mitigation of vulnerabilities
D. Threat assessment

A

C. Security assessments include many types of tests designed to identify vulnerabilities, and the assessment report normally includes recommendations for mitigation. The assessment does not, however, include actual mitigation of those vulnerabilities.

85
Q

Who is the intended audience for a security assessment report?

A. Management
B. Security auditor
C. Security professional
D. Customers

A

A. Security assessment reports should be addressed to the organization’s management. For this reason, they should be written in plain English and avoid technical jargon.

86
Q

Wendy is considering the use of a vulnerability scanner in her organization. What is the proper role of a vulnerability scanner?

A. They actively scan for intrusion attempts.
B. They serve as a form of enticement.
C. They locate known security holes.
D. They automatically reconfigure a system to a more secured state.

A

C. Vulnerability scanners are used to test a system for known security vulnerabilities and weaknesses. They are not active detection tools for intrusion, they offer no form of enticement, and they do not configure system security. In addition to testing a system for security weaknesses, they produce evaluation reports and make recommendations.

87
Q

Alan ran an nmap scan against a server and determined that port 80 is open on the server. What tool would likely provide him the best additional information about the server’s purpose and the identity of the server’s operator?

A. SSH
B. Web browser
C. Telnet
D. Ping

A

B. The server is likely running a website on port 80. Using a web browser to access the site may provide important information about the site’s purpose.

88
Q

What port is typically used to accept administrative connections using the SSH utility?

A. 20
B. 22
C. 25
D. 80

A

B. The SSH protocol uses port 22 to accept administrative connections to a server.

89
Q

Which one of the following tests provides the most accurate and detailed information about the security state of a server?

A. Unauthenticated scan
B. Port scan
C. Half-open scan
D. Authenticated scan

A

D. Authenticated scans can read configuration information from the target system and reduce the instances of false positive and false negative reports.

90
Q

What type of network discovery scan only uses the first two steps of the TCP handshake?

A. TCP connect scan
B. Xmas scan
C. TCP SYN scan
D. TCP ACK scan

A

C. The TCP SYN scan sends a SYN packet and receives a SYN ACK packet in response, but it does not send the final ACK required to complete the three-way handshake.

91
Q

Matthew would like to test systems on his network for SQL injection vulnerabilities. Which one of the following tools would be best suited to this task?

A. Port scanner
B. Network vulnerability scanner
C. Network discovery scanner
D. Web vulnerability scanner

A

D. SQL injection attacks are web vulnerabilities, and Matthew would be best served by a web vulnerability scanner. A network vulnerability scanner might also pick up this vulnerability, but the web vulnerability scanner is specifically designed for the task and more likely to be successful.

92
Q

Badin Industries runs a web application that processes e-commerce orders and handles credit card transactions. As such, it is subject to the Payment Card Industry Data Security Standard (PCI DSS). The company recently performed a web vulnerability scan of the application and it had no unsatisfactory findings. How often must Badin rescan the application?

A. Only if the application changes
B. At least monthly
C. At least annually
D. There is no rescanning requirement.

A

C. PCI DSS requires that Badin rescan the application at least annually and after any change in the application.

93
Q

Grace is performing a penetration test against a client’s network and would like to use a tool to assist in automatically executing common exploits. Which one of the following security tools will best meet her needs?

A. nmap
B. Metasploit Framework
C. OpenVAS
D. Nikto

A

B. Metasploit Framework is an automated exploit tool that allows attackers to easily execute common attack techniques. Nmap is a port scanning tool. OpenVAS is a network vulnerability scanner, and Nikto is a web application scanner. While these other tools might identify potential vulnerabilities, they do not go as far as to exploit them.

94
Q

Paul would like to test his application against slightly modified versions of previously used input. What type of test does Paul intend to perform?

A. Code review
B. Application vulnerability review
C. Mutation fuzzing
D. Generational fuzzing

A

C. Mutation fuzzing uses bit flipping and other techniques to slightly modify previous inputs to a program in an attempt to detect software flaws.

95
Q

Users of a banking application may try to withdraw funds that don’t exist from their account. Developers are aware of this threat and implemented code to protect against it. What type of software testing would most likely catch this type of vulnerability if the developers have not already remediated it?

A. Misuse case testing
B. SQL injection testing
C. Fuzzing
D. Code review

A

A. Misuse case testing identifies known ways that an attacker might exploit a system and tests explicitly to see if those attacks are possible in the proposed code.

96
Q

What type of interface testing would identify flaws in a program’s command-line interface?

A. Application programming interface testing
B. User interface testing
C. Physical interface testing
D. Security interface testing

A

B. User interface testing includes assessments of both graphical user interfaces (GUIs) and command-line interfaces (CLIs) for a software program.

97
Q

During what type of penetration test does the tester always have access to system configuration information?

A. Black-box penetration test
B. White-box penetration test
C. Gray-box penetration test
D. Red-box penetration test

A

B. During a white-box penetration test, the testers have access to detailed configuration information about the system being tested.

98
Q

What port is typically open on a system that runs an unencrypted HTTP server?

A. 22
B. 80
C. 143
D. 443

A

B. Unencrypted HTTP communications take place over TCP port 80 by default.

99
Q

Robert recently completed a SOC engagement for a customer and is preparing a report that describes his firm’s opinion on the suitability and effectiveness of security controls after evaluating them over a six-month period. What type of report is he preparing?

A. Type I
B. Type II
C. Type III
D. Type IV

A

B. There are only two types of SOC report: Type I and Type II. Both reports provide information on the suitability of the design of security controls. Only a Type II report also provides an opinion on the operating effectiveness of those controls over an extended period of time.

100
Q

What information security management task ensures that the organization’s data protection requirements are met effectively?

A. Account management
B. Backup verification
C. Log review
D. Key performance indicators

A

B. The backup verification process ensures that backups are running properly and thus meeting the organization’s data protection objectives.