CompTIA Security+ - Lesson 11: Implementing Secure Network Protocols (Practice Questions)
An organization routinely communicates directly to a partner company via a domain name. The domain name now leads to a fraudulent site for all users. Systems administrators for the organization find incorrect host records in DNS. What do the administrators believe to be the root cause? A. A server host has a poisoned arp cache. B. Some user systems have invalid hosts file entries. C. An attacker masquerades as an authoritative name server. D. The domain servers have been hijacked.
An attacker masquerades as an authoritative name server. (C) Explanation: DNS server cache poisoning aims to corrupt the records held by the DNS server itself. A DNS server queries an authoritative server for domain information. An attacker can masquerade as an authoritative name server and respond with fraudulent information. --- An ARP cache contains entries that map IP addresses to MAC addresses. An ARP cache is not related to name resolution. Before developers created DNS, early name resolution took place using a text file named HOSTS. In this case, all users are experiencing an issue, not just some. Domain Reputation can be impacted if an attacker hijacks public servers. In this case, systems admin found invalid host records, which ruled out hijacking.
An authoritative server for a zone creates an RRset signed with a Zone Signing Key. Another server requests a secure record exchange and the authoritative server returns the package along with the public key. Evaluate the scenario to determine what the authoritative server is demonstrating in this situation. A. Domain Name System (DNS) B. DNS Security Extension C. DNS Footprinting D. Dynamic Host Configuration Protocol (DHCP)
DNS Security Extension (B) Explanation: A DNS Security Extension (DNSSEC) transaction is being simulated. This consists of the authoritative server for the zone creating a package of resource records (RRset) signed with a private key (Zone Signing Key). When another server requests a secure record exchange, the authoritative server returns the package along with its public key, which can verify the signature. --- DNS is a system for resolving host names and domain labels to IP addresses. DNS footprinting means obtaining information about a private network by using its DNS server to perform a zone transfer (all of the records in a domain) to a rogue DNS. DHCP provides for an automatic method for network address allocation.
An attacker modifies the HOSTS file on a workstation to redirect traffic. Consider the types of attacks and deduce which type of attack has likely occurred. A. DNS server cache poisoning B. DNS spoofing C. DNS client cache poisoning D. Typosquatting
DNS client cache poisoning (C) Explanation: The HOSTS file is checked before using Domain Name System (DNS). Its contents are loaded into a cache of known names and the client only contacts a DNS server if the name is not cached. If an attacker can place a false name, then the attacker will be able to direct traffic. --- A DNS server cache poisoning attack is a redirection attack that aims to corrupt the records held by the DNS server itself. DNS spoofing is an attack that compromises the name resolution process. Typosquatting means that the threat actor registers a domain name that is very similar to a real one, such as connptia.org, hoping that users will not notice the difference.
When a company attempts to re-register their domain name, they find that an attacker has supplied false credentials to the domain registrar and redirected their host records to a different IP address. What type of attack has occurred? A. Domain hijacking B. Domain name system client cache (DNS) poisoning C. Rogue dynamic host configuration protocol (DHCP) D. Domain name system server cache (DNS) poisoning
Domain hijacking (A) Explanation: In domain hijacking (or brandjacking), the attacker steals a domain name by altering its registration information and then transferring the domain name to another entity. --- Before DNS is contacted, a text file named HOSTS is checked that may have name:IP address mappings recorded. If an attacker can place a false name:IP address mapping in the HOSTS file, poisoning the DNS cache, the attacker can redirect traffic. The Dynamic Host Configuration Protocol (DHCP) facilitates automatic network address allocation. If an attacker establishes a rogue DHCP, it can perform DoS or snoop on network information. DNS server cache poisoning corrupts records within the DNS server itself.
A security administrator employs a security method that can operate at layer 3 of the OSI model. Which of the following secure communication methods could the security administrator be using? (Select all that apply.) A. ESP B. AH C. TLS D. IKE
ESP & AH (A & B) Explanation: Encapsulation Security Payload (ESP) provides confidentiality and/or authentication and integrity. ESP is one of the two core protocols of IPsec. AH is another core protocol of IPsec. The Authentication Header (AH) protocol performs a cryptographic hash on the whole packet, including the IP header, plus a shared secret key (known only to the communicating hosts), and adds this HMAC in its header as an Integrity Check Value (ICV). --- Transport Layer Security is applied at the application level, either by using a separate secure port or by using commands in the application protocol to negotiate a secure connection. The Internet Key Exchange (IKE) protocol handles authentication and key exchange, referred to as Security Associations (SA).
A technician is working with a user on methods to authenticate their device to the SSH server. Knowing that there are various methods, what can NOT be enabled or disabled when using the /etc/ssh/sshd_config file? A. Public key authentication B. Kerberos C. Username/password D. Host key
Host key (D) Explanation: The server's host key is used to set up a secure channel to use for the client to submit authentication credentials but is not enabled or disabled when using the /etc/ssh/sshd_config file. --- Username/password allows the client to submit credentials that are verified by the SSH server either against a local user database or using a RADIUS/TACACS+ server. Public key authentication allows each remote user's public key is added to a list of keys authorized for each local account on the SSH server. Kerberos allows the client to submit a Ticket Granting Ticket (TGT) to the Ticket Granting Service (TGS) along with the Service Principal Name (SPN) of the SSH server that the client wants to access.
Using the STARTTLS method, a system administrator is setting up a new Simple Mail Transfer Protocol (SMTP) configuration. Make recommendations for how the administrator should configure the ports. (Select all that apply.) A. Port 80 should be used for message submission over implicit TLS. B. Port 143 should be used to connect clients. C. Port 25 should be used for message relay. D. Port 587 should be used by mail clients to submit messages for delivery.
Port 25 should be used for message relay. & Port 587 should be used by mail clients to submit messages for delivery. (C & D) Explanation: Port 25 is used for message relay between Simple Mail Transfer Protocol (SMTP) servers or Message Transfer Agents (MTA). If security is required and supported by both servers, the STARTTLS command can be used to set up the secure connection. Port 587 is used by mail clients (Message Submission Agents) to submit messages for delivery by an SMTP server. --- Port 465, versus 80, is used by providers and mail clients for message submission over implicit Transport Layer Security (TLS). Port 143 is used by Internet Message Access Protocol (IMAP) to connect clients. IMAP supports permanent connections to a server and connecting multiple clients to the same mailbox simultaneously.
A system administrator uses a Graphical User Interface (GUI) remote administration tool over TCP port 3389 to manage a server operating Windows 2016. Evaluate the types of remote administration tools to conclude which protocol the administrator is using. A. Secure Shell B. Telnet C. Dynamic Host Configuration Protocol D. Remote Desktop
Remote Desktop (D) Explanation: Remote Desktop Protocol (RDP) is Microsoft's protocol for operating remote connections to a Windows machine. RDP uses TCP port 3389. --- Secure Shell (SSH) is the principal means of obtaining secure remote access to a UNIX or Linux server. Telnet is terminal emulation software to support a remote connection to another computer and uses TCP port 23 by default. Telnet is not secure but can be used over a secure channel, such as an IPSec tunnel. The Dynamic Host Configuration Protocol (DHCP) provides an automatic method for network address allocation.
A system administrator needs secure remote access into a Linux server. Evaluate the types of remote administration to recommend which protocol should be used in this situation. A. Telnet B. Secure Shell (SSH) C. Remote Desktop Protocol (RDP) D. Kerberos
Secure Shell (SSH) (B) Explanation: Secure Shell (SSH) is the principal means of obtaining secure remote access to a UNIX or Linux server. The main uses of SSH are for remote administration and secure file transfer (SFTP). --- Telnet is a terminal emulation software used to support a remote connection to another computer. It does not support file transfer directly, and is not secure. Remote Desktop Protocol (RDP) is Microsoft's protocol for operating remote connections to a Windows machine. SSH uses Kerberos to allow authentication to the SSH server. Kerberos uses the Ticket Granting Ticket (TGT) method.
If an administrator in an exchange server needs to send digitally signed and encrypted messages, what messaging implementation will best suit the administrator's needs? A. Secure/Multipurpose Internet Mail Extensions (S/MIME) B. Secure Post Office Protocol v3 (POP3S) C. Internet Message Access Protocol v4 (IMAP4) D. Simple Mail Transfer Protocol (SMTP)
Secure/Multipurpose Internet Mail Extensions (S/MIME) (A) Explanation: One means of applying authentication and confidentiality on a per-message basis is an email encryption standard called Secure/Multipurpose Internet Mail Extensions (S/MIME). S/MIME adds digital signatures and public key cryptography to mail communications. To use S/MIME, a sender and receiver exchange digital certificates signed by a certification authority (CA). --- POP3 is a mailbox protocol designed to store the messages delivered by SMTP on a server. When the client connects to the mailbox, POP3 downloads the messages to the recipient's email client. IMAP4 is an application protocol that allows a client to access and manage email messages stored in a mailbox on a remote server. SMTP is the basic protocol used to send mail between hosts on the Internet.
A security engineer encrypted traffic between a client and a server. Which security protocol is the best for the engineer to configure if an ephemeral key agreement is used? A. AES 256 B. TLS 1.2 C. TLS 1.3 D. SHA 384
TLS 1.3 (C) Explanation: Only ephemeral key agreement is supported in TLS 1.3. The signature type is supplied in the certificate, so the cipher suite only lists the bulk encryption key strength and mode of operation (AES_256_GCM), plus the cryptographic hash algorithm (SHA384). --- Prior to TLS 1.3, Elliptic Curve Diffie-Hellman Ephemeral mode for session key agreement, RSA signatures, 128-bit AES-GCM (Galois Counter Mode) for symmetric bulk encryption, and 256-bit SHA for HMAC functions can be used. AES 256 refers to a mode of operation used by TLS to encrypt data that is communicated between systems. SHA 384 refers to a cryptographic hashing algorithm that is used for encryption by protocols such as TLS.
Transport layer security (TLS) version 1.3 improves upon a vulnerability in TLS1.2. Which statement correctly describes a remedy for this vulnerability? A. TLS version 1.3 is backward compatible with earlier versions of transport layer security. B. TLS version 1.3 removes the ability to downgrade to weaker encryption ciphers and earlier versions of transport layer security. C. TLS version 1.3 creates a secure link between the client and server using Secure Shell (SSH) over TCP port 22. D. TLS1.3 can use more secure authentication and authorization methods, such as security assertion markup language (SAML) and open authorization (OAuth).
TLS version 1.3 removes the ability to downgrade to weaker encryption ciphers and earlier versions of transport layer security. (B) Explanation: TLS 1.3 removes the ability to perform downgrade attacks by preventing the use of unsecure features and algorithms from previous versions. --- Configuring a TLS 1.2 server allows clients to downgrade to TLS 1.1 or 1.0 or SSL 3.0 if they do not support TLS 1.2. A man-in-the-middle can use a downgrade attack to try to force the use of a weak cipher suite and secure sockets layer (SSL)/TLS version. Secure shell file transfer protocol (SFTP) addresses the privacy and integrity issues of FTP by encrypting the authentication and data transfer between client and server. The Open Authorization (OAuth) protocol is a standard for federated identity management to consider for secure application programming interfaces (APIs), not a TLS1.3 feature.
A technician is configuring Internet Protocol Security (IPSec) for communications over a Virtual Private Network (VPN). Evaluate the features of available modes and recommend the best option for implementation. A. Tunnel mode because the whole IP packet is encrypted, and a new IP header is added. B. Transport mode because the whole IP packet is encrypted, and a new IP header is added. C. Tunnel mode because the payload is encrypted. D. Transport mode because the payload is encrypted.
Tunnel mode because the whole IP packet is encrypted, and a new IP header is added. (A) Explanation: The technician should use tunnel mode because the whole IP packet, including header and payload, is encrypted and a new IP header added. This mode is used for communications across an unsecure network (creating a VPN). --- In transport mode, the IP header for each packet is not encrypted, just the data (payload). This mode is used for secure communications on a private network (an end-to-end implementation). In tunnel mode, the header and the payload are encrypted. In transport mode, the payload is encrypted but this does not provide sufficient security for a VPN.
A system administrator is configuring a new Dynamic Host Configuration Protocol (DHCP) server. Consider the various types of attacks specific to DHCP and determine which steps the system administrator should take to protect the server. (Select all that apply.) A. Use scanning and intrusion detection to pick up suspicious activity. B. Disable DHCP snooping on switch access ports to block unauthorized servers. C. Enable logging and review the logs for suspicious events. D. Disable unused ports and perform regular physical inspections to look for unauthorized devices.
Use scanning and intrusion detection to pick up suspicious activity. & Enable logging and review the logs for suspicious events. & Disable unused ports and perform regular physical inspections to look for unauthorized devices. (A, C, &D) Explanation: The system administrator should use scanning and intrusion detection to pick up suspicious activity. The system administrator should set logging to be enabled and then review the logs regularly for suspicious events. The system administrator should disable unused ports and perform regular physical inspections to ensure that unauthorized devices are not connected via unused jacks. --- The system administrator should enable DHCP snooping on switch access ports to prevent the use of unauthorized DHCP servers. DHCP snooping acts as a firewall between the server and untrusted hosts and should be enabled versus disabled.