Information Systems Security - C845 (PT. 2)
What is the purpose of a WIPS?
A wireless intrusion prevention system (WIPS) is used to detect rogue devices, specifically rogue wireless devices that either attempt to connect into the valid wireless network as a client or offer up a rogue connection acting like a base station. A WIPS uses a detection technique that is primarily based on monitoring MAC addresses. A list of authorized wireless devices is maintained by the WIPS, and each detected wireless device is compared to this list. Any MAC address not on the approved list is ignored and/or blocked from interacting with authorized devices. In the event of a MAC spoofing attack, the WIPS also develops a wireless signature for each device related to how it actually employs the radio frequencies for transmission. This creates a type of wireless device signature that is very difficult to mimic, thus allowing the WIPS to differentiate between the original valid device and a rogue device spoofing its MAC address.
Which of the following is an inaccurate statement about an organization's encryption policy? A Local data should always be encrypted with the user's public key. B The longer the storage, the longer the key. C Important keys should be kept in a storage location or key escrow. D Private keys should be protected at all times.
A. Data encrypted with a user's public key can be decrypted only by the user's private key. This would not normally be in an organization's encryption policy. Answers D, B, and C are all reasonable items to include in an organization's encryption policy.
What is the component of IPSec that handles key generation and distribution? A Internet Key Exchange B Authentication Header C IP Compression D Encapsulating Security Payload
A. Internet Key Exchange (IKE) is the component of IPSec that handles key generation and distribution. IKE is comprised of three components: Oakley, Secure Key Exchange Mechanism (SKEME), and Internet Security Association Key Management Protocol (ISAKMP). Oakley assists with key generation, SKEME is a mechanism to exchange keys securely, and ISAKMP maintains unique security associations for each IPSec VPN. Answer B is incorrect. Authentication Header (AH) is responsible for establishing the initial connection and the authentication of end-points. AH uses the keys managed by IKE. Answer C is incorrect. IP Compression (IPComp) is used to pre-compress data prior to being encrypted by ESP. This is to assist in speeding up the encryption process towards the goal of maintaining wire speed transmission. IPComp does not use encryption keys. Answer D is incorrect. Encapsulating Security Payload (ESP) is the bulk encryptor of an IPSec VPN. ESP uses the keys managed by IKE.
What is the primary concern for any situation involving the triggering of a disaster recovery plan (DRP)? A Preservation of human life B Reducing asset loss C Avoiding downtime D Minimizing costs
A. Preservation of human life is always the primary concern for any situation involving the triggering of a disaster recovery plan (DRP). This is often one of the overlooked elements of DRP because of the breadth and depth of response planning. However, protecting the safety of personnel is always a top priority. Anyone on a business continuity plan (BCP) or DRP development team should remind themselves and the group of the initial task of preserving human life. This helps to keep proper perspective on the other activities involved in responding to breaches, violations, and disasters. Answer D is incorrect. Minimizing costs is NOT the primary concern of a DRP. Preserving human life is always a top priority for DRP. Minimizing costs is a secondary priority at best. Keep in mind that there are two types of costs to manage. First, there is the cost of not protecting the organization against disasters, which could have a cost of the business ceasing to exist. Second, there is the cost of protecting the organization against disasters by implementing preparation, response, and recovery strategies. Answer C is incorrect. Avoiding downtime is NOT the primary concern of a DRP. Preserving human life is always a top priority for DRP. DRP is not specifically focused on avoiding downtime as it is on restoring functionality to mission critical processes before the maximum tolerable downtime. If DRP is triggered, there is no avoiding downtime. There is only managing it and keeping it to a minimum. Answer B is incorrect. Reducing asset loss is NOT the primary concern of a DRP. Preserving human life is always a top priority for DRP. DRP is not specifically focused on protecting assets as it is on restoring functionality to mission critical processes. This will include restoring and repairing assets toward that goal.
Which option best describes the encryption technique of a Caesar cipher? A Substitution B Diffusion C Confusion D Transportation
A. The Caesar cipher is a substitution cipher. It is the simplest and most widely known encryption technique. Substitution is the process of replacing one letter with another. The inverse substitution is performed to decipher the text. Answers B, C, and D are incorrect because they do not describe the encryption technique of a Caesar cipher. Diffusion is the process of encryption in which the entire hash output for each character modification of the original message is changed. Confusion creates the complexity of an encrypted message by modifying the key during the encryption process. Transportation transposes the letters and characters horizontally into a grid and then reads the grid vertically.
Which of the following is used when access is required and the person authorized for access is not present? A M of N control B Split knowledge C Two person rule D Dual control
A
Which of the following symmetric key algorithms utilizes 128-bit blocks? A CAST-256 B IDEA C CAST-128 D 3DES
A
If an organization experiences a disaster level event that damages its ability to perform mission critical operations, what form of emergency response plan will provide a reliable means to ensure the least amount of downtime? A Cold site B Multi-site C Warm site D Reciprocal agreement
B. If an organization experiences a disaster level event that damages its ability to perform mission critical operations, a multi-site-based emergency response plan will ensure the least amount of downtime. A multi-site alternative processing plan ensures that an organization is split and divided amongst multiple physical locations instead of being housed in a single facility. In the event of a disaster, the members of the non-affected sites can absorb the workload and personnel from the damaged site while it is being repaired. This has the benefit of having minimal downtime. Answer C is incorrect. A warm site does NOT ensure the least amount of downtime among the options given. A warm site is a second location where most of the infrastructure of the primary site has been recreated. However, a warm site is not maintained at current configuration and does not have a copy of the most recent productivity data. Thus, there will be some amount of downtime while the warm site is updated and configured to current requirements. Then additional time is needed to restore data from available backups. A warm site is usually less expensive than a hot site or multi-site option, but the hours or days of downtime needed to make the site usable can be prohibitive for organizations that can only survive a short period of mission critical function downtime. Answer A is incorrect. A cold site does NOT ensure the least amount of downtime among the options given. A cold site is a second location where an organization can attempt to recreate their infrastructure when they experience a disaster. A cold site is usually just a building, but might include pre-installed utilities and may have equipment on site. However, nothing will be unpacked, connected, or running. A cold site will require days or weeks or longer to set up the infrastructure, install software, configure functions, and restore data from backup. A cold site has very low cost, but it is not a realistic option for recovery for most organizations. Answer D is incorrect. A reciprocal agreement does NOT ensure the least amount of downtime among the options given. A reciprocal agreement is a handshake between two business leaders to agree to help each other in the event of an emergency. This is rarely a written document, thus it is not an enforceable contract or legal agreement. A reciprocal agreement has no monetary cost, but the other party could decide not to help at the very moment your organization knocks on their door asking for assistance. Thus, a reciprocal agreement is an unreliable disaster recovery option. Another similar option not listed in this question is a hot site. A hot site is a mirror copy of the primary facility. It is maintained in tandem with the primary site, and even has a copy of all current data. In the event of a disaster, production shifts to the hot site with little to no downtime. The main distinction between multi-site and hot site options, other than the number of physical locations, is that a hot site is extremely expensive as compared to the moderate expense of multi-site.
When implementing LAN-based security like traffic management in a software-defined network, where are decisions about where traffic is to be sent made?
Control plane. When implementing LAN-based security like traffic management in a software-defined network, decisions about where traffic is to be sent are made in the control plane. The planes of network management are not as clear-cut as the metaphor implies. Unlike the seven protocol layers of the OSI model, the concept of network management planes is more related to a grouping of activities and actions than to distinct layers of operation. The control plane is allocated the task of making routing and switch-forwarding decisions, not the actual transmission of traffic. Answer B is incorrect. User mode is NOT directly related to software-defined networking or network management planes. User mode is related to the privilege level of an operating system. Processes running in user mode are accessible to a user, but they are inherently restricted from direct hardware access, cannot demand system resources, and have a lower privileged operating state than processes in kernel mode. Answer A is incorrect. The data plane is the other network management plane. The data plane is responsible for the actual transmission of traffic to the next device along the path toward the destination. The data plane is also known as the forwarding plane. The data plane is the actual transmission of packets through a router or switch. Answer C is incorrect. Kernel mode is NOT directly related to software-defined networking or network management planes. Kernel mode is related to the privilege level of an operating system. Processes running in kernel mode are not accessible to a user and focus on maintaining the stability and functionality of the overall operating environment. Processes in kernel mode may have direct hardware access, can directly request system resources, and have a higher privileged operating state than processes in user mode. This latter item means that kernel mode processes have priority access to the CPU over any user mode process.
What is the primary method of authentication used in a typical PKI deployment? A Smart cards B Passwords C Biometrics D Digital certificates
D. Digital certificates are used as the primary method of authentication in a typical PKI deployment. Digital certificates are a key element of PKI because secure operations of data storage and transmission depend upon reliable authentication. PKI (public key infrastructure) can be implemented based on either a public/external or a private/internal certificate authority (CA). Answers B, A, and C are incorrect. Passwords, smart cards, or biometrics are not used as a primary method of authentication in a typical PKI deployment.
What refers to the study of the techniques used to determine methods to decrypt encrypted messages, including the study of how to defeat encryption algorithms, discover keys, and break passwords?
Cryptanalysis.
Cryptology
Cryptology is a science that deals with the encryption and decryption of plaintext messages using various techniques such as hiding, encryption, disguising, diffusion, and confusion.
What refers to the study of the techniques used to determine methods to decrypt encrypted messages? A Cryptosystem B Collusion C Cryptology D Cryptanalysis
D
Which best describes a multiple-person technique for use to recover a corrupted key? A Staged multiple interaction B Multiple-key agent rule C Separation of duties D M of N
D. A set number of multiple persons (M) out of a group of persons (N) may be able to take the required action. Answer C is incorrect because separation of duties has nothing to do with multiple-person key recovery. Answer B is incorrect because there is no such thing as a multiple-key agent rule. Answer A is incorrect because staged multiple interaction does not exist.
A clipping level does which of the following? A Reduces noise signals on the IT infrastructure B Provides real-time monitoring C Defines a threshold of activity that, after crossed, sets off an operator alarm or alert D Removes unwanted packets
C. It is a level at which an operator is alerted.
Which option is most accurate regarding a recovery point objective? A The target time full operations should be restored after disaster B The time after which the viability of the enterprise is in question C The point at which the most accurate data is available for restoration D The point at which the least accurate data is available for restoration
C. The RPO is the location of the most accurate backup data prior to a disaster event.
How does a web of trust model provide security since it does not involve a trusted third-party? A By using fourth-party identity verification B By using pre-shared symmetric keys C Through the use of randomization in key selection D Through consistency of serial numbers of self-issued certificates
D. A web of trust model provides security through consistency of serial numbers of self-issued certificates without the involvement of a trusted third-party. In a web of trust or peer trust security model, each endpoint directly chooses to trust every other endpoint without a middleman or third party involved. Web of trust therefore does not include a solid authentication mechanism in order to absolutely prove an identity. Instead, claimed identities are maintained over time. Web-of-trust endpoints self-issue digital certificates. As long as those certificates remain valid, their serial numbers remain the same; thus endpoints can at least be confident of communications with the other endpoints as long as those serial numbers remain consistent. The actual identity of an endpoint may be unknown, but knowing that the same endpoint is at the other end of a communication is essential. Within web-of-trust environments, digital signatures and digital envelopes are still used, as the same asymmetric public key cryptography is in use. Answer B is incorrect. A web of trust is NOT based on pre-shared symmetric keys. Pre-shared symmetric keys are regarded as a poor security design and should be avoided. Pre-shared keys have the risk of being discovered or extracted by unauthorized entities and used to breach the security of the environment. Answer C is incorrect. Randomization in key selection is used for all forms of modern cryptography, but key randomization is not the reason that a web-of-trust model can still provide security. A web of trust is secure due to consistency of serial numbers of self-issued certificates. Answer A is incorrect. There is no concept of fourth-party identity verification in standard trust models or cryptography systems.
How is an incident response strategy triggered? A By defining a clipping level B By recording the baseline C By displaying a user warning D By an event
D. An incident response strategy is triggered by an event. An event is any activity that results in a change in the state of the environment, whether it's the network, a communication, a system, a device, software, or anything related to a business process. Generally, the incident response strategy is triggered when a violating event or incident occurs, rather than for benign or normal events. When an event is a violation, then it causes a true positive alarm and response. When an event is a benign occurrence, then it causes a false positive alarm and response. Answer A is incorrect. Incident response is NOT triggered by defining a clipping level. A clipping level is a defined threshold. Events that do not cross the threshold or clipping level are seen as either benign or too insignificant to warrant a response. Events that cross the threshold or clipping level are seen as warranting a response. The act of crossing a clipping level is a trigger for an incident response strategy. However, defining the clipping level does not trigger an incident response strategy. Answer C is incorrect. Incident response is NOT triggered by displaying a user warning. The display of a warning is a possible incident response strategy, but the display itself is not the triggering of an incident response strategy. Instead, some event must have occurred which triggered the warning display, i.e. the incident response strategy. Answer B is incorrect. Incident response is NOT triggered by recording the baseline. A baseline is an established level of normal or expected events and behaviors. When events are different from the baseline, then an incident response strategy is triggered. However, the act of defining or recording the baseline does not trigger an incident response strategy. The recording or defining of a baseline is defining the events that would trigger an incident response strategy.
How does S/MIME provide for verification that a received message was not modified during transit? A With a recipient's private key B By hashing the e-mail header C Using the shared symmetric key D Through a digital signature
D. S/MIME provides for verification that a received message was not modified during transit through a digital signature. S/MIME is a standard for using public key encryption to secure e-mail communications. It supports digital envelopes and digital signatures. To verify that a message was not changed during transit, a digital signature is used. A digital signature is created by crafting the hash digest of the message, then encrypting the hash digest with the sender's private key. This encrypted hash is the digital signature. The recipient will decrypt the sender's hash digest from the digital signature using the sender's public key. The recipient will hash the received message and compare the before and after hashes. If the hashes are the same, then the message integrity was maintained. Answer B is incorrect. S/MIME does NOT verify that a received message was not modified by hashing the e-mail header. When a hash of an e-mail message is performed, the whole message including the header and the body is hashed as a single data set. S/MIME does not use hashing on its own; it is only used when involved in a digital signature. Answer A is incorrect. S/MIME does NOT verify that a received message was not modified with a recipient's private key. The recipient's private key is used to open a digital envelope created with the recipient's public key. This is done when the sender wishes to use symmetric encryption to protect the confidentiality of a message and thus exchanges the symmetric key within a digital envelope. The recipient's private key is not involved in verifying integrity. Answer C is incorrect. S/MIME does NOT verify that a received message was not modified using the shared symmetric key. A symmetric key is used to protect the confidentiality of a message and is exchanged securely in a digital envelope using the recipient's public key. The symmetric key is not involved in verifying integrity.
What is the composition of a cryptographic key, whether symmetric or asymmetric? A A prime number B A signed object C A complex mathematical formula D A binary value
D. The composition of a cryptographic key, whether symmetric or asymmetric, is simply a binary value. A cryptographic key is just a binary number. Each cryptographic algorithm determines the key length, which is the number of bits in the length of the key. Every value of the key between all bit positions set to zero and all bit positions set to one is the key space. The process by which a key is generated, created, derived, or crafted can be quite complex in order to avoid prediction, but the results are always just a simple binary value. Answer B is incorrect. A key is not comprised of a signed object. A key creates signed objects, which in turn can be used to verify identity. Specifically, the use of asymmetric cryptography key pairs in the form known as a digital certificate performs this operation. A digital certificate is created by a certificate authority (CA). The CA creates a digital certificate by signing a subject's public key with the CA's private key. Additional documentation and parameter data are included with the digital certificate according to the X.509 v3 certificate standard. When a sender signs a message with their private key, the recipient can verify the signature through the issuing CA. Answer C is incorrect. A cryptographic key is NOT composed of a complex mathematical formula. The process by which a key is generated, created, derived, or crafted can be quite complex in order to avoid prediction, but the results are always just a simple binary value. A cryptographic key is just a binary number. Answer A is incorrect. A cryptographic key is NOT a prime number. Some cryptographic keys are prime numbers, but only by random coincidence. Prime numbers may be used in the complex key generation process, but the result will always be a binary number. Whether or not the resultant key is itself a prime number is not relevant.
In an organization, a hardware device is installed for securing the infrastructure through filtering. What type of hardware device can be used to filter network traffic based upon an IP address?
Firewall. A firewall is added to a network to filter traffic and secure the infrastructure. Firewalls are used to protect networks from each other, most specifically an internal trusted network from an external untrusted network such as the Internet. They filter many traffic attributes, including IP address, destination and source addresses, and port address. Answer C is incorrect. A router is a networking device which enables a path between networks for connectivity. Answer A is incorrect. A bridge connects two local area networks and creates a single network. Answer D is incorrect. A gateway is a joining node in a network that connects two other networks so that the devices of both networks can communicate.
An IT security manager is struggling to keep the organization's computers in working order. He is testing updates and configuring them to be installed onto systems and making tweaks to the configuration settings to various systems as business tasks require. However, he often discovers systems which do not have the necessary updates or which are using out-of-date settings. This may be caused by systems being disconnected from the company network when taken into the field or when used for special offline projects. What technology should the IT security manager implement to help handle this complex issue?
NAC. Network access control (NAC) should be implemented in this scenario. When a system is determined by NAC to lack specific configuration settings or to be missing a required update, the system will be quarantined. A NAC quarantine is an isolation triggered by a system being out of compliance. It usually involves shifting IP address assignments to place the system in a quarantine subnet where the system is only able to access the remediation server. Quarantine remediation can be performed automatically or it may require an administrator to perform manual operations. Once the system is brought into compliance, then it is returned to the production network. This technology will ensure that only systems that are current in configuration and updates are allowed to interact with the production environment. Answer C is incorrect. IEEE 802.1x is the IEEE standard known as port-based network access control, which is used to leverage authentication already present in a network to validate clients connecting over hardware devices, such as wireless access points or VPN concentrators. The purpose of IEEE 802.1x is to avoid the use of on-device static password authentication, which is a very weak form of authentication. The 802.1x standard allows existing multi-factor or otherwise robust network authentication to be ported or proxied for use onto various hardware and software connection options. Answer D is incorrect. Online Certificate Status Protocol (OCSP) is the communication query system employed by modern certificate authorities (CAs) to inform endpoints of the revocation status of digital certificates. OCSP enables end-points to obtain real-time revocation status without significant bandwidth consumption. OCSP replaced the older concept known as the certificate revocation list (CRL). The CRL is the list of revoked certificates' serial numbers. Endpoints needed to download an updated CRL on a regular basis to be current on which certificates had been revoked. Because this document was always growing in size, it was a significant bandwidth cost for end-points as well as the CA. Answer A is incorrect. Network Time Protocol (NTP) synchronization is the means by which clocks on various systems are brought into alignment. It is essential that all internal systems are synchronized. It is of reasonable value to be synchronized with a world time source. This helps to ensure that all logs and audit trails are in harmony in order to make investigations and historical research into the chronological order of events easier.
When a client is located behind a firewall that does not allow inbound initiated contact, which of the following will need to be used to support file transfer?
Passive FTP. Passive FTP is necessary to support file transfer when a client is located behind a firewall that does not allow inbound initiated contact. During normal or active FTP, the client initiates a connection to the FTP server on port 21, and then the FTP server initiates a connection to the client on port 20. If the client is behind a firewall and cannot accept inbound initiations, then the FTP connection will fail. Passive FTP resolves this issue by having the server respond back to the client from the server port 21 to indicate which higher order port the server will listen on for a second client connection. Once the client receives the higher port number from the server, the client initiates a connection to that higher port number. Thus, the two required channels for FTP are both initiated by the client in passive mode, while in active mode, the client and server each initiate one of the two connections. Answer D is incorrect. Client-hosted FTP is simply making the internal client system into an FTP server. If the firewall blocks inbound initiations, then no external system could initiate a connection with the client hosted FTP service. Answer B is incorrect. Active FTP does not function when the client is behind a firewall that blocks inbound connections. Answer A is incorrect. Server-initiated FTP is NOT a valid form of FTP. Additionally, if it was, an inbound connection initiation by the server to the client would be blocked by the firewall as indicated in this question.
What standards-based technology is supported on most platforms and is used as a remote authentication service?
RADIUS. Remote Authentication Dial-In User Service (RADIUS) is a standards-based technology that is supported on most platforms and is used as a remote authentication service. RADIUS has been updated to address many forms of remote connectivity beyond only dial-up. RADIUS operates over UDP port 1812. Answer C is incorrect. Kerberos is an authentication technology, but it is used only for private network authentication, not for remote authentication. Kerberos is a trusted-third party based authentication scheme, but it is not as robust as certificate-based authentication. Answer A is incorrect. Terminal Access Controller Access Control System Plus (TACACS+) is not standards-based. It is a proprietary remote authentication service from Cisco, originally based on RFC 1492. But after having gone through two custom revisions, the first being XTACACS and the latter TACACS+, it is no longer standards-related. It is a solid competitor to RADIUS, but is only available on Cisco hardware. Answer B is incorrect. New Technology LAN Manager (NTLM) is an authentication system available on Microsoft Windows. It is a proprietary Microsoft product and is only supported on Windows.
Difference between the secure protocols of TLS-encrypted SMTP and the use of S/MIME for the protection of e-mail communications
S/MIME provides end-to-end protection of messages, while TLS-encrypted SMTP only secures a local link. S/MIME supports the selection of a random symmetric key which is used to encrypt the message. The symmetric key is then enveloped using the recipient's public key. This provides end-to-end encryption from the sender to the recipient. TLS-encrypted SMTP negotiates an encrypted link between the client and the local e-mail server. This link provides secure transmission from the client to the e-mail server, but once it is received by the e-mail server it is returned to plaintext. Subsequent SMTP connections between the sender's e-mail server and any intermediate or end-point recipient e-mail servers are potentially in plaintext.
Which type of firewall would be able to discard TCP segments arriving at an open port when they have the header flag of FIN enabled and they are the first packet received from the source?
Stateful inspection firewall. A stateful inspection firewall or a stateful packet inspection firewall, also known as an intelligent firewall or a smart firewall, would be able to discard these TCP packets. A stateful inspection firewall is programmed with the parameters of valid communications. When attempting to establish a TCP communication with an open port, the proper initial communication from a source is a segment with a SYN (synchronization) header flag. A TCP segment with a FIN (finish) header flag is not the proper method to initiate communications; a FIN flag is used to start the graceful shutdown of an existing session. A stateful inspection firewall will discard any initial packets or segments from a source which are not valid for initiating a new session. Note that the network communications between endpoints have different container names based on the relevant OSI layer. Physical-layer containers are bits, Data-link-layer containers are frames, Network-layer containers are packets, Transport-layer containers are segments (TCP) or datagrams (UDP), and Session-, Presentation-, and Application-layer containers are protocol data units (PDUs). Answer B is incorrect. A packet filter firewall is a simple set of static rules on whether a port is open or closed. A packet filtering firewall is not programmed with the details of valid vs. invalid communications. Answer A is incorrect. A circuit level firewall is a firewall which either allows or denies the connection of a circuit or session based on various parameters, such as IP address, port, and protocol. It is not programmed with the details of valid versus invalid communications. Answer D is incorrect. A web application firewall is focused on the application layer protocols of HTTP and HTTPS, and thus does not manage traffic at the TCP level.
WAN optimization is the collection of technologies used to maximize efficiency of network communications across long distance links. WAN optimization can include data deduplication, compression, and what other technology?
Traffic shaping. Traffic shaping is a technology that WAN optimization can include in addition to data deduplication and compression. Other common components of WAN optimization are caching, filtering of non-essential traffic, use of converged protocols, and enforcement of upload and download rules. Answer A is incorrect. Periodic mid-stream re-authentication is not a component of WAN optimization; it is used to detect session hijacking. In a hijack attack the attacker does not have the victim's credentials, so when authentication is requested mid-stream the attacker fails to authenticate and the connection is severed. Answer B is incorrect. Account lockout is not a component of WAN optimization. Account lockout relates to authentication and to attempts to guess credentials: it disables an account once a set number of failed attempts is reached. Answer D is incorrect. Encryption is not a component of WAN optimization. Many WAN links should be encrypted to protect confidentiality, but encryption adds processing overhead and, unless the optimization is applied before encryption, makes the payload incompressible and impossible to deduplicate, so it impedes communication rather than optimizing it.
Which of the following best describes converged network communications?
Transmission of voice and media files over a network. The convergence of network communications involves the transmission of multimedia and data on the same network.
Which of the following OSI layers is responsible for providing end-to-end and reliable communications services?
Transport
Which of the following is NOT a method by which devices are assigned to VLAN network segments?
Transport-layer port assignment. Transport-layer port assignment is NOT a method by which devices are assigned to VLAN network segments. Transport-layer ports (TCP and UDP) are used in access control lists (ACLs), rule sets, or filter lists to control or manage traffic, not to define VLAN membership. Port-based ACLs are found on firewalls, wireless access points, proxies, gateway devices, remote access concentrators, and multilayer switches. Communications that match an allow rule are passed through the device, while traffic matching a deny rule, or failing to match any rule, is denied by default and dropped. Answer C is incorrect. Mimicking the IP subnet configuration is a third valid means of assigning devices to a VLAN. When using either of the other two techniques, switch port configuration or MAC address management, administrators often end up doing twice the necessary work, because many organizations group devices both by IP address and subnet and by VLAN. If a subnet and a VLAN contain the same devices, configuring the grouping once at the IP level (OSI Network layer, Layer 3) and again on the switches doubles the workload for the same result. Switches can therefore be configured to mimic the subnet grouping, placing devices into VLANs with the same membership. Answer B is incorrect. Switch port configuration is a valid means of assigning devices to a VLAN. It is the original and simplest method. Each port on a switch belongs to VLAN 1 by default; through the switch's management interface, ports can be made members of other VLAN numbers, and any device plugged into a given physical port is placed in that port's VLAN. Answer A is incorrect. MAC address management is another valid means of assigning devices to a VLAN.
In networks where devices may be moved around and thus connect into the network via different ports, or even via wireless, MAC address VLAN assignment is essential. In this method, the MAC address of each device is registered as being a member of a specific VLAN. Therefore, no matter how or where the device connects into the network, it will be placed into its assigned VLAN.
What is the default port for TLS encrypted SMTP?
465. TCP port 465 is the default port for SMTP over implicit TLS (SMTPS), which is what the question means by Transport Layer Security (TLS) encrypted Simple Mail Transfer Protocol (SMTP). SMTP is the e-mail protocol used to send messages from an e-mail client to an e-mail server and between e-mail servers. A client can use SMTP in plaintext over TCP port 25 or over TLS on TCP port 465. In practice, mail submission more often uses TCP port 587 with STARTTLS, where the session opens in plaintext and is upgraded to TLS; RFC 8314 recommends implicit TLS on port 465 for submission and recognizes both ports. TLS is the successor of the security protocol previously known as Secure Sockets Layer (SSL). TLS is best known for protecting HTTP on TCP port 443, but it is a protocol in its own right that wraps other application protocols, and when an application protocol is run over implicit TLS it is usually assigned its own port by the Internet Assigned Numbers Authority (IANA); for example, IMAP over TLS uses 993 and POP3 over TLS uses 995. Answer C is incorrect. 443 is the default TCP port for TLS-encrypted HTTP (HTTPS). Answer A is incorrect. 80 is the default TCP port for HTTP. Answer B is incorrect. 25 is the default TCP port for plaintext SMTP.
How is a digital certificate created? A A subject's public key is signed by a CA's private key. B A Diffie-Hellman key exchange is performed. C A communication exchange of discover, offer, request, and acknowledge occurs. D A random key is encrypted by a recipient's public key.
A. A digital certificate is created when a subject's public key is signed by a CA's private key. The subject generates a random private key and derives the matching public key using the chosen asymmetric algorithm. The public key, together with the subject's identifying information, is submitted to the certificate authority (CA), usually as a certificate signing request (CSR). The CA verifies the subject's identity and builds the certificate: the subject's public key, subject name, issuer name, serial number, validity period, and extensions are encoded into the to-be-signed portion of an X.509 v3 certificate, and the CA signs that whole structure with its private key. Strictly, then, the CA signs the entire certificate body rather than the bare public key, and anyone holding the CA's public key can verify the signature and trust the binding between the subject's name and public key. Answer B is incorrect. A Diffie-Hellman key exchange is performed to agree on a symmetric key over an insecure communication medium. Answer C is incorrect. A communication exchange of discover, offer, request, and acknowledge is the process of obtaining an IP address lease from a DHCP server. Answer D is incorrect. A random key encrypted with a recipient's public key is a digital envelope, a means of secure symmetric key exchange over an insecure medium.
What is a significant difference between the secure protocols of TLS-encrypted SMTP and the use of S/MIME for the protection of e-mail communications? A One provides end-to-end protection of messages, while the other only secures a local link. B One uses digital certificates, while the other only uses password authentications. C One is used to create digital signatures, while the other creates digital envelopes. D One uses symmetric encryption, while the other uses asymmetric encryption.
A. A significant difference between TLS-encrypted SMTP and S/MIME for the protection of e-mail communications is that S/MIME provides end-to-end protection of messages, while TLS-encrypted SMTP only secures a single link. S/MIME selects a random symmetric key, uses it to encrypt the message, and then envelopes that key using the recipient's public key. This provides end-to-end encryption from the sender to the recipient, however many mail servers relay the message. TLS-encrypted SMTP negotiates an encrypted link between the client and its local e-mail server. That link protects transmission from the client to the server, but once the server receives the message it holds it in plaintext. Subsequent SMTP connections between the sender's e-mail server and any intermediate or recipient e-mail servers are negotiated separately and may be in plaintext; server-to-server TLS is typically opportunistic and is silently skipped when unavailable unless a policy mechanism such as MTA-STS or DANE is enforced. Answer D is incorrect. Both TLS-encrypted SMTP and S/MIME use both symmetric and asymmetric encryption. Answer C is incorrect. S/MIME provides support for both digital signatures and digital envelopes. TLS-encrypted SMTP provides neither. Answer B is incorrect. Both S/MIME and TLS-encrypted SMTP use digital certificates. TLS-encrypted SMTP can technically be negotiated without certificates, but the benefit of third-party identity verification is lost when that happens. Neither S/MIME nor TLS-encrypted SMTP uses password authentication. Note: a TLS connection is established with mutual certificate authentication, server-side certificate authentication, or no authentication. Once the TLS link is established, communications over it are encrypted, and it is common for services such as Web sites to then request user authentication with a name and password, which benefits from the protection of the established TLS connection.
What is the only viable method a determined attacker can attempt to compromise an encrypted file, assuming a publicly available cryptography standard was used? A Brute force guess the key B Examine the algorithms C Analyze the hash value D Reverse the encryption formula
A. Assuming a publicly available cryptography standard was used, an encrypted file can be compromised by a determined attacker only through brute force key guessing. A publicly available cryptography standard has typically been thoroughly evaluated and tested over time and has been shown to be reliable and resistant to most forms of cryptographic attack. However, since all cryptography depends on a secret key (or a key pair, one secret and one public), guessing that key is always a possible attack. The key length determines how much effort key guessing requires: shorter keys are found faster than longer keys, because a longer key has more bits and therefore a larger key space. A brute force attack tries every option in the key space until it succeeds, and for modern key sizes the time involved is astronomical; brute forcing a 128-bit key with conventional equipment would take far longer than the age of the universe. In practice, a determined attacker therefore targets what surrounds the cipher rather than the cipher itself: a weak password from which the key was derived, a key left on disk or in memory, or a flawed implementation. Those are weaknesses in key management and implementation, not in the standard algorithm, which is why key handling gets so much attention in an encryption policy. Answer D is incorrect. The file cannot be compromised by reversing the encryption formula. A cryptographic algorithm (cipher) consists of an encryption process and a decryption process, but both depend on the secret key; without the key the encryption cannot be reversed. Answer B is incorrect. The file cannot be compromised by examining the algorithms. If an untested, non-public cryptosystem were in use, finding an exploitable flaw in the algorithm would be a realistic possibility. A publicly available standard, however, has been evaluated by the cryptographic community over time and has proven resistant to known attacks.
Thus, exploitable algorithm flaws are improbable and key discovery remains the most likely option, even though it is very resource- and time-intensive. Answer C is incorrect. The file cannot be compromised through analysis of a hash value. Knowledge of the original data's hash could in principle be used to recreate the data by guessing candidates and hashing them, but that only works for short inputs: even an eight-character password is a substantial hash-matching (password cracking) job, and extending the approach to a standard document file of a few MB is far beyond the effort of brute force key guessing. A hash of the encrypted file itself provides no useful information about its plaintext content.
A disaster recovery plan (DRP) should focus on restoring mission critical services. Part of the DRP is to ensure that recent data is available for processing once mission critical services are restored. How is data loss addressed in DRP? A Through understanding the RPO B By minimizing recovery time with a small RTO C By implementing redundancies D By avoiding failure with RAID
A. Data loss is addressed in a DRP through understanding the recovery point objective (RPO). The RPO is the maximum amount of data loss that the organization can tolerate before the loss is too great to survive. It is the data-loss counterpart of maximum tolerable downtime (MTD), which is expressed in terms of mission critical process downtime; the RPO is still measured in time, such as a loss of 3 hours, 3 days, or 3 weeks of data. Whatever the organization's RPO is, the backup and recovery scheme (backup frequency, replication, journaling) must be designed and implemented so that recovery can restore data to a point within the RPO. Answer B is incorrect. Data loss in a DRP is NOT addressed by minimizing recovery time with a small recovery time objective (RTO). The RTO is the length of time the disaster recovery policy allows for completing the activities necessary to restore normal operations after a disaster. The RTO should be comfortably shorter than the MTD to leave margin for mistakes, oversights, or unforeseen issues that delay recovery. The RTO can be as short as the organization wishes, as long as it is willing to spend what quicker recovery costs; a shorter RTO usually requires more expenditure on disaster prevention and real-time backups. Answer D is incorrect. Data loss in a DRP is NOT addressed by avoiding failure with RAID. Redundant Array of Independent Disks (RAID) is a disk storage scheme aimed at avoiding downtime, resource loss, or data loss due to storage device failure. Different RAID levels provide varying degrees of drive failure tolerance. RAID may be part of a plan to minimize data loss, but the RPO is the primary concern and driving factor behind any data protection and recovery scheme related to disasters. Answer C is incorrect. Data loss in a DRP is NOT addressed by implementing redundancies.
Redundancies are used to avoid single points of failure and increase uptime. This is an important element in security implementation and avoiding disasters. However, it is not how DRP addresses data loss.
Why are initialization vectors used as common components of encryption algorithms? A They increase the chaos in encrypted output. B They set the speed of the encryption process. C They start the encryption process at a common point. D They determine the range of values into which a block can resolve.
A. Initialization vectors (IVs) are common components of encryption algorithms because they increase the randomness (the exam's "chaos") of the encrypted output. An IV is a random or unique value generated by the encryption routine and combined with the key and plaintext, so that encrypting the same plaintext twice under the same key produces different ciphertext. The IV does not need to be secret and is normally stored or transmitted in the clear alongside the ciphertext; what it must be is unpredictable (for CBC mode) or never reused with the same key (for counter and stream modes). Learning the IV gives an attacker nothing without the key, but a reused or predictable IV lets an attacker recognize that two messages, or two message prefixes, are identical, and in some modes recover plaintext outright. Answer C is incorrect. Starting the encryption process at a common point is NOT what an IV does. The start of an encryption process is the first block of plaintext data; in CBC mode the IV is XORed with that first block before it is encrypted, and the actual value of the IV does not change where encryption starts. Answer D is incorrect. Determining the range of values into which a block can resolve is NOT related to IVs. An IV adds randomness to the ciphertext, but the range of the output is fixed by the block size. Answer B is incorrect. Setting the speed of the encryption process is NOT related to IVs. Speed is determined by the capabilities of the processor, the available RAM, the amount of data to be encrypted, the complexity of the algorithm, and the key length. An algorithm that uses an IV may differ slightly in speed from one that does not, but the value of the IV neither speeds up nor slows down encryption or decryption.
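An added example (not from the original text) showing what a random IV buys in CBC mode. The block cipher here is a toy 8-round Feistel network built from SHA-256, an assumption used only so the code runs without third-party libraries; it is not a real cipher, and the CBC, IV-handling and message-format code around it is also constructed for this example. It demonstrates three things the answer states: with a fixed IV the same message encrypts to the same ciphertext, and two messages sharing a first block share their first ciphertext block; with a fresh random IV they do not; and the IV itself travels in the clear in front of the ciphertext.

```python
import hashlib
import os

BLOCK = 16  # bytes per block


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _round_fn(key, half, i):
    """Feistel round function built from SHA-256 (toy; not a real cipher)."""
    return hashlib.sha256(key + bytes([i]) + half).digest()[:8]


def block_encrypt(key, block):
    left, right = block[:8], block[8:]
    for i in range(8):
        left, right = right, _xor(left, _round_fn(key, right, i))
    return left + right


def block_decrypt(key, block):
    left, right = block[:8], block[8:]
    for i in reversed(range(8)):
        left, right = _xor(right, _round_fn(key, left, i)), left
    return left + right


def cbc_encrypt(key, iv, plaintext):
    """CBC: each plaintext block is XORed with the previous ciphertext block (the IV first)."""
    assert len(plaintext) % BLOCK == 0, "demo skips padding; supply whole blocks"
    out, prev = [], iv
    for off in range(0, len(plaintext), BLOCK):
        prev = block_encrypt(key, _xor(plaintext[off:off + BLOCK], prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key, iv, ciphertext):
    out, prev = [], iv
    for off in range(0, len(ciphertext), BLOCK):
        cur = ciphertext[off:off + BLOCK]
        out.append(_xor(block_decrypt(key, cur), prev))
        prev = cur
    return b"".join(out)


def encrypt_message(key, plaintext):
    """What a real implementation ships: a fresh random IV, sent in the clear with the ciphertext."""
    iv = os.urandom(BLOCK)
    return iv + cbc_encrypt(key, iv, plaintext)


def decrypt_message(key, blob):
    return cbc_decrypt(key, blob[:BLOCK], blob[BLOCK:])


def demo():
    key = os.urandom(16)
    order = b"ATTACK AT DAWN!!" + b"SECOND BLOCK...."      # two 16-byte blocks
    other = b"ATTACK AT DAWN!!" + b"DIFFERENT TAIL.."      # same first block, different second
    zero_iv = bytes(BLOCK)                                 # a fixed IV is as bad as no IV
    fixed_a = cbc_encrypt(key, zero_iv, order)
    fixed_b = cbc_encrypt(key, zero_iv, order)
    fixed_c = cbc_encrypt(key, zero_iv, other)
    rand_a = encrypt_message(key, order)
    rand_b = encrypt_message(key, order)
    return {
        "fixed_iv_same_message_repeats": fixed_a == fixed_b,        # observer learns "same order again"
        "fixed_iv_shared_prefix_leaks": fixed_a[:BLOCK] == fixed_c[:BLOCK],
        "random_iv_same_message_repeats": rand_a == rand_b,         # unrelated on the wire
        "random_iv_roundtrip_ok": decrypt_message(key, rand_a) == order,
        "iv_is_public": rand_a[:BLOCK],                             # visible to anyone; that is fine
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

The lesson transfers directly to real ciphers: with AES-CBC the IV must be unpredictable per message, and with AES-CTR or AES-GCM the nonce must never repeat under one key, but in neither case does it need to be kept secret.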
How does PGP provide e-mail confidentiality? A Through random symmetric keys and the use of public keys B By encrypting the body of a message and sending it as an attachment C Through adopting e-mail standards D Through digital signatures
A. Pretty Good Privacy (PGP) provides e-mail confidentiality through random symmetric keys and the use of public keys. PGP is an add-on to e-mail clients (and to Web-based e-mail) that enables digital signatures and digital envelopes. To gain confidentiality, a random symmetric session key is generated, used to encrypt the message, and then enveloped using the recipient's public key. This is the standard hybrid process for communications confidentiality: asymmetric public key cryptography protects the key, and symmetric cryptography protects the bulk data. Answer D is incorrect. Digital signatures do not provide confidentiality; they provide integrity, authentication, and non-repudiation. To gain confidentiality, a symmetric encryption scheme must be used. Answer B is incorrect. While PGP does use symmetric encryption to protect the confidentiality of the data, it does not need to send the encrypted message as an attachment: classic inline PGP encodes the encrypted data into the body of the e-mail message, and PGP/MIME carries it as MIME parts. Answer C is incorrect. PGP was designed using techniques and formats that were not existing standards. Its keys and certificates use PGP's own packet format rather than X.509 v3, although many applications accept PGP keys as an alternative, and PGP was designed to operate in a web of trust rather than a hierarchical or third-party trust model. The PGP message and key formats were later standardized by the IETF as OpenPGP (RFC 4880), which GnuPG and other implementations follow, but PGP does not obtain confidentiality "through adopting e-mail standards".
What type of information or data is the basis of most forms of modern cryptography, making modern cryptography possible and encryption cracking significantly more difficult? A Randomness B 128-bit block sizes C Key triplet usage D Static keys
A. Randomness is the basis of most forms of modern cryptography. Without randomness, most modern cryptography would not be possible and cracking encryption would be significantly simpler: keys, IVs, nonces, and padding all depend on values an attacker cannot predict. Randomness removes patterns from the ciphertext output and so makes cryptanalysis significantly more difficult; without it, cryptography would be predictable and much easier to break. Answer B is incorrect. The block size of a cryptographic algorithm determines how much data it processes at one time. If all cryptography used 64-bit or 128-bit blocks or some other size, modern algorithms would still work; block size affects efficiency and the amount of data that can safely be encrypted under one key, but it is not what makes cryptography possible. Answer D is incorrect. Static keys are not an essential part of cryptography. Long-lived static keys should be avoided in symmetric cryptography in favour of fresh session keys, and even asymmetric key pairs are only static for a limited period (such as one year), not indefinitely. Fresh, dynamically generated keys, which themselves depend on randomness, are essential; without them cryptography would be weaker. Answer C is incorrect. There is no standard or common form of cryptography founded on key triplets. Cryptosystems are built on shared single keys (symmetric cryptography) or key pairs (asymmetric public key cryptography). Triple DES does apply three DES keys in sequence, but that is a way of extending one algorithm's effective key length, not a distinct basis for cryptography.
What is the Exchange Principle as defined by Dr. Edmond Locard? A Anyone entering or leaving a crime scene will take something with them when they leave and will leave something of themselves behind. B A bit-stream image copy must be performed to make an exact duplicate of evidence files. C Data files must be hashed in order to prove their integrity. D Only original evidence is valid for submission in court.
A. The Exchange Principle, as defined by Dr. Edmond Locard, states that anyone entering or leaving a crime scene will take something with them when they leave and will leave something of themselves behind. It is the foundation of the forensic science of trace evidence in use today. Although Locard formulated the principle in the early twentieth century, it is just as true today for cybercrime as for physical-world crime: it is not possible to interact with a computer system without leaving something behind (log entries, registry changes, file system timestamps, network connections) and taking something with you, even if that something is only information. If those traces are discovered, they can be used as evidence. Answer D is incorrect. The Exchange Principle does NOT state that only original evidence is valid for submission in court. Original evidence is always preferred, but it is not always available: the original may have been lost or destroyed, or may be in the possession of someone who is unwilling to give consent and cannot be legally compelled to provide it. Answer C is incorrect. The Exchange Principle does NOT state that data files must be hashed to prove their integrity. Because data files exist as collections of binary data on storage media, they are intangible, so the primary means of identifying a data file (or the contents of an entire storage device) is a hash calculation. File names, sizes, access dates, and more are still collected, but the hash of a data set is the most important identifier. If everything else about a file remains the same but the hash changes, the evidence has changed; its integrity can no longer be demonstrated and it is likely to be ruled inadmissible. Answer B is incorrect. The Exchange Principle does NOT state that a bit-stream image copy must be made to duplicate evidence files. A bit-stream image copy is distinct from a backup or file copy because more than just the visible files are copied to the target storage device.
A bit-stream image copy duplicates every individual bit on the source drive to the target drive. This includes named normal files, deleted files, the contents of bad sectors, lost clusters, slack space, and anything located in unpartitioned or unallocated space on the storage device.
Which security plan is used to restore normal operations in the event of the full interruption of mission critical business functions? A Disaster recovery plan B Acceptable use policy C Preventative policy D Incident response plan
A. The disaster recovery plan (DRP) is the security plan used to restore normal operations in the event of the full interruption of mission critical business functions. The DRP is triggered when mission critical business functions are completely lost due to some event. Thus, the ability to perform core business functions needs to be restored. The DRP is designed to address the most severe situations and provides a response plan to return to normal operations. Answer B is incorrect. An acceptable use policy (AUP) is NOT used to restore normal operation. The AUP defines what is and is not appropriate to do at work and the consequences of violating those restrictions. Answer C is incorrect. A Preventative policy is NOT used to restore normal operation. There is not a specific policy within the realm of SSCP that is labeled by the phrase of "preventative policy". However, the concept of this type of policy is likely part of many security policies of an organization. The concept is to implement safeguards in order to prevent the occurrence of violations. Answer D is incorrect. An incident response plan is NOT used to restore normal operation. The incident response plan or policy defines how an organization will respond to security violations and intrusions. When mission critical business processes are interrupted by security violations or intrusions, the DRP is still triggered to handle the restoration of business processes.
Which team is made up of members from across the enterprise? A Functional incident response team B Dedicated full-time incident response team C Expert incident response team D Third-party incident response team
A. The functional incident response team consists of a broad range of talents drawn from across the organization. Answers B, C, and D are also types of incident response teams, but they are made up of dedicated full-time personnel, subject-matter experts, or third-party contractors respectively, rather than staff pulled from across the enterprise.
What is the purpose of a business continuity plan (BCP)? A To maintain the ability to perform mission critical work tasks while dealing with harmful events B To define performance requirements and consequences if providers fail to meet quality expectations C To restore mission critical tasks D To train replacement personnel in the event of a senior executive leaving the organization
A. The purpose of a business continuity plan (BCP) is to maintain the ability to perform mission critical work tasks while dealing with harmful events. A BCP is designed to handle minor to moderately damaging events: any interference that does not result in the full and total loss of mission critical operations is addressed by the BCP. If mission critical processes are fully interrupted, the disaster recovery plan (DRP) is triggered. Organizations should have both a BCP and a DRP in order to be prepared for any breach or incident that may occur. Answer C is incorrect. The purpose of a BCP is NOT to restore mission critical tasks. Restoration of mission critical tasks is addressed by the DRP, not the BCP. If mission critical tasks need to be restored, they are not currently operating, which is the definition of a disaster and thus the province of the DRP. Answer D is incorrect. The purpose of a BCP is NOT to train replacement personnel in the event of a senior executive leaving the organization. Training replacement senior executives is known as succession planning. It may be considered part of a BCP and DRP, but it is not the entirety of such plans. Related to succession planning are cross-training and job rotation, which ensure that employees are able to perform a range of tasks or job positions; if someone is away for a few days or leaves the organization, other employees can fill the position or take on the workload until it is refilled. Answer B is incorrect. The purpose of a BCP is NOT to define performance requirements and consequences if providers fail to meet quality expectations. Setting performance requirements and defining consequences for violations is typically done in a service level agreement (SLA). An SLA is a contractual agreement between a customer and a provider of some service or product.
What is the term used to refer to an activity, occurrence, or event which could cause damage or harm to an organization? A Incident B Alarm C Baseline D Clipping level
A. The term incident refers to an activity, occurrence, or event which could cause damage or harm to an organization. To be prepared to respond to incidents, an organization needs an incident response policy that defines what events are considered incidents, which levels of incident require a response, and what type of response the organization can perform. An incident can be defined as any violation of company policy or law; not all policy violations are illegal, and not all warrant a specific response by the incident response team, but every incident should be recorded in audit records and included in regular analysis reports. Answer B is incorrect. An alarm (or warning or alert) is the means of gaining the incident response personnel's attention once an event is recognized as an incident that needs a human response. The alarm can be an audible sound, a text message, a pop-up on a screen, an e-mail, or any other form of quick communication. Answer C is incorrect. A baseline is an established level of normal or expected events and behaviors; when events differ from the baseline, an incident response strategy is triggered. Answer D is incorrect. A clipping level is a defined threshold. Events that do not cross the clipping level are treated as benign or too insignificant to warrant a response; events that cross it warrant a response, so crossing a clipping level is a trigger for an incident response strategy.
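An added example (not from the original text) of a clipping level applied to sample log lines, which also shows how a baseline and a clipping level work together. The sshd-style log lines, the regular expression and the `detect_clipping_level` function are all constructed for the illustration: failed logins from one source are counted within a sliding window, counts below the clipping level are treated as baseline noise and only tallied, and the first crossing of the level raises one alert for that source.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sshd-style log lines for the example (not real log data).
SAMPLE_LOG = """\
2024-05-01T10:00:01 sshd[811]: Failed password for root from 203.0.113.9 port 51000 ssh2
2024-05-01T10:00:03 sshd[811]: Failed password for root from 203.0.113.9 port 51001 ssh2
2024-05-01T10:00:05 sshd[812]: Failed password for invalid user admin from 198.51.100.4 port 40020 ssh2
2024-05-01T10:00:06 sshd[811]: Failed password for root from 203.0.113.9 port 51002 ssh2
2024-05-01T10:00:09 sshd[811]: Failed password for root from 203.0.113.9 port 51003 ssh2
2024-05-01T10:00:12 sshd[813]: Accepted password for alice from 192.0.2.25 port 50010 ssh2
2024-05-01T10:00:15 sshd[811]: Failed password for root from 203.0.113.9 port 51004 ssh2
2024-05-01T10:00:20 sshd[811]: Failed password for root from 203.0.113.9 port 51005 ssh2
2024-05-01T10:02:30 sshd[812]: Failed password for invalid user admin from 198.51.100.4 port 40021 ssh2
"""

FAILED_RE = re.compile(
    r"^(\S+) sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port \d+"
)


def parse_failures(log_text):
    """Yield (timestamp, user, source) for each failed-login line; everything else is skipped."""
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            yield datetime.fromisoformat(m.group(1)), m.group(2), m.group(3)


def failure_counts(log_text):
    """Baseline view: how many failures each source produced over the whole log."""
    return Counter(src for _, _, src in parse_failures(log_text))


def detect_clipping_level(log_text, clipping_level=5, window=timedelta(seconds=60)):
    """Raise one alert per source whose failures within any `window` reach `clipping_level`.
    Failures below the level are ordinary baseline events (mistyped passwords): counted, not alerted."""
    recent = defaultdict(list)           # source -> timestamps still inside the window
    alerts, alerted = [], set()
    for ts, user, src in parse_failures(log_text):
        recent[src] = [t for t in recent[src] if ts - t <= window] + [ts]
        if len(recent[src]) >= clipping_level and src not in alerted:
            alerted.add(src)             # one alert per source; later failures are correlated, not re-alerted
            alerts.append({"src": src, "user": user, "count": len(recent[src]), "at": ts.isoformat()})
    return alerts


if __name__ == "__main__":
    print(failure_counts(SAMPLE_LOG))
    for alert in detect_clipping_level(SAMPLE_LOG):
        print("ALERT", alert)
```

With the defaults, 203.0.113.9 crosses the clipping level on its fifth failure inside the minute and raises one alert, while 198.51.100.4, with two failures more than two minutes apart, stays within the baseline; widening the window or lowering the level changes that verdict, which is exactly the tuning decision an incident response policy has to document.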
Which choice best describes a federation?
An association of nonrelated third-party organizations that share information based upon a single sign-on. A federation is an association of otherwise unrelated organizations that agree to trust one another's authentication: a user authenticates once with a home organization and that single sign-on is honoured by the partner organizations. The distractor describing a federation merely as "a single sign-on technique that allows nonrelated third-party organizations access to network resources" is incorrect; the federation is the trust relationship between the organizations, and single sign-on is what that relationship enables.
Which of the following statements best describes Kerberos?
An authentication, single sign-on protocol. Kerberos is an authentication and single sign-on protocol developed at MIT and named after the mythical three-headed dog that guarded the gates of Hades. Kerberos allows single sign-on in a distributed environment and is used to verify the identity of a user or host. The Kerberos v5 authentication protocol became the default authentication service for Windows domains with Windows 2000, where it is integrated into the administrative and security model and provides secure authentication between domain servers and clients.
Which of the following network monitoring methods can be set within established baselines?
Anomaly-based detection
Which RAID concept writes data to all disks at the same time? A Parity B Striping C Mirroring
B
Which of the following block cipher modes uses a counter for converting plaintext to ciphertext? A CFB B CTR C CBC D OFB
B
Which of the following is a technique used to completely erase a key from an electronic device or a memory module? A Key destruction B Zeroisation C Key revocation
B
Which type of symmetric key algorithm utilizes a key of 32 bits to 448 bits? A RC4 B Blowfish C DES D CAST
B
_________ occurs when one or more individuals or companies conspire to create fraud. A Collision B Collusion C Diffusion D Nonrepudiation
B
What type of event is more likely to trigger the business continuity plan (BCP) rather than the disaster recovery plan (DRP)? A Several users failing to remember their logon credentials B A security breach of an administrator account C A port-scanning event against your public servers in the DMZ D A level 5 hurricane
B. A security breach of an administrator account is the type of event more likely to trigger the business continuity plan than the disaster recovery plan. The compromise of an administrator account can be a serious issue: it can result in lost data and crashed systems. It is more likely to trigger the BCP than the DRP because, in a well-run environment, administrative privileges are compartmentalized, so a single compromised administrator account should not have enough reach to take down all mission critical processes. That reasoning only holds if least privilege is actually enforced; a single account with domain-wide administrative rights is a different matter. Answer D is incorrect. A Category 5 hurricane is powerful enough to damage or collapse most buildings, distribute debris throughout the facility, or cause flooding, especially on lower levels. This type of event is a disaster, causing complete interruption of mission critical processes, so the DRP is needed to resolve it. Answer C is incorrect. While port scanning is not a desired occurrence, it is not in itself a serious concern. A port scan is a systematic interaction with a target to determine the state of some or all of its TCP and UDP ports. Usually a scan is performed so as to give the attacker information without crashing the target or triggering a firewall or IDS response; it causes no damage and so requires neither the BCP, the DRP, nor a formal incident response, although it is reconnaissance worth logging and correlating with later activity. If a scan is run at flooding intensity it may require response and recovery by security staff, but such an event is better labeled a denial of service attack than a port scan. Answer A is incorrect. Users entering incorrect credentials too many times may cause account lockout, which requires them to wait for the lockout timer to expire or to contact the help desk to have their accounts reinstated.
This is not an issue at a level to require incident response, much less the BCP or DRP.
What is the correct description of a certificate? A A certificate contains the owner's private key. B A certificate contains the owner's public key. C A certificate contains the owner's symmetric key. D A certificate always contains a user's key.
B. Certificates always contain the owner's public key. Answer A is incorrect because private keys are private. Answer C is incorrect because certificates do not have anything to do with symmetric keys. Answer D is incorrect because there is no such thing as a user's key.
How should countermeasures be implemented as part of the recovery phase of incident response? A As defined by the current security policy B As determined by the violation that occurred C During next year's security review D Based on the lowest cost among available options
B. Countermeasures should be implemented as part of the recovery phase of incident response as determined by the violation that occurred. Countermeasures are deployed to prevent reoccurrence. Once a violation has taken place, new information is available that should be used to make the best determination as to which countermeasure to deploy. Countermeasures should be selected based on their ability to prevent or reduce the occurrence of a repeat violation. Answer A is incorrect. Countermeasures should NOT be implemented as defined by the current security policy. The current security policy was insufficient to prevent a violation. Thus, staying with the security plan that failed is not good security management. New countermeasures should be selected based upon the newly understood need to address a weakness in the existing environment. This in turn should be used to improve and upgrade the security policy and installed security infrastructure. Answer C is incorrect. Countermeasures should NOT be implemented during next year's security review. Countermeasures appropriate to prevent a re-occurrence should be implemented promptly. Waiting any significant period of time will leave the vulnerability to be discovered and exploited by other attackers. Any change to a production environment should be evaluated in a lab or pilot environment and then approved by a change approval board before being rolled out. However, these activities should take place across days or weeks, not be delayed until next year. Answer D is incorrect. Countermeasures should NOT be implemented based on the lowest cost amongst available options. Countermeasures should be selected that are the most effective based on the known vulnerability. Budget constraints can be a serious limitation for many organizations. Fortunately, many countermeasures are not expensive. In fact, many countermeasures consist of reconfiguring existing hardware and software. When new purchases must be made to obtain effective countermeasures, then the cost/benefit equation should be used to determine which option provides the most benefit for the cost to acquire. The lowest cost option may not provide sufficient protection against the known threat.
In the realm of incident response, what is the purpose of the recovery phase? A To prevent the spread of an infection or harm caused by an intrusion B To restore the environment back to normal operating conditions C To assemble an incident response team D To remove the offending element from the environment
B. In the realm of incident response, the purpose of the recovery phase is to restore the environment back to normal operating conditions. A typical incident response policy involves several key steps, including preparation, detection, notification, containment, eradication, recovery, and feedback review. The recovery phase can include the installation of new countermeasures to prevent the re-occurrence of the violation. Answer D is incorrect. Eradication is the removal of the offending element from the environment. Eradication typically occurs immediately after containment. To some extent, eradication will prevent further damage, but its primary goal is to remove the offending element in order to prevent it from being re-used or allowing the attack to be repeated. Answer C is incorrect. Assembling an incident response team is part of the preparation phase. Answer A is incorrect. Containment is the incident response phase which has the goal of preventing further damage to the organization from a known incident. Containment can include disconnecting affected systems, disabling software or hardware, disconnecting the Internet link, and removing a suspect from the environment.
What is the term used for the range of values that can be used to control the symmetric encryption function while converting plaintext into ciphertext? A Key length B Key space C Block size D Rounds
B. Key space is the range of values that can be used to control the symmetric encryption function while converting plaintext into ciphertext. The key space is every value between a key of all zeros and a key of all ones. A key is a binary number used to control the encryption and decryption processes of symmetric encryption. (Note: asymmetric encryption may use key pair sets, which are also just binary numbers.) Keys should be selected at random, never repeated, and from the full spectrum of the key space. Answer C is incorrect. The block size is the amount of data that is processed by an encryption or decryption operation at one time. Encryption processes are unable to perform their transformation functions on large data sets, so data is broken up into sections or blocks. Each block is processed individually, and then the results are concatenated for the final result. Older algorithms typically use 64-bit blocks, while newer algorithms (since the late 1990s) often use 128-bit blocks. Answer D is incorrect. The term rounds refers to the number of times an internal operation of encryption is performed on a block of data before its final result is output. Many algorithms use multiple rounds or encryption iterations to increase the complexity and chaos in the encrypted result. For example, Advanced Encryption Standard (AES) with a 128-bit key performs 10 rounds of internal operations before outputting the encrypted block. Answer A is incorrect. Key length is the number of bits in the length of a key. So, a 128-bit key has 128 individual digits in its length, each of which can be either a one or a zero. The longer the length, the larger the key space; but the key space is the range of values that the key can take, while length is the number of bits in the key.
Which choice is not a proper method of managing keys? A Keys frequently in use should be replaced frequently. B Keys may be sent to and reused by a different department. C Memory locations of keys should be overwritten seven times. D Key expiration dates should be carefully monitored.
B. Keys are never reused by different departments. Answers A, D, and C are all activities that represent appropriate methods to manage keys.
What is the term used to describe the process of a certificate authority extending the expiration date of a digital certificate? A Reissue B Renewal C Suspension D Revocation
B. Renewal is the process by which a certificate authority (CA) extends the expiration date of a digital certificate. This must be performed before the certificate expires, since once the expiration date has passed, the X.509 v3 standard does not allow the expired certificate (specifically its serial number) to be used ever again. If renewal is requested and approved by the CA prior to expiration, then a revised certificate is generated with a new expiration date, which in turn will alter its hash value (also known as the certificate fingerprint or thumbprint). Answer A is incorrect. Reissue is the only option available to the site owner once his certificate has expired. The expiration date set on digital certificates is a hard termination date. After that point in time, the certificate is not valid and will not be supported or respected by the issuing certificate authority or any end-point device. The X.509 v3 certificate standard dictates that expired certificates are not reusable and their serial numbers must never be recycled. The only option is reissue, which is to repeat the issuance process to obtain a new certificate. The process is nearly the same as the process for obtaining a certificate the first time, with the exception that you already have an account on the certificate authority's Web site. The term reissue can be confusing because it seems to imply that a certificate authority could publish the certificate again with a modified expiration date. The rules of X.509 v3 prevent this action, so re-performing the full new issuance process is the only option. Answer D is incorrect. Revocation is the term used to describe the event of a CA canceling an issued digital certificate. Reasons for revocation include that the certificate was used in a crime, the user violated the terms of service, or the user changed some aspect of their identity which was being verified by the certificate. Answer C is incorrect. Suspension is the means by which a certificate can be temporarily disabled without fully causing it to be revoked. This would allow the Web site owner to take his site offline for a period of time and still be able to return after a few months to the same digital-certificate-based identity. Suspension adds the serial number of the digital certificate to the certificate authority's certificate revocation list (CRL), but in a special subsection named suspension. Thus, during the suspension timeframe, the digital certificate is treated as if it were revoked, but it can be returned to normal use. Placing a digital certificate in suspension does not affect its expiration date. Thus, if suspension lasts for three months, then that length of valid use time is lost or sacrificed for the benefit of temporary suspension.
Which disaster recovery/emergency management plan testing type is considered the most cost-effective and efficient way to identify areas of overlap in the plan before conducting a more demanding training exercise? A Full failover test B Structured walk-through test C Tabletop exercise D Simulation test
B. A structured walk-through test is both cost-effective and efficient. It involves gathering all the plan participants into a conference room and discussing the roles and activities that are assigned to each person, and individuals may role-play their assigned activities. Only these staff members have purchasing authority. Answer A is incorrect. A full failover test is a very expensive test. Full failover testing is a backup operational technique, which makes the system able to assign extra resources and to move operations to back-up systems. Answers C and D are incorrect. Tabletop exercise and simulation test are types of tests. Tabletop exercises analyze roles and responsibilities and identify additional campus mitigation needs. In the simulation test, all the steps that are followed for a real emergency are followed, as instructed by the continuity plan leader.
What is the logical network topology of Ethernet when deployed in a physical star wiring layout?
Bus. Ethernet always has a logical network topology of a bus. Logical network topology is not dependent upon or altered by physical network topology. Ethernet was designed when the only network topology type was a bus. Originally, Ethernet-connected devices were linked in a series or a chain along a single cable pathway. Communications along the cable chain were relayed by each device until the recipient received the communication. Over time, the bus of Ethernet was hidden inside the box of a device known as a hub. A hub contains the bus, but instead of the systems being connected like links in a chain, external cable segments are used to connect the systems to points along the bus within the hub. This allows for the cable segments to be deployed in a physical star topology (similar to the shape of a starfish), while still maintaining the logical topology of a bus. This hidden bus concept remains true even with the deployment of switches. A switch still contains a miniature bus; however, it manages communications by MAC addresses rather than functioning as a simple multi-port repeater. Answer C is incorrect. Ring topology is a key component in Token Ring and Fiber Distributed Data Interface (FDDI). A ring topology is a bus that has been looped back onto itself to form a ring instead of a straight path. Similar to Ethernet, Token Ring can be deployed as a physical star. The equivalent of an Ethernet hub is a Token Ring multistation access unit (MAU). An MAU has a miniature ring inside with ports connected around its circumference. This allows for cable segments to be deployed in a physical star topology while maintaining the logical topology of a ring. Answer A is incorrect. Star topologies exist as a physical topology, not a logical topology. While Ethernet (and Token Ring) can be deployed as physical stars, Ethernet is always a logical bus topology. Answer B is incorrect. Mesh topologies are deployments of connections where multiple pathways between end-points are established. A full mesh has all possible pathways established, while a partial mesh is any wiring pattern with fewer links than a full mesh but more links than a star. Mesh topologies are only physical topologies. Ethernet networks can be deployed with a physical topology of a mesh.
How does IPSec verify that data arrived at the destination without intentional or accidental corruption?
By using a randomized hashing operation. The VPN protocol of IPSec verifies that data arrived at the destination without intentional or accidental corruption (i.e. verifies integrity) by using a randomized hashing operation known as HMAC. Hash-based Message Authentication Code (HMAC) is a hashing mechanism that uses hashing algorithms along with a symmetric key to produce more robust hash digests. HMAC can use any standard hashing algorithm, such as MD5, SHA-1, or SHA-2, and modifies their process by integrating random values. The values are derived from a symmetric key, which serves as a random input. Answer D is incorrect. Public key encryption is NOT how IPSec verifies integrity. Public key cryptography is used as part of both AH and ESP. Authentication Header (AH) is responsible for establishing the initial connection and the authentication of endpoints. Encapsulating Security Payload (ESP) is the bulk encryptor of an IPSec VPN. Both AH and ESP use the keys managed by IKE. Internet Key Exchange (IKE) is the component of IPSec that handles key generation and distribution. IKE is comprised of three components: Oakley, SKEME, and ISAKMP. Oakley assists with key generation, Secure Key Exchange Mechanism (SKEME) is a mechanism to exchange keys securely, and Internet Security Association Key Management Protocol (ISAKMP) maintains unique security associations for each IPSec VPN. Both AH and ESP use hybrid cryptography, which is a combination of symmetric cryptography and asymmetric public key cryptography. Answer A is incorrect. Symmetric key exchange is NOT how IPSec verifies integrity. Symmetric keys are used by both AH and ESP. Answer B is incorrect. Compression technology is NOT how IPSec verifies integrity. IP Compression (IPComp) is used to pre-compress data prior to being encrypted by ESP. This assists in speeding up the encryption process towards the goal of maintaining wire speed transmission.
Which is the first phase of the incident response plan? A Respond B Analyze C Prevent and protect D Detect
C
Which of the following block cipher modes does not use XOR technique to convert plain text to cipher text? A Cipher feedback B Cipher block chaining C Electronic codebook D Counter
C
Which of the following keys is a one-time key generated at the time of need for a specific use or for use in a short or temporary time frame? A Escrow B Recovery C Ephemeral D Session
C
Which term is used to describe the role of the person who takes physical control of a crime scene in order to preserve evidence and prevent tampering before the full forensics team arrives? A Senior management B CIRT C First responder D BCP team
C. A first responder is the person who takes physical control of a crime scene in order to preserve evidence and prevent tampering before the full forensics team arrives. The goal of the first responder is to preserve evidence. A first responder might be an organizational staff member, a non-forensically trained law enforcement officer, or a forensics lab employee who arrives on the scene before the full forensics team. A first responder should stop all use of items and equipment in the area, remove all personnel from the area, and preserve the crime scene until the full forensics team arrives. Answer D is incorrect. The person who takes physical control of a crime scene is NOT a business continuity planning (BCP) team member. BCP team members do not have the role of securing a crime scene. BCP team members focus on understanding the threats to business processes, implementing preventative strategies, and designing response and recovery solutions to address anything that might partially or fully interrupt business tasks. Answer B is incorrect. The person who takes physical control of a crime scene is NOT the computer incident response team (CIRT). CIRT members do not have the role of securing a crime scene. CIRT members focus on stopping or containing attacks, removing any offending elements, and then restoring the environment back to normal conditions promptly. Thus, the CIRT has a goal of restoring normal operations. This is often in conflict with the goal of forensics, which aims at preserving evidence. Answer A is incorrect. The person who takes physical control of a crime scene is NOT senior management. Senior management does not have the role of securing a crime scene. Senior management's role is to guide and lead the organization. Individuals who may have the roles of BCP team member, CIRT member, or senior management might be called upon to serve as a first responder. But when asked to do so, they take on the role of first responder to accomplish that task. Thus, their standard organizational roles are independent of the role of a first responder.
Which of the following is NOT a component of a cipher suite used by TLS? A Symmetric encryption B Asymmetric algorithm C Rotation cipher D Key exchange mechanism
C. A rotation cipher is NOT a component of a cipher suite used by Transport Layer Security (TLS). TLS is the current standard for encryption used at the transport layer of the OSI model protocol stack to protect application layer protocols and their payloads. TLS has replaced the original Secure Sockets Layer (SSL). Both TLS and SSL use cipher suites. Cipher suites are the parameters set by Web browsers which define the supported encryption options that can be negotiated during the establishment of a TLS protected connection. A cipher suite is comprised of four main components: a key exchange algorithm, an asymmetric system for authentication, a symmetric encryption algorithm, and a hashing algorithm. Answer B is incorrect. An asymmetric algorithm is a component of a cipher suite. Answer A is incorrect. A symmetric encryption algorithm is a component of a cipher suite. Answer D is incorrect. A key exchange mechanism is a component of a cipher suite.
What is the name of the process used to replace an old asymmetric key pair set with a new key pair set? A Key generation B Key exchange C Key rotation D Key escrow
C. Key rotation is the name of the process used to replace an old asymmetric key pair set with a new key pair set. An asymmetric key pair set is comprised of a public key and a private key. The system that uses these keys is known as public key cryptography. While public key cryptography key pair sets are crafted to be used multiple times, they are not intended to be used indefinitely. Thus, on a regular periodic basis, the current set of keys, which have been used for a set time frame, should be replaced or rotated out by a newly generated key pair set. Answer B is incorrect. Key exchange is the process of securely distributing a key between one communication entity and the other. This can be accomplished by using an asymmetric public key-based digital envelope (which is created using the recipient's public key) or with an asymmetric key generation mechanism, such as Diffie-Hellman. Answer A is incorrect. Key generation is the crafting of new keys. Most new keys are generated using a complex process which is based on random numbers. In an asymmetric public key system, the private key is generated at random; then the public key is derived from the private key in order to link them together as a key pair. Answer D is incorrect. Key escrow is the storage of encryption keys in a backup or archive database which is held by a third party. A key escrow may be used in the event of recovery or during an investigation.
A man-in-the-middle (MITM) attack occurs when a victim, typically a client, is fooled by a modified resolution process into initiating a connection with a third-party attacker rather than directly to their intended resource host. Which of the following is NOT a technique that can be used to initiate an MITM attack? A ARP poisoning B DNS spoofing C Password guessing D Proxy manipulation
C. Password guessing is NOT a technique used in MITM attacks. Password guessing is often used as part of an impersonation or system access attack. DNS spoofing, ARP poisoning, and proxy manipulation are all potential elements that can be used in an MITM attack. In addition to these three, other techniques include MAC flooding, DHCP abuse, HOSTS file manipulation, authoritative DNS server attack, caching DNS server attack, and DNS server address changing. Each of these MITM attack concepts focuses on abusing some form of resolution to fool a victim into initiating a connection with a third-party attacker rather than directly to their intended resource host. The DNS forms of attack focus on altering the resolution of a fully qualified domain name (FQDN) into an IP address. This can be accomplished by planting a static false entry in the local HOSTS file, changing the original zone file definition on the authoritative DNS server, populating the memory of a caching DNS server with invalid zone file information, altering the DNS server address used by a system to perform queries in order to force queries to a rogue DNS server, or intercepting DNS queries on the way to a valid DNS server in order to send back a spoofed reply. The ARP poisoning-based MITM attack attempts to abuse a switch. An attacker monitors the network for ARP requests. An ARP request is a system's request to determine the MAC address of a system that is using a specific IP address. When the attacker sees an ARP request, this attack sends a false ARP reply indicating the requested IP address is linked to the attacker's MAC address instead of the valid system's MAC address. ARP poisoning attacks are limited to situations where the client, server, and attacker are all within the same Ethernet broadcast domain (i.e. typically across the same switch or within the same subnet). Proxy manipulation-based MITM occurs when the proxy settings of an individual client (when a non-transparent proxy is in use) or the routing to the proxy (when a transparent proxy is in use) are manipulated in order to redirect traffic to an attacker-controlled rogue proxy server.
What is the bit-length, hash-digest output of the SHA-1 hashing algorithm? A 128 B 224 C 160 D 64
C. The bit-length, hash-digest output of the SHA-1 hashing algorithm is 160 bits. Secure Hashing Algorithm 1 (SHA-1) was set as a National Institute of Standards and Technology (NIST) Federal Information Processing Standards (FIPS) standard (specifically FIPS PUB 180-4 CRYPTREC). SHA-1 is no longer considered a recommended hashing algorithm as more robust algorithms are available, such as SHA-2 and SHA-3. While the SSCP exam may still mention SHA-1 in its questions, SHA-2 and SHA-3 will be more common in everyday real-world use. For example, all digital certificates issued since 1/1/2016 use SHA-2 rather than SHA-1. Answer B is incorrect. 224 is the bit length of the SHA-224 member of the SHA-2 family. Each of the SHA-2 family members includes its hash digest bit length output in its name. The SHA-2 family includes SHA-224, SHA-256, SHA-384, and SHA-512. The latest revision, SHA-3, released in Aug 2015, uses the same hash digest bit length outputs, specifically: SHA3-224, SHA3-256, SHA3-384, and SHA3-512. Answer A is incorrect. 128 is the hash digest bit length output of MD5. Answer D is incorrect. There are no widely used or known hash algorithms with a 64-bit output. Instead, this is a common block size for older symmetric algorithms, such as DES.
An initialization vector (IV) when used in a cipher block mode serves what purpose? A Ensures that the code is repetitive B Enhances the strength of an owner's public key C Adds to the encryption power of a password or key D Increases the speed of computations
C. The initialization vector adds to the power of a password or key so that the same text encrypted by the same key will not create the same ciphertext. It creates complexity during the encryption process. Answer B is incorrect. An initialization vector is not used with an owner's public key. Answer A is incorrect. An initialization vector should create an environment where a code is not repetitive. Answer D is incorrect. An initialization vector has nothing to do with speed.
What version of AES is used by WPA-2?
CCMP. The version of Advanced Encryption Standard (AES) that is used by WPA-2 is Counter Mode Cipher Block Chaining Message Authentication Code Protocol (CCMP). AES is a block cipher, which means it is appropriate for use to encrypt data-at-rest, i.e. data being stored. Wireless is a communications mechanism that requires an encryption algorithm suitable for encrypting data-in-transit. The CCMP version of AES was created for use by WPA-2, and is effectively a stream cipher. Answer A is incorrect. Transport Layer Security (TLS) is an encryption system for application layer protocols. Answer B is incorrect. Dynamic Host Configuration Protocol (DHCP) is a mechanism for assigning IP addresses to systems. Answer D is incorrect. Rivest Shamir Adleman (RSA) is an asymmetric public key cryptography system.
When a storage device is taken in as evidence, what is the first step performed by the forensic personnel after starting the chain of custody form and writing out the evidence collection form? A Write an evidence header file to the storage device. B Make a hash calculation of the contents. C Connect the device to a write blocker. D Create a bit-stream image copy.
C. When a storage device is taken in as evidence, the first step performed by the forensic personnel after starting the chain of custody form and writing out the evidence collection form is to connect the device to a write blocker. The purpose of a write blocker is to physically block the signals from a computer to the storage device that would cause a change to the data on that storage device. A physical write blocker does not have the electronic pathways connected that would send write signals to the drive; only read requests are sent to the storage device. A write blocker is used as additional insurance against accidental evidence corruption. Answer B is incorrect. The first step is NOT to make a hash calculation of the contents. This is an important step, but it should be performed after connecting the suspect's storage device to the forensic workstation via a write blocker. A hash calculation should then be the next immediate step to take after connecting the write blocker. Standard forensic processes would then be followed to create either a bit-stream image copy or a file copy of the evidence to two forensically cleaned target storage devices. Once the duplication is completed, hash calculations would be repeated on the original drive, and hash calculations performed on the target copies. The before, after, and clone hashes will be compared. If they are all the same, then the original and the copies are the same and the original retained its integrity. If the hashes are different, then something about the cloning or capturing process failed. Answer D is incorrect. The first step is NOT to create a bit-stream image copy. The proper first step is to connect the storage device to a write blocker. Once that is accomplished, then the data is hashed, copied, then hashed again. However, bit-stream copying is not the only method used to create copies of evidence. In some situations a file-by-file copy of evidence is sufficient. Answer A is incorrect. The first step is NOT to write an evidence header file to the storage device. Never under any circumstances write to or otherwise modify evidence.
When crafting a digital signature, what are the initial steps in the process performed by the sender? A Sign the message with the recipient's public key. B Encrypt the message with a symmetric key. C Hash the message, and then encrypt the digest with the private key. D Hash the message, and then encrypt the message with the private key.
C. When crafting a digital signature, the initial steps in the process performed by the sender are to hash the message and then encrypt the digest with the private key. The actual message is not changed or affected by the crafting of a digital signature. The digital signature is the sender's private key encrypted hash of the message. The message is sent along with the digital signature. A recipient will need to obtain the sender's public key in order to decrypt or open the digital signature to extract the sender's original hash digest. The recipient then hashes the received data and compares the before and after hash digests. If the before and after hash digests are the same, then integrity of the message is verified, which in turn means the correct sender's public key was used, thus proving the identity of the sender. This, in turn, proves that the sender's private key was used to create the signature, which provides non-repudiation. Answer B is incorrect. Digital signatures do NOT encrypt the message with a symmetric key. Digital signatures are based on hashing and public key cryptography, not symmetric cryptography. Encrypting the message with a symmetric key provides for confidentiality protection. Answer D is incorrect. Digital signatures do NOT hash the message and then encrypt the message with the private key. This is not the correct means to create a digital signature or a digital envelope. A digital signature is the hash digest of a message encrypted by the sender's private key. A digital envelope is created by the recipient's private key. A digital envelope is commonly used when sending encrypted messages. The process begins with the sender generating a random symmetric key to encrypt a message, and then enveloping the symmetric key using the recipient's public key. This technique ensures that only the recipient can open the digital envelope containing the symmetric key using their unique private key. Answer A is incorrect. Digital signatures do NOT sign the message with the recipient's public key. This is not the correct means to create a digital signature or a digital envelope. A digital signature is the hash digest of a message encrypted by the sender's private key. A digital envelope is created by the recipient's private key. A digital envelope is commonly used when sending encrypted messages. The process begins with the sender generating a random symmetric key to encrypt a message, and then enveloping the symmetric key using the recipient's public key. This technique ensures that only the recipient can open the digital envelope containing the symmetric key using their unique private key.
What is the certificate standard used by PKI? A X.500 B IEEE 802.11n C X.509 v3 D IEEE 802.1q
C. X.509 v3 is the certificate standard used by PKI. X.509 v3 is the standard used by most certificate-based cryptography and authentication systems, including TLS. Other certificate formats exist, such as OpenPGP keys and certificates, but they are built for a web-of-trust model rather than the hierarchical PKI described here and are not supported by the certificate infrastructure used for TLS. X.509 v3 certificates are issued by third-party certificate authorities (CAs) in a hierarchical trust structure. A CA is a third party because it facilitates trust between two other parties: a primary (such as a client) and a secondary (such as a server). The trust is hierarchical because it is organized with a single root CA at the top of the trust structure, potentially numerous levels of subordinate or intermediate CAs below it, and the end-entity (customer or client) certificates at the bottom. Answer D is incorrect. IEEE 802.1Q is the standard for VLAN tags. A VLAN tag is an additional field inserted into an Ethernet frame header to communicate the VLAN membership of a frame as it crosses a trunk link. A trunk is a link between switches (or between a switch and a router) that carries traffic for multiple VLANs at once, so the tag tells the receiving device which VLAN each frame belongs to. Answer B is incorrect. IEEE 802.11n is a wireless communications standard, ratified in 2009, that defines how the 2.4 GHz and 5 GHz bands can be used to support throughput of up to 600 Mbps. Answer A is incorrect. X.500 is a standard governing the organization and operation of directory services. A directory service is similar to a telephone book in that it stores and organizes information about resources and their hosts within a private network; X.509 certificates take their naming convention (the distinguished name) from X.500, which is why the two are easily confused.
Which of the following is a media access control protocol used to communicate in an organized manner on a type of media?
CSMA/CD (Carrier Sense Multiple Access with Collision Detection), the media access control method of classic shared-medium Ethernet: a station listens before transmitting, transmits when the medium is idle, and backs off for a random interval if it detects a collision.
Which cryptography concept is based on trap-door, one-way functions? A Hashing B Steganography C Symmetric D Asymmetric
D. Asymmetric is the cryptography concept that is based on trap-door, one-way functions. Most asymmetric cryptography is known by the name public-key cryptography. Public-key cryptography is a system based on a key pair comprising a public key and a private key. The private key is generated through a random process, and the public key is then derived from the private key. The result is a system in which, when one key of the pair is used to encrypt data, only the other key in the pair can decrypt it. This property comes from the use of trap-door, one-way mathematical functions in the algorithms. A one-way function is a mathematical process that is easy to compute in one direction but very difficult or infeasible to reverse. A trap-door, one-way function is a one-way function that cannot be directly inverted, but which can be reversed with knowledge and possession of an additional secret (the trap door). Each key in public key cryptography can be used to perform the one-way operation, while the opposite key serves as the trap door that reverses it. Answer C is incorrect. Symmetric cryptography is based on key-controlled reversible algorithms, not trap-door, one-way functions: the same key that encrypts also decrypts. Answer A is incorrect. Hashing is a one-way function with no trap door and no key. The only means of "reversing" a hash is to guess candidate inputs, hash each guess, and check whether the result matches the target hash. This guessing process is long and tedious, and it becomes harder as the set of possible inputs grows. Answer B is incorrect. Steganography is the concept of hiding communications within other communications. A common example of steganography is to embed text inside an image file through manipulation of pixel colors.
Steganography can take advantage of any form of cryptography, or use no cryptography at all and rely on clever encoding tricks instead. Steganography is not based on trap-door, one-way functions, although it might take advantage of them by applying asymmetric public key cryptography to the hidden payload.
Which means of authentication is NOT supported by IPSec? A Static password B Digital certificate C NTLM D Biometrics
D. Biometrics is a means of authentication NOT supported by IPSec. Specifically, during the setup and session establishment phase of IPSec, biometric-based authentication is NOT supported. IPSec does support static password (pre-shared key), NTLM, and digital certificate-based authentication during the session establishment phase. The authentication at this stage of the connection is used to prove or verify the endpoint devices, rather than the users or applications that will take advantage of the secure communications link once it is established. Once the IPSec tunnel is established, user authentication to services and resource hosts can take place over it using any authentication factors, including biometrics.
Which term is used for the parameters set by web browsers that define the supported encryption options negotiated during the establishment of a TLS-protected connection? A AAA services B Key pairs C Key escrow D Cipher suites
D. Cipher suite is the term used for the parameters set by Web browsers that define the supported encryption options negotiated during the establishment of a TLS-protected connection. A cipher suite comprises four main components: a key exchange algorithm, an asymmetric algorithm for authentication, a symmetric (bulk) encryption algorithm, and a hashing algorithm. An example of a cipher suite is TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, which names ECDHE key exchange, ECDSA authentication, AES-128 in GCM mode, and SHA-256. (TLS 1.3 suite names, such as TLS_AES_128_GCM_SHA256, list only the cipher and hash, because key exchange and authentication are negotiated separately in that version.) Answer B is incorrect. Key pairs are NOT used by Web browsers to define their supported encryption options. Key pairs are a mechanism used by public key cryptography. Answer C is incorrect. Key escrow is the storage of encryption keys in a backup or archive database held by a third party. A key escrow may be used in the event of recovery or during an investigation. Answer A is incorrect. AAA services are the combination of authentication, authorization, and accounting. AAA services are standard security mechanisms used to manage users, software, systems, organizations, and more. AAA services are not used by Web browsers to define their supported encryption options.
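The following Go program is an added example and is not part of the original study material. It splits a suite name into the four components described above, handles TLS 1.3 names (which carry only the cipher and hash), checks a name against the lists of secure and insecure suites in Go's own crypto/tls package, and shows a server-side configuration that pins negotiation to TLS 1.2 or later with forward-secret AEAD suites. The suite names are the IANA names; nothing else is assumed.

```go
package main

import (
	"crypto/tls"
	"errors"
	"fmt"
	"strings"
)

// SuiteParts is the decomposition of an IANA cipher-suite name into the
// four components listed in the answer: key exchange, authentication, bulk
// cipher, and hash (used for the PRF and, for non-AEAD suites, the MAC).
type SuiteParts struct {
	KeyExchange string
	Auth        string
	Cipher      string
	Hash        string
}

// parseSuite splits TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 into
// ECDHE / ECDSA / AES_128_GCM / SHA256. TLS 1.3 names such as
// TLS_AES_128_GCM_SHA256 have no "_WITH_" part: they name only the AEAD
// cipher and hash because key exchange and authentication are negotiated
// through separate extensions, so those two fields are left empty.
func parseSuite(name string) (SuiteParts, error) {
	if !strings.HasPrefix(name, "TLS_") {
		return SuiteParts{}, fmt.Errorf("not a TLS cipher-suite name: %q", name)
	}
	body := strings.TrimPrefix(name, "TLS_")
	var p SuiteParts
	cipherHash := body
	if i := strings.Index(body, "_WITH_"); i >= 0 {
		kxAuth := strings.SplitN(body[:i], "_", 2)
		p.KeyExchange = kxAuth[0]
		p.Auth = kxAuth[0] // e.g. TLS_RSA_WITH_...: RSA does both jobs
		if len(kxAuth) == 2 {
			p.Auth = kxAuth[1]
		}
		cipherHash = body[i+len("_WITH_"):]
	}
	j := strings.LastIndex(cipherHash, "_")
	if j <= 0 || j == len(cipherHash)-1 {
		return SuiteParts{}, errors.New("malformed cipher-suite name: " + name)
	}
	p.Cipher = cipherHash[:j]
	p.Hash = cipherHash[j+1:]
	return p, nil
}

// classify reports how Go's own TLS stack rates a suite by name:
// "secure", "insecure" (still implemented for compatibility), or "unknown".
func classify(name string) string {
	for _, s := range tls.CipherSuites() {
		if s.Name == name {
			return "secure"
		}
	}
	for _, s := range tls.InsecureCipherSuites() {
		if s.Name == name {
			return "insecure"
		}
	}
	return "unknown"
}

// hardenedServerConfig is the server-side counterpart of the browser's
// parameters: TLS 1.2 as a floor and only ECDHE (forward-secret) AEAD suites.
// TLS 1.3 suites are not listed because Go does not let them be configured.
func hardenedServerConfig() *tls.Config {
	return &tls.Config{
		MinVersion: tls.VersionTLS12,
		CipherSuites: []uint16{
			tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
			tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
			tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
			tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
		},
	}
}

func main() {
	for _, n := range []string{
		"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
		"TLS_RSA_WITH_RC4_128_SHA",
		"TLS_AES_128_GCM_SHA256",
	} {
		p, err := parseSuite(n)
		fmt.Printf("%s -> %+v (err=%v) rated %s\n", n, p, err, classify(n))
	}
}
```

Note that the name alone is not a security verdict: a suite such as TLS_RSA_WITH_AES_128_GCM_SHA256 uses a modern cipher but static RSA key exchange, so it offers no forward secrecy; that is why the hardened configuration keeps only the ECDHE suites.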
What component of IPSec provides for the support of multiple simultaneous VPNs? A SKEME B IPComp C ESP D ISAKMP
D. Internet Security Association Key Management Protocol (ISAKMP) is the component of IPSec that provides for the support of multiple simultaneous VPNs. ISAKMP maintains unique security associations for each IPSec VPN. Technically, each IPSec VPN uses two security associations, one for each direction of traffic. A security association (SA) is the collection of cryptographic attributes for a connection, such as the algorithm, its mode, related communication parameters, and encryption keys. It is a little like a digital security key ring. ISAKMP can maintain multiple pairs of SAs, thus providing for multiple simultaneous VPNs. Answer C is incorrect. Encapsulating Security Payload (ESP) is the bulk encryptor of an IPSec VPN. ESP is not responsible for supporting multiple simultaneous VPNs. Answer B is incorrect. IP Compression (IPComp) is used to pre-compress data prior to its being encrypted by ESP. This assists in speeding up the encryption process towards the goal of maintaining wire-speed transmission. IPComp is not responsible for supporting multiple simultaneous VPNs. Answer A is incorrect. Secure Key Exchange Mechanism (SKEME) is a mechanism to exchange keys securely. SKEME is not responsible for supporting multiple simultaneous VPNs.
Which of the following is not a symmetric encryption algorithm? A DES B Twofish C AES D RSA
D. RSA is a widely used asymmetric algorithm, based on the difficulty of factoring the product of two large primes. Answers A, B, and C (DES, Twofish, and AES) are all symmetric block ciphers.
What is the most appropriate use of IPSec? A Database protection B Processing encryption C Storage encryption D Data transmission protection
D. The most appropriate use of IPSec is data transmission protection. IPSec is an encryption protocol suite that was designed alongside IPv6 and back-ported as an add-on to IPv4. Since IPSec is a communications security protocol, its only use is to secure data in transit. Answer C is incorrect. Because IPSec protects data only while it is moving between two endpoints, it does nothing for data at rest; file- or whole-drive encryption solutions should be used to protect storage. Answer B is incorrect. IPSec does not encrypt data while it is actively being processed in memory. Answer A is incorrect. Database encryption can be implemented with an encryption scheme designed for databases (column- or tablespace-level encryption), or with standard file- or drive-level encryption applied to the files that make up the database.
A certificate authority (CA) system is used to verify the identity of its customers. The CA system allows general Internet users to access online resources and have some level of knowledge about who the entities are that are hosting online content. For example, a user can be confident in the identity of an online shopping site while making a purchase. How is this benefit of verified identity achieved? A Transitive trust B Peer trust C Independent assignment of trust D Trusted third-party
D. Trusted third-party is the means by which a certificate authority (CA) system is able to provide the benefit of verified identity. The CA acts as a third party between the end user, who is the first party, and the server or resource host, which is the second party. On their own, the user and server may not be able to trust each other's identity, so they employ the service of a trusted third party, the CA. The CA verifies the identity of its customers, such as the server, and issues a digital certificate to the customer, in this case the server. The server then presents the digital certificate to its visitors, such as the end user. If the end user trusts the CA that issued the digital certificate, then the user can be assured of the identity of that server, at least to the extent that the CA itself is trustworthy and actually verified the identity. Answer B is incorrect. A peer trust does not verify identity. Instead, a peer trust can only ensure consistency of communications through repeated use of the same certificate with the same serial number. In a peer trust environment, each entity is its own CA and issues digital certificates to itself. Without an independent third party performing unbiased identity verification, there is no basis for proving the identity of any member of the peer group. Answer A is incorrect. A transitive trust allows a trust relationship to span intermediary nodes. For example, if A trusts B, and B trusts C, and those trusts are transitive, then A also trusts C by way of B. This is not the mechanism by which a CA's identity verification process operates. Answer C is incorrect. Independent assignment of trust is not a recognized trust model in the security realm, and it is not the mechanism by which a CA operates; a CA system uses the trusted third-party concept.
When using asymmetric cryptography, what is the purpose of using the recipient's public key to perform an encryption function on a data set before sending it to the recipient? A To verify integrity B To prove the identity of the sender C To support non-repudiation D To restrict delivery
D. When using asymmetric cryptography, the purpose of using the recipient's public key to encrypt a data set before sending it to the recipient is to restrict delivery. The mechanism that starts off with the recipient's public key is called a digital envelope. It ensures that a communication can be opened only by the intended recipient. Anyone can obtain and use someone's public key, but once that encryption takes place, no one can decrypt the result except the owner of the corresponding private key. In practice the public key is not applied to the bulk data itself: the sender generates a random symmetric key, encrypts the data with it, and encrypts (envelopes) only that symmetric key with the recipient's public key. Keep in mind that asymmetric or public-key cryptography is based on trap-door, one-way functions: each key of the pair can perform a one-way encryption that only the other key of the pair can reverse, so encrypting to the recipient's public key is exactly what limits decryption to the recipient's private key. Answer A is incorrect. Hashing, not encryption with the recipient's public key, is used to check or verify integrity. Answer B is incorrect. Encrypting to the recipient's public key says nothing about who the sender is. Identity of a sender or receiver is verified with a digital certificate, which binds a public key to an identity that has been checked by a third-party certificate authority (CA).
The CA has made efforts to verify the identity of its customers prior to issuing the digital certificate. Other entities can thus trust the identity of subjects who possess a digital certificate, based on the reliability of the issuing CA. Answer C is incorrect. A digital signature, not a digital envelope, provides non-repudiation, and it is based on the sender's private key rather than the recipient's public key. A digital signature is created by computing a hash digest of the data to be signed and encrypting that digest with the sender's private key; the result is the digital signature, which must be sent along with the data. The recipient hashes the received data, retrieves the sender's public key, uses it to recover the sender's original hash digest from the signature, and compares the two digests (an XOR of the two values that yields all zeros, a byte-for-byte comparison, or, in real implementations, a constant-time comparison function). If they are identical, the received data retains its integrity, which in turn proves the sender's identity (via the use of the public key to unlock the signature), which in turn proves that the sender's private key was used to create the digital signature. Proof that the private key was used is non-repudiation. Non-repudiation prevents a subject, such as a sender, from denying having performed a task, because there is proof that they did perform it, namely creating a digital signature with a private key that no one else has access to. That last condition matters: if the private key has been shared or stolen, the proof is only as strong as the key's secrecy.
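The Go program below is an added example, not code from the original study material. It covers both asymmetric uses discussed in this section: the digital signature (sender's private key signs a hash, sender's public key verifies it; a one-bit change in the message is rejected) and the digital envelope (a random AES-256-GCM key encrypts the message and is then wrapped with the recipient's public key, so a third party with a different private key cannot open it). RSA-PSS and RSA-OAEP from Go's standard library are used; the message is constructed for the example and the three key pairs are generated on the fly.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Constructed message for this example.
var message = []byte("Transfer 100 EUR to account 12345")

// sign hashes the message and applies the SENDER's private key to the
// digest (RSA-PSS). This is the "encrypt the hash with the private key"
// step in textbook language; the message itself is untouched.
func sign(sender *rsa.PrivateKey, msg []byte) ([]byte, error) {
	digest := sha256.Sum256(msg)
	return rsa.SignPSS(rand.Reader, sender, crypto.SHA256, digest[:], nil)
}

// verify re-hashes the received message and checks the signature with the
// sender's PUBLIC key. A true result confirms integrity and origin together.
func verify(sender *rsa.PublicKey, msg, sig []byte) bool {
	digest := sha256.Sum256(msg)
	return rsa.VerifyPSS(sender, crypto.SHA256, digest[:], sig, nil) == nil
}

// envelope carries a message encrypted under a one-time AES-256-GCM key,
// plus that key wrapped with the RECIPIENT's public key (RSA-OAEP).
type envelope struct {
	wrappedKey, nonce, ciphertext []byte
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealEnvelope restricts delivery: anyone can run it with the public key,
// but only the holder of the matching private key can undo the wrap.
func sealEnvelope(recipient *rsa.PublicKey, msg []byte) (envelope, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return envelope{}, err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return envelope{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return envelope{}, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, recipient, key, nil)
	if err != nil {
		return envelope{}, err
	}
	return envelope{wrapped, nonce, gcm.Seal(nil, nonce, msg, nil)}, nil
}

// openEnvelope is the recipient's side: unwrap the symmetric key with the
// private key, then decrypt. Any other private key fails at the unwrap.
func openEnvelope(recipient *rsa.PrivateKey, e envelope) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, recipient, e.wrappedKey, nil)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, e.nonce, e.ciphertext, nil)
}

// demo exercises both directions and reports: signature verifies, tampered
// message is rejected, recipient can open the envelope, a third party cannot.
func demo() (sigOK, tamperRejected, recipientOpens, thirdPartyBlocked bool, err error) {
	var keys [3]*rsa.PrivateKey // sender, recipient, unrelated third party
	for i := range keys {
		if keys[i], err = rsa.GenerateKey(rand.Reader, 2048); err != nil {
			return
		}
	}
	sender, recipient, other := keys[0], keys[1], keys[2]

	sig, err := sign(sender, message)
	if err != nil {
		return
	}
	sigOK = verify(&sender.PublicKey, message, sig)
	tampered := append([]byte{}, message...)
	tampered[0] ^= 0x01 // flip one bit: the digest changes completely
	tamperRejected = !verify(&sender.PublicKey, tampered, sig)

	env, err := sealEnvelope(&recipient.PublicKey, message)
	if err != nil {
		return
	}
	plain, openErr := openEnvelope(recipient, env)
	recipientOpens = openErr == nil && bytes.Equal(plain, message)
	_, openErr = openEnvelope(other, env)
	thirdPartyBlocked = openErr != nil
	return
}

func main() {
	fmt.Println(demo())
}
```

In a real message format (S/MIME, for example) the sender signs first and then envelopes the signed message, so the recipient checks origin only after proving they were the intended recipient; the two operations use different keys and serve different goals, which is the distinction the question is testing.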
According to the TCP/IP model, at which layer does the establishment and management of a communication link between end-points take place?
Host-to-host. According to the TCP/IP model, the establishment and management of a communication link between end-points takes place at the Host-to-host layer. The TCP/IP model is directly based on the TCP/IP protocol suite rather than an amalgamation of legacy protocols. It is also known as the DARPA model and the DoD model. It is a four-layer model whose layers are, from bottom to top: Link, Internetworking, Host-to-host, and Process. It is somewhat common to borrow names from the OSI model, so that TCP/IP layer 2 is sometimes called Network, layer 3 Transport, and layer 4 Application. It is therefore essential for a speaker or a text to state clearly which model is being used when a discussion is based on the TCP/IP model but uses OSI names. Standard practice is to assume OSI model references, so when the TCP/IP model is the focus it needs to be called out specifically to avoid confusion. The four TCP/IP layers map roughly onto the seven OSI layers as follows: Link corresponds to Physical and Data Link; Internetworking to Network; Host-to-host to Transport; and Process to Session, Presentation, and Application. In the OSI model, session management (the establishment and management of a communication link) is labeled as taking place in the Session layer. In practice, however, connection establishment and management (the three-way handshake, sequencing, and teardown) is handled by TCP (Transmission Control Protocol), which resides at the Host-to-host layer in the TCP/IP model or the Transport layer in the OSI model.
A company is concerned about unauthorized entities attacking their wireless network. The company has chosen to disable SSID broadcast in order to hide their base station and prevent unauthorized connections. Which of the following statements are correct of this scenario?
It does not resolve the issue because the SSID is still present in other management frames. Disabling SSID broadcast only blanks the SSID element in the beacon frame; the Service Set Identifier (SSID) is still present, in plaintext, in the probe responses sent by the base station and in the probe requests, association requests, and reassociation requests sent by clients that know the network. Thus the disable-SSID feature does not actually hide the network from detection, does not prevent unauthorized connections, and does not prevent attacks. All an attacker needs to do is operate a generic wireless sniffer to collect the frames from the network; that collection will contain management frames with the SSID present in plaintext, and an attacker who does not want to wait can provoke them by deauthenticating a legitimate client so that it reconnects. This feature is a false security item because it only prevents ignorant and innocent wireless clients from connecting to the network. It does nothing to prevent attackers from discovering and attacking the wireless network. Answer B is incorrect. While the wireless signal is still present and detectable, it is NOT the best answer for this question. It is true that the wireless signal itself remains detectable no matter what settings are made on the base station: as long as the base station is operating, it is transmitting radio waves, which can always be detected. The concern in this question is whether disabling the SSID broadcast hides the network, and it does not, because the SSID is still discoverable. So the better answer for this question is the one about SSID discovery from management frames. Answer A is incorrect. It is not true that connections to the base station are impossible when SSID broadcast is disabled. A client needs to know the SSID to associate (and learns the base station's MAC address, the BSSID, from its probe response), and disabling SSID broadcast does not prevent discovery of the SSID. Answer D is incorrect. Disabling SSID broadcast does NOT prevent the SSID from being discovered by unauthorized entities, for the reasons given above.
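To make the point concrete, the Go program below is an added example (not from the original study material) that parses the information elements of 802.11 management frames and pulls out the SSID element. The frames it parses are constructed in the program: a beacon from a base station with SSID broadcast disabled, the probe response the same base station sends to a probing client, and the association request a client sends to join. The frame layout (24-byte MAC header, per-subtype fixed parameters, then tagged elements) is the standard one, but no QoS or HT control fields are handled, and the network name "CorpWiFi" is made up.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
)

// Management-frame subtypes (IEEE 802.11 frame control field, type 0).
const (
	subtypeAssocReq  byte = 0x0
	subtypeProbeReq  byte = 0x4
	subtypeProbeResp byte = 0x5
	subtypeBeacon    byte = 0x8
)

// fixedParamsLen is the size of the fixed fields that precede the tagged
// information elements in each management frame body.
func fixedParamsLen(subtype byte) (int, bool) {
	switch subtype {
	case subtypeBeacon, subtypeProbeResp:
		return 12, true // timestamp(8) + beacon interval(2) + capability(2)
	case subtypeAssocReq:
		return 4, true // capability(2) + listen interval(2)
	case subtypeProbeReq:
		return 0, true
	}
	return 0, false
}

// ssidFromMgmtFrame walks the information elements of a management frame
// (24-byte MAC header assumed, no QoS or HT control fields) and returns the
// SSID element (ID 0). hidden is true when the element is present but empty
// or all zeros, which is what "disable SSID broadcast" does to beacons.
func ssidFromMgmtFrame(frame []byte) (ssid string, hidden bool, err error) {
	if len(frame) < 24 {
		return "", false, errors.New("frame shorter than MAC header")
	}
	fc := frame[0]
	if (fc>>2)&0x3 != 0 {
		return "", false, errors.New("not a management frame")
	}
	fixed, ok := fixedParamsLen(fc >> 4)
	if !ok {
		return "", false, fmt.Errorf("unsupported management subtype %d", fc>>4)
	}
	body := frame[24:]
	if len(body) < fixed {
		return "", false, errors.New("truncated fixed parameters")
	}
	for tags := body[fixed:]; len(tags) >= 2; {
		id, n := tags[0], int(tags[1])
		if len(tags) < 2+n {
			return "", false, errors.New("truncated information element")
		}
		val := tags[2 : 2+n]
		if id == 0 {
			if n == 0 || bytes.Count(val, []byte{0}) == n {
				return "", true, nil
			}
			return string(val), false, nil
		}
		tags = tags[2+n:]
	}
	return "", false, errors.New("no SSID element")
}

// mgmtFrame assembles a constructed management frame: a 24-byte header with
// only the frame-control subtype filled in, zeroed fixed parameters, and a
// single SSID element. Real frames carry more elements; this is the minimum.
func mgmtFrame(subtype byte, ssid []byte) []byte {
	fixed, _ := fixedParamsLen(subtype)
	f := make([]byte, 24+fixed)
	f[0] = subtype << 4 // protocol version 0, type 0 (management)
	f = append(f, 0, byte(len(ssid)))
	return append(f, ssid...)
}

// demo parses frames from a network with SSID broadcast disabled: the beacon
// reveals nothing, but the probe response and association request do.
func demo() (beaconHidden bool, fromProbeResp, fromAssocReq string) {
	_, beaconHidden, _ = ssidFromMgmtFrame(mgmtFrame(subtypeBeacon, nil))
	fromProbeResp, _, _ = ssidFromMgmtFrame(mgmtFrame(subtypeProbeResp, []byte("CorpWiFi")))
	fromAssocReq, _, _ = ssidFromMgmtFrame(mgmtFrame(subtypeAssocReq, []byte("CorpWiFi")))
	return
}

func main() {
	fmt.Println(demo())
}
```

The same parser would work on frames captured with a card in monitor mode, which is all a "generic wireless sniffer" is; the beacon is the only frame the setting touches.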
Hashing functions and their hash value lengths
Message Digest 5 (MD5): 128 bits; RIPEMD-160: 160 bits; Secure Hash Algorithm 1 (SHA-1): 160 bits.
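The Go program below is an added example, not part of the original list. It reads the digest sizes of the standard-library hashes (RIPEMD-160 is not in Go's standard library and is omitted), and it demonstrates the point made in the trap-door answer above: the only way to "reverse" a hash is to guess inputs and compare. A precomputed table of hashed guesses finds an unsalted password instantly, is useless against the same password hashed with a salt, and the attacker must redo the guessing for each salt. The wordlist, password, and salt are constructed for the example. Note that MD5 and SHA-1 are no longer collision resistant, so they should not be used for new signatures or integrity checks regardless of their output length.

```go
package main

import (
	"crypto/md5"
	"crypto/sha1"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"hash"
)

// digestBits returns the output length in bits of each standard-library hash.
func digestBits() map[string]int {
	return map[string]int{
		"MD5":     md5.New().Size() * 8,
		"SHA-1":   sha1.New().Size() * 8,
		"SHA-256": sha256.New().Size() * 8,
	}
}

// hexDigest hashes salt||data with the given hash constructor.
func hexDigest(newHash func() hash.Hash, salt, data string) string {
	h := newHash()
	h.Write([]byte(salt))
	h.Write([]byte(data))
	return hex.EncodeToString(h.Sum(nil))
}

// Constructed wordlist for the guessing demonstration.
var wordlist = []string{"password", "123456", "qwerty", "letmein", "welcome"}

// precomputeTable hashes every candidate once, which is what a lookup or
// rainbow table does for unsalted hashes: the work is paid once and reused.
func precomputeTable(newHash func() hash.Hash, candidates []string) map[string]string {
	table := make(map[string]string, len(candidates))
	for _, w := range candidates {
		table[hexDigest(newHash, "", w)] = w
	}
	return table
}

// guessPreimage is the only way to "reverse" a hash: hash each candidate
// with the same salt the target used and compare. It returns the matching
// candidate and the number of guesses made, or "" if nothing matched.
func guessPreimage(newHash func() hash.Hash, salt, target string, candidates []string) (string, int) {
	for i, w := range candidates {
		if hexDigest(newHash, salt, w) == target {
			return w, i + 1
		}
	}
	return "", len(candidates)
}

// demo shows an unsalted SHA-256 falling to a precomputed table, the same
// table failing against a salted hash, and the guessing being repeated
// with the salt to recover the password anyway (a weak password stays weak).
func demo() (tableHit, saltedTableHit, saltedGuess string, guesses int) {
	table := precomputeTable(sha256.New, wordlist)
	tableHit = table[hexDigest(sha256.New, "", "letmein")]
	salted := hexDigest(sha256.New, "a1b2c3", "letmein")
	saltedTableHit = table[salted] // "": the table was built without the salt
	saltedGuess, guesses = guessPreimage(sha256.New, "a1b2c3", salted, wordlist)
	return
}

func main() {
	fmt.Println(digestBits())
	fmt.Println(demo())
}
```

The salt defeats precomputation, not guessing; slowing down each guess is the job of a password hashing function such as bcrypt, scrypt, or Argon2, which is why plain MD5, SHA-1, or SHA-256 should never be used to store passwords.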
Once an attacker gains remote control access over a system, they want to retain this illicit access. Some attackers will block the system update service to prevent new updates from fixing vulnerabilities that are needed to maintain remote control over the compromised system. To prevent such a compromised system from allowing the attacker to access resources on the network, what security mechanism should be implemented?
Network access control. Network access control (NAC) is the security mechanism that should be implemented in this scenario. NAC will quarantine any system that is out of compliance with the baseline established for the network. Thus, even if an attacker is able to block updates, the system will be placed into quarantine once it is no longer in compliance with the required settings and patch level. Quarantining not only places the device in a restricted subnet to support remediation; it will also likely disconnect the remote attacker, because the victim system will have its IP address changed when it is moved into the restricted remediation subnet. Answer C is incorrect. Complex password authentication is NOT the proper security mechanism to address this scenario. Complex passwords should be required whenever password authentication is used, and multifactor authentication would be better still, but improved authentication on its own does not address a system that is already compromised. Answer D is incorrect. An intrusion detection system (IDS) is NOT the proper security mechanism to address this scenario. An IDS has the potential to detect intrusions and notify administrators, but only if it recognizes the activities of the attacker as abnormal or suspicious. Attackers often craft their attacks to appear as normal as possible in order to avoid IDS detection. Thus, an IDS is not a guarantee against the problem in this scenario. Answer B is incorrect. A Web security gateway is NOT the proper security mechanism to address this scenario. A Web security gateway can reduce the vulnerabilities related to Web server attacks, but that is not the issue in this scenario.
Which OSI layer maintains the capability of providing some encryption and decryption as well as data compression and decompression?
Presentation
Which firewall uses increased intelligence and packet inspection methodology to better protect the internal network?
Proxy. An application-level (proxy) firewall terminates the client's connection, inspects the content of the application protocol, and opens a separate connection to the internal server, so it can apply far more intelligence than a packet filter that looks only at headers.
Which routing protocol makes routing and forwarding decisions based on a metric derived from the number of other routes that than must be crossed to reach a destination?
RIP. The routing protocol that makes routing and forwarding decisions based on a metric derived from the number of other routers (hops) that must be crossed to reach a destination is Routing Information Protocol (RIP), a distance-vector routing protocol. RIP counts hops only and treats 16 hops as unreachable, which limits it to small networks. Other examples of distance-vector routing protocols include Interior Gateway Routing Protocol (IGRP), Enhanced Interior Gateway Routing Protocol (EIGRP), and Babel. Distance-vector protocols can be effective routing mechanisms; however, a pure hop-count metric does not take into account other parameters and conditions that affect the efficiency and reliability of a chosen pathway. Answer D is incorrect. Open Shortest Path First (OSPF) and Intermediate System to Intermediate System (IS-IS) are link-state routing protocols. Each router in a link-state protocol builds a map of the whole area from the link states advertised by every other router and computes the best route with a shortest-path algorithm over link costs. Those costs can reflect parameters such as bandwidth (the basis of OSPF's default cost), delay, or an administratively assigned preference. A link-state routing protocol will therefore choose the lowest-cost route to a destination even if that route has a greater number of hops than the route a hop-count protocol would select. Answer C is incorrect. Border Gateway Protocol (BGP) is an exterior gateway routing protocol, implemented on routers at the boundary of an autonomous system. A BGP router makes routing decisions in a different manner than an interior router. Interior routers each make the best routing decision based on their knowledge of the local network; as a packet traverses a private network, each router encountered makes its own routing decision, independent of any previous or future routers. A BGP router makes its decisions based on the overall route to the destination (the path of autonomous systems and the policy attributes attached to it), because a locally preferred segment may be less efficient than a less preferred local segment once the entire remaining path to the destination is considered.
Each encountered exterior gateway router will make adjustments to the routed path based on its view of the remaining path to the destination. Answer B is incorrect. An analogy for how interior and exterior routing protocols differ can be made using vehicle navigation. If you take a road trip across the country and obtain a state road map each time you enter a new state, you are making travel decisions in the manner of an interior routing protocol: you are not taking the overall path into account, but making the best decision you can with limited knowledge. If you take the same road trip using a GPS navigation device, you are making travel decisions in the manner of an exterior gateway routing protocol: you are taking the overall path into account, and that path is adjusted as you travel, based on changing conditions.
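The following Go program is an added example and not part of the original study material. It runs the same shortest-path search over a small constructed five-router topology with two different metrics: a hop count, which is RIP's view, and a per-link cost, which is a link-state protocol's view. The two-hop path over slow links wins on hop count, while the three-hop path over fast links wins on cost, which is exactly the situation described in the answer. The topology, link costs, and router names are made up; Dijkstra's algorithm is used for both metrics because the point being illustrated is the metric, not the way routers learn the topology.

```go
package main

import (
	"fmt"
	"math"
	"strings"
)

// link is one adjacency with a link-state style cost, for example derived
// from bandwidth. The five-router topology is constructed for this example:
// A-B-D is two hops over slow links, A-C-E-D is three hops over fast links.
type link struct {
	to   string
	cost int
}

var topology = map[string][]link{
	"A": {{"B", 100}, {"C", 10}},
	"B": {{"A", 100}, {"D", 100}},
	"C": {{"A", 10}, {"E", 10}},
	"D": {{"B", 100}, {"E", 10}},
	"E": {{"C", 10}, {"D", 10}},
}

// hopMetric is RIP's view: every link costs one hop.
func hopMetric(link) int { return 1 }

// costMetric is a link-state protocol's view: the configured link cost.
func costMetric(l link) int { return l.cost }

// shortestPath is a plain Dijkstra search; the metric decides what
// "shortest" means. It returns the path and its total metric, or nil, -1
// when the destination is unknown or unreachable.
func shortestPath(src, dst string, metric func(link) int) ([]string, int) {
	const inf = math.MaxInt32
	dist, prev, done := map[string]int{}, map[string]string{}, map[string]bool{}
	for n := range topology {
		dist[n] = inf
	}
	if _, known := dist[dst]; !known {
		return nil, -1
	}
	dist[src] = 0
	for {
		u, best := "", inf
		for n, d := range dist { // pick the closest unsettled router
			if !done[n] && d < best {
				u, best = n, d
			}
		}
		if u == "" || u == dst {
			break
		}
		done[u] = true
		for _, l := range topology[u] {
			if nd := best + metric(l); nd < dist[l.to] {
				dist[l.to], prev[l.to] = nd, u
			}
		}
	}
	if dist[dst] == inf {
		return nil, -1
	}
	var path []string
	for n := dst; n != ""; n = prev[n] {
		path = append([]string{n}, path...)
	}
	return path, dist[dst]
}

func pathString(p []string) string { return strings.Join(p, "-") }

func main() {
	p, m := shortestPath("A", "D", hopMetric)
	fmt.Printf("hop count (RIP):   %s, %d hops\n", pathString(p), m)
	p, m = shortestPath("A", "D", costMetric)
	fmt.Printf("link cost (OSPF):  %s, cost %d\n", pathString(p), m)
}
```

Swapping the metric function is the whole difference in the forwarding decision; what the metric cannot express (here, that B's links are ten times slower) is invisible to the protocol that uses it.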
A Web service has been experiencing a significant increase in traffic due to a successful media announcement. However, in the chaos of new customers and an avalanche of orders, the site manager forgot to address the Web site's digital certificate. At this point, what process can the site manager perform to resolve his expired certificate? A Renewal B Reissue C Revocation D Regeneration
Reissue is the only option available to the site owner once the certificate has expired. The expiration date set on a digital certificate (its notAfter value) is a hard termination date. After that point in time the certificate is not valid and will not be accepted by browsers or other end-point devices, and the issuing certificate authority cannot extend it, because the validity period is part of the signed certificate. The X.509 v3 standard also requires each serial number to be unique for a given issuer, so an expired certificate cannot be reused and its serial number must never be recycled. The only option is reissue: repeating the issuance process to obtain a new certificate. The process is nearly the same as obtaining a certificate the first time, except that an account with the certificate authority already exists. The term reissue can be confusing because it seems to imply that a certificate authority could publish the same certificate again with a modified expiration date. X.509 does not allow this, so re-performing the full issuance process is the only option. Answer C is incorrect. Revocation is the term used to describe a certificate authority (CA) cancelling an issued digital certificate before its expiration date. Reasons for revocation include compromise of the private key, use of the certificate in a crime, violation of the terms of service, or a change in some aspect of the identity that the certificate was verifying. Answer D is incorrect. Regeneration is not a valid term or process related to digital certificates. Answer A is incorrect. Renewal is the process by which a certificate authority issues a replacement certificate with a later expiration date to a customer whose current certificate is still valid. It must be requested before the certificate expires; once the expiration date has passed, the X.509 v3 standard does not allow the expired certificate (specifically its serial number) to be used again.
If renewal is requested and approved by the CA prior to expiration, a new certificate is generated with a new expiration date and a new serial number (the existing key pair may be kept or a fresh one generated), which in turn changes its hash value (also known as the certificate fingerprint or thumbprint). In practice, then, renewal and reissue both produce a new certificate; the distinction this question draws is whether the request is made before or after the old certificate expires.
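The Go program below is an added example, not code from the original study material. It ties together three passages of this section: the hierarchical trust structure of X.509 v3 (root CA, intermediate CA, end-entity certificate), the trusted third-party model (the relying party trusts only the root, and the leaf is accepted because the chain leads to it), and the hard expiration discussed here (verification of the same leaf fails as soon as the evaluation time passes notAfter, and a renewed certificate is a new object with a new serial number and fingerprint). All certificates are generated in memory with Go's crypto/x509 package; the CA names and the host name shop.example.test are made up.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// issue creates an X.509 v3 certificate for cn, signed by issuer (or
// self-signed when issuer is nil). Each certificate gets a fresh random
// serial number, since RFC 5280 requires serials to be unique per issuer.
func issue(cn string, notBefore, notAfter time.Time, isCA bool,
	issuer *x509.Certificate, issuerKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             notBefore,
		NotAfter:              notAfter,
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	} else {
		tmpl.DNSNames = []string{cn}
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	parent, signer := tmpl, key // self-signed root
	if issuer != nil {
		parent, signer = issuer, issuerKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// fingerprint is the SHA-256 of the DER encoding, the "thumbprint" that
// browsers and certificate tools display.
func fingerprint(c *x509.Certificate) string {
	sum := sha256.Sum256(c.Raw)
	return hex.EncodeToString(sum[:])
}

// verifyLeaf checks the chain leaf -> intermediate -> root as a relying
// party would at time `at`, trusting only the root.
func verifyLeaf(leaf, intermediate, root *x509.Certificate, at time.Time) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inters.AddCert(intermediate)
	_, err := leaf.Verify(x509.VerifyOptions{
		DNSName:       leaf.Subject.CommonName,
		Roots:         roots,
		Intermediates: inters,
		CurrentTime:   at,
	})
	return err
}

// demo builds a two-tier hierarchy, verifies a 90-day server certificate,
// shows that verification fails once NotAfter has passed, and shows that a
// renewed certificate is a new object with a new serial and fingerprint.
func demo() (validNow, expiredAfter, renewedDiffers bool, err error) {
	now := time.Now()
	year := 365 * 24 * time.Hour
	root, rootKey, err := issue("Example Root CA", now.Add(-time.Hour), now.Add(20*year), true, nil, nil)
	if err != nil {
		return
	}
	inter, interKey, err := issue("Example Issuing CA", now.Add(-time.Hour), now.Add(10*year), true, root, rootKey)
	if err != nil {
		return
	}
	leaf, _, err := issue("shop.example.test", now.Add(-time.Hour), now.Add(90*24*time.Hour), false, inter, interKey)
	if err != nil {
		return
	}
	validNow = verifyLeaf(leaf, inter, root, now) == nil
	expiredAfter = verifyLeaf(leaf, inter, root, now.Add(91*24*time.Hour)) != nil
	renewed, _, err := issue("shop.example.test", now, now.Add(90*24*time.Hour), false, inter, interKey)
	if err != nil {
		return
	}
	renewedDiffers = fingerprint(renewed) != fingerprint(leaf) &&
		renewed.SerialNumber.Cmp(leaf.SerialNumber) != 0
	return
}

func main() {
	fmt.Println(demo())
}
```

The relying party in verifyLeaf never sees the intermediate's or root's private keys; it accepts the leaf purely because the signatures chain to a root it already trusts, which is the trusted third-party model in miniature. Expiry is enforced by the relying party, not the CA, which is why an expired certificate cannot be "extended" after the fact.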
How can a switch or router be secured against unauthorized access to its management console from within the private network without inconveniencing the administrators?
Restrict access to SSH or HTTPS. A switch or router can be secured against unauthorized access to its management console from within the private network, without inconveniencing the administrators, by restricting management access to SSH or HTTPS. Many devices are set to accept Telnet or HTTP connections by default. These plaintext protocols expose administrators' authentication credentials to eavesdropping and make rapid password guessing simple to implement. Encrypted connections protect administrator credentials and, combined with login rate limiting, limit password guessing attacks. Answer B is incorrect. Setting a longer password is a good concept overall, but it is not as important as using secure connections to the management interface. It is always essential to change the default password of a device before placing it into production, and longer passwords make password guessing less likely to succeed. However, if a long password is sent over a cleartext connection, it can be eavesdropped with no difficulty. Answer D is incorrect. Updating the firmware is a good practice overall, but in this scenario it is not as important as using secure connections to the management interface. An updated firmware may eliminate flaws or exploitation points in the device, but it does nothing to stop credentials from crossing the network in cleartext, and on some devices an update resets settings to factory defaults, restoring the default password and the cleartext management protocols. Answer A is incorrect. Requiring a physical direct cable connection is an inconvenience to administrators. Requiring physical presence at a device will reduce the chance of an unauthorized user gaining control of the device, but it is not as elegant a solution as encrypted remote access to the management interface, ideally restricted to a dedicated management network or an access list.
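The Go program below is an added example, not part of the original study material. It audits a device configuration for the weaknesses the answer describes, using two constructed Cisco IOS-style configuration fragments: one with the default cleartext management protocols, and one hardened to SSH and HTTPS only, with SSH pinned to version 2 and the vty lines restricted to a management subnet. The command syntax is standard IOS, but the device, the fragments, and the 10.10.0.0/24 management network are hypothetical, and the checks cover only these few commands.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed IOS-style configuration with the defaults the answer warns
// about: HTTP management enabled, Telnet accepted on the vty lines.
const weakConfig = `
ip http server
no ip http secure-server
line vty 0 4
 transport input telnet ssh
 login local
`

// Hardened counterpart: HTTPS only, SSHv2 only, and vty access limited to
// a (hypothetical) management subnet through an access-class.
const hardenedConfig = `
no ip http server
ip http secure-server
ip ssh version 2
ip access-list standard MGMT
 permit 10.10.0.0 0.0.0.255
line vty 0 4
 access-class MGMT in
 transport input ssh
 login local
`

// auditManagementPlane returns the findings a reviewer would raise:
// cleartext management protocols enabled, SSH not pinned to version 2,
// and vty lines reachable from any source.
func auditManagementPlane(config string) []string {
	var findings []string
	inVty, sshV2, accessClass := false, false, false
	for _, raw := range strings.Split(config, "\n") {
		line := strings.TrimSpace(raw)
		switch {
		case line == "ip http server":
			findings = append(findings, "cleartext HTTP management enabled (ip http server)")
		case line == "ip ssh version 2":
			sshV2 = true
		case strings.HasPrefix(line, "line vty"):
			inVty = true
		case strings.HasPrefix(line, "line "):
			inVty = false // console or aux section
		case inVty && strings.HasPrefix(line, "transport input"):
			for _, proto := range strings.Fields(line)[2:] {
				if proto == "telnet" || proto == "all" {
					findings = append(findings, "cleartext Telnet allowed on vty lines ("+line+")")
				}
			}
		case inVty && strings.HasPrefix(line, "access-class"):
			accessClass = true
		}
	}
	if !sshV2 {
		findings = append(findings, "SSH protocol version not pinned to 2 (ip ssh version 2)")
	}
	if !accessClass {
		findings = append(findings, "vty lines accept connections from any source (no access-class)")
	}
	return findings
}

func main() {
	for name, cfg := range map[string]string{"weak": weakConfig, "hardened": hardenedConfig} {
		fmt.Printf("%s: %d finding(s)\n", name, len(auditManagementPlane(cfg)))
		for _, f := range auditManagementPlane(cfg) {
			fmt.Println("  -", f)
		}
	}
}
```

Running the audit over exported configurations is a cheap way to catch devices that were reset to defaults by a firmware update, which is the failure mode mentioned for answer D.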
asymmetric cryptography
RSA (Rivest, Shamir, and Adleman); Diffie-Hellman; ElGamal; Elliptic curve cryptography (ECC).
Which answer is most accurate regarding a wireless intrusion prevention system?
Rogue access points are detected. A wireless intrusion prevention system (WIPS) is used to detect and contain rogue access points. These systems are typically overlaid on an existing wireless LAN infrastructure and enforce the organization's wireless policies; they prevent unauthorized network access to the local area network through access points that are not authorized, and they can also detect unauthorized clients attempting to join the authorized network.
What form of VPN is based on a Transport-layer standard for encryption that is commonly used for Application-layer protocol protection?
SSL VPN. An SSL VPN is a form of VPN based on a Transport-layer standard for encryption that is commonly used for Application-layer protocol protection. Secure Sockets Layer (SSL) can provide security for any Application-layer protocol, but it is mostly recognized when used to protect HTTP as HTTPS. SSL was replaced by Transport Layer Security (TLS). However, common use of the term SSL has evolved so that SSL now means any form of Transport-layer encryption designed to protect Application-layer protocols; thus, when the term SSL is used today, it usually refers to TLS. Transport Layer Security (TLS), as its name indicates, is placed at the Transport layer of the OSI model in this framing, although it actually runs on top of TCP and sits between the transport and application protocols. An SSL VPN uses TLS as a VPN protocol rather than just as a tool to protect Application-layer protocols: it encapsulates an original plaintext packet or frame in the payload of an SSL/TLS record. Answer D is incorrect. An Internet Protocol Security (IPSec) VPN is crafted from the security features of IPv6 to create an add-on for IPv4. It is a Network-layer implementation of a VPN. While IPSec is a standard, it is not a Transport-layer standard for encryption, and it focuses on Network-layer protection rather than Application-layer protection. Keep in mind, though, that by encrypting at the Network layer, all higher layers are also encrypted, including the Application layer. Answer B is incorrect. A Layer 2 Tunneling Protocol (L2TP) VPN is a solution created by Cisco and Microsoft. It is based on Cisco's Layer 2 Forwarding (L2F) protocol and Microsoft's Point to Point Tunneling Protocol (PPTP). It does not provide native encryption, but it supports the use of separately provided encryption; for example, if IP is being tunneled with L2TP, then IPSec can be used for encryption (L2TP/IPSec). Answer C is incorrect. A PPTP VPN is a standard based on RFC 2637. The standards-based form of PPTP does not include native encryption.
Microsoft's implementation of PPTP, which uses MS-CHAPv2 for authentication, has the option of providing data encryption with Microsoft Point-to-Point Encryption (MPPE), but both MS-CHAPv2 and MPPE are considered weak today. PPTP is based on Point to Point Protocol (PPP) and not on a Transport-layer standard for encryption that is commonly used for Application-layer protocol protection.
What is the means of incident or violation detection that is based on a collected sample of the unwanted activity?
Signature. Signature-based detection is the means of incident or violation detection that is based on a collected sample of the unwanted activity. Signature-based detection can also be called pattern-matching or pattern-based detection. Signature-based detection is a reliable means to detect known attacks, violations, and malicious code. However, it is unable to detect new and previously unknown attacks because it is only able to find matches in the detection database. Thus, signature-based detection is insufficient on its own and should be combined with anomaly-, behavioral-, and heuristic-based methods to have the best chance of detecting known and unknown violations. Answer B is incorrect. Behavioral detection is based on a defined or recorded baseline of normal activity and events. All future activities and events are compared to the recorded baseline. If an event is found in the baseline, then it is considered benign. If an event is not found in the baseline, then it is considered malicious or at least suspicious. Unfortunately, attackers often craft their attacks to be similar to normal activities, so behavioral detection might not be sensitive enough to detect subtle differences between normal and seemingly normal but malicious events. Behavioral detection is also problematic because there is no guarantee that all possible benign events took place during the time frame of baseline recording. There is also no guarantee that no malicious events took place during the time frame of baseline recording. If a non-baseline benign event occurs in the future, it will be treated as initially suspicious, causing a false positive. If a malicious event that was recorded in the baseline occurs again in the future, it will be treated as benign, causing a false negative. Answer C is incorrect. Anomaly detection is based on a set of rules, parameters, or boundaries. These rules must be defined by someone familiar with the environment. When a new or unknown attack violates one of the anomaly rules, the violation is detected. However, not all new and unknown attacks will violate an organization's anomaly rules. Often attackers craft new attacks to function as close to normal activities as possible to avoid being detected through an anomaly-based detection mechanism. While anomaly detection has the potential to detect new attacks, this is only beneficial if the attack is different enough from normal activity to actually violate one of the organization's anomaly rules. Answer A is incorrect. Heuristic detection is effectively software profiling. It is a mixture of the mechanisms of anomaly and behavioral detection. The basic concept is that examples of benign and malicious software and events are analyzed to create a list of benign behaviors and a list of malicious behaviors. Then new and unknown software or activities are compared against these lists. If a new event or piece of software only elicits items from the benign list, then it is labeled as benign. If a new event or piece of software elicits too many items from the malicious list, then it is treated as malicious.
The address space for IPv6 is how many bits?
The address space for IPv6 is 128 bits. The address space for IPv4 is 32 bits.
How can an attacker implement a man-in-the-middle attack in a wireless network?
Through deployment of a rogue base station. An attacker can implement a man-in-the-middle attack in a wireless network through the deployment of a rogue base station. An attacker's rogue base station can be configured to duplicate the Service Set Identifier (SSID) or network name of the original valid base station. If necessary, the rogue base station can also spoof its MAC address to appear to be that of the original base station. These tactics may fool valid devices into automatically connecting, or may fool users into selecting to connect to the rogue base station rather than the valid one. Answer D is incorrect. Eavesdropping on traffic content is NOT a valid means by which a man-in-the-middle attack is implemented. Some amount of network evaluation needs to be performed in order to learn the current SSID and collect valid MAC addresses. However, this type of network eavesdropping is more concerned with the management components of wireless communications rather than the content payload. Answer A is incorrect. Transmission of de-authorization packets is NOT a valid means by which a man-in-the-middle attack is implemented. Transmission of de-authorization packets results in a denial-of-service attack against valid wireless clients. Answer B is incorrect. Cloning client MAC addresses is NOT a valid means by which a man-in-the-middle attack is implemented. This technique is used to impersonate valid wireless clients.
Which wireless configuration protocol can use either RC4 or TKIP for communication encryption?
WPA. Wi-Fi Protected Access (WPA) is a wireless configuration protocol that can use either Rivest Cipher #4 (RC4) or Temporal Key Integrity Protocol (TKIP) for communication encryption. WPA was released by the Wi-Fi Alliance as an intermediary mechanism to provide secure wireless communications in the expectation that the forthcoming WPA-2 would be too complex to implement in smaller environments. WPA, whether using RC4 or TKIP, is vulnerable to exploitation due to the increased computational capacity available today. WPA should generally be avoided in favor of WPA-2. Answer D is incorrect. WEP was part of the original 1997 IEEE 802.11 standard. It uses the RC4 algorithm for encryption. While RC4 was considered robust at the time, it has since been overcome by computational power in recent years. No wireless network should be configured to use WEP because it does not provide any level of meaningful security. Attacks exist which can compromise WEP in less than 60 seconds. Answer C is incorrect. Open System Authentication (OSA) is the version of the original IEEE 802.11 wireless configuration that does not require authentication or encryption. OSA is the basis for modern wireless networks labeled as open or public. Answer B is incorrect. Shared Key Authentication (SKA) is the version of the original IEEE 802.11 wireless configuration that uses the same key for authentication and encryption. The encryption scheme of SKA is Wired Equivalent Privacy (WEP).