Security+ Domain 3.0
The system administrator is installing a web server certificate and receives an error indicating the server does not accept wild card certificates. After examining the certificate, the system admin notices the problem. Determine the specific location where the admin found the problem.
NOT In the X.509 NOT In the CSR Maybe in the CRL
An organization uses a Session Initiation Protocol (SIP) endpoint for establishing communications with remote branch offices. Which of the following protocols will provide encryption for streaming data during the call?
NOT SIPS NOT ESP
During the functional testing phase of application development, an application tests for vulnerabilities against the running code. What type of code testing is this?
NOT Static code analyzing NOT Model Verification MAYBE Stress Testing
In a Public Key Infrastructure (PKI), which option best describes how users and multiple Certificate Authorities (CA) interact with each other in a large environment?
Trust model
A network administrator set up a stateless firewall using an open-source application running on a Linux virtual machine. The immediate benefit to this setup is that it was easy to set up quickly with basic rules. What other reasons may have influenced the administrator's decision to deploy a stateless, rather than a stateful, firewall? (Select all that apply.)
Allow network protocols Block TCP Ports
An authoritative server for a zone creates a Resource Records Set (RRSet) signed with a zone signing key. From the following Domain Name System (DNS) ...
DNS Security Extensions
An authoritative server for a zone creates a Resource Records Set (RRSet) signed with a zone signing key. From the following Domain Name System (DNS) traits and functions, what does this scenario demonstrate?
DNS Security Extensions
Following a secure deployment methodology for custom applications, early code testing would run in which type of environment?
Development
Implementing Lightweight Directory Access Protocol Secure (LDAPS) on a web server secures direct queries to which of the following?
Directory Services
Which of the following protocols would secure file transfer services for an internal network?
FTPES
A developer writes code for a new application, and wants to ensure protective countermeasures against the execution of SQL injection attacks. What secure coding technique will provide this?
Input validation
A web server will utilize a directory protocol to enable users to authenticate with domain credentials. A certificate will be issued to the server to setup a secure tunnel. Which protocol is ideal for this situation?
LDAPS
When implementing a native-cloud firewall, which layer of the Open Systems Interconnection (OSI) model will require the most processing capacity to filter traffic based on content?
Layer 7
Which of the following practices would help mitigate mistaken assumptions of applying coding techniques that will secure the code of an internal application for a company?
Maybe Static Code analysis
Which of the following would secure an endpoint and provide attestation signed by a trusted platform module (TPM)?
Measured boot
A laptop arrives at the company technology lab with a private key embedded, providing full disk encryption. When matched with a public key, what does this system provide?
NOT Hardware Security Model NOT SSL Decryptor MAYBE Hardware root of trust
Consider the principles of web server hardening and determine which actions a system administrator should take when deploying a new server. (Select all that apply.)
Secure a guest zone Use SSH for uploading files Use the configuration templates provided
Engineers are considering network options that will maintain data transfers between systems within the same cloud-based data-center. They also look to configure security on these systems. Which of the following would ensure this type of implementation? (Select all that apply.)
Set up efficient east-west traffic. Set up zero trust
A Transport Layer Security (TLS) Virtual Private Network (VPN) requires a remote access server listening on port 443 to encrypt traffic with a client machine. An IPSec (Internet Protocol Security) VPN can deliver traffic in two modes. One mode encrypts only the payload of the IP packet. The other mode encrypts the whole IP packet (header and payload). These two modes describe which of the following? (Select all that apply.)
Transport Tunnel
An independent penetration testing company is invited to test a company's legacy banking application developed for Android phones. It uses Secure Sockets Layer/Transport Layer Security (SSL/TLS) certificates. Penetrations tests reveal the connections with clients were vulnerable to a Man-in-the-Middle (MITM) attack. How does the company prevent this from happening in the public Internet?
Use certificate pinning
An organization moves its data to the cloud. Engineers utilize regional replication to protect data. Review the descriptions and conclude which ones apply to this configuration. (Select all that apply.)
A solution that is known as zone-redundant storage. Access is available if a single data center is destroyed.
An administrator navigates to the Windows Firewall with Advanced Security. The inbound rules show a custom rule, which assigned the action, "Allow the connection" to all programs, all protocols, and all ports with a scope of 192.168.0.0/24. This is an example of what type of security setting?
ACL
A company set up controls to allow only a specific set of software and tools to install on workstations. A user navigates to a software library to make a selection. What type of method prevents installation of software that is not a part of a library?
Allow List
A company has a two-level certificate authority (CA) hierarchy. One of the CA servers is offline, while the others are online. Which statements are TRUE of online and offline CAs? (Select all that apply.)
An online root is required to add an intermediate CA. An Online CA is Needed in order to publish a CRL ?
A network engineer is plugging in new patch cables and wants to prevent inadvertent disruptions to the network while doing so. What will the engineer prevent if Spanning Tree Protocol (STP) is configured on the switches?
Broadcast storms
A company would like to deploy a software service to monitor traffic and enforce security policies in their cloud environment. What tool should the company consider using?
CASB
A large firm requires better control over mobile users' access to business applications in the cloud. This will require single-sign on and support for different device types. What solution should the company consider using?
CASB
Employees have the ability to download certain applications onto their workstations to complete work functions. The CIO installed a reliable method to ensure that no modifications to the application have occurred. What method of validation did the CIO implement?
Code signing
A cloud administrator connects two separate cloud server instances on Amazon Web Services (AWS). How does the administrator configure the instances with private IP addresses without using an Internet gateway?
Configure VPC endpoint interface.
What can a system administrator configure on two load balanced servers to achieve a round-robin configuration?
Configure scheduling.
Which of the following will reduce the risk of data exposure between containers on a cloud platform? (Select all that apply.)
Control groups Namespaces
A security engineer must install a X.509 certificate to a computer system, but it is not accepted. The system requires a Base64 encoded format. What must the security engineer execute to properly install this certificate?
Convert to a .pem file.
A web administrator notices a few security vulnerabilities that need to be addressed on the company Intranet site. The portal must force a secure browsing connection, mitigate script injection, and prevent caching on shared client devices. Determine the secure options to set on the web server's response headers. (Select all that apply.)
HTTP Strict Transport Security (HSTS) Content Security Policy (CSP) Cache-Control
A company is renovating a new office space and is updating all Cisco routers. The up-to-date Internetwork Operating System (IOS) will provide the best protection from zero-day exploits. What other options could a network administrator configure for route security? (Select all that apply.)
Message authentication Block source routed packets
Which certificate format allows the transfer of private keys and is password protected?
PFX
A small organization operates several virtual servers in a single host environment. The physical network utilizes a physical firewall with NIDS for security. What would be the benefits of installing a Host Intrusion Prevention System (HIPS) at the end points? (Select all that apply.)
Prevent Malicious Traffic between VMs Protection from zero day attacks
What is a jump server commonly used for?
Provide secure access to DMZ servers.
A new cloud service provider (CSP) leases resources to multiple organizations (or customers) around the world. Each customer is independent and does not share the same cloud storage resource. The customers use an on-demand payment plan. Which cloud model is the CSP most likely providing to its customers?
Public cloud
Cloud service providers make services available around the world through a variety of methods. The concept of a zone assumes what type of service level? (Select all that apply.)
Regional replication High availability
A tokenization process is a substitute for encryption when securing a database. What does tokenization do?
Replaces data field with random string of characters
A company hosts internal web servers between two firewalls: one firewall at the edge network and another near the internal gateways. These web servers provide multiple services to employees on the road. A recent security audit advised the company to find ways to further secure connections between remote clients and these internal web servers. Which of the following will satisfy the security advice?
Reverse Proxy
The administrator in an exchange server needs to send digitally signed and encrypted messages. What should the administrator use?
S/MIME
An administrator deploys a basic network intrusion detection (NID) device to identify common patterns of attacks. What detection method does this device use?
Signature-based
Select the vulnerabilities that can influence routing. (Select all that apply.)
Source Routing Route Injection ARP Poisoning
A cloud service provider (CSP) dashboard provides a view of all applicable logs for cloud resources and services. When examining the application programming interface (API) logs, the cloud engineer sees some odd metrics. Which of the following are examples that the engineer would have concerns for? (Select all that apply.)
Spike in API calls 78% average error rate
Which aspect of certificate and key management should an administrator consider when trying to mitigate or prevent the loss of private keys?
Storage
Evaluate and select the differences between WPA and WPA2. (Select all that apply.)
WPA2, and not WPA, supports an encryption algorithm based on the Advanced Encryption Standard (AES) instead of the version of RC4 "patched" with the Temporal Key Integrity Protocol (TKIP). WPA2, and not WPA, uses the Advanced Encryption Standard (AES) cipher with 128-bit keys.
Which wireless configuration provides the most up-to-date and secure way of connecting wireless devices to an office or home network? (Select all that apply.)
WPA3 SAE
A public key infrastructure (PKI) is being set up for a logistics company, utilizing OpenSSL. Which of the following commands can the team use, when setting up the PKI, to create an encrypted RSA key pair?
openssl genrsa -out server.key 1024
A company with multiple types of archived encrypted data is looking to archive the keys needed to decrypt the data. However, the company wants to separate the two in order to heavily guard these keys. Analyze the scenario to determine the most likely key placement.
Key escrow
Management has set up a feed or subscription service to inform users on regular updates to the network and its various systems and services. The feed is only accessible from the internal network. What else can systems administrators do to limit the service to internal access?
NOT CONFIGURE RSS FEEDS NOT Use SIP Endpoints
A company has two web servers using a load-balance configuration. Users report having periodic trust errors connecting to the website. Both servers are using server-only certificates. Which of the following actions would most likely resolve the issue?
NOT Change the trust model. NOT Use a wildcard certificate MAYBE Remove certificate from the CRL
Systems administrators want to set up a way for remote administration from home. Rather than installing a software agent, the solution should use an underlying technology that is available to an application, such as a web browser. Which option would best support these requirements?
NOT L2TP Not HSM Maybe HTML5
A company recently implemented a Secure Sockets Layer/Transport Layer Security (SSL/TLS) version that supports Secure Hashing Algorithm-256 (SHA-256) cipher. Which SSL/TLS version was deployed?
TLS 1.2
Users are reporting jittery video communication during routine video conferences. What can a system administrator implement to improve video quality and overall use of the network bandwidth?
Use 802.1p header.
If managed improperly, which of the following would be most detrimental to access management of cloud-based storage resources?
NOT Encryption NOT Private subnet Maybe Resource Policies
The IT team has purchased a few devices that are compatible with the Trusted Computing Group Security Subsystem Class called Opal. Which of these device specifications will take advantage of Opal's security features?
Disk Encryption
A cloud customer prefers separating storage resources that hold different sets of data in virtual private clouds (VPCs). One of those data sets must comply with Health Insurance Portability and Accountability Act (HIPAA) guidelines for patient data. How should the customer configure these VPCs to ensure the highest degree of network security?
Split segments between VPCs
Which of the following makes it possible for cloud service providers (CSP) to create a virtual instance and container simultaneously?
Dynamic resource allocation
A company is looking into integrating on-premise services and cloud services with a cloud service provider (CSP) using an Infrastructure as a Service (IaaS) plan. As a cloud architect works on architectural design, which of the following statements would NOT apply in this case?
NOT The company must establish separation of duties mechanisms. NOT The provider must update the firmware and security patches of physical servers. MAYBE The provider is responsible for the availability of the software
Determine a solution that can combine with a cloud access security broker (CASB) to provide a wholly cloud-hosted platform for client access?
Next-generation secure web gateway
There are several ways to check on the status of an online certificate, but some introduce privacy concerns. Consider how each of the following is structured, and select the option with the best ability to hide the identity of the certificate status requestor.
OCSP Stapling?
A network administrator is importing a list of certificates from an online source, so that employees can trust and communicate securely with public websites. Another set of certificates were already imported, to trust and securely communicate with intranet sites and other internal resources. Which type of certificate is the network administrator currently importing?
Root
What are the benefits of using Wi-Fi heat maps for wireless networks? (Select all that apply.)
Survey a site for signal strength Determine where to place access points