CIS 4550 Test 2


Which remote authentication protocol do most Internet service providers use to authenticate customers before they can access the Internet? Hint: it uses UDP and does NOT support more complex Authorization activities like another similar protocol. A. TACACS+ B. RADIUS C. OAuth 2.0 D. XTACACS E. Kerberos

B. RADIUS

Alice wants to send a message to Bob, who is several network hops away from her. What is the best approach to protecting the confidentiality of the message? A. PPTP B. S/MIME C. Link encryption D. SSH

B. Secure Multipurpose Internet Mail Extensions (S/MIME) is a standard for encrypting and digitally signing e-mail and for providing secure data transmissions using public key infrastructure (PKI).

Which of the following is NOT a recommended best practice regarding passwords?

Keyboard "walk" passwords such as "QwErTyUiOp1!"

Which of the following statements is TRUE?

Most Kerberos implementations use shared secret keys and symmetric key cryptography.

Which of the following VPN authentication protocols is universally considered to be the most insecure & is therefore no longer recommended to be used in any production environment?

PAP

Which form of NAT (Network Address Translation) allows all internal devices to have the same external public IP address without potentially causing "first-come, first-served basis" availability issues?

Port address translation

What is one pro & one con of 5G mobile networks relative to 4G LTE?

Pro: up to 20 times faster bandwidth. Con: high frequencies are more susceptible to interference.

Which term best describes the maximum amount of data that actually traverses a given network link?

Throughput

RSA's SecurID is a good example of what?

Time synchronous token-based one-time password

What is considered a "best effort" & connectionless protocol?

UDP

Which of the following reasons is NOT a reason to use virtual desktops?

Virtual desktops support both physical & remote logins

Which wireless cryptographic protocol has at least three core deficiencies and is universally considered the least secure for a WLAN?

WEP

What is the term for when primary & secondary DNS servers synchronize their information? HINT: these can sometimes be used by an attacker to obtain unauthorized information from a victim's DNS server.

Zone transfer

Which of the following is NOT a valid private IP range?

142.16.0.0 - 142.255.255.255

What IEEE standard is not a solely wireless protocol and can be implemented as an access control protocol for both wired & Wi-Fi networks?

802.1X

Which one of the following tools provides similar functionality to the other listed tools, but in a more secure manner? A. SSH B. Telnet C. FTP D. rlogin E. rsh F. rexec

A. SSH

You are the CISO of a research and development company that is transitioning to a 100 percent remote workforce, so your entire staff will be working from home. You don't have enough laptops for all your staff, so those without one will be using their personal computers and printers for work. Your VPN concentrators are sufficient to support the entire workforce, and you will be requiring all staff members to connect to the VPN. Which of the following additional VPN configurations should you also enable? A. Split tunneling B. Full tunneling C. VPN kill switch D. Hybrid tunneling

A. Because your staff will be using printers on their home networks, you will have to enable split tunneling, which allows some traffic to be sent over the VPN and other traffic to go to the local network or to the Internet directly.

An effective method to shield networks from unauthenticated DHCP clients is through the use of __________ on network switches. A. DHCP snooping B. DHCP protection C. DHCP shielding D. DHCP caching

A. DHCP snooping ensures that DHCP servers can assign IP addresses to only selected systems, identified by their MAC addresses. Also, advanced network switches now have the capability to direct clients toward legitimate DHCP servers to get IP addresses and to restrict rogue systems from becoming DHCP servers on the network.

What would be a recommended best practice to implement to prevent e-mail spoofing attacks against your organization? A. DMARC B. IMAP C. SPF D. POP E. DKIM

A. DMARC

All of the following statements are true of converged protocols except which one? A. Distributed Network Protocol 3 (DNP3) is a converged protocol. B. Fibre Channel over Ethernet (FCoE) is a converged protocol. C. IP convergence addresses a specific type of converged protocols. D. The term includes certain protocols that are encapsulated within each other.

A. DNP3 is a multilayer communications protocol that was designed for use in SCADA systems and has not converged with other protocols. All other statements are descriptive of converged protocols.

Which of the following shows the layer sequence as layers 2, 5, 7, 4, and 3?

A. Data link, session, application, transport, and network

Which of the following is the best description of directories that are used in identity management technology? A. Most are hierarchical and follow the X.500 standard. B. Most have a flat architecture and follow the X.400 standard. C. Most have moved away from LDAP. D. Most use RADIUS.

A. Most organizations have some type of directory service that contains information pertaining to the organization's network resources and users. Most directories follow a hierarchical database format, based on the X.500 standard, and a type of protocol, as in Lightweight Directory Access Protocol (LDAP), that allows subjects and applications to interact with the directory. Applications can request information about a particular user by making an LDAP request to the directory, and users can request information about a specific resource by using a similar request.

The process of mutual authentication involves _______________. A. a user authenticating to a system and the system authenticating to the user B. a user authenticating to two systems at the same time C. a user authenticating to a server and then to a process D. a user authenticating, receiving a ticket, and then authenticating to a service

A. Mutual authentication means it is happening in both directions. Instead of just the user having to authenticate to the server, the server also must authenticate to the user.

Which protocol makes sure that frames that are forwarded by switches do not simply circle the network indefinitely? A. Spanning Tree Protocol B. User Datagram Protocol C. Border Gateway Protocol D. Open Shortest Path First E. Transmission Control Protocol

A. Spanning Tree Protocol

Which of the following provides secure end-to-end encryption? A. Transport Layer Security (TLS) B. Secure Sockets Layer (SSL) C. Layer 2 Tunneling Protocol (L2TP) D. Domain Name System Security Extensions (DNSSEC)

A. TLS and SSL are the only two answers that provide end-to-end encryption, but SSL is insecure, so it's not a good answer.

Which of the following is not a wireless-only standard? A. 802.15.4 B. 802.16 C. Li-Fi D. 802.11ax E. 802.1X

E. 802.1X

What takes place at the session layer? A. Dialog control B. Routing C. Packet sequencing D. Addressing

A. The session layer is responsible for controlling how applications communicate, not how computers communicate. Not all applications use protocols that work at the session layer, so this layer is not always used in networking functions. A session layer protocol sets up the connection to the other application logically and controls the dialog going back and forth. Session layer protocols allow applications to keep track of the dialog.

The diagram shown here explains which of the following concepts? A. Crossover error rate. B. Type III errors. C. FAR equals FRR in systems that have a high crossover error rate. D. Biometrics is a high acceptance technology.

A. This rating is stated as a percentage and represents the point at which the false rejection rate equals the false acceptance rate. This rating is the most important measurement when determining a biometric system's accuracy.
• Type I error, false rejection rate (FRR): Rejects authorized individual
• Type II error, false acceptance rate (FAR): Accepts impostor

How would you best ensure the security of a ZigBee system? A. Ensure a coordinator acts as a Trust Center B. Use 256-bit encryption keys C. Deploy in a ring topology with preassigned slots for each device D. Use the Symmetric-Key Key Establishment (SKKE) protocol to derive keys

A. Using a Trust Center provides a way to centrally authenticate devices and securely manage encryption keys, which are 128 bits (not 256). Without a Trust Center, the SKKE protocol can be used to derive keys, but this approach is not as secure. ZigBee does not support ring topologies.

Which of the following is NOT a way that the ICMP networking protocol can be misused by an attacker?

ARP cache poisoning

In networking, what is the term used to describe the loss of signal strength as it travels?

Attenuation

Which of the following technologies divides a communication channel into individual and independent subchannels? A. Baseband B. Broadband C. Circuit-switched D. Crosstalk

B. A broadband technology divides the communication channel into individual and independent subchannels so that different types of data can be transmitted simultaneously. A baseband technology, on the other hand, uses the entire communication channel for its transmission.

All of the following are good reasons to implement a content distribution network except for which one? A. Reduced latency B. Reduced total cost of ownership (TCO) C. Protection against distributed denial-of-service (DDoS) attacks D. Tailoring content to users around the world

B. A content distribution network (CDN) consists of multiple servers distributed across a large region, each of which provides content that is optimized for users closest to it. This improves latency and localization. The very distributed nature of the CDN also provides DDoS protections. It all comes at significant costs and increases the complexity of deploying systems and content, which may require additional organizational resources apart from the service itself.

How is a challenge/response protocol utilized with token device implementations? A. This type of protocol is not used; cryptography is used. B. An authentication service generates a challenge, and the smart token generates a response based on the challenge. C. The token challenges the user for a username and password. D. The token challenges the user's password against a database of stored credentials.

B. An asynchronous token device is based on challenge/response mechanisms. The authentication service sends the user a challenge value, which the user enters into the token. The token encrypts or hashes this value, and the user uses this as her one-time password.

Which of the following is not considered a best practice for securing multimedia collaboration platforms? A. Don't record meetings unless necessary B. Use consumer-grade products C. Use AES 256-bit encryption D. Restrict participants' sharing of their screens or cameras as appropriate

B. Consumer-grade products almost always lack the security controls and management features that we need to properly secure multimedia collaboration platforms.

Which approach provides the best protection against e-mail spoofing? A. Internet Message Access Protocol (IMAP) B. Domain-based Message Authentication, Reporting and Conformance (DMARC) C. Sender Policy Framework (SPF) D. DomainKeys Identified Mail (DKIM)

B. Domain-based Message Authentication, Reporting and Conformance (DMARC) systems incorporate both SPF and DKIM to protect e-mail. IMAP does not have any built-in protections against e-mail spoofing.

On an Ethernet network, which is the valid broadcast address? A. 127.0.0.1 B. FF:FF:FF:FF:FF:FF C. 255.255.255.255 D. AA:AA:AA:AA:AA:AA E. FF00::

B. FF:FF:FF:FF:FF:FF

Which of the following is not a characteristic of Li-Fi networks? A. Support for high client densities B. High latency C. Constrained coverage area D. Can work on the infrared spectrum

B. Latency is the delay in data transfers, which is extremely low in Li-Fi networks.

Which application layer protocol is used for call setup & teardown in IP telephony, video conferencing, and some online gaming? A. Transmission Control Protocol B. Session Initiation Protocol C. User Datagram Protocol D. Border Gateway Protocol E. Spanning Tree Protocol

B. Session Initiation Protocol

During a recent review of your enterprise architecture, you realize that many of your mission-critical systems rely on Remote Procedure Call (RPC). What measures should you take to ensure remote procedure calls are secured? A. Implement ITU standard H.323 B. Tunnel RPC through Transport Layer Security (TLS) C. Use the Password Authentication Protocol (PAP) for authentication D. Enforce client-side authentication

B. Since many implementations of RPC lack security controls, many organizations require TLS for authenticating hosts and encrypting RPC traffic.

Suppose you work at a large cloud service provider that has thousands of customers around the world. What technology would best support segmentation of your customers' environments? A. Virtual local area network (VLAN) B. Virtual eXtensible Local Area Network (VxLAN) C. Software-defined wide area networking (SD-WAN) D. Layer 2 Tunneling Protocol (L2TP)

B. Since there are thousands of customers to support, VxLAN is the best choice because it can support over 16 million subnetworks. Traditional VLANs are capped at just over 4,000 subnetworks, which would not be able to provide more than a few segments to each customer.

Which best describes the IP protocol? A. A connectionless protocol that deals with dialog establishment, maintenance, and destruction B. A connectionless protocol that deals with the addressing and routing of packets C. A connection-oriented protocol that deals with the addressing and routing of packets D. A connection-oriented protocol that deals with sequencing, error detection, and flow control

B. The IP protocol is connectionless and works at the network layer. It adds source and destination addresses to a packet as it goes through its data encapsulation process. IP can also make routing decisions based on the destination address.

Which of the following is not one of the messages exchanged during the DHCP lease process? i. Discover ii. Offer iii. Request iv. Acknowledgment A. All of them are exchanged B. None of them are exchanged C. i, ii D. ii, iii

B. The four-step DHCP lease process is:
1. DHCPDISCOVER message: This message is used to request an IP address lease from a DHCP server.
2. DHCPOFFER message: This message is a response to a DHCPDISCOVER message, and is sent by one or numerous DHCP servers.
3. DHCPREQUEST message: The client sends this message to the initial DHCP server that responded to its request.
4. DHCPACK message: This message is sent by the DHCP server to the DHCP client and is the process whereby the DHCP server assigns the IP address lease to the DHCP client.

This graphic covers which of the following? A. Crossover error rate B. Identity verification C. Authorization rates D. Authentication error rates

B. These steps are taken to convert the biometric input for identity verification:
i. A software application identifies specific points of data as match points.
ii. An algorithm is used to process the match points and translate that information into a numeric value.
iii. Authentication is approved or denied when the database value is compared with the end user input entered into the scanner.

Which of the following is not part of user provisioning? A. Creation and deactivation of user accounts B. Business process implementation C. Maintenance and deactivation of user objects and attributes D. Delegating user administration

B. User provisioning refers to the creation, maintenance, and deactivation of user objects and attributes as they exist in one or more systems, directories, or applications, in response to business processes. User provisioning software may include one or more of the following components: change propagation, self-service workflow, consolidated user administration, delegated user administration, and federated change control. User objects may represent employees, contractors, vendors, partners, customers, or other recipients of a service. Services may include e-mail, access to a database, access to a file server or mainframe, and so on.

Which of the following can take place if an attacker is able to insert tagging values into network- and switch-based protocols with the goal of manipulating traffic at the data link layer? A. Open relay manipulation B. VLAN hopping attack C. Hypervisor denial-of-service attack D. DNS tunneling

B. VLAN hopping attacks allow attackers to gain access to traffic in various VLAN segments. An attacker can have a system act as though it is a switch. The system understands the tagging values being used in the network and the trunking protocols and can insert itself between other VLAN devices and gain access to the traffic going back and forth. Attackers can also insert tagging values to manipulate the control of traffic at this data link layer.

What problem is inevitable as the length of a cable run increases? A. Thermal noise B. Line noise C. Crosstalk D. Attenuation

D. Attenuation is the loss of signal strength as it travels. Regardless of which type of cabling is used, attenuation is inevitable given a long enough distance, which is why repeaters were invented.

You are planning an upgrade for the wireless network at one of your manufacturing sites and want to use this as an opportunity to improve network security. The current system is based on 10-year-old wireless access points (WAPs) that implement 802.11g. You're using WPA2 in Personal mode because you have multiple Industrial Internet of Things (IIoT) devices. You can update the firmware on the WAPs, but you really think it's time for an upgrade. The existing wireless network has recently become unusable, and you suspect you may be the target of a persistent Wi-Fi deauthentication attack. How can you best mitigate this threat? A. Deploy WPA3 access points across the facility B. Perform MAC address filtering to keep the rogue stations off the network C. Immediately update the firmware on the access points to support 802.11w D. Change the channel used by the WAPs

C. 802.11w provides Management Frame Protection (MFP) capabilities that would mitigate this type of attack. This is included in WPA3, so either answer would generally work. However, it is probably faster, cheaper, and safer to roll out 802.11w upgrades first, which would likely have no negative effects on the networks, while research and planning continue on how to best implement a WPA3 solution across the enterprise. This is a good example of the types of ambiguous questions you'll see on the CISSP exam.

Systems that are built on the OSI model are considered open systems. What does this mean? A. They do not have authentication mechanisms configured by default. B. They have interoperability issues. C. They are built with internationally accepted protocols and standards so they can easily communicate with other systems. D. They are built with international protocols and standards so they can choose what types of systems they will communicate with.

C. An open system is a system that has been developed based on standardized protocols and interfaces. Following these standards allows the systems to interoperate more effectively with other systems that follow the same standards.

Which of the following is true of asynchronous transmission signals? A. Used for high-speed, high-volume transmissions B. Robust error checking C. Used for irregular transmission patterns D. More complex, costly implementation

C. Asynchronous communications are typically used when data transfers happen at lower volumes and with unpredictable intervals. All other answers describe synchronous signaling, which is best suited for regular, high-volume traffic.

What role does biometrics play in access control? A. Authorization B. Authenticity C. Authentication D. Accountability

C. Biometrics is a technology that validates an individual's identity by reading a physical attribute. In some cases, biometrics can be used for identification, but that was not listed as an answer choice.

Which of the following protections are provided by Domain Name System Security Extensions (DNSSEC)? A. Confidentiality and integrity B. Integrity and availability C. Integrity and authentication D. Confidentiality and authentication

C. Domain Name System Security Extensions (DNSSEC) is a set of IETF standards that ensures the integrity and authenticity of DNS records but not their confidentiality or availability.

Which of the following issues would be likeliest to cause problems in a cable tray where large numbers of cables run in parallel and close proximity? A. Thermal noise B. Line noise C. Crosstalk D. Attenuation

C. Crosstalk is a phenomenon that occurs when electrical signals of one wire spill over to the signals of another wire. The more cables you have in close proximity, the worse this issue can be unless you use shielded cables.

What is the term for the maximum amount of data that actually traverses a given network link? A. Latency B. Bandwidth C. Throughput D. Maximum transmission unit (MTU)

C. Data throughput is the actual amount of data that can be carried over a real link. Bandwidth, on the other hand, is the amount of information that can theoretically be transmitted over a link within a second.

Which of the following protocols work in the following layers: application, data link, network, and transport? A. FTP, ARP, TCP, and UDP B. FTP, ICMP, IP, and UDP C. TFTP, ARP, IP, and UDP D. TFTP, RARP, IP, and ICMP

C. Different protocols have different functionalities. The OSI model is an attempt to describe conceptually where these different functionalities take place in a networking stack. The model attempts to draw boxes around reality to help people better understand the stack. Each layer has a specific functionality and has several different protocols that can live at that layer and carry out that specific functionality. These listed protocols work at these associated layers: TFTP (application), ARP (data link), IP (network), and UDP (transport).

The graphic shown here illustrates how which of the following works? A. Rainbow tables B. Dictionary attack C. One-time password D. Strong authentication

C. Different types of one-time passwords are used for authentication. This graphic illustrates a synchronous token device, which synchronizes with the authentication service by using time or a counter as the core piece of the authentication process.

You are the CISO of a research and development company that is transitioning to a 100 percent remote workforce, so your entire staff will be working from home. You don't have enough laptops for all your staff, so those without one will be using their personal computers and printers for work. Your VPN concentrators are sufficient to support the entire workforce, and you will be requiring all staff members to connect to the VPN. Which authentication protocol would be best for your VPN connections? A. Password Authentication Protocol (PAP) B. Challenge Handshake Authentication Protocol (CHAP) C. Extensible Authentication Protocol (EAP) D. Session Initiation Protocol (SIP)

C. EAP is considered much more secure than both PAP (which is not secure at all) and CHAP. SIP does not provide authentication mechanisms at all.

Which technology would best provide confidentiality to a RESTful web service? A. Web Services Security (WS-Security) B. Transport Layer Security (TLS) C. HTTP Secure (HTTPS) D. Simple Object Access Protocol (SOAP)

C. Either TLS or HTTPS would be a correct answer, but since web services in general and RESTful ones in particular require HTTP, HTTPS is the best choice. Keep in mind that you are likely to come across similar questions where multiple answers are correct but only one is best. SOAP is an alternative way to deliver web services and uses WS-Security for confidentiality.

In the OSI model, what takes place in the data link layer? A. End-to-end connection B. Dialog control C. Framing D. Routing E. Addressing

C. Framing

Which of the following is not a disadvantage of satellite networks compared to terrestrial ones? A. Latency B. Cost C. Bandwidth D. Video conferencing

C. If you have the budget for it, data rates on satellite networks are comparable with other modes of communication. These systems, however, are typically more expensive and have high latencies, which means they are not well suited for time-sensitive applications, such as voice and video conferencing.

What is one of the biggest challenges when using geosynchronous satellites instead of low Earth orbit (LEO) satellites for wireless connectivity? A. Confidentiality B. Ground station antenna must move to stay in sync C. Latency D. Integrity E. Availability F. Signal being passed between different geosynchronous satellites as the Earth rotates

C. Latency

Which open standard is used for Authorization to third parties, but not Authentication? Hint: it defines four roles: Client, Resource Server, Authorization Server, & Resource Owner. A. OpenID Connect B. Kerberos C. OAuth 2.0 D. RADIUS E. SAML

C. OAuth 2.0

Which of the following statements correctly describes the use of passwords for authentication? A. They are the least expensive and most secure. B. They are the most expensive and least secure. C. They are the least expensive and least secure. D. They are the most expensive and most secure.

C. Passwords provide the least amount of protection, but are the cheapest because they do not require extra readers (as with smart cards and memory cards), do not require devices (as do biometrics), and do not require a lot of overhead in processing (as in cryptography). Passwords are the most common type of authentication method used today.

Which of the following is not a characteristic of the IEEE 802.11a standard? A. It works in the 5-GHz range. B. It uses the OFDM spread-spectrum technology. C. It provides 52 Mbps in bandwidth. D. It covers a smaller distance than 802.11b.

C. The IEEE standard 802.11a uses the OFDM spread-spectrum technology, works in the 5-GHz frequency band, and provides bandwidth of up to 54 Mbps. The operating range is smaller because it works at a higher frequency.

What takes place at the data link layer? A. End-to-end connection B. Dialog control C. Framing D. Data syntax

C. The data link layer, in most cases, is the only layer that understands the environment in which the system is working, whether it be Ethernet, Token Ring, wireless, or a connection to a WAN link. This layer adds the necessary headers and trailers to the frame. Other systems on the same type of network using the same technology understand only the specific header and trailer format used in their data link technology.

As a best practice, which end-to-end encryption system(s) and version(s) are recommended? A. Secure Socket Layer version 3 only B. Transport Layer Security version 1.3 only C. Transport Layer Security version 1.2 or 1.3 D. Any version of Secure Socket Layer or Transport Layer Security E. Any version of Transport Layer Security version 1.0, 1.1, 1.2, or 1.3 F. Secure Socket Layer version 3 or Transport Layer Security version 1.3

C. Transport Layer Security version 1.2 or 1.3

You are the CISO of a research and development company that is transitioning to a 100 percent remote workforce, so your entire staff will be working from home. You don't have enough laptops for all your staff, so those without one will be using their personal computers and printers for work. Your VPN concentrators are sufficient to support the entire workforce, and you will be requiring all staff members to connect to the VPN. Which of the following will best protect the confidentiality of your sensitive research data? A. Secure Shell (SSH) B. Virtualized networks C. Virtual desktop infrastructure (VDI) D. Remote Procedure Calls (RPC)

C. VDI allows your sensitive data to remain in your protected network even as users are able to work with it over a virtual desktop. Properly configured, this infrastructure prevents any sensitive research data from being stored on the remote user's computer.

Which of the following is not an advantage of virtual desktops? A. Reduced user downtime during incident response B. Support for both persistent and nonpersistent sessions C. Support for both physical and remote logins D. Better implementation of data retention standards

C. VDI is particularly helpful in regulated environments because of the ease with which it supports data retention, configuration management, and incident response through persistent and nonpersistent sessions. However, since VDI relies on VMs in a data center, there is not a computer at which a user could physically log in.

What are commonly used to make up a distinguished name (DN) in a directory database based on the X.500 standard?

Common names (cn) & domain identifiers (di)

You are planning an upgrade for the wireless network at one of your manufacturing sites and want to use this as an opportunity to improve network security. The current system is based on 10-year-old wireless access points (WAPs) that implement 802.11g. You're using WPA2 in Personal mode because you have multiple Industrial Internet of Things (IIoT) devices. You can update the firmware on the WAPs, but you really think it's time for an upgrade. What is the best technology to which you should consider upgrading? A. IEEE 802.16 B. IEEE 802.11w C. IEEE 802.11f D. IEEE 802.11ax

D. 802.11ax is the only standard describing a WLAN among the list of options. 802.16 is used in metropolitan area networks (MANs). 802.11w covers Management Frame Protection (MFP) in wireless networks. 802.11f deals with users roaming among access points.

Which of the following would not be considered an endpoint? A. Point of sale (POS) terminal B. Industrial control system (ICS) C. Internet of Things (IoT) device D. Multiprotocol Label Switching (MPLS) system

D. An endpoint is any computing device that communicates through a network and whose principal function is not to mediate communications for other devices on that network. MPLS functionality is built into networking devices to help them move packets between endpoints more efficiently.

What does the IEEE 802.1X standard cover? A. A Management Frame Protection (MFP) that prevents replay and denial-of-service (DoS) attacks B. Wi-Fi Protected Access 2 (WPA2) C. Security extensions to the physical layer (PHY) and Media Access Control (MAC) sublayer of the data link layer in the OSI model D. An access control protocol for user authentication and key distribution

D. 802.1X is an access control protocol that can be implemented on both wired and wireless networks for user authentication and key distribution. MFP is covered in 802.11w, WPA2 is covered in 802.11i, and the other option (security extensions) was a distracter.

Which of the following provides an incorrect definition of the specific component or protocol that makes up IPSec? A. Authentication Header protocol provides data integrity, data origin authentication, and protection from replay attacks. B. Encapsulating Security Payload protocol provides confidentiality, data origin authentication, and data integrity. C. Internet Security Association and Key Management Protocol provides a framework for security association creation and key exchange. D. Internet Key Exchange provides authenticated keying material for use with encryption algorithms.

D. Authentication Header protocol provides data integrity, data origin authentication, and protection from replay attacks. Encapsulating Security Payload protocol provides confidentiality, data origin authentication, and data integrity. Internet Security Association and Key Management Protocol provides a framework for security association creation and key exchange. Internet Key Exchange provides authenticated keying material for use with ISAKMP.

Which attack allows unauthorized access to read, steal, or exfiltrate data off of a mobile device via Bluetooth? A. Blues Clues B. Evil twin C. Bluejacking D. Bluesnarfing E. Smurf attack

D. Bluesnarfing

Which of the following is a Bluetooth-specific attack that allows unauthorized read/write access from a wireless device? A. Bluejacking B. Replay attack C. Smurf attack D. Bluesnarfing

D. Bluesnarfing could allow an attacker to read, modify, or delete calendar events, contacts, e-mails, text messages, and so on. Bluejacking is the only other Bluetooth attack option, but this refers to someone sending an unsolicited message to a device.

What type of cabling would you use if you needed inexpensive networking in an environment prone to electromagnetic interference? A. Fiber-optic B. Unshielded twisted pair (UTP) C. Plenum D. Coaxial

D. Coaxial cable has a copper core that is surrounded by a shielding layer and grounding wire, which makes it more resistant to electromagnetic interference (EMI). It is significantly cheaper than fiber-optic cable, which is the other EMI-resistant answer listed, while still allowing higher bandwidths.

Which of the following statements correctly describes biometric methods of authentication? A. They are the least expensive and provide the most protection. B. They are the most expensive and provide the least protection. C. They are the least expensive and provide the least protection. D. They are the most expensive and provide the most protection.

D. Compared with the other available authentication mechanisms, biometric methods provide the highest level of protection and are the most expensive.

Which of the following is a multilayer protocol developed for use in supervisory control and data acquisition (SCADA) systems? A. Controller Area Network (CAN) bus B. Simple Authentication and Security Layer (SASL) C. Control Plane Protocol (CPP) D. Distributed Network Protocol 3 (DNP3)

D. DNP3 is a multilayer communications protocol designed for use in SCADA systems, particularly those within the power sector.

You are planning an upgrade for the wireless network at one of your manufacturing sites and want to use this as an opportunity to improve network security. The current system is based on 10-year-old wireless access points (WAPs) that implement 802.11g. You're using WPA2 in Personal mode because you have multiple Industrial Internet of Things (IIoT) devices. You can update the firmware on the WAPs, but you really think it's time for an upgrade. What could make it harder for you to switch from WPA2 Personal mode to Enterprise mode? A. Enterprise mode requires licenses that can be costly. B. The WAPs may not support Enterprise mode. C. IIoT devices may not support Enterprise mode. D. The return on investment is insufficient.

D. If a WAP supports WPA2, it would do so in either Personal or Enterprise mode as long as it can be connected to the needed backend services (e.g., a RADIUS server), with no need for additional licensing. Thus, the change would not typically be expected to have ROI issues. However, many embedded devices, including IIoT, do not support this mode and would have to be replaced.

What is the best way to secure a ZigBee system? A. Deploy ZigBee in a ring topology with preassigned positions for each device B. Implement 256-bit encryption keys C. Implement 2048-bit encryption keys D. Make sure that a coordinator acts as a Trust Center E. Generate keys using Symmetric-Key Key Establishment (SKKE)

D. Make sure that a coordinator acts as a Trust Center

What is a technology that allows a user to remember just one password? A. Password generation B. Password dictionaries C. Password rainbow tables D. Password synchronization

D. Password synchronization technologies can allow a user to maintain just one password across multiple systems. The product synchronizes the password to other systems and applications, which happens transparently to the user.

Which of the following is true about the Session Initiation Protocol (SIP)? A. Used to establish virtual private network (VPN) sessions B. Framework for authenticating network connections C. Session layer protocol for out-of-band statistics D. Application layer protocol used in online gaming communications

D. SIP is an application layer protocol used for call setup and teardown in IP telephony, video and multimedia conferencing, instant messaging, and online gaming.

How could you best protect a unified communications (UC) platform? A. Protect it as you would any other systems B. Enable Password Authentication Protocol (PAP) C. Use the Session Initiation Protocol (SIP) for every new session D. Ensure the hub is protected against physical and logical threats

D. Securing UC involves similar security controls that we would apply to any other communications platform, but with a couple of important caveats. Unified communications rely on a central hub that integrates, coordinates, and synchronizes the various technologies. You want to ensure that this hub is adequately protected against physical and logical threats.

Which protocol ensures that frames being forwarded by switches do not circle networks forever? A. Open Shortest Path First (OSPF) B. Border Gateway Protocol (BGP) C. Intermediate System-to-Intermediate System (IS-IS) D. Spanning Tree Protocol (STP)

D. Spanning Tree Protocol (STP) ensures that forwarded frames do not circle networks forever, provides redundant paths in case a bridge goes down, assigns unique identifiers to each bridge, assigns priority values to these bridges, and calculates path costs. The other answers are all routing (layer 3) protocols.

Which standard specifically addresses issues in network access control? A. IEEE 802.1Q B. IEEE 802.1aq C. IEEE 802.1AE D. IEEE 802.1X

D. The 802.1X protocol allows devices to connect in a very limited manner (i.e., only to the network authenticator) until the device and/or user can be authenticated. The other standards listed all pertain to layer 2 bridging and security.

In which type of networks is the Signaling System 7 (SS7) protocol used? A. Integrated Services Digital Network (ISDN) B. IP telephony network C. Real-time Transport Protocol (RTP) network D. Public switched telephone network (PSTN)

D. The SS7 protocol is used in a PSTN to set up, control, and disconnect calls.

Metro Ethernet is a MAN protocol that can work in network infrastructures made up of access, aggregation, metro, and core layers. Which of the following best describes these network infrastructure layers? A. The access layer connects the customer's equipment to a service provider's aggregation network. Aggregation occurs on a core network. The metro layer is the metropolitan area network. The core connects different metro networks. B. The access layer connects the customer's equipment to a service provider's core network. Aggregation occurs on a distribution network at the core. The metro layer is the metropolitan area network. C. The access layer connects the customer's equipment to a service provider's aggregation network. Aggregation occurs on a distribution network. The metro layer is the metropolitan area network. The core connects different access layers. D. The access layer connects the customer's equipment to a service provider's aggregation network. Aggregation occurs on a distribution network. The metro layer is the metropolitan area network. The core connects different metro networks.

D. The access layer connects the customer's equipment to a service provider's aggregation network. Aggregation occurs on a distribution network. The metro layer is the metropolitan area network. The core connects different metro networks.

Which of the following is NOT one of the main protocols included in IPSec? A. Authentication Header B. Encapsulating Security Payload C. Internet Key Exchange D. Transport Layer Security E. Internet Security Association and Key Management Protocol

D. Transport Layer Security

Wireless LAN technologies have gone through different versions over the years to address some of the inherent security issues within the original IEEE 802.11 standard. Which of the following provides the correct characteristics of WPA2 in Enterprise mode? A. IEEE 802.1X, WEP, MAC B. IEEE 802.1X, EAP, TKIP C. IEEE 802.1X, EAP, WEP D. IEEE 802.1X, EAP, CCMP

D. Wi-Fi Protected Access 2 requires IEEE 802.1X or preshared keys for access control, Extensible Authentication Protocol (EAP) or preshared keys for authentication, and the Advanced Encryption Standard (AES) algorithm in counter mode with CBC-MAC Protocol (CCMP) for encryption.

Which of the following statements is TRUE? A. IPv4 addresses are 32 bits long, IPv6 addresses are 64 bits long, and IPv6 can support substantially more than two times as many possible addresses as IPv4 B. Both IPv4 and IPv6 addresses have the same number of bits, but IPv6's longer header introduces additional speed and security features C. IPv4 addresses are 32 bits long, IPv6 addresses are 64 bits long, and IPv6 can support two times as many possible addresses as IPv4 D. IPv4 addresses are 32 bits long, IPv6 addresses are 128 bits long, and IPv6 can support four times as many possible addresses as IPv4 E. IPv4 addresses are 32 bits long, IPv6 addresses are 128 bits long, and IPv6 can support substantially more than four times as many possible addresses as IPv4

E. IPv4 addresses are 32 bits long, IPv6 addresses are 128 bits long, and IPv6 can support substantially more than four times as many possible addresses as IPv4

As data moves through each layer of the OSI networking reference model what is occurring?

Encapsulation or de-encapsulation

Which four steps are in the CORRECT ORDER for a subject to access an object?

Identification, Authentication, Authorization, Accountability

Match the correct Access Control model with its main characteristics.

RBAC - Access decisions are based on each subject's role and/or functional position. DAC - Data owners decide who has access to resources, & ACLs are used to enforce these access decisions. ABAC - Access decisions are based on attributes of any component of or action on the system. MAC - Operating systems enforce the system's security policy through the use of security labels.

What architectural pattern uses HTTP or HTTPS to provide an API for clients to make programmatic requests from servers?

REST

Which of the following is TRUE about routers & bridges?

Routers work at the network layer & filter packets based on IP addresses. Bridges work at the data link layer & filter frames based on MAC addresses.

Which OSI networking reference model layer contains protocols such as RPC & NetBIOS which are some of the least used in a modern secure networking environment?

Session layer

What category of attacks against smart cards includes differential power analysis, electromagnetic analysis, & timing?

Side-channel attacks

Since SAML is an XML-based standard, what is a common protocol to transmit SAML data?

Simple Object Access Protocol (SOAP)

Which networking cable doesn't lose signal strength over long distances, is unaffected by EMI, & is difficult to eavesdrop on?

Single mode fiber-optic

Which of the following protocols is considered connection-oriented?

TCP

