Network Security (4.0) study set
Which of the following terms refers to a type of denial-of-service (DoS) attack that bombards a target server with traffic that requires a large amount of processing? Amplified Reflective Distributed Permanent
Amplified
Which of the following are means of preventing unauthorized individuals from entering a sensitive location, such as a datacenter? (Choose all correct answers.) Biometric scans Identification badges Key fobs Motion detection
Biometric scans Identification badges Key fobs
A secured government building that scans the faces of incoming people and compares them to a database of authorized entrants is using which of the following types of technology? Pattern recognition Hand geometry Biometrics Tamper detection
Biometrics
A common technique used by malicious individuals to perform a man-in-the-middle attack on a wireless network is: ARP cache poisoning Amplified DNS attacks Session hijacking Creating an evil twin
Creating an evil twin Evil Twin access points are the most common way to perform a man-in-the-middle attack on a wireless network.
After an employee connected one of the switch ports on a SOHO router to the office's wall jack, other employees in the building started losing network connectivity. Which of the following could be implemented on the company's switch to prevent this type of loss of connection? Loop prevention ARP inspections DHCP snooping ACL block
DHCP snooping DHCP snooping is a series of techniques applied to improve the security of a DHCP infrastructure. When DHCP servers are allocating IP addresses to the LAN clients, DHCP snooping can be configured on LAN switches to prevent malicious or malformed DHCP traffic or rogue DHCP servers.
Which of the following is another term for a perimeter network? VLAN PEAP TKIP DMZ
DMZ
Which of the following terms refers to a denial-of-service (DoS) attack that involves zombies? Amplified Reflective Distributed Permanent
Distributed
Which of the following terms refers to a type of denial-of-service (DoS) attack that uses multiple computers to bombard a target server with traffic? Amplified Reflective Distributed Permanent
Distributed
Which of the following modifications occur when you configure the native VLAN on your network switches to use 802.1q tagging? (Choose all correct answers.) Double-tagged packets are prevented. BPDU guards are applied. Root guards are applied. Trunk traffic is routed, not switched.
Double-tagged packets are prevented. To join ports on different switches into one VLAN, you designate a trunk port on each switch for the traffic between switches. Initially, the native VLAN uses the default VLAN1 for trunk traffic, and that traffic is left untagged. Untagged traffic is susceptible to attacks using double-tagged packets. When you configure the native VLAN to use tagging, this makes it impervious to double-tagging. Changing the native VLAN does not create root guards or BPDU guards, and all traffic continues to be switched, not routed.
Which of the following types of servers are typically found in a DMZ? (Choose all correct answers.) Domain controllers DHCP servers Email servers Web servers
Email servers Web servers
Which of the following is not a security task that should be performed on a new WAP? Enable encryption Change administrator account and password Disable SSID broadcast Enable backward compatibility
Enable backward compatibility
Which of the following can be described as wireless network hardening techniques? (Choose all correct answers.) Encryption Authentication MAC filtering Social engineering
Encryption Authentication MAC filtering
Sam is setting up two pieces of networking equipment that are identical. He can use them in conjunction for what purpose? (Choose all correct choices) Bandwidth shaping Fault tolerance High availability CARP Latency reduction
Fault tolerance High availability Common Address Redundancy Protocol (CARP) is a protocol used to allow multiple hosts on the same network to share a set of IP addresses. This provides your network with redundancy. Remember, the question is asking for the "purpose". CARP is a protocol, not a purpose.
To ensure that the data received over a network is identical to the data that was transmitted, it is common for systems to run a cryptographic function on a file that generates a value called a checksum or a message digest. Which of the following terms describes this type of mechanism? Deauthentication File hashing Root guard Geofencing
File hashing
SHA and MD5 are cryptographic algorithms that are used for which of the following applications? Data encryption Digital signing File hashing Wireless authentication
File hashing Secure Hash Algorithm (SHA) and Message Digest 5 (MD5) are file hashing algorithms, used to test data integrity by calculating a hash value before transmission a file over a network. After the transmission, the receiving system performs the same calculation. If the values match, then the data is intact. These two algorithms are not used for data encryption, digital signing, or wireless authentication.
Which of the following mitigation techniques helps organizations maintain compliance to standards such as HIPAA and FISMA? File integrity monitoring Role separation Deauthentication Tamper detection
File integrity monitoring File integrity monitoring (FIM) is a process that typically consists of a comparison of files in their current state to a known baseline copy stored elsewhere. The comparison can be direct, or it could involve the calculation of checksums or other types of file hashes. The object of the comparison is to detect changes in documents, both in content and in sensitive areas, such as credentials, privileges, and security settings, which might indicate the presence of a potential or actual security breach.
Which of the following attack types is similar to a smurf attack, except that it uses a different protocol to generate its traffic? Phishing Evil twin Logic bomb Fraggle
Fraggle The difference between a fraggle and a smurf attack is that a fraggle attack uses User Datagram Protocol (UDP) traffic instead of ICMP.
Which of the following is an effective method for preventing sensitive data from being compromised through social engineering? Implement a program of user education and corporate policies. Install an antivirus software product on all user workstations. Install a firewall between the internal network and the Internet. Use IPsec to encrypt all network traffic.
Implement a program of user education and corporate policies.
Which of the following authentication protocols do Windows networks use for Active Directory Domain Services authentication of internal clients? RADIUS WPA2 Kerberos EAP-TLS
Kerberos
A senior IT administrator at your company was terminated two weeks ago. Today, Friday, you arrived at the office and found that all of the hosts in the web server farm had their data deleted. There are no unauthorized entries to the datacenter recorded, but you suspect the terminated administrator to be responsible. Which of the following attack types might the administrator have directed at the web server farm? Social engineering ARP poisoning Evil twin Logic bomb
Logic bomb
Which of the following network concepts is prevented by using a split horizon? Large routing tables Duplicate addresses Collisions Loops
Loops In computer networking, split-horizon route advertisement is a method of preventing routing loops in distance-vector routing protocols by prohibiting a router from advertising a route back onto the interface from which it was learned.
On a wireless access point that uses an access control list (ACL) to specify which devices are permitted to connect to the network, which of the following is used to identify the authorized devices? Usernames IP addresses Device names MAC addresses
MAC addresses
Honeypots and honeynets belong to which of the following categories of devices? Mitigation techniques Network attacks Switch port protection types Firewall filters
Mitigation techniques
What anti-malware solution should be implemented to deter attackers from loading custom files onto a distributed target platform? Network-based anti-malware Signature-based anti-malware Cloud-based anti-malware Host-based anti-malware
Network-based anti-malware
Which of the following types of denial-of-service (DoS) attack does not involve flooding a server with traffic? Amplified Reflective Distributed Permanent
Permanent A permanent DoS attack is one in which the attacker actually damages the target system and prevents it from functioning.
Ed receives an email through his personal account, warning him that his checking account has been locked due to excessive activity. To confirm that the activity is fraudulent, the email instructs Ed to click the enclosed hyperlink, log on to his account, and review the list of charges. Ed clicks the link and is taken to a web page that appears to be that of his bank. He then supplies his username and password to log on. Which of the following types of attacks is Ed likely to be experiencing? Social engineering Phishing Logic bomb Spoofing
Phishing
Identification badges, key fobs, and mantraps all fall into which of the following categories of security devices? Physical security Data security Asset tracking Port security
Physical security
Which of the following are cryptographic algorithms used for file hashing? (Choose all correct answers.) SHA MD5 RC4 AES
SHA MD5
Which protocol is used to establish a secure and encrypted VPN tunnel that can be initiated through a web browser? PPP PPTP SSL IPSec
SSL SSL VPN can be done thru browser. If browser requirement not in Q, IPSec would have worked as well.
In a public key infrastructure (PKI), which half of a cryptographic key pair is never transmitted over the network? The public key The private key The session key The ticket granting key
The private key
In testing the new application he has designed, Ralph has discovered that it contains a weakness that could enable an attacker to gain full administrative access. Which of the following is another term for this weakness? Exploit Mitigation Vulnerability Honeypot
Vulnerability
Which of the following wireless security protocols uses CCMP-AES for encryption? WEP WPA WPA2 TKIP
WPA2
Which of the following types of attacks on a network switch can a flood guard help to prevent? DNS poisoning War driving MAC flooding Evil twin
MAC flooding
Regularly applying operating system updates and patches to network computers is an important mitigation procedure for which of the following security problems? Denial-of-service attacks Malware Social engineering Port security
Malware
To connect a wireless client to a wireless access point using the Wi-Fi Protected Access II (WPA2) security protocol with a preshared key, which of the following must you supply on both devices? Base key Passphrase Serial number MAC address
Passphrase
A company needs to implement stronger authentication by adding an authentication factor to their wireless system. The wireless system only supports WPA with pre-shared keys, but the back-end authentication system supports EAP and TTLS. What should the network administrator implement? PKI with user authentication 802.1x using EAP with MSCHAPv2 WPA2 with a complex shared key MAC address filtering with IP filtering
802.1x using EAP with MSCHAPv2
Which of the following terms refers to a denial-of-service (DoS) attack that places more of a burden on the target server than that of the flood of incoming traffic? Amplified Reflective Distributed Permanent
Amplified An amplified DoS attack is one in which the messages sent by the attacker require an extended amount of processing by the target servers, increasing the burden on them more than simpler messages would.
Which of the following statements best describes a type of replay attack? A type of attack in which an intruder reenters a resource previously compromised by another intruder A type of attack in which an intruder retransmits captured authentication packets to gain access to a secured resource A type of attack in which an intruder uses the same technique that provided access to other resources to penetrate a new resource A type of attack in which an intruder accesses a resource that was accidentally left unsecured by an authorized user
A type of attack in which an intruder retransmits captured authentication packets to gain access to a secured resource
Which of the following are not means of detecting intruders in a network datacenter? (Choose all correct answers.) Motion detection Video surveillance Biometrics Smartcards
Biometrics Smartcards Biometrics and smartcards are both means of preventing intrusions, whereas motion detection and video surveillance are mechanisms for detecting them.
A user attempting to connect to a Wi-Fi hotspot in a coffee shop is taken to a web page that requires her to accept an End User License Agreement before access to the network is granted. Which of the following is the term for such an arrangement? Captive portal Ransomware Port security Root guard
Captive portal
Which of the following steps can help to prevent war driving attacks from compromising your wireless network? (Choose all correct answers.) Configure your access point to use a longer SSID. Configure your access point not to broadcast its SSID. Configure your clients and access point to use WPA2 security. Configure your clients and access point to use WEP security.
Configure your access point not to broadcast its SSID. Configure your clients and access point to use WPA2 security.
Which of the following types of mitigation techniques is not applicable to servers? Role separation Applying ACLs File integrity monitoring DHCP snooping
DHCP snooping DHCP snooping is a feature found in some network switches that prevents rogue DHCP servers from assigning IP addresses to clients. It can also detect when DHCP release or decline messages arrive over a port other than the one on which the DHCP transaction originated. The other options are all techniques that are applicable to servers.
Which of the following is the term for a network segment that is separated from the internal network by a firewall and exposed to the Internet? AES Honeynet DMZ VLAN
DMZ
Which of the following are elements you can use to segment a network? (Choose all correct answers.) RADIUS DMZ VLAN LDAP
DMZ VLAN
Metaphorically speaking, which of the following terms best describes the function of honeypots and honeynets? Attack Key Roadblock Detour
Detour
The network administrator noticed that the border router has high network capacity loading during non-working hours. This load is causing web services outages. Which of the following is the MOST likely cause of the issue? Evil twin Session hijacking Distributed DoS ARP cache poisoning
Distributed DoS
A NAC service has discovered a virus on a client's laptop. What location should the NAC service put the laptop in? DMZ network Sandbox network Honeypot Quarantine network
Quarantine network Network Access Control (NAC) is an approach to computer security that attempts to unify endpoint security technology (such as antivirus, host intrusion prevention, and vulnerability assessment), the user or system authentication, and network security enforcement. When NAC detects an issue with a client, it places them in a quarantine network.
Upgrading a wireless network from the Wired Equivalent Privacy (WEP) security protocol to Wi-Fi Protected Access (WPA) enables it to use the Temporal Key Integrity Protocol (TKIP) for encryption, which generates a unique key for each packet. Which of the following types of attacks does this capability prevent? Denial-of-service attacks Brute-force attacks Replay attacks Deauthentication attacks
Replay attacks
Which of the following is not an element of risk management? Security controls Security procedures Secure infrastructure from threats Security policies
Secure infrastructure from threats While it is important to secure a network's infrastructure, it is not an element of risk management. Among other things, risk management includes creating and following security policies, security controls, and security procedures.
What benefit does network segmentation provide? Security through isolation Link aggregation Packet flooding through all ports High availability through redundancy
Security through isolation
Sarah connects a pair of switches using redundant links. When she checks the links' status, one of them is not active, even when she changes ports. What MOST likely disabled the redundant connection to the other switch? Spanning Tree IGRP routing SSID mismatch Port Mirroring
Spanning Tree The purpose of the spanning tree is to verify no loops exist in the network. If something isn't working, the switch may be detecting a loop in the redundant connections.
Which of the following attack types typically involve modifying network packets while they are in transit? (Choose all correct answers.) Spoofing Denial of service Man in the middle Logic bomb
Spoofing, Man in the middle Spoofing is the process of modifying network packets to make them appear as though they are transmitted by or addressed to someone else. One way of doing this is to modify the MAC address in the packets to one that is approved by the MAC filter. A man-in-the-middle attack is one in which an attacker intercepts network traffic, reads the traffic, and can even modify it before sending it on to the destination.
A firewall that checks out all the incoming traffic and decides if the traffic is going to be allowed or filtered out is an example of which of the following? Stateful inspecting Content filtering Packet filtering Packet sniffing
Stateful inspecting Packet sniffing is not a feature of a firewall as much as it is a feature on packet analyzers such as Wireshark. Packet filtering is basically what a firewall does. It's not a type of firewall. It's like saying "high-speed RAM." Content filtering is the ability to keep or discard specific types of transmission. It operates higher in the OSI model and doesn't concern itself with IP addresses and ports.
Which of the following are types of firewalls? Statement Deep state Stateless Stateful
Stateless Stateful
Which of the following statements best describes the primary scenario for the use of TACACS+? TACACS+ was designed to provide authentication, authorization, and accounting services for wireless networks. TACACS+ was designed to provide authentication, authorization, and accounting services for the Active Directory directory service. TACACS+ was designed to provide authentication, authorization, and accounting services for remote dial-up users. TACACS+ was designed to provide authentication, authorization, and accounting services for network routers and switches.
TACACS+ was designed to provide authentication, authorization, and accounting services for network routers and switches. Terminal Access Controller Access Control System Plus (TACACS+) is a protocol designed to provide AAA services for networks with many routers and switches, enabling administrators to access them with a single set of credentials. It was not designed to provide AAA services for wireless networks, Active Directory, or remote dial-in users.
Which of the following encryption ciphers was replaced by CCMP-AES when the WPA2 wireless security protocol was introduced? EAP WEP TKIP CCMP
TKIP
Which of the following encryption protocols was introduced in the Wi-Fi Protected Access (WPA) wireless security standard? CCMP-AES TKIP-RC4 EAP-TLS TACACS+
TKIP-RC4
In an 802.1X transaction, what is the function of the supplicant? The supplicant is the service that issues certificates to clients attempting to connect to the network. The supplicant is the service that verifies the credentials of the client attempting to access the network. The supplicant is the network device to which the client is attempting to connect. The supplicant is the client user or computer attempting to connect to the network.
The supplicant is the client user or computer attempting to connect to the network.
Which of the following is not an element that is exclusive to Mobile NAC? Captive Portal Geofencing Onboarding Two-factor authentication
Two-factor authentication Two-factor authentication is generic and can apply to a standalone system as well as a network. Onboarding, captive portals, and geofencing are all elements of Network Access Control (NAC) and Moblie NAC.
For which of the following reasons is disabling the SSID broadcast of a wireless network to prevent unauthorized access a relatively weak method of device hardening? Attackers have ways of connecting to the network without the SSID. Attackers can capture packets transmitted over the network and read the SSID from them. Every access point's SSID is printed on a label on the back of the device. Attackers have software that can easily guess a network's SSID
Attackers can capture packets transmitted over the network and read the SSID from them.
Which of the following statements about authentication auditing are not true? Auditing can disclose attempts to compromise passwords. Auditing can detect authentications that occur after hours. Auditing can identify the guess patterns used by password cracking software. Auditing can record unsuccessful as well as successful authentications.
Auditing can identify the guess patterns used by password cracking software. Auditing does not record the passwords specified during authentications, so it cannot identify patterns of unsuccessful guesses.
EAP and 802.1X are components that help to provide which of the following areas of wireless network security? Authentication Authorization Encryption Accounting
Authentication
When a user supplies a password to log on to a server, which of the following actions is the user performing? Authentication Authorization Accounting Auditing
Authentication
When a user swipes a smartcard through a reader to log on to a laptop computer, which of the following actions is the user performing? Authentication Authorization Accounting Auditing
Authentication
Which of the following terms refers to the process of confirming a user's identity by checking specific credentials? Authentication Accounting Authorization Access control
Authentication
Which of the following services are provided by access control lists (ACLs)? Authentication Authorization Accounting Auditing
Authorization
Which of the following terms refers to the process of determining whether a user is a member of a group that provides access to a particular network resource? Authentication Accounting Authorization Access control
Authorization Authorization is the process of determining what resources a user can access on a network. Typically, this is done by assessing the user's group memberships. Accounting is the process of tracking a user's network activity. Access control is the creation of permissions that provide users and groups with specific types of access to a resource.
Which of the following security procedures is often tied to group membership? Authentication Authorization Accounting Auditing
Authorization In many instances, the authorization process is based on the groups to which a user belongs.
Which statements are true about access control? Authentication requires two factors Authorization is granted to administrator accounts Authorization determines how much access a user has to a system Authentication governs who accesses a system
Authorization determines how much access a user has to a system Authentication governs who accesses a system
Which of the following is not one of the roles involved in an 802.1X transaction? Supplicant Authentication server Authorizing agent Authenticator
Authorizing agent An 802.1X transaction involves three parties: the supplicant, which is the client attempting to connect to the network; the authenticator, which is a switch or access point to which the supplicant is requesting access; and the authentication server, which is typically a RADIUS implementation that verifies the supplicant's identity. There is no party to the transaction called an authorizing agent.
Which of the following did the second version of the Wi-Fi Protected Access (WPA) protocol add to the standard? CCMP-AES MIMO WEP TKIP
CCMP-AES
Which of the following elements associates a public and private key pair to the identity of a specific person or computer? Exploit Signature Certificate Resource record
Certificate As part of a public key infrastructure (PKI), digital certificates are associated with a key pair, consisting of a public key and a private key. The certificate is issued to a person or computer as proof of its identity.
Doug was troubleshooting in a wiring closet in 2013. The cabling diagrams and documents are five years old and have little resemblance to what Doug sees. What configuration management process has fallen behind? System logs Asset management Baselining Change management
Change management Asset management is concerned with the disposition of equipment.
Which of the following statements about a public key infrastructure (PKI) are true? (Choose all correct answers.) Data encrypted with the public key can only be decrypted using that public key. Data encrypted with the private key can only be decrypted using that private key. Data encrypted with the public key can only be decrypted using the private key. Data encrypted with the private key can only be decrypted using the public key.
Data encrypted with the public key can only be decrypted using the private key. Data encrypted with the private key can only be decrypted using the public key.
At which layer of the OSI reference model does DHCP snooping operate? Data link Network Transport Application
Data link Although DHCP is an application layer service, which uses the UDP transport layer protocol to assign network layer IP addresses, DHCP snooping is a data link layer process in which a network switch examines incoming DHCP traffic to determine whether it originates from an authorized server and is arriving over the correct port.
Which of the following is not a method for hardening a wireless access point? Upgrading firmware Changing default credentials Generating new keys Deauthentication
Deauthentication Deauthentication is a type of denial-of-service attack in which the attacker targets a wireless client by sending a deauthentication frame that causes the client to be disconnected from the network.
Which of the following attack types are specifically targeted at wireless network clients? (Choose all correct answers.) Logic bomb Deauthentication Evil twin ARP poisoning
Deauthentication Evil twin Deauthentication is a type of denial-of-service (DoS) attack in which the attacker targets a wireless client by sending a deauthentication frame that causes the client to be disconnected from the network. The object of the attack is often to compel the client to connect to a rogue access point called an evil twin. ARP poisoning is the deliberate insertion of fraudulent information into the ARP cache stored on computers and switches.
Which of the following terms describes the process by which a client user or computer requests that it be issued a certificate, either manually or automatically? Authorization Enrollment Authentication Certification
Enrollment Enrollment is the process by which a client submits a request for a certificate from a certification authority (CA). The enrollment process can be automated and invisible to the user, or it can be a manual request generated using an application.
An outside organization has completed a penetration test for a company. One of the items on the report is reflecting the ability to read SSL traffic from the web server. What is the MOST likely mitigation for this reported item? Ensure patches are deployed Install an IDS on the network Configure the firewall to block traffic on port 443 Implement a VPN for employees
Ensure patches are deployed A patch is designed to correct a known bug or fix a known vulnerability, such as in this case to be able to read SSL traffic, in a piece of software.
A company has a secondary datacenter in a remote location. The data center staff handles cable management and power management. The building's security is also handled by the data center staff with little oversight from the company. Which of the following should the technician do to follow the best practices? Secure the patch panels Ensure power monitoring is enabled Ensure rack security is performed Secure the UPS units
Ensure rack security is performed By ensuring rack security is performed, the staff would have locks, RFID card locks, and swing handles installed. This provides an extra layer of physical security to the servers, which is considered a best practice.
Which of the following are characteristics of an enterprise wireless network? Enterprise WAPs with a common SSID work cooperatively All WAPs are managed and configured with a single utility WAPs are managed by a wireless controller Each WAP must have a unique SSID
Enterprise WAPs with a common SSID work cooperatively All WAPs are managed and configured with a single utility WAPs are managed by a wireless controller
Which of the following attack types are specifically directed at wireless networks? (Choose all correct answers.) Evil twin Phishing Deauthentication War driving
Evil twin Deauthentication War driving
Video surveillance of sensitive areas, such as datacenters, can prevent which of the following types of attacks? (Choose all correct answers.) Social engineering Evil twin Brute force Insider threats
Evil twin Insider threats
A user is receiving certificate errors in other languages within their web browser when accessing your company's website. Which of the following is the MOST likely cause of this issue? DoS Reflective DNS Man-in-the-middle ARP poisoning
Man-in-the-middle A man-in-the-middle attack is a general term when a perpetrator positions himself in a conversation between a user and an application, either to eavesdrop or to impersonate one of the parties, making it appear as if a normal exchange of information is occurring. For example, if your user and server are both in the United States (English language), the attacker performing the MITM is from Russia. The user may see a certificate error in Russian instead of English.
You want to install a perimeter device on the network that will help ensure FTP commands are not being sent out over port 25. Which of the following devices would allow for deep packet inspection to catch this type of activity? Layer 7 firewall Web proxy Layer 3 switch Protocol analyzer
Layer 7 firewall Layer 7 firewalls are application-filtering firewalls. FTP traffic does not usually travel over port 25 and should travel over port 21. Using a Layer 7 firewall, the device can perform a deep packet inspection (DPI) to identify which application or protocol is actually being used to send traffic over a given port.
Alice is a consultant working in your office, who has been given the SSID and the passphrase for the company's wireless network, but she is unable to connect with her laptop. Which of the following security measures might be preventing her from connecting? MAC filtering Disabling SSID broadcast Geofencing Using WPA2
MAC filtering
Which of the following attack types can be facilitated by ARP poisoning? (Choose all correct answers.) Evil twin Man in the middle Session hijacking Social engineering
Man in the middle Session hijacking
Which of the following best describes the process of whitelisting on a wireless network? Using an access control list to specify the IP addresses that are permitted to access a wireless network Using port protection to specify the well-known port numbers of applications that users are permitted to run over a wireless network Using MAC filtering to create a list of devices that are permitted to access a wireless network Using an AAA server to create a list of users that are permitted to access a wireless network
Using MAC filtering to create a list of devices that are permitted to access a wireless network
Which of the following types of attacks are rarely seen anymore because of changes in device design that were specifically designed to prevent them? (Choose all correct answers.) VLAN hopping Logic bomb Phishing Smurf
VLAN hopping Smurf Smurf attacks rely on routers to forward broadcast traffic. Routers no longer forward broadcast messages, so smurf attacks have been rendered ineffective. In the same way, VLAN hopping, which is a method for sending commands to switches to transfer a port from one VLAN to another, is rarely seen because switches are now designed to prevent them.
In which of the following ways is VLAN hopping a potential threat? VLAN hopping enables an attacker to scramble a switch's patch panel connections. VLAN hopping enables an attacker to rename the default VLAN on a switch. VLAN hopping enables an attacker to access different VLANs using 802.1q spoofing. VLAN hopping enables an attacker to change the native VLAN on a switch.
VLAN hopping enables an attacker to access different VLANs using 802.1q spoofing.
Which of the following are network segmentation methods that can prevent intruders from gaining full access to a network? (Choose all correct answers.) ACL VLAN NAC DMZ
VLAN, DMZ
Which of the following security measures can monitor the specific activities of authorized individuals within sensitive areas? Video surveillance Identification badges Key fobs Motion detection
Video surveillance
Which of the following types of physical security is most likely to detect an insider threat? Smartcards Motion detection Video surveillance Biometrics
Video surveillance An insider threat by definition originates with an authorized user. Smartcards, motion detection, and biometrics will only detect the presence of someone who is authorized to enter sensitive areas. Video surveillance, however, can track the activities of anyone, authorized or not.
Preparation for incidents is a multifaceted process that includes which tasks? Statement of work Service-level agreement Vulnerability scanning Penetration testing
Vulnerability scanning Penetration testing
Which of the following was the first wireless LAN security protocol to come into common usage? WEP WPA WPA2 TKIP
WEP
Which of the following wireless LAN security protocols was rendered obsolete after it was found to be extremely easy to penetrate? WEP WPA WPA2 EAP
WEP
Which of the following wireless security protocols was substantially weakened by its initialization vector? WPA WEP WPA2 PEAP
WEP
Which of the following wireless network security protocols provides open and shared key authentication options? WPA WEP WPA2 EAP
WEP Wired Equivalent Privacy (WEP), which was one of the first commercially successful security protocols for wireless LANs, enabled administrators to choose between open and shared key authentication. The open option enabled clients to connect to the network with an incorrect key. The shared option required the correct key, but it also exposed the key to potential intruders. The correct option is not to use WEP at all
Which of the following wireless security protocols uses TKIP for encryption? WEP WPA WPA2 AES
WPA
The administrator would like to use the strongest encryption level possible using PSK without utilizing an additional authentication server. What encryption type should be implemented? WPA2 Enterprise WEP MAC filtering WPA personal
WPA personal Since he wishes to use a pre-shared key and not require an authentication server, WPA personal is the most secure choice. If WPA2 Personal were an option, it would be more secure, though. WPA2 Enterprise is incorrect since the requirement was for a PSK, whereas WPA2 Enterprise requires a RADIUS authentication server to be used.
Which of the following forms of the Wi-Fi Protected Access (WPA) and WPA2 protocols require a RADIUS server? (Choose all correct answers.) WPA-Personal WPA-PSK WPA-Enterprise WPA-802.1X
WPA-Enterprise WPA-802.1X WPA-Enterprise, also known as WPA-802.1X, can use the Extensible Authentication Protocol (EAP) to support various types of authentication factors and requires a Remote Authentication Dial-In User Service (RADIUS) server. WPA-Personal, also known as WPA-PSK (preshared key), is intended for small networks and does not require RADIUS.
Which of the following forms of the Wi-Fi Protected Access (WPA) and WPA2 protocols call for the use of a preshared key? WPA-Personal WPA-Enterprise WPA-EAP WPA-802.1X
WPA-Personal WPA-Personal, also known as WPA-PSK, is intended for small networks
Which of the following wireless security protocols provides the greatest degree of network device hardening? WEP WPA WPA2 EAP
WPA2
Which of the following wireless security protocols uses CCMP for encryption? WEP WPA WPA2 802.1X
WPA2
You are setting up a wireless LAN in a friend's home, using devices that conform to the IEEE 802.11g standard. You have installed and successfully tested the devices on an open network, and now you are ready to add security. Which of the following protocols should you choose to provide maximum security for the wireless network? WEP WPA2 IPsec TLS L2TP
WPA2
Which choice is not a typical Wi-Fi problem? WPS failure Wrong WAP password Interference WAP configuration has changed
WPS failure
On the fence outside your home, you happen to notice a small sticker that has the SSID of your wireless network written on it, along with the name of the security protocol your network is using. To which of the following attacks have you been made a victim? War driving War chalking War tagging War signing
War chalking
MAC filtering is an access control method used by which of the following types of hardware devices? Wireless access point RADIUS server Domain controller Smartcards
Wireless access point
Which of the following devices are likely to have default credentials configured into them that attackers might know? (Choose all correct answers.) Wireless access points Windows servers Switches Routers
Wireless access points Switches Routers
Which of the following standards is most commonly used to define the format of digital certificates? 802.1X X.509 802.1q X.500
X.509 X.500, another standard published by the ITU-T, defines functions of directory services.
A network technician is tasked with designing a firewall to improve security for an existing FTP server on the company network and is accessible from the Internet. The security personnel are concerned that the FTP server is compromised and is possibly being used to attack other company servers. What is the BEST way to mitigate this risk? Add an outbound ACL to the firewall Change the FTP server to a more secure SFTP Use the implicit deny of the firewall Move the server to the company's DMZ
Move the server to the company's DMZ
A network technician is responsible for the basic security of the network. Management has asked if there is a way to improve the level of access users have to the company file server. Right now, any employee can upload and download files with basic system authentication (username and password). What should he configure to increase security? Kerberos authentication MDS authentication Multi-factor authentication Single sign-on authentication
Multi-factor authentication This security approach provides a defense layer that makes it difficult for unauthorized users to break into a system. It provides multiple factors that a user must know to obtain access. For instance, if one factor is successfully broken, there will be few others that the individual attempting to enter the system must overcome.
Which of the following terms describes a system that prevents computers from logging on to a network unless they have the latest updates and antimalware software installed? NAC LDAP RADIUS TKIP-RC4
NAC Network Access Control is a mechanism that defines standards of equipment and configuration that systems must meet before they can connect to the network.
Which of the following Extended Authentication Protocol (EAP) variants utilize tunneling to provide security for the authentication process? (Choose all correct answers.) PEAP EAP-FAST EAP-TLS EAP-PSK
PEAP EAP-FAST Protected Extended Authentication Protocol (PEAP) encapsulates EAP inside a Transport Layer Security (TLS) tunnel. Flexible Authentication via Secure Tunneling (FAST) also establishes a TLS tunnel to protect user credential transmissions. EAP-TLS uses TLS for encryption, but not for tunneling. EAP-PSK uses a preshared key to provide an authentication process that does not use encryption.
In addition to EAP-TLS, which of the following are also Extensible Authentication Protocol (EAP) variants that use the Transport Layer Security (TLS) protocol? PEAP EAP-PWD EAP-MD5 EAP-FAST
PEAP, EAP-FAST
Which of the following is not a core tenet of securing IP networks? Confidentiality Availability Integrity Performance
Performance Performance is important to IP networks but is not a core tenet of securing the network. The "CIA" of security is comprised of confidentiality, integrity, and availability.
A company has just installed a VoIP system on their network. Prior to the installation, all of the switches were upgraded to layer 3 capable in order to more adequately route packets. What network segmentation technique is this an example of? Compliance implementation Separate public/private networking Honeypot implementation Performance optimization
Performance optimization Voice over Internet Protocol (VoIP) performance optimization can help a business improve the quality of its video and audio communications over the Internet by tending to such issues as transport and protocol conversion, as well as mitigation.
Which of the following terms refers to a denial-of-service (DoS) attack in which an attacker breaks into a company's datacenter and smashes its servers with a sledgehammer? Amplified Reflective Distributed Permanent
Permanent
Which of the following blocks IP packets using any port other than the ones prescribed by the system administrator? Encryption Hiding IP addresses Port filtering Packet filtering
Port filtering Packet filtering enables administrators to filter packets by IP addresses.
A network technician must allow HTTP traffic from the Internet over port 80 to an internal server running HTTP over port 81. Which of the following is this an example of? Dynamic DNS VPN Dynamic NAT Port forwarding
Port forwarding Port forwarding is an application of network address translation (NAT) that redirects a communication request from one address and port number combination to another while the packets are traversing a network gateway, such as a router or firewall.
What does posture assessment do? Posture assessment is a Cisco process that queries a host to see if it meets certain security criteria. Posture assessment is an IT process that checks the biophysical layout of network resources such as chairs and keyboard locations to ensure maximum user wellness and productivity. Posture assessment sends all hosts to a quarantine network until their security credentials can be established.
Posture assessment is a Cisco process that queries a host to see if it meets certain security criteria.
What is the BEST way to secure the most vulnerable attack vector for a network? Update all antivirus definitions on workstations and servers Use biometrics and SSO for authentication Remove unneeded services running on the servers Provide end-user awareness training for office staff
Provide end-user awareness training for office staff Users are our most vulnerable attack vector; proper training can help reduce the risk.
An outside technician notices that a SOHO employee who is logged into the company VPN has an unexpected source IP address. What is the employee MOST likely using? Proxy server Least Cost Routing IPv6 VPN Concentrator
Proxy server Proxy servers are just different computers that serve as a hub where Internet requests are processed. When you are connected to a proxy, your computer sends a request to that server and then returns your answers to the proxy server before forwarding the data to the requesting computer.
Your company has just installed a new web server that will allow inbound connections over port 80 from the internet while not being able to accept any connections from the internal network. You have been asked where to place the web server in the network architecture and how to configure the ACL rule to support the requirements. The current network architecture is segmented using a firewall to create the following three zones: ZONE INTERFACE IP address PUBLIC eth0 66.13.24.16/30 DMZ eth1 172.16.1.1/24 PRIVATE eth2 192.168.1.1/24 Based on the requirements and current network architecture above, what is the BEST recommendation? Put the server in the DMZ with an inbound rule from eth1 to eth0 that allows port 80 traffic to the server's IP Put the server in the PUBLIC zone with an inbound rule from eth0 to eth1 that allows port 80 traffic to the server's IP Put the server in the DMZ with an inbound rule from eth0 to eth1 that allows port 80 traffic to the server's IP Put the server in the PRIVATE zone with an inbound rule from eth0 to eth1 that allows port 80 traffic to the server's IP
Put the server in the DMZ with an inbound rule from eth0 to eth1 that allows port 80 traffic to the server's IP
Users connecting to an SSID appear to be unable to authenticate to the captive portal. Which of the following is the MOST likely cause of the issue? SSL certificates CSMA/CA RADIUS WPA2 security key
RADIUS Captive portals usually rely on 802.1x, and 802.1x uses RADIUS for authentication.
The corporate network uses a centralized server to manage credentials for all of its network devices. What type of server is MOST likely being used in this configuration? FTP DNS RADIUS Kerberos
RADIUS RADIUS is used to manage credentials for network devices centrally. TACACS is an older username and login system that uses authentication to determine access, while RADIUS combines authorization AND authentication. For this question, either RADIUS or TACACS would be an acceptable answer.
Which of the following standards was originally designed to provide authentication, authorization, and accounting services dial-up network connections? RADIUS TACACS+ Kerberos LDAP
RADIUS Remote Authentication Dial-In User Service (RADIUS) was originally conceived to provide AAA services for Internet Service Providers (ISPs), which at one time ran networks with hundreds of modems providing dial-up access to subscribers. Terminal Access Controller Access Control System Plus (TACACS+) is a protocol that was designed to provide AAA services for networks with many routers and switches but not for dial-up connections.
A company is installing several APs for a new wireless system that requires users to authenticate to the domain. The network technician would like to authenticate to a central point. What solution would be BEST to achieve this? TACACS+ device and RADIUS server TACACS and proxy server RADIUS server and access point RADIUS server and network controller
RADIUS server and access point
Which of the following stream ciphers does the Temporal Key Integrity Protocol (TKIP) use for encryption on a wireless network? RC4 AES CCMP SHA
RC4
When Ralph digitally signs and encrypts a document with his private key, Alice can decrypt the document only by using Ralph's public key. As long as the private key is accepted to be secure, which of the following statements are true? (Choose all correct answers.) Ralph cannot deny having created the document. No one has altered the document since Ralph sent it. No one but Ralph can have created the document. No one but Alice can decrypt and read the document.
Ralph cannot deny having created the document. No one has altered the document since Ralph sent it. No one but Ralph can have created the document.
A user calls the help desk, complaining that he can't access any of the data on his computer. A message has also appeared on his screen stating that his data has been encrypted and that it will only be decrypted after he pays $768 in Bitcoin to an unknown address. Which of the following types of attacks has the user experienced? War driving Ransomware Denial of service ARP poisoning
Ransomware
Which of the following terms refers to a type of denial-of-service (DoS) attack that coerces other servers on the Internet into bombarding a target server with traffic? Amplified Reflective Distributed Permanent
Reflective
Which of the following terms refer to denial-of-service (DoS) attacks that use other computers to flood a target server with traffic? (Choose all correct answers.) Amplified Reflective Distributed Permanent
Reflective Distributed A reflective DoS attack is one in which the attacker sends requests containing the target server's IP address to legitimate servers on the Internet, such as DNS servers, causing them to send a flood of responses to the target.
Which of the following terms describes the threat mitigation technique of deploying individual applications and services on virtual servers so that no more than one is endangered at any one time, rather than deploying multiple applications on a single server? Geofencing Network segmentation Role separation VLAN hopping
Role separation Role separation is the practice of creating a different virtual server for each server role or application. In addition to providing other benefits as well, this forces intruders to mount attacks on multiple servers to disable an entire network. Network segmentation describes the process of creating multiple VLANs or deploying firewalls to isolate part of a network.
A network architect is designing a highly-redundant network with a distance vector routing protocol to prevent routing loops. The architect has configured the routers to advertise failed routes with the addition of an infinite metric. What method should the architect utilize? Route poisoning Spanning tree Split horizon Hold down timers
Route poisoning Route poisoning is a method to prevent a router from sending packets through a route that has become invalid within computer networks.
Which of the following protocols is a root guard designed to affect? EAP STP LDAP ARP
STP Spanning tree determines the root bridge / root switch.Root guard allows you to pick the root. Prevents a rogue root bridge.
Which of the following functions cannot be implemented using digital signatures? Integrity Nonrepudiation Segmentation Authentication
Segmentation
You have installed a new wireless access point on your network and configured it to use an SSID that is not broadcasted and WPA2 for security. Which of the following describes what you must do to configure your wireless clients? Select the SSID from a list and allow the client to automatically detect the security protocol. Select the SSID from a list and then select WPA2 from the security protocol options provided. Type the SSID manually and allow the client to automatically detect the security protocol. Type the SSID manually and then select WPA2 from the security protocol options provided.
Type the SSID manually and then select WPA2 from the security protocol options provided.
Which choice is not a step to perform a man-in-the-middle attack? Capture/manipulate MIM data Configure the attack machine to spoof the two communicators Insert an attack machine between the communicators Typosquat the DNS
Typosquat the DNS Typosquat the DNS is an invalid mix of two man-in-the-middle types of attacks. Typosquatting is to simply create an Internet resource, such as a website, that is a mis-spelling of a "real" website. DNS poisoning is a method to redirect calls to legitimate resources to go to malicious sites.
Which of the following cannot be considered to be a server hardening policy? Disabling unnecessary services Disabling unused TCP and UDP ports Upgrading firmware Creating privileged user accounts
Upgrading firmware Upgrading the UEFI or BIOS firmware on a server typically does not enhance its security, so it cannot be considered a form of server hardening.
One of the basic principles of network device hardening is to use secure protocols. Which of the following suggestions comply with this principle? (Choose all correct answers.) Use SSH instead of Telnet. Use WEP instead of WPA2. Use TKIP instead of AES. Use HTTPS instead of HTTP.
Use SSH instead of Telnet. Use HTTPS instead of HTTP.
Which of the following is the BEST way to regularly prevent different security threats from occurring within your network? Disaster recovery planning User training and awareness Penetration testing Business continuity training
User training and awareness Users are the biggest vulnerability on your network. Therefore, increasing user training can decrease the number of security threats that are realized on your networks. According to industry best practices, you should conduct end user security awareness training at least annually (if not more frequently).
Users must do their part to maintain network security. How can users know how to reduce risk factors? IT management should provide complete, transparent risk protection to all user and network assets. Users should be trained in risk mitigation. Common sense provides enough risk management. Users should perform regular pentest on their workstations.
Users should be trained in risk mitigation.
Which of the following is not a characteristic of a smurf attack? Uses the Internet Control Message Protocol Uses broadcast transmissions Uses spoofed IP addresses Uses a botnet to bombard the target with traffic Uses the same type of messages as ping
Uses a botnet to bombard the target with traffic
Which of the following is the service responsible for issuing certificates to client users and computers? DNS AAA CA ACL
CA
Which of the following types of key is included in a digital certificate? Public Private Preshared Privileged
Public
Which of the following are standards that define combined authentication, authorization, and accounting (AAA) services? (Choose all correct answers.) 802.1X RADIUS TACACS+ LDAP
RADIUS TACACS+
What access control model will a network switch utilize if it requires multilayer switches to use authentication via RADIUS/TACACS+? 802.1q 802.3af PKI 802.1x
802.1x 802.1x is the standard that is used for network authentication with RADIUS and TACACS+.
Which of the following IEEE standards describes an implementation of port-based access control for wireless networks? 802.11ac 802.11n 802.1X 802.3x
802.1X
Which of the following is an implementation of Network Access Control (NAC)? RADIUS 802.1X LDAP TACACS+
802.1X NAC is a set of policies that define security requirements that clients must meet before they are permitted to connect to a network. 802.1X is a basic implementation of NAC.
What is used to authenticate remote workers who connect from offsite? 802.1x Virtual PBX VTP trunking OSPF
802.1x
In the hacker subculture, which of the following statements best describes a zombie? A computer that is remotely controllable because it has been infected by malware A computer that is no longer functioning because it is the target of a denial-of-service (DoS) attack A user that has fallen victim to a phishing attack A program that attackers use to penetrate passwords using brute-force attacks
A computer that is remotely controllable because it has been infected by malware
Which of the following statements best describes asymmetric key encryption? A cryptographic security mechanism that uses the same key for both encryption and decryption A cryptographic security mechanism that uses public and private keys to encrypt and decrypt data A cryptographic security mechanism that uses two separate sets of public and private keys to encrypt and decrypt data A cryptographic security mechanism that uses separate private keys to encrypt and decrypt data
A cryptographic security mechanism that uses public and private keys to encrypt and decrypt data
Which of the following statements best describes the difference between distributed and reflective denial-of-service (DoS) attacks? A distributed DoS attack uses other computers to flood a target server with traffic, whereas a reflective DoS attack causes a server to flood itself with loopback messages. A distributed DoS attack uses malware-infected computers to flood a target, whereas a reflective DoS attack takes advantage of other servers' native functions to make them flood a target. A reflective DoS attack uses malware-infected computers to flood a target, whereas a distributed DoS attack takes advantage of other servers' native functions to make them flood a target. A distributed DoS attack floods multiple target computers with traffic, whereas a reflective DoS attack only floods a single target.
A distributed DoS attack uses malware-infected computers to flood a target, whereas a reflective DoS attack takes advantage of other servers' native functions to make them flood a target. Distributed DoS attacks use hundreds or thousands of computers that have been infected with malware, called zombies, to flood a target server with traffic, in an attempt to overwhelm it and prevent it from functioning. A reflective DoS attack is one in which the attacker sends requests containing the target server's IP address to legitimate servers on the Internet, such as DNS servers, causing them to send a flood of responses to the target.
A network engineer has been tasked with designing a network for a new branch office with approximately 50 network devices. This branch office will connect to the other offices via a MAN. Many of the other branch offices use off-the-shelf SOHO equipment. It is a requirement that the routing protocol chosen use the least amount of overhead. Additionally, all the computers on the network will be part of a single VLAN. The connection between these computers should produce the highest throughput possible in the most cost-effective manner. What devices would be MOST appropriate? A router should be used as a gateway device, with RIPv2 as the routing protocol. The computers should be connected with a Gigabit Layer 2 switch. A UTM should be used as a gateway device, with BGP as the routing protocol. The computers should be connected using the 1 Gb Fibre Channel. A router should be used as a gateway device, with EIGRP as the routing protocol. The computers should be connected using a single 802.11n MIMO access point. A router should be used as a gateway device, with OSPF as the routing protocol. The computers should be connected using a Gigabit Layer 3 switch.
A router should be used as a gateway device, with RIPv2 as the routing protocol. The computers should be connected with a Gigabit Layer 2 switch. A Gigabit Layer 2 switch is the cheapest switching solution offering 1 Gbps network connectivity between the computers. RIPv2 has a lower overhead as outlined in the requirements.
A home user reports to a network technician that the Internet is slow. The network administrator discovers that multiple unknown devices are connected to the access point. What is MOST likely the cause? An evil twin has been implemented A successful WPS attack has occurred The user is experiencing ARP poisoning The user is connected to a botnet
A successful WPS attack has occurred Successful WPS attacks happen when the default username/password etc. has not been changed or reconfigured on the router. If your default username/password hasn't been changed, anybody can get into the settings and open the network. This is why additional unknown devices are on the network.
Which of the following statements is true when a biometric authentication procedure results in a false positive? A user who should be authorized is denied access. A user who should not be authorized is denied access. A user who should be authorized is granted access. A user who should not be authorized is granted access.
A user who should not be authorized is granted access.
Which of the following statements best describes the difference between an exploit and a vulnerability? An exploit is a potential weakness in software and a vulnerability is a potential weakness in hardware. A vulnerability is a potential weakness in a system and an exploit is a hardware or software element that is designed to take advantage of a vulnerability. An exploit is a potential weakness in a system and a vulnerability is a hardware or software element that is designed to take advantage of a vulnerability. A vulnerability is a potential weakness in software and an exploit is a potential weakness in hardware.
A vulnerability is a potential weakness in a system and an exploit is a hardware or software element that is designed to take advantage of a vulnerability.
Which of the following best describes an example of a captive portal? A switch port used to connect to other switches A web page with which a user must interact before being granted access to a wireless network A series of two doors through which people must pass before they can enter a secured space A web page stating that the user's computer has been locked and will only be unlocked after payment of a fee
A web page with which a user must interact before being granted access to a wireless network
Which of the following tools are needed by an individual performing a war driving attack? (Choose all correct answers.) A stolen credit card number A wireless-equipped computer or other device A screwdriver An automobile or other vehicle A telephone
A wireless-equipped computer or other device An automobile or other vehicle A telephone is not required.
CCMP is based on which of the following encryption standards? TKIP RC4 AES 802.1X
AES
Which of the following protocols provides wireless networks with the strongest encryption? AES TKIP EAP 802.1X
AES
Which choices are examples of symmetric encryption? AES RC4 DES ECC PGP
AES RC4 DES
A disgruntled employee executes a man-in-the-middle attack on the company network. Layer 2 traffic destined for the gateway is redirected to the employee's computer. What type of attack is this an example of? ARP cache poisoning IP spoofing Amplified DNS attack Evil twin
ARP cache poisoning
Rick is upset that he was passed over for a promotion. He decides to take revenge on his nemesis, Mary, who got the job instead of him. Rick sets up a man-in-the-middle attack against Mary's computer by redirecting any layer 2 traffic destined for the gateway to his own computer first. Rick is careful to only affect the traffic associated with Mary's computer and not the entire network. Which type of man-in-the-middle attack is Rick conducting against Mary? IP spoofing MAC spoofing ARP cache poisoning Evil twin
ARP cache poisoning Based on the scenario, we can eliminate evil twin (which is focused on wireless access points) and IP spoofing (since this affects layer 3 traffic).
Which of the following are items found in a security policy document? Employee work hours Acceptable use Network use Absence procedures
Acceptable use Network use
Which of the following services are methods of tracking a user's activities on a network? (Choose all correct answers.) Authentication Authorization Accounting Auditing
Accounting Auditing
Which selections provide single sign-on services? Active Directory TACACS+ SAML RADIUS
Active Directory SAML TACACS+ and RADIUS provide authentication and other services but not single sign-on.
You are working at the service desk as a network security technician and just received the following email from an end user who believes a phishing campaign is being attempted. *********************** From: [email protected] To: [email protected] Subject: You won a free iPhone! Dear Susan, You have won a brand new iPhone! Just click the following link to provide your address so we can ship it out to you this afternoon: (http://www.freephone.io:8080/winner.php) *********************** What should you do to prevent any other employees from accessing the link in the email above, while still allowing them access to any other webpages at the domain freephone.io? Add http://www.freephone.io:8080/winner.php to the browser's group policy block list Add DENY TCP http://www.freephone.io ANY EQ 8080 to the firewall ACL Add DENY IP ANY ANY EQ 8080 to the IPS filter Add http://www.freephone.io:8080/winner.php to the load balancer
Add http://www.freephone.io:8080/winner.php to the browser's group policy block list By adding the full URL of the phishing link to the browser's group policy block list (or black hole list), the specific webpage will be blocked from being accessed by the employees while allowing the rest of the freephone.io domain to be access. Now, why not just block the entire domain? Well, maybe the rest of the domain isn't suspect but just this one page is. (For example, maybe someone is using a legitimate site like GitHub to host their phishing campaign, therefore you only want to block their portion of GitHub.)
Which of the following is not one of the functions provided by TACACS+? Authentication Authorization Administration Accounting
Administration
Which of the following are the default administrative user accounts found in Windows and Linux operating systems? (Choose all correct answers.) Administrator root admin Control
Administrator root Control and admin are not privileged user accounts provided with the operating systems.
Which statement is not true of a DMZ? All hosts in a private network should be placed in the DMZ Hosts that are exposed to the public network should be placed in a DMZ A bastion host provides the first level of protection for the DMZ Honeypots and honeynets can be placed in a DMZ to distract attackers
All hosts in a private network should be placed in the DMZ Placing a host in the DMZ exposes it to the public network so it would be inadvisable (downright crazy!) to place all of the internal network hosts in the DMZ.
An 802.11g wireless access point has the following configuration:- AP encryption forced to WPA2-AES mode only- MAC address filtering enabled with the following MAC address in the allow list: 00-a1-29-da-d3-4aWhich is true about the above configuration? Any 802.11b/g compatible client can connect to the wireless network if they support TKIP, the MAC address is 00-a1-29-da-d3-4a, and the encryption key is known by the client. An 802.11n compatible client can connect to the wireless network only if its MAC address is 00-a1-29-da-d3-4a, and the encryption key is known by the client. Any 802.11g compatible client can connect to the wireless network if the encryption key is known by the client. An 802.11a compatible client can connect to the wireless network only if its MAC address is 00-a1-29-da-d3-4a, and the encryption key is known by the client.
An 802.11n compatible client can connect to the wireless network only if its MAC address is 00-a1-29-da-d3-4a, and the encryption key is known by the client. TKIP is not the same as AES, so it would not work. Because MAC filtering is enabled, the client's NIC must have the right MAC address. 802.11a and 802.11g aren't compatible with one another.
Which of the following are not considered to be denial-of-service (DoS) attacks? (Choose all correct answers.) An intruder breaks into a company's datacenter and smashes their web servers with a sledgehammer. An attacker uses the ping command with the -t parameter to send a continuous stream of large ICMP packets to a specific server. An attacker captures the packets transmitted to and from a domain controller to obtain encrypted passwords. An attacker connects a rogue access point to a company's wireless network, using their SSID in the hope of attracting their users.
An attacker captures the packets transmitted to and from a domain controller to obtain encrypted passwords. An attacker connects a rogue access point to a company's wireless network, using their SSID in the hope of attracting their users.
Which of the following best describes the process of penetration testing? Administrators create computers or networks that are alluring targets for intruders. Administrators attempt to access the network from outside using hacker tools. An organization hires an outside consultant to evaluate the security conditions on the network. An organization hires an outside consultant who attempts to compromise the network's security measures.
An organization hires an outside consultant who attempts to compromise the network's security measures.
Your company has just purchased 800 new PCs for a roll-out you are about to make. Of the following choices, which should you update accordingly? Wire schemes Change management Asset management Baselines
Asset management
A new piece of malware is attempting to exfiltrate user data through hiding the traffic and sending it over a TLS-encrypted outbound traffic over random ports. What technology would be able to detect and block this type of traffic? Intrusion detection system Application aware firewall Stateful packet inspection Stateless packet inspection
Application aware firewall A Web Application Firewall (WAF) or Application Aware Firewall would be able to detect both the accessing of random ports and TLS encryption, and could identify it as suspicious, whereas Stateless would inspect port number being used by the traffic leaving. IDS only analyzes incoming traffic, therefore would not be able to see this activity as suspicious.
The organization should upgrade to what technology to prevent unauthorized traffic from traversing the firewall? HTTPS Stateless packet inspection Intrusion detection system Application-aware firewall
Application-aware firewall Application-aware firewall can analyze and verify protocols all the way up to layer 7 of the OSI reference model. It has the advantage to be aware of the details at the application layer. Since we desired to allow HTTP traffic, we must deal with the traffic at the application layer. This will prevent an attacker from sending SSH traffic over port 80, for example. By using an application-aware firewall, only HTTP traffic will be allowed over port 80.
Which of the following features helps to protect network switches from attacks related to the Spanning Tree Protocol (STP)? (Choose all correct answers.) BPDU guard Root guard DHCP snooping Geofencing
BPDU guard Root guard Bridging Protocol Data Units (BPDUs) are messages that switches running the Spanning Tree Protocol exchange to learn about the available paths through a switched network and the states of other switches. Switches should only receive BPDUs through ports that are connected to other switches. BPDU guard is a feature that prevents BPDU messages from arriving through ports connected to end systems, such as computers, thus preventing an attacker from manipulating the STP topology. A root guard affects the behavior of the Spanning Tree Protocol (STP) by enforcing the selection of root bridge ports on a switched network. Without root guards, there is no way for administrators to enforce the topology of a network with a redundant switching fabric.
What is the quickest and easiest technology available to keep servers and equipment up and running? Business continuity plan Disaster recovery plan Battery backup/UPS RAID array
Battery backup/UPS RAID arrays are great to keep things running, but if the power goes out, they are not available. A disaster recovery plan is for dealing with a situation where the system is already down. A business continuity plan is for dealing with a situation where the system is already down.
When a switch has multiple paths to reach the root bridge, what state is the port with the LEAST desirable path placed by the spanning tree protocol? Forwarding Bonding Blocking Listening
Blocking STP port states -Blocking. Not forwarding to prevent a loop. -Listening. Not forwarding and cleaning the MAC table. -Learning. Not forwarding and adding to the MAC table. -Forwarding. Data passes through and is fully operational. -Disabled. Administrator has turned off the port.
Which of the following is the name for an attack in which an intruder uses a Bluetooth connection to steal information from a wireless device, such as a smart phone? Bluedogging Bluesnarfing Bluesmurfing Bluejacking
Bluesnarfing Bluesnarfing is an attack in which an intruder connects to a wireless device using Bluetooth, for the purpose of stealing information. Bluejacking is the process of sending unsolicited messages to a device using Bluetooth. The other options do not exist.
Which of the following statements about RADIUS and TACACS+ are correct? By default, RADIUS uses UDP, and TACACS+ uses TCP. By default, RADIUS uses TCP, and TACACS+ uses UDP. By default, both RADIUS and TACACS+ use TCP. By default, both RADIUS and TACACS+ use UDP.
By default, RADIUS uses UDP, and TACACS+ uses TCP.
How does MAC address filtering increase the security of a wireless LAN? By preventing access points from broadcasting their presence By allowing traffic sent to or from specific MAC addresses through the Internet firewall By substituting registered MAC addresses for unregistered ones in network packets By permitting only devices with specified MAC addresses to connect to an access point
By permitting only devices with specified MAC addresses to connect to an access point
Which of the following best explains how tagging the native VLAN traffic can improve in-band switch management security? By renaming the default VLAN By preventing double-tagged packets By encrypting in-band management traffic By moving in-band management traffic off the native VLAN
By preventing double-tagged packets
Which of the following statements about DHCP snooping is not true? DHCP snooping detects rogue DHCP servers. DHCP snooping is implemented in network switches. DHCP snooping drops DHCP messages arriving over the incorrect port. DHCP snooping prevents DNS cache poisoning.
DHCP snooping prevents DNS cache poisoning.
You are attempting to troubleshoot an issue between two computers that are both connected to a Layer 2 unmanaged switch. Of the following, which is the BEST way to find out if the switch is the problem? Access the switches configuration screens and set up a log file Attach a loopback plug to the switch and monitor the traffic Check to make sure that 802.1d is enabled on the switch Connect both of the PC's together with a crossover cable
Connect both of the PC's together with a crossover cable You are dealing with an unmanaged switch. There will be no log files to work with on this one. 802.1d is the IEEE name for Spanning Tree Protocol (STP) and is used to prevent switching loops, not for finding problems between two PCs. Attaching a loopback plug to a switch will only waste a perfectly good port on your switch. You can't monitor traffic with it.
Which attack can cause a user's attempts to connect to an Internet website to be diverted to an attacker's website instead? Evil twin ARP poisoning Spoofing DNS poisoning
DNS poisoning ARP poisoning is the deliberate insertion of fraudulent information into the ARP cache stored on computers and switches, which can interfere with the resolution of IP addresses into MAC addresses on a local level. Spoofing is the process of modifying network packets to make them appear as though they are transmitted by or addressed to someone else.
Unauthorized users are connecting to your wireless access point and gaining access to the network. Which of the following is a step you can take to prevent this from happening? (Choose all that apply) Disable SSID broadcasting Use Kerberos for authentication Place the access point in a DMZ Implement MAC address filtering
Disable SSID broadcasting Implement MAC address filtering Disabling SSID broadcasting prevents a wireless network from appearing to clients. The clients must specify the SSID to which they want to connect. MAC address filtering is a form of access control list (ACL) that is maintained in the access point and that contains the addresses of devices that are to be permitted to access the network. Both of these mechanisms make it more difficult for unauthorized devices to connect to the access point. Kerberos is an authentication protocol used by Active Directory, and relocating the access point to a DMZ will not resolve the problem.
Despite having imposed password policies on his network, compelling users to change their passwords frequently, create passwords of a specific length, and use complex passwords, Ralph has had several reports of account penetrations. The victims of the incidents had all apparently shared a "tip" suggesting that users cycle through the names of their children, nephews, nieces, and other relatives when forced to create new passwords, changing letters to numbers as needed. Which of the following actions can Ralph take to remedy the situation without creating a larger problem? Distribute a list of common passwords that are insecure, such as those based on names, birth dates, etc. Modify the password policies to force users to change passwords more frequently Assign the users long passwords consisting of random-generated characters and change them often Change the password history policy to a value greater than the number of children in any user's family
Distribute a list of common passwords that are insecure, such as those based on names, birth dates, etc.
Which of the following is not a good approach to mitigating network threats? Training and awareness Documenting chain-of-custody Patch management Incident response Policies and procedures
Documenting chain-of-custody Documenting chain-of-custody may help prosecute someone after an event has occurred, but it does nothing to mitigate the risk or impact of a threat.
Which of the following physical security mechanisms can either "fail close" or "fail open"? Motion detectors Video cameras Honeypots Door locks
Door locks
Which of the following standards defines a framework for the authentication process but does not specify the actual authentication mechanism? WPA EAP TKIP TLS
EAP
Which of the following wireless security protocols can enable network users to authenticate using smartcards? WEP WPA2 EAP AES
EAP Extensible Authentication Protocol (EAP) is a framework for the encapsulation of authentication messages. Its many variants provide support for the use of smartcards and other authentication factors, such as biometrics, in addition to traditional passwords.
Which of the following protocols can you use to authenticate Windows remote access users with smartcards? EAP MS-CHAPv2 CHAP PAP
EAP The Extensible Authentication Protocol (EAP) is the only Windows remote authentication protocol that supports the use of authentication methods other than passwords, such as smartcards. MS-CHAPv2 is a strong remote access authentication protocol, but it supports password authentication only. Users cannot use smartcards. The Challenge Handshake Authentication Protocol (CHAP) is a relatively weak authentication protocol that does not support the use of smartcards. The Password Authentication Protocol (PAP) supports only clear text passwords, not smartcards.
Which selections represent authentication services? TKIP EAP AES KERBEROS
EAP KERBEROS
Which of the following is the best description of geofencing? Something you have Something you know Something you do Somewhere you are
Somewhere you are
Which of the following types of attacks can be used to enable an intruder to access a wireless network despite the protection provided by MAC filtering? Spoofing Brute force DNS poisoning War driving
Spoofing
Which of the following security protocols can authenticate users without transmitting their passwords over the network? Kerberos 802.1X TKIP LDAP
Kerberos Kerberos is a security protocol used by Active Directory that employs a system of tickets to authenticate users and other network entities without the need to transmit credentials over the network. IEEE 802.1X does authenticate by transmitting credentials. Temporal Key Integrity Protocol (TKIP) and Lightweight Directory Access Protocol (LDAP) are not authentication protocols.
Which of the following physical security devices can use passive RFIDs to enable an authorized user to enter a secured area? (Choose all correct answers.) Key fob Keycard lock Prox card Cypher lock
Key fob Prox card Keycard locks typically require the card to be inserted into a reader and typically use magnetic strips to store data. Cypher locks rely on data supplied by the user—that is, the combination numbers.
Which of the following types of attacks have been rendered all but obsolete by the routers that no longer forward broadcast traffic? (Choose all correct answers.) Logic bomb Fraggle Phishing Smurf
Fraggle, Smurf
Which of the following physical security devices can enable an authorized user to enter a secured area without any physical contact with the device? (Choose all correct answers.) Key fob Keycard lock Prox card Cypher lock
Key fob Prox card Keycard locks typically use magnetic strips to store data and require the card to be physically inserted into a reader. Cypher locks rely on data manually supplied by the user—that is, the combination numbers.
A network engineer is designing a campus-wide wireless network. Wireless access points will be distributed across the campus for maximum availability. The network is to be designed to handle a large number of roaming wireless devices. What feature should he employ? VLAN Pooling Subnetting WPA2 LWAPP
LWAPP LWAPP is the best choice because it serves as a standard single point that allows quick and efficient management of multiple wireless devices at a time.
The boss has just read an article about zero-day attacks and rushes into your office in a panic, demanding to know what you'll do to save the company network. What security technique would best protect against such attacks? Keep antivirus definitions updated. Implement user awareness training. Use aggressive patch management. Implement effective security policies.
Implement effective security policies. Because a zero-day attack exploits previously unknown software vulnerabilities, updating virus definitions and keeping your software patched wouldn't help at all. By definition, there's no patch out yet for the zero-day exploit! User awareness will help because many zero-day attacks come through users accessing dodgy Web sites, but a good security policy that includes properly implemented firewalls and restrictions on access to those sites offers the best protection.
A wireless network is configured to allow clients to authenticate only when the signal strength of their connections exceeds a specified level. Which of the following terms best describes this configuration? Local authentication Port security Geofencing Motion detection
Geofencing Geofencing is the generic term for a technology that limits access to a network or other resource based on the client's location. In wireless networking, geofencing is intended to prevent unauthorized clients outside the facility from connecting to the network.
In terms of network security, what is the purpose of hashing? Hashes are used to verify data integrity Hashing encrypts data
Hashes are used to verify data integrity Hashing does not encrypt or decrypt data.
Your company wants to test out the security of your network by allowing attackers to hit a fake network that you create. Which technology would you need to use? Honeynet NIDS NMAP Honeypot
Honeynet A Honeynet is a network of honeypots used to simulate a network where all the activity is monitored and recorded.
Which of the following network devices does not employ an access control lists to restrict access? Routers Hubs Switches Wireless access points
Hubs
Which of the following protocols is responsible for inserting the tags into frames that enable switches to forward them to the appropriate VLAN? IEEE 802.3x IEEE 802.1X IEEE 802.1q IEEE 802.11ac
IEEE 802.1q The IEEE 802.1q protocol is responsible for VLAN tagging, a procedure that enables network switches to support virtual LANs (VLANs). Through the insertion of VLAN identifier tags into frames, switches can determine which VLAN each packet is destined for and forward it to the correct ports. IEEE 802.1X is a standard that defines a port-based network access control mechanism used for authentication on wireless and other networks.
Using an ACL in a firewall to block known malicious Web addresses is an example of which of the following? Port filtering Mac filtering Application filtering IP filtering
IP filtering Application filtering stops types of programs, MAC filtering prevents specific computers, and port filtering prevents specific processes.
Which of the following are common types of cameras used for video surveillance of secured network installations? (Choose all correct answers.) IP LDAP CCTV NAC
IP, CCTV While CCTV cameras can only be monitored by users in the security center, or another designated location, IP cameras can be monitored by any authorized user with a web browser.
A technician in the IT department at your company was terminated today and had to be escorted from the building. Your supervisor has instructed you to disable all of the technician's accounts, change all network device passwords to which the technician had access, and have the datacenter doors rekeyed. Which of the following terms best describes your supervisor's concern in asking you to do these things? Social engineering Insider threats Logic bombs War driving
Insider threats
Which choice is not a step in planning and installing a wireless network? Install patch antenna(s) Configure WAP security Perform site survey Plan the WAP locations
Install patch antenna(s) Patch antennas may not be appropriate for every installation.
Which of the following technologies utilize access control lists to limit access to network resources? (Choose all correct answers.) NTFS LDAP WAP Kerberos
NTFS WAP NTFS files and folder all have access control lists (ACLs), which contain access control entries (ACEs) that specify the users and groups that can access them and the specific permissions they have been granted. Wireless access points (WAPs) have access control lists that contain MAC address of the devices that are permitted to connect to the wireless network. Lightweight Directory Access Protocol and Kerberos are protocols that provide directory service communication and authentication, respectively. Neither one uses access control lists.
Which of the following functions can be interfered with by a DNS poisoning attack? IP address resolution Name resolution Password protection Network switching
Name resolution DNS poisoning is a type of attack in which an attacker adds fraudulent information into the cache of a DNS server. Then, when a client attempts to resolve the name of a website or other server, the DNS server supplies the incorrect IP address, causing the client to access the attacker's server instead. ARP poisoning is the deliberate insertion of fraudulent information into the ARP cache stored on computers and switches, which can interfere with the resolution of IP addresses into MAC addresses on a local level.
Creating a policy instructing users to avoid passwords that use commonly shared information, such as birth dates and the names of children and pets, is an example of which of the following? Mitigation techniques Multifactor authentication Network hardening Access control
Network hardening Network hardening is a term used to describe any method of making it more difficult for intruders to penetrate. In many cases, network hardening techniques are based on education rather than technology. Mitigation techniques are methods for reducing the severity of an attack.
When Alice digitally signs and encrypts a document with Ralph's public key, Ralph can decrypt the document only by using his private key. As long as the private key is accepted to be secure, which of the following statements are true? (Choose all correct answers.) Alice cannot deny having created the document. No one has altered the document since Alice sent it. No one but Alice can have created the document. No one but Ralph can decrypt and read the document.
No one has altered the document since Alice sent it. No one but Ralph can decrypt and read the document.
What is BEST used to perform a one-time temporary posture assessment in a NAC environment? Non-persistent agent Antivirus Host-based firewall Intrusion prevention system
Non-persistent agent A non-persistent agent is used to access the device during a one-time check-in at login. This is beneficial in BYOD (Bring Your Own Device) policies.
How many keys does a system that employs symmetric encryption use?
One. Symmetric encryption uses one key for both encryption and decryption.
Your company has purchased a new building down the street for its executive suites. You have been asked to choose the BEST encryption for AP1, AP2, and AP3 to establish a wireless connection inside the main building for visitors to use. Your boss has stated that the main building's internal wireless network is for visitors' use only and MUST NOT require the visitors to set up any special configuration on their devices to connect. Which of the following is the BEST encryption to use from the options below to meet your manager's requirements for the new visitors' Wireless Network? WEP WPA WPA2-CCMP WPA2-TKIP Open
Open Since your manager has requested that the visitors not be required to configure anything on their devices, the only option you can choose is Open. This option presents NO security for the visitor's wireless network, but it also requires no setup on the user's devices. All of the other options would require a pre-shared key and set up to allow the visitor to use the network.
The solution to a single point of failure is redundancy. Which failure points should be selected to be bolstered with redundancy? Senior management and IT management should identify critical assets and critical nodes. All hard drives should be backed up daily. All hard drives should be installed in RAID arrays. All servers and network links should be made redundant.
Senior management and IT management should identify critical assets and critical nodes. Critical assets and nodes represent single failure points. It is the job of IT management and senior management to determine which elements are critical. Not every server or link may be a critical node. Drives that are not critical nodes are assets that don't necessarily need to be in a RAID array. Critical drives should be backed up, but not every drive is critical.
When operating multiple, duplicate servers such as web servers, which method is best to take advantage of the full power of all of the servers? Round Robin Server HSRP DNS Server Server Side Load Balancer
Server Side Load Balancer HSRP is the Hot Swap Routing Protocol that allows a backup router to come online if a primary router fails.
Role separation is a threat mitigation technique that is applied to which of the following types of network components? Switches Servers Routers Wireless access points
Servers
On which of the following types of devices should you consider disabling unused ports as a security precaution? (Choose all correct answers.) Hubs Servers Switches Wireless access points
Servers Switches It is not possible to disable hub ports, and the access points used on enterprise networks typically have only a single port.
A technician has finished configuring AAA on a new network device. However, the technician cannot log into the device with LDAP credentials but can with a local user account. What is the MOST likely reason for the problem? Username is misspelled in the device configuration file IDS is blocking radius Shared secret key is mismatched Group policy has not propagated to the device
Shared secret key is mismatched AAA through RADIUS uses a Server Secret Key (a shared secret key). A secret key mismatch could cause login problems.
When the loss of a piece of equipment or link can bring down an entire process, workflow, or even the whole organization, that lost element is called what? Redundant link Critical asset Single point of failure Critical node
Single point of failure A critical asset is a resource within an organization without which the organization cannot function. While a critical asset may be a single point of failure, not all single points of failure are critical assets.
Which of the following describes the primary difference between single sign-on and same sign-on? Single sign-on requires the user to supply credentials only once, whereas with same sign-on, the user must supply the credentials repeatedly. Single sign-on enables users to access different resources with one set of credentials, whereas same sign-on requires users to have multiple credential sets. Single sign-on credentials consist of one username and one password, whereas same sign-on credentials consist of one username and multiple passwords. Single sign-on requires multifactor authentication, such as a password and a smartcard, whereas same sign-on requires only a password for authentication.
Single sign-on requires the user to supply credentials only once, whereas with same sign-on, the user must supply the credentials repeatedly.
Continuously bombarding a remote computer with broadcast pings that contain a bogus return address is an example of what specific type of attack? Man-in-the-middle DDoS Smurf FTP bounce
Smurf The DoS attack described is known specifically as a smurf attack.
You are working as a network administrator and are worried about the possibility of an insider threat. You want to enable a security feature that would remember the Layer 2 address that is first connected to a particular switch port in order to prevent someone from unplugging a workstation from the switch port and connecting their own laptop to that same switch port. Which of the following security features would BEST accomplish this goal? NAC Sticky MAC 802.1X ACL
Sticky MAC Persistent MAC learning, also known as Sticky MAC, is a port security feature that enables an interface to retain dynamically learned MAC addresses when the switch is restarted or if the interface goes down and is brought back online. This is a security feature that can be used to prevent someone from unplugging their office computer and connecting their own laptop to the network jack without permission, since the switch port connected to that network jack would only allow the computer with the original MAC address to gain connectivity using Sticky MAC.
Which of the following standards provides authentication, authorization, and accounting services for network routers and switches? RADIUS TACACS+ Kerberos LDAP
TACACS+
When the Wi-Fi Protected Access (WPA) wireless security protocol was released to replace Wired Equivalent Privacy (WEP), it included the Temporal Key Integrity Protocol (TKIP) for encryption. Which of the following is not one of the improvements that WPA and TKIP provide over WEP? TKIP enlarges the WEP encryption key. TKIP modifies the encryption key for every packet. WPA does not require a hardware upgrade for WEP devices. TKIP eliminates the use of preshared keys.
TKIP eliminates the use of preshared keys. TKIP does continue to support the use of preshared keys.
In the datacenter of a company involved with sensitive government data, all servers have crimped metal tags holding the cases closed. All of the hardware racks are locked in clear-fronted cabinets. All cable runs are installed in transparent conduits. These are all examples of which of the following physical security measures? Tamper detection Asset tracking Geofencing Port security
Tamper detection
Barbara, an employee, has properly connected her personal wireless router to a network jack inside her office. The router is unable to get a DHCP address even though her corporate laptop can get a DHCP address when connected to the same jack. Barbara checked the router's configuration to ensure it is setup to obtain a DHCP address. Which of the following is the MOST likely reason that the router is not getting a DHCP address? The administrator has enabled DHCP snooping on the network The administrator is blocking DHCP requests that originate from access points The administrator is blocking the wireless router's MAC address using MAC filtering The Administrator has implemented a feature that only allows whitelist MAC addresses to connect to the network
The Administrator has implemented a feature that only allows whitelist MAC addresses to connect to the network
An 802.1X transaction involves three roles: the supplicant, the authenticator, and the authentication server. Of the three, which role typically takes the form of a RADIUS implementation? The supplicant The authenticator The authentication server None of the above
The authentication server
In an 802.1X transaction, what is the function of the authenticator? The authenticator is the service that issues certificates to clients attempting to connect to the network. The authenticator is the service that verifies the credentials of the client attempting to access the network. The authenticator is the network device to which the client is attempting to connect. The authenticator is the client user or computer attempting to connect to the network.
The authenticator is the network device to which the client is attempting to connect. An 802.1X transaction involves three parties: the supplicant, which is the client attempting to connect to the network; the authenticator, which is a switch or access point to which the supplicant is requesting access; and the authentication server, which is typically a RADIUS implementation that verifies the supplicant's identity.
Which of the following are valid reasons not to disable unused switch ports? (Choose all correct answers.) The datacenter is secured from unauthorized access. The unused ports are not patched in to wall jacks. The unused ports are left open to facilitate the on-boarding of new users. The switch is configured to use a MAC-based access control list.
The datacenter is secured from unauthorized access. The switch is configured to use a MAC-based access control list. If there is no way for unauthorized people to access the datacenter, then there is no danger of someone plugging a device into a port that is left enabled. If the switch uses an access control list (ACL) that specifies the MAC addresses of systems permitted to connect to it, then there is no need to disable unused ports.
Which of the following statements describes what it means when the automated lock on the door to a datacenter is configured to fail open? The door remains in its current state in the event of an emergency. The door locks in the event of an emergency. The door unlocks in the event of an emergency. The door continues to function using battery power in the event of an emergency.
The door unlocks in the event of an emergency.