Sec + Quiz 2


EAP-TLS

"EAP-Transport Layer Security--Uses PKI, requiring both server-side and client-side certificates."

A company uses a RADIUS server that connects to an authentication client which receives remote user login requests. What method of authentication is being utilized here?

802.1x

802.1x

A port-based authentication protocol. Wireless can use 802.1X. For example, WPA2-Enterprise mode uses an 802.1X server (implemented as a RADIUS server) to add authentication.

SCP (Secure Copy Protocol)

A protocol that uses SSH to securely copy files between a local and a remote host, or between two remote hosts.

What should be used to diagnose a wireless connectivity issue?

A sniffer is a network tool that captures traffic. A honeypot is a network attached server set up as a decoy to lure and detect hackers. A routing table is what a router uses to decide how to forward packets to other networks. A wireless scanner (correct answer!) is used to see what wireless networks are present, and details associated with those access points. An evil twin is a wireless access point that has a spoofed SSID, so that it looks legitimate.

A security administrator is upgrading the office wireless access point and wants to configure WPA2-PSK. Which encryption method is going to be the MOST likely to be configured with this configuration?

AES. AES encryption is commonly used in a lot of ways, including wireless security, processor security, file encryption, and SSL/TLS.

An admin wishes to help with securing his network against MitM vulnerabilities. They wish to include an automated script as part of each user's logon process to help prevent these exploits. Which of the following commands should be included to help the admin with their concern?

ARP poisoning is an attempt to create a Man-in-the-Middle by "poisoning" users' ARP tables and mismatching target IP and MAC addresses. By putting static (manual) entries in your ARP table, an attacker cannot poison the entry by modifying it.

Which of the following differentiates ARP poisoning from a MAC spoofing attack?

ARP poisoning sends unsolicited ARP replies to clients in order to trick them into thinking an attacker is the default gateway of the LAN. MAC flooding overflows a switch's CAM tables. DHCPOFFER/DHCPACK are DHCP packets when a client is looking to acquire/renew DHCP addresses. MAC (layer 2) spoofing cannot be performed across a router (IP - layer 3).

A network administrator wants to make their wireless network as secure as possible. In order to do this the administrator needs to implement a protocol that authenticates both the server and the client to provide mutual authentication. Which of the following provides the functionality the admin requires? A. PEAP B. EAP-TLS C. EAP-FAST D. EAP

B is the best answer. "A. PEAP": the mutual authentication feature is optional, requiring a client-side cert to be in place for mutual authentication to occur in the first place. The server cert is mandatory, and the client cert is not. Therefore, mutual auth isn't guaranteed. "B. EAP-TLS" ALWAYS requires a client-side cert in addition to the server-side cert. Mutual authentication ALWAYS occurs with EAP-TLS, so "B" is the better answer.

BYOD

Bring your own device. A policy allowing employees to connect personally owned devices, such as tablets and smartphones, to a company network. Data security is often a concern with BYOD policies and organizations often use VLANs to isolate mobile devices.

A network administrator is reviewing requirements for a company's new wireless configuration. The new configuration must have accessibility in mind. User authentication should not rely on certificates and should not depend on centralized directory services. Which configuration BEST fits these requirements?

Captive portals, PSK. An example of this is when you log on to wireless at a hotel. When you launch your browser, it takes you to a captive portal (hotel web page) where you need to enter this week's pre-shared key (password). This solves the above requirements. PEAP and EAP would be tied to the enterprise directory services, so they're out. Open authentication wouldn't require *any* authentication, so that's out too.

After a routine vulnerability scan, it turns out that your company has been losing confidential documents through the email server. Closing ports is out of the question as it would disrupt legitimate business operations. Given this scenario, what should the company configure to prevent this from occurring in the future?

Company credentials and no shared key? Sounds like centralized AAA like RADIUS or Diameter. You need 802.1X.

COPE

Corporate Owned, Personally Enabled device

You have been tasked with implementing security controls for your company's website. You decide that deploying DNSSEC would help keep you safe from various name server exploits. Which of the following would BEST support this security implementation?

DNSSEC is a suite of protocols that protect DNS by allowing DNS responses to be validated. To do this, the responses are signed with a certificate on the DNS server. This requires the organization to establish a Public Key Infrastructure (PKI) beforehand to then enable DNSSEC.

DLP

Data Loss Prevention

A security analyst is concerned with the potential of insecure transmission of data. The analyst wishes to start by mitigating directory credential information being sent in clear text. What would be the BEST way to mitigate this security concern?

Directory credential information = LDAP traffic. Use LDAPS to encrypt the traffic.

In terms of application server security, which of the following controls would be the BEST at maintaining high availability? (Pick TWO)

HA = High Availability. To increase the availability (uptime) of your web server, you could distribute the workload among several servers using a load balancer. If one server fails, the others will still be running. Also, putting a Web Application Firewall (WAF) in front of your web servers will protect them from attack, thus increasing the availability.

What identifies active attacks on a system?

IDS, Intrusion detection system

An infosec news outlet is reporting on a recent botnet attack that hijacked IP cameras and caused a DDoS using GRE-encapsulated packets. Which category do the compromised cameras most likely belong to?

IoT devices. GRE encapsulation is a VPN tunnel protocol (secure traffic); the attacker has hidden the malicious traffic inside the tunnel. The Internet of Things (IoT) is a system of interrelated computing devices, mechanical and digital machines that are provided with unique identifiers and the ability to transfer data over a network without requiring human interaction. For example, webcams, thermostats, music players, and even microwaves and refrigerators are now connecting to the internet. SoC = System on Chip. ICS = Industrial Control System. MFD = Multi-Function Device.

IDS

Intrusion detection system. A detective control used to detect attacks after they occur. A signature-based IDS (also called definition-based) uses a database of predefined traffic patterns. An anomaly-based IDS (also called behavior-based) starts with a performance baseline of normal behavior and compares network traffic against this baseline. An IDS can be either host-based (HIDS) or network-based (NIDS). In contrast, a firewall is a preventative control that attempts to prevent the attacks before they occur. An IPS is a preventative control that will stop an attack in progress.

With IoT devices on a network, what is the largest ongoing risk that exists after you find a vulnerability?

IoT devices often employ vendor-specific software and protocols. Many vendors rarely provide security updates to IoT devices, if ever. Firmware often needs to be updated manually, if it is even possible.

Two app development companies have teamed up to fulfill a government contract. What type of user-centric access control could they use to limit who can edit different libraries or modules during the development process?

Key word: user-centric. With Discretionary Access Control (DAC) the owner (subject) of a file (object) can decide what other users (subjects) can read, write, etc. It is said to be "user defined" or "user centric". Mandatory Access Control (MAC) is system defined, and doesn't give file owners the ability to freely change permissions. It tags all files (objects) with sensitivity labels such as secret or top secret. All users (subjects) are granted permissions in the form of clearance levels.

DAC (Discretionary access control)

Owner of the file decides who can read, write, etc

A security administrator wishes to implement a form of authentication that both encrypts and requires a secure TLS tunnel to rule out oversights. Which of the following technologies BEST fits the admin's requirements?

PEAP (Protected Extensible Authentication Protocol) is a version of EAP, the authentication protocol used in wireless networks and Point-to-Point connections. PEAP is designed to provide more secure authentication for 802.11 WLANs (wireless local area networks) that support 802.1X port access control.

A directory admin is attempting to further secure the domain controller against future attack. Currently the server uses an insecure version of LDAP and the admin wants to implement an authenticity check and encryption. Which of the following does the admin need to implement to accomplish this? (Pick TWO)

Port 636 is LDAPS (Secure LDAP), which uses an X.509 certificate to encrypt the LDAP traffic so nobody can sniff and read the traffic.

Which of the following types of embedded systems is required in manufacturing environments with life safety requirements?

Real-time operating systems (RTOS) are seen in implementations where life safety is of the utmost concern. Examples include airliner control systems (avionics) and systems that control life-support systems in hospitals.

RADIUS

Remote Authentication Dial-In User Service (RADIUS) is a network protocol that provides security to networks against unauthorized access. RADIUS secures a network by enabling centralized authentication of dial-in users and authorizing their access to use a network service.

An organization uses separate VLANs for each of its departments. The organization wants to make its authentication web portal usable by all its employees and wishes to implement SAML to support this. During the authentication process, what will occur when the employee authenticates to this system? (Pick TWO)

SAML is an open standard for exchanging authentication and authorization data (assertions) between parties, specifically between a front-end service provider (SP), and a back-end, federated identity database called an Identity Provider (IdP).

After a quarterly vulnerability scan a company discovers that they have been transferring files without any encryption. Which of the following should the company use to correct this issue?

SCP = Secure Copy Protocol. It first establishes an encrypted SSH tunnel (on port 22), then transfers files through this tunnel.

A client needs to remotely connect to their web server for the purposes of changing code manually. What protocol would need to be configured on the client's machine to allow connection to the Unix web server, which is behind a firewall?

SSH is commonly used for remotely controlling systems or editing remote files. Since SSH (Secure Shell) interacts with the remote device's shell, it is all plain-text/command-line editing (aka manual). SSH (TCP 22) is a secure connection, unlike Telnet (TCP 23).

SAML

Security Assertions Markup Language. An XML-based standard used to exchange authentication and authorization information between different parties. SAML provides SSO for web-based applications.

The use of SAML is necessary for the deployment of which technologies? (Pick TWO)

Single sign-on, federation. SAML is an open standard for exchanging authentication and authorization data between parties, specifically between the Service Provider (SP) and a back-end, federated identity database called an Identity Provider (IdP). This allows single sign-on (SSO) by an end user, otherwise known as the "principal". The single most important use case that SAML addresses is web browser single sign-on.

A network administrator is hardening security across the wireless network. The admin wishes to use the strongest security possible, as deprecated algorithms are no longer meeting compliance. Which of the following algorithms should the administrator use?

The strongest algorithm is CCMP.

SSH port

TCP 22

HTTP port

TCP 80

TKIP

Temporal Key Integrity Protocol. Wireless security protocol introduced to address the problems with WEP. TKIP was used with WPA but many implementations of WPA now support CCMP.

TACACS+

Terminal Access Controller Access-Control System Plus (TACACS+) is a protocol developed by Cisco and released as an open standard beginning in 1993. Although derived from TACACS, TACACS+ is a separate protocol that handles authentication, authorization, and accounting (AAA) services.

CCMP

The CCMP™ is a globally recognized credential established by ACMP for professionals to demonstrate their commitment to leading the way change works. The CCMP™ was developed based on ACMP's industry-leading Standard for Change Management© ("the Standard") that defines best practices in change management.

LDAP

The Lightweight Directory Access Protocol is an open, vendor-neutral, industry standard application protocol for accessing and maintaining distributed directory information services over an Internet Protocol network.

During the course of a security evaluation a tester discovers that the client is using the PCL printing protocol for their MFD. What is the risk the client MOST likely needs to be concerned about?

PCL printing protocol traffic is not encrypted, and a MitM sniffing attack could capture sensitive documents sent to the printer and replay those print jobs to any printer to re-create all of the captured content.

A member of your accounting team is accessing files during off hours in order to catch up on missed work. The network security admin wishes to be made aware of this behavior in the future without interrupting legitimate traffic in different time zones. How can the admin BEST deal with this concern?

They want a method of DETECTING the behavior WITHOUT IMPEDING ACCESS. A SIEM (Security Information and Event Management) system is a logging solution, so it can detect abnormal activities and report on it, without actually restricting access.

SNMP port

UDP 161/162

DNS port

UDP 53

During the identification phase, what must a user provide to a RADIUS system before authenticating?

Username

Easiest wireless protocol to defeat?

WEP is the easiest wireless protocol to defeat

A security administrator is looking to implement wireless connectivity to the office network. The only consideration that the admin needs to observe is that the company does not wish to distribute a password or certificate to employees. Which of the following technologies BEST fits this requirement?

WPS, or Wi-Fi Protected Setup, allows you to join a secure Wi-Fi network without having to enter the network name or any credentials. You simply press the button on your WPS-enabled router and enter the PIN on your wireless device (within the specified timeframe) to complete the connection.

Many users are experiencing service interruptions. After inspecting traffic logs you find out that a hacker is intercepting user traffic before it gets to the default gateway. Which of the following BEST describes how the hacker could have done this?

Weak switch: it sounds like the hacker has performed a Man-in-the-Middle attack of some sort. There are various ways to do this, such as ARP poisoning or MAC flooding. Fortunately, if the switch is locked down properly (port security, etc.), MitM attacks like this can be prevented.

WPA2

Wireless Protected Access 2. Wireless network encryption system. Can utilize TKIP for backwards compatibility.

WORM Drive

Write Once, Read Many

A security administrator has decided to use an internet-based authentication service. Given that the provider uses some version of OAuth, what would the security administrator need to integrate to use this service?

XACML is a standard that describes both a policy language and an access control decision request/response language. OAuth uses XACML for authorization functionality.

MAC (Mandatory Access Control)

System defined; doesn't give file owners the ability to freely change permissions.

SSL port

used with HTTPS, which is TCP 443
