Module 6 S433
88. Which of the following defines a hashing algorithm creating the same hash value from two different messages? A. AES B. MD5 C. Hashing D. Collision
D. A collision occurs when a hashing algorithm creates the same hash from two different messages. Option A is incorrect. AES (Advanced Encryption Standard) is a symmetric algorithm. Option B is incorrect. MD5 (Message Digest 5) is a hashing algorithm. Option C is incorrect. Hashing is a one-way encryption that transforms a string of characters into a fixed-length value or key, also known as a hash value. Hashes ensure the integrity of data or messages.
61. Which of the following statements is true regarding symmetric key systems? A. They use different keys on each end of the transported data. B. They use public key cryptography. C. They use multiple keys for creating digital signatures. D. They use the same key on each end of the transported data.
D. A symmetric key system uses the same key to encrypt and decrypt data during the transport Options A, B, and C are incorrect. These statements refer to an asymmetric key system, where it uses two keys to encrypt and decrypt data and creates digital signatures for nonrepudiation purposes.
94. Which of the following encryption algorithms is used to encrypt and decrypt data? A. MD5 B. HMAC C. Kerberos D. RC4
D. RC4 is a stream cipher used for encrypting and decrypting data, but there are known weaknesses and using it is not recommended. Option A is incorrect. MD5 is a hashing algorithm used to verify integrity. Option B is incorrect. HMAC is known as a message authentication code and it is used for integrity. Option C is incorrect. Kerberos is a protocol for authenticating service requests between trusted hosts across an untrusted network such as the Internet. Kerberos uses tickets to provide mutual authentication.
29. Which of the following uses two mathematically related keys to secure data during transmission? A. Twofish B. 3DES C. RC4 D. RSA
D. RSA is an asymmetric algorithm (also known as public key cryptography) that uses a public and a private key to encrypt and decrypt data during transmissions. Options A, B, and C are incorrect. Twofish, 3DES, and RC4 are symmetric algorithms. Also known as a secret key algorithm, a symmetric algorithm uses the same key to encrypt and decrypt data.
115. You want to send confidential messages to a friend through email, but you do not have a way of encrypting the message. Which of the following methods would help you achieve this goal? A. AES B. Collision C. RSA D. Steganography
D. Steganography is a process of hiding data within data. This technique can be applied to images, video files, or audio files. Option A is incorrect. AES (Advanced Encryption Standard) is a symmetric algorithm used to encrypt data. The question stated that you didn't have a way of encrypting the message. Option B is incorrect. A collision occurs when a hashing algorithm creates the same hash from two different messages. Option C is incorrect. RSA is an asymmetric algorithm used to encrypt data. The question stated that you didn't have a way of encrypting the message.
55. Which of the following best describes the drawback of symmetric key systems? A. You must use different keys for encryption and decryption. B. The algorithm is more complex. C. The system works much more slowly than an asymmetric system. D. The key must be delivered in a secure manner.
D. Symmetric encryption uses the same key to encrypt and decrypt data, so the key must be sent to the receiver in a secure manner. If a person were to get the key somewhere in the middle, they would be able to decrypt the information and read the data or inject it with malware. Options A, B, C are incorrect. These statements describe asymmetric encryption.
134. If a threat actor obtains an SSL private key, what type of attack can be performed? (Choose two.) A. Eavesdropping B. Man-in-the-middle C. Social engineering D. Brute force
A and B. A threat actor can create an eavesdropping and a man-in-the-middle attack. Eavesdropping with a private key can allow the threat actor to see data in clear text. A man-in-the-middle attack can allow the threat actor to modify the data transmitting to the server, such as adding malware to the data. Option C is incorrect. Social engineering is exploiting a person's trust to give up confidential information. Option D is incorrect. A brute-force attack is used to obtain information such as a user password or personal identification number (PIN) by use of a trial-and-error method.
130. Which of the following hardware devices can store keys? (Choose two.) A. USB flash drive B. Smartcard C. PCI expansion card D. Cipher lock
A and B. USB flash drives and smartcards can carry a token and store keys for authentication to systems. They are often used in a multifactor authentication situation. Option C is incorrect. A PCI expansion card is internal to a PC and normally doesn't store keys for authentication purposes. Option D is incorrect. A cipher lock is a programmable lock used for controlling access to a secure area.
66. Which of the following items are found within a digital certificate? (Choose two.) A. Serial number B. Default gateway C. Public key D. Session key
A and C. The structure of an X.509 digital signature includes a serial number and public key of the user or device. Option B is incorrect. A default gateway is an access point that a device uses to send data to a device in another network or to the Internet. Option D is incorrect. A session key is a symmetric key that uses the same key for encryption and decryption.
77. Which of the following security setup modes are intended for use in a small office or home office environment? (Choose two.) A. WPS B. WPA-Enterprise C. WPA2-Enterprise D. WPA2-Personal
A and D. Most small office, home office (SOHO) networks use WPS and WPA2-Personal. WPS is a network security standard that allows home users to easily add new devices to an existing wireless network without entering long passphrases. WPA2-Personal uses a passphrase that is entered into the SOHO router. Options B and C are incorrect. WPA-Enterprise and WPA2-Enterprise, also known as 802.1x, use a RADIUS server for authentication purposes.
109. How many effective key sizes of bits does 3DES have? (Choose three.) A. 56 B. 112 C. 128 D. 168
A, B, and D. 3DES is a symmetric key block cipher that applies the DES cipher algorithm three times to each data block. 3DES has three keying options. First, all three keys are independent, so 3 × 56 = 168-bit key length. Second, key 1 and key 2 are independent and the third key is the same as the first key, so 2 × 56 = 112-bit key length. Third, all three keys are identical, so 1 × 56 = 56-bit key length. Option C is incorrect. With three keying options, 3DES has effective key sizes of 56, 128, and 168 bits.
95. Which of the following provides additional encryption strength by repeating the encryption process with additional keys? A. 3DES B. AES C. Twofish D. Blowfish
A. 3DES is a symmetric algorithm used to encrypt data by applying the DES cipher algorithm three times to the data. Options B, C, and D are incorrect. AES, Twofish, and Blowfish do not repeat the encryption process with additional keys.
5. Which of the following digital certificate management practices will ensure that a lost certificate is not compromised? A. CRL B. Key escrow C. Nonrepudiation D. Recovery agent
A. A CRL (certificate revocation list) is a list of digital certificates that have been revoked by the issuing certificate authority (CA) before their scheduled expiration date and should not be trusted. Option B is incorrect. Key escrow is a cryptographic key exchange process in which a key is stored by a third party. Should the original user's key be lost or compromised, the stored key can be used to decrypt encrypted material, allowing restoration of the original material to its unencrypted state. Option C is incorrect. Nonrepudiation is a method of guaranteeing a message transmission between parties by a digital signature. Option D is incorrect. A recovery agent is a user who is permitted to decrypt another user's data in case of emergency or in special situations.
147. Which of the following algorithms is typically used to encrypt data-at-rest? A. Symmetric B. Asymmetric C. Stream D. Hashing
A. A symmetric algorithm, sometimes called a secret key algorithm, uses the same key to encrypt and decrypt data and is typically used to encrypt data-at-rest. Option B is incorrect. An asymmetric algorithm, also known as public key cryptography, uses public and private keys to encrypt and decrypt data and is typically not used to encrypt data-at-rest. Option C is incorrect. Stream ciphers encrypt data one bit at a time. Option D is incorrect. Hashing is a one-way encryption that transforms a string of characters into a fixed-length value or key, also known as a hash value. Hashes ensure the integrity of data or messages.
93. Which of the following is used to exchange cryptographic keys? A. Diffie-Hellman B. HMAC C. ROT13 D. RC4
A. Diffie-Hellman is used to establish a shared secret between two users and is primarily used as a method of exchanging cryptography keys. Option B is incorrect. HMAC is known as a message authentication code and is used for integrity. Option C is incorrect. ROT13 is a substitution cipher, also known as a Caesar cipher, that replaces a letter with the 13th letter after it in the alphabet. Option D is incorrect. RC4 is an example of a stream cipher that encrypts data one bit at a time.
31. Which of the following EAP types use a three-phase operation? A. EAP-FAST B. EAP-TLS C. EAP-TTLS D. PEAP
A. EAP-FAST is for situations where strong password policy cannot be enforced and certificates are not used. EAP-FAST consists of three phases: EAP-FAST authentication, establishment of a secure tunnel, and client authentication. Options B, C, and D are incorrect. These EAP types do not use a three-phase phase.
79. Which of the following EAP types uses the concepts of public key infrastructure (PKI)? A. EAP-TLS B. PEAP C. EAP-FAST D. EAP-TTLS
A. EAP-TLS uses the concepts of public key infrastructure (PKI). It eliminates the need for a shared secret between the client and the server. Digital certificates are used instead. Options B, C, and D are incorrect. These EAP types do not use PKI
30. You have been instructed by the security manager to protect the server's data-at-rest. Which of the following would provide the strongest protection? A. Implement a full-disk encryption system. B. Implement biometric controls on data entry points. C. Implement a host-based intrusion detection system. D. Implement a host-based intrusion prevention system.
A. Full-disk encryption on data-at-rest will help protect the inactive data should the storage device be stolen. The thief would not be able to read the data. Option B is incorrect. Implementing biometrics will control who enters the location. An unauthorized user can tailgate and obtain the storage device and read the data-at-rest. Option C is incorrect. Implementing a host-based intrusion detection system is designed to alert you when an attack occurs on a network but does not protect the data-at-rest if the storage device is stolen. Option D is incorrect. Implementing a host-based intrusion prevention system is designed to prevent an attack on a network but does not protect the data-at-rest if the storage device is stolen.
50. In asymmetric encryption, what is used to decrypt an encrypted file? A. Private key B. Public key C. Message digest D. Ciphertext
A. In asymmetric encryption, sometimes referred to as public key encryption, the private key is used to decrypt an encrypted file. Option B is incorrect. A public key is used to encrypt a file. Option C is incorrect. A message digest is created to check the integrity of a file to ensure it hasn't changed. Option D is incorrect. Ciphertext is plain text that has been encrypted.
139. PEAP protects authentication transfers by implementing which of the following? A. TLS tunnels B. SSL tunnels C. AES D. SHA hashes
A. PEAP is a protocol that encapsulates the EAP within a TLS tunnel. Option B is incorrect. SSL was superseded by TLS and is considered not as secure as TLS. Option C is incorrect. AES (Advanced Encryption Standard) is a symmetric algorithm used to encrypt data. Option D is incorrect. SHA is a hashing algorithm and is used for integrity. SHA is used with SSL, and HMAC is used with TLS.
129. A company's database is beginning to grow, and the data-at-rest are becoming a concern with the security administrator. Which of the following is an option to secure the data-at-rest? A. SSL certificate B. Encryption C. Hashing D. TLS certificate
B. Data-at-rest is all data that is inactive and physically stored in a physical digital form such as nonvolatile memory. If the device the data is stored on is stolen, the unauthorized person will not be able to read the data due to the encryption. Option A is incorrect. SSL is designed to protect data in transit. Option C is incorrect. Hashing is a one-way encryption that transforms a string of characters into a fixed-length value or key, also known as a hash value. Hashes ensure the integrity of data or messages. Option D is incorrect. TLS is the successor to SSL and is designed to protect data in transit.
64. Data integrity is provided by which of the following? A. 3DES B. MD5 C. AES D. Blowfish
B. MD5 is a hashing algorithm that transforms a string of characters into a fixed-length value or key, also known as a hash value. Hashes ensure the integrity of data or messages. Options A, C, and D are incorrect. 3DES, AES, and Blowfish are symmetric algorithms. Also known as a secret key algorithm, a symmetric algorithm uses the same key to encrypt and decrypt data.
85. Katelyn, a network administrator, has deleted the account for a user who left the company last week. The user's files were encrypted with a private key. How can Katelyn view the user's files? A. The data can be decrypted using the backup user account. B. The data can be decrypted using the recovery agent. C. She must re-create the former user's account. D. The data can be decrypted using a CRL.
B. The data can be decrypted with a recovery agent if the company configured one before. If there is no recovery agent, the encrypted file will be unrecoverable. Option A is incorrect. The backup user account does not have the ability to recover the files that were encrypted by the other user. Option C is incorrect. The encrypted file cannot be recovered by re-creating the user's account. The new user account will have a different SID even though the name is the same, and it will not be able to access the files. Option D is incorrect. A CRL (certificate revocation list) is a list of digital certificates that have been revoked by the issuing certificate authority (CA) before their scheduled expiration date and should not be trusted
20. Which symmetric block cipher supersedes Blowfish? A. RSA B. Twofish C. MD5 D. PBKDF2
B. Twofish is a symmetric block cipher that replaced Blowfish. Option A is incorrect. RSA is an asymmetric algorithm. Option C is incorrect. MD5 is a hashing algorithm. Option D is incorrect. PBKDF2 is a key stretching algorithm.
4. Wi-Fi Alliance recommends that a passphrase be how many characters in length for WPA2-Personal security? A. 6 characters B. 8 characters C. 12 characters D. 16 characters
B. WiFi Alliance, a nonprofit organization that promotes WiFi technology, recommends a passphrase be at least eight characters long and include a mixture of upper- and lowercase letters and symbols. Options A, C, and D are incorrect.
146. Your company has discovered that several confidential messages have been intercepted. You decide to implement a web of trust to encrypt the files. Which of the following are used in a web of trust concept? (Choose two.) A. RC4 B. AES C. PGP D. GPG
C and D. PGP and GPG use a web of trust to establish the authenticity of the binding between a public key and its owner. Option A is incorrect. RC4 is a symmetric algorithm and does not use the web of trust concept. Option B is incorrect. AES is a symmetric algorithm and does not use the web of trust concept.
25. You are conducting a training program for new network administrators for your company. You talk about the benefits of asymmetric encryption. Which of the following are considered asymmetric algorithms? (Choose two.) A. RC4 B. DES C. RSA D. ECC
C and D. RSA is an asymmetric algorithm (also known as public key cryptography) that uses a public and a private key to encrypt and decrypt data during transmissions. ECC (elliptical curve cryptography) is based on elliptic curve theory that uses points on a curve to define more efficient public and private keys. Option A is incorrect. RC4 is a symmetric algorithm and uses one key to encrypt and decrypt data. Option B is incorrect. DES is a symmetric algorithm and uses one key to encrypt and decrypt data.
71. Which of the following standards was developed by the Wi-Fi Alliance and implements the requirements of IEEE 802.11i? A. NIC B. WPA C. WPA2 D. TKIP
C. 802.11i is an amendment to the original IEEE 802.11 and is implemented as WPA2. The amendment deprecated WEP. Option A is incorrect. A NIC (network interface card) enables a device to network with other devices. Option B is incorrect. WPA (WiFi Protected Access) is a security standard that replaced and improved on WEP. Option D is incorrect. TKIP is a wrapper that wraps around existing WEP encryption and is used in WPA. TKIP replaced WEP in WLAN devices.
127. Network data needs to be encrypted, and you are required to select a cipher that will encrypt 128 bits at a time before the data are sent across the network. Which of the following would you choose? A. Stream cipher B. Hash algorithm C. Block cipher D. Obfuscation
C. Block ciphers encrypt data one block, or fixed block, at a time. Option A is incorrect. Stream ciphers encrypt data one bit at a time. Option B is incorrect. Hashing is a one-way encryption that transforms a string of characters into a fixed-length value or key, also known as a hash value. Hashes ensure the integrity of data or messages. Option D is incorrect. Obfuscation is the action of making something difficult to read and understand.
37. You have been promoted to security administrator for your company and you need to be aware of all types of hashing algorithms for integrity checks. Which algorithm offers a 160-bit digest? A. MD5 B. RC4 C. SHA-1 D. AES
C. SHA-1 is a hashing algorithm that produces a 160-bit digest. Option A is incorrect. MD5 is a hashing algorithm that produces a 128-bit digest. Option B is incorrect. RC4 is a symmetric algorithm and encrypts data. Option D is incorrect. AES is a symmetric algorithm and encrypts data.
140. AES-CCMP uses a 128-bit temporal key and encrypts data in what block size? A. 256 B. 192 C. 128 D. 64
C. The AES-CCMP encryption algorithm used in the 802.11i security protocol uses the AES block cipher and limits the key length to 128 bits. AES-CCMP makes it difficult for an eavesdropper to spot patterns. Options A, B, and D are incorrect. AES-CCMP is restricted to a key length of 128 bits.
60. Which of the following are negotiation protocols commonly used by TLS? (Choose two.) A. DHE B. ECDHE C. RSA D. SHA
A and B. DHE (Diffie-Hellman Ephemeral) and ECDHE (Elliptic Curve Diffie-Hellman Ephemeral) are commonly used with TLS to provide perfect forward secrecy. Option C is incorrect. RSA is an asymmetric algorithm (also known as public key cryptography) that uses a public and a private key to encrypt and decrypt data during transmissions. Option D is incorrect. SHA is a hashing algorithm and is used for integrity.
47. Which of the following benefits do digital signatures provide? (Choose two.) A. Nonrepudiation B. Authentication C. Encryption D. Key exchange
A and B. Digital signatures provide three core benefits: authentication, integrity, and nonrepudiation. Option C is incorrect. A digital signature is a one-way hash and encrypted with the private key. A digital signature does not encrypt data. Option D is incorrect. A digital signature is used for authentication, integrity, and nonrepudiation—not to securely exchange keys.
145. Which of the following are the filename extensions for PKCS #12 files? (Choose two.) A. .p12 B. .KEY C. .pfx D. .p7b
A and C. .p12 and .pfx are filename extensions for PKCS #12 files. Option B is incorrect. KEY is used for both private and public PKCS #8 keys. Option D is incorrect. p7b is a filename extension for PKCS #7 and is used to sign and/or encrypt messages under a PKI. It also provides a syntax for disseminating certificates.
52. Your security manager is looking to implement a one-time pad scheme for the company's salespeople to use when traveling. Which of the following best describes a requirement for this implementation? (Choose three.) A. The pad must be distributed securely and protected at its destination. B. The pad must always be the same length. C. The pad must be used only one time. D. The pad must be made up of truly random values.
A, C, and D. A one-time pad must be delivered by a secure method and properly guarded at each destination. The pad must be used one time only to avoid introducing patterns, and it must be made up of truly random values. Today's computer systems have pseudorandom- number generators, which are seeded by an initial value from some component within the computer system. Option B is incorrect. The one-time pad must be at least as long as the message. If the pad is not as long as the message, it will need to be reused to be the same length as the message. This could introduce patterns and make it easy to crack.
99. Which of the following types of device are found in a network that supports Wi-Fi Protected Setup (WPS) protocol? (Choose three.) A. Registrar B. Supplicant C. Enrollee D. Access Point
A, C, and D. The WiFi Protected Setup protocols define the following devices in a network. A registrar is the device with the authority to issue or revoke access to the network. The enrollee is a client device that is seeking to join the wireless network. The AP (access point) functions as a proxy between the registrar and the enrollee. Option B is incorrect. A supplicant is the client that authenticates against the RADIUS server using an EAP method configured on the RADIUS server.
136. Which of the following transpires in a PKI environment? A. The CA signs the certificate. B. The RA signs the certificate. C. The RA creates the certificate and the CA signs it. D. The CA creates the certificate and the RA signs it.
A. A CA (certificate authority) is a trusted entity that creates and digitally signs certificates so the receiver can verify the certificate came from that specific CA. Option B is incorrect. The RA (registered authority) does not digitally sign the certificate; the CA (certificate authority) performs this action. Option C is incorrect. The RA (registered authority) performs the certification registration duties. The RA identifies the individual requesting a certificate and initiates the certification process with the CA on behalf of the individuals. The CA creates and signs the certificate. Option D is incorrect. The CA (certificate authority) creates and digitally signs the certificate. The RA (registered authority) performs the certification registration duties.
98. You are a security technician and have been given the task to implement a PKI on the company's network. When verifying the validity of a certificate, you want to ensure bandwidth isn't consumed. Which of the following can you implement? A. CRL B. OCSP C. Key escrow D. CA
A. A CRL (certificate revocation list) is a list of digital certificates that have been revoked by the issuing certificate authority (CA) before their scheduled expiration date and should not be trusted. Option B is incorrect. OCSP (Online Certificate Status Protocol) is a protocol that can be used to query a certificate authority about the revocation status of a given certificate. An OCSP response contains signed assertions that a certificate is not revoked. Option C is incorrect. Key escrow is a security measure where cryptographic keys are held in escrow by a third party and under normal circumstances, the key should not be released to someone other than the sender or receiver without proper authorization. Option D is incorrect. A CA (certificate authority) is a trusted entity that issues electronic documents that verify a digital entity's identity on the Internet or computer network.
121. The CIO has instructed you to set up a system where credit card data will be encrypted with the most secure symmetric algorithm with the least amount of CPU usage. Which of the following algorithms would you choose? A. AES B. SHA-1 C. MD5 D. 3DES
A. AES (Advanced Encryption Standard) is a symmetric algorithm used to encrypt data that uses the least amount of CPU usage. Option B is incorrect. SHA-1 is a hashing algorithm that transforms a string of characters into a fixed-length value or key, also known as a hash value. Hashes ensure the integrity of data or messages. Option C is incorrect. MD5 is a hashing algorithm that transforms a string of characters into a fixed-length value or key, also known as a hash value. Hashes ensure the integrity of data or messages. Option D is incorrect. 3DES is a symmetric algorithm used to encrypt data by applying the DES cipher algorithm three times to the data, and it uses a lot of CPU resources.
138. AES is an algorithm used for which of the following? A. Encrypting a large amount of data B. Encrypting a small amount of data C. Key recovery D. Key revocation
A. AES (Advanced Encryption Standard) is a symmetric algorithm used to encrypt large amounts of data (bulk). Option B is incorrect. Asymmetric algorithms are used to encrypt a small amount of data. Option C is incorrect. A key escrow is a database of stored keys that can be recovered should the original user's key be lost or compromised. Option D is incorrect. A CRL (certificate revocation list) is a list of digital certificates that have been revoked by the issuing certificate authority (CA) before their scheduled expiration date and should not be trusted.
65. Which of the following is a symmetric encryption algorithm that is available in 128-bit, 192-bit, and 256-bit key versions? A. AES B. DES C. RSA D. TKIP
A. AES is a symmetric encryption that supports key sizes of 128, 192, and 256 bits. Option B is incorrect. DES is a symmetric encryption that supports a key size of 56 bits. Option C is incorrect. RSA is an asymmetric encryption. Option D is incorrect. TKIP is a wrapper that wraps around existing WEP encryption and supports a key size of 128 bits.
32. Which of the following is an encryption standard that uses a single 56-bit symmetric key? A. DES B. 3DES C. AES D. WPS
A. DES is a symmetric encryption standard that uses a key length of 56 bits. Option B is incorrect. Option C is incorrect. AES uses a block length of 128 bits and key lengths of 128, 192, or 256 bits. Option D is incorrect. WPS is a network security standard that allows home users to easily add new devices to an existing wireless network without entering long passphrases.
63. Katelyn is sending an important email to Zackary, the manager of human resources. Company policy states messages to human resources must be digitally signed. Which of the following statements is correct? A. Katelyn's public key is used to verify the digital signature. B. Katelyn's private key is used to verify the digital signature. C. Zackary's public key is used to verify the digital signature. D. Zackary's private key is used to verify the digital signature.
A. Digital signatures are created with the sender's private key and verified by the sender's public key. Answers B, C, and D are incorrect. Katelyn is sending the digital signature created by her private key and Zackary verifies the digital signature by obtaining Katelyn's public key.
45. Your company's branch offices connect to the main office through a VPN. You recently discovered the key used on the VPN has been compromised. What should you do to ensure the key isn't compromised in the future? A. Enable perfect forward secrecy at the main office and branch office ends of the VPN. B. Enable perfect forward secrecy at the main office end of the VPN. C. Enable perfect forward secrecy at the branch office end of the VPN. D. Disable perfect forward secrecy at the main office and branch office ends of the VPN.
A. Enable perfect forward secrecy (PFS) at the main office and branch office end of the VPN. Perfect forward secrecy is a way to ensure the safety of session keys from future abuse by threat actors. Options B, C, and D are incorrect. You should enable PFS at both ends of the VPN since PFS depends on asymmetric encryption and ensures the session key created from the public and private keys will not be compromised if one of the private keys is compromised.
36. You are the network administrator for a small office of 35 users and need to utilize mail encryption that will allow specific users to encrypt outgoing email messages. You are looking for an inexpensive onsite encryption server. Which of the following would you implement? A. PGP/GPG B. WPA2 C. CRL D. EAP-TLS
A. PGP (Pretty Good Privacy) or GPG (GNU Privacy Guard) provides a low-cost or open source alternative solution that allows users to encrypt their outgoing emails. Option B is incorrect. WPA2 is a security standard that secures computers connected to a WiFi network. Option C is incorrect. A CRL (certificate revocation list) is a list of digital certificates that have been revoked by the issuing certificate authority (CA) before their scheduled expiration date and should not be trusted. Option D is incorrect. EAP-TLS is a remote access authentication protocol that supports the use of smartcards.
26. Which of the following is a form of encryption also known as ROT13? A. Substitution cipher B. Transposition cipher C. Diffusion D. Confusion
A. Substitution ROT13 replaces a letter with the 13th letter after it in the alphabet. Option B is incorrect. Transposition scrambles data by reordering the plain text in some certain way. Option C is incorrect. Diffusion is a change in the plain text resulting in multiple changes that are spread out throughout the ciphertext. Option D is incorrect. Confusion encryption is a method that uses a relationship between the plain text and the key that is so complicated the plain text can't be altered and the key can't be determined by a threat actor.
49. Your IT support center is receiving a high number of calls stating that users trying to access the company's website are receiving certificate errors within their browsers. Which of the following statements best describes what the issue is? A. The website certificate has expired. B. Users have forgotten their usernames or passwords. C. The domain name has expired. D. The network is currently unavailable.
A. Users are receiving the error because the website certificate has expired. The user can continue accessing the website, but the error will state the user could be accessing an untrusted site. Option B is incorrect. The scenario states that users are receiving an error when they access the company's website. Users are not logging into the company's website, so any username and password issue would not fit in this scenario. Option C is incorrect. If the domain had expired, the users would receive a page stating that the website domain is unavailable. Domain name expiration does not relate to this scenario. Option D is incorrect. If the network was unavailable, the users would not be able to access the company's website whether or not the certificate was expired. The users would possibly not be able to access other resources.
72. You are asked to create a wireless network for your company that implements a wireless protocol that provides maximum security while providing support for older wireless devices. Which protocol should you use? A. WPA B. WPA2 C. WEP D. IV
A. WPA (WiFi Protected Access) is a security standard that replaced and improved on WEP and is designed to work with older wireless clients. Option B is incorrect. WPA2 implements the 802.11i standard completely but does not support the use of older wireless cards. Option C is incorrect. WEP is a security standard for wireless networks and devices but is not as secure as WPA. Option D is incorrect. An IV (initialization vector) is an arbitrary number that is used with a secret key for data encryption.
123. When setting up a secure wireless company network, which of the following should you avoid? A. WPA B. WPA2 C. EAP-TLS D. PEAP
A. WPA (WiFi Protected Access) is a security standard that replaced and improved on WEP. WPA is less secure than WPA2. Option B is incorrect. WPA2 provides message authenticity and integrity verification by the use of the AES algorithm and is stronger and more reliable than WPA. Option C is incorrect. EAP-TLS is a remote access authentication protocol that supports the use of smartcards. EAP-TLS is more secure than WPA. Option D is incorrect. PEAP is an encapsulating protocol that uses a certificate on the authentication server and a certificate on the client. It supports password-based authentication
87. Tim, a wireless administrator, has been tasked with securing the company's WLAN. Which of the following cryptographic protocols would Tim use to provide the most secure environment for the company? A. WPA2 CCMP B. WEP C. WPA D. WPA2 TKIP
A. WPA2 CCMP replaced TKIP and is a more advanced encryption standard. CCMP provides data confidentiality and authentication. Option B is incorrect. WEP (Wired Equivalent Privacy) is a security standard for 802.11b. It is designed to provide the least security for a WLAN. Option C is incorrect. WPA (WiFi Protected Access) is a security standard that replaced and improved on WEP. WPA is less secure than WPA2. Option D is incorrect. TKIP is an older encryption protocol introduced with WPA to replace the insecure WEP encryption. TKIP is considered deprecated and should not be used.
144. Which of the following statements are correct about public and private key pairs? (Choose two.) A. Public and private keys work in isolation of each other. B. Public and private keys work in conjunction with each other as a team. C. If the public key encrypts the data using an asymmetric encryption algorithm, the corresponding private key is used to decrypt the data. D. If the private key encrypts the data using an asymmetric encryption algorithm, the receiver uses the same private key to decrypt the data.
B and C. Public and private keys work with each other to encrypt and decrypt data. If the data is encrypted with the receiver's public key, the receiver decrypts the data with their private key. Option A is incorrect. Public and private keys are not isolated from each other. If you encrypt data with one key, the other key is used to decrypt the data. Option D is incorrect. Data that is encrypted with the private key will be decrypted with the corresponding public key. The private key is designed to be held privately by the owner and not shared.
80. Which of the following use PSK authentication? (Choose two.) A. WPA-Enterprise B. WPA-Personal C. WPA2-Personal D. WPA2-Enterprise
B and C. Security used in SOHO environments is PSK (preshared key) authentication. WPA-Personal and WPA2-Personal use the PSK authentication method. Options A and D are incorrect. WPA-Enterprise and WPA2-Enterprise, also known as 802.1x, use a RADIUS server for authentication purposes.
13. Which of the following symmetric key algorithms are block ciphers? (Choose two.) A. MD5 B. 3DES C. RC4 D. Blowfish
B and D. 3DES and Blowfish are a symmetric-key block cipher. 3DES and Blowfish use a block size of 64 bits. Option A is incorrect. MD5 is a hashing algorithm and is used for integrity. Option C is incorrect. RC4 is a stream cipher and uses key sizes of 40 to 2048 bits.
76. Your company has a public key infrastructure (PKI) in place to issue digital certificates to users. Recently, your company hired temporary contractors for a project that is now complete. Management has requested that all digital certificates issued to the contractors be revoked. Which PKI component would you consult for the management's request? A. CA B. CRL C. RA D. CSR
B. A CRL (certificate revocation list) is a list of digital certificates that have been revoked by the issuing certificate authority (CA) before their scheduled expiration date and should not be trusted. Option A is incorrect. A certificate authority (CA) is a trusted entity that issues electronic documents that verify a digital entity's identity on the Internet or computer network. Option C is incorrect. A registered authority (RA) is used to verify requests for certificates and forwards responses to the CA. Option D is incorrect. A certificate signing request (CSR) is a request an applicant sends to a CA for the purpose of applying for a digital identity certificate.
62. Which of the following ciphers was created from the foundation of the Rijndael algorithm? A. TKIP B. AES C. DES D. 3DES
B. AES is a subset of the Rijndael cipher developed by Vincent Rijmen and Joan Daemen. Rijndael is a family of ciphers with different key and block sizes. Option A is incorrect. TKIP uses RC4. RC4 was designed by Ron Rivest of RSA Security. Option C is incorrect. DES is a block cipher and is unrelated to Rijndael. Option D is incorrect. 3DES is a block cipher and is unrelated to Rijndael.
92. Which of the following types of encryption offers easy key exchange and key management? A. Obfuscation B. Asymmetric C. Symmetric D. Hashing
B. Asymmetric encryption is also known as public key cryptography and uses public and private keys to exchange a session key between two parties. It offers key management by administering the life cycle of cryptographic keys and protecting them from loss or misuse. Option A is incorrect. Obfuscation is the action of making something difficult to read and understand. Option C is incorrect. Symmetric encryption, also known as a secret key algorithm, uses the same key to encrypt and decrypt data. Option D is incorrect. Hashing is a one-way encryption that transforms a string of characters into a fixed-length value or key, also known as a hash value. Hashes ensure the integrity of data or messages.
19. You must implement a cryptography system that applies encryption to a group of data at a time. Which of the following would you choose? A. Stream B. Block C. Asymmetric D. Symmetric
B. Block ciphers encrypt data one block, or fixed block, at a time. Cryptographic service provider, a cryptographic module, performs block and stream cryptography algorithms. Option A is incorrect. Stream ciphers encrypt data one bit at a time. Option C is incorrect. An asymmetric algorithm, also known as public key cryptography, uses public and private keys to encrypt and decrypt data. Option D is incorrect. A symmetric algorithm, also known as a secret key algorithm, uses the same key to encrypt and decrypt data.
3. Mary is concerned about the validity of an email because a coworker denies sending it. How can Mary prove the authenticity of the email? A. Symmetric algorithm B. Digital signature C. CRL D. Asymmetric algorithm
B. Digital signatures are created by using the user's or computer's private key that is accessible only to that user or computer. Nonrepudiation is the assurance that someone cannot deny something. Option A is incorrect. A symmetric algorithm, also known as a secret key algorithm, uses the same key to encrypt and decrypt data. Option C is incorrect. A CRL (certificate revocation list) is a list of digital certificates that have been revoked by the issuing certificate authority (CA) before their scheduled expiration date and should not be trusted. Option D is incorrect. An asymmetric algorithm, also known as public key cryptography, uses public and private keys to encrypt and decrypt data.
22. Which of the following protocols should be used to authenticate remote access users with smartcards? A. PEAP B. EAP-TLS C. CHAP D. MS-CHAPv2
B. EAP-TLS is a remote access authentication protocol that supports the use of smartcards. Option A is incorrect. PEAP is an encapsulating protocol that uses a certificate on the authentication server and a certificate on the client. It supports password-based authentication. Option C is incorrect. CHAP authenticates by using PPP servers to validate the identity of remote clients. It supports password-based authentication. Option D is incorrect. MS-CHAPv2 is Microsoft's version of CHAP and is used as an authentication option with RADIUS. It supports password-based authentication.
57. Which cryptography concept uses points on a curve to define public and private key pairs? A. Obfuscation B. ECC C. Stream cipher D. Block cipher
B. ECC (elliptical curve cryptography) is based on elliptic curve theory that uses points on a curve to define more efficient public and private keys. Option A is incorrect. Obfuscation is the action of making something difficult to read and understand. Option C is incorrect. Stream ciphers encrypt data one bit at a time. Option D is incorrect. Block ciphers encrypt data one block, or fixed block, at a time.
21. Root CAs can delegate their authority to which of the following to issue certificates to users? A. Registered authorities B. Intermediate CAs C. CRL D. CSR
B. In a certification hierarchy, the root CA certifies the intermediate CA and can issue certificates to users, computers, or services. Option A is incorrect. A registered authority (RA) is used to verify requests for certificates and forwards responses to the CA. Option C is incorrect. A CRL (certificate revocation list) is a list of digital certificates that have been revoked by the issuing certificate authority (CA) before their scheduled expiration date and should not be trusted. Option D is incorrect. A CSR (certificate signing request) is a request an applicant sends to a CA for the purpose of applying for a digital identity certificate.
102. Which of the following is an authentication service and uses UDP as a transport medium? A. TACACS+ B. RADIUS C. LDAP D. Kerberos
B. RADIUS is a client-server protocol that enables remote access servers to communicate with a central server to authenticate users. RADIUS uses symmetric encryption for security, and messages are sent as UDP. Option A is incorrect. TACACS+ is a Cisco proprietary authentication protocol and is used to securely access Cisco devices. TACACS+ uses TCP to send messages. Option C is incorrect. LDAP (Lightweight Directory Access Protocol) is a software protocol to help locate individuals and other resources within a network. Option D is incorrect. Kerberos is a protocol for authenticating service requests between trusted hosts across an untrusted network such as the Internet. Kerberos uses tickets to provide mutual authentication
34. SSL is a protocol used for securing transactions transmitting over an untrusted network such as the Internet. Which of the following best describes the action that occurs during the SSL connection setup process? A. The client creates a session key and encrypts it with the server's private key. B. The client creates a session key and encrypts it with the server's public key. C. The server creates a session key and encrypts it with the client's private key. D. The server creates a session key and encrypts it with the client's public key.
B. SSL (Secure Socket Layer) uses public key encryption. When a client accesses a secured website, it will generate a session key and encrypt it with the server's public key. The session key is decrypted with the server's private key, and the session key is used to encrypt and decrypt data sent back and forth. Option A is incorrect. The server's private key is held privately by the server and is used only to decrypt data the client encrypted with the server's public key. Option C is incorrect. The server doesn't create the session key as the client is accessing the secured website. Option D is incorrect. The server doesn't create the session key as the client is accessing the secured website. The server's public key is used to encrypt the session key created by the client.
117. Which statement is true regarding the difference between a secure cipher and a secure hash? A. A secure hash can be reversed; a secure cipher cannot. B. A secure cipher can be reversed; a secure hash cannot. C. A secure hash produces a variable output for any input size; a secure cipher does not. D. A secure cipher produces the same size output for any input size; a hash does not.
B. Secure ciphers can be reverse engineered, but hashes cannot be reversed when reverse engineered attempting to re-create a data file. Hashing is a one-way encryption that is used for integrity purposes. Options A, C, and D are incorrect. These statements are incorrect about the difference between a secure cipher and a secure hash. A secure hash creates the same size for any input size.
15. What encryption protocol does WEP improperly use? A. RC6 B. RC4 C. AES D. DES
B. WEP uses the encryption protocol RC4 and is considered insecure. Options A, C, and D are incorrect. WEP does not use the RC6, AES, or DES encryption protocol.
141. Which of the following implement Message Integrity Code (MIC)? (Choose two.) A. AES B. DES C. CCMP D. TKIP
C and D. Message Integrity Code (MIC) is a security improvement for WEP encryption within wireless networks. TKIP and CCMP use MIC, which provides an integrity check on the data packet. Options A and B are incorrect. They are encryption algorithms and are not concerned with message integrity.
48. Your company has asked you to recommend a secure method for password storage. Which of the following would provide the best protection against brute-force attacks? (Choose two.) A. ROT13 B. MD5 C. PBKDF2 D. BCRYPT
C and D. PBKDF2 applies a pseudo-random function such as a HMAC to the password along with a salt value and produces a derived key. PBKDF2 is designed to protect against brute-force attacks. BCRYPT is a password-hashing function derived from the Blowfish cipher. It adds a salt value to protect against rainbow table attacks. Option A is incorrect. ROT13 is a substitution cipher, also known as a Caesar cipher, that replaces a letter with the 13th letter after it in the alphabet. ROT13 is not recommended in this scenario due to patterns it creates. Option B is incorrect. MD5 is a hashing algorithm that transforms a string of characters into a fixed-length value or key, also known as a hash value. Hashes ensure the integrity of data or messages. MD5 is considered weak and is not recommended.
137. Which of the following statements best describes how a digital signature is created? A. The sender encrypts a message digest with the receiver's public key. B. The sender encrypts a message digest with the receiver's private key. C. The sender encrypts a message digest with his or her private key. D. The sender encrypts a message digest with his or her public key.
C. A digital signature is a hash value (message digest) that is encrypted with the sender's private key. The receiver performs a hashing function on the message and decrypts the sent hash value with the sender's public key and compares the two hash values. If the hash values are the same, the message actually came from the sender. This is performed by DSA (digital signature algorithm) and allows traceability to the person signing the message through the use of their private key. Option A is incorrect. The sender will encrypt a hash value (message digest) with its own private key, not the receiver's public key. The receiver's public key is not part of the process. Option B is incorrect. The sender encrypts the hash value (message digest) with its own private key, not the receiver's private key. The receiver's private key is always kept private by the owner. Option D is incorrect. The receiver uses the sender's public key to decrypt the hash value (message digest) and compares the hash value produced by the receiver to verify that the message came from the sender.
150. A college wants to move data to a USB flash drive and has asked you to suggest a way to secure the data in a quick manner. Which of the following would you suggest? A. 3DES B. SHA-256 C. AES-256 D. SHA-512
C. AES-256 can encrypt data quickly and securely with a USB flash drive. Option A is incorrect. 3DES is an encryption algorithm but is not effective for sending information in a highly secure manner and quickly to a USB flash drive. Options B and D are incorrect. They are examples of hash algorithms used to verify the integrity of the data.
35. Which of the following EAP types requires both server and client certificates? A. EAP-FAST B. PEAP C. EAP-TLS D. EAP-TTLS
C. EAP-TLS requires both client and server to have certificates. The authentication is mutual where the server authenticates to the client and the client authenticates to the server. Options A, B, and D are incorrect. The other EAP types may use client certificates but they are not required.
74. Which of the following algorithms is generally used in mobile devices? A. 3DES B. DES C. ECC D. AES
C. ECC (elliptical curve cryptography) uses less processing power and works best in devices such as wireless devices and cellular phones. ECC generates keys faster than other asymmetric algorithms. Determining the correct set of security and resource constraints is an important beginning step when planning a cryptographic implementation. Options A, B, and D are incorrect. 3DES, DES, and AES are not used in mobile devices because they use more computing power to generate cryptographic keys than ECC. It's important that there be high resiliency in cryptography, or the ability to resume normal operations after an external disruption.
53. A threat actor has created a man-in-the-middle attack and captured encrypted communication between two users. The threat actor was unable to decrypt the messages. Which of the following is the reason the threat actor is unable to decrypt the messages? A. Hashing B. Symmetric encryption C. Asymmetric encryption D. Key escrow
C. In asymmetric encryption, sometimes referred to as public key encryption, the private key is used to decrypt an encrypted file. Option A is incorrect. Hashing is a one-way encryption that transforms a string of characters into a fixed-length value or key, also known as a hash value. Hashes ensure the integrity of data or messages. Option B is incorrect. Symmetric encryption uses the same key to encrypt and decrypt the data. Option D is incorrect. Key escrow is a cryptographic key exchange process in which a key is stored by a third party. Should the original user's key be lost or compromised, the stored key can be used to decrypt encrypted material, allowing restoration of the original material to its unencrypted state.
103. Which of the following is true regarding the importance of encryption of data-at-rest for sensitive information? A. It renders the recovery of data more difficult should the user lose their password. B. It allows the user to verify the integrity of the data on the stored device. C. It prevents the sensitive data from being accessed after a theft of the physical equipment. D. It renders the recovery of data easier should the user lose their password.
C. Should a hard drive be stolen, the data will not be able to be read as the data is scrambled, or encrypted, and can be read only by the corresponding key. Option A and D are incorrect Encrypting data-at-rest will not help a user decrypt their data should they lose their password. Option B is incorrect. Encrypting data-at-rest will not help verify the integrity of the data. Hashing is designed to verify the integrity of data.
104. You are a network administrator and your manager has asked you to enable WPA2 CCMP for wireless clients, along with an encryption to protect the data transmitting across the network. Which of the following encryption methods would you use along with WPA2 CCMP? A. RC4 B. DES C. AES D. 3DES
C. Using AES with CCMP incorporates two cryptographic techniques that provide a more secure protocol between a mobile client and the access point. Option A is incorrect. RC4 is an example of a stream cipher that encrypts data one bit at a time and is not used along with CCMP. Option B is incorrect. DES is a symmetric encryption that supports a key size of 56 bits and is not used along with CCMP. Option D is incorrect. 3DES is a symmetric algorithm that is used to encrypt data by applying the DES cipher algorithm three times to the data and is not used along with CCMP.
149. You recently upgraded your wireless network so that your devices will use the 802.11n protocol. You want to ensure all communication on the wireless network is secure with the strongest encryption. Which of the following is the best choice? A. WEP B. WPA C. WPA2 D. WPS
C. WPA2 is a security standard that secures computers connected to the 802.11n WiFi network. It provides the strongest available encryption for wireless networks. Option A is incorrect. WEP (Wired Equivalent Privacy) is a security standard for 802.11b. It is designed to provide a level of security for a WLAN. Option B is incorrect. WPA (WiFi Protected Access) is a security standard that replaced and improved on WEP. WPA is not as secure as WPA2. Option D is incorrect. WPS (WiFi Protected Setup) is a network security standard that allows home users to easily add new devices to an existing wireless network without entering long passphrases. WPS is known to have vulnerabilities and is not recommended.
114. Your manager wants to implement a security measure to protect sensitive company data that reside on the remote salespeople's laptops should they become lost or stolen. Which of the following measures would you implement? A. Implement WPS on the laptops. B. Set BIOS passwords on the laptops. C. Use whole-disk encryption on the laptops. D. Use cable locks on the laptops.
C. Whole-disk encryption, such as BitLocker on a Windows OS, will protect the contents of a laptop if it is lost or stolen. If the thief were to take the hard drive out of the laptop and try reading the content, they would be unsuccessful. Option A is incorrect. WPS (WiFi Protected Setup) is a network security standard that allows home users to easily add new devices to an existing wireless network without entering long passphrases. Option B is incorrect. A BIOS password would prevent an unauthorized user from booting to the OS and possibly reading the data content. A BIOS password does not protect the data should the hard drive be removed and accessed. Option D is incorrect. A cable lock is a security device designed to deter theft of a laptop. A cable lock does not protect the data from being accessed.
97. You are a network administrator for your company, and the single AP that allows clients to connect to the wireless LAN is configured with a WPA-PSK preshared key of the company name followed by the number 1. Which of the following statements is correct regarding this implementation? A. It is secure because WPA-PSK resolved the problem with WEP. B. It is secure because the preshared key is at least five characters long. C. It is not secure because the preshared key includes only one number and the company name so it can be easily guessed. D. It is not secure because WPA-PSK is as insecure as WEP and should never be used.
C. With a single number appended to the company name, the preshared key can be easily guessed. A secure preshared key is at least eight ASCII characters in length and follows the complexity rule. Option A is incorrect. WPA (WiFi Protected Access) is a security standard that replaced and improved on WEP. Replacing WEP with WPA is not secure enough as the preshared key must follow the complexity rule and be at least eight ASCII characters in length. Option B is incorrect. The preshared key must be at least eight ASCII characters in length and follow the complexity rule. Option D is incorrect. WPA (WiFi Protected Access) is a security standard that replaced and improved on WEP.
101. The process of deleting data by sending a single erase or clear instruction to an address of the nonvolatile memory is an example of securing which of the following? A. Data-in-transit B. Data-over-the-network C. Data-in-use D. Data-at-rest
D. Data-at-rest is all data that is inactive and physically stored in a physical digital form such as nonvolatile memory. Option A is incorrect. Data-in-transit is data that flows over the public or private network. Option B is incorrect. Data-over-the-network is not defined as the three states of digital data. Option C is incorrect. Data-in-use is all data that is active and stored in volatile memory such as RAM, CPU caches, or CPU registers
23. Tom is sending Mary a document and wants to show the document came from him. Which of the following should Tom use to digitally sign the document? A. TKIP B. Intermediate CA C. Public key D. Private key
D. Digital signatures are created by using the user's or computer's private key that is accessible only to that user or computer. Nonrepudiation is the assurance that someone cannot deny something. Option A is incorrect. TKIP is a wrapper that wraps around existing WEP encryption and is used in WPA. TKIP replaced WEP in WLAN devices. Option B is incorrect. An intermediate certificate authority sits between the root certificate authority and the end entity to better secure the root certificate authority. Intermediate certificate authorities can also help a large organization handle large requests for certifications. Option C is incorrect. A public key is held by the certificate authority and is available for anyone to use to encrypt data or verify a user's digital signature.
118. Which certificate format is typically used on Windows OS machines to import and export certificates and private keys? A. DER B. AES C. PEM D. PFX
D. PFX (personal information exchange) files are typically used with Windows OSs that include digital certificates and are used for authentication processes involved in determining if a user or device can access certain files. Option A is incorrect. DER (distinguished encoding rules) is a binary form of PEM certificate and is typically used in Java platform. Option B is incorrect. AES is an asymmetric encryption algorithm. Option C is incorrect. PEM (privacy-enhanced electronic mail) is a certificate format used for securing email using public key cryptography. PEM became an IETF proposed standard; it was never widely developed or used.
107. Which of the following defines a file format commonly used to store private keys with associated public key certificates? A. PKCS #1 B. PKCS #3 C. PKCS #7 D. PKCS #12
D. PKCS #12 is a file that contains both the private key and the X.509 certificate and can be installed by the user on servers or workstations. X.509 certificates can be a wildcard certificate for multiple entities under a single fully qualified domain name. Option A is incorrect. PKCS #1 defines the mathematical properties and format of RSA public and private keys. Option B is incorrect. PKCS #3 is a cryptographic protocol that allows two parties to jointly establish a shared key over an insecure network such as the Internet. Option C is incorrect. PKCS #7 is used to sign and/or encrypt messages within a PKI (public key infrastructure).
133. You are a security administrator looking to implement a two-way trust model. Which of the following would you use? A. ROT13 B. PGP C. WPA2 D. PKI
D. PKI (public key infrastructure) is an entire system of hardware, software, policies and procedures, and people. PKI creates, distributes, manages, stores, and revokes certificates. A trust model is used to set up trust between CAs. A certificate has a subject alternative name (SAN) for machines (fully qualified domain names) or users (user principal name). Option A is incorrect. ROT13 is a substitution cipher, also known as a Caesar cipher, and it replaces a letter with the 13th letter after it in the alphabet. Option B is incorrect. PGP (Pretty Good Privacy) is a method used for encrypting and decrypting digital files and communications over the Internet. It also provides data and file integrity services by digitally signing messages. Option C is incorrect. WPA2 is a security standard that secures computers connected to a WiFi network
42. Which of the following is mainly used for remote access into a network? A. TACACS+ B. XTACACS C. Kerberos D. RADIUS
D. RADIUS is a client-server protocol that enables remote access servers to communicate with a central server to authenticate users. RADIUS uses symmetric encryption for security. Option A is incorrect. TACACS+ is a Cisco proprietary authentication protocol and is used to securely access Cisco devices. Option B is incorrect. XTACACS is a Cisco proprietary authentication protocol that replaced TACACS and was used to securely access Cisco devices. Option C is incorrect. Kerberos is a protocol for authenticating service requests between trusted hosts across an untrusted network such as the Internet.
124. You want to authenticate and log connections from wireless users connecting with EAP-TLS. Which of the following should be used? A. Kerberos B. LDAP C. SAML D. RADIUS
D. RADIUS is a networking protocol that provides centralized AAA for users connecting and using a network service. EAP-TLS offers a good deal of security with the use of TLS and uses PKI to secure communication to the RADIUS authentication server. Option A is incorrect. Kerberos is a protocol for authenticating service requests between trusted hosts across an untrusted network such as the Internet. Kerberos uses tickets to provide mutual authentication. Option B is incorrect. LDAP (Lightweight Directory Access Protocol) is a software protocol to help locate individuals and other resources within a network. Option C is incorrect. SAML (Security Assertion Markup Language) is an open-standard data format centered on XML. It supports the exchange of authentication and authorization details between systems, services, and devices. It does not authenticate and log connections from wireless users.
7. Your company has implemented a RADIUS server and has clients that are capable of using multiple EAP types, including one configured for use on the RADIUS server. Your security manager wants to implement a WPA2-Enterprise system. Since you have the RADIUS server and clients, what piece of the network would you need? A. Network access control B. Authentication server C. Authenticator D. Supplicant
D. You would need the supplicant. The authenticator, an AP or wireless controller, sends authentication messages between the supplicant and authentication server. Option A is incorrect. Network access control (NAC) increases the security of a proprietary network by restricting access to devices that do not comply with a defined security policy. Option B is incorrect. The authentication server is the RADIUS server and is responsible for authenticating users wanting to connect to the network. Option C is incorrect. The authenticator is the client that authenticates against the RADIUS server using an EAP method configured on the RADIUS server.
142. James, a WLAN security engineer, recommends to management that WPA-Personal security should not be deployed within the company's WLAN for their vendors. Which of the following statements best describe James's recommendation? (Choose two.) A. Static preshared passphrases are susceptible to social engineering attacks. B. WPA-Personal uses public key encryption. C. WPA-Personal uses a weak TKIP encryption. D. WPA-Personal uses a RADIUS authentication server.
A and C. Preshared passphrases can be obtained from a threat actor by the use of social engineering skills and connect to the AP. WPA-Personal uses TKIP encryption, which is considered a weak option. Option B is incorrect. WPA-Personal uses a preshared passphrase that is entered in the AP and each device that wants to connect to the network. Option D is incorrect. WPA-Enterprise uses a RADIUS server, not WPA-Personal.
6. Which of the following are restricted to 64-bit block sizes? (Choose two.) A. DES B. SHA C. MD5 D. 3DES
A and D. DES and 3DES are symmetric-key block ciphers using a 64-bit block size. Option B is incorrect. SHA is a hashing algorithm and is used for integrity. Option C is incorrect. MD5 is a hashing algorithm and is used for integrity.
82. Elliptic curve cryptosystem (ECC) is an asymmetric algorithm. Which of the following statements best describe why ECC is different from other asymmetric algorithms? (Choose two.) A. It is more efficient. B. It provides digital signatures, secure key distribution, and encryption. C. It uses more processing power to perform encryption. D. It provides fast key generation.
A and D. Elliptic curve cryptosystem (ECC) differs from other asymmetric algorithms due to its efficiency. ECC uses less processing power and works best in low power devices such as wireless devices and cellular phones. ECC generates keys faster than other asymmetric algorithms. Option B is incorrect. ECC is not the only asymmetric algorithm that provides digital signatures, secure key distribution, and encryption. Option C is incorrect. ECC uses less processing power than other asymmetric algorithms.
67. In an 802.1x implementation, which of the following devices mutually authenticate with each other? (Choose two.) A. Authentication server B. Certificate authority C. Domain controller D. Supplicant
A and D. The authentication server and supplicant mutually authenticate with each other. This helps prevent rogue devices from connecting to the network. Option B is incorrect. A certificate authority (CA) is a trusted entity that issues electronic documents that verify a digital entity's identity on the Internet or computer network. Option C is incorrect. A domain controller (DC) is a server computer within a Windows domain that responds to requests such as logging in or checking permissions.
91. Zack, an administrator, needs to renew a certificate for the company's web server. Which of the following would you recommend Zack submit to the CA? A. CSR B. Key escrow C. CRL D. OCSP
A. A CSR (certificate signing request) is a request an applicant sends to a CA for the purpose of applying for a digital identity certificate. Option B is incorrect. Key escrow is a cryptographic key exchange process in which a key is stored by a third party. Should the original user's key be lost or compromised, the stored key can be used to decrypt encrypted material, allowing restoration of the original material to its unencrypted state. Option C is incorrect. A CRL (certificate revocation list) is a list of digital certificates that have been revoked by the issuing certificate authority (CA) before their scheduled expiration date and should not be trusted. Option D is incorrect. OCSP (Online Certificate Status Protocol) is a protocol that can be used to query a certificate authority about the revocation status of a given certificate. It validates certificates by returning responses such as "good," "revoked," and "unknown."
1. Which of the following would a public key be used for? A. To decrypt a hash of a digital signature B. To encrypt TLS traffic C. To digitally sign messages D. To decrypt TLS messages
A. A digital signature is a one-way hash and encrypted with the private key. The public key is used to decrypt the hash and validate the integrity of the digital signature. Digital signatures supports non-repudiation; where the sender can not refute sending the message. Option B is incorrect. TLS (Transport Layer Security) creates a secure connection by using symmetric cryptography based on a shared secret. The same key encrypts and decrypts the data. Option C is incorrect. Digital signatures are created with the private key. Option D is incorrect. TLS creates a secure connection by using symmetric cryptography based on a shared secret. The same key encrypts and decrypts the data.
113. Which of the following works similarly to stream ciphers? A. One-time pad B. RSA C. AES D. DES
A. A stream cipher encrypts one plain text digit at a time with the corresponding digit of the keystream. Stream ciphers provide the same type of protection as one-time pads do. Option B is incorrect. RSA is an asymmetric algorithm and uses a different type of mathematics to encrypt the data. Option C is incorrect. AES is a symmetric block cipher, and the message is divided into blocks of bits and then encrypted one block at a time. Option D is incorrect. DES is a symmetric block cipher, and the message is divided into blocks of bits and then encrypted one block at a time.
51. You are performing a vulnerability assessment on a company's LAN and determine they are using 802.1x for secure access. Which of the following attacks can a threat actor use to bypass the network security? A. MAC spoofing B. ARP poisoning C. Ping of death D. Xmas attack
A. A threat actor can spoof a device's MAC address and bypass 802.1x authentication. Using 802.1x with client certificates or tunneled authentication can help prevent this attack. Option B is incorrect. ARP poisoning is an attack where a threat actor sends spoofed ARP messages over a LAN. Option C is incorrect. Ping of death is a denial-of-service attack in which a threat actor sends a larger IP packet than allowed by the IP protocol. The IP packet is broken down into smaller segments, which would cause the system to crash. Option D is incorrect. The Xmas attack is a specifically crafted TCP packet that turns on flags to scan the system and determine what operating system it's using.
78. Which of the following automatically updates browsers with a list of root certificates from an online source to track which certificates are to be trusted? A. Trust model B. Key escrow C. PKI D. RA
A. A trust model is a collection of rules that informs applications as to how to decide the validity of a digital certificate. Option B is incorrect. Key escrow is a security measure where cryptographic keys are held in escrow by a third party, and under normal circumstances, the key should not be released to someone other than the sender or receiver without proper authorization. Option C is incorrect. PKI (public key infrastructure) is an entire system of hardware, software, policies and procedures, and people. PKI creates, distributes, manages, stores, and revokes certificates. Option D is incorrect. A registered authority (RA) is used to verify requests for certificates and forwards responses to the CA.
40. Your company is looking to accept electronic orders from a vendor and wants to ensure nonauthorized people cannot send orders. Your manager wants a solution that provides nonrepudiation. Which of the following options would meet the requirements? A. Digital signatures B. Hashes C. Steganography D. Perfect forward secrecy
A. Digital signatures are created by using the user's or computer's private key that is accessible only to that user or computer. Nonrepudiation is the assurance that someone cannot deny something. Option B is incorrect. Hashing is a one-way encryption that transforms a string of characters into a fixed-length value or key, also known as a hash value. Hashes ensure the integrity of data or messages. Option C is incorrect. Steganography is a process of hiding data within data. This technique can be applied to images, video files, or audio files. Option D is incorrect. Perfect forward secrecy is a way to ensure the safety of session keys from future abuse by threat actors.
89. Matt, a network administrator, is deciding which credential-type authentication to use within the company's planned 802.1x deployment. He is searching for a method that requires a client certificate and a server-side certificate, and that uses tunnels for encryption. Which credential-type authentication method would Matt use? A. EAP-TLS B. EAP-FAST C. PEAP D. EAP
A. EAP-TLS is a remote access authentication protocol that supports the use of smartcards or user and computer certificates, also known as machine certificates, to authenticate wireless access clients. EAP-TLS can use tunnels for encryption by use of TLS. Option B is incorrect. EAP-FAST is designed to increase the speed of reauthentication when a user roams from one AP to another. It authenticates the user over an encrypted TLS tunnel but uses a shared secret key. Option C is incorrect. PEAP is an encapsulating protocol that uses a certificate on the authentication server and a certificate on the client. It supports password-based authentication but does not use TLS for encryption. Option D is incorrect. EAP is a framework for authentication in a WLAN and point-to-point connections. EAP defines message formats and doesn't use tunnels for encryption.
43. A security manager has asked you to explain why encryption is important and what symmetric encryption offers. Which of the following is the best explanation? A. Confidentiality B. Nonrepudiation C. Steganography D. Collision
A. Encryption provides confidentiality because the data is scrambled and cannot be read by an unauthorized user. Symmetric encryption uses one key to encrypt, and decrypting data with one key is considered fast. Option B is incorrect. Nonrepudiation is a method of guaranteeing a message transmission between parties by a digital signature. Option C is incorrect. Steganography is a process of hiding data within data. This technique can be applied to images, video files, or audio files. Option D is incorrect. A collision occurs when a hashing algorithm creates the same hash from two different messages.
16. James, an IT manager, expresses a concern during a monthly meeting about weak user passwords used on company servers and how they may be susceptible to brute-force password attacks. Which concept can James implement to make the weak passwords stronger? A. Key stretching B. Key escrow C. Key strength D. ECC
A. Key stretching increases the strength of stored passwords and protects passwords from brute-force attacks and rainbow table attacks. Option B is incorrect. Key escrow is a cryptographic key exchange process in which a key is stored by a third party. Should the original user's key be lost or compromised, the stored key can be used to decrypt encrypted material, allowing restoration of the original material to its unencrypted state. Option C is incorrect. Key strength is the length of the key that is being used to encrypt the data. According to NIST guidance, the use of keys that provide less than 112 bits of security strength for key agreement is disallowed. Option D is incorrect. ECC (elliptic curve cryptography) is an asymmetric algorithm that uses smaller keys and has the same level of strength compared to longer key length asymmetric algorithm.
105. Which of the following is the least secure hashing algorithm? A. MD5 B. RIPEMD C. SHA-1 D. AES
A. MD5 produces a 128-bit message digest regardless of the length of the input text. Option B is incorrect. RIPEMD produces a 128-, 160-, 256-, and 320-bit message digest. RIPEMD was not often seen in practical implementations. Option C is incorrect. SHA-1 produces a 160-bit message digest regardless of the length of the input text. Option D is incorrect. AES (Advanced Encryption Standard) is a symmetric algorithm used for encryption and not considered a hashing algorithm.
18. You set up your wireless SOHO router to encrypt wireless traffic, and you configure the router to require wireless clients to authenticate against a RADIUS server. What type of security have you configured? A. WPA2 Enterprise B. WPA2 Personal C. TKIP D. WEP
A. WPA2 Enterprise uses an authentication server such as a RADIUS server to control access to a WLAN. Option B is incorrect. WPA2 Personal does not use an authentication server. It uses a passphrase that is entered into the SOHO router. Option C is incorrect. TKIP is a wrapper that wraps around existing WEP encryption and is used in WPA. TKIP replaced WEP in WLAN devices. Option D is incorrect. WEP does not use an authentication server. Users enter a passphrase to connect to the SOHO router.
38. You are the security manager for your company, and a system administrator wants to know if there is a way to reduce the cost of certificates by purchasing a certificate to cover all domains and subdomains for the company. Which of the following solutions would you offer? A. Wildcards B. Object identifiers C. Key escrow D. OCSP
A. Wildcard certificates allow the company to secure an unlimited number of subdomain certificates on a domain name from a third party. Option B is incorrect. Object identifiers (OIDs) identify an object or entity. OIDs are used in X.509 certificates to name almost every object type. Option C is incorrect. Key escrow is a cryptographic key exchange process in which a key is stored by a third party. Should the original user's key be lost or compromised, the stored key can be used to decrypt encrypted material, allowing restoration of the original material to its unencrypted state. Option D is incorrect. OCSP (Online Certificate Status Protocol) is a protocol that can be used to query a certificate authority about the revocation status of a given certificate. An OCSP response contains signed assertions that a certificate is not revoked.
39. Which of the following are authentication protocols? (Choose two.) A. WPS B. EAP C. IPSec D. IEEE 802.1x
B and D. EAP and IEEE 802.1x are authentication protocols that transfer authentication data between two devices. Option A is incorrect. WPS (WiFi Protected Setup) is a network security standard that allows home users to easily add new devices to an existing wireless network without entering long passphrases. Option C is incorrect. IPSec is a framework of open standards that ensures communications are private and secure over IP networks.
128. Which of the following are considered cryptographic hash functions? (Choose two.) A. AES B. MD5 C. RC4 D. SHA-256
B and D. MD5 and SHA are considered cryptography hashing functions that transform a string of characters into a fixed-length value. Options A and C are incorrect. They are symmetric encryption algorithms.
108. Which of the following statements are true regarding ciphers? (Choose two.) A. Stream ciphers encrypt fixed sizes of data. B. Stream ciphers encrypt data one bit at a time. C. Block ciphers encrypt data one bit at a time. D. Block ciphers encrypt fixed sizes of data.
B and D. Stream ciphers is a low latency operation that encrypt data one bit at a time, and block ciphers encrypt data one block, or fixed block, at a time. Option A is incorrect. Stream ciphers do not encrypt data one block at a time. Option C is incorrect. Block ciphers do not encrypt data one bit at a time.
54. You have implemented a PKI to send signed and encrypted data. The user sending data must have which of the following? (Choose two.) A. The receiver's private key B. The sender's private key C. The sender's public key D. The receiver's public key
B and D. To sign the data for nonrepudiation purposes, the sender uses their private key and when encrypting the data, the sender uses the receiver's public key. Option A is incorrect. The receiver's private key is kept private by the receiver. Option C is incorrect. The sender's public key is used to encrypt data that is being sent to the sender and decrypted by its private key.
143. Which of the following is correct regarding root certificates? A. Root certificates never expire. B. A root certificate contains the public key of the CA. C. A root certificate contains information about the user. D. A root certificate cannot be used to authorize subordinate CAs to issue certificates on its behalf.
B. A root certificate is a public key certificate that identifies the root CA (certificate authority). Digital certificates are verified using a chain of trust (certificate chaining) and the trust anchor for the certificate is the root certificate authority (CA). Option A is incorrect. A root certificate has an expiration date, also known as the validity period. Option C is incorrect. A root certificate contains information about the CA (certificate authority), not the user. Option D is incorrect. A root certificate is able to authorize subordinate CAs to issue certificates on its behalf.
90. A coworker is connecting to a secure website using HTTPS. The coworker informs you that before the website loads, their web browser displays an error indicating that the site certificate is invalid and the site is not trusted. Which of the following is most likely the issue? A. The web browser is requiring an update. B. The server is using a self-signed certificate. C. A web proxy is blocking the connection. D. The web server is currently unavailable.
B. A self-signed certificate will display an error in the browser stating the site is not trusted because the self-signed certificate is not from a trusted certificate authority. Option A is incorrect. The web browser needing an update will not display an error message that the site certificate is invalid and the site is not trusted. Option C is incorrect. A web proxy blocking the connection would not allow the site to load and display a message regarding the invalid certificate. Option D is incorrect. If the web server was unavailable, the user would not be able to receive any information about the status of the certificate.
28. You are conducting a one-time electronic transaction with another company. The transaction needs to be encrypted, and for efficiency and simplicity, you want to use a single key for encryption and decryption of the data. Which of the following types would you use? A. Asymmetric B. Symmetric C. Hashing D. Steganography
B. A symmetric algorithm, also known as a secret key algorithm, uses the same key to encrypt and decrypt data. Option A is incorrect. An asymmetric algorithm, also known as public key cryptography, uses public and private keys to encrypt and decrypt data. Option C is incorrect. Hashing is a one-way encryption that transforms a string of characters into a fixed-length value or key also known as a hash value. Hashes ensure the integrity of data or messages. Option D is incorrect. Steganography is a process of hiding data within data. This technique can be applied to images, video files, or audio files.
86. Your company has recently implemented an encryption system on the network. The system uses a secret key between two parties and must be kept secret. Which system was implemented? A. Asymmetric algorithm B. Symmetric algorithm C. Hashing algorithm D. Steganography
B. A symmetric algorithm, also known as a secret key algorithm, uses the same key to encrypt and decrypt data. Option A is incorrect. An asymmetric algorithm, also known as public key cryptography, uses two keys (a public and private key) to encrypt and decrypt data. Option C is incorrect. Hashing is a one-way encryption that transforms a string of characters into a fixed-length value or key, also known as a hash value. Hashes ensure the integrity of data or messages. Option D is incorrect. Steganography is a process of hiding data within data. This technique can be applied to images, video files, or audio files.
131. You are a security manager and have been asked to encrypt database system information that contains employee social security numbers. You are looking for an encryption standard that is fast and secure. Which of the following would you suggest to accomplish the requirements? A. SHA-256 B. AES C. RSA D. MD5
B. AES (Advanced Encryption Standard) is a symmetric algorithm used to encrypt data that is fast and secure. Option A is incorrect. SHA-256 is a hashing algorithm not used to encrypt data but rather to verify the integrity of the data. Option C is incorrect. RSA is an asymmetric algorithm that is considered slow when encrypting data. Option D is incorrect. MD5 is a hashing algorithm not used to encrypt data but rather to verify the integrity of the data.
116. Which of the following cipher modes uses a feedback-based encryption method to ensure that repetitive data result in unique cipher text? A. ECB B. CBC C. GCM D. CTM
B. CBC (Cipher Block Chaining) mode uses feedback information to ensure the current block ciphertext differs from other blocks even if the same data is being encrypted. Option A is incorrect. ECB (Electronic Code Book) encrypts each data block individually. Repetitive data can result in the same ciphertext. Option C is incorrect. GCM (Galois/Counter Mode) encrypts data and checks integrity. Option D is incorrect. CTM (counter mode), also abbreviated as CTR, is similar to CBC except it does not use a random number and does not chain the blocks.
17. You are installing a network for a small business named Matrix Interior Design that the owner is operating out of their home. There are only four devices that will use the wireless LAN, and you are installing a SOHO wireless router between the wireless LAN clients and the broadband connection. To ensure better security from outside threats connecting to the wireless SOHO router, which of the following would be a good choice for the WPA2-PSK passphrase? A. 123456 B. XXrcERr6Euex9pRCdn3h3 C. bRtlBv D. HomeBusiness
B. Complex passwords of 16 or more ASCII characters are considered strong. Passwords should follow the complexity rule of having three of the four following items: lowercase letter, uppercase letter, number, and special character. Option A is incorrect. This password is too common and can be easily guessed. Option C is incorrect. This password isn't following the complexity rule and it has only six ASCII characters, which can easily be guessed through the use of brute force. Option D is incorrect. This password is commonly found in the dictionary and can be susceptible to a dictionary attack.
96. Which of the following security mechanisms can be used for the purpose of nonrepudiation? A. Encryption B. Digital signature C. Collision D. CA
B. Digital signatures are created by using the user's or computer's private key that is accessible only to that user or computer. Nonrepudiation is the assurance that someone cannot deny something. Option A is incorrect. Encryption is the process of using an algorithm to change plain text data into unreadable information to protect it from unauthorized users. The main purpose of encryption is to protect the confidentiality of digital data stored on a computer system or transmitted via a network. Option C is incorrect. A collision occurs when a hashing algorithm creates the same hash from two different messages. Option D is incorrect. A CA (certificate authority) is a trusted entity that issues electronic documents that verify a digital entity's identity on the Internet or computer network.
135. Most authentication systems make use of a one-way encryption process. Which of the following is an example of a one-way encryption? A. Symmetric algorithm B. Hashing C. Asymmetric algorithm D. PKI
B. Hashing is a one-way encryption that transforms a string of characters into a fixed-length value or key, also known as a hash value. Hashes ensure the integrity of data or messages. Option A is incorrect. A symmetric algorithm, also known as a secret key algorithm, uses the same key to encrypt and decrypt data. Option C is incorrect. Asymmetric encryption is also known as public key cryptography, and it uses public and private keys to exchange a session key between two parties. Option D is incorrect. PKI (public key infrastructure) is an entire system of hardware, software, policies and procedures, and people. PKI creates, distributes, manages, stores, and revokes certificates.
33. Which of the following cryptography concepts converts output data into a fixed-length value and cannot be reversed? A. Steganography B. Hashing C. Collision D. IV
B. Hashing is a one-way encryption that transforms a string of characters into a fixed-length value or key, also known as a hash value. Hashes ensure the integrity of data or messages. Option A is incorrect. Steganography is a process of hiding data within data, also known as security through obscurity. This technique can be applied to images, video files, or audio files. Option C is incorrect. A collision occurs when a hashing algorithm creates the same hash from two different messages. Option D is incorrect. An IV (initialization vector) is an arbitrary number that is used with a secret key for data encryption. IV makes it more difficult for hackers to break a cipher.
83. WEP's RC4 approach to encryption uses a 24-bit string of characters added to data that are transmitted. The same plain text data frame will not appear as the same WEP-encrypted data frame. What is this string of characters called? A. Diffusion B. IV C. Session key D. Hashing
B. IV (initialization vector) is an arbitrary number that is used with a secret key for data encryption. IV makes it more difficult for hackers to break a cipher. Option A is incorrect. Diffusion is a property of cryptography that makes cryptanalysis hard. A change of a single character of the input will change many characters of the output. Option C is incorrect. A session key is a symmetric key that uses the same key for encryption and decryption. Option D is incorrect. Hashing is a one-way encryption that transforms a string of characters into a fixed-length value or key, also known as a hash value. Hashes ensure the integrity of data or messages
9. Matt has been told that successful attacks have been taking place and data that has been encrypted by his company's software system has leaked to the company's competitors. Matt, through investigation, has discovered patterns due to the lack of randomness in the seeding values used by the encryption algorithm in the company's software. This discovery has led to successful reverse engineering. What can the company use to ensure patterns are not created during the encryption process? A. One-time pad B. Initialization vector C. Stream cipher D. Block cipher
B. Initialization vectors (IVs) are random values that are used with algorithms to ensure patterns are not created during the encryption process. IVs are used with keys and are not encrypted when being sent to the destination. Option A is incorrect. A one-time pad is an encryption method and uses a pad with random values that are XORed against the message to produce ciphertext. One-time pad is at least as long as the message itself and is used once and then discarded. This technology is not addressed in this scenario. Option C is incorrect. Stream ciphers encrypt data one bit at a time. This concept is not addressed in this scenario. Option D is incorrect. Block ciphers encrypts data one block, or fixed block, at a time. This concept is not addressed in this scenario.
56. Your company is looking for a secure backup mechanism for key storage in a PKI. Which of the following would you recommend? A. CSR B. Key escrow C. CRL D. CA
B. Key escrow is a security measure where cryptographic keys are held in escrow by a third party and under normal circumstances, the key should not be released to someone other than the sender or receiver without proper authorization. Option A is incorrect. A CSR (certificate signing request) is a request an applicant sends to a CA for the purpose of applying for a digital identity certificate. Option C is incorrect. A CRL (certificate revocation list) is a list of digital certificates that have been revoked by the issuing certificate authority (CA) before their scheduled expiration date and should not be trusted. Option D is incorrect. A CA (certificate authority) is a trusted entity that issues electronic documents that verify a digital entity's identity on the Internet or computer network.
12. Which of the following would you use to verify certificate status by receiving a response of "good," "revoked," or "unknown"? A. CRL B. OSCP C. RA D. PKI
B. OCSP (Online Certificate Status Protocol) is a protocol that can be used to query a certificate authority about the revocation status of a given certificate. It validates certificates by returning responses such as "good," "revoked," and "unknown." Option A is incorrect. A CRL (certificate revocation list) is a list of digital certificates that have been revoked by the issuing certificate authority (CA) before their scheduled expiration date and should not be trusted. Option C is incorrect. An RA (registered authority) is used to verify requests for certificates and forwards responses to the CA. Option D is incorrect. PKI (public key infrastructure) is an entire system of hardware, software, policies and procedures, and people. PKI creates, distributes, manages, stores, and revokes certificates. OCSP is part of the PKI.
122. Which of the following encryption methods is used by RADIUS? A. Asymmetric B. Symmetric C. Elliptic curve D. RSA
B. RADIUS is a client-server protocol that enables remote access servers to communicate with a central server to authenticate users. RADIUS uses symmetric encryption for security. Option A is incorrect. RADIUS does not use asymmetric encryption. Asymmetric encryption uses a key pair, and RADIUS uses the same key to encrypt and decrypt information. Option C is incorrect. Elliptic curve cryptography is a public key encryption based on the elliptic curve equation rather than large prime numbers. Option D is incorrect. RSA is a public key encryption and includes hardware and software tokens
44. You are a security administrator and have discovered one of the employees has been encoding confidential information into graphic files. Your employee is sharing these pictures on their social media account. What concept was the employee using? A. Hashing B. Steganography C. Symmetric algorithm D. Asymmetric algorithm
B. Steganography is a process of hiding data within data. This technique can be applied to images, video files, or audio files. Option A is incorrect. Hashing is a one-way encryption that transforms a string of characters into a fixed-length value or key, also known as a hash value. Hashes ensure the integrity of data or messages. Option C is incorrect. A symmetric algorithm, also known as a secret key algorithm, uses the same key to encrypt and decrypt data. Option D is incorrect. An asymmetric algorithm, also known as public key cryptography, uses public and private keys to encrypt and decrypt data.
120. Why would a threat actor use steganography? A. To test integrity B. To conceal information C. To encrypt information D. To create a hashing value
B. Steganography is a process of hiding data within data. This technique can be applied to images, video files, or audio files. Option A is incorrect. Hashing is used to test integrity. Option C is incorrect. Encryption is the process of using an algorithm to change plain text data into unreadable information to protect it from unauthorized users. Option D is incorrect. Hashing is a one-way encryption that transforms a string of characters into a fixed-length value or key, also known as a hash value. Hashes ensure the integrity of data or messages.
58. You are a security administrator and have been given instructions to update the access points to provide a more secure connection. The access points are currently set to use WPA TKIP for encryption. Which of the following would you configure to accomplish the task of providing a more secure connection? A. WEP B. WPA2 CCMP C. Enable MAC filtering D. Disable SSID broadcast
B. WPA2 CCMP replaced TKIP and is a more advanced encryption standard. CCMP provides data confidentiality and authentication. Option A is incorrect. WEP is a security standard for wireless networks and devices but is not as secure as WPA. Option C is incorrect. Enabling MAC filtering by allowing or prohibiting a MAC address is not a secure option since threat actors can spoof MAC addresses. Option D is incorrect. Disabling SSID broadcast will not help better secure the network since threat actors can use tools to sniff hidden SSIDs.
46. You are configuring your friend's new wireless SOHO router and discover a PIN on the back of the router. Which of the following best describes the purpose of the PIN? A. This is a WEP PIN. B. This is a WPS PIN. C. This is a WPA PIN. D. This is a Bluetooth PIN.
B. WPS is a network security standard that allows home users to easily add new devices to an existing wireless network without entering long passphrases. Users enter a PIN to allow the device to connect after pressing the WPS button on the SOHO router. Options A, C, and D are incorrect. WEP and WPA have passphrases, not PINs, that are entered. Bluetooth PINs are used to set up devices to communicate via Bluetooth, not with a SOHO router.
148. Which of the following can assist in the workload of the CA by performing identification and authentication of users requesting certificates? A. Root CA B. Intermediate CA C. Registered authority D. OSCP
C. A registered authority (RA) is used to verify requests for certificates and forwards responses to the CA. Option A is incorrect. A root CA is the top of the hierarchy and certifies intermediate CAs to issue certificates to users, computers, or services. Option B is incorrect. An intermediate CA is certified by the root CA and can issue certificates to users, computers, or services. Option D is incorrect. OCSP (Online Certificate Status Protocol) is a protocol that can be used to query a certificate authority about the revocation status of a given certificate. It validates certificates by returning responses such as "good," "revoked," and "unknown."
110. Which of the following statements is true about symmetric algorithms? A. They hide data within an image file. B. They use one key to encrypt data and another to decrypt data. C. They use a single key to encrypt and decrypt data. D. They use a single key to create a hashing value.
C. A symmetric algorithm, also known as a secret key algorithm, uses the same key to encrypt and decrypt data. Option A is incorrect. Steganography is the process of hiding data within data. This technique can be applied to images, video files, or audio files. Option B is incorrect. An asymmetric algorithm, also known as public key cryptography, uses public and private keys to encrypt and decrypt data. Option D is incorrect. Hashing is a one-way encryption that transforms a string of characters into a fixed-length value or key, also known as a hash value, by using a mathematical function, not a key. Hashes ensure the integrity of data or messages
68. Which of the following statements is true regarding the confusion encryption method? A. It puts one item in the place of another; for example, one letter for another or one letter for a number. B. It scrambles data by reordering the plain text in a certain way. C. It uses a relationship between the plain text and the key that is so complicated the plain text can't be altered and the key can't be determined. D. Change in the plain text will result in multiple changes that are spread throughout the cipher text.
C. Confusion encryption is a method that uses a relationship between the plain text and the key that is so complicated the plain text can't be altered and the key can't be determined by a threat actor. Option A is incorrect. This method defines substitution. Option B is incorrect. This method defines transposition. Option D is incorrect. This method defines diffusion.
14. Which of the following encryption algorithms is the weakest? A. Blowfish B. AES C. DES D. SHA
C. DES (Data Encryption Standard) is a 56-bit key and is superseded by 3DES. DES is considered to be insurance for many applications. Option A is incorrect. Blowfish has a 64-bit block size and a variable key length up to 448 bits. Option B is incorrect. AES (Advanced Encryption Standard) is a newer and stronger encryption standard and is capable of using 128- bit, 192-bit, and 256-bit keys. Option D is incorrect. SHA is a hashing algorithm.
69. Which of the following is required when employing PKI and preserving data is important? A. CA B. CRL C. Key escrow D. CER
C. Key escrow is a database of stored keys that can be retrieved should the original user's key be lost or compromised. The stored key can be used to decrypt encrypted material, allowing restoration of the original material to its unencrypted state. Option A is incorrect. A certificate authority (CA) is a trusted entity that issues electronic documents that verify a digital entity's identity on the Internet or computer network. Option B is incorrect. A certificate revocation list (CRL) is a list of digital certificates that have been revoked by the issuing certificate authority (CA) before their scheduled expiration date and should not be trusted. Option D is incorrect. CER is a certificate file extension for an SSL certificate and is used by web servers to help confirm the identity and security of the site a user is visiting.
132. James is a security administrator and wants to ensure the validity of public trusted certificates used by the company's web server, even if there is an Internet outage. Which of the following should James implement? A. Key escrow B. Recovery agent C. OCSP D. CSR
C. OCSP (Online Certificate Status Protocol) is a protocol that can be used to query a certificate authority about the revocation status of a given certificate. OCSP can prepackage a list of revoked certificates and distribute them through browser updates and can be checked if there is an Internet outage. Option A is incorrect. Key escrow is a security measure in which cryptographic keys are held in escrow by a third party, and under normal circumstances, the key should not be released to someone other than the sender or receiver without proper authorization. Option B is incorrect. A recovery agent is a user who is permitted to decrypt another user's data in case of emergency or in special situations. Option D is incorrect. A CSR (certificate signing request) is a request an applicant sends to a CA for the purpose of applying for a digital identity certificate. A CSR can be generated for code signing purposes.
75. Which of the following statements best describes the difference between public key cryptography and public key infrastructure? A. Public key cryptography is another name for an asymmetric algorithm, whereas public key infrastructure is another name for a symmetric algorithm. B. Public key cryptography uses one key to encrypt and decrypt the data, and public key infrastructure uses two keys to encrypt and decrypt the data. C. Public key cryptography is another name for asymmetric cryptography, whereas public key infrastructure contains the public key cryptographic mechanisms. D. Public key cryptography provides authentication and nonrepudiation, whereas public key infrastructure provides confidentiality and integrity.
C. Public key cryptography is also known as asymmetric cryptography. Public key cryptography is one piece of the PKI (public key infrastructure). Option A is incorrect. Public key cryptography is also known as asymmetric cryptography and PKI (public key infrastructure) is an entire system of hardware, software, policies and procedures, and people. PKI creates, distributes, manages, stores, and revokes certificates. Option B is incorrect. Public key cryptography uses two keys to encrypt and decrypt the data, also known as asymmetric encryption. PKI (public key infrastructure) is not known as an asymmetric encryption (using two keys to encrypt and decrypt data) but rather as an entire system that creates, distributes, manages, stores, and revokes certificates. Option D is incorrect. Public key cryptography can provide authentication and nonrepudiation, but PKI (public key infrastructure) cannot provide confidentiality and integrity. PKI can use algorithms that can provide these security services.
11. The CIO at your company no longer wants to use asymmetric algorithms because of the cost. Of the following algorithms, which should the CIO discontinue using? A. AES B. RC4 C. RSA D. Twofish
C. RSA is an asymmetric algorithm and should be discontinued. Options A, B, and D are incorrect. AES, RC4, and Twofish are symmetric algorithms.
27. Matt needs to calculate the number of keys that must be generated for 480 employees using the company's PKI asymmetric algorithm. How many keys must Matt create? A. 114,960 B. 480 C. 960 D. 229,920
C. With asymmetric algorithms, every user must have at least one pair of keys (private and public). The two keys are mathematically related. If a message is encrypted with one key, the other key is required to decrypt the message. The formula to determine the number of keys needed is N × 2, where N is the number of people. Option A is incorrect. This is the number of keys needed in a symmetric key cryptosystem. Each pair of users who are exchanging data must have two instances of the same key. The formula for calculating the number of symmetric keys needed is: N (N-1) / 2 = number of keys. Option B is incorrect. Each user in a public key infrastructure requires at least one pair of keys (private and public). The formula for determining the number of keys that are needed is N × 2. Option D is incorrect. This total is derived from N (N−1), which is part of the formula for calculating the number of symmetric keys needed.
125. Which of the following would be used to allow certain traffic to traverse from a wireless network to an internal network? A. WPA B. WEP C. Load balancers D. 802.1x
D. 802.1x enhances security within a WLAN by providing an authentication framework. Users are authenticated by a central authority before they are allowed within the network. Option A is incorrect. WPA (WiFi Protected Access) is a security standard that replaced and improved on WEP and is designed to work with older wireless clients, but it does not transverse traffic from a wireless network to an internal network. Option B is incorrect. WEP (Wired Equivalent Privacy) is a security standard for 802.11b but does not transverse traffic from a wireless network to an internal network. Option C is incorrect. A load-balancer improves the workload by distributing traffic across multiple computer resources such as servers.
84. Your manager has recently purchased a RADIUS server that will be used by remote employees to connect to internal resources. Several client computers need to connect to the RADIUS server in a secure manner. What should your manager deploy? A. HIDS B. UTM C. VLAN D. 802.1x
D. 802.1x enhances security within a WLAN by providing an authentication framework. Users are authenticated by a central authority before they are allowed within the network. Option A is incorrect. An HIDS (host intrusion detection system) is a security management for networks and computers. It gathers information within the network or computer and identifies potential threats. Option B is incorrect. UTM (unified threat management) is a network appliance that provides firewall, intrusion detection, anti-malware, spam, and content filtering in one integrated device. Option C is incorrect. A VLAN allows network administrators to partition a switch within their network to provide security without having multiple switches.
106. Which of the following types of attack sends two different messages using the same hash function, causing a collision? A. Xmas attack B. DoS C. Logic bomb D. Birthday attack
D. A birthday attack can be used to find hash collisions. It's based off the birthday paradox stating there is a 50 percent chance of someone sharing your birthday with at least 23 people in the room. Option A is incorrect. A Xmas attack is a specifically crafted TCP packet that turns on flags to scan the system and determine what operating system it's using. Option B is incorrect. A denial of service (DoS) is a an attack that prevents legitimate users from accessing services or resources within a network. Option C is incorrect. A logic bomb is a piece of code intentionally inserted into a software system that will set off a malicious function when specified conditions are met.
81. You are receiving calls from users who are connected to the company's network and are being redirected to a login page with the company's logo after they type a popular social media web address in an Internet browser. Which of the following is causing this to happen? A. WEP B. Key stretching C. MAC filtering D. Captive portal
D. A captive portal is a web page where the user must view and agree to the terms before access to the network is granted. They are typically used by business centers, airports, hotels, and coffee shops. Option A is incorrect. WEP (Wired Equivalent Privacy) is a security standard for 802.11b. It is designed to provide a level of security for a WLAN. Option B is incorrect. Key stretching increases the strength of stored passwords and protects passwords from brute-force attacks and rainbow table attacks. Option C is incorrect. MAC filtering is a technique that allows or prohibits MAC addresses to access a network. It is not a secure option since threat actors can spoof MAC addresses.
112. Which of the following takes each bit in a character and is XORed with the corresponding bit in the secret key? A. ECDHE B. PBKDF2 C. Obfuscation D. One-time pad
D. A one-time pad is a stream cipher that encrypts the plain text with a secret random key that is the same length as the plain text. The encryption algorithm is the XOR operation. Option A is incorrect. ECDHE (Elliptic Curve Diffie-Hellman Ephemeral) is commonly used with TLS to provide perfect forward secrecy. Option B is incorrect. PBKDF2 is a key stretching algorithm. Key stretching makes a possibly weak key, typically a password or passphrase, more secure against a brute-force attack by increasing the time it takes to test each possible key. Option C is incorrect. Obfuscation is the action of making something difficult to read and understand.
2. Your company's web server certificate has been revoked and external customers are receiving errors when they connect to the website. Which of following actions must you take? A. Renew the certificate. B. Create and use a self-signed certificate. C. Request a certificate from the key escrow. D. Generate a new key pair and new certificate.
D. A revoked certificate is no longer valid for the intended purpose, and a new key pair and certificate will need to be generated. Option A is incorrect. The certificate cannot be renewed after its expiration date. Option B is incorrect. A self-signed certificate will generate errors within the client's web browser and should not be used as a replacement since the self-signed certificate is not from a trusted certificate authority. Option C is incorrect. Key escrow is a cryptographic key exchange process in which a key is stored by a third party. Should the original user's key be lost or compromised, the stored key can be used to decrypt encrypted material, allowing restoration of the original material to its unencrypted state. This scenario didn't state the key was lost but rather that the certificate had expired.
119. What is another name for an ephemeral key? A. PKI private key B. MD5 C. PKI public key D. Session key
D. A session key is another name for an ephemeral key. An ephemeral key includes a private and public key, and systems use this key pair for a single session and then discard it. Option A is incorrect. A PKI private key is held by the owner of the key pair to decrypt data or to create a digital signature. Option B is incorrect. MD5 is a hashing algorithm that transforms a string of characters into a fixed-length value or key, also known as a hash value. Hashes ensure the integrity of data or messages. Option C is incorrect. A PKI public key is held by the certificate authority and is available for anyone to use to encrypt data or verify a user's digital signature.
10. You are asked to configure a WLAN that does not require a user to provide any credentials to associate with a wireless AP and access a WLAN. What type of authentication is said to be in use? A. IV B. WEP C. WPA D. Open
D. An open wireless network does not require a user to enter credentials for access. Option A is incorrect. An IV (initialization vector) is an arbitrary number that is used with a secret key for data encryption. Option B is incorrect. WEP (Wired Equivalent Privacy) is a security standard for 802.11b. It is designed to provide a level of security for a WLAN. Option C is incorrect. WPA (WiFi Protected Access) is a security standard that replaced and improved on WEP.
24. Which of the following EAP types offers support for legacy authentication protocols such as PAP, CHAP, MS-CHAP, or MSCHAPv2? A. PEAP B. EAP-FAST C. EAP-TLS D. EAP-TTLS
D. EAP-TTLS determines how user authentication will perform during phase 2. The user authentication may be a legacy protocol such as PAP, CHAP, MS-CHAP, or MS-CHAPV2. Options A, B, and C are incorrect. PEAP, EAP-FAST, and EAP-TLS create a TLS tunnel to protect the supplicant credentials but do not support legacy authentication protocols.
8. You are given the task of selecting an asymmetric encryption type that has an appropriate level of encryption strength but uses a smaller key length than is typically required. Which of the following encryption methods will accomplish your requirement? A. Blowfish B. RSA C. DHE D. ECC
D. ECC (elliptic curve cryptography) is an asymmetric algorithm that uses smaller keys and has the same level of strength compared to longer key length asymmetric algorithm. Option A is incorrect. Blowfish is a symmetric algorithm that uses the same key to encrypt and decrypt data. Option B is incorrect. RSA uses a longer key length than ECC. Option C is incorrect. DHE uses a longer key length than ECC.
41. You are tasked to implement a solution to ensure data that are stored on a removable USB drive hasn't been tampered with. Which of the following would you implement? A. Key escrow B. File backup C. File encryption D. File hashing
D. Hashing is a one-way encryption that transforms a string of characters into a fixed-length value or key, also known as a hash value. Hashes ensure the integrity of data or messages. Option A is incorrect. Key escrow is a cryptographic key exchange process in which a key is stored by a third party. Should the original user's key be lost or compromised, the stored key can be used to decrypt encrypted material, allowing restoration of the original material to its unencrypted state. Option B is incorrect. File backup allows the data to be available in case the original files are deleted or become corrupted. Option C is incorrect. Encryption is the process of using an algorithm to change plain text data into unreadable information to protect it from unauthorized users. The main purpose of encryption is to protect the confidentiality of digital data stored on a computer system or transmitted via a network.
59. Which of the following is an example of a stream cipher? A. AES B. DES C. 3DES D. RC4
D. RC4 is an example of a stream cipher that encrypts data one bit at a time. Options A, B, and C are incorrect. AES, DES, and 3DES are examples of block ciphers that encrypt data one fixed block of data at a time.
73. Bob is a security administrator and needs to encrypt and authenticate messages that are sent and received between two systems. Which of the following would Bob choose to accomplish his task? A. Diffie-Hellman B. MD5 C. SHA-256 D. RSA
D. RSA is a public key encryption algorithm that can both encrypt and authenticate messages. Option A is incorrect. Diffie-Hellman encrypts data only and is used to exchange keys. Option B is incorrect. MD5 is a cryptography hashing function that transforms a string of characters into a fixed-length value. Option C is incorrect. SHA is a cryptography hashing function that transforms a string of characters into a fixed-length value.
111. The CA is responsible for revoking certificates when necessary. Which of the following statements best describes the relationship between a CRL and OSCP? A. OCSP is a protocol to submit revoked certificates to a CRL. B. CRL is a more streamlined approach to OCSP. C. CRL validates a certificate in real time and reports it to the OCSP. D. OCSP is a protocol to check the CRL during a certificate validation process.
D. Revoked certificates are stored on a CRL (certificate revocation list). The CA continuously pushes out CRL values to clients to ensure they have the updated CRL. OCSP (Online Certificate Status Protocol) performs this work automatically in the background and returns a response such as "good," "revoked," and "unknown." OCSP uses a process called stapling to reduce communication from the user to the CA to check the validity of a certificate. Option A is incorrect. OCSP does not submit revoked certificates to the CRL. The CA is responsible for creating, distributing, and maintaining certificates and revoking the certificates when necessary as part of this process. Option B is incorrect. OCSP is a more streamlined approach as it works in the background and checks a central CRL to see if a certificate has been revoked. Option C is incorrect. OCSP, not the CRL, performs real-time validation of a certificate.
126. You are asked to see if several confidential files have changed, and you decide to use an algorithm to create message digests for the confidential files. Which algorithm would you use? A. AES B. RC4 C. Blowfish D. SHA-1
D. SHA-1 is a hashing algorithm that creates message digests and is used for integrity. Options A, B, and C are incorrect. They are symmetric algorithms used for encryption
70. You need to encrypt the signature of an email within a PKI system. Which of the following would you use? A. CER B. Public key C. Shared key D. Private key
D. The private key is used to encrypt the signature of an email, and the sender's public key is used to decrypt the signature and verify the hash value. Option A is incorrect. CER is a certificate file extension for an SSL certificate and is used by web servers to help confirm the identity and security of the site a user is visiting. Option B is incorrect. The public key is used to decrypt the signature to verify the sender. Option C is incorrect. The shared key is used in a symmetric algorithm and should not be used to encrypt and decrypt a signature of an email.
100. You are a network administrator for a distribution company and the manager wants to implement a secure wireless LAN for a BYOD policy. Through research, you determine that the company should implement AES encryption and the 802.1x authentication protocol. You also determine that too many APs and clients will be installed and you will need to configure each one with a preshared key passphrase. Which of the following will meet your needs? A. WEP B. WPA C. WPA2-Personal D. WPA2-Enterprise
D. WPA2-Enterprise will implement AES and require an authentication infrastructure with an authentication server (RADIUS) and an authenticator. WPA2-Enterprise provides better protection of critically important information with BYOD (Bring Your Own Device). Option A is incorrect. WEP is the weakest security protocol. WEP does not support AES or RADIUS. Option B is incorrect. WPA does not support AES or RADIUS. Option C is incorrect. WPA2-Personal supports AES but requires a preshared key passphrase to be entered on each device connecting to the network. This leads to shared passwords and doesn't control which device connects.