Security+ SYO-401 Chapter 4: Securing Your Network
Your organization is planning to implement a wireless network using WPA2 Enterprise. Of the following choices, what is required? A. An authentication server with a digital certificate installed on the authentication server. B. An authentication server with DHCP installed on the authentication server. C. An authentication server with DNS installed on the authentication server. D. An authentication server with WEP running on the access point.
A. An authentication server with a digital certificate installed on the authentication server. WPA2 Enterprise requires an 802.1x authentication server and most implementations require a digital certificate installed on the server. The network will likely have Dynamic Host Configuration Protocol and Domain Name System services, but it isn't necessary to install them on the authentication server. Wired Equivalent Privacy provides poor security and is not compatible with WPA2 Enterprise.
An attacker is able to access email contact lists on your smartphone. What type of attack is this? A. Bluesnarfing B. War chalking C. War driving D. Bluejacking
A. Bluesnarfing Attackers are able to access data on a smartphone in a bluesnarfing attack. War chalking is the practice of marking the location of wireless networks. War driving is the practice of looking for wireless networks, often by driving around. Bluejacking is the practice of sending unsolicited messages to other Bluetooth devices.
You are assisting a small business owner in setting up a public wireless hot spot for her customers. Which of the following actions are MOST appropriate for this hot spot? A. Enabling Open System Authentication B. Enabling MAC filtering C. Disabling SSID broadcast D. Installing Yagi antennas
A. Enabling Open System Authentication Open System Authentication is the best choice of those given for a public wireless hot spot. It is used with Wired Equivalent Privacy, doesn't require users to enter a preshared key or passphrase, and doesn't require the business owner to give out this information. It's also possible to disable security for the hot spot. Media access control address filtering would be very difficult to maintain. Disabling service set identifier broadcasting would make it difficult to find the wireless network, and installing a directional Yagi antenna isn't appropriate for a hot spot that needs an omnidirectional antenna.
Homer is able to connect to his company's wireless network with his smartphone but not with his laptop computer. Which of the following is the MOST likely reason for this disparity? A. His company's network has a MAC address filter in place. B. His company's network has enabled SSID broadcast. C. His company's network has enabled CCMP. D. His company's network has enabled WPA2 Enterprise.
A. His company's network has a MAC address filter in place. A media access control address filter allows devices based on their MAC addresses, so it is likely that the filter is allowing Homer's smartphone but not allowing his laptop computer. Enabling service set identifier broadcast makes the network easier for casual users to see, but SSID broadcast doesn't block access even when it is disabled. Wi-Fi Protected Access II and Counter Mode Cipher Block Chaining Message Authentication Code Protocol both provide strong security, but they do not differentiate between devices.
Which of the following network tools includes sniffing capabilities? A. IDS B. WAP C. VPN D. NAC
A. IDS Intrusion detection systems and intrusion prevention systems include sniffing capabilities, allowing them to inspect packet streams for malicious activity. None of the other tools have the capability of inspecting packets. A wireless access point provides access to a wired network for wireless devices. A virtual private network provides access to an internal network for remote users. A network access control system inspects clients to ensure they meet minimum security requirements.
You need to provide connectivity between two buildings without running any cables. You decide to use two WAPs and a high-gain directional antenna. Which of the following antennas is the BEST choice to meet this need? A. Yagi B. Omni C. Isotropic D. Dipole
A. Yagi A Yagi antenna is a high-gain directional antenna with a very narrow radiation pattern and is an ideal choice for this scenario. An isotropic antenna is theoretical and indicates the signal goes in all directions equally. Omnidirectional and dipole antennas attempt to mimic an isotropic antenna, but have stronger gains horizontally than vertically, assuming they are standing vertically.
Administrators have noticed an increased workload recently. Which of the following can cause an increased workload from incorrect reporting? A. False negatives B. False positives C. Separation of duties D. Signature-based IDSs
B. False positives False positives can cause an increased workload because they falsely indicate an alert has occurred. A false negative doesn't report an actual attack, so it doesn't increase the workload because administrators are unaware of the attack. Separation of duties ensures a single person can't control an entire process, so it is unrelated to increased workload. Signature-based intrusion detection systems don't necessarily cause an increased workload unless they have a high incidence of false positives.
Your organization hosts three wireless networks for different purposes. A recent site survey audit discovered the information shown in the following table:

SSID                    Security  Channel  Power
GetCertifiedVisitors    WPA2      1        71 dBm
GetCertifiedEmployee    WPA2      2        94 dBm
GetCertifiedEmployees   WPA2      3        73 dBm
GetCertifiedKiosk       WPA2      5        79 dBm

What does this indicate? A. Evil twin B. Rogue access point C. Interference D. Near field communication
B. Rogue access point This indicates a rogue access point because the organization is hosting three wireless networks, but the survey found four. A rogue access point typically has a similar name. An evil twin will have the exact same name as an authorized WAP. An interference or jamming attack would make it difficult to connect to the access points, causing users to disconnect often. Near field communication refers to two devices communicating when they are close to each other and is unrelated to this scenario.
A HIDS reported a vulnerability on a system using an assigned vulnerability identification number. After researching the number on the vendor's web site, you identify the recommended solution and begin applying it. What type of HIDS is in use? A. Network-based B. Signature-based C. Heuristic-based D. Anomaly-based
B. Signature-based If the issue has an assigned number, it must be known, so it is signature-based. A host-based intrusion detection system is not network-based. A heuristic-based detection system catches issues that are not previously known.
You are assisting a user in the implementation of a wireless network in his home. The wireless hardware he has requires the RC4 protocol. What type of security is BEST for this network? A. WEP B. WPA-TKIP C. WPA-AES D. WPA2 Enterprise
B. WPA-TKIP Temporal Key Integrity Protocol uses RC4 and is compatible with older hardware, so Wi-Fi Protected Access with TKIP is the best option for this network. Wired Equivalent Privacy uses RC4, but it is not secure and should not be used. WPA with Advanced Encryption Standard is stronger, but it uses AES instead of RC4. Wi-Fi Protected Access II Enterprise requires an 802.1x server and does not use RC4.
Management is concerned about malicious activity on your network and wants to implement a security control that will detect unusual traffic on the network. Which of the following is the BEST choice to meet this goal? A. Network firewall B. Signature-based IDS C. Anomaly-based IDS D. Honeypot
C. Anomaly-based IDS An anomaly-based detection system compares current activity with a previously created baseline to detect any anomalies or changes. A network firewall blocks and allows traffic, but does not detect unusual traffic. Signature-based systems use signatures similar to antivirus software. A honeypot is a server designed to look valuable to an attacker and can divert attacks.
A security company wants to identify and learn about current and new attack methodologies. Which of the following is the BEST choice to meet this objective? A. Pen test B. HIDS C. Honeypots D. Firewall logs
C. Honeypots A honeypot is a server designed to look valuable to an attacker and can help administrators learn about zero-day exploits, or previously unknown attacks. Security personnel perform a pen test to determine if attackers can exploit existing vulnerabilities, but attackers may not try to do so. A host-based intrusion detection system attempts to detect intrusions on an individual host, but may not catch new methods against the network. Firewall logs can log connections, but don't identify new attack methods.
Your organization is planning to implement a VPN and wants to ensure it is secure. Which of the following protocols is the BEST choice to use with the VPN? A. HTTP B. SFTP C. IPsec D. PPTP
C. IPsec Internet Protocol Security is one of several protocols used to secure virtual private network traffic. It is the best choice of the available answers. Hypertext Transfer Protocol doesn't provide any security. Secure File Transfer Protocol secures FTP transmissions but not VPNs. Point-to-Point Tunneling Protocol is an older protocol used with VPNs, but it is not as secure as IPsec.
Management asks you if you can modify the wireless network to prevent users from easily discovering it. Which of the following would you modify to meet this goal? A. CCMP B. WPA2 Enterprise C. SSID broadcast D. MAC address filter
C. SSID broadcast You can disable service set identifier broadcasting to prevent users from easily discovering the wireless network. None of the other methods hide the network. Counter Mode Cipher Block Chaining Message Authentication Code Protocol provides stronger security for Wi-Fi Protected Access II, and WPA2 Enterprise adds authentication for a wireless network. Media access control address filtering can restrict access to the wireless network.
Your network IDS recently detected an attack on a server. Upon investigation, you discover that the IDS does not have a signature on this attack. Instead, the IDS detected it using a heuristic analysis. Of the following choices, what is the MOST likely category of this attack? A. Definition B. CVE C. Zero-day D. Phishing
C. Zero-day Heuristic analysis has the best chance of detecting a zero-day attack. A zero-day attack is one that is unknown to vendors, and because this attack doesn't have a signature, it is most likely unknown. Definition-based intrusion detection systems are the same as signature-based IDSs. Many signatures are based on the Common Vulnerabilities and Exposures list. A phishing attack is an email, not an attack on a server.
Of the following choices, what can you use to divert malicious attacks on your network away from valuable data to worthless fabricated data? A. IPS B. Proxy server C. Web application firewall D. Honeypot
D. Honeypot A honeypot can divert malicious attacks to a harmless area of your network, such as away from production servers holding valid data. An intrusion prevention system can block attacks, but it doesn't divert them. A proxy server can filter and cache content from web pages, but doesn't divert attacks. A web application firewall is an additional firewall designed to protect a web application.
You want to implement the STRONGEST level of security on a wireless network. Which of the following supports this goal? A. Implementing WEP B. Disabling SSID Broadcast C. Enabling MAC filtering D. Implementing WPA2
D. Implementing WPA2 Wi-Fi Protected Access II provides the strongest level of security of the available answers. Wired Equivalent Privacy is weak and should not be used. Disabling service set identifier broadcast hides the network from casual users, but attackers can still discover it because the SSID is still included in some packets in plaintext. Attackers can bypass media access control address filtering by spoofing authorized MAC addresses.
An automated process isolated a computer in a restricted VLAN because the process noticed the computer's antivirus definitions were not up to date. What is the name of this process? A. NFC B. NIPS C. NIDS D. NAC
D. NAC Network access control is a group of technologies that can inspect systems and control their access to a network. In this scenario, NAC changed the computer's IP address to quarantine it in a restricted virtual local area network. Near field communication refers to standards that allow mobile devices to communicate with each other and is not related to VLANs. Network-based intrusion prevention systems and network-based intrusion detection systems protect a network from intrusions, but do not quarantine internal systems.
A war driver is capturing traffic from a wireless network. When an authorized client connects, the attacker is able to implement a brute force attack to discover the encryption key. What type of attack did this war driver use? A. WPS attack B. IV attack C. Packet injection D. WPA cracking
D. WPA cracking A Wi-Fi Protected Access cracking attack captures traffic and then performs an offline brute force attack to discover the encryption key. Wi-Fi Protected Setup attacks also use brute force, but do not need to wait for an authorized client to connect. Initialization vector attacks often use packet injection techniques to generate more traffic in Wired Equivalent Privacy attacks.
You are planning to deploy a WLAN and you want to ensure it is secure. Which of the following provides the BEST security? A. WEP Enterprise B. WPA2 TKIP C. SSID broadcast D. WPA2 CCMP
D. WPA2 CCMP Wi-Fi Protected Access II with Counter Mode Cipher Block Chaining Message Authentication Code Protocol provides the best security of those listed. Wired Equivalent Privacy is not secure and is not available in Enterprise mode. CCMP is stronger than Temporal Key Integrity Protocol. Service set identifier broadcast indicates the network name is broadcast, but this doesn't provide any security. If SSID broadcast is disabled, it hides the network from casual users, but attackers can still see it.