31 - Questions - Security Threat Defenses
Assume that you are traveling and are connected to a public wireless network. Your company uses multiple tunneling policies for a VPN session. To ensure that your internet traffic and traffic when accessing internal resources remains confidential, which policy must you use?
Full-tunneling
Which statement is correct regarding how ESP modes protect an IP packet?
In the tunnel mode, security is provided for the complete original IP packet.
Which statement regarding TLS is correct?
The correct answer is "TLS is natively supported in browsers." TLS is natively supported in modern browsers; therefore, there is no need for users to install any additional software on their devices. Cryptographically, TLS relies on PKI and digital certificates for authentication. The most widely used application that uses TLS is HTTPS, but other well-known applications also use it.
Which three options are important services that network security aims to provide to manage risk? (Choose three.)
Confidentiality Availability Integrity
In a WLAN, a common key can be used for which three things? (Choose three.)
Authentication only Encryption only Authentication + Encryption
How does Unicast Reverse Path Forwarding help with DoS and DDoS attacks mitigation?
By verifying the "reachability" of the source address in packets being forwarded.
Which statement regarding the SSL and TLS is true?
SSL and TLS rely on PKI and digital certificates for authentication.
Which statement is correct regarding traditional firewalls?
The correct answer is "A traditional firewall can be deployed as a hardware or a virtual appliance." All firewalls have some traffic-filtering capabilities, and they have ability to enforce access control policies between two or more security zones. On the other hand, NGFWs also have some additional capabilities such as comprehensive network visibility, URL filtering, enforcement of policies based on type of application and ability to identify malware in the network.
Which method provides the strongest encryption in wireless networks?
The correct answer is "AES." AES allows for longer keys and is used for most WLAN security. On the other hand, WEP uses a shared key, which is a very weak form of encryption (no longer used), while WPA2, which is the current implementation of the 802.11i security standard, deprecates the use of WEP, WPA, and TKIP. DES is not commonly used in wireless networks, as well as it provides weaker security than AES.
You want to send an email to a specific customer, while guaranteeing that only this customer receives it. Which security concept must the email system provide to prevent sensitive information from reaching the wrong people?
The correct answer is "confidentiality." Providing confidentiality of data ensures that only authorized users can view sensitive information. Providing integrity of data guarantees that the data cannot be altered during the transport by unauthorized people. In a sense, it ensures the authenticity of data. Providing availability ensures that authorized users are able to access the information when needed. Lastly, anti-replay is a subprotocol of IPSec that ensures that the packets cannot be replayed later in time.
What is the main functionality of the Cisco WSA?
The correct answer is: "scans web traffic". The Cisco Web Security Appliance scans web traffic. This system uses the Cisco WSA Dynamic Vectoring and Streaming (DVS) engine, and third party verdict engines from Webroot, Sophos, and McAfee, to provide best-of-breed protection against the widest variety of web-based threats.
Which two statements are true regarding asymmetric encryption algorithms? (Choose two.)
The correct answers are "The key that is used for encryption is different from the key that is used for decryption" and "Asymmetric algorithms are substantially slower than symmetric algorithms." Asymmetric encryption uses different keys to encrypt and decrypt data. Asymmetric algorithms are substantially slower than symmetric algorithms. Their design is based on computational problems, such as factoring extremely large numbers or computing discrete logarithms of extremely large numbers. Examples of asymmetric cryptographic algorithms include RSA, DSA, ElGamal, and elliptic curve algorithms. Lastly, the key management of asymmetric algorithms tends to be simpler than symmetric algorithms.
Which two algorithms provide the confidentiality in a VPN? (Choose two.)
The correct answers are: "AES" and "3DES." Both AES and 3DES are encryption algorithms. AES provides stronger security than DES and is computationally more efficient than 3DES. Data encryption prevents third parties from reading the data. Only the IPsec peer can decrypt and read the encrypted data. Lastly, SHA-1, SHA-2, and MD5 are hashing algorithms that are used to ensure data integrity.
Which three characteristics correctly describe wireless protected access for enterprise? (Choose three.)
The correct answers are: "Authentication server is required," "It offers centralized access control," and "Encryption uses TKIP and optional AES." Enterprise authentication uses 802.1X and EAP-based authentication. The EAP authentication process provides the AAA features that are missing in WPA-Personal, allowing each user or device to be individually authenticated-a policy that is based on the authentication ID applied (authorization) and the collection of statistics that are based on authentication ID (accounting). Lastly, the enterprise authentication uses TKIP and optional AES, where the latter is recommended.
Which WPA3 feature uses 802.1X for authentication?
WPA3-Enterprise
How does remotely triggered black hole filtering help with DoS and DDoS attacks?
The correct answer is "By dropping undesirable traffic before it enters a protected network." Remotely triggered black hole (RTBH) filtering can drop undesirable traffic before it enters a protected network. Network black holes are places where traffic is forwarded and dropped. When an attack has been detected, black holing can be used to drop all attack traffic at the network edge based on either destination or source IP address.
Which IPsec component ensures that data arrives unchanged to the destination?
The correct answer is "SHA-2." IPsec relies on existing algorithms to implement encryption, authentication, and key exchange. SHA-2 based algorithms are used for data integrity, in place of the aging MD5 and SHA-1 based algorithms. AES is now commonly implemented for confidentiality, in place of the aging DES and 3DES technologies. Lastly, PSKs are used for origin authentication.
Which type of traffic inspection observes network traffic over time and builds a normal profile of traffic behavior?
The correct answer is "statistical-anomaly detection." Both statistical-anomaly detection and protocol verification are anomaly-based network IPS. Statistical anomaly detection observes network traffic over time and builds a statistical profile of normal traffic, based on traffic flows. On the other hand, the protocol verification observes network traffic and compares network, transport, and application layer protocols that are used inside network traffic to standard-based protocol behavior. A signature-based IPS examines the packet headers or data payloads in network traffic and compares the data against a database of known attack signatures. Lastly, a policy-based IPS analyzes network traffic and takes action if it detects a network event outside a configured traffic policy.
Which two capabilities does an NGFW have that a traditional firewall does not have? (Choose two.)
ability to provide actionable indications of compromise to identify malware activity comprehensive network visibility
What is the purpose of Web reputation filters?
analyze web server behavior and assign a reputation score to a URL
Match the IPsec component with its category.
confidentiality AES authentication ECDSA key management IKE data integrity SHA-2
Match the concept with the appropriate description.
ensuring that only authorized parties can read a message confidentiality ensuring that any messages received were actually sent from the perceived origin origin authentication ensuring that the original source of a secured message cannot deny having produced the message non-repudiation ensuring that any changes to data in transit will be detected and rejected data integrity
Which type of traffic inspection uses pattern matching?
signature-based inspection
