CompTIA Security+ SY0-601 Chapter 8


You are running virtual machines in the public cloud. For security reasons, you do not want each virtual machine to have a publicly accessible IP address. What should you configure to enable remote management of the virtual machines? Each answer is independent of the other. (Choose two). A. Jump box B. VPN C. Forward proxy server D. HSM

A and B. A jump box is a host with connectivity to both a public network such as the Internet as well as to an internal network. By authenticating to a jump box, from there remote management sessions to internal devices and hosts can be initiated. Using a VPN to connect to a private network would also enable remote management of devices and hosts.

Which term is used to describe network traffic within a data center? A. East-west traffic B. North-south traffic C. Honeynet traffic D. Honeypot traffic

A. East-west traffic refers to network transmissions occurring within the boundaries of a network environment, such as between physical and virtual devices and hosts within a single data center.

Which type of cryptographic operation serves as a one-way function resulting in a unique value? A. Hashing B. Encryption C. Data masking D. Tokenization

A. Hashing feeds data through a one-way cryptographic hashing algorithm such as SHA-256, which results in a unique value representative of the original data. This is used for storing standard Unix and Linux passwords in the /etc/shadow file and to track changes to files or network transmissions.

Currently in your organization, on-premises user app access is limited based on their security clearance and the type of mobile device they are using. You would like to extend this configuration to the cloud. Which security service should be enabled? A. Unified threat management B. Cloud access security broker C. DDoS mitigation D. Web application firewall

B. A cloud access security broker (CASB) provides services to centrally manage IT security policies including encryption, data loss prevention, authentication, and authorization across on-premises and cloud environments. CASB solutions can greatly enhance an organization's ability to comply with data privacy regulations.

To attract and monitor malicious user activity, you need to deploy a single server with fake data that appears vulnerable. What should you configure? A. Honeynet B. Honeypot C. Honeyfile D. DNS sinkhole

B. A honeypot is a decoy system configured to appear as a legitimate host that may contain legitimate sensitive data. The host is intentionally configured in this way to track malicious user activity. The resultant telemetry can provide insights to the security posture of the organization and indicate what must be done to harden the environment.

Your manager has asked you to configure performance alert notifications for abnormal app performance conditions. What must you establish first? A. IP addressing schema B. Baseline C. Network diagrams D. Naming conventions

B. A performance baseline is established over time during normal application performance. Comparing the baseline to current performance conditions can identify performance problems, which could be indicative of malicious activity such as excessive CPU utilization resulting from Bitcoin mining malware or other malicious apps.

Which of the following is used by file integrity monitoring? A. Encryption B. Hashing C. Data loss protection D. Quality of service

B. Hashing feeds data through a one-way cryptographic hashing algorithm such as SHA-256, which results in a unique value representative of the original data. This is used for storing standard Unix and Linux passwords in the /etc/shadow file and to track changes to files or network transmissions. File integrity monitoring can use hashing to detect changes to any type of file, including database, office productivity, and operating system files.

Virtual machines in your public cloud are configured with private IP addresses. Each virtual machine requires access only to the Internet. Which of the following options is the best choice? A. Web application firewall B. NAT gateway C. Unified threat management gateway D. Intrusion prevention system

B. Network address translation (NAT) gateways enable hosts with only private IP addresses to access Internet resources through the NAT gateway public IP address; this removes the need for all hosts to have public IP addresses.

You need to limit which devices can be active when plugged into a network switch port. What should you configure? A. Broadcast storm prevention B. MAC filtering C. Bridging loop prevention D. BPDU guard

B. Network interface cards are uniquely identified with a 48-bit hexadecimal Media Access Control (MAC) address. Network switch ports can be configured to allow only specific MAC addresses to be connected to a switch port and present on the network.

Your network infrastructure team has recommended dedicated VLANs with dedicated management interfaces for servers and network equipment. Which term best embodies this configuration? A. Data loss prevention B. Out-of-band management C. Bridge looping D. Route security

B. Out-of-band management refers to using an alternative connection (not the standard network communication medium) to manage network devices and hosts. This provides a layer of security and reliability due to network isolation.

VPN users complain that accessing Internet web sites when connected to the corporate VPN is very slow. Which VPN option should you configure to allow Internet access through the user's Internet connection when the corporate VPN is active? A. Always On VPN B. Split tunnel C. Full tunnel D. IPSec

B. Split tunneling can be configured for the VPN so that connections to corporate resources traverse the VPN and Internet connections go through the user's Internet connection.

To which of the following does SSL/TLS directly apply? (Choose two.) A. Data at rest B. Data in process C. Data in motion D. Data in transit

C and D. Data in motion and data in transit are the same thing: data being transmitted over a network. Secure Sockets Layer (SSL) and Transport Layer Security (TLS) are network security protocols that can encrypt network communications. SSL has been deprecated in favor of using newer versions of TLS such as version 1.3. SSL and TLS require a PKI certificate to secure connections, such as requiring a PKI certificate on a web server to allow HTTPS communication.

Users in your company use a VPN to connect to the corporate network. In terms of network placement, where should the VPN appliance be placed? A. Default VLAN B. Intranet C. Screened subnet D. Public cloud

C. A screened subnet is a network that resides between a public network such as the Internet and an internal secured network. Publicly accessible services such as corporate VPN end-points should be placed in a screened subnet. Firewall rules are still used to control traffic into and out of the screened subnet.

You need to connect branch office networks securely over the Internet. Which type of VPN should you deploy? A. Always On VPN B. Split tunnel C. Site-to-site D. IPSec

C. A site-to-site VPN can link networks, such as the networks at remote branch offices, together over the Internet. A VPN device must reside on each network. When the VPN tunnel is active, traffic between branch offices is encrypted as it traverses the VPN tunnel. Client end-point devices in each branch office do not need a VPN client configuration, as they would with a client-to-site VPN connection.

You need to enable secure remote access to internal company HTTPS web applications as well as SSH connections to internal Linux hosts for users authenticating over the Internet. What should you enable? A. Always On VPN B. Split tunnel C. HTML5 VPN portal D. Full tunnel

C. An HTML5 VPN portal enables users to make secured connections to private network resources over the Internet using only an HTML5 web browser. This is normally an option that must be enabled within a unified threat management (UTM) or next-generation firewall. HTML5 VPN portals are also called "clientless VPNs," since a separate VPN client is not required.

You run a small business and need an inexpensive, yet effective, network firewall solution. Which type of firewall should you consider? (Choose the best answer.) A. Unified threat management B. Proprietary C. Open source D. Next-generation

C. Open source software such as firewall software is normally inexpensive (often free), compared to proprietary software solutions.

Which of the following is a cryptographic hashing algorithm? A. 3DES B. AES C. SHA D. RSA

C. The Secure Hashing Algorithm (SHA-256) is a one-way cryptographic hashing algorithm that results in a unique value representative of the original data. This is used for storing standard Unix and Linux passwords in the /etc/shadow file and to track changes to files or network transmissions.

Your network intrusion detection system (NIDS) is configured to receive automatic updates for known malicious attacks. Which type of intrusion detection is used in this case? A. Anomaly-based B. Heuristic-based C. Signature-based D. Inline

C. Updated signature databases of known malware and attack patterns can be compared against current activity to determine if a suspicious incident is taking place. Both network intrusion prevention system (IPS) and network intrusion detection system (IDS) sensors can be used to collect and monitor network activity. The primary difference is that an IPS can take response and recovery steps to block suspicious activity, while an IDS is more focused on reporting and alerting.

You need a fast, secure, and reliable multihomed network perimeter solution that is designed to prevent specific types of network traffic from entering your corporate network. Which solution should you deploy? A. Software firewall B. Virtual firewall C. Host-based firewall D. Hardware firewall

D. Because hardware firewall appliances use firmware that is designed for security purposes, they are generally considered more reliable and fast than most software firewalls, which run within multipurpose operating systems.

You need to analyze all network traffic within a network switch. What must be configured? A. DHCP snooping B. MAC filtering C. BPDU guard D. Port mirroring

D. Capturing network traffic can be configured within a network switch using port spanning or mirroring, which copies all switch port network traffic to a designated monitoring port. The technician plugged into the monitoring port could then run network-capturing software such as Wireshark to analyze all switch network traffic.

You are configuring firewall ACLs. You need to allow DNS client queries to reach DNS servers hosted on different internal networks. Which details should exist in the rule to allow the DNS query traffic? A. TCP 53 B. UDP 161 C. TCP 80 D. UDP 53

D. Client DNS queries occur over UDP port 53. A, B, and C are incorrect. TCP port 53 is normally used for DNS zone transfers, or replication of DNS records among DNS servers as well as DNS replies larger than 512 bytes. UDP port 161 is used by the Simple Network Management Protocol (SNMP) used to remotely manage and view performance metrics of network devices and hosts. TCP port 80 is used for HTTP web server communication.

A security audit of your call center has revealed that callers' credit card numbers are shown on call center employees' screens while they are working with customer queries. What should be configured to conceal customer credit card numbers? A. Encryption B. Data loss prevention C. Data tokenization D. Data masking

D. Data masking is used to hide, or "mask," some or all parts of sensitive data, such as hiding all but the last few digits of a credit card account number. This enables call center workers to verify customer details without exposing the customer's entire credit card number.

Your organization stores sensitive medical data in the cloud. You must ensure that the data is not replicated outside of national boundaries for legal reasons. Which term best encompasses this scenario? A. Rights management B. API strategy C. Zero trust D. Data sovereignty

D. Data sovereignty refers to managing sensitive data that is subject to the laws present at the storage location.

Due to changes in your network infrastructure, you have been tasked with modifying firewalls to allow and block network traffic. Which aspect of the firewalls will you be configuring? A. File integrity monitoring B. Port taps C. Quality of service D. Access control lists

D. Firewall access control lists (ACLs) are collections of rules that contain transmission detail conditions such as source IP address, destination URL, port numbers, or protocol types that should be allowed or blocked.

You need to secure network traffic between clients and servers for multiple line of business apps running on your organization's private Microsoft Active Directory (AD) network. Which solution meets this requirement while minimizing the amount of technician effort? A. SSL/TLS B. L2TP C. Reverse proxy server D. IPSec

D. IPSec requires the least amount of administrative effort, because it can be configured centrally for Active Directory using Group Policy, and it can protect network traffic without having to configure individual applications specifically, unlike SSL/TLS.

Which statement best embodies the purpose of Network Access Control (NAC) solutions? A. DDoS mitigation B. Firewall ACLs C. Data loss prevention D. Control device network access

D. Network Access Control (NAC) solutions can control device network access by ensuring that connecting users and devices meet a variety of conditions before being granted network access, such as specific authentication method used, device type, up-to-date software patches, and so on. Some NAC solutions require an agent to be installed on connecting devices, whereas others are agentless.

Your firewall is configured to examine each individual packet without regard for network sessions. Which type of firewall is being used? A. Stateful B. Web application firewall C. Content filtering (aka URL filtering) D. Stateless

D. To determine whether network traffic should be allowed or blocked, stateless firewalls examine each packet and treat each independently from the others with no regard for the relationship of packets in a network session.
