Exam 4 Study Guide


A security analyst is using tcpdump to capture suspicious traffic detected on port 443 of a server. The analyst wants to capture the entire packet with hexadecimal and ASCII output only. Which of the following tcpdump options will achieve this output?

-SX port 443
(-X prints each packet as hex and ASCII; -S prints absolute rather than relative TCP sequence numbers. On older tcpdump builds add -s 0 so the snapshot length covers the whole packet; current versions default to a 262144-byte snaplen.)

Match the Class of Service (CoS) priority on the left with its corresponding value on the right.

0 - Background
1 - Best Effort
2 - Excellent Effort
3 - Critical applications
4 - Video (< 100 ms latency)
5 - Voice (< 10 ms latency)
6 - Internetwork control
7 - Network control

Which TCP/IP utility gives you the following output?

ipconfig

An employee named Bob Smith, whose username is bsmith, has left the company. You have been instructed to delete his user account and home directory. Which of the following commands would produce the desired outcome? (Select two.)

userdel bsmith; rm -rf /home/bsmith
userdel -r bsmith
(userdel -r removes the home directory and mail spool together with the account; plain userdel leaves the home directory behind, which is why the first answer needs the explicit rm.)

You have performed an audit and found an active account for an employee with the username joer. This user no longer works for the company. Which command can you use to disable this account?

usermod -L joer

Which Class of Service (CoS) priority value should be assigned to a video conference call?

4

You have a Windows 10 system. You have used the Settings app to access Windows Update. From this location, how long can you pause updates?

7 days (the Pause updates for 7 days button). On current Windows 10 builds the pause can be extended from Advanced options, up to 35 days in total.

You have a company network with a single switch. All devices connect to the network through the switch. You want to control which devices will be able to connect to your network. For devices that do not have the latest operating system patches, you want to prevent access except to a special server that holds the patches the computers need to download. Which of the following components should be part of your solution? (Select two.)

802.1x authentication
Remediation servers

Match the port security MAC address type on the left with its description on the right.

A MAC address that is manually identified as an allowed address. -> SecureConfigured
A MAC address that has been learned and allowed by the switch. -> SecureDynamic
A MAC address that is manually configured or dynamically learned and is saved in the config file. -> SecureSticky

What is WindowsUpdate.log?

The log of Windows Update client activity, used to locate errors or problems. On Windows 10 it is no longer kept as a plain text file: you generate it on demand with the Get-WindowsUpdateLog PowerShell cmdlet, which merges the ETW trace files into a readable WindowsUpdate.log (saved to the desktop by default).

Which of the following is the strongest form of multi-factor authentication?

A password, a biometric scan, and a token device

Which of the following is an example of two-factor authentication?

A token device and a PIN

You have been asked to perform a penetration test for a company to see if any sensitive information can be captured by a potential hacker. You used Wireshark to capture a series of packets. Using the tcp contains Invoice filter, you found one packet. Using the captured information shown, which of the following is the name of the company requesting payment?

ACME, Inc

You are configuring the Local Security Policy on a Windows system. You want to require users to create passwords that are at least 10 characters in length. You also want to prevent login after three unsuccessful login attempts. Which policies should you configure? (Select two.)

Account lockout threshold
Minimum password length

Which of the following components do switches use to optimize network performance by performing switching operations in hardware rather than using the CPU and software?

An application-specific integrated circuit

You are the network administrator for a small corporate network. While working on your Linux server, you have determined that you need to enable and disable a few services. In this lab, your task is to: Use the systemctl command to enable anaconda.service. Use the systemctl command to disable vmtoolsd.service. After each command, check the service status with the systemctl is-enabled command.

Complete this lab as follows:
1. Enable the Anaconda service.
   a. From the Favorites bar, select Terminal.
   b. At the Terminal prompt, type systemctl enable anaconda.service and press Enter.
   c. Type systemctl is-enabled anaconda.service and press Enter to check the service's status (it should print enabled).
2. Disable the VMware Tools service.
   a. Type systemctl disable vmtoolsd.service and press Enter.
   b. Type systemctl is-enabled vmtoolsd.service and press Enter to check the service's status (it should print disabled).
Note that enable and disable only change whether the unit starts at boot; a service that is currently running keeps running until you stop it (systemctl stop vmtoolsd.service, or use disable --now to do both in one step).

You are the IT security administrator for a small corporate network. You need to increase the security on the switch by updating the switch's firmware. In this lab, your task is to: Import the latest firmware file found in C:\Sx300_Firmware. Change the switch's active image to the version just imported. Complete the required steps to be able to start using the new update.

Complete this lab as follows:
1. Import a new firmware image for the Cisco switch.
   a. From the right pane, under Quick Access, select Upgrade Device Software.
   b. For File Name, select Choose File.
   c. Browse to and select C:\Sx300_Firmware\Sx300_FW-1.2.7.76.ros.
   d. Select Open.
   e. Select Apply, then OK, then Done.
2. Change the switch's active image to 1.2.7.76.
   a. From the left pane, under Administration > File Management, select Active Image.
   b. For Active Image After Reboot, use the drop-down menu to select 1.2.7.76.
   c. Select Apply.
3. Reboot the switch to start using the new firmware.
   a. From the left pane, under Administration, select Reboot.
   b. From the right pane, select Reboot, then OK.

You are logged on to your computer as Abigail Pain (apain), who is an administrator on this system. However, you think someone has learned your password. In this lab, your task is to change your password using the following information: Current password: P@ssw0rd (use a zero) New password: V3rySecure1@

Complete this lab as follows:
1. Open the Terminal: from the Favorites bar, select Terminal.
2. Change your password to V3rySecure1@.
   a. At the Terminal prompt, type passwd and press Enter.
   b. When prompted, enter your current password, P@ssw0rd (use a zero), and press Enter. The cursor does not move while you type a password; keep typing anyway.
   c. At the New password prompt, type V3rySecure1@ and press Enter.
   d. Retype V3rySecure1@ as the new password and press Enter.

You have been asked to perform administrative tasks for a computer that is not a member of a domain. To increase security and prevent unauthorized access to the computer, you need to configure specific password and account lockout policies. In this lab, your task is to use the Local Security Policy to configure the following password and account lockout policies: Configure password settings so that the user must: Cycle through 10 passwords before reusing an old one. Change the password every 90 days. Keep the password at least 14 days. Create a password at least 8 characters long. Create a password that meets complexity requirements, such as using uppercase letters, lowercase letters, numbers, or symbols. Configure the account lockout policy to: Lock out any user who enters 5 incorrect passwords. Unlock an account automatically after 60 minutes. Configure the number of minutes that must elapse after a failed logon attempt to 10 minutes.

Complete this lab as follows:
1. Using Windows Administrative Tools, access the Local Security Policy.
   a. Select Start.
   b. Locate and expand Windows Administrative Tools.
   c. Select Local Security Policy. Maximize the window for easier viewing.
2. Configure the password policies.
   a. From the left pane, expand Account Policies and then select Password Policy.
   b. From the center pane, expand the Policy column for better viewing.
   c. Double-click the policy to be configured.
   d. Configure the policy settings (Enforce password history: 10 passwords remembered; Maximum password age: 90 days; Minimum password age: 14 days; Minimum password length: 8 characters; Password must meet complexity requirements: Enabled).
   e. Click OK.
   f. Repeat steps 2c-2e to configure the additional password policies.
3. Configure the account lockout policies.
   a. From the left pane, select Account Lockout Policy.
   b. From the center pane, expand the Policy column.
   c. Double-click the policy to be configured.
   d. Configure the policy settings (Account lockout threshold: 5 invalid logon attempts; Account lockout duration: 60 minutes; Reset account lockout counter after: 10 minutes). Answer any prompts shown; setting the threshold offers to fill in the other two values.
   e. Click OK.
   f. Repeat steps 3c-3e to configure the additional lockout policies.

Your organization uses a time-keeping application that only runs on Windows 2000 and does not run on newer OS versions. Because of this, there are several Windows 2000 workstations on your network. Last week, you noticed unusual activity on your network coming from the workstations. After further examination, you discover that they were victims of a malicious attack and were being used to infiltrate the network. You find out that the attackers were able to gain access to the workstations because of the legacy operating system being used. Your organization still needs to use the Windows 2000 workstations (which need to be connected to the internet) but you want to make sure that the network is protected from future attacks. Which solution should you implement to protect the network while also allowing operations to continue as normal?

Configure VLAN membership so that the Windows 2000 workstations are on their own VLAN.
(Isolating the legacy hosts on their own VLAN limits what a compromised workstation can reach; traffic between that VLAN and the rest of the network should then be restricted at the router or firewall, allowing only the internet access the application needs.)

A network switch is configured to perform the following validation checks on its ports: All ARP requests and responses are intercepted. Each intercepted request is verified to ensure that it has a valid IP-to-MAC address binding. If the packet has a valid binding, the switch forwards the packet to the appropriate destination. If the packet has an invalid binding, the switch drops the ARP packet. Which security feature was enabled on the switch to accomplish this task?

Dynamic ARP inspection

For users on your network, you want to automatically lock user accounts if four incorrect passwords are used within 10 minutes. What should you do?

Configure account lockout policies in Group Policy

You want to make sure that all users have passwords over eight characters in length and that passwords must be changed every 30 days. What should you do?

Configure account policies in Group Policy.
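
The account-policy questions above (and the Local Security Policy lab) describe how Windows combines a lockout threshold, an observation window and a lockout duration with password length, complexity, history and age rules. The following is an added example, not from the study guide, that models those rules with the lab's values so their interaction can be tried on known input. The hash function, the in-memory account record and the names are assumptions for the demo; Windows enforces these rules inside the LSA.

```python
"""Model of Windows password and account-lockout policy (added example)."""
import hashlib
import hmac
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional


def _hash(password: str, salt: bytes) -> bytes:
    # Assumption: PBKDF2-HMAC-SHA256 stands in for the NT hash; the policy
    # logic below does not depend on which hash is used.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 50_000)


@dataclass
class PasswordPolicy:
    min_length: int = 8
    complexity: bool = True                   # 3 of 4 character classes, no account name
    history_size: int = 10                    # "Enforce password history"
    min_age: timedelta = timedelta(days=14)
    max_age: timedelta = timedelta(days=90)


@dataclass
class LockoutPolicy:
    threshold: int = 5                                      # 0 would mean "never lock"
    reset_counter_after: timedelta = timedelta(minutes=10)  # observation window
    duration: timedelta = timedelta(minutes=60)             # auto-unlock after this


@dataclass
class Account:
    name: str
    salt: bytes
    pw_hash: bytes
    last_set: datetime
    history: List[bytes] = field(default_factory=list)  # previous hashes, newest first
    failures: int = 0
    last_failure: Optional[datetime] = None
    locked_until: Optional[datetime] = None


def new_account(name: str, password: str, now: datetime) -> Account:
    salt = hashlib.sha256(name.encode()).digest()[:16]  # deterministic salt for the demo
    return Account(name, salt, _hash(password, salt), now)


def complexity_ok(name: str, pw: str) -> bool:
    classes = (any(c.isupper() for c in pw), any(c.islower() for c in pw),
               any(c.isdigit() for c in pw), any(not c.isalnum() for c in pw))
    return sum(classes) >= 3 and name.lower() not in pw.lower()


def password_change_errors(acct, new_pw, pol, now) -> List[str]:
    """Every reason the change would be refused; an empty list means accepted."""
    errors = []
    if now - acct.last_set < pol.min_age:
        errors.append("minimum age not reached")
    if len(new_pw) < pol.min_length:
        errors.append("too short")
    if pol.complexity and not complexity_ok(acct.name, new_pw):
        errors.append("fails complexity")
    remembered = ([acct.pw_hash] + acct.history)[:pol.history_size]
    if any(hmac.compare_digest(_hash(new_pw, acct.salt), h) for h in remembered):
        errors.append("already in history")
    return errors


def change_password(acct, new_pw, pol, now) -> List[str]:
    errors = password_change_errors(acct, new_pw, pol, now)
    if not errors:
        acct.history.insert(0, acct.pw_hash)
        acct.pw_hash, acct.last_set = _hash(new_pw, acct.salt), now
    return errors


def password_expired(acct, pol, now) -> bool:
    return now - acct.last_set >= pol.max_age


def attempt_login(acct, pw, pol, now) -> str:
    """Returns 'ok', 'bad-password' or 'locked' (locked even for the right password)."""
    if acct.locked_until is not None:
        if now < acct.locked_until:
            return "locked"
        acct.locked_until, acct.failures = None, 0       # duration elapsed: auto-unlock
    if hmac.compare_digest(_hash(pw, acct.salt), acct.pw_hash):
        acct.failures = 0
        return "ok"
    # "Reset account lockout counter after": a failure older than the window
    # no longer counts toward the threshold.
    if acct.last_failure is None or now - acct.last_failure >= pol.reset_counter_after:
        acct.failures = 0
    acct.failures += 1
    acct.last_failure = now
    if pol.threshold and acct.failures >= pol.threshold:
        acct.locked_until = now + pol.duration
        return "locked"
    return "bad-password"


def demo() -> dict:
    t0, pp, lp = datetime(2024, 1, 1, 9, 0), PasswordPolicy(), LockoutPolicy()
    day = lambda n: t0 + timedelta(days=n)  # noqa: E731 (demo helper)
    r, a = {}, new_account("apain", "V3rySecure1@", t0)
    r["fifth_failure"] = [attempt_login(a, f"guess{i}", lp, t0 + timedelta(minutes=i)) for i in range(5)][-1]
    r["correct_but_locked"] = attempt_login(a, "V3rySecure1@", lp, t0 + timedelta(minutes=6))
    r["after_60_min"] = attempt_login(a, "V3rySecure1@", lp, t0 + timedelta(minutes=64))
    b = new_account("bsmith", "V3rySecure1@", t0)
    for i in range(4):
        attempt_login(b, "wrong", lp, t0 + timedelta(minutes=i))
    r["spread_out"] = [attempt_login(b, "wrong", lp, t0 + timedelta(minutes=20 + i)) for i in range(4)][-1]
    r["too_soon"] = password_change_errors(a, "N3wPassw0rd!", pp, day(3))
    r["weak"] = password_change_errors(a, "apain123", pp, day(15))
    r["reuse"] = password_change_errors(a, "V3rySecure1@", pp, day(15))
    r["changed"] = change_password(a, "N3wPassw0rd!", pp, day(15))
    r["old_pw_after_change"] = attempt_login(a, "V3rySecure1@", lp, day(15))
    r["expired_at_105_days"] = password_expired(a, pp, day(105))
    return r


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Two details the demo makes visible: a locked account rejects the correct password until the duration expires, and four failures followed by a pause longer than the reset window never reach the threshold, which is exactly why the "4 bad passwords within 10 minutes" question is answered with all three lockout settings rather than the threshold alone.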

You have a website that uses multiple servers for different types of transactions. For example, one server is responsible for static web content, while another is responsible for secure transactions. You would like to implement a device to speed up access to your web content. The device should be able to distribute requests between the various web servers using specialized hardware, not just software configurations. In addition, SSL sessions should use the hardware components in the device to create the sessions. Which type of device should you use to accomplish this?

Content switch

Which of the following actions typically involve the use of 802.1x authentication? (Select two.)

Controlling access through a switch.
Controlling access through a wireless access point.

You manage a single domain named widgets.com. Organizational units (OUs) have been created for each company department. User and computer accounts have been moved into their corresponding OUs. Members of the Directors OU want to enforce longer passwords than are required for the rest of the users. You define a new granular password policy with the required settings. All users in the Directors OU are currently members of the DirectorsGG group, which is a global security group in that OU. You apply the new password policy to that group. Matt Barnes is the chief financial officer, and he would like his account to have even stricter password policies than are required for other members in the Directors OU. What should you do?

Create a granular password policy for Matt. Apply the new policy directly to Matt's user account.

You are a contractor that has agreed to implement a new remote access solution based on a Windows Server 2016 system for a client. The customer wants to purchase and install a smart card system to provide a high level of security to the implementation. Which of the following authentication protocols are you MOST likely to recommend to the client?

EAP. Smart-card logon is certificate based, so the concrete method is EAP-TLS, which authenticates the client with the certificate on the card and the server with its own certificate.

A user reports that she can't connect to the internet. After some investigation, you find that the wireless router has been misconfigured. You're responsible for managing and maintaining the wireless access point. What should you do next?

Create an action plan.

A network switch detects a DHCP frame on the LAN that appears to have come from a DHCP server that is not located on the local network. In fact, it appears to have originated from outside the organization's firewall. As a result, the switch drops the DHCP message from that server. Which security feature was enabled on the switch to accomplish this?

DHCP snooping
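
The two switch questions above describe the same pair of features from both sides: DHCP snooping builds a table of IP-to-MAC bindings from the DHCP exchanges it sees and drops server messages arriving on untrusted ports, and dynamic ARP inspection then validates ARP packets on untrusted ports against that table. The following is an added example, not from the study guide, that models both checks on constructed traffic. Port names, addresses and the message shapes are assumptions for the demo; real switches key the binding table by VLAN as well and use ARP ACLs for statically addressed hosts, which this model omits.

```python
"""Model of DHCP snooping and dynamic ARP inspection (added example)."""
from typing import Dict, List, Tuple

SERVER_MSGS = {"OFFER", "ACK", "NAK"}   # only legitimate from a trusted port


class Switch:
    def __init__(self, trusted_ports):
        self.trusted = set(trusted_ports)               # ports facing the real DHCP server
        self.bindings: Dict[str, Tuple[str, str]] = {}  # ip -> (mac, port), like "show ip dhcp snooping binding"
        self._pending: Dict[str, str] = {}              # client mac -> port it asked from
        self.log: List[str] = []

    def dhcp(self, port, msg, src_mac, chaddr, yiaddr=None) -> str:
        """DHCP snooping: returns 'forward' or 'drop'."""
        if port in self.trusted:
            if msg == "ACK" and chaddr in self._pending:      # lease granted: record the binding
                self.bindings[yiaddr] = (chaddr, self._pending.pop(chaddr))
            return "forward"
        if msg in SERVER_MSGS:                                # rogue server on an access port
            self.log.append(f"drop DHCP {msg} from {src_mac} on untrusted {port}")
            return "drop"
        if src_mac != chaddr:                                 # client lying about its hardware address
            self.log.append(f"drop DHCP {msg} on {port}: chaddr {chaddr} != source {src_mac}")
            return "drop"
        if msg in ("DISCOVER", "REQUEST"):
            self._pending[chaddr] = port
        elif msg == "RELEASE":                                # lease given back: binding goes away
            self.bindings = {ip: b for ip, b in self.bindings.items() if b != (chaddr, port)}
        return "forward"

    def arp(self, port, sender_mac, sender_ip) -> str:
        """DAI: the sender IP/MAC pair on an untrusted port must match a binding."""
        if port in self.trusted:
            return "forward"
        bound = self.bindings.get(sender_ip)
        if bound and bound[0] == sender_mac:
            return "forward"
        self.log.append(f"drop ARP on {port}: {sender_ip} is not bound to {sender_mac}")
        return "drop"


def scenario() -> dict:
    sw = Switch(trusted_ports={"Gi0/1"})                     # Gi0/1 is the uplink to the DHCP server
    client, rogue, server = "aa:aa:aa:00:00:01", "bb:bb:bb:00:00:02", "cc:cc:cc:00:00:10"
    r = {}
    sw.dhcp("Gi0/2", "DISCOVER", client, client)
    r["rogue_offer"] = sw.dhcp("Gi0/3", "OFFER", rogue, client, "192.168.0.200")
    sw.dhcp("Gi0/1", "OFFER", server, client, "192.168.0.45")
    sw.dhcp("Gi0/2", "REQUEST", client, client)
    sw.dhcp("Gi0/1", "ACK", server, client, "192.168.0.45")
    r["binding"] = sw.bindings.get("192.168.0.45")
    r["spoofed_chaddr"] = sw.dhcp("Gi0/3", "DISCOVER", rogue, client)
    r["client_arp"] = sw.arp("Gi0/2", client, "192.168.0.45")   # legitimate host
    r["gateway_spoof"] = sw.arp("Gi0/3", rogue, "192.168.0.1")  # classic ARP poisoning attempt
    r["ip_theft"] = sw.arp("Gi0/3", rogue, "192.168.0.45")      # claiming another host's lease
    r["trusted_arp"] = sw.arp("Gi0/1", server, "192.168.0.10")
    sw.dhcp("Gi0/2", "RELEASE", client, client)
    r["arp_after_release"] = sw.arp("Gi0/2", client, "192.168.0.45")
    r["drops"] = len(sw.log)
    return r


if __name__ == "__main__":
    for key, value in scenario().items():
        print(f"{key}: {value}")
```

The last case matters in practice: once a host releases its lease (or the binding ages out), its ARP traffic is dropped too, so hosts with static addresses need a static binding or an ARP ACL before DAI is enabled on their ports.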

Upon running a security audit in your organization, you discover that several sales employees are using the same domain user account to log in and update the company's customer database. Which action should you take? (Select two. Each response is part of a complete solution.)

Delete the account that the sales employees are currently using.
Train sales employees to use their own user accounts to update the customer database.

What does the Windows Update Delivery Optimization function do?

Delivery Optimization is a peer-to-peer download cache for Windows and Store app updates: a PC can obtain update content from other PCs on the local network (and, if allowed, on the internet) as well as from Microsoft's servers, which reduces the bandwidth each update consumes.

Users report that the network is down. As a help desk technician, you investigate and determine that a specific router is configured so that a routing loop exists. What should you do next?

Determine if escalation is needed.

A user reports that she can't connect to a server on your network. You check the problem and find out that all users are having the same problem. What should you do next?

Determine what has changed.

Which of the following is a best practice for router security?

Disable unused protocols, services, and ports.

Which EAP implementation is MOST secure?

EAP-TLS

A new assistant network administrator was recently hired by your organization to relieve some of your workload. You assigned the assistant network administrator to replace a defective patch cable that connected port 1 on your patch panel to one of your network switches. You noticed that it took him an unusually long time to complete this task. Once done, users almost immediately began to report that the network had gone down. Upon entering the server room, you see that the assistant administrator has configured your network rack as shown below. What should you do? (Choose two. Each response is a complete solution.)

Enable STP on each switch.
Remove the patch cable connecting the first switch to the third switch.

Which of the following are best practices for hardening a server? (Select three.)

Ensure that a host-based firewall is running.
Apply the latest patches and service packs.
Disable or uninstall unnecessary software.

You are a network administrator for your company. A frantic user calls you one morning exclaiming that nothing is working. What should you do next in your troubleshooting strategy?

Establish the symptoms.

A web server on your network hosts your company's public website. You want to make sure that an NIC failure doesn't prevent the website from being accessible on the internet. Which solution should you implement?

Ethernet bonding

You manage a single domain named widgets.com. Organizational units (OUs) have been created for each company department. User and computer accounts have been moved into their corresponding OUs. You define a password and account lockout policy for the domain. However, members of the Directors OU want to enforce longer passwords than are required for the rest of the users. You need to make the change as easily as possible. Which of the following actions should you take?

Implement a granular password policy for the users in the Directors OU.

Examine the following output:

Active Connections

  Proto  Local Address   Foreign Address                          State
  TCP    SERVER1:1036    localhost:4832                           TIME_WAIT
  TCP    SERVER1:4798    localhost:1032                           TIME_WAIT
  TCP    SERVER1:1258    pool-141-150-16-231.mad.east.ttr:24076   CLOSE_WAIT
  TCP    SERVER1:2150    cpe-66-67-225-118.roc.res.rr.com:14100   ESTABLISHED
  TCP    SERVER1:268     C872c-032.cpe.net.cale.rers.com:46360    ESTABLISHED
  TCP    SERVER1:2995    ip68-97-96-186.ok.ok.cox.net:23135       ESTABLISHED

Which of the following utilities produced this output?

netstat
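
Recognising the output is the exam skill; reading it is the operational one. The following is an added example, not from the study guide, that parses the netstat listing above (re-typed here as a constructed string) and answers the two questions an analyst asks of it: which foreign hosts have a live connection, and which sockets are stuck half-closed.

```python
"""Parser for Windows netstat output (added example)."""
from collections import Counter
from typing import Dict, List

# Constructed sample: the listing from the study-guide question, re-typed.
SAMPLE = """\
Active Connections

  Proto  Local Address   Foreign Address                          State
  TCP    SERVER1:1036    localhost:4832                           TIME_WAIT
  TCP    SERVER1:4798    localhost:1032                           TIME_WAIT
  TCP    SERVER1:1258    pool-141-150-16-231.mad.east.ttr:24076   CLOSE_WAIT
  TCP    SERVER1:2150    cpe-66-67-225-118.roc.res.rr.com:14100   ESTABLISHED
  TCP    SERVER1:268     C872c-032.cpe.net.cale.rers.com:46360    ESTABLISHED
  TCP    SERVER1:2995    ip68-97-96-186.ok.ok.cox.net:23135       ESTABLISHED
"""


def _split_endpoint(endpoint: str):
    # rpartition on the last colon: hostnames contain dots, not colons, and
    # an IPv6 endpoint such as [::1]:135 still splits correctly.
    host, _, port = endpoint.rpartition(":")
    return host, int(port)


def parse_netstat(text: str) -> List[Dict]:
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue                                   # title, header and blank lines
        lhost, lport = _split_endpoint(parts[1])
        fhost, fport = _split_endpoint(parts[2])
        rows.append({"proto": parts[0], "local_host": lhost, "local_port": lport,
                     "foreign_host": fhost, "foreign_port": fport,
                     "state": parts[3] if len(parts) > 3 else ""})  # UDP rows carry no state
    return rows


def state_counts(rows) -> Dict[str, int]:
    return dict(Counter(r["state"] for r in rows))


def external_established(rows) -> List[str]:
    """Foreign endpoints with a live connection that are not the local machine."""
    return [f'{r["foreign_host"]}:{r["foreign_port"]}' for r in rows
            if r["state"] == "ESTABLISHED"
            and r["foreign_host"] not in ("localhost", "127.0.0.1", "[::1]")]


def half_closed(rows) -> List[int]:
    """CLOSE_WAIT: the peer closed and the local application has not. A growing
    count usually means the local service is leaking sockets."""
    return [r["local_port"] for r in rows if r["state"] == "CLOSE_WAIT"]


if __name__ == "__main__":
    rows = parse_netstat(SAMPLE)
    print(state_counts(rows))
    print(external_established(rows))
    print(half_closed(rows))
```

On a real host, run netstat -ano (Windows) or ss -tnp (Linux) so each row also carries the owning process ID; with hostnames resolved, as in the sample, the same parser works, but -n avoids the reverse-DNS delay and the possibility of an attacker-controlled PTR record dressing up an address.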

Which of the following utilities could you use to lock a user account? (Select two.)

passwd (passwd -l)
usermod (usermod -L)
Both commands lock the account the same way, by prefixing the password hash in /etc/shadow with an exclamation mark so that no password can match it.
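
The audit question earlier on this page (an active account for a departed user, disabled with usermod -L) and the two lock utilities above rely on one convention: a leading ! on the hash in /etc/shadow. The following is an added example, not from the study guide, that parses constructed /etc/passwd and /etc/shadow excerpts, reports which interactive accounts belonging to departed users are still usable, and applies the same lock and unlock transformation that usermod -L and usermod -U perform. The user names, dates and hash strings are constructed placeholders.

```python
"""Audit of Linux accounts against a list of departed users (added example)."""
from typing import Dict, List

# Constructed /etc/passwd and /etc/shadow excerpts; the hashes are placeholders.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
apain:x:1000:1000:Abigail Pain:/home/apain:/bin/bash
joer:x:1001:1001:Joe R:/home/joer:/bin/bash
bsmith:x:1002:1002:Bob Smith:/home/bsmith:/bin/bash
svc-backup:x:1003:1003:backup service:/var/backup:/usr/sbin/nologin
"""
SHADOW = """\
root:$6$rootsalt$rootHASH:19700:0:99999:7:::
daemon:*:19700:0:99999:7:::
apain:$6$apainsalt$apainHASH:19700:14:90:7:::
joer:$6$joersalt$joerHASH:19000:0:99999:7:::
bsmith:!$6$bsmithsalt$bsmithHASH:19700:0:99999:7::19720:
svc-backup:*:19700:0:99999:7:::
"""
NOLOGIN_SHELLS = ("/usr/sbin/nologin", "/sbin/nologin", "/bin/false")


def parse_passwd(text: str) -> Dict[str, dict]:
    out = {}
    for line in text.splitlines():
        f = line.split(":")                       # name:x:uid:gid:gecos:home:shell
        out[f[0]] = {"uid": int(f[2]), "home": f[5], "shell": f[6]}
    return out


def parse_shadow(text: str) -> Dict[str, dict]:
    out = {}
    for line in text.splitlines():
        f = line.split(":")   # name:hash:lastchg:min:max:warn:inactive:expire:reserved (days since epoch)
        out[f[0]] = {"hash": f[1], "lastchg": int(f[2] or 0), "max": int(f[4] or 99999),
                     "expire": int(f[7]) if f[7] else None}
    return out


def password_state(h: str) -> str:
    if h == "":
        return "empty"             # logs in with no password at all
    if h in ("*", "!!", "!*", "*LK*"):
        return "no-password"       # never had one (service accounts)
    if h.startswith("!"):
        return "locked"            # usermod -L / passwd -l
    return "active"


def lock_hash(h: str) -> str:      # what usermod -L writes
    return h if h.startswith("!") else "!" + h


def unlock_hash(h: str) -> str:    # what usermod -U writes
    return h[1:] if h.startswith("!") else h


def audit(passwd_text: str, shadow_text: str, departed: set, today: int) -> List[dict]:
    users, shadow = parse_passwd(passwd_text), parse_shadow(shadow_text)
    report = []
    for name, u in users.items():
        if u["uid"] < 1000 or u["shell"] in NOLOGIN_SHELLS:
            continue                              # system and service accounts: separate review
        s = shadow[name]
        state, findings = password_state(s["hash"]), []
        if state == "empty":
            findings.append("empty password")
        if name in departed and state == "active":
            findings.append("departed user can still log in")
        if name in departed and (s["expire"] is None or s["expire"] > today):
            findings.append("departed user has no account expiry (SSH keys would still work)")
        if today - s["lastchg"] > s["max"]:
            findings.append("password older than maximum age")
        report.append({"user": name, "state": state, "findings": findings})
    return report


if __name__ == "__main__":
    for row in audit(PASSWD, SHADOW, {"joer", "bsmith"}, today=19750):
        print(row)
```

The second finding is the caveat worth remembering: locking the password blocks password logins only. An authorized_keys file or an existing session still works, so for a departed user also expire the account (chage -E 0 joer), and when the account is no longer needed at all, remove it with userdel -r as in the bsmith question.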

Which TCP/IP utility gives the following output?

ping

Match the Network Access Protection (NAP) component on the left with its description on the right.

Generates a Statement of Health (SoH) that reports the client configuration for health requirements. -> NAP client
Runs the System Health Validator (SHV) program. -> NAP server
Is clients' connection point to the network. -> Enforcement server (ES)
Contains resources accessible to non-compliant computers on a limited-access network. -> Remediation server

Your Windows system is a member of a domain. Windows Update settings are being controlled through Group Policy. How can you determine whether a specific security update from Windows Update is installed on the computer?

Go to Programs and Features in Control Panel and select View installed updates (the same list is available from PowerShell with Get-HotFix).

A router periodically goes offline. Once it goes offline, you find that a simple reboot puts the router back online. After doing some research, you find that the MOST likely cause is a bug in the router software. A new patch is available from the manufacturer that is supposed to eliminate the problem. What should you do next?

Identify possible side effects of the solution.

A user reports that he can't connect to a specific website. You go to the user's computer and reproduce the problem. What should you do next?

Identify the affected areas of the network.

A user is unable to connect to the network. You investigate the problem and determine that the network adapter is defective. You replace the network adapter and verify that it works. What should you do next?

Identify the results and side effects of the solution.

Dan wants to implement reconnaissance countermeasures to help protect his DNS service. Which of the following actions should he take?

Install patches against known vulnerabilities and clean up out-of-date zones, files, users, and groups.

Which of the following statements about DSCP are true? (Select two.)

It uses the DiffServ field to add precedence values.
Classification occurs at Layer 3.

Which type of switch optimizes network performance by using ASIC to perform switching at wire speed?

Multilayer switch

Which of the following is a feature of MS-CHAPv2 that is not included in CHAP?

Mutual authentication

You are in the process of implementing a Network Access Protection (NAP) infrastructure to increase your network's security. You are currently configuring the remediation network that non-compliant clients will connect to in order to become compliant. The remediation network needs to be isolated from the secure network. Which technology should you implement to accomplish this task?

Network segmentation

With Wireshark, you've used a filter to capture only the desired packet types. Using the information shown in the image, which of the following BEST describes the effects of using the host 192.168.0.34 filter?

Only packets with 192.168.0.34 in either the source or destination address are captured.

Match the authentication factor types on the left with the appropriate authentication factor on the right. (You can use each authentication factor type more than once.)

PIN -> Something you know
Smart card -> Something you have
Password -> Something you know
Retina scan -> Something you are
Fingerprint scan -> Something you are
Hardware token -> Something you have
Voice recognition -> Something you are
Wi-Fi triangulation -> Somewhere you are
Typing behaviors -> Something you do

Which of the following is a mechanism for granting and validating certificates?

PKI

You manage a network that uses switches. In the lobby of your building are three RJ45 ports connected to a switch. You want to make sure that visitors cannot plug their computers in to the free network jacks and connect to the network, but you want employees who plug in to those same jacks to be able to connect to the network. Which feature should you configure?

Port authentication

You want to make sure that a set of servers will only accept traffic for specific network services. You have verified that the servers are only running the necessary services, but you also want to confirm from the network side which ports the servers actually accept packets on. Which tool should you use?

Port scanner

Which type of security uses MAC addresses to identify devices that are allowed or denied a connection to a switch?

Port security
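
Port security is the one feature on this page that appears twice (the SecureConfigured / SecureDynamic / SecureSticky matching earlier, and this definition). The following is an added example, not from the study guide, that models a secured switch port with those three address types, the maximum-address limit and the shutdown, restrict and protect violation modes, and generates Cisco-style configuration lines to show which address types survive a reload. The port names and MAC addresses are constructed; aging timers and the real CLI are outside the model.

```python
"""Model of switch port security (added example)."""
from typing import Dict, List


class SecurePort:
    def __init__(self, name, maximum=1, violation="shutdown", sticky=False):
        self.name, self.maximum, self.violation, self.sticky = name, maximum, violation, sticky
        self.secure: Dict[str, str] = {}   # mac -> SecureConfigured | SecureDynamic | SecureSticky
        self.err_disabled = False
        self.violations = 0

    def configure_mac(self, mac: str) -> None:
        """Operator-entered address: switchport port-security mac-address <mac>."""
        if mac not in self.secure and len(self.secure) >= self.maximum:
            raise ValueError("maximum secure addresses reached")
        self.secure[mac] = "SecureConfigured"

    def frame(self, src_mac: str) -> str:
        """Ingress frame; returns forward, drop or err-disabled."""
        if self.err_disabled:
            return "err-disabled"
        if src_mac in self.secure:
            return "forward"
        if len(self.secure) < self.maximum:          # room left: learn the address
            self.secure[src_mac] = "SecureSticky" if self.sticky else "SecureDynamic"
            return "forward"
        # Violation: an unknown source MAC beyond the configured maximum.
        if self.violation == "shutdown":
            self.err_disabled = True                  # port goes err-disabled; needs a manual reset
            return "err-disabled"
        if self.violation == "restrict":
            self.violations += 1                      # dropped, counted, syslog/SNMP trap
        return "drop"                                 # protect: dropped silently

    def running_config(self) -> List[str]:
        lines = [f"interface {self.name}", " switchport port-security",
                 f" switchport port-security maximum {self.maximum}",
                 f" switchport port-security violation {self.violation}"]
        if self.sticky:
            lines.append(" switchport port-security mac-address sticky")
        for mac, kind in self.secure.items():
            if kind == "SecureConfigured":
                lines.append(f" switchport port-security mac-address {mac}")
            elif kind == "SecureSticky":
                lines.append(f" switchport port-security mac-address sticky {mac}")
            # SecureDynamic entries live only in the address table, never in the config
        return lines

    def reload(self) -> None:
        """Reboot: only addresses present in the saved configuration come back."""
        self.secure = {m: k for m, k in self.secure.items() if k != "SecureDynamic"}
        self.err_disabled = False


def demo() -> dict:
    r = {}
    p = SecurePort("Gi0/5", maximum=2, violation="shutdown", sticky=True)
    r["first"] = p.frame("0011.2233.4455")            # learned, sticky
    r["second"] = p.frame("0011.2233.6677")           # learned, sticky
    r["third"] = p.frame("dead.beef.0001")            # third MAC: port shuts down
    r["known_after_shutdown"] = p.frame("0011.2233.4455")
    r["sticky_cfg"] = [l for l in p.running_config() if "sticky 0011" in l]
    q = SecurePort("Gi0/6", maximum=1, violation="restrict")
    q.frame("aaaa.bbbb.cccc")
    r["restrict"] = q.frame("aaaa.bbbb.dddd")          # dropped and counted, port stays up
    r["violations"] = q.violations
    r["dynamic_saved"] = any("mac-address aaaa" in l for l in q.running_config())
    q.reload()
    r["dynamic_after_reload"] = list(q.secure)
    s = SecurePort("Gi0/7", maximum=1)
    s.configure_mac("1234.5678.9abc")
    r["configured_blocks_other"] = s.frame("1234.5678.0000")
    return r


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The reload step is the practical difference between the address types: a dynamically learned address is forgotten at reboot and the first host to send a frame is re-learned, whereas sticky and configured addresses persist, which is what makes sticky learning a low-effort way to pin the lobby jacks in the earlier question to known machines.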

What is the purpose of using Ethernet bonding? (Select two.)

Provides a failover solution for network adapters.
Increases network performance.

Which of the following is a platform-independent authentication system that maintains a database of user accounts and passwords to centralize the maintenance of those accounts?

RADIUS

While working on a Linux server, you're unable to connect to the Windows Server system on the internet. You are able to ping the default gateway on your own network, so you suspect that the problem lies outside the local network. Which utility would you use to track the route a packet takes as it crosses the network?

traceroute

When troubleshooting network issues, it's important to carry out tasks in a specific order. Drag each troubleshooting task on the left to the correct step on the right.

Step 1 - Identify the problem.
Step 2 - Establish a theory of probable cause.
Step 3 - Test the theory to determine the cause.
Step 4 - Establish a plan of action.
Step 5 - Implement the solution or escalate.
Step 6 - Verify full system functionality.
Step 7 - Document findings, actions, and outcomes.

You are a network administrator for your company. A user calls and tells you that after stepping on the network cable in her office, she can no longer access the network. You go to the office and see that some of the wires in the Cat 5 network cable are now exposed. You make another cable and attach it from the wall plate to the user's computer. What should you do next in your troubleshooting strategy?

Test the solution.

With Kerberos authentication, which of the following terms describes the token that verifies the user's identity to the target system?

Ticket

You have just configured the password policy and set the minimum password age to 10. What is the effect of this configuration?

Users cannot change the password for 10 days.

You are the security analyst for a small corporate network. You want to find specific information about the packets being exchanged on your network using Wireshark. In this lab, your task is to: Use Wireshark to capture packets from the enp2s0 interface. Use a Wireshark filter to isolate and examine packets for:
All network traffic for 192.168.0.0. Answer Question 1.
All network traffic for the 192.168.0.45 host. Answer Question 2.
All IP traffic with a source address of 192.168.0.45. Answer Question 3.
All IP traffic with a destination address of 192.168.0.45. Answer Question 4.
All HTTP traffic on port 80. Answer Question 5.
All packets with an Ethernet MAC address containing 11:12:13. Answer Question 6.
All TCP packets that contain the word "password". Answer Question 7.

Question 1: What is the effect of the net 192.168.0.0 filter in Wireshark? - Only packets with either a source or destination address on the 192.168.0.x network are displayed.
Question 2: What is the effect of the host 192.168.0.45 filter in Wireshark? - Only packets with 192.168.0.45 in either the source or destination address are displayed.
Question 3: What is the effect of the ip.src==192.168.0.45 filter in Wireshark? - Only packets with 192.168.0.45 in the source address are displayed.
Question 4: What is the effect of the ip.dst==192.168.0.45 filter in Wireshark? - Only packets with 192.168.0.45 in the destination address are displayed.
Question 5: What is the effect of the tcp.port==80 filter in Wireshark? - Only packets with port 80 in either the source or destination port are displayed.
Question 6: What is the effect of the eth contains 11:12:13 filter in Wireshark? - Only packets with 11:12:13 in either the source or destination MAC address are displayed.
Question 7: What is the captured password? - hippophobia
Note: host and net are capture-filter (BPF) primitives, the same syntax tcpdump uses. In a real Wireshark display-filter bar the equivalents are ip.addr == 192.168.0.45 and ip.addr == 192.168.0.0/24; the ip.src, ip.dst, tcp.port, eth contains and tcp contains forms are display-filter syntax. The contains operator matches bytes case-sensitively, so "password" will not find "Password".
Complete this lab as follows:
1. Begin a Wireshark capture.
   a. From the Favorites bar, select Wireshark. Maximize the window for easier viewing.
   b. Under Capture, select enp2s0.
   c. Select the blue fin to begin a Wireshark capture.
2. Apply the net 192.168.0.0 filter.
   a. In the Apply a display filter field, type net 192.168.0.0 and press Enter.
   b. Look at the source and destination addresses of the filtered packets.
   c. Select the red square to stop the Wireshark capture.
   d. In the top right, select Answer Questions and answer Question 1.
3. Apply the host 192.168.0.45 filter.
   a. Select the blue fin to begin a new Wireshark capture.
   b. In the Apply a display filter field, type host 192.168.0.45 and press Enter.
   c. Look at the source and destination addresses of the filtered packets and answer Question 2.
4. Apply the ip.src==192.168.0.45 filter.
   a. In the Apply a display filter field, type ip.src==192.168.0.45 and press Enter.
   b. Look at the source and destination addresses of the filtered packets and answer Question 3.
5. Apply the ip.dst==192.168.0.45 filter.
   a. In the Apply a display filter field, type ip.dst==192.168.0.45 and press Enter.
   b. Look at the source and destination addresses of the filtered packets and answer Question 4.
6. Apply the tcp.port==80 filter.
   a. In the Apply a display filter field, type tcp.port==80 and press Enter.
   b. Look in the Info column of the filtered packets and answer Question 5.
7. Apply the eth contains 11:12:13 filter.
   a. In the Apply a display filter field, type eth contains 11:12:13 and press Enter.
   b. Look at the source and destination addresses of the filtered packets and answer Question 6.
8. Apply the tcp contains password filter.
   a. In the Apply a display filter field, type tcp contains password and press Enter.
   b. Select the red square to stop the Wireshark capture.
   c. From the bottom pane, locate the password and answer Question 7.
   d. Select Score Lab.
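
The lab above, the host 192.168.0.34 question and the tcp contains Invoice question all turn on what each filter actually selects. The following is an added example, not from the study guide, that applies those filters to a constructed set of packets so the effect of each one can be checked against known input. The packet records and their field names are an assumption modelled on Wireshark's eth.*, ip.* and tcp.* fields; the capture, the hosts and the credential in it are constructed, not a real trace.

```python
"""Capture- and display-filter matcher over constructed packets (added example)."""
import ipaddress
import re
from typing import Dict, List

CLIENT, GW, SRV, OTHER = "00:11:12:13:00:01", "00:aa:bb:cc:00:01", "00:aa:bb:cc:00:10", "00:11:12:13:00:02"


def pkt(pid, esrc, edst, isrc, idst, sport, dport, payload):
    return {"id": pid, "eth.src": esrc, "eth.dst": edst, "ip.src": isrc, "ip.dst": idst,
            "tcp.srcport": sport, "tcp.dstport": dport, "payload": payload}


# Constructed capture: a client at 192.168.0.45 (MAC CLIENT) talking to the
# internet, an internal server and a second internal host.
CAPTURE = [
    pkt(1, CLIENT, GW, "192.168.0.45", "93.184.216.34", 51000, 80, b"GET / HTTP/1.1\r\nHost: example.com\r\n"),
    pkt(2, GW, CLIENT, "93.184.216.34", "192.168.0.45", 80, 51000, b"HTTP/1.1 200 OK\r\n"),
    pkt(3, CLIENT, SRV, "192.168.0.45", "192.168.0.10", 51001, 80, b"POST /login HTTP/1.1\r\n\r\nuser=bob&password=hippophobia"),
    pkt(4, SRV, CLIENT, "192.168.0.10", "192.168.0.45", 8080, 52000, b"Invoice 1001: remit payment to ACME, Inc"),
    pkt(5, "00:de:ad:be:ef:05", GW, "10.0.0.7", "192.168.1.20", 40000, 22, b"SSH-2.0-OpenSSH_9.6"),
    pkt(6, OTHER, SRV, "192.168.0.99", "192.168.0.10", 40001, 443, b"\x16\x03\x01"),
]


def _network(spec: str):
    if "/" in spec:
        return ipaddress.ip_network(spec, strict=False)
    first = int(spec.split(".")[0])   # BPF 'net' without a mask falls back to the classful length
    bits = 8 if first < 128 else 16 if first < 192 else 24
    return ipaddress.ip_network(f"{spec}/{bits}", strict=False)


def matches(p: Dict, expr: str) -> bool:
    tok = expr.split()
    if tok and tok[0] == "host":                      # capture-filter (BPF) primitives
        return tok[1] in (p["ip.src"], p["ip.dst"])
    if tok and tok[0] == "net":
        net = _network(tok[1])
        return any(ipaddress.ip_address(p[k]) in net for k in ("ip.src", "ip.dst"))
    if len(tok) == 3 and tok[1] == "contains":       # display-filter byte-substring match
        if tok[0] == "tcp":
            return tok[2].encode() in p["payload"]
        if tok[0] == "eth":
            return any(tok[2].lower() in p[k] for k in ("eth.src", "eth.dst"))
    field, op, value = expr.replace(" ", "").partition("==")   # display-filter comparison
    if op and field == "ip.addr":
        return matches(p, f"net {value}") if "/" in value else value in (p["ip.src"], p["ip.dst"])
    if op and field in ("ip.src", "ip.dst"):
        return p[field] == value
    if op and field == "tcp.port":
        return int(value) in (p["tcp.srcport"], p["tcp.dstport"])
    raise ValueError(f"unsupported filter: {expr}")


def apply_filter(expr: str, packets=CAPTURE) -> List[int]:
    """IDs of the packets the filter keeps."""
    return [p["id"] for p in packets if matches(p, expr)]


def captured_password(packets=CAPTURE):
    """What the lab's last step does by eye: read the credential out of the matching payload."""
    for p in packets:
        if matches(p, "tcp contains password"):
            m = re.search(rb"password=([^&\s]+)", p["payload"])
            if m:
                return m.group(1).decode()
    return None


if __name__ == "__main__":
    for f in ("net 192.168.0.0", "host 192.168.0.45", "ip.src==192.168.0.45",
              "ip.dst == 192.168.0.45", "tcp.port==80", "eth contains 11:12:13",
              "tcp contains password", "tcp contains Invoice"):
        print(f"{f:28s} -> {apply_filter(f)}")
    print("captured password:", captured_password())
```

Packet 6 shows why eth contains is broader than host: it matches the 11:12:13 bytes in a second host's MAC, so the filter selects by address pattern, not by a single machine. The same BPF primitives drive tcpdump, so tcpdump -X port 443 from the first question on this page and host / net here are one filter language, while everything with a dotted field name is Wireshark's display-filter language.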

Pascal Bullock (pbullock) forgot her password and needs access to the resources on her computer. You are logged on as Sydney Hoffer. The password for the root account is P@ssw0rd (use a zero). In this lab, your task is to: Find Sydney Hoffer's username. Change the password for the pbullock user account to 1234asdf. Make sure the password is encrypted in the shadow file. Answer the question.

What is your username? shoffer
Complete this lab as follows:
1. Find your username.
   a. From the Favorites bar, select Terminal.
   b. Type whoami at the prompt and press Enter.
   c. From the top right, select Answer Questions and answer the question.
2. Change Pascal Bullock's password.
   a. At the prompt, type su -c "passwd pbullock" and press Enter.
   b. Type P@ssw0rd (the password for the root user) and press Enter.
   c. At the New password prompt, type 1234asdf and press Enter. This is the new password for the pbullock user account.
   d. At the Retype new password prompt, type 1234asdf and press Enter.
   e. Select Score Lab.
passwd writes the new password to /etc/shadow as a salted hash; it is never stored in clear text, so no extra step is needed to have it "encrypted" in the shadow file.

While deploying Windows updates, when would you use the critical update ring?

When deploying updates to important systems (only after the update has been vetted).

When deploying Windows updates, when would you use the preview update ring?

When deploying updates to users that want to stay on top of changes.

You are the IT security administrator for a small corporate network. You have had problems with users installing remote access services, like Remote Desktop Services and VNC Server. You need to find, stop, and disable these services on all computers running them. In this lab, your task is to: Use Zenmap to run a scan on the 192.168.0.0/24 network to look for the following open ports: Port 3389 - Remote Desktop Services (TermServices). Port 5900 - VNC Server (vncserver). Answer Questions 1 and 2. Disable and stop the services for the open ports found running on the applicable computers.Use the following table to identify the computers:

Which computers have port 3389 open? Office2
Which computers have port 5900 open? ITAdmin
Complete this lab as follows:
1. Using Zenmap, scan the network for open remote access ports.
   a. From the Favorites bar, select Zenmap. Maximize the window for better viewing.
   b. In the Command field, enter nmap -p [port number] 192.168.0.0/24 (for example nmap -p 3389 192.168.0.0/24; nmap -p 3389,5900 192.168.0.0/24 checks both ports in one pass).
   c. Select Scan (or press Enter) to scan the subnet for the given port.
   d. Using the table in the scenario, identify the computer(s) with the open port from the IP address found.
   e. From the top right, select Answer Questions and answer Question 1.
   f. Repeat steps 1b-1e for port 5900 and answer Question 2.
2. For each computer that has a remote access service port open, disable and then stop the service.
   a. From the top left, select Floor 1 Overview.
   b. Select the computer with the open port. If needed, minimize or move the Lab Questions dialog.
   c. Right-click Start and select Computer Management.
   d. From the left pane, expand and select Services and Applications > Services. Maximize the window for better viewing.
   e. Double-click the service (Remote Desktop Services or VNC Server) that needs to be stopped.
   f. Using the Startup type drop-down menu, select Disabled.
   g. Under Service status, select Stop.
   h. Select OK.
   i. Repeat steps 2a-2h for the other computer.
3. From the top right, select Answer Questions, then select Score Lab.

Windows Update for Business (WUfB) lets you keep your devices current with the latest security upgrades and features. Which operating system releases does WUfB support?

Windows 10 (and, on current releases, Windows 11). The Home edition is not supported.

Which of the following tools can you use to troubleshoot and validate Windows updates? (Select three.)

Windows Update Troubleshooter
Windows Server Update Services (WSUS)
PowerShell

Which of the following are true about Windows Update for Business? (Select three.)

Windows Update for Business works with all editions of Windows 10 except Windows 10 Home.
Windows Update for Business provides the latest features for your Windows 10 devices, including security upgrades.
Windows Update for Business can be configured with Group Policy, Mobile Device Management, or System Center Configuration Manager.

Which of the following tools would you use to view the MAC addresses associated with IP addresses that the local workstation has contacted recently?

arp

You are troubleshooting a connectivity problem on a Linux server. You're able to connect to another system on the local network but not to a server on a remote network. You suspect that the default gateway information for the system may be configured incorrectly. Which of the following commands would you use to view the default gateway information on the Linux server?

route (or ip route, or netstat -r). ifconfig shows only an interface's own address, mask and broadcast address; the default gateway lives in the routing table, which route, ip route and netstat -r display.

