L8, L9, and L10


What security benefits are provided by enabling DHCP snooping or DHCP sniffing on switches in your network?

- Collection of information about DHCP bindings
- Prevention of malicious or malformed DHCP traffic
- Prevention of rogue DHCP servers

Dynamic Host Configuration Protocol (DHCP) sniffing or snooping can be enabled to prevent rogue DHCP servers as well as malicious or malformed DHCP traffic. It also allows the capture and collection of DHCP binding information to let network administrators know who is assigned what IP address.

What channels do not cause issues with channel overlap or overlap in U.S. installations of 2.4 GHz Wi-Fi networks?

1, 6, & 11 - The three channels that do not overlap are 1, 6, and 11. The rest of the channels will overlap. In an ideal installation, these three channels can be used to maximize throughput and minimize interference.

A network administrator is setting up wireless access points in all the conference rooms and wants to authenticate devices using PKI. Which of the following should the administrator configure?

802.1X Explanation: - As an alternative to personal authentication, the enterprise authentication method implements IEEE 802.1X to use an Extensible Authentication Protocol (EAP) mechanism. EAP-TLS is one of the strongest types of authentication and is very widely supported. An encrypted Transport Layer Security (TLS) tunnel is established between the supplicant and authentication server using public key certificates on the authentication server and supplicant. As both supplicant and server are configured with certificates, this provides mutual authentication. The supplicant will typically provide a certificate using a smart card or a certificate could be installed on the client device, possibly in a Trusted Platform Module (TPM).

A company uses wireless for all laptops and keeps a very detailed record of its assets, along with a comprehensive list of devices that are authorized to be on the wireless network. The Chief Information Officer (CIO) is concerned about a script kiddie potentially using an unauthorized device to brute force the wireless PSK and obtain access to the internal network. Which of the following should the company implement to BEST prevent this from occurring?

802.1x with EAPoW - As an alternative to personal authentication, the enterprise authentication method implements IEEE 802.1X to use an Extensible Authentication Protocol (EAP) mechanism. 802.1X defines the use of EAP over Wireless (EAPoW) to allow an access point to forward authentication data without allowing any other type of network access. It is configured by selecting WPA2-Enterprise or WPA3-Enterprise as the security method on the access point. With enterprise authentication, when a wireless station requests an association, the WAP enables the channel for EAPoW traffic only. It passes the credentials of the supplicant to an AAA (RADIUS or TACACS+) server on the wired network for validation. When the supplicant has been authenticated, the AAA server transmits a master key (MK) to the supplicant. The supplicant and authentication server then derive the same pairwise master key (PMK) from the MK. The AAA server transmits the PMK to the access point. The wireless station and access point use the PMK to derive session keys, using either the WPA2 4-way handshake or WPA3 SAE methods.

An organization needs to implement more stringent controls over administrator/root credentials and service accounts. Requirements for the project include:

- Check-in/checkout of credentials
- The ability to use but not know the password
- Automated password changes
- Logging of access to credentials

Which of the following solutions would meet the requirements?

A privileged access management system

A security analyst is investigating an incident that was first reported as an issue connecting to network shares and the Internet. While reviewing logs and tool output, the analyst sees the following (figure not reproduced: a table of IP address to physical address mappings). Which of the following attacks has occurred?

ARP poisoning Explanation: - Look at the .116 host. Note its MAC address. - ARP poisoning (ARP spoofing) A network-based attack where an attacker with access to the target local network segment redirects an IP address to the MAC address of a computer that is not the intended recipient. This can be used to perform a variety of attacks, including DoS, spoofing, and Man-in-the-Middle.

Nina wants to use information about her users like their birth dates, addresses, and job titles as part of her identity management system. What term is used to describe this type of information?

Attributes - Identity attributes are characteristics of an identity, including details like the individual's birth date, age, job title, address, or a multitude of other details about the identity. They are used to differentiate the identity from others and may also be used by the identity management system or connected systems in coordination with the identity itself. Roles describe the job or position an individual has in an organization, and factors are something you know, something you have, or something you are. Identifiers are not a common security or authentication term, although identity is.

Josh is looking for an authentication protocol that would be effective at stopping session hijacking. Which of the following would be his best choice?

CHAP - Challenge Handshake Authentication Protocol (CHAP) was designed specifically for this purpose. It periodically reauthenticates, thus preventing session hijacking. Neither Password Authentication Protocol (PAP) nor TACACS+ prevents session hijacking, and RADIUS is a protocol for remote access, not authentication.

Drew has implemented an AI-based network traffic analysis tool that requires him to allow the tool to monitor his network for a period of two weeks before being put into full production. What is the most significant concern he needs to address before using the AI's baselining capabilities?

Compromised or otherwise malicious machines could be added to the baseline resulting in tainted training data. Explanation: - Training an artificial intelligence (AI) or machine learning (ML) system with tainted data is a significant concern. Drew needs to ensure that the traffic on his network is typical and nonmalicious to ensure that the AI does not presume that malicious traffic is normal for his network.

A recently discovered zero-day exploit utilizes an unknown vulnerability in the SMB network protocol and allows an external attacker the ability to rapidly infect computers. Once infected, computers are encrypted and held for ransom. Which of the following would BEST prevent this attack from reoccurring?

Configure the perimeter firewall to deny inbound external connections to SMB ports. Explanation: - This question is basically asking what companies should have done in 2017 before the NotPetya attack launched. In this question, the vulnerability is externally exploited by attackers; to prevent the attack, block external SMB requests over ports 135-139 (older versions of SMB that use NetBIOS, also used by network printers) and definitely port 445 (newer versions of Windows after Windows 2000). It has been unsafe to expose ports 135-139 & 445 to the Internet for at least a decade, but NotPetya happened anyway. None of the other answer choices will prevent a new zero-day attack against this vector (SMB) from affecting your network.

During an incident, a company's CIRT determines it is necessary to observe the continued network-based transactions between a callback domain and the malware running on an enterprise PC. Which of the following techniques would be BEST to enable this activity while reducing the risk of lateral spread and the risk that the adversary would notice any changes?

Create and apply microsegmentation rules. Explanation: - Microsegmentation is a security process that is capable of applying policies to a single node, as though it was in a security zone of its own. None of the other choices allow continued observation of the attack.

You're designing a new network infrastructure so that your company can allow unauthenticated users connecting from the Internet to access certain areas. Your goal is to protect the internal network while providing access to those areas. You decide to put the web server on a separate subnet open to public contact. What is this subnet called?

DMZ - A demilitarized zone (DMZ) is a separate subnet coming off the separate router interface. Public traffic may be allowed to pass from the external public interface to the DMZ, but it won't be allowed to pass to the interface that connects to the internal private network. A guest network provides visitors with Internet access. An intranet consists of internal web resources. Frequently companies put up web pages that are accessible only from within the network for items like human resources notifications, vacation requests, and so forth. A virtual LAN, or VLAN, is used to segment your internal network.

An organization blocks user access to command-line interpreters, but hackers still managed to invoke the interpreters using native administrative tools. Which of the following should the security team do to prevent this from happening in the future?

Disable the built-in OS utilities as long as they are not needed for functionality. - The organization wants to prevent the future use of CLI tools by attackers. Blocking SMB ports will not do this; neither will triggering a SIEM alert. Additionally, AV inspects file execution and content, not kernel/OS-level code that is already installed, so you will not be able to use AV to "quarantine" something that is already included in the system build. The main thing that can be done is to disable the built-in CLI tools at the OS level. Note, this will significantly hamper legitimate admin and user activity, but it is the only solution here that works.

Drew is building a wireless network and wants to implement an Extensible Authentication Protocol (EAP)-based protocol for authentication. What EAP version should she use if she wants to prioritize reconnection speed and doesn't want to deploy client certificates for authentication?

EAP-FAST - EAP-FAST is specifically designed for organizations that want to quickly complete reconnections and does not require certificates to be installed at the endpoint device. EAP Tunneled Transport Layer Security (EAP-TTLS) requires client-side certificates; EAP-TLS requires mutual authentication, which can be slower; and Protected Extensible Authentication Protocol (PEAP) is similar to EAP-TTLS.

Drew wants to ensure that session persistence is maintained by her load balancer. What is she attempting to do?

Ensure that all of a client's requests go to the same server for the duration of a given session or transaction. - Session persistence makes sure that all of a client's traffic for a transaction or session goes to the same server or service. The remaining options do not properly describe how session persistence works.

Casey is considering implementing password key devices for her organization. She wants to use a broadly adopted open standard for authentication and needs her keys to support that. Which of the following standards should she look for her keys to implement, in addition to being able to connect via USB, Bluetooth, and NFC?

FIDO - Only FIDO U2F, an open standard provided by the Fast IDentity Online Alliance, is a standard for security keys. - Other standards that you may encounter include OTP (One Time Password), SmartCard, OATH-HOTP, and OpenPGP. Of note, OATH, the Initiative for Open Authentication, provides standards for both HMAC-based one-time passwords (HOTP) and time-based one-time passwords (TOTP). SAML (Security Assertion Markup Language) and OpenID are both used in authentication processes but not for security keys.

Drew is implementing a load-balanced web application cluster. Her organization already has a redundant pair of load balancers, but each unit is not rated to handle the maximum designed throughput of the cluster by itself. She has recommended that the load balancers be implemented in an active/active design. What concern should she raise as part of this recommendation?

If one of the load balancers fails, it could lead to service degradation. - Drew should make her organization aware that a failure in one of the active nodes would result in less maximum throughput and a potential for service degradation. Since services are rarely run at maximum capacity, and many can have maintenance windows scheduled, this does not mean that the load balancers cannot be patched. There is nothing in this design that makes the load balancers more vulnerable to denial of service than they would be under any other design.

Drew, a user at a company, clicked an email link that led to a website that infected his workstation. He was connected to the network, and the virus spread to the network shares. The protective measures failed to stop this virus, and it has continued to evade detection. Which of the following should a security administrator implement to protect the environment from this malware?

Implement a heuristic behavior-detection solution. Explanation: - In this case, the existing defenses (such as definition-based AV and IDS/IPS) did not / possibly will not stop the virus. We need something that looks at the behavior of the malware. Behavioral-based detection means that the engine is trained to recognize baseline "normal" traffic or events. Anything that deviates from this baseline (outside a defined level of tolerance) generates an incident. The idea is that the software will be able to identify zero-day attacks, insider threats, and other malicious activity for which there is no single signature. Historically, this type of detection was provided by network behavior and anomaly detection (NBAD) products. An NBAD engine uses heuristics (meaning to learn from experience) to generate a statistical model of what baseline normal traffic looks like.

Drew's organization uses a NAT gateway at its network edge. What security benefit does a NAT gateway provide?

It allows systems to connect to another network without being directly exposed to it. Explanation: - Network address translation (NAT) gateways allow internal IP addresses to be hidden from the outside, preventing direct connections to systems behind them. This effectively firewalls inbound traffic unless the gateway is set to pass traffic to an internal host when a specific IP, port, and protocol is used. They are not a firewall in the traditional sense, however, and do not specifically statefully block traffic by port and protocol, nor do they detect malicious traffic. Finally, NAT gateways are not used to send non-IP traffic out to IP networks.

Drew wants to implement EAP-based protocols for his wireless authentication and wants to ensure that he uses only versions that support Transport Layer Security (TLS). Which of the following EAP-based protocols does not support TLS?

LEAP - Of these versions of Extensible Authentication Protocol (EAP), only Lightweight Extensible Authentication Protocol (LEAP) does not support TLS. EAP Tunneled Transport Layer Security (EAP-TTLS) actually extends TLS, but supports the underlying protocol. Protected Extensible Authentication Protocol (PEAP) encapsulates EAP within an encrypted TLS tunnel.

An organization regularly scans its infrastructure for missing security patches but is concerned about hackers gaining access to the scanner's account. Which of the following would be BEST to minimize this risk while ensuring the scans are useful?

Log and alert on unusual scanner account logon times.

A security analyst needs to make a recommendation for restricting access to certain segments of the network using only data-link layer security. Which of the following controls will the analyst MOST likely recommend?

MAC - MAC filtering can be used to prevent unauthorized MAC-addressed hosts from accessing the network. This is not a bad security mechanism, but it is also not very robust, because there are ways to find out the MAC address of legitimate clients and then spoof the MAC address. ACLs are usually associated with routers (layer 3) and with firewalls and application security devices (layers 3-7). BPDU guard (Bridge Protocol Data Unit guard) is a switch port security feature that disables the port if it receives BPDU notifications related to spanning tree. This is configured on access ports, where any BPDU frames are likely to be malicious. BPDU guards are set for network performance much more than for this edge case of security. Finally, ARP is a protocol that allows sharing of layer 2 & 3 addressing information and is part of every network; it is not related to setting security, but it can be abused by attackers (ARP poisoning).

A company processes highly sensitive data and senior management wants to protect the sensitive data by utilizing classification labels. Which of the following access control schemes would be BEST for the company to implement?

MAC - Mandatory access control (MAC) is based on the idea of security clearance levels. Rather than defining ACLs on resources, each object and each subject is granted a clearance level, referred to as a label.

A security administrator checks the table of a network switch, which shows the following output (figure not reproduced: MAC address table entries for port GE0/5). What attack has likely occurred?

MAC flooding - The picture shows numerous different hosts reporting to the switch that each is associated with port GE0/5. The point of this attack is to fill up the switching table in the switch, which will exhaust the switch's memory and subsequently make the switch act like a hub, broadcasting all message traffic on the switch to all ports. Attackers can use this to conduct reconnaissance by capturing all traffic distributed over the switch.

Drew is designing the physical layout for her wireless access point (WAP) placement in her organization. Which of the following items is not a common concern when designing a WAP layout?

Maximizing coverage overlap - Maximizing coverage overlap would cause greater contention between access points. Instead, installations should minimize overlap without leaving dead spots in important areas. Performing a site survey, controlling power levels and adjusting them to minimize contention, and designing around the construction materials of a building are all important parts of designing the physical layout and placement of WAPs. Fortunately, modern enterprise wireless networks have advanced intelligent features that help do many of these things somewhat automatically.

A network administrator has been asked to design a solution to improve a company's security posture. The administrator is given the following requirements:

- The solution must be inline in the network.
- The solution must be able to block known malicious traffic.
- The solution must be able to stop network-based attacks.

Which of the following should the network administrator implement to BEST meet these requirements?

NIPS Explanation: - This question comes down to knowing the difference between an IDS & IPS and between host-based and network-based systems. First, the device must take action (IPS), and it must do it at the network level; therefore, a NIPS.

You work for a social media website. You wish to integrate your users' accounts with other web resources. To do so, you need to allow authentication to be used across different domains, without exposing your users' passwords to these other services. Which of the following would be most helpful in accomplishing this goal?

OAuth - OAuth is explicitly designed to authorize claims and not to authenticate users. The implementation details for fields and attributes within tokens are not defined. There is no mechanism to validate that a user who initiated an authorization request is still logged on and present.

A cybersecurity analyst needs to implement secure authentication to third-party websites without users' passwords. Which of the following would be the BEST way to achieve this objective?

OAuth - OAuth is explicitly designed to authorize claims and not to authenticate users. The implementation details for fields and attributes within tokens are not defined. There is no mechanism to validate that a user who initiated an authorization request is still logged on and present. The access token, once granted, has no authenticating information. OpenID Connect (OIDC) is an authentication protocol that can be implemented as special types of OAuth flows with precisely defined token fields.

You have been asked to find an authentication service that is handled by a third party. The service should allow users to access multiple websites, as long as they support the third-party authentication service. What would be your best choice?

OpenID - OpenID is an authentication service often done by a third party, and it can be used to sign into any website that accepts OpenID. Kerberos is a network authentication protocol for use within a domain. New Technology LAN Manager (NTLM) is an older Windows authentication protocol. Shibboleth is a single sign-on system, but it works with federated systems.

Drew is preparing to implement an 802.1X-enabled wireless infrastructure. He knows that he wants to use an Extensible Authentication Protocol (EAP)-based protocol that does not require client-side certificates. Which of the following options should he choose?

PEAP - The option that best meets the needs described above is PEAP, the Protected Extensible Authentication Protocol. PEAP relies on server-side certificates and relies on tunneling to ensure communications security. EAP-MD5 is not recommended for wireless networks and does not support mutual authentication of the wireless client and network. LEAP, the Lightweight Extensible Authentication Protocol, uses WEP keys for its encryption and is not recommended due to security issues. Finally, EAP-TLS, or EAP Transport Layer Security, requires certificates on both the client and server, consuming more management overhead.

Drew wants to allow users from other organizations to log in to her wireless network. What technology would allow her to do this using their own home organization's credentials?

RADIUS federation - Federating RADIUS allows organizations to permit users from other partner organizations to authenticate against their home systems, and then be allowed on to the local organization's network. An example of this is the eduroam federation used by higher education institutions to permit students, faculty, and staff to use college networks anywhere they go where eduroam is in place. Preshared keys are determined by the location organization and would not permit enterprise credentials from other organizations to be used. OpenID is used for web authentication, and 802.11q is a trunking protocol.

The following figure shows a proxy in use. In this usage model, the proxy receives a connection request, and then connects to the server and forwards the original request. What type of proxy is this?

Reverse proxy Explanation: - This diagram shows a reverse proxy. A reverse proxy takes connections from the outside world and sends them to an internal server. A forward proxy takes internal connections and sends them to external servers. Round-robin and next-generation proxies are not types of proxies, although round-robin is a form of load balancing.

Fred is building a web application that will receive information from a service provider. What open standard should he design his application to use to work with many modern third-party identity providers?

SAML - SAML, the Security Assertion Markup Language, is used by many identity providers to exchange authorization and authentication data with service providers. Kerberos and LDAP (Lightweight Directory Access Protocol) are used inside many organizations, but Fred will find more success with SAML for popular web services. New Technology LAN Manager (NTLM) remains in use for Windows systems, but Kerberos is more commonly used for modern Windows domains and would not be used in the scenario described here.

The Chief Security Officer (CSO) at a major hospital wants to implement SSO to help improve security in the environment and protect patient data, particularly at shared terminals. The Chief Risk Officer (CRO) is concerned that training and guidance have not been provided to frontline staff, and a risk analysis has not been performed. Which of the following is the MOST likely cause of the CRO's concerns?

SSO would reduce the resilience and availability of systems if the identity provider goes offline. - A single sign-on (SSO) system allows the user to authenticate once to a local device and be authenticated to compatible application servers without having to enter credentials again. In Windows, SSO is provided by the Kerberos framework.

The CSIRT is reviewing the lessons learned from a recent incident. A worm was able to spread unhindered throughout the network and infect a large number of computers and servers. Which of the following recommendations would be BEST to mitigate the impacts of a similar incident in the future?

Segment the network with firewalls. - The key part of the question is to mitigate the impacts of a similar incident if/when it occurs in the future. Therefore, the goal is to prevent the worm from spreading unfettered through the network, and the only mechanism offered to do that is to ensure you have good network segmentation. - Given the ability to create segregated segments within the network, you can begin to define a topology of different network zones. A topology is a description of how a computer network is physically or logically organized. The logical and physical network topology should be analyzed to identify points of vulnerability and to ensure that the goals of confidentiality, integrity, and availability are met by the design. The main building block of a security topology is the zone. A zone is an area of the network where the security configuration is the same for all hosts within it. Zones should be segregated from one another by physical and/or logical segmentation, using VLANs and subnets. Traffic between zones should be strictly controlled using a security device, typically a firewall.

Drew is concerned about the security of his company's web application. Since the application processes confidential data, he is most concerned about data exposure. Which of the following would be the most important for him to implement?

TLS - The correct answer is to encrypt all the web traffic to this application using Transport Layer Security (TLS). This is one of the most fundamental security steps to take with any website. A web application firewall (WAF) is probably a good idea, but it is not the most important thing for Drew to implement. While a network-based intrusion prevention system (IPS) or intrusion detection system (IDS) may be a good idea, those should be considered after TLS is configured.

Drew uses a wireless analyzer to perform a site survey of his organization. Which of the following is not a common feature of a wireless analyzer's ability to provide information about the wireless networks around it?

The ability to show the version of the RADIUS server used for authentication - Although wireless analyzers provide in-depth information about Service Set Identifiers (SSIDs), signal strength, and protocol versions, the Remote Authentication Dial-In User Service (RADIUS) or Kerberos version number for the backend authentication servers is not something that they will typically be able to provide.

Drew wants to gain admission to a network which is protected by a network access control (NAC) system that recognized the hardware address of systems. How can he bypass this protection?

Use MAC cloning to clone a legitimate MAC address. Explanation: - Drew can clone a legitimate Media Access Control (MAC) address if he can identify one on the network. This can be as easy as checking for a MAC label on some devices or by capturing traffic on the network if he can physically access it.

Which wireless standard uses CCMP to provide encryption for network traffic?

WPA2 - WPA2 uses the AES-based CCMP, or Counter Mode with Cipher Block Chaining Message Authentication Code (CBC-MAC) Protocol, to encapsulate traffic, providing confidentiality. WPA3 also uses CCMP as the minimum acceptable encryption in WPA3-Personal mode. WEP, infrared, and Bluetooth do not use CCMP.

You're outlining your plans for implementing a wireless network to upper management. What wireless security standard should you adopt if you don't want to use enterprise authentication but want to provide secure authentication for users that doesn't require a shared password or passphrase?

WPA3 - WPA3 supports SAE, or simultaneous authentication of equals, providing a more secure way to authenticate that limits the potential for brute-force attacks and allows individuals to use different passwords. WPA is not as secure as WPA2, and WEP is the oldest, and least secure, wireless security protocol.

A company's Chief Information Officer (CIO) is meeting with the Chief Information Security Officer (CISO) to plan some activities to enhance the skill levels of the company's developers. Which of the following would be MOST suitable for training the developers?

a CTF competition - Capture the Flag (CTF) is usually used in ethical hacker training programs and gamified competitions. Participants must complete a series of challenges within a virtualized computing environment to discover a flag. The flag will represent either threat actor activity (for blue team exercises) or a vulnerability (for red team exercises) and the participant must use analysis and appropriate tools to discover it. Capturing the flag allows the user to progress to the next level and start a new challenge.

A security engineer is installing a WAF to protect the company's website from malicious web requests over SSL. Which of the following is needed to meet the objective?

a decryption certificate Explanation: - Since the malicious web requests being sent to the web server are encrypted using SSL/TLS, the WAF needs to legitimately intercept the encrypted traffic, decrypt it with a valid certificate, and inspect the traffic for malicious content before forwarding legitimate content to the web server.

Drew needs to securely connect to a DMZ from an administrative network using Secure Shell (SSH). What type of system is frequently deployed to allow this to be done securely across security boundaries for network segments with different security levels?

a jump box Explanation: - Jump boxes are a common solution for providing access to a network with a different security profile. In this case, Drew can deploy a jump box in the demilitarized zone (DMZ) to allow users within his administrative zone to perform tasks without directly connecting to the world-exposed DMZ. This helps keep administrative systems secure and allows him to focus on the security of the jump box, while also making it easier to monitor and maintain. An intrusion prevention system (IPS) is used to monitor and block unwanted traffic, but isn't used for remote access. A NAT gateway performs network address translation and is placed between networks, but it is not typically used to provide secure connections between networks. Instead, it serves to reduce the number of public IP addresses used and to provide some limited security for systems behind it. Routers are used to connect networks but are not used to provide secure access as described in the question.

Magnus is concerned about someone using a password cracker on computers in his company. He is concerned that crackers will attempt common passwords in order to log in to a system. Which of the following would be best for mitigating this threat?

account lockout policies - Accounts should lock out after a small number of failed login attempts; three to five is common. This stops an attacker from simply trying common passwords one after another. The lockout should expire automatically (or be cleared by the help desk), because an attacker who knows valid usernames can otherwise lock out every account on purpose. Password aging forces users to change their passwords but does not affect password guessing. Longer passwords are harder to guess but are not as effective as account lockout against this specific threat. Account usage auditing has no effect on the issue.
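The following Python is an added example, not code from the study set: it implements the lockout policy described above with a failure window and an automatic unlock time, so that a burst of common-password guesses locks the account while a deliberate lockout cannot last forever. The threshold, window and lockout values are assumptions chosen for the illustration.

```python
import time
from collections import defaultdict

# Illustrative policy values (assumptions, not from the page).
MAX_ATTEMPTS = 3           # failures before lockout
WINDOW_SECONDS = 15 * 60   # failures are only counted within this window
LOCKOUT_SECONDS = 30 * 60  # how long the account stays locked


class LockoutPolicy:
    """Tracks failed logins per account and enforces a lockout.

    Counting failures inside a sliding window and unlocking automatically after
    LOCKOUT_SECONDS limits the denial of service an attacker could cause by
    deliberately locking accounts."""

    def __init__(self, max_attempts=MAX_ATTEMPTS, window=WINDOW_SECONDS,
                 lockout=LOCKOUT_SECONDS):
        self.max_attempts = max_attempts
        self.window = window
        self.lockout = lockout
        self._failures = defaultdict(list)  # account -> [failure timestamps]
        self._locked_until = {}             # account -> unlock time

    def is_locked(self, account, now=None):
        now = time.time() if now is None else now
        until = self._locked_until.get(account)
        if until is None:
            return False
        if now >= until:
            # Lockout expired: clear state so the user can try again.
            del self._locked_until[account]
            self._failures.pop(account, None)
            return False
        return True

    def record_failure(self, account, now=None):
        """Register a failed attempt; returns True if the account is now locked."""
        now = time.time() if now is None else now
        if self.is_locked(account, now):
            return True
        recent = [t for t in self._failures[account] if now - t < self.window]
        recent.append(now)
        self._failures[account] = recent
        if len(recent) >= self.max_attempts:
            self._locked_until[account] = now + self.lockout
            return True
        return False

    def record_success(self, account):
        """A successful login resets the failure counter."""
        self._failures.pop(account, None)


def attempt_login(policy, account, password, real_password, now):
    """Simulated authentication gate. Returns 'ok', 'denied' or 'locked'."""
    if policy.is_locked(account, now):
        return "locked"                # refuse before even checking the password
    if password == real_password:      # stand-in for a real credential check
        policy.record_success(account)
        return "ok"
    policy.record_failure(account, now)
    return "locked" if policy.is_locked(account, now) else "denied"


def simulate():
    """Three common-password guesses lock the account; the correct password is
    then refused until the lockout expires."""
    policy = LockoutPolicy()
    t0 = 1_700_000_000.0
    results = []
    for i, guess in enumerate(["password", "123456", "qwerty", "Correct-Horse-9"]):
        results.append(attempt_login(policy, "alice", guess, "Correct-Horse-9", t0 + i))
    # After the lockout period the real password works again.
    results.append(attempt_login(policy, "alice", "Correct-Horse-9", "Correct-Horse-9",
                                 t0 + LOCKOUT_SECONDS + 10))
    return results
```

In a real system the lockout state lives in the directory or identity provider, and the "denied" and "locked" responses should look identical to the caller so that the lockout itself does not leak which usernames exist.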

After segmenting the network, the network manager wants to control the traffic between the segments. Which of the following should the manager use to control the network traffic?

an ACL - Because enterprise networks typically feature hundreds of switching appliances and network ports (not to mention wireless and remote access), segmentation is usually enforced with virtual LANs (VLANs). Any switch port can be assigned to any VLAN in the same topology, regardless of the physical location of the switch, and the layer 2 segmentation enforced by VLANs is mapped to logical divisions enforced by IP subnets at layer 3. Controlling the traffic that crosses between those segments is the job of access control lists (ACLs): an ACL applied to the router or layer 3 switch interface for a VLAN filters what may enter or leave that segment based on layer 3 and layer 4 information. Within a single VLAN, VLAN access maps (VACLs) can filter both bridged and routed packets between devices in the same VLAN, again based on IPv4 addresses.
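As an added illustration (not from the study set) of an ACL enforcing the segmentation just described, the Cisco IOS fragment below permits the Users VLAN to reach only web and DNS services in the Servers VLAN and blocks everything else between the two segments, while still letting users out to the Internet. The VLAN numbers, subnets (10.1.20.0/24 and 10.1.10.0/24), server addresses and the ACL name are assumptions for the example.

```cisco
! Segments (assumed): Users = VLAN 20, 10.1.20.0/24; Servers = VLAN 10, 10.1.10.0/24
ip access-list extended USERS-TO-SERVERS
 remark Users may reach the web tier on HTTPS and the resolver on DNS only
 permit tcp 10.1.20.0 0.0.0.255 10.1.10.0 0.0.0.255 eq 443
 permit udp 10.1.20.0 0.0.0.255 host 10.1.10.53 eq 53
 remark Everything else into the server segment is dropped and logged
 deny   ip  10.1.20.0 0.0.0.255 10.1.10.0 0.0.0.255 log
 remark Traffic to any other destination (e.g. the Internet) is unaffected
 permit ip  any any
!
interface Vlan20
 description Users SVI - ACL applied inbound, i.e. as packets leave the Users segment
 ip address 10.1.20.1 255.255.255.0
 ip access-group USERS-TO-SERVERS in
```

Applying the list inbound on the Users SVI means the check happens once, as traffic leaves its source segment; an equivalent list inbound on Vlan10 would control the reverse direction. Remember that an IOS ACL ends with an implicit deny, so the final permit is what keeps non-server traffic flowing.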

Drew is considering deploying a network intrusion prevention system (IPS) and wants to be able to detect advanced persistent threats. What type of IPS detection method is most likely to detect the behaviors of an APT after it has gathered baseline information about normal operations?

anomaly-based IPS detections Explanation: - Anomaly-based detection systems build a behavioral baseline for networks and then assess differences from those baselines. They may use heuristic capabilities on top of those, but the question specifically asks about baselined operations pointing to an anomaly-based system. Heuristic-based detections look for behaviors that are typically malicious, and signature-based or hash-based detections look for known malicious tools or files.

A security audit has revealed that a process control terminal is vulnerable to malicious users installing and executing software on the system. The terminal is beyond end-of-life support and cannot be upgraded, so it is placed on a protected network segment. Which of the following would be MOST effective to implement to further mitigate the reported vulnerability?

application allow lists - Explanation: One element of endpoint configuration is an execution control policy that defines which applications can or cannot be run.
- An allow list (or approved list) denies execution unless the process is explicitly authorized.
- A block list (or deny list) generally allows execution, but explicitly prohibits listed processes.
For an unpatchable end-of-life terminal with a fixed set of legitimate programs, an allow list is the stronger choice: anything an attacker installs is simply not on the list.

Samantha is looking for an authentication method that incorporates the X.509 standard and will allow authentication to be digitally signed. Which of the following authentication methods would best meet these requirements?

certificate-based authentication - Digital certificates use the X.509 standard (or the PGP standard) and allow the user to digitally sign authentication requests. OAuth allows an end user's account information to be used by third-party services, without exposing the user's password. It does not use digital certificates or support digital signing. Kerberos does not use digital certificates, nor does it support digitally signing. Smartcards can contain digital certificates but don't necessarily have to have them.

Fred sets up his authentication and authorization system to apply the following rules to authenticated users: -Users who are not logging in from inside the trusted network must use multifactor authentication. - Users whose devices have not passed a NAC check must use multifactor authentication. - Users who have logged in from geographic locations that are more than 100 miles apart within 15 minutes will be denied. What type of access control is Fred using?

conditional access - Conditional access assesses specific conditions to make a determination about whether to allow an account to access a resource. The system may choose to allow access, to block access, or to apply additional controls based on the conditions that are present and the information that is available about the login.
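The Python below is an added example, not part of the study set: it evaluates Fred's three rules from the question as a conditional access policy, using the haversine great-circle distance for the impossible-travel check. The trusted network range (10.0.0.0/8) and the login record layout are assumptions; the 100-mile / 15-minute thresholds come from the question.

```python
import ipaddress
import math

# Thresholds from the question; the trusted range is an assumption for the example.
TRUSTED_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]
IMPOSSIBLE_TRAVEL_MILES = 100
IMPOSSIBLE_TRAVEL_MINUTES = 15
EARTH_RADIUS_MILES = 3958.8


def in_trusted_network(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETWORKS)


def miles_between(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points using the haversine formula."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_MILES * math.asin(math.sqrt(a))


def evaluate(login, previous=None):
    """Decide the outcome for an authenticated user's login.

    login / previous: dicts with ip, nac_passed, time (epoch seconds), lat, lon.
    Returns 'deny', 'require_mfa' or 'allow'. Deny rules are checked first so that
    a successful MFA can never override an impossible-travel denial."""
    if previous is not None:
        minutes = abs(login["time"] - previous["time"]) / 60
        miles = miles_between(previous["lat"], previous["lon"], login["lat"], login["lon"])
        if minutes <= IMPOSSIBLE_TRAVEL_MINUTES and miles > IMPOSSIBLE_TRAVEL_MILES:
            return "deny"
    # Either condition alone is enough to step up to multifactor authentication.
    if not in_trusted_network(login["ip"]) or not login["nac_passed"]:
        return "require_mfa"
    return "allow"
```

The distance check compares against the previous successful login for the same account, so the policy engine needs that history; without it the third rule silently never fires.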

A network engineer has been asked to investigate why several wireless barcode scanners and wireless computers in a warehouse have intermittent connectivity to the shipping server. The barcode scanners and computers are all on forklift trucks and move around the warehouse during their regular use. Which of the following should the engineer do to determine the issue? (Choose two.)

create a heat map perform a site survey - The coverage and interference factors mean that WAPs must be positioned and configured so that the whole area is covered, but that they overlap as little as possible. A site survey is used to measure signal strength and channel usage throughout the area to cover. A site survey starts with an architectural map of the site, with features that can cause background interference marked. These features include solid walls, reflective surfaces, motors, microwave ovens, and so on. The survey is performed with a Wi-Fi-enabled laptop or mobile device with Wi-Fi analyzer software installed. The Wi-Fi analyzer records information about the signal obtained at regularly spaced points as the surveyor moves around the area. - These readings are combined and analyzed to produce a heat map, showing where a signal is strong (red) or weak (green/blue), and which channel is being used and how they overlap. This data is then used to optimize the design, by adjusting transmit power to reduce a WAP's range, changing the channel on a WAP, adding a new WAP, or physically moving a WAP to a new location.

Drew has been notified of a zero-day flaw in a web application. She has the exploit code, including a SQL injection attack that is being actively exploited. How can she quickly react to prevent this issue from impacting her environment if she needs the application to continue to function?

deploy a fix via her WAF - Explanation: Drew's best option is to deploy a detection and fix via her web application firewall (WAF) that will recognize the SQL injection attempt and block it while the application keeps running. An intrusion detection system (IDS) only detects attacks and cannot stop them. Manually updating the application code after reverse-engineering it would take time, and she may not even have the source code or the ability to modify it. Finally, vendor patches for zero days typically take some time to appear even in the best of circumstances, so Drew could be waiting on a patch for quite a while if she chose that option. A WAF rule of this kind is a virtual patch: it buys time, and the underlying code still needs to be fixed once a patch is available.
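The Python below is an added example, not code from the study set: it models the WAF virtual patch described above. A strict rule pins the hypothetical vulnerable parameter (id on /products) to an integer, and a handful of broad SQL injection signatures are applied to every other parameter. The endpoint, parameter names and the sample requests are constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Virtual patch for the (hypothetical) vulnerable endpoint: the "id" parameter of
# /products is used in a SQL query, so only a plain integer is ever acceptable.
STRICT_PARAMS = {"/products": {"id": re.compile(r"^\d{1,10}$")}}

# Broad signatures applied to every parameter value after URL decoding.
SQLI_PATTERNS = [re.compile(p, re.IGNORECASE) for p in (
    r"(?:'|\")\s*(?:or|and)\s+[\w'\"]+\s*=\s*[\w'\"]+",   # ' or 1=1
    r"\bunion\b\s+(?:all\s+)?\bselect\b",                 # union select
    r";\s*(?:drop|delete|insert|update|alter)\b",        # stacked query
    r"(?:--|/\*)",                                        # comment terminators
    r"\bsleep\s*\(|\bwaitfor\s+delay\b|\bbenchmark\s*\(", # time-based probes
)]


def inspect_request(method, url):
    """Return ('allow', '') or ('block', reason) for one request line."""
    parts = urlsplit(url)
    params = parse_qs(parts.query, keep_blank_values=True)  # parse_qs URL-decodes
    for name, values in params.items():
        strict = STRICT_PARAMS.get(parts.path, {}).get(name)
        for value in values:
            # The specific virtual patch is checked first: it is exact and cheap.
            if strict and not strict.match(value):
                return ("block", f"virtual patch: {parts.path} parameter {name} must be numeric")
            for pat in SQLI_PATTERNS:
                if pat.search(value):
                    return ("block", f"sqli signature in parameter {name}")
    return ("allow", "")


# Constructed sample traffic (not from a real log).
SAMPLE_REQUESTS = [
    ("GET", "/products?id=42"),
    ("GET", "/products?id=42%20OR%201%3D1"),
    ("GET", "/search?q=shoes"),
    ("GET", "/search?q=shoes'%20UNION%20SELECT%20username,password%20FROM%20users--"),
    ("GET", "/search?q=I%27m%20looking%20for%20shoes"),   # apostrophe alone is not an attack
    ("GET", "/products?id=1;DROP%20TABLE%20users"),
]


def run_samples():
    return [inspect_request(m, u) for m, u in SAMPLE_REQUESTS]
```

The strict rule is what actually closes the zero day: it needs no knowledge of attack syntax and cannot be bypassed by encoding tricks, whereas the generic signatures are best-effort and must be tuned against real traffic (a legitimate "--" in a search string would be blocked by the comment rule as written).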

Drew is concerned about attacks against her network's Spanning Tree Protocol (STP). She wants to ensure that a new switch introduced by an attacker cannot change the topology by asserting a lower bridge ID than the current configuration. What should she implement to prevent this?

enable Root Guard - Root Guard is set on a per-port basis for ports that should never lead toward the root bridge of a VLAN. If a superior BPDU (one advertising a lower bridge ID) arrives on such a port, the switch puts the port into a root-inconsistent (blocking) state until the superior BPDUs stop, so the attacker's switch cannot take over the topology. Since the location of the root shouldn't change regularly, it is safe to set on most ports in a network; on access ports that should never see any BPDU at all, BPDU Guard is the usual companion control. Spanning tree is used to prevent loops, so disabling STP would make this problem more likely rather than less. Bridge IDs cannot be negative, and BridgeProtect was made up for this question.
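As an added example (not from the study set), the Cisco IOS fragment below applies the controls just described: BPDU Guard on user-facing access ports, Root Guard on the uplinks toward other managed switches, and an explicit low bridge priority so that the intended switch wins the root election. The interface ranges are assumptions.

```cisco
! Access ports toward users and unmanaged devices (assumed range): no BPDU is ever expected here
interface range GigabitEthernet1/0/1 - 44
 switchport mode access
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! Uplinks to other managed switches (assumed range) that must never lead toward the root
interface range GigabitEthernet1/0/45 - 48
 spanning-tree guard root
!
! Make the intended root bridge win: lower priority = better bridge ID
spanning-tree vlan 1-4094 priority 4096
```

After enabling the controls, "show spanning-tree inconsistentports" lists any port currently blocked by Root Guard, which is also a useful alert source: a port that becomes root-inconsistent is a port where something is sending BPDUs it should not.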

A user contacts the help desk to report the following: - Two days ago, a pop-up browser window prompted the user for a name and password after connecting to the corporate wireless SSID. This had never happened before, but the user entered the information as requested. - The user was able to access the Internet but had trouble accessing the department share until the next day. - The user is now getting notifications from the bank about unauthorized transactions. Which of the following attack vectors was MOST likely used in this scenario?

evil twin - A rogue WAP masquerading as a legitimate one is called an evil twin. An evil twin might just have a similar name (SSID) to the legitimate one, or the attacker might use some DoS technique to overcome the legitimate WAP. This attack will not succeed if authentication security is enabled on the WAP, unless the attacker also knows the details of the authentication method. However, the evil twin might be able to harvest authentication information from users entering their credentials by mistake.

A user reports constant lag and performance issues with the wireless network when working at a local coffee shop. A security analyst walks the user through an installation of Wireshark and gets a five-minute pcap to analyze. The analyst observes the following output: <<see picture>> Which of the following attacks does the analyst MOST likely see in this packet capture?

de-authentication - Evil twin attacks often use de-authentication attacks in order to bump users off the legitimate WAP so that when the hosts reconnect, they will join the evil twin, which will likely have a little more signal strength than the legitimate WAP. The picture shows, even if you don't know how to read anything else in the image, numerous deauthentication frames.
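The Python below is an added example, not part of the study set or the pictured capture: it parses minimal 802.11 management frames, counts deauthentication frames per BSSID in a sliding window, and flags the burst pattern described above. The capture it analyzes is constructed in the code (three beacons, one legitimate deauth, then a 30-frame broadcast deauth burst spoofing the access point's MAC); the MAC addresses, window and threshold are assumptions.

```python
import struct
from collections import defaultdict, deque

TYPE_MGMT = 0
SUBTYPE_BEACON = 8
SUBTYPE_DEAUTH = 12
BROADCAST = b"\xff" * 6

AP = bytes.fromhex("001122334455")       # assumed legitimate AP / BSSID
CLIENT = bytes.fromhex("aabbccddeeff")   # assumed client station


def mac_str(addr):
    return ":".join(f"{b:02x}" for b in addr)


def build_frame(ftype, subtype, dst, src, bssid, body=b""):
    """Minimal 802.11 frame: frame control, duration, addr1..3, sequence control, body.
    No radiotap header and no FCS."""
    fc = (subtype << 4) | (ftype << 2)    # protocol version 0, no flags
    return bytes([fc, 0x00]) + b"\x00\x00" + dst + src + bssid + b"\x00\x00" + body


def parse_frame(frame):
    fc = frame[0]
    hdr = {"type": (fc >> 2) & 0x3, "subtype": (fc >> 4) & 0xF,
           "dst": frame[4:10], "src": frame[10:16], "bssid": frame[16:22], "reason": None}
    if hdr["type"] == TYPE_MGMT and hdr["subtype"] == SUBTYPE_DEAUTH and len(frame) >= 26:
        hdr["reason"] = struct.unpack("<H", frame[24:26])[0]   # reason code, little-endian
    return hdr


def detect_deauth_flood(packets, window=5.0, threshold=10):
    """packets: iterable of (timestamp, frame bytes). Returns {bssid: details} for every
    BSSID that saw at least `threshold` deauth frames within any `window` seconds."""
    recent = defaultdict(deque)     # bssid -> timestamps inside the window
    broadcast = defaultdict(int)    # bssid -> deauths addressed to ff:ff:ff:ff:ff:ff
    reasons = defaultdict(set)
    alerts = {}
    for ts, frame in sorted(packets, key=lambda p: p[0]):
        h = parse_frame(frame)
        if h["type"] != TYPE_MGMT or h["subtype"] != SUBTYPE_DEAUTH:
            continue
        key = mac_str(h["bssid"])
        dq = recent[key]
        dq.append(ts)
        while dq and ts - dq[0] > window:
            dq.popleft()
        if h["dst"] == BROADCAST:
            broadcast[key] += 1
        reasons[key].add(h["reason"])
        if len(dq) >= threshold:
            prev = alerts.get(key, {}).get("count", 0)
            alerts[key] = {"count": max(len(dq), prev), "broadcast": broadcast[key],
                           "reasons": sorted(reasons[key])}
    return alerts


def sample_capture():
    """Constructed capture: beacons, one genuine deauth (reason 3, station leaving),
    then a broadcast deauth burst with reason 7, a favourite of deauth tools."""
    pkts = [(0.1 * i, build_frame(TYPE_MGMT, SUBTYPE_BEACON, BROADCAST, AP, AP)) for i in range(3)]
    pkts.append((0.5, build_frame(TYPE_MGMT, SUBTYPE_DEAUTH, CLIENT, AP, AP, struct.pack("<H", 3))))
    for i in range(30):
        pkts.append((10.0 + 0.05 * i,
                     build_frame(TYPE_MGMT, SUBTYPE_DEAUTH, BROADCAST, AP, AP, struct.pack("<H", 7))))
    return pkts


def analyze_sample():
    return detect_deauth_flood(sample_capture())
```

The source MAC is useless on its own because the attacker spoofs the AP's address; rate, broadcast destination and reason codes are what separate a flood from the occasional legitimate deauthentication. The protocol-level fix is 802.11w protected management frames, which authenticate deauth frames so forged ones are ignored.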

Mason is responsible for security at a company that has traveling salespeople. The company has been using ABAC for access control to the network. Which of the following is an issue that is specific to ABAC and might cause it to incorrectly reject logins?

geographic location - Attribute-based access control (ABAC) looks at a group of attributes, in addition to the login username and password, to make decisions about whether or not to grant access. One of the attributes examined is the location of the person. Since the users in this company travel frequently, they will often be at new locations, and that might cause ABAC to reject their logins. Wrong passwords can certainly prevent login, but are not specific to ABAC. ABAC does not prevent remote access, and a firewall can be configured to allow, or prohibit, any traffic you wish.

Drew manages the IDS/IPS for her network. She has a network-based intrusion prevention system (NIPS) installed and properly configured. It is not detecting obvious attacks on one specific network segment. She has verified that the NIPS is properly configured and working properly. What would be the most efficient way for her to address this?

implement port mirroring for that segment - Explanation: The NIPS is not seeing the traffic on that network segment. By implementing port mirroring (a SPAN session), the traffic from that segment can be copied to the port where the NIPS is attached. Installing a second NIPS on the segment would work but requires additional resources, so it is not the most efficient approach. Nothing in this scenario suggests that the NIPS is inadequate; it simply is not seeing all the traffic. Finally, isolating the segment in its own VLAN would isolate it but would still not let the NIPS analyze its traffic. One caveat: a sensor fed from a mirror port sees a copy of the traffic and is therefore out of band, so on that segment it can alert (or inject resets) but cannot drop packets inline the way the NIPS does on the segments it sits in the path of.

A network engineer needs to build a solution that will allow guests at the company's headquarters to access the Internet via WiFi. This solution should not allow access to the internal corporate network, but it should require guests to sign off on the acceptable use policy before accessing the Internet. Which of the following should the engineer employ to meet these requirements?

install a captive portal - When a wireless client associates with the open hotspot and launches the browser, the client is redirected to a captive portal or splash page. This will allow the client to authenticate to the hotspot provider's network (over HTTPS, so the login is secure). The portal may also be designed to enforce terms and conditions and/or take payment to access the Wi-Fi service.

Avery accepted a job with a major competitor. The following week, a security analyst reviews the security logs and identifies successful logon attempts to access Avery's accounts. Which of the following security practices would have addressed the issue?

offboarding - Offboarding is the process of ensuring that an employee leaves a company gracefully, and it normally includes an exit interview. It is also used when a project using contractors or third parties ends. In terms of security, several processes must be completed:
- Account management (disable accounts and revoke credentials, keys and tokens)
- Company assets (recover laptops, phones and badges)
- Personal assets (remove company data and access from personal devices)
The departure of some types of employees should trigger additional processes to re-secure network systems. In this scenario Avery's accounts should have been disabled on departure; the successful logons a week later show that they were not.

Which of the following is the equivalent of a VLAN from a physical security perspective?

partitioning - Physically partitioning your network is the physical equivalent of a virtual LAN, or VLAN. A VLAN is designed to emulate physical partitioning. Perimeter security does not segment the network. Security zones are useful but don't, by themselves, segment a network. Often a network is segmented, using physical partitions or VLANs, to create security zones. A firewall is meant to block certain traffic, not to segment the network, although a firewall can be part of a segmentation or security zone implementation.

A company has three technicians who share the same credentials for troubleshooting multiple systems. Every time credentials are changed, the new ones are sent by email to all three technicians. The security administrator has become aware of this situation and wants to implement a solution to mitigate the risk. Which of the following is the BEST solution for company to implement?

password vaults - A password vault is a software-based password manager, typically backed by a cloud service so it can be reached from any device. Storing the shared troubleshooting credentials in a vault means they are no longer sent around by e-mail; each technician authenticates to the vault individually, every retrieval is logged, and many enterprise vaults can rotate the shared password automatically after use.

While reviewing the wireless router, a systems administrator of a small business determines someone is spoofing the MAC address of an authorized device. Which of the following should be the administrator's NEXT step to detect if there is a rogue system without impacting availability?

physically check each system - This is an awful question, but let's do it anyway. Which of these approaches will not affect wireless availability for other users? A ping sweep won't affect availability, but it only determines that a host IP is active on the network, and the admin can already see that in the wireless router interface. Applying a MAC filter will block both the potential rogue user and the legitimate user, and the rogue user can just change their MAC address again, so you end up blocking only the legitimate user. Denying Internet access to the unknown device affects availability for that device, and what if it is not a rogue device? That leaves only one answer: physically checking each wireless host connected to the AP. Note that this will be difficult because you have to find them all and need admin access on each to determine its MAC and IP address, so it could be impactful to users and take a long time, if you can even find all the connected hosts.

Chloe has noticed that users on her company's network frequently have simple passwords made up of common words. Thus, they have weak passwords. How could Chloe best mitigate this issue?

require password complexity - Password complexity requires that passwords contain a mixture of uppercase letters, lowercase letters, numbers, and special characters. This is the best of the offered approaches to correct the problem described in the question. Checking new passwords against a list of common words and known-breached passwords is a good complement, since it targets the dictionary-word problem directly. Longer passwords are a good security measure but will not by themselves correct the issue presented here. Changing passwords won't make those passwords any stronger, and Single Sign-On (SSO) has no effect on the strength of passwords.
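The Python below is an added example, not code from the study set: it enforces a minimum length and the character-class mixture described above, and additionally rejects passwords built from common words, including leetspeak variants such as "P@ssw0rd1!". The word list is a constructed excerpt; a real deployment would load a full common-password or breached-password list.

```python
import re

# Constructed excerpt of a common-word blocklist (a real list has millions of entries).
COMMON_WORDS = {"password", "welcome", "summer", "winter", "dragon", "monkey",
                "letmein", "football", "qwerty", "iloveyou", "princess", "company"}

MIN_LENGTH = 12          # assumption for the example
MIN_CLASSES = 3          # of the four classes below
CHARACTER_CLASSES = {
    "lowercase": r"[a-z]",
    "uppercase": r"[A-Z]",
    "digit": r"\d",
    "symbol": r"[^A-Za-z0-9]",
}

# Common substitutions users make to sneak a dictionary word past a complexity rule.
LEET = str.maketrans({"@": "a", "$": "s", "!": "i", "0": "o", "1": "i",
                      "3": "e", "4": "a", "5": "s", "7": "t"})


def normalize(pw):
    """Lower-case, undo leetspeak and keep only letters, so the blocklist is
    matched against the word the user actually had in mind."""
    return re.sub(r"[^a-z]", "", pw.lower().translate(LEET))


def check_password(pw):
    """Return a list of policy violations; an empty list means the password is accepted."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    present = sum(bool(re.search(pattern, pw)) for pattern in CHARACTER_CLASSES.values())
    if present < MIN_CLASSES:
        problems.append(f"needs at least {MIN_CLASSES} of: " + ", ".join(CHARACTER_CLASSES))
    letters = normalize(pw)
    hits = [w for w in COMMON_WORDS if w in letters]
    if hits:
        problems.append("based on a common word: " + ", ".join(sorted(hits)))
    return problems
```

"Summer2024!!" satisfies every composition rule yet is rejected, which is the point: composition rules alone do not stop the predictable passwords the question describes.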

Which of the following policies would help an organization identify and mitigate potential single points of failure in the company's IT/security operations?

separation of duties - Separation of duties is a means of establishing checks and balances against the possibility that critical systems or procedures can be compromised by insider threats. Duties and responsibilities should be divided among individuals to prevent ethical conflicts or abuse of powers, and so that no single person is the only one who can perform (or approve) a critical operation. An employee is supposed to work for the interests of their organization exclusively.

Drew wants to deploy a firewall that will protect her endpoint systems from other systems in the same security zone of her network as part of a zero-trust design. What type of firewall is best suited to this type of deployment?

software firewalls Explanation: - A software firewall is best suited to deployments to individual machines, particularly when endpoint systems are being protected. Hardware firewalls are typically deployed to protect network segments or groups of systems, and result in additional expense and management. Virtual and cloud firewalls are most often deployed in datacenters where virtual or cloud environments are in use, although a virtual firewall could be run on an endpoint.

Which type of firewall examines the content and context of each packet it encounters?

stateful packet filtering firewall - Explanation: A stateful inspection firewall examines the content and context of each packet it encounters. This means that a stateful packet inspection (SPI) firewall tracks the preceding packets of the same connection, and thus understands the context of the communications: a packet is judged by whether it belongs to a connection the firewall has already accepted. This makes certain attacks, such as sending unsolicited packets past a filter or some forms of SYN flood, much harder to carry out. Packet filtering firewalls examine each packet in isolation, without context. Application-layer firewalls can use SPI or simple packet filtering, but their primary role is to examine application-specific issues; a common example is a web application firewall. A gateway firewall is simply a firewall at the network gateway, which tells us nothing about whether it is packet filtering or SPI.

An organization plans to transition the intrusion detection and prevention techniques on a critical subnet to an anomaly-based system. Which of the following does the organization need to determine for this to be successful?

the baseline Explanation: - Anomaly-based detection systems build a behavioral baseline for networks and then assess differences from those baselines.
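The Python below is an added example, not code from the study set; it serves both this question and the earlier one about detecting an APT with anomaly-based IPS. It builds a per-host baseline (mean and standard deviation of outbound volume, plus the set of destination ports seen) from a known-clean period, then scores new observations: a z-score catches a bulk exfiltration, while the port check catches a low-and-slow beacon that never exceeds normal volume. The host, byte counts and ports are constructed.

```python
import statistics
from collections import defaultdict


def build_baseline(records):
    """records: (host, bytes_out, dst_port) tuples observed during a known-clean period.
    Returns per-host mean/stdev of outbound volume and the set of ports seen."""
    volumes = defaultdict(list)
    ports = defaultdict(set)
    for host, bytes_out, dst_port in records:
        volumes[host].append(bytes_out)
        ports[host].add(dst_port)
    baseline = {}
    for host, vals in volumes.items():
        stdev = statistics.pstdev(vals) if len(vals) > 1 else 0.0
        baseline[host] = {"mean": statistics.mean(vals),
                          "stdev": stdev or 1.0,      # avoid division by zero
                          "ports": ports[host]}
    return baseline


def score(baseline, host, bytes_out, dst_port, z_threshold=3.0):
    """Return a list of findings for one new observation (empty = looks normal)."""
    profile = baseline.get(host)
    if profile is None:
        return ["unknown host"]            # nothing to compare against: investigate
    findings = []
    z = (bytes_out - profile["mean"]) / profile["stdev"]
    if z > z_threshold:
        findings.append(f"volume z={z:.1f}")
    if dst_port not in profile["ports"]:
        findings.append(f"new destination port {dst_port}")
    return findings


def sample_baseline():
    """Constructed hourly outbound byte counts for one workstation (assumed address)."""
    clean = [("10.1.5.20", b, p) for b, p in [
        (2_800_000, 443), (3_100_000, 443), (2_950_000, 53), (3_300_000, 443),
        (2_700_000, 443), (3_050_000, 53), (3_200_000, 443), (2_900_000, 443)]]
    return build_baseline(clean)
```

Two practical points follow from the code. First, the baseline is only as good as the period it was built from: if the APT was already active, its traffic becomes "normal" and the z-score will never fire on it. Second, a single feature is not enough; the 2.9 MB connection to port 4444 in the test is invisible to the volume check and is caught only because the baseline also records destination ports.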

Drew is reviewing configuration management documentation for his organization and finds a note in his company's document repository about a specific firewall requirement. Allow Clients @192.168.10.x/24 to communicate with the Server at 10.1.10.11 using ports 139 & 445 <<see picture>> What key information is missing that a security professional would need to build firewall rules based on the note? Client WS --> Firewall --> Server

the protocol the traffic uses - The diagram shows services and ports, but it does not list the transport protocol. Drew should confirm whether these are TCP- or UDP-based services, since an incorrect guess would leave the service nonfunctional, and opening unnecessary protocols may inadvertently create exposures. (In practice, ports 139 and 445 are the NetBIOS session service and SMB, both of which run over TCP, but the rule should say so explicitly rather than rely on the reader knowing it.) The subnet mask is already shown where multiple systems on the client side require it, the service name isn't necessary for a firewall rule, and API keys should not be stored in documents like this.
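The nftables ruleset below is an added example, not from the study set; it serves both this question and the earlier one on stateful firewalls. It implements the note's requirement as a stateful rule: the protocol is stated explicitly, only new connections from the client subnet to the server on TCP 139 and 445 are accepted, and reply and related packets pass because of connection tracking rather than because of a second, reverse rule. The table and chain names and the logging prefix are assumptions.

```nft
table inet filter {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Stateful part: packets belonging to connections already accepted pass,
        # so no reverse rule from the server back to the clients is needed.
        ct state established,related accept
        ct state invalid drop

        # The requirement from the note, with the transport protocol made explicit:
        # clients in 192.168.10.0/24 may open SMB / NetBIOS sessions to 10.1.10.11.
        ip saddr 192.168.10.0/24 ip daddr 10.1.10.11 tcp dport { 139, 445 } ct state new accept

        # Everything else falls through to the chain policy (drop); log it first.
        log prefix "fwd-drop: " drop
    }
}
```

Had the note been implemented as "udp dport { 139, 445 }" the rule would load without error and the file share would simply never work, which is exactly the failure the answer above warns about.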

Sheila is concerned that some users on her network may be accessing files that they should not—specifically, files that are not required for their job tasks. Which of the following would be most effective in determining if this is happening?

usage auditing and review - Auditing and reviewing how users actually utilize their account permissions would be the best way to determine if there is any inappropriate use. Usage auditing and permissions auditing are both part of account maintenance, but auditing and review is a better answer. Finally, this is not a policy issue.

Patrick regularly connects to untrusted networks when he travels and is concerned that an on-path attack could be executed against him as he browses websites. He would like to validate certificates against known certificates for those websites. What technique can he use to do this?

use certificate pinning - Certificate pinning associates a known certificate (or its public key) with a host and then compares that pinned value with the certificate presented during the TLS handshake. This can help prevent on-path (man-in-the-middle) attacks, but it can fail if the server's certificate is rotated and the pinned certificate isn't updated, which is why deployments usually pin a backup key as well. A CRL, or certificate revocation list, would show whether a certificate has been revoked, but it would not show that the certificate had been swapped for a different valid one. Patrick will not have access to the remote server's private key unless he happens to be its administrator.

Drew wants to detect a potential insider threat using his security information and event management (SIEM) system. What capability best matches his needs?

user behavior analysis Explanation: - User behavior analysis is a key capability when attempting to detect potential insider threats. Drew can use his SIEM's behavioral analysis capabilities to detect improper or illicit use of rights and privileges as well as abnormal behavior on the part of his users. Sentiment analysis helps analyze feelings, and log aggregation and security monitoring provide ways to gain insight into the overall security posture and status of the organization.

After reading a security bulletin, a network security manager is concerned that a malicious actor may have breached the network using the same software flaw. The exploit code is publicly available and has been reported as being used against other industries in the same vertical. Which of the following should the network security manager consult FIRST to determine a priority list for forensic review?

vulnerability scan output - The first thing to do is to check whether you have the vulnerable software in your network. You may or may not have an accurate inventory of assets and installed software (Sal's guess is that you don't), but even if you do, there is always the chance that some shadow IT or forgotten infrastructure is still online. Therefore, you should run a vulnerability scan specifically looking for the software and vulnerability of interest; its output gives you the list of hosts to review first. The other choices all focus on looking for whether the IoCs are active on your network, and you won't need to do that if you don't have the software of interest.

