Network Security N10-008
Which of the following can be described as wireless network hardening techniques? (Choose all that apply.) A. Encryption B. Authentication C. MAC filtering D. Social engineering E. Antenna placement
A, B, C, E. Encryption, authentication, Media Access Control (MAC) filtering, and antenna placement are all techniques for hardening a wireless network against attack. Social engineering is a type of attack in which an intruder contacts a user and convinces him or her to disclose sensitive information, such as account passwords; it is not specifically associated with wireless networks.
Which of the following types of attacks require no additional hardware or software components? (Choose all that apply.) A. Brute-force B. Social engineering C. Denial-of-Service D. Phishing
A, B, C. A brute-force attack is one in which an attacker uses repeated guesses to find a password, an open port, or some other type of sensitive data. A Denial-of-Service (DoS) attack floods a target server with traffic so that it is unable to function normally. While both of these attack types can be mounted using specialized software, they can also be the work of a lone attacker using nothing more than the tools provided on a standard workstation. Social engineering is the practice of obtaining sensitive data by contacting users and pretending to be someone with a legitimate need for that data. It requires nothing more than a telephone or an email client. Phishing is the term for an attack that uses bogus emails or websites designed to infect users with some type of malware.
Which of the following Extensible Authentication Protocol (EAP) variants utilize tunneling to provide security for the authentication process? (Choose all that apply.) A. PEAP B. EAP-FAST C. EAP-TLS D. EAP-PSK
A, B. Protected Extensible Authentication Protocol (PEAP) encapsulates EAP inside a Transport Layer Security (TLS) tunnel. Flexible Authentication via Secure Tunneling (EAP-FAST) also establishes a TLS tunnel to protect user credential transmissions. EAP-TLS uses TLS for encryption, but not for tunneling. EAP-PSK uses a preshared key to provide an authentication process that does not use encryption.
Which of the following attack types are specifically directed at wireless networks? (Choose all that apply.) A. Evil twin B. Phishing C. Deauthentication D. War driving
A, C, D. An evil twin is a fraudulent access point on a wireless network that mimics the Service Set Identifier (SSID) of a legitimate access point, in the hope of luring in users. War driving is an attack method that consists of driving around a neighborhood with a computer, scanning for unprotected wireless networks. Deauthentication is a type of Denial-of-Service (DoS) attack in which the attacker targets a wireless client by sending a deauthentication frame that causes the client to be disconnected from the network. Phishing is an attack type that is targeted at all users, not just wireless ones.
As part of her company's new risk management initiative, Alice has been assigned the task of performing a threat assessment for the firm's data resources. For each potential threat she discovers, which of the following elements should Alice estimate? (Choose all that apply.) A. Severity B. Mitigation C. Likelihood D. Posture
A, C. A threat assessment should estimate the potential severity of a threat, such as the damage that the loss of a specific resource can cause to the organization. The assessment should also estimate the likelihood of a particular threat occurring, as the organization will have to devote more attention to the more likely threats. An assessment of the organization's current posture (or status) with regard to a specific threat and the mitigation techniques used to counter it are both elements that come later in the risk management process, after the threat assessment has been completed.
Which of the following attack types typically involves modifying network packets while they are in transit? (Choose all that apply.) A. Spoofing B. Denial-of-Service C. On-path D. Logic bomb
A, C. Spoofing is the process of modifying network packets to make them appear as though they are transmitted by or addressed to someone else. One way of doing this is to modify the Media Access Control (MAC) address in the packets to one that is approved by the MAC filter. An on-path (or man-in-the-middle) attack is one in which an attacker intercepts network traffic, reads the traffic, and can even modify it before sending it on to the destination. Denial-of-Service (DoS) is a type of attack that overwhelms a computer with traffic, preventing it from functioning properly, whereas a logic bomb is a code insert placed into a legitimate software product that triggers a malicious event when specific conditions are met. Neither of these last two involves modifying network packets.
Which of the following types of attacks are rarely seen anymore because of changes in device design that were specifically designed to prevent them? (Choose all that apply.) A. VLAN hopping B. Logic bomb C. Phishing D. Smurf
A, D. Smurf attacks rely on routers to forward broadcast traffic. Routers no longer forward broadcast messages, so smurf attacks have been rendered ineffective. In the same way, Virtual Local Area Network (VLAN) hopping, which is a method for sending commands to switches to transfer a port from one VLAN to another, is rarely seen because switches are now designed to prevent it. A logic bomb is a code insert placed into a legitimate software product that triggers a malicious event when specific conditions are met. Phishing is the term for a bogus email or website designed to infect users with some type of malware. Both of these are still commonly used attack types.
In addition to EAP-TLS, which of the following are also Extensible Authentication Protocol (EAP) variants that use the Transport Layer Security (TLS) protocol? (Choose all that apply.) A. PEAP B. EAP-PWD C. EAP-MD5 D. EAP-FAST
A, D. The Protected Extensible Authentication Protocol (PEAP) and EAP Flexible Authentication via Secure Tunneling (EAP-FAST) both use TLS tunneling to secure authentication transmissions. EAP Password (EAP-PWD) and EAP-MD5 do not use TLS for tunneling or any other purpose.
Which of the following technologies can maintain an account database that multiple remote access servers can employ to authenticate remote users? A. RADIUS B. IDS C. NGFW D. NAS
A. A Remote Authentication Dial-In User Service (RADIUS) server can provide Authentication, Authorization, and Accounting (AAA) services for remote access servers. Intrusion Detection Systems (IDSs), Next-Generation Firewalls (NGFWs), and Network Attached Storage (NAS) devices do not provide authentication services.
Honeypots and honeynets belong to which of the following categories of devices? A. Mitigation techniques B. Network attacks C. Switch port protection types D. Firewall filters
A. A honeypot or honeynet is a type of mitigation technique that takes the form of a computer or network configured to function as bait for attackers, causing them to waste their time penetrating a resource that provides no significant access.
In the hacker subculture, which of the following statements best describes a zombie? A. A computer that is remotely controllable because it has been infected by malware B. A computer that is no longer functioning because it is the target of a Denial-of-Service (DoS) attack C. A user that has fallen victim to a phishing attack D. A program that attackers use to penetrate passwords using brute-force attacks
A. A zombie (or bot) is a computer that has been infected by malware—usually some form of Trojan—which an attacker can control remotely, causing the computer to flood a target system with traffic. An attack using multiple zombies is known as a Distributed Denial-of-Service (DDoS) attack. The other options are not examples of zombies.
Which of the following terms refers to a type of Denial-of-Service (DoS) attack that bombards a target server with traffic that requires a large amount of processing? A. Amplified B. Reflective C. Distributed D. Permanent
A. An amplified DoS attack is one in which the messages sent by the attacker require an extended amount of processing by the target servers, increasing the burden on them more than simpler messages would. A reflective DoS attack is one in which the attacker sends requests containing the target server's IP address to legitimate servers on the Internet, such as Domain Name System (DNS) servers, causing them to send a flood of responses to the target. A Distributed Denial-of-Service (DDoS) attack is one in which the attacker uses hundreds or thousands of computers, controlled by malware and called bots or zombies, to send traffic to a single server or website in an attempt to overwhelm it and prevent it from functioning. A permanent DoS attack is one in which the attacker actually damages the target system and prevents it from functioning.
Which of the following terms refers to a Denial-of-Service (DoS) attack that places more of a burden on the target server than just the flood of incoming traffic? A. Amplified B. Reflective C. Distributed D. Permanent
A. An amplified DoS attack is one in which the messages sent by the attacker require an extended amount of processing by the target servers, increasing the burden on them more than simpler messages would. Reflective and distributed DoS attacks use other computers to flood a target with traffic. A reflective DoS attack is one in which the attacker sends requests containing the target server's IP address to legitimate servers on the Internet, such as Domain Name System (DNS) servers, causing them to send a flood of responses to the target. A Distributed Denial-of-Service (DDoS) attack is one in which the attacker uses a botnet consisting of hundreds or thousands of computers, controlled by malware and called bots or zombies, to send traffic to a single server or website in an attempt to overwhelm it and prevent it from functioning. A permanent DoS attack is one in which the attacker actually damages the target system and prevents it from functioning.
An intruder has deployed a rogue access point on your company's wireless network and is using it to access traffic generated by users who have accidentally connected to it. Which of the following is the name for this type of attack? A. Evil twin B. War driving C. Social networking D. Spoofing
A. An evil twin is a fraudulent access point on a wireless network, which an intruder can use to obtain passwords and other sensitive information transmitted by users. War driving is the term for seeking out open wireless networks. Social engineering is a form of attack in which an innocent user is persuaded by an attacker to provide sensitive information via email or telephone. Spoofing is the process of modifying network packets to make them appear as though they are transmitted by or addressed to someone else.
Which of the following terms refers to the process of confirming a user's identity by checking specific credentials? A. Authentication B. Accounting C. Authorization D. Access control
A. Authentication is the process of confirming a user's identity by checking credentials, such as passwords, ID cards, or fingerprints. Authorization is the process of determining what resources a user can access on a network. Accounting is the process of tracking a user's network activity. Access control is the creation of permissions that provide users and groups with specific types of access to a resource.
When a user swipes a finger across a fingerprint scanner to log on to a laptop computer, which of the following actions is the user performing? A. Authentication B. Authorization C. Accounting D. Auditing
A. Authentication is the process of confirming a user's identity. Fingerprint readers and other biometric devices are one of the authentication factors commonly used by network devices. Authorization defines the type of access granted to authenticated users. Accounting and auditing are both methods of tracking and recording a user's activities on a network, such as when a user logged on and how long they remained connected.
When a user supplies a password to log on to a server, which of the following actions is the user performing? A. Authentication B. Authorization C. Accounting D. Auditing
A. Authentication is the process of confirming a user's identity. Passwords are one of the authentication factors commonly used by network devices. Authorization defines the type of access granted to authenticated users. Accounting and auditing are both methods of tracking and recording a user's activities on a network, such as when a user logged on and how long they remained connected.
When a user swipes a smartcard through a reader to log on to a laptop computer, which of the following actions is the user performing? A. Authentication B. Authorization C. Accounting D. Auditing
A. Authentication is the process of confirming a user's identity. Smartcards are one of the authentication factors commonly used by network devices. Authorization defines the type of access granted to authenticated users. Accounting and auditing are both methods of tracking and recording a user's activities on a network, such as when a user logged on and how long they remained connected.
EAP and 802.1X are components that help to provide which of the following areas of wireless network security? A. Authentication B. Authorization C. Encryption D. Accounting
A. Extensible Authentication Protocol (EAP) and 802.1X are both components of an authentication mechanism used on many wireless networks. EAP and 802.1X do not themselves provide authorization, encryption, or accounting services.
Which of the following best describes a wireless network that uses geofencing as a security mechanism? A. A wireless network that allows clients to authenticate only when the signal strength of their connections exceeds a specified level B. A wireless network that requires users to log on to a wired system before they can authenticate on a wireless device C. A wireless network that requires users to have an Active Directory account located within the local site D. A wireless network that requires users to type in the local Service Set Identifier (SSID) before they can authenticate
A. Geofencing is a mechanism that is intended to prevent unauthorized clients outside the facility from connecting to the network. The mechanism can take the form of a signal strength or power level requirement, a GPS location requirement, or strategic placement of the antennae for wireless access points. The other options listed are not descriptions of typical geofencing technologies.
Which of the following security protocols can authenticate users without transmitting their passwords over the network? A. Kerberos B. 802.1X C. TKIP D. LDAP
A. Kerberos is a security protocol used by Active Directory that employs a system of tickets to authenticate users and other network entities without the need to transmit credentials over the network. IEEE 802.1X does authenticate by transmitting credentials. Temporal Key Integrity Protocol (TKIP) and Lightweight Directory Access Protocol (LDAP) are not authentication protocols.
Combining elements like something you know, something you have, and something you are to provide access to a secured network resource is a definition of which of the following types of authentication? A. Multifactor B. Multisegment C. Multimetric D. Multifiltered
A. Multifactor authentication combines two or more authentication methods and reduces the likelihood that an intruder would be able to successfully impersonate a user during the authentication process. A password (something you know) and a retinal scan (something you are) is an example of a multifactor authentication system. A smartcard and a PIN, which is the equivalent of a password, is another example of multifactor authentication because it requires users to supply something they know and something they have. Multisegment, multimetric, and multifiltered are not applicable terms in this context.
Which of the following terms describes a system that prevents computers from logging on to a network unless they have the latest updates and antimalware software installed? A. NAC B. LDAP C. RADIUS D. TKIP-RC4
A. Network Access Control (NAC) is a mechanism that defines standards of equipment and configuration that systems must meet before they can connect to the network. Lightweight Directory Access Protocol (LDAP) provides communication between directory service entities. Remote Authentication Dial-In User Service (RADIUS) is an authentication, authorization, and accounting service for remote users connecting to a network. Temporal Key Integrity Protocol (TKIP) with the RC4 cipher is an encryption protocol used on wireless networks running the WiFi Protected Access (WPA) security protocol.
Which of the following statements about RADIUS and TACACS+ are correct? A. By default, RADIUS uses UDP, and TACACS+ uses TCP. B. By default, RADIUS uses TCP, and TACACS+ uses UDP. C. By default, both RADIUS and TACACS+ use TCP. D. By default, both RADIUS and TACACS+ use UDP.
A. Remote Authentication Dial-In User Service (RADIUS) uses User Datagram Protocol (UDP) ports 1812 and 1813 or 1645 and 1646 for authentication, whereas Terminal Access Controller Access Control System Plus (TACACS+) uses Transmission Control Protocol (TCP) port 49.
Which of the following standards was originally designed to provide Authentication, Authorization, and Accounting (AAA) services for dial-up network connections? A. RADIUS B. TACACS+ C. Kerberos D. LDAP
A. Remote Authentication Dial-In User Service (RADIUS) was originally conceived to provide AAA services for Internet Service Providers (ISPs), which at one time ran networks with hundreds of modems providing dial-up access to subscribers. Terminal Access Controller Access Control System Plus (TACACS+) is a protocol that was designed to provide AAA services for networks with many routers and switches, but not for dial-up connections. Kerberos and Lightweight Directory Access Protocol (LDAP) are not AAA services.
Which of the following abbreviations describes a product that combines real-time monitoring of security events and automated analysis of the event information gathered? A. SIEM B. SNMP C. SEIM D. SEM/SIM
A. Security Information and Event Management (SIEM) is a product that combines two technologies: security event management (SEM) and security information management (SIM). Together, the two provide a combined solution for gathering and analyzing information about a network's security events. Simple Network Management Protocol (SNMP) is a technology that gathers information about managed devices. SEIM and SEM/SIM are not correct abbreviations for Security Information and Event Management.
Which of the following is an effective method for preventing sensitive data from being compromised through social engineering? A. Implement a program of user education and corporate policies. B. Install an antivirus software product on all user workstations. C. Install a firewall between the internal network and the Internet. D. Use Internet Protocol Security (IPSec) to encrypt all network traffic.
A. Social engineering is the practice of obtaining sensitive data by contacting users and pretending to be someone with a legitimate need for that data. No software or hardware solution can prevent it; the only way is to educate users on the potential dangers and establish policies that inform users what to do when they experience a social engineering attempt. Social engineering is not a virus or other form of malware, so an antivirus product has no effect against it. Social engineering is not carried in network traffic, so neither a firewall nor IPSec can filter it or protect against it.
Which of the following authentication factors is an example of something you are? A. A fingerprint B. A smartcard C. A password D. A finger gesture
A. Something you are refers to a physical characteristic that uniquely identifies an individual, such as a fingerprint or other form of biometric. This type of authentication is often used as part of a multifactor authentication procedure because a biometric element can conceivably be compromised. A finger gesture would be considered something you do, a password is something you know, and a smartcard is something you have.
Which of the following types of attacks can be used to enable an intruder to access a wireless network despite the protection provided by MAC filtering? A. Spoofing B. Brute-force C. DNS poisoning D. War driving
A. Spoofing is the process of modifying network packets to make them appear as though they are transmitted by or addressed to someone else. One way of doing this is to modify the Media Access Control (MAC) address in the packets to one that is approved by the MAC filter. Brute-force is the method of repeated guessing, which is impractical with MAC addresses. The Domain Name System (DNS) works with IP addresses, not MAC addresses. War driving is the process of looking for unprotected Wireless Access Points (WAPs).
Despite having imposed password policies on his network, compelling users to change their passwords frequently, create passwords of a specific length, and use complex passwords, Ralph has had several reports of account penetrations. The victims of the incidents had all apparently shared a "tip" suggesting that users cycle through the names of their children, nephews, nieces, and other relatives when forced to create new passwords, changing letters to numbers as needed. Which of the following actions can Ralph take to remedy the situation without creating a larger problem? A. Distribute a list of common passwords that are insecure, such as those based on names, birth dates, etc. B. Modify the password policies to force users to change passwords more frequently C. Assign the users long passwords consisting of random-generated characters and change them often D. Change the password history policy to a value greater than the number of children in any user's family
A. There are no policies that can prevent users from creating easily guessed passwords. The only action that can help is to educate users on the fact that attackers are frequently able to guess passwords by using information such as familiar names and dates. Forcing more frequent password changes would not compel users to alter their method for choosing passwords, nor would increasing the password history value. Assigning random passwords would address the issue, but user complaints and forgotten passwords would likely create greater problems than it would solve.
Which of the following steps can help to prevent war driving attacks from compromising your wireless network? (Choose all that apply.) A. Configure your access point to use a longer SSID. B. Configure your access point not to broadcast its SSID. C. Configure your clients and access point to use WPA2 security. D. Configure your clients and access point to use WEP security.
B, C. Configuring the access point not to broadcast its Service Set Identifier (SSID) will prevent an unsophisticated war driving attacker from seeing the network. Configuring your equipment to use WiFi Protected Access II (WPA2) security will make it difficult for a war driver who detects your network to connect to it. The SSID is just an identifier; its length has no effect on security. Wired Equivalent Privacy (WEP) is a security protocol that has been found to have serious weaknesses.
Which of the following attack types are specifically targeted at wireless network clients? (Choose all that apply.) A. Logic bomb B. Deauthentication C. Evil twin D. ARP poisoning
B, C. Deauthentication is a type of Denial-of-Service (DoS) attack in which the attacker targets a wireless client by sending a deauthentication frame that causes the client to be disconnected from the network. The object of the attack is often to compel the client to connect to a rogue access point called an evil twin. An evil twin is a fraudulent access point on a wireless network that mimics the Service Set Identifier (SSID) of a legitimate access point, in the hope of luring in users. A logic bomb is a code insert placed into a legitimate software product that triggers a malicious event when specific conditions are met. Address Resolution Protocol (ARP) poisoning is the deliberate insertion of fraudulent information into the ARP cache stored on computers and switches. Neither of these last two is specifically targeted at wireless clients.
Which of the following terms refer to Denial-of-Service (DoS) attacks that use other computers to flood a target server with traffic? (Choose all that apply.) A. Amplified B. Reflective C. Distributed D. Permanent
B, C. Reflective and distributed DoS attacks use other computers to flood a target with traffic. A reflective DoS attack is one in which the attacker sends requests containing the target server's IP address to legitimate servers on the Internet, such as DNS servers, causing them to send a flood of responses to the target. A Distributed Denial-of-Service (DDoS) attack is one in which the attacker uses hundreds or thousands of computers, controlled by malware and called bots or zombies, to send traffic to a single server or website in an attempt to overwhelm it and prevent it from functioning. An amplified DoS attack is one in which the messages sent by the attacker require an extended amount of processing by the target servers, increasing the burden on them more than simpler messages would. A permanent DoS attack is one in which the attacker actually damages the target system and prevents it from functioning.
Which of the following are standards that define combined Authentication, Authorization, and Accounting (AAA) services? (Choose all that apply.) A. 802.1X B. RADIUS C. TACACS+ D. LDAP
B, C. Remote Authentication Dial-In User Service (RADIUS) and Terminal Access Controller Access Control System Plus (TACACS+) are both services that provide networks with AAA. 802.1X provides only authentication, and Lightweight Directory Access Protocol (LDAP) provides communication between directory service entities.
Which of the following statements are true about a public key infrastructure? (Choose all that apply.) A. Data encrypted with a user's public key can be decrypted with the user's public key. B. Data encrypted with a user's public key can be decrypted with the user's private key. C. Data encrypted with a user's private key can be decrypted with the user's private key. D. Data encrypted with a user's private key can be decrypted with the user's public key.
B, D. In a public key infrastructure, data encrypted with a user's public key can only be decrypted with the user's private key, and data encrypted with a user's private key can only be decrypted with the user's public key. This enables the system to provide both message encryption and nonrepudiation. If data encrypted with a user's public key could be decrypted with that same public key, the system would provide no security at all. If data encrypted with a user's private key could be decrypted with that same private key, the user could only send secure messages to him- or herself.
Which of the following tools are needed by an individual performing a war driving attack? (Choose all that apply.) A. A stolen credit card number B. A wireless-equipped computer or other device C. A screwdriver D. An automobile or other vehicle E. A telephone
B, D. War driving is an attack method that consists of driving around a neighborhood with a computer, scanning for unprotected wireless networks. It therefore requires nothing more than a vehicle and a wireless-equipped computer. The term driving in war driving refers to driving a vehicle, not a screw; a screwdriver is therefore not required. War driving uses a wireless computer or other device to scan for open networks; a telephone is therefore not required. War driving is a means for locating unprotected networks; it does not require a credit card number, nor does it involve stealing them.
Which of the following are terms for an area of an enterprise network, separated by firewalls, which contains servers that must be accessible both from the Internet and from the internal network? (Choose all that apply.) A. Intranet B. DMZ C. EGP D. Stateless network E. Perimeter network F. Screened subnet
B, E, F. Servers that must be accessible both from the internal network and from the Internet are typically located in an area of the enterprise called a screened subnet, a perimeter network, or a demilitarized zone (DMZ). This area is separated from both the Internet and the internal network by firewalls, which prevents unauthorized Internet users from accessing the internal network. Intranet is another term for the internal network. Exterior Gateway Protocol (EGP) is a type of routing protocol, and stateless is a type of firewall; neither applies to this definition.
Which of the following best describes a brute-force attack? A. An attacker breaking down the door of a datacenter B. An attacker cracking a password by trying thousands of guesses C. An attacker using zombie computers to flood a server with traffic D. An attacker deploying an unauthorized access point on a wireless network
B. A brute-force attack (also called a dictionary attack) is one in which an attacker uses repeated guesses to find a password, an open port, or some other type of sensitive data. Brute-force does not refer to a physical attack. Flooding a server with traffic created by zombies is a Distributed Denial-of-Service (DDoS) attack. Deploying an unauthorized access point is an evil twin attack.
In some cases, network administrators create computers that function as enticing targets for attackers but that do not provide access to any legitimately sensitive services or information. Which of the following is the term used to describe this technique? A. DMZ B. Honeypot C. Root guard D. Spoofing
B. A honeypot is a computer configured to function as bait for attackers, causing them to waste their time penetrating a resource that provides no significant access. A demilitarized zone (DMZ) is the part of a network where administrators locate servers that must be accessible from the Internet. A root guard provides protection to switch ports. Spoofing is an attack technique in which an intruder modifies packets to assume the appearance of another user or computer.
Alice has been assigned the task of examining her department's order entry procedure, to determine whether it meets established cost, quality, and timeliness goals. Which of the following is the best term for this examination? A. Vendor assessment B. Process assessment C. Business assessment D. Risk assessment
B. A process assessment is an examination of an existing procedure to determine its compliance with a specific set of goals that can include cost, quality, and timeliness. A vendor assessment is an examination of the organization's relationship with a specific business partner. Business assessment and risk assessment are more general terms that can include process assessments.
Which of the following statements best describes a type of replay attack? A. An intruder reenters a resource previously compromised by another intruder. B. An intruder retransmits captured authentication packets to gain access to a secured resource. C. An intruder uses the same technique that provided access to other resources to penetrate a new resource. D. An intruder accesses a resource that was accidentally left unsecured by an authorized user.
B. A replay attack is one in which an attacker utilizes the information found in previously captured packets to gain access to a secured resource. In many cases, the captured packets contain authentication data. In this way, the attacker can make use of captured passwords, even when they are encrypted and cannot be displayed. The other options all describe valid attack methodologies, but they are not called replay attacks.
Which of the following statements best describes the difference between an exploit and a vulnerability? A. An exploit is a potential weakness in software, and a vulnerability is a potential weakness in hardware. B. A vulnerability is a potential weakness in a system, and an exploit is a hardware or software element that is designed to take advantage of a vulnerability. C. An exploit is a potential weakness in a system, and a vulnerability is a hardware or software element that is designed to take advantage of a vulnerability. D. A vulnerability is a potential weakness in software, and an exploit is a potential weakness in hardware.
B. A vulnerability is a weakness, whether in software or hardware, of which an exploit is designed to take advantage. Neither term is specific to hardware or software.
Which of the following terms refers to the process by which a system tracks a user's network activity? A. Authentication B. Accounting C. Authorization D. Access control
B. Accounting is the process of tracking a user's network activity, such as when the user logged on and logged off and what resources the user accessed. Authentication is the process of confirming a user's identity by checking credentials. Authorization is the process of determining what resources a user can access on a network. Access control is the creation of permissions that provide users and groups with specific types of access to a resource.
Which of the following is the name for an attack in which an intruder uses a Bluetooth connection to steal information from a wireless device, such as a smart phone? A. Bluedogging B. Bluesnarfing C. Bluesmurfing D. Bluejacking
B. Bluesnarfing is an attack in which an intruder connects to a wireless device using Bluetooth, for the purpose of stealing information. Bluejacking is the process of sending unsolicited messages to a device using Bluetooth. The other options do not exist.
Which of the following statements best describes the difference between distributed and reflective Denial-of-Service (DoS) attacks? A. A distributed DoS attack uses other computers to flood a target server with traffic, whereas a reflective DoS attack causes a server to flood itself with loopback messages. B. A distributed DoS attack uses malware-infected computers to flood a target, whereas a reflective DoS attack takes advantage of other servers' native functions to make them flood a target. C. A reflective DoS attack uses malware-infected computers to flood a target, whereas a distributed DoS attack takes advantage of other servers' native functions to make them flood a target. D. A distributed DoS attack floods multiple target computers with traffic, whereas a reflective DoS attack only floods a single target.
B. Distributed Denial-of-Service (DDoS) attacks use hundreds or thousands of computers that have been infected with malware, called bots or zombies, to flood a target server with traffic in an attempt to overwhelm it and prevent it from functioning. A reflective DoS attack is one in which the attacker sends requests containing the target server's IP address to legitimate servers on the Internet, such as Domain Name System (DNS) servers, causing them to send a flood of responses to the target. Neither attack type causes a computer to flood itself.
Which of the following functions can be interfered with by a DNS poisoning attack? A. IP address resolution B. Name resolution C. Password protection D. Network switching
B. Domain Name System (DNS) poisoning is a type of attack in which an attacker adds fraudulent information into the cache of a DNS server. This can interfere with the name resolution process by causing a DNS server to supply the incorrect IP address for a specified name. The process of resolving an IP address into a Media Access Control (MAC) address can be interfered with by Address Resolution Protocol (ARP) poisoning. DNS has nothing to do with passwords or switching.
Which of the following standards defines a framework for the authentication process, but does not specify the actual authentication mechanism? A. WPA B. EAP C. TKIP D. TLS
B. Extensible Authentication Protocol (EAP) is a framework for the encapsulation of authentication messages. EAP is used on wireless networks and point-to-point connections and supports dozens of different authentication methods. WiFi Protected Access (WPA) is a wireless encryption standard. Temporal Key Integrity Protocol (TKIP) is an encryption algorithm. Transport Layer Security (TLS) is an encryption protocol used for Internet communications.
Which of the following statements best defines multifactor user authentication? A. Verification of a user's identity on all of a network's resources using a single sign-on B. Verification of a user's identity using two or more types of credentials C. Verification of a user's identity on two devices at once D. Verification of a user's membership in two or more security groups
B. Multifactor authentication combines two or more authentication methods, requiring a user to supply multiple credentials. This reduces the likelihood that an intruder would be able to successfully impersonate a user during the authentication process. The term multifactor does not refer to the number of resources, devices, or groups with which the user is associated.
Which of the following is an implementation of Network Access Control (NAC)? A. RADIUS B. 802.1X C. LDAP D. TACACS+
B. NAC is a set of policies that define security requirements that clients must meet before they are permitted to connect to a network. 802.1X is a basic implementation of NAC. Remote Authentication Dial-In User Service (RADIUS) and Terminal Access Controller Access Control System Plus (TACACS+) are Authentication, Authorization, and Accounting (AAA) services. They are not NAC implementations themselves, although they can play a part in their deployment. Lightweight Directory Access Protocol (LDAP) provides directory service communications.
Regularly applying operating system updates and patches to network computers is an important mitigation procedure for which of the following security problems? A. Denial-of-Service attacks B. Malware C. Social engineering D. Port security
B. Operating system updates and patches are frequently released to address newly discovered exploits that make computers vulnerable to malware infestation. Applying updates on a regular basis can help to mitigate the impact of malware. Updates and patches typically cannot mitigate Denial-of-Service (DoS) attacks, and they have no effect on nontechnical dangers such as social engineering, or on switch-level dangers such as port security hazards.
A user calls the help desk, complaining that he cannot access any of the data on his computer. A message has also appeared on his screen stating that his data has been encrypted and that it will only be decrypted after he pays $768 in digital currency to an unknown address. Which of the following types of attack has the user experienced? A. War driving B. Ransomware C. Denial-of-Service D. ARP poisoning
B. Ransomware is a type of attack in which a user's access to his or her data is blocked unless a certain amount of money is paid to the attacker. The blockages can vary from simple screen locks to data encryption. War driving is an attack method that consists of driving around a neighborhood with a computer, scanning for unprotected wireless networks. Denial-of-Service (DoS) is a type of attack that overwhelms a computer with traffic, preventing it from functioning properly. Address Resolution Protocol (ARP) poisoning is the deliberate insertion of fraudulent information into the ARP cache stored on computers and switches.
Which of the following types of attacks requires no computer equipment? A. Denial-of-Service B. Social engineering C. Brute-force D. Dictionary E. Phishing
B. Social engineering is the practice of obtaining sensitive data by contacting users and pretending to be someone with a legitimate need for that data. No computer equipment is required, and no software or hardware solution can prevent it; the only way is to educate users on the potential dangers and establish policies that inform users what to do when they experience a social engineering attempt. Denial-of-Service (DoS) is a type of attack that overwhelms a computer with traffic, preventing it from functioning properly. A brute-force or dictionary attack is one in which an attacker uses repeated guesses to find a password, an open port, or some other type of sensitive data. Phishing is the term for a bogus email or website designed to infect users with some type of malware.
Which of the following authentication factors is an example of something you have? A. A fingerprint B. A smartcard C. A password D. A finger gesture
B. Something you have refers to a physical possession that serves to identify a user, such as a smartcard. This type of authentication is typically used as part of a multifactor authentication procedure because a smartcard or other physical possession can be lost or stolen. A fingerprint would be considered something you are, a password is something you know, and a finger gesture is something you do.
Which of the following standards provides Authentication, Authorization, and Accounting (AAA) services for network routers and switches? A. RADIUS B. TACACS+ C. Kerberos D. LDAP
B. Terminal Access Controller Access Control System Plus (TACACS+) is a protocol designed to provide AAA services for networks with many routers and switches, enabling administrators to access them with a single set of credentials. Remote Authentication Dial-In User Service (RADIUS) provides AAA services, but not for routers and switches. Kerberos and Lightweight Directory Access Protocol (LDAP) are not AAA services.
Ralph is evaluating software products for potential deployment on his company's network. Which of the following types of searches can Ralph use to identify security issues that have been discovered in specific products? A. CIA B. CVE C. SKU D. SIEM
B. The Common Vulnerabilities and Exposures (CVE) database is a resource that assigns identifier numbers to known security issues found in software products. By searching the database, Ralph can learn about the vulnerabilities that have already been found in the products he is evaluating. The Confidentiality-Integrity-Availability (CIA) triad lists important information security concepts, but it does not provide information about specific products. Stock Keeping Units (SKU) are product identifiers that do not involve security issues. Security Information and Event Management (SIEM) is a product that gathers and analyzes information about a network's security events, but it would not help Ralph discover vulnerabilities in the products he is evaluating.
Which element of the Confidentiality-Integrity-Availability (CIA) triad prevents unauthorized modification of protected data? A. Confidentiality B. Integrity C. Availability D. None of the above
B. The Integrity element of the CIA triad prevents data from being modified by unauthorized users. Confidentiality is protection against unauthorized viewing of data. Availability provides users with access to the data they need.
Ed receives an email through his personal account, warning him that his checking account has been locked due to excessive activity. To confirm that the activity is fraudulent, the email instructs Ed to click the enclosed hyperlink, log on to his account, and review the list of charges. Ed clicks the link and is taken to a web page that appears to be that of his bank. He then supplies his username and password to log on. Which of the following types of attacks is Ed likely to be experiencing? A. Social engineering B. Phishing C. Logic bomb D. Spoofing
B. This is a classic example of a phishing scam. In all likelihood, the link in the email Ed received has taken him not to the real website of his bank, but rather a duplicate created by an attacker. By supplying his logon credentials, he is in effect giving them to the attacker, who can now gain access to his real bank account. Social engineering is the practice of obtaining sensitive data by contacting users and pretending to be someone with a legitimate need for that data. A logic bomb is a code insert placed into a legitimate software product that triggers a malicious event when specific conditions are met. Spoofing is the process of modifying network packets to make them appear as though they are transmitted by or addressed to someone else.
On the fence outside your home, you happen to notice a small sticker that has the Service Set Identifier (SSID) of your wireless network written on it, along with the name of the security protocol your network is using. To which of the following attacks have you been made a victim? A. War driving B. War chalking C. War tagging D. War signing
B. War driving is an attack method that consists of driving around a neighborhood with a computer, scanning for unprotected wireless networks. When a war driver locates a wireless network and marks it for other attackers, it is called war chalking. There are no such attacks as war tagging and war signing.
A technician in the IT department at your company was terminated today and had to be escorted from the building. Your supervisor has instructed you to disable all of the technician's accounts, change all network device passwords to which the technician had access, and have the datacenter doors rekeyed. Which of the following terms best describes your supervisor's concern in asking you to do these things? A. Social engineering B. Internal threats C. Logic bombs D. War driving E. External threats
B. Your supervisor's concern is that the disgruntled technician might take advantage of his access to devices and facilities to sabotage the network. When an individual takes advantage of information gathered during his or her employment, it is called an internal (or insider) threat. An external threat is one originating from a non-employee. Social engineering is a form of attack in which an innocent user is persuaded by an attacker to provide sensitive information via email or telephone. A logic bomb is a code insert placed into a legitimate software product that triggers a malicious event when specific conditions are met. War driving is an attack method that consists of driving around a neighborhood with a computer, scanning for unprotected wireless networks.
Which of the following types of servers are typically found in a screened subnet? (Choose all that apply.) A. Domain controllers B. DHCP servers C. Email servers D. Web servers
C, D. A network segment that is separated from the internal network by a firewall and exposed to the Internet is called a screened subnet, a demilitarized zone (DMZ), or a perimeter network. Administrators typically use a screened subnet for servers that must be accessible by outside users, such as web and email servers. For security reasons, domain controllers and Dynamic Host Configuration Protocol (DHCP) servers should be located on internal network segments.
Which of the following services are methods of tracking a user's activities on a network? (Choose all that apply.) A. Authentication B. Authorization C. Accounting D. Auditing
C, D. Accounting and auditing are both methods of tracking and recording a user's activities on a network, such as when a user logged on and how long they remained connected. Authentication is the confirmation of a user's identity, and authorization defines the type of access granted to authenticated users.
Which of the following are examples of multifactor authentication? (Choose all that apply.) A. A system that uses an external RADIUS server for authentication B. A system that requires two passwords for authentication C. A system that requires a smartcard and a PIN for authentication D. A system that requires a password and a retinal scan for authentication
C, D. Multifactor authentication combines two or more authentication methods and reduces the likelihood that an intruder would be able to successfully impersonate a user during the authentication process. A password and a retinal scan is an example of a multifactor authentication system. A smartcard and a PIN, which is the equivalent of a password, is an example of multifactor authentication because it requires users to supply something they know and something they have. Multifactor authentication refers to the proofs of identity a system requires, not the number of servers used to implement the system. Therefore, the use of a Remote Authentication Dial-In User Service (RADIUS) server is not an example of multifactor authentication. A system that requires two passwords is not an example of multifactor authentication, because an attacker can compromise one password as easily as two. A multifactor authentication system requires two different forms of authentication.
Which of the following terms refers to a type of Denial-of-Service (DoS) attack that uses multiple computers to bombard a target server with traffic? A. Amplified B. Reflective C. Distributed D. Permanent
C. A Distributed Denial-of-Service (DDoS) attack is one in which the attacker uses hundreds or thousands of computers, controlled by malware and called bots or zombies, to send traffic to a single server or website in an attempt to overwhelm it and prevent it from functioning. An amplified DoS attack is one in which the messages sent by the attacker require an extended amount of processing by the target servers, increasing the burden on them more than simpler messages would. A reflective DoS attack is one in which the attacker sends requests containing the target server's IP address to legitimate servers on the Internet, such as Domain Name System (DNS) servers, causing them to send a flood of responses to the target. A permanent DoS attack is one in which the attacker actually damages the target system and prevents it from functioning.
Which of the following types of attack involves the modification of a legitimate software product? A. Social engineering B. War driving C. Logic bomb D. Evil twin
C. A logic bomb is a code insert placed into a legitimate software product that triggers a malicious event when specific conditions are met. Social engineering is the practice of obtaining sensitive data by manipulating legitimate users, such as by pretending to be someone with a genuine need for that data. War driving is an attack method that consists of driving around a neighborhood with a computer, scanning for unprotected wireless networks. An evil twin is a fraudulent access point on a wireless network that mimics the Service Set Identifier (SSID) of a legitimate access point, in the hope of luring in users.
In testing the new application he has designed, Ralph has discovered that it contains a weakness that could enable an attacker to gain full administrative access. Which of the following is another term for this weakness? A. Exploit B. Mitigation C. Vulnerability D. Honeypot
C. A vulnerability is a potential weakness in a system that an attacker can use to his or her advantage. An exploit is a hardware or software element that is designed to take advantage of a vulnerability. A mitigation is a form of defense against attacks on system security. A honeypot is a computer configured to function as bait for attackers, causing them to waste their time penetrating a resource that provides no significant access.
Which of the following is the best description of a software product with a zero-day vulnerability? A. A product with a vulnerability that has just been addressed by a newly-released fix B. A product with a vulnerability that has been addressed by a fix, which nearly all users have applied C. A vulnerability in a newly-released product for which no fix has yet been developed D. A vulnerability in a product which no attackers have yet discovered or exploited
C. A zero-day vulnerability is a serious software problem with a potential for exploitation in a newly released software product. The vulnerability has not yet been discovered, addressed, or patched by the software's developer, but it has been discovered by potential attackers. In other words, a zero-day vulnerability is one for which no patch or fix yet exists.
In an 802.1X transaction, what is the function of the authenticator? A. The authenticator is the service that issues certificates to clients attempting to connect to the network. B. The authenticator is the service that verifies the credentials of the client attempting to access the network. C. The authenticator is the network device to which the client is attempting to connect. D. The authenticator is the client user or computer attempting to connect to the network.
C. An 802.1X transaction involves three parties: the supplicant, which is the client attempting to connect to the network; the authenticator, which is a switch or access point to which the supplicant is requesting access; and the authentication server, which is typically a Remote Authentication Dial-In User Service (RADIUS) implementation that verifies the supplicant's identity. The authenticator is not involved in issuing certificates.
Which of the following is not one of the roles involved in an 802.1X transaction? A. Supplicant B. Authentication server C. Authorizing agent D. Authenticator
C. An 802.1X transaction involves three parties: the supplicant, which is the client attempting to connect to the network; the authenticator, which is a switch or access point to which the supplicant is requesting access; and the authentication server, which is typically a Remote Authentication Dial-In User Service (RADIUS) implementation that verifies the supplicant's identity. There is no party to the transaction called an authorizing agent.
Which of the following elements associates a public and private key pair to the identity of a specific person or computer? A. Exploit B. Signature C. Certificate D. Resource record
C. As part of a public key infrastructure (PKI), digital certificates are associated with a key pair, consisting of a public key and a private key. The certificate is issued to a person or computer as proof of its identity. A signature does not associate a person or computer with a key pair. An exploit is a hardware or software element that is designed to take advantage of a vulnerability. Resource records are associated with the Domain Name System (DNS).
Which of the following statements about authentication auditing are not true? A. Auditing can disclose attempts to compromise passwords. B. Auditing can detect authentications that occur after hours. C. Auditing can identify the guess patterns used by password cracking software. D. Auditing can record unsuccessful as well as successful authentications.
C. Auditing of authentication activities can record both successful and unsuccessful logon attempts. Large numbers of logon failures can indicate attempts to crack passwords. Auditing tracks the time of authentication attempts, sometimes enabling you to detect off-hours logons that indicate an intrusion. Auditing does not record the passwords specified during authentications, so it cannot identify patterns of unsuccessful guesses.
Which of the following terms refers to the process of determining whether a user is a member of a group that provides access to a particular network resource? A. Authentication B. Accounting C. Authorization D. Access control
C. Authorization is the process of determining what resources a user can access on a network. Typically, this is done by assessing the user's group memberships. Authentication is the process of confirming a user's identity. Accounting is the process of tracking a user's network activity. Access control is the creation of permissions that provide users and groups with specific types of access to a resource.
Which of the following is the best description of biometrics? A. Something you know B. Something you have C. Something you are D. Something you do
C. Biometrics is a type of authentication factor that uses a physical characteristic that uniquely identifies an individual, such as a fingerprint or a retinal pattern. Biometrics is therefore best described as something you are, as opposed to something you know, something you have, or something you do.
Which of the following terms refers to a Denial-of-Service (DoS) attack that involves zombies? A. Amplified B. Reflective C. Distributed D. Permanent
C. Distributed Denial-of-Service (DDoS) attacks use hundreds or thousands of computers that have been infected with malware, called bots or zombies, to flood a target server with traffic, in an attempt to overwhelm it and prevent it from functioning. A reflective DoS attack is one in which the attacker sends requests containing the target server's IP address to legitimate servers on the Internet, such as Domain Name System (DNS) servers, causing them to send a flood of responses to the target. A reflective attack does not require infected computers; it takes advantage of the servers' native functions. An amplified DoS attack is one in which the messages sent by the attacker require an extended amount of processing by the target servers, increasing the burden on them more than simpler messages would. A permanent DoS attack is one in which the attacker actually damages the target system and prevents it from functioning.
Which of the following terms refers to a Denial-of-Service (DoS) attack in which an attacker breaks into a company's datacenter and smashes its servers with a sledgehammer? A. Amplified B. Reflective C. Distributed D. Permanent
C. Distributed Denial-of-Service (DDoS) attacks use hundreds or thousands of computers that have been infected with malware, called bots or zombies, to flood a target server with traffic, in an attempt to overwhelm it and prevent it from functioning. A reflective DoS attack is one in which the attacker sends requests containing the target server's IP address to legitimate servers on the Internet, such as Domain Name System (DNS) servers, causing them to send a flood of responses to the target. A reflective attack does not require infected computers; it takes advantage of the servers' native functions. An amplified DoS attack is one in which the messages sent by the attacker require an extended amount of processing by the target servers, increasing the burden on them more than simpler messages would. A permanent DoS attack is one in which the attacker actually damages the target system and prevents it from functioning.
A wireless network is configured to allow clients to authenticate only when the signal strength of their connections exceeds a specified level. Which of the following terms best describes this configuration? A. Local authentication B. Port security C. Geofencing D. Motion detection
C. Geofencing is the generic term for a technology that limits access to a network or other resource based on the client's location. In wireless networking, geofencing is intended to prevent unauthorized clients outside the facility from connecting to the network. Local authentication is an application or service that triggers an authentication request to which the user must respond before access is granted. Port security is a method for protecting access to switch ports. Motion detection is a system designed to trigger a notification or alarm when an individual trespasses in a protected area.
When starting her new position as a network administrator, Alice was given two user accounts. One account is intended for standard user activities, and another has the additional permissions needed for Alice to perform administrative tasks. This is an example of which of the following security concepts? A. Zero-day B. Multifactor authentication C. Least privilege D. Defense in depth
C. Least privilege is the practice of only providing users with the permissions they need to perform their designated tasks and no more. For her standard activities, Alice is given an account that does not have administrative permissions, because she does not need those permissions to perform standard tasks. The administrative account has the additional permissions needed for Alice to perform administrative tasks. The intention is for Alice to use that account only for those administrative tasks. Zero-day is a type of vulnerability; multifactor authentication calls for users to supply two identifying factors; defense in depth refers to the use of multiple security mechanisms to provide additional protection. None of these three options refers to the use of multiple user accounts.
Which of the following statements best describes a ransomware attack? A. A website is rendered inaccessible by a Denial-of-Service (DoS) attack until its owner agrees to pay a fee. B. A user's access to a specific resource, such as a bank's website, is blocked until the user pays a fee. C. A message appears on a user's screen, stating that the system is locked and will only be released on payment of a fee. D. An application is supplied with limited usability until the user pays a license fee.
C. Ransomware is a type of attack in which a user's access to his or her computer or data is blocked unless a certain amount of money is paid to the attacker. The blockages can vary from simple screen locks to data encryption.
Alice's company regularly hires a large number of operators for their phone center. The operators require access to a customer database and an order entry system. Because this is a high-turnover position, Alice has streamlined the on-boarding process by creating a security group with the appropriate permissions needed to access the necessary software. This way, she can simply add each new user to the group, rather than assigning the permissions individually. This is an example of which of the following security concepts? A. Least privilege B. Zero trust C. Role-based access control D. Defense in depth
C. Role-based access control works by assigning permissions to specific jobs or job roles. Each new user can then be associated with a role and receive the necessary permissions automatically. When a user leaves a job, removing them from their role revokes the permissions associated with it. Least privilege, zero trust, and defense in depth are all theoretical security concepts, but they are not descriptive of Alice's practice in this regard.
Which of the following describes the primary difference between Single Sign-On (SSO) and same sign-on? A. SSO enables users to access different resources with one set of credentials, whereas same sign-on requires users to have multiple credential sets. B. SSO credentials consist of one username and one password, whereas same sign-on credentials consist of one username and multiple passwords. C. SSO requires the user to supply credentials only once, whereas with same sign-on, the user must supply the credentials repeatedly. D. SSO requires multifactor authentication, such as a password and a smartcard, whereas same sign-on requires only a password for authentication.
C. SSO uses one set of credentials and requires the user to supply them only once to gain access to multiple resources. Same sign-on also uses a single set of credentials, with one password, but the user must perform individual logons for each resource. Neither SSO nor same sign-on calls for multifactor authentication.
A person identifying herself as Trixie from IT telephones a user called Alice and tells her that there is a problem with her network user account that could cause all her data to be lost. To resolve the problem, Trixie says that she must log on using Alice's account and configure an important setting. All she needs to do this is Alice's account password. This call is, of course, an illicit attempt to learn Alice's password. Which of the following terms describes the type of attack that is currently occurring? A. On-path B. Spoofing C. Social engineering D. Evil twin
C. Social engineering is the term for a type of attack in which a smooth-talking intruder contacts a user and convinces him or her to disclose sensitive information, such as account passwords. An on-path (man-in-the-middle) attack is one in which an attacker intercepts network traffic, reads the traffic, and can even modify it before sending it on to the destination. Spoofing is the process of modifying network packets to make them appear as though they are transmitted by or addressed to someone else. An evil twin is a fraudulent access point on a wireless network.
Which of the following authentication factors is an example of something you know? A. A fingerprint B. A smartcard C. A password D. A finger gesture
C. Something you know refers to information you supply during the authentication process, such as a password or PIN. This is the most common type of authentication factor because it cannot be lost or stolen unless the user violates security policies. A fingerprint would be considered something you are, a finger gesture is something you do, and a smartcard is something you have.
Which of the following is an example of local authentication? A. A system that uses an external RADIUS server for authentication B. A system that uses the Kerberos protocol for authentication C. A system that authenticates users without network communication D. A system that requires a password and a retinal scan for authentication
C. Systems that use local authentication have user accounts stored on the computer, enabling users to log on without the need for any network communication. Systems that use Remote Authentication Dial-In User Service (RADIUS) or Kerberos for authentication require network communication. A password and a retinal scan is an example of a multifactor authentication system, which might or might not be local.
An 802.1X transaction involves three roles: the supplicant, the authenticator, and the authentication server. Of the three, which role typically takes the form of a RADIUS implementation? A. The supplicant B. The authenticator C. The authentication server D. None of the above
C. The authentication server role is typically performed by a Remote Authentication Dial-In User Service (RADIUS) server. In an 802.1X transaction, the supplicant is the client attempting to connect to the network, the authenticator is a switch or access point to which the supplicant is requesting access, and the authentication server verifies the client's identity.
In which of the following ways is VLAN hopping a potential threat? A. VLAN hopping enables an attacker to scramble a switch's patch panel connections. B. VLAN hopping enables an attacker to rename the default VLAN on a switch. C. VLAN hopping enables an attacker to access different VLANs using 802.1q spoofing. D. VLAN hopping enables an attacker to change the native VLAN on a switch.
C. Virtual Local Area Network (VLAN) hopping is a method for sending commands to switches to transfer a port from one VLAN to another. This can enable the attacker to connect his or her device to a potentially sensitive VLAN. VLAN hopping does not modify the switch's patch panel connections, only its VLAN assignments. It is not possible to rename a switch's default VLAN. VLAN hopping does not enable an attacker to change a switch's native VLAN.
Which of the following authentication protocols do Windows networks use for Active Directory Domain Services (AD DS) authentication of internal clients? A. RADIUS B. WPA2 C. Kerberos D. EAP-TLS
C. Windows networks that use AD DS authenticate clients using the Kerberos protocol, in part because it never transmits passwords over the network, even in encrypted form. Remote Authentication Dial-In User Service (RADIUS) is an authentication, authorization, and accounting service for remote users connecting to a network. Windows does not use it for internal clients. WiFi Protected Access 2 (WPA2) is a security protocol used by wireless Local Area Network (LAN) networks. It is not used for AD DS authentication. Extensible Authentication Protocol-Transport Layer Security (EAP-TLS) is a remote authentication protocol that AD DS networks do not use for internal clients.
Which of the following types of Denial-of-Service (DoS) attack does not involve flooding a server with traffic? A. Amplified B. Reflective C. Distributed D. Permanent
D. Although a DoS attack typically involves traffic flooding, any attack that prevents a server from functioning can be called a DoS attack. A permanent DoS attack is one in which the attacker actually damages the target system and prevents it from functioning. This can be a physical attack that actually damages the hardware, or the attacker can disable the server by altering its software or configuration settings. Flood-based attacks include the Distributed Denial-of-Service (DDoS) attack, one in which the attacker uses hundreds or thousands of computers controlled by malware, called bots or zombies, to send traffic to a single server or website in an attempt to overwhelm it and prevent it from functioning. An amplified DoS attack is one in which the messages sent by the attacker require an extended amount of processing by the target servers, increasing the burden on them more than simpler messages would. A reflective DoS attack is one in which the attacker sends requests containing the target server's IP address to legitimate servers on the Internet, such as Domain Name System (DNS) servers, causing them to send a flood of responses to the target.
In an 802.1X transaction, what is the function of the supplicant? A. The supplicant is the service that issues certificates to clients attempting to connect to the network. B. The supplicant is the service that verifies the credentials of the client attempting to access the network. C. The supplicant is the network device to which the client is attempting to connect. D. The supplicant is the client user or computer attempting to connect to the network.
D. An 802.1X transaction involves three parties: the supplicant, which is the client attempting to connect to the network; the authenticator, which is a switch or access point to which the supplicant is requesting access; and the authentication server, which is typically a Remote Authentication Dial-In User Service (RADIUS) implementation that verifies the supplicant's identity. The supplicant is not involved in issuing certificates.
Which of the following types of attacks can cause a user's attempts to connect to an Internet website to be diverted to an attacker's website instead? A. Evil twin B. ARP poisoning C. Spoofing D. DNS poisoning
D. Domain Name System (DNS) poisoning is a type of attack in which an attacker adds fraudulent information into the cache of a DNS server. Then, when a client attempts to resolve the name of a website or other server, the DNS server supplies the incorrect IP address, causing the client to access the attacker's server instead. An evil twin is a rogue Wireless Access Point (WAP) on a network. Address Resolution Protocol (ARP) poisoning is the deliberate insertion of fraudulent information into the ARP cache stored on computers and switches, which can interfere with the resolution of IP addresses into Media Access Control (MAC) addresses on a local level. Spoofing is the process of modifying network packets to make them appear as though they are transmitted by or addressed to someone else.
Which of the following is a practice that a zero trust architecture is designed to protect against? A. Zero-day vulnerabilities B. External threats C. Deauthentication D. Lateral movement
D. Lateral movement is when a user gains basic access to a network by legitimate means and then uses it to gain unauthorized access to other resources inside the network. A zero trust architecture provides full protection for all sensitive resources, even from users already inside the network. A zero trust architecture does not protect against zero-day vulnerabilities, which are exploits in software; external threats; or deauthentication, which is a type of Denial-of-Service (DoS) attack.
Which of the following best describes the process of penetration testing? A. Administrators create computers or networks that are alluring targets for intruders. B. Administrators attempt to access the network from outside using hacker tools. C. An organization hires an outside consultant to evaluate the security conditions on the network. D. An organization hires an outside consultant who attempts to compromise the network's security measures.
D. Penetration testing is when an outside consultant is engaged to attempt an unauthorized access to protected network resources. Testing by an internal administrator familiar with the security barriers would not be a valid test. While having a consultant examine the network's security from within can be useful, this is not a penetration test. Computers or networks that are alluring targets for intruders are called honeypots or honeynets.
Which of the following authentication factors is an example of something you do? A. A fingerprint B. A smartcard C. A password D. A finger gesture
D. Something you do refers to a physical action performed by a user, such as a finger gesture, which helps to confirm his or her identity. This type of authentication is often used as part of a multifactor authentication procedure because a gesture or other action can be imitated. A fingerprint would be considered something you are, a password is something you know, and a smartcard is something you have.
Which of the following statements best describes the primary scenario for the use of TACACS+? A. TACACS+ was designed to provide authentication, authorization, and accounting services for wireless networks. B. TACACS+ was designed to provide authentication, authorization, and accounting services for the Active Directory service. C. TACACS+ was designed to provide authentication, authorization, and accounting services for remote dial-up users. D. TACACS+ was designed to provide authentication, authorization, and accounting services for network routers and switches.
D. Terminal Access Controller Access Control System Plus (TACACS+) is a protocol designed to provide Authentication, Authorization, and Accounting (AAA) services for networks with many routers and switches, enabling administrators to access them with a single set of credentials. It was not designed to provide AAA services for wireless networks, Active Directory, or remote dial-in users.
Your new smartphone enables you to configure the lock screen with a picture of your husband, on which you draw eyes, nose, and a mouth with your finger to unlock the phone. This is an example of which of the following authentication factors? A. Something you have B. Something you know C. Something you are D. Something you do
D. The act of drawing on the screen with your finger is a gesture, which is an example of something you do. A PIN or a password is something you know; a thumbprint, or any other biometric factor, is something you are; and a smartcard is an example of something you have.
Which of the following is not a form of social engineering? A. Piggybacking B. Tailgating C. Shoulder surfing D. Evil twin E. Phishing
D. The term social engineering refers to various methods that attackers can use to gain access to secured resources by manipulating authorized users, either physically or digitally. An evil twin is a rogue access point deliberately connected to the network for malicious purposes, so it is not a form of social engineering. Piggybacking and tailgating typically refer to the practice of closely following an authorized individual through a physical security barrier, such as a locked door or a guarded entrance. Shoulder surfing is a method of gathering sensitive information by passing behind a user and looking at their monitor. Phishing is a digital form of social engineering in which a user is duped into disclosing sensitive information by a faked email or other communication.
Which of the following protocols can you use to authenticate Windows remote access users with smartcards? A. EAP B. MS-CHAPv2 C. CHAP D. PAP
A. The Extensible Authentication Protocol (EAP) is the only Windows remote authentication protocol that supports the use of authentication methods other than passwords, such as smartcards. MS-CHAPv2 is a strong remote access authentication protocol, but it supports password authentication only. Users cannot use smartcards. The Challenge Handshake Authentication Protocol (CHAP) is a relatively weak authentication protocol that does not support the use of smartcards. The Password Authentication Protocol (PAP) supports only cleartext passwords, not smartcards.
The new door lock on your company's datacenter door requires you to supply both a PIN and a thumbprint scan. Which of the following types of authentication factors does the lock use? (Choose all that apply.) A. Something you have B. Something you know C. Something you are D. Something you do
B, C. A PIN, like a password, is something you know, and a thumbprint, or any other biometric factor, is something you are. An example of something you have would be a smartcard, and an example of something you do would be a finger gesture.
Which of the following attack types can be facilitated by ARP poisoning? (Choose all that apply.) A. Evil twin B. On-path C. Session hijacking D. Social engineering
B, C. Address Resolution Protocol (ARP) poisoning is the deliberate insertion of fraudulent information into the ARP cache stored on computers and switches. This can enable an attacker to intercept traffic intended for another system. In an on-path (man-in-the-middle) attack, the attacker can read the intercepted traffic and even modify it before sending it on to the destination. In a session hijacking attack, the attacker can use the intercepted traffic to obtain authentication information, including passwords. An evil twin is a fraudulent access point on a wireless network. Social engineering is a form of attack in which an innocent user is persuaded by an attacker to provide sensitive information via email or telephone.
Which of the following are not considered to be Denial-of-Service (DoS) attacks? (Choose all that apply.) A. An intruder breaks into a company's datacenter and smashes their web servers with a sledgehammer. B. An attacker uses the ping command with the -t parameter to send a continuous stream of large Internet Control Message Protocol (ICMP) packets to a specific server. C. An attacker captures the packets transmitted to and from a domain controller to obtain encrypted passwords. D. An attacker connects a rogue access point to a company's wireless network, using their Service Set Identifier (SSID) in the hope of attracting their users.
C, D. A DoS attack is one designed to prevent a target from fulfilling its function. While ping floods are a common form of server DoS attacks, physically damaging the server hardware also prevents it from performing its function. Therefore, this too is a type of DoS attack. Capturing packets and rogue access points are not typically described as DoS attacks.
A senior IT administrator at your company was terminated two weeks ago. Today, Friday, you arrived at the office and found that all of the hosts in the web server farm had had their data deleted. There are no unauthorized entries to the datacenter recorded, but you suspect the terminated administrator is responsible for deleting the data. Which of the following attack types might the administrator have directed at the web server farm? A. Social engineering B. ARP poisoning C. Evil twin D. Logic bomb
D. A logic bomb is a code insert placed into a legitimate software product that triggers a malicious event when specific conditions are met. The terminated administrator might have created code designed to trigger the deletions after the administrator's departure from the company. Social engineering is a form of attack in which an innocent user is persuaded by an attacker to provide sensitive information via email or telephone. The Address Resolution Protocol (ARP) is responsible for resolving IP addresses into Media Access Control (MAC) addresses. ARP poisoning is the deliberate insertion of fraudulent information into the ARP cache stored on computers and switches. An evil twin is a fraudulent access point on a wireless network.
Which of the following is not one of the mechanisms often used to implement a defense in depth strategy? A. Screened subnets B. Network segmentation enforcement C. Honeypots D. Access control vestibules E. Social engineering F. Separation of duties
E. Social engineering is a means for gaining unauthorized access to a network by convincing users to disclose passwords or other sensitive information; it is not part of a defense in depth strategy. Defense in depth can include physical protection, such as access control vestibules; division of resources using network segmentation, separation of duties, or screened subnets; and deceptive lures, such as honeypots.