Security + 12 / Understanding Monitoring and Auditing

How many entities are involved in the 802.1x authentication process? 1; 2; 3; 4

3 --- client, authenticator, authentication server

Which of the following are true regarding a network-based IDS? (Choose two.) A. Network traffic is analyzed for malicious packets. B. Alerts and notifications can be configured. C. Malicious packets are dropped. D. Laptops are protected when disconnected from the LAN.

A. Network traffic is analyzed for malicious packets. B. Alerts and notifications can be configured.

What can be done to prevent malicious users from tampering with and modifying log file entries? (Choose three.) A. Store log files on a secured centralized logging host. B. Encrypt archived log files. C. Run Windows Update. D. Generate file hashes for log files.

A. Store log files on a secured centralized logging host. B. Encrypt archived log files. D. Generate file hashes for log files.

Which of the following is a federation system technology? bcrypt; OAuth; EAP; Argon2

OAuth (Single-sign-on)

Which of the following should NOT be stored in a secure password database? a. Plaintext password b. Iterations c. Salt d. Password digest

a. Plaintext password

Which attack uses one or a small number of commonly used passwords to attempt to log in to several different user accounts? a. Role attack b. Offline brute force attack c. Online brute force attack d. Password spraying attack

d. Password spraying attack

A user complains that his machine performance has degraded ever since he downloaded a free file recovery utility. You would like to rule out the possibility of any malicious network services running in the background by viewing all active port numbers and connections on the machine. Which Windows command should you use to do this? ____________________

netstat -a --- The netstat -a command is a built-in Windows command that displays local listening ports that can accept connections, as well as which network services (and ports) you are connected to.

In a security review meeting, you proposed using security assertion markup language (SAML) to exchange user authentication and authorization data with another web domain. Some higher-level executives are wary of involving a third party (the identity provider) in the authentication process. How should you explain the steps of a SAML transaction to ease the executives' worry? a. When using SAML, the user first attempts to reach the website of the service provider. The service provider then prompts the user for their credentials. The entered credentials are then sent with a SAML authentication request to the identity provider. The identity provider authenticates the user and sends a signed SAML response to the service provider, verifying the request and logging the user in. b. When using SAML, the user first attempts to reach the website of the secure service provider. The secure service provider then sends a SAML authentication request to the identity provider. The identity provider sends an authentication credential back to the secure service provider. The secure service provider then prompts the user for credentials. If the user enters credentials that match the ones provided by the identity provider, they are logged in. c. When using SAML, the user first attempts to reach the website of the service provider. The service provider sends a SAML authentication request to the identity provider. The identity provider then sends a SAML response to the service provider. This then tells the service provider to prompt the user for credentials. The credentials are sent from the user to the identity provider, which uses them to authenticate the user and log them in. d. When using SAML, the user first attempts to reach the website of the service provider. The service provider then sends a SAML authentication request to the secure identity provider. The identity provider decodes the SAML request and authenticates the user. It then sends a signed SAML response to the service provider, verifying the request and logging the user in.

d. When using SAML, the user first attempts to reach the website of the service provider. The service provider then sends a SAML authentication request to the secure identity provider. The identity provider decodes the SAML request and authenticates the user. It then sends a signed SAML response to the service provider, verifying the request and logging the user in.

An administrator reports that a Windows file server is performing much slower than it normally does. The server is fully patched and has an up-to-date virus scanner. You open an RDP connection to the server to investigate the problem. Which of the following should you first use? A. Virus scanner B. Port scanner C. System restore point D. Performance Monitor

D. Performance Monitor

A Windows administrator must track key performance metrics for a group of seven Windows servers. What should she do? A. Run Performance Monitor on each host. B. Use RDP to log into each host and run Performance Monitor. C. Use RDP to log into each host and check Event Viewer logs. D. Run Performance Monitor on her machine and add counters from the other seven servers.

D. Run Performance Monitor on her machine and add counters from the other seven servers. --- D. Like many Microsoft administrative tools, Performance Monitor can run locally but can display data (performance counters) added from remote hosts.

Which of the following denotes "pass the hash"? Sending the hash to get authenticated; Cracking the password; Hashing the password digest; Securing the passwords by hashing

Sending the hash to get authenticated

Which of the following factors is critical in gait analysis? Body language; Head movement; Way of talking; Way of walking

Way of walking

Which of the following is NOT an MFA using a smartphone? a. SMS text message b. Biometric gait analysis c. Authentication app d. Automated phone call

b. Biometric gait analysis --- multifactor authentication (MFA)

Which of these attacks is the last-resort effort in cracking a stolen password digest file? a. Hybrid b. Brute force c. Rule list d. Mask

b. Brute force

Timur was making a presentation regarding how attackers break passwords. His presentation demonstrated the attack technique that is the slowest yet most thorough attack that is used against passwords. Which of these password attacks did he demonstrate? a. Hybrid attack b. Brute force attack c. Dictionary attack d. Custom attack

b. Brute force attack

Which of the following protocols uses port-based authentication? Extensible Authentication Protocol (EAP); Challenge Handshake Authentication Protocol (CHAP); Password Authentication Protocol (PAP); 802.1X

802.1X --- EAP is a framework for transporting authentication protocols instead of the authentication protocol itself, which replaced CHAP and PAP.

Which of the following are true regarding behavior-based network monitoring? (Choose two.) A. A baseline of normal behavior must be established. B. Deviations from acceptable activity cannot be monitored. C. New threats can be blocked. D. A database of known attack patterns is consulted.

A. A baseline of normal behavior must be established. C. New threats can be blocked. --- A and C. Behavior-based monitoring detects activity that deviates from the norm. A baseline is required to establish what normal is. Because of this, new attacks could potentially be stopped if they do not conform to normal network usage patterns.

You are reviewing forwarded log entries for your Internet-facing firewall appliance. Last year, your company did some IP restructuring and began using the 172.16.0.0/16 address space internally. You notice abnormally large amounts of traffic within a short time frame coming from the firewall appliance's public interface, 172.16.29.97, destined for UDP port 53. Which of the following might you conclude from this information, assuming default ports are in use? A. 172.16.29.97 is an invalid IP address. B. 172.16.29.97 is a spoofed IP address. C. The logs on the firewall appliance have been tampered with. D. An HTTP denial-of-service attack was in progress.

B. 172.16.29.97 is a spoofed IP address. --- B. From the list of choices, the most likely answer is that 172.16.29.97 is a spoofed IP address. IP addresses used on the internal network should not be coming into the network from the outside. A, C, and D are incorrect. 172.16.29.97 is a valid IP address. The question states you are reviewing forwarded log entries, not entries on the firewall appliance itself, so log file tampering would not affect you in this case. HTTP normally uses TCP port 80; the question states UDP port 53 (DNS).

You have inherited the responsibility of managing an office network for which there is no documentation. As you perform desktop support duties over time, by viewing network and host configuration reports you notice many users seem to have more privileges on the network than they need. What should you do? A. Delete and re-create all user accounts. B. Conduct a user access and rights review. C. Check server audit logs. D. Enforce stronger user passwords.

B. Conduct a user access and rights review.

You are responsible for managing an internal FTP server. A user reports that files available on the server yesterday are no longer available. Where can you look to determine what happened to the missing files? A. Firewall log B. FTP access log C. FTP download log D. FTP upload log

B. FTP access log

A server named CHARLIE runs a mission-critical database application. The application encrypts all data from connected client workstations. You would like to monitor CHARLIE for suspicious activity and prevent any potential attacks. What should you deploy? A. Honeypot B. Host-based IPS C. Network-based IDS D. PKI

B. Host-based IPS

To adhere to new corporate security guidelines, your branch offices must track details regarding web sites visited by employees. What should you install to track this activity? A. VPN B. Proxy server C. Packet-filtering firewall D. NAT gateway

B. Proxy server

You are a firewall appliance administrator for your company. Previously restricted outbound RDP packets are now successfully reaching external hosts, and you did not configure this firewall rule. Where should you look to see who made the firewall change and when? A. Security log B. Firewall log C. Audit log D. Event Viewer log

C. Audit log --- C. Audit logs differ from regular activity logs because they record administrative configuration activities, such as modifying firewall rules. A, B, and D are incorrect. On Windows machines, the security log shows security events, including Windows auditing events. Firewall logs display normal firewall usage activity, not administrative configuration activity. Windows Event Viewer logs would not display anything related to firewall appliance configurations.

What is the difference between a packet sniffer and a network-based IDS? A. There is no difference. B. Packet sniffers put the network card in promiscuous mode. C. A NIDS puts the network card in promiscuous mode. D. Packet sniffers do not process captured traffic.

D. Packet sniffers do not process captured traffic. --- D. Packet sniffers (protocol analyzers) capture network traffic, but they do not process the traffic resulting in a decision to allow, deny, or report on the activity; a NIDS does these things. A, B, and C are incorrect. There is a difference between a packet sniffer and a NIDS. Packet sniffers capture network traffic passively but do not take action to allow or block or to report the activity. A NIDS analyzes traffic looking for suspicious activity. Promiscuous mode enables a host's NIC to capture and analyze all traffic it intercepts.

Which of the following functions can be performed by a hardware security module (HSM)? [Choose all that apply] Encryption Keys Management; Key Exchange; Encryption and Decryption; User Password Management; Cryptographic function offloading from a server

Encryption Keys Management; Key Exchange; Encryption and Decryption; Cryptographic function offloading from a server

Which of the following types of scanner scans for features, such as the shape, size, and position of the ear, nose, and eyes? Fingerprint; Facial; Retina; Iris

Facial

Which of the following is considered the root of the Active Directory hierarchy? Domain; Forest; Organizational Units; Site

Forest

Which of the following is required for two-factor authentication? [Choose all that apply] USB drive; Password key; Password; Smart card

Password key; Password; Smart card

Which of the following enhances the security of stored digests by adding a random string to the plaintext before hashing? Vaults; Key stretching; Salts; Keys

Salts

Your enterprise's network requires more administration every day. You are tasked with setting up a centralized server so that authentication and authorization can be centrally managed while enhancing security. Which of the following methods should you choose? IEEE 802.1x; TACACS+; SAML; RADIUS

TACACS+ --- Terminal Access Control Access Control System (TACACS) is an authentication service commonly used on UNIX devices that communicates by forwarding user authentication information to a centralized server. The centralized server can be either a TACACS database or a database such as a Linux or UNIX password file with TACACS protocol support.

You were conducting a study on authentication attacks and found that different scenarios lead an attacker to choose different attack types. Which of the following scenarios will lead an attacker to perform a brute force attack instead of a rule attack? When the target is known to the attacker, so the password pattern is predictable. When the attacker has a large collection of already-cracked passwords. When the attacker has no information on potential passwords or the target. When the password policy is already known to the attacker.

When the attacker has no information on potential passwords or the target.

How is key stretching effective in resisting password attacks? a. The license fees are very expensive to purchase and use it. b. It requires the use of GPUs. c. It does not require the use of salts. d. It takes more time to generate candidate password digests.

d. It takes more time to generate candidate password digests. --- Protecting password digests: these include using salts and key stretching. A more secure approach creates password digests slowly; this limits the ability of an attacker to crack passwords because it requires significantly more time.

Fernando is explaining to a colleague how a password cracker works. Which of the following is a valid statement about password crackers? a. Most states prohibit password crackers unless they are used to retrieve a lost password. b. A password cracker attempts to uncover the type of hash algorithm that created the digest because once it is known, the password is broken. c. Due to their advanced capabilities, they require only a small amount of computing power. d. Password crackers differ as to how candidates are created.

d. Password crackers differ as to how candidates are created.

Which human characteristic is NOT used for biometric identification? a. Retina b. Iris c. Height d. Fingerprint

c. Height

Which of the following is an authentication credential used to access multiple accounts or applications? a. Identification authentication b. Credentialization c. Single sign-on d. Federal login

c. Single sign-on

Which of the following is NOT used for authentication? a. Something you exhibit b. Something you can do c. Something you can find d. Somewhere you are

c. Something you can find

Which of these is NOT a reason that users create weak passwords? a. A lengthy and complex password can be difficult to memorize. b. A security policy requires a password to be changed regularly. c. The length and complexity required force users to circumvent creating strong passwords. d. Having multiple passwords makes it hard to remember all of them.

c. The length and complexity required force users to circumvent creating strong passwords.

Why are dictionary attacks successful? a. They link known words together in a "string" for faster processing. b. They use pregenerated rules to speed up the processing. c. Users often create passwords from dictionary words. d. Password crackers using a dictionary attack require less RAM than other types of password crackers.

c. Users often create passwords from dictionary words.

_____ biometrics is related to the perception, thought processes, and understanding of the user. a. Intelligent b. Behavioral c. Standard d. Cognitive

d. Cognitive

Which one-time password is event driven? a. POTP b. TOTP c. ROTP d. HOTP

d. HOTP --- OTP = one-time password. There are two types of OTPs. HMAC-based one-time password (HOTP) is "event driven" and changes when a specific event occurs, such as when a user enters a personal identification number (PIN) on the token's keypad, which triggers the token to create a random code. Time-based one-time password (TOTP) changes after a set period of time.

Which of the following authentication methods can use location to authenticate a user? Attribute-based Access Control (ABAC); Role-based Access Control (RBAC); Rule-based Access Control (RBAC); Mandatory Access Control (MAC)

Attribute-based Access Control (ABAC)

Which of the following correctly differentiates physiological biometrics and cognitive biometrics? Physiological biometrics relates to the user's thought process, whereas cognitive biometrics relate to actions that the user is uniquely qualified to perform. Physiological biometrics relates to how a body part functions, whereas cognitive biometrics relates to the user's thought process. Physiological biometrics relates to how a body part functions, whereas cognitive biometrics relates to actions that the user is uniquely qualified to perform. Physiological biometrics relate to actions that the user is uniquely qualified to perform, whereas cognitive biometrics relates to the user's thought process.

Physiological biometrics relates to how a body part functions, whereas cognitive biometrics relates to the user's thought process.

What is a disadvantage of biometric readers? a. Weight b. Cost c. Standards d. Speed

b. Cost

What is a potential problem with enabling detailed verbose logging on hosts for long periods of time? A. There is no problem. B. It causes performance degradation. C. Network bandwidth is consumed. D. Verbose logging consumes a user license.

B. It causes performance degradation. --- B. Detailed verbose logging presents much more log data than normal logging; therefore, performance is affected. What is being logged and how much activity is occurring will determine how much performance degradation will occur. A, C, and D are incorrect. Verbose logging is useful for troubleshooting, but not for long periods of time, because performance is degraded. Network bandwidth is not affected by verbose logging (unless forwarding log data to a central logging host). Changing logging levels does not consume a user license.

You have configured a network-based IPS appliance to prevent web server directory traversal attacks. What type of configuration is this? A. Behavior-based B. Signature-based C. Anomaly-based D. Web-based

B. Signature-based --- B. Comparing known attacks against current activity is called signature-based detection. A, C, and D are incorrect. With behavior-based monitoring, deviations from normal, acceptable activity are detected. A deviation from normal behavior is referred to as an anomaly; there is no such thing as an anomaly-based configuration, however. Web-based is a fictitious detection method in this context.

Your manager has asked you to identify which internal client computers have been controlled using RDP from the Internet. What would be the quickest and most efficient way to accomplish this? A. Check the logs on each computer. B. Check the logs on your RDP servers. C. Check your firewall log. D. Contact your ISP and have them check their logs.

C. Check your firewall log. --- C. Since RDP connections from the Internet would go through the firewall, it would be quickest and easiest to consult your firewall log. A, B, and D are incorrect. Checking logs on each computer is too time consuming. Your RDP servers would not be involved with somebody from the Internet RDPing to one of your internal clients. There is no need to contact your ISP; your own firewall should have this information.

You have established a baseline of employee login activity on the VPN. You are configuring notifications of abnormal login events to a security orchestration, automation, and response (SOAR) dashboard to reduce security incident response time. Which term is the most closely related to this scenario? A. Network IPS B. SIEM C. User behavior analysis D. Sentiment analysis

C. User behavior analysis --- C. Establishing a baseline of normal user login activity facilitates configuring notifications for login anomalies and sending them to a SOAR dashboard. A, B, and D are incorrect. A NIPS analyzes network traffic patterns, generates event logs, and alerts system administrators to events; it also stops potential intrusions. SIEM tools provide a centralized way to monitor and manage security incidents. SIEM solutions also aggregate and deduplicate events and provide reports that correlate data. A sentiment analysis involves analyzing text data to provide context and the emotional origins of messages; it is often used to measure customer satisfaction (or dissatisfaction) with products or services in addition to social media monitoring.

Which of the following attacks takes more time? Dictionary attack; Hybrid attack; Rule attack; Brute force attack

Brute force attack

You are monitoring the performance on a Unix server called ALPHA. ALPHA is used to host concurrent remote sessions for users. You notice that long periods of intense server disk activity on ALPHA coincide with remote users working with large documents stored on a separate Unix server called BRAVO. What might be causing the degraded performance on ALPHA? A. There is too much network traffic. B. The CPU is too slow. C. The disks are too slow. D. There is not enough RAM.

D. There is not enough RAM.

Which of the following would an administrator most likely use to determine whether there has been unauthorized use of a wireless LAN? A. Protocol analyzer B. Proxy server C. Performance Monitor D. Wireless access point logs

D. Wireless access point logs --- D. Wireless access points as well as wireless router logs can reveal all wireless LAN activity. Some access points may require you to enable logging. In an enterprise, log events should be forwarded to a central logging host to facilitate the detection of suspicious activity.

Which of the following best describes the difference between a brute force attack and a hybrid attack? A brute force attack uses the results of statistical stolen password analyses to crack the password, whereas a hybrid attack uses mental analysis to crack the password. A brute force attack tries every possible alphanumeric combination to crack the password, whereas a hybrid attack combines a dictionary attack and a rule attack. A brute force attack uses dictionary words to crack the password, whereas a hybrid attack tries every possible alphanumeric combination to crack the password. A brute force attack uses password spraying to crack the password, whereas a hybrid attack uses dictionary words to crack the password.

A brute force attack tries every possible alphanumeric combination to crack the password, whereas a hybrid attack combines a dictionary attack and a rule attack.

Which of the following best describes a windowed token? A windowed token is an authentication method that has multiple permanent codes assigned when the token is issued. A windowed token is an authentication method that can issue dynamic codes to authenticate users. A windowed token is an authentication method that can authenticate a user when it is in proximity to a device. A windowed token is an authentication method that has a permanent code assigned when the token is issued.

A windowed token is an authentication method that can issue dynamic codes to authenticate users. --- Specialized devices: two specialized devices provide authentication based on something you have. These are smart cards and windowed tokens. A windowed token is typically a small device (usually one that can be affixed to a keychain, called a key fob) with a window display.

You are the Windows server administrator for a clothing outlet in New York City. Six Windows Server Active Directory computers are used regularly. Files are being modified on servers during nonbusiness hours. You want to audit the system to determine who made the changes and when. What is the quickest method of deploying your audit settings? A. Configure audit settings using Group Policy. B. Configure each server with the appropriate audit settings. C. Configure one server appropriately, export the settings, and import them to the other five. D. Delegate the audit configuration task to six other administrators.

A. Configure audit settings using Group Policy. --- A. In an Active Directory environment, Group Policy can be used to deliver settings to domain computers, such as audit settings for servers. B, C, and D are incorrect. Each listed solution would work, but they take much more time to implement than using Group Policy would.

How do logging and auditing differ? A. Logging tracks more than just security events; auditing tracks specifically configured security events. B. Auditing tracks more than just security events; logging tracks specifically configured security events. C. Logging can track hardware events; auditing cannot. D. Auditing can track hardware events; logging cannot.

A. Logging tracks more than just security events; auditing tracks specifically configured security events. --- A. Logging tracks many different types of events related to hardware and software, but auditing specifically tracks security-related events. B, C, and D are incorrect. Auditing focuses on tracking access to a specific resource for security purposes. Both logging and auditing could track hardware-related events. For example, logging can track the activity related to a printer, whereas auditing could track smartcard authentication.

As a Windows server administrator for server ALPHA, you configure auditing so that you can track who deletes files on the file share SALES. Where will you view the audit results? A. Security log B. Audit log C. Application log D. Deletion log

A. Security log --- A. Windows machines write audit data to the Event Viewer security log. A centralized SIEM system can store audit log data from many devices in a single repository where the data is written once but can be read many times—write once read many (WORM). WORM functionality is sometimes required for regulatory compliance. An additional benefit is deduplication of similar events, which results in less storage space consumed and quicker searching. B, C, and D are incorrect. Windows machines do not have an audit or deletion log. The application log lists events related to specific applications, not audit data.

User workstations on your network connect through NAT to a screened subnet, where your Internet perimeter firewall exists. On Friday night, a user connects to an inappropriate web site. You happened to have been capturing all network traffic on the screened subnet at the time. What would be the easiest and fastest way to track which user workstation visited the web site? (Choose two.) A. View logs on the NAT router. B. View logs on the perimeter firewall. C. View your packet capture. D. View all workstation web browser histories.

A. View logs on the NAT router. C. View your packet capture. --- Network address translation gateway. Network address translation (NAT) is a technique that allows private IP addresses to be used on the public Internet. A and C. NAT router logs will list which internal addresses were translated and at what time. This could be used in correlation with captured packet time stamps to establish who visited the web site.

Your network consists of programmable logic controllers (PLCs) that control robotic machinery as well as Linux servers and Windows desktops. Network administrators complain that there are too many similar log events in reports and notifications via e-mail. A solution that can aggregate similar events is needed. What should you suggest? A. PowerShell B. SIEM C. SCCM D. Group Policy

B. SIEM --- B. SIEM tools provide a centralized way to monitor and manage security incidents. SIEM solutions also combine, or aggregate, like events to reduce duplicate event notifications and provide reports that correlate data. A, C, and D are incorrect. PowerShell provides Windows administrators with a command-line solution that supports scripting to automate repetitive administrative tasks. System Center Configuration Manager is a centralized configuration and change management tool from Microsoft. Group Policy user and computer settings number in the thousands and can be configured locally on a single host or centrally using Active Directory.

You are asked to analyze events in a firewall log that occurred six months ago. When you analyze the log file, you notice events go back only two months. What is most likely the problem? A. You must have administrative access to the logs. B. The log file size is too small. C. Firewalls cannot keep logs for more than two months. D. The firewall is not patched.

B. The log file size is too small. --- B. The firewall is probably configured to overwrite the oldest log entries after the maximum log file size has been reached. Even in this case, however, there are normally log archival options available for configuration. A, C, and D are incorrect. Administrative rights are definitely required to access firewall logs, but you wouldn't be able to see any entries if you did not have this privilege. Most firewalls can keep logs as long as you configure them to (log archiving). Failure to patch a firewall (software or firmware) would not cause an inability to access archived logs.

In reviewing your firewall log, you notice a large number of your stations connecting to the web site www.freetripsforyou.com and downloading an EXE file, sometimes in the middle of the night. Your users state they did not visit the web site. Your firewall does not allow any inbound packets initiated from the Internet. What does this most likely indicate? A. User stations are connecting to Windows Update to apply patches. B. User stations have been hijacked and are downloading malware. C. User stations are infected with a password-cracking program. D. User stations are being controlled from the Internet through RDP.

B. User stations have been hijacked and are downloading malware.

Your manager asks you to configure a honeypot to track malicious user activity. You install the host in the screened subnet without any patches and configure a web site and an SMTP server on it. You have configured nothing else on the host. Identify a problem with this configuration. A. The honeypot needs to be patched. B. Honeypots should not run a web site. C. Honeypot logs are not being forwarded to another secured host. D. Honeypots should not run SMTP services.

C. Honeypot logs are not being forwarded to another secured host. --- C. The honeypot host is unpatched and is therefore vulnerable, so storing the only copy of log files (a default setting) on a honeypot means attackers could delete the contents of logs to remove all traces of their malicious activity. A, B, and D are incorrect. The honeypot does not necessarily need to be patched; a lack of applied patches can be useful so that the honeypot is an easy target for malicious users and malicious code. Honeypots can run web or SMTP mail services if you want to track related malicious activity.

Pablo has been asked to look into security keys that have a feature of a key pair that is "burned" into the security key during manufacturing time and is specific to a device model. What feature is this? a. Attestation b. Authorization c. Authentication d. Accountability

a. Attestation

How is the Security Assertion Markup Language (SAML) used? a. It allows secure web domains to exchange user authentication and authorization data. b. It is no longer used because it has been replaced by LDAP. c. It is an authenticator in IEEE 802.1x. d. It serves as a backup to a RADIUS server.

a. It allows secure web domains to exchange user authentication and authorization data.

Ilya has been asked to recommend a federation system technology that is an open source federation framework that can support the development of authorization protocols. Which of these technologies would he recommend? a. OAuth b. OpenID c. Shibboleth d. NTLM

a. OAuth

Which of the following statements describe the function of a Trusted Platform Module (TPM)? [Choose all that apply] Storage of certificates; Perform encryption and decryption process; Management of encryption keys; Storage of encryption keys

all

Which of the following is the Microsoft version of EAP? a. PAP-Microsoft b. MS-CHAP c. AD-EAP d. EAP-MS

b. MS-CHAP --- Extensible Authentication Protocol (EAP) is a framework for transporting authentication protocols instead of the authentication protocol itself. EAP essentially defines the format of the messages and uses four types of packets: request, response, success, failure.

Which of these creates a format of the candidate password to significantly reduce the time needed to crack a password? a. Rainbow b. Mask c. Overlay d. Pass the hash

b. Mask

