What does the CIA triad in security stand for?
A) Confidentiality, Integrity, and Availability
B) Control, Identification, and Authorization
C) Cryptography, Integrity, and Authentication
D) Confidentiality, Integrity, and Accessibility
A — Confidentiality, Integrity, and Availability
Which mechanism is primarily used to provide confidentiality for data in transit?
A) Hashing
B) Encryption
C) Backups
D) Load balancing
B — Encryption
What does integrity refer to in the context of security?
A) Keeping data secret from unauthorized users
B) Ensuring systems are always reachable
C) Ensuring data is unaltered and, where a digital signature is used, verifiably from the claimed source (which also gives non-repudiation); typically checked with hashes and certificates
D) Controlling what an authenticated user is allowed to do
C — Ensuring data is unaltered and, where a digital signature is used, verifiably from the claimed source (which also gives non-repudiation); typically checked with hashes and certificates
What is included under availability in the CIA model?
A) Strong passwords only
B) High availability and backups to ensure systems and data are ready and recoverable when needed
C) Encrypting data at rest
D) Using DNS to resolve names quickly
B — High availability and backups to ensure systems and data are ready and recoverable when needed
What is the difference between authentication and authorization?
A) Authentication verifies who you are (e.g., username/password, smart card); authorization determines what you can do after you're authenticated
B) Authentication determines access rights; authorization verifies identity
C) They are the same concept and interchangeable
D) Authentication is only for networks; authorization is only for applications
A — Authentication verifies who you are (e.g., username/password, smart card); authorization determines what you can do after you're authenticated
What security trade-off does the excerpt warn about when adding many security controls?
A) Adding more locks always makes the system more secure with no downsides
B) Overly strict security can reduce availability and usability, so we must balance confidentiality/integrity with availability
C) Security measures never affect user behavior
D) Only authorization affects availability
B — Overly strict security can reduce availability and usability, so we must balance confidentiality/integrity with availability
What are the three core parts of identity management described in the excerpt?
A) Identification (who you claim to be), Authentication (prove you are that person), Authorization (what you can do)
B) Identification (your password), Authentication (your permissions), Authorization (your username)
C) Authentication (who you claim to be), Authorization (prove you are that person), Identification (what you can do)
D) Authorization (who you claim to be), Identification (what you can do), Authentication (your role)
A — Identification (who you claim to be), Authentication (prove you are that person), Authorization (what you can do)
Which example best illustrates "identification" versus "authentication" from the ticket pickup analogy?
A) Identification: showing a driver’s license (who you are); Authentication: providing the confirmation number (prove you reserved the tickets)
B) Identification: providing a confirmation number; Authentication: showing a driver’s license
C) Identification: selecting a seat; Authentication: buying a drink
D) Identification: giving money; Authentication: showing your seat number
A — Identification: showing a driver’s license (who you are); Authentication: providing the confirmation number (prove you reserved the tickets)
What are the three main factors used in multifactor authentication (MFA)?
A) Something you know (password), Something you have (smart card/RSA token), Something you are (biometrics)
B) Something you can do (signature), Something you exhibit (typing speed), Someone you know (trusted person)
C) Username, email address, and home address
D) IP address, MAC address, and DNS server
A — Something you know (password), Something you have (smart card/RSA token), Something you are (biometrics)
Which pair correctly matches MFA factor to an example?
A) Something you have — smart card or RSA token; Something you are — fingerprint or retinal scan
B) Something you know — fingerprint; Something you have — typing speed
C) Something you are — PIN code; Something you know — smart card
D) Something you have — typing speed; Something you are — confirmation number
A — Something you have — smart card or RSA token; Something you are — fingerprint or retinal scan
Which attribute category does "typing speed" belong to in the excerpt's breakdown of multifactor attributes?
A) Someone you know
B) Something you exhibit
C) Something you have
D) Somewhere you are
B — Something you exhibit
How does the "somewhere you are" attribute help authenticate transactions, and what example was given?
A) It uses physical location to detect anomalies; example: entering your ZIP code at a gas station to verify the card is being used locally
B) It uses caller ID to verify identity; example: answering a phone call
C) It uses social media presence to confirm identity; example: checking a friend list
D) It uses time of day only; example: allowing logins only at night
A — It uses physical location to detect anomalies; example: entering your ZIP code at a gas station to verify the card is being used locally
What is the difference between authentication and authorization?
A) Authentication determines what you can do; Authorization verifies who you are
B) Authentication verifies identity (e.g., username/password); Authorization determines what that authenticated user is allowed to do
C) Authentication and Authorization are the same thing
D) Authentication sets group permissions; Authorization sets owner permissions
B — Authentication verifies identity (e.g., username/password); Authorization determines what that authenticated user is allowed to do
What is an access control list (ACL) and where might you find one?
A) A list of IP addresses only used on routers; not used on computers
B) A generic list defining who or what may access a resource; found on computers (file permissions), wireless access points (e.g., MAC address filtering), and network devices (port rules)
C) A list of installed applications on a laptop
D) A DNS configuration file used for name resolution
B — A generic list defining who or what may access a resource; found on computers (file permissions), wireless access points (e.g., MAC address filtering), and network devices (port rules)
What describes Mandatory Access Control (MAC) as explained in the excerpt?
A) Resources are labeled (e.g., Top Secret) and access is strictly determined by those labels; originally used by military and is more limiting
B) Resource owners assign permissions to users and groups freely
C) Access is granted based solely on user roles and group membership
D) A dynamic policy that changes with user behavior
A — Resources are labeled (e.g., Top Secret) and access is strictly determined by those labels; originally used by military and is more limiting
What characterizes Discretionary Access Control (DAC)?
A) Only administrators can access resources, no owners exist
B) The resource owner can assign permissions (e.g., read, write) to other users; more flexible than MAC
C) Permissions are assigned only to groups, not individual users
D) Access is determined by geographical location
B — The resource owner can assign permissions (e.g., read, write) to other users; more flexible than MAC
How does Role-Based Access Control (RBAC) manage permissions?
A) Permissions are attached to individual users only
B) Users are placed in groups (roles) and permissions are assigned to those groups; users inherit rights from group membership (Windows best practice)
C) Permissions are randomly assigned at login time
D) RBAC uses resource labels like Top Secret to grant access
B — Users are placed in groups (roles) and permissions are assigned to those groups; users inherit rights from group membership (Windows best practice)
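The three models in the MAC, DAC and RBAC cards above, as a small added example (this code is not from the original page or the course it summarises). The label-dominance rule used for MAC ("no read up", the Bell-LaPadula simple-security property) is an assumption; the page only says that labels strictly decide access. The file names, users and roles are constructed sample data.

```python
from typing import Dict, Set

# ---------- MAC: labels fixed by policy; neither users nor resource owners change them ----------
CLASSIFICATIONS = ["Unclassified", "Confidential", "Secret", "Top Secret"]
LEVEL = {name: rank for rank, name in enumerate(CLASSIFICATIONS)}


def mac_permits_read(subject_clearance: str, object_label: str) -> bool:
    """Read is allowed only when the subject's clearance dominates the object's label.
    The page says only that labels strictly decide access; this 'no read up' rule
    (Bell-LaPadula's simple-security property) is the assumed concrete policy."""
    return LEVEL[subject_clearance] >= LEVEL[object_label]


# ---------- DAC: the owner of the resource hands out rights at its discretion ----------
class OwnedFile:
    def __init__(self, name: str, owner: str) -> None:
        self.name, self.owner = name, owner
        self.acl: Dict[str, Set[str]] = {owner: {"read", "write"}}

    def grant(self, actor: str, user: str, *rights: str) -> None:
        # Only the owner may change the ACL; a non-owner with read access cannot re-share.
        if actor != self.owner:
            raise PermissionError(f"{actor} does not own {self.name}")
        self.acl.setdefault(user, set()).update(rights)

    def permits(self, user: str, right: str) -> bool:
        return right in self.acl.get(user, set())


# ---------- RBAC: rights attach to roles; users inherit them through membership ----------
class RbacPolicy:
    def __init__(self) -> None:
        self.role_perms: Dict[str, Set[str]] = {}
        self.user_roles: Dict[str, Set[str]] = {}

    def define_role(self, role: str, *perms: str) -> None:
        self.role_perms[role] = set(perms)

    def assign(self, user: str, role: str) -> None:
        if role not in self.role_perms:
            raise KeyError(f"undefined role {role!r}")
        self.user_roles.setdefault(user, set()).add(role)

    def revoke(self, user: str, role: str) -> None:
        self.user_roles.get(user, set()).discard(role)

    def permits(self, user: str, perm: str) -> bool:
        return any(perm in self.role_perms[r] for r in self.user_roles.get(user, ()))


def demo() -> Dict[str, bool]:
    """Constructed sample scenario (not from the page) exercising all three models."""
    results = {}
    results["mac_secret_reads_confidential"] = mac_permits_read("Secret", "Confidential")
    results["mac_secret_reads_top_secret"] = mac_permits_read("Secret", "Top Secret")

    budget = OwnedFile("budget.xlsx", owner="alice")
    budget.grant("alice", "bob", "read")
    try:
        budget.grant("bob", "mallory", "read")   # bob is not the owner
        results["dac_non_owner_grant_blocked"] = False
    except PermissionError:
        results["dac_non_owner_grant_blocked"] = True
    results["dac_bob_reads"] = budget.permits("bob", "read")
    results["dac_bob_writes"] = budget.permits("bob", "write")

    policy = RbacPolicy()
    policy.define_role("HelpDesk", "reset_password", "read_ticket")
    policy.define_role("Finance", "approve_invoice")
    policy.assign("carol", "HelpDesk")
    results["rbac_carol_resets_passwords"] = policy.permits("carol", "reset_password")
    results["rbac_carol_approves_invoices"] = policy.permits("carol", "approve_invoice")
    policy.revoke("carol", "HelpDesk")   # role change: one revocation drops every right the role carried
    results["rbac_carol_after_revoke"] = policy.permits("carol", "reset_password")
    return results


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(f"{check}: {outcome}")
```

The practical difference shows up in the last RBAC step: when carol changes jobs, one `revoke` removes everything the role carried, whereas under DAC every owner who granted her rights on individual files would have to find and remove those entries.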
In the RADIUS architecture, what are the roles of the supplicant, RADIUS client, and RADIUS server?
A) Supplicant is the device requesting authentication; RADIUS client (e.g., an AP) forwards requests; RADIUS server performs authentication/authorization/accounting
B) Supplicant stores user databases; RADIUS client authenticates locally; RADIUS server is the end-user device
C) Supplicant is the authentication server; RADIUS client is the network switch; RADIUS server is unused
D) Supplicant, client, and server are interchangeable names for the same device
A — Supplicant is the device requesting authentication; RADIUS client (e.g., an AP) forwards requests; RADIUS server performs authentication/authorization/accounting
Which ports and transport protocol does RADIUS commonly use?
A) UDP on ports 1812 and 1813 (and historically 1645/1646)
B) TCP on port 49
C) UDP on port 53
D) TCP on ports 80 and 443
A — UDP on ports 1812 and 1813 (and historically 1645/1646)
What does RADIUS provide as part of AAA?
A) Authentication, Authorization, and Accounting for users and sessions
B) Only Authentication and no logging
C) Only Authorization and encryption
D) Only Accounting for financial transactions
A — Authentication, Authorization, and Accounting for users and sessions
How does TACACS+ differ from RADIUS according to the excerpt?
A) TACACS+ is a Cisco-developed AAA protocol (now published as RFC 8907), typically used for network device administration, and uses TCP port 49, whereas RADIUS commonly serves network and wireless access and uses UDP
B) TACACS+ uses UDP and is mainly for wireless networks; RADIUS uses TCP for routers
C) TACACS+ and RADIUS are identical in protocol and ports
D) TACACS+ is only for email servers and uses port 25
A — TACACS+ is a Cisco-developed AAA protocol (now published as RFC 8907), typically used for network device administration, and uses TCP port 49, whereas RADIUS commonly serves network and wireless access and uses UDP
Where can a RADIUS server get its user database from?
A) The user database can be local or external (e.g., a Windows domain controller or other backend) — the RADIUS server queries that backend to authenticate users
B) RADIUS servers can only use an embedded, unchangeable local file
C) RADIUS requires each client to store usernames locally
D) RADIUS only authenticates anonymously without any database
A — The user database can be local or external (e.g., a Windows domain controller or other backend) — the RADIUS server queries that backend to authenticate users
Which authentication methods can a RADIUS supplicant use when contacting the RADIUS server?
A) Certificates, usernames/passwords, RSA tokens (one-time codes), or similar credentials — RADIUS forwards these for verification
B) Only plaintext passwords with no alternatives
C) Only biometric scans transmitted directly over DNS
D) Only MAC addresses with no credentials
A — Certificates, usernames/passwords, RSA tokens (one-time codes), or similar credentials — RADIUS forwards these for verification
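The RADIUS client/server exchange from the cards above (supplicant credentials forwarded by the AP, server checks a local database, shared secret between client and server), as an added example that is not code from the original page. It builds a real RFC 2865 Access-Request with User-Name and User-Password attributes, applies the standard MD5-based password hiding, and checks the Response Authenticator on the reply. The shared secret, usernames and passwords are constructed sample values; the toy server keeps a local dictionary where a real deployment might query a domain controller.

```python
import hashlib
import hmac
import os
import struct

# Packet codes and attribute types from RFC 2865.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2
HEADER_LEN = 20  # code(1) + identifier(1) + length(2) + authenticator(16)


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to 16-octet blocks and XOR each block with
    MD5(shared secret || previous block), the first 'previous block' being the
    Request Authenticator. This is obfuscation keyed by the shared secret, not
    real encryption: anyone holding (or cracking) the secret recovers the password."""
    if len(password) > 128:
        raise ValueError("User-Password is at most 128 octets")
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(x ^ y for x, y in zip(padded[i:i + 16], mask))
        out, prev = out + block, block
    return out


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Server side of the same procedure; trailing NUL padding is stripped."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out, prev = out + bytes(x ^ y for x, y in zip(block, mask)), block
    return out.rstrip(b"\x00")


def encode_attr(attr_type: int, value: bytes) -> bytes:
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def parse_attrs(data: bytes) -> dict:
    attrs, i = {}, 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        attr_type, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute length")
        attrs[attr_type] = data[i + 2:i + length]
        i += length
    return attrs


def build_access_request(identifier: int, username: bytes, password: bytes,
                         secret: bytes, request_auth: bytes = None) -> bytes:
    """What the RADIUS client (e.g. the AP) sends to UDP/1812 after the supplicant
    presents a username/password. The Request Authenticator must be fresh random bytes."""
    request_auth = request_auth or os.urandom(16)
    attrs = encode_attr(ATTR_USER_NAME, username) + \
        encode_attr(ATTR_USER_PASSWORD, hide_password(password, secret, request_auth))
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, HEADER_LEN + len(attrs)) + request_auth + attrs


def build_response(code: int, request: bytes, secret: bytes, attrs: bytes = b"") -> bytes:
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, request[1], HEADER_LEN + len(attrs))
    resp_auth = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    return header + resp_auth + attrs


def verify_response(response: bytes, request: bytes, secret: bytes) -> bool:
    """The client must check this before honouring an Access-Accept; a spoofed UDP
    reply from someone without the shared secret fails here."""
    if len(response) < HEADER_LEN or response[1] != request[1]:
        return False
    if struct.unpack("!H", response[2:4])[0] != len(response):
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


def server_handle(request: bytes, secret: bytes, user_db: dict) -> bytes:
    """Toy RADIUS server with a local user database (the page notes the backend could
    equally be a domain controller); returns Access-Accept or Access-Reject."""
    if len(request) < HEADER_LEN or request[0] != ACCESS_REQUEST:
        raise ValueError("not an Access-Request")
    if struct.unpack("!H", request[2:4])[0] != len(request):
        raise ValueError("length field does not match packet")
    attrs = parse_attrs(request[HEADER_LEN:])
    user, hidden = attrs.get(ATTR_USER_NAME), attrs.get(ATTR_USER_PASSWORD)
    if user is None or hidden is None:
        return build_response(ACCESS_REJECT, request, secret)
    password = reveal_password(hidden, secret, request[4:20])
    ok = user in user_db and hmac.compare_digest(user_db[user], password)
    return build_response(ACCESS_ACCEPT if ok else ACCESS_REJECT, request, secret)
```

Two things worth noticing: nothing in the packet is encrypted, the User-Password is merely masked with an MD5 keystream derived from the shared secret, and the Response Authenticator is the only thing stopping an attacker on the network from answering the AP's request with a forged Access-Accept. Both protections are exactly as strong as the shared secret configured on the client and server.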
What problem do Windows workgroups create that Single Sign-On (SSO) solves?
A) Workgroups require separate usernames/passwords on each machine, making password management difficult; SSO allows logging in once for access across many systems
B) Workgroups prevent file sharing entirely; SSO disables sharing
C) Workgroups enforce Kerberos by default; SSO removes authentication
D) Workgroups only work with cloud services; SSO only works on local networks
A — Workgroups require separate usernames/passwords on each machine, making password management difficult; SSO allows logging in once for access across many systems
How is Active Directory typically used to provide Single Sign-On in a LAN environment?
A) Install Windows Server, create a domain, join each computer to the domain, and use Kerberos-based authentication so users log in once and are trusted across the domain
B) Replace all usernames with email addresses and use FTP for authentication
C) Use DNS to store passwords for all users
D) Configure each workstation to accept anonymous logins
A — Install Windows Server, create a domain, join each computer to the domain, and use Kerberos-based authentication so users log in once and are trusted across the domain
What is SAML and when is it commonly used?
A) SAML is a web SSO standard in which an identity provider issues signed assertions (tokens) to service providers, so a user can access multiple web apps or cloud services after a single login
B) SAML is a Windows-only directory service for file shares
C) SAML replaces Kerberos for LAN authentication and runs on port 88
D) SAML is a DNS record type used for email delivery
A — SAML is a web SSO standard in which an identity provider issues signed assertions (tokens) to service providers, so a user can access multiple web apps or cloud services after a single login
What role does LDAP play in identity management and Single Sign-On?
A) LDAP is a Lightweight Directory Access Protocol used to query directory services (like Active Directory) so applications can retrieve user data and authenticate on-premises users
B) LDAP is a protocol for issuing SAML tokens to cloud services
C) LDAP stores only DNS records and is unrelated to authentication
D) LDAP is a biometric standard for fingerprint scanning
A — LDAP is a Lightweight Directory Access Protocol used to query directory services (like Active Directory) so applications can retrieve user data and authenticate on-premises users
How do Kerberos, LDAP, and SAML commonly relate within an enterprise SSO strategy?
A) Kerberos provides secure ticket-based authentication (often for AD domains), LDAP supplies directory lookups and attribute access, and SAML issues tokens for web/cloud service providers — each serves different layers of SSO
B) Kerberos replaces LDAP and SAML entirely and is used only for web apps
C) LDAP issues Kerberos tickets and SAML stores user passwords
D) SAML is used for local file shares, Kerberos for cloud apps, LDAP for email routing
A — Kerberos provides secure ticket-based authentication (often for AD domains), LDAP supplies directory lookups and attribute access, and SAML issues tokens for web/cloud service providers — each serves different layers of SSO
Which statement best summarizes when to choose Active Directory/LDAP versus SAML for SSO?
A) Use Active Directory/LDAP for on-premises LAN SSO (file shares, domain-joined machines); use SAML for federated web SSO across web apps and cloud services
B) Use SAML for local workstation login and LDAP for cloud single sign-on
C) Always use LDAP for everything and avoid SAML and Active Directory
D) Use neither; only manual passwords are secure
A — Use Active Directory/LDAP for on-premises LAN SSO (file shares, domain-joined machines); use SAML for federated web SSO across web apps and cloud services
Which four components are common to all encryption algorithms as described in the excerpt?
A) Clear text, cipher text, algorithm, and key
B) Clear text, checksum, protocol, and port
C) Cipher text, DNS server, key, and MAC address
D) Plain text, firewall, algorithm, and certificate
A — Clear text, cipher text, algorithm, and key
What is the Caesar Cipher and why is it considered weak?
A) A simple substitution that shifts letters by a fixed amount (e.g., +3); easy to break by frequency analysis or brute force
B) A complex algorithm using large prime numbers; impossible to break
C) A hashing method that produces fixed-length output; cannot be reversed
D) An asymmetric encryption scheme using public/private keys; slow but secure
A — A simple substitution that shifts letters by a fixed amount (e.g., +3); easy to break by frequency analysis or brute force
What defines symmetric encryption in the excerpt's explanation?
A) The same key is used to both encrypt and decrypt the data
B) One key encrypts and a different unrelated key decrypts
C) No key is used; encryption is based on public DNS records
D) Keys are derived from MAC addresses automatically
A — The same key is used to both encrypt and decrypt the data
What sequence best describes the "algorithm machine" process for encrypting data?
A) Place clear text into algorithm, apply key, produce cipher text; reverse process with same algorithm and key to decrypt
B) Place cipher text into algorithm, drop the key, produce clear text automatically
C) Send clear text to DNS, retrieve key from server, algorithm not needed
D) Generate cipher text first, then guess the clear text via trial and error
A — Place clear text into algorithm, apply key, produce cipher text; reverse process with same algorithm and key to decrypt
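The Caesar cipher card and the "algorithm machine" card above, as one added example (not code from the original page): the same function with the same key runs the machine forward (clear text to cipher text) and backward (cipher text to clear text), which is what makes it symmetric, and the two attacks the card names are shown as working code. The keyspace of 26 shifts is small enough to list every candidate; the frequency-analysis attack picks the shift whose output looks most like English using a chi-squared score against an assumed table of English letter frequencies. The sample plaintext is constructed.

```python
import string
from typing import List, Tuple

ALPHABET = string.ascii_uppercase

# Assumed reference table of English letter frequencies in percent (rounded).
ENGLISH_FREQ = {
    "A": 8.17, "B": 1.49, "C": 2.78, "D": 4.25, "E": 12.70, "F": 2.23, "G": 2.02,
    "H": 6.09, "I": 6.97, "J": 0.15, "K": 0.77, "L": 4.03, "M": 2.41, "N": 6.75,
    "O": 7.51, "P": 1.93, "Q": 0.10, "R": 5.99, "S": 6.33, "T": 9.06, "U": 2.76,
    "V": 0.98, "W": 2.36, "X": 0.15, "Y": 1.97, "Z": 0.07,
}

# Constructed sample plaintext; long enough for frequency analysis to be reliable.
SAMPLE_PLAINTEXT = ("CONFIDENTIALITY INTEGRITY AND AVAILABILITY ARE THE THREE PILLARS OF "
                    "INFORMATION SECURITY AND MUST BE BALANCED AGAINST USABILITY")


def caesar(text: str, key: int, decrypt: bool = False) -> str:
    """The 'algorithm machine': clear text + key -> cipher text.
    Decryption is the same machine with the same key run backwards (symmetric cipher)."""
    shift = (-key if decrypt else key) % 26
    out = []
    for ch in text.upper():
        if ch in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(ch) + shift) % 26])
        else:
            out.append(ch)  # spaces and punctuation pass through unchanged
    return "".join(out)


def brute_force(ciphertext: str) -> List[Tuple[int, str]]:
    """Keyspace is only 26 shifts: try them all and let a human read the list."""
    return [(k, caesar(ciphertext, k, decrypt=True)) for k in range(26)]


def recover_key(ciphertext: str) -> int:
    """Frequency analysis: the shift whose decryption best matches English letter
    frequencies (lowest chi-squared statistic) is almost certainly the key."""
    letters = [c for c in ciphertext.upper() if c in ALPHABET]
    n = len(letters)
    if n == 0:
        raise ValueError("no letters to analyse")
    best_key, best_score = 0, float("inf")
    for k in range(26):
        candidate = caesar(ciphertext, k, decrypt=True)
        counts = {c: 0 for c in ALPHABET}
        for c in candidate:
            if c in counts:
                counts[c] += 1
        score = 0.0
        for c in ALPHABET:
            expected = ENGLISH_FREQ[c] * n / 100
            score += (counts[c] - expected) ** 2 / expected
        if score < best_score:
            best_key, best_score = k, score
    return best_key


if __name__ == "__main__":
    ct = caesar("ATTACK AT DAWN", 3)
    print(ct, "->", caesar(ct, 3, decrypt=True))
    intercepted = caesar(SAMPLE_PLAINTEXT, 7)
    print("recovered shift:", recover_key(intercepted))
    for k, guess in brute_force(intercepted)[:3]:
        print(k, guess[:40])
```

The attack works because a substitution shift preserves the statistical shape of the language: the most common cipher letter is the most common plaintext letter moved by the key. Both attacks need nothing but the ciphertext, which is why the card calls the cipher weak despite it being a perfectly valid symmetric algorithm.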
Why is key management/distribution a major challenge with symmetric encryption?
A) The sender and receiver must securely share the same secret key beforehand, otherwise the receiver cannot decrypt the data
B) Keys are public and posted to DNS which makes them easy to retrieve
C) Symmetric keys regenerate automatically and require no protection
D) Keys can only be distributed via email with no encryption
A — The sender and receiver must securely share the same secret key beforehand, otherwise the receiver cannot decrypt the data
Which symmetric encryption algorithms did the excerpt mention as commonly used in wireless networks?
A) RC4 (WEP and WPA/TKIP) and AES (WPA2 and later)
B) RSA and ECC
C) SHA-1 and MD5
D) Kerberos and LDAP
A — RC4 (WEP and WPA/TKIP) and AES (WPA2 and later)
What is the main limitation of symmetric encryption that led to the development of asymmetric encryption?
A) It cannot handle large files efficiently
B) The key must be shared, and if intercepted, both the key and encrypted data can be compromised
C) It requires two different algorithms for encryption and decryption
D) Keys expire too quickly to be practical
B — The key must be shared, and if intercepted, both the key and encrypted data can be compromised
Who developed the asymmetric encryption method mentioned in the excerpt?
A) Diffie, Hellman, and Merkle
B) Rivest, Shamir, and Adleman
C) Whitfield, Shannon, and Turing
D) Kerberos, Miller, and AES
B — Rivest, Shamir, and Adleman
What is the key difference between symmetric and asymmetric encryption?
A) Symmetric uses keys that expire, asymmetric uses permanent keys
B) Symmetric uses one shared key, asymmetric uses a pair: a public key and a private key
C) Symmetric works only with wireless networks, asymmetric works only with wired
D) Symmetric uses algorithms, asymmetric does not
B — Symmetric uses one shared key, asymmetric uses a pair: a public key and a private key
What is the function of a public key in asymmetric encryption?
A) Encrypts data (it can be handed to anyone; only the matching private key can decrypt what it produces)
B) Decrypts data only
C) Both encrypts and decrypts data
D) Stores encrypted data
A — Encrypts data (it can be handed to anyone; only the matching private key can decrypt what it produces)
What is the function of a private key in asymmetric encryption?
A) Generates new public keys
B) Encrypts data only
C) Decrypts data that was encrypted with the matching public key (it is kept secret by its owner, and it is also what creates a digital signature)
D) Stores multiple keys
C — Decrypts data that was encrypted with the matching public key (it is kept secret by its owner, and it is also what creates a digital signature)
What is a “key exchange” in the context of asymmetric encryption?
A) The process of swapping private keys with one another
B) The process of sending and receiving public keys so each party can encrypt for the other; private keys never leave their owner
C) A method of converting public keys into private keys
D) The replacement of old keys with stronger symmetric keys
B — The process of sending and receiving public keys so each party can encrypt for the other; private keys never leave their owner
What is the main problem with asymmetric encryption that digital certificates help solve?
A) Public keys cannot encrypt data reliably
B) Private keys are too large to manage securely
C) Verifying the authenticity and origin of a public key
D) Asymmetric encryption cannot be used on the internet
C — Verifying the authenticity and origin of a public key
What is created when a hash of data is encrypted with a private key?
A) Public key
B) Digital certificate
C) Digital signature
D) Symmetric key
C — Digital signature
What does a digital certificate always include when sent to a client?
A) Only the public key
B) The subject's public key together with a digital signature from a trusted third party (the CA) vouching for that key
C) Private key and digital signature
D) Algorithm and symmetric key
B — The subject's public key together with a digital signature from a trusted third party (the CA) vouching for that key
Which of the following best describes a Certificate Authority (CA)?
A) A person who verifies trust manually in a Web of Trust
B) An organization that issues and validates digital certificates
C) A server that stores encrypted private keys
D) A software tool that generates symmetric keys
B — An organization that issues and validates digital certificates
What is the main drawback of the Web of Trust model compared to PKI?
A) It does not use public keys
B) It requires significant manual effort and is not automated
C) It only works for websites, not email
D) It requires root certificate authorities
B — It requires significant manual effort and is not automated
Which trust model is the foundation of HTTPS and e-commerce on the internet?
A) Symmetric key exchange
B) Web of Trust
C) Unsigned certificates
D) Public Key Infrastructure (PKI)
D — Public Key Infrastructure (PKI)
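The asymmetric-encryption, digital-signature, certificate and CA cards above, worked through in one added example (this is not code from the original page or the course): a public key encrypts and the private key decrypts; a signature is the hash of the data raised to the private exponent and is checked with the public key; a certificate binds a subject name to a public key under the CA's signature; and the client, holding only the CA's public key in its trust store, can reject a swapped-in or self-signed key. Everything here is textbook RSA without padding, built on fixed, publicly known Mersenne primes so that it runs instantly offline; that is an assumption for illustration and gives no real security. The CA name, hostname and session secret are constructed sample values.

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, Optional

E = 65537  # the usual RSA public exponent


@dataclass(frozen=True)
class PublicKey:
    n: int
    e: int


@dataclass(frozen=True)
class PrivateKey:
    n: int
    d: int


def make_keypair(p: int, q: int):
    """Textbook RSA keygen from two primes. Toy only: the primes used below are
    public Mersenne primes, so these keys offer no secrecy; real keys use fresh
    random primes of similar size."""
    n, phi = p * q, (p - 1) * (q - 1)
    return PublicKey(n, E), PrivateKey(n, pow(E, -1, phi))


def encrypt(pub: PublicKey, message: bytes) -> int:
    """Anyone with the public key can encrypt; only the private key holder can read it.
    No padding (OAEP) here, so this shows the mechanism, not a safe construction."""
    m = int.from_bytes(message, "big")
    if m >= pub.n:
        raise ValueError("message too large for this key; real systems encrypt a symmetric key instead")
    return pow(m, pub.e, pub.n)


def decrypt(priv: PrivateKey, ciphertext: int) -> bytes:
    m = pow(ciphertext, priv.d, priv.n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


def sign(priv: PrivateKey, data: bytes) -> int:
    """A digital signature: the hash of the data, 'encrypted' with the private key."""
    digest = int.from_bytes(hashlib.sha256(data).digest(), "big")
    return pow(digest, priv.d, priv.n)


def verify(pub: PublicKey, data: bytes, signature: int) -> bool:
    """Anyone holding the public key checks it by recomputing the hash."""
    digest = int.from_bytes(hashlib.sha256(data).digest(), "big")
    return pow(signature, pub.e, pub.n) == digest


@dataclass(frozen=True)
class Certificate:
    subject: str
    public_key: PublicKey
    issuer: str
    signature: int  # the CA's signature over the three fields above


def to_be_signed(subject: str, pub: PublicKey, issuer: str) -> bytes:
    return f"{subject}|{pub.n}|{pub.e}|{issuer}".encode()


def issue_certificate(ca_name: str, ca_priv: PrivateKey, subject: str, subject_pub: PublicKey) -> Certificate:
    """The CA vouches for the binding 'this subject owns this public key'."""
    return Certificate(subject, subject_pub, ca_name,
                       sign(ca_priv, to_be_signed(subject, subject_pub, ca_name)))


def verify_certificate(cert: Certificate, trusted_roots: Dict[str, PublicKey], expected_subject: str) -> bool:
    """The client needs only the CA's public key (shipped in its trust store) to decide
    whether the presented public key is genuine. No expiry or revocation checks in this toy."""
    root = trusted_roots.get(cert.issuer)
    if root is None or cert.subject != expected_subject:
        return False
    return verify(root, to_be_signed(cert.subject, cert.public_key, cert.issuer), cert.signature)


# Fixed Mersenne primes (assumed, insecure): n exceeds 2**256 so a SHA-256 digest fits below it.
CA_PUB, CA_PRIV = make_keypair(2 ** 127 - 1, 2 ** 521 - 1)
SERVER_PUB, SERVER_PRIV = make_keypair(2 ** 89 - 1, 2 ** 607 - 1)
ATTACKER_PUB, ATTACKER_PRIV = make_keypair(2 ** 107 - 1, 2 ** 1279 - 1)
TRUST_STORE = {"Example Root CA": CA_PUB}
SERVER_CERT = issue_certificate("Example Root CA", CA_PRIV, "shop.example", SERVER_PUB)


def client_handshake(cert: Certificate, session_secret: bytes) -> Optional[int]:
    """Client side: check the certificate, then use the certified public key to send a
    secret only the real server can decrypt (the key exchange that bootstraps symmetric crypto)."""
    if not verify_certificate(cert, TRUST_STORE, "shop.example"):
        return None
    return encrypt(cert.public_key, session_secret)


if __name__ == "__main__":
    ct = client_handshake(SERVER_CERT, b"session-key-0123")
    print("server recovered:", decrypt(SERVER_PRIV, ct))
    forged = Certificate("shop.example", ATTACKER_PUB, "Example Root CA", SERVER_CERT.signature)
    print("forged cert accepted:", client_handshake(forged, b"x") is not None)
```

The forged certificate fails because the CA's signature covers the public key: swapping in the attacker's key changes the hash, and without `CA_PRIV` the attacker cannot produce a new signature that `CA_PUB` will accept. A self-signed certificate from an unknown issuer fails earlier, at the trust-store lookup. That single lookup against a small set of root keys is what lets PKI scale to the whole web, where a Web of Trust would require every user to vet every server key by hand.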