Adam is setting up a public key infrastructure (PKI) and knows that keeping the passphrases and encryption keys used to generate new keys safe is a critical part of ensuring that the root certificate authority remains secure. Which of the following techniques is not a common solution to help prevent insider threats?
A. Require a new passphrase every time the certificate is used.
B. Use a split knowledge process for the password or key.
C. Require dual control.
D. Implement separation of duties.
A. Dual control, which requires two individuals to perform a function; split knowledge, which splits the passphrase or key between two or more people; and separation of duties, which ensures that a single individual does not control or oversee the entire process all help prevent insider threats when managing a PKI. Requiring a new passphrase when a certificate is used is not a reasonable solution and would require reissuing the certificate.
Naomi is designing her organization's wireless network and wants to ensure that the design places access points in areas where they will provide optimum coverage. She also wants to plan for any sources of RF interference as part of her design. What should Naomi do first?
A. Contact the FCC for a wireless map.
B. Conduct a site survey.
C. Disable all existing access points.
D. Conduct a port scan to find all existing access points.
B. A site survey is the process of identifying where access points should be located for best coverage and identifying existing sources of RF interference, including preexisting wireless networks and other devices that may use the same radio frequency spectrum. By conducting a site survey, Naomi can guide the placement of her access points as well as create a channel design that will work best for her organization.
Chris is preparing to implement an 802.1X-enabled wireless infrastructure. He knows that he wants to use an Extensible Authentication Protocol (EAP)-based protocol that does not require client-side certificates. Which of the following options should he choose?
A. EAP-MD5
B. PEAP
C. LEAP
D. EAP-TLS
B. The option that best meets the needs described above is PEAP, the Protected Extensible Authentication Protocol. PEAP relies on server-side certificates and uses tunneling to ensure communications security. EAP-MD5 is not recommended for wireless networks and does not support mutual authentication of the wireless client and network. LEAP, the Lightweight Extensible Authentication Protocol, uses WEP keys for its encryption and is not recommended due to security issues. Finally, EAP-TLS, or EAP Transport Layer Security, requires certificates on both the client and server, consuming more management overhead.
What term is commonly used to describe lateral traffic movement within a network?
A. Side-stepping
B. Slider traffic
C. East-west traffic
D. Peer interconnect
C. East-west traffic is traffic sent laterally inside a network. Some networks focus security tools at the edges or places where networks interconnect, leaving internal, or east-west, traffic open. In zero-trust environments, internal traffic is not presumed to be trustworthy, reducing the risks of this type of lateral communication. Side-stepping, slider traffic, and peer interconnect were all made up for this question, although peer interconnect may sound similar to peer-to-peer traffic, which may be lateral in many networks.
Charlene wants to use the security features built into HTTP headers. Which of the following is not an HTTP header security option?
A. Requiring transport security
B. Preventing cross-site scripting
C. Disabling SQL injection
D. Helping prevent MIME sniffing
C. Although preventing Multipurpose Internet Mail Extensions (MIME) sniffing may sound humorous, MIME sniffing can be used in cross-site scripting attacks, and the X-Content-Type-Options header helps prevent MIME sniffing. HTTP security-oriented headers can also set X-Frame-Options, turn on cross-site scripting protection, set content security policies, and require transport security. There isn’t a “Disable SQL injection” header, however!
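The headers named in this answer are what a reviewer checks for on a web response. As an added example (not from the original question bank), the Python below audits a set of response headers for transport security (HSTS), MIME-sniffing protection, framing protection and a content security policy, and flags two common weak values. The two header sets at the bottom are constructed samples, not captured from any real site.

```python
"""Audit an HTTP response's security headers (added example, constructed data)."""
from typing import Dict, List

# Headers expected on a security-conscious site. A value of None means
# "must be present"; a string or tuple restricts the accepted values.
EXPECTED_HEADERS = {
    "strict-transport-security": None,        # require transport security (HSTS)
    "x-content-type-options": "nosniff",      # prevent MIME sniffing
    "x-frame-options": ("deny", "sameorigin"),  # framing / clickjacking protection
    "content-security-policy": None,          # content security policy
}

def normalize(headers: Dict[str, str]) -> Dict[str, str]:
    """Lower-case header names so lookups are case-insensitive."""
    return {k.strip().lower(): v.strip() for k, v in headers.items()}

def audit_headers(headers: Dict[str, str]) -> List[str]:
    """Return a list of findings; an empty list means every check passed."""
    h = normalize(headers)
    findings: List[str] = []
    for name, wanted in EXPECTED_HEADERS.items():
        if name not in h:
            findings.append(f"missing {name}")
            continue
        value = h[name].lower()
        if isinstance(wanted, str) and value != wanted:
            findings.append(f"{name} should be {wanted!r}, got {h[name]!r}")
        elif isinstance(wanted, tuple) and value not in wanted:
            findings.append(f"{name} should be one of {wanted}, got {h[name]!r}")
    # An HSTS max-age of zero tells browsers to forget the policy
    hsts = h.get("strict-transport-security", "").replace(" ", "")
    if "max-age=0" in hsts:
        findings.append("strict-transport-security has max-age=0")
    # A script-src that permits 'unsafe-inline' gives up most of CSP's XSS protection
    csp = h.get("content-security-policy", "")
    if "script-src" in csp and "'unsafe-inline'" in csp:
        findings.append("content-security-policy allows 'unsafe-inline' scripts")
    return findings

# Constructed sample responses (not from any real server)
GOOD = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "Content-Security-Policy": "default-src 'self'; script-src 'self'",
}
WEAK = {
    "X-Content-Type-Options": "sniff-ok",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline'",
}

if __name__ == "__main__":
    for label, hdrs in (("good", GOOD), ("weak", WEAK)):
        print(label, audit_headers(hdrs) or "no findings")
```

The same function can be pointed at the headers returned by any HTTP client; only the presence and value checks are shown here, so a full CSP policy review would need a dedicated parser.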
Charlene wants to provision her organization's standard set of marketing information to mobile devices throughout her organization. What MDM feature is best suited to this task?
A. Application management
B. Remote wipe
C. Content management
D. Push notifications
C. Mobile device management (MDM) suites often provide the ability to manage content on devices as well as applications. Using content management tools can allow Charlene to provision files, documents, and media to the devices that staff members in her organization are issued. Application management would be useful for apps. Remote wipe can remove data and applications from the device if it is lost or stolen, or an employee leaves the organization. Push notifications are useful when information needs to be provided to the device user.
Denny wants to deploy antivirus for his organization and wants to ensure that it will stop the most malware. What deployment model should Denny select?
A. Install antivirus from the same vendor on individual PCs and servers to best balance visibility, support, and security.
B. Install antivirus from more than one vendor on all PCs and servers to maximize coverage.
C. Install antivirus from one vendor on PCs and from another vendor on the server to provide a greater chance of catching malware.
D. Install antivirus only on workstations to avoid potential issues with server performance.
C. In this scenario, Denny specifically needs to ensure that he stops the most malware. In situations like this, vendor diversity is the best way to detect more malware, and installing a different vendor’s antivirus (AV) package on servers like email servers and then installing a managed package for PCs will result in the most detections in almost all cases. Installing more than one AV package on the same system is rarely recommended, since this often causes performance issues and conflicts between the packages—in fact, at times AV packages have been known to detect other AV packages because of the deep hooks they place into the operating system to detect malicious activity!
When Amanda visits her local coffee shop, she can connect to the open wireless without providing a password or logging in, but she is immediately redirected to a website that asks for her email address. Once she provides it, she is able to browse the Internet normally. What type of technology has Amanda encountered?
A. A preshared key
B. A captive portal
C. Port security
D. A Wi-Fi protected access
B. Amanda has encountered a captive portal. Captive portals redirect all traffic to the portal page, either to allow the portal to collect information or to display the page itself. Once users have completed the requirements that the portal puts in place, they are permitted to browse the Internet. This may be accomplished by assigning a new IP address or by allowing the connected IP address to have access to the Internet using a firewall rule or other similar method. Preshared keys are used in wireless networks for authentication. Port security is used for wired networks, and WPA stands for Wi-Fi Protected Access, as in WPA, WPA-2, and WPA-3.
Charles has been asked to implement DNSSEC for his organization. Which of the following does it provide?
A. Confidentiality
B. Integrity
C. Availability
D. All of the above
B. Domain Name System Security Extensions, or DNSSEC, provides the ability to validate DNS data and denial of existence, and provides data integrity for DNS. It does not provide confidentiality or availability controls. If Charles needs to provide those, he will have to implement additional controls.
Sarah has implemented an OpenID-based authentication system that relies on existing Google accounts. What role does Google play in a federated environment like this?
A. An RP
B. An IdP
C. An SP
D. An RA
B. Google is acting as an identity provider, or IdP. An IdP creates and manages identities for federations. An RP is a relying party, which relies on an identity provider. An SP is a service provider, and an RA is a registration authority involved in the process for providing cryptographic certificates.
Ian needs to connect to a system via an encrypted channel so that he can use a command-line shell. What protocol should he use?
A. Telnet
B. HTTPS
C. SSH
D. TLS
C. SSH, or Secure Shell, is a secure protocol used to connect to command-line shells. SSH can also be used to tunnel other protocols, making it a useful and frequently used tool for system administrators, security professionals, and attackers. Using HTTPS or Transport Layer Security (TLS) for a secure command line is rare, and Telnet is an insecure protocol.
Casey is considering implementing password key devices for her organization. She wants to use a broadly adopted open standard for authentication and needs her keys to support that. Which of the following standards should she look for her keys to implement, in addition to being able to connect via USB, Bluetooth, and NFC?
A. SAML
B. FIDO
C. ARF
D. OpenID
B. Of the options provided, only FIDO U2F, an open standard provided by the Fast IDentity Online Alliance, is a standard for security keys. Other standards that you may encounter include OTP (One Time Password), SmartCard, OATH-HOTP, and OpenPGP. Of note, OATH, the Initiative for Open Authentication, provides standards for both HMAC-based one time passwords (HOTP) and TOTP, or time-based one time passwords. SAML (Security Assertion Markup Language) and OpenID are both used in authentication processes but not for security keys. ARF was made up for this question.
Nadia is concerned about the content of her emails to her friend Danielle being read as they move between servers. What technology can she use to encrypt her emails, and whose key should she use to encrypt the message?
A. S/MIME, her private key
B. Secure POP3, her public key
C. S/MIME, Danielle's public key
D. Secure POP3, Danielle's private key
C. Nadia should use Secure/Multipurpose Internet Mail Extensions (S/MIME), which supports asymmetric encryption and should then use Danielle’s public key to encrypt the email so that only Danielle can decrypt the messages and read them. Secure POP3 would protect messages while they’re being downloaded but would not protect the content of the messages between servers.
What type of communications is SRTP most likely to be used for?
A. Email
B. VoIP
C. Web
D. File transfer
B. SRTP is a secure version of the Real-Time Transport Protocol and is used primarily for Voice over IP (VoIP) and multimedia streaming or broadcast. SRTP, as currently implemented, does not fully protect packets, leaving RTP headers exposed, potentially exposing information that might provide attackers with information about the data being transferred.
Olivia is implementing a load-balanced web application cluster. Her organization already has a redundant pair of load balancers, but each unit is not rated to handle the maximum designed throughput of the cluster by itself. Olivia has recommended that the load balancers be implemented in an active/active design. What concern should she raise as part of this recommendation?
A. The load balancer cluster cannot be patched without a service outage.
B. The load balancer cluster is vulnerable to a denial-of-service attack.
C. If one of the load balancers fails, it could lead to service degradation.
D. None of the above
C. Olivia should make her organization aware that a failure in one of the active nodes would result in less maximum throughput and a potential for service degradation. Since services are rarely run at maximum capacity, and many can have maintenance windows scheduled, this does not mean that the load balancers cannot be patched. There is nothing in this design that makes the load balancers more vulnerable to denial of service than they would be under any other design.
What two ports are most commonly used for FTPS traffic?
A. 21, 990
B. 21, 22
C. 433, 1433
D. 20, 21
A. File Transfer Protocol Secure (FTPS) typically uses port 990 for implicit FTPS and port 21, the normal FTP command port, is used for explicit FTPS. Port 22 is used for SSH, 433 was used for the Network News Transfer Protocol (NNTP), 1433 is used for Microsoft SQL, and port 20 is used for FTP.
What occurs when a certificate is stapled?
A. Both the certificate and OCSP responder are sent together to prevent additional retrievals during certificate path validation.
B. The certificate is stored in a secured location that prevents the certificate from being easily removed or modified.
C. Both the host certificate and the root certificate authority's private key are attached to validate the authenticity of the chain.
D. The certificate is attached to other certificates to demonstrate the entire certificate chain.
A. Certificate stapling allows the server that is presenting a certificate to provide a more efficient way to check the revocation status of the certificate via the Online Certificate Status Protocol (OCSP) by including the OCSP response with the handshake for the certificate. This provides both greater security because clients know that the certificate is valid, and greater efficiency because they don’t have to perform a separate retrieval to check the certificate’s status. The rest of the options were made up and are not certificate stapling.
Greg is setting up a public key infrastructure (PKI). He creates an offline root certificate authority (CA) and then needs to issue certificates to users and devices. What system or device in a PKI receives certificate signing requests (CSRs) from applications, systems, and users?
A. An intermediate CA
B. An RA
C. A CRL
D. None of the above
B. A registration authority, or RA, receives requests for new certificates as well as renewal requests for existing certificates. They can also receive revocation requests and similar tasks. An intermediate CA is trusted by the root CA to issue certificates. A CRL is a certificate revocation list.
Mark is responsible for managing his company's load balancer and wants to use a load-balancing scheduling technique that will take into account the current server load and active sessions. Which of the following techniques should he choose?
A. Source IP hashing
B. Weighted response time
C. Least connection
D. Round robin
C. Least connection-based load balancing takes load into consideration and sends the next request to the server with the least number of active sessions. Round robin simply distributes requests to each server in order, whereas weighted time uses health checks to determine which server responds the most quickly on an ongoing basis and then sends the traffic to that server. Finally, source IP hashing uses the source and destination IP addresses to generate a hash key and then uses that key to track sessions, allowing interrupted sessions to be reallocated to the same server and thus allowing the sessions to continue.
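The three scheduling techniques contrasted in this answer behave differently once one server is already busy. The Python below is an added example (not from the original question bank) that implements round robin, least connection and source IP hashing over a small pool and runs a constructed scenario in which web1 already holds five long-lived sessions; the server names, the sessions and the client addresses are all made up for the demonstration.

```python
"""Round robin, least connection and source-IP-hash scheduling (added example)."""
import hashlib
from itertools import cycle
from typing import Dict, List

class Pool:
    """A back-end pool with the per-server active session counts a balancer tracks."""

    def __init__(self, servers: List[str]):
        self.servers = list(servers)
        self.active: Dict[str, int] = {s: 0 for s in self.servers}
        self._rr = cycle(self.servers)

    def round_robin(self) -> str:
        """Hand the next request to the next server in order, ignoring load."""
        return next(self._rr)

    def least_connection(self) -> str:
        """Pick the server with the fewest active sessions (ties go to the first listed)."""
        return min(self.servers, key=lambda s: self.active[s])

    def source_ip_hash(self, src_ip: str, dst_ip: str) -> str:
        """Hash the source/destination pair so a given client always lands on one server."""
        digest = hashlib.sha256(f"{src_ip}->{dst_ip}".encode()).digest()
        return self.servers[int.from_bytes(digest[:4], "big") % len(self.servers)]

def dispatch(pool: Pool, n: int, method: str) -> List[str]:
    """Assign n new sessions with the named method, updating the session counts as it goes."""
    chosen: List[str] = []
    for _ in range(n):
        server = getattr(pool, method)()
        pool.active[server] += 1   # the new session stays open for the rest of the run
        chosen.append(server)
    return chosen

def demo(method: str) -> List[str]:
    """Constructed scenario: web1 is already carrying five long-lived sessions."""
    pool = Pool(["web1", "web2", "web3"])
    pool.active["web1"] = 5
    return dispatch(pool, 6, method)

if __name__ == "__main__":
    print("round robin     :", demo("round_robin"))
    print("least connection:", demo("least_connection"))
    p = Pool(["web1", "web2", "web3"])
    print("ip hash         :", p.source_ip_hash("198.51.100.7", "203.0.113.10"))
```

Round robin keeps sending a third of the new sessions to the already loaded web1, while least connection steers every new session to web2 and web3 until their counts catch up; the hash method never looks at load at all, which is why it is chosen for session persistence rather than for balancing.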
During a security review, Matt notices that the vendor he is working with lists their IPSec virtual private network (VPN) as using AH protocol for security of the packets that it sends. What concern should Matt note to his team about this?
A. AH does not provide confidentiality.
B. AH does not provide data integrity.
C. AH does not provide replay protection.
D. None of the above; AH provides confidentiality, authentication, and replay protection.
A. IPSec’s Authentication Header (AH) protocol does not provide data confidentiality because it secures only the header, not the payload. That means that AH can provide integrity and replay protection but leaves the rest of the data at risk. Matt should note this and express concerns about why the VPN is not using Encapsulating Security Protocol (ESP).
Michelle wants to secure mail being retrieved via the Post Office Protocol Version 3 (POP3) because she knows that it is unencrypted by default. What is her best option to do this while leaving POP3 running on its default port?
A. Use TLS via port 25.
B. Use IKE via port 25.
C. Use TLS via port 110.
D. Use IKE via port 110.
C. Michelle knows that POP3 runs on port 110 by default, and that TLS (via STARTTLS as an extension) allows POP3 clients to request a secure connection without needing to use the alternate port 995 used in some configurations. Port 25 is the default port for Simple Mail Transfer Protocol (SMTP), and IKE is used for IPSec.
Daniel works for a mid-sized financial institution. The company has recently moved some of its data to a cloud solution. Daniel is concerned that the cloud provider may not support the same security policies as the company's internal network. What is the best way to mitigate this concern?
A. Implement a cloud access security broker.
B. Perform integration testing.
C. Establish cloud security policies.
D. Implement security as a service.
A. A cloud access security broker (CASB) is a software tool or service that sits between an organization’s on-premises network and a cloud provider’s infrastructure. A CASB acts as a gatekeeper, allowing the organization to extend the reach of their security policies into the cloud.
The company that Angela works for has deployed a Voice over IP (VoIP) environment that uses SIP. What threat is the most likely issue for their phone calls?
A. Call interception
B. Vishing
C. War dialing
D. Denial-of-service attacks
A. Angela’s company has deployed a version of Session Initiation Protocol (SIP) that doesn’t use Transport Layer Security (TLS) to maintain confidentiality. She should switch to a SIP Secure (SIPS) implementation to protect the confidentiality of phone conversations. Vishing, or voice phishing; war dialing, which attempts to map all numbers for a phone service, typically to find modems; and denial of service are all less likely on a VoIP network, although they could occur.
Alaina is concerned about the security of her NTP time synchronization service because she knows that protocols like TLS and BGP are susceptible to problems if fake NTP messages were able to cause time mismatches between systems. What tool could she use to quickly protect her NTP traffic between Linux systems?
A. An IPSec VPN
B. SSH tunneling
C. RDP
D. A TLS VPN
B. The fastest way for Alaina to implement secure transport for her Network Time Protocol (NTP) traffic will typically be to simply tunnel the traffic via Secure Shell (SSH) from the NTP server to her Linux systems. An IPSec virtual private network (VPN) between devices will typically take more work to set up and maintain, although this could be scripted, and a Transport Layer Security (TLS) VPN would require additional work since it is intended for web traffic. RDP is the Remote Desktop Protocol and is primarily used for Windows systems and would not be a good choice. In most environments, however, NTP traffic does not receive any special security, and NTP sources are trusted to perform without exceptional security measures.
Ramon is building a new web service and is considering which parts of the service should use Transport Layer Security (TLS). Components of the application include:
1. Authentication
2. A payment form
3. User data, including address and shopping cart
4. A user comments and reviews section
Where should he implement TLS?
A. At points 1 and 2, and 4
B. At points 2 and 3, and 4
C. At points 1, 2, and 3
D. At all points in the infrastructure
D. The safest and most secure answer is that Ramon should simply implement TLS for the entire site. Although TLS does introduce some overhead, modern systems can handle large numbers of simultaneous TLS connections, making a secure website an easy answer in almost all cases.
Katie's organization uses File Transfer Protocol (FTP) for contractors to submit their work product to her organization. The contractors work on sensitive customer information, and then use organizational credentials provided by Katie's company to log in and transfer the information. What sensitive information could attackers gather if they were able to capture the network traffic involved in this transfer?
A. Nothing, because FTP is a secure protocol
B. IP addresses for both client and server
C. The content of the files that were uploaded
D. Usernames, passwords, and file content
D. Although IP addresses for public servers and clients are not typically considered sensitive, the usernames, passwords, and files that the contractors use would be. Katie should consider helping her organization transition to a secure FTP or other service to protect her organization’s customers and the organization itself.
What security benefits are provided by enabling DHCP snooping or DHCP sniffing on switches in your network?
A. Prevention of malicious or malformed DHCP traffic
B. Prevention of rogue DHCP servers
C. Collection of information about DHCP bindings
D. All of the above
D. Dynamic Host Configuration Protocol (DHCP) sniffing or snooping can be enabled to prevent rogue DHCP servers as well as malicious or malformed DHCP traffic. It also allows the capture and collection of DHCP binding information to let network administrators know who is assigned what IP address.
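The three benefits listed in this answer all follow from one switch behaviour: server-side DHCP messages are accepted only on trusted ports, and the acknowledgements seen on those ports populate a binding table. The Python below is an added model of that behaviour (not from the original question bank and not any vendor's implementation); the port names, MAC addresses, and DHCP events are constructed for the example.

```python
"""A small model of DHCP snooping on a switch (added example, constructed data)."""
from typing import Dict, List, NamedTuple, Set

class DhcpEvent(NamedTuple):
    port: str        # switch port the message arrived on
    msg: str         # DISCOVER, OFFER, REQUEST or ACK
    mac: str         # client MAC address the message concerns
    ip: str = ""     # address being offered or acknowledged (server messages only)

class SnoopingSwitch:
    def __init__(self, trusted_ports: Set[str]):
        self.trusted = trusted_ports
        self.bindings: Dict[str, str] = {}     # client MAC -> leased IP
        self.dropped: List[DhcpEvent] = []

    def process(self, ev: DhcpEvent) -> bool:
        """Forward (True) or drop (False) one DHCP message."""
        server_msgs = {"OFFER", "ACK"}
        # Server-originated messages are only accepted on trusted ports,
        # which is what stops a rogue DHCP server on an access port.
        if ev.msg in server_msgs and ev.port not in self.trusted:
            self.dropped.append(ev)
            return False
        # A server message with no address is malformed; drop it too.
        if ev.msg in server_msgs and not ev.ip:
            self.dropped.append(ev)
            return False
        # A forwarded ACK is the point at which the lease becomes a binding.
        if ev.msg == "ACK":
            self.bindings[ev.mac] = ev.ip
        return True

def run_sample() -> SnoopingSwitch:
    """Replay a constructed exchange plus a rogue offer and a malformed ACK."""
    sw = SnoopingSwitch(trusted_ports={"Gi1/0/1"})   # uplink toward the real DHCP server
    events = [
        DhcpEvent("Gi1/0/5", "DISCOVER", "aa:bb:cc:00:00:01"),
        DhcpEvent("Gi1/0/1", "OFFER", "aa:bb:cc:00:00:01", "10.0.0.50"),
        DhcpEvent("Gi1/0/5", "REQUEST", "aa:bb:cc:00:00:01", "10.0.0.50"),
        DhcpEvent("Gi1/0/1", "ACK", "aa:bb:cc:00:00:01", "10.0.0.50"),
        DhcpEvent("Gi1/0/7", "OFFER", "aa:bb:cc:00:00:01", "192.168.1.99"),  # rogue server on an access port
        DhcpEvent("Gi1/0/1", "ACK", "aa:bb:cc:00:00:02"),                    # malformed: no address
    ]
    for ev in events:
        sw.process(ev)
    return sw

if __name__ == "__main__":
    sw = run_sample()
    print("bindings:", sw.bindings)
    print("dropped :", [(e.port, e.msg) for e in sw.dropped])
```

The binding table this produces is the same data a real switch hands to features such as dynamic ARP inspection and IP source guard, which is why the answer counts "collection of information about DHCP bindings" as a security benefit in its own right.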
Aaron wants to use a certificate for the following production hosts: www.example.com, blog.example.com, and news.example.com. What is the most efficient way for him to provide Transport Layer Security (TLS) for all of these systems?
A. Use self-signed certificates.
B. Use a wildcard certificate.
C. Use an EV certificate.
D. Use an SSL certificate.
B. Aaron can use a wildcard certificate to cover all the hosts inside of a set of subdomains. Wildcards only cover a single level of subdomain, however, so if he purchased *.example.com, he could not use it for *.blog.example.com. A self-signed certificate will create errors in most browsers and should not be used in production environments. Extended validation (EV) certificates will not provide this functionality, and Secure Sockets Layer (SSL) is no longer in use with the switch to TLS for security reasons.
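The single-label rule in this answer is easy to get wrong when validating names, so the Python below, an added example that is not part of the original question bank, implements it directly: the asterisk must be the entire leftmost label, it matches exactly one label, and a wildcard on a bare top-level domain is refused. The host names are the ones from the question plus a few constructed negatives.

```python
"""Which host names does a wildcard certificate name cover? (added example)"""
from typing import List

def matches(pattern: str, hostname: str) -> bool:
    """Return True if a certificate name (possibly *.domain) covers hostname."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # The wildcard must be the whole leftmost label and appear nowhere else
    if p_labels[0] != "*" or any("*" in label for label in p_labels[1:]):
        return False
    # A wildcard covers exactly one label, never zero (example.com) or two (a.blog.example.com)
    if len(p_labels) != len(h_labels):
        return False
    # Refuse *.com style names: at least one fixed label must precede the TLD
    if len(p_labels) < 3:
        return False
    return h_labels[0] != "" and p_labels[1:] == h_labels[1:]

def covered(pattern: str, hosts: List[str]) -> List[str]:
    """Filter a host list down to those the certificate name would cover."""
    return [h for h in hosts if matches(pattern, h)]

if __name__ == "__main__":
    hosts = ["www.example.com", "blog.example.com", "news.example.com",
             "example.com", "a.blog.example.com"]
    print(covered("*.example.com", hosts))
```

Because example.com itself is not covered by *.example.com, the apex name is commonly listed as an additional subject alternative name on the same certificate.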
Cassandra is concerned about attacks against her network's Spanning Tree Protocol (STP). She wants to ensure that a new switch introduced by an attacker cannot change the topology by asserting a lower bridge ID than the current configuration. What should she implement to prevent this?
A. Enable BridgeProtect.
B. Set the bridge ID to a negative number.
C. Disable Spanning Tree protocol.
D. Enable Root Guard.
D. Root Guard can be set on a per-port basis to protect ports that will never be set up to be the root bridge for a VLAN. Since this shouldn’t change regularly, it is safe to set for most ports in a network. Spanning tree is used to prevent loops, so disabling STP would actually make this problem more likely. Bridge IDs cannot be negative, and BridgeProtect was made up for this question.
Charles finds a PFX formatted file on the system he is reviewing. What is a PFX file capable of containing?
A. Only certificates and chain certificates, not private keys
B. Only a private key
C. A server certificate, intermediate certificates, and the private key
D. None of the above, because PFX files are used for certificate requests only
C. A Personal Information Exchange (PFX) formatted file is a binary format used to store server certificates, as well as intermediary certificates, and it can also contain the server’s private key. Privacy Enhanced Mail (PEM) files can contain multiple PEM certificates and a private key, but most systems store certificates and the key separately. Distinguished Encoding Rules (DER) format files are frequently used with Java platforms and can store all types of certificates and private keys. P7B, or PKCS#7, formatted files can contain only certificates and certificate chains, not private keys. For the exam, you should also know that a CER is a file extension for an SSL certificate file format used by web servers to help verify the identity and security of the site in question. SSL certificates are provided by a third-party security certificate authority such as VeriSign, GlobalSign, or Thawte.
Which device would most likely process the following rules?
PERMIT IP ANY EQ 443
DENY IP ANY ANY
A. NIPS
B. HIPS
C. Content filter
D. Firewall
D. A firewall has two types of rules. One type is to allow specific traffic on a given port. The other type of rule is to deny traffic. What is shown here is a typical firewall rule. Options A, B, and C are incorrect. The rule shown is clearly a firewall rule.
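A firewall evaluates a rule list like this one top to bottom and applies the first match, which is why the catch-all DENY sits last. The Python below is an added example (not from the original question bank) that parses the question's simplified rule syntax, not any vendor's ACL grammar, and evaluates constructed packets against it with an implicit deny when nothing matches.

```python
"""First-match evaluation of simple firewall rules (added example)."""
from typing import List, NamedTuple, Optional

class Rule(NamedTuple):
    action: str           # PERMIT or DENY
    proto: str            # IP (any protocol), TCP or UDP
    src: str              # ANY or a single source address
    port: Optional[int]   # destination port; None means any port

def parse_rule(line: str) -> Rule:
    """Parse 'PERMIT IP ANY EQ 443' or 'DENY IP ANY ANY' (the question's syntax)."""
    tokens = line.upper().split()
    if len(tokens) < 4 or tokens[0] not in ("PERMIT", "DENY"):
        raise ValueError(f"unrecognised rule: {line}")
    action, proto, src = tokens[0], tokens[1], tokens[2]
    port: Optional[int] = None
    if tokens[3] == "EQ" and len(tokens) >= 5:
        port = int(tokens[4])
    elif tokens[3] != "ANY":
        raise ValueError(f"unrecognised rule: {line}")
    return Rule(action, proto, src, port)

class Packet(NamedTuple):
    proto: str
    src: str
    dport: int

def evaluate(rules: List[Rule], pkt: Packet) -> str:
    """Return the action of the first matching rule; implicit DENY if none matches."""
    for r in rules:
        if r.proto != "IP" and r.proto != pkt.proto.upper():
            continue
        if r.src != "ANY" and r.src != pkt.src:
            continue
        if r.port is not None and r.port != pkt.dport:
            continue
        return r.action
    return "DENY"

# The two rules quoted in the question
RULES = [parse_rule("PERMIT IP ANY EQ 443"), parse_rule("DENY IP ANY ANY")]

if __name__ == "__main__":
    # Constructed packets (documentation-range addresses)
    for pkt in (Packet("tcp", "203.0.113.5", 443), Packet("tcp", "203.0.113.5", 80)):
        print(pkt, "->", evaluate(RULES, pkt))
```

Reordering the two rules would deny everything, including port 443 traffic, which is the classic first-match mistake the evaluator makes visible.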
Ted wants to use IP reputation information to protect his network and knows that third parties provide that information. How can he get this data, and what secure protocol is he most likely to use to retrieve it?
A. A subscription service, SAML
B. A VDI, XML
C. A subscription service, HTTPS
D. An FDE, XML
C. Many subscription services allow for data retrieval via HTTPS. Ted can subscribe to one or more threat feeds or reputation services, and then feed that information to an intrusion detection system (IDS), intrusion prevention system (IPS), next-generation firewall, or similar network security tool. Security Assertion Markup Language (SAML) is used to make assertions about identities and authorization, a VDI is a virtual desktop environment, and FDE is full-disk encryption.
What does setting the secure attribute for an HTTP cookie result in?
A. Cookies will be stored in encrypted form.
B. Cookies will be sent only over HTTPS.
C. Cookies will be stored in hashed form.
D. Cookies must be accessed using a cookie key.
B. Secure cookies are HTTP cookies that have the secure flag set, thus requiring them to only be sent via a secure channel like HTTPS. They are not stored in encrypted form or hashed, and cookie keys were made up for this question.
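The Secure flag is one of several attributes carried on a Set-Cookie header, and checking for it means parsing that header. The Python below is an added example (not from the original question bank) that parses Set-Cookie values and reports cookies that lack the Secure flag, along with two related checks (HttpOnly, and the SameSite=None and __Secure- prefix rules that themselves require Secure); the header lines are constructed samples.

```python
"""Parse Set-Cookie headers and flag cookies missing the Secure attribute (added example)."""
from typing import Dict, List, NamedTuple

class Cookie(NamedTuple):
    name: str
    value: str
    attrs: Dict[str, str]   # attribute names lower-cased; bare flags map to ""

def parse_set_cookie(header: str) -> Cookie:
    """Split a Set-Cookie value into name=value and its ;-separated attributes."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, str] = {}
    for attr in parts[1:]:
        if not attr:
            continue
        key, _, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return Cookie(name.strip(), value, attrs)

def cookie_findings(header: str) -> List[str]:
    """Return findings for one Set-Cookie header; empty list means it passed."""
    c = parse_set_cookie(header)
    findings: List[str] = []
    secure = "secure" in c.attrs
    if not secure:
        findings.append(f"{c.name}: no Secure flag, so it may be sent over plain HTTP")
    if "httponly" not in c.attrs:
        findings.append(f"{c.name}: no HttpOnly flag, so scripts can read it")
    if c.attrs.get("samesite", "").lower() == "none" and not secure:
        findings.append(f"{c.name}: SameSite=None requires Secure")
    if c.name.startswith("__Secure-") and not secure:
        findings.append(f"{c.name}: the __Secure- prefix requires Secure")
    return findings

def audit_cookies(headers: List[str]) -> Dict[str, List[str]]:
    """Audit a list of Set-Cookie headers, keyed by cookie name."""
    return {parse_set_cookie(h).name: cookie_findings(h) for h in headers}

# Constructed sample headers (not from any real server)
SAMPLE_HEADERS = [
    "session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax",
    "tracker=xyz; Path=/; SameSite=None",
    "__Secure-id=42; Path=/",
]

if __name__ == "__main__":
    for name, findings in audit_cookies(SAMPLE_HEADERS).items():
        print(name, findings or "ok")
```

Only the first sample passes: the second is sent over any channel and is also invalid as written, since SameSite=None is only honoured when Secure is present, and the third claims a __Secure- prefix it does not back up.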
Charles wants to use IPSec and needs to be able to determine the IPSec policy for traffic based on the port it is being sent to on the remote system. Which IPSec mode should he use?
A. IPSec tunnel mode
B. IPSec IKE mode
C. IPSec PSK mode
D. IPSec transport mode
D. Unlike IPSec’s tunnel mode, IPSec transport mode allows different policies per port. The IP addresses in the outer header for transport mode packets are used to determine the policy applied to the packet. IPSec doesn’t have a PSK mode, but WPA2 does. IKE is used to set up security associations in IPSec but doesn’t allow this type of mode setting.
Wi-Fi Protected Setup (WPS) includes four modes for adding devices to a network. Which mode has significant security concerns due to a brute-force exploit?
A. PIN
B. USB
C. Push button
D. Near-field communication
A. WPS personal identification numbers (PINs) were revealed to be a problem in 2011, when a practical brute-force attack against WPS PIN setup modes was demonstrated. WPS suffers from a variety of other security issues and is not used for enterprise security. WPS remains in use in home environments for ease of setup.
Claire wants to check whether a certificate has been revoked. What protocol is used to validate certificates?
A. RTCP
B. CRBL
C. OCSP
D. PKCRL
C. The Online Certificate Status Protocol, or OCSP, is used to determine the status of a certificate. RTCP, CRBL, and PKCRL were all made up for this question.
Nick is responsible for cryptographic keys in his company. What is the best way to deauthorize a public key?
A. Send out a network alert.
B. Delete the digital certificate.
C. Publish that certificate in the CRL.
D. Notify the RA.
C. Certificate revocation lists (CRLs) are designed specifically for revoking certificates. Since public keys are distributed via certificates, this is the most effective way to deauthorize a public key. Option A is incorrect. Simply notifying users that a key/certificate is no longer valid is not effective. Option B is incorrect. Deleting a certificate is not always possible and ignores the possibility of a duplicate of that certificate existing. Option D is incorrect. The registration authority (RA) is used in creating new certificates, not in revoking them.
What two connection methods are used for most geofencing applications?
A. Cellular and GPS
B. USB and Bluetooth
C. GPS and Wi-Fi
D. Cellular and Bluetooth
C. Global Positioning System (GPS) data and data about local Wi-Fi networks are the two most commonly used protocols to help geofencing applications determine where they are. When a known Wi-Fi signal is gained or lost, the geofencing application knows it is within range of that network. GPS data is even more useful because it can work in most locations and provide accurate location data. Although Bluetooth is sometimes used for geofencing, its limited range means that it is a third choice. Cellular information would require accurate tower-based triangulation, which means it is not typically used for geofencing applications, and of course USB is a wired protocol.
Gabriel is setting up a new e-commerce server. He is concerned about security issues. Which of the following would be the best location to place an e-commerce server?
A. DMZ
B. Intranet
C. Guest network
D. Extranet
A. The demilitarized zone (DMZ) is a zone between an outer firewall and an inner firewall. It is specifically designed as a place to locate public-facing servers. The outer firewall is more permissive, thus allowing public access to the servers in the DMZ. However, the inner firewall is more secure, thus preventing outside access to the corporate network.
Janelle is the security administrator for a small company. She is trying to improve security throughout the network. Which of the following steps should she take first?
A. Implement antimalware on all computers.
B. Implement acceptable use policies.
C. Turn off unneeded services on all computers.
D. Set password reuse policies.
C. The first step in security is hardening the operating system, and one of the most elementary aspects of that is turning off unneeded services. This is true regardless of the operating system. Although installing antimalware, implementing usage policies, and setting password reuse policies are all good practices, turning off unnecessary services is typically the first step in securing a system.
Ben is responsible for a new application with a worldwide user base that will allow users to sign up to access existing data about them. He would like to use a method of authentication that will permit him to verify that users are the correct people to match up with their accounts. How can he validate these users?
A. Require that they present their Social Security number.
B. Require them to use a federated identity via Google.
C. Require them to use knowledge-based authentication.
D. Require them to validate an email sent to the account they signed up with.
C. Knowledge-based authentication requires information that only the user is likely to know. Examples include things like previous tax payments, bill amounts, and similar information. Requesting a Social Security number is less secure and would only work for users in the United States. Federated identity via Google accounts does not meet this need because Google accounts do not have a user validation requirement. Finally, validation emails only prove that the user has access to an account that they provide, not that they are a specific individual.
Jason wants to implement a remote access virtual private network (VPN) for users in his organization who primarily rely on hosted web applications. What common VPN type is best suited to this if he wants to avoid deploying client software to his end-user systems?
A. A TLS VPN
B. An RDP (Remote Desktop Protocol) VPN
C. An Internet Control Message Protocol (ICMP) VPN
D. An IPSec VPN
A. A Transport Layer Security (TLS) VPN is frequently chosen when ease of use is important, and web applications are the primary usage mode. IPSec VPNs are used for site-to-site VPNs and for purposes where other protocols may be needed, because they make the endpoint system appear to be on the remote network.
Juan is a network administrator for an insurance company. His company has a number of traveling salespeople. He is concerned about confidential data on their laptops. What is the best way for him to address this?
A. FDE
B. TPM
C. SDN
D. DMZ
A. Full-disk encryption (FDE) fully encrypts the hard drive on a computer. This is an effective method for ensuring the security of data on a computer. Trusted Platform Modules (TPMs) store keys and are used for boot integrity and other cryptographic needs and won’t directly protect the data. Software-defined networking (SDN) is virtualized networking, and demilitarized zones (DMZs) are used to segment a network and won’t affect this problem.
Which design concept limits access to systems from outside users while protecting users and systems inside the LAN?
A. DMZ
B. VLAN
C. Router
D. Guest network
A. A DMZ (demilitarized zone) provides limited access to public-facing servers for outside users, but blocks outside users from accessing systems inside the LAN. It is a common practice to place web servers in the DMZ. A virtual LAN, or VLAN, is most often used to segment the internal network, routers direct traffic based on IP address, and a guest network allows internal users who are not employees to get access to the Internet.
Nina wants to use information about her users like their birth dates, addresses, and job titles as part of her identity management system. What term is used to describe this type of information?
A. Roles
B. Factors
C. Identifiers
D. Attributes
D. Identity attributes are characteristics of an identity, including details like the individual’s birth date, age, job title, address, or a multitude of other details about the identity. They are used to differentiate the identity from others and may also be used by the identity management system or connected systems in coordination with the identity itself. Roles describe the job or position an individual has in an organization, and factors are something you know, something you have, or something you are. Identifiers are not a common security or authentication term, although identity is.
Megan is preparing a certificate signing request (CSR) and knows that she needs to provide a CN for her web server. What information will she put into the CN field for the CSR?
A. Her name
B. The hostname
C. The company's name
D. The fully qualified domain name of the system
D. The CN, or common name, for a certificate for a system is typically the fully qualified domain name (FQDN) for the server. If Megan was requesting a certificate for herself, instead of for a server, she would use her full name.
Which of the following is the equivalent of a VLAN from a physical security perspective?
A. Perimeter security
B. Partitioning
C. Security zones
D. Firewall
B. Physically partitioning your network is the physical equivalent of a virtual LAN, or VLAN. A VLAN is designed to emulate physical partitioning. Perimeter security does not segment the network. Security zones are useful but don’t, by themselves, segment a network. Often a network is segmented, using physical partitions or VLANs, to create security zones. A firewall is meant to block certain traffic, not to segment the network, although a firewall can be part of a segmentation or security zone implementation.
Nelson uses a tool that lists the specific applications that can be installed and run on a system. The tool uses hashes of the application's binary to identify each application to ensure that the application matches the filename provided for it. What type of tool is Nelson using?
A. Antivirus
B. Blacklisting
C. Antimalware
D. Whitelisting
D. Nelson is using a whitelisting (or allowed list) tool. Tools like this allow only specific applications to be installed and run on a system and often use hashes of known good applications to ensure that the applications are those that are permitted. A blacklisting (or blocked list) tool prevents specific applications or files from being used, stored, or downloaded to a system. Although antivirus and antimalware tools may have similar features, the most accurate answer here is whitelisting.
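The hash-based allowlisting described in this answer, shown as an added example that is not part of the original question bank. The sample "binaries" are constructed byte strings, and the allowlist maps each SHA-256 digest to the filename the binary is expected to carry, so a known binary presented under a different name is caught as well as an unknown one.

```python
"""Application allowlisting by binary hash (added example, not from the page).

The SAMPLE_BINARIES and ALLOWLIST below are constructed for illustration;
a real allowlisting tool would hash files on disk at execution time.
"""
import hashlib

# Constructed sample "binaries" standing in for files on disk.
SAMPLE_BINARIES = {
    "calc.exe": b"\x4d\x5a calc v1.0 (constructed sample)",
    "notes.exe": b"\x4d\x5a notes v2.3 (constructed sample)",
}


def sha256_hex(data: bytes) -> str:
    """Return the SHA-256 digest of a binary's contents as hex."""
    return hashlib.sha256(data).hexdigest()


# Constructed allowlist: digest of a known-good binary -> its expected filename.
ALLOWLIST = {
    sha256_hex(SAMPLE_BINARIES["calc.exe"]): "calc.exe",
    sha256_hex(SAMPLE_BINARIES["notes.exe"]): "notes.exe",
}


def check_execution(filename: str, data: bytes, allowlist=ALLOWLIST) -> str:
    """Decide whether a binary may run (default deny).

    Returns one of:
      'allowed'        - digest is on the allowlist and the filename matches
      'name-mismatch'  - digest is known but presented under another filename
      'unknown-binary' - digest is not on the allowlist (modified or unlisted)
    """
    digest = sha256_hex(data)
    expected_name = allowlist.get(digest)
    if expected_name is None:
        return "unknown-binary"
    if expected_name != filename:
        return "name-mismatch"
    return "allowed"


if __name__ == "__main__":
    print(check_execution("calc.exe", SAMPLE_BINARIES["calc.exe"]))   # allowed
    print(check_execution("calc.exe", SAMPLE_BINARIES["notes.exe"]))  # name-mismatch
    print(check_execution("calc.exe", b"\x4d\x5a tampered (constructed)"))  # unknown-binary
```

Because the decision is keyed on the digest rather than the filename, a patched or trojanized copy of an allowed program produces a different hash and falls into the default-deny branch; this is the property the answer refers to when it says the tool checks that the binary "matches the filename provided for it".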
Which type of firewall examines the content and context of each packet it encounters?
A. Packet filtering firewall
B. Stateful packet filtering firewall
C. Application layer firewall
D. Gateway firewall
B. A stateful inspection firewall examines the content and context of each packet it encounters. This means that a stateful packet inspection (SPI) firewall understands the preceding packets that came from the same IP address, and thus the context of the communications. This makes certain attacks, like a SYN flood, almost impossible. Packet filtering firewalls examine each packet but not the context. Application-layer firewalls can use SPI or simple packet filtering, but their primary role is to examine application-specific issues. A common example is a web application firewall. A gateway firewall is simply a firewall at the network gateway. This does not tell us whether it is packet filtering or SPI.
As part of his wireless network deployment efforts, Scott generates the image shown here. What term is used to describe this type of visualization of wireless networks?
A. A heatmap
B. A network diagram
C. A zone map
D. A DMZ
A. Wireless network heatmaps are used to show how strong wireless network signals are throughout a building or location. Scott can use a heatmap like this to see where the wireless signal drops off or where interference may occur. A network diagram would show the logical layout of a network. A demilitarized zone (DMZ) is a network security zone that is exposed to a higher risk region, and a zone map is not a common security term.
You're designing a new network infrastructure so that your company can allow unauthenticated users connecting from the Internet to access certain areas. Your goal is to protect the internal network while providing access to those areas. You decide to put the web server on a separate subnet open to public contact. What is this subnet called?
A. Guest network
B. DMZ
C. Intranet
D. VLAN
B. A demilitarized zone (DMZ) is a separate subnet coming off the separate router interface. Public traffic may be allowed to pass from the external public interface to the DMZ, but it won’t be allowed to pass to the interface that connects to the internal private network. A guest network provides visitors with Internet access. An intranet consists of internal web resources. Frequently companies put up web pages that are accessible only from within the network for items like human resources notifications, vacation requests, and so forth. A virtual LAN, or VLAN, is used to segment your internal network.
Madhuri's web application converts numbers that are input into fields by specifically typing them and then applies strict exception handling. It also sets a minimum and maximum length for the inputs that it allows and uses predefined arrays of allowed values for inputs like months or dates. What term describes the actions that Madhuri's application is performing?
A. Buffer overflow prevention
B. String injection
C. Input validation
D. Schema validation
C. The application includes input validation techniques that are used to ensure that unexpected or malicious input does not cause problems with the application. Input validation techniques will strip out control characters, validate data, and perform a variety of other actions to clean input before it is processed by the application or stored for future use. This validation may help prevent buffer overflows, but other techniques described here are not used for buffer overflow prevention. String injection is actually something this helps to prevent, and schema validation looks at data to ensure that requests match a schema, but again this is a narrower description than the broad range of input validation occurring in the description.
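The validation steps this answer lists (strict typing with exception handling, minimum and maximum lengths, and predefined arrays of allowed values) in one place, as an added example that is not part of the original question bank. The form fields `quantity`, `month` and `nickname` and their bounds are assumptions chosen for illustration.

```python
"""Server-side input validation (added example, not from the page).

Field names, ranges and the allowed-character set are assumptions for
illustration; the structure follows the answer: type the input strictly,
bound its length, and check choice fields against a predefined array.
"""
from dataclasses import dataclass

# Predefined array of allowed values, as the answer describes for months.
ALLOWED_MONTHS = ("jan", "feb", "mar", "apr", "may", "jun",
                  "jul", "aug", "sep", "oct", "nov", "dec")


class ValidationError(ValueError):
    """Raised for any field that fails validation; the raw input is not echoed back."""


@dataclass(frozen=True)
class Order:
    quantity: int
    month: str
    nickname: str


def parse_int(raw: str, field: str, lo: int, hi: int) -> int:
    """Strictly convert to an integer, then enforce a numeric range."""
    if len(raw) > 9:                       # length bound before any parsing
        raise ValidationError(f"{field}: too long")
    if not (raw.isascii() and raw.isdigit()):
        raise ValidationError(f"{field}: not a plain decimal integer")
    try:
        value = int(raw, 10)
    except ValueError:                     # strict exception handling
        raise ValidationError(f"{field}: not an integer") from None
    if not lo <= value <= hi:
        raise ValidationError(f"{field}: out of range")
    return value


def parse_choice(raw: str, field: str, allowed) -> str:
    """Accept only a value from the predefined allowed array."""
    norm = raw.strip().lower()
    if norm not in allowed:
        raise ValidationError(f"{field}: not an allowed value")
    return norm


def parse_text(raw: str, field: str, min_len: int, max_len: int) -> str:
    """Bound the length and restrict the character set (no control characters)."""
    if not min_len <= len(raw) <= max_len:
        raise ValidationError(f"{field}: length outside {min_len}-{max_len}")
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in raw):
        raise ValidationError(f"{field}: control characters not permitted")
    if not all(c.isalnum() or c in " -_" for c in raw):
        raise ValidationError(f"{field}: character outside allowed set")
    return raw


def validate_order(form: dict) -> Order:
    """Validate every field; a single failure rejects the whole submission."""
    return Order(
        quantity=parse_int(form.get("quantity", ""), "quantity", 1, 1000),
        month=parse_choice(form.get("month", ""), "month", ALLOWED_MONTHS),
        nickname=parse_text(form.get("nickname", ""), "nickname", 1, 32),
    )


def is_valid(form: dict) -> bool:
    """Convenience wrapper returning True only when every field passes."""
    try:
        validate_order(form)
        return True
    except ValidationError:
        return False


if __name__ == "__main__":
    print(validate_order({"quantity": "5", "month": "Mar", "nickname": "alice"}))
    print(is_valid({"quantity": "5; DROP TABLE orders", "month": "mar", "nickname": "a"}))
```

Each check is an allowlist (what is permitted) rather than a blocklist of known-bad strings, which is why the same validation layer also narrows the input that reaches the database or the page, the point the later XSS and SQL injection question makes.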
You're outlining your plans for implementing a wireless network to upper management. What wireless security standard should you adopt if you don't want to use enterprise authentication but want to provide secure authentication for users that doesn't require a shared password or passphrase?
A. WPA3
B. WPA
C. WPA2
D. WEP
C. WPA3 supports SAE, or simultaneous authentication of equals, providing a more secure way to authenticate that limits the potential for brute-force attacks and allows individuals to use different passwords. WPA is not as secure as WPA2, and WEP is the oldest, and least secure, wireless security protocol.
Brandon wants to ensure that his intrusion prevention system (IPS) is able to stop attack traffic. Which deployment method is most appropriate for this requirement?
A. Inline, deployed as an IPS
B. Passive via a tap, deployed as an IDS
C. Inline, deployed as an IDS
D. Passive via a tap, deployed as an IPS
A. In order to stop attack traffic, an IPS needs to be deployed inline. Deployments that use a network tap receive a copy of the data without being in the flow of traffic, which makes them ideal for detection but removes the ability to stop traffic. Deploying as an intrusion detection system (IDS) instead of an IPS means that the system will only detect, not stop, attacks.
You are the chief security officer (CSO) for a large company. You have discovered malware on one of the workstations. You are concerned that the malware might have multiple functions and might have caused more security issues with the computer than you can currently detect. What is the best way to test this malware?
A. Leave the malware on that workstation until it is tested.
B. Place the malware in a sandbox environment for testing.
C. It is not important to analyze or test it; just remove it from the machine.
D. Place the malware on a honeypot for testing
B. The correct answer is to use a sandboxed environment to test the malware and determine its complete functionality. A sandboxed system could be an isolated virtual machine (VM) or an actual physical machine that is entirely isolated from the network. Leaving the malware on a production system is never the correct approach. You should test or analyze the malware to determine exactly what malware it is, allowing you to respond to the threat properly. A honeypot is used for luring and trapping attackers, not for testing malware.
You are trying to increase security at your company. You're currently creating an outline of all the aspects of security that will need to be examined and acted on. Which of the following terms describes the process of improving security in a trusted OS?
A. FDE
B. Hardening
C. SED
D. Baselining
B. Hardening is the process of improving the security of an operating system or application. One of the primary methods of hardening a trusted OS is to eliminate unneeded protocols. This is also known as creating a secure baseline that allows the OS to run safely and securely. FDE is full-disk encryption, a SED is a self-encrypting drive, and baselining is the process of establishing security standards.
Melissa's website provides users who access it via HTTPS with a Transport Layer Security (TLS) connection. Unfortunately, Melissa forgot to renew her certificate, and it is presenting users with an error. What happens to the HTTPS connection when a certificate expires?
A. All traffic will be unencrypted.
B. Traffic for users who do not click OK at the certificate error will be unencrypted.
C. Trust will be reduced, but traffic will still be encrypted.
D. Users will be redirected to the certificate authority's site for a warning until the certificate is renewed.
C. Although trust in the site is likely to be reduced because users will receive warnings, the actual underlying encryption capabilities will not change. Users will not be redirected to the certificate authority’s site, and if they click past the warnings, users will be able to continue normally and with an encrypted connection.
Isaac is reviewing his organization's secure coding practices document for customer-facing web applications and wants to ensure that their input validation recommendations are appropriate. Which of the following is not a common best practice for input validation?
A. Ensure validation occurs on a trusted server.
B. Validate all client-supplied data before it is processed.
C. Validate expected data types and ranges.
D. Ensure validation occurs on a trusted client.
D. Isaac knows that trusting client systems to be secure is not a good idea, and thus ensuring that validation occurs on a trusted client is not an appropriate recommendation. Ensuring that validation occurs on a trusted server, that client data is validated, and that data types and ranges are reasonable are all good best practices for him to recommend.
Frank knows that the systems he is deploying have a built-in TPM module. Which of the following capabilities is not a feature provided by a TPM?
A. A random number generator
B. Remote attestation capabilities
C. A cryptographic processor used to speed up SSL/TLS
D. The ability to bind and seal data
C. Trusted Platform Modules (TPMs) provide a random number generator, the ability to generate cryptographic keys, support for remote attestation as part of the boot process, as well as binding and sealing capabilities. They do not act as cryptographic processors to speed up Secure Sockets Layer (SSL) or Transport Layer Security (TLS) traffic.
What is the primary use of hashing in databases?
A. To encrypt stored data, thus preventing exposure
B. For indexing and retrieval
C. To obfuscate data
D. To substitute for sensitive data, allowing it to be used without exposure
B. Hashing is commonly used in databases to increase the speed of indexing and retrieval since it is typically faster to search for a hashed key rather than the original value stored in a database. Hashing is not a form of encryption, meaning that it is not used to encrypt stored data. Hashing is not used to obfuscate data or to substitute for sensitive data.
Hans is a security administrator for a large company. Users on his network visit a wide range of websites. He is concerned they might get malware from one of these many websites. Which of the following would be his best approach to mitigate this threat?
A. Implement host-based antivirus.
B. Blacklist known infected sites.
C. Set browsers to allow only signed components.
D. Set browsers to block all active content (ActiveX, JavaScript, etc.).
C. The correct answer is to only allow signed components to be loaded in the browser. Code signing verifies the originator of the component (such as an ActiveX component) and thus makes malware far less likely. Although host-based antimalware is a good idea, it is not the best remedy for this specific threat. Blacklists cannot cover all sites that are infected—just the sites you know about. And given that users on Hans’s network visit a lot of websites, blacklisting is likely to be ineffective. Finally, if you block a
Zarmeena has implemented wireless authentication for her network using a passphrase that she distributes to each member of her organization. What type of authentication method has she implemented?
A. Enterprise
B. PSK
C. Open
D. Captive portal
B. Zarmeena has implemented a preshared key, or PSK, authentication method. This means that if she needs to change the key because a staff member leaves, she will need to have every device update their passphrase. For larger deployments, enterprise authentication can connect to an authentication and authorization service, allowing each user to authenticate as themselves. This also provides network administrators with a way to identify individual devices by their authenticated user. Open networks do not require authentication, although a captive portal can be used to require network users to provide information before they are connected to the Internet.
Olivia is building a wireless network and wants to implement an Extensible Authentication Protocol (EAP)-based protocol for authentication. What EAP version should she use if she wants to prioritize reconnection speed and doesn't want to deploy client certificates for authentication?
A. EAP-FAST
B. EAP-TLS
C. PEAP
D. EAP-TTLS
A. EAP-FAST is specifically designed for organizations that want to quickly complete reconnections and does not require certificates to be installed at the endpoint device. EAP Tunneled Transport Layer Security (EAP-TTLS) requires client-side certificates; EAP-TLS requires mutual authentication, which can be slower; and Protected Extensible Authentication Protocol (PEAP) is similar to EAP-TTLS.
You work at a large company. You are concerned about ensuring that all workstations have a common configuration, that no rogue software is installed, and that all patches are kept up to date. Which of the following would be the most effective for accomplishing this?
A. Use VDI.
B. Implement restrictive policies.
C. Use an image for all workstations.
D. Implement strong patch management.
A. The correct answer is to implement a virtual desktop infrastructure (VDI). If all the desktops are virtualized, then from a single central location you can manage patches, configuration, and software installation. This single implementation will solve all the issues mentioned in the question. Restrictive policies are a good idea but are often difficult to enforce. Imaging workstations will affect only their original configuration; it won’t keep them patched or prevent rogue software from being installed. Finally, strong patch management will address only one of the three concerns.
Naomi has deployed her organization's cloud-based virtual datacenters to multiple Google datacenter locations around the globe. What does this design provide for her systems?
A. Resistance to insider attacks
B. High availability across multiple zones
C. Decreased costs
D. Vendor diversity
B. Deploying to multiple locations is part of a high availability strategy that ensures that losing a datacenter or datacenters in a single region, or loss of network connectivity to that region, will not take an infrastructure down. This does not provide greater resistance to insider attacks, lower costs, or vendor diversity.
Patrick wants to deploy a virtual private networking (VPN) technology that is as easy for end users to use as possible. What type of VPN should he deploy?
A. An IPSec VPN
B. An SSL/TLS VPN
C. An HTML5 L2TP VPN
D. An SAML VPN
B. A TLS-based VPN (often called an SSL-based VPN, despite SSL being outmoded) provides the easiest way for users to use VPN since it does not require a client. SSL VPNs also work only for specific applications rather than making a system appear as though it is fully on a remote network. HTML5 is not a VPN technology, but some VPN portals may be built using HTML5. Security Assertion Markup Language (SAML) is not a VPN technology. IPSec VPNs require a client or configuration and are thus harder for end users to use in most cases.
Olivia is responsible for web application security for her company's e-commerce server. She is particularly concerned about XSS and SQL injection. Which technique would be most effective in mitigating these attacks?
A. Proper error handling
B. The use of stored procedures
C. Proper input validation
D. Code signing
C. These particular web application attacks are best mitigated with proper input validation. Any user input should be checked for indicators of cross-site scripting (XSS) or SQL injection. Error handling is always important, but it won’t mitigate these particular issues. Stored procedures can be a good way of ensuring SQL commands are standardized, but that won’t prevent these attacks. Code signing is used for code that is downloaded from a web application to the client computer; it is used to protect the client, not the web application.
Isaac wants to prevent corporate mobile devices from being used outside of his company's buildings and corporate campus. What mobile device management (MDM) capability should he use to allow this?
A. Patch management
B. IP filtering
C. Geofencing
D. Network restrictions
C. Isaac can configure a geofence that defines his corporate buildings and campus. He can then set up a geofence policy that will only allow devices to work while they are inside that geofenced area. Patch management, IP filtering, and network restrictions are not suitable solutions for this.
Sophia wants to test her company's web application to see if it is handling input validation and data validation properly. Which testing method would be most effective for this?
A. Static code analysis
B. Fuzzing
C. Baselining
D. Version control
B. Fuzzing is a technique whereby the tester intentionally enters incorrect values into input fields to see how the application will handle it. Static code analysis tools simply scan the code for known issues, baselining is the process of establishing security standards, and version control simply tracks changes in the code—it does not test the code.
Alaina has implemented an HSM. Which of the following capabilities is not a typical HSM feature?
A. Encryption and decryption for digital signatures
B. Boot attestation
C. Secure management of digital keys
D. Strong authentication support
B. Although hardware security modules (HSMs) provide many cryptographic functions, they are not used for boot attestation. A TPM, or Trusted Platform Module, is used for secure boot attestation.
Cynthia wants to issue contactless cards to provide access to the buildings she is tasked with securing. Which of the following technologies should she deploy?
A. RFID
B. Wi-Fi
C. Magstripe
D. HOTP
A. Cynthia should deploy Radio Frequency Identifier (RFID) cards, which can be read using contactless readers. RFID technology is common and relatively inexpensive, but without additional authentication, possession of a card is the only means of determining if someone is authorized to access a building or room. Wi-Fi is not used for contactless cards because of its power consumption and overhead. Magstripes require a reader rather than being contactless, and HOTP is a form of one-time password system.
Alaina wants to prevent bulk gathering of email addresses and other directory information from her web-exposed LDAP directory. Which of the following solutions would not help with this?
A. Using a back-off algorithm
B. Implementing LDAPS
C. Requiring authentication
D. Rate limiting queries
B. Rate limiting and back-off algorithms both limit how quickly queries can be performed. Requiring authentication would restrict who could access the directory. Requiring LDAPS (Lightweight Directory Access Protocol over SSL) does not prevent enumeration, but it does provide security for the queried information as it transits networks.
Alaina has been told that her organization uses a SAN certificate in their environment. What does this tell Alaina about the certificate in use in her organization?
A. It is used for a storage area network.
B. It is provided by SANS, a network security organization.
C. The certificate is part of a self-signed, self-assigned namespace.
D. The certificate allows multiple hostnames to be protected by the same certificate.
D. A SAN, or Subject Alternate Name, certificate allows multiple hostnames to be protected by the same certificate. It is not a type of certificate for SAN storage systems. A SAN certificate could be self-signed, but that does not make it a SAN certificate, and of course the security organization SANS is not a certificate authority.
Edward is responsible for web application security at a large insurance company. One of the applications that he is particularly concerned about is used by insurance adjusters in the field. He wants to have strong authentication methods to mitigate misuse of the application. What would be his best choice?
A. Authenticate the client with a digital certificate.
B. Implement a very strong password policy.
C. Secure application communication with Transport Layer Security (TLS).
D. Implement a web application firewall (WAF).
A. The correct answer is to assign digital certificates to the authorized users and to use these to authenticate them when logging in. This is an effective way to ensure that only authorized users can access the application. Although the remaining options are all good security measures, they are not the best way to authenticate the client and prevent unauthorized access to the application.
Sarah is the CIO for a small company. The company uses several custom applications that have complicated interactions with the host operating system. She is concerned about ensuring that systems on her network are all properly patched. What is the best approach in her environment?
A. Implement automatic patching.
B. Implement a policy that has individual users patch their systems.
C. Delegate patch management to managers of departments so that they can find the best patch management for their departments.
D. Immediately deploy patches to a test environment; then as soon as testing is complete, have a staged rollout to the production network.
D. The correct answer is to first test patches. It is always possible that a patch might cause issues for one or more current applications. (See answer 75 in Chapter 3 for more information.)
Gary uses a wireless analyzer to perform a site survey of his organization. Which of the following is not a common feature of a wireless analyzer's ability to provide information about the wireless networks around it?
A. The ability to show signal strength of access points on a map of the facility
B. The ability to show the version of the RADIUS server used for authentication
C. The ability to show a list of SSIDs available in a given location
D. The ability to show the version of the 802.11 protocol (n, ac, ax)
B. Although wireless analyzers provide in-depth information about Service Set Identifiers (SSIDs), signal strength, and protocol versions, the Remote Authentication Dial-In User Service (RADIUS) or Kerberos version number for the backend authentication servers is not something that they will typically be able to provide.
Emiliano is a network administrator and is concerned about the security of peripheral devices. Which of the following would be a basic step he could take to improve security for those devices?
A. Implement FDE.
B. Turn off remote access (SSH, Telnet, etc.) if not needed.
C. Utilize fuzz testing for all peripherals.
D. Implement digital certificates for all peripherals.
B. The correct answer is to turn off any remote access to such devices that is not absolutely needed. Many peripheral devices come with SSH (Secure Shell), Telnet, or similar services. If you are not using them, turn them off. Many peripherals don’t have disks to encrypt, making full-disk encryption (FDE) a less useful choice. Fuzz testing is used to test code, not devices, and peripherals are unlikely to support digital certificates in most cases.
What type of code analysis is manual code review?
A. Dynamic code review
B. Fagan code review
C. Static code review
D. Fuzzing
C. Manual code review is a type of static code review where reviewers read through source code to attempt to find flaws in the code. Dynamic code review requires running the code, Fagan testing is a formal code review process that works through multiple phases of the development process, and fuzzing is a form of dynamic inspection that sends unexpected values to a running program.
Samantha has used ssh-keygen to generate new SSH keys. Which SSH key should she place on the server she wants to access, and where is it typically stored on a Linux system?
A. Her public SSH key, /etc/
B. Her private SSH key, /etc/
C. Her public SSH key, ~/.ssh
D. Her private SSH key, ~/.ssh
C. Samantha should place her public SSH key in the .ssh directory in her home directory on the remote server. Private keys should never be outside of your control, and unlike many Linux configurations, SSH keys are not kept in the /etc/ directory.
Ixxia is a software development team manager. She is concerned about memory leaks in code. What type of testing is most likely to find memory leaks?
A. Fuzzing
B. Stress testing
C. Static code analysis
D. Normalization
C. The correct answer is to use static code analysis. Memory leaks are usually caused by failure to deallocate memory that has been allocated. A static code analyzer can check to see if all memory allocation commands ( malloc , alloc , etc.) have a matching deallocation command. Fuzzing involves entering data that is outside expected values to see how the application handles it. Stress testing involves testing how a system handles extreme workloads. Normalization is a technique for deduplicating a database.
What IP address does a load balancer provide for external connections to connect to web servers in a load-balanced group?
A. The IP address for each server, in a prioritized order
B. The load balancer's IP address
C. The IP address for each server in a round-robin order
D. A virtual IP address
D. Load balancers provide a virtual IP, or VIP. Traffic sent to the VIP is directed to servers in the pool based on the load-balancing scheme that pool is using—often a round-robin scheme, but other versions that include priority order and capacity tracking or ratings are also common. The load balancer’s IP address is normally used to administer the system, and individual IP addresses for the clustered hosts are shielded by the load balancer to prevent traffic from consistently going to those hosts, thus creating a failure or load point.
What term describes random bits that are added to a password before it is hashed and stored in a database?
A. Flavoring
B. Rainbow-armor
C. Bit-rot
D. Salt
D. In a well-implemented password hashing scheme, unique random bits called salts are added to each password before they are hashed. This makes generating a rainbow table or otherwise brute-forcing hashes for all of the passwords stored in a database extremely time-consuming. The remaining options were made up and are not actual security terms.
Victor is a network administrator for a medium-sized company. He wants to be able to access servers remotely so that he can perform small administrative tasks from remote locations. Which of the following would be the best protocol for him to use?
A. SSH
B. Telnet
C. RSH
D. SNMP
A. The correct answer is to use Secure Shell (SSH). This protocol is encrypted. SSH also authenticates the user with public key cryptography. Telnet is insecure and does not encrypt data. RSH, or Remote Shell, sends at least some data unencrypted and is also insecure. SNMP, or Simple Network Management Protocol, is used to manage a network and is not used for remote communications.
Dan configures a resource-based policy in his Amazon account. What control has he deployed?
A. A control that determines who has access to the resource, and the actions they can take on it
B. A control that determines the amount that service can cost before an alarm is sent
C. A control that determines the amount of a finite resource that can be consumed before an alarm is set
D. A control that determines what an identity can do
A. Resource-based policies are attached to resources and determine who has access to a resource, such as a group of sysadmins or developers, and what actions they can perform on the resource. Cloud services have different terms for monitoring their resource usage; these terms may vary from service to service.
Charlene's company uses rack-mounted sensor appliances in their datacenter. What are sensors like these typically monitoring?
A. Temperature and humidity
B. Smoke and fire
C. Power quality and reliability
D. None of the above
A. Networked sensor appliances are deployed in many datacenters to gather information about temperature and humidity as part of the environmental monitoring system. Fire detection and suppression systems are not typically mounted in racks, and power quality and reliability is measured by PDUs (power distribution units), UPS (uninterruptable power supplies), and other power infrastructure.
Laurel is reviewing the configuration for an email server in her organization and discovers that there is a service running on TCP port 993. What secure email service has she most likely discovered?
A. Secure POP3
B. Secure SMTP
C. Secure IMAP (IMAPS)
D. Secure MIME (SMIME)
C. Secure IMAP’s default port is TCP 993. Laurel can easily guess that the system offers a TLS-protected version of IMAP for clients to use to retrieve email messages. The default port for secure POP is 995, and for secure SMTP the default port is 587. S/MIME does not have a specific port, as it is used to encrypt the content of email messages.
What type of topology does an ad hoc wireless network use?
A. Point-to-multipoint
B. Star
C. Point-to-point
D. Bus
C. Ad hoc wireless networks operate in a point-to-point topology. Infrastructure mode access points work in a point-to-multipoint topology. Star and bus models are used in wired networks.
What is the primary advantage of allowing only signed code to be installed on computers?
A. It guarantees that malware will not be installed.
B. It improves patch management.
C. It verifies who created the software.
D. It executes faster on computers with a Trusted Platform Module (TPM).
C. Only using code that is digitally signed verifies the creator of the software. For example, if a printer/multifunction device (MFD) driver is digitally signed, this gives you confidence that it really is a printer driver from the vendor it purports to be from, and not malware masquerading as a printer driver. Signed software gives you a high degree of confidence that it is not malware but does not provide a guarantee. For example, the infamous Flame virus was signed with a compromised Microsoft digital certificate. Digital signing of software has no effect on patch management. Finally, digitally signed software will not execute faster or slower than unsigned software.
Samantha has been asked to provide a recommendation for her organization about password security practices. Users have complained that they have to remember too many passwords as part of their job and that they need a way to keep track of them. What should Samantha recommend?
A. Recommend that users write passwords down near their workstation.
B. Recommend that users use the same password for sites with similar data or risk profiles.
C. Recommend that users change their standard passwords slightly based on the site they are using.
D. Recommend a password vault or manager application.
D. The Security+ exam refers to password managers as password vaults. Samantha should recommend a password vault that will allow her users to generate, store, and use many passwords securely. None of the other options are good advice for password use and storage.
Matt has enabled port security on the network switches in his building. What does port security do?
A. Filters by MAC address
B. Prevents routing protocol updates from being sent from protected ports
C. Establishes private VLANs
D. Prevents duplicate MAC addresses from connecting to the network
A. Port security filters by MAC address, allowing whitelisted MAC addresses to connect to the port and blocking blacklisted MAC addresses. Port security can be static, using a predetermined list or dynamically allowing a specific number of addresses to connect, or it can be run in a combination mode of both static and dynamic modes.
Tom is responsible for VPN connections in his company. His company uses IPSec for VPNs. What is the primary purpose of AH in IPSec?
A. Encrypt the entire packet.
B. Encrypt just the header.
C. Authenticate the entire packet.
D. Authenticate just the header.
C. Authentication headers (AHs) provide complete packet integrity, authenticating the packet and the header. Authentication headers do not provide any encryption at all, and authentication headers authenticate the entire packet, not just the header.
Miles wants to ensure that his internal DNS cannot be queried by outside users. What DNS design pattern uses different internal and external DNS servers to provide potentially different DNS responses to users of those networks?
A. DNSSEC
B. Split horizon DNS
C. DMZ DNS
D. DNS proxying
B. A split horizon DNS implementation deploys distinct DNS servers for two or more environments, ensuring that those environments receive DNS information appropriate to the DNS view that their clients should receive. Domain Name System Security Extensions (DNSSEC) is a set of security specifications that helps protect DNS data. DMZ DNS and DNS proxying are not design patterns or common terms used in the security or networking field.
Abigail is responsible for setting up a network-based intrusion prevention system (NIPS) on her network. The NIPS is located in one particular network segment. She is looking for a passive method to get a copy of all traffic to the NIPS network segment so that it can analyze the traffic. Which of the following would be her best choice?
A. Using a network tap
B. Using port mirroring
C. Setting the NIPS on a VLAN that is connected to all other segments
D. Setting up a NIPS on each segment
A. Network taps copy all traffic to another destination, allowing traffic visibility without a device inline. They are completely passive methods of getting network traffic to a central location. Port mirroring would get all the traffic to the network-based intrusion prevention system (NIPS) but is not completely passive. It requires the use of resources on switches to route a copy of the traffic. Incorrect switch configurations can cause looping. Configuring loop detection can prevent looped ports. Putting a network IPS on every segment can be very expensive and require extensive configuration work. Option D is incorrect because it does not meet the assignment; setting up a NIPS on each segment would also dramatically increase administrative effort.
Amanda wants to allow users from other organizations to log in to her wireless network. What technology would allow her to do this using their own home organization's credentials?
A. Preshared keys
B. 802.11q
C. RADIUS federation
D. OpenID Connect
C. Federating RADIUS allows organizations to permit users from other partner organizations to authenticate against their home systems, and then be allowed onto the local organization's network. An example of this is the eduroam federation used by higher education institutions to permit students, faculty, and staff to use college networks anywhere they go where eduroam is in place. Preshared keys are determined by the local organization and would not permit enterprise credentials from other organizations to be used. OpenID is used for web authentication, and 802.11q is a trunking protocol.
Nathan wants to ensure that the mobile devices his organization has deployed can only be used in the company's facilities. What type of authentication should he deploy to ensure this?
A. PINs
B. Biometrics
C. Context-aware authentication
D. Content-aware authentication
C. Context-aware authentication can take into account information like geolocation to ensure that the devices can only be logged into when they are inside of the facility’s boundaries. That means the devices will only be useful on-site and can help protect the data and applications on the devices. Neither PINs nor biometrics can do this, and content-aware authentication was made up for this question.
Which of the following best describes a TPM?
A. Transport Protection Mode
B. A secure cryptoprocessor
C. A DNSSEC extension
D. Total Patch Management
B. A TPM, or Trusted Platform Module, is a secure cryptoprocessor used to provide a hardware root of trust for systems. It enables secure boot and boot attestation capabilities, and includes a random number generator, the ability to generate cryptographic keys for specific uses, and the ability to bind and seal data used for processes the TPM supports.
Janice is explaining how IPSec works to a new network administrator. She is trying to explain the role of IKE. Which of the following most closely matches the role of IKE in IPSec?
A. It encrypts the packet.
B. It establishes the SAs.
C. It authenticates the packet.
D. It establishes the tunnel.
B. Internet key exchange (IKE) is used to set up security associations (SAs) on each end of the tunnel. The security associations have all the settings (i.e., cryptographic algorithms, hashes) for the tunnel. IKE is not directly involved in encrypting or authenticating. IKE itself does not establish the tunnel—it establishes the SAs.
What certificate is most likely to be used by an offline certificate authority (CA)?
A. Root
B. Machine/computer
C. User
D. Email
A. A root certificate is the base certificate that signs an entire certificate chain. A common security practice to protect these incredibly important certificates is to keep the root certificate and CA offline to prevent the potential of compromise or exposure. Machine/computer, user, and email certificates are deployed and used throughout organizations and, since they are used on a frequent basis, aren't likely to be kept offline.
Emily manages the IDS/IPS for her network. She has a network-based intrusion prevention system (NIPS) installed and properly configured. It is not detecting obvious attacks on one specific network segment. She has verified that the NIPS is properly configured and working properly. What would be the most efficient way for her to address this?
A. Implement port mirroring for that segment.
B. Install a NIPS on that segment.
C. Upgrade to a more effective NIPS.
D. Isolate that segment on its own VLAN.
A. The NIPS is not seeing the traffic on that network segment. By implementing port mirroring, the traffic from that segment can be copied to the segment where the NIPS is installed. Installing a network IPS on the segment would require additional resources. This would work but is not the most efficient approach. Nothing in this scenario suggests that the NIPS is inadequate. It just is not seeing all the traffic. Finally, isolating the segment to its own VLAN would isolate that network segment but would still not allow the NIPS to analyze the traffic from that segment.
Dana wants to protect data in a database without changing characteristics like the data length and type. What technique can she use to do this most effectively?
A. Hashing
B. Tokenization
C. Encryption
D. Rotation
B. Tokenization is used to protect data by substituting tokens for sensitive data without changing the length or data type. This allows databases to handle the data in the same way as it was prior to tokenization, ensuring that existing software will not run into problems due to the data being changed. Encryption provides similar protection but will normally change either the data length, the data type, or both. Hashing is one-way, which means it is not a good fit for many scenarios where tokenization or encryption will protect data. Rotation is not a security method used for this type of work.