
Domain 3 Quiz

  1. Decide where things go.
    Network security components
    WAF on web server.

    DLP on firewall. In a later quiz I say DLP goes either at a perimeter firewall or on endpoints, or workstations. But we have just two. Putting DLP on just one or two workstations is wrong. The idea is really "On what type of place does this go?"; it's all or none. I don't have two workstations, or two border firewalls, so I picked firewall and file server on the exam, and I think it was graded as correct.

    DLP on file server.

    3 802.1x on 3 switches.

    ACL on router.

    Rules on firewall.

    RADIUS on spare server.
  2. Your CEO has met with the CEO of another company, and they have agreed to work together to develop a new service. Authentication and identity management will be connected across the two organizations. Given the sensitivity of the development project, user authentication and authorization will use a centralized server running the best available trusted third-party service. Users will receive identity and service tokens from a unified authentication and authorization service, which requires that system clocks be synchronized across the organizations. Applications will be limited to those written with the API of that service. What do you need?
    1. BPA
    2. Federation
    3. Kerberos
    4. KDC
    5. NTP
    6. Kerberization
    This is a very difficult type of question because it isn't primarily a cybersecurity question. You have to understand the cybersecurity terms and concepts, but it's really testing your ability to analyze English prose. All choices are relevant and correct in some sense. I put them in the same order to make this easier:
    1. BPA = the CEOs met
    2. Federation = connecting IAM
    3. Kerberos = best available 3rd party authentication service
    4. KDC = Key Distribution Center, the Kerberos server
    5. NTP = Network Time Protocol
    6. Kerberization = (re)writing an application with the Kerberos API, making it Kerberized
    Figure out the answer by analyzing the verbs. Most of this is a narrative story, explaining what has or will happen. The question is "What do you need?", and the verb require is associated with synchronizing system clocks. NTP is required, we need NTP; everything else is the story.
  3. The content management group is considering the use of DNS Round Robin technology. What benefit could this provide?
    1. Load balancing
    2. Transparent proxying
    3. Anti-spoofing
    4. Certificate sharing
    The DNS server returns a list of IP addresses and rotates the order at each successive response. The clients will distribute their activity across the multiple servers, which hold identical data sets, in roughly equal amounts. Note what it doesn't do: the DNS server has no idea whether any of those servers is up, so a dead server keeps receiving its share of clients until someone removes its record.

    As a practical example, at one time www.jpl.nasa.gov resolved to a list of IP addresses, one server at each major NASA facility in the US. The list you got was in an arbitrary order, and your browser used the first one in the list. It worked, you saw the images from the current mission, and all NASA web servers had roughly equal loads.
  4. Users are reporting that they can't access the financial department's secure web page. The following command output is observed. What is wrong?
    $ netstat -an
    Active Internet connections (including servers)
    Proto Recv-Q Send-Q Local Address          Foreign Address        (state)
    tcp4       0      0 10.138.0.3:22          184.16.205.240:50966   ESTABLISHED
    tcp4       0      0 127.0.0.1:9000         127.0.0.1:37632        TIME_WAIT
    tcp4       0      0 127.0.0.1:11628        127.0.0.1:9000         TIME_WAIT
    tcp4       0      0 127.0.0.1:12042        127.0.0.1:9000         TIME_WAIT
    tcp4       0      0 10.138.0.3:80          130.15.4.209:46944     TIME_WAIT
    tcp4       0      0 10.138.0.3:80          46.229.168.70:15234    TIME_WAIT
    tcp4       0      0 10.138.0.3:80          173.187.65.22:50598    ESTABLISHED
    tcp4       0      0 10.138.0.3:80          212.3.84.1:55989       ESTABLISHED
    tcp4       0      0 10.138.0.3:80          212.3.84.1:55987       ESTABLISHED
    tcp4       0      0 10.138.0.3:80          212.3.84.1:55988       TIME_WAIT
    tcp4       0      0 10.138.0.3:80          212.3.84.1:55986       TIME_WAIT
    tcp4       0      0 *:80                   *.*                    LISTEN
    tcp4       0      0 127.0.0.1:9000         *.*                    LISTEN
    tcp4       0      0 *:22                   *.*                    LISTEN
    tcp4       0      0 127.0.0.1:25           *.*                    LISTEN
    udp4       0      0 127.0.0.1:123          *.*                    
    udp4       0      0 10.138.0.3:123         *.*                    
    udp4       0      0 *:123                  *.*                    
    udp4       0      0 *:514                  *.*                    
    
    1. The web server is down
    2. The server is up but its web service isn't running
    3. The certificate is expired
    4. The certificate has been revoked
    5. HTTPS isn't enabled
    6. A firewall is blocking connections
    Read the output. Every TCP socket has a Local Address of 127.0.0.1 (localhost), 10.138.0.3 (apparently the Ethernet interface address), or "*" (meaning "on all interfaces"), and several of the local ports are below 1024 (22, 25, 80, 123, 514). The "Foreign Address" column has a variety of remote IP addresses at high-numbered ports. So, this command ran on the server itself. Now look only at the LISTEN lines for TCP: 22 (SSH), 25 (SMTP, loopback only), 80 (HTTP), and whatever that is on TCP/9000 (loopback only). Nothing is listening on TCP/443. So the server OS is running, and it is running HTTP, but it is not running HTTPS. One small omission in the web server configuration file.

    This is real output, copy and paste from a connection to my web server, but with listening HTTPS removed and all instances of TCP/443 changed to TCP/80. My server is at Google, in a 10.38.0.0/24 VLAN.
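As an added example (mine, not part of the original quiz page), here is a Python script that reads the same kind of netstat -an listing and answers the question mechanically: which TCP ports are in LISTEN state, which of those are bound to something other than loopback, and therefore whether HTTPS is actually enabled. The listing inside it is constructed in the same layout as the exhibit above, not copied from a real host; Linux netstat prints 0.0.0.0:80 and :::80 for wildcard binds, which the address splitter also handles.

```python
"""Parse `netstat -an` style output and report which TCP ports are listening,
so "is HTTPS actually enabled?" can be answered from the text.
Added example; SAMPLE is constructed to match the shape of the quiz exhibit."""
import re

# Constructed sample in the BSD/macOS netstat -an layout (same columns as the quiz).
SAMPLE = """\
Active Internet connections (including servers)
Proto Recv-Q Send-Q Local Address          Foreign Address        (state)
tcp4       0      0 10.138.0.3:22          184.16.205.240:50966   ESTABLISHED
tcp4       0      0 10.138.0.3:80          212.3.84.1:55989       ESTABLISHED
tcp4       0      0 *:80                   *.*                    LISTEN
tcp4       0      0 127.0.0.1:9000         *.*                    LISTEN
tcp4       0      0 *:22                   *.*                    LISTEN
tcp4       0      0 127.0.0.1:25           *.*                    LISTEN
udp4       0      0 *:123                  *.*
"""

# proto, recv-q, send-q, local, foreign, optional state (UDP lines have none)
LINE = re.compile(
    r"^(?P<proto>tcp\d?|udp\d?)\s+\d+\s+\d+\s+(?P<local>\S+)\s+(?P<foreign>\S+)(?:\s+(?P<state>\S+))?"
)

LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def split_addr(addr):
    """'*:80' -> ('*', 80); '127.0.0.1:9000' -> ('127.0.0.1', 9000); ':::80' -> ('::', 80)."""
    host, _, port = addr.rpartition(":")
    return host, int(port)


def listening_tcp(text):
    """Return {port: set of bind addresses} for TCP sockets in LISTEN state."""
    result = {}
    for line in text.splitlines():
        m = LINE.match(line)
        if not m or not m.group("proto").startswith("tcp") or m.group("state") != "LISTEN":
            continue
        host, port = split_addr(m.group("local"))
        result.setdefault(port, set()).add(host)
    return result


def exposed_tcp(text):
    """Ports reachable from outside: bound to a wildcard or a non-loopback address."""
    return {port for port, hosts in listening_tcp(text).items()
            if any(h not in LOOPBACK for h in hosts)}


def diagnose_web(text):
    """Mirror the quiz reasoning: OS up (something listens), HTTP on 80, HTTPS on 443."""
    listen = listening_tcp(text)
    exposed = exposed_tcp(text)
    if not listen:
        return "nothing listening: host or stack is down"
    if 443 in exposed:
        return "HTTPS is listening on an external interface"
    if 80 in exposed:
        return "HTTP is listening but HTTPS (443) is not enabled"
    return "web service is not running"


if __name__ == "__main__":
    print(sorted(listening_tcp(SAMPLE)))   # [22, 25, 80, 9000]
    print(sorted(exposed_tcp(SAMPLE)))     # [22, 80]
    print(diagnose_web(SAMPLE))
```

On a real host, pipe the output of `netstat -an` (or `ss -ltn` on a modern Linux box, which prints the same LISTEN column) into `diagnose_web`. The loopback test matters as much as the port test: TCP/9000 and TCP/25 are listening here, but only on 127.0.0.1, so they are not part of the exposed service set.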
  5. Which of these can you put in a boot script to prevent MitM?
    1. nmap -sS -sV -T5 192.168.12.72
    2. arp -s 192.168.12.72 00:13:3b:12:6f:aa
    3. tcpdump -i eth0 host 192.168.12.72 or ether host 00:13:3b:12:6f:aa
    4. netstat -an
    5. ping 192.168.12.72
    That arp -s syntax adds a static ARP entry; Linux, macOS, BSD, and Windows all accept arp -s with the IP address and the MAC address (Windows writes the MAC with dashes, 00-13-3b-12-6f-aa). Static ARP isn't at all practical at scale, but it could prevent MitM connection hijacking with ARP spoofing: once a static mapping exists for that IP address, the operating system no longer sends ARP requests for it and ignores inbound unsolicited ARP "answers" claiming it. The entry does not survive a reboot, which is why the question puts the command in a boot script. The other commands are nmap (port scanning and OS detection), tcpdump (packet capture), netstat (listing TCP/UDP activity), and ping (testing end-to-end IP connectivity). Static ARP is the only one that has any preventative function.
  6. You are examining records from a busy server that is critical to your organization's financial well-being. You find this:
    LAST WEEK:
    /boot/grub/grub.cfg:	6c3209882734351aa672d3f222bb382267c22ad4
    /boot/vmlinuz-4.13.0:	d6328ceea77c930e853da08b494c71ad2f8f9b47
    /etc/passwd:		02f727aaabab9c2963092ba3d7f3543980fef790
    /etc/shadow:		71558dd386a50333ffb71c07ad904e9abd6792cf
    /etc/ssh/sshd_config:	5a960d6641b42ff8f9e947e218b371b2ad12a728
    /bin/ls			b79f70b18538de0199e6829e06b547e079df8842
    
    TODAY:
    /boot/grub/grub.cfg:	6c3209882734351aa672d3f222bb382267c22ad4
    /boot/vmlinuz-4.13.0:	d6328ceea77c930e853da08b494c71ad2f8f9b47
    /etc/passwd:		02f727aaabab9c2963092ba3d7f3543980fef790
    /etc/shadow:		9a4fb74ef00824d6e84785ad53d6fed364947778
    /etc/ssh/sshd_config:	5a960d6641b42ff8f9e947e218b371b2ad12a728
    /bin/ls			b79f70b18538de0199e6829e06b547e079df8842 
    What should you report to management?
    1. Everything seems to be fine.
    2. A user is violating the AUP.
    3. An intruder has gained administrative access and changed the system configuration.
    4. An intruder has gained administrative access and replaced operating system components, and we can no longer trust the operating system itself or any programs installed there.
    The file /etc/shadow changed, but we expect this. It changes every time a user changes their password. Apparently "busy" implies enough users that we caught someone changing their password between last week's and today's Tripwire runs. Before you report "everything seems to be fine", confirm it: an intruder resetting an existing user's password would change /etc/shadow in exactly the same way, so match the change against the authentication log, and note that /etc/passwd is unchanged, so no account was added.
  7. You are examining records from a busy server that is critical to your organization's financial well-being. You observe this:
    LAST WEEK:
    /boot/grub/grub.cfg:	6c3209882734351aa672d3f222bb382267c22ad4
    /boot/vmlinuz-4.13.0:	d6328ceea77c930e853da08b494c71ad2f8f9b47
    /etc/passwd:		02f727aaabab9c2963092ba3d7f3543980fef790
    /etc/shadow:		71558dd386a50333ffb71c07ad904e9abd6792cf
    /etc/ssh/sshd_config:	5a960d6641b42ff8f9e947e218b371b2ad12a728
    /bin/ls			b79f70b18538de0199e6829e06b547e079df8842
    
    TODAY:
    /boot/grub/grub.cfg:	6c3209882734351aa672d3f222bb382267c22ad4
    /boot/vmlinuz-4.13.0:	d6328ceea77c930e853da08b494c71ad2f8f9b47
    /etc/passwd:		02f727aaabab9c2963092ba3d7f3543980fef790
    /etc/shadow:		71558dd386a50333ffb71c07ad904e9abd6792cf
    /etc/ssh/sshd_config:	9c5bbcbdc2994a9835b8804b9ffa699935715a34
    /bin/ls			b79f70b18538de0199e6829e06b547e079df8842 
    What should you report to management?
    1. Everything seems to be fine.
    2. A user is violating the AUP.
    3. An intruder has gained administrative access and changed the system configuration.
    4. An intruder has gained administrative access and replaced operating system components, and we can no longer trust the operating system itself or any programs installed there.
    Intrusion! Someone has modified a system configuration file, /etc/ssh/sshd_config, and nothing else. Editing that file takes root, so the report is option 3. (In practice you check the change record first; a legitimate administrator's edit produces the same hash change, which is exactly why configuration changes should be logged.)
  8. You are examining records from a busy server that is critical to your organization's financial well-being. You observe this:
    LAST WEEK:
    /boot/grub/grub.cfg:	6c3209882734351aa672d3f222bb382267c22ad4
    /boot/vmlinuz-4.13.0:	d6328ceea77c930e853da08b494c71ad2f8f9b47
    /etc/passwd:		02f727aaabab9c2963092ba3d7f3543980fef790
    /etc/shadow:		71558dd386a50333ffb71c07ad904e9abd6792cf
    /etc/ssh/sshd_config:	5a960d6641b42ff8f9e947e218b371b2ad12a728
    /bin/ls			b79f70b18538de0199e6829e06b547e079df8842
    
    TODAY:
    /boot/grub/grub.cfg:	6c3209882734351aa672d3f222bb382267c22ad4
    /boot/vmlinuz-4.13.0:	cfc34c90281bbed47540c6288ec975a4602ee3df
    /etc/passwd:		02f727aaabab9c2963092ba3d7f3543980fef790
    /etc/shadow:		71558dd386a50333ffb71c07ad904e9abd6792cf
    /etc/ssh/sshd_config:	5a960d6641b42ff8f9e947e218b371b2ad12a728
    /bin/ls			b79f70b18538de0199e6829e06b547e079df8842 
    What should you report to management?
    1. Everything seems to be fine.
    2. A user is violating the AUP.
    3. An intruder has gained administrative access and changed the system configuration.
    4. An intruder has gained administrative access and replaced operating system components, and we can no longer trust the operating system itself or any programs installed there.
    This is the worst of all. Someone has replaced the file containing the kernel. Once you reboot after such a change, you are running the intruder's operating system. This is a sign of a rootkit, option 4. A kernel file whose version name did not change, altered outside any patch window, is not explained by a normal update; verify against the package manager and the change record, but treat the host as untrusted until it is rebuilt from known-good media.
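Questions 6, 7 and 8 are all the same procedure: compare a baseline of file hashes with today's, then decide what a change to each path means. As an added example (mine, not from the original page or from Tripwire), here is that comparison in Python. The baseline text is constructed in the same "path: hash" layout as the exhibits, and the three "today" snapshots reuse the hash values shown in questions 6 to 8 so the classification can be checked against the answers above. Which paths count as volatile or as OS components is an assumption coded into two constants.

```python
"""Tripwire-style comparison of two hash snapshots, classifying each changed
path the way questions 6 to 8 do. Added example, not from the original page."""
import hashlib
import re

# Assumption: files that legitimately change during normal operation.
# A change here is "expected" only once matched to a logged action.
VOLATILE = {"/etc/shadow"}
# Assumption: paths whose change means the OS itself can no longer be trusted.
OS_CORE_PREFIXES = ("/boot/", "/bin/", "/sbin/", "/lib/", "/usr/bin/", "/usr/sbin/")

# Constructed baseline in the exhibit layout (tabs after the path, optional colon).
BASELINE = """\
/boot/grub/grub.cfg:\t6c3209882734351aa672d3f222bb382267c22ad4
/boot/vmlinuz-4.13.0:\td6328ceea77c930e853da08b494c71ad2f8f9b47
/etc/passwd:\t\t02f727aaabab9c2963092ba3d7f3543980fef790
/etc/shadow:\t\t71558dd386a50333ffb71c07ad904e9abd6792cf
/etc/ssh/sshd_config:\t5a960d6641b42ff8f9e947e218b371b2ad12a728
/bin/ls\t\t\tb79f70b18538de0199e6829e06b547e079df8842
"""

SNAP_LINE = re.compile(r"^\s*(\S+?):?\s+([0-9a-fA-F]{40,128})\s*$")  # SHA-1 .. SHA-512


def parse_snapshot(text):
    """'path: hash' or 'path<tabs>hash' lines -> {path: hash}; other lines are ignored."""
    snap = {}
    for line in text.splitlines():
        m = SNAP_LINE.match(line)
        if m:
            snap[m.group(1)] = m.group(2).lower()
    return snap


def classify(path):
    if path in VOLATILE:
        return "expected-volatile"
    if path.startswith(OS_CORE_PREFIXES):
        return "os-component"
    return "config"


def compare(baseline, current):
    """{path: kind} for every path whose hash differs, or which appeared or vanished."""
    return {path: classify(path)
            for path in sorted(set(baseline) | set(current))
            if baseline.get(path) != current.get(path)}


def verdict(changes):
    """Map the change set onto the quiz's four report options, worst case first."""
    kinds = set(changes.values())
    if "os-component" in kinds:
        return "OS components replaced; the OS itself can no longer be trusted"
    if "config" in kinds:
        return "system configuration changed; treat as intrusion until explained"
    if kinds:
        return "only volatile files changed; verify against logged password changes"
    return "no changes"


def hash_bytes(data):
    """SHA-1 to match the 40-hex exhibits; use SHA-256 for a new baseline."""
    return hashlib.sha1(data).hexdigest()


def hash_file(path):
    """How a baseline line is produced in the first place."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


if __name__ == "__main__":
    base = parse_snapshot(BASELINE)
    today = {**base, "/boot/vmlinuz-4.13.0": "cfc34c90281bbed47540c6288ec975a4602ee3df"}
    print(compare(base, today))
    print(verdict(compare(base, today)))
```

The ordering inside `verdict` is the point: one replaced kernel outranks any number of expected changes, and a changed config file outranks a changed shadow file. Keep the baseline somewhere the monitored host cannot write to, or the intruder who replaced `/bin/ls` will also update the hash you compare against.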
  9. Management has decided that they want wireless security, but they don't have the resources to do key management and maintain certificates. What should they use?
    1. WEP
    2. WAP
    3. WPA
    4. WPA2 Enterprise
    5. WPS
    WEP, of course, must not be used. WPS is also insecure, though its weakness hasn't been as widely known for as long as WEP's. Multiple WAPs will be involved, but that's a tempting distractor, like answering "we need copper wire" for an Ethernet problem. WPA2 Enterprise requires a RADIUS server and certificates, thus PKI, which is exactly what management says it can't maintain. That leaves WPA with a pre-shared key.
  10. Management has decided to use geo-fencing to restrict mobile device operation to company premises. Which technology should you select?
    1. BYOD
    2. COPE
    3. CYOD
    4. BODE
    BYOD and CYOD would leave the employees with partially dysfunctional personal devices. The COPE choice is just as dysfunctional off-premises, but it's the company's phone, not the employee's.
  11. You observe the following in the results of a security scan. What is this?
    Channel SSID
    1 corpnet3
    6 corpnet3
    6 netgear
    11 corpnet3
    1. Evil twin
    2. Rogue AP
    3. Bluesnarfing
    4. Watering hole
    The third entry has a default SSID, the name of a major manufacturer: a rogue AP. It probably still has other default settings, and the security problems that come with them.
  12. Desmond, a network engineer, has been directed to set up network security that will require a device to authenticate itself onto the network and verify that patching and anti-virus signatures are updated, before allowing the user to try to authenticate. What should Desmond use?
    1. 802.1i
    2. 802.1x
    3. 802.1q
    4. 802.11i
    802.1X, port-based network access control. The posture check (patches and anti-virus signatures current) is the NAC policy layered on top of it. Don't confuse this with switch "port security", which only limits which MAC addresses a port accepts.
  13. You observe the following in the results of a security scan. What is this?
    Channel SSID
    1 corpnet3
    6 corpnet3
    6 corpnet3
    11 corpnet3
    1. Evil twin
    2. Rogue AP
    3. Bluesnarfing
    4. Watering hole
    In the CompTIA universe, no organization is large enough to need more than three WAPs. Nor does it have a large enough facility to have two WAPs on the same channel at either end of the building. And, apparently, all WLANs are 802.11b/g/n/ax in North America, so there are 11 channels. So, either the 2nd or 3rd in the list is a fake set up to attract connections.

    In case Bob hasn't remembered to tell you this part yet...

    The three useful channels (in the CompTIA universe) are 1, 6, and 11. If you get a "configure this network" diagram involving wireless, carefully look all around it to see what fixed wireless is already there.

    If you are configuring the only WAP, use channel 6 as it's the middle of the band and the antenna(s), always a compromise, will work best there.

    If you are configuring an additional WAP, and there's already just one on either channel 1 or 11, pick the opposite end.

    If there are two others, pick whichever of 1, 6, and 11 isn't yet in use.
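Questions 11 and 13 and the channel rules above are, between them, one small survey-analysis routine. As an added example (mine, not from the original page), here it is in Python: parse the "Channel SSID" table, flag a default SSID as a possible rogue AP, flag the corporate SSID appearing on more APs than the inventory says we deployed as a possible evil twin, and pick the next channel by the 1/6/11 rule. The default-SSID list and the three-AP inventory are assumptions, and the two scan tables reproduce the exhibits.

```python
"""Wireless survey analysis for the exhibits in questions 11 and 13, plus the
1/6/11 channel rule. Added example, not from the original page; DEFAULT_SSIDS
and INVENTORY are assumptions."""

NON_OVERLAPPING = (1, 6, 11)               # the usable 2.4 GHz channels in the CompTIA universe
DEFAULT_SSIDS = {"netgear", "linksys", "dlink", "default", "tp-link"}   # assumed list

SCAN_Q11 = "Channel SSID\n1 corpnet3\n6 corpnet3\n6 netgear\n11 corpnet3\n"
SCAN_Q13 = "Channel SSID\n1 corpnet3\n6 corpnet3\n6 corpnet3\n11 corpnet3\n"
INVENTORY = {1: 1, 6: 1, 11: 1}            # assumed: we deployed one corpnet3 AP per channel


def parse_scan(text):
    """'Channel SSID' table -> list of (channel, ssid); the header line is skipped."""
    rows = []
    for line in text.splitlines()[1:]:
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0].isdigit():
            rows.append((int(parts[0]), parts[1].strip()))
    return rows


def analyse(rows, corp_ssid, inventory):
    """Return [(finding, channel, ssid)] for rogue APs and possible evil twins."""
    findings = []
    seen = {}
    for ch, ssid in rows:
        if ssid.lower() in DEFAULT_SSIDS:
            findings.append(("rogue-ap", ch, ssid))
        if ssid == corp_ssid:
            seen[ch] = seen.get(ch, 0) + 1
    for ch, count in sorted(seen.items()):
        if count > inventory.get(ch, 0):   # more APs with our name than we own
            findings.append(("evil-twin", ch, corp_ssid))
    return findings


def pick_channel(in_use):
    """6 if we are the only AP; the far end opposite a lone 1 or 11; else whatever is free."""
    used = set(in_use) & set(NON_OVERLAPPING)
    if not used:
        return 6
    if used == {1}:
        return 11
    if used == {11}:
        return 1
    free = [c for c in NON_OVERLAPPING if c not in used]
    return free[0] if free else None


if __name__ == "__main__":
    print(analyse(parse_scan(SCAN_Q11), "corpnet3", INVENTORY))   # rogue AP on 6
    print(analyse(parse_scan(SCAN_Q13), "corpnet3", INVENTORY))   # evil twin on 6
    print(pick_channel([1]), pick_channel([1, 6]))                 # 11 11
```

A real survey tool also reports each AP's BSSID (its MAC address) and signal strength; comparing BSSIDs against the inventory is a far better evil-twin test than counting SSIDs per channel, which only works in a building small enough that no channel is legitimately reused.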
  14. You observe this data.
    An unapproved executable attempted to run and was prevented.
    The action was stopped and logged.
    Location: c:\Program Files\Chromium Browser\Chrome.exe
        User: Elon
       Cause: Policy setting for unapproved software 
    Which tool or defensive measure was involved?
    1. File integrity check
    2. Antivirus
    3. Blacklisting
    4. Whitelisting
    5. DLP
    6. DEP
    It was not on the approved list, so it was blocked.
  15. Julie, a network engineer, has been informed by management that they want to deploy network security technology that uses OSI layers 4 through 7 to authenticate, authorize, and audit Internet activity. To reduce the load on help desk personnel, this must require little to no browser or other application reconfiguration. What should she recommend?
    1. SIEM
    2. 802.1x
    3. Transparent proxy
    4. Load balancer
  16. Jenny can unlock her work mobile phone by drawing a pattern on the screen with her finger. This mode of authentication verifies:
    1. Something you know
    2. Something you have
    3. Something you are
    4. Something you do
    5. Somewhere you are
    Yes, she has to know what to draw, but let's say she knows she's to draw the digit 4. Each of us would have our own way of drawing that, and the test is how she draws it. And she has to have the phone. Ultimate answer: "Something you do", because that is what CompTIA wants you to say for drawing a pattern.
  17. To enter the server room Joe must pass through a mantrap, entering a PIN on a keypad at the outer door, entering the mantrap and closing the door behind him, swiping his badge on the reader, then typing a password into a keyboard by the inner door. How many factors is this?
    1. 1
    2. 2
    3. 3
    4. 4
    PIN = know, badge = have, password = know. The thing he knows is split into two parts, one called PIN and the other password.
  18. To enter the server room Joe must be recognized by the guard, enter a PIN on the keypad, and place his hand on a scanner. How many factors is this?
    1. 1
    2. 2
    3. 3
    4. 4
    Recognized = is (his face), PIN = know, hand scan = is. The thing he is has been considered in two parts, his face and his hand.
  19. To enter the server room Joe must be recognized by the guard, show the guard his badge, and enter a PIN on the keypad. How many factors is this?
    1. 1
    2. 2
    3. 3
    4. 4
    Recognized = is, badge = has, PIN = know. The question doesn't say anything about his picture being on the badge.
  20. Joe has been given a Post-It note with a PIN written on it. To enter the server room he must be recognized by the guard, tell the guard the passphrase of the day, and enter the PIN on the keypad. How many factors is this?
    1. 1
    2. 2
    3. 3
    4. 4
    Recognized = is, passphrase = know, PIN = know. Yes, the PIN is written on a Post-It note, but that doesn't make the note a thing he has to have. Obviously he's supposed to memorize the PIN.
  21. Kristina works at a financial services firm that suffered a major breach. They have implemented a centralized AAA system regulating access to the Intranet. After proving their identity with a smart card and a complex passphrase, users are connected to the appropriate VLAN. Internal services are only provided to user sessions holding valid service tickets. Intranet activity records are continuously analyzed to detect inappropriate or malicious activity. Identify this latter activity.
    1. Identification
    2. Authentication
    3. Authorization
    4. Auditing
    Many questions have a lot of distracting content. This question is really no more than "What is the name for monitoring activity?"
  22. Akira authenticates with a device that displays a different value every minute. What is this an example of?
    1. Multi-factor
    2. OTP
    3. HOTP
    4. TOTP
    Many people will say "multi-factor" because they're assuming that this is in addition to a password, but the question only mentions the token. TOTP is a time-based one-time password. Yes, there is hashing inside the token either way: HOTP, the HMAC-based one-time password of RFC 4226, computes an HMAC over a counter that advances each time a code is used, and TOTP (RFC 6238) is the same computation with the counter derived from the clock. "A different value every minute" means the counter is time, so TOTP.
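As an added example (mine, not from the original page), here are both algorithms in Python using only the standard library, so you can see that TOTP really is HOTP with the time step as the counter. The key is the published RFC 4226/6238 test-vector secret, used here purely as a constructed input; the quiz's once-a-minute token would simply use a 60 second step instead of the 30 second default.

```python
"""HOTP (RFC 4226) and TOTP (RFC 6238) from the standard library.
Added example, not from the original page. SECRET is the RFC test-vector key."""
import hashlib
import hmac
import struct
import time

SECRET = b"12345678901234567890"   # RFC test-vector key; never use a fixed key in production


def hotp(key, counter, digits=6, algo=hashlib.sha1):
    """HMAC over the 8-byte big-endian counter, dynamic truncation, modulo 10^digits."""
    mac = hmac.new(key, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F                                   # low nibble of the last byte
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(key, at=None, step=30, digits=6, algo=hashlib.sha1):
    """TOTP is HOTP with counter = floor(unix_time / step). step=60 gives a new code each minute."""
    at = time.time() if at is None else at
    return hotp(key, int(at // step), digits, algo)


def verify_totp(key, code, at=None, step=30, window=1, **kw):
    """Accept the current step and `window` steps either side (clock drift), in constant time."""
    at = time.time() if at is None else at
    for drift in range(-window, window + 1):
        if hmac.compare_digest(totp(key, at + drift * step, step, **kw), code):
            return True
    return False


if __name__ == "__main__":
    print(hotp(SECRET, 0), hotp(SECRET, 1))      # 755224 287082
    print(totp(SECRET, at=59))                   # 287082 (counter 1)
    print(totp(SECRET, at=59, digits=8))         # 94287082
```

Notice that the verifier has to accept a small window of steps, because nobody's clock is exactly right; that is the same clock-synchronization requirement that Kerberos had in question 2. The `compare_digest` call matters too: comparing codes with `==` leaks timing information about how many leading digits matched.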
  23. Kerberos provides which three of the following? Select three.
    1. Network intrusion detection
    2. ESSO
    3. Cryptographic key control
    4. Log analysis and alerting
    5. An API supporting third-party applications
    6. A "single pane of glass" dashboard
    ESSO, cryptographic key control (the KDC issues the session keys), and the API, options 2, 3, and 5. Applications written to use Kerberos capabilities are said to be "Kerberized".
  24. Functional SSO must incorporate which of the following?
    1. Active Directory
    2. RADIUS
    3. Federated identity management
    4. Kerberos
    Single sign-on requires federated identities. You could do that with Kerberos alone, or with AD, which is built on Kerberos.
  25. Which of these is an XML-based open-source standard that involves an IdP or Identity Provider, an SP or Service Provider, and a Principal, and is the basis for several other authentication systems?
    1. SAML
    2. OAUTH
    3. OpenID
    4. Shibboleth
    5. WS-Federation
  26. You are equipping a forensics team. Which of these would be most useful?
    1. A set of precision screwdrivers
    2. A playbook
    3. Luminol
    4. Latex gloves and masks
    The last two are for biomedical work, CompTIA will trap people who like a certain type of TV show. The first might be useful, eventually. But a playbook is useful during a forensics investigation, planning in advance for decision points during an incident.
  27. You observe this data.
    11:43:57.293662 IP 192.168.1.1 > 192.168.1.7: ICMP echo request, id 5331, seq 1, length 64
    11:43:57.294143 IP 192.168.1.7 > 192.168.1.1: ICMP echo reply, id 5331, seq 1, length 64
    11:43:58.294308 IP 192.168.1.1 > 192.168.1.7: ICMP echo request, id 5331, seq 2, length 64
    11:43:58.294730 IP 192.168.1.7 > 192.168.1.1: ICMP echo reply, id 5331, seq 2, length 64
    11:43:59.322328 IP 192.168.1.1 > 192.168.1.7: ICMP echo request, id 5331, seq 3, length 64
    11:43:59.322645 IP 192.168.1.7 > 192.168.1.1: ICMP echo reply, id 5331, seq 3, length 6 
    Which tool or defensive measure was involved? Select two.
    1. Wireshark
    2. ping
    3. nmap
    4. tcpdump
    5. netstat
    6. arp
    7. ifconfig
    That's the output from tcpdump; Wireshark captures the same packets, and its command-line version, tshark, prints something close to this. Yes, a ping command was running to generate this traffic, but its own output looks different.
  28. You observe this data.
    www.google.com (172.217.6.4) 56(84) bytes of data.
    64 bytes from ord38s01-in-f4.1e100.net (172.217.6.4): icmp_seq=1 ttl=116 time=26.9 ms
    64 bytes from ord38s01-in-f4.1e100.net (172.217.6.4): icmp_seq=2 ttl=116 time=28.2 ms
    64 bytes from ord38s01-in-f4.1e100.net (172.217.6.4): icmp_seq=3 ttl=116 time=27.2 ms
    64 bytes from ord38s01-in-f4.1e100.net (172.217.6.4): icmp_seq=4 ttl=116 time=27.2 ms
    64 bytes from ord38s01-in-f4.1e100.net (172.217.6.4): icmp_seq=5 ttl=116 time=28.5 ms
    
    --- www.google.com statistics ---
    5 packets transmitted, 5 received, 0% packet loss, time 4005ms
    rtt min/avg/max/mdev = 26.976/27.673/28.568/0.621 ms 
    Which tool or defensive measure was involved?
    1. Wireshark
    2. ping
    3. nmap
    4. tcpdump
    5. netstat
    6. arp
    7. ifconfig
    That's ping output with its name removed. On the test you can go back, so if you realize that this is ping output while earlier that must have been tcpdump capture of it, you can go back and change your answer.
  29. You observe this data.
    Host is up (0.00031s latency).
    rDNS record for 192.168.1.40: hplj4250n.kc9rg.org
    Not shown: 993 closed ports
    PORT      STATE SERVICE    VERSION
    80/tcp    open  http       Virata-EmWeb 6.2.1 (HP LaserJet http config)
    280/tcp   open  http       Virata-EmWeb 6.2.1 (HP LaserJet http config)
    443/tcp   open  ssl/https?
    515/tcp   open  printer
    7627/tcp  open  http       HP-ChaiSOE 1.0 (HP LaserJet http config)
    9100/tcp  open  jetdirect?
    14000/tcp open  tcpwrapped
    MAC Address: 00:12:79:DF:81:B1 (Hewlett Packard)
    Device type: printer
    Running: HP embedded
    OS details: HP LaserJet 4250 (JetDirect) printer
    Network Distance: 1 hop
    Service Info: Host: 192.168.1.40; Device: printer 
    Which tool or defensive measure was involved?
    1. Wireshark
    2. ping
    3. nmap
    4. tcpdump
    5. netstat
    6. arp
    7. ifconfig
    That's nmap output, with the first and last lines showing its own name removed. I scanned my laser printer.
  30. You want to use a system that can protect communication by authenticating the server, and also providing a copy of the server's public key in a trustworthy format. A provider of trusted certificates will only provide one when you follow their rules. There is a protocol that you can use to check in real time whether a certificate should be trusted or not. You must have a copy of the currently untrusted certificates locally, to reduce network traffic. Rather than a complete copy of the key, you may refer to its hash instead. There are ways to prevent a breach today from exposing secrets based on keys in the past. What do you need?
    1. TLS
    2. CPS
    3. OCSP
    4. CRL
    5. thumbprint
    6. PFS
    This is another English prose analysis question. All choices are correct, relevant, part of the story. I have again made it relatively easy by putting the answer choices in the same order:

    "a system that can ..." = TLS or Transport Layer Security
    "the rules" = CPS or Certificate Practices Statement
    "a protocol" = OCSP or Online Certificate Status Protocol
    "copy of the revoked keys" = CRL or Certificate Revocation List
    "its hash" = thumbprint
    "exposure today doesn't expose keys from the past" = PFS or Perfect Forward Secrecy

    "What do you need?" is the actual question. One of the sentences says "You must have", it's a requirement. The others state that the item provides some feature, or describe your plan.

    The requirement is for a local copy of the CRL, which is a relatively uncommon or unneeded step. This makes it a better question from the CompTIA point of view. Less common makes it more challenging.
  31. Blake has been asked to configure the web server to provide Perfect Forward Secrecy. Which security feature will this provide?
    1. Data sent from the server to the client will always be protected
    2. Data sent from the client to the server will always be protected
    3. A breach today does not expose keys from the past
    4. A breach today does not expose keys in the future
    Yes, the name seems backwards to me, too. It's often called just "forward secrecy": each session gets its own ephemeral key, so capturing the server's long-term private key later doesn't let you decrypt recorded sessions from before.
  32. Alice wants to send an encrypted message to Bob. What does she need?
    1. Alice's public key
    2. Alice's private key
    3. Bob's public key
    4. Bob's private key
    Know the fundamentals!
    Goal                   Sender needs                                   Receiver needs
    Encrypted only         Receiver's public key                          Receiver's private key
    Encrypted and signed   Sender's private key + Receiver's public key   Sender's public key + Receiver's private key
    Signed only            Sender's private key                           Sender's public key
    That table answers a lot of questions in the Domain 6 pool.
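As an added example (mine, not from the original page), here is that table as working arithmetic: textbook RSA with tiny primes, enough to show which key goes where for encrypting, decrypting, signing and verifying. It is deliberately not real cryptography (no padding, no hashing of the message, toy key sizes), so use it only to see the key roles. Alice's primes are the familiar 61 and 53; Bob's, 89 and 97, are an arbitrary choice.

```python
"""Textbook RSA to make the key-role table concrete. Added example, not from the
original page. Toy parameters only: never use for anything but the demonstration."""


def keypair(p, q, e=17):
    """Return ((n, e), (n, d)). Assumed: p, q prime and e coprime to (p-1)(q-1)."""
    n, phi = p * q, (p - 1) * (q - 1)
    d = pow(e, -1, phi)              # modular inverse of e (Python 3.8+)
    return (n, e), (n, d)


def encrypt(pub, m):                 # sender uses the RECEIVER's public key
    n, e = pub
    return pow(m, e, n)


def decrypt(priv, c):                # receiver uses the RECEIVER's private key
    n, d = priv
    return pow(c, d, n)


def sign(priv, m):                   # sender uses the SENDER's private key
    n, d = priv
    return pow(m, d, n)


def verify(pub, m, sig):             # receiver uses the SENDER's public key
    n, e = pub
    return pow(sig, e, n) == m


def send_signed_encrypted(sender_priv, receiver_pub, m):
    """Alice to Bob, 'encrypted and signed' row: sign with her private key,
    encrypt with his public key. Returns (ciphertext, signature)."""
    return encrypt(receiver_pub, m), sign(sender_priv, m)


def receive_signed_encrypted(receiver_priv, sender_pub, bundle):
    """Bob: decrypt with his private key, verify with her public key."""
    c, sig = bundle
    m = decrypt(receiver_priv, c)
    return m, verify(sender_pub, m, sig)


ALICE_PUB, ALICE_PRIV = keypair(61, 53)   # n = 3233, the textbook example
BOB_PUB, BOB_PRIV = keypair(89, 97)       # n = 8633, arbitrary small primes

if __name__ == "__main__":
    bundle = send_signed_encrypted(ALICE_PRIV, BOB_PUB, 1234)
    print(bundle)
    print(receive_signed_encrypted(BOB_PRIV, ALICE_PUB, bundle))   # (1234, True)
```

Read the two bundle functions against the table: Alice needs her own private key and Bob's public key; Bob needs his own private key and Alice's public key. In question 35, the certificates are how Bob gets a trustworthy copy of that last item.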
  33. Alice has obtained a copy of Bob's certificate. Which of these does it contain?
    1. Bob's private key
    2. Bob's public key
    3. The CA's private key
    4. The CA's public key
    Certificates are publicly available, so of course they don't contain private keys! It's Bob's certificate, so it contains his public key, wrapped in a digital certificate by the CA.
  34. Alice has obtained a copy of what claims to be Bob's certificate. Which of these does she need to verify that it really belongs to Bob?
    1. Bob's private key
    2. Bob's public key
    3. The CA's private key
    4. The CA's public key
    Bob's certificate contains his public key, wrapped in a digital certificate by the CA. You need the signer's public key to verify a digital signature.
  35. Bob has just received a digitally signed, encrypted message from Alice. What does he need? Select three.
    1. Alice's certificate
    2. Bob's certificate
    3. The CA's certificate
    4. Bob's public key
    5. Bob's private key
    To verify Alice's digital signature, he needs Alice's public key. But he needs to be quite certain that it's really her public key, which means he needs it in the form of a certificate, signed by a trusted CA. And that means he needs her CA's certificate containing the CA's public key. Their shared PKI will provide the certificates.

    Then he needs his private key to decrypt the content. (which she encrypted with a copy of his public key, which was in his certificate, etc.)

    I'm sure that I am giving CompTIA far too much credit, implying that they would get this complete and correct. But if you understand the above, you're doing well. Expect this to be simpler, choosing just these two of four:
    1. Alice's public key
    2. Alice's private key
    3. Bob's public key
    4. Bob's private key

Exhibit with 9 things, plus 34 regular questions

Passing = 82% of 43 = 35.3

Goal = 91% of 43 = 39.1
