
Domain 3 Quiz (Part 2)

Domain 3 Quiz

  1. Examine this network map.
    Firewall diagram.
    Add the required firewall rule to allow the server administrator to securely work on the web server's configuration.
    Source           Destination   Protocol  Port  Action
    192.168.1.0/24   10.1.2.33     TCP       80    Pass
    192.168.1.44/32  10.1.2.33/32  TCP       22    Pass
    Any              Any           Any       Any   Block
    On the real test, these might be objects you can drag and drop in place in the grey slots above. Or maybe each empty line will be a drop-down menu with the below choices.
    192.168.1.0/24 10.1.2.0/24 TCP 22 Pass
    192.168.1.44/32 10.1.2.33/32 TCP 22 Pass
    192.168.1.0/24 10.1.2.0/24 TCP 443 Pass
    192.168.1.44/32 10.1.2.33/32 TCP 443 Pass
    To read these, 192.168.1.0/24 means any address in the range 192.168.1.0 through 192.168.1.255. "/24" means it's specifying the first 24 bits, therefore the first three 8-bit chunks, therefore the first three numbers, 192.168.1.*.

    192.168.1.44/32 means precisely that one address, 192.168.1.44, because the "32" means it's specifying all 32 bits.

    TCP/22 is SSH, an appropriate way for someone to connect to a server to do configuration work. That's the goal.

    TCP/443 is HTTPS, which is a secure way to look at its content. That's useful, but not our goal.

    The first choice would allow the administrator to do that work, but it would also allow anyone on the left subnet to make SSH connections to anything on the right subnet:
    192.168.1.0/24 10.1.2.0/24 TCP 22 Pass
    The second choice is better, because it allows what's needed and no more. Just from the administrator's workstation to the server:
    192.168.1.44/32 10.1.2.33/32 TCP 22 Pass
    Yes, these rule sets are overly simplified and would not really work! They only explicitly allow traffic from the client to the server; a real rule set would have to allow the return packets as well. It would be more like this:
    Source           Destination      Protocol  Source Port  Destination Port  Action
    192.168.1.0/24   10.1.2.33/32     TCP       Any          80                Pass
    10.1.2.33/32     192.168.1.0/24   TCP       80           Any               Pass
    192.168.1.44/32  10.1.2.33/32     TCP       Any          22                Pass
    10.1.2.33/32     192.168.1.44/32  TCP       22           Any               Pass
    Any              Any              Any       Any          Any               Block
    However, CompTIA usually has things simplified to the point that they're not really correct. This is an example of how knowing too much makes the exam much harder.
  2. Examine this network map.
    Firewall diagram.
    Add the two required firewall rules to allow the user workstations to query the primary DNS server, and also allow the secondary DNS server to synchronize with the primary.
    Source            Destination   Protocol  Port  Action
    192.168.1.0/24    10.1.2.33     TCP       80    Pass
    192.168.1.0/24    10.1.2.66/32  UDP       53    Pass
    192.168.1.200/32  10.1.2.66/32  TCP       53    Pass
    Any               Any           Any       Any   Block
    On the real test, these might be objects you can drag and drop in place in the grey slots above. Or maybe each empty line will be a drop-down menu with the below choices.
    192.168.1.0/24 10.1.2.66/32 TCP 80 Pass
    192.168.1.0/24 10.1.2.66/32 TCP 53 Pass
    192.168.1.0/24 10.1.2.66/32 UDP 53 Pass
    192.168.1.200/32 10.1.2.66/32 UDP 53 Pass
    192.168.1.200/32 10.1.2.66/32 TCP 80 Pass
    192.168.1.200/32 10.1.2.66/32 TCP 53 Pass
    This question is about two aspects of DNS, so the TCP/80 choices are obviously distractors.

    The third rule allows anything on the left subnet to make DNS queries (UDP/53) to the primary DNS server:
    192.168.1.0/24 10.1.2.66/32 UDP 53 Pass
    The last rule allows just the secondary DNS server to do a DNS zone transfer (TCP/53) from the primary DNS server:
    192.168.1.200/32 10.1.2.66/32 TCP 53 Pass
    The second rule would allow anything on the left subnet to do that DNS zone transfer. While it also achieves the second goal, the last rule is a better choice as it achieves it but no more.
    192.168.1.0/24 10.1.2.66/32 TCP 53 Pass
    The fourth rule would allow the secondary server to make individual queries (UDP/53), but not the required zone transfers (TCP/53).
    192.168.1.200/32 10.1.2.66/32 UDP 53 Pass
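To make the first-match logic behind questions 1 and 2 concrete, here is an added Python example (my own code, not part of the original quiz) that evaluates the rule tables above against constructed packets. It treats a bare address such as 10.1.2.33 as a /32, gives the exam's single port column a source port of "Any" so that the simplified and the "real" Q1 rule sets can be compared on the same packets, and shows that the /24-to-/24 SSH candidate lets an unrelated host through while the /32-to-/32 answer does not. The Rule and Packet types, the case names and the ephemeral source ports are assumptions of this example.

```python
from __future__ import annotations
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    src: str      # CIDR, bare address (treated as /32) or "Any"
    dst: str
    proto: str    # "TCP", "UDP" or "Any"
    sport: str    # port number or "Any"
    dport: str
    action: str   # "Pass" or "Block"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int


def addr_match(spec: str, addr: str) -> bool:
    if spec == "Any":
        return True
    # strict=False lets a bare host address such as 10.1.2.33 act as a /32
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def port_match(spec: str, port: int) -> bool:
    return spec == "Any" or int(spec) == port


def evaluate(rules: list[Rule], pkt: Packet) -> str:
    """First-match evaluation, top to bottom: the action of the first rule whose
    every field matches wins. If nothing matches, block (no implicit permit)."""
    for r in rules:
        if (addr_match(r.src, pkt.src) and addr_match(r.dst, pkt.dst)
                and r.proto in ("Any", pkt.proto)
                and port_match(r.sport, pkt.sport)
                and port_match(r.dport, pkt.dport)):
            return r.action
    return "Block"


BLOCK_ALL = Rule("Any", "Any", "Any", "Any", "Any", "Block")

# Question 1: the over-broad candidate versus the least-privilege answer.
BROAD_Q1 = [Rule("192.168.1.0/24", "10.1.2.33", "TCP", "Any", "80", "Pass"),
            Rule("192.168.1.0/24", "10.1.2.0/24", "TCP", "Any", "22", "Pass"),
            BLOCK_ALL]
TIGHT_Q1 = [Rule("192.168.1.0/24", "10.1.2.33", "TCP", "Any", "80", "Pass"),
            Rule("192.168.1.44/32", "10.1.2.33/32", "TCP", "Any", "22", "Pass"),
            BLOCK_ALL]
# Question 1 again, with the return-traffic rules a real stateless filter needs.
STATEFUL_Q1 = [Rule("192.168.1.0/24", "10.1.2.33/32", "TCP", "Any", "80", "Pass"),
               Rule("10.1.2.33/32", "192.168.1.0/24", "TCP", "80", "Any", "Pass"),
               Rule("192.168.1.44/32", "10.1.2.33/32", "TCP", "Any", "22", "Pass"),
               Rule("10.1.2.33/32", "192.168.1.44/32", "TCP", "22", "Any", "Pass"),
               BLOCK_ALL]
# Question 2: workstation queries plus the secondary's zone transfer.
DNS_Q2 = [Rule("192.168.1.0/24", "10.1.2.33", "TCP", "Any", "80", "Pass"),
          Rule("192.168.1.0/24", "10.1.2.66/32", "UDP", "Any", "53", "Pass"),
          Rule("192.168.1.200/32", "10.1.2.66/32", "TCP", "Any", "53", "Pass"),
          BLOCK_ALL]

# Constructed test packets (the ephemeral source ports are made up).
ADMIN_SSH = Packet("192.168.1.44", "10.1.2.33", "TCP", 50000, 22)
OTHER_SSH = Packet("192.168.1.99", "10.1.2.77", "TCP", 50001, 22)
SSH_REPLY = Packet("10.1.2.33", "192.168.1.44", "TCP", 22, 50000)
DNS_QUERY = Packet("192.168.1.10", "10.1.2.66", "UDP", 40000, 53)
AXFR_FROM_SECONDARY = Packet("192.168.1.200", "10.1.2.66", "TCP", 40001, 53)
AXFR_FROM_WORKSTATION = Packet("192.168.1.10", "10.1.2.66", "TCP", 40002, 53)


def compare() -> dict[str, str]:
    """The action each rule set takes on each constructed packet."""
    return {
        "broad rule, other host ssh": evaluate(BROAD_Q1, OTHER_SSH),
        "tight rule, other host ssh": evaluate(TIGHT_Q1, OTHER_SSH),
        "tight rule, admin ssh": evaluate(TIGHT_Q1, ADMIN_SSH),
        "tight rule, ssh reply": evaluate(TIGHT_Q1, SSH_REPLY),
        "stateful rule, ssh reply": evaluate(STATEFUL_Q1, SSH_REPLY),
        "dns query from workstation": evaluate(DNS_Q2, DNS_QUERY),
        "zone transfer from secondary": evaluate(DNS_Q2, AXFR_FROM_SECONDARY),
        "zone transfer from workstation": evaluate(DNS_Q2, AXFR_FROM_WORKSTATION),
    }


if __name__ == "__main__":
    for case, action in compare().items():
        print(f"{case:32} {action}")
```

The "tight rule, ssh reply" case is the point of the longer table in question 1: the simplified set blocks the server's own replies, and only the version with source-port rules lets the session work.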
  3. Suheb, the IT department manager, needs to be able to assess organizational security at any time, and identify issues before they become big problems. Which should he use?
    1. Monthly audits
    2. Continuous monitoring
    3. Continuous improvement
    4. Baseline analysis
    Tipoffs are "at any time" and "before they become big problems".
  4. Chuck, a network engineer, needs to compartmentalize traffic flow on the Intranet, and authenticate each connected endpoint device. What should he use? Select two.
    1. NAC
    2. DLP
    3. 802.3
    4. VLAN
    Compartmentalize with VLANs, authenticate with NAC or 802.1x. 802.3 is plain Ethernet; you build your networks with it, but it doesn't add either of those two required capabilities.
  5. Akio, a systems engineer, needs to implement a technical defense that verifies the validity of the operating system itself before booting the system. He hopes this will solve the problem of root kits and other kernel modification. What should he use?
    1. Anti-malware scanning
    2. BIOS checks
    3. UEFI
    4. Trusted supply chain
    This is Secure Boot.
  6. Philip, a system administrator, has been asked for recommendations for protecting compute servers in the data center. Which should he suggest? Select three.
    1. FM-200
    2. Biometrics
    3. DLP
    4. Remote wipe
    5. Mantrap
    6. GPS tracking
    Biometrics and mantrap for access, FM-200 for fire suppression. DLP would instead be at end points (where the data is used, and might be transferred to portable media) and the organization edge.
  7. Your company is being targeted by numerous spearphishing attempts. Which defense do you recommend?
    1. Security awareness training
    2. Pop-up blocker
    3. Spam filter
    4. Mail application-layer firewall
    5. Network intrusion prevention system
    We need a non-technical defense as it's a non-technical problem.
  8. You observe this command output.
    Server:         192.168.1.3
    Address:        192.168.1.3#53
    
    ** server can't find www.faasdfjh.com: NXDOMAIN 
    What is wrong?
    1. DNS cache poisoning has happened
    2. Your workstation cannot contact the nameserver
    3. The domain faasdfjh.com does not exist
    4. There is no host named www.faasdfjh.com
    "NXDOMAIN" means "non-existent domain". There won't be a host within that domain, but the output is telling us that the entire domain does not exist.
  9. You observe this data.
    [**] [122:1:0] (Web) Directory Traversal [**] [Priority: 2] 07/05-12:15:41.483293 192.168.3.7 -> 192.168.1.1:80 PROTO:255 TTL:0 TOS:0x0 ID:3253 IpLen:20 DgmLen:1501
    
    Which tool or defensive measure was involved?
    1. NIDS
    2. NIPS
    3. HIDS
    4. HIPS
    This is Snort output; it has detected 192.168.3.7 attempting a directory traversal attack (asking for "../../../something") against the server 192.168.1.1 via HTTP on TCP/80.

    Unless this triggered something else that we don't see here, there was no prevention, just detection of network traffic.
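As an added example (my own code, not from the quiz), here is a small parser for Snort alert lines of the kind shown in question 9, plus a triage step that groups the more urgent alerts by the source address that caused them. The fields are matched separately so the line works whether the timestamp comes before or after the priority, which is the only difference between the quiz's line and the usual fast-alert layout. The two extra lines in SAMPLE_ALERTS are constructed; their sids are in the range reserved for local rules, and the rule names are invented.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Iterable, Optional

# Fragments of a Snort "fast" alert line, matched independently of their order.
SIG_RE = re.compile(r"\[(\d+):(\d+):(\d+)\]\s+(.+?)\s+\[\*\*\]")
PRIO_RE = re.compile(r"\[Priority:\s*(\d+)\]")
TS_RE = re.compile(r"\d{2}/\d{2}-\d{2}:\d{2}:\d{2}\.\d+")
FLOW_RE = re.compile(
    r"(\d{1,3}(?:\.\d{1,3}){3})(?::(\d+))?\s+->\s+(\d{1,3}(?:\.\d{1,3}){3})(?::(\d+))?")


@dataclass
class Alert:
    gid: int
    sid: int
    rev: int
    msg: str
    priority: int       # 1 is the most urgent
    timestamp: str
    src: str
    sport: Optional[int]
    dst: str
    dport: Optional[int]


def parse_alert(line: str) -> Optional[Alert]:
    sig, prio, flow = SIG_RE.search(line), PRIO_RE.search(line), FLOW_RE.search(line)
    if not (sig and prio and flow):
        return None                      # not an alert line we understand
    ts = TS_RE.search(line)
    return Alert(
        gid=int(sig.group(1)), sid=int(sig.group(2)), rev=int(sig.group(3)),
        msg=sig.group(4), priority=int(prio.group(1)),
        timestamp=ts.group(0) if ts else "",
        src=flow.group(1), sport=int(flow.group(2)) if flow.group(2) else None,
        dst=flow.group(3), dport=int(flow.group(4)) if flow.group(4) else None,
    )


def triage(lines: Iterable[str], max_priority: int = 2) -> dict:
    """Messages of alerts at or above max_priority, grouped by source address.
    This is detection only: nothing here changes what the network does."""
    by_src = defaultdict(list)
    for line in lines:
        a = parse_alert(line)
        if a and a.priority <= max_priority:
            by_src[a.src].append(f"{a.msg} -> {a.dst}:{a.dport}")
    return dict(by_src)


# The line from question 9, followed by two constructed lines in the more
# common layout (timestamp first, protocol in braces, both ports present).
SAMPLE_ALERTS = [
    "[**] [122:1:0] (Web) Directory Traversal [**] [Priority: 2] 07/05-12:15:41.483293 "
    "192.168.3.7 -> 192.168.1.1:80 PROTO:255 TTL:0 TOS:0x0 ID:3253 IpLen:20 DgmLen:1501",
    "07/05-12:16:02.001122 [**] [1:1000001:1] LOCAL Suspicious URI [**] "
    "[Priority: 1] {TCP} 192.168.3.7:40512 -> 192.168.1.1:80",
    "07/05-12:17:30.555555 [**] [1:1000002:1] LOCAL Low-priority probe [**] "
    "[Priority: 3] {TCP} 192.168.3.9:51000 -> 192.168.1.1:443",
]

if __name__ == "__main__":
    for src, msgs in triage(SAMPLE_ALERTS).items():
        print(src, msgs)
```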
  10. Which of these are appropriate defenses for a mobile device? Select three.
    1. Remote wipe
    2. Cable lock
    3. FM-200
    4. Biometrics
    5. GPS tracking
    6. Transparent proxy
    When they say "mobile device" they mean a phone, maybe a tablet, but something too small for a cable lock. Fire suppression goes into the building, proxies are out in the network infrastructure, the other three can go into a mobile device. Note that GPS tracking is to recover the device, it does not protect the data. But the question asks about the device, not the data.
  11. Tony, a network engineer, has been tasked by his manager with monitoring the more sensitive internal networks, to spot and block attacks. What should Tony use?
    1. SIEM
    2. HIDS
    3. HIPS
    4. NIDS
    5. NIPS
    Tipoffs are "monitoring", "networks", and "block".
  12. Yoyodyne Corporation plans to use Active Directory for single sign-on throughout the enterprise. Which network protocols must be added to the ALLOW list in all internal router ACLs? Select two.
    1. LDAP
    2. LDAPS
    3. Kerberos
    4. X.500
    Active Directory is the combination of DNS, LDAP, and Kerberos, plus a shared back-end database. But given the choice of an insecure and secure version of the same protocol, always select the secure one. The LDAP interface allows clients to interact with an X.500 database, but X.500 itself isn't a protocol on the network.
  13. Dmitri's company wants to establish SSO. The initial analysis concluded that they need a system that handles both authentication and authorization with tokens. Dmitri has concluded that the protocol used by Facebook and LinkedIn is the most promising. He is favoring:
    1. SAML
    2. OAUTH
    3. OpenID
    4. WS-Federation
    5. Shibboleth
    OAUTH is the answer when social media is involved. OpenID has similar capability and operation, and would be used across the Internet, but the user gets an OpenID token from some place that isn't social media or intentionally working like social media. SAML and WS-Federation are much more business-like: A cloud-based identity provider like Okta, Oracle, or one of the "Big Three" of AWS, Google, and Microsoft, is paid by the corporation to provide identity services for personnel. Shibboleth works much like SAML but is found mostly in academic settings. Rather than pay big money to a cloud provider, someone involved says "We'll do this with a free software package and some effort by our skilled personnel."
  14. Pedro's manager has been given a recommendation that they implement a single-sign on solution in which user sessions will have cryptographic software tokens providing their identity, their authorization to use services, and the cryptographic keys used to secure their communication. What should Pedro recommend?
    1. Kerberos
    2. RADIUS
    3. SAML
    4. VPN
    The Kerberos TGT proves their identity. A service ticket specifies the symmetric key for that user communicating with that service — it isn't exactly authorization as most people use Kerberos, but it's close enough. This certainly isn't RADIUS, SAML, or a VPN.
  15. Mikhail, a system administrator, has been asked by Kelli, a database administrator, to create an account for the new database project. The account should require authenticated access, have auditing enabled, but be incapable of interaction, with credentials that rarely if ever change. What type of account should Mikhail create?
    1. Ordinary user
    2. Privileged user
    3. Administrator
    4. Guest
    5. Service
    6. Management
    The list of four attributes must all be true. "Incapable of interaction" is unusual, and it eliminates the first four choices. This account will own database tables and processes, but will never be used interactively. It's similar to the user apache or nginx owning the web service configuration file, logs, and web service processes. The question is really: "What do we call these types of accounts, service or management?"
  16. Which password policy setting would require a user to include both digits and special characters in their password?
    1. Prohibiting dictionary words
    2. Length
    3. Complexity
    4. Maximum age
    5. Minimum age
    6. Expiration
    7. Length
    The usual concept is "character classes" — lower-case, upper-case, digits, and other or special. Requiring a mix of classes is complexity. Random numbers would not be in the dictionary, but they would be all-digit strings.
  17. A military contractor is very worried about physical intrusion. They need to keep unauthorized individuals out of sensitive areas. Inappropriately allowing an unauthorized individual into an area is classified as which of the following:
    1. False Acceptance
    2. False Rejection
    3. False Positive
    4. False Negative
    5. Fail Open
    6. Fail Closed
    The first two are commonly considered with biometrics, where there is no precisely correct input and the system must decide "close enough". The middle two are associated with automated decision making like virus detection and vulnerability detection. The last two have to do with the behavior during failure or other unexpected situations; automatic locking doors should fail open when the fire alarm is sounding, to protect life and safety.
  18. Which of these is an open-source standards-based solution for single sign-on web authentication, based largely on SAML?
    1. OAUTH
    2. OpenID
    3. EAP-TLS
    4. Shibboleth
    5. WS-Federation
    SAML and WS-Federation are corporate solutions. Shibboleth is very similar to SAML, but is used largely in academic settings.
  19. Mutual authentication involves which two? Select two.
    1. Client authenticating the server
    2. Client authorizing the server
    3. Server authenticating the client
    4. Server authorizing the client
    For example, you can only connect in to work using your laptop that has a work certificate installed.
  20. You observe this data.
    enp9s0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
            inet 192.168.1.1  netmask 255.255.255.0  broadcast 192.168.1.255
            inet6 2601:249:4300:cb:a62:66ff:fe2c:ab1c  prefixlen 64  scopeid 0x0<global>
            inet6 fe80::a62:66ff:fe2c:ab1c  prefixlen 64  scopeid 0x20<link>
            ether 08:62:66:2c:ab:1c  txqueuelen 1000  (Ethernet)
            RX packets 16332198  bytes 4799272313 (4.7 GB)
            RX errors 0  dropped 3  overruns 0  frame 0
            TX packets 27220877  bytes 32805346549 (32.8 GB)
            TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0 
    Which tool or defensive measure was involved?
    1. Wireshark
    2. ping
    3. nmap
    4. tcpdump
    5. netstat
    6. arp
    7. ifconfig
    That's ifconfig output, the now outdated tool on Linux. If they showed you the up-to-date ip addr command instead, it would look like this:
    2: enp9s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
        link/ether 08:62:66:2c:ab:1c brd ff:ff:ff:ff:ff:ff
        inet 192.168.1.1/24 brd 192.168.1.255 scope global enp9s0
           valid_lft forever preferred_lft forever
        inet 192.168.1.2/24 brd 192.168.1.255 scope global secondary enp9s0
           valid_lft forever preferred_lft forever
        inet6 2601:249:4300:cb:a62:66ff:fe2c:ab1c/64 scope global dynamic mngtmpaddr
           valid_lft 345510sec preferred_lft 345510sec
        inet6 fe80::a62:66ff:fe2c:ab1c/64 scope link
           valid_lft forever preferred_lft forever 
  21. You observe this data.
    192.168.1.4 at dc:a6:32:36:a9:4e [ether] on enp9s0
    192.168.1.218 at b8:27:eb:1f:f6:87 [ether] on enp9s0
    192.168.1.20 at b8:27:eb:03:6b:37 [ether] on enp9s0
    192.168.1.205 at b8:27:eb:f9:ea:4d [ether] on enp9s0
    192.168.1.7 at b8:27:eb:95:25:5b [ether] on enp9s0
    192.168.1.40 at 00:12:79:df:81:b1 [ether] on enp9s0
    192.168.1.254 at 38:94:ed:fa:48:88 [ether] on enp9s0
    192.168.1.42 at 00:1c:50:ac:72:1e [ether] on enp9s0
    192.168.1.3 at dc:a6:32:36:a9:4e [ether] on enp9s0 
    Which tool or defensive measure was involved?
    1. Wireshark
    2. ping
    3. nmap
    4. tcpdump
    5. netstat
    6. arp
    7. ifconfig
    Windows uses dashes instead of colons in MAC addresses in arp output.
  22. You observe this data.
    Proto Recv-Q Send-Q Local Address          Foreign Address        (state)
    tcp        0      0 www.http               ec2-54-251-14-39.http  SYN_RCVD
    tcp        0      0 www.http               97-127-152-158.c.http  SYN_RCVD
    tcp        0     72 www.ssh                c-67-162-124-176.57046 ESTABLISHED
    tcp        0      0 www.ssh                c-67-162-124-176.56956 TIME_WAIT
    tcp        0      0 www.57694              metadata.google..http  ESTABLISHED
    tcp        0      0 localhost.9000         localhost.45172        TIME_WAIT
    tcp        0      0 www.https              cpe-184-153-88-7.45718 ESTABLISHED
    tcp        0      0 www.https              ec2-54-90-33-176.40684 ESTABLISHED
    tcp        0      0 www.https              petalbot-114-119.32762 TIME_WAIT
    tcp        0      0 www.https              static.kpn.net.49168   ESTABLISHED
    tcp        0      0 www.https              static.kpn.net.49169   ESTABLISHED
    tcp        0      0 www.https              185-97-201-166.n.1480  ESTABLISHED
    tcp        0      0 www.https              185-97-201-166.n.1478  ESTABLISHED
    tcp        0      0 www.https              185-97-201-166.n.1476  ESTABLISHED
    tcp        0      0 www.https              crawl-66-249-79-.52368 TIME_WAIT
    tcp        0      0 www.https              crawl-66-249-79-.35610 TIME_WAIT
    tcp        0      0 www.http               crawl-66-249-68-.58406 TIME_WAIT
    tcp        0      0 www.https              84.93.94.244.56895     ESTABLISHED
    tcp        0      0 www.https              ip-99-203-20-246.19011 ESTABLISHED
    tcp        0      0 www.https              pool-96-252-105-.51616 TIME_WAIT
    tcp        0     63 www.https              CPE589630c056fc-.59897 FIN_WAIT_1
    tcp        0      0 www.http               200.46.45.114.50849    CLOSED
    tcp        0      0 www.http               201.130.137.117..44167 CLOSED
    tcp        0      0 *.https                *.*                    LISTEN
    tcp        0      0 *.http                 *.*                    LISTEN
    tcp        0      0 localhost.9000         *.*                    LISTEN
    tcp        0      0 *.ssh                  *.*                    LISTEN
    tcp6       0      0 *.ssh                  *.*                    LISTEN
    tcp        0      0 localhost.smtp         *.*                    LISTEN 
    Which tool or defensive measure was involved?
    1. Wireshark
    2. ping
    3. nmap
    4. tcpdump
    5. netstat
    6. arp
    7. ifconfig
    I just ran netstat -a on my server, with some clients caught in the act of downloading pages.

    A question on an earlier quiz showed the command. Once in a while on the real test, one question tells you the answer to a different question.
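Reading a netstat listing by eye is fine for a quiz, but on a real server you want the summary done for you. This added Python example (my own code, not from the quiz) parses the BSD-style netstat -a output shown in question 22, counts connections per local service and state, lists what is listening and on which bind address, and flags services with half-open (SYN_RCVD) connections, the state a SYN flood leaves behind. NETSTAT_SAMPLE is the quiz's own listing embedded verbatim; the threshold of one is an assumption for the sake of the small sample.

```python
from collections import Counter
from dataclasses import dataclass
from typing import List, Set, Tuple

NETSTAT_SAMPLE = """\
Proto Recv-Q Send-Q Local Address          Foreign Address        (state)
tcp        0      0 www.http               ec2-54-251-14-39.http  SYN_RCVD
tcp        0      0 www.http               97-127-152-158.c.http  SYN_RCVD
tcp        0     72 www.ssh                c-67-162-124-176.57046 ESTABLISHED
tcp        0      0 www.ssh                c-67-162-124-176.56956 TIME_WAIT
tcp        0      0 www.57694              metadata.google..http  ESTABLISHED
tcp        0      0 localhost.9000         localhost.45172        TIME_WAIT
tcp        0      0 www.https              cpe-184-153-88-7.45718 ESTABLISHED
tcp        0      0 www.https              ec2-54-90-33-176.40684 ESTABLISHED
tcp        0      0 www.https              petalbot-114-119.32762 TIME_WAIT
tcp        0      0 www.https              static.kpn.net.49168   ESTABLISHED
tcp        0      0 www.https              static.kpn.net.49169   ESTABLISHED
tcp        0      0 www.https              185-97-201-166.n.1480  ESTABLISHED
tcp        0      0 www.https              185-97-201-166.n.1478  ESTABLISHED
tcp        0      0 www.https              185-97-201-166.n.1476  ESTABLISHED
tcp        0      0 www.https              crawl-66-249-79-.52368 TIME_WAIT
tcp        0      0 www.https              crawl-66-249-79-.35610 TIME_WAIT
tcp        0      0 www.http               crawl-66-249-68-.58406 TIME_WAIT
tcp        0      0 www.https              84.93.94.244.56895     ESTABLISHED
tcp        0      0 www.https              ip-99-203-20-246.19011 ESTABLISHED
tcp        0      0 www.https              pool-96-252-105-.51616 TIME_WAIT
tcp        0     63 www.https              CPE589630c056fc-.59897 FIN_WAIT_1
tcp        0      0 www.http               200.46.45.114.50849    CLOSED
tcp        0      0 www.http               201.130.137.117..44167 CLOSED
tcp        0      0 *.https                *.*                    LISTEN
tcp        0      0 *.http                 *.*                    LISTEN
tcp        0      0 localhost.9000         *.*                    LISTEN
tcp        0      0 *.ssh                  *.*                    LISTEN
tcp6       0      0 *.ssh                  *.*                    LISTEN
tcp        0      0 localhost.smtp         *.*                    LISTEN
"""


@dataclass
class Conn:
    proto: str
    recv_q: int
    send_q: int
    local_host: str
    local_port: str      # a number or a service name from /etc/services
    foreign_host: str
    foreign_port: str
    state: str


def _split_addr(addr: str) -> Tuple[str, str]:
    # BSD-style netstat separates host and port with the LAST dot:
    # "www.https" -> ("www", "https"), "*.*" -> ("*", "*").
    host, _, port = addr.rpartition(".")
    return host, port


def parse_netstat(text: str) -> List[Conn]:
    conns = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] == "Proto":
            continue                                   # header or blank line
        state = fields[5] if len(fields) > 5 else ""  # UDP rows have no state
        lh, lp = _split_addr(fields[3])
        fh, fp = _split_addr(fields[4])
        conns.append(Conn(fields[0], int(fields[1]), int(fields[2]), lh, lp, fh, fp, state))
    return conns


def state_counts(conns: List[Conn]) -> Counter:
    """Connections per (local service, TCP state), listeners excluded."""
    return Counter((c.local_port, c.state) for c in conns if c.state != "LISTEN")


def listeners(conns: List[Conn]) -> Set[Tuple[str, str]]:
    """(bind address, service) pairs; '*' means reachable from every interface,
    'localhost' means only local processes can connect."""
    return {(c.local_host, c.local_port) for c in conns if c.state == "LISTEN"}


def half_open(conns: List[Conn], threshold: int = 1) -> dict:
    """Services with more than `threshold` connections stuck in SYN_RCVD."""
    counts = Counter(c.local_port for c in conns if c.state == "SYN_RCVD")
    return {svc: n for svc, n in counts.items() if n > threshold}


if __name__ == "__main__":
    conns = parse_netstat(NETSTAT_SAMPLE)
    print(state_counts(conns).most_common(5))
    print(sorted(listeners(conns)))
    print(half_open(conns))
```

Note that smtp and port 9000 are bound to localhost only, while http, https and ssh are bound to every interface; that distinction is the first thing to check when a listing like this comes from a server that faces the Internet.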
  23. You observe this command output.
    ;; connection timed out; no servers could be reached 
    What is wrong?
    1. DNS cache poisoning has happened
    2. Your workstation cannot contact the nameserver
    3. The domain does not exist
    4. There is no host with the requested name
    The servers it's talking about are DNS nameservers.
  24. Which of these can you put in a boot script to prevent MitM?
    1. nmap -sS -sV -T5 192.168.12.72
    2. arp -s 00:13:3B:12:6f:aa 192.168.12.72
    3. tcpdump -i eth0 host 192.168.12.72 or ether host 00:13:3b:12:6f:aa
    4. netstat -an
    5. ping 192.168.12.72
    That arp syntax sets up static ARP; it's the same syntax on Windows, Linux, MacOS, BSD, and probably other places. Static ARP isn't at all practical, but it could prevent MitM connection hijacking with ARP spoofing. Once you set a static ARP mapping, the operating system no longer uses ARP to make requests, or pays attention to inbound unsolicited ARP "answers". The other commands are nmap (port scanning and OS detection), tcpdump (packet capture), netstat (measuring TCP/UDP activity), and ping (testing end-to-end IP connectivity). Static ARP is the only one that has any preventative function.
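Static ARP freezes one fact: which MAC address a given IP address is allowed to have. The detection-side counterpart is to compare the live ARP table against a MAC you recorded when the network was known to be clean, and to notice when one MAC claims several IP addresses. This added Python example (my own code, not from the quiz) does both over the arp output from question 21. It accepts the quiz's lines, Linux arp -a lines with the leading "? (address)", and Windows lines with dashes, normalizing them to the colon form the answer to question 21 mentions. That 192.168.1.254 is the gateway, and its "pinned" MAC, are assumptions here; a host legitimately holding two addresses produces the same duplicate-MAC finding, so the check surfaces entries for review rather than proving an attack.

```python
import re
from collections import defaultdict
from typing import Dict, List

# IPv4 address, optionally wrapped as "? (a.b.c.d)", then an optional "at",
# then a MAC in colon or dash form.
ARP_RE = re.compile(
    r"(\d{1,3}(?:\.\d{1,3}){3})\)?\s+(?:at\s+)?([0-9A-Fa-f]{2}(?:[:-][0-9A-Fa-f]{2}){5})")


def normalize_mac(mac: str) -> str:
    """Lower-case, colon-separated, so Windows and Unix output compare equal."""
    return mac.lower().replace("-", ":")


def parse_arp_table(text: str) -> Dict[str, str]:
    """Map each IP address in arp output to its (normalized) MAC address."""
    table = {}
    for line in text.splitlines():
        m = ARP_RE.search(line)
        if m:
            table[m.group(1)] = normalize_mac(m.group(2))
    return table


def shared_macs(table: Dict[str, str]) -> Dict[str, List[str]]:
    """MAC addresses that answer for more than one IP address."""
    by_mac = defaultdict(list)
    for ip, mac in table.items():
        by_mac[mac].append(ip)
    return {mac: sorted(ips, key=lambda s: tuple(map(int, s.split("."))))
            for mac, ips in by_mac.items() if len(ips) > 1}


def gateway_entry_ok(table: Dict[str, str], gateway_ip: str, pinned_mac: str) -> bool:
    """True only if the gateway is present and still has the MAC you pinned."""
    return table.get(gateway_ip) == normalize_mac(pinned_mac)


# The table from question 21, as printed on a Linux host.
ARP_SAMPLE = """\
192.168.1.4 at dc:a6:32:36:a9:4e [ether] on enp9s0
192.168.1.218 at b8:27:eb:1f:f6:87 [ether] on enp9s0
192.168.1.20 at b8:27:eb:03:6b:37 [ether] on enp9s0
192.168.1.205 at b8:27:eb:f9:ea:4d [ether] on enp9s0
192.168.1.7 at b8:27:eb:95:25:5b [ether] on enp9s0
192.168.1.40 at 00:12:79:df:81:b1 [ether] on enp9s0
192.168.1.254 at 38:94:ed:fa:48:88 [ether] on enp9s0
192.168.1.42 at 00:1c:50:ac:72:1e [ether] on enp9s0
192.168.1.3 at dc:a6:32:36:a9:4e [ether] on enp9s0
"""

# Constructed: the same gateway entry as Windows "arp -a" would print it.
WINDOWS_LINE = "  192.168.1.254          38-94-ED-FA-48-88     dynamic"

GATEWAY_IP = "192.168.1.254"          # assumption: the router on this LAN
PINNED_GATEWAY_MAC = "38:94:ed:fa:48:88"   # recorded when the LAN was known clean

if __name__ == "__main__":
    table = parse_arp_table(ARP_SAMPLE)
    print("gateway entry ok:", gateway_entry_ok(table, GATEWAY_IP, PINNED_GATEWAY_MAC))
    print("MACs answering for several IPs:", shared_macs(table))
```

In the quiz's own table, dc:a6:32:36:a9:4e answers for both 192.168.1.3 and 192.168.1.4. That is exactly the shape an ARP spoof has, and also the shape of a Raspberry Pi with two addresses, so the next step is to look at what those two addresses are supposed to be.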
  25. Which of these are advantages of WPA/2 Enterprise over WPA/2 PSK? Select two.
    1. PKI
    2. Stronger cipher suite
    3. Higher performance
    4. Integrated Active Directory
    5. RADIUS
    The RADIUS server deals with trusted digital certificates, which means integration into your PKI. The two choices support the same cipher suite with identical network performance. AD isn't related.
  26. Tasha, a network engineer, is designing a wireless solution for her large corporation. She needs to specify the current best encryption, supporting 802.1x with either LEAP or EAP-TLS. What should she use? Select three.
    1. CCMP
    2. AES-GCM-256
    3. WPA/2 PSK
    4. WPA/2 Enterprise
    5. RADIUS
    6. Active Directory
    CompTIA tends to say "CCMP" when they should say "AES-CCMP". It is authenticated encryption. AES-GCM-256 is also authenticated encryption, but it is appropriate for use with TLS, not 802.11.

    WPA/2 Enterprise uses a RADIUS server and certificates, while WPA/2 PSK uses manually configured pre-shared keys.

    RADIUS is a trusted third-party authentication service commonly used with 802.1x; it can speak several EAP variants.
  27. Isaac is a cybersecurity architect for a financial services company. He has been tasked with securing key escrow. The escrow storage is extremely sensitive. What should he use to implement trustworthy key escrow?
    1. Asymmetric encryption
    2. M-of-N control
    3. Certificate chaining
    4. Off-site storage
    Divide the master key into N overlapping parts, give each part to one person, and any M of them can reassemble the master key. You can pick M and N as appropriate for your situation.
  28. Ellen is a webmaster for a major high technology company. She will use virtual hosting to provide six web sites with unique domain names on a single server:
        weyland-yutani.com
    www.weyland-yutani.com
        weyland-yutani.net
    www.weyland-yutani.net
        weyland-yutani.org
    www.weyland-yutani.org
    That is, the same corporation name in three top-level domains, both with and without leading "www.". What would be the most economic way to obtain certificates?
    1. Self-signed certificates
    2. Wildcard certificates
    3. Server Alternative Names
    4. Six individual certificates
    This would be one certificate with six names listed under SAN or Server Alternative Names.

    A wildcard certificate could work for, e.g., *.weyland-yutani.com, maybe for hosts www, www2, ftp, ns1, ns2, mailbox, and so on, but all would have to be in the same top-level and second-level domain.

    Six individual certificates would work, but at significantly higher cost.

    Self-signed certificates wouldn't work at all for external clients.
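The reason a wildcard cannot cover Ellen's six names is a matter of how clients match a certificate's names against the host they are connecting to. This added Python example (my own code, not from the quiz) implements that matching in the spirit of RFC 6125, section 6.4.3: comparison is case-insensitive, and an asterisk is honoured only when it is the entire left-most label, where it stands in for exactly one label. Run over the six names from question 28, it shows *.weyland-yutani.com covering just www.weyland-yutani.com, while a single certificate listing all six names covers all of them. The SIX_HOSTS list is the quiz's; the two certificate name lists are constructed for the comparison.

```python
from typing import Iterable, List

SIX_HOSTS = ["weyland-yutani.com", "www.weyland-yutani.com",
             "weyland-yutani.net", "www.weyland-yutani.net",
             "weyland-yutani.org", "www.weyland-yutani.org"]


def name_matches(pattern: str, hostname: str) -> bool:
    """Does one certificate name (exact or wildcard) cover this hostname?"""
    p, h = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in p:
        return p == h
    plabels, hlabels = p.split("."), h.split(".")
    if plabels[0] != "*" or any("*" in label for label in plabels[1:]):
        return False      # partial (w*w) or non-leading wildcards are rejected
    if len(plabels) < 3:
        return False      # refuse "*.com"-style patterns outright
    # The wildcard stands for exactly one label: same label count, same parent.
    return len(hlabels) == len(plabels) and hlabels[1:] == plabels[1:]


def covered_by(cert_names: Iterable[str], hostnames: Iterable[str]) -> List[str]:
    """The hostnames a certificate carrying cert_names would be valid for."""
    names = list(cert_names)
    return [h for h in hostnames if any(name_matches(n, h) for n in names)]


# Constructed: what the two candidate certificates would carry.
WILDCARD_CERT = ["*.weyland-yutani.com"]
SAN_CERT = list(SIX_HOSTS)     # one certificate, all six names in its SAN extension

if __name__ == "__main__":
    print("wildcard covers:", covered_by(WILDCARD_CERT, SIX_HOSTS))
    print("SAN list covers:", covered_by(SAN_CERT, SIX_HOSTS))
```

The bare weyland-yutani.com is the usual surprise: the wildcard does not match it, because the asterisk must stand for a label and there is none in that position. Covering both the bare and the www form of a domain with one certificate therefore needs a name list, even within a single domain.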
  29. Which of the following is not needed to enable any user to encrypt a message which only the intended recipient can read?
    1. PKI
    2. Public keys
    3. Private keys
    4. Hashing
  30. Lee is a security analyst at a software development company. Their data is worth far more than the hardware on which it is stored, and confidentiality is protected with strong encryption. However, management is also concerned about availability. Lee has been tasked with providing availability of cleartext versions of encrypted software, even if an employee loses or destroys their decryption key. What should be set up?
    1. Escrow
    2. Secret sharing
    3. Certificate chaining
    4. Key pinning
    5. Key stapling
    Key escrow keeps backup copies of decryption keys in highly trusted storage. Secret sharing would be something like Diffie-Hellman. Certificate chaining is used in TLS servers. Pinning and stapling are concepts associated with web server certificates, not simple keys.

    Notice that another question provides a hint for this one.
  31. Charlize, a data archivist for a government agency, needs to protect the confidentiality of a large data set. A government regulation requires the use of the Advanced Encryption Standard for this category of data. But in which mode should she employ that cipher?
    1. CBC
    2. CCMP
    3. ECB
    4. GCM
    CBC mode is among the appropriate modes for large block (or file-like) data sets. CCMP mode is used with 802.11, GCM with TLS. ECB is only appropriate for some very specific use cases.
  32. Gary works for a bank, and is designing a wireless solution for customers to use during their visits to bank branches. Which two technologies should he deploy? Select two.
    1. WPA/2 Enterprise
    2. Captive portal
    3. Open system authentication
    4. Enable an Internet-facing SSID
    It's for customers visiting the bank, so WPA/2 Enterprise with its need to enroll their devices into the bank PKI and install certificates is very impractical. "Internet-facing SSID" doesn't really mean anything.

    A captive portal redirects their attempted browser connections to a small local web server, to a page where they check the box for "Yes, I will follow the rules," before routing them out to the Internet.

    Open system authentication means that there's no encryption and no authentication needed.

    This combination is what you find in most US hotels.

30 questions

Passing = 82% of 30 = 24.6

Goal = 91% of 30 = 27.3
