Pen used to do a practice exam.

Domain 3 Quiz (Part 2)

Domain 3 Quiz

  1. Examine this network map.
    Firewall diagram.
    Add the required firewall rule to allow the server administrator to securely work on the web server's configuration.
    Source Destination Protocol Port Action TCP 80 Pass TCP 22 Pass
    Any Any Any Any Block
    On the real test, these might be objects you can drag and drop in place in the grey slots above. Or maybe each empty line will be a drop-down menu with the below choices. TCP 22 Pass TCP 22 Pass TCP 443 Pass TCP 443 Pass
    To read these, means any address in the range through "/24" means it's specifying the first 24 bits, therefore the first three 8-bit chunks, therefore the first three numbers, 192.168.1.*. means precisely that one address,, because the "32" means it's specifying all 32 bits.

    TCP/22 is SSH, an appropriate way for someone to connect to a server to do configuration work. That's the goal.

    TCP/443 is HTTPS, which is a secure way to look at its content. That's useful, but not our goal.

    The first choice would allow the administrator to do that work, but it would also allow anyone on the left subnet to make SSH connections to anything on the right subnet: TCP 22 Pass
    The second choice is better, because it allows what's needed and no more. Just from the administrator's workstation to the server: TCP 22 Pass
    Yes, these rule sets are overly simplified and would not really work! They only explicitly allow traffic from the client to the server, a real rule set would have to allow return packets as well. It would be more like this:
    Source Destination Protocol Source Port Destination Port Action TCP Any 80 Pass TCP 80 Any Pass TCP Any 22 Pass TCP 22 Any Pass
    Any Any Any Any Any Block
    However, CompTIA usually has things simplified to the point that they're not really correct. This is an example of how knowing too much makes the exam much harder.
  2. Examine this network map.
    Firewall diagram.
    Add the two required firewall rules to allow the user workstations to query the primary DNS server, and also allow the secondary DNS server to synchronize with the primary.
    Source Destination Protocol Port Action TCP 80 Pass UDP 53 Pass TCP 53 Pass
    Any Any Any Any Block
    On the real test, these might be objects you can drag and drop in place in the grey slots above. Or maybe each empty line will be a drop-down menu with the below choices. TCP 80 Pass TCP 53 Pass UDP 53 Pass UDP 53 Pass TCP 80 Pass TCP 53 Pass
    This question is about two aspects of DNS, so the TCP/80 choices are obviously distractors.

    The third rule allows anything on the left subnet to make DNS queries (UDP/53) to the primary DNS server: UDP 53 Pass
    The last rule allows just the secondary DNS server to do a DNS zone transfer (TCP/53) from the primary DNS server: TCP 53 Pass
    The second rule would allow anything on the left subnet to do that DNS zone transfer. While it also achieves the second goal, the last rule is a better choice as it achieves it but no more. TCP 80 Pass
    The fourth rule would allow the secondary server to make individual queries (UDP/53), but not the required zone transfers (TCP/53). UDP 53 Pass
  3. Suheb, the IT department manager, needs to be able to assess organizational security at any time, and identify issues before they become big problems. Which should he use?
    1. Monthly audits
    2. Continuous monitoring
    3. Continuous improvement
    4. Baseline analysis
    Tipoffs are "at any time" and "before they become big problems"
  4. Chuck, a network engineer, needs to compartmentalize traffic flow on the Intranet, and authenticate each connected endpoint device. What should he use? Select two.
    1. NAC
    2. DLP
    3. 802.3
    4. VLAN
    Compartmentalize with VLANs, authenticate with NAC or 802.1x. 802.3 is plain Ethernet, you build your networks with it but it doesn't add those two required capabilities.
  5. Akio, a systems engineer, needs to implement a technical defense that verifies the validity of the operating system itself before booting the system. He hopes this will solve the problem of root kits and other kernel modification. What should he use?
    1. Anti-malware scanning
    2. BIOS checks
    3. UEFI
    4. Trusted supply chain
    This is Secure Boot.
  6. Philip, a system administrator, has been asked for recommendations for protecting compute servers in the data center. Which should he suggest? Select three.
    1. FM-200
    2. Biometrics
    3. DLP
    4. Remote wipe
    5. Mantrap
    6. GPS tracking
    Biometrics and mantrap for access, FM-200 for fire suppression. DLP would instead be at end points (where the data is used, and might be transferred to portable media) and the organization edge.
  7. Your company is being targeted by numerous spearphishing attempts. Which defense do you recommend?
    1. Security awareness training
    2. Pop-up blocker
    3. Spam filter
    4. Mail application-layer firewall
    5. Network intrusion prevention system
    We need a non-technical defense as it's a non-technical problem.
  8. You observe this command output.
    ** server can't find NXDOMAIN 
    What is wrong?
    1. DNS cache poisoning has happened
    2. Your workstation cannot contact the nameserver
    3. The domain does not exist
    4. There is no host named
    "NXDOMAIN" means "non-existent domain". There won't be a host within that domain, but the output is telling us that the entire domain does not exist.
  9. You observe this data.
    [**] [122:1:0] (Web) Directory Traversal [**] [Priority: 2] 07/05-12:15:41.483293 -> PROTO:255 TTL:0 TOS:0x0 ID:3253 IpLen:20 DgmLen:1501
    Which tool or defensive measure was involved?
    1. NIDS
    2. NIPS
    3. HIDS
    4. HIPS
    This is Snort output, it has detected attempting a directory traversal attack (asking for "../../../something") against the server via HTTP on TCP/80.

    Unless this triggered something else that we don't see here, there was no prevention, just detection of network traffic.
  10. Which of these are appropriate defenses for a mobile device? Select three.
    1. Remote wipe
    2. Cable lock
    3. FM-200
    4. Biometrics
    5. GPS tracking
    6. Transparent proxy
    When they say "mobile device" they mean a phone, maybe a tablet, but something too small for a cable lock. Fire suppression goes into the building, proxies are out in the network infrastructure, the other three can go into a mobile device. Note that GPS tracking is to recover the device, it does not protect the data. But the question askes about the device, now the data.
  11. Tony, a network engineer, has been tasked by his manager with monitoring the more sensitive internal networks, to spot and block attacks. What should Tony use?
    1. SIEM
    2. HIDS
    3. HIPS
    4. NIDS
    5. NIPS
    Tipoffs are monitoring... networks... and block.
  12. Yoyodyne Corporation plans to use Active Directory for single sign-on throughout the enterprise. Which network protocols must be added to the ALLOW list in all internal router ACLs? Select two.
    1. LDAP
    2. LDAPS
    3. Kerberos
    4. X.500
    Active directory is the combination of DNS, LDAP, and Kerberos, plus a shared back-end database. But given the choice of an insecure and secure version of the same protocol, always select the secure one. The LDAP interface allows clients to interact with an X.500 database, but it isn't a protocol on the network.
  13. Dmitri's company wants to establish SSO. The initial analysis concluded that they need a system that handles both authentication and authorization with tokens. Dmitri has concluded that the protocol used by Facebook and LinkedIn is the most promising. He is favoring:
    1. SAML
    2. OAUTH
    3. OpenID
    4. WS-Federation
    5. Shibboleth
    OAUTH is the answer when social media is involved. OpenID has similar capability and operation, and would be used across the Internet, but the user gets an OpenID token from some place that isn't social media or intentionally working like social media. SAML and WS-Federation are much more business-like: A cloud-based identity provider like Okta, Oracle, or one of the "Big Three" of AWS, Google, and Microsoft, is paid by the corporation to provide identity services for personnel. Shibboleth works much like SAML but is found mostly in academic settings. Rather than pay big money to a cloud provider, someone involved says "We'll do this with a free software package and some effort by our skilled personnel."
  14. Pedro's manager has been given a recommendation that they implement a single-sign on solution in which user sessions will have cryptographic software tokens providing their identity, their authorization to use services, and the cryptographic keys used to secure their communication. What should Pedro recommend?
    1. Kerberos
    2. RADIUS
    3. SAML
    4. VPN
    The Kerberos TGT proves their identity. A service ticket specifies the symmetric key for that user communicating with that service — it isn't exactly authorization as most people use Kerberos, but it's close enough. This certainly isn't RADIUS, SAML, or a VPN.
  15. Mikhail, a system administrator, has been asked by Kelli, a database administrator, to create an account for the new database project. The account should require authenticated access, have auditing enable, but incapable of interaction, with credentials that rarely if ever change. What type of account should Mikhail create?
    1. Ordinary user
    2. Privileged user
    3. Administrator
    4. Guest
    5. Service
    6. Management
    The list of four attributes must all be true. "Incapable of interaction" is unusual, and it eliminates the first four choices. This account will own database tables and processes, but will never be used interactively. It's similar to the user apache or nginx owning the web service configuration file, logs, and web service processes. The question is really: "What do we call these types of accounts, service or management?"
  16. Which password policy setting would require a user to include both digits and special characters in their password?
    1. Prohibiting dictionary words
    2. Length
    3. Complexity
    4. Maximum age
    5. Minimum age
    6. Expiration
    7. Length
    The usual concept is "character classes" — lower-case, upper-case, digits, and other or special. Requiring a mix of classes is complexity. Random numbers would not be in the dictionary, but they would be all-digit strings.
  17. A military contractor is very worried about physical intrusion. They need to keep unauthorized individuals out of sensitive areas. Inappropriately allowing an unauthorized individuals into an area is classified as which of the following:
    1. False Acceptance
    2. False Rejection
    3. False Positive
    4. False Negative
    5. Fail Open
    6. Fail Closed
    The first two are commonly considered with biometrics, where there is no precisely correct input and the system must decide "close enough". The middle two are associated with automated decision making like virus detection and vulnerability detection. The last two have to do with the behavior during failure or other unexpected situations; automatic locking doors should fail open when the fire alarm is sounding, to protect life and safety.
  18. Which of these is an open-source standards-based solution for single sign-on web authentication, based largely on SAML?
    1. OAUTH
    2. OpenID
    3. EAP-TLS
    4. Shibboleth
    5. WS-Federation
    SAML and WS-Federation are corporate solutions. Shibboleth is very similar to SAML, but is used largely in academic settings.
  19. Mutual authentication involves which two? Select two.
    1. Client authenticating the server
    2. Client authorizing the server
    3. Server authenticating the client
    4. Server authorizing the client
    For example, you can only connect in to work using your laptop that has a work certificate installed.
  20. You observe this data.
    enp9s0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
            inet  netmask  broadcast
            inet6 2601:249:4300:cb:a62:66ff:fe2c:ab1c  prefixlen 64  scopeid 0x0<global>
            inet6 fe80::a62:66ff:fe2c:ab1c  prefixlen 64  scopeid 0x20<link>
            ether 08:62:66:2c:ab:1c  txqueuelen 1000  (Ethernet)
            RX packets 16332198  bytes 4799272313 (4.7 GB)
            RX errors 0  dropped 3  overruns 0  frame 0
            TX packets 27220877  bytes 32805346549 (32.8 GB)
            TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0 
    Which tool or defensive measure was involved?
    1. Wireshark
    2. ping
    3. nmap
    4. tcpdump
    5. netstat
    6. arp
    7. ifconfig
    That's ifconfig output, the now outdated tool on Linux. If they showed you the up-to-date ip addr command instead, it would look like this:
    2: enp9s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
        link/ether 08:62:66:2c:ab:1c brd ff:ff:ff:ff:ff:ff
        inet brd scope global enp9s0
           valid_lft forever preferred_lft forever
        inet brd scope global secondary enp9s0
           valid_lft forever preferred_lft forever
        inet6 2601:249:4300:cb:a62:66ff:fe2c:ab1c/64 scope global dynamic mngtmpaddr
           valid_lft 345510sec preferred_lft 345510sec
        inet6 fe80::a62:66ff:fe2c:ab1c/64 scope link
           valid_lft forever preferred_lft forever 
  21. You observe this data. at dc:a6:32:36:a9:4e [ether] on enp9s0 at b8:27:eb:1f:f6:87 [ether] on enp9s0 at b8:27:eb:03:6b:37 [ether] on enp9s0 at b8:27:eb:f9:ea:4d [ether] on enp9s0 at b8:27:eb:95:25:5b [ether] on enp9s0 at 00:12:79:df:81:b1 [ether] on enp9s0 at 38:94:ed:fa:48:88 [ether] on enp9s0 at 00:1c:50:ac:72:1e [ether] on enp9s0 at dc:a6:32:36:a9:4e [ether] on enp9s0 
    Which tool or defensive measure was involved?
    1. Wireshark
    2. ping
    3. nmap
    4. tcpdump
    5. netstat
    6. arp
    7. ifconfig
    Windows uses dashes instead of colons in MAC addresses in arp output.
  22. You observe this data.
    Proto Recv-Q Send-Q Local Address          Foreign Address        (state)
    tcp        0      0 www.http               ec2-54-251-14-39.http  SYN_RCVD
    tcp        0      0 www.http               97-127-152-158.c.http  SYN_RCVD
    tcp        0     72 www.ssh                c-67-162-124-176.57046 ESTABLISHED
    tcp        0      0 www.ssh                c-67-162-124-176.56956 TIME_WAIT
    tcp        0      0 www.57694      ESTABLISHED
    tcp        0      0 localhost.9000         localhost.45172        TIME_WAIT
    tcp        0      0 www.https              cpe-184-153-88-7.45718 ESTABLISHED
    tcp        0      0 www.https              ec2-54-90-33-176.40684 ESTABLISHED
    tcp        0      0 www.https              petalbot-114-119.32762 TIME_WAIT
    tcp        0      0 www.https       ESTABLISHED
    tcp        0      0 www.https       ESTABLISHED
    tcp        0      0 www.https              185-97-201-166.n.1480  ESTABLISHED
    tcp        0      0 www.https              185-97-201-166.n.1478  ESTABLISHED
    tcp        0      0 www.https              185-97-201-166.n.1476  ESTABLISHED
    tcp        0      0 www.https              crawl-66-249-79-.52368 TIME_WAIT
    tcp        0      0 www.https              crawl-66-249-79-.35610 TIME_WAIT
    tcp        0      0 www.http               crawl-66-249-68-.58406 TIME_WAIT
    tcp        0      0 www.https         ESTABLISHED
    tcp        0      0 www.https              ip-99-203-20-246.19011 ESTABLISHED
    tcp        0      0 www.https              pool-96-252-105-.51616 TIME_WAIT
    tcp        0     63 www.https              CPE589630c056fc-.59897 FIN_WAIT_1
    tcp        0      0 www.http         CLOSED
    tcp        0      0 www.http      CLOSED
    tcp        0      0 *.https                *.*                    LISTEN
    tcp        0      0 *.http                 *.*                    LISTEN
    tcp        0      0 localhost.9000         *.*                    LISTEN
    tcp        0      0 *.ssh                  *.*                    LISTEN
    tcp6       0      0 *.ssh                  *.*                    LISTEN
    tcp        0      0 localhost.smtp         *.*                    LISTEN 
    Which tool or defensive measure was involved?
    1. Wireshark
    2. ping
    3. nmap
    4. tcpdump
    5. netstat
    6. arp
    7. ifconfig
    I just ran netstat -a on my server, with some clients caught in the act of downloading pages.

    A questions on an earlier quiz showed the command. Once in a while on the real test, one question tells you the answer to a different question.
  23. You observe this command output.
    ;; connection timed out; no servers could be reached 
    What is wrong?
    1. DNS cache poisoning has happened
    2. Your workstation cannot contact the nameserver
    3. The domain does not exist
    4. There is no host with the requested name
    The servers it's talking about are DNS nameservers.
  24. Which of these can you put in a boot script to prevent MitM?
    1. nmap -sS -sV -T5
    2. arp -s 00:13:3B:12:6f:aa
    3. tcpdump -i eth0 host or ether host 00:13:3b:12:6f:aa
    4. netstat -an
    5. ping
    That arp syntax sets up static ARP, it's that same syntax on Windows, Linux, MacOS, BSD, and probably other places. Static ARP isn't at all practical, but it could prevent MitM connection hijacking with ARP spoofing. Once you set a static ARP mapping, the operating system no longer uses ARP to make requests, or pays attention to inbound unsolicited ARP "answers". The other commands are nmap (port scanning and OS detection), tcpdump (packet capture), netstat (measuring TCP/UDP activity), and ping (testing end-to-end IP connectivity). Static ARP is the only one that has any preventative function.
  25. Which of these are advantages of WPA/2 Enterprise over WPA/2 PSK? Select two.
    1. PKI
    2. Stronger cipher suite
    3. Higher performance
    4. Integrated Active Directory
    5. RADIUS
    The RADIUS server deals with trusted digital certificates, which means integration into your PKI. The two choices support the same cipher suite with identical network performance. AD isn't related.
  26. Tasha, a network engineer, is designing a wireless solution for her large corporation. She needs to specify the current best encryption, supporting 802.1x with either LEAP or EAP-TLS. What should she use? Select three.
    1. CCMP
    2. AES-GCM-256
    3. WPA/2 PSK
    4. WPA/2 Enterprise
    5. RADIUS
    6. Active Directory
    CompTIA tends to say "CCMP" when they should say "AES-CCMP". It is authenticated encryption. AES-GCM-256 is also authenticated encryption, but it is appropriate for use with TLS, not 802.11.

    WPA/2 Enterprise uses a RADIUS server and certificates, while WPA/2 PSK uses manually configured pre-shared keys.

    RADIUS is a trusted third party authentication service commonly used with 802.1x, it can speak several EAP variants.
  27. Isaac is a cybersecurity architect for a financial services company. He has been tasked with securing key escrow. The escrow storage is extremely sensitive. What should he use to implement trustworthy key escrow?
    1. Asymmetric encryption
    2. M-of-N control
    3. Certificate chaining
    4. Off-site storage
    Divide the master key into N overlapping parts, give each part to one person, and any M of them can reassemble the master key. You can pick M and N as appropriate for your situation
  28. Ellen is a webmaster for a major high technology company. She will use virtual hosting to provide six web sites with unique domain names on a single server:
    That is, the same corporation name in three top-level domains, both with and without leading "www.". What would be the most economic way to obtain certificates?
    1. Self-signed certificates
    2. Wildcard certificates
    3. Server Alternative Names
    4. Six individual certificates
    This would be one certificate with six names listed under SAN or Server Alternative Names.

    A wildcard certificate could work for, e.g., *, maybe for hosts www, www2, ftp, ns1, ns2, mailbox, and so on, but all would have to be in the same top-level and second-level domain.

    Six individual certificates would work, but at significantly higher cost.

    Self-signed certificates wouldn't work at all for external clients.
  29. Which of the following is not needed to enable any user to encrypt a message which only the intended recipient can read?
    1. PKI
    2. Public keys
    3. Private keys
    4. Hashing
  30. Lee is a security analyst at a software development company. Their data is worth far more than the hardware on which it is stored, and confidentiality is protected with strong encryption. However, management is also concerned about availability. Lee has been tasked with providing availability of cleartext versions of encrypted software, even if an employee loses or destroys their decryption key. What should be set up?
    1. Escrow
    2. Secret sharing
    3. Certificate chaining
    4. Key pinning
    5. Key stapling
    Key escrow keeps backup copies of decryption keys in highly trusted storage. Secret sharing would be something like Diffie-Hellman. Certificate chaining is used in TLS servers. Pinning and stapling are concepts associated with web server certificates, not simple keys.

    Notice that another question provides a hint for this one.
  31. Charlize, a data archivist for a government agency, needs to protect the confidentiality of a large data set. A government regulation requires the use of the Advanced Encryption Standard for this category of data. But in which mode should she employ that cipher?
    1. CBC
    2. CCMP
    3. ECB
    4. GCM
    CBC mode is among the appropriate modes for large block (or file-like) data sets. CCMP mode is used with 802.11, GCM with TLS. ECB is only appropriate for some very specific use cases.
  32. Gary works for a bank, and is designing a wireless solution for customers to use during their visits to bank branches. Which two technologies should he deploy? Select two.
    1. WPA/2 Enterprise
    2. Captive portal
    3. Open system authentication
    4. Enable an Internet-facing SSID
    It's for customers visiting the bank, so WPA/2 Enterprise with its need to enroll their devices into the bank PKI and install certificates is very impractical. "Internet-facing SSID" doesn't really mean anything.

    A captive portal redirects their attempted browser connections to a small local web server, to a page where they check the box for "Yes, I will follow the rules, before routing them out to the Internet."

    Open system authentication means that there's no encryption and no authentication needed.

    This combination is what you find in most US hotels.

30 questions

Passing = 82% of 30 = 24.6

Goal = 91% of 30 = 27.3

To the Cybersecurity Page