Domain 4 Quiz

Domain 4 Quiz

1. Yoyodyne Corporation plans to use Active Directory for single sign-on throughout the enterprise. Which network protocols must be added to the ALLOW list in all internal router ACLs? Select two.
   1. LDAP
   2. LDAPS
   3. Kerberos
   4. X.500
   Active directory is the combination of DNS, LDAP, and Kerberos, plus a shared back-end database. But given the choice of an insecure and secure version of the same protocol, always select the secure one. The LDAP interface allows clients to interact with an X.500 database, but it isn't a protocol on the network.
2. Dmitri's company wants to establish SSO. The initial analysis concluded that they need a system that handles both authentication and authorization with tokens. Dmitri has concluded that the protocol used by Facebook and LinkedIn is the most promising. He is favoring:
   1. SAML
   2. OAUTH
   3. OpenID
   4. WS-Federation
   5. Shibboleth
   OAUTH is the answer when social media is involved. OpenID has similar capability and operation, and would be used across the Internet, but the user gets an OpenID token from some place that isn't social media or intentionally working like social media. SAML and WS-Federation are much more business-like: A cloud-based identity provider like Okta, Oracle, or one of the "Big Three" of AWS, Google, and Microsoft, is paid by the corporation to provide identity services for personnel. Shibboleth works much like SAML but is found mostly in academic settings. Rather than pay big money to a cloud provider, someone involved says "We'll do this with a free software package and some effort by our skilled personnel."
3. Kristina works at a financial services firm that suffered a major breach. They have implemented a centralized AAA system regulating access to the Intranet. After proving their identity with a smart card and a complex passphrase, users are connected to the appropriate VLAN. Internal services are only provided to user sessions holding valid service tickets. Intranet activity records are continuously analyzed to detect inappropriate or malicious activity. Identify this latter activity.
   1. Identification
   2. Authentication
   3. Authorization
   4. Auditing
   Many questions have a lot of distracting content. This question is really no more than "What is the name for monitoring activity?"
4. Pedro's manager has been given a recommendation that they implement a single-sign on solution in which user sessions will have cryptographic software tokens providing their identity, their authorization to use services, and the cryptographic keys used to secure their communication. What should Pedro recommend?
   1. Kerberos
   2. RADIUS
   3. SAML
   4. VPN
   The Kerberos TGT proves their identity. A service ticket specifies the symmetric key for that user communicating with that service — it isn't exactly authorization as most people use Kerberos, but it's close enough. This certainly isn't RADIUS, SAML, or a VPN.
5. Mikhail, a system administrator, has been asked by Kelli, a database administrator, to create an account for the new database project. The account should require authenticated access, have auditing enable, but incapable of interaction, with credentials that rarely if ever change. What type of account should Mikhail create?
   1. Ordinary user
   2. Privileged user
   3. Administrator
   4. Guest
   5. Service
   6. Management
   The list of four attributes must all be true. "Incapable of interaction" is unusual, and it eliminates the first four choices. This account will own database tables and processes, but will never be used interactively. It's similar to the user apache or nginx owning the web service configuration file, logs, and web service processes. The question is really: "What do we call these types of accounts, service or management?"
6. Which password policy setting would require a user to include both digits and special characters in their password?
   1. Prohibiting dictionary words
   2. Length
   3. Complexity
   4. Maximum age
   5. Minimum age
   6. Expiration
   7. Length
   The usual concept is "character classes" — lower-case, upper-case, digits, and other or special. Requiring a mix of classes is complexity. Random numbers would not be in the dictionary, but they would be all-digit strings.
7. Akira authenticates with a device that displays a different value every minute. What is this an example of?
   1. Multi-factor
   2. OTP
   3. HOTP
   4. TOTP
   Many people will say "multi-factor" because they're assuming that this is in addition to a password, but the question only mentions the token. TOTP is a time-based one-time password. Yes, it will actually involved hashing within the token, but HOTP or hash-based one-time password implied something like repeated hashing.
8. Kerberos provides which three of the following? Select three.
   1. Network intrusion detection
   2. ESSO
   3. Cryptographic key control
   4. Log analysis and alerting
   5. An API supporting third-party applications
   6. A "single pane of glass" dashboard
   Applications written to use Kerberos capabilities are said to be "Kerberized".
9. Functional SSO must incorporate which of the following?
   1. Active Directory
   2. RADIUS
   3. Federated identity management
   4. Kerberos
   Single sign-on requires federated identities. You could do that with Kerberos alone, or with AD which contains Kerberos.
10. Which of these is an XML-based open-source standard that involves an IdP or Identity Provider, an SP or Service Provider, and a Principal, and is the basis for several other authentication systems?
    1. SAML
    2. OAUTH
    3. OpenID
    4. Shibboleth
    5. WS-Federation
11. A military contractor is very worried about physical intrusion. They need to keep unauthorized individuals out of sensitive areas. Inappropriately allowing an unauthorized individuals into an area is classified as which of the following:
    1. False Acceptance
    2. False Rejection
    3. False Positive
    4. False Negative
    5. Fail Open
    6. Fail Closed
    The first two are commonly considered with biometrics, where there is no precisely correct input and the system must decide "close enough". The middle two are associated with automated decision making like virus detection and vulnerability detection. The last two have to do with the behavior during failure or other unexpected situations; automatic locking doors should fail open when the fire alarm is sounding, to protect life and safety.
12. Which of these is an open-source standards-based solution for single sign-on web authentication, based largely on SAML?
    1. OAUTH
    2. OpenID
    3. EAP-TLS
    4. Shibboleth
    5. WS-Federation
    SAML and WS-Federation are corporate solutions. Shibboleth is very similar to SAML, but is used largely in academic settings.
13. Mutual authentication involves which two? Select two.
    1. Client authenticating the server
    2. Client authorizing the server
    3. Server authenticating the client
    4. Server authorizing the client
    For example, you can only connect in to work using your laptop that has a work certificate installed.
14. You are equipping a forensics team. Which of these would be most useful?
    1. A set of precision screwdrivers
    2. A playbook
    3. Luminol
    4. Latex gloves and masks
    The last two are for biomedical work, CompTIA will trap people who like a certain type of TV show. The first might be useful, eventually. But a playbook is always useful during a forensics investigation, planning in advance for decision points during an incident.
15. You observe this data.

    11:43:57.293662 IP 192.168.1.1 > 192.168.1.7: ICMP echo request, id 5331, seq 1, length 64
    11:43:57.294143 IP 192.168.1.7 > 192.168.1.1: ICMP echo reply, id 5331, seq 1, length 64
    11:43:58.294308 IP 192.168.1.1 > 192.168.1.7: ICMP echo request, id 5331, seq 2, length 64
    11:43:58.294730 IP 192.168.1.7 > 192.168.1.1: ICMP echo reply, id 5331, seq 2, length 64
    11:43:59.322328 IP 192.168.1.1 > 192.168.1.7: ICMP echo request, id 5331, seq 3, length 64
    11:43:59.322645 IP 192.168.1.7 > 192.168.1.1: ICMP echo reply, id 5331, seq 3, length 6 

    Which tool or defensive measure was involved? Select two.
    1. Wireshark
    2. ping
    3. nmap
    4. tcpdump
    5. netstat
    6. arp
    7. ifconfig
    That's the output from tcpdump, which you could also get by saving Wireshark output to a text file (or running the text-output version, tshark). Yes, a ping command was running to generate this traffic, but its output is different.
16. You observe this data.

    www.google.com (172.217.6.4) 56(84) bytes of data.
    64 bytes from ord38s01-in-f4.1e100.net (172.217.6.4): icmp_seq=1 ttl=116 time=26.9 ms
    64 bytes from ord38s01-in-f4.1e100.net (172.217.6.4): icmp_seq=2 ttl=116 time=28.2 ms
    64 bytes from ord38s01-in-f4.1e100.net (172.217.6.4): icmp_seq=3 ttl=116 time=27.2 ms
    64 bytes from ord38s01-in-f4.1e100.net (172.217.6.4): icmp_seq=4 ttl=116 time=27.2 ms
    64 bytes from ord38s01-in-f4.1e100.net (172.217.6.4): icmp_seq=5 ttl=116 time=28.5 ms
    
    --- www.google.com statistics ---
    5 packets transmitted, 5 received, 0% packet loss, time 4005ms
    rtt min/avg/max/mdev = 26.976/27.673/28.568/0.621 ms 

    Which tool or defensive measure was involved?
    1. Wireshark
    2. ping
    3. nmap
    4. tcpdump
    5. netstat
    6. arp
    7. ifconfig
    That's ping output with its name removed. On the test you can go back, so if you realize that this is ping output while earlier that must have been tcpdump capture of it, you can go back and change your answer.
17. You observe this data.

    enp9s0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
            inet 192.168.1.1  netmask 255.255.255.0  broadcast 192.168.1.255
            inet6 2601:249:4300:cb:a62:66ff:fe2c:ab1c  prefixlen 64  scopeid 0x0<global>
            inet6 fe80::a62:66ff:fe2c:ab1c  prefixlen 64  scopeid 0x20<link>
            ether 08:62:66:2c:ab:1c  txqueuelen 1000  (Ethernet)
            RX packets 16332198  bytes 4799272313 (4.7 GB)
            RX errors 0  dropped 3  overruns 0  frame 0
            TX packets 27220877  bytes 32805346549 (32.8 GB)
            TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0 

    Which tool or defensive measure was involved?
    1. Wireshark
    2. ping
    3. nmap
    4. tcpdump
    5. netstat
    6. arp
    7. ifconfig
    That's ifconfig output, the now outdated tool on Linux. If they showed you the up-to-date ip addr command instead, it would look like this:

    2: enp9s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
        link/ether 08:62:66:2c:ab:1c brd ff:ff:ff:ff:ff:ff
        inet 192.168.1.1/24 brd 192.168.1.255 scope global enp9s0
           valid_lft forever preferred_lft forever
        inet 192.168.1.2/24 brd 192.168.1.255 scope global secondary enp9s0
           valid_lft forever preferred_lft forever
        inet6 2601:249:4300:cb:a62:66ff:fe2c:ab1c/64 scope global dynamic mngtmpaddr
           valid_lft 345510sec preferred_lft 345510sec
        inet6 fe80::a62:66ff:fe2c:ab1c/64 scope link
           valid_lft forever preferred_lft forever 

18. You observe this data.

    Host is up (0.00031s latency).
    rDNS record for 192.168.1.40: hplj4250n.kc9rg.org
    Not shown: 993 closed ports
    PORT      STATE SERVICE    VERSION
    80/tcp    open  http       Virata-EmWeb 6.2.1 (HP LaserJet http config)
    280/tcp   open  http       Virata-EmWeb 6.2.1 (HP LaserJet http config)
    443/tcp   open  ssl/https?
    515/tcp   open  printer
    7627/tcp  open  http       HP-ChaiSOE 1.0 (HP LaserJet http config)
    9100/tcp  open  jetdirect?
    14000/tcp open  tcpwrapped
    MAC Address: 00:12:79:DF:81:B1 (Hewlett Packard)
    Device type: printer
    Running: HP embedded
    OS details: HP LaserJet 4250 (JetDirect) printer
    Network Distance: 1 hop
    Service Info: Host: 192.168.1.40; Device: printer 

    Which tool or defensive measure was involved?
    1. Wireshark
    2. ping
    3. nmap
    4. tcpdump
    5. netstat
    6. arp
    7. ifconfig
    That's nmap output, with the first and last lines showing its own name removed. I scanned my laser printer.
19. You observe this data.

    192.168.1.4 at dc:a6:32:36:a9:4e [ether] on enp9s0
    192.168.1.218 at b8:27:eb:1f:f6:87 [ether] on enp9s0
    192.168.1.20 at b8:27:eb:03:6b:37 [ether] on enp9s0
    192.168.1.205 at b8:27:eb:f9:ea:4d [ether] on enp9s0
    192.168.1.7 at b8:27:eb:95:25:5b [ether] on enp9s0
    192.168.1.40 at 00:12:79:df:81:b1 [ether] on enp9s0
    192.168.1.254 at 38:94:ed:fa:48:88 [ether] on enp9s0
    192.168.1.42 at 00:1c:50:ac:72:1e [ether] on enp9s0
    192.168.1.3 at dc:a6:32:36:a9:4e [ether] on enp9s0 

    Which tool or defensive measure was involved?
    1. Wireshark
    2. ping
    3. nmap
    4. tcpdump
    5. netstat
    6. arp
    7. ifconfig
    Windows uses dashes instead of colons in MAC addresses in arp output.
20. You observe this data.

    Proto Recv-Q Send-Q Local Address          Foreign Address        (state)
    tcp        0      0 www.http               ec2-54-251-14-39.http  SYN_RCVD
    tcp        0      0 www.http               97-127-152-158.c.http  SYN_RCVD
    tcp        0     72 www.ssh                c-67-162-124-176.57046 ESTABLISHED
    tcp        0      0 www.ssh                c-67-162-124-176.56956 TIME_WAIT
    tcp        0      0 www.57694              metadata.google..http  ESTABLISHED
    tcp        0      0 localhost.9000         localhost.45172        TIME_WAIT
    tcp        0      0 www.https              cpe-184-153-88-7.45718 ESTABLISHED
    tcp        0      0 www.https              ec2-54-90-33-176.40684 ESTABLISHED
    tcp        0      0 www.https              petalbot-114-119.32762 TIME_WAIT
    tcp        0      0 www.https              static.kpn.net.49168   ESTABLISHED
    tcp        0      0 www.https              static.kpn.net.49169   ESTABLISHED
    tcp        0      0 www.https              185-97-201-166.n.1480  ESTABLISHED
    tcp        0      0 www.https              185-97-201-166.n.1478  ESTABLISHED
    tcp        0      0 www.https              185-97-201-166.n.1476  ESTABLISHED
    tcp        0      0 www.https              crawl-66-249-79-.52368 TIME_WAIT
    tcp        0      0 www.https              crawl-66-249-79-.35610 TIME_WAIT
    tcp        0      0 www.http               crawl-66-249-68-.58406 TIME_WAIT
    tcp        0      0 www.https              84.93.94.244.56895     ESTABLISHED
    tcp        0      0 www.https              ip-99-203-20-246.19011 ESTABLISHED
    tcp        0      0 www.https              pool-96-252-105-.51616 TIME_WAIT
    tcp        0     63 www.https              CPE589630c056fc-.59897 FIN_WAIT_1
    tcp        0      0 www.http               200.46.45.114.50849    CLOSED
    tcp        0      0 www.http               201.130.137.117..44167 CLOSED
    tcp        0      0 *.https                *.*                    LISTEN
    tcp        0      0 *.http                 *.*                    LISTEN
    tcp        0      0 localhost.9000         *.*                    LISTEN
    tcp        0      0 *.ssh                  *.*                    LISTEN
    tcp6       0      0 *.ssh                  *.*                    LISTEN
    tcp        0      0 localhost.smtp         *.*                    LISTEN 

    Which tool or defensive measure was involved?
    1. Wireshark
    2. ping
    3. nmap
    4. tcpdump
    5. netstat
    6. arp
    7. ifconfig
    I just ran netstat -a on my server, with some clients caught in the act of downloading pages.
    
    A questions on an earlier quiz showed the command. Once in a while on the real test, one question tells you the answer to a different question.
21. You observe this command output.

    ;; connection timed out; no servers could be reached 

    What is wrong?
    1. DNS cache poisoning has happened
    2. Your workstation cannot contact the nameserver
    3. The domain does not exist
    4. There is no host with the requested name
    The servers it's talking about are DNS nameservers.
22. Which of these can you put in a boot script to prevent MitM?
    1. nmap -sS -sV -T5 192.168.12.72
    2. arp -s 00:13:3B:12:6f:aa 192.168.12.72
    3. tcpdump -i eth0 host 192.168.12.72 or ether host 00:13:3b:12:6f:aa
    4. netstat -an
    5. ping 192.168.12.72
    That arp syntax sets up static ARP, it's that same syntax on Windows, Linux, MacOS, BSD, and probably other places. Static ARP isn't at all practical, but it could prevent MitM connection hijacking with ARP spoofing. Once you set a static ARP mapping, the operating system no longer uses ARP to make requests, or pays attention to inbound unsolicited ARP "answers". The other commands are nmap (port scanning and OS detection), tcpdump (packet capture), netstat (measuring TCP/UDP activity), and ping (testing end-to-end IP connectivity). Static ARP is the only one that has any preventative function.

Passing = 82% of 22 = 18.0

Goal = 91% of 22 = 20.0