Sample Questions
A) PKI has nothing to do with certificates
B) Certificates provide identifying credentials only
C) Certificates identify a certificate authority
D) Certificates provide a copy of a remote system’s private key
E) Certificates provide a copy of a remote system’s public key
A: Certificates provide a signed copy of a remote system’s or user’s public key.
A) Encapsulating Security Payload (ESP)
B) Security Policy (SP)
C) Authentication Header (AH)
D) Challenge-Handshake Authentication Protocol (CHAP)
E) Internet Security Association Key Management Protocol (ISAKMP)
A,C,E: IPsec uses three protocols to provide three kinds of protection.
ESP encrypts packet payloads (and can authenticate them as well).
AH authenticates the packet and guarantees its integrity, but encrypts nothing.
ISAKMP (the framework used by IKE) negotiates the security association and the keys.
A) client and CA exchange certificates
B) client and CA exchange public keys
C) client and CA exchange private keys
D) one CA exchanges certificates with another
E) two CAs sign each other’s certificates
A: E is correct. This strange maneuver, called cross-certification, allows clients in separate administrative domains, each with its own CA, to trust one another's certificates and communicate.
A: We all know what a network sniffer is, and what sniffing is. Don’t forget this “formal” definition.
A) Certificate Policy
B) Certificate Practice Statement
C) CRL
D) JVM
A: A CP is the formal, corporate set of rules for the operation of a PKI, such as auditing, enforcement and requirements (and CP is the right answer). A CPS is the technical, managerial description of actual practice and procedures.
A: No. The term “down-level software” generally means older-version software (down one level in version numbers), which presumably has more known vulnerabilities. Thus it’s usually considered less secure.
A) It’s a long-term solution
B) Allows flexible configuration
C) Provides annual readiness testing
D) Provides only a building; you supply all equipment
E) Gives you a way to use proprietary hardware
F) It’s exclusive to your company
G) It’s a low-cost solution
A: Hot site: A, B, C, E, F. The fastest-recovery solution, it’s fully set up for your company alone, provides annual readiness testing, and allows flexible configuration. But it’s also the most expensive. NOTE that if you select “It’s a high-cost solution” (which is true of a hot site), you’ll be WRONG if the test asks about advantages to your company. High cost? An advantage? Not.
Warm site: B, E. Partially configured and less expensive, a warm site depends on a vendor or support organization to supply proprietary hardware and software – after disaster strikes. Not as quick, but cheaper.
Cold site: A, D, E, G. The cheap alternative, this is simply a building environment. There’s no equipment, so you’ll experience the longest downtime while you get your equipment in place and operating.
A) local (host) security policies
B) file/data ownership
C) domain or network security policies
D) the principle of least privilege
E) separation of duties and responsibilities
A: The mechanisms that limit authorization to resources are B, D and E.
– File and data owners can set rights and permissions on network resources.
– The “principle of least privilege” means that users are given only the minimum necessary level of permissions to network resources to perform their duties – and no more.
– The concept of “separation of duties and responsibilities” means keeping a system of checks and balances. In a truly secure enterprise, no one can entirely control any function. Purchasing decisions, for instance, may be made by a department head, but must be confirmed by a purchasing manager.
A: HTTP typically uses port 80, HTTPS uses 443.
A) An L2TP device that provides a dedicated path
B) A network device that restricts access to prevent attacks
C) A POTS device with a dedicated connection to the CO
D) A network interconnection device between two or more networks
A: We all know what firewalls are (B), what telco devices are (C), what tunneling involves (A), and that a router always routes between multiple networks. Don’t be confused by technobabble.
A) EAP
B) ERP
C) ESP
D) WTLS
A: WAP is the Wireless Application Protocol. It includes:
Wireless Application Environment
Wireless Session Protocol
Wireless Transport Protocol
Wireless Transport Layer Security (WTLS – the correct answer)
Wireless Datagram Protocol
A) WEP
B) Permissions
C) DAC
D) MAC
E) ACL
F) WPA
A: There are a lot of semi-correct acronyms the test could throw at you in this example. The question really is about permissions, but Permissions isn’t the right answer. Neither of the wireless security standards (WEP and WPA) deals with permission settings. DAC is the model that lies behind setting permissions on files you own, not a network setting. MAC here is either Mandatory Access Control (a model, not a setting) or a hardware address; either way it’s a distractor. All the action involving network and user permissions happens at the ACL (Access Control List) level, where permissions are actually set.
A) Everyone
B) System
C) Anonymous
D) Administrator
E) Quick! Shut down the server!
A: Pulling the plug is always the most secure option, short of, say, encasing the server in concrete. But the Admin and the System user absolutely need access to the root directory for the system to run. The Anonymous user shouldn’t have access, but does because it’s a member of Everyone (of course). The real error here is in giving Everyone system root access in the first place, so Everyone is the correct answer here. Note that if Everyone isn’t on the list, but Guest is, Guest will be the correct answer (assuming identical phrasing of the question).
A) L2TP
B) LT2P
C) L2F
D) L2TF
E) PPTP
F) PPP
A: This is a case where knowing exactly what the acronyms mean will really help you. L2TP is Layer 2 (of the OSI model) Tunneling Protocol (a correct answer), L2F is Layer 2 Forwarding (another correct answer), and PPTP is Point-to-Point Tunnelling Protocol (the last correct answer). “Tunnelling” and “forwarding” are the key words here, dead giveaways for VPN operations.
A) RAID 0, disk striping
B) RAID 1, disk mirroring
C) RAID 1, disk duplexing
D) RAID 0, disk striping with parity
E) RAID 5
A: No striping, even with parity, will get you past a disk controller failure (and note that “RAID 0 with parity” doesn’t exist; striping with parity is RAID 5). RAID 1 can be either mirroring (two disks on one controller) or duplexing (two disks on two controllers), and clearly duplexing can survive a failed single controller.
A: Management buy-in is the most important part of any security policy! Remember this point.
A) success/failure of changes to accounts
B) restarts and shutdowns
C) use of accounts during off hours
D) success/failure of access to printers and shares
A: Only the success/failure of access to resources can pinpoint suspicious account activity (among the choices listed here).
A) UTP
B) STP
C) Coaxial
D) Thicknet
E) fiber-optic
A: All of the copper conductors are susceptible to electromagnetic interference (EMI). Only fiber-optic cable is immune to it, because it carries light rather than current.
A) The consultant is using the wrong account.
B) He’s not getting through the firewall.
C) He’s actually a cracker trying to sucker you.
D) He’s trapped in a “honeypot.”
E) Your company would never hire a security consultant.
A: Even if E is true, it’s not the right answer. Of course there is no “hacker” account, so A is wrong. He is conducting an attack against SOMETHING, so he’s certainly getting through the firewall. Your company has retained this consultant, so he’s (most likely) not a cracker. So D, “He’s trapped in a ‘honeypot,'” is the correct answer.
DNS
LAC
LNS
PAP
MS-CHAP
CHAP
A: LNS is “L2TP Network Server,” and LAC is “L2TP Access Concentrator.” At least one mnemonic is that the first letter of each is “L” because each handles part of “L”2TP.
A: No, really. Know that it’s Simple Network Management Protocol.
A) passwords
B) fingerprints and PIN numbers
C) voice recognition and retinal scans
D) PIN numbers and face recognition
A: Passwords and PINs are something you know, not something you are, so they are not biometric. Fingerprints and face recognition are biometric, but B and D each pair a biometric with a PIN. Only C lists two biometrics, so C is correct.
A) CAs use the X.509 standard for certificate format
B) CAs store both public and private keys
C) CAs sign certificates using their public keys
D) CAs sign certificates using their private keys
E) CAs enroll and distribute digital certificates
A: Yes, Virginia, CAs enroll, distribute and revoke certificates. A CA signs certificates using its private key, and uses the X.509 standard for format. A, D and E are true.
A) Telnet
B) SSH
C) SSL
D) S/MIME
E) SHTTP
F) SOCKS
A: SSH (Secure Shell) provides secure, i.e. encrypted, login and session traffic. Telnet encrypts nothing. SSL is primarily used in web traffic, and SHTTP is used exclusively for HTTP traffic. S/MIME is used for secure email.
WARNING! I have seen a version of this question that asks, “which protocol provides secure login and Telnet traffic?” The correct answer was still SSH, but technically Telnet is not involved in SSH; it’s a different protocol.
A) Encrypt using a symmetric algorithm, and give the key to the people you want to access the data
B) digital signatures
C) everyone encrypts all documents
D) Users sign on with their certificates, and all permissions and restrictions are defined on a per-certificate basis.
A: Okay, sharing keys is literally giving the keys away. Digital signatures or encryption alone won’t provide access control, just identification and encryption. The real way to do this is via an LDAP-type directory that recognizes and uses certificates.
A) determine if your systems need the patch
B) perform test installations on non-production computers
C) schedule downtime if a reboot is necessary
D) install the patch on production computers
A: All of these, and any others that become necessary. Patches can bring down your machines. But you knew that already.
A) Smurf attack
B) root kit
C) Ping of Death
D) Fraggle attack
E) Land attack
F) Teardrop attack
A: This particular attack is a Teardrop attack: IP fragments whose offsets overlap, which crashed older stacks during reassembly.
A Smurf attack occurs when an attacker sends ICMP echo requests to a network’s broadcast address with the victim’s address forged as the source. Every host that answers sends its echo reply to the victim, the machine that really holds that IP address. This floods the victim, resulting in DoS. A Smurf is made possible by misconfigured network devices that forward ICMP echoes sent to broadcast addresses.
A Fraggle attack is the same technique, used over UDP (typically the echo and chargen services) rather than ICMP.
A root kit is software installed after a compromise to hide the intruder’s presence and keep privileged (root) access on a Unix computer; it is a post-exploitation tool, not an attack per se.
The Ping of Death sends an ICMP echo request that, once its fragments are reassembled, exceeds the 65,535-byte maximum IP datagram size; it is an oversized-packet attack, not a Smurf variant.
A Land attack is an older one that sends a packet with the same address and port specified as both sender and receiver. This locks up some systems.
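The signatures above are easy to confuse on paper but easy to tell apart in packet fields. The following is an added example, not part of the original page: a small classifier that walks decoded packet records and flags Land, Smurf, Fraggle, Teardrop and Ping of Death by the fields each one abuses. The record format, the sample packets and the assumption that every subnet is a /24 (so a .255 address is a directed broadcast) are all constructed for the example.

```python
"""Flag classic DoS signatures in a list of decoded packet records.

Added example, not from the original page. Records are dicts with the fields a
decoder would hand you: src, dst, proto ('tcp'|'udp'|'icmp'), sport, dport,
icmp_type, ip_id, frag_offset (8-byte units, as in the IP header), more_frags,
and length (data bytes in this fragment). All sample data is constructed.
"""
from collections import defaultdict

MAX_IP_DATAGRAM = 65535   # largest legal reassembled IPv4 datagram, header included
IP_HEADER_LEN = 20        # assumption: no IP options


def is_directed_broadcast(addr):
    """Assumption for the example: every subnet is a /24, so .255 is its broadcast address."""
    return addr.endswith(".255")


def classify(packets):
    """Return (packet index, signature name) for every record that matches a signature."""
    findings = []
    seen_frags = defaultdict(list)   # (src, dst, ip_id) -> [(first byte, last byte + 1)]
    for i, p in enumerate(packets):
        # Land: source and destination address AND port identical.
        if p["proto"] == "tcp" and p["src"] == p["dst"] and p.get("sport") == p.get("dport"):
            findings.append((i, "land"))
        # Smurf (as seen at the amplifier network): ICMP echo request to a directed broadcast.
        if p["proto"] == "icmp" and p.get("icmp_type") == 8 and is_directed_broadcast(p["dst"]):
            findings.append((i, "smurf"))
        # Fraggle: same trick over UDP, usually to the echo (7) or chargen (19) service.
        if p["proto"] == "udp" and p.get("dport") in (7, 19) and is_directed_broadcast(p["dst"]):
            findings.append((i, "fraggle"))
        start = p.get("frag_offset", 0) * 8
        end = start + p["length"]
        if start or p.get("more_frags"):          # this record is part of a fragmented datagram
            key = (p["src"], p["dst"], p["ip_id"])
            # Teardrop: byte range overlaps an earlier fragment of the same datagram
            # (an exact duplicate is a retransmission, not an overlap).
            for s, e in seen_frags[key]:
                if (start, end) != (s, e) and start < e and s < end:
                    findings.append((i, "teardrop"))
                    break
            seen_frags[key].append((start, end))
            # Ping of Death: fragments that would reassemble into more than 65535 bytes.
            if p["proto"] == "icmp" and end + IP_HEADER_LEN > MAX_IP_DATAGRAM:
                findings.append((i, "ping_of_death"))
    return findings


SAMPLE_PACKETS = [   # constructed records, not a real capture
    {"src": "10.0.0.5", "dst": "10.0.0.5", "proto": "tcp", "sport": 139, "dport": 139,
     "ip_id": 1, "frag_offset": 0, "more_frags": False, "length": 40},
    {"src": "10.0.0.9", "dst": "192.168.1.10", "proto": "udp", "sport": 53, "dport": 53,
     "ip_id": 2, "frag_offset": 0, "more_frags": True, "length": 1480},
    {"src": "10.0.0.9", "dst": "192.168.1.10", "proto": "udp", "sport": 53, "dport": 53,
     "ip_id": 2, "frag_offset": 100, "more_frags": False, "length": 200},  # starts at byte 800, inside fragment 1
    {"src": "203.0.113.7", "dst": "192.168.1.255", "proto": "icmp", "icmp_type": 8,
     "ip_id": 3, "frag_offset": 0, "more_frags": False, "length": 56},
    {"src": "198.51.100.2", "dst": "192.168.1.10", "proto": "icmp", "icmp_type": 8,
     "ip_id": 4, "frag_offset": 8180, "more_frags": False, "length": 100},  # would end at byte 65540
    {"src": "192.168.1.20", "dst": "192.168.1.30", "proto": "tcp", "sport": 51000, "dport": 80,
     "ip_id": 5, "frag_offset": 0, "more_frags": False, "length": 0},       # ordinary SYN
]

if __name__ == "__main__":
    for idx, name in classify(SAMPLE_PACKETS):
        print(f"packet {idx}: {name}")
```

Run as written it reports packets 0, 2, 3 and 4 as Land, Teardrop, Smurf and Ping of Death; the benign SYN at the end trips nothing. A real sensor would also need the victim-side view of Smurf (a flood of echo replies from many hosts to one address), which a single-packet rule cannot express.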
A) Phil Zimmermann developed it
B) It uses a web-of-trust model (not a CA)
C) The acronym stands for “Pretty Good Privacy”
D) It provides secure, encrypted email
E) It provides only message encryption, not proof of origin
A: All except the last are true. PGP does provide both sender authentication and message encryption.
A) Web Zone
B) DMZ
C) IPChains
D) ISP
E) VPN
F) Firewall
G) VLAN
A: Don’t be confused by any combination of acronyms. The only (reasonably) safe place to put web servers, and DNS servers if you’re running an ISP for instance, is in the De-Militarized Zone (DMZ).
A) Be running IP forwarding
B) Be in an unsecured location
C) Run lots of services
D) Be hardened and run only essential services
E) Come pre-loaded with a root kit
A: Obviously, servers in the DMZ should be hardened and stripped. The fewer services, the less the vulnerability footprint. And no server should be “in an unsecured location.”
A) Network/Mesh
B) Key ring
C) Trust
D) Weighted
E) Hierarchical
F) Balanced
G) Token ring
A: Network/Mesh, trust, hierarchical, and key ring are the four categories of PKI trust models.
A) One-way
B) Fast
C) Three-way
D) Two-way
E) Slow
A: A hash function turns input of any length into a fixed-length digest from which the input cannot be recovered. This means it’s a one-way process.
A) PGP hash
B) Serial Number
C) Digital Signature
D) Date of creation
E) Name
F) Copy of the certificate holder’s private key
G) Expiration Date
H) Copy of the certificate holder’s public key
A: A PKI certificate contains:
name
serial number
expiration date
digital signature
a copy of the certificate holder’s public key
A) Back up
B) Clear logs
C) Reset auditing
D) Document changes
E) Lock up
A: Consider this a gimme. Good SOP will always include documentation.
A: This is mean stuff if you have a hard time with numbers, but the test expects you to know it because you’ll sometimes need to open these ports.
HTTP = 80
FTP = 21
PPTP = 1723
L2TP = 1701
ISAKMP = 500
LDAP = 389
Telnet = 23
SMTP = 25
POP = 110
MS SQL Server = 1433 (plus UDP 1434 for the browser service)
Oracle = 1521, 1522, 1525 or 1529
NetBIOS over TCP/IP = 137, 138 and 139; SMB directly over TCP = 445 (Windows 2000 and later; the port the Zotob worm attacked)
A) Honeypot
B) Network-based
C) Router-based
D) Host-based
A: A honeypot isn’t an IDS; there are formally only two kinds: network-based and host-based.
Network-based IDSs use a less complex Manager application. Host-based IDSs rely on a single Manager and multiple Agents distributed among PCs. They see more and do more, to put it simply.
A) P2P
B) PGP
C) CHAP
D) Session ticket
E) Lip
A: Be very clear on Kerberos.
Element one is the KDC, or Key Distribution Center. Its Authentication Service takes your username/password, token, or what have you, and issues you a Ticket Granting Ticket (TGT). Your computer will cache the TGT for the rest of your session.
Then, when you want access to an actual network resource, your computer presents its TGT back to the KDC’s Ticket Granting Service. The KDC then gives you a session (service) ticket for that resource. The server that controls the resource checks the ticket with its own key (it never has to call the KDC), accepts it if it’s valid, and gives you access (if you have permission).
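The three exchanges above, as an added example that is not part of the original page: a stdlib-only simulation in which a KDC object plays both the Authentication Service and the Ticket Granting Service, a Service object checks a ticket with nothing but its own key, and the client can only use its cached TGT if it can recover the session key with the right password. The principal names, the realm string used as a salt, and the lifetimes are assumptions; the "encryption" is a toy HMAC keystream with an integrity tag, used only to make the message flow visible, not a real cipher.

```python
"""Toy Kerberos ticket flow: AS exchange, TGS exchange, AP exchange.

Added example, not from the original page. seal()/unseal() are a stand-in for
Kerberos encryption (XOR with an HMAC-SHA256 keystream plus an HMAC tag); they
show which key opens which message and nothing more.
"""
import hashlib
import hmac
import json
import os
import time

TGT_LIFETIME = 8 * 3600   # assumption: TGT lives for a working day
TICKET_LIFETIME = 3600    # assumption: service ticket lives an hour
CLOCK_SKEW = 300          # Kerberos rejects authenticators older than about 5 minutes
SALT = "EXAMPLE.COMalice" # Kerberos salts the password with realm + principal


def derive_key(password, salt=SALT):
    """Long-term key from a password; client and KDC both compute it."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 10_000)


def _stream(key, nonce, n):
    return b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), "sha256").digest()
                    for i in range((n + 31) // 32))[:n]


def seal(key, obj):
    data = json.dumps(obj).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(data, _stream(key, nonce, len(data))))
    return nonce + ct + hmac.new(key, nonce + ct, "sha256").digest()


def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, "sha256").digest()):
        raise ValueError("integrity check failed: wrong key or tampered ticket")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct)))))


def authenticator(session_key, user, now):
    """Proves the client holds the session key right now (timestamp limits replay)."""
    return seal(session_key, {"user": user, "ts": now})


class KDC:
    """Holds every principal's long-term key; acts as AS and TGS."""
    def __init__(self, keys):
        self.keys = keys

    def as_exchange(self, user, now):
        # AS-REP: TGT sealed with the krbtgt key (opaque to the client) plus the TGT
        # session key sealed with the user's key; only the right password opens the latter.
        sk = os.urandom(32)
        tgt = seal(self.keys["krbtgt"], {"user": user, "sk": sk.hex(), "exp": now + TGT_LIFETIME})
        return tgt, seal(self.keys[user], {"sk": sk.hex()})

    def tgs_exchange(self, tgt, auth, service, now):
        # TGS-REQ: the cached TGT comes back with an authenticator under its session key.
        t = unseal(self.keys["krbtgt"], tgt)
        a = unseal(bytes.fromhex(t["sk"]), auth)
        if t["exp"] < now or a["user"] != t["user"] or abs(a["ts"] - now) > CLOCK_SKEW:
            raise ValueError("TGS rejected the TGT or its authenticator")
        ssk = os.urandom(32)
        ticket = seal(self.keys[service], {"user": t["user"], "sk": ssk.hex(), "exp": now + TICKET_LIFETIME})
        return ticket, seal(bytes.fromhex(t["sk"]), {"sk": ssk.hex(), "service": service})


class Service:
    """The resource server: never contacts the KDC, just opens the ticket with its own key."""
    def __init__(self, key):
        self.key = key

    def ap_exchange(self, ticket, auth, now):
        t = unseal(self.key, ticket)
        a = unseal(bytes.fromhex(t["sk"]), auth)
        if t["exp"] < now or a["user"] != t["user"] or abs(a["ts"] - now) > CLOCK_SKEW:
            raise ValueError("service rejected the ticket or its authenticator")
        return t["user"]   # authenticated identity; authorization is the server's next step


def run_flow(typed_password, enrolled_password="correct horse battery", now=None):
    """Login plus one resource access; returns the identity the service accepted."""
    now = now or time.time()
    keys = {"alice": derive_key(enrolled_password), "krbtgt": os.urandom(32), "fileserver": os.urandom(32)}
    kdc, svc = KDC(keys), Service(keys["fileserver"])
    tgt, enc_part = kdc.as_exchange("alice", now)                       # 1. AS exchange
    tgt_sk = bytes.fromhex(unseal(derive_key(typed_password), enc_part)["sk"])
    ticket, enc_part = kdc.tgs_exchange(tgt, authenticator(tgt_sk, "alice", now), "fileserver", now)  # 2. TGS
    svc_sk = bytes.fromhex(unseal(tgt_sk, enc_part)["sk"])
    return svc.ap_exchange(ticket, authenticator(svc_sk, "alice", now), now)   # 3. AP exchange


def wrong_password_rejected():
    """With the wrong password the AS-REP cannot be opened, so the cached TGT is useless."""
    try:
        run_flow("wrong password")
    except ValueError:
        return True
    return False
```

Notice that the password never crosses the wire: the client proves it by decrypting the AS-REP, and from then on only tickets and short-lived authenticators travel. The fileserver validates its ticket offline, which is what makes Kerberos scale and is why a stolen service key (or krbtgt key) is so damaging.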
A) Cryptography
B) Network
C) Heuristic
D) Router
E) Host
F) Statistics
A: IDSs differ along several lines. They include:
Host-based vs. network-based
Active vs. passive
Signature- vs. anomaly-based
But in this case we have a trick(y) question. When is encrypted traffic not encrypted (i.e. analyzable)? When it’s on the host, prior to encryption and transmission. In this instance the right answer is host-based.
A: In this context, a “factor” is anything like a password (something you know) or a token (something you have). Requiring two factors from different categories, then, is always more secure than requiring only one; two passwords are still a single factor.
A) Log violations
B) Monitor activity
C) Analyze activity
D) Prevent attacks
E) Sense attacks
F) Track abnormal activity
A: Again, “Duh!” An IDS is not an IPS, and the literature I’ve seen so far makes it appear CompTIA isn’t talking about these yet (I write 6/17/2005). So just remember that if there’s a “D” then we’re only talking about Detection, not Prevention.
A) NetBEUI
B) rlogin
C) PPP
D) RADIUS
E) SLIP
F) SSL
G) LDAP
A: Tricky, tricky. All of these are client-server protocols, so practically anything could fit, if that were the only requirement. But it’s the “allows” and “centralized server” that are the clues here. What they’re really asking is, which protocol allows a user to communicate ONLY with an authorization server until they’re authenticated – a textbook description of a directory service. Only one is listed here: LDAP. If NDS or AD showed up they’d fit too.
A) A private key
B) A 128-bit value
C) A secret key
D) A 64-bit value
E) A verified cryptospasm
F) A fixed-length 32-bit string
A: If you’re having cryptospasms, see your doctor. But an encrypted hash (that is, a digital signature) starts from a fixed-length value whose size depends only on the hash algorithm, never on the input: MD5 produces 128 bits, SHA-1 160 bits, SHA-256 256 bits.
BE AWARE that some study materials indicate “a fixed 128-bit value” is the answer they’re looking for (the MD5 digest size), even if other length values are listed.
A) DoS
B) Spoofing
C) Scanning other people’s networks
D) Port scanning
E) ICMP redirects
F) Pings
A: Yeah, you should do a Denial of Service attack on yourself. No, a good (series of) port scan(s) is always a part of establishing a security baseline.
A) Users
B) Groups
C) Administrators
D) Token users
E) the police
A: Accountability focuses on the individual. “Users” is the correct answer.
A) ACL: Access Control List
B) MAC: Mandatory Access Control
C) DAC: Discretionary Access Control
D) RBAC: Role-Based Access Control
E) CAC: Configurable Access Control
F) The Wild, Wild West
A: When you see a description like this, the dead giveaways are “security clearance” and “security labels.” Both of these are used only in government-type classified environments, which are run using MAC, the “tightest” of the security models.
A) Confidentiality
B) Spoofing
C) Availability
D) Accountability
E) the parity bit
A: CompTIA loves lists, so know this one. Of the choices offered, the three principles are Confidentiality (data is protected from other eyes), Availability (the people who need it can get it) and Accountability (everything you do can be traced back to you). Note that the classic CIA triad is Confidentiality, Integrity, Availability; Integrity simply isn’t on this list.
A) damage control
B) flaw management
C) risk assessment
D) risk management
E) threat management
F) threat control
A: As much as it feels like damage control, the real task of the IS security pro is risk management (which includes risk assessment). Don’t be confused by any combination of term and “management” or term and “assessment.” This job is all about managing the risk.
A) DSS means “Digital Signature Standard”
B) DSS means “Dual Symmetric Standard”
C) It uses symmetric keys
D) It uses public and private keys
E) It provides non-repudiation
A: A, D and E are true.
A) 3DES
B) PGP
C) PHP
D) PEM
E) S/MIME
A: PGP (Pretty Good Privacy), PEM (Privacy Enhanced Mail) and S/MIME (Secure Multipurpose Internet Mail Extensions) provide authentication and encryption of email.
A) rights and privileges
B) integrity and confidentiality
C) data backups
D) integrity and rights
E) flow control and error handling
F) altruistic synergistics
A: Remember that list: Principles of Security:
Confidentiality
Integrity
Availability
A) an access
B) a hack
C) an attempt
D) an attack
E) a crack
A: Any attempt is an attack, whether it succeeds or not.
A) autodialer
B) cracking
C) denial of service
D) hijacking
E) login attempt
A: The key word here is “denial,” because that’s what’s going on. Of course we’re all primed to look for denial of service.
A) Identification
B) Identity theft
C) Authentication
D) Hijacking
E) Accountability
A: The Security+ test splits these layers very thin. There are three major steps to logging in.
The first is Identification, and happens when I provide a login name, for instance.
The second is Authentication, which happens when I provide a password.
The third is Authorization, which is the actual granting of permissions to a resource.
Within this context, then, the correct answer is Identification. Be wary of vague phrasing in this and related questions.
A) active detection
B) passive detection
C) reactive detection
D) network-based detection
E) host-based detection
F) signature-based detection
G) misuse detection
H) Mozilla detection
A: Know these categories well!
Misuse detection (the correct answer here) gathers and analyzes network traffic, and compares it to a database of attack signatures. This type of IDS requires lots of upkeep.
Anomaly detection is arguably more sophisticated. The IDS analyzes traffic compared to a baseline load, distribution of protocols, packet size and other criteria. Unusual traffic or events are logged.
Network-based IDS (NIDS) analyzes the packets passing through a network, in order to find unusual ones that may have escaped the attention of a firewall.
Host-based IDSs monitor packets on each separate host (computer).
Passive IDSs simply log any event that may be a potential security breach.
Reactive IDSs do more than log: they may log off a user, or actively alter firewall rules to block traffic from suspect sources.
A) based on a mandatory check of user identity
B) enforced via reliable mechanisms
C) based on the properties of an object
D) implemented using a login server. If the server can’t be reached, the mandatory login can’t be done.
A: Mandatory Access Control is all about the properties of network objects. An object has a security rating, and users must have at least that rating to access it.
Compare this to Discretionary Access Control, in which all permissions are at the owner’s discretion. I can grant you read, write, execute or other permissions on my files, a la NTFS or ext2.
Role-Based Access Control is implemented using groups, which have permissions, and users, who are assigned to groups depending on their role in the organization.
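The three models read alike in prose and differ sharply once you write the decision rule down. As an added example (not from the original page), here are the three checks side by side, each run against the same constructed users, objects and request; the labels, compartments, ACL entries and roles are invented for the example, and the MAC rule is the Bell-LaPadula read-down/write-up pair.

```python
"""MAC, DAC and RBAC as three decision functions over the same constructed data.

Added example, not from the original page. Users, objects, labels, ACLs and roles
are all invented.
"""

LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top secret": 3}


def mac_allows(subject, obj, action):
    """Mandatory: the object's label decides, never its owner. Bell-LaPadula rules:
    read only at or below your clearance, write only at or above it (no write-down),
    and every compartment on the object must be in your need-to-know set."""
    if not obj["compartments"] <= subject["compartments"]:
        return False
    clearance, classification = LEVELS[subject["clearance"]], LEVELS[obj["classification"]]
    if action == "read":
        return clearance >= classification
    if action == "write":
        return clearance <= classification
    return False


def dac_allows(subject, obj, action):
    """Discretionary: the owner has full control and hands out rights through an ACL
    (the NTFS / ext2 permission model)."""
    if subject["name"] == obj["owner"]:
        return True
    return action in obj["acl"].get(subject["name"], set())


def rbac_allows(subject, obj, action, role_perms):
    """Role-based: users hold roles, roles hold permissions on object types; ownership is irrelevant."""
    return any(action in role_perms.get(role, {}).get(obj["type"], set())
               for role in subject["roles"])


# Constructed sample data.
ALICE = {"name": "alice", "clearance": "secret", "compartments": {"crypto"}, "roles": {"analyst"}}
BOB = {"name": "bob", "clearance": "unclassified", "compartments": set(), "roles": {"clerk"}}
REPORT = {"type": "report", "owner": "alice", "classification": "secret",
          "compartments": {"crypto"}, "acl": {"bob": {"read"}}}
MEMO = {"type": "memo", "owner": "bob", "classification": "unclassified",
        "compartments": set(), "acl": {}}
ROLE_PERMS = {"analyst": {"report": {"read", "write"}, "memo": {"read"}},
              "clerk": {"memo": {"read", "write"}}}

CASES = [("bob reads report", BOB, REPORT, "read"),
         ("alice reads memo", ALICE, MEMO, "read"),
         ("alice writes memo", ALICE, MEMO, "write"),
         ("bob writes memo", BOB, MEMO, "write")]


def decisions():
    """Same requests, three models, three sets of answers."""
    return {label: {"MAC": mac_allows(s, o, a),
                    "DAC": dac_allows(s, o, a),
                    "RBAC": rbac_allows(s, o, a, ROLE_PERMS)}
            for label, s, o, a in CASES}


if __name__ == "__main__":
    for label, verdicts in decisions().items():
        print(f"{label:20} {verdicts}")
```

The first case is the one the exam is after: under DAC, Alice can simply grant Bob read access to a secret report, and the system obeys her; under MAC the same request is refused because Bob lacks the clearance and the compartment, no matter what the owner wants. The "alice writes memo" case shows the no-write-down rule, which surprises people who expect a higher clearance to be allowed to do everything.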
A) integrity
B) confidentiality
C) access to multiple hosts, though the user must log in to each host
D) non-repudiation
E) single sign-on
A: Kerberos (Cerberus) was the three-headed guard dog of the underworld in Greek myth. In other words, he provided the one barrier to everything beyond, which is exactly what the Kerberos system does in the computing realm: single sign-on.
A) a copy of a remote host’s private key
B) proof that a certificate authority is trustworthy
C) only used for authentication
D) a signed copy of a remote host’s public key
E) Don’t be ridiculous; PKI doesn’t use certificates.
A: Yes, PKI does use certificates, which contain a host’s public key signed by a CA. Private keys are never shared. PKI provides Authentication (a signature made with the private key can be verified by anyone holding the public key, so a valid signature proves who holds that key) and Integrity (the signature covers a hash of the data, so any change to the data breaks it).
A) False positives
B) False negatives
C) Type I errors
D) Type II errors
E) Type III errors
F) Crossover error rate
G) Null error rate
A: With this type of question, you need to know that rejecting a valid user is a Type I error, and accepting an invalid user is a Type II error. The crossover error rate is the error rate when false positives and false negatives are equal; a lower number is a better number. There are no Type III errors, and there is no such measure as a null error rate.
A) Infecting you with a worm
B) A man-in-the-middle attack
C) Installing a trojan
D) A browser hijack
E) Giving you a virus
A: This one’s a gimme; obviously anything like this is a man-in-the-middle attack.
A) social engineering
B) klez
C) dictionary
D) birthday
E) “random-number” attack
F) Anna Kournikova
A: Of these, only the birthday attack involves cryptography. Social engineering is a lousy way to crack cryptography. klez is a worm. A dictionary attack is a password attack, as is a pseudorandom generator attack.
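Why the birthday attack is the one cryptographic attack on this list: the cost of finding any two messages with the same n-bit digest is about 2^(n/2) hashes, not the 2^n a brute-force preimage search needs. The following is an added example, not from the original page; it truncates SHA-256 to a small number of bits (an assumption, standing in for a weak hash) so a collision appears in seconds, and compares the number of attempts with the birthday bound.

```python
"""Birthday attack on a truncated SHA-256: a collision after roughly sqrt(2^n) attempts.

Added example, not from the original page. Truncating the hash to n bits is the
stand-in for a weak hash; the bound being demonstrated is the same for any n.
"""
import hashlib
import math
import random


def truncated_hash(data: bytes, bits: int) -> int:
    """Top `bits` bits of SHA-256, playing the role of an n-bit hash."""
    digest = int.from_bytes(hashlib.sha256(data).digest(), "big")
    return digest >> (256 - bits)


def birthday_collision(bits: int, seed: int = 1):
    """Hash random messages until two different ones share a digest.
    Returns (message1, message2, attempts)."""
    rng = random.Random(seed)          # seeded so the run is reproducible
    seen = {}                          # digest -> first message that produced it
    attempts = 0
    while True:
        msg = rng.getrandbits(64).to_bytes(8, "big")
        attempts += 1
        d = truncated_hash(msg, bits)
        if d in seen and seen[d] != msg:
            return seen[d], msg, attempts
        seen[d] = msg


def expected_attempts(bits: int) -> float:
    """Mean number of hashes before the first collision: sqrt(pi/2 * 2^n).
    A preimage (matching one given digest) would cost about 2^n instead."""
    return math.sqrt(math.pi / 2 * 2 ** bits)


def collision_is_valid(bits: int = 32) -> bool:
    """The two messages differ, their truncated digests agree, and the cost is near the bound."""
    m1, m2, attempts = birthday_collision(bits)
    return (m1 != m2
            and truncated_hash(m1, bits) == truncated_hash(m2, bits)
            and attempts < 10 * expected_attempts(bits))


if __name__ == "__main__":
    bits = 32
    m1, m2, attempts = birthday_collision(bits)
    print(f"{m1.hex()} and {m2.hex()} collide on {bits} bits after {attempts} hashes")
    print(f"birthday bound about {expected_attempts(bits):.0f}; preimage search would need about {2 ** bits}")
```

With 32 bits the collision turns up after on the order of 80,000 hashes, against four billion for a preimage. This is the reason digest length is chosen at twice the intended security level: a 128-bit hash gives only 64-bit collision resistance, which is why MD5 and SHA-1 are gone from signatures, where a collision lets an attacker get a signature on one document and present it on another.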
A) worm
B) smurf
C) trojan
D) macro
E) virus
A: A worm is by definition self-propagating code that travels independently of existing software. Worms such as Code Red spread on their own by exploiting a vulnerability in IIS web servers; no attachment or user action was needed. Email worms do travel as attachments, but the whole attachment is the worm.
A virus propagates by attaching itself to other files. Melissa was a Word macro virus: it arrived as an infected document attachment and mailed itself on, but it lived inside Word documents and could not run as a standalone program.
And a trojan requires human cooperation for its propagation. A trojan by definition appears benign, but frequently destroys data.
Also be familiar with logic bombs, which are not generally “infective” – that is, usually a logic bomb is a one-off booby trap that fires on a condition such as a date or an account being deleted, not a mass mailing, for instance. The most common exploit by a logic bomb is the destruction of data.
DES
Triple DES
AES
RC4 and RC5
Skipjack
Blowfish
CAST-128
RSA
Diffie-Hellman
ElGamal
A: Actually this list is easy. Only the last three are examples of asymmetric encryption. I use the acronym “RED” to remember these three.
YOU CAN COUNT ON SEEING THIS ON THE TEST.
Public Key Encryption (asymmetric encryption):
RSA
Diffie-Hellman
ElGamal
A) FTP
B) HTTP
C) AARP
D) LDAP
E) NMPIRG
A: You can access or distribute digital certificates via FTP, HTTP or LDAP (among others).
A) Host Mode
B) Transport Mode
C) Network Mode
D) Integrity Mode
E) Tunnel Mode
A: Transport Mode and Tunnel Mode are the two modes of IPsec. Transport Mode protects traffic between two end hosts, while Tunnel Mode is used between gateways (routers, VPN concentrators) that protect traffic on behalf of the devices behind them. Important point: Tunnel Mode wraps the entire original packet, header and payload, inside a new IP packet and (with ESP) encrypts all of it, while Transport Mode encrypts only the payload and keeps the original header in the clear.
But you need to understand this one level deeper. IPsec in and of itself provides authentication and encryption over the public internet; on Windows the Policy Agent is what hands it the configured policy.
Internet Key Exchange (IKE) manages peer authentication and key exchange, and does its job before an actual IPsec connection is made. The peers authenticate each other with a pre-shared key (configured on both sides in advance, out of band) or with certificates, and then negotiate the session keys that will protect the IPsec connection. It does this based on the authentication and security information it receives from the Policy Agent. IKE is a combination of ISAKMP and the Oakley Key Determination Protocol.
ISAKMP (the Internet Security Association Key Management Protocol) provides the framework for negotiating what encryption scheme will be used for the IPsec session.
Under IKE, the Diffie-Hellman key-exchange protocol actually performs the key exchange: each side contributes a public value, and both derive the same secret without ever sending it. When a pre-shared key is used for authentication, each party proves it knows the key by sending a hash computed over it, never the key itself.
Once all this is done, IPsec creates the connection. The Authentication Header (AH) signs each packet with a keyed hash to provide authentication and guaranteed integrity. AH never encrypts anything, in either mode; in Tunnel Mode the original header sits inside the authenticated part, but only ESP can encrypt it.
Encapsulating Security Payload (ESP) encrypts the payload (regardless of mode) and can also authenticate it with an integrity check value.
(How’s that for a mouthful?)
A) klez
B) nimda
C) macro
D) worm
E) trojan
F) virus
A: Remember:
A worm is by definition self-propagating code that travels independent of existing software.
A virus must infect another program.
A trojan requires human intervention.
A) Because your phone and data systems are integrated
B) Because your phone system provides a dedicated connection between two LANs
C) Because phone systems are peer-to-peer
D) Because your phone system provides a connection between different kinds of networks
A: Many (but not all) systems combine PBX phone services with data networking. Thus your PBX can be a gateway to your LAN or VPN.
A) client-client networking
B) mutual mistrust model
C) peer-to-peer
D) two-way authentication
E) mutual authentication
A: Sure, you could make an argument for any of these (especially the mutual mistrust model), but the correct term is mutual authentication.
A) encryption algorithms
B) the format of http packets
C) the format of ip packets
D) the format of digital certificates
E) the format of digital signatures
A: X.509 defines the format of digital certificates.
A) Key Escrow uses the X.507 standard for payments
B) Key Escrow is when a trusted third party stores private keys
C) Key Escrow is when a trusted third party stores public keys
D) Key Escrow is the standard for key distribution
E) Key Escrow is a technique for reading keys
A: Key Escrow is a service provided by trusted third-party organizations, which allows the recovery of lost private keys.
A) RSA
B) 3DES
C) kerberos
D) IDEA
E) MD5
F) RC-4
A: They’ll fool you with this one. 3DES, IDEA and RC-4 are symmetric encryption algorithms. MD5, however, is a one-way hash algorithm, and Kerberos is involved in single sign-on. RSA is an asymmetric (public-key) algorithm, used for digital signatures and for encrypting keys rather than bulk data.
A) CRLs are issued by CAs
B) CRLs are Certificate Recovery Lists
C) CRLs are Certificate Revocation Lists
D) CRLs identify digital certificates that are no longer valid
E) CRLs are transmitted using X.509
A: A, C and D are true: Certificate Revocation Lists are issued by CAs, and identify certificates that have been revoked (or put on hold) before their expiration date. Certificates that have merely expired don’t need to be listed; the date on the certificate already invalidates them.
A) meaningless
B) two-way
C) three-way
D) transitive
E) intransitive
A: This is a transitive trust. If User C did NOT trust User A, it would be an intransitive trust.
A) revoked
B) hold
C) suspended
D) lost
E) destroyed
A: Not all certificates listed in CRLs are revoked; certificates on Certification Hold are merely suspended.
A) driver’s license
B) token
C) 3DES
D) biometrics
E) kerberos
A: Tokens, biometrics and kerberos are all involved in authentication (not identification).
A) traffic can be passed as clear text
B) traffic can be encrypted securely
C) 802.11b is slower than 802.11g
D) anyone with the right configuration and a decent signal can connect
A: Don’t fool yourself. Nobody seriously considers 802.11b’s WEP encryption scheme secure, due to weaknesses in the way it uses RC4 (short keys and reused initialization vectors let an attacker recover the key from captured traffic). In the sample tests I’ve seen, nobody seems to be talking about WPA, which is of course more secure, but hardly flawless.
A) a VPN protocol
B) an authentication server
C) a communication protocol allowing network devices to talk to an authentication server
D) working too hard will give you heart TACACS+
A: This question approaches the issue of remote authentication from the back door. What we’d usually be talking about is RADIUS, the open IETF standard for remote authentication. But in this realm, Cisco went its own way with its proprietary TACACS, TACACS+ and XTACACS.
Critical word here: Server. Both RADIUS and TACACS+ are protocols (i.e. they do communication), not servers.
A) confidentiality
B) integrity
C) authentication
A: All of them. The two components of IPsec are actually IKE (Internet Key Exchange, which authenticates the peers and negotiates the keys) and the AH/ESP protocols themselves (which provide integrity, and with ESP confidentiality, for the traffic).
A: All of these. Know this list well!
A) CP
B) CPS
C) CRL
D) OCSP
E) PKCS
A: A Certificate Policy (CP) is the formal, corporate set of rules for the operation of a PKI, such as auditing, enforcement and requirements.
A Certificate Practice Statement (CPS) is the technical, managerial description of actual practice and procedures.
A Certificate Revocation List is a CRL.
Online Certificate Status Protocol (OCSP) is a “live,” internet-based alternative to CRLs.
And the Public Key Cryptography Standards (PKCS) are standards and protocols that dictate secure exchange of data using PKI (Public Key Infrastructure). This is the correct answer.
There seem to be several versions of this type of question; know these acronyms thoroughly!
A) AD domain policies
B) firings
C) education
D) event auditing
A: The test expects you to be magnanimous; education is the only effective way to get any results in this area (take it from me if you haven’t learned this already!).
A) keylogger
B) trojan
C) man in the middle
D) trapdoor
E) replay
A: A keylogger (which may be software or a hardware device) records your keystrokes. It may “phone home,” or it may be secretly picked up.
A trojan is a program that appears to do one thing, but does something malicious instead or in the background.
Man-in-the-middle attacks happen when someone manages to put himself into your traffic stream, where he can alter or intercept data.
A trapdoor is a usually-intentional “opening” into a program that can allow unauthorized access.
A replay attack is similar to a man-in-the-middle exploit, but what seems to be a live session is actually a “replay” of the real action.
A) PKI
B) hashing
C) auditing
D) S-HTTP
E) SSL
A: HTTPS uses SSL as its transport layer. S-HTTP would have been the correct answer if it ever caught on, but it didn’t.
A) Sender and recipient have to trade private keys
B) The public key allows you to calculate the private key
C) The sender encrypts the message with the recipient’s public key
D) The sender encrypts the message with her own private key
A: Be sure you understand how this process works. First, it’s the sender’s responsibility to encrypt the message, of course. And theoretically the sender could encrypt with her own private key and distribute the public key for decryption – but that’s not the way it’s done. The sender encrypts with the recipient’s public key. Why? Because anyone could decrypt a message I sent encrypted with my private key; I only want the designated recipient to be able to decrypt it.
Asymmetric encryption algorithms include: RSA, RC2, RC4, RC5, Blowfish, Diffie-Hellman, and the mysterious El Gamal.
If we were talking about symmetric encryption, we’d be forced to share our private key, because it’s the only way to decrypt. Obviously this is highly open to abuse.
Symmetric encryption algorithms include DES and Triple DES, IDEA (Int’l Data Encryption Algorithm), AES (Advanced Encryption Standard, a.k.a. Rijndael), and the charming Skipjack.
A) Manager
B) Agent
C) Rules
D) Policies
E) Reporting
A: A manager, multiple agents and a reporting subsystem are the three software components of a host-based IDS. Rules and policies are involved too, but they are determined by the manager; the test apparently considers them NOT to be “components.”
A: Darn right this is esoteric. What we’re really looking at are three-part rules.
The first component is the permission: simply “allow” or “deny.”
The second component is the IP address of the external interface (in this case).
The third component is a subnet mask.
So what do we really have? One rule allows all addresses on the internal network to “get to” the external interface. This is nice if we want to access the Internet. The other rule denies any traffic arriving from the outside world that pretends to come from an IP address on our internal network.
Now think about this: what we really have here is a setup that blocks spoofing attempts.
A) Unsuccessful login attempts
B) Successful login attempts
C) Resource accesses
D) Changes to accounts
E) Everything
A: If you think she’s already in, the thing to audit is successful logins. Then you can see exactly when she enters or entered.
A) Worm
B) Virus
C) SYN flood
D) Spoofing
E) Man in the middle
A: I was surprised to read that SYN floods are one of the most common, if not the most common, attacks against web servers.
A) Authentication
B) Integrity
C) Nonrepudiation
D) Confidentiality
E) Authorization
F) Availability
A: I use the acronym CAIN to remember these four goals.
Confidentiality means unauthorized people can’t access the data.
Authentication means only people with the correct credentials can access the data.
Integrity means the data can’t be changed without detection.
Nonrepudiation means the sender can’t deny sending.
A) Worm
B) Virus
C) SYN flood
D) Spoofing
E) Hijacking
A: SYN floods and hijackings are the most common attacks at this layer. Keep in mind that hijacking, in this context, does NOT mean browser hijacks. Instead it refers to an attacker interfering with the predictable flow of traffic to interrupt sessions.
A) UDP 31337
B) TCP 1056
C) UDP 1056
D) UDP 1049
E) TCP 1049
A: BackOrifice uses a whole cluster of ports. By default, the server component runs on UDP 31337.
The client component runs on UDP 1049, but if the BackOrifice HTTP web server is running, it’ll use TCP 1056. (Notice that TCP.)
A) DNS
B) FTP
C) DHCP
D) POP3
E) TCP/IP
F) NetBEUI
A: You know darn well we’re talking about DHCP and DNS. But never forget that both of these run over TCP/IP.