Security+ : Sample Questions

Sample Questions

Q: What exactly is a PKI certificate?

A) PKI has nothing to do with certificates
B) Certificates provide identifying credentials only
C) Certificates identify a certificate authority
D) Certificates provide a copy of a remote system’s private key
E) Certificates provide a copy of a remote system’s public key

A: Certificates provide a signed copy of a remote system’s or user’s public key.

Q: Which of these are components of IPSEC?

A) Encapsulating Security Payload (ESP)
B) Security Policy (SP)
C) Authentication Header (AH)
D) Challenge-Handshake Authentication Protocol (CHAP)
E) Internet Security Association Key Management Protocol (ISAKMP)

A, C, E: IPSEC uses three protocols to provide three types of security.

ESP encrypts packet payloads (and can also authenticate them).

AH provides authentication and integrity for the whole packet, but no encryption.

ISAKMP (the framework that IKE is built on) negotiates security associations and allows secure key exchange.

Q: In PKI cross-certification,

A) client and CA exchange certificates
B) client and CA exchange public keys
C) client and CA exchange private keys
D) one CA exchanges certificates with another
E) two CAs sign each other’s certificates

A: E is correct. This strange maneuver allows clients in segregated administrative domains to communicate.

Q: What’s it called when someone captures and views packets from a network?

A) Fracking
B) Spoofing
C) Phreaking
D) Dissing
E) Sniffing
F) Packet Attack

A: We all know what a network sniffer is, and what sniffing is. Don’t forget this “formal” definition.

Q: All CAs have to have a formal statement of how certificates can be used. This statement is a(n):

A) Certificate Policy
B) Certificate Practice Statement

A: A CP is the formal, corporate set of rules for the operation of a PKI, such as auditing, enforcement and requirements (and CP is the right answer). A CPS is the technical, managerial description of actual practice and procedures.

Q: Is “down-level software” considered more secure? (Yes/No)

A: No. The term “down-level software” generally means older-version software (down one level in version numbers), which presumably has more known vulnerabilities. Thus it’s usually considered less secure.

Q: What are the features of a cold site? A warm site? A hot site?

A) It’s a long-term solution
B) Allows flexible configuration
C) Provides annual readiness testing
D) Provides only a building; you supply all equipment
E) Gives you a way to use proprietary hardware
F) It’s exclusive to your company
G) It’s a low-cost solution

A: Hot site: A, B, C, E, F. The fastest-recovery solution, it’s fully set up for your company alone, provides annual readiness testing, and allows flexible configuration. But it’s also the most expensive. NOTE that if you select “It’s a high-cost solution” (which is true of a hot site), you’ll be WRONG if the test asks about advantages to your company. High cost? An advantage? Not.

Warm site: B, E. Partially configured and less expensive, a warm site depends on a vendor or support organization to supply proprietary hardware and software – after disaster strikes. Not as quick, but cheaper.

Cold site: A, D, E, G. The cheap alternative, this is simply a building environment. There’s no equipment, so you’ll experience the longest downtime while you get your equipment in place and operating.

Q: Access rights and permissions determine (1) who can access resources and (2) which resources they can access. The mechanisms that limit Authorization to resources are:

A) local (host) security policies
B) file/data ownership
C) domain or network security policies
D) the principle of least privilege
E) separation of duties and responsibilities

A: The mechanisms that limit authorization to resources are B, D and E.
– File and data owners can set rights and permissions on the resources they own.
– The “principle of least privilege” means that users are given only the minimum level of permissions needed to perform their duties – and no more.
– The concept of “separation of duties and responsibilities” means keeping a system of checks and balances. In a truly secure enterprise, no one can entirely control any function. Purchasing decisions, for instance, may be made by a department head, but must be confirmed by a purchasing manager.

Q: What two ports are used for http and https?

A: HTTP typically uses port 80, HTTPS uses 443.

Q: Think about it, now: what exactly is a router?

A) An L2TP device that provides a dedicated path
B) A network device that restricts access to prevent attacks
C) A POTS device with a dedicated connection to the CO
D) A network interconnection device between two or more networks

A: We all know what firewalls are (B), what telco devices are (C), what tunneling involves (A), and that a router always routes between multiple networks. Don’t be confused by technobabble.

Q: Which of these is the WAP layer providing security?


A: WAP is the Wireless Application Protocol. It includes:
Wireless Application Environment
Wireless Session Protocol
Wireless Transport Protocol
Wireless Transport Layer Security (WTLS – the correct answer)
Wireless Datagram Protocol

Q: You’re the unfortunate administrator of a wireless network that you’re trying to keep secure. You’ve got things clamped down fairly tightly, but one access point keeps reverting to open permissions. When you get the chance you dig into that access point, you discover that the _____ settings aren’t right; a nearby user is changing the access point’s setup, even though he isn’t supposed to do so.

B) Permissions

A: The answer is ACL. There are a lot of semi-correct acronyms the test could throw at you in this example. The question really is about permissions, but Permissions isn’t the right answer. Neither of the wireless security standards (WEP and WPA) deals with permission settings. DAC is the mechanism that lies behind setting permissions on files you own, not network settings. A MAC address is just a MAC address. But all the action involving network and user permissions, including who may change the access point’s configuration, happens at the ACL (Access Control List) level, where permissions are actually set.

Q: You’ve just set up a Windows 2000 Server, which means of course that it has default security settings. The following users and groups have permissions to the C: folder. Which one should be removed?

A) Everyone
B) System
C) Anonymous
D) Administrator
E) Quick! Shut down the server!

A: Pulling the plug is always the most secure option, short of, say, encasing the server in concrete. But the Admin and the System user absolutely need access to the root directory for the system to run. The Anonymous user shouldn’t have access, but does because it’s a member of Everyone (of course). The real error here is in giving Everyone system root access in the first place, so Everyone is the correct answer here. Note that if Everyone isn’t on the list, but Guest is, Guest will be the correct answer (assuming identical phrasing of the question).

Q: Which of these are used to implement VPDNs (Virtual Private Dial-Up Networks)?

C) L2F

A: This is a case where knowing exactly what the acronyms mean will really help you. L2TP is Layer 2 (of the OSI model) Tunneling Protocol (a correct answer), L2F is Layer 2 Forwarding (another correct answer), and PPTP is Point-to-Point Tunnelling Protocol (the last correct answer). “Tunnelling” and “forwarding” are the key words here, dead giveaways for VPN operations.

Q: You’re using a form of RAID in which data is duplicated across two disks, but you fear that if a disk controller fails you won’t be able to get to either disk. For better fault tolerance, you should be using:

A) RAID 0, disk striping
B) RAID 1, disk mirroring
C) RAID 1, disk duplexing
D) RAID 0, disk striping with parity

A: No striping, even with parity, will get you past a disk controller failure. RAID 1 can be either mirroring (two disks on one controller) or duplexing (two disks on two controllers), and clearly duplexing can get past a failed (single) controller.

Q: What’s the most important element in a new security policy?

A: Management buy-in is the most important part of any security policy! Remember this point.

Q: Select the event that you should audit if you suspect someone is attempting improper access to an account and that account’s data.

A) success/failure of changes to accounts
B) restarts and shutdowns
C) use of accounts during off hours
D) success/failure of access to printers and shares

A: Only the success/failure of access to resources can pinpoint suspicious account activity (among the choices listed here).

Q: Select the cable that provides the best protection from electromagnetic interference, for instance from heavy machinery.

C) Coaxial
D) Thicknet
E) fiber-optic

A: All of the electrical conductors are susceptible to EMI; shielding (coaxial and thicknet) reduces it but doesn’t eliminate it. Only fiber-optic cable, which carries light rather than current, is immune to it.

Q: Your company retains a security consultant to test your network. He lets you know he’s running an attack on your servers. But when you check you see no attack happening. Why is this?

A) The consultant is using the wrong account.
B) He’s not getting through the firewall.
C) He’s actually a cracker trying to sucker you.
D) He’s trapped in a “honeypot.”
E) Your company would never hire a security consultant.

A: Even if E is true, it’s not the right answer. Of course there is no “hacker” account, so A is wrong. He is conducting an attack against SOMETHING, so he’s certainly getting through the firewall. Your company has retained this consultant, so he’s (most likely) not a cracker. So D, “He’s trapped in a ‘honeypot,'” is the correct answer.

Q: What are the two components of L2TP?


A: LNS is “L2TP Network Server,” and LAC is “L2TP Access Concentrator.” At least one mnemonic is that the first letter of each is “L” because each handles part of “L”2TP.

Q: What does the acronym SNMP mean?

A: No, really. Know that it’s Simple Network Management Protocol.

Q: Which of these solutions is entirely biometrics-based?

A) passwords
B) fingerprints and PIN numbers
C) voice recognition and retinal scans
D) PIN numbers and face recognition

A: C is correct: both voice recognition and retinal scans are biometric. Passwords and PINs are something you know, not something you are, so A has no biometric at all, and B and D each pair a real biometric (fingerprint, face) with a PIN. “Entirely biometrics-based” rules those out.

Q: Which of these statements about CAs is true?

A) CAs use the X.509 standard for certificate format
B) CAs store both public and private keys
C) CAs sign certificates using their public keys
D) CAs sign certificates using their private keys
E) CAs enroll and distribute digital certificates

A: Yes, Virginia, CAs enroll, distribute and revoke certificates. A CA signs certificates using its private key, and uses the X.509 standard for format. A, D and E are true.

Q: What protocol provides secure login and traffic?

A) Telnet

A: SSH (Secure Shell) provides secure, i.e. encrypted, login and session traffic. Telnet encrypts nothing. SSL is primarily used in web traffic, and SHTTP is used exclusively for HTTP traffic. S/MIME is used for secure email.

WARNING! I have seen a version of this question that asks, “which protocol provides secure login and Telnet traffic?” The correct answer was still SSH, but technically Telnet is not involved in SSH; it’s a different protocol.

Q: How could you use cryptography for access control?

A) Encrypt using a symmetric algorithm, and give the key to the people you want to access the data
B) digital signatures
C) everyone encrypts all documents
D) Users sign on with their certificates, and all permissions and restrictions are defined on a per-certificate basis.

A: D. Okay, sharing a symmetric key is literally giving the keys away (and you can’t take access back from one person without re-keying everyone). Digital signatures or encryption alone won’t provide access control, just identification/authentication and confidentiality. The real way to do this is via an LDAP-type directory that recognizes certificates and maps them to permissions.

Q: It’s Patch Tuesday, and Microsoft releases a critical update. Your intern wants to go gung-ho and install it, but you know better. You want to follow which step(s) of best practice?

A) determine if your systems need the patch
B) perform test installations on non-production computers
C) schedule downtime if a reboot is necessary
D) install the patch on production computers

A: All of these, and any others that become necessary. Patches can bring down your machines. But you knew that already.

Q: Some systems are weak when it comes to reassembling overlapping IP fragments. Hackers can target these systems by sending a series of overlapping, fragmented IP packets. This kind of attack is called:

A) Smurf attack
B) root kit
C) Ping of Death
D) Fraggle attack
E) Land attack
F) Teardrop attack

A: This particular attack is a Teardrop attack.

A Smurf attack occurs when an attacker sends ICMP echo requests to a network’s broadcast address with a forged source IP – the victim’s address. Every host on that network replies to the victim, which amplifies the traffic and results in DoS. A Smurf is made possible by misconfigured network devices that forward and respond to ICMP echoes sent to broadcast addresses.

A Fraggle attack is the same technique, used over UDP (typically the echo or chargen services) rather than ICMP.

A root kit is not an attack per se: it’s a set of tools an attacker installs after gaining root (or administrator) access, to keep that access and hide their presence from the system’s own tools.

The Ping of Death is not a Smurf variant. It’s a single oversized (malformed) ICMP echo packet, sent in fragments that reassemble to more than the 65,535-byte IP maximum, which crashed computers susceptible to this malformation.

A Land attack is an older one that sends a packet with the same host (and port) specified as both sender and receiver. This locks up some systems.
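As an added example (not part of the original study notes), here is a small Python classifier that recognizes the packet patterns behind the Teardrop, Land, Smurf and Fraggle attacks described above. The packets are constructed summaries, not captured traffic, and the `Packet` fields and attack names are this example’s own.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed packet summary (example code, not from the original page).
@dataclass
class Packet:
    src: str
    dst: str
    proto: str                       # "tcp", "udp" or "icmp"
    sport: int = 0
    dport: int = 0
    icmp_type: Optional[int] = None  # 8 = ICMP echo request
    frag_id: int = 0                 # IP identification field
    frag_offset: int = 0             # offset in bytes (header value * 8)
    length: int = 0                  # bytes of data carried in this fragment
    more_fragments: bool = False     # the MF flag

def is_broadcast(addr: str) -> bool:
    """Crude broadcast check for the /24 networks used in the sample; a real
    sensor would consult the interface's netmask instead."""
    return addr == "255.255.255.255" or addr.endswith(".255")

class AttackClassifier:
    """Stateless checks for Land, Smurf and Fraggle, plus a per-datagram
    fragment table so overlapping fragments (Teardrop) can be spotted."""

    def __init__(self) -> None:
        self._fragments: Dict[Tuple[str, str, int], List[Tuple[int, int]]] = {}

    def classify(self, p: Packet) -> List[str]:
        findings: List[str] = []
        # Land: source and destination address (and port) are identical.
        if p.src == p.dst and p.proto in ("tcp", "udp") and p.sport == p.dport:
            findings.append("land")
        # Smurf: ICMP echo request aimed at a broadcast address, so every host
        # on that network answers the (spoofed) source.
        if p.proto == "icmp" and p.icmp_type == 8 and is_broadcast(p.dst):
            findings.append("smurf")
        # Fraggle: the UDP version, usually aimed at echo (7) or chargen (19).
        if p.proto == "udp" and p.dport in (7, 19) and is_broadcast(p.dst):
            findings.append("fraggle")
        # Teardrop: a fragment whose byte range overlaps one already seen for
        # the same datagram. Legitimate fragments tile the payload edge to edge.
        if p.more_fragments or p.frag_offset > 0:
            key = (p.src, p.dst, p.frag_id)
            start, end = p.frag_offset, p.frag_offset + p.length
            seen = self._fragments.setdefault(key, [])
            if any(start < e and s < end for s, e in seen):
                findings.append("teardrop")
            seen.append((start, end))
            if not p.more_fragments:
                del self._fragments[key]   # last fragment: forget this datagram
        return findings

def classify_stream(packets: List[Packet]) -> List[List[str]]:
    """Run every packet through one classifier instance, in order."""
    clf = AttackClassifier()
    return [clf.classify(p) for p in packets]

# Constructed sample traffic: a benign packet, one of each attack, and a
# legitimately fragmented datagram that must NOT be flagged.
SAMPLE = [
    Packet("10.0.0.5", "10.0.0.1", "tcp", sport=40000, dport=80),
    Packet("10.0.0.1", "10.0.0.1", "tcp", sport=139, dport=139),
    Packet("10.0.0.9", "10.0.0.255", "icmp", icmp_type=8),
    Packet("10.0.0.9", "10.0.0.255", "udp", sport=7, dport=7),
    Packet("1.2.3.4", "10.0.0.1", "udp", frag_id=7, frag_offset=0, length=24, more_fragments=True),
    Packet("1.2.3.4", "10.0.0.1", "udp", frag_id=7, frag_offset=16, length=24),
    Packet("1.2.3.4", "10.0.0.1", "udp", frag_id=8, frag_offset=0, length=24, more_fragments=True),
    Packet("1.2.3.4", "10.0.0.1", "udp", frag_id=8, frag_offset=24, length=16),
]

if __name__ == "__main__":
    for pkt, found in zip(SAMPLE, classify_stream(SAMPLE)):
        print(f"{pkt.src} -> {pkt.dst} {pkt.proto}: {found or 'ok'}")
```

The Teardrop check flags any overlapping fragment, so a retransmitted duplicate would trip it too; a production sensor would compare the overlapping bytes or count occurrences before alerting. The broadcast test is deliberately crude (it assumes /24 networks), which is the kind of shortcut a real NIDS cannot afford.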

Q: Which of these statements about PGP are true?

A) Phil Zimmerman developed it
B) It uses a web-of-trust model (not a CA)
C) The acronym stands for “Pretty Good Privacy”
D) It provides secure, encrypted email
E) It provides only message encryption, not proof of origin

A: All except the last are true. PGP does provide both sender authentication and message encryption.

Q: In which area of your network should you place public DNS and web servers?

A) Web Zone
C) IPChains
F) Firewall

A: Don’t be confused by any combination of acronyms. The only (reasonably) safe place to put public web servers, and public DNS servers if you’re running an ISP for instance, is in the De-Militarized Zone (DMZ): a separate network segment between the internet and your internal LAN, so a compromised public server has no direct path to the inside.

Q: Computers installed in the DMZ should:

A) Be running IP forwarding
B) Run lots of services
C) Be in an unsecured location
D) Be hardened and run only essential services
E) Come pre-loaded with a root kit

A: Obviously, servers in the DMZ should be hardened and stripped. The fewer services, the less the vulnerability footprint. And no server should be “in an unsecured location.”

Q: PKI trust models include:

A) Network/Mesh
B) Key ring
C) Trust
D) Weighted
E) Hierarchical
F) Balanced
G) Token ring

A: Network/Mesh, trust, hierarchical, and key ring (the PGP-style web of trust) are the four categories of PKI trust models.

Q: Hash encryption is a ______ process.

A) One-way
B) Fast
C) Three-way
D) Two-way
E) Slow

A: A. When data is “hashed,” the original can’t be recovered from the result, so it’s a one-way process. (Strictly, hashing isn’t encryption at all: there’s no key and nothing to decrypt, which is exactly why it’s one-way.)

Q: A PKI certificate contains which of the following?

A) PGP hash
B) Serial Number
C) Digital Signature
D) Date of creation
E) Name
F) Copy of the certificates holder’s private key
G) Expiration Date
H) Copy of the certificate holder’s public key

A: A PKI certificate contains:
serial number
expiration date (the end of the validity period; the certificate also carries a start date)
digital signature (the issuing CA’s)
a copy of the certificate holder’s public key
It also names the holder (the subject) and the issuing CA, so if the test counts “Name” as a field, it’s right too. What a certificate never contains is the holder’s private key.

Q: After you perform an upgrade (hardware or software) on a server, test it and put it back into production, what’s the most critical next step?

A) Back up
B) Clear logs
C) Reset auditing
D) Document changes
E) Lock up

A: Consider this a gimme. Good SOP will always include documentation.

Q: What is the port number for HTTP?
MS SQL Server?
NetBIOS over TCP/IP?

A: This is mean stuff if you have a hard time with numbers, but the test expects you to know it because you’ll sometimes need to open these ports.

HTTP = 80
FTP = 21 (control channel; 20 for data in active mode)
PPTP = 1723 (plus GRE, which has no port number)
L2TP = 1701
ISAKMP = 500 (UDP)
LDAP = 389
Telnet = 23
SMTP = 25
POP3 = 110
MS SQL Server = 1433 (TCP) and 1434 (UDP, the SQL Server resolution/browser service, the port the Slammer worm hit)
Oracle = 1521 by default (1522, 1525 and 1529 show up on some installations)
NetBIOS over TCP/IP = 137 and 138 (UDP) and 139 (TCP); Windows 2000 and later also carry SMB directly over TCP 445, the port the Zotob worm attacked

Q: What is the most informative IDS?

A) Honeypot
B) Network-based
C) Router-based
D) Host-based

A: D. A honeypot isn’t an IDS; formally there are only two kinds: network-based and host-based.

Network-based IDSs watch traffic on a network segment and use a less complex Manager application. Host-based IDSs rely on a single Manager and multiple Agents distributed among the hosts, where they can see logs, processes and file changes as well as that host’s own traffic. They see more and do more, to put it simply, which is why the test counts host-based as the most informative.

Q: Under Kerberos, you give this to a server so you can access a resource.

A) P2P
D) Session ticket
E) Lip

A: D, the session ticket (the test may also call it a service ticket). Be very clear on Kerberos.

Element one is a KDC, or Key Distribution Center, which takes your username/password, token, or what have you, and issues you a Ticket Granting Ticket (TGT). The TGT is encrypted with the KDC’s own key, so your computer can present it but can’t read or alter it. Your computer will cache the TGT during your session.

Then, when you want access to an actual network resource, your computer presents its TGT back to the KDC. The KDC then gives you a session ticket for that particular server, encrypted with that server’s key. The server that controls the resource decrypts the session ticket (if it’s valid, that authenticates you) and gives you access (if you have permission; authorization is still that server’s decision).
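To make the three exchanges concrete, here is an added toy model of the Kerberos flow in Python (example code, not from the original page and not a Kerberos implementation). It substitutes an HMAC tag for the encryption real Kerberos applies to tickets, so tickets are readable but unforgeable, and takes an explicit `now` argument instead of reading the clock so that expiry can be tested; the principal names and keys are constructed.

```python
import hashlib
import hmac
import json

def tag(key: bytes, body: bytes) -> str:
    """Keyed hash used both for ticket sealing and for pre-authentication."""
    return hmac.new(key, body, hashlib.sha256).hexdigest()

def seal(key: bytes, fields: dict) -> str:
    """Toy stand-in for the encryption Kerberos applies to tickets: a JSON
    body plus an HMAC tag. Unlike real Kerberos the body is readable by
    anyone, but nobody without `key` can alter it or forge one."""
    body = json.dumps(fields, sort_keys=True)
    return body + "." + tag(key, body.encode())

def unseal(key: bytes, ticket: str) -> dict:
    body, _, mac = ticket.rpartition(".")
    if not hmac.compare_digest(mac, tag(key, body.encode())):
        raise ValueError("bad ticket tag")
    return json.loads(body)

class KDC:
    """Key Distribution Center: knows every principal's long-term key."""

    def __init__(self, user_keys: dict, service_keys: dict, lifetime: int = 600):
        self.user_keys = user_keys
        self.service_keys = service_keys
        self.kdc_key = b"kdc-master-key-constructed-for-the-example"
        self.lifetime = lifetime   # ticket lifetime in seconds

    def as_exchange(self, user: str, authenticator: str, now: int) -> str:
        """Step 1: issue a TGT if the client proves it knows the user's key
        (a keyed hash over the current time, like Kerberos pre-authentication)."""
        key = self.user_keys.get(user)
        if key is None or not hmac.compare_digest(authenticator, tag(key, str(now).encode())):
            raise PermissionError("pre-authentication failed")
        return seal(self.kdc_key, {"type": "tgt", "client": user, "expires": now + self.lifetime})

    def tgs_exchange(self, tgt: str, service: str, now: int) -> str:
        """Step 2: trade a valid TGT for a session (service) ticket that only
        the named service can verify, because it is sealed under that service's key."""
        t = unseal(self.kdc_key, tgt)
        if t["type"] != "tgt" or t["expires"] <= now:
            raise PermissionError("TGT invalid or expired")
        if service not in self.service_keys:
            raise PermissionError("unknown service")
        return seal(self.service_keys[service],
                    {"type": "service", "client": t["client"], "service": service,
                     "expires": now + self.lifetime})

class Service:
    """A resource server: it never talks to the KDC; it trusts tickets sealed
    under its own key and then applies its own access list."""

    def __init__(self, name: str, key: bytes, acl: set):
        self.name, self.key, self.acl = name, key, acl

    def ap_exchange(self, ticket: str, now: int) -> str:
        """Step 3: authenticate the client from the ticket, then authorize."""
        try:
            t = unseal(self.key, ticket)
        except ValueError:
            return "denied: forged ticket"
        if t["type"] != "service" or t["service"] != self.name or t["expires"] <= now:
            return "denied: invalid ticket"
        return "granted" if t["client"] in self.acl else "denied: not authorized"

def login_and_access(kdc: KDC, service: Service, user: str, user_key: bytes, now: int) -> str:
    """The whole client-side sequence: AS exchange, TGS exchange, AP exchange."""
    try:
        authenticator = tag(user_key, str(now).encode())
        tgt = kdc.as_exchange(user, authenticator, now)        # cached for the session
        ticket = kdc.tgs_exchange(tgt, service.name, now)      # one per service
    except PermissionError as err:
        return f"denied: {err}"
    return service.ap_exchange(ticket, now)

# Constructed principals and long-term keys for the example.
USER_KEYS = {"alice": b"alice-long-term-key", "bob": b"bob-long-term-key"}
SERVICE_KEYS = {"fileserver": b"fileserver-long-term-key"}

if __name__ == "__main__":
    kdc = KDC(USER_KEYS, SERVICE_KEYS)
    fileserver = Service("fileserver", SERVICE_KEYS["fileserver"], acl={"alice"})
    print("alice:", login_and_access(kdc, fileserver, "alice", USER_KEYS["alice"], now=1000))
    print("bob:  ", login_and_access(kdc, fileserver, "bob", USER_KEYS["bob"], now=1000))
```

Note who checks what: the KDC is the only party that can verify a TGT, the file server is the only party that can verify its own session ticket, and the file server never contacts the KDC. A valid ticket only proves who you are; the ACL check at the end is authorization, and that remains the server’s decision.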

Q: To analyze encrypted traffic, you’ll need a(n) ____-based IDS system:

A) Cryptography
B) Network
C) Heuristic
D) Router
E) Host
F) Statistics

A: IDSs differ along several lines. They include:
Host-based vs. network-based
Active vs. passive
Signature- vs. anomaly-based

But in this case we have a trick(y) question. When is encrypted traffic not encrypted (i.e. analyzable)? When it’s on the host, prior to encryption and transmission. In this instance the right answer is host-based.

Q: Which is more secure, two-factor authentication, or single-factor?

A: In this context, a “factor” is anything like a password (something you know), a token (something you have) or a fingerprint (something you are). Requiring two factors of different types is more secure than requiring only one, because an attacker has to defeat both. Note that two passwords are still a single factor.

Q: IDS systems do all of the following EXCEPT?

A) Log violations
B) Monitor activity
C) Analyze activity
D) Prevent attacks
E) Sense attacks
F) Track abnormal activity

A: Again, “Duh!” An IDS is not an IPS, and the literature I’ve seen so far makes it appear CompTIA isn’t talking about these yet (I write 6/17/2005). So just remember that if there’s a “D” then we’re only talking about Detection, not Prevention.

Q: Which client-server protocol allows users to communicate with a centralized server?

B) rlogin

A: Tricky, tricky. All of these are client-server protocols, so practically anything could fit, if that were the only requirement. But it’s the “allows” and “centralized server” that are the clues here. What they’re really asking is, which protocol allows a user to communicate ONLY with an authorization server until they’re authenticated – a textbook description of a directory service. Only one is listed here: LDAP. If NDS or AD showed up they’d fit too.

Q: Hash generation takes data of any size and converts it into _____________.

A) A private key
B) A 128-bit value
C) A secret key
D) A 64-bit value
E) A verified cryptospasm
F) A fixed-length 32-bit string

A: If you’re having cryptospasms, see your doctor. Otherwise: a hash takes input of any size and produces a fixed-length value whose size depends on the algorithm, not on the input. MD5 gives 128 bits, SHA-1 160 bits, SHA-256 256 bits. So the honest answer is “a fixed-length value”; nothing here is “encrypted,” since a hash is a keyless digest.

BE AWARE that some study materials indicate “a fixed 128-bit value” is the answer they’re looking for, even if other length values are listed.

Q: Which of these should be performed as part of a security baseline?

A) DoS
B) Spoofing
C) Scanning other people’s networks
D) Port scanning
E) ICMP redirects
F) Pings

A: Yeah, you should do a Denial of Service attack on yourself. No, a good (series of) port scan(s) is always a part of establishing a security baseline.

Q: “Accountability” means that any action can be traced back to:

A) Users
B) Groups
C) Administrators
D) Token users
E) the police

A: Accountability focuses on the individual. “Users” is the correct answer.

Q: In your network, users are assigned a security clearance, and network objects have security labels that show their data classification. What kind of access controls or security levels are we talking about in this environment?

A) ACL: Access Control List
B) MAC: Mandatory Access Control
C) DAC: Discretionary Access Control
D) RBAC: Role-Based Access Control
E) CAC: Configurable Access Control
F) The Wild, Wild West

A: When you see a description like this, the dead giveaways are “security clearance” and “security labels.” Both of these are used mainly in government and military classified environments, which run using MAC, the “tightest” of the security models: the system, not the data’s owner, enforces the labels.

Q: What are the principles of information security?

A) Confidentiality
B) Spoofing
C) Availability
D) Accountability
E) the parity bit

A: CompTIA loves lists, so know this one. From the choices here, the principles are Confidentiality (data is protected from other eyes), Availability (the people who need it can get it) and Accountability (everything you do can be traced back to you). The classic triad is actually Confidentiality, Integrity and Availability; Integrity (data isn’t changed without authorization) isn’t offered as a choice in this version, but count it if it is.

Q: Which of these accurately describes the main responsibility of the IT security pro?

A) damage control
B) flaw management
C) risk assessment
D) risk management
E) threat management
F) threat control

A: D. As much as it feels like damage control, the real task of the IT security pro is risk management (which includes risk assessment). Don’t be confused by any combination of term and “management” or term and “assessment.” This job is all about managing the risk.

Q: Which three of these are true about DSS?

A) DSS means “Digital Signature Standard”
B) DSS means “Dual Symmetric Standard”
C) It uses symmetric keys
D) It uses public and private keys
E) It provides non-repudiation

A: A, D and E are true.

Q: What mechanisms are used for protecting email?


A: PGP (Pretty Good Privacy), PEM (Privacy Enhanced Mail) and S/MIME (Secure Multipurpose Internet Mail Extensions) provide authentication and encryption of email.

Q: Whether securing a single computer or a whole network, the admin must ensure the availability of data but also protect:

A) rights and privileges
B) integrity and confidentiality
C) data backups
D) integrity and rights
E) flow control and error handling
F) altruistic synergistics

A: B. Remember that list, the principles of security: Confidentiality, Integrity and Availability. The question already gives you availability, so what’s left to protect is integrity and confidentiality.

Q: From an IT security standpoint, any attempt to get around security is:

A) an access
B) a hack
C) an attempt
D) an attack
E) a crack

A: Any attempt is an attack, whether it succeeds or not.

Q: What kind of attack attempts to prevent normal access to data by authorized users?

A) autodialer
B) cracking
C) denial of service
D) hijacking
E) login attempt

A: The key word here is “denial,” because that’s what’s going on. Of course we’re all primed to look for denial of service.

Q: ________ is the process by which a user or computer states who they are in order to gain access to a network resource.

A) Identification
B) Identity theft
C) Authentication
D) Hijacking
E) Accountability

A: The Security+ test splits these layers very thin. There are three major steps to logging in.
The first is Identification, and happens when I provide a login name, for instance.
The second is Authentication, which happens when I provide a password.
The third is Authorization, which is the actual granting of permissions to a resource.
Within this context, then, the correct answer is Identification. Be wary of vague phrasing in this and related questions.

Q: IDSs come in several types. Which type performs analysis using a database of attack signatures?

A) active detection
B) passive detection
C) reactive detection
D) network-based detection
E) host-based detection
F) signature-based detection
G) misuse detection
H) Mozilla detection

A: Know these categories well!

Misuse detection (the correct answer here; it’s the same thing as signature-based detection, so expect either name) gathers and analyzes network traffic, and compares it to a database of attack signatures. This type of IDS requires lots of upkeep, since it can’t see an attack until a signature for it exists.

Anomaly detection is arguably more sophisticated. The IDS analyzes traffic compared to a baseline load, distribution of protocols, packet size and other criteria. Unusual traffic or events are logged.

Network-based IDS (NIDS) analyzes the packets passing through a network, in order to find unusual ones that may have escaped the attention of a firewall.

Host-based IDSs run on each separate host (computer) and watch what happens there: logs, processes, file changes, and that host’s own traffic.

Passive IDSs simply log any event that may be a potential security breach.

Reactive IDSs do more than log: they may log off a user, or actively alter firewall rules to block traffic from suspect sources.

Q: Mandatory Access Control is: (select one)

A) based on a mandatory check of user identity
B) enforced via reliable mechanisms
C) based on the properties of an object
D) implemented using a login server. If the server can’t be reached, the mandatory login can’t be done.

A: Mandatory Access Control is all about the properties of network objects. An object has a security rating, and users must have at least that rating to access it.

Compare this to Discretionary Access Control, in which all permissions are at the owner’s discretion. I can grant you read, write, execute or other permissions on my files, a la NTFS or ext2.

Role-Based Access Control is implemented using groups, which have permissions, and users, who are assigned to groups depending on their role in the organization.
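An added example, not from the original page, showing the difference between MAC and DAC in Python: the lattice comparison that MAC enforces (no read up, no write down, in the Bell-LaPadula style) is checked first, and an owner’s ACL grants can only narrow what MAC already allows. Levels, compartments, users and files are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Set

# Ordered sensitivity levels; a higher number is more sensitive.
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top secret": 3}

@dataclass(frozen=True)
class Label:
    """A security label (on objects) or clearance (on subjects): a level plus
    a set of compartments such as "crypto" (constructed names)."""
    level: str
    compartments: FrozenSet[str] = frozenset()

    def dominates(self, other: "Label") -> bool:
        """True when this label is at least as high as `other` and covers all
        of its compartments: the lattice ordering MAC relies on."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and other.compartments <= self.compartments)

@dataclass
class Subject:
    name: str
    clearance: Label

@dataclass
class Obj:
    name: str
    label: Label
    owner: str
    acl: Dict[str, Set[str]] = field(default_factory=dict)  # user -> {"read", "write"}

def mac_allows(op: str, subject: Subject, obj: Obj) -> bool:
    """Mandatory policy: no read up, no write down. Neither the owner nor the
    user can change this outcome; only the labels matter."""
    if op == "read":
        return subject.clearance.dominates(obj.label)
    if op == "write":
        return obj.label.dominates(subject.clearance)
    raise ValueError(f"unknown operation {op!r}")

def dac_allows(op: str, subject: Subject, obj: Obj) -> bool:
    """Discretionary policy: the owner always may; others need an ACL entry
    that the owner granted."""
    if subject.name == obj.owner:
        return True
    return op in obj.acl.get(subject.name, set())

def access(op: str, subject: Subject, obj: Obj) -> str:
    """MAC is consulted first; DAC can only narrow what MAC already permits."""
    if not mac_allows(op, subject, obj):
        return "denied by MAC"
    if not dac_allows(op, subject, obj):
        return "denied by DAC"
    return "granted"

def grant(obj: Obj, user: str, op: str) -> None:
    """The owner's discretionary act: add an ACL entry."""
    obj.acl.setdefault(user, set()).add(op)

# Constructed sample subjects and objects.
alice = Subject("alice", Label("secret", frozenset({"crypto"})))
bob = Subject("bob", Label("confidential"))
plan = Obj("plan.doc", Label("secret", frozenset({"crypto"})), owner="alice")
memo = Obj("memo.txt", Label("confidential"), owner="bob")

if __name__ == "__main__":
    grant(plan, "bob", "read")                                 # alice tries to share her secret file
    print("bob reads plan:   ", access("read", bob, plan))     # denied by MAC: the grant is powerless
    print("alice reads memo: ", access("read", alice, memo))   # denied by DAC: no ACL entry yet
    grant(memo, "alice", "read")
    print("alice reads memo: ", access("read", alice, memo))   # granted
    print("alice writes memo:", access("write", alice, memo))  # denied by MAC: no write down
```

Run it and notice that alice, as owner, can grant bob read on plan.doc but the grant has no effect: bob’s clearance doesn’t dominate the file’s label, so MAC denies before DAC is even consulted. Role-based control would replace the per-user ACL with group (role) membership; a MAC layer on top of it would be unchanged.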

Q: Kerberos provides: (select one)

A) integrity
B) confidentiality
C) access to multiple hosts, though the user must log in to each host
D) non-repudiation
E) single sign-on

A: Kerberos (Cerberus) was the three-headed guard dog of the underworld in Greek myth. In other words, he provided the one barrier to everything beyond, which is exactly what the Kerberos system does in the computing realm: single sign-on.

Q: A PKI certificate is: (select one)

A) a copy of a remote host’s private key
B) proof that a certificate authority is trustworthy
C) only used for authentication
D) a signed copy of a remote host’s public key
E) Don’t be ridiculous; PKI doesn’t use certificates.

A: D. Yes, PKI does use certificates, which contain a host’s public key signed by a CA. Private keys are never shared. Certificates support Authentication (the holder proves it has the private key matching the certified public key) and Integrity (a digital signature verifies under the public key only if the signed data is unchanged), so C, which limits them to authentication, is wrong too.

Q: Which of the following are standard measures of accuracy in a biometric system?

A) False positives
B) False negatives
C) Type I errors
D) Type II errors
E) Type III errors
F) Crossover error rate
G) Null error rate

A: A, B, C, D and F. With this type of question, you need to know that rejecting a valid user is a Type I error (a false negative, measured as the false rejection rate, FRR), and accepting an invalid user is a Type II error (a false positive, the false acceptance rate, FAR). Tightening the matching threshold lowers FAR but raises FRR, and vice versa. The crossover error rate is the error rate at the threshold where the two are equal; a lower number is a better number. There are no Type III errors, and there is no such measure as a null error rate.
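To see how the crossover error rate falls out of the two error types, here is an added Python example (not from the original page) that sweeps an acceptance threshold over constructed matching scores, reports FRR (Type I) and FAR (Type II) at each threshold, and picks the one where they meet.

```python
from typing import Dict, List, Sequence, Tuple

def error_rates(threshold: float, genuine: Sequence[float],
                impostor: Sequence[float]) -> Tuple[float, float]:
    """Return (FRR, FAR) at `threshold`, where a score >= threshold is accepted.
    FRR (Type I): genuine users scoring below the threshold, wrongly rejected.
    FAR (Type II): impostors scoring at/above the threshold, wrongly accepted."""
    frr = sum(1 for s in genuine if s < threshold) / len(genuine)
    far = sum(1 for s in impostor if s >= threshold) / len(impostor)
    return frr, far

def sweep(genuine: Sequence[float], impostor: Sequence[float]) -> List[Dict[str, float]]:
    """Evaluate every observed score as a candidate threshold, lowest first."""
    rows = []
    for t in sorted(set(genuine) | set(impostor)):
        frr, far = error_rates(t, genuine, impostor)
        rows.append({"threshold": t, "frr": frr, "far": far})
    return rows

def crossover(genuine: Sequence[float], impostor: Sequence[float]) -> Dict[str, float]:
    """The threshold where FRR and FAR are closest; the error rate there is the
    crossover (equal) error rate used to compare biometric systems."""
    best = min(sweep(genuine, impostor), key=lambda r: abs(r["frr"] - r["far"]))
    return {**best, "cer": (best["frr"] + best["far"]) / 2}

# Constructed matching scores (0..1, higher = better match) for the example:
# ten genuine attempts and ten impostor attempts.
GENUINE = [0.92, 0.88, 0.85, 0.81, 0.79, 0.75, 0.70, 0.66, 0.60, 0.55]
IMPOSTOR = [0.62, 0.58, 0.52, 0.50, 0.45, 0.41, 0.38, 0.33, 0.30, 0.22]

if __name__ == "__main__":
    for row in sweep(GENUINE, IMPOSTOR):
        print(f"threshold {row['threshold']:.2f}  FRR {row['frr']:.2f}  FAR {row['far']:.2f}")
    print("crossover:", crossover(GENUINE, IMPOSTOR))
```

In the constructed data the two rates meet at a threshold of 0.60 with 10% each, so the CER is 0.10; raising the threshold to 0.80 drives FAR to zero but rejects 60% of genuine users. A vendor quoting only one of the two rates is hiding the other end of that trade-off.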

Q: I’ve managed to insert my computer into the traffic stream between you and your server. To you, I look like the server. To the server, I look like you. What am I doing?

A) Infecting you with a worm
B) A man-in-the-middle attack
C) Installing a trojan
D) A browser hijack
E) Giving you a virus

A: This one’s a gimme; obviously anything like this is a man-in-the-middle attack.

Q: Which of these is a cryptographic attack?

A) social engineering
B) klez
C) dictionary
D) birthday
E) “random-number” attack
F) Anna Kournikova

A: Of these, only the birthday attack involves cryptography. Social engineering is a lousy way to crack cryptography. klez is a worm. A dictionary attack is a password attack, as is a pseudorandom generator attack.
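An added Python example (not from the original page) covering both the hash-length question above and the birthday attack here. It shows that a digest’s size depends only on the algorithm, then runs a birthday attack against SHA-256 truncated to 24 bits, which needs only about 2^12 attempts, and contrasts that with a brute-force second-preimage search, which needs about 2^24 on the same truncated hash. The truncation and the message format are this example’s own; none of this is a weakness in SHA-256 itself.

```python
import hashlib
import itertools
import math
from typing import Tuple

def digest_bits(algorithm: str, data: bytes) -> int:
    """Output size in bits: fixed by the algorithm, independent of len(data)."""
    return hashlib.new(algorithm, data).digest_size * 8

def truncated_sha256(data: bytes, bits: int) -> int:
    """The first `bits` bits of SHA-256 as an integer. Truncating is what lets
    the toy collision search below finish in milliseconds instead of centuries."""
    full = int.from_bytes(hashlib.sha256(data).digest(), "big")
    return full >> (256 - bits)

def expected_birthday_attempts(bits: int) -> float:
    """Roughly sqrt(pi/2 * 2^bits) messages are needed before two collide."""
    return math.sqrt(math.pi / 2 * 2 ** bits)

def birthday_collision(bits: int, prefix: bytes = b"msg-") -> Tuple[bytes, bytes, int]:
    """Birthday attack: hash distinct messages and remember every digest seen
    until one repeats. Returns (message_a, message_b, attempts)."""
    seen = {}
    for i in itertools.count():
        msg = prefix + str(i).encode()        # constructed message format
        h = truncated_sha256(msg, bits)
        if h in seen:
            return seen[h], msg, i + 1
        seen[h] = msg

def second_preimage_attempts(target: bytes, bits: int, limit: int,
                             prefix: bytes = b"pre-") -> int:
    """Brute-force search for a different message with the same truncated
    digest as `target`. Returns attempts used, or -1 once `limit` is reached.
    On average this needs about 2^bits tries: no square-root shortcut here."""
    want = truncated_sha256(target, bits)
    for i in range(limit):
        msg = prefix + str(i).encode()
        if msg != target and truncated_sha256(msg, bits) == want:
            return i + 1
    return -1

if __name__ == "__main__":
    for alg in ("md5", "sha1", "sha256"):
        print(alg, digest_bits(alg, b""), digest_bits(alg, b"x" * 1_000_000))
    a, b, n = birthday_collision(24)
    print(f"collision after {n} tries (expected about "
          f"{expected_birthday_attempts(24):.0f}): {a!r} and {b!r}")
    print("second-preimage tries on the same 24 bits (capped at 20000):",
          second_preimage_attempts(a, 24, limit=20_000))
```

The collision search costs memory as well as time, since every digest seen is stored, but the square-root advantage is why a hash needs twice the output bits of the security level you want: 128-bit security against collisions means a 256-bit digest.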

Q: Of these types of malware, which one both propagates without any human intervention, and does not embed itself in another program?

A) worm
B) smurf
C) trojan
D) macro
E) virus

A: A worm is by definition self-propagating code that travels independently of existing software. Code Red spread by exploiting a buffer overflow in IIS web servers directly over the network; mass-mailing worms instead travel as email attachments, and the whole attachment is the worm.

A virus propagates by attaching itself to other files. Melissa is a macro virus that arrived as an infected Word document attached to email: the attachment was the infected file, and Melissa couldn’t be an attachment on its own.

And a trojan requires human cooperation for its propagation. A trojan by definition appears benign, but frequently destroys data (or opens a back door).

Also be familiar with logic bombs, which are not generally “infective” – that is, usually a logic bomb is a one-off booby trap, not a mass mailing, for instance. The most common exploit by a logic bomb is the destruction of data.

Q: Which of these are examples of symmetric encryption, and which are examples of asymmetric encryption?

Triple DES
RC 4 and RC 5

A: Actually this list is easy. Only the last three are examples of asymmetric encryption. I use the acronym “RED” to remember these three.

Public Key Encryption (asymmetric encryption):

Q: Select at least three mechanisms for accessing or distributing digital certificates.


A: You can access or distribute digital certificates via FTP, HTTP or LDAP (among others).

Q: Select the two modes of IPSec.

A) Host Mode
B) Transfer Mode
C) Network Mode
D) Integrity Mode
E) Tunnel Mode

A: Transport Mode (some study materials, and this question, spell it “Transfer Mode”) and Tunnel Mode are the two modes of IPSec. Transport mode protects traffic end to end between two hosts; Tunnel Mode is used when a gateway (a VPN router or firewall) protects traffic on behalf of hosts behind it, so there are other devices between the real endpoints. Important point: Tunnel Mode wraps the entire original packet, header included, inside a new IP packet, so the original header is protected too, while Transport Mode protects only the payload and leaves the original header in the clear.

But you need to understand this one level deeper. IPSec in and of itself provides authentication and encryption over the public internet; on Windows, the Policy Agent service applies the configured IPSec policy.

Internet Key Exchange (IKE) manages peer authentication and key exchange, and does its job before an actual IPSec connection is made. It authenticates the peers (with pre-shared keys or certificates) and then derives the session keys that secure the IPSec connection. A pre-shared key is configured on both sides ahead of time and is never itself sent over the wire. IKE does this based on the authentication and security settings it receives from the Policy Agent. IKE is a combination of ISAKMP and the Oakley Key Determination Protocol.

ISAKMP (the Internet Security Association Key Management Protocol) provides the framework for negotiating security associations: which encryption and authentication scheme will be used for the IPSec session.

Under IKE, the Diffie-Hellman key-exchange protocol actually performs the key exchange, so the session keys are never transmitted. When pre-shared keys are used for authentication, each party proves it knows the key by sending a hash derived from it, not the key itself.

Once all this is done, IPSec creates the connection. The Authentication Header (AH) covers each packet with a keyed hash to provide authentication and guaranteed integrity; AH never encrypts anything. In Tunnel Mode the original IP header is inside the protected part of the packet (and, with ESP, inside the encrypted part).

Encapsulating Security Payload (ESP) encrypts payloads (regardless of mode) and can also authenticate them with a keyed hash.

(How’s that for a mouthful?)

Q: A program that has the following two properties:
1. It moves from host to host without needing human intervention
2. It’s self-contained, and doesn’t infect other software (or need to)
is a:

A) klez
B) nimda
C) macro
D) worm
E) trojan
F) virus

A: Remember:

A worm is by definition self-propagating code that travels independent of existing software.
A virus must infect another program.
A trojan requires human intervention.

Q: A consultant tells you your phone system is vulnerable to attack. Why is he even concerned about this?

A) Because your phone and data systems are integrated
B) Because your phone system provides a dedicated connection between two LANs
C) Because phone systems are peer-to-peer
D) Because your phone system provides a connection between different kinds of networks

A: Many (but not all) systems combine PBX phone services with data networking. Thus your PBX can be a gateway to your LAN or VPN.

Q: In the most common model of client-server networking, the client has to authenticate itself to a server. But in higher-security models, each participant in a transaction must definitively identify itself to the other. This is called:

A) client-client networking
B) mutual mistrust model
C) peer-to-peer
D) two-way authentication
E) mutual authentication

A: Sure, you could make an argument for any of these (especially the mutual mistrust model), but the correct term is mutual authentication.

Q: To what does the X.509 standard apply?

A) encryption algorithms
B) the format of http packets
C) the format of ip packets
D) the format of digital certificates
E) the format of digital signatures

A: X.509 defines the format of digital certificates.

Q: Which of these statements about Key Escrow is true?

A) Key Escrow uses the X.507 standard for payments
B) Key Escrow is when a trusted third party stores private keys
C) Key Escrow is when a trusted third party stores public keys
D) Key Escrow the standard for key distribution
E) Key Escrow is a technique for reading keys

A: Key Escrow is a service provided by trusted third-party organizations, which allows the recovery of lost private keys.

Q: Which of these are NOT encryption algorithms?

C) kerberos
E) MD5
F) RC-4

A: They’ll fool you with this one. 3DES, IDEA and RC-4 are encryption algorithms. MD5, however, is a one-way hash algorithm, and Kerberos is involved in single sign-on. RSA is a signature algorithm.

Q: Which of these statements about CRLs are true?

A) CRLs are issued by CAs
B) CRLs are Certificate Recovery Lists
C) CRLs are Certificate Revocation Lists
D) CRLs identify digital certificates that are no longer valid
E) CRLs are transmitted using X.509

A: A, C and D are true: Certificate Revocation Lists are issued by CAs, and identify expired or revoked certificates.

Q: User A trusts User B, and User B trusts User C. If User A trusts User C because User B does, this is what kind of trust?

A) meaningless
B) two-way
C) three-way
D) transitive
E) intransitive

A: This is a transitive trust. If User C did NOT trust User A, it would be an intransitive trust.

Q: CRLs are Certificate Revocation Lists. A certificate listed on Certification Hold in a CRL is in what state?

A) revoked
B) hold
C) suspended
D) lost
E) destroyed

A: Not all certificates listed in CRLs are revoked; certificates on Certification Hold are merely suspended.

Q: Which of these are used for authentication?

A) driver’s license
B) token
D) biometrics
E) kerberos

A: Tokens, biometrics and kerberos are all involved in authentication (not identification).

Q: All of the below are true of IEEE 802.11b except:

A) traffic can be passed as clear text
B) traffic can be encrypted securely
C) 802.11b is slower than 802.11g
D) anyone with the right configuration and a decent signal can connect

A: Don’t fool yourself. Nobody seriously considers 802.11b’s WEP encryption scheme secure, due to key weaknesses. In the sample tests I’ve seen, nobody seems to be talking about WPA, which is of course more secure, but hardly flawless.

Q: What is TACACS+?

A) a VPN protocol
B) an authentication server
C) a communication protocol allowing network devices to talk to an authentication server
D) working too hard will give you heart TACACS+

A: This question approaches the issue of remote authentication from the back door. What we’d usually be talking about is RADIUS, the open IETF standard for remote authentication. But in this realm, Cisco went its own way with its proprietary TACACS, TACACS+ and XTACACS.

Critical word here: Server. Both RADIUS and TACACS+ are protocols (i.e. they do communication), not servers.

Q: Which of these are provided by IPsec?

A) confidentiality
B) integrity
C) authentication

A: All of them. The two components of IPsec are actually IKE (Internet Key Exchange, which provides authentication) and IPsec (which provides confidentiality and integrity assurance via encryption).

Q: Which of these are true of IPsec?

A) IPsec provides authentication and encryption
B) It travels over the Internet
C) It operates at Layer 3
D) It can secure all applications that run at Layer 4 or higher

A: All of these. Know this list well!

Q: Time for acronym soup. Which of these comprises the protocols and standards used to securely exchange information under PKI?


A: A Certificate Policy (CP) is the formal, corporate set of rules for the operation of a PKI, such as auditing, enforcement and requirements.

A Certificate Practice Statement (CPS) is the technical, managerial description of actual practice and procedures.

A Certificate Revocation List is a CRL.

Online Certificate Status Protocol (OCSP) is a “live,” internet-based alternative to CRLs.

And the Public Key Cryptography Standards (PKCS) are standards and protocols that dictate secure exchange of data using PKI (Public Key Infrastructure). This is the correct answer.

There seem to be several versions of this type of question; know these acronyms thoroughly!

Q: What’s the best way to make your users employ strong passwords?

A) AD domain policies
B) firings
C) education
D) event auditing

A: The test expects you to be magnanimous; education is the only effective way to get any results in this area (take it from me if you haven’t learned this already!).

Q: There are many kinds of attacks. Define:

A) keylogger
B) trojan
C) man in the middle
D) trapdoor
E) replay

A: A keylogger (which may be software or a hardware device) records your keystrokes. It may “phone home,” or it may be secretly picked up.
A trojan is a program that appears to do one thing, but does something malicious instead or in the background.
Man-in-the-middle attacks happen when someone manages to put himself into your traffic stream, where he can alter or intercept data.
A trapdoor is a usually-intentional “opening” into a program that can allow unauthorized access.
A replay attack is similar to a man-in-the-middle exploit, but what seems to be a live session is actually a “replay” of the real action.

Q: What protocol is being used by a web page that begins with “https://”?

B) hashing
C) auditing

A: HTTPS uses SSL as its transport layer. S-HTTP would have been the correct answer if it ever caught on, but it didn’t.

Q: Which way does public-key encryption work?

A) Sender and recipient have to trade private keys
B) The public key allows you to calculate the private key
C) The sender encrypts the message with the recipient’s public key
D) The sender encrypts the message with her own private key

A: Be sure you understand how this process works. First, it’s the sender’s responsibility to encrypt the message, of course. And theoretically the sender could encrypt with her own private key and distribute the public key for decryption – but that’s not the way it’s done. The sender encrypts with the recipient’s public key. Why? Because anyone could decrypt a message I sent encrypted with my private key; I only want the designated recipient to be able to decrypt it.

Asymmetric encryption algorithms include: RSA, RC2, RC4, RC5, Blowfish, Diffie-Hellman, and the mysterious El Gamal.

If we were talking about symmetric encryption, then we’re forced to share our private key because it’s the only way to decrypt. Obviously this is highly open to abuse.

Symmetric encryption algorithms include DES and Triple DES, IDEA (Int’l Data Encryption Algorithm), AES (Advanced Encryption Standard, a.k.a. Rijndael), and the charming Skipjack.

Q: Which of these are components of a host-based IDS?

A) Manager
B) Agent
C) Rules
D) Policies
E) Reporting

A: A manager, multiple agents and a reporting subsystem are the three software components of a host-based IDS. Rules and policies are involved too, but they are determined by the manager; the test apparently considers them NOT to be “components.”

Q: A router ACL question:

You’re looking at the router’s ACL for the INTERNAL network, which you know operates on the subnet. You see this rule:


You scratch your head and check out the ACL for the EXTERNAL network, and see:


What conclusions can you draw from this?

A: Darn right this is esoteric. What we’re really looking at are three-part rules.

The first component is the permission: simply “allow” or “deny.”
The second component is the IP address of the external interface (in this case).
The third component is a subnet mask.

So what do we really have? One rule allows all addresses on the internal network to “get to” the external interface. This is nice if we want to access the Internet. The other rule denies anyone from the outside world from pretending it has an IP address on our internal network.

Now think about this: what we really have here is a setup that blocks spoofing attempts.

Q: Now for a question about auditing. If you’re suspicious that a cracker has broken into your system, what should you audit?

A) Unsuccessful login attempts
B) Successful login attempts
C) Resource accesses
D) Changes to accounts
E) Everything

A: If you think she’s already in, the thing to audit is successful logins. Then you can see exactly when she enters or entered.

Q: Which of these is the most common attack against web servers?

A) Worm
B) Virus
C) SYN flood
D) Spoofing
E) Man in the middle

A: I was surprised to read that SYN floods are one of the most, if not the most common attack against web servers.

Q: Cryptographic security has what four goals?

A) Authentication
B) Integrity
C) Nonrepudiation
D) Confidentiality
E) Authorization
F) Availability

A: I use the acronym CAIN to remember these four goals.

Confidentiality means unauthorized people can’t access the data.

Authentication means only people with the correct credentials can access the data.

Integrity means the data can’t be changed without detection.

Nonrepudiation means the sender can’t deny sending.

Q: What are the most common attacks against the Transport Layer of the OSI network model?

A) Worm
B) Virus
C) SYN flood
D) Spoofing
E) Hijacking

A: SYN floods and hijackings are the most common attacks at this layer. Keep in mind that hijacking, in this context, does NOT mean browser hijacks. Instead it refers to an attacker interfering with the predictable flow of traffic to interrupt sessions.

Q: Uh-oh. You’ve got BackOrifice. Which ports should you look at?

A) UDP 31337
B) TCP 1056
C) UDP 1056
D) UDP 1049
E) TCP 1049

A: BackOrifice uses a whole cluster of ports. By default, the server component runs on UDP 31337.

The client component runs on UDP 1049, but if the BackOrifice HTTP web server is running, it’ll use TCP 1056. (Notice that TCP.)

Q: A tricky question about services: your server assigns IP addresses, and resolves IP addresses to domain names. Which of the below must you leave enabled?


A: You know darn well we’re talking about DHCP and DNS. But never forget that both of these run over TCP/IP.
