Which of the following are effective defenses against man-in-the-middle attacks? (Choose THREE)
Users can detect invalid certificates.
Why this answer
HTTPS, VPNs, and certificate validation help prevent MITM.
45 of 120 questions · Page 2/2 · Cc Network Security topic · Answers revealed
An IT administrator wants to inspect HTTP traffic for malicious payloads such as SQL injection. Which network security device is most appropriate?
WAF is designed for application-layer HTTP inspection.
A security analyst notices unusual traffic on the network. Using Wireshark, they capture packets and see that an attacker is reading all unencrypted data from the network segment. Which type of attack is most likely being performed?
Correct. Sniffing captures unencrypted traffic, as seen in the scenario.
Why this answer
Sniffing or eavesdropping involves capturing network traffic to read data. In this scenario, unencrypted data is being read, which is characteristic of sniffing.
Which of the following ports is used by HTTPS?
Why this answer
HTTPS uses port 443 by default for encrypted web traffic.
An organization wants to implement network segmentation to improve security. Which three methods are commonly used for network segmentation? (Select THREE.)
Subnetting divides IP address space.
Why this answer
VLANs, subnets, and DMZs are common segmentation methods. Firewalls enforce rules but are not segmentation methods themselves; IDS is a monitoring tool.
Which of the following ports is commonly used for secure web traffic (HTTPS)?
Port 443 is for HTTPS.
An organization wants to segment its network so that public-facing servers are isolated from internal users. Which network design component should be used?
A DMZ isolates public-facing servers from the internal network.
Why this answer
A DMZ (demilitarized zone) is a separate network segment that hosts public-facing services, isolated from the internal LAN.
An organization wants to allow external users to securely access internal web applications. Which network security device is specifically designed to inspect HTTP/HTTPS traffic and block malicious requests?
WAF inspects HTTP/HTTPS and filters malicious payloads like SQL injection.
During a security assessment, a penetration tester captures network traffic and notices that the source IP address in packets appears to be from a different network. Which technique is the attacker likely using?
IP spoofing forges the source IP address.
Why this answer
IP spoofing involves forging the source IP address in packets to impersonate another system or hide the true origin. This can be used in various attacks like DDoS or session hijacking.
An attacker sends a flood of SYN packets to a server, never completing the three-way handshake, exhausting the server's resources and causing it to become unresponsive. What type of attack is this?
Correct. SYN flood targets TCP handshake.
Why this answer
A SYN flood is a type of DoS attack that exploits the TCP three-way handshake by sending many SYN packets and not completing the handshake.
A company wants to protect its internal web server from common web application attacks. Which two security measures are most appropriate? (Choose TWO.)
Correct. A WAF inspects HTTP/HTTPS traffic and blocks attacks.
Which TCP segment is sent to initiate the three-way handshake?
Correct. Client sends SYN to start the handshake.
Why this answer
The three-way handshake starts with a SYN (synchronize) packet from the client.
Which protocol operates at the Transport layer of the OSI model and is connectionless and unreliable?
UDP is connectionless and unreliable.
Why this answer
UDP is connectionless and does not guarantee delivery, making it fast but unreliable.
A security analyst detects a large number of half-open TCP connections targeting a web server. This is most likely indicative of what type of attack?
SYN flood targets TCP handshake to cause resource exhaustion.
Why this answer
A SYN flood attack exploits the TCP three-way handshake by sending many SYN packets without completing the handshake, exhausting server resources. This is a type of DoS attack.
A security team is investigating a potential man-in-the-middle attack. Which TWO of the following are common techniques used in MITM attacks? (Select TWO.)
Poisoned ARP tables redirect traffic to the attacker.
Why this answer
ARP poisoning redirects traffic, and rogue Wi-Fi access points intercept communications.
An attacker sends forged ARP messages to associate their MAC address with the IP address of a legitimate server. This allows the attacker to intercept traffic intended for that server. What is this attack?
ARP spoofing uses forged ARP messages to redirect traffic.
Why this answer
ARP spoofing (or ARP poisoning) involves sending fake ARP replies to associate the attacker's MAC with a victim's IP, enabling man-in-the-middle attacks.
A network administrator is planning to segment the network. Which of the following are valid segmentation methods? (Choose TWO)
Subnetting divides IP address space.
Why this answer
VLANs and subnetting are common segmentation techniques.
Which two of the following are best practices to mitigate man-in-the-middle attacks? (Select TWO.)
HTTPS encrypts and validates server identity.
A network engineer wants to mitigate ARP spoofing attacks. Which of the following is the most effective technique?
DAI uses DHCP snooping to validate ARP.
Why this answer
Dynamic ARP Inspection (DAI) validates ARP packets to prevent spoofing.
Which THREE of the following are common mitigation techniques against Denial of Service (DoS) attacks?
Rate limiting restricts the number of requests from a source.
Why this answer
DoS mitigation includes using DDoS protection services, rate limiting, and filtering traffic based on IP reputation.
IPS can drop packets or reset connections in real time.
A security analyst notices unusual traffic from an internal workstation to an external IP address on port 25. Which protocol is most likely being used?
Correct. SMTP uses port 25 for email transmission.
Why this answer
Port 25 is the default port for SMTP (Simple Mail Transfer Protocol).
Which of the following is a security concern associated with the Telnet protocol?
Telnet sends all data unencrypted.
An organization wants to securely manage network devices from remote locations. Which of the following protocols should be used for command-line access?
SSH provides encrypted remote access.
Which firewall type reads packet headers and also tracks the state of active connections to make filtering decisions?
Stateful firewalls track connection state.
Why this answer
Stateful inspection firewalls maintain a state table to track connections, allowing return traffic for permitted outbound connections.
Application proxy examines application-layer content.
Which common port is used by DNS and which transport layer protocol does it primarily use?
A security analyst wants to detect and analyze attacker behavior by deploying a decoy system. Which three characteristics apply to a honeypot? (Choose THREE.)
Correct. Honeypots lure attackers away from real assets.
Why this answer
Honeypots are decoy systems designed to attract attackers, provide early warning, and allow analysis of attacker techniques. They do not contain real production data and are not used for legitimate traffic.
Which transport layer protocol is used by voice over IP (VoIP) applications that require low latency and can tolerate some packet loss?
UDP is low-latency and suitable for real-time traffic.
Why this answer
UDP is connectionless and faster, making it suitable for real-time applications like VoIP where occasional packet loss is acceptable.
Which protocol is used to resolve IP addresses to MAC addresses on a local network?
ARP resolves IP addresses to MAC addresses.
Why this answer
ARP (Address Resolution Protocol) maps IP addresses to MAC addresses, operating at the Layer 2/3 boundary.
Which of the following is a characteristic of a stateful firewall that distinguishes it from a stateless firewall?
Stateful firewalls track connection states.
Why this answer
A stateful firewall maintains a state table to track active connections, allowing it to make decisions based on the context of the traffic.
A security team deploys a passive device that monitors network traffic and generates alerts when it detects suspicious patterns, but it does not take any action. This device is best described as a:
Correct. IDS is passive, alerting only.
An organization decides to implement a security control that can detect and block attacks in real-time by sitting inline in the network. Which of the following should be chosen to meet these requirements?
Correct. IPS is inline and can block.
A company's network has multiple VLANs. An attacker on VLAN 10 sends a frame with a forged source MAC address to a switch, hoping to intercept traffic intended for the default gateway. Which attack is being executed?
Correct. ARP spoofing forges MAC-IP associations.
Why this answer
ARP spoofing (or ARP poisoning) involves sending forged ARP messages to associate the attacker's MAC with the IP of another device (e.g., default gateway), enabling traffic interception.
Which port number is associated with HTTPS, and what protocol encrypts the communication?
Which protocol is used to resolve IP addresses to MAC addresses on a local network?
ARP resolves IP to MAC.
Why this answer
ARP (Address Resolution Protocol) maps IP to MAC addresses.
Which two of the following are characteristics of a stateful firewall? (Choose TWO.)
Correct. Stateful firewalls maintain a state table.
Why this answer
A stateful firewall tracks the state of active connections and can block unsolicited inbound traffic. Packet filtering is stateless, and application inspection is typical of proxy firewalls.
A company is experiencing a distributed denial-of-service (DDoS) attack that is overwhelming the network bandwidth. Which THREE mitigation techniques are most effective?
Rate limiting restricts the amount of traffic from a source.
Why this answer
Traffic filtering, rate limiting, and using a CDN can help absorb DDoS traffic. Changing IP addresses is reactive and not a standard mitigation; disabling ICMP may help against some attacks but is not a primary mitigation.
An attacker captures network traffic using Wireshark and reads unencrypted emails. Which security goal is most directly compromised?
Confidentiality is breached when data is read by an unauthorized party.
Why this answer
Sniffing captures sensitive data, violating confidentiality.
An organization deploys a network security device that inspects application-layer payloads, can block malicious HTTP requests, and uses OWASP rules. Which type of device is this?
Correct. A WAF inspects HTTP/HTTPS and uses OWASP rules.
A security analyst is reviewing network traffic and needs to identify which of the following protocols are inherently insecure because they transmit data in cleartext. (Select TWO.)
FTP transmits credentials and data in cleartext.
An organization wants to implement a network security device that can block malicious traffic in real-time and must be placed inline. Which device should be chosen?
An IPS is inline and can block traffic.
NGFWs can perform deep packet inspection including SSL decryption.
Why this answer
NGFWs often include SSL inspection capabilities to examine encrypted traffic for threats.
Which layer of the OSI model is responsible for routing packets across networks?
The Network layer routes packets.
Why this answer
The Network layer (Layer 3) handles routing and logical addressing (IP addresses).
Which security control would best mitigate the risk of network sniffing on a wired LAN segment?
Correct. Encryption renders sniffed data confidential.