ESP provides both encryption and authentication, encapsulating the entire original packet.
Why this answer
ESP in tunnel mode encrypts and authenticates the entire original IP packet, while AH only authenticates.
75 of 79 questions · Page 1/2 · Sscp Network Security topic · Answers revealed
A security analyst is reviewing a TLS 1.3 deployment. Which THREE of the following are features of TLS 1.3?
TLS 1.3 requires forward secrecy.
Why this answer
TLS 1.3 removed vulnerable cipher suites, mandates forward secrecy, and supports 0-RTT for faster handshakes.
During a wireless penetration test, an attacker captures the four-way handshake of a WPA2-PSK network and attempts to crack the passphrase offline. Which attack is the attacker likely using?
PMKID allows offline cracking of the PSK using the PMKID from the beacon or probe response.
Why this answer
The PMKID attack targets WPA2-PSK by capturing the PMKID from the RSN IE, which can be computed offline to brute-force the passphrase without requiring a full handshake.
An attacker sends a forged ARP reply associating the attacker's MAC address with the IP address of the default gateway. What type of attack is this?
This is the classic ARP spoofing attack, where the attacker sends fake ARP messages to intercept traffic.
Why this answer
ARP spoofing involves sending gratuitous ARP replies to associate the attacker's MAC with another IP address, enabling man-in-the-middle attacks at Layer 2.
Port 443 is the standard port for HTTPS.
An organization wants to ensure that only authorized devices can connect to the corporate wired network. Which technology should they implement to enforce this?
NAC with 802.1X authenticates and authorizes devices on the network.
Why this answer
Network Access Control (NAC) with 802.1X authenticates devices before granting network access, enforcing compliance and authorization.
A network administrator is tasked with segmenting the network to isolate a DMZ containing public-facing web servers from the internal corporate network. Which device should be placed between the DMZ and internal network, and what type of traffic should it allow?
A firewall can enforce least privilege between segments.
Why this answer
A firewall should be used to control traffic; it should allow only necessary inbound and outbound traffic while blocking direct access from DMZ to internal network.
A network administrator is troubleshooting a DNS poisoning attack. Which TWO countermeasures can help prevent such attacks? (Select two)
DNSSEC adds cryptographic signatures to DNS records.
Why this answer
DNSSEC validates DNS responses to prevent spoofing, and using secure DNS resolvers (like Quad9 or Cloudflare) can filter malicious domains. Disabling recursion is a best practice but not a direct countermeasure against poisoning. DHCP snooping is for DHCP attacks.
Firewalls don't prevent DNS poisoning.
DHCP snooping allows only authorized DHCP servers to respond to client requests.
Why this answer
DHCP snooping is a switch feature that filters DHCP messages based on trusted ports, blocking rogue DHCP servers.
In IPsec VPNs, which protocol provides authentication and encryption of the entire IP packet, including the IP header, in tunnel mode?
ESP provides both authentication and encryption, and in tunnel mode protects the entire original packet.
Why this answer
ESP (Encapsulating Security Payload) in tunnel mode encrypts and authenticates the entire original IP packet, adding a new IP header. AH (Authentication Header) does not provide encryption.
Which of the following best describes the function of SYN cookies in mitigating SYN flood attacks?
This is the correct description of SYN cookies.
Why this answer
SYN cookies allow the server to avoid allocating resources for half-open connections until the handshake completes, preventing resource exhaustion.
Which attack sends a flood of forged ICMP echo requests to a network's broadcast address to overwhelm a target?
A Smurf attack leverages broadcast amplification.
Why this answer
A Smurf attack sends ICMP echo requests with the victim's spoofed source IP to the broadcast address, causing all hosts to reply to the victim, amplifying traffic.
Many SSL VPNs can check for antivirus, updates, etc., before connecting.
Why this answer
SSL/TLS VPNs use standard ports (often 443) to bypass firewalls, can perform endpoint posture checks, and allow split tunneling for performance.
During a security assessment, a penetration tester discovers that the network uses WPA2-PSK. Which attack could be used to recover the pre-shared key without interacting with the access point after capturing a single handshake?
The PMKID is included in the first EAPOL frame and can be used to crack the PSK offline.
Why this answer
The PMKID attack allows offline cracking of the PSK using information from the first frame of the 4-way handshake, even without a full handshake.
Which wireless security protocol uses the Simultaneous Authentication of Equals (SAE) handshake to replace the Pre-Shared Key (PSK) method and provides stronger protection against offline dictionary attacks?
WPA3 uses SAE to replace PSK.
Tunnel mode encrypts the entire IP packet and adds a new header.
Why this answer
In tunnel mode, the entire original IP packet is encapsulated and encrypted, with a new IP header added, suitable for site-to-site VPNs.
Which protocol and port combination is commonly used for secure remote administration of a server?
SSH is the standard secure remote administration protocol.
A company wants to deploy a network IDS that can analyze traffic patterns and detect anomalies. Where should the IDS sensor be placed to monitor all traffic on a network segment without introducing latency?
SPAN port copies traffic for monitoring without affecting flow.
Why this answer
A passive tap or SPAN port allows the IDS to monitor traffic without being inline, avoiding latency.
An attacker sends a gratuitous ARP reply associating the attacker's MAC address with the default gateway's IP address. Which attack is being performed, and what is the primary risk?
The attacker positions themselves between the victim and gateway.
An organization deploys a firewall that examines the entire packet, including application-layer data, and can block specific commands or content. Which type of firewall is this?
Application proxy firewalls terminate and inspect application-layer protocols, allowing granular control.
A company wants to deploy a firewall that can track the state of active connections and make decisions based on the context of traffic flows. Which firewall type should they choose?
Stateful firewalls track connection state for context-aware filtering.
Why this answer
Stateful firewalls maintain a state table and track the state of connections, allowing them to make more intelligent filtering decisions compared to stateless packet filters.
An attacker sends a flood of DHCP request packets with spoofed MAC addresses to exhaust the DHCP server's IP address pool, preventing legitimate clients from obtaining IP addresses. This attack is known as:
Correct description of the attack.
Why this answer
DHCP starvation exhausts the IP pool by sending many fake DHCP requests, leading to denial of service.
Which wireless security standard introduced the Simultaneous Authentication of Equals (SAE) handshake to replace the pre-shared key (PSK) method?
WPA3 introduces SAE (a variant of Dragonfly) for secure key exchange.
A company is designing a network with multiple security zones. Which TWO of the following are best practices for network segmentation? (Select TWO)
Firewalls enforce policies between zones.
Why this answer
Placing firewalls between zones and using VLANs for logical separation are key segmentation practices. DMZ is a specific zone, not a universal practice.
A system administrator notices a high number of half-open TCP connections to the company's web server. The server is becoming unresponsive. Which attack is likely occurring, and which mitigation is effective?
SYN cookies allow the server to maintain state without allocating resources until the handshake completes.
Why this answer
A SYN flood exploits the TCP three-way handshake by sending many SYN packets without completing the handshake. SYN cookies allow the server to avoid allocating resources until the handshake completes.
Which protocol is used for secure web browsing and operates on TCP port 443?
A security analyst discovers that an attacker has set up a fake wireless access point with the same SSID as the corporate network. Users are unknowingly connecting to it. What is this attack called?
An evil twin is a malicious AP with the same SSID as a trusted network.
Why this answer
An evil twin is a rogue AP that impersonates a legitimate SSID to capture credentials and traffic.
A security administrator is hardening a wireless network. Which TWO of the following should be avoided due to known vulnerabilities?
WEP is broken and should not be used.
Why this answer
WEP and WPA2-PSK have known vulnerabilities; WEP is broken, and WPA2-PSK is vulnerable to offline dictionary attacks (PMKID, KRACK).
Tunnel mode encrypts the entire original packet for site-to-site VPN.
Why this answer
IPsec tunnel mode encrypts the entire original IP packet and adds a new IP header, suitable for site-to-site VPNs.
An organization is deploying a network-based intrusion detection system (NIDS). The security team must decide on placement and configuration. Which THREE considerations are critical for effective NIDS deployment?
Passive monitoring avoids impact on network performance.
Why this answer
Placing the NIDS on a network tap ensures visibility without affecting traffic; tuning signatures reduces false positives; and placing it outside the firewall captures attacks before filtering.
PMF prevents deauthentication and disassociation attacks.
Why this answer
WPA3 uses Simultaneous Authentication of Equals (SAE) to resist offline dictionary attacks, mandates Protected Management Frames (PMF) to prevent deauth attacks, and offers 192-bit security for Enterprise mode.
Which of the following wireless security protocols uses AES-CCMP and is based on the 802.11i standard?
WPA2 uses AES-CCMP per 802.11i.
Why this answer
WPA2 (Wi-Fi Protected Access 2) uses AES-CCMP encryption, as defined in 802.11i.
A security engineer is designing a network segmentation strategy to isolate a DMZ containing public-facing web servers from the internal corporate network. Which TWO controls should be implemented? (Select two)
VLANs provide logical segmentation at Layer 2.
Which wireless security standard replaces WPA2 and mandates Protected Management Frames (PMF) to prevent certain types of attacks?
WPA3 requires PMF and uses SAE for secure key exchange.
Why this answer
WPA3 mandates PMF, making it resistant to offline dictionary attacks and key recovery attacks like KRACK.
A network administrator wants to block all inbound traffic except for web and email services. Which firewall rule configuration would achieve this?
Default-deny blocks everything; allow rules enable only required services.
A network administrator wants to prevent unauthorized devices from connecting to the wired network. Which technology can be used to enforce authentication at the switch port level before granting network access?
802.1X authenticates devices at the port level.
Why this answer
802.1X is a port-based access control standard used in NAC to authenticate devices before network access.
A company is deploying a VPN for remote employees. They require strong encryption and authentication, and the solution must be compatible with native OS clients without additional software. Which VPN protocol is most appropriate?
IKEv2/IPsec is natively supported on Windows, macOS, iOS, and Android.
Why this answer
IKEv2 with IPsec is widely supported natively on major operating systems, provides strong security, and is suitable for remote access VPNs.
What is the default port for Microsoft SQL Server?
Port 1433 is the default listener for MSSQL.
Why this answer
MSSQL defaults to TCP port 1433. MySQL uses 3306.
Which attack exploits the lack of IV (Initialization Vector) randomness in the RC4 algorithm to recover the Wi-Fi password, and is considered completely broken?
WEP's use of weak IVs in RC4 allows key recovery.
Why this answer
WEP uses RC4 with weak IVs that can be captured and analyzed to recover the key, making WEP completely insecure.
Which of the following is a characteristic of TLS 1.3 that improves security over previous versions?
TLS 1.3 requires ephemeral key exchange, providing forward secrecy.
Why this answer
TLS 1.3 mandates forward secrecy by requiring ephemeral Diffie-Hellman key exchange, ensuring that session keys cannot be derived if the server's private key is compromised later.
An attacker sends a large number of DHCP request messages with spoofed MAC addresses to a network's DHCP server, causing the server to exhaust its IP address pool and deny service to legitimate clients. This attack is known as:
DHCP starvation exhausts the IP pool by sending many fake DHCP requests.
Why this answer
DHCP starvation floods the DHCP server with fake requests to deplete the IP address pool.
An organization wants to ensure that only corporate-managed devices can connect to the internal network. Non-compliant devices should be placed in a restricted VLAN with limited access. Which technology should be deployed?
NAC integrates with authentication to enforce compliance and VLAN assignment.
Why this answer
Network Access Control (NAC) with 802.1X can enforce policies, quarantine non-compliant devices, and assign appropriate VLANs.
Which of the following protocols operates on TCP port 443 and provides encrypted communication between a web browser and a web server?
Which of the following is a common defense against ARP spoofing attacks on a local area network?
Why this answer
Dynamic ARP Inspection (DAI) validates ARP packets against a trusted database (DHCP snooping binding), preventing spoofed ARP messages.
Application proxies terminate and inspect application-layer traffic.
Why this answer
SSL/TLS VPNs use TLS to provide secure remote access, often with the AnyConnect client.
A network administrator notices that legitimate clients are unable to obtain IP addresses from the DHCP server. The network logs show a high volume of DHCP Discover messages from different MAC addresses. Which attack is most likely occurring?
A high volume of DHCP Discover messages from fake MACs is characteristic of a DHCP starvation attack.
Why this answer
DHCP starvation floods the network with fake DHCP Discover messages to exhaust the IP address pool, preventing legitimate clients from obtaining addresses.
A company wants to implement a firewall that can track the state of network connections and make decisions based on the context of traffic (e.g., allowing return packets for an established connection). Which type of firewall should they choose?
A stateful firewall tracks connection state and allows return traffic accordingly.
Why this answer
Stateful firewalls maintain connection state tables and allow return traffic for established sessions.
A security team is implementing Network Access Control (NAC) to enforce endpoint compliance before granting network access. Which technology allows port-based authentication on wired networks?
802.1X provides port-based authentication for wired networks.
During a wireless site survey, a security engineer identifies several security weaknesses. Which TWO measures should be implemented to improve wireless security for a corporate network using WPA2-Enterprise?
EAP-TLS provides strong mutual authentication.
An attacker is performing a man-in-the-middle attack at Layer 2 by sending forged ARP messages to associate their MAC address with the IP address of a legitimate host on the same subnet. This attack is known as:
ARP spoofing sends fake ARP messages to perform MitM.
Why this answer
ARP spoofing involves sending gratuitous ARP replies to poison the ARP cache of other hosts.
Which protocol is used to securely transfer files between a client and server, typically over TCP port 22?
Why this answer
SSH (Secure Shell) provides encrypted file transfer capabilities via SCP or SFTP, using port 22.
SYN flood uses incomplete TCP handshakes to exhaust resources.
Why this answer
SYN flood sends many SYN packets without completing the handshake, exhausting server resources.
A security analyst discovers that an internal DNS server is returning incorrect IP addresses for legitimate domains. The analyst suspects that an attacker has compromised the DNS resolver's cache. Which type of attack has likely occurred?
The attacker corrupted the cache to redirect traffic.
Why this answer
DNS poisoning involves inserting false DNS records into a resolver's cache, redirecting users to malicious sites.
A security analyst notices an unusual number of ARP replies on the network where one MAC address is claiming to be multiple IP addresses. Which type of attack is most likely occurring?
The attacker sends gratuitous ARP replies to poison the ARP cache.
Why this answer
ARP spoofing involves sending forged ARP replies to associate the attacker's MAC with the victim's IP, enabling man-in-the-middle attacks at Layer 2.
Which of the following is a primary advantage of using TLS 1.3 over earlier versions?
All TLS 1.3 cipher suites use ephemeral Diffie-Hellman, providing forward secrecy.
Why this answer
TLS 1.3 requires forward secrecy for all cipher suites, meaning that session keys are not derived from the server's private key, protecting past sessions if the private key is compromised.
Which protocol is used to securely transfer files over a network and operates on TCP port 22?
SSH uses TCP port 22 and provides secure encrypted communications for file transfer and remote administration.
Which network security control can enforce that only authorized devices with current antivirus and patches can connect to the network?
NAC assesses device health (e.g., antivirus, patches) before allowing network access.
Why this answer
Network Access Control (NAC) enforces security policies by checking device compliance before granting access, typically using 802.1X for authentication and quarantine for non-compliant devices.
A network administrator is designing a secure remote access solution for employees using company laptops. The solution must support strong authentication, encryption, and be resistant to man-in-the-middle attacks. Which THREE components should be included?
EAP-TLS uses certificates for mutual authentication, preventing MITM.
PMF is required in WPA3.
Why this answer
WPA3 introduces SAE (Simultaneous Authentication of Equals) to replace PSK, provides 192-bit security in Enterprise mode, and mandates PMF (Protected Management Frames).
WPA3-Enterprise offers 192-bit minimum security strength.
A security analyst is investigating a network incident. Which TWO of the following are indicators of a man-in-the-middle attack using ARP spoofing? (Select TWO)
The attacker's MAC is associated with the gateway IP.
A security analyst is investigating a network where an attacker successfully redirected traffic from a legitimate web server to a malicious server by corrupting the target domain's DNS records in a local resolver cache. Which attack technique was used?
DNS poisoning corrupts DNS cache to redirect traffic.
Why this answer
DNS poisoning injects false DNS records into a resolver's cache, redirecting traffic to malicious sites.
Which TWO of the following are methods to defend against SYN flood attacks? (Select TWO)
A larger backlog allows more pending connections, mitigating exhaustion.
Why this answer
SYN cookies avoid resource exhaustion by not allocating memory until the handshake completes, and increasing the backlog queue allows more half-open connections before reaching capacity.
An organization is planning to deploy a remote access VPN for employees. The solution must support strong encryption, mutual authentication, and work through firewalls without requiring additional ports. Which technology is most suitable?
Which transport layer protocol is used by DNS for its queries and responses, and why is it appropriate?
A security auditor is reviewing the configuration of a remote access VPN. Which TWO features are considered best practices for securing the VPN connection?
MFA adds an extra layer of security beyond passwords.
Why this answer
Using TLS 1.3 (which mandates forward secrecy) and enforcing split tunneling only for trusted networks are security best practices.
An organization is designing network segmentation to protect sensitive data. Which TWO of the following are effective methods for implementing network segmentation?
Firewalls enforce policies between segments.
Why this answer
VLANs segment traffic at Layer 2, and firewalls control traffic between segments at Layer 3+.
A security analyst is investigating a potential ARP spoofing attack on a local network segment. Which TWO network security controls would be most effective in preventing or detecting such an attack at Layer 2?
Port Security limits MAC addresses per port, making it harder for an attacker to spoof multiple IPs.
Why this answer
Dynamic ARP Inspection (DAI) validates ARP packets on trusted ports and drops invalid ones. Port Security with MAC address binding limits the number of MAC addresses per port, reducing the effectiveness of ARP spoofing.
Which TWO of the following are characteristics of a Smurf attack? (Select TWO)
A Smurf attack uses ICMP echo request (ping) packets.
Why this answer
Smurf attacks send ICMP echo requests to a broadcast address with a spoofed source IP, causing all hosts to reply to the victim, leading to amplification.
During a penetration test, a security analyst captures a packet containing a gratuitous ARP reply that associates the attacker's MAC address with the default gateway's IP address. This is a classic indicator of which attack?
Gratuitous ARP is the key technique for ARP spoofing.
Why this answer
ARP spoofing (or ARP poisoning) sends gratuitous ARP replies to redirect traffic, enabling man-in-the-middle attacks.