Sec+ CH.4 Review Test

B is correct. If the host-based intrusion detection system (HIDS)

identified a known issue, it is using signature-based detection (sometimes

called definition-based detection). A HIDS is not network-based but a

network-based IDS (NIDS) can also use signature-based detection.

Heuristic-based or behavior-based (sometimes called anomaly-based)

detection systems identify issues by comparing current activity against a

baseline. They can identify issues that are not previously known.

C is correct. A heuristic-based (also called behavior-based or anomaly-

based) detection system compares current activity with a previously created

baseline to detect any anomalies or changes. Signature-based systems (also

called definition-based) use signatures of known attack patterns to detect

attacks. A honeypot is a server designed to look valuable to an attacker and

can divert attacks. A Bridge Protocol Data Unit (BPDU) guard is used to

protect against BPDU-related attacks and is unrelated to this question.

C is correct. An inline network-based intrusion prevention system (NIPS)

can dynamically detect, react to, and prevent attacks. An inline system is

placed inline with the traffic, and in this scenario, it can be configured to

detect the logon attempts and block the traffic from the offending IP

addresses before it reaches the internal network. A passive network-based

intrusion detection system (NIDS) is not placed inline with the traffic and

can only detect the traffic after it has reached the internal network, so it

cannot prevent the attack. If you block all traffic from foreign countries,

you will likely block legitimate traffic. You should disable administrator

accounts if they’re not needed. However, if you disable all administrator

accounts, administrators won’t be able to do required work.

C is correct. A honeyfile is a file with a deceptive name (such as

password.txt) that will deceive an attacker and attract his attention. It is not

appropriate to place a file holding credentials on a desktop for any reason.

A honeypot or honeynet diverts attackers from the live network. A file on

an administrator’s desktop is on the live network. It is unlikely that any

application needs a file named password.txt to run. Even if an application

needed such a file, the file would be inaccessible if it is placed on an

administrator’s desktop.

B is correct. Protected EAP (PEAP) can be used for wireless

authentication and it uses Transport Layer Security (TLS) to encapsulate

and encrypt the authentication conversation within a TLS tunnel. Extensible

Authentication Protocol (EAP) is the basic framework for authentication.

By itself, EAP doesn’t provide encryption, but it can be combined with

other encryption protocols. Neither Wi-Fi Protected Access 2 (WPA2) nor

Wi-Fi Protected Access 3 (WPA3) use TLS.

B is correct. Wireless footprinting creates a detailed diagram of wireless

access points and hotspots within an organization. It typically displays a

heat map and dead spots if they exist. A remote access virtual private

network (VPN) provides access to a private network and is unrelated to this

question. Wi-Fi analyzers provide a graph showing channel overlaps but not

a diagram of wireless access points. An architectural diagram is typically

laid on top of a heat map to create the wireless footprint document, but by

itself, it shows the building layout.

A is correct. Open mode is the best choice of those given for a public

wireless hotspot that doesn’t require a password. A pre-shared key (PSK) is

the same as a password and the scenario says a password isn’t desired.

Enterprise mode requires each user to authenticate and is typically enabled

with a RADIUS server. If you disable service set identifier (SSID)

broadcast, it will make it harder for the customers to find the hotspot, but

unless Open mode is used, it will still require a password.

C is correct. This describes a rogue access point (AP). A rogue AP is not

authorized (also known as shadow IT) but provides access to an internal

network because it has been plugged into the network. In this scenario, the

access point has no security, so someone could connect to it from the

parking lot and then access the internal network. An evil twin has the same

or similar service set identifier (SSID) as a legitimate access point, but the

SSID isn’t mentioned. A Raspberry Pi device is an embedded system, and it

can be configured as a wireless AP, but there isn’t any indication of the type

of wireless AP in this scenario. An advanced persistent threat (APT) attacks

from external locations and is unlikely to connect to a physical wireless AP

inside a network.

A is correct. This describes an evil twin. Normally, a user shouldn’t have

to log on again to access the Internet. Because he lost access to network

resources after logging on, it indicates he didn’t log on to a corporate access

point (AP) but instead logged on to an unauthorized AP. Because the

service set identifier (SSID) is the same as the corporate SSID, it indicates

the AP is an evil twin. An evil twin is a rogue access point with the same or

similar SSID as a legitimate AP, so an evil twin is a more accurate

description. A distributed denial-of-service (DDoS) attack is an attack

against a single computer from multiple attackers and is unrelated to this

question. A captive portal forces web browser users to complete a specific

process, such as agreeing to an acceptable use policy, before it allows them

access to a network.

A is correct. A wireless jamming attack is a type of denial-of-service

(DoS) attack that can cause wireless devices to lose their association with

access points and disconnect them from the network. It transmits noise or

another radio signal on the same frequency used by the existing wireless

network. An initialization vector (IV) attack attempts to discover the

passphrase. A replay attack captures traffic intending to replay it later to

impersonate one of the parties in the original transmission. Bluesnarfing is a

Bluetooth attack that attempts to access information on Bluetooth devices.