CompTIA Security Plus Mock Test Q1663

A consultant has been tasked to assess a client’s network. The client reports frequent network outages. Upon viewing the spanning tree configuration, the consultant notices that an old and low-performing edge switch on the network has been elected to be the root bridge. Which of the following explains this scenario?

A. The switch also serves as the DHCP server
B. The switch has the lowest MAC address
C. The switch has spanning tree loop protection enabled
D. The switch has the fastest uplink port

Correct Answer: C
Section: Mixed Questions

CompTIA Security Plus Mock Test Q1543

A switch is set up to allow only 2 simultaneous MAC addresses per switch port. An administrator is reviewing a log and determines that a switch port has been deactivated in a conference room after it detected 3 or more MAC addresses on the same port. Which of the following reasons could have caused this port to be disabled?

A. A PC had a NIC replaced and reconnected to the switch
B. An IP telephone has been plugged in
C. A rogue access point was plugged in
D. An ARP attack was launched from a PC on this port

Correct Answer: D
Section: Mixed Questions

CompTIA Security Plus Mock Test Q1485

A classroom utilizes workstations running virtualization software for a maximum of one virtual machine per workstation. The network settings on the virtual machines are set to bridged. Which of the following describes how the switch in the classroom should be configured to allow for the virtual machines and host workstation to connect to network resources?

A. The maximum-mac settings of the ports should be set to zero
B. The maximum-mac settings of the ports should be set to one
C. The maximum-mac settings of the ports should be set to two
D. The maximum-mac settings of the ports should be set to three

Correct Answer: A
Section: Mixed Questions

CompTIA Security Plus Mock Test Q1451

An administrator, Ann, wants to ensure that only authorized devices are connected to a switch. She decides to control access based on MAC addresses. Which of the following should be configured?

A. Implicit deny
B. Private VLANs
C. Flood guard
D. Switch port security

Correct Answer: D
Section: Mixed Questions

CompTIA Security Plus Mock Test Q1377

A system requires administrators to be logged in as “root” in order to make administrative changes. Which of the following controls BEST mitigates the risk associated with this scenario?

A. Require that all administrators keep a log book of times and justification for accessing root
B. Encrypt all users’ home directories using file-level encryption
C. Implement a more restrictive password rotation policy for the shared root account
D. Force administrators to log in with individual accounts and switch to root
E. Add the administrator to the local group

Correct Answer: D
Section: Mixed Questions

CompTIA Security Plus Mock Test Q711

A security administrator is notified that users attached to a particular switch are having intermittent connectivity issues. Upon further research, the administrator finds evidence of an ARP spoofing attack. Which of the following could be utilized to provide protection from this type of attack?

A. Configure MAC filtering on the switch.
B. Configure loop protection on the switch.
C. Configure flood guards on the switch.
D. Configure 802.1x authentication on the switch.


Correct Answer: C
Section: Threats and Vulnerabilities

Explanation:
ARP spoofing is a type of attack in which a malicious actor sends falsified ARP (Address Resolution Protocol) messages over a local area network. This results in the linking of an attacker’s MAC address with the IP address of a legitimate computer or server on the network. Once the attacker’s MAC address is connected to an authentic IP address, the attacker will begin receiving any data that is intended for that IP address. ARP spoofing can enable malicious parties to intercept, modify or even stop data in transit. ARP spoofing attacks can only occur on local area networks that utilize the Address Resolution Protocol.
To perform ARP spoofing the attacker floods the network with spoofed ARP packets. As other hosts on the LAN cache the spoofed ARP packets, data that those hosts send to the victim will go to the attacker instead. From here, the attacker can steal data or launch a more sophisticated follow-up attack.
A flood guard configured on the network switch will block the flood of spoofed ARP packets.

Incorrect Answers:
A: MAC filtering will restrict which computers can connect to the switch ports by specifying which MAC address is allowed to connect to each port. However, it will not prevent any of those computers from initiating an ARP spoofing attack.
B: Loop protection is used to prevent broadcast storms when there are multiple links between network switches. Spanning Tree Protocol is one type of loop protection. Loop protection does not prevent ARP spoofing attacks.
D: With 802.1X port-based authentication, the supplicant (client device) provides credentials, such as user name/password or digital certificate, to the authenticator, and the authenticator forwards the credentials to the authentication server for verification. If the authentication server determines the credentials are valid, the supplicant (client device) is allowed to access resources located on the protected side of the network. However, once the authenticated device is connected to the switch, 802.1X cannot prevent the device from initiating an ARP spoofing attack.

References:
http://www.veracode.co.uk/security/arp-spoofing
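
The explanation above describes two observable effects of ARP spoofing: an IP address becoming linked to a different MAC address, and a burst of spoofed ARP packets. The following Python example is added here for illustration and is not part of the original question bank; it flags both effects in a list of ARP replies. The function name, alert labels, thresholds and sample records are all assumptions constructed for the example.

```python
from collections import defaultdict

# Constructed sample data: (timestamp_s, sender_ip, sender_mac) from ARP replies.
SAMPLE_ARP_REPLIES = [
    (0.0, "10.0.0.1", "aa:aa:aa:aa:aa:01"),   # gateway, legitimate binding
    (0.5, "10.0.0.20", "aa:aa:aa:aa:aa:20"),  # server, legitimate binding
    (1.0, "10.0.0.1", "de:ad:be:ef:00:66"),   # gateway IP claimed by a new MAC
    (1.1, "10.0.0.1", "de:ad:be:ef:00:66"),
    (1.2, "10.0.0.20", "de:ad:be:ef:00:66"),  # same MAC now claims the server IP
    (1.3, "10.0.0.1", "de:ad:be:ef:00:66"),
    (1.4, "10.0.0.1", "de:ad:be:ef:00:66"),
]

def analyze_arp(replies, flood_threshold=4, window_s=1.0):
    """Return de-duplicated (kind, mac, ip) alerts in order of first occurrence."""
    first_binding = {}               # ip -> first MAC seen answering for it
    ips_by_mac = defaultdict(set)    # mac -> IPs it has claimed
    recent = defaultdict(list)       # mac -> reply timestamps inside the window
    alerts = []

    def alert(kind, mac, ip="*"):
        if (kind, mac, ip) not in alerts:
            alerts.append((kind, mac, ip))

    for ts, ip, mac in sorted(replies):
        mac = mac.lower()
        # An IP whose MAC differs from the first one recorded is the core symptom.
        if first_binding.setdefault(ip, mac) != mac:
            alert("binding_change", mac, ip)
        # One MAC answering for several IPs is typical of a host poisoning caches.
        ips_by_mac[mac].add(ip)
        if len(ips_by_mac[mac]) > 1:
            alert("multi_ip", mac)
        # Sliding window: many replies from one MAC in a short time is a flood.
        recent[mac] = [t for t in recent[mac] if ts - t < window_s] + [ts]
        if len(recent[mac]) >= flood_threshold:
            alert("reply_flood", mac)
    return alerts

if __name__ == "__main__":
    for a in analyze_arp(SAMPLE_ARP_REPLIES):
        print(a)
```

The first binding seen for an IP is trusted, so a real deployment would seed that baseline from DHCP leases or static records. Routers performing proxy ARP legitimately answer for several IPs and would need to be excluded from the `multi_ip` check.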

CompTIA Security Plus Mock Test Q622

A new virtual server was created for the marketing department. The server was installed on an existing host machine. Users in the marketing department report that they are unable to connect to the server. Technicians verify that the server has an IP address in the same VLAN as the marketing department users. Which of the following is the MOST likely reason the users are unable to connect to the server?

A. The new virtual server’s MAC address was not added to the ACL on the switch
B. The new virtual server’s MAC address triggered a port security violation on the switch
C. The new virtual server’s MAC address triggered an implicit deny in the switch
D. The new virtual server’s MAC address was not added to the firewall rules on the switch

Correct Answer: A
Section: Threats and Vulnerabilities

Explanation:
Configuring the switch to allow only traffic from computers based upon their physical address is known as MAC filtering. The physical address is known as the MAC address. Every network adapter has a unique MAC address hardcoded into the adapter.
You can configure the ports of a switch to allow connections from computers with specific MAC addresses only and block all other MAC addresses.
In computer networking, MAC Filtering (or GUI filtering, or layer 2 address filtering) refers to a security access control method whereby the 48-bit address assigned to each network card is used to determine access to the network.
MAC addresses are uniquely assigned to each card, so using MAC filtering on a network permits and denies network access to specific devices through the use of blacklists and whitelists. While the restriction of network access through the use of lists is straightforward, an individual person is not identified by a MAC address, rather a device only, so an authorized person will need to have a whitelist entry for each device that he or she would use to access the network.

Incorrect Answers:
B: The new virtual server’s MAC address triggering a port security violation on the switch may happen if the MAC address was not added to the ACL on the switch. However, the port security violation is not the actual cause of the users being unable to connect to the server. The MAC address not being added to the ACL on the switch is what would prevent the users from connecting to the server. Therefore this answer is incorrect.
C: The new virtual server’s MAC address triggering an implicit deny in the switch would happen if the MAC address met a condition that caused the deny. This is unlikely. The MAC address not being added to the ACL on the switch to allow access is more likely. Therefore this answer is incorrect.
D: Dedicated network switches don’t tend to have firewalls. A typical home wireless router may function as a switch and a firewall. However, even in this case, the firewall typically wouldn’t prevent communications between devices connected to the switch. This answer is very unlikely and is therefore incorrect.

References:
http://en.wikipedia.org/wiki/MAC_filtering

CompTIA Security Plus Mock Test Q621

An administrator has a network subnet dedicated to a group of users. Due to concerns regarding data and network security, the administrator desires to provide network access for this group only. Which of the following would BEST address this desire?

A. Install a proxy server between the users’ computers and the switch to filter inbound network traffic.
B. Block commonly used ports and forward them to higher and unused port numbers.
C. Configure the switch to allow only traffic from computers based upon their physical address.
D. Install host-based intrusion detection software to monitor incoming DHCP Discover requests.


Correct Answer: C
Section: Threats and Vulnerabilities

Explanation:
Configuring the switch to allow only traffic from computers based upon their physical address is known as MAC filtering. The physical address is known as the MAC address. Every network adapter has a unique MAC address hardcoded into the adapter.
You can configure the ports of a switch to allow connections from computers with specific MAC addresses only and block all other MAC addresses.
MAC filtering is commonly used in wireless networks but is considered insecure because a MAC address can be spoofed. However, in a wired network, it is more secure because it would be more difficult for a rogue computer to sniff a MAC address.

Incorrect Answers:
A: A proxy server is often used to filter web traffic. It is not used in port security or to restrict which computers can connect to a network.
B: You should not block commonly used ports. This would just stop common applications and protocols from working. It would not restrict which computers can connect to a network.
D: DHCP Discover requests are part of the DHCP process. A DHCP client will send out a DHCP Discover request to locate a DHCP server. All computers on the network receive the DHCP Discover request because it is a broadcast packet but all computers (except the DHCP server) will just drop the packet. Blocking DHCP Discover requests will not restrict which computers can connect to a network.

References:
http://alliedtelesis.com/manuals/awplusv212weba/mac_address_Port_security.html

CompTIA Security Plus Mock Test Q571

Maintenance workers find an active network switch hidden above a dropped-ceiling tile in the CEO’s office with various connected cables from the office. Which of the following describes the type of attack that was occurring?

A. Spear phishing
B. Packet sniffing
C. Impersonation
D. MAC flooding


Correct Answer: B
Section: Threats and Vulnerabilities

Explanation:
A Protocol Analyzer is a hardware device or more commonly a software program used to capture network data communications sent between devices on a network. Capturing packets sent from a computer system is known as packet sniffing. However, packet sniffing requires a physical connection to the network. The switch hidden in the ceiling is used to provide the physical connection to the network.
Well known software protocol analyzers include Message Analyzer (formerly Network Monitor) from Microsoft and Wireshark (formerly Ethereal).
A sniffer (packet sniffer) is a tool that intercepts data flowing in a network. If computers are connected to a local area network that is not filtered or switched, the traffic can be broadcast to all computers contained in the same segment. This doesn’t generally occur, since computers are generally told to ignore all the comings and goings of traffic from other computers. However, in the case of a sniffer, all traffic is shared when the sniffer software commands the Network Interface Card (NIC) to stop ignoring the traffic. The NIC is put into promiscuous mode, and it reads communications between computers within a particular segment. This allows the sniffer to seize everything that is flowing in the network, which can lead to the unauthorized access of sensitive data. A packet sniffer can take the form of either a hardware or software solution. A sniffer is also known as a packet analyzer.

Incorrect Answers:
A: Spear phishing is an e-mail spoofing fraud attempt that targets a specific organization, seeking unauthorized access to confidential data. As with the e-mail messages used in regular phishing expeditions, spear phishing messages appear to come from a trusted source. Phishing messages usually appear to come from a large and well-known company or Web site with a broad membership base, such as eBay or PayPal. In the case of spear phishing, however, the apparent source of the e-mail is likely to be an individual within the recipient’s own company and generally someone in a position of authority. The attack described in this question is not an example of spear phishing.
C: Impersonation is where a person, computer, software application or service pretends to be someone it’s not. Impersonation is commonly used non-maliciously in client/server applications, but it can also be used as a security threat. However, the attack described in this question is not an example of impersonation.
D: In computer networking, MAC flooding is a technique employed to compromise the security of network switches. Switches maintain a MAC Table that maps individual MAC addresses on the network to the physical ports on the switch. This allows the switch to direct data out of the physical port where the recipient is located, as opposed to indiscriminately broadcasting the data out of all ports as a hub does. The advantage of this method is that data is bridged exclusively to the network segment containing the computer that the data is specifically destined for.
In a typical MAC flooding attack, a switch is fed many Ethernet frames, each containing different source MAC addresses, by the attacker. The intention is to consume the limited memory set aside in the switch to store the MAC address table. The attack described in this question is not an example of MAC flooding.

References:
http://en.wikipedia.org/wiki/Packet_analyzer
http://en.wikipedia.org/wiki/MAC_flooding

CompTIA Security Plus Mock Test Q70

An administrator connects VoIP phones to the same switch as the network PCs and printers. Which of the following would provide the BEST logical separation of these three device types while still allowing traffic between them via ACL?

A. Create three VLANs on the switch connected to a router
B. Define three subnets, configure each device to use their own dedicated IP address range, and then connect the network to a router
C. Install a firewall and connect it to the switch
D. Install a firewall and connect it to a dedicated switch for each device type

Correct Answer: A
Section: Network Security

Explanation:
A virtual local area network (VLAN) is a hardware-imposed network segmentation created by switches. VLANs are used for traffic management. Communications between ports within the same VLAN occur without hindrance, but communications between VLANs require a routing function.

Incorrect Answers:
B: Subnetting is a dividing process used on networks to divide larger groups of hosts into smaller collections.
C, D: Firewalls are used to protect one network from another, not separate it.

References:
Stewart, James Michael, CompTIA Security+ Review Guide, Sybex, Indianapolis, 2014, pp. 5, 23, 29