CompTIA CompTIA Security+ JK0-022 Questions & Answers

• Question 1101:

  Matt, a systems security engineer, is determining which credential-type authentication to use within a planned 802.1x deployment. He is looking for a method that does not require a client certificate, has a server side certificate, and uses TLS tunnels for encryption. Which credential type authentication method BEST fits these requirements?

  A. EAP-TLS

  B. EAP-FAST

  C. PEAP-CHAP

  D. PEAP-MSCHAPv2

  Correct Answer: D

  PEAP-MS-CHAP v2 is easier to deploy than EAP-TLS or PEAP-TLS because user authentication is accomplished via password-base credentials (user name and password) rather than digital certificates or smart cards. Only servers running Network Policy Server (NPS) or PEAP-MS-CHAP v2 are required to have a certificate.

  Incorrect Answers:

  A: Authenticated wireless access design based on Extensible Authentication Protocol Transport Level Security (EAP-TLS) can use either smart cards or user and computer certificates to authenticate wireless access clients. EAP-TLS does not use usernames and passwords for authentication.

  B: EAP-FAST does not make use of TLS, but PAC (Protected Access Credentials).

  C: CHAP intermittently authenticates the identity of the client via a three-way handshake.

  References: https://technet.microsoft.com/en-us/library/dd348500(v=ws.10).aspx https://technet.microsoft.com/en-us/library/dd348478(v=ws.10).aspx http:// www.techrepublic.com/article/ultimate-wireless-security-guide-a-primer-on-cisco-eap- fast-authentication/ http://en.wikipedia.org/wiki/Challenge-Handshake_Authentication_Protocol

• Question 1102:

  Which of the following would satisfy wireless network implementation requirements to use mutual authentication and usernames and passwords?

  A. EAP-MD5

  B. WEP

  C. PEAP-MSCHAPv2

  D. EAP-TLS

  Correct Answer: C

  PEAP-MS-CHAP v2 is easier to deploy than EAP-TLS or PEAP-TLS because user authentication is accomplished via password-base credentials (user name and password) rather than digital certificates or smart cards.

  Incorrect Answers:

  A: MD5 has been employed in a wide selection of cryptographic applications, and is also commonly used to verify data integrity.

  B: Usernames and passwords are not required for WEP authentication.

  D: Authenticated wireless access design based on Extensible Authentication Protocol Transport Level Security (EAP-TLS) can use either smart cards or user and computer certificates to authenticate wireless access clients. EAP-TLS does not use usernames and passwords for authentication.

  References:

  https://technet.microsoft.com/en-us/library/dd348500(v=ws.10).aspx https://technet.microsoft.com/en-us/library/dd348478(v=ws.10).aspx http://en.wikipedia.org/ wiki/MD5

• Question 1103:

  Which of the following BEST describes the weakness in WEP encryption?

  A. The initialization vector of WEP uses a crack-able RC4 encryption algorithm. Once enough packets are captured an XOR operation can be performed and the asymmetric keys can be derived.

  B. The WEP key is stored in plain text and split in portions across 224 packets of random data. Once enough packets are sniffed the IV portion of the packets can be removed leaving the plain text key.

  C. The WEP key has a weak MD4 hashing algorithm used. A simple rainbow table can be used to generate key possibilities due to MD4 collisions.

  D. The WEP key is stored with a very small pool of random numbers to make the cipher text. As the random numbers are often reused it becomes easy to derive the remaining WEP key.

  Correct Answer: D

  WEP is based on RC4, but due to errors in design and implementation, WEP is weak in a number of areas, two of which are the use of a static common key and poor implementation of initiation vectors (IVs). When the WEP key is discovered, the attacker can join the network and then listen in on all other wireless client communications.

  Incorrect Answers:

  A: RC4 itself is not crack-able, but the IV that is crack-able.

  B: The initialization vector (IV) that WEP uses for encryption is 24-bit and IVs are reused with the same key. By examining the repeating result, it is easy for intruders to crack the WEP secret key, known as an IV attack.

  C: WEP does not use the MD4 hashing algorithm, but RC4.

  References:

  Dulaney, Emmett and Chuck Eastton, CompTIA Security+ Study Guide, Sixth Edition, Sybex, Indianapolis, 2014, p 189.

• Question 1104:

  A security administrator must implement a network authentication solution which will ensure encryption of user credentials when users enter their username and password to authenticate to the network.

  Which of the following should the administrator implement?

  A. WPA2 over EAP-TTLS

  B. WPA-PSK

  C. WPA2 with WPS

  D. WEP over EAP-PEAP

  Correct Answer: D

  D: Wired Equivalent Privacy (WEP) is designed to provide security equivalent to that of a wired network. WEP has vulnerabilities and isn't considered highly secure. Extensible Authentication Protocol (EAP) provides a framework for authentication that is often used with wireless networks. Among the five EAP types adopted by the WPA/ WPA2 standard are EAP-TLS, EAP- PSK, EAP-MD5, as well as LEAP and PEAP. PEAP is similar in design to EAP-TTLS, requiring only a server-side PKI certificate to create a secure TLS tunnel to protect user authentication, and uses server- side public key certificates to authenticate the server. It then creates an encrypted TLS tunnel between the client and the authentication server. In most configurations, the keys for this encryption are transported using the server's public key. The ensuing exchange of authentication information inside the tunnel to authenticate the client is then encrypted and user credentials are safe from eavesdropping.

  Incorrect Answers:

  A: WPA2 is a more recent version of WEP. Although many consider PEAP and EAP-TTLS to be similar options, PEAP is more secure because it establishes an encrypted channel between the server and the client. EAP-Tunneled Transport Layer Security (EAP-TTLS) is an EAP protocol that extends TLS. With EAP TTLS the client can, but does not have to be authenticated via a CA-signed PKI certificate to the server.

  B: WPA is basically a version of WEP. EAP-PSK, defined in RFC 4764, is an EAP method for mutual authentication and session key derivation using a Pre-Shared Key (PSK). EAP-PSK is documented in an experimental RFC that provides a lightweight and extensible EAP method that does not require any public-key cryptography. The EAP method protocol exchange is done in a minimum of four messages.

  C: WPA2 is a more recent version of WEP but does not ensure encryption of user credentials when they enter their usernames and passwords to authenticate to the network.

  References:

  Dulaney, Emmett and Chuck Eastton, CompTIA Security+ Study Guide, Sixth Edition, Sybex, Indianapolis, 2014, pp 171, 181.

• Question 1105:

  Configuring key/value pairs on a RADIUS server is associated with deploying which of the following?

  A. WPA2-Enterprise wireless network

  B. DNS secondary zones

  C. Digital certificates

  D. Intrusion detection system

  Correct Answer: A

  WPA2-Enterprise is designed for enterprise networks and requires a RADIUS authentication server.

  Incorrect Answers:

  B: A secondary zone is merely a copy of a primary zone that is hosted on another server.

  C: Digital certificates are used for proving the identity of a user or the source of an object.

  D: An intrusion detection system (IDS) is a device or software application that monitors network or system activities for malicious activities or policy violations and produces reports to a management station.

  References:

  http://en.wikipedia.org/wiki/Wi-Fi_Protected_Access

  https://technet.microsoft.com/en-us/library/cc771898.aspx Stewart, James Michael, CompTIA Security+ Review Guide, Sybex, Indianapolis, 2014, p 61.

• Question 1106:

  A security administrator must implement a wireless security system, which will require users to enter a 30 character ASCII password on their accounts. Additionally the system must support 3DS wireless encryption.

  Which of the following should be implemented?

  A. WPA2-CCMP with 802.1X

  B. WPA2-PSK

  C. WPA2-CCMP

  D. WPA2-Enterprise

  Correct Answer: D

  D: WPA-Enterprise is also referred to as WPA-802.1X mode, and sometimes just WPA (as opposed to WPA-PSK), this is designed for enterprise networks and requires a RADIUS authentication server. This requires a more complicated

  setup, but provides additional security (e.g. protection against dictionary attacks on short passwords). Various kinds of the Extensible Authentication Protocol (EAP) are used for authentication. RADIUS can be managed centrally, and the

  servers that allow access to a network can verify with a RADIUS server whether an incoming caller is authorized. Thus the RADIUS server can perform all authentications.

  This will require users to use their passwords on their user accounts.

  Incorrect Answers:

  A and C: CCMP is a block cipher that makes use of a 128 bit key. CCMP provides the following security services: Data confidentiality; ensures only authorized parties can access the information; Authentication; provides proof of genuineness of

  the user; Access control in conjunction with layer management. However, WPA2 includes support for CCMP.

  B: EAP-PSK is documented in an experimental RFC that provides a lightweight and extensible EAP method that does not require any public-key cryptography.

  References:

  Dulaney, Emmett and Chuck Eastton, CompTIA Security+ Study Guide, Sixth Edition, Sybex, Indianapolis, 2014, pp 145, 172, 182.

• Question 1107:

  Which of the following is a step in deploying a WPA2-Enterprise wireless network?

  A. Install a token on the authentication server

  B. Install a DHCP server on the authentication server

  C. Install an encryption key on the authentication server

  D. Install a digital certificate on the authentication server

  Correct Answer: D

  When setting up a wireless network, you'll find two very different modes of Wi-Fi Protected Access (WPA) security, which apply to both the WPA and WPA2 versions. The easiest to setup is the Personal mode, technically called the Pre-

  Shared Key (PSK) mode. It doesn't require anything beyond the wireless router or access points (APs) and uses a single passphrase or password for all users/devices.

  The other is the Enterprise mode --which should be used by businesses and organizations--and is also known as the RADIUS, 802.1X, 802.11i, or EAP mode. It provides better security and key management, and supports other enterprise-

  type functionality, such as VLANs and NAP. However, it requires an external authentication server, called a Remote Authentication Dial In User Service (RADIUS) server to handle the 802.1X authentication of users.

  To help you better understand the process of setting up WPA/WPA2-Enterprise and 802.1X, here's the basic overall steps:

  Choose, install, and configure a RADIUS server, or use a hosted service. Create a certificate authority (CA), so you can issue and install a digital certificate onto the RADIUS server, which may be done as a part of the RADIUS server

  installation and configuration. Alternatively, you could purchase a digital certificate from a public CA, such as GoDaddy or Verisign, so you don't have to install the server certificate on all the clients. If using EAP-TLS, you'd also create digital

  certificates for each end-user. On the server, populate the RADIUS client database with the IP address and shared secret for each AP. On the server, populate user data with usernames and passwords for each end-user. On each AP,

  configure the security for WPA/WPA2-Enterprise and input the RADIUS server IP address and the shared secret you created for that particular AP. On each Wi-Fi computer and device, configure the security for WPA/WPA2- Enterprise and

  set the 802.1X authentication settings.

  Incorrect Answers:

  A: A token is not required on the authentication server when configuring WPA-Enterprise.

  B: DHCP (Dynamic Host Configuration Protocol) does not have to be installed on the authentication server. You don't have to use DHCP at all although it is easier if you do. However, DHCP is usually configured on a dedicated device, not on the authentication server.

  C: You don't install an encryption key on the authentication server when configuring WPA- Enterprise. You install a digital certificate. The private key of the certificate is then used to create secure connections.

  References:

  http://www.windowsnetworking.com/articles-tutorials/wireless-networking/Deploying-WPA2- Enterprise-Wi-Fi-Security-Small-Businesses.html

• Question 1108:

  A malicious user is sniffing a busy encrypted wireless network waiting for an authorized client to connect to it. Only after an authorized client has connected and the hacker was able to capture the client handshake with the AP can the hacker begin a brute force attack to discover the encryption key. Which of the following attacks is taking place?

  A. IV attack

  B. WEP cracking

  C. WPA cracking

  D. Rogue AP

  Correct Answer: C

  There are three steps to penetrating a WPA-protected network. Sniffing Parsing Attacking Incorrect Answers:

  A: Packet sniffing is not used for an IV attack.

  B: WEP provides protection from packet sniffing and eavesdropping against wireless transmissions

  D: Packet sniffing is not used for the Rogue AP.

  References:

  Stewart, James Michael, CompTIA Security+ Review Guide, Sybex, Indianapolis, 2014, pp 64, 189, 192.

  www.tomshardware.com/reviews/wireless-security-hack,2981-6.html

• Question 1109:

  Which of the following allows Pete, a security technician, to provide the MOST secure wireless implementation?

  A. Implement WPA

  B. Disable SSID

  C. Adjust antenna placement

  D. Implement WEP

  Correct Answer: A

  Of the options supplied, WiFi Protected Access (WPA) is the most secure and is the replacement for WEP.

  Incorrect Answers:

  B: Disabling the SSID will only hide the wireless network, and is not more secure than WPA.

  C: This will increase or decrease signal strength and availability, but will not make the network secure.

  D: WEP was replaced by WPA to offer a more secure solution.

  References:

  Stewart, James Michael, CompTIA Security+ Review Guide, Sybex, Indianapolis, 2014, pp 59- 62.

• Question 1110:

  Which of the following protocols operates at the HIGHEST level of the OSI model?

  A. ICMP

  B. IPSec

  C. SCP

  D. TCP

  Correct Answer: C

  SCP (Secure Copy) uses SSH (Secure Shell). SSH runs in the application layer (layer 7) of the OSI model.

  Incorrect Answers:

  A: ICMP (Internet Control Message Protocol) works in the network layer (Layer 3) of the OSI model.

  B: IPSec (Internet Protocol Security) works in the network layer (Layer 3) of the OSI model.

  D: TCP (Transmission Control Protocol) works in the transport layer (Layer 4) of the OSI model.

  References: http://www.rhyshaden.com/osi.htm http://en.wikipedia.org/wiki/List_of_network_protocols_%28OSI_model%29 http://en.wikipedia.org/wiki/OSI_model