Practice Test(DOMAIN4)

CISSP総合学習サイト

Domain 4 Exam.

A minimum of 70% is required to pass.

 

Results

Wonderful!

There may be content you haven’t seen yet.

#1. What are the problems with RADIUS that have been eliminated by Diameter?

Diameter is an authentication protocol that implements the AAA (Authentication, Authorization, Accounting) service, the successor to RADIUS. This can cause performance degradation and data loss. This can lead to performance degradation and data loss.

#2. The IT Security team has been asked to propose a mitigation strategy using the OSI reference model. Which of these would address the Layer 7 issue?

Application firewalls target Layer 7 of the OSI. The main advantage of an application firewall is its ability to understand specific applications and protocols. Packets are not decrypted until Layer 6, so Layer 7 can see the entire packet. Other firewalls can only inspect the packet, not the payload. It can detect if an unwanted application or service is trying to bypass the firewall by using a protocol on an allowed port, or if the protocol is being used in a malicious manner.

#3. What is the IPSec SA value?

Each IPSec VPN device will have at least one security association (SA) for each secure connection it uses; the SA, which is critical to the IPSec architecture, is the device’s need to support IPSec connections over VPN connections This is a record of the configuration that needs to be in place.

#4. Encryption can occur at different layers of the operating system and network stack. Where does PPTP encryption occur?

Point-to-Point Tunneling Protocol (PPTP) is a way to implement a virtual private network (VPN). It is Microsoft’s proprietary VPN protocol that operates at the data link layer of the OSI model; PPTP can only provide a single connection and can operate over a PPP connection.

#5. Communication speed has become a problem and we want to renew our Wi-Fi. I want to get the fastest possible connection speed. Which Wi-Fi standard should we use?

IEEE 802.11 is one of the wireless LAN standards established by IEEE.

Type Max Speed Frequency
802.11
2Mbps
2.4GHz
802.11a
54Mbps
5GHz
802.11b
11Mbps
2.4GHz
802.11g
54Mbps
2.4GHz
802.11n
600Mbps
2.4GHz or 5GHz
802.11ac
1.3Gbps
5GHz

#6. Which of the following is NOT a Distributed Denial of Service (DDoS) attack?

There are many different types of distributed denial of service (DDoS) attacks; there is no IPSec flood; UDP flood, SYN flood, and MAC flood are all distributed denial of service (DDoS) attacks.

#7. An attacker is attempting a distributed denial of service (DDoS) attack using UDP floods. How does a distributed denial of service (DDoS) attack work at this time?

UDP (User Datagram Protocol) floods are often used in distributed denial of service (DDOS) attacks because they are connectionless and yet allow for easy generation of UDP messages from various scripting and compilation languages. UDP is a datagram protocol.

#8. We are implementing a new network infrastructure for our organization. The new infrastructure uses carrier sense multiple access with collision detection (CSMA / CD). What are you trying to implement?

Carrier Sense Multiple Access Collision Detection (CSMA / CD) is used for systems that can transmit and receive simultaneously, such as Ethernet. If two clients listen at the same time and make sure the line is clear, both may transmit at the same time, causing a collision. Collision Detection (CD) is added to solve this scenario. The client checks to see if the line is idle and transmits if it is idle. If in use, they wait for a random time (milliseconds). During transmission, they monitor the network and if more input is received than transmitted, another client is also transmitting and sends a jam signal instructing other nodes to stop transmitting, wait a random time and then start transmitting again.

#9. Which of the following is a straightforward inference as to why email spoofing was so easily carried out?

〇:SMTP lacks proper authentication mechanisms.

Email spoofing is easy to perform if the SMTP lacks proper authentication mechanisms. An attacker can spoof the sender address of an e-mail by sending a Telnet command to port 25 of the mail server. The spammer uses e-mail spoofing to prevent himself from being identified.

 

×:The administrator forgot to configure a setting that prevents inbound SMTP connections for non-functioning domains.

If it is spoofed, the email sender is also spoofed. This can happen even if you prevent inbound SMTP connections for a domain.

 

×:Technically abolished by keyword filtering.

Filtering is not very effective against spoofing. Therefore, even if it is technically obsolete, it is unlikely to be the cause.

 

×:The blacklist function is not technically reliable.

If an email is spoofed, the sender of the email is also spoofed. This can happen even if the filtering function is not reliable.

#10. Which unique internal protocol selects the best path between source and destination in network routing?

〇:IGRP

The Internal Gateway Routing Protocol (IGRP) is a distance vector routing protocol developed by and proprietary to Cisco Systems, Inc. Whereas the Routing Information Protocol (RIP) uses one criterion to find the optimal path between source and destination, IGRP uses five criteria to make an “optimal route” determination. The network administrator can set weights on these different metrics so that the protocol works optimally in its particular environment.

 

×:RIP  

Routing Information Protocol (RIP) is incorrect because it is not proprietary; RIP allows routers to exchange routing table data and calculate the shortest distance between source and destination. It is considered a legacy protocol due to poor performance and lack of features. It should be used in smaller networks.

 

×:BGP

Border Gateway Protocol (BGP) is incorrect because it is an Exterior Gateway Protocol (EGP); BGP allows routers in different ASes to share routing information to ensure effective and efficient routing between different networks. BGP is used by Internet Service Providers.

 

×:OSPF  

OSPF is incorrect because it is not proprietary; it uses a link-state algorithm to transmit information in the OSPF routing table. Smaller and more frequent routing table updates.

#11. Which of the following is NOT a benefit of VoIP?

〇:Security

Voice over Internet Protocol (VoIP) refers to a transmission technology that delivers voice communications over an IP network; IP telephony uses technology that is similar to TCP/IP and therefore similar in its vulnerabilities. Voice systems are vulnerable to application manipulation and unauthorized administrative access. It is also vulnerable to denial of service attacks against gateway and network resources. Eavesdropping is also a concern since data traffic is transmitted in clear text unless encrypted.

The term security is a difficult answer to choose from because it has a very broad meaning. However, information security scriptures such as CISSP are persistent in saying that VoIP has vulnerabilities. Although this answer is a bit over the top in practical terms, it was made to educate the public, because depending on the creator’s intentions, this issue may arise.

 

×:Cost

Wrong, because cost is an advantage of VoIP; with VoIP’s, a company becomes a dedicated alternative to a separate network dedicated to data transmission and voice transmission. For telephony features such as conference calling, call forwarding, and automatic redialing are freed up in VoIP, which is open source, while companies that use traditional communications charge for VoIP.

 

×:Convergence

Wrong because convergence is the advantage of VoIP. Convergence means the integration of traditional IP networks with traditional analog telephone networks.

 

×:Flexibility

Wrong, because flexibility is an advantage of VoIP. The technology is very simple, easy and supports multiple calls over a single Internet broadband connection.

#12. What is the intention of preparing artificially vulnerable network domains?

〇:For early detection or enclosure in the event of an attack.

Attackers will conduct an investigation before launching a substantial attack. In such cases, a vulnerable network can provide preventative information such as where the attacker is accessing the network from. This is because only an attacker would have the incentive to break into the network. Vulnerable network domains, such as honeypots, make this kind of intrusion easier and clarify the attacker’s behavior. Thus, the correct answer is “to detect or enclose them early in the event of an attack.” will be

 

×:Debugging environment for when a system outage occurs in the current environment.

The answer is not to intentionally create a vulnerable environment. It is only the result of creating an environment that is vulnerable.

 

×:Aiming to prevent regressions due to old vulnerabilities.

Even if it is an old vulnerability, it should be addressed and there is no point in allowing it to remain.

 

×:A special environment for running a product with a low version that is no longer supported.

It is not an answer to intentionally create a vulnerable environment. It is merely the result of creating an environment that is vulnerable.

#13. Robert is responsible for implementing a common architecture for accessing sensitive information over an Internet connection. Which of the following best describes this type of architecture?

〇:3-tier architecture

The 3-tier architecture clearly distinguishes the three layers: the client has the user interface responsible for input and displaying results, and the server has the functional process logic responsible for data processing and data storage for accessing the database. The user interface role is generally handled by the front-end web server with which the user interacts. It can handle both static and cached dynamic content. The functional process logic is where requests are reformatted and processed. It is typically a dynamic content processing and generation level application server. Data storage is where sensitive data is held. It is the back-end database and holds both the data and the database management system software used to manage and provide access to the data.

 

×:2-tier architecture

Two-tier, or client/server, is incorrect because it describes an architecture in which a server serves one or more clients that request those services.

 

×:Screened Subnets

A screen-subnet architecture is for one firewall to protect one server (basically a one-tier architecture). The external, public-side firewall monitors requests from untrusted networks like the Internet. If one layer, the only firewall, is compromised, an attacker can access sensitive data residing on the server with relative ease.

 

×:Public and Private DNS Zones

Separating DNS servers into public and private servers provides protection, but this is not the actual architecture.

#14. You are implementing Quality of Service (QoS) in your network; which is one of the main benefits of QoS?

#15. Which of the following is an incorrect description of IP telephony security?

〇:Softphones are safer than IP phones. 

IP softphones should be used with caution. A softphone is a software application that allows users to make calls via computer over the Internet. Replacing dedicated hardware, a softphone works like a traditional telephone. Skype is an example of a softphone application. Compared to hardware-based IP phones, softphones are more receptive to IP networks. However, softphones are no worse than other interactive Internet applications because they do not separate voice traffic from data, as IP phones do, and also because data-centric malware can more easily enter the network through softphones. network.

 

×:VoIP networks should be protected with the same security controls used on data networks.

The statement is incorrect because it correctly describes the security of an IP telephony network. an IP telephony network uses the same technology as a traditional IP network, which allows it to support voice applications. Therefore, IP telephony networks are susceptible to the same vulnerabilities as traditional IP networks and should be protected accordingly. This means that IP telephony networks should be designed to have adequate security.

 

×:As an endpoint, IP telephony can be a target of attack.

Incorrect because true: An IP phone on an IP telephony network is equivalent to a workstation on a data network in terms of vulnerability to attack. Thus, IP phones should be protected with many of the same security controls implemented on traditional workstations. For example, the default administrator password must be changed. Unnecessary remote access functions need to be disabled. Logging should be enabled and the firmware upgrade process should be secured.

 

×:The current Internet architecture in which voice is transmitted is more secure than physical phone lines.

True and therefore incorrect. In most cases, the current Internet architecture in which voice is transmitted is more secure than physical telephone lines. Physical phone lines provide a point-to-point connection, which is difficult to leverage over the software-based tunnels that make up the bulk of the Internet. This is an important factor to consider when protecting IP telephony networks because the network is now transmitting 2 valuable asset data and voice. It is not unusual for personal information, financial information, and other sensitive data to be spoken over the phone; intercepting this information over an IP telephony network is as easy as intercepting regular data. Currently voice traffic should also be encrypted.

#16. One approach to fighting spam mail is to use the Sender Policy Framework, an email validation system. What type of system implements this functionality and receives and responds to requests?

Sender Policy Framework (SPF) is an email verification system that detects email spoofing and prevents spam and malicious email. Attackers typically spoof e-mail addresses to make recipients believe that the messages come from a known and trusted source. SPF allows network administrators to specify which hosts can send mail from a particular domain by implementing SPF records in the Domain Name System (DNS). The e-mail server is configured to check with the DNS server to ensure that e-mail sent from a particular domain was sent from an IP address authorized by the administrator of the sending domain.

#17. Software-defined network (SDN) technology specifies which of the following?

〇:How routers are centrally managed and control packets based on the controller’s instructions 

Software-defined networks (SDN) are intended to facilitate centralized management of routing decisions and to separate the router’s logical functions of passing data between the routing decision and the interface and making its mechanical functions.SDN architecture is a scalable, a programmable, and is intended to be a standard method of providing router control logic. Therefore, the correct answer is “a way for routers to be centrally managed and control packets based on the controller’s instructions.

 

×:Mapping between MAC and IP addresses.

ARP table.

 

×:Updating the routing table in a dynamic way.

Explanation of dynamic routing.

 

×:A method in which routers communicate with each other to update the routing table when an event occurs.

This is an explanation of routing control in case of communication failure.

#18. Which technology optimizes content delivery by determining geographic location based on the client’s IP address for routing that constitutes the proximal topology of Web content?

〇:Content Delivery Network (CDN)

Content delivery networks (CDNs) are designed to optimize the delivery of content to clients based on their global topology. In such a design, multiple web servers hosted at many points of existence on the Internet are globally synchronized and contain the same content, and the client is usually directed to the nearest source via DNS record manipulation based on geolocation algorithms for can be directed to.

 

×:Distributed Name Service (DNS)

Wrong, as there is no protocol called Distributed Name Service; DNS refers to the Domain Name Service protocol.

 

×:Distributed Web Service (DWS)

Distributed Web Services is also wrong because it is an incorrect answer. The concept of a distributed Web services discovery architecture is not a formal protocol, although it has been discussed by the IEEE and others.

 

×:Content Domain Distribution (CDD)

The term Content Domain Distribution (CDD) does not appear in CISSP’s CBK terminology.

#19. Which of the following attacks aims to bring down equipment by means of packets whose offsets have been tampered with?

〇:Teardrop

Teardrop is an attack to bring a system to a halt by forging the offset of IP packets when they are returned before splitting.

 

×:Fraggle attack

Fraggle attack is an attack that uses the CHARGEN function to generate an appropriate string.

 

×:CHARGEN attack

There is no attack with such a name.

 

×:War Driving

Wardriving is the act of driving around a city looking for vulnerable wireless LAN access points.

#20. Which of the following is the most appropriate relationship between SSL and TLS?

〇:TLS is an open community version of SSL.

Secure Sockets Layer (SSL) and Transport Layer Security (TLS) are cryptographic protocols used to protect communications by encrypting segments of a network connection. SSL is a proprietary protocol and TLS was developed by a standards body, making it an open community protocol.

 

×:TLS is an open community version of SSL. SSL is a proprietary protocol and TLS was developed by a standards body, making it an open community protocol. x: The SSL protocol can be modified by developers to extend its capabilities.

This is incorrect because SSL is a proprietary protocol developed by Netscape. This means that the technical community cannot easily interoperate and extend SSL to extend to its functionality.

 

×:SSL is an open community protocol while TLS is a proprietary protocol.

The meaning and matching are reversed.

 

×:SSL is an extended version and backward compatible with TLS.

Wrong, since TLS is actually more extensible than SSL and is not backward compatible with SSL.

Previous
終了