Chapter 4: Communication and Network Security (Domain 4)
- A. WPA2, the replacement for WPA, does not suffer from the security issues that WEP,
the original wireless security protocol, and WPA, its successor, both suffer from. AES is
used in WPA2 but is not specifically a wireless security standard.
- A. User awareness is one of the most important tools when dealing with attachments.
Attachments are often used as a vector for malware, and aware users can help prevent
successful attacks by not opening the attachments. Antimalware tools, including
antivirus software, can help detect known threats before users even see the attachments.
Encryption, including tools like S/MIME, won’t help prevent attachment-based security
problems, and removing ZIP file attachments will only stop malware that is sent via those
ZIP files.
- A. The Transport layer provides logical connections between devices, including end-to-end
transport services to ensure that data is delivered. Transport layer protocols include
TCP, UDP, SSL, and TLS.
- B. Machine Access Control (MAC) addresses are the hardware address the machine uses
for layer 2 communications. The MAC addresses include an organizationally unique
identifier (OUI), which identifies the manufacturer. MAC addresses can be changed, so
this is not a guarantee of accuracy, but under normal circumstances you can tell what
manufacturer made the device by using the MAC address.
- D. PEAP provides encryption for EAP methods and can provide authentication. It does
not implement CCMP, which was included in the WPA2 standard. LEAP is dangerously
insecure and should not be used due to attack tools that have been available since the early
2000s.
- C. Double NATing isn’t possible with the same IP range; the same IP addresses cannot
appear inside and outside a NAT router. RFC 1918 addresses are reserved, but only so
they are not used and routable on the Internet, and changing to PAT would not fix the
issue.
- B. A Class B network holds 2^16 systems, and its default network mask is 255.255.0.0.
- C. Traditional private branch exchange (PBX) systems are vulnerable to eavesdropping
because voice communications are carried directly over copper wires. Since standard
telephones don’t provide encryption (and you’re unlikely to add encrypted phones unless
you’re the NSA), physically securing access to the lines and central connection points is the
best strategy available.
- A. Most cordless phones don’t use encryption, and even modern phones that use DECT
(which does provide encryption) have already been cracked. This means that a determined
attacker can almost always eavesdrop on cordless phones, and makes them a security risk
if they’re used for confidential communication.
- A. VLAN hopping between the voice and computer VLANs can be accomplished when
devices share the same switch infrastructure. Using physically separate switches can
prevent this attack. Encryption won’t help with VLAN hopping because it relies on header
data that the switch needs to read (and this is unencrypted), while Caller ID spoofing is an
inherent problem with VoIP systems. A denial of service is always a possibility, but it isn’t
specifically a VoIP issue and a firewall may not stop the problem if it’s on a port that must
be allowed through.