3 QUESTIONS WITH CORRECT
DETAILED ANSWERS
OCSP stapling -Answer-There are several ways to check on the status of an online
certificate, but some introduce privacy concerns. Consider how each of the following is
structured, and select the option with the best ability to hide the identity of the certificate
status requestor.
***(NOT)Use certificate chaining*** -Answer-An independent penetration testing
company is invited to test a company's legacy banking application developed for
Android phones. It uses Secure Sockets Layer/Transport Layer Security (SSL/TLS)
certificates. Penetration tests reveal the connections with clients were vulnerable to a
Man-in-the-Middle (MITM) attack. How does the company prevent this from happening
in the public Internet?
Trust model -Answer-In a Public Key Infrastructure (PKI), which option best describes
how users and multiple Certificate Authorities (CA) interact with each other in a large
environment?
Key escrow -Answer-A company with archived and encrypted data looks to archive the
associated private keys needed for decryption. The keys should be externally archived
and heavily guarded. Which option should the company use?
Signature-based -Answer-An administrator deploys a basic network intrusion detection
system (NIDS) device to identify known attacks. What detection method does this
device use?
-Block TCP ports
-Allow network protocols -Answer-A network administrator set up a basic packet filtering
firewall using an open-source application running on a Linux virtual machine. The
immediate benefit to this deployment is the quick configuration of basic firewall rules.
What other functionality would influence a decision to deploy a stateless, rather than
stateful, firewall? (Select all that apply.)
ACL -Answer-An administrator navigates to the Windows Firewall with Advanced
Security. The inbound rules show a custom rule, which assigned the action, "Allow the
connection" to all programs, all protocols, and all ports with a scope of 192.168.0.0/24.
This is an example of what type of security setting?
Use correct certificate path. -Answer-A company has two web servers using a load-
balance configuration. Users report having periodic trust errors connecting to the
website. Both servers are using web-server certificates and show the same path. Which
of the following actions would most likely resolve the issue?
openssl genrsa -aes256 -out server.key 2048 -Answer-A public key infrastructure (PKI)
is being set up for a logistics company, utilizing OpenSSL hosted on Red Hat Enterprise
Linux. Which of the following commands can the team use, when setting up the PKI, to
create an encrypted RSA private key?
DNS Security Extensions -Answer-An authoritative Domain Name System (DNS) server
for a zone creates a Resource Records Set (RRSet) signed with a zone signing key.
What is the result of this action?
S/MIME -Answer-The administrator of an Exchange Server needs to send digitally
signed and encrypted messages. What should the administrator use?
SRTP -Answer-An organization uses a Session Initiation Protocol (SIP) endpoint for
establishing communications with remote branch offices. Which of the following
protocols will provide encryption for streaming data during the call?
LDAPS -Answer-A web server will utilize a directory protocol to enable users to
authenticate with domain credentials. A certificate will be issued to the server to set up a
secure tunnel. Which protocol is ideal for this situation?
-Tunnel
-Transport -Answer-A Transport Layer Security (TLS) Virtual Private Network (VPN)
requires a remote access server listening on port 443 to encrypt traffic with a client
machine. An IPSec (Internet Protocol Security) VPN can deliver traffic in two modes.
One mode encrypts only the payload of the IP packet. The other mode encrypts the
whole IP packet (header and payload). What are these two modes? (Select all that
apply.)
-Establish a guest zone
-Upload files using SSH
-Use configuration templates -Answer-Consider the principles of web server hardening
and determine which actions a system administrator should take when deploying a new
web server in a demilitarized zone (DMZ). (Select all that apply.)
LDAPS -Answer-Which of the following protocols would secure a tunnel for credential
exchange using port 636?
Directory services -Answer-Implementing Lightweight Directory Access Protocol Secure
(LDAPS) on a web server secures direct queries to which of the following?