Domain 4 CISSP Exam: Communication and Network Security

Explanation: 802.1X/EAP is a port-based NAC (Network Access Control) system that provides enterprise authentication for wireless networks. It checks for client access control to network resources and allows the wireless network to leverage the existing network infrastructures authentication services. It supports multifactor authentication techniques using RADIUS, TACACS, certificates, smart cards, token devices, and biometrics to provide secure authentication.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 431 in PDF)

Explanation: Class A range of IPv4 addresses, which is 1-127, corresponds to a maximum number of 127 networks per range.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 411 in PDF)

Explanation: Centralized remote authentication services provide an extra layer of protection by separating and protecting the entire networks authentication and authorization services from those used by remote access clients.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 474 in PDF)

Explanation: RADIUS (Remote Authentication Dial-In User Service) is an example of a centralized remote authentication service used for remote authentication and authorization services. It is important because if a remote access server is compromised, other network services are still unaffected.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 474 in PDF)

Explanation: Enforcing user compliance with network usage policies is not one of the basic goals for the use of NAC. The basic goals for NAC include mitigation of non-zero-day attacks, authentication and authorization of network connections, post-authentication role-based control of users and devices, encryption of traffic to the wireless and wired network using protocols for 802.1X, enforcement of network policy to prevent endpoints from network access if they lack up-to-date security patches or required configurations, ability to control access to the network based on device type and user roles, and identity and access management based on authenticated user identities instead of just blocking IP addresses.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 459 in PDF)

Explanation: The circuit-level firewall is the type of firewall that operates at the OSI model session layer and only verifies the TCP handshaking is complete. It does not inspect any packets nor drop any individual packet. It only verifies the session while masking any details about the protected network.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 446 in PDF)

Explanation: Gigabit Ethernet delivers a data rate of 1,000 Mbps (1 Gbps).

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 451 in PDF)

Explanation: According to the text, TLS is the primary protocol for securing web traffic that has replaced SSL as it uses stronger authentication and encryption protocols.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 420 in PDF)

Explanation: An extranet is an externally facing web portal that allows an organization to share select information with vendors, customers, and other external parties. In contrast, a LAN is a group of devices that communicate on a single localized network, typically within the same building. A WAN is a larger network that covers a broader space than a LAN, typically larger than most MANs. A PAN connects devices within a narrow distance of each other, typically within 10 yards.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 392 in PDF)

Explanation: Converged protocols enable an organization to reduce its reliance on distinct, costly proprietary hardware, ultimately lowering costs by merging specialized or proprietary protocols with standard protocols such as TCP/IP suite protocols.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 423 in PDF)

Explanation: A local area network (LAN) is a group of devices that communicate on a single localized network, typically (but not always) within the same building. On the other hand, a wide area network (WAN) is a larger network that covers a broader space than a LAN, typically larger than most MANs. The internet is the largest, most commonly used WAN.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 392 in PDF)

Explanation: Within the 2.4 GHz frequency range, the United States has allocated 11 channels for wireless signals. In other countries and jurisdictions, the number of channels is regulated by national or union regulations, which explains the differences in the number of frequencies.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 435 in PDF)

Explanation: IKE protocol is a secure mechanism used to establish a secure and authenticated communication channel between two entities.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 421 in PDF)

Explanation: An omnidirectional antenna sends signals in all directions away from the antenna, and it is the prevalent type of antenna on base stations and endpoint devices. This radiation pattern is omnidirectional, and it is not focused to one direction like directional antennas.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 435 in PDF)

Explanation: In a network cables naming convention, XX represents the maximum speed the cable type offers, such as 10 Mbps for a 10Base2 cable.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 453 in PDF)

Explanation: VXLANs allows for a maximum of 16 million virtual networks (VXLANs) in a domain, which is a vast improvement from the 4,094 VLANs that traditional Ethernet switches offer.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 427 in PDF)

Explanation: According to the text, a metropolitan area network is a connection of multiple LANs throughout an entire city, for example, a citywide Wi-Fi network.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 392 in PDF)

Explanation: According to Table 4.2, Wi-Fi 6E (802.11ax) offers a maximum data rate of 9.6 Gbps, which is higher than all other options listed. This is due to the additional frequency band (6 GHz) that is available for use in this standard.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 428 in PDF)

Explanation: The control layer is responsible for determining how traffic should flow based on the status of the infrastructure layer and the requirements specified by the application layer.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 425 in PDF)

Explanation: FCoE is a solution developed to enable Fibre Channel to work more efficiently using less expensive copper cables over Ethernet connections. It works by using 10 Gbps Ethernet frames to support Fibre Channel communications, achieving high-speed file transfers with Fibre Channel-like performance over Ethernet connections.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 424 in PDF)

Explanation: Twisted pair cabling is designed to guard against interference from external radio frequencies and electric and magnetic waves through the use of twisted pairs of wires. Each pair of wires is twisted at a different rate, measured as twists per inch, to prevent interference from one pair to another. This arrangement helps reduce electromagnetic radiation leakage and crosstalk.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 454 in PDF)

Explanation: Kerberos is a communication protocol that provides protection for logon credentials. It uses the concept of tickets to allow systems communicating over an unsecured network to prove their identity to one another securely. The correct answer is B.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 421 in PDF)

Explanation: The key difference between 4G and 5G cellular technologies is the tenfold increase in speed provided by 5G technology. This dramatic speed increase brings new applications to cellular technology and is projected to further advance the growth of IoT technologies in the near future.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 440 in PDF)

Explanation: The use of multimedia collaboration tools for remote meetings can lead to possible security breaches due to sharing digital files. These platforms can be a target for malicious actors to exploit vulnerabilities and gain unauthorized access to sensitive information. It is important for organizations to implement appropriate security measures for these tools, such as encryption and access controls, to prevent such incidents.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 465 in PDF)

Explanation: Hubs are prohibited in organizations because they offer little security-related capability. Since hubs repeat inbound traffic over all outbound ports, network traffic is essentially shared with all devices connected to the hub. This makes it very easy for attackers to eavesdrop on network traffic, which is a significant security risk.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 448 in PDF)

Explanation: The application layer is the highest layer of the OSI model and supports network access for software applications and provides an interface for the user. The software applications do not reside at the application layer, but this layer facilitates communication with applications at the other end of the network connection.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 406 in PDF)

Explanation: The first step in securing SMTP servers is to ensure that the protocols used provide the same basic functionality and compliance with internet email standards. This is important in ensuring that the email system works properly and can communicate with other email systems. Without proper configuration of the protocols, the server is vulnerable to attacks and spam.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 468 in PDF)

Explanation: TKIP includes a sequence counter to prevent packet replay attacks which was not present in WEP.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 432 in PDF)

Explanation: A LAN extender is a multilayer switch used to extend a network segment beyond the distance limitation specified in the IEEE 802.3 standard for a particular cable type.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 450 in PDF)

Explanation: A stateful inspection firewall operates at the network and transport layers of the OSI model, which are layers 3 and 4, respectively. It monitors the traffic state to apply filters based on the information gathered.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 445 in PDF)

Explanation: WPA2 provides U.S. government–grade security by implementing the National Institute of Standards and Technology (NIST) FIPS 140-2 compliant AES encryption algorithm, while WPA does not. This makes WPA2 more secure than WPA when it comes to encryption.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 431 in PDF)

Explanation: Layer 2 Tunneling Protocol (L2TP) operates on any LAN protocol, making it a versatile choice for VPN implementation.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 476 in PDF)

Explanation: TCP is a connection-oriented protocol that establishes a reliable connection before transmitting data; it provides extensive error checking mechanisms through flow control and acknowledgment of data, enforces data sequencing, and supports packet retransmission if packets are lost. Due to its guarantees of delivery, it is considered a reliable protocol.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 401 in PDF)

Explanation: Fiber-optic cables transmit pulses of light rather than electricity, which makes it extremely fast and nearly impervious to tapping and interference. In addition, fiber-optic cables can transmit over a much longer distance before attenuation degrades the signal.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 455 in PDF)

Explanation: In a ring topology, the digital token is passed around the circle to ensure that only one system at a time can transmit data. When the data is sent, the token goes with the packet.The intended recipient releases the token but retains the data packet. Only with the token can a system transmit data. This ensures that there is no collision of data transmission.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 455 in PDF)

Explanation: Layer 2 Tunneling Protocol (L2TP) operates at layer 2 on IP networks and encapsulates the PPP packets to create a point-to-point tunnel connecting two separate systems. The protocol does not employ encryption, so it does not provide confidentiality or strong authentication. In conjunction with IPSec, those services are possible.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 476 in PDF)

Explanation: A botnet is created and used to produce volumes of machines needed for a DDoS attack. It is a number of internet-connected and commandeered devices that communicate in a command-and-control manner.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 415 in PDF)

Explanation: Network virtualization is the combination of hardware and software networking components into a single integrated entity. The resulting system is managed by software control over all network functions including management, traffic shaping, address assignment, and more, eliminating the need for physical presence at all the hardware locations. A single management console or interface can be used to oversee every aspect of the network.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 479 in PDF)

Explanation: Software-defined security (SDS) is a security model in which security mechanisms are controlled and managed by security software. SDS is software-managed, policy-driven security that consists of network segmentation, intrusion detection and prevention, user and device identification, application controls, and more.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 426 in PDF)

Explanation: IoT devices are delivered with default settings that are easily guessed or publicly well known. Administrative credentials and management access are wide open to internet-facing interfaces, which makes them an easy target for potential attackers.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 416 in PDF)

Explanation: While Point-to-Point Tunneling Protocol (PPTP) and Layer 2 Tunneling Protocol (L2TP) do not employ encryption for session establishment and authentication, Secure Sockets Layer/Transport Layer Security (SSL/TLS) can be used as a VPN protocol and provides session encryption and security for communication over an IP network.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 477 in PDF)

Explanation: The internet is the largest, most commonly used WAN.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 392 in PDF)

Explanation: Circuit-level firewalls operate only at the session layer (layer 5) of the OSI model, and are designed to verify that the TCP handshaking is complete. Unlike other types of firewalls, circuit-level firewalls do not inspect any actual packet nor drop any packets; they only ensure that the session is legitimate while masking any details about the protected network. This makes circuit-level firewalls both functionally simple and efficient compared to other firewall types.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 445 in PDF)

Explanation: Li-Fi cannot transfer data through walls or other physical barriers, so it can only be contained within a physical space. As a result, Li-Fi offers a security benefit over Wi-Fi as it is less susceptible to unauthorized access from outside of that space.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 438 in PDF)

Explanation: The Star topology connects all nodes to a central device, such as a switch or hub. This central device creates a point of failure, since if it fails, the entire network can go down. However, it is easier to manage and troubleshoot than other topologies.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 455 in PDF)

Explanation: In the context of the OSI model, MPLS is commonly labeled a layer 2.5 protocol since it operates squarely between the common definitions of data link (layer 2) and network (layer 3) protocols.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 424 in PDF)

Explanation: The ZigBee standard includes security features such as access control lists (ACLs), frame counters, and encryption (using 128-bit AES keys).

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 439 in PDF)

Explanation: ARP (Address Resolution Protocol) is responsible for resolving the hardware address of a host from a given IP address on the internet layer of the TCP/IP reference model. It is a protocol used to map an IP address to the physical address (MAC address) of a device on a local network.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 408 in PDF)

Explanation: PEAP encapsulates EAP methods to provide authentication and encryption in network communication. Since EAP is usually not encrypted, PEAP can provide encryption for EAP methods. Thats why the correct answer is option B.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 432 in PDF)

Explanation: Endpoint Detection and Response (EDR) is an emerging category of security solutions that addresses the need for continuous monitoring and response to advanced threats on all types of endpoints.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 461 in PDF)

Explanation: A spanning tree algorithm (STA) is used to prevent bridges from forwarding traffic in endless loops. This is important because infinite loops can cause broadcast storms and can degrade network performance.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 448 in PDF)

Explanation: TACACS+ is an example of a centralized remote authentication service. It provides separate authentication, authorization, and accounting services for remote network access. The use of a centralized server ensures that if a remote access server is compromised, the entire networks authentication and authorization services remain unaffected.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 474 in PDF)

Explanation: The presentation layer of the OSI model is responsible for converting and presenting data to the application layer in the appropriate format. This includes common data representation formats, data compression schemes, and data encryption and decryption schemes.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 405 in PDF)

Explanation: A gateway device operates at the application layer (layer 7), but arguably also at the presentation layer (layer 6) where formats change, to connect networks that are using different network protocols and transform the format of one data stream from one network to a compatible format that can be used by the second network. This makes the gateway device a protocol translator.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 449 in PDF)

Explanation: An application-level firewall examines packets and network traffic with more scrutiny than static packet filtering firewalls but is the slowest of all types since deep inspection takes time.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 445 in PDF)

Explanation: The text states that coaxial cable has a larger minimum arc radius than twisted pair wiring. The arc radius is the maximum distance the cable can be bent without damaging the internal conductors. Bending the coax beyond the minimum arc is a relatively common cause of coaxial cabling failures.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 452 in PDF)

Explanation: A wide area network (WAN) is a larger network that covers a broader space than a LAN, typically larger than most MANs. The internet is the largest, most commonly used WAN.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 392 in PDF)

Explanation: Static packet filtering firewalls, also called screening routers, operate at the OSI models network layer (layer 3) and inspect each packet. If a packet breaks the established rules, the packet is dropped and/or logged. This type of firewall is the fastest of all four types but offers no authentication mechanism and can be vulnerable to spoofing.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 445 in PDF)

Explanation: Frame Relay originated as an extension of ISDN, and it integrates a packet-switched network capability over circuit-switched technology. Frame relay is a cost-effective and standalone means of creating a WAN, usually used to connect LANs with major backbones, and separate WANs and private network environments with leased lines over T-1 connections.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 477 in PDF)

Explanation: The technical term for the string of characters that identify a wireless network is ESSID, which is the name of a wireless network in infrastructure mode when a wireless base station or WAP is used. It represents the logical wireless network and there can be multiple access points to provide coverage for one or multiple ESSIDs.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 436 in PDF)

Explanation: One important step in protecting mobile device data is to encrypt data at rest on mobile devices. For many organizations, encryption is a regulatory expectation for sensitive information on mobile devices.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 461 in PDF)

Explanation: A mesh topology provides maximum levels of resiliency and redundancy, which means that if one connection fails, there are other connections that can compensate for this failure. This prevents failures of the entire network as only one segment or device fails. Therefore, the key benefit of a mesh topology is the level of resilience and redundancy it provides.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 458 in PDF)

Explanation: Remote control or remote access is commonly used for help desk or Tier 1 support and employee training functions. Employee time tracking is an example of an application for such capabilities.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 472 in PDF)

Explanation: Layer 2 of the OSI Model, the Data Link Layer, is responsible for data transmission between neighboring nodes. This layer is responsible for transferring data between adjacent network nodes in a local network. It divides data into frames and performs error checking to ensure that data is transmitted without errors.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 394 in PDF)

Explanation: SYN flooding is a denial of service attack that bombards the recipient with an overwhelming number of SYN packets, and the sender or senders do not acknowledge any of the replies. This attack exploits properties of TCP at the transport layer, and attempts to consume enough server resources to make the system unresponsive to legitimate traffic.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 415 in PDF)

Explanation: One disadvantage of a bus topology is that it is difficult to add or remove nodes. This is primarily because adding or removing a node requires disrupting the entire system, as each node is connected to the backbone. Therefore, adds and drops are complicated and result in downtime for the network. Hence, option A is the correct answer.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 457 in PDF)

Explanation: Using centralized remote authentication services such as RADIUS helps protect the networks authentication and authorization services if the remote access server is compromised. If a remote access server is compromised, the entire networks authentication and authorization services are unaffected because they are different and separated from the services used for network clients locally.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 474 in PDF)

Explanation: The first action to take when creating wireless access is to conduct a site survey. This helps in assessing what, if any, wireless access already exists and allows for better planning for the future.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 433 in PDF)

Explanation: WEP is currently considered a highly insecure encryption standard and should not be used. It has major security weaknesses and is easily crackable. Both WPA and WPA2 should also be moved away from in favor of WPA3.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 429 in PDF)

Explanation: VoIP stands for Voice over Internet Protocol which is a technology that allows voice communication to be transmitted over an IP network. This is done by encapsulating the voice data in IP packets and transmitting them over a network such as the Internet. VoIP is a popular telecommunication solution used by both individuals and companies.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 424 in PDF)

Explanation: Multihomed firewalls have two or more network interfaces and use software-defined rules to determine what traffic can pass between them, minimizing the risk of data being inadvertently exchanged between networks.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 446 in PDF)

Explanation: Phishing attacks, where attackers trick users into clicking on malicious links or attachments, are a common and effective attack method in email security.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 469 in PDF)

Explanation: iSCSI is a networking storage protocol that facilitates the connection of a remote storage volume over a network, as if it were directly connected. The iSCSI transmits SCSI commands over IP networks and is often viewed as a low-cost alternative to Fibre Channel. It is not a networking protocol based on DNS or WiFi. Therefore, option A is correct.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 424 in PDF)

Explanation: An encrypted VPN, or virtual private network, provides the most secure method of transmitting data between two parties, as it encrypts the data and provides a secure tunnel for it to travel through. Routers, switches, and hubs do not provide encryption and are vulnerable to attacks, such as packet sniffing and man-in-the-middle attacks.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 441 in PDF)

Explanation: Encapsulation, especially subsequent protocol wrapping, is a method of logically separating functions in a network from their underlying structures, which is used in all the microsegmentation methods.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 427 in PDF)

Explanation: A social engineering attack involves manipulating individuals through psychological means into divulging sensitive information. This can include phishing attacks, where a fake website or email is created to trick victims into providing their login credentials or other sensitive information. This type of attack exploits human weakness rather than technical weaknesses in a system or network.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 415 in PDF)

Explanation: The most widely used LAN technologies are Ethernet and wireless LAN using IEEE 802.11. As a security professional, it is important to understand the characteristics of these LAN technologies to properly secure a network. The differences between LAN technologies occur at and below the data link layer.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 451 in PDF)

Explanation: The MITRE ATT&CK knowledge base provides a foundation for security professionals to develop threat models and methodologies in their organizations based on hundreds of real-world attack tactics and techniques.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 419 in PDF)

Explanation: Microsegmentation is a method of isolating resources within a network by creating zones to reduce the attack surface, and securing each segment individually. It can help to limit the network traffic between resources, and simplify policy management. However, the primary goal is to reduce the risk of compromise and attack by isolating resources.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 425 in PDF)

Explanation: Multifactor authentication is the standard to protect sensitive information when managing remote access to a corporate network. A strong authentication system is essential to ensure that only authorized and authenticated users can access the network. Multifactor authentication involves requiring credentials from two or more authentication factors, such as something the user knows (such as a password), something the user has (such as a smart card), or something the user is (such as a biometric). This helps to ensure that even if one factor is compromised, the attacker would still need to provide the other factor(s) to gain access.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 473 in PDF)

Explanation: IPv4 is currently the main version used, while IPv6 is the evolving version. IPv4 and IPv6 both exist in the network layer of the OSI model and the internet layer of the TCP/IP model. Therefore, option A and B are incorrect. Option D is also incorrect because IPv4 and IPv6 have different protocols.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 411 in PDF)

Explanation: The security professional needs to consider the security impact of network cable selection, for instance the ease with which a potential adversary could wiretap copper network cabling as opposed to glass fiber. The main concern when selecting network cabling from a security standpoint is how easy it is to wiretap or intercept the cables, which could potentially put sensitive information at risk.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 452 in PDF)

Explanation: The current protocol version for SOCKS that also provides authentication is SOCKSv5.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 450 in PDF)

Explanation: Repeaters, concentrators, and amplifiers operate at the physical layer (layer 1). They serve to extend the maximum length a signal can travel over a specific media type.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 448 in PDF)

Explanation: The Open Systems Interconnection (OSI) model is a commonly used data communications framework that breaks down the process of data exchange into different layers, each with specific functions. This model helps ensure interoperability and compatibility between various networking technologies and protocols.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 477 in PDF)

Explanation: Media Access Control (MAC) is responsible for controlling how devices on a network gain permission to transmit data. MAC provides an addressing mechanism and channel access so nodes on a network can communicate with each other. The MAC sublayer is the interface between the logical link control (LLC) above and the physical layer (layer 1) below. MAC addressing works at the data link layer (layer 2) and provides a physical address that is unique and specific to each computing device.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 396 in PDF)

Explanation: VLAN hopping is an attack using a double-encapsulated IEEE 802.1Q VLAN tag. The attacker uses multilayer protocol encapsulation to gain access to a VLAN by encapsulating a packet already encapsulated with a different VLAN ID. The first VLAN tag is removed by the first switch it encounters, and the next switch will inadvertently move traffic according to the second layer VLAN encapsulated tag.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 422 in PDF)

Explanation: A screened subnet is a combination of bastion hosts that distinctly separate public and private segments. On the private intranet, the local computers and system are located behind a protective device or application, screening them from public access. On the other segment, public services like web servers and proxy servers are accessible. The subnets are helpful for increased security and can improve performance in data throughput.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 446 in PDF)

Explanation: One of the benefits of IPv6 over IPv4 is that it includes scoped addresses, which allows administrators to group and then deny or allow access to network services, like file servers or printing. This adds a layer of security and access control. Autoconfiguration is another benefit of IPv6, but it does not remove the need for DHCP or NAT. IPv6 also includes Quality of Service (QoS) priority values, which allow for traffic management based on content priority.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 414 in PDF)

Explanation: The two basic modes of Wi-Fi are infrastructure mode and ad hoc mode. Infrastructure mode is used when mobile APs, like laptops, connect via WAPs or wireless routers with APs to serve as an entry point or bridge to a wired private network or directly to an internet connection. Ad hoc mode is used when mobile units transmit directly with each other or in a peer-to-peer interconnection.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 452 in PDF)

Explanation: A switch is an intelligent hub that operates primarily at the data link layer (layer 2), meaning the switch handles systems on the same broadcast domain but different collision domains. It can also optionally operate at network layer (layer 3) when it is capable of routing, and is forwarding packets based on IP address. Switches can discriminate and forward traffic only to the devices that need to receive it, and provide efficient traffic delivery, create separate collision domains, and improve the overall throughput of data where the segments operate on the same protocol.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 448 in PDF)

Explanation: A hijacking attack is an attack in which an attacker exploits a session and tries to intercept or eavesdrop on the session token or cookie. The attacker may then steal the token or cookie and continue the session, posing as the victim. This can provide the attacker with valuable, sensitive information.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 419 in PDF)

Explanation: The Internet layer (also known as the Network layer) is responsible for routing data between different networks and ensuring that the data is sent to the correct IP address. It provides addressing, routing, and fragmentation of packets. It also determines the best path for the data to travel across different networks.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 406 in PDF)

Explanation: WPA3 provides stronger security by offering individualized encryption for each user, while WPA2 uses a shared encryption key, which can expose the entire network to potential threats. This helps prevent things like dictionary attacks and packet sniffing. WPA3 also provides robust password protection using Simultaneous Authentication of Equals (SAE), also known as Dragonfly, which eliminates many legacy authentication and encryption attacks. WPA3 also provides easy setup processes for devices with no human interface and other features for enhanced network protection.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 431 in PDF)

Explanation: A broadcast domain is a logical division of a computer network, in which all nodes can reach each other by broadcast at the data link layer (layer 2). The broadcast originates from one system in the group and is sent to all other systems within that group.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 442 in PDF)

Explanation: A firewall in a network environment is designed to permit approved traffic to transit between two environments and prevent unauthorized or unwanted traffic or attempts for users and entities to transit between environments.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 443 in PDF)

Explanation: A local area network (LAN) is a group of devices that communicate on a single localized network, typically (but not always) within the same building. It is a small network that serves a localized area.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 392 in PDF)

Explanation: Remote Authentication Dial-In User Service (RADIUS) is a remote authentication protocol that an organization can use to strengthen credential management and permissions for remote clients and users. RADIUS is a widely used authentication and accounting protocol that enables remote access servers to communicate with a central server to authenticate dial-in users and authorize their access to the requested system or service. It is commonly used by Internet Service Providers (ISPs) and medium to large organizations.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 474 in PDF)

Explanation: In a star topology, each device is connected to a central traffic management device, allowing for multiple dedicated lines to be run from each device to the central hub or switch. One benefit of this topology is that if one link goes down, the rest of the network is still functional due to segment resiliency. Cabling is also more efficiently used, and damaged cable is easier to detect and remediate.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 457 in PDF)

Explanation: One of the concerns in terms of integrity in secure voice transmissions is message integrity, where the contents of the message may be changed or reconstructed if intercepted.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 464 in PDF)

Explanation: S/MIME is an email security standard that provides both authentication and confidentiality services for emails using public key encryption and digital signatures. X.509 digital certificates are used for authentication, while PKCS encryption is used for privacy. Signed messages are used for sender authentication, nonrepudiation, and integrity, while enveloped messages maintain confidentiality and sender authentication.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 470 in PDF)

Explanation: According to the text, EAP encompasses over 40 different methods of authentication, including EAP-TLS, EAP-SIM, EAP-AKA, and EAP-TTLS. However, EAP-MD5 is known to be vulnerable and is, therefore, not a widely supported method of authentication.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 432 in PDF)

Explanation: Layer 1: Physical Layer is responsible for the transmission and reception of raw data across a transmission medium and converts digital bits into electrical signals or other forms of energy that can be transmitted across the given transmission medium.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 395 in PDF)

Explanation: War driving is when someone actively searches for Wi-Fi wireless networks using wireless network scanning tools. When using no security protocols or older ones, attackers have very little difficulty being successful. With the advancement of drones and the ability for private citizens to use them, a newer attack vector known as war droning is now a threat. War droning involves scanning and cracking activities done with a drone instead of a vehicle within proximity of the WAP.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 437 in PDF)

Explanation: Service-level agreements (SLAs) are an important mechanism to establish security expectations with an external party and hold them accountable if those expectations are not met.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 479 in PDF)

Explanation: Routing Information Protocol (RIP) is one of the earliest routing protocols and the first to use the distance-vector routing method. RIP uses the count of hops that a signal makes along the network path. RIP allows a maximum of 15 hops, and, at hop number 16, the distance is considered infinite and the destination unreachable. This constraint limits the size of networks RIP can support, but also is the reason RIP prevents routing loops which occur when a data packet is continually routed through the same routers over and over. In addition to hop count, RIP implements split horizon, route poisoning, and hold-down timers to prevent routing loops.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 397 in PDF)

Explanation: Static packet filtering firewall operates at the OSI models network layer, and inspects each packet, dropping and logging packets that break established rules. It is the fastest design and will mitigate the risk of a particular packet type, but offers no authentication mechanism and can be vulnerable to spoofing.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 445 in PDF)

Explanation: When working remotely, a user might use one of the access paths by connecting to a network over the internet, with or without a VPN. A VPN (Virtual Private Network) provides a secure connection between the remote user and the corporate network. This ensures confidentiality, integrity, and availability of data transmitted between the user device and the corporate network

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 471 in PDF)

Explanation: According to the text, wireless routers can operate on the 2.4 GHz and 5 GHz bands simultaneously in a multiband configuration and provide data transfer rates of more than 300 Mbps on the 2.4 GHz band and 450 Mbps on the 5 GHz band.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 450 in PDF)

(Page 437 in PDF)

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 437 in PDF)

Explanation: According to the 5-4-3 rule, there can be a maximum of five segments in a network that is arranged in a tree topology with a central hub or trunk. The segments can be connected by a maximum of four repeaters and concentrators. Only three of those five segments can have additional or other user, server, or networking device connections.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 455 in PDF)

Explanation: The benefit of using both static and dynamic routing is that static routing can be utilized as a backup when dynamic routing information fails to be exchanged. This ensures that data transmission is not disrupted in the network. While dynamic routing has the advantage of automatically updating routing decisions based on current network conditions, it may not always be reliable due to issues such as network failures or malicious attacks. By having static routing as a backup option, the network can continue operating even when dynamic routing is unavailable.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 449 in PDF)

Explanation: VoIP is not automatically more secure than analog and hackers have several vectors for VoIP attacks such as spoofing Caller ID, conducting DOS attacks on call managers, and eavesdropping on unencrypted network traffic. Therefore, employing encryption, increased authentication, and robust network infrastructure are necessary to deter such attacks.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 464 in PDF)

Explanation: SSH (Secure Shell) is a common secure communications protocol that provides security services for communications channels as well as secure authentication services. It is commonly used for remote login applications, allowing users to securely access and control their computers remotely. SSH uses encryption to protect the confidentiality and integrity of data transmitted over the network.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 420 in PDF)

Explanation: Domain separation helps to separate network traffic into broadcast domains, which restricts an adversary from sniffing valuable clues to the network topology. Separating a network into segments isolates local network traffic from traveling across routes, mitigating the risk of a potential adversary learning about the network design.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 392 in PDF)

Explanation: IM is vulnerable to packet sniffing in the absence of encryption, putting confidentiality at risk. Packet sniffing involves monitoring network traffic and capturing data packet contents. Since IM traffic is not encrypted, an attacker can intercept and read the contents of messages passing between the sender and receiver. This poses a significant risk for both individuals and businesses using IM for sensitive communication.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 467 in PDF)

Explanation: The most common use of VPNs is to establish secure communications through the internet between two distant networks. This is done by creating a secure, point-to-point connection over an untrusted network (such as the internet) using encryption to protect the encapsulated traffic.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 475 in PDF)

Explanation: Tunnel mode in IPSec encrypts and authenticates the entire IP packet, which includes both the data and the routing information, to establish a Virtual Private Network (VPN). This provides secure communication between two places, as a new IP packet with a new IP header is formed. This mode is useful when sending encrypted traffic over the public network, as it hides the original source, destination and protocol.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 421 in PDF)

Explanation: Full-duplex mode is the mode of operation when data is sent over a connection between two devices in both directions at the same time. This mode can be constructed either as a pair of simplex links or using one channel designed to permit bidirectional simultaneous transmissions. Therefore, the correct answer is C.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 405 in PDF)

Explanation: A bastion host is a special-purpose type of firewall or host computer that acts as a proxy, as the only device reachable from external sources. It adds a layer of protection by concealing the identities of the internal nodes and by limiting the possible impact of host compromise to just one application, which is usually a proxy server to facilitate services and encapsulate data through the bastion host.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 446 in PDF)

Explanation: According to Gartner, SD-WAN has four characteristics: Must support multiple connection types (e.g., internet, MPLS, LTE, etc.) Can perform dynamic path selection to support load sharing across WAN connections Provides a simple interface for managing the WAN Must support VPNs and other third-party services

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 426 in PDF)

Explanation: While content distribution networks positively affect availability, given that content distribution mitigates the impact of any one location going offline, the distribution of content among many hosts can negatively affect confidentiality. Organizations concerned with regulatory compliance must also be mindful of how content distribution affects their compliance requirements.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 440 in PDF)

Explanation: One of the principal issues with wireless technology is the insecure nature of the technology in the default configuration. For instance, wireless devices are sometimes shipped with default credentials that can be guessed or found on the internet (such as admin for the username and password for the password). This is acceptable if the recipient changes the credentials or establishes a multifactor authentication process before the device goes into the production environment, but a massive risk if they dont.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 427 in PDF)

Explanation: NAT can connect an entire private network to the internet using only a single or a few leased public IP addresses, thereby keeping the addressing costs at a minimum. This advantage helps organizations to effectively use the available public address space, and is one of the main reasons why NAT has become so popular. NAT also allows for any address to be used on the internal network without causing collisions or conflicts with public internet hosts with the same IP addresses.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 411 in PDF)

Explanation: Tamper detection is used to detect MITM attacks through examination of any latency in the transaction above baseline expectations. Response times are checked, and normal factors like long calculations of hash functions are accounted for. If a delay is not explained, there may be unwanted, malicious third-party interference in the communication.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 417 in PDF)

Explanation: A primary concern for antennas in wireless access placement is understanding how the signal pattern (or lobe pattern) extends from the antenna, particularly with directional antennas where the lobe reaches far beyond the typical unidirectional antenna in one focused direction while being attenuated (i.e., reduced) in the other directions. It is essential to ensure that the antenna does not broadcast signals beyond the intended area of access, which can result in unauthorized access and security breaches.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 434 in PDF)

Explanation: CCMP (Counter Mode with Cipher Block Chaining Message Authentication Code Protocol) was created to replace WEP and TKIP/WPA, it uses AES with a 128-bit key and is the preferred standard security protocol of 802.11 wireless networking indicated by 802.11i. CCMP is also the standard encryption mechanism used in WPA2 and WPA3. To date, no attacks have yet been successful against the AES/CCMP encryption.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 432 in PDF)

Explanation: HTTP/HTTPS is the foundation of file and data transfer on the World Wide Web and comprises and supports websites.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 410 in PDF)

Explanation: SSH-2 provides more secure and efficient protections against eavesdropping, DNS and IP spoofing, and MITM attacks compared to SSH-1, which is considered insecure. Thus, option B is the correct answer.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 420 in PDF)

Explanation: A captive portal is used in wireless networks to force a newly connected device to a starting page to establish authorized access. The portal may require input of credentials, payment, or an access code. Once the end user satisfies the conditions required by the starting page, only then they can communicate across the network.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 437 in PDF)

Explanation: A Personal Area Network (PAN) connects devices within a narrow distance of each other, typically within 10 yards. Bluetooth networks are common examples of PANs.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 392 in PDF)

Explanation: In the TCP/IP model, the core protocols of the transport layer are TCP and UDP. TCP provides reliable, connection-oriented communication, while UDP provides unreliable, connectionless communication. ICMP and ARP are both protocols that operate at the network layer, while IPsec and SSL operate at the application layer. SSH and Telnet are both protocols that provide terminal emulation and remote access services at the application layer as well.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 410 in PDF)

Explanation: The text in DOMAIN 4 emphasizes that no single solution can fully address all security gaps. Instead, a layered solution approach, which combines different security controls like access control, authentication, and encryption, is necessary for effective network security. This highlights the importance of using multiple techniques to defend against potential security threats rather than relying solely on one solution to protect all assets and information.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 481 in PDF)

Explanation: The best way to protect against network sniffing is to encrypt sensitive traffic, as stated in the given text: Encrypting sensitive traffic is the best way to protect against network sniffing. This prevents attackers from being able to read the contents of the packets they capture, rendering any captured data useless.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 419 in PDF)

Explanation: The main purpose of conducting a site survey is to define the optimal placement and configuration of APs in an environment. During a site survey, security personnel investigate the strength and reach of WAPs deployed in an environment to ensure sufficient signal strength is available at all locations where access is desired, while minimizing or eliminating signal availability in areas where access is not wanted. This helps generate documentation to assess the operational benefits of the network.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 433 in PDF)