Module 4 Challenge: Securing Your Networks - IT Security: Defense Against the Digital Dark Arts (Google IT Support Professional Certificate) Answers, 2025
Question 1
Which tenet of security are flood guards designed to help ensure?
✅ Availability
❌ Authentication
❌ Authorization
❌ Accounting
Explanation:
Flood guards protect against DoS (Denial-of-Service) and DDoS (Distributed Denial-of-Service) attacks. These attacks aim to make a network or service unavailable. Flood guards maintain availability, one of the CIA triad principles (Confidentiality, Integrity, Availability).
Question 2
What kind of attack does IP Source Guard (IPSG) protect against?
✅ IP Spoofing attacks
❌ DoS attacks
❌ ARP Man-in-the-middle attacks
❌ Rogue DHCP Server attacks
Explanation:
IP Source Guard (IPSG) prevents IP spoofing by verifying the source IP address against known trusted bindings (from DHCP snooping tables or static entries).
Question 3
A host-based firewall protects against malicious attacks in which of the following scenarios?
✅ A device on a company’s internal network needs protection when another device connected to the network has been corrupted.
✅ An employee connects to the unsecured internet at their local coffee shop with their company computer.
❌ Layer 2 man-in-the-middle attack
❌ Rogue DHCP server attack
Explanation:
A host-based firewall filters traffic directly on the computer itself, offering local protection even when the overall network is compromised or unsafe (like in public Wi-Fi).
Question 4
What underlying symmetric encryption cipher does WEP use?
✅ RC4
❌ AES
❌ DES
❌ RSA
Explanation:
WEP (Wired Equivalent Privacy) uses the RC4 stream cipher for encryption. However, due to weak key implementation, WEP is highly insecure and has been replaced by WPA/WPA2.
Question 5
Which of the following are critical flaws of PIN entry WPS authentication with a hard-coded PIN?
✅ It uses an 8-digit PIN (7 digits + 1 checksum), sent in two parts — making it guessable in ~11,000 tries.
✅ The hard-coded PIN can never be reset, so if recovered it can be reused to recover new passwords.
❌ Lockout period after 3 attempts
❌ Secure exchange of SSID
Explanation:
WPS (Wi-Fi Protected Setup) with PIN mode is vulnerable because:
- The 8-digit PIN is validated in two separate halves, so it is easily brute-forced.
- Many routers use a non-resettable hard-coded PIN, creating a permanent vulnerability.
Question 6
How can you increase the security of a wireless network that uses WPA2 with AES/CCMP mode?
✅ Use a long, complex passphrase that wouldn’t be found in the dictionary.
❌ Change SSID
❌ Connect clients with WPS
❌ Connect with SSID
Explanation:
The biggest weakness in WPA2-PSK networks is a weak password. Using a strong, random, long passphrase greatly enhances security against brute-force and dictionary attacks.
Question 7
Port mirroring allows you to:
✅ Access all packets from a specified port, port range, or entire VLAN.
❌ Perform DHCP snooping
❌ Access only the packets from one port
❌ Require promiscuous mode
Explanation:
Port mirroring (SPAN) duplicates network traffic from one or more ports/VLANs to a monitoring port — useful for packet capture or IDS/IPS systems.
Question 8
You’re setting up a NIPS. Which constraint must you consider?
✅ The monitored traffic must pass through the NIPS so it can drop suspicious traffic.
❌ Monitor all traffic without passing
❌ Access outgoing traffic only
❌ Access incoming traffic only
Explanation:
A Network Intrusion Prevention System (NIPS) must sit inline with network traffic so it can detect and actively block malicious packets in real time.
Question 9
You want to use tcpdump to retrieve packets with 172.217.6.46 as source or destination IP and port 53. Which command should you use?
✅ sudo tcpdump -i eth0 -vn host 172.217.6.46 and port 53 &
❌ tcpdump -i eth0 -vn host 172.217.6.46 and port 53 &
❌ sudo tcpdump -i eth0 -vn
❌ sudo tcpdump -i eth0 -vn port 53 &
Explanation:
Adding sudo ensures you have the privileges needed to capture traffic on the interface.
The flags mean:
- -i eth0: capture on interface eth0
- -v: verbose output
- -n: no DNS name resolution
- host 172.217.6.46 and port 53: filter for that IP address (as source or destination) and that port
- &: run the command in the background
Question 10
You want to determine Layer 3 protocol, source/destination addresses and ports, and TCP details — but not overly detailed output. What flags should you use with sudo tcpdump -i eth0?
✅ -vn
❌ -v
❌ -n
❌ none
Explanation:
-v (verbose) gives moderate detail about TCP flags and protocol info, and -n disables name lookups. Together, -vn gives a concise yet detailed view of traffic headers without overwhelming output.
🧾 Summary Table
| Q# | ✅ Correct Answer | Concept |
|---|---|---|
| 1 | Availability | Flood guards ensure uptime |
| 2 | IP Spoofing attacks | IPSG defense |
| 3 | Internal device + public Wi-Fi | Host-based firewall |
| 4 | RC4 | WEP encryption |
| 5 | Split PIN + hard-coded | WPS flaws |
| 6 | Long, complex passphrase | WPA2 security |
| 7 | Access all packets from VLAN | Port mirroring |
| 8 | Traffic must pass through NIPS | Inline protection |
| 9 | sudo tcpdump -i eth0 -vn host 172.217.6.46 and port 53 & | Correct tcpdump syntax |
| 10 | -vn | Moderate tcpdump detail |