Wireless Security and Vulnerabilities Quiz
48 Questions

Questions and Answers

An attacker intercepts an HTTPS public encryption key and decrypts login credentials. What type of vulnerability is primarily exploited in this scenario?

  • Session Hijacking
  • Brute Force Attack
  • Replay Attack
  • Man-in-the-Middle Attack (correct)

What type of WLAN attack is specifically mitigated by using a per-MPDU TKIP sequence counter (TSC)?

  • Weak-IV attack
  • Forgery attack
  • Bit-flipping attack
  • Replay attack (correct)

A small business is using consumer-grade wireless routers. Which security measure is the most appropriate to implement to secure the wireless network?

  • WPA2-Enterprise
  • WPA-Enterprise
  • WPA2-Personal (correct)
  • 802.1X/EAP-PEAP

Which of the following is a primary criterion for a network to qualify as a Robust Security Network (RSN)?

  • WEP may not be used for encryption.

After capturing network traffic, you observe authentication and association frames, followed by DHCP and ISAKMP protocol packets. What security solution is likely represented?

  • Open 802.11 authentication with IPSec

A Windows laptop has a dual-band Wi-Fi adapter. Which wireless frequency band would potentially offer less interference in a crowded area with multiple access points?

  • 5 GHz band

Given the previous scenario, to mitigate common threats, which encryption protocol is best suited if we use WPA2-Personal?

  • AES-CCMP

In a WPA2-Personal scenario, what kind of key is used for the actual data encryption once the shared secret has been initially established during authentication?

  • Session Key

Which of the following topics should be included in end-user training for password selection and acceptable network use?

  • Social engineering recognition and mitigation techniques.

What is the most appropriate way for a wireless security professional to address rogue access points within a large organization's network?

  • Implementing a WIPS for rogue detection and response.

Before creating a WLAN security policy, what is the most essential prerequisite for ABC Hospital?

  • Strong management support for the process.

In which deployment scenario is peer-to-peer traffic blocking most beneficial?

  • Public hot-spots with many users and applications.

Which of these authentication technologies is capable of setting up a TLS tunnel between the client device and the authentication server?

  • WPA2-Enterprise

What specific action should a wireless professional take to mitigate the biggest risk posed by rogue access points?

  • Set up a WIPS system.

What initial step is crucial before developing a robust WLAN security policy for ABC Hospital?

  • Securing sponsorship from senior leadership and management.

In which situation is it most critical to block peer-to-peer traffic on a Wi-Fi network?

  • Public Wi-Fi hotspots with many clients using assorted applications.

Which of the following security measures BEST addresses the requirement to limit network permissions for a guest hot-spot to only internet access?

  • Configuring ACLs that restrict data types and destinations on the guest WLAN.

What is the primary purpose of implementing a captive portal with HTTPS login for a guest WLAN?

  • To ensure all guest users are authenticated before accessing the WLAN.

In the 802.1X/EAP framework, what event directly precedes the opening of the 802.1X controlled port?

  • The completion of the 4-way handshake.

Why does the 802.1X Uncontrolled Port open while the Controlled Port is still blocked after 802.1X/EAP is successful?

  • Uncontrolled Ports are always open for network operations.

What was a significant obstacle that hindered early adoption of Opportunistic Key Caching (OKC)?

  • Lack of standardization and client certification caused delayed support.

Why is it recommended to use different VLANs for corporate and guest WLANs in addition to separate controllers?

  • To segregate network traffic and enhance security by logically separating networks.

Which security control helps prevent guest users from associating their device to the corporate WLAN?

  • Implementing a WIPS to deauthenticate guest users

Why is it important for a hot-spot to limit access to network resources as much as possible?

  • To reduce the risk of unauthorized access to sensitive information and systems.

ABC Company is upgrading its WLAN infrastructure to support Voice over Wi-Fi. What is a primary security concern given that most Voice over Wi-Fi phones do not support IPSec?

  • The lack of IPSec support on Voice over Wi-Fi phones.

What is the most appropriate security solution to implement when upgrading to Voice over Wi-Fi and needing to replace WEP with IPSec?

  • Migrate to WPA2-Enterprise with fast secure roaming for all devices and segment Voice over Wi-Fi on a separate VLAN.

What is the role of LDAP when used in a WLAN authentication solution?

  • A data retrieval protocol used by authentication services like RADIUS.

Which of the following security protocols provides mutual authentication without the need for X.509 certificates?

  • EAP-FAST

802.1X/EAP is being used for wireless authentication, with a controller and 7 access points. What is the most common role of RADIUS in this solution?

  • The RADIUS server is responsible for authentication and authorization of the clients.

Given an 802.1X/EAP-based wireless security solution, with a WLAN controller and 7 APs, what is the purpose of the EAP protocol?

  • To provide a framework for authentication within the 802.1X architecture.

What is the primary difference between EAP-FAST and EAP-TLS?

  • EAP-FAST uses a Protected Access Credential (PAC), and EAP-TLS uses X.509 certificates.

Why might an organization choose to implement WPA2-Enterprise over WPA-Personal?

  • WPA2-Enterprise is considered more secure than WPA-Personal, especially for a large number of managed devices.

What is a primary difference between EAP-TTLS and EAP-TLS regarding authentication credentials?

  • EAP-TTLS does not require the use of a certificate for each STA, but EAP-TLS does.

In a WPA2-Enterprise setup, how does the WLAN controller receive group assignments for authenticated users to apply specific security profiles?

  • The RADIUS server includes a group name attribute in its response to the WLAN controller during each successful authentication.

What is the specific role of the Pairwise Transient Key (PTK) within IEEE 802.11 authentication and key management?

  • It provides keys to encrypt unicast data frames across the wireless medium.

Which technology would need to be implemented to support a TSN due to legacy wireless equipment that doesn't support AES encryption, when it wouldn't be necessary in an 802.11-2012 compliant network?

  • WEP

What is the primary difference in the way EAP-TTLS and EAP-TLS handle client authentication?

  • EAP-TLS requires both server and client certificates for authentication, while EAP-TTLS only requires a server-side certificate and uses a tunneled authentication method for the client.

In the context of WPA2-Enterprise, what is the immediate effect of a RADIUS server returning a group name to the WLAN controller during user authentication?

  • The WLAN controller assigns a pre-configured security profile to the authenticated user, based on the returned group name.

Why is the Pairwise Transient Key (PTK) specific to unicast data frame encryption, and not used for other traffic?

  • The PTK is specifically designed to protect sensitive data during unicast transmissions by encrypting and signing packets.

Why might an administrator choose to implement WEP for older wireless equipment given the potential security risks?

  • Some very old devices do not support the newer encryption standards like CCMP (AES), making WEP necessary to connect to the network.

Joe is unable to connect to ABC Company's 802.11 WLAN. Given that his laptop is authorized and the environment includes WIPS, what is the most likely cause of his connectivity issue?

  • Joe's laptop is using a personal PC card radio with different drivers and client utilities, disabling the integrated 802.11 radio.

ABC Company uses an overlay WIPS with dipole antenna sensors to locate rogue devices. Which of the following techniques can the 802.11 based platform use to determine the location of rogue devices?

  • Time Difference of Arrival (TDoA), Trilateration of RSSI measurements, and RF Fingerprinting

In a Single Channel Architecture (SCA) network, what key characteristic is shared across all Access Points (APs)?

  • The same channel and BSSID for each AP.

In ABC Company's Single Channel Architecture (SCA) network, which authentication method is exclusively used?

  • PEAPv0/EAP-MSCHAPv2

In an SCA environment with a Voice over Wi-Fi client (STA-1) moving throughout the network, what best describes the changes that are happening?

  • STA-1 associates with a new AP when the RSSI signal of the current connected AP drops below an acceptable level, without requiring further authentication.

What is the primary purpose of ABC Company's WIPS termination policy?

  • To trigger alerts for rogue stations, rogue APs, DoS attacks, and unauthorized roaming.

What is a key factor that makes a Single Channel Architecture (SCA) beneficial for client roaming?

  • It allows all APs to use the same channel and BSSID.

Joe’s laptop is attempting to connect to a PEAPv0/EAP-MSCHAPv2 network and failing. What is the most likely reason for the failure, given the company’s WIPS policy?

  • Joe's laptop uses a different radio card, despite being authorized on the WIPS.

Study Notes

CWSP-207 Study Notes

• Course is CWSP-207

• Total questions: 119

• Topic 1: Vulnerabilities, Threats, and Attacks

  • An attack is in progress, but the attacker has not gained access to any files. This describes a denial-of-service (DoS) attack.
  • WLAN attacks exploit specific vulnerabilities such as management interface exploits, zero-day exploits, RF DoS, hijacking attacks, and social engineering attacks. These can be used to gain credentials or disrupt communication.
  • 802.11n access points at airports are susceptible to man-in-the-middle attacks and Wi-Fi phishing attacks.
  • ABC Corporation should be advised against using MS-CHAPv2 for their WLAN security, as it is vulnerable to offline dictionary attacks and not secure for WPA2-Enterprise implementations. LEAP is secure only when used within a TLS-encrypted tunnel.
  • Wireless attacks such as rogue APs, DoS, and eavesdropping can't be detected by WIPS solutions of any kind.
  • Social engineering is a security attack that cannot be detected by WIPS software solutions.
  • In a WLAN security penetration exercise, obtaining the WEP key allows an attacker to decrypt other users' traffic. To recreate encryption keys using a protocol analyzer, three inputs are required: authenticator nonce, supplicant nonce, and authenticator address (BSSID).
  • 802.11w protects against RF DoS and Layer 2 disassociation attacks.
  • When using a wireless aggregator utility to combine multiple packet captures, the utility is likely being used for troubleshooting wireless adapter failures and performing an interference source location test.
  • WPA2 Personal uses Open System authentication followed by a 4-Way Handshake, resulting in easily performed hijacking attacks.
• Topic 2: Security Policy

  • A security policy that requires VPN software for connectivity to the corporate network will help mitigate peer-to-peer attacks when laptops are used on public access networks.
  • Password complexity and regular changes to static passwords in a security policy help to mitigate vulnerabilities.
  • Strong authentication, encryption, and robust security methods should be addressed by a WLAN security policy to provide a secure network for users to access sensitive information such as corporate data, file shares, intranet web servers, or internet network access.

• Topic 3: WLAN Security Design and Architecture

  • EAP-MD5, EAP-TLS, and PEAPv0/MSCHAPv2 technologies are used, establishing a TLS tunnel between the supplicant and the authentication server.
  • When CCMP is used for protection of data frames, 16 bytes of overhead are added to Layer 2 frames. Eight of these bytes make up the MIC (message integrity code), a layer of validation to ensure that the wireless receiver does not incorrectly process corrupted signals. The MIC is a hash computation against the MAC header to detect replay attacks.
  • WPA2-Personal authentication and AES-CCMP encryption protect the MSDU contents of the 802.11 frames from eavesdroppers.
  • EAP-TLS will not protect the client's username and password within an encrypted tunnel used as a security solution. This is a disadvantage when compared with PEAPv0/EAP-MSCHAPv2.
  • 802.1X/EAP-TTLS and PEAPv0/MSCHAPv2 authentication protocols are used for securing corporate WLAN data. Each group's security settings are configured in the WLAN controller for their respective VLANs. When authenticated users are assigned to groups, their access to data is controlled according to the security policies.
  • Security issues and user conflicts are commonly caused by having corporate and guest accounts on the same WLAN. Using a different controller for guest networks is a good solution.
  • Offline dictionary attacks can be used to gain wireless network access, but will not decrypt data traffic from other users.

• Additional Topics (as applicable)

  • Wireless security attacks
  • Wireless security solutions
  • Wireless security policies

    Description

    Test your knowledge on wireless security vulnerabilities and solutions. This quiz covers common attacks, network security criteria, and encryption protocols suitable for a secure wireless network. Ideal for those aiming to enhance their understanding of WLAN security measures.
