Communication and Network Security for CISSP

This page covers the Communication and Network Security domain of the CISSP certification. Master Cybersecurity offers 58 practice questions in this domain, drawn from the same content we use across our timed exam simulations. Below are five sample questions with full answer explanations.

Sample Practice Questions

  1. Question 1

    Wi-Fi Protected Access 2 (WPA2) provides users with a higher level of assurance that their data will remain protected by using which protocol?
    1. A. Extensible Authentication Protocol (EAP)
    2. B. Internet Protocol Security (IPsec)
    3. C. Secure Sockets Layer (SSL)
    4. D. Secure Shell (SSH)
    Explanation

    The correct answer is: A. Extensible Authentication Protocol (EAP).

    WPA2 Enterprise raises assurance above the pre-shared key (WPA2-Personal) model by authenticating each station through the Extensible Authentication Protocol: the IEEE 802.1X port-based framework carries EAP between the supplicant and the authenticator (the access point), which relays it to a RADIUS server that runs an EAP method such as EAP-TLS, PEAP, or EAP-TTLS. EAP-TLS in particular provides mutual certificate-based authentication, so there is no shared secret to leak and every user or device holds a credential that can be revoked individually; the master key derived from a successful EAP exchange becomes the pairwise master key from which the per-session CCMP keys are derived in the four-way handshake. IPsec operates at the network layer and plays no part in WPA2 authentication. SSL has been deprecated and superseded by TLS, and although TLS forms the protected tunnel inside several EAP methods, the framework WPA2 relies on is EAP itself. SSH secures remote shells and has no role in 802.11 authentication.
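    The EAP framing described above, as an added example that is not part of the original page: a small RFC 3748 encoder/decoder and the first three packets of an EAP-TLS run (Request/Identity, Response/Identity, EAP-TLS Start). The identity string, identifiers, and the exchange itself are constructed for illustration, not captured traffic.

```python
import struct

# EAP codes and types from RFC 3748; EAP-TLS type and flag bits from RFC 5216
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
TYPE_IDENTITY, TYPE_EAP_TLS = 1, 13
TLS_FLAG_LENGTH, TLS_FLAG_MORE, TLS_FLAG_START = 0x80, 0x40, 0x20


def build_eap(code, identifier, eap_type=None, data=b""):
    """Encode one EAP packet: Code(1) Identifier(1) Length(2) [Type(1) Type-Data]."""
    if code in (EAP_REQUEST, EAP_RESPONSE) and eap_type is None:
        raise ValueError("Request/Response packets carry a Type byte")
    body = b"" if eap_type is None else bytes([eap_type]) + data
    return struct.pack("!BBH", code, identifier, 4 + len(body)) + body


def parse_eap(buf):
    """Decode an EAP packet, rejecting malformed Length fields."""
    if len(buf) < 4:
        raise ValueError("truncated EAP header")
    code, identifier, length = struct.unpack("!BBH", buf[:4])
    if length < 4 or length > len(buf):
        raise ValueError(f"bad EAP length {length} for {len(buf)} bytes")
    pkt = {"code": code, "id": identifier, "length": length}
    if code in (EAP_REQUEST, EAP_RESPONSE):
        if length < 5:
            raise ValueError("Request/Response without Type byte")
        pkt["type"] = buf[4]
        pkt["data"] = buf[5:length]
        if pkt["type"] == TYPE_EAP_TLS and pkt["data"]:
            flags = pkt["data"][0]           # EAP-TLS flags byte precedes TLS data
            pkt["tls_start"] = bool(flags & TLS_FLAG_START)
    elif length != 4:
        raise ValueError("Success/Failure packets are exactly 4 bytes")
    return pkt


def eap_tls_opening_exchange(identity=b"alice@example.com"):
    """First three EAP packets of an EAP-TLS run carried over 802.1X.

    Constructed exchange (not a capture): the authenticator asks for an
    identity, the supplicant answers, and the RADIUS server (relayed by the
    authenticator) sends EAP-TLS Start to begin the certificate handshake."""
    wire = [
        build_eap(EAP_REQUEST, 1, TYPE_IDENTITY),                          # AP -> supplicant
        build_eap(EAP_RESPONSE, 1, TYPE_IDENTITY, identity),               # supplicant -> AP
        build_eap(EAP_REQUEST, 2, TYPE_EAP_TLS, bytes([TLS_FLAG_START])),  # server -> supplicant
    ]
    return [parse_eap(p) for p in wire]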

  2. Question 2

    Which Wide Area Network (WAN) technology requires the first router in the path to determine the full path the packet will travel, removing the need for other routers in the path to make independent determinations?
    1. A. Synchronous Optical Networking (SONET)
    2. B. Multiprotocol Label Switching (MPLS)
    3. C. Fiber Channel Over Ethernet (FCoE)
    4. D. Session Initiation Protocol (SIP)
    Explanation

    The correct answer is: B. Multiprotocol Label Switching (MPLS).

    MPLS forwards on labels rather than on destination addresses. The ingress label edge router (LER) classifies each incoming packet into a forwarding equivalence class, pushes the corresponding label, and thereby commits the packet to one label-switched path (LSP) that fixes its entire route across the MPLS cloud; the downstream label switch routers (LSRs) simply swap labels from their forwarding tables and never re-evaluate the destination prefix, and the egress LER pops the label. The LSPs themselves are established in advance by a label distribution protocol such as LDP or RSVP-TE, so the per-packet decision that matters is the ingress choice of LSP, which is exactly the "first router determines the full path" behaviour the question describes. SONET is a Layer 1 optical transport standard for synchronous framing and performs no path computation on packets. Fibre Channel over Ethernet is a storage networking encapsulation, not a WAN path-selection technology. Session Initiation Protocol is an application-layer signalling protocol for multimedia sessions, not a WAN routing technology. MPLS is the precise fit.
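    The ingress-decides, core-swaps behaviour described above, as an added example that is not from the original page: a toy MPLS cloud in which only PE1 performs a longest-prefix match on the IP destination; P1, P2 and PE2 act purely on labels. The topology, prefixes and label values are constructed for illustration.

```python
import ipaddress

# Constructed topology: PE1 is the ingress LER, P1/P2 are core LSRs, PE2 is the
# egress LER. Prefixes, labels and router names are made up for this example.
FEC_TABLE = [          # destination prefix -> (label to push, next hop); ingress only
    ("10.2.0.0/16", 100, "P1"),
    ("10.2.5.0/24", 200, "P2"),
    ("0.0.0.0/0", 300, "P1"),
]
LFIB = {               # per LSR: incoming label -> (action, outgoing label, next hop)
    "P1":  {100: ("swap", 101, "PE2"), 300: ("swap", 301, "PE2")},
    "P2":  {200: ("swap", 201, "PE2")},
    "PE2": {101: ("pop", None, "CE-A"), 201: ("pop", None, "CE-B"), 301: ("pop", None, "CE-A")},
}


def ingress_lookup(dst_ip, fec_table=FEC_TABLE):
    """Only the ingress LER does this: longest-prefix match on the IP
    destination selects a FEC, which fixes the label and therefore the LSP."""
    addr = ipaddress.ip_address(dst_ip)
    best = None
    for prefix, label, next_hop in fec_table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, label, next_hop)
    if best is None:
        raise LookupError(f"no FEC for {dst_ip}")
    return best[1], best[2]


def trace_packet(dst_ip):
    """Walk one packet across the cloud and record what each router did.

    Returns a list of (router, action, outgoing label, next hop). After PE1
    no router looks at dst_ip again: the core forwards on the label alone."""
    label, next_hop = ingress_lookup(dst_ip)
    hops = [("PE1", "push", label, next_hop)]
    while label is not None:
        table = LFIB.get(next_hop)
        if table is None or label not in table:
            raise LookupError(f"{next_hop} has no LFIB entry for label {label}")
        action, out_label, nh = table[label]
        hops.append((next_hop, action, out_label, nh))
        label, next_hop = out_label, nh
    return hops
```

    Running trace_packet("10.2.5.7") shows PE1 choosing the more specific /24 FEC and label 200, P2 swapping it to 201, and PE2 popping the label toward CE-B; a destination outside any configured prefix falls to the default FEC and label 300.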

  3. Question 3

    Which of the following attacks, if successful, could give an intruder complete control of a software-defined networking (SDN) architecture?
    1. A. A brute force password attack on the Secure Shell (SSH) port of the controller
    2. B. Sending control messages to open a flow that does not pass a firewall from a compromised host within the network
    3. C. Remote Authentication Dial-In User Service (RADIUS) token replay attack
    4. D. Sniffing the traffic of a compromised host inside the network
    Explanation

    The correct answer is: A. A brute force password attack on the Secure Shell (SSH) port of the controller.

    The SDN controller holds the complete network view and pushes flow rules to every forwarding element, so compromising its administrative interface is equivalent to owning the data plane. A successful brute-force attack against the controller's SSH management port gives the attacker an interactive login on the controller itself, from which flows can be rewritten, security policies disabled, and traffic redirected anywhere in the fabric. Injecting a flow-modification message from a compromised host only works if a switch accepts control-plane messages from an unauthenticated source, and even then it yields a single unauthorised flow, not authority over the controller. A RADIUS token replay targets the user-authentication infrastructure, not the controller. Sniffing traffic on a compromised host gives visibility into local flows but cannot reprogram the network. Controller takeover via SSH brute force is therefore the catastrophic compromise, and it is why controller management interfaces belong on an isolated management network with key-only SSH, rate limiting, and monitoring of failed logins.
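    Detection logic for the attack in this question, as an added example that is not from the original page: a sliding-window counter over sshd auth.log lines that alerts when one source reaches a failure threshold, and again if that source then logs in successfully (the signature of a guessed password). The log excerpt, hostname "sdn-ctrl", usernames and IP addresses are constructed; the year is assumed because syslog timestamps do not carry one.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed auth.log excerpt from a hypothetical SDN controller host.
# Source addresses are documentation ranges, not real attackers.
SAMPLE_LOG = """\
Jan 12 03:14:01 sdn-ctrl sshd[812]: Accepted publickey for netops from 10.0.0.5 port 50122 ssh2
Jan 12 03:14:10 sdn-ctrl sshd[901]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Jan 12 03:14:11 sdn-ctrl sshd[901]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Jan 12 03:14:12 sdn-ctrl sshd[902]: Failed password for root from 203.0.113.7 port 51240 ssh2
Jan 12 03:14:13 sdn-ctrl sshd[902]: Failed password for root from 203.0.113.7 port 51240 ssh2
Jan 12 03:14:13 sdn-ctrl sshd[902]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.7 user=root
Jan 12 03:14:14 sdn-ctrl sshd[903]: Failed password for sdnadmin from 203.0.113.7 port 51251 ssh2
Jan 12 03:14:15 sdn-ctrl sshd[903]: Failed password for sdnadmin from 203.0.113.7 port 51251 ssh2
Jan 12 03:14:30 sdn-ctrl sshd[910]: Failed password for netops from 198.51.100.4 port 40011 ssh2
Jan 12 03:14:41 sdn-ctrl sshd[915]: Accepted password for sdnadmin from 203.0.113.7 port 51260 ssh2
"""

LINE_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: (?P<msg>.*)$")
FAIL_RE = re.compile(r"^Failed (?:password|publickey) for (?:invalid user )?(?P<user>\S+) from (?P<ip>[0-9a-fA-F.:]+) port \d+")
OK_RE = re.compile(r"^Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<ip>[0-9a-fA-F.:]+) port \d+")


def parse_ts(stamp, year=2024):
    # syslog timestamps carry no year; one is assumed (year rollover not handled here)
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")


def detect_ssh_brute_force(log_text, threshold=5, window_s=60):
    """Return alerts as (kind, source_ip, user, timestamp).

    'brute_force' fires once when a source reaches `threshold` failures within
    `window_s` seconds; 'success_after_burst' fires when that same source then
    authenticates successfully, which is what a guessed password looks like."""
    failures = defaultdict(deque)       # source ip -> timestamps of recent failures
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, msg = parse_ts(m["ts"]), m["msg"]
        fail = FAIL_RE.match(msg)
        if fail:
            window = failures[fail["ip"]]
            window.append(ts)
            while window and (ts - window[0]).total_seconds() > window_s:
                window.popleft()        # age out failures older than the window
            if len(window) == threshold:
                alerts.append(("brute_force", fail["ip"], fail["user"], ts))
            continue
        ok = OK_RE.match(msg)
        if ok and len(failures.get(ok["ip"], ())) >= threshold:
            alerts.append(("success_after_burst", ok["ip"], ok["user"], ts))
    return alerts
```

    On the sample, the fifth failure from 203.0.113.7 at 03:14:14 raises brute_force, and the later accepted password from the same source raises success_after_burst; the single failure from 198.51.100.4 and the pam_unix line are ignored. The second alert is the one to page on, since it means the controller login has probably already been taken.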

  4. Question 4

    Which of the following is the BEST option to reduce the network attack surface of a system?
    1. A. Disabling unnecessary ports and services
    2. B. Ensuring that there are no group accounts on the system
    3. C. Uninstalling default software on the system
    4. D. Removing unnecessary system user accounts
    Explanation

    The correct answer is: A. Disabling unnecessary ports and services.

    The network attack surface is the set of services and ports an attacker can reach over the wire, so disabling unnecessary listening services and closing their ports is the most direct way to shrink it. Every reachable listener is a potential entry point exposed to scanners and exploit kits, and removing it eliminates whole classes of remote attack paths, including paths through vulnerabilities that have not been discovered yet. Eliminating group accounts improves accountability but is an identity hygiene concern, not a reduction in network exposure. Uninstalling default software helps overall hardening and may incidentally close ports, but the targeted control for network exposure is the port and service inventory itself. Removing unused system users tightens local authentication but does not change which services accept inbound connections. Service and port minimisation is the most precise reduction of the network attack surface.
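    The inventory step behind this answer, as an added example that is not from the original page: parse the kind of output `ss -tulnp` produces, separate loopback-only sockets (local, not network, attack surface) from network-reachable ones, and report every reachable listener that is not on the host's documented allowlist. The socket listing, process names, PIDs and the allowlist are constructed for a hypothetical web server.

```python
import re

# Constructed `ss -tulnp` output for a hypothetical host whose role only
# justifies SSH and HTTP. PIDs and process names are made up.
SAMPLE_SS = """\
Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
tcp   LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=812,fd=3))
tcp   LISTEN 0      4096   127.0.0.1:5432      0.0.0.0:*         users:(("postgres",pid=990,fd=6))
tcp   LISTEN 0      511    0.0.0.0:80          0.0.0.0:*         users:(("nginx",pid=1204,fd=6))
tcp   LISTEN 0      128    0.0.0.0:23          0.0.0.0:*         users:(("inetd",pid=640,fd=5))
udp   UNCONN 0      0      0.0.0.0:111         0.0.0.0:*         users:(("rpcbind",pid=520,fd=7))
tcp   LISTEN 0      128    [::]:22             [::]:*            users:(("sshd",pid=812,fd=4))
udp   UNCONN 0      0      127.0.0.1:323       0.0.0.0:*         users:(("chronyd",pid=700,fd=5))
"""

ALLOWED = {("tcp", 22), ("tcp", 80)}   # the documented network services for this role
LOOPBACK = {"127.0.0.1", "::1"}
PROC_RE = re.compile(r'\("([^"]+)"')    # pulls the process name out of users:(("name",pid=...))


def parse_ss(text):
    """Yield (proto, bind_addr, port, process) for each socket line."""
    for line in text.splitlines()[1:]:           # skip the header row
        fields = line.split()
        if len(fields) < 6:
            continue
        proto, local = fields[0], fields[4]
        addr, port = local.rsplit(":", 1)        # split on the last colon (IPv6 safe)
        addr = addr.strip("[]")                  # "[::]" -> "::"
        m = PROC_RE.search(fields[6]) if len(fields) > 6 else None
        yield proto, addr, int(port), (m.group(1) if m else "?")


def audit_listeners(text, allowed=ALLOWED):
    """Return network-reachable listeners that are not on the allowlist.

    Loopback-only sockets are skipped: they are local attack surface, but not
    the network attack surface the question asks about."""
    findings = []
    for proto, addr, port, proc in parse_ss(text):
        if addr in LOOPBACK or addr.startswith("127."):
            continue
        if (proto, port) not in allowed:
            findings.append((proto, port, addr, proc))
    return sorted(set(findings))
```

    On the sample the audit flags telnet (tcp/23, inetd) and the portmapper (udp/111, rpcbind) as unexpected network listeners, while PostgreSQL and chronyd bound to 127.0.0.1 are left alone. Each finding is a service to stop and disable, after which the same audit should come back empty.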

  5. Question 5

    An organization has implemented a protection strategy to secure the network from unauthorized external access. The new Chief Information Security Officer (CISO) wants to increase security by better protecting the network from unauthorized internal access. Which Network Access Control (NAC) capability BEST meets this objective?
    1. A. Port security
    2. B. Two-factor authentication (2FA)
    3. C. Strong passwords
    4. D. Application firewall
    Explanation

    The correct answer is: A. Port security.

    Port security is the switch-level NAC capability that controls which devices may attach to a physical access port: it limits the number of MAC addresses allowed on the port (statically configured or sticky-learned) and reacts to an unexpected address with a configurable violation action such as dropping the frame, logging it, or placing the port in an err-disabled state. That directly addresses the risk of an insider connecting a rogue laptop or device to a live drop. Two-factor authentication strengthens user identity but does nothing to stop a rogue device from obtaining a link-layer connection. Strong passwords are likewise an identity control unrelated to device admission at the switch port. An application firewall inspects Layer 7 traffic, well above the layer at which the unauthorised device is already on the network. For internal admission control, port security is the NAC capability the question is looking for. In practice it is only as strong as the MAC address it trusts: an attacker who clones an authorised MAC passes it, so mature deployments pair it with 802.1X device authentication and monitor violation events.
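    The admission logic and its limits, as an added example that is not from the original page: a simplified model of a port-security access port with a MAC limit, sticky learning and the three usual violation modes, run through a rogue-device scenario and a MAC-cloning scenario. The port name, MAC addresses and behaviour are constructed to match the common vendor feature set, not any vendor's implementation.

```python
class SecurePort:
    """A switch access port with port security: max-MAC limit, sticky learning,
    and a violation mode. Simplified model, not any vendor's code."""

    MODES = ("protect", "restrict", "shutdown")

    def __init__(self, name, max_macs=1, violation="shutdown"):
        if violation not in self.MODES:
            raise ValueError(f"unknown violation mode {violation}")
        self.name, self.max_macs, self.violation = name, max_macs, violation
        self.secure_macs = set()      # sticky-learned or statically configured addresses
        self.err_disabled = False
        self.violation_count = 0
        self.log = []                 # what the switch would send to syslog/SNMP

    def frame_in(self, src_mac):
        """Admit or reject a frame arriving on this port; returns the verdict."""
        src_mac = src_mac.lower()
        if self.err_disabled:
            return "dropped: port err-disabled"
        if src_mac in self.secure_macs:
            return "forwarded"
        if len(self.secure_macs) < self.max_macs:
            self.secure_macs.add(src_mac)         # sticky learning of the first MAC(s)
            return "forwarded: learned"
        # Any further source address is a security violation
        self.violation_count += 1
        if self.violation == "shutdown":
            self.err_disabled = True              # port stays down until an admin recovers it
            self.log.append(f"{self.name}: violation by {src_mac}, port err-disabled")
            return "dropped: err-disabled"
        if self.violation == "restrict":
            self.log.append(f"{self.name}: violation by {src_mac}, frame dropped")
            return "dropped: logged"
        return "dropped"                          # protect: silent drop, nothing recorded


def rogue_device_scenario():
    """Desk drop with one sticky MAC; an insider unplugs the PC and plugs in a laptop."""
    port = SecurePort("Gi1/0/7", max_macs=1, violation="shutdown")
    return [
        port.frame_in("AA:BB:CC:00:00:01"),   # the desk PC, learned on its first frame
        port.frame_in("02:00:5E:00:00:99"),   # rogue laptop (constructed locally administered MAC)
        port.frame_in("AA:BB:CC:00:00:01"),   # the legitimate PC is now locked out as well
    ]


def mac_spoof_scenario():
    """Same port, but the attacker first copies the PC's MAC off its asset label."""
    port = SecurePort("Gi1/0/7", max_macs=1, violation="restrict")
    port.frame_in("AA:BB:CC:00:00:01")
    return port.frame_in("aa:bb:cc:00:00:01")  # cloned MAC is indistinguishable to port security
```

    The first scenario shows the control working and its side effect: in shutdown mode the violation takes the port down for the legitimate PC too, which is why the violation action and err-disable recovery need to be chosen deliberately. The second shows the caveat from the explanation: a cloned MAC is simply forwarded, so port security alone does not authenticate the device, only its claimed address.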
