Phishing is a type of social engineering attack where an attacker impersonates a trusted entity to deceive people into providing sensitive information, such as passwords or credit card numbers. An example of phishing is when an attacker sends emails posing as a service team member or a legitimate organization with the intention of getting users to disclose their passwords or other confidential information. These emails often contain links to fake websites that look remarkably similar to legitimate ones, tricking users into entering their details.

References: Cybersecurity guidelines on identifying and preventing phishing attacks.
Question 82
Which is a correct description of a stage in the Lockheed Martin kill chain?
Correct Answer: B
The Lockheed Martin Cyber Kill Chain is a framework that outlines the stages of a cyber attack, from initial reconnaissance to achieving the attacker's objective. It is often referenced in HPE Aruba Networking security documentation to help organizations understand and mitigate threats. The stages are: Reconnaissance, Weaponization, Delivery, Exploitation, Installation, Command and Control (C2), and Actions on Objectives.

Option A, "In the weaponization stage, which occurs after malware has been delivered to a system, the malware executes its function," is incorrect. The weaponization stage occurs before delivery, not after. In this stage, the attacker creates a deliverable payload (e.g., combining malware with an exploit). The execution of the malware happens in the exploitation stage, not weaponization.

Option B, "In the exploitation and installation phases, malware creates a backdoor into the infected system for the hacker," is correct. The exploitation phase involves the attacker exploiting a vulnerability (e.g., a software flaw) to execute the malware on the target system. The installation phase follows, where the malware installs itself to establish persistence, often by creating a backdoor (e.g., a remote access tool) to allow the hacker to maintain access to the system. These two phases are often linked in the kill chain as the malware gains a foothold and ensures continued access.

Option C, "In the reconnaissance stage, the hacker assesses the impact of the attack and how much information was exfiltrated," is incorrect. The reconnaissance stage occurs at the beginning of the kill chain, where the attacker gathers information about the target (e.g., network topology, vulnerabilities). Assessing the impact and exfiltration occurs in the Actions on Objectives stage, the final stage of the kill chain.

Option D, "In the delivery stage, malware collects valuable data and delivers or exfiltrates it to the hacker," is incorrect. The delivery stage involves the attacker transmitting the weaponized payload to the target (e.g., via a phishing email). Data collection and exfiltration occur later, in the Actions on Objectives stage, not during delivery.

The HPE Aruba Networking Security Guide states: "The Lockheed Martin Cyber Kill Chain outlines the stages of a cyber attack. In the exploitation phase, the attacker exploits a vulnerability to execute the malware on the target system. In the installation phase, the malware creates a backdoor or other persistence mechanism, such as a remote access tool, to allow the hacker to maintain access to the infected system for future actions." (Page 18, Cyber Kill Chain Overview Section)

Additionally, the HPE Aruba Networking AOS-8 8.11 User Guide notes: "The exploitation and installation phases of the Lockheed Martin kill chain involve the malware gaining a foothold on the target system. During exploitation, the malware is executed by exploiting a vulnerability, and during installation, it creates a backdoor to ensure persistent access for the hacker, enabling further stages like command and control." (Page 420, Threat Mitigation Section)

References: HPE Aruba Networking Security Guide, Cyber Kill Chain Overview Section, Page 18. HPE Aruba Networking AOS-8 8.11 User Guide, Threat Mitigation Section, Page 420.
Question 83
You have been instructed to look in the ArubaOS Security Dashboard's client list. Your goal is to find clients that belong to the company and have connected to devices that might belong to hackers. Which client fits this description?
Correct Answer: D
The ArubaOS Security Dashboard, part of the AOS-8 architecture (Mobility Controllers or Mobility Master), provides visibility into wireless clients and access points (APs) through its Wireless Intrusion Prevention (WIP) system. The goal is to identify clients that belong to the company (i.e., authorized clients) and have connected to devices that might belong to hackers (i.e., rogue APs).

Client Classification:
Authorized: A client that has successfully authenticated to an authorized AP and is recognized as part of the company's network (e.g., an employee device).
Interfering: A client that is not authenticated to the company's network and is considered external or potentially malicious.

AP Classification:
Authorized: An AP that is part of the company's network and managed by the MC/MM.
Rogue: An AP that is not authorized and is suspected of being malicious (e.g., connected to the company's wired network without permission).
Neighbor: An AP that is not part of the company's network and is not connected to the company's wired network (e.g., a nearby AP from another organization).

The requirement is to find a client that is authorized (belongs to the company) and connected to a rogue AP (might belong to hackers).

Option A: MAC address: d8:50:e6:f3:70:ab; Client Classification: Interfering; AP Classification: Rogue. This client is classified as "Interfering," meaning it does not belong to the company. Although it is connected to a rogue AP, it does not meet the requirement of being a company client.

Option B: MAC address: d8:50:e6:f3:6e:c5; Client Classification: Interfering; AP Classification: Neighbor. This client is "Interfering" (not a company client) and connected to a "Neighbor" AP, which is not considered a hacker's device (it is just a nearby AP).

Option C: MAC address: d8:50:e6:f3:6e:60; Client Classification: Interfering; AP Classification: Authorized. This client is "Interfering" (not a company client) and connected to an "Authorized" AP, which is part of the company's network, not a hacker's device.

Option D: MAC address: d8:50:e6:f3:6d:a4; Client Classification: Authorized; AP Classification: Rogue. This client is "Authorized," meaning it belongs to the company, and it is connected to a "Rogue" AP, which might belong to hackers. This matches the requirement exactly.

The HPE Aruba Networking AOS-8 8.11 User Guide states: "The Security Dashboard in ArubaOS provides a client list that includes the client classification and the AP classification for each client. A client classified as 'Authorized' has successfully authenticated to an authorized AP and is part of the company's network. A 'Rogue' AP is an unauthorized AP that is suspected of being malicious, often because it is connected to the company's wired network (e.g., detected via Eth-Wired-Mac-Table match). To identify potential security risks, look for authorized clients connected to rogue APs, as this may indicate that a company device has connected to a hacker's AP." (Page 415, Security Dashboard Section)

Additionally, the HPE Aruba Networking Security Guide notes: "An 'Authorized' client is one that has authenticated to an AP managed by the controller, typically an employee or corporate device. A 'Rogue' AP is classified as such if it is not authorized and poses a potential threat, such as being connected to the corporate LAN. Identifying authorized clients connected to rogue APs is critical for detecting potential man-in-the-middle attacks." (Page 78, WIP Classifications Section)

References: HPE Aruba Networking AOS-8 8.11 User Guide, Security Dashboard Section, Page 415. HPE Aruba Networking Security Guide, WIP Classifications Section, Page 78.
Question 84
A client has accessed an HTTPS server at myhost1.example.com using Chrome. The server sends a certificate that includes these properties:
Subject name: myhost.example.com
SAN: DNS: myhost.example.com; DNS: myhost1.example.com
Extended Key Usage (EKU): Server authentication
Issuer: MyCA_Signing
The server also sends an intermediate CA certificate for MyCA_Signing, which is signed by MyCA. The client's Trusted CA Certificate list does not include the MyCA or MyCA_Signing certificates. Which factor or factors prevent the client from trusting the certificate?
Correct Answer: A
This question is identical to Question 17, with the same certificate properties and scenario. The client (Chrome browser) accesses an HTTPS server at myhost1.example.com, and the server presents a certificate with:
Subject name: myhost.example.com
SAN: DNS: myhost.example.com; DNS: myhost1.example.com
EKU: Server authentication
Issuer: MyCA_Signing (intermediate CA)
The intermediate CA certificate (MyCA_Signing) is signed by MyCA (root CA). The client's Trusted CA Certificate list does not include MyCA or MyCA_Signing.

The certificate validation process is the same as in Question 17:
Name Validation: The SAN includes "myhost1.example.com," which matches the server's hostname, so this passes.
EKU Validation: The EKU is "Server authentication," which is correct for HTTPS, so this passes.
Chain of Trust Validation: The client attempts to build a chain from the server's certificate to a trusted root CA: Server certificate → MyCA_Signing → MyCA. Since MyCA is not in the client's Trusted CA Certificate list, the chain cannot be validated, and the client does not trust the certificate.

Option A, "The client does not have the correct trusted CA certificates," is correct. The absence of MyCA in the client's trust store prevents the client from validating the certificate chain.

Option B, "The certificate lacks a valid SAN," is incorrect because the SAN includes "myhost1.example.com," which is valid.

Option C, "The certificate lacks the correct EKU," is incorrect because the EKU is correctly set to "Server authentication."

Option D, "The certificate lacks a valid SAN, and the client does not have the correct trusted CA certificates," is incorrect because the SAN is valid; the only issue is the missing trusted CA certificates.

The HPE Aruba Networking AOS-CX 10.12 Security Guide states: "For a client to trust a server's certificate during HTTPS communication, the client must validate the certificate chain to a trusted root CA in its trust store. If the root CA (e.g., MyCA) or intermediate CA (e.g., MyCA_Signing) is not in the client's Trusted CA Certificate list, the chain of trust cannot be established, and the client will reject the certificate. The Subject Alternative Name (SAN) must include the server's hostname, and the Extended Key Usage (EKU) must include 'Server authentication' for HTTPS." (Page 205, Certificate Validation Section)

Additionally, the HPE Aruba Networking Security Fundamentals Guide notes: "A common reason for certificate validation failure is the absence of the root CA certificate in the client's trust store. For example, if a server's certificate is issued by an intermediate CA (e.g., MyCA_Signing) that chains to a root CA (e.g., MyCA), the client must have the root CA certificate in its Trusted CA Certificate list to trust the chain." (Page 45, Certificate Trust Issues Section)

References: HPE Aruba Networking AOS-CX 10.12 Security Guide, Certificate Validation Section, Page 205. HPE Aruba Networking Security Fundamentals Guide, Certificate Trust Issues Section, Page 45.
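The three checks walked through above (SAN match, EKU, chain of trust), as an added illustration that is not part of the exam guide or any HPE Aruba product: a simplified Python model using constructed certificate records (the Cert class, field names and "serverAuth" label are assumptions, not real X.509 parsing) that reproduces why only the trust-store check fails for the scenario in Question 84.

```python
# Added example, not from the exam guide: a simplified model of SAN/hostname
# matching, EKU checking and chain building. Certs are constructed records.
from dataclasses import dataclass, field

@dataclass
class Cert:
    subject: str
    issuer: str
    san: list = field(default_factory=list)   # DNS names from the SAN extension
    eku: list = field(default_factory=list)   # e.g. "serverAuth"

def name_matches(hostname, cert):
    """The requested hostname must appear among the certificate's SAN DNS names."""
    return hostname.lower() in (n.lower() for n in cert.san)

def build_chain(leaf, intermediates, trusted):
    """Follow issuer links from the leaf until a cert in the trust store is reached."""
    by_subject = {c.subject: c for c in intermediates + trusted}
    trusted_subjects = {c.subject for c in trusted}
    chain, cur = [leaf], leaf
    while cur.subject not in trusted_subjects:
        nxt = by_subject.get(cur.issuer)
        if nxt is None or nxt in chain:   # unknown issuer, or a loop
            return None
        chain.append(nxt)
        cur = nxt
    return chain

def validate(hostname, leaf, intermediates, trusted):
    """Return the names of the failed checks; an empty list means the cert is trusted."""
    failures = []
    if not name_matches(hostname, leaf):
        failures.append("SAN")
    if "serverAuth" not in leaf.eku:
        failures.append("EKU")
    if build_chain(leaf, intermediates, trusted) is None:
        failures.append("trusted CA")
    return failures

# Constructed certificates mirroring the scenario in Question 84.
SERVER = Cert("myhost.example.com", "MyCA_Signing",
              san=["myhost.example.com", "myhost1.example.com"], eku=["serverAuth"])
INTERMEDIATE = Cert("MyCA_Signing", "MyCA")
ROOT = Cert("MyCA", "MyCA")

if __name__ == "__main__":
    # Empty trust store, as in the question: only the chain check fails.
    print(validate("myhost1.example.com", SERVER, [INTERMEDIATE], []))
    # Adding MyCA (or MyCA_Signing) to the trust store lets the chain build.
    print(validate("myhost1.example.com", SERVER, [INTERMEDIATE], [ROOT]))
```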
Question 85
What is an Authorized client as defined by ArubaOS Wireless Intrusion Prevention System (WIP)?
Correct Answer: C
In the context of ArubaOS Wireless Intrusion Prevention System (WIP), an authorized client is defined as a client that has successfully authenticated to an authorized Access Point (AP) and has passed encrypted traffic. This ensures that only clients which have been verified and authenticated according to the network's security policies are allowed to access network resources. Authentication typically involves credentials that are validated by a server, confirming the client's right to access the network securely.

References: ArubaOS Wireless Intrusion Prevention System configuration and management guidelines.