Exam SY0-601
Question 823

A security analyst finds a rogue device during a monthly audit of current endpoint assets that are connected to the network. The corporate network utilizes 802.1X for access control. To be allowed on the network, a device must have a known hardware address, and a valid username and password must be entered in a captive portal. The following is the audit report:

Which of the following is the most likely way a rogue device was allowed to connect?

    Correct Answer: A

    In the given scenario, there are two devices listed with the same MAC address (EB-AC-11-82-42-F3), but different host names: 'PC-CA' and 'WIN10'. Such duplication of the same MAC address usually indicates a MAC cloning or spoofing attack. In a network using 802.1X for access control, this allows a rogue device to bypass security mechanisms by mimicking an authorized device's hardware address. Therefore, the most likely way a rogue device was allowed to connect is by a user performing a MAC cloning attack with a personal device.
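
The duplicate-MAC check described in the explanation above, as an added example that is not part of the original page. The host names PC-CA and WIN10 and their shared MAC come from the explanation; the other rows and the `PC-XX` naming convention are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed audit rows (hostname, MAC). PC-CA, WIN10 and the shared MAC are
# taken from the explanation; PC-CB and PC-CD are made-up filler rows.
AUDIT_ROWS = [
    ("PC-CA", "EB-AC-11-82-42-F3"),
    ("PC-CB", "eb:ac:11:82:42:f4"),
    ("WIN10", "EB-AC-11-82-42-F3"),
    ("PC-CD", "EBAC.1182.42F6"),
]

# Assumed corporate naming convention: "PC-" followed by two capital letters.
NAMING_CONVENTION = re.compile(r"PC-[A-Z]{2}")


def normalize_mac(mac):
    """Reduce any common MAC notation to 12 lowercase hex digits."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return digits


def find_cloned_macs(rows, convention=NAMING_CONVENTION):
    """Return a finding for every MAC claimed by more than one hostname.

    Each finding lists all hosts on that MAC and, as suspects, the hosts
    whose names do not match the naming convention.
    """
    hosts_by_mac = defaultdict(set)
    for host, mac in rows:
        hosts_by_mac[normalize_mac(mac)].add(host)
    findings = {}
    for mac, hosts in hosts_by_mac.items():
        if len(hosts) > 1:
            ordered = sorted(hosts)
            findings[mac] = {
                "hosts": ordered,
                "suspects": [h for h in ordered if not convention.fullmatch(h)],
            }
    return findings


if __name__ == "__main__":
    for mac, info in find_cloned_macs(AUDIT_ROWS).items():
        print(mac, "shared by", info["hosts"], "-> check", info["suspects"])
```

Normalizing the address first matters because inventory exports mix hyphen, colon and dotted notations, and a plain string comparison would miss a duplicate written in a different format.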

Discussion
7308365 | Option: A

A. MAC cloning. Host naming conventions and PC-CA and WIN10 having the exact same MAC give it away.

licks0re | Option: A

The WIN10 machine is the personal device.

Dapsie

Yeah. It is not using the organisational naming convention.

shady23 | Option: A

A. A user performed a MAC cloning attack with a personal device.

MortG7 | Option: A

A. PC-CA & WIN10 have the same MAC... cloning or spoofing.

johnabayot | Option: A

MAC cloning

Securityguy42 | Option: A

"A" is the only answer that makes sense in this pic.

Hs1208 | Option: A

A user performed a MAC cloning attack with a personal device.