Quiz: Wireless Security

A 26-question self-check covering this chapter's protocols, attacks, and defenses. Several questions are tagged with the certification domain they map to — [Sec+] for CompTIA Security+ and [CISSP] for the (ISC)² CISSP — so candidates can self-assess. Answers and one-line explanations are at the end; try the whole quiz before checking.


Section 1 — Multiple choice (1 pt each)

1. [Sec+] Which WiFi security protocol allows an attacker to recover the key from captured traffic in minutes, regardless of passphrase length, due to initialization-vector reuse? A. WPA3 B. WPA2 C. WPA D. WEP

2. [Sec+] WPA2-Personal's primary weakness is that an attacker can capture the four-way handshake and then: A. read all traffic in real time B. guess the passphrase offline C. forge the AP's certificate D. disable AES

3. The WPA3-Personal feature that specifically resists offline dictionary attacks on the handshake is: A. TKIP B. SAE (Dragonfly) C. WPS D. RC4

4. [Sec+] An unauthorized access point that an employee plugs into the corporate LAN for better coverage is best called a: A. evil twin B. rogue access point C. captive portal D. supplicant

5. An attacker stands up an access point broadcasting the same SSID as the corporate network to lure devices into connecting to it. This is a(n): A. rogue AP only B. evil twin C. deauthentication attack D. KRACK attack

6. [CISSP] In the 802.1X model, the access point that blocks all traffic until authentication succeeds plays the role of the: A. supplicant B. authenticator C. authentication server D. certificate authority

7. [Sec+] Which EAP method uses mutual X.509 certificate authentication and therefore has no password to phish or crack? A. PEAP B. EAP-TTLS C. EAP-TLS D. EAP-MD5

8. The deauthentication attack works because, for most of WiFi's history, management frames were: A. encrypted with WEP B. unauthenticated C. sent only by the server D. rate-limited

9. [Sec+] The standard that authenticates management frames and defeats the classic deauthentication attack is: A. 802.1X B. 802.11w (Protected Management Frames) C. 802.11n D. WPS

10. Which control most directly ensures that even a fully compromised guest WiFi reaches nothing of value at a Meridian branch? A. a longer guest passphrase B. hiding the guest SSID C. segmentation with default-deny between zones D. a captive portal

11. [Sec+] Bluetooth risk is usually rated lower than WiFi risk primarily because of its: A. encryption strength B. short range C. lack of pairing D. use of certificates

12. A skimmed contactless (NFC) payment yields little of value to an attacker because the transaction uses: A. a reusable card number B. a static PIN C. a one-time cryptogram D. the SSID

13. [CISSP] WPA3's "Enhanced Open" (Opportunistic Wireless Encryption) provides: A. certificate-based login B. encryption on password-free networks C. faster roaming D. rogue-AP detection

14. Which is the correct standing decision rule for choosing a WiFi protocol today? A. WPA2 always; WPA3 is unproven B. WEP is fine with a long key C. WPA3 if you can, WPA2-AES if you must, never WPA/WEP D. any protocol with a strong passphrase


Section 2 — True / False with justification (1 pt each)

For each, mark T or F and give a one-sentence reason.

15. "Increasing a WEP passphrase from 8 to 40 characters makes the network meaningfully harder to crack."

16. [Sec+] "Because the SSID is broadcast in cleartext, disabling its broadcast hides the network from an attacker with a wireless sniffer."

17. "Deploying PEAP automatically protects credentials, so server-certificate validation is optional."

18. "A deauthentication attack is dangerous mainly because it can force handshake re-capture and push devices onto an evil twin, not just because it disconnects them."

19. "WPA3 eliminates the need for network segmentation of wireless."

20. "A rogue access point is only a security problem if the person who installed it intended harm."


Section 3 — Fill in the blank (1 pt each)

21. A single passphrase shared by all devices on a WPA2-Personal network is called the ______ ______.

22. [Sec+] In WPA-Enterprise, the access point relays the authentication exchange to a central ______ server (commonly speaking the RADIUS protocol) that makes the accept/reject decision.

23. An ______ ______ is a rogue access point that impersonates a legitimate SSID to lure devices into connecting to the attacker.


Section 4 — Short answer (2 pts each)

24. [CISSP] Explain why a shared wireless passphrase is a poor foundation for an organization the size of Meridian, naming at least two specific operational problems that WPA-Enterprise solves.

25. A WIDS reports an access point advertising Meridian-Staff from a BSSID not on the authorized allowlist. State what attack this most likely indicates, what immediate risk it poses (reference the PEAP credential-harvesting path), and your first containment step.


Section 5 — Applied scenario (5 pts)

26. [Sec+] A Meridian branch is found running this configuration: Meridian-Staff on WPA2-Personal with passphrase meridian1, on the same VLAN as Meridian-Guest; PMF disabled; no WIDS. (a) Identify the three most serious findings and assign a severity to each. (b) For each finding, name the attack it enables. (c) Write the corrected design in one or two sentences (protocol, authentication, segmentation, PMF).


Answer Key

1. **D** — WEP; 24-bit IV reuse leaks the key from traffic.

2. **B** — capture the handshake, guess the passphrase offline.

3. **B** — SAE (Dragonfly) resists offline guessing.

4. **B** — rogue access point (unauthorized AP on your network).

5. **B** — evil twin (SSID impersonation to lure devices).

6. **B** — the authenticator is the gatekeeping access point/switch.

7. **C** — EAP-TLS uses mutual certificates.

8. **B** — management frames were unauthenticated, so they can be forged.

9. **B** — 802.11w / Protected Management Frames.

10. **C** — segmentation with default-deny is the keystone control.

11. **B** — short range limits most attacks.

12. **C** — contactless EMV uses one-time cryptograms, not reusable numbers.

13. **B** — Enhanced Open encrypts open networks.

14. **C** — WPA3 if you can, WPA2-AES if you must, never WPA/WEP.

15. **F** — WEP's attack exploits IV reuse in the protocol, not the passphrase, so length is irrelevant.

16. **F** — the SSID still appears in cleartext management frames and probe responses; a sniffer sees it regardless, so hiding it stops only casual users.

17. **F** — PEAP without enforced server-certificate validation lets an evil twin harvest the password; validation is mandatory, not optional.

18. **T** — forced reconnection enables handshake capture and evil-twin luring, the more dangerous uses.

19. **F** — WPA3 strengthens the medium but a connected attacker still must be contained; segmentation remains essential.

20. **F** — even a benign rogue AP is an unauthenticated bridge from outside onto the internal network and is a serious finding regardless of intent.

21. pre-shared key.

22. authentication (RADIUS).

23. evil twin.

24. A shared passphrase cannot be revoked for one person (a departing employee keeps working credentials until everyone is re-keyed, which rarely happens), provides no record of who connected, and tends to be written down/leaked. WPA-Enterprise (802.1X/EAP) gives each user an individually revocable, auditable identity and can assign the correct VLAN at connection time.

25. It most likely indicates an evil twin impersonating the staff network; the immediate risk is that staff devices with PEAP and weak/absent server-certificate validation will tunnel their (Active Directory) passwords to the attacker's rogue RADIUS server, yielding corporate credentials usable beyond WiFi. First containment: locate and remove the rogue radio (walk it down with a signal-strength tool) and/or have the WIPS/WIDS contain it, then force affected credential resets.

26. (a) WEP/PSK weakness is not present (it is WPA2-Personal), but: weak offline-crackable passphrase `meridian1` (HIGH); guest sharing the staff VLAN (CRITICAL); PMF disabled + no WIDS (MEDIUM/HIGH — deauth/evil-twin exposure with no detection). (b) Weak PSK → offline handshake cracking; shared VLAN → lateral path from lobby/guest to teller machines; no PMF → deauth attacks and evil-twin luring; no WIDS → rogue APs/evil twins go unseen. (c) Move staff to WPA3-Enterprise (802.1X, EAP-TLS, or PEAP with enforced server-cert validation), put guest on its own internet-only isolated VLAN with default-deny to internal, enforce 802.11w/PMF, and deploy a WIDS.

**Topics to review by question:** missed 1–3, 15 → §8.2; 4–5, 8–9, 18, 20 → §8.4; 6–7, 17, 24 → §8.3; 10, 19, 26 → §8.6; 11–13, 16 → §8.1/8.5; 14 → §8.2 (decision rule); 25 → §8.3 + §8.4.