CWSP-208 Certified Wireless Security Professional (CWSP) Questions and Answers

An 802.11a/g-based WIPS cannot detect rogue activity that occurs in 802.11n/ac-specific modes, including Greenfield (HT-only) operation and use of 40 MHz channels, which are not part of the 802.11a/g specification. Greenfield mode disables legacy support, so a WIPS limited to 802.11a/g radios won’t even “see” these frames. This leaves a significant blind spot for detecting certain types of rogue devices or attacks using newer PHYs.

The AKM (Authentication and Key Management) Suite List field within the RSN Information Element defines which authentication methods are supported by the AP. This field distinguishes between PSK (Pre-Shared Key) and Enterprise (802.1X) modes:

AKM Suite OUI 00-0F-AC:1 = WPA2-Personal (PSK)

AKM Suite OUI 00-0F-AC:2 = WPA2-Enterprise (802.1X)

By examining this field in Beacon or Probe Response frames, a protocol analyzer can determine the authentication method enforced by the BSS.

The correct sequence of the 4-Way Handshake frames in WPA/WPA2 is:

Message 1: Authenticator sends ANonce to the supplicant → (3)

Message 2: Supplicant sends SNonce and a MIC to the authenticator → (4)

Message 3: Authenticator sends GTK and confirms keys with MIC → (1)

Message 4: Supplicant confirms installation of PTK/GTK → (2)

This process ensures mutual key confirmation and integrity before data traffic begins.

In integrated WIPS systems, radios are shared between client servicing and security scanning. To maintain quality of service for latency-sensitive applications such as VoWiFi (Voice over Wi-Fi), scanning operations may be temporarily suspended or deprioritized, potentially reducing security monitoring during those periods.

WIPS platforms with multiple sensors can locate rogue devices using:

A. TDoA: Measures the time difference a signal takes to reach multiple sensors; requires synchronized clocks.

C. Trilateration using RSSI: Estimates distance based on signal strength from three or more known sensor positions.

E. RF Fingerprinting: Matches received signals to known RF patterns in the environment for device positioning.

AoA requires directional antennas (not typical with dipoles), and GPS is used for locating mobile sensors or vehicles, not indoor rogues.

Wireless Intrusion Prevention Systems (WIPS) are excellent for detecting on-air threats such as rogue APs, DoS attacks, spoofing, and misconfigured devices. However, WIPS cannot detect:

C. Eavesdropping — Passive listening on wireless transmissions cannot be detected because no signal is transmitted by the attacker.

D. Social engineering — Human-based attacks like phishing or pretexting fall outside the scope of wireless monitoring.

Incorrect:

A. Rogue APs can be detected via MAC address comparison, frame analysis, and signal triangulation.

B. DoS attacks, such as deauth floods or RF jamming, can be detected with appropriate WIPS sensors.

Open networks with captive portals do not provide link-layer encryption, so:

A. Man-in-the-Middle (MitM): Attackers can intercept or modify traffic between the user and the legitimate network (especially before HTTPS negotiation).

B. Wi-Fi phishing: Evil twin APs may mimic the legitimate hotspot and show a fake captive portal, stealing user credentials or prompting malicious downloads.

Incorrect:

C. Management interface exploits target device admin panels, not typical client users.

D. UDP port redirection and

E. IGMP snooping are network-layer behaviors, not common user-targeted attacks.

Most integrated Wi-Fi adapters in Windows laptops are not capable of entering “monitor mode” or capturing 802.11ac frames properly. Compatibility with protocol analyzers like Wireshark or Omnipeek requires special drivers or specific USB adapters. Therefore, it is recommended to use a USB adapter known to support monitor mode and frame capture on 802.11ac for accurate and complete data capture.

Incorrect:

A. Not all adapters support protocol analyzer features.

C. MU-MIMO support is irrelevant for frame capture.

D. Other analyzers besides Wireshark can decode 802.11ac (e.g., Omnipeek).

E. Remote capture is not the only method—local USB adapters are effective too.

In this scenario, although the bank’s website uses HTTPS (which encrypts communications between John’s browser and the bank’s server), the compromise did not occur during the banking session itself. Instead, the attacker exploited a common security mistake: credential reuse.

John reused his email credentials for his bank login, and he accessed his email using a POP3 client without encryption at a public hotspot. This means his username and password were sent in cleartext, which is trivially easy to sniff on an open wireless network. Once an attacker obtained those credentials, they could use them to log into his bank account if the same credentials were used there.

Here's how this aligns with CWSP knowledge domains:

CWSP Security Threats & Attacks: This is a classic example of credential harvesting via cleartext protocols (POP3), and password reuse, both of which are significant risks in WLAN environments.

CWSP Secure Network Design: Recommends use of encrypted protocols (e.g., POP3S or IMAPS) and user education against password reuse.

CWSP WLAN Security Fundamentals: Emphasizes that open Wi-Fi networks offer no encryption by default, leaving unprotected protocols vulnerable to sniffing and interception.

Other answer options and why they are incorrect:

A & D are invalid because an expired or unsigned certificate may cause browser warnings but won’t result in sending credentials unencrypted unless the user bypasses HTTPS (which wasn’t stated).

C is incorrect: IPSec VPNs encrypt all data between the client and VPN endpoint—including credentials.

E is technically incorrect and misleading: intercepting the public key of an HTTPS session doesn't allow decryption of the credentials due to asymmetric encryption and session key security. Real-time decryption of HTTPS traffic without endpoint compromise is not feasible.

Given that only consumer-grade routers are used and no RADIUS server or enterprise infrastructure is mentioned, WPA2-Personal is the most secure option available. It uses a pre-shared key (PSK) for authentication and AES-CCMP for encryption, offering strong protection for small businesses lacking enterprise equipment.

Enterprise methods such as WPA2-Enterprise, 802.1X, and EAP-PEAP require a RADIUS server or authentication backend, which isn’t supported in typical consumer-grade routers.

MS-CHAPv2 is a widely used authentication protocol, but it has notable weaknesses:

B. MS-CHAPv2 is vulnerable to offline dictionary attacks. Attackers can capture authentication exchanges and attempt password guesses offline due to predictable hashing behavior.

D. The only secure use of MS-CHAPv2 is inside a secure tunnel (e.g., EAP-TTLS or PEAP), where credentials are protected during transmission.

Incorrect:

A. MS-CHAPv2 is used in WPA2-Enterprise, not WPA-Personal, and it is allowed under WPA2-Enterprise via PEAP.

C. WEP does not enhance LEAP’s security; it compounds vulnerabilities.

E and F. MS-CHAPv2 does not use AES for authentication. Using AES-CCMP for encryption does not fix MS-CHAPv2's weaknesses.

Though AES-CCMP is secure and 802.1X authentication is strong, LEAP is inherently weak because:

B. LEAP uses MS-CHAPv1, making it vulnerable to offline dictionary attacks once challenge/response exchanges are captured.

F. Layer 1 DoS attacks (such as RF jamming or interference) can be launched regardless of authentication mechanisms.

Incorrect:

A. AES-CCMP resists encryption cracking.

C. Peer-to-peer at Layer 3 is unrelated to LEAP or 802.1X vulnerabilities.

D. Application-layer eavesdropping is mitigated if encryption is properly implemented.

E. Session hijacking is more difficult with proper authentication and encryption in place.

This network uses WPA-Personal (Pre-Shared Key) and MAC filtering. While it does offer some basic protections, it is still vulnerable to several well-known attack vectors:

A. Offline dictionary attacks: An attacker can capture the 4-way handshake and perform offline dictionary or brute-force attacks to guess the PSK.

B. MAC Spoofing: Since MAC filtering is based on easily observed MAC addresses, attackers can spoof an authorized MAC address.

D. DoS: Attacks such as deauthentication floods or RF jamming can deny users access without needing to break encryption.

Incorrect:

C. ASLEAP: This is specific to LEAP (a weak EAP type), which is not used in WPA-Personal.

A Robust Security Network (RSN) is defined by the IEEE 802.11i standard and is designed to provide a framework for secure wireless LAN communications. One of the primary criteria for a network to qualify as an RSN is that WEP (Wired Equivalent Privacy) must not be used for encryption, as WEP has well-known vulnerabilities and is considered insecure. RSN-compliant networks must use either CCMP (AES) or GCMP for encryption and 802.1X/EAP or WPA2-Personal for authentication.

Incorrect:

A. Token cards are not part of RSN criteria.

B. Dynamic WEP is still WEP and disqualifies RSN status.

D. WPA-Personal may be supported, but alone does not define an RSN.

E. SSHv1 concerns device management security, not RSN qualification.

In WPA2-Personal with AES-CCMP:

The MSDU (MAC Service Data Unit), which includes the payload from Layer 3 and above, is encrypted.

This protects the actual application data (e.g., web content, email).

Frame headers (MAC headers) are not encrypted.

Incorrect:

B. MPDU includes MAC headers, which are not encrypted.

C. PPDU includes preamble and physical-layer components, which are never encrypted.

D. PSDU includes the MAC header and frame body; again, headers are not encrypted.

Without traffic monitoring or filtering on guest VLANs, the following threats remain possible:

Spammers can exploit the open Internet access to send unsolicited traffic

en.wikipedia.org

Guests may launch external network attacks (e.g., scanning, DDoS)

Peer-to-peer attacks are prevented if client isolation is enabled. AP management plane security is a separate concern from VLAN separation, and VLAN isolation prevents frame sniffing into corporate networks.

The GTK (Group Temporal Key) is used to encrypt multicast/broadcast traffic.

Each SSID has a unique GTK.

Only clients on the same SSID (ABCData) will receive and be able to decrypt multicast traffic encrypted with ABCData’s GTK.

Incorrect:

A. Application-layer authentication does not affect GTK distribution.

C. Clients on other SSIDs (e.g., Guest, ABCVoice) have different GTKs and cannot decrypt ABCData’s multicast traffic.

D. Each SSID uses a unique GTK; GTKs are not shared across SSIDs.

Outdoor APs must be:

Protected from theft or tampering (physical security).

Shielded from weather/environmental conditions (IP-rated enclosures).

Mounted and secured to prevent unauthorized physical access or damage.

Incorrect:

A & B. Antenna type is relevant to RF coverage but does not address outdoor-specific security needs.

C. PoE is useful for power delivery but not a security solution.

Opportunistic Key Caching (OKC) is a non-standardized fast roaming method that allows clients to roam between APs without repeating the full 802.1X/EAP authentication process.

OKC was proposed by vendors (not the IEEE or Wi-Fi Alliance), so there was no formal certification early on.

This led to inconsistent and delayed client support, preventing widespread adoption.

Incorrect:

A. OKC does not involve inter-controller roaming in most scenarios; it's a local caching method.

C. The cryptographic overhead was not a significant barrier compared to lack of standardization.

D. OKC was not defined in IEEE 802.11r—Fast BSS Transition (FT) was.

EAP-TLS requires both server and client-side digital certificates, which adds complexity in client certificate management.

EAP-TTLS uses a server certificate to establish a secure TLS tunnel, after which user credentials (e.g., username/password) are sent inside the encrypted tunnel. No client certificate is needed.

Incorrect:

A. EAP-TLS also encrypts credentials using TLS.

B. EAP-TLS supports client certificates (it’s the core requirement).

C. Both EAP methods require an authentication server.

In tunneled EAP types (e.g., PEAP, EAP-TTLS):

A secure TLS tunnel is first established using the server’s certificate.

Then, user credentials (e.g., username/password) are sent through the encrypted tunnel to ensure confidentiality.

Incorrect:

A. Certificates are exchanged during tunnel establishment, not protected within it.

C. Server credentials are used to establish the tunnel, not protected inside it.

D. The RADIUS shared secret secures communication between AP/controller and RADIUS server—not sent via the tunnel.

EAP-MD5:

Only authenticates the client.

Does not provide mutual authentication, making it vulnerable to man-in-the-middle attacks.

It also does not protect the user’s identity or credentials in a secure tunnel.

Incorrect:

A. The outer identity concept is not relevant to EAP-MD5 since it doesn’t support tunneling.

B. EAP-MD5 is a valid EAP type, just insecure.

D. It can be used with a RADIUS server, but security is insufficient.

The 802.1X Controlled Port remains blocked after EAP authentication is complete. It is only unblocked once the 4-Way Handshake completes successfully. This handshake:

Confirms that both client and AP have the same PMK.

Derives the PTK and installs keys.

Once encryption keys are in place, the Controlled Port is opened for data.

Incorrect:

A. The Controlled Port is what opens after successful authentication and key establishment.

B. IP addressing (via DHCP) happens after the Controlled Port is open.

D. Vendor-Specific Attributes may play a role in policy assignment but do not govern port control timing.

WIPS systems provide proactive security by continuously scanning for threats and ensuring WLAN policy compliance. Their capabilities include:

B. Wireless vulnerability assessment: Scanning for misconfigured APs, weak encryption, and unauthorized devices.

E. Policy enforcement and compliance: Ensuring security settings adhere to enterprise or regulatory requirements and alerting on deviations.

Other options like application-layer inspection and AP CPU monitoring are outside the WIPS function scope.

A strong WLAN security policy should encompass both technical controls and user education.

C. Educating users about secure password creation and acceptable use policies helps reduce risks due to weak authentication and misuse.

E. Social engineering is a common attack vector, and educating users to recognize and report such attempts is critical.

Incorrect:

A. MAC addresses are always transmitted in the clear, even with encryption.

B. Policies should be shared with users to promote compliance and awareness.

D. Passwords for administrative systems should not be disclosed in public documentation or policy documents.

EAP-TLS requires both server and client-side digital certificates, which adds complexity in client certificate management.

EAP-TTLS uses a server certificate to establish a secure TLS tunnel, after which user credentials (e.g., username/password) are sent inside the encrypted tunnel. No client certificate is needed.

Incorrect:

A. EAP-TLS also encrypts credentials using TLS.

B. EAP-TLS supports client certificates (it’s the core requirement).

C. Both EAP methods require an authentication server.

In environments where PSK-based authentication (like WPA2-Personal) is still in use due to legacy device constraints:

C. Regularly changing static passwords helps limit exposure from credential leaks or previous employees retaining access.

Incorrect:

A. MSCHAPv2 is vulnerable to offline attacks; recommending strong passwords is good, but that alone isn’t sufficient.

B. WEP is insecure regardless of password strength due to IV reuse.

D. Certificates are stronger, but not always feasible for legacy systems.

E. EAP-TLS is ideal but not always compatible with all devices; policies should be flexible to device capabilities.

Peer-to-peer blocking (also called client isolation) is useful in open or public WLANs to prevent devices from communicating directly with each other.

B. In public hot-spots, isolating users helps protect against malware spread, snooping, and attacks from nearby devices.

Incorrect:

A. In home networks, peer-to-peer communication is often desired for file sharing.

C. Voice over Wi-Fi may rely on peer communication (e.g., multicast).

D. In university setups using multicast, peer-to-peer restrictions could hinder functionality.

Rogue APs pose a significant risk and should be detected and mitigated automatically.

D. A properly configured Wireless Intrusion Prevention System (WIPS) can detect unauthorized APs and prevent client associations to them in real time.

Incorrect:

A. While WPA2-Enterprise adds client-level protection, it does not detect rogue APs.

B. Hiding SSIDs is ineffective—SSIDs are still discoverable in management frames.

C. Manual scans are labor-intensive and impractical for ongoing monitoring.

E. Port security controls wired threats but cannot detect rogue APs using wireless signals.

Developing a robust WLAN security policy requires buy-in from executive or senior management. Without management support, it’s difficult to enforce compliance, allocate resources, or prioritize security among other organizational objectives. This foundational step ensures that policy creation and enforcement are feasible and aligned with organizational goals.

Incorrect:

A. Device/vendor specifics are addressed later during implementation.

C. End-user training materials are created after the policy is finalized.

D. Security policy software can assist, but is not essential compared to management support.