CompTIA Cybersecurity CySA+ (CS0-001): Practice Test #2 of 2 - Results


You are registering for a domain name in Canada. Which regional Internet Registry would you use? A.ARIN B.RIPE NCC C.AFRINIC D.APNIC

A.ARIN Explanation Correct Answer: ARIN handles the registries for Canada, many Caribbean and North Atlantic islands, and the United States. Incorrect Answers: AFRINIC is responsible for Africa and portions of the Indian Ocean. APNIC handles portions of Asia and Oceania. RIPE NCC takes care of registries for Europe, the Middle East, and Central Asia.

Which of the following is a method used to sniff traffic in a switched network environment? A.ARP poisoning B.DNS poisoning C.ICMP flooding D.MAC flooding

A.ARP poisoning Explanation Correct Answer: ARP poisoning involves sending false entries to the ARP table contained on each host, tricking the host into sending traffic to a different MAC address. Incorrect Answers: MAC flooding involves sending a high volume of traffic into the switch in hopes of overpowering it and causing it to act as a hub. ICMP flooding involves sending a high volume of ICMP packets into a host in an effort to cause a denial of service attack. DNS poisoning is used to cause a host to resolve an IP address to an incorrect DNS name, thereby redirecting it to a different host.

Which of the following is a method of vulnerability scanning that involves hosts that self-report to a central scanner? A.Agent-based scanner B.Noncredentialed scan C.Server-based scanner D.Credentialed scan

A.Agent-based scanner Explanation Correct Answer: Agent-based scanners work on the host, where software agents reside and automatically run scans on a predetermined basis. The agent then reports the results of the scan back to a centralized server. Incorrect Answers: The server-based scanner requires no agents on each individual host. Both credentialed and noncredentialed scans are run from a server-based scanner.

Your supervisor asks you to explain why implementing a Kerberos-based authentication system is to the organization's advantage. You are attempting to explain the process Kerberos uses to authenticate users. Which of the following checks the key distribution center database of existing users to verify that the user exists when a user first attempts to authenticate? A.Authentication server (AS) B.Key distribution center (KDC) C.Ticket-granting server (TGS) D.Ticket-granting ticket (TGT)

A.Authentication server (AS) Explanation Correct Answer: When a client attempts to log on and authenticate, the authentication server (AS) will check the KDC database of existing users to verify the user's existence. Incorrect Answers: If a user is successfully located, the AS will return two messages to the client—one that contains a TGS session key and another that has a ticket-granting ticket (TGT). The ticket-granting server issues a service ticket, which allows users to access resources. The key distribution server contains the user database itself. The TGT has information about the client and the timestamp as well as has a copy of the TGS session key.

You are attempting to collect data from syslogd, deployed on several Linux hosts. The syslog server does not seem to be sending logs. You suspect that the firewall that sits between you and the syslog servers may be interfering with the syslog traffic. What would you need to check to determine if this is the issue? A.Check to see if UDP Port 514 is open on the firewall. B.Check to see if UDP Port 524 is open on the firewall. C.Check to see if UDP Port 524 is open on the host. D.Check to see if UDP Port 514 is open on the host.

A.Check to see if UDP Port 514 is open on the firewall. Explanation Correct Answer: You should check to see if UDP Port 514 is open on the firewall if you suspect it is causing issues. Incorrect Answers: UDP Port 524 is not the correct port for syslogd traffic. Checking to see if UDP port 514 is open on the host should be done only if you suspect there is a host issue. If the service is running, the chances are good that the port is in fact open.

During an incident response, preserving evidence is an important part of which response process? A.Containment B.Initial response C.Eradication D.Sanitization

A.Containment Explanation Correct Answer: Preserving evidence is an important part of the containment process. Incorrect Answers: During the initial response, the nature of the incident is assessed. Notification of the incident also occurs. During sanitization, media is wiped if necessary. During eradication, malware or any other cause of the incident is eliminated.

Which of the following statements best describes the concept of containment and its goal? A.Containment is the set of actions that attempt to deny the threat agent the ability or means to cause further damage. The goal is to prevent or reduce the spread of this incident. B.Containment is the set of actions that are intended as the initial response to an incident. The goal is to identify the nature of the incident and escalate the notification of the incident. C.Containment is the set of actions that attempt to prevent the threat agent from initiating a threat, causing an incident. The goal is to prevent the incident through the threat agent. D.Containment is the set of actions that attempt to resolve and investigate the response. The goal is to investigate and conclude the incident.

A.Containment is the set of actions that attempt to deny the threat agent the ability or means to cause further damage. The goal is to prevent or reduce the spread of this incident. Explanation Correct Answer: Containment is the set of actions that attempt to deny the threat agent the ability or means to cause further damage. The goal is to prevent or reduce the spread of this incident. This usually occurs during an incident. Incorrect Answers: None of these other choices is the definition of containment and its goal.

Which of the following describes the integration of security, operations, and software development functional areas? A.DevSecOps B.DevSec C.DevOps D.OPSEC

A.DevSecOps Explanation Correct Answer: The term DevSecOps consolidates development, security, and quality assurance, as well as the operations aspect of developing code. Incorrect Answers: DevOps is a term associated with combining the development and QA functions in order to produce quality code. It does not include security. OPSEC is a military term denoting operations security. DevSec is a nonexistent term.

Which of the following statements is true about vulnerability assessments under the Health Insurance Portability and Accountability Act (HIPAA)? A.HIPAA does not explicitly require vulnerability assessments, but does require mitigations for any discovered vulnerabilities. B.HIPAA requires vulnerabilities to be remediated within 90 days. C.HIPAA requires vulnerability assessments on a quarterly basis. D.HIPAA specifically excludes medical devices from vulnerability assessments.

A.HIPAA does not explicitly require vulnerability assessments, but does require mitigations for any discovered vulnerabilities. Explanation Correct Answer: Although HIPAA does not explicitly call out a requirement to conduct vulnerability assessments, Section 164.308(a)(1)(i) requires organizations to conduct accurate and thorough vulnerability assessments and to implement security measures that are sufficient to reduce the risks presented by those vulnerabilities to a reasonable level. Incorrect Answers: HIPAA has no requirements for the particulars of the vulnerability management program with regard to frequency, inclusion, or exclusion of any devices and remediation time frames; these are left to the organization, based on its needs and circumstances.

Which of the following types of data is the primary type protected from a business perspective? A.Intellectual property B.PHI C.PII D.Financial information

A.Intellectual property Explanation Correct Answer: Intellectual property is the lifeblood of a business. It's the special knowledge on how to make something, or a unique creation that allows an organization to distinguish itself from others. Incorrect Answers: Although all these other types of data are important to protect, intellectual property is what keeps the business in the market.

Which of the following are examples of context-based authentication? (Choose all that apply.) A.Location data B.Passwords C.Time D.Typing patterns

A.Location data C.Time D.Typing patterns Explanation Correct Answers: All of these are context-based factors that can be used in conjunction with multifactor authentication. Incorrect Answer: Passwords may be used as one factor in a multifactor authentication scheme (something you know), but they are not context based.

Which network-scanning tool is often used to generate an inventory of hosts on the network? A.Nmap B.Nikto C.Metasploit Framework D.Netcat

A.Nmap Explanation Correct Answer: Nmap, typically used to scan for open ports and services, can also be used to scan for hosts on the network, which can then be compared with an earlier scan or a known inventory of hosts to determine whether there are any changes to the number of hosts on the network. Incorrect Answers: Metasploit Framework is an exploitation tool. Nikto is a web vulnerability scanner, and netcat is a tool used by hackers to create a covert channel between two hosts.

Which of the following data classification labels within an organization would be most appropriate to protect engineering processes the company uses to remain competitive in the market? A.Proprietary B.Public C.Confidential D.Private

A.Proprietary Explanation Correct Answer: Proprietary information is data that could cause some damage, such as loss of competitiveness to the organization. Incorrect Answers: Private data, if improperly disclosed, could raise personal privacy issues. Confidential data is information that could cause grave damage to the organization if disclosed. This could include salary information, disciplinary information, or other potentially embarrassing information. Public data is information that can be disclosed to the public without any adverse effect to the organization. This data might be posted on a public website, for example.

You are adapting the Cybersecurity Framework (CSF) to your organization. You feel you have adequately covered all five core functions, but you have doubts that your organization could roll back data to a previous secure state with good integrity. In which of the following five functions might your organization be weak? A.Recover B.Detect C.Respond D.Protect

A.Recover Explanation Correct Answer: The Recover function means to return to a secure state that enables business activities after an incident. Incorrect Answers: Here are the five core functions of the CSF: Identify: Understand your organization's business context, resources, and risks. Protect: Develop appropriate controls to mitigate risk in ways that make sense. Detect: Discover in a timely manner anything that threatens your security. Respond: Quickly contain the effects of anything that threatens your security. Recover: Return to a secure state that enables business activities after an incident.

All the following are considerations in the decision to preserve or rebuild a compromised host, EXCEPT: A.Replacement value of the system B.Crime scene evidence C.Ability to restore D.Threat intelligence value

A.Replacement value of the system Explanation Correct Answer: Normally, the replacement value in terms of dollars for the system is not a consideration in the decision to preserve it or rebuild it. Typically the value of the data makes the decision. Incorrect Answers: These other choices are all considerations when making the decision to preserve or rebuild a system.

You are examining a packet capture you have just performed on a network. You are attempting to determine the sequence of events that occurred while a user was accessing an unencrypted web page. Which solution would be best for determining the sequence of events and viewing the appropriate traffic from the capture? A.TCP streams B.UDP streams C.Filtering on TCP sequence numbers D.IP streams

A.TCP streams Explanation Correct Answer: TCP streams is a useful functionality built into the popular Wireshark protocol analyzer. TCP streams allows you to reconstruct a TCP conversation between two hosts. Because the communication session is a web browsing session, it uses HTTP, which uses the TCP transport protocol. Incorrect Answers: HTTP does not use UDP, nor is UDP streams a valid functionality in protocol analyzers. IP streams is also not a valid functionality. Filtering on TCP sequence numbers would not be effective because you would have to know the beginning and ending sequence numbers for both hosts. TCP streams performs this function for you.

Which of the following is an example of a packet sniffer tool? A.Tshark B.Nikto C.Nmap D.Nessus

A.Tshark Explanation Correct Answer: Tshark is a packet sniffer/analyzer that can capture both header information and full packets. Incorrect Answers: Nmap scans for open ports and services on remote hosts. Nessus is a host vulnerability scanner, and Nikto is a web vulnerability scanner.

You are responding to an incident involving data exfiltration from your organization. Which of the following events might require that you notify law enforcement? A.Unauthorized disclosure of 600 patient records B.Unauthorized disclosure of corporate officer salaries C.Exfiltration of a proprietary manufacturing process D.Exfiltration of company telephone numbers and e-mail addresses

A.Unauthorized disclosure of 600 patient records Explanation Correct Answer: Federal law requires that records containing PHI be disclosed to law enforcement and other regulatory agencies if the number of records exceeds 500. Incorrect Answers: Although it may be a good idea to involve law enforcement, the exfiltration of proprietary manufacturing processes does not require that you notify them. Corporate officer salaries are generally public knowledge, as required by the Securities and Exchange Commission—particularly for publicly held companies. The disclosure of company telephone numbers and e-mail addresses, although they may be sensitive in nature, is not required to be reported to law enforcement.

Which of the following is a common vulnerability found on an organization's servers? A.Lack of encryption for all traffic entering and leaving the server B.Allowing the server to run unnecessary services and open ports C.Allowing too many users to access the server D.Lack of two-factor authentication to access the server

B.Allowing the server to run unnecessary services and open ports Explanation Correct Answer: It is a common vulnerability for servers to run multiple services and have an excessive number of open ports. Servers should be dedicated to a specific task, and run only the minimum number of services and open ports needed. Incorrect Answers: Although lack of two-factor authentication provides less security, it may not necessarily be required for the organization's use of the server. Not all traffic entering and leaving a server requires encryption. DNS queries, for example, are typically not encrypted if the server is a DNS server. The same applies to a DHCP server, where queries and responses are not encrypted. Finally, as many users as needed to access the server for legitimate purposes should be allowed. Too many users might cause a performance issue, requiring load balancing, but this is typically not a vulnerability or security issue.

A manager has asked you to help her decide on the classification levels for a particular data type that she uses in her department. She wants to know what the criteria are that would help her decide on the sensitivity levels. All of the following are considerations in determining data sensitivity, EXCEPT: A.The level of damage that could be caused if the data were disclosed B.Existing procedures and processes available to protect the data C.The level of damage that could be caused if the data were modified or corrupted D.Legal, regulatory, or contractual responsibility to protect the data

B.Existing procedures and processes available to protect the data Explanation Correct Answer: Existing procedures and processes available to protect the data have nothing to do with the sensitivity of the data. If existing procedures and processes are not sufficient to protect the data at the level of sensitivity required, then the procedures and processes will have to be modified or added to. Simply because you don't have the processes in place to protect the data does not mean that the data is not as sensitive as determined. Incorrect Answers: All of these are important considerations in the decisions to determine data sensitivity levels.

You are performing a scan of your company's network. The technicians performing the scan also want to assist you in verifying the inventory of devices connected to the network. You also want to know which devices, by operating system, are connected to the network. Which of the following techniques would you use to accomplish this? A.Service discovery B.Fingerprinting C.SYN scanning D.Stealth scanning

B.Fingerprinting Explanation Correct Answer: OS fingerprinting is an option used in tools such as nmap to determine which type of operating system is running on the target system. Incorrect Answers: These other choices are different types of scans available in nmap but will not accurately determine what operating system is running on the host.

Which one of the following types of analyses looks at how a piece of executable code is behaving, to determine if it is malware or otherwise malicious in nature? A.Signature analysis B.Heuristic analysis C.Pattern analysis D.Result analysis

B.Heuristic analysis Explanation Correct Answer: Heuristic analysis looks at how a piece of code behaves in its environment to determine whether or not it is malicious. Incorrect Answers: Signature analysis looks for particular patterns or signatures that may match a known event or piece of code. Pattern analysis is the same as signature analysis. Result analysis is not a valid choice.

Which network device might an attacker use to intercept all traffic on a network segment? A.Switch B.Hub C.Wireless router D.Router

B.Hub Explanation Correct Answer: A hub is a network device that allows any connected host to see all traffic from all hosts connected to the hub. An attacker might introduce a hub into the network in order to view all traffic on a segment. Hubs are not typically seen in modern networks. Incorrect Answers: A switch limits the amount of traffic that can be seen to only the switch, the sending host, and the receiving host. A router sends traffic from one logical network to another. A wireless router serves as an access point for wireless clients.

Which of the following worldwide accepted standards covers vulnerability management under control number A.12.6.1? A.National Institute of Standards and Technology Special Publication 800-53 B.International Organization for Standardization / International Electrotechnical Commission (ISO/IEC) 27001 C.Payment Card Industry standard D.Health Insurance Portability and Accountability Act (HIPAA)

B.International Organization for Standardization / International Electrotechnical Commission (ISO/IEC) 27001 Explanation Correct Answer: The International Organization for Standardization / International Electrotechnical Commission (ISO/IEC) 27001 addresses vulnerability management under control number A.12.6.1. This is the only one of the choices that is an international standard. Incorrect Answers: All of these other choices are either U.S. government national standards or industry standards, and are not necessarily used worldwide.

Which of the following statements best describes heuristic analysis? A.Relies on preloaded signatures for various attacks and threats. B.Observes and analyzes changes in normal system behavior to detect potential threats. C.Does not analyze system behavior. D.Must be periodically updated with new threats.

B.Observes and analyzes changes in normal system behavior to detect potential threats. Explanation Correct Answer: A heuristic analysis system, sometimes referred to as an anomalous detection system, observes and analyzes changes in normal system behavior to detect potential threats. It learns the typical behaviors of the network and detects changes in those behaviors. Incorrect Answers: These other choices are all characteristics of signature-based analysis systems.

Which of the following describes data that relates to an individual's past, present, or future physical or mental health condition? A.Trade secrets B.PHI C.PII D.PCI

B.PHI Explanation Correct Answer: Personal health information (PHI) is any data that relates to an individual's past, present, or future physical or mental health condition. Usually, this information is handled by a healthcare provider, employer, public health authority, or school. HIPAA requires appropriate safeguards to protect the privacy of personal health information, and it regulates what can be shared and with whom without patient authorization. HIPAA prescribes specific reporting requirements for violations. Incorrect Answers: Personally identifiable information (PII) is information that can be used to distinguish an individual's identity. It is protected under several different laws. Payment card information is protected under the Payment Card Industry Data Security Standard (PCI DSS). PCI DSS was created to reduce credit card fraud and protect cardholder information. Trade secrets are protected under several international laws.

If an intruder has physical access to the network, which of the following is a common tool for the intruder to use to gain network access and capture packets? A.Honeypot B.Passive tap C.IDS/IPS D.Bastion host

B.Passive tap Explanation Correct Answer: A passive tap is a device used to eavesdrop on the signal on a network cable to intercept traffic. Incorrect Answers: A bastion host is a security device that separates two disparate networks. A honeypot is used to attract potential attackers in order to learn their attack patterns and distract them from valuable targets. An IDS/IPS is used to detect and prevent network attacks.

Your company has been selected to provide information security services for a small chain of merchant stores. They currently are not adhering to any particular governance or standard to protect their data. They are especially concerned with protecting their customers' financial transaction data. Which of the following is an industry standard used to protect consumer financial data? A.ISO/IEC 27000 Series B.Payment Card Industry Data Security Standard C.NIST Special Publication 800-37 D.COBIT

B.Payment Card Industry Data Security Standard Explanation Correct Answer: The Payment Card Industry Data Security Standard (PCI-DSS) applies to any organization that is involved in processing credit card payments using cards branded by the five major issuers (Visa, MasterCard, American Express, Discover, and JCB). Incorrect Answers: These other standards are applied to protect all types of data, not specifically financial data. Merchants that deal with credit card transactions are required to use the PCI-DSS.

You are performing a business impact assessment and are considering four servers that support a particular business unit. This business unit acts as a second-tier customer assistance desk. One server manages customer data and is backed up nightly. One server manages product inventory and is also backed up nightly. The third server contains administrative data, including copies of policies and procedures, as well as employee data. It is backed up nightly as well. The fourth server is a duplicate of the customer data server and receives updates from the primary server on a weekly basis. When developing your business impact assessment for this business unit, which servers would be considered critical to the operations of the business unit? (Choose all that apply.) A.Backup customer data server B.Product inventory server C.Administrative data server D.Customer data server

B.Product inventory server D.Customer data server Explanation Correct Answer: Because the primary mission of this unit is customer service, it would obviously need the customer data server and the product inventory server in order to process customer requests and fulfillment transactions. Incorrect Answers: The administrative data server contains data that is not critical to the operations of the business unit and could likely be found elsewhere in the company, such as human resources. Additionally, it is backed up nightly, so it can be restored from previous days' data easily at the unit's leisure, without interrupting the business unit's mission. The backup customer data server only receives updates weekly, so recovering it would not be a priority because the primary server is backed up on a nightly basis and its data is more current.

Which of the following terms best describes the amount of risk that an organization is willing to assume in pursuit of its business ventures? A.Risk tolerance B.Risk appetite C.Mitigated risk D.Residual risk

B.Risk appetite Explanation Correct Answer: The risk appetite of an organization is the amount of risk that its senior executives are willing to assume in pursuit of business opportunities or ventures. Incorrect Answers: Risk tolerance is the amount of variance an organization is willing to accept from its risk appetite. Residual risk is the amount of risk left over after all risk has been mitigated. Mitigated risk is risk that is reduced from its initial assessment.

Which feature in Wireshark allows an analyst to reconstruct data streams? A.UDP streams B.TCP streams C.IP streams D.ICMP streams

B.TCP streams Explanation Correct Answer: TCP streams is a feature of Wireshark that allows an analyst to reconstruct complete data streams from full packet captures. Incorrect Answers: None of these protocols is a connection-oriented protocol. Therefore, without sequence numbers or some other way to connect the pieces of the communication stream, these protocols cannot reconstruct a complete data conversation.

You are responsible for managing security on a corporate wireless network. In the past six months, you have discovered two rogue wireless access points, set up by internal users. Of the following, which would be the most effective security measure you can take to prevent this from occurring again? A.Use IPSec. B.Use WPA Enterprise and IEEE 802.1x. C.Use MAC address filtering. D.Use SSID cloaking.

B.Use WPA Enterprise and IEEE 802.1x. Explanation Correct Answer: When using WPA Enterprise, you can set up IEEE 802.1x authentication between clients and wireless access points, ensuring that the devices are mutually authenticated to each other. This would prevent a client from authenticating to a rogue wireless access point. Incorrect Answers: MAC address filtering only permits or denies connection to a wireless access point based on hardware address, which can be easily spoofed. IPSec encrypts and authenticates traffic on local networks or VPNs. It could be used on a wireless network, but it would not be the most effective solution. SSID cloaking merely hides the wireless network name and is not a valid security measure.

Which of the following processes is focused on ensuring that you have identified the corresponding attack vectors and implemented effective countermeasures against them? A.Eradication B.Validation C.Verification D.Containment

B.Validation Explanation Correct Answer: The validation process in an incident response is focused on ensuring that you have identified the corresponding attack vectors and implemented effective countermeasures against them. This stage presumes that you have analyzed the incident and verified the manner in which it was conducted. This analysis can be a separate post-mortem activity or can take place in parallel with the response. Incorrect Answers: The verification process tells you what has caused the incident. The containment process prevents the spread of the malicious activities in an incident, in order to contain damage to systems and data. The eradication process involves eliminating the cause of the incident, such as malware.

What is the maximum packet size for IPv4 packets? A.1500 bytes B.64 bytes C.65,535 bytes D.128 bytes

C.65,535 bytes Explanation Correct Answer: The maximum packet size for IPv4 is 65,535 bytes. Incorrect Answers: None of these other values represents the maximum packet size for IPv4 packets.

Which of the following statements regarding events and incidents are correct? (Choose two.) A.An incident is one or more related events that compromise the organization's security posture. B.An incident is any occurrence that can be observed, verified, and documented. C.An event is any occurrence that can be observed, verified, and documented. D.An event is any negative occurrence that can be observed, verified, and documented.

C.An event is any occurrence that can be observed, verified, and documented. Explanation Correct Answers: An event is any occurrence (positive, neutral, or negative) that can be observed, verified, and documented. An incident is one or more related events that compromise the organization's security posture, and is usually a negative occurrence. Incorrect Answers: An incident is any negative occurrence that can be observed, verified, and documented.

Which of the following techniques are necessary to ensure the correct data is collected and analyzed in order to detect security issues on the network? (Choose two.) A.Data prioritization B.Data dissemination C.Data correlation D.Data aggregation

C.Data correlation D.Data aggregation Explanation Correct Answers: Data aggregation involves the ability to collect data from various disparate sources into a form that allows you to analyze it, regardless of source. Data correlation involves the ability to pull discrete pieces of data from each of these disparate sources that are related to each other and establish a pattern. Incorrect Answers: Data dissemination involves sending specific data to the appropriate user. Data prioritization involves determining which data should be collected. Both of these are important to the entire process of data collection, analysis, and dissemination as well.

Which of the following is the most common entry point for attackers into the network? A.Servers B.Routers C.End-user devices, such as workstations and mobile devices D.Firewalls

C.End-user devices, such as workstations and mobile devices Explanation Correct Answer: End-user devices, such as workstations and mobile devices, are typically the least secure devices in the enterprise, simply because of the people who use them. Untrained users are the most common security vulnerability for endpoints. Incorrect Answers: In an organization that has a mature security program, these infrastructure devices are almost always far more secure than endpoints, because, in addition to other security measures, these devices do not have general user populations. They're typically only accessed by administrative or security personnel.

All of the following are valid methods used to sanitize a drive, EXCEPT: A.Encrypting B.Degaussing C.Formatting D.Overwriting

C.Formatting Explanation Correct Answer: Formatting does not remove data from the drive; it merely deletes the file table entry for the data. The data is still there until overwritten by other data. Incorrect Answers: Overwriting, encrypting, and degaussing are all valid methods for sanitizing media.

Which of the following vulnerabilities associated with virtual machines might allow an attacker to escape the VM and attack the host operating system? A.Host operating system vulnerability B.Virtual machine vulnerability C.Hypervisor vulnerability D.Virtual hardware vulnerability

C.Hypervisor vulnerability Explanation Correct Answer: A vulnerability in the hypervisor that manages virtual machines could allow an attacker to actually escape a virtual machine and access the host operating system. Incorrect Answers: A host operating system vulnerability would affect the host. A virtual machine vulnerability would only affect that particular virtual machine, as would a virtual hardware vulnerability.

You are working to ensure your organization meets internationally accepted standards in securing its information systems and data. You also want to have your organization certified by a third party as being compliant with these standards. Implementing which of the following frameworks will meet your stated goals? A.National Institute of Standards and Technology Special Publications B.Control Objectives for Information and related Technology (COBIT) C.Information Security Management System (ISMS) standards, known as the ISO/IEC 27000 series D.Information Technology Infrastructure Library (ITIL)

C.Information Security Management System (ISMS) standards, known as the ISO/IEC 27000 series Explanation Correct Answer: The Information Security Management System (ISMS) standards, known as the ISO/IEC 27000 series, form an internationally recognized set of standards, created by international bodies, that helps organizations meet standards for information security. Additionally, organizations can be formally certified by an approved third party that they meet or exceed the ISO/IEC 27000 series standards. Incorrect Answers: The National Institute of Standards and Technology (NIST) Special Publications are produced by the U.S. Department of Commerce and are not necessarily used or recognized internationally. ISACA's Control Objectives for Information and related Technology (COBIT) defines goals for security controls that should be used to properly manage IT, and to ensure that IT maps to business needs. It is not necessarily recognized as an international standard. The Information Technology Infrastructure Library (ITIL) is the de facto standard of best practices for IT service management. It does not specifically cover information security, although parts of it do address this topic.

You are monitoring your wireless traffic. You have a very good inventory of what devices exist on the wireless network. One day, you notice that another wireless access point has been added to the network. Its naming convention is similar to what your other access points are named, and it has a valid IP address assigned. You check with other technicians, but no one can find any record of installing another access point. What could be the issue with this access point? A.It is not broadcasting its SSID. B.It is configured with the incorrect WPA2 passphrase. C.It is a rogue wireless access point. D.It is not beaconing out properly, so that is why it has not shown up in inventory previously.

C.It is a rogue wireless access point. Explanation Correct Answer: This is likely a rogue wireless access point, since no administrator can find any documentation relating to its installation. Simply because it is named similarly and has a valid IP address in the correct range does not mean that it's a valid access point. Incorrect Answers: If the wireless access point was not beaconing properly, it would cause connection issues on the wireless network. An incorrect WPA2 passphrase would cause the wireless access point to simply not connect to anything. Clients would not be able to connect to it at all. Broadcasting the SSID would not affect the router showing up on the network, simply because you're monitoring known wireless access points and you would still be able to detect it.

You are involved in an incident response and have discovered that data has been stolen that requires protection under federal law. Which of the following levels of technical expertise or management determines both when and where to bring law enforcement into the response? A.Incident response team lead and legal department B.Technical experts and management C.Legal department and management D.Technical experts and legal department

C.Legal department and management Explanation Correct Answer: Management must be involved in any decision regarding bringing law enforcement into the picture. Additionally, the legal department can advise management when and where to bring law enforcement agencies into the incident response effort. Incorrect Answers: Technical experts and the incident response team lead can advise both management and the legal department, but cannot make a decision on when or how to bring law enforcement agencies into the incident response.

Which of the following are factors contributing to a determination of the scope of impact of an incident? (Choose two.) A.Loss of availability B.Reduction of vulnerability C.Loss of revenue D.Reduction of threat

C.Loss of revenue Explanation Correct Answer: Loss of revenue and loss of availability are definitely factors that contribute to the scope of an impact. Additional factors might include loss of confidentiality or integrity, loss of the asset itself to any degree, loss of productivity, and even loss of reputation or consumer confidence. Although some of these may be difficult to quantify, all would impact the organization to some degree. Incorrect Answers: A reduction in the threat (typically in the likelihood of exploitation of a vulnerability) and a reduction of the vulnerability (that is, reducing its exposure) also reduce risk and therefore reduce the impact to the organization.

All of the following are used to troubleshoot DNS issues, EXCEPT: A.Host B.Dig C.Netstat D.Nslookup

C.Netstat Explanation Correct Answer: Netstat is not used to resolve DNS issues; it lists the inbound and outbound connection status to a host. Incorrect Answers: All of these are useful tools to troubleshoot DNS issues as well as gather information on an organization's network.

You are using a Linux laptop on a network in order to capture traffic. In which mode must a network card be run in order to capture network traffic destined for any device on the network? A.Open mode B.Closed mode C.Promiscuous mode D.Switched mode

C.Promiscuous mode Explanation Correct Answer: A network card must be placed in a mode that will capture all traffic destined for all hosts on the network segment. This mode is called either "monitor mode" or "promiscuous mode." Incorrect Answers: These other choices are all invalid answers because they are not modes that a network card can be placed in.

Which of the following terms describes the earliest time within which a business process must be restored after an incident to avoid unacceptable consequences associated with a break in business processes? A.Maximum tolerable downtime (MTD) B.Mean time between failures (MTBF) C.Recovery time objective (RTO) D.Recovery point objective (RPO)

C.Recovery time objective (RTO) Explanation Correct Answer: The recovery time objective (RTO) describes the earliest time within which a business process must be restored after an incident to avoid unacceptable consequences associated with a break in business processes. It is typically less than the maximum tolerable downtime (MTD), which can cause complete catastrophic failure of a business if that time is exceeded. Incorrect Answers: The recovery point objective (RPO) is the maximum amount of data, in terms of time, the organization can afford to lose before it suffers a critical business impact. Mean time between failures (MTBF) is a measure of the length of time before a piece of hardware requires repairs. The maximum tolerable downtime (MTD) is the maximum outage time that can be tolerated by the company as a result of an incident, after which the organization will suffer a complete failure.

Which of the following are the most serious vulnerabilities involved with wireless access points? (Choose two.) A.Lack of MAC address filtering B.Using the Wi-Fi Protected Access 2 (WPA2) protocol C.Rogue access points D.Using the Wired Equivalent Privacy (WEP) protocol

C.Rogue access points D.Using the Wired Equivalent Privacy (WEP) protocol Explanation Correct Answer: Use of weak encryption protocols, such as WEP, is a serious vulnerability, because WEP is easily cracked. Rogue access points are another serious issue because they entice users to connect to insecure access points where passwords and other data can be easily intercepted. Incorrect Answers: Using the Wi-Fi Protected Access 2 (WPA2) protocol is actually recommended because of its stronger encryption mechanisms. MAC address filtering is largely ineffective because an attacker can spoof his hardware address. Not performing this particular action on a wireless access point is really not a vulnerability.

Which of the following is the greatest technical concern when performing full packet captures on the network? A.Type of traffic B.Network interface throughput C.Storage space D.Privacy

C.Storage space Explanation Correct Answer: Storage space is the greatest technical concern due to the fact that full packet captures occupy a great deal of storage space—far more than simply capturing header information. You must ensure you have enough storage space for extended full packet captures. Incorrect Answers: Privacy is not a technical issue. Network interface throughput typically has nothing to do with the decision to capture only headers or full packets. The type of traffic does not typically matter, although there may be small differences in sizes between headers and full packets for different types of traffic.

Which of the following authentication methods is NOT an example of multifactor authentication? A.Smart card and personal identification number (PIN) B.Smart card and fingerprint C.Username and password combination D.Fingerprint and PIN

C.Username and password combination Explanation Correct Answer: A username and password combination, while it seems to be composed of two items that you need to authenticate, only falls into the category of knowledge-based authentication (something you know). No other category of factor is used. Incorrect Answers: A smart card is a possession-based factor (something you have) and a personal identification number (PIN) is a knowledge-based factor (something you know). A fingerprint is an inherence factor (something you are). Multifactor authentication requires something from at least two of these categories.

Because packet capturing has trouble dealing with encrypted traffic, which of the following methods is used to intercept and analyze traffic that otherwise would be encrypted? A.Dictionary attack B.Brute-force cracking C.Using an SSL or TLS proxy D.Initialization vector attack

C.Using an SSL or TLS proxy Explanation Correct Answer: In order to analyze the traffic, the organization must implement an SSL or TLS proxy that decrypts the traffic so it can be analyzed. Incorrect Answers: Brute-force cracking, dictionary attacks, and initialization vector attacks are attack methods used by hackers to crack either passwords or WEP. They cannot be used to decrypt encrypted traffic for analysis.

Which of the following Google search operators will restrict the search results to the specific domain you are looking for? A.intitle: B.inurl: C.site: D.link:

C.site: Explanation Correct Answer: The site: operator will restrict the search results to the specific domain or site for your target network or organization. Incorrect Answers: The link: operator returns pages that contain a link to the indicated site or URL. The intitle: operator returns pages with the indicated text in their title. The inurl: operator returns results having the specified text in the URL.

Which of the following best describes an example of the regulatory environment affecting your information security management program? A.A procedure stating that vulnerability scans will be performed after business hours B.Adapting an industry standard to your vulnerability management program C.An asset inventory list produced by management that specifically excludes certain devices from the vulnerability scan D.A federal statute requiring that data be protected to a certain level

D.A federal statute requiring that data be protected to a certain level Explanation Correct Answer: Federal statutes requiring data protection are legally enforceable and are part of the regulatory environment the organization operates within. Incorrect Answers: All of the other choices are internal organizational decisions that are subject to change without any involvement with legal authorities.

You are reviewing and revising security policies for your organization. You have been instructed by management that because there has been an increased number of incidents involving employee misuse of company systems and data, the policies need to be updated to address this problem. Which of the following policies do you need to pay special attention to in order to help resolve this issue? A.Password policy B.Data classification policy C.Data retention policy D.Acceptable use policy

D.Acceptable use policy Explanation Correct Answer: An acceptable use policy states restrictions on the actions users can and cannot take with regard to the organization's systems and data. Incorrect Answers: A data retention policy specifies how long certain types of data must be retained by the organization. A data classification policy details the various data sensitivity levels within the organization and how each must be protected. The organization's password policy defines how passwords will be constructed, in terms of length and complexity.

Review the following entry from a firewall's access control list: permit tcp any host 10.1.1.5 host 172.16.1.5 eq ssh Which of the following best describes what the rule does? A.Allows traffic from 10.1.1.5 to 172.16.1.5 on port 23 B.Allows traffic to 10.1.1.5 from 172.16.1.5 on port 22 C.Allows traffic from 10.1.1.5 to 172.16.1.5 on any port D.Allows traffic from 10.1.1.5 to 172.16.1.5 on port 22

D.Allows traffic from 10.1.1.5 to 172.16.1.5 on port 22 Explanation Correct Answer: This rule allows traffic on port 22 (SSH) from 10.1.1.5 to 172.16.1.5. 10.1.1.5 is the source address, and 172.16.1.5 the destination address. Only port 22, which SSH uses, is allowed. Incorrect Answers: Port 23 is used for Telnet, not SSH.

Which of the following statements best describes a zero-day exploit? A.An exploit for a flaw in a piece of software that the vendor is aware of but has not deemed to be important, and thus has not issued a patch or advisory for it B.A flaw in software for which an exploit is attempted after a patch is released for the exploit C.A theoretical exploit against a flaw in software that has not yet been proven D.An exploit for a flaw in a piece of software that the vendor is unaware of and thus has not issued a patch or advisory for

D.An exploit for a flaw in a piece of software that the vendor is unaware of and thus has not issued a patch or advisory for Explanation Correct Answer: A zero-day exploit is an exploit for a flaw in a piece of software that the vendor is unaware of and thus has not issued a patch or advisory for. Incorrect Answers: The actual flaw in the software is a zero-day vulnerability, not an exploit. Zero-day exploits are for flaws that the vendor is unaware of or has not issued a patch or advisory for. Zero-day exploits are often not theoretical, but rather are practical and immediately exploitable.

Which of the following statements best describes the concept of containers in virtualization? A.Containers separate specific resources for virtual machines, such as CPU time, RAM, and hard disk space. B.Containers are Type-2 hypervisors. C.Containers are Type-1 hypervisors. D.Containers use the resources of the host operating system, instead of the guest operating system, enabling a user to run applications rather than entire operating systems.

D.Containers use the resources of the host operating system, instead of the guest operating system, enabling a user to run applications rather than entire operating systems. Explanation Correct Answer: Containers use the resources of the host operating system, instead of the guest operating system, enabling a user to run applications rather than entire operating systems. Incorrect Answers: Containers do not separate resources for virtual machines. Containers are also not a type of hypervisor.

Which of the following is required if your organization needs to make a general statement regarding its requirements for any aspect of its internal security? A.Procedural document B.Industry standard C.Federal law or statute D.Corporate security policy

D.Corporate security policy Explanation Correct Answer: A corporate security policy is an overall general statement produced by senior management (or a selected policy board or committee) that dictates what role security plays within the organization. Policies may cover a wide variety of items, and be very general or very specific. Examples of security policies include acceptable use policies, data classification policies, and access control policies. Incorrect Answers: Industry standards are not required to develop policy, but they are frequently used to support or enforce policy. A policy document must be created first to specify the organization's unique requirements. Federal laws, statutes, and other regulations dictate to organizations what they must do with regard to data protection in general. The policy supports those laws, but is organization specific. Procedure documents only give step-by-step instructions on how to perform a particular task. They do not give organizational requirements from management.

You have been authorized to perform a vulnerability scan on critical systems. Which of the following is NOT a consideration when planning the vulnerability scan for these systems? A.Regulatory guidance B.Time of day C.Type of data D.Cost

D.Cost Explanation Correct Answer: The cost of the scan does not affect how a vulnerability scan is planned and executed. It also does not affect potential loss of systems and data. Incorrect Answers: Regulatory guidance can affect constraints on scanning particular types of systems, such as those with healthcare data on them, in order to prevent data loss or disclosure. Type of data is a consideration because certain types of data, such as PHI and PII, cannot be exposed to a potential risk for loss or exposure. Time of day is a consideration because the scan cannot take place on critical systems when users require them to be fully operational and available.

Which of the following should never be allowed in relation to DNS servers? A.DNS response B.DNS lookup C.DNS query D.DNS zone transfer

D.DNS zone transfer Explanation Correct Answer: DNS zone transfers should never be allowed because they permit an attacker to map out your entire network. Incorrect Answers: DNS queries (also known as lookups) and DNS responses should be allowed because these are the basic functions of DNS.

You are helping management to draft an organizational data classification policy. After you have determined the different types of data the organization processes and decided on the various sensitivity levels, who should be consulted to assist in determining what sensitivity level each data type should be classified as? A.Chief Information Security Officer (CISO) B.Chief Information Officer (CIO) C.Data user D.Data owner

D.Data owner Explanation Correct Answer: The data owner is a member of management who is in charge of a specific business unit, and is ultimately responsible for the protection and use of a specific subset of information. The data owner has due-care responsibilities and will be held responsible for any negligent act that results in the corruption or disclosure of the data. Data owners decide the classification of the data for which they are responsible and alter classifications if business needs arise. Incorrect Answers: The CIO and CISO positions have overall responsibility for the organization's IT assets and their security, respectively, but may not necessarily have the expertise needed to determine data classification for specific data types or data sets. The data user is responsible for any data he or she accesses and interacts with, but cannot make any management decisions regarding what the sensitivity levels of the data should be.

You are reviewing a firewall log and are looking for HTTP traffic to a specific host on the internal network. Which of the following data elements in the firewall log contain the information you are looking for? A.Source port and source address B.Source port and destination address C.Source port and destination port D.Destination port and destination address

D.Destination port and destination address Explanation Correct Answer: Because you're looking for a particular host on the internal network, you're looking for inbound traffic (in other words, the destination address). The destination port will be the port you are concerned with because the traffic is inbound for HTTP (traditionally port 80) on the destination host. Incorrect Answers: Source ports and source addresses only tell you where the traffic originates from. The source port typically will not be the same as the destination port, and will usually be a random port above the well-known port range where HTTP is commonly found.

Which of the following drives the frequency with which you would perform vulnerability scans? A.Patch cycle B.Configuration management procedures C.Penetration testing schedule D.Governance

D.Governance Explanation Correct Answer: Governance drives the frequency of vulnerability scans because each individual directive may require a certain frequency of scanning. Incorrect Answers: Each of the other choices is driven by management policy and is subject to change.

Which of the following is the most commonly used protocol to protect virtual private networks? A.SSL B.HTTP C.SSH D.IPSec

D.IPSec Explanation Correct Answer: IPSec, when using tunnel mode, is the most commonly used protocol to protect traffic in a virtual private network. Incorrect Answers: HTTP is an insecure protocol used to access web-based Internet traffic and sites. SSL is used to protect HTTP traffic, but is now considered insecure and has been deprecated. SSH is used to secure communications from host to host, and is not typically used in virtual private network applications.

Which of the following is the most likely scenario in which the human resources staff would become involved in an incident response? A.If an employee discovered the incident B.If an outsider is determined to be at fault for the incident C.If an employee responded to the incident D.If an employee had a role in causing the incident

D.If an employee had a role in causing the incident Explanation Correct Answer: If an employee had a role in causing the incident, human resources staff would become involved, due to potential disciplinary issues or, even if the role was accidental, in retraining the employee so that the incident does not happen again. Incorrect Answers: If an employee discovers or responds to an incident, this is not usually a scenario where human resources needs to be involved. If it is determined that an outsider is at fault for the incident, human resources has no reason to be involved.

Which of the following statements best describes a signature-based detection system? A.It performs real-time analysis of threat behavior. B.It learns normal behavior patterns of the network. C.It looks for anomalies or departures from normal behavior. D.It relies on prior knowledge of a threat.

D.It relies on prior knowledge of a threat. Explanation Correct Answer: Signature-based systems rely on prior knowledge of a threat. They are usually preloaded with known attack patterns or signatures. Incorrect Answers: All of these others are characteristics of an anomaly-based or heuristic analysis system.

The outage time that can be tolerated by a company as a result of an incident, before it suffers a complete failure, is referred to as what? A.Recovery time objective (RTO) B.Mean time to failure (MTTF) C.Recovery point objective (RPO) D.Maximum tolerable downtime (MTD)

D.Maximum tolerable downtime (MTD) Explanation Correct Answer: The maximum tolerable downtime (MTD) is the maximum outage time that can be tolerated by the company as a result of an incident, after which the organization will suffer a complete failure. Incorrect Answers: The recovery point objective (RPO) is the maximum amount of data, in terms of time, the organization can afford to lose before it suffers a critical business impact. For example, the organization may not be able to afford to lose more than two days' worth of data. The recovery time objective (RTO) is the maximum amount of time the organization can be down before it suffers a critical business impact. This period of time is usually less than the MTD. Mean time to failure (MTTF) is a measure of the length of time before a piece of hardware fails.

Which of the following types of firewalls includes advanced features, such as IDS/IPS, Active Directory integration, and whitelisting? A.Application-level firewall B.Stateless packet-filtering firewall C.Stateful packet inspection (SPI) firewall D.Next-generation firewall (NGF)

D.Next-generation firewall (NGF) Explanation Correct Answer: A Next-Generation Firewall (NGF) includes not only features of other firewalls, but also advanced features such as AD integration, IDS/IPS functions, proxy server functions, whitelisting, and many other features. Incorrect Answers: A stateless packet-filtering firewall is the most basic type of firewall; it only filters based on a limited set of data, such as IP address, protocol, and port. Stateful packet inspection (SPI) firewalls add the capability of maintaining connection state information. Application-level firewalls can do deep packet inspection for specific protocols. None of these offer the advanced features of a NGF.

You are performing a penetration test on a client's network. The client does not give you information on the target network, and also asks that you see what you can find on the Internet about the target company and network. Which of the following terms refers to the act of collecting data on a target network through third parties in legitimate ways? A.Enumeration B.Closed source intelligence collection C.Scanning D.Passive reconnaissance

D.Passive reconnaissance Explanation Correct Answer: Passive reconnaissance, oftentimes called open source intelligence collection, is a method of gathering data on a target network through third parties, such as Google, in legitimate ways. Incorrect Answers: Closed source intelligence collection refers to data that can only be gathered through active methods, or internally from the organization itself. Scanning and enumeration are both active technical steps in the penetration testing process.

You are a security administrator for a new company that is just starting up. Your manager tells you that you need to create a vulnerability management program. When designing a vulnerability management program, what is the first thing you should identify? A.Number of systems involved B.Personnel responsible for performing the scans C.Types of data the organization uses D.Scan requirements

D.Scan requirements Explanation Correct Answer: The first thing you should identify when designing a vulnerability management program is the requirements you have for the program. Requirements could include the type of governance you must satisfy when performing vulnerability scans, the scope of the scans, asset inventory, and organizational infrastructure, among others. Without knowing your requirements, you won't know what and how you're supposed to scan. Incorrect Answers: Although some of these other items are definitely needed to create and then execute a vulnerability management plan, you must know the requirements you need to satisfy first.

You are reviewing a full packet capture in Wireshark. Most of the traffic you see is readable, but in some traffic, the payload is gibberish. What could be the cause of this? A.The traffic is encrypted. B.The capture interface is not in monitor mode. C.You are attempting to capture traffic off of a switch. D.You're only capturing headers, not the full packet.

A.The traffic is encrypted. Explanation Correct Answer: The reason you cannot read the payload is that the traffic is encrypted. Encryption is one of the ways that packet analysis can be prevented. Incorrect Answers: If you are collecting full packet captures from all hosts on the network, then the capture interface is already in monitor mode. If you are able to read any payloads at all, then you are capturing full packets, not just headers. A switch would not cause you to be able to read some payloads and not others. It would simply prevent you from capturing traffic at all.
