CompTIA Security+

¡Supera tus tareas y exámenes ahora con Quizwiz!

What protocol may be used to secure passwords in transit to a web application?

TLS

What data obfuscation technique is intended to be reversible?

Tokenization

Bob is planning to use a cryptographic cipher that rearranges the characters in a message. What type of cypher is Bob planning to use?

Transposition cipher

It is difficult to develop defenses against APT attackers True or False

True

It is generally a bad practice to run software after the vendor's end-of-life True or False

True

Privelege escalation attacks require a normal user account to execute True or False

True

The main purpose of a code repository is to store the source files used in software development in a centralized location that allows for secure storage. True or False

True

What Java clause is critical for error handling

Try...Catch

The attacker called a help desk employee and persuaded her that she was a project manager on a tight deadline and locked out of her account. The help desk technician provided the attacker with access to the account. What social engineering principle was used?

Urgency

What phase of the capability maturity model introduces the reuse of code across projects?

(Quantitatively) Managed

Which one of the following is not a possible hash length from the SHA-2 function? a. 224 bits b. 128 bits c. 384 bits d. 512 bits

128 bits

How many keys should be used with 3DES to achieve the greatest level of security?

3

What CVSS value is the threshold at which PCI DSS requires remediation to achieve a passing scan?

4

What length encryption key does the Data Encryption Standard use?

56 bits

What type of phishing attack focuses specifically on senior executives of a targeted organization?

Whaling

What is the name of the application control technology built-in to Microsoft Windows?

AppLocker

What approach to threat identification begins with a listing of all resources owned by the organization?

Asset-focused

What is the basic principle underlying threat hunting activities?

Assumption of Compromise

What algorithm uses Blowfish cipher along with a salt to strengthen cryptographic keys?

Bcrypt

In a _____ penetration test, the attacker has no prior knowledge of the environment.

Black box

What input validation approach works to exclude prohibited input?

Blacklisting

Alice would like to send a message to Bob using RSA encryption. What key should she use to encrypt the message?

Bob's public key

What type of attack seeks to write data to areas of memory reserved for other purposes?

Buffer overflow

As Dave works with his colleagues in other IT disciplines, he notices that they use different names to refer to the same products and vendors. Which SCAP component would best assist him in reconciling these differences?

CPE (Common Platform Enumeration)

What technology can you use to tell clients that a certificate is unlikely to change over time?

Certificate pinning

In the early 1990s, the NSA attempted to introduce key escrow using what failed technology?

Clipper chip

CCE

Common Configuration Enumeration

CPE

Common Platform Enumeration

CVE

Common Vulnerabilities and Exposures

CVSS

Common Vulnerability Scoring System

The reuse of passwords across multiple sites makes an individual susceptible to ______ attacks?

Credential stuffing

Alan is analyzing his web server logs and sees several strange entries that contain strings similar to "../../" in URL requests. What type of attack was attempted against his server?

Directory traversal

What attack technique wraps malicious code around a legitimate driver?

Driver shimming

Which one of the following encryption approaches is most susceptible to a quantum computing attack? a. quantum cryptography b. RSA cryptography c. AES cryptography d. Elliptic Curve Cryptography

Elliptic Curve Cryptography

What operation uses a cryptographic key to convert plaintext into ciphertext?

Encryption

What type of digital certificate offers the highest possible level of trust?

Extended Validation (EV)

XCCDF

Extensible Configuration Checklist Description Format

Companies should always manage bug bounty programs internally. True or False

False

Database normalization should always be used to improve database security True or False

False

Removing names and identification numbers is usually all that is necessary to deidentify a dataset True or False

False

The DevOps model prioritizes development efforts over operational tasks. True or False

False

Static code testing software executes code to verify that it is functioning properly. True or False

False *Static code testing software does NOT execute code, only analyzes it

The analysis of adversary TTP includes tools, techniques, and policies. True or False

False Correct definition of TTP includes tools, techniques and *procedures

Jason recently investigated a vulnerability discovered during a scan and, after exhaustive research, determined that the vulnerability did not exist. What type of error occurred?

False Positive

What type of attacker is primarily concerned with advancing an ideological agenda?

Hacktivist

What is a common command and control mechanism for botnets?

IRC (Internet Relay Chat)

What type of organization facilitates cybersecurity information sharing among industry-specific communities?

ISAC

What is the most effective defense against cross-site scripting attacks?

Input validation

What action can users take to overcome security flaws in RC4?

It is not possible to use RC4 securely.

______ consist of shared code objects that perform related functions.

Libraries

What type of malware delivers its payload only after certain conditions are met?

Logic bomb

Maloof would like to digitally sign a message that he is sending to Clementine. What key does he use the create the digital signature?

Maloof's private key

What type of fuzz testing captures real software input and modifies it?

Mutation Fuzzing

Alice would like to be able to prove to Charlie that a message she received actually came from Bob. What cryptographic goal is Alice trying to enforce?

Non-repudiation

Harold works for a certificate authority and wants to ensure that his organization is able to revoke digital certificates that it creates. What is the most effective method of revoking digital certificates?

Online Certificate Status Protocol

OVAL

Open Vulnerability and Assessment Language

What is the first step of a Fagan inspection?

Planning

Matt would like to limit the tests performed by his vulnerability scanner to only those that affect operating systems installed in his environment. Which setting should he modify?

Plug-ins

What language is commonly used to automate the execution of system administration tasks on Windows systems?

PowerShell

What type of AI technique is most commonly associated with optimization?

Prescriptive Analytics

In what technique do attackers pose as their victim to elicit information from third parties?

Pretexting

Dan is engaging in a password cracking attack where he uses precomputed hash values. What type of attack is Dan waging?

Rainbow table

CryptoLocker is an example of what type of malware?

Ransomware

What component of a change management program includes final testing that the software functions properly?

Release management

What security technology best assists with the automation of security workflows?

SOAR

Which of the following is a standardized language used to communicate security information between systems and organizations? a. ISAC b. OVAL c. STIX d. CVSS

STIX

In what type of social engineering attack does the attacker physically observe the victim's activity?

Shoulder Surfing

What type of website does the attacker use when waging a watering hole attack?

Site trusted by the end user

What device is often used in card cloning attacks?

Skimmer

What software development methodology uses four stages in an iterative process?

Spiral

Jasmine comes across a file sent out of her organization that she suspects contains proprietary trade secrets but appears to be an innocuous image. What technique might the sender have used to hide information in the image?

Steganography

In a cybersecurity exercise, what team is responsible for serving as moderators?

White Team

Where do fileless viruses often store themselves to maintain persistence?

Windows Registry

What standard governs the structure and content of digital certificates?

X.509

Which one of the following metrics does not contribute to the Exploitability score for a vulnerability in CVSS? a. Confidentiality b. User Interaction c. Attack Vector d. Attack Complexity

a. Confidentiality Reason: Confidentiality shows IMPACT not EXPLOITABILITY

Which one of the following is an example of an in-band approach to key exchange? a. Diffie-Hellman b. U.S. mail c. Physical meeting d. Phone call

a. Diffie-Hellman

Which one of the following is not an effective defense against XSRF attacks? a. Network segmentation b. User education c. Preventing the use of HTTP GET requests d. Automatic logouts

a. Network segmentation

Renee is creating a prioritized list of scanning targets. Which one of the following is the least important criteria for her prioritization? a. Operating System b. Targets c. Type of Scan d. None of these are low priority

a. Operating System

Which one of these file extensions is always associated with certificates stored in binary form? a. PFX b. PEM c. P7B d. CRT

a. PFX

Randy is developing a vulnerability management program. Which one of the following is not a common source of requirements for such a program? a. Sales team requests b. Legal requirements c. Security objectives d. Corporate policy

a. Sales team requests

Which one of the following is NOT critical to the security of one time pad operations? a. using AES in conjunction with the one-time pad b. choosing the key at random c. securely exchanging the pads d. only using the pad one time

a. using AES in conjunction with the one-time pad

Which one of the following is not a standard application hardening technique? a. Apply security patching b. Conduct cross-site scripting c. Validate user input d. Encrypt sensitive information

b. Conduct cross-site scripting

Helen has vulnerability scanners located at several points on her network. Which one of the following scanners is likely to provide the most complete picture of the vulnerabilities present on a public web server? a. Public Scanner b. DMZ Scanner c. Rough Scanner d. BNC Scanner

b. DMZ Scanner

Which one of the following issues is not generally associated with the use of default configurations? a. extraneous services running b. SQL injection flaws c. open ports d. vendor-assigned passwords

b. SQL injection flaws

Which one of the following is not a barrier to using the web of trust (WoT) approach? a. Technical knowledge required of users b. Use of weak cryptography c. Decentralized approach d. High barrier to entry

b. Use of weak cryptography

What basic cryptographic functions does the AES algorithm use to encrypt plaintext?

both substitution and transposition

Which of the following is an example of an open-source intelligence resource? a. social media b. vulnerability databases c. all of these answers d. security websites

c. all of these answers

Which one of the following controls is not particularly effective against insider threats? a. least privilege b. background checks c. firewalls d. separation of duties

c. firewalls

Data breaches violate which principle of cybersecurity?

confidentiality

What type of object must a hacker typically access in order to engage in a session hijacking attack?

cookie

Which one of the following technologies is an example of a parameterized query? a. Output encoding b. Masked identifier c. Hashed identifier d. Stored procedure

d. Stored Procedure

Which of the following is a race condition attack? a. SQLi b. XSRF c. XSS d. TOC/TOU

d. TOC/TOU

Developers wishing to sign their code must have a ______

digital certificate

When you communicate over the Tor network, which of the following entities do you communicate with directly? a. entry node b. delivery node c. destination server d. Network node

entry node

What is the simplest way to take an existing cipher and make it stronger?

increase the length of the encryption key

What condition occurs when a software package fails to release memory that it reserved for use?

memory leak

The difficulty of solving what mathematical problem provides the security underlying the Diffie-Hellman Algorithm?

prime factorization

What key is actually used to encrypt the contents of a message when using PGP?

randomly generated key

If Alice wants to send a message to Bob using symmetry cryptography, what key does she use to encrypt the message?

shared secret key

What type of malware can spread without user interaction?

worm


Conjuntos de estudio relacionados

Microbiology Chapters 16, 17, 18, 19, 20, 21

View Set

Developmental Neurobio Final Review

View Set

Bonds, Loans, and Interest Rates

View Set

Chapter 11- Metal Casting Process

View Set