Question_Ans
Which of the below choices should an organization start with when implementing an effective risk management process? A. Implement an incident response plan B. Define security policy requirements C. Conduct periodic reviews D. Design controls and develop standards for each technology you plan to deploy
B. Define security policy requirements
What type of attack can be performed against a wireless network using the tool Kismet? A. IP spoofing B. Eavesdropping C. Masquerading D. Denial of Service
B. Eavesdropping
What is the main reason that DES is faster than RSA? A. DES is less secure. B. DES is implemented in hardware and RSA is implemented in software. C. Asymmetric cryptography is generally much faster than symmetric. D. Symmetric cryptography is generally much faster than asymmetric.
D. Symmetric cryptography is generally much faster than asymmetric.
What is the unnoticed theft of sensitive data from a laptop owned by an organization's CEO an example of in information warfare? A. Non-zero sum game B. Win-win situation C. Zero-sum game D. Symmetric warfare
D. Symmetric warfare
You are an Intrusion Detection Analyst and the system has alerted you to an Event of Interest (EOI) that appears to be activity generated by a worm. You investigate and find that the network traffic was normal. How would this type of alert be categorized? A. False Positive B. True Negative C. True Positive D. False Negative
A. False Positive
Which of the following is an advantage of an Intrusion Detection System? A. It is a mature technology. B. It is the best network security. C. It never needs patching. D. It is a firewall replacement.
A. It is a mature technology.
One of your Linux systems was compromised last night. According to change management history and a recent vulnerability scan, the system's patches were up-to-date at the time of the attack. Which of the following statements is the Most Likely explanation? A. It was a zero-day exploit. B. It was a Trojan Horse exploit. C. It was a worm exploit. D. It was a man-in-the-middle exploit.
A. It was a zero-day exploit.
Which of the following is a type of countermeasure that can be deployed to ensure that a threat vector does not meet a vulnerability? A. Prevention controls B. Detection controls C. Monitoring controls D. Subversive controls
A. Prevention controls
What file instructs programs like Web spiders NOT to search certain areas of a site? A. Robots.txt B. Restricted.txt C. Spider.txt D. Search.txt
A. Robots.txt
Which of the following is an Implementation of PKI? A. SSL B. 3DES C. Kerberos D. SHA-1
A. SSL
Which of the following is a required component for successful 802.1X network authentication? A. Supplicant B. 3rd-party Certificate Authority C. Ticket Granting Server (TGS) D. IPSec
A. Supplicant
When a host on a remote network performs a DNS lookup of www.google.com, which of the following is likely to provide an Authoritative reply? A. The local DNS server B. The top-level DNS server for .com C. The DNS server for google.com D. The root DNS server
A. The local DNS server
If a DNS client wants to look up the IP address for good.news.com and does not receive an authoritative reply from its local DNS server, which name server is most likely to provide an authoritative reply? A. The news.com domain name server B. The .com (top-level) domain name server C. The .(root-level) domain name server D. The .gov (top-level) domain name server
A. The news.com domain name server
True or False: Command injection is possible due to improper filtering of potentially harmful characters passed to the system() function.
True
True or False: Log formatting from various types of systems is problematic for SIEM products.
True
What is the name of the protocol used in IPv4 when the MAC address of a system is needed in order to build the frame header? a. ARP b. DHCP c. MPLS d. OSPF
a. ARP
Which of the following about BitLocker is true? a. BitLocker can be disabled temporarily for BIOS changes. b. BitLocker can support the use of SecureID Tokens. c. BitLocker cannot run without a TPM. d. BitLocker was not available until Windows 7. e. None of the above
a. BitLocker can be disabled temporarily for BIOS changes.
Which of the following would prevent a negative event from occurring at the host level? a. HIPS b. NIPS c. HIDS d. NIDS
a. HIPS
What type of steganography relies on filling up slack space? a. Injection b. Substitution c. Generation d. Downgrade
a. Injection
Group Policy Objects are applied when? a. Logoff b. Prior to a Backup c. Before installing an application d. Every 12 hours
a. Logoff
Which of the following offers little protection to wireless networking? a. MAC Address Access Filtering b. 802.1x c. WPA-2 d. VPN
a. MAC Address Access Filtering
Which of the following are the most common ways to administratively allow an IDS to see all traffic on a switch? (Choose Two) a. Network Tap b. MAC Address Flooding c. ARP Cache Poisoning d. SPAN Port
a. Network Tap d. SPAN Port
Which of the following is a public key encryption algorithm? a. RSA b. 3DES c. AES d. RC4
a. RSA
Which of the following could be described as a high-level strategic document focused on technology? a. Standard b. Policy c. Procedure d. Baseline e. Guideline
a. Standard
Which one of the following protocols permitted through a firewall would generate the most concern to a Security Professional? a. Telnet b. IKE c. SSL d. HTTP
a. Telnet
Which of the following is NOT true? a. DRP is a part of BCP b. MTD is the primary output metric of the BIA c. Lack of testing is a top BCP planning mistake d. DRP focuses on identifying problems and proactively fixing them before they occur
b. MTD is the primary output metric of the BIA
Which of the following is an illegal TCP flag combination? a. SYN, ACK b. SYN, RST c. ACK, PSH d. ACK, RST
b. SYN, RST
When generating a digital signature, the hash of the clear text message is signed by which of the following: a. Sender's Public Key b. Sender's Private Key c. Recipient's Public Key d. Recipient's Private Key
b. Sender's Private Key
___________ is calculated by multiplying the asset value by the exposure factor. a. Annual Rate of Occurrence (ARO) b. Single Loss Expectancy (SLE) c. Annual Loss Expectancy (ALE) d. Return On Security Investment (ROSI)
b. Single Loss Expectancy (SLE)
Which of the following is of least concern to the IDS monitoring team? a. False Positive b. True Negative c. True Positive d. False Negative
b. True Negative
What "type" of password is trivial for Cain & Abel to decode? a. Type 9 b. Type 7 c. Type 1 d. Type 11
b. Type 7
Which of the following keeps track of currently logged in users? a. wtmp b. btmp c. utmp d. rtmp
b. btmp
Which of the following package managers is the default for most Debian Linux operating systems? a. apt b. yum c. dpkg d. rpm
b. yum
Which of the following indicates a file when running the ls command? a. drwxr-xr-x b. -rwxr-xr-x c. lrwxr-xr-x d. +rwxr-xr-x
b. -rwxr-xr-x
Which of the following permissions would allow read access by anyone? a. 763 b. 743 c. 664 d. 641
c. 664
How many bytes are being transferred in this packet? 11:30:45.363878 IP 192.168.0.102.1134 > 151.151.111.9.443: P 44760:44843(83) ack 42899 win 63464 a. 44760 b. 63464 c. 83 d. 44843
c. 83
Which of the following is NOT a user right? a. Debugging b. Backup c. Change Access d. Take Ownership
c. Change Access
Which of the following is NOT used to start services on a Linux system? a. Systemd b. Modprobe c. Init d. Upstart
c. Init
Which of the following is typically the fastest password cracking method? a. Dictionary Attack b. Brute Force Attack c. Rainbow Tables d. Hybrid Attack
c. Rainbow Tables
Which of the following operating systems requires a license? a. Kali b. Ubuntu c. Red Hat d. Fedora
c. Red Hat
From a multi-factor authentication perspective, which of the following is an example of "something you have"? a. Password b. Username c. Smart Card d. Fingerprint
c. Smart Card
Active Directory was introduced in which Windows OS? a. NT 4.0 b. Server 2008 c. Windows 2000 Server d. Windows 10
c. Windows 2000 Server
Which of the following tools changes the root of the file system from the perspective of an application, but was not initially designed as a security control? a. BSD Jail b. Solaris Container c. grsecurity d. chroot
c. grsecurity
A network administrator needs to disable World Wide Web Publishing on all desktops in the domain. What tool will allow this task to be completed quickly with minimal effort? (A) SC.EXE (B) Group Policy (C) Services Tool (D) PowerShell
(B) Group Policy The System Services section of a GPO is more-or-less the Services applet; here you can disable any service you want, and that service will be disabled on all the systems to which the GPO applies. The Services Tool itself is scaled out through the System Services section of the GPO. PowerShell and SC.EXE can be scripted, but that would require more work than using Group Policy. SC.EXE is available through a resource kit and may not be installed on all desktops in the domain.
A security minded Linux administrator is carving out separate partitions for some key logical file systems. Which of the following can be safely mounted as read only? (A) /usr (B) /home (C) /var (D) /dev
(A) /usr /usr is the place where most of the critical components of the operating system live, including system binaries, programming libraries and tools, and online documentation. You can think of this directory structure as being read-only after the operating system is loaded; not many changes under /usr should occur unless the operating system is upgraded or patches are installed. /var is the place where the system keeps frequently changing data, such as log files and temporary queues for system services such as email and printing. /var is for logs that will need to be written to. /home is for users, and users will need to write to their home directories. /dev is for device files, including the system disk drives, some of which will need to be written to in order to function.
In which directory can executable programs that are part of the operating system be found? (A) /usr/bin (B) /dev (C) /home (D) / (E) /var/lib
(A) /usr/bin Although programs provided with the operating system end up in directories like /usr/bin and /usr/sbin, other programs can be found throughout the system. A standard convention is to put third-party software obtained from the Internet into the /usr/local directory. SYSV-derived systems, such as Solaris and HP-UX, often put third-party software (particularly commercial software) into /opt. Different sites may choose to use a different directory naming scheme for third-party software, however, such as /pkg or /sw.
Which of the following is an advantage of a Host Intrusion Detection System (HIDS) versus a Network Intrusion Detection System (NIDS)? (A) Ability to detect malicious traffic after it has been decrypted by the host (B) Ability to detect malicious traffic before it has been decrypted (C) Ability to listen to network traffic at the perimeter (D) Ability to decrypt network traffic
(A) Ability to detect malicious traffic after it has been decrypted by the host Notably, a Host Intrusion Detection System (HIDS) does not suffer from the same restrictions of the Network Intrusion Detection System (NIDS) when processing encrypted traffic, since the HIDS can process the traffic after it is unencrypted by the host.
Which of the following is used to protect passwords from successful pre-computation attacks? (A) Adding a random value to a password before hashing (B) Configuring account lockout after failed login attempts (C) Using a strong key with AES to encrypt passwords (D) Storing private keys separate from password values
(A) Adding a random value to a password before hashing By pre-computing hashes of possible passwords and storing the results in a database or table, matching hashes with passwords is only a matter of searching through the pre-computed tables. Adding a random value, or a salt, to a password hash makes this process much more difficult for the attacker. As pre-computation attacks are offline attacks, lockout thresholds don't apply. Pre-computation attacks are not typically associated with symmetric encryption.
Which of the following is a characteristic of a cookie? (A) Can keep track of user authentication data and application session state (B) Can contain data which the web server searched for and found on the user's hard drive (C) Sent using SSL when the browser initially sets the optional secure flag (D) Editable by users when stored on the hard drive, but not when residing in memory (E) Set when the browser adds the set-cookie header to one of its requests
(A) Can keep track of user authentication data and application session state Cookies normally keep track of user authentication data and the session state of the application. They are set when the server adds the set-cookie header to one of its responses. The web server does not search a client's hard drive to find information to put into cookies, the user provides the web server with that type of information. The server can set an optional secure flag on a cookie to notify the browser to send it only using SSL. Cookies can be edited when they are on the hard drive, or in memory using a proxy like Paros or ZAP.
If a Windows user wanted to run basic Linux commands in his native environment, which of the following tools/software would he need to install? (A) Cygwin (B) GIMP (C) Ninite (D) Parallels
(A) Cygwin Cygwin consists of GNU and Open Source tools which provide Linux functionality on Windows. Ninite is a package management system for Windows. Parallels is software which provides virtualization on Macintosh computers. GIMP, or GNU Image Manipulation Program, is a program used for photo retouching, image composition, etc.
You've enabled egress traffic filtering on your organization's firewall. This action would help you prevent or eradicate which of the following incidents? (A) Four unknown computers on your network are part of a distributed Denial of Service attack against an external website. (B) A competitor is spoofing the email address of several employees in your organization, causing those employees to receive replies to emails they never sent. (C) An unknown employee downloaded confidential information from the accounting file server to his office computer and saved the data to a thumb drive. (D) An attacker from the Ukraine used an SQL injection technique on your website's order form, which inserted an unauthorized record into your customer database.
(A) Four unknown computers on your network are part of a distributed Denial of Service attack against an external website. With egress traffic filtering turned on, you can prevent or identify the four unknown computers participating in the DoS attack against an external website. Because the accounting data leakage incident occurred entirely on the organization's internal network, egress filtering would not prevent or eradicate the incident. The SQL injection attack relies on ingress (inbound) traffic to your public website, so egress (outbound) filtering would not prevent this incident. Spoofing an employee's email address occurs entirely outside of your network, so egress filtering would not prevent it.
A security analyst is preparing a vulnerability assessment against her organization's network. Which is the appropriate first step? (A) Get signed permission from the data owner (B) Configure the scanning tool for passive activity (C) Determine which hosts are in-scope for the scan (D) Get a network diagram from the administrator
(A) Get signed permission from the data owner The difference between a penetration tester and an attacker is permission! Be sure you have it. If you are just now coming up with a scanning policy in your organization, get written permission from the highest level possible in your organization (like your Chief Information Officer).
Which of the following is considered a recommended practice but not a business requirement? (A) Guideline (B) Standard (C) Baseline (D) Procedure
(A) Guideline Guidelines, unlike standards and policies, are not mandatory. Guidelines are more of a recommendation of how something should be done.
Where are most of the configuration settings for a Windows computer's hardware, operating system, applications and its user's preferences stored? (A) In the registry (B) In %SystemRoot% (C) In the Local Administrator's directory (D) At a local copy of the SAM database
(A) In the registry Virtually all configuration settings for the computer's hardware, operating system, applications and its users' preferences are stored in a special miniature database called the "registry".
Which of the following is a characteristic of a Windows NT File System (NTFS)? (A) The CHKDSK.EXE program is run automatically after a power failure or Blue Screen of Death (B) Permissions on a file or folder are not enforced when that object is accessed using FTP (C) Allow permissions take precedence over Deny permissions on a file or folder (D) The driver does not provide compression on the file system, a separate application is required
(A) The CHKDSK.EXE program is run automatically after a power failure or Blue Screen of Death NTFS uses transaction-oriented processing on write operations to keep the file system in a consistent state, even after a power failure or Blue Screen of Death. In these cases, the system runs chkdsk.exe when the machine reboots. If a user is a member of two groups with conflicting permissions on a file or folder, DENY always takes precedence over ALLOW. On NTFS, file and folder permissions are always enforced by the operating system regardless of how the file is accessed. Compression is provided by the NTFS driver; no third-party application is required.
What is the preferred method of setting up decoy ports on a server? (A) Use software which makes ports appear to be open but is not related to the real services (B) Enable the actual services for the decoy ports and then keep them patched and up to date (C) Set up the host to use a very small window size to manage flow control to the ports (D) Configure a host-based firewall to respond with RST packets when the decoy port is the destination port
(A) Use software which makes ports appear to be open but is not related to the real services To set up decoy ports, the systems administrator should not enable the actual services. Even if fully patched, each additional service would make the system more vulnerable. Installing software which makes the ports appear to be open but is not running the actual services is a better option. Another recommended option is to set up a gateway device which would lead an outsider to believe more ports were open. Configuring a host-based firewall to send reset packets for ports would not give the illusion that the ports were open. Changing the window size to manage flow control could be used to tie up an attacker's resources, but would have nothing to do with decoy ports.
You discover that the password hashes on your system are a combination of the hash of the base password, the username, the domain name and the client and server challenges. This technique for handling passwords is best described by which of the following: (A) a method used by Windows to prevent generic password precomputation attacks (B) a method used by Windows to prevent LAN MAN passwords from being broken into easily decrypted 7-character chunks (C) a method for ensuring minimum password complexity on the Linux operating system (D) a method for ensuring minimum password complexity on the macOS operating system
(A) a method used by Windows to prevent generic password precomputation attacks The inclusion of a hash of the base password with other data (such as the user and domain names) into the password hash is a technique used in NTLMv2 in Windows to defend against generic pre-computation attacks. Linux systems use a method that is similar in concept, but rather than incorporating the same information that Windows systems use (i.e., domain names, etc.), Linux uses random strings to "salt" the hashes. This generates unique hashes, even if two given passwords are the same. This particular method is used on Windows, not on the Mac operating system. This method is used to improve the security of NTLMv2 passwords, not LAN MAN passwords.
An attacker performs a scan of all ports on a device and receives SYN/ACK responses on every port. What could be the cause of this? (A) A DNS sink hole (B) A network device with decoy ports (C) A routing loop on the device (D) A crashed system that was set to fail open
(B) A network device with decoy ports An implementation of active defense is to set up decoy ports on network devices: instead of responding with a RST packet for ports that are not open, the device responds with a SYN/ACK to any request aimed at them. This can significantly slow down an attacker, not only because their scan will take longer to complete, but also because they'll have to vet each individual port to see if it actually is open.
How is a TCP/IP Packet generated as it moves down through the TCP/IP stack? (A) Application Layer -> Internet Layer -> Transport Layer -> Network Layer (B) Application Layer -> Transport Layer -> Internet Layer -> Network Layer (C) Network Layer -> Transport Layer -> Internet Layer -> Application Layer (D) Network Layer -> Internet Layer -> Transport Layer -> Application Layer
(B) Application Layer -> Transport Layer -> Internet Layer -> Network Layer As a packet is generated the packet goes from the Application Layer to the Transport Layer to the Internet Layer and finally to the Network Layer.
A pen tester found a page on the secured website she was testing that allowed her to access the site's content without asking for a login. What is the term for what she discovered? (A) One-time pad (B) Authentication bypass (C) Hidden form field (D) Brute force attack
(B) Authentication bypass An authentication bypass attack avoids accessing the authentication mechanism. An attacker might know or be able to guess the names of files or folders related to the web application that do not check for proper authentication before displaying the page. In this case, the attacker will try to type these addresses into his browser without first authenticating through the login page. Brute force attacks repeatedly try username/password combinations, changing a value with each attempt, trying to discover a set that works. One-time pad authentication schemes rely on something you have - the user is generally provided a list of one-time passwords, or a bingo card style grid they can use to create a one-time password for each authentication attempt. Hidden fields within a website are fields that are never displayed to the user.
What is the set of NTFS permissions on a folder or file called? (A) ACE (B) DACL (C) XCACL (D) SACL
(B) DACL A set of NTFS permissions on a folder or file is called a "Discretionary Access Control List (DACL)".
The perimeter firewall blocks 3389/tcp as RDP is not used within the organization. An attacker bypasses the perimeter and uses a 0-day vulnerability in RDP to pivot inside the organization. Which is the best option that would have prevented the pivot? (A) Install all RDP patches to clients on the network (B) Disable RDP in Group Policy updates (C) Use a smartcard SSO system for RDP (D) Require 128-bit RC4 for the service
(B) Disable RDP in Group Policy updates Removing unused services is the best way of ensuring they are not exploited. Zero-day vulnerabilities are always a possibility, so patching or securing a service you do not use is not the best option; disabling it is.
What could a systems administrator do to protect data in a virtualized cloud environment? (A) Build on third party application programming interfaces (B) Encrypt the snapshots of the virtual machines (C) Avoid using data fragmentation for public servers (D) Apply the same security patches to the hypervisor and virtual machines
(B) Encrypt the snapshots of the virtual machines Encrypting VM snapshots helps prevent them from being stolen or cloned. If an attacker is able to access a snapshot, he would have access to the data for that particular VM. Depending on the security of a third-party API, and then building upon it, increases risk and is not a sound security practice. Oftentimes in a virtual environment, the hypervisor is running a different OS than the virtual machines. In that case, an administrator could not apply the same patches to different OSes. Data fragmentation in a cloud environment is splitting a file over multiple locations so that a user (or attacker) has to get a certain number of file fragments in order to read the file. This is a security enhancement.
What defensive measure could have been taken that would have protected the confidentiality of files that were divulged by systems that were compromised by malware? (A) Monitoring for abnormal traffic flow (B) Encrypting the files locally when not in use (C) Installing file integrity monitoring software (D) Ingress filtering at the host level
(B) Encrypting the files locally when not in use Egress filtering, not ingress, may have prevented some files from getting out, but the best guarantee of preserving the confidentiality of files is to store them in encrypted form, so that even if they do get exposed, they cannot be exploited.
What alert types are a nuisance with IDS technology, but a much more significant problem with IPS technology? (A) True Negative (B) False Positive (C) True Positive (D) False Negative
(B) False Positive Where false-positive detects can be a nuisance with IDS technology, they are a much more significant problem in IPS technology.
Which of the following characterizes UDP as compared to TCP? (A) Guaranteed delivery (B) Faster (C) More complex (D) Connection oriented
(B) Faster UDP is a simpler protocol than TCP which also makes it faster. UDP is a connectionless protocol and is used when a small amount of packet loss is acceptable.
What is Advanced Application Shielding as it pertains to HIPS software? (A) Preventing an application from accessing a system resource (B) Isolating an application so it can't interact with other applications (C) Stopping malicious network traffic from accessing a listening application (D) Preventing a compromised system binary from accessing an application
(B) Isolating an application so it can't interact with other applications Advanced Application Shielding sandboxes, or isolates, a local application so it can't interact with another application. Preventing an application from accessing a system resource is system call interception. Sandboxing occurs locally, not over the network. An HIPS could identify a compromised system binary through file integrity checking, but that is not Advanced Application Shielding.
In a non-proprietary cryptosystem, which component is most likely to be compromised? (A) Ciphertext (B) Key (C) Message digest (D) Algorithm
(B) Key Good cryptography is very strong and usually hard to break, but humans are still involved in managing and controlling the key. Cryptographic keys are simply values used to initialize a particular algorithm. The important aspect of keys regarding cryptosystems is that only the key, not the algorithm, needs to be protected. That protection is provided by humans, who introduce uncertainty into how effectively the key is protected. Also, the keyspace (size of the key) determines the likelihood of a successful brute force attack. Algorithms are often widely distributed and their internal workings publicly documented. The message digest - the result of a hash - is by design strong. Hash collisions, in which two files produce the same message digest using the same algorithm, are rare. By design, in good cryptography ciphertext is very difficult to crack.
What is one obstacle to successfully spoofing a TCP connection? (A) Reliable authentication on the local host (B) Predicting the Initial Sequence Number (ISN) that the destination host will choose (C) Predicting the initial window size that the remote host will use for the connection (D) Getting detected by the authentication service
(B) Predicting the Initial Sequence Number (ISN) that the destination host will choose When spoofing a connection, ACKs (connection request replies) do not go back to the attacker. The ACK, however, has the ISN, a large number which uniquely identifies the connection and without which spoofing will fail. So to complete the connection, the attacker needs to somehow figure out the correct ISN. This is non-trivial... unless you are clever.
There are three key factors in selecting a biometric mechanism. What are they? (A) Encryption strength, authorization method, and cost (B) Reliability, user acceptance, and cost (C) User acceptance, encryption strength, and cost (D) Reliability, encryption strength, and cost
(B) Reliability, user acceptance, and cost The key factors in selecting a biometric mechanism are usually reliability, user acceptance, and cost.
Some of your users are complaining that they cannot access web sites and email. They are able to SSH to your corporate SSH gateway at 10.10.10.13, and ping their local gateway 10.10.10.24. What port (TCP and UDP) is the users' host based firewall blocking that would cause this behavior? (A) The firewall is blocking port 35 (B) The firewall is blocking port 53 (C) The firewall is blocking port 23 (D) The firewall is blocking port 32
(B) The firewall is blocking port 53 The fact that the users are able to ping multiple IP addresses indicates that this is not a network connectivity problem. Before the clients can connect the computer must convert the domain name to an IP address. This is generally done via the DNS service. The DNS service typically runs on TCP and UDP port 53 (UDP for queries, TCP for zone transfers). Port 23 is used for Telnet. The other ports are not typically found on most networks.
A security administrator downloads a template from NIST and applies it to user workstations. Complaints about not being able to access some network services soon flood the helpdesk. Which of the following choices is the most likely cause of the incident? (A) The firewall doesn't recognize changes made by the template (B) The template needs to be customized for the network (C) NIST templates are designed for stand alone systems (D) Security configurations need to be built on the individual machines
(B) The template needs to be customized for the network Security templates may have to be customized to fit a specific network, as not everything can be taken into account. An administrator must know their own network, but they don't have to start from scratch.
Which of the following is characteristic of a procedure? (A) Sets a starting point (B) Presents a recommendation (C) Addresses the how to do it (D) Addresses the what to do
(C) Addresses the how to do it Procedures address the HOW to do it; are referenced when having trouble following the policy; are detailed and step by step; and are tactical. Policies address the WHAT to do; are read cover to cover; are concise and focused; and are strategic - high level. Guidelines present a recommendation as they are neither binding nor enforceable. Baselines set a starting point for comparison. Procedures are derived from policies; if you can characterize the procedures you follow (and you should be able to do that easily), then you can derive the parent policy. This is true even if it has not yet been written and signed. By walking through the who, what, when, where, and why, the parent policy is derived from an understanding of the procedure.
Which of the following is a characteristic of public key crypto algorithms? (A) No key encryption (B) 1-key encryption (C) Asymmetric key (D) Symmetric key
(C) Asymmetric key Public key crypto algorithms are asymmetric and have a dual or 2-key encryption scheme.
Idaho Taco Company has decided they want to deploy a honeypot to detect potential attack traffic against their public facing web server. Which network segment would be best suited for the placement of the honeypot? (A) Research & Development (B) File Storage (C) DMZ (D) Userland
(C) DMZ When using honeypots to detect potential attack traffic, it is best to patch the honeypots to similar levels as the target system and to place them on the same network segment.
Which of the following should be ensured before initiating a vulnerability scan? (A) Ensure that all denial of service filters are enabled (B) Ensure that the entire network is configured to be assessed at the same time (C) Ensure that IT staff and system owners have plenty of warning (D) Ensure that only commercial vulnerability scanners are utilized
(C) Ensure that IT staff and system owners have plenty of warning You should also be sure to give people plenty of warning before starting your scan. Things can go very wrong when you are scanning. Scans often crash systems, and people will be a lot more forgiving if you warn them ahead of time and make sure it is easy for them to find you.
Which of the following is a steganographic technique that places information into unused areas of a carrier file? (A) Generation (B) Permutation (C) Injection (D) Substitution
(C) Injection Injection is a steganography technique that places information into "holes," or unused areas of the file. Substitution is a popular steganography technique used to hide data in a host file. The concept is that elements are replaced on a bit-by-bit basis with information that is being hidden in the host document. Substitution also covers some cryptographic techniques. Arbitrary substitution requires a mapping for every character in the alphabet. An alternate substitution method that does not require mapping is rotation. Permutation, also called transposition, shuffles the order in which characters (or bytes) appear. Generation is another steganography technique that involves the actual generation of a new file from the data to be hidden. This is the only form of stego where a carrier isn't needed beforehand. A carrier file is needed, but it is generated on the fly by the stego program. The carrier file is actually created from the source information to be concealed. This can be used to generate such output as readable text or fractals. With each unique input file, a completely new and unique output file is generated.
What type of network design is needed to understand how network traffic is flowing in and out of an organization? (A) Virtual (B) Netflow (C) Logical (D) Conceptual
(C) Logical A logical design gives a more detailed view of the conceptual network design which will include major components such as business usage labels and specific application names. The logical architecture design can give you a clear understanding of how and where data is communicating in and out of your network. Conceptual design is an abstract view of the network that gives an understandable picture of the network. Virtual network designs are network designs that only outline the interconnection of virtual machines within an organization or data center.
What technique do Network Intrusion Prevention Systems use to identify host operating systems, network architecture, and vulnerabilities present on the network? (A) Protocol Scrubbing (B) Application Behavior Monitoring (C) Passive Analysis (D) Anomaly Analysis
(C) Passive Analysis In order to help the NIPS identify false-positive traffic, vendors make use of passive analysis techniques to identify host operating systems, network architecture and what vulnerabilities are present on the network. Once this information is gathered, the NIPS can use it to classify attacks against internal systems based on their operating system and vulnerabilities.
In keeping with the Principle of Least Privilege, which of the following NTFS group permissions should be assigned for Authenticated Users? (A) Encrypt & save (B) Create (C) Read & execute (D) Write
(C) Read & execute Principle of Least Privilege is this: Grant users the fewest permissions and privileges possible that still allow them to get their legitimate work done, but grant no more than that. If you're not sure where to start, a reasonable default set of permissions would be Full Control for System, Administrators and CREATOR OWNER, and just Read & Execute for Authenticated Users. In a more lax environment, you might grant Modify to Authenticated Users, which would also allow editing and deleting files.
A company allows RDP to be used for remote management of specific servers on the network. An attacker uses a Helpdesk employee's stolen credentials to remotely access a file server that is not on the list of approved RDP servers. Which security control would have prevented this attack vector? (A) Centralized logging (B) Anti-malware signatures (C) System hardening (D) Patch management
(C) System hardening Disable any and all services that are not essential to a system's function. Many operating systems come with unnecessary services installed and enabled out of the box, which can place a system at immediate risk once connected to a network. By carefully selecting options during installation and routinely auditing systems for unnecessary services or applications, risk can be significantly reduced.
A user with local admin rights on a computer that is a member of a domain sets the group policy on their machine to allow a service not allowed in the domain group policy. After the user returns 2 hours later the service is disabled. Why is the service disabled? (A) A domain administrator noticed the discrepancy and restored the setting (B) Local GPO changes cannot enable services that are not enabled in the domain group policy (C) The domain GPO overwrote the local GPO when the system checked for updates (D) Local GPO changes only last for 1 hour
(C) The domain GPO overwrote the local GPO when the system checked for updates The computer will check for a group policy update every 90 minutes by default for the domain and overwrite the local versions.
Which of the following is a trait of persistent cookies? (A) Additional authentication could be required to establish a session (B) They are stored in memory (C) They can create privacy concerns (D) They are the preferred mechanism to track web session state
(C) They can create privacy concerns Persistent cookies can create privacy concerns. Persistent cookies are stored on the disk. Because of this they create security concerns when used to track session state and additional authentication is required to establish a session.
Which of these log-monitoring detections is the highest priority security event for the log analyst performing daily log review? (A) Connections denied by the firewall (B) Web browsing to non-work-related websites (C) Unauthorized configuration changes (D) Collection of baseline data from a new logging source
(C) Unauthorized configuration changes Unauthorized configuration changes are indicators of compromise, and so should be investigated promptly. The remaining answers are tasks that typically are dealt with monthly or quarterly if at all.
What is a recommended action to take to make a wireless network more secure? (A) Implement per-packet authentication per the wired equivalency protocol spec (B) Implement MAC based access control on the Access Points (C) Use network authentication software like PEAP or TTLS (D) Use equipment which generates a strong signal to reduce interference (E) Configure the Access Points to hide or cloak the SSID
(C) Use network authentication software like PEAP or TTLS To prevent an attacker from spoofing the identity of an access point or legitimate node, an administrator can implement software like PEAP or TTLS which requires mutual authentication. If a wireless network is configured to hide or cloak its SSID, all an attacker has to do is sniff packets and wait until a client authenticates. Then he can grab the SSID. MAC based access control doesn't work effectively as a security mechanism because the attacker can sniff packets and determine "allowable" MAC addresses and then use one himself. To reduce the likelihood of eavesdropping, the recommendation is to limit signal strength through range-limiting antennas, placing access points as far from the exterior of the building as possible, etc. The wired equivalency protocol (802.11) spec does not address per-packet authentication.
A software engineer is expected to present on some lessons learned from a secure coding seminar they attended. Which best-practice would be included in the software engineer's presentation? (A) Ensure all alternative access methods are well hidden so that an adversary cannot take advantage of them (B) Display detailed error messages to facilitate speedy bug fixes (C) Validate all user input so that systems do not end up in an unintended state (D) Develop encryption algorithms using a reliable coding language so that the encryption will be robust
(C) Validate all user input so that systems do not end up in an unintended state User input always needs to be validated in order to protect against various input attacks. Clear error messages should not be displayed to the end user because that information would be valuable to a potential adversary. Detailed error messages should be logged, and vague error messages should be displayed to the end user. Homegrown encryption should be avoided because it is fragile and easy to break. Secrets should not be built into your code, no matter how well hidden. Code should be reviewed by a peer that understands the common mistakes that lead to vulnerabilities.
When two guest machines on the same physical host communicate, what is needed to make sure all traffic is properly analyzed? (A) Physical firewall (B) VLAN (C) Virtual firewall (D) NIDS
(C) Virtual firewall As a result of virtualization, standard network-based security controls are blind to this traffic and cannot perform monitoring or in-line blocking. In-line virtual appliances help to solve this problem; another approach to this issue is hardware-assisted virtualization, which requires integration with hardware hypervisors and virtualization management frameworks.
What is the name of the registry key that is used to manage remote registry share permissions for the whole registry? (A) rrsreg (B) regkey (C) winreg (D) regmng
(C) winreg Whatever permissions you set on the "winreg" key regulate not only access to that key itself, but also the share permissions for the registry as a whole.
How many concurrent TCP streams can a firewall handle, using port address translation and a single public IP address? (A) 255 (B) 262140 (C) 10000 (D) 65535
(D) 65535 The port field is two bytes long, or 16 bits; 2^16 is 65,536, and because 0 is not typically a legal port value, this leaves us with 65,535 possible source or destination ports. This means that a firewall can track up to 65,535 concurrent UDP streams and 65,535 TCP connections from a single NAT address.
Which is a HIPS feature that locks an application into a sandbox, preventing communication with other applications? (A) Host Intrusion Process Sandboxing (B) Application Process Whitelisting (C) Application Process Validation (D) Advanced Application Shielding
(D) Advanced Application Shielding Advanced Application Shielding has recently been introduced in many vendor products over the last year. Often exploits rely on a system's applications to launch their attack(s). Advanced Application Shielding essentially locks an application into a sandbox where it is unable to communicate with other applications. Preventing an application from communicating with other applications in this case can mitigate a large threat. None of Application Process Whitelisting, Host Intrusion Process Sandboxing, or Application Process Validation is a recognized established feature or method of a Host Intrusion Prevention System.
Which of the following active defense tools opens up ports on a system to mislead, monitor, track, and block connections? (A) Decloak (B) NOVA (C) Honey Badger (D) BearTrap
(D) BearTrap BearTrap opens up ports on a system to mislead, monitor, track, and block connections. Decloak tries to discover an attacker's "true" IP address. Honey Badger determines the physical location of a system. NOVA has the ability to launch several virtual machines.
Which class of IDS events occur when the IDS fails to alert on malicious data? (A) False Positive (B) True Positive (C) True Negative (D) False Negative
(D) False Negative False Negative events occur when the IDS identifies data as benign when in fact it is malicious.
Which of the following services/protocols does NOT integrate with Kerberos authentication under Windows 2000/2003? (A) Hypertext Transfer Protocol (HTTP) (B) Remote Procedure Calls (RPC) (C) Common Internet File System (CIFS) (D) File Transfer Protocol (FTP)
(D) File Transfer Protocol (FTP) The Kerberos authentication protocol can be used to authenticate many of the services that Microsoft Windows 2000/2003 utilizes regularly, including HTTP, Server Message Block (SMB)/CIFS, RPC and more. However, it cannot be used to authenticate telnet or FTP sessions.
A network uses 10.1.1.0/24 addressing for client systems and 10.5.5.0/24 for internal servers. Which of the following would prevent a host on the client network from sending packets with a spoofed source address of 10.5.5.101 to a host on the server network? (A) HIDS (B) Anti-virus (C) DHCP (D) Firewall
(D) Firewall Firewalls know which IP addresses should appear only inside a network segment and reject external traffic bearing those addresses. Spoofing will fail because the firewall will reject spoofed packets, which originated from outside the network yet appeared to use an internal IP address.
When malware adds files or backdoors to a system, it violates which of the core CIA principles? (A) Availability (B) Identity (C) Authentication (D) Integrity
(D) Integrity By adding files, and possibly backdoor programs, to a system, worms and other malicious code create a problem of integrity. The system is no longer able to be altogether trusted. These do not inherently affect the availability of the system. Identity and Authentication are not part of CIA.
Which of the following best describes Defense-in-Depth? (A) Separation of duties (B) Risk management (C) Hardened perimeter security (D) Layered controls
(D) Layered controls Defense-in-depth is best characterized by layered defenses. The idea is that any layer of defense may eventually fail, but a Layered Defense offers better protection. Risk management, separation of duties, and hardened perimeters are part of a layered defense but do not describe the full concept of DiD.
What is a disadvantage of virtualizing a DMZ infrastructure? (A) Forensics analysis of a web server is more difficult (B) Still requires physical switches and firewalls (C) Guest hosts on the DMZ need to be running the same OS (D) Multiple systems running on the same physical hardware
(D) Multiple systems running on the same physical hardware If multiple virtual guests are running on the same hardware platform, and that system fails, all of the guest hosts will fail. Forensics analysis is easier in a virtual environment because a system administrator could keep multiple instances of a server running at once, and if the instance bound to the network interface fails, he can unbind it and bind another instance to the network interface. In this case, he would have the compromised instance available for forensics analysis and it would not be accessible to the network. Guest machines running different OSes can run in the same virtual environment. In a fully collapsed DMZ environment, switches and firewalls may be virtualized.
A company has network segments consisting of 200 machines each, with a firewall separating each segment. They use standard configuration for the workstations, firewalls, and switches in each segment that is appropriate for the security needs of that segment. This is an example of what type of defense strategy? (A) Vector-Oriented (B) Uniform Protection (C) Information-Centric (D) Protected Enclaves
(D) Protected Enclaves Protected enclaves involve segmenting your network. This can be done by implementing many VPNs across a single network, VLAN segmentation of switches, or firewalls to separate out the network. This is a simple, yet effective, technique. Reducing the exposure or visibility of a system can greatly reduce the impact malicious code can have. For example, if you have 5,000 systems on a network and a virus infection breaks out, it could spread to all systems. However, if you create separate segments with 100 systems per segment, the virus would now impact only a small percent of your systems and cleanup and damage would be minimal.
From a security perspective, what should ALWAYS be used in conjunction with HTTP Basic Authentication? (A) Hypertext Markup Language (HTML) (B) Open Shortest Path First (OSPF) (C) Internet Control Message Protocol (ICMP) (D) Secure Sockets Layer (SSL)
(D) Secure Sockets Layer (SSL) Basic authentication sends passwords unencrypted. SSL should be used whenever basic authentication is required.
What information would an attacker need to carry out a TCP RST attack? (A) Routing table for the router (B) Router admin account and password (C) Target host MAC address (D) Source and target port numbers
(D) Source and target port numbers To carry out a TCP RST attack, an attacker would need to sniff packets exchanged between two hosts and determine the source and destination IP addresses, source and destination ports, and the changing sequence number. Then he could craft a packet with the Reset flag set by spoofing the original source port, IP address, and sequence number to make the target system think the original source wanted to end the conversation. An attacker with administrative access to a router would not be able to craft and inject packets into an ongoing TCP conversation. The TCP protocol does not include the MAC address. A routing table is used by a router to determine where to send packets based on IP addresses.
An analyst noticed that an internal database server exceeded its baseline outbound traffic. She then found the events below in syslog. What tool would accelerate this type of investigation? • External port scans on three external systems • Several login failures on the three external systems • Several login failures on a different internal server • Privileged account login on the database server (A) MySQL (B) Kiwi (C) grep (D) Splunk
(D) Splunk The events were from diverse systems and required investigation of many different log sources. By correlating the information across web servers, firewalls, and other security devices, tools such as Splunk can help identify those anomalies quickly. Kiwi (another syslog server) and MySQL centralize and store various logs, but won't correlate these events. Grep is useful for searching, but doesn't provide correlation.
Which is a property of an APT? (A) Automation (B) Opportunistic (C) Consistency (D) Stealth
(D) Stealth One of the properties of an APT is being stealthy. Three properties of a traditional threat are being automated, consistent, and opportunistic.
Which type of steganography imposes limits on the amount of data that can be hidden? (A) Differential (B) Injection (C) File Generation (D) Substitution
(D) Substitution Substitution is the most popular stego method used to hide data in a host file. The concept is that elements are replaced on a bit-by-bit basis with information that is being hidden in the host document. Because the information is substituted in place of existing information, the file size of the carrier remains the same. However, since data is overwritten there are limits to how much data can be hidden. Both injection and file generation will increase carrier file size to accommodate the data to be hidden. Differential is a cryptanalysis technique.
What assurance do users have from a server using SSL? (A) The domain can be trusted for active content (B) The cookies will not store private information (C) The site has not been hacked (D) The certificate matches the domain
(D) The certificate matches the domain Server identity verification: Basically the name on the web server SSL certificate needs to exactly match the domain name in the browser's address bar. This confirms to the users that they are talking to the server to which they think they are talking.
Which of the following is necessary to detect unusual events through log correlation for the devices in an organization? (A) Visualization software for the combined system log files for the organization (B) Triggering for incident response team activation when anomalies are detected (C) Methodology for rotating and hashing central log files to prevent tampering (D) Understanding the normal network traffic and host activity for the organization
(D) Understanding the normal network traffic and host activity for the organization You first want to establish a baseline (what does the system look like under normal load?). This gives you something to compare to as utilization grows or when problems or incidents occur.
An organization is using RDP services to provide help desk support to their employees. They are using TLS encryption for the connections. What other action will improve the security of this process? (A) Use Group Policy to ensure that port 3389/tcp is blocked (B) Set the Terminal Services Authentication setting to "Negotiate" (C) Set the client to only connect through RDP Web Access (D) Use two-factor authentication for account sign-on
(D) Use two-factor authentication for account sign-on If possible, use Windows Server 2008 or later on the server to benefit from Network Level Authentication (NLA) and RDP single sign-on. The single sign-on works with either password or smart card authentication, so prefer smart cards too.
How is a Windows 2008 or 2012 server affected when the administrator disables the NetBIOS service? (A) The server's File and Print Sharing services will run over TCP port 139 (B) The server will be immune to null user session attacks (C) It will disable the Remote Procedure Call service on TCP port 135 (D) The server will not be able to access SMB shares on remote hosts (E) It will not have full backward compatibility with legacy systems like Windows NT
(E) It will not have full backward compatibility with legacy systems like Windows NT Disabling the NetBIOS service on a Windows server causes the server to not have full backward compatibility with old systems like Windows NT or legacy applications. The server will, however, be able to access SMB shares on other hosts as long as the NetBIOS Helper service is still running. Null Session user attacks do not require NetBIOS. The RPC service will not be affected if the NetBIOS service is disabled. When NetBIOS is running, file and print sharing services run over TCP port 139, otherwise they run on TCP port 445.
Which of the following quantifies the effects of a potential disaster over a period of time? A. Risk Assessment B. Business Impact Analysis C. Disaster Recovery Planning D. Lessons Learned
B. Business Impact Analysis
How is a Distributed Denial of Service (DDOS) attack distinguished from a regular DOS attack? A. DDOS attacks are perpetrated by many distributed hosts. B. DDOS affects many distributed targets. C. Regular DOS focuses on a single router. D. DDOS affects the entire Internet.
A. DDOS attacks are perpetrated by many distributed hosts.
What would the following iptables command do? iptables -I INPUT -s 99.23.45.1/32 -j DROP A. Drop all packets from the source address B. Input all packets to the source address C. Log all packets to or from the specified address D. Drop all packets to the specified address
A. Drop all packets from the source address
You have an automated system for patching the operating systems of all your computers. All patches are supposedly current. Yet your automated vulnerability scanner has just reported vulnerabilities that you believe have been patched. Which of the actions below should you take next? A. Check some systems manually. B. Rerun the system patching routines. C. Contact the incident response team. D. Ignore the findings as false positives.
A. Check some systems manually.
Your software developer comes to you with an application that controls a user device. The application monitors its own behavior and that of the device and creates log files. The log files are expected to grow steadily and rapidly. Your developer currently has the log files stored in the /bin folder with the application binary. Where would you suggest that the developer store the log files? A. /var/log B. /etc/log C. /usr/log D. /tmp/log E. /dev/log
A. /var/log
Which of the following is an advantage of a Host Intrusion Detection System (HIDS) versus a Network Intrusion Detection System (NIDS)? A. Ability to detect malicious traffic after it has been decrypted by the host B. Ability to decrypt network traffic C. Ability to listen to network traffic at the perimeter D. Ability to detect malicious traffic before it has been decrypted
A. Ability to detect malicious traffic after it has been decrypted by the host
Which choice best describes the line below? alert tcp any any -> 192.168.1.0/24 80 (content: "/cgi-bin/test.cgi"; msg: "Attempted CGI-BIN Access!!";) A. Tcpdump filter B. iptables rule C. Wireshark filter D. Snort rule
D. Snort rule
What does an attacker need to consider when attempting an IP spoofing attack that relies on guessing Initial Sequence Numbers (ISNs)? A. These attacks work against relatively idle servers. B. These attacks rely on a modified TCP/IP stack to function. C. These attacks can be easily traced back to the source. D. These attacks only work against Linux/Unix hosts.
A. These attacks work against relatively idle servers.
What is the function of the TTL (Time to Live) field in IPv4 and the Hop Limit field in IPv6 in an IP packet header? A. These fields are decremented each time a packet is retransmitted to minimize the possibility of routing loops. B. These fields are initialized to an initial value to prevent packet fragmentation and fragmentation attacks. C. These fields are recalculated based on the required time for a packet to arrive at its destination. D. These fields are incremented each time a packet is transmitted to indicate the number of routers that an IP packet has traversed.
A. These fields are decremented each time a packet is retransmitted to minimize the possibility of routing loops.
Your organization is developing a network protection plan. No single aspect of your network seems more important than any other. You decide to avoid separating your network into segments or categorizing the systems on the network. Each device on the network is essentially protected in the same manner as all other devices. This style of defense-in-depth protection is best described as which of the following? A. Uniform protection B. Threat-oriented C. Information-centric D. Protected enclaves
A. Uniform protection
Which Defense-in-Depth model involves identifying various means by which threats can become manifest and providing security mechanisms to shut them down? A. Vector-oriented B. Uniform protection C. Information centric defense D. Protected enclaves
A. Vector-oriented
What would the file permission example "rwsr-sr-x" translate to in absolute mode? A. 1755 B. 6755 C. 6645 D. 1644
B. 6755
A new data center is being built where customer credit information will be processed and stored. Which of the following actions will help maintain the confidentiality of the data? A. Environmental sensors in the server room B. Access control system for physical building C. Automated fire detection and control systems D. Frequent off-site backup of critical databases
B. Access control system for physical building
A Host-based Intrusion Prevention System (HIPS) software vendor records how the Firefox Web browser interacts with the operating system and other applications, and identifies all areas of Firefox functionality. After collecting all the data about how Firefox should work, a database is created with this information, and it is fed into the HIPS software. The HIPS then monitors Firefox whenever it's in use. What feature of HIPS is being described in this scenario? A. Signature Matching B. Application Behavior Monitoring C. Host Based Sniffing D. Application Action Modeling
B. Application Behavior Monitoring
IPS devices that are classified as "In-line NIDS" devices use a combination of anomaly analysis, signature-based rules, and what else to identify malicious events on the network? A. Firewall compatibility rules B. Application analysis C. ICMP and UDP active scanning D. MAC address filtering
B. Application analysis
You are reviewing a packet capture file from your network intrusion detection system. In the packet stream, you come across a long series of "no operation" (NOP) commands. In addition to the NOP commands, there appears to be a malicious payload. Of the following, which is the most appropriate preventative measure for this type of attack? A. Limits on the number of failed logins B. Boundary checks on program inputs C. Controls against time of check/time of use attacks D. Restrictions on file permissions
B. Boundary checks on program inputs
Why would someone use port 80 for deployment of unauthorized services? A. Google will detect the service listing on port 80 and post a link, so that people all over the world will surf to the rogue service. B. If someone were to randomly browse to the rogue port 80 service they could be compromised. C. This is a technique commonly used to perform a denial of service on the local web server. D. HTTP traffic is usually allowed outbound to port 80 through the firewall in most environments.
B. If someone were to randomly browse to the rogue port 80 service they could be compromised.
During which of the following steps is the public/private key-pair generated for Public Key Infrastructure (PKI)? A. Key Recovery B. Initialization C. Registration D. Certification
B. Initialization
The TTL can be found in which protocol header? A. It is found in byte 8 of the ICMP header. B. It is found in byte 8 of the IP header. C. It is found in byte 8 of the TCP header. D. It is found in byte 8 of the DNS header.
B. It is found in byte 8 of the IP header.
When designing wireless networks, one strategy to consider is implementing security mechanisms at all layers of the OSI model. Which of the following protection mechanisms would protect layer 1? A. Hardening applications B. Limit RF coverage C. Employing firewalls D. Enabling strong encryption
B. Limit RF coverage
Which of the following choices accurately describes how PGP works when encrypting email? A. PGP encrypts the message with the recipient's public key, then encrypts this key with a random asymmetric key. B. PGP creates a random asymmetric key that it uses to encrypt the message, then encrypts this key with the recipient's public key C. PGP creates a random symmetric key that it uses to encrypt the message, then encrypts this key with the recipient's public key D. PGP encrypts the message with the recipient's public key, then encrypts this key with a random symmetric key.
B. PGP creates a random asymmetric key that it uses to encrypt the message, then encrypts this key with the recipient's public key
Which of the following is an advantage of private circuits versus VPNs? A. Flexibility B. Performance guarantees C. Cost D. Time required to implement
B. Performance guarantees
Which of the following best describes the level of risk associated with using proprietary crypto algorithms? A. Proprietary cryptographic algorithms are required by law to use shorter key lengths in the United States, so the risk is high. B. Proprietary algorithms have not been subjected to public scrutiny, so they have been checked less thoroughly for vulnerabilities. C. Proprietary algorithms are less likely to be vulnerable than algorithms that have been publicly disclosed because of enhanced secrecy of the algorithm. D. Proprietary algorithms are not known to generally be any more or less vulnerable than publicly scrutinized algorithms.
B. Proprietary algorithms have not been subjected to public scrutiny, so they have been checked less thoroughly for vulnerabilities.
Which type of risk assessment results are typically categorized as low, medium, or high-risk events? A. Technical B. Qualitative C. Management D. Quantitative
B. Qualitative
An IT security manager is trying to quickly assess the risks associated with not implementing a corporate firewall system. What sort of risk assessment is most appropriate? A. Annualized Risk Assessment B. Qualitative risk assessment C. Quantitative risk assessment D. Technical Risk Assessment E. Iterative Risk Assessment
B. Qualitative risk assessment
What is the first thing that should be done during the containment step of incident handling? A. Change all the passwords B. Secure the area C. Prepare the Jump bag D. Notify management E. Prepare a report
B. Secure the area
Who is responsible for deciding the appropriate classification level for data within an organization? A. Data custodian B. Security auditor C. End user D. Data owner
B. Security auditor
How are differences in configuration settings handled between Domain and Local Group Policy Objects (GPOs)? A. Local and Domain GPOs control different configuration settings, so there will not be conflicts. B. Settings in the domain-wide GPO override conflicting settings in the local GPO on each computer. C. Settings in the local GPO override conflicting settings when the domain-wide GPO is applied. D. Precedence depends on which GPO was updated first.
B. Settings in the domain-wide GPO override conflicting settings in the local GPO on each computer.
What is the process of simultaneously installing an operating system and a Service Pack called? A. Synchronous Update B. Slipstreaming C. Simultaneous Update D. Synchronizing
B. Slipstreaming
A sensor that uses a light beam and a detecting plate to alarm if the light beam is obstructed is most commonly used to identify which of the following threats? A. Power B. Smoke C. Natural Gas D. Water E. Toxins
B. Smoke
When a packet leaving the network undergoes Network Address Translation (NAT), which of the following is changed? A. TCP Sequence Number B. Source address C. Destination port D. Destination address
B. Source address
During a scheduled evacuation training session the following events took place in this order: 1. The evacuation process began by triggering the building fire alarm. 2a. The meeting point leader arrived first at the designated meeting point and immediately began making note of who was and was not accounted for. 2b. Stairwell and door monitors made it to their designated positions to leave behind a box of flashlights and prop the stairway doors open with a garbage can so employees could find exits and dispose of food and beverages. 2c. Special needs assistants performed their assigned responsibility to help out employees that require special assistance. 3. The safety warden communicated with the meeting point leader via walkie-talkie to collect a list of missing personnel and communicated this information back to the searchers. 4. Searchers began checking each room and placing sticky notes on the bottom of searched doors to designate which areas were cleared. 5. All special needs assistants and their designated wards exited the building. 6. Searchers completed their assigned search pattern and exited with the stairwell/door monitors. Given this sequence of events, which role is in violation of its expected evacuation tasks? A. Safety warden B. Stairwell and door monitors C. Meeting point leader D. Searchers E. Special needs assistants
B. Stairwell and door monitors
Which Windows event log would you look in if you wanted information about whether or not a specific driver was running at start up? A. Application B. System C. Startup D. Security
B. System
Which of the following statements about Microsoft's VPN client software is FALSE? A. The VPN interface can be figured into the route table. B. The VPN interface has the same IP address as the interface to the network it's been specified to protect. C. The VPN client software is built into the Windows operating system. D. The VPN tunnel appears as simply another adapter.
B. The VPN interface has the same IP address as the interface to the network it's been specified to protect.
Which layer of the TCP/IP Protocol Stack is responsible for port numbers? A. Network B. Transport C. Internet D. Application
B. Transport
An attacker gained physical access to an internal computer to access company proprietary data. The facility is protected by a fingerprint biometric system that records both failed and successful entry attempts. No failures were logged during the time periods of the recent breach. The account used when the attacker entered the facility shortly before each incident belongs to an employee who was out of the area. With respect to the biometric entry system, which of the following actions will help mitigate unauthorized physical access to the facility? A. Try raising the Crossover Error Rate (CER) B. Try to lower the False Accept Rate (FAR) C. Try setting the Equal Error Rate (EER) to zero D. Try to set a lower False Reject Rate (FRR)
B. Try to lower the False Accept Rate (FAR)
Validating which vulnerabilities in a network environment are able to be exploited by an attacker is called what? A. Anomaly detection B. Vulnerability scanning C. Perimeter assessment D. Penetration testing
B. Vulnerability scanning
You have reason to believe someone with a domain user account has been accessing and modifying sensitive spreadsheets on one of your application servers. You decide to enable auditing for the files to see who is accessing and changing them. You enable the Audit Object Access policy on the files via Group Policy. Two weeks later, when you check on the audit logs, you see they are empty. What is the most likely reason this has happened? A. You cannot enable auditing on files, just folders B. You did not enable auditing on the files C. The person modifying the files turned off auditing D. You did not save the change to the policy
B. You did not enable auditing on the files
You are doing some analysis of malware on a Unix computer in a closed test network. The IP address of the computer is 192.168.1.120. From a packet capture, you see the malware is attempting to do a DNS query for a server called iamabadserver.com so that it can connect to it. There is no DNS server on the test network to do name resolution. You have another computer, whose IP is 192.168.1.115, available on the test network that you would like the malware to connect to instead. How do you get the malware to connect to that computer on the test network? A. You modify the HOSTS file on the computer you want the malware to connect to and add an entry that reads: 192.168.1.120 iamabadserver iamabadserver.com B. You modify the HOSTS file on the Unix computer your malware is running on and add an entry that reads: 192.168.1.115 iamabadserver iamabadserver.com C. You modify the HOSTS file on the Unix computer your malware is running on and add an entry that reads: 192.168.1.120 iamabadserver iamabadserver.com D. You modify the HOSTS file on the computer you want the malware to connect to and add an entry that reads: 192.168.1.115 iamabadserver iamabadserver.com
B. You modify the HOSTS file on the Unix computer your malware is running on and add an entry that reads: 192.168.1.115 iamabadserver iamabadserver.com
Which of the following Unix syslog message priorities is the MOST severe? A. err B. emerg C. crit D. alert
B. emerg
Which of the following tools is also capable of static packet filtering? A. netstat.exe B. ipsecpol.exe C. ipconfig.exe D. net.exe
B. ipsecpol.exe
Which command would allow an administrator to determine if an RPM package was already installed? A. rpm -s B. rpm -q C. rpm -a D. rpm -t
B. rpm -q
When you log into your Windows desktop what information does your Security Access Token (SAT) contain? A. The Security ID numbers (SIDs) of all the groups to which you belong B. A list of cached authentications C. A list of your domain privileges D. The Security ID numbers (SIDs) of all authenticated local users
C. A list of your domain privileges
What type of formal document would include the following statement? Employees are responsible for exercising good judgment regarding the reasonableness of personal use. Individual departments are responsible for creating guidelines concerning personal application of Internet/Intranet/Extranet systems. In the absence of such policies, employees should be guided by departmental policies, and if there is any uncertainty, employees should consult their supervisor or manager. A. Company privacy statement B. Remote access policy C. Acceptable use policy D. Non-disclosure agreement
C. Acceptable use policy
Which of the following features of Windows 7 allows an administrator to both passively review installed software and configure policies to prevent out-of-date or insecure software from running? A. Direct Access B. Software Restriction Policies C. App Locker D. User Account Control
C. App Locker
When discussing access controls, which of the following terms describes the process of determining the activities or functions that an individual is permitted to perform? A. Authentication B. Identification C. Authorization D. Validation
C. Authorization
When should you create the initial database for a Linux file integrity checker? A. Before a system is patched B. After a system has been compromised C. Before a system has been compromised D. During an attack
C. Before a system has been compromised
If Linux server software is a requirement in your production environment which of the following should you NOT utilize? A. Debian B. Mandrake C. Cygwin D. Red Hat
C. Cygwin
Which of the following elements is the most important requirement to ensuring the success of a business continuity plan? A. Disaster Recover Plans B. Anticipating all relevant threats C. Executive buy-in D. Clearly defining roles and responsibilities E. Training
C. Executive buy-in
In preparation to do a vulnerability scan against your company's systems, you've taken the steps below: You've notified users that there will be a system test. You've prioritized and selected your targets and subnets. You've configured the system to do a deep scan. You have a member of your team on call to answer questions. Which of the following is a necessary step to take prior to starting the scan? A. Placing the incident response team on call. B. Clear relevant system log files. C. Getting permission to run the scan. D. Scheduling the scan to run before OS updates.
C. Getting permission to run the scan.
Which of the following protocols describes the operation of security in H.323? A. H.239 B. H.245 C. H.235 D. H.225
C. H.235
Which of the following is a benefit of using John the Ripper for auditing passwords? A. John's Blowfish cracking routine uses a complex central computing loop that increases the cost of each hash computation. B. John the Ripper is much slower for auditing passwords encrypted with MD5 and Blowfish. C. John's MD5 cracking routine uses a simplified central computing loop that decreases the cost of each hash computation. D. John cannot use the DES bit-slicing technique, so it is much slower than other tools, especially when used against DES-encrypted passwords.
C. John's MD5 cracking routine uses a simplified central computing loop that decreases the cost of each hash computation.
Which common firewall feature can be utilized to generate a forensic trail of evidence and to identify attack trends against your network? A. NAT B. State Table C. Logging D. Content filtering
C. Logging
Which aspect of UNIX systems was process accounting originally developed for? A. Data warehouse B. Time sharing C. Process tracking D. Real time
C. Process tracking
In order to capture traffic for analysis, Network Intrusion Detection Systems (NIDS) operate with network cards in what mode? A. Discrete B. Reporting C. Promiscuous D. Alert
C. Promiscuous
A folder D:\Files\Marketing has the following NTFS permissions: • Administrators: Full Control • Marketing: Change • Authenticated Users: Read It has been shared on the server as "MARKETING", with the following share permissions: • Full Control share permissions for the Marketing group Which of the following effective permissions apply if a user from the Sales group accesses the \\FILESERVER\MARKETING shared folder? A. No access B. Full Control C. Read D. Change
C. Read
There are three key factors in selecting a biometric mechanism. What are they? A. Reliability, encryption strength, and cost B. Encryption strength, authorization method, and cost C. Reliability, user acceptance, and cost D. User acceptance, encryption strength, and cost
C. Reliability, user acceptance, and cost
Which of the following is a Layer 3 device that will typically drop directed broadcast traffic? A. Hubs B. Bridges C. Routers D. Switches
C. Routers
What is the discipline of establishing a known baseline and managing that condition known as? A. Condition deployment B. Observation discipline C. Security establishment D. Configuration management
C. Security establishment
Which of the following fields CANNOT be hashed by Authentication Header (AH) in transport mode? A. Length B. Source IP C. TTL D. Destination IP
C. TTL
A US case involving malicious code is brought to trial. An employee had opened a helpdesk ticket to report specific instances of strange behavior on her system. The IT helpdesk representative collected information by interviewing the user and escalated the ticket to the system administrators. As the user had regulated and sensitive data on her computer, the system administrators had the hard drive sent to the company's forensic consultant for analysis and configured a new hard drive for the user. Based on the recommendations from the forensic consultant and the company's legal department, the CEO decided to prosecute the author of the malicious code. During the court case, which of the following would be able to provide direct evidence? A. The IT helpdesk representative B. The company CEO C. The user of the infected system D. The system administrator who removed the hard drive
C. The user of the infected system
What is the command-line tool for Windows XP and later that allows administrators the ability to get or set configuration data for a very wide variety of computer and user account settings? A. IPCONFIG.EXE B. NETSTAT.EXE C. WMIC.EXE D. C0NF1G.EXE
C. WMIC.EXE
The Linux command to make the /etc/shadow file, already owned by root, readable only by root is which of the following? A. chmod 444 /etc/shadow B. chown root:root /etc/shadow C. chmod 400 /etc/shadow D. chown 400 /etc/shadow
C. chmod 400 /etc/shadow
What is the following sequence of packets demonstrating? A. telnet.com.telnet > client.com.38060: F 4289:4289(0) ack 92 win 1024 B. client.com.38060 > telnet.com.telnet: .ack 4290 win 8760 (DF) C. client.com.38060 > telnet.com.telnet: F 92:92(0) ack 4290 win 8760 (DF) D. telnet.com.telnet > client.com.38060: .ack 93 win 1024
C. client.com.38060 > telnet.com.telnet: F 92:92(0) ack 4290 win 8760 (DF)
What database can provide contact information for Internet domains? A. dig B. who C. whois D. nslookup
C. whois
What is the name of the registry key that is used to manage remote registry share permissions for the whole registry? A. regkey B. regmng C. winreg D. rrsreg
C. winreg
Which of the following BEST describes the two job functions of Microsoft Baseline Security Analyzer (MBSA)? A. Vulnerability scanner and auditing tool B. Auditing tool and alerting system C. Configuration management and alerting system D. Security patching and vulnerability scanner
D. Security patching and vulnerability scanner
For which of the following reasons does UDP work well for applications like real-time video? (A) It guarantees that all the packets will reach the destination. (B) It can set Quality-of-Service to a high level for better transmission. (C) The network prioritizes UDP higher than TCP. (D) The loss of one or two packets is tolerable.
D) The loss of one or two packets is tolerable. UDP is typically used in situations in which it is okay if some packets are lost or reordered. In a streaming audio application, for example, each packet contains such a small amount of audio data that the client probably can afford to lose one or two packets in succession without suffering a noticeable lack of quality.
Which of the following statements would be seen in a Disaster Recovery Plan? A. "Instructions for notification of the media can be found in Appendix A" B. "The Emergency Response Plan should be executed in the case of any physical disaster listed on page 3." C. "The target for restoration of business operations is 72 hours from the declaration of disaster." D. "After arriving at the alternate site, utilize the server build checklist to rebuild all servers on the server rebuild list."
D. "After arriving at the alternate site, utilize the server build checklist to rebuild all servers on the server rebuild list."
Regarding the UDP header below, what is the length in bytes of the UDP datagram? 04 1a 00 a1 00 55 db 51 A. 161 B. 81 C. 219 D. 85
D. 85
Which of the following statements would describe the term "incident" when used in the branch of security known as Incident Handling? A. Any observable network event B. Harm to systems C. Significant threat of harm to systems D. A and C E. A, B, and C F. B and C G. A and B
D. A and C
With regard to defense-in-depth, which of the following statements about network design principles is correct? A. A secure network design requires that systems that have access to the Internet should not be accessible from the Internet and that systems accessible from the Internet should not have access to the Internet. B. A secure network design requires that networks utilize VLAN (Virtual LAN) implementations to ensure that private and semi-public systems are unable to reach each other without going through a firewall. C. A secure network design will seek to provide an effective administrative structure by providing a single choke-point for the network from which all security controls and restrictions will be enforced. D. A secure network design will seek to separate resources by providing a security boundary between systems that have different network security requirements.
D. A secure network design will seek to separate resources by providing a security boundary between systems that have different network security requirements.
What is the name of the command-line tool for Windows that can be used to manage audit policies on remote systems? A. SECEDIT.EXE B. POLCLI.EXE C. REMOTEAUDIT.EXE D. AUDITPOL.EXE
D. AUDITPOL.EXE
Which of the following is more commonly used for establishing high-speed backbones that interconnect smaller networks and can carry signals over significant distances? A. Bluetooth B. Ethernet C. Token ring D. Asynchronous Transfer Mode (ATM)
D. Asynchronous Transfer Mode (ATM)
Which of the following statements best describes where a border router is normally placed? A. Between your firewall and your internal network B. Between your firewall and DNS server C. Between your ISP and DNS server D. Between your ISP and your external firewall
D. Between your ISP and your external firewall
Which of the following would be a valid reason to use a Windows workgroup? A. Lower initial cost B. Simplicity of single sign-on C. Centralized control D. Consistent permissions and rights
D. Consistent permissions and rights
Your IT security team is responding to a denial of service attack against your server. They have taken measures to block offending IP addresses. Which type of threat control is this? A. Detective B. Preventive C. Responsive D. Corrective
D. Corrective
Which class of IDS events occur when the IDS fails to alert on malicious data? A. True Negative B. True Positive C. False Positive D. False Negative
D. False Negative
What protocol is a WAN technology? A. 802.11 B. 802.3 C. Ethernet D. Frame Relay
D. Frame Relay
Which of the following SIP methods is used to setup a new session and add a caller? A. ACK B. BYE C. REGISTER D. INVITE E. CANCEL
D. INVITE
Many IIS servers connect to Microsoft SQL databases. Which of the following statements about SQL server security is TRUE? A. SQL Server patches are part of the operating system patches. B. SQL Server should be installed on the same box as your IIS web server when they communicate as part of the web application. C. It is good practice to never use integrated Windows authentication for SQL Server. D. It is good practice to not allow users to send raw SQL commands to the SQL Server.
D. It is good practice to not allow users to send raw SQL commands to the SQL Server.
In trace route results, what is the significance of an * result? A. A listening port was identified. B. A reply was returned in less than a second. C. The target host was successfully reached. D. No reply was received for a particular hop.
D. No reply was received for a particular hop.
Which of the following statements about policy is FALSE? A. A well-written policy contains definitions relating to "what" to do. B. A well-written policy states the specifics of "how" to do something. C. Security policy establishes what must be done to protect information stored on computers. D. Policy protects people who are trying to do the right thing.
D. Policy protects people who are trying to do the right thing.
Which of the following is a new Windows Server 2008 feature for the Remote Desktop Protocol (RDP)? A. The ability to allow the administrator to choose a port other than the default RDP port (TCP 3389) B. The ability to support connections from mobile devices like smart phones C. The ability to allow clients to authenticate over TLS D. The ability to allow clients to execute individual applications rather than using a terminal desktop
D. The ability to allow clients to execute individual applications rather than using a terminal desktop
What is the main problem with relying solely on firewalls to protect your company's sensitive data? A. Their value is limited unless a full-featured Intrusion Detection System is used. B. Their value is limited because they cannot be changed once they are configured. C. Their value is limited because operating systems are now automatically patched. D. Their value is limited because they can be bypassed by technical and non-technical means.
D. Their value is limited because they can be bypassed by technical and non-technical means.
Which of the following is a characteristic of hash operations? A. Asymmetric B. Non-reversible C. Symmetric D. Variable length output
D. Variable length output
Which of the following systems acts as a NAT device when utilizing VMware in NAT mode? A. Guest system B. Local gateway C. Host system D. Virtual system
D. Virtual system
What type of malware is a self-contained program that has the ability to copy itself without parasitically infecting other host code? A. Trojans B. Boot infectors C. Viruses D. Worms
D. Worms
Which of the following is the FIRST step in performing an Operational Security (OPSEC) Vulnerabilities Assessment? A. Assess the threat B. Assess vulnerabilities of critical information to the threat C. Conduct risk versus benefit analysis D. Implement appropriate countermeasures E. Identification of critical information
E. Identification of critical information
While building multiple virtual machines on a single host operating system, you have determined that each virtual machine needs to work on the network as a separate entity with its own unique IP address on the same logical subnet. You also need to limit how much of the system's resources each guest operating system has access to. Which of the following correctly identifies steps that must be taken towards setting up these virtual environments? A. The virtual machine software must define a separate virtual network interface for each virtual machine and then define which unique logical hard drive partition should be available to the guest operating system. B. The virtual machine software must define a separate virtual network interface since each system needs to have an IP address on the same logical subnet, requiring that they use the same physical interface on the host operating system. C. The virtual machine software must define a separate virtual network interface for each virtual machine as well as how much RAM should be available to each virtual machine. D. The virtual machine software establishes the existence of the guest operating systems, and the physical system resources to be used by that system will be configured from within the guest operating system. E. The virtual machine software must define a separate physical network interface for each virtual machine so that the guest operating systems can have unique IP addresses and then define how much of the system's RAM is available to the guest operating system.
E. The virtual machine software must define a separate physical network interface for each virtual machine so that the guest operating systems can have unique IP addresses and then define how much of the system's RAM is available to the guest operating system.
What is TRUE about Workgroups and Domain Controllers? A. By default all computers running Windows 2008 can only form Domain Controllers not Workgroups B. Workgroups are characterized by higher costs while Domain Controllers by lower costs C. You cannot have stand-alone computers in the midst of other machines that are members of a domain D. Workgroup computers cannot share resources, only computers running on the same domain can E. You can have stand-alone computers in the midst of other machines that are members of a domain.
E. You can have stand-alone computers in the midst of other machines that are members of a domain.
True or False: Command injection is possible due to improper filtering of potentially harmful characters passed to the system() function.
False
True or False: Fedora is based on Debian Linux.
False
True or False: For access to a file object via a network share, the object's NTFS DACL overrides share-level permissions when the share-level permissions are more restrictive.
False
True or False: Windows Nano allows Server 2012 to run as a command line only (headless) system.
False
What type of encryption is needed to help defeat wireless eavesdropping attacks? (A) Implement strong encryption in the highest layer protocol possible. (B) Implement weak encryption in the lowest layer protocol possible. (C) Implement strong encryption in the lowest layer protocol possible. (D) Implement weak encryption in the highest layer protocol possible.
Which Critical Control addresses concerns around unauthorized software running on a system? a. CSC 1 b. CSC 2 c. CSC 3 d. CSC 4 e. CSC 5
b. CSC 2
What is the type of Access Control List (ACL) that allows the owner of an object to set the permissions? a. SACL b. DACL c. VACL d. RBACL
b. DACL
Which of the following Active Defense tools attempts to identify the IP address of the attacker by injecting flash objects or similar? a. Honey Badger b. Decloak c. ADHD d. BearTrap
b. Decloak
Which of the following protocols delivers traffic in the clear? a. SSH b. HTTPS c. TFTP d. RDP
b. HTTPS
What is a system deployed with no legitimate business purpose called? a. Honeytoken b. Honeypot c. Honeynet d. Bastion Host
b. Honeypot
Which of the following is NOT a technique used by intrusion detection and prevention devices? a. Application/Protocol Analysis b. Log Correlation Analysis c. Signature Analysis d. Anomaly Analysis
b. Log Correlation Analysis
What well known TCP port does FTP-DATA run over? a. 21 b. 22 c. 23 d. 20
d. 20 (21 is the FTP control/command port).
Which of the following Windows operating systems supports only 64-bit processors? a. 2003 Server b. Windows 7 c. Vista SP1 d. 2008 Server R2
d. 2008 Server R2
What processor architecture does Windows IoT use? a. MIPS b. x86 / Intel c. PowerPC d. ARM
d. ARM
Which of the following syslog levels would be considered the most important? a. Debug b. Info c. Critical d. Alert
d. Alert
Which of the following algorithms requires the largest key length to achieve equal security? a. 3DES b. AES-256 c. ECC d. Diffie-Hellman
d. Diffie-Hellman
Which of the following tools is best known for allowing the user to craft custom packets? a. Nmap b. Wireshark c. tcpdump d. Hping3
d. Hping3
Which of the following best describes the type of password cracking used in "wordlist mode" by John the Ripper? a. Dictionary Attack b. Pre-Computation Attack c. Brute Force Attack d. Hybrid Attack e. Rainbow Tables Attack
d. Hybrid Attack
Which of the following can you NOT do with SECEDIT.EXE? a. Audit the security policy on a system b. Run from a shared folder to scan a remote machine c. Apply a security policy to a system d. Import a security template into a group policy object
d. Import a security template into a group policy object
Double-DES is vulnerable to what attack? a. Man-in-the-Middle b. Brute-Force c. Known Plaintext d. Meet-in-the-Middle
d. Meet-in-the-Middle
Which of the following is the correct order for the steps in an incident handling process? a. Preparation, Containment, Identification, Eradication, Recovery, Lessons Learned b. Preparation, Identification, Containment, Recovery, Eradication, Lessons Learned c. Preparation, Identification, Containment, Eradication, Recovery, Lessons Learned d. Preparation, Containment, Recovery, Identification, Eradication, Lessons Learned
d. Preparation, Containment, Recovery, Identification, Eradication, Lessons Learned
Which of the following phases of a cyber attack does NOT leave evidence on a system? a. Exploitation b. Scanning c. Establishing a backdoor d. Reconnaissance
d. Reconnaissance
Which of the following encryption types is the preferred option for password security? a. Asymmetric b. Hash c. Symmetric d. Single Sign-On
d. Single Sign-On
Which of the following ICMP Type and Code indicates a TTL Expired in Transit? a. Type 8 b. Type 3, Code 0 c. Type 3, Code 9 d. Type 11, Code 0
d. Type 11, Code 0
Which of the following Nmap options will perform a port scan, version scan, and OS fingerprint? a. -sT b. -sS c. -sU d. -A
d. -A