Security+ Practice Test C


Which of the following invalidates SQL injection attacks that were launched from a lookup field of a web server? A. Security template B. Input validation C. Buffer overflow protection D. NIDS

Answer B is correct. Input validation is the process of checking that data supplied by a user conforms to what the application expects (type, length, range, format) before it is used. It matters for any form a web server exposes, because form fields are a direct path for attacker-controlled data. For example, if a ZIP code field expects at most five digits and a user types six, validation should reject the entry and, if coded properly, ask for the value again. Validation must be performed on the server; client-side checks are a usability aid that an attacker bypasses by submitting requests directly. For SQL injection specifically, validation is one layer: the primary defense is to pass user input to the database as bound parameters (prepared statements) so that it can never be interpreted as SQL syntax. Security templates import many security policy settings at once. A NIDS monitors an entire network for intrusions but does not change how a web form handles input. Buffer overflow protection ensures that memory stores data the way the developer intended. Input validation, particularly length checking, also helps prevent buffer overflow attacks in addition to injection attacks.
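Added example (not part of the original test or its explanation): the lookup field above, written as a vulnerable string-concatenated query beside a bound-parameter query and a ZIP allow-list check. The table, rows and payload are constructed for the demonstration; sqlite3 from the Python standard library stands in for the web server's database.

```python
import re
import sqlite3

# Constructed in-memory table standing in for the lookup field's backend.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (zip TEXT, name TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?)",
                     [("12345", "alice"), ("54321", "bob"), ("99999", "carol")])
    conn.commit()
    return conn

def lookup_vulnerable(conn, zip_code):
    # Vulnerable on purpose: the user's text is concatenated into the SQL, so
    # a value such as  ' OR '1'='1  changes the structure of the query.
    query = "SELECT name FROM customers WHERE zip = '" + zip_code + "'"
    return [row[0] for row in conn.execute(query)]

def lookup_parameterized(conn, zip_code):
    # Primary defence: the value is bound as a parameter. The driver hands it
    # to the engine separately from the SQL text, so it is compared literally
    # and never parsed as SQL.
    return [row[0] for row in conn.execute(
        "SELECT name FROM customers WHERE zip = ?", (zip_code,))]

ZIP_RE = re.compile(r"[0-9]{5}")   # ASCII digits only; \d would admit Unicode digits

def validate_zip(zip_code):
    # Allow-list validation for this field: exactly five digits. A six-digit
    # entry and an injection payload both fail here, before any query runs.
    return ZIP_RE.fullmatch(zip_code) is not None

def lookup_hardened(conn, zip_code):
    # Defence in depth: validate first, then still use the bound parameter.
    if not validate_zip(zip_code):
        raise ValueError("ZIP code must be exactly five digits")
    return lookup_parameterized(conn, zip_code)

if __name__ == "__main__":
    db = make_db()
    payload = "' OR '1'='1"
    print("vulnerable:   ", lookup_vulnerable(db, payload))      # every customer leaks
    print("parameterized:", lookup_parameterized(db, payload))   # [] (no ZIP equals the payload)
    try:
        lookup_hardened(db, payload)
    except ValueError as exc:
        print("hardened rejected:", exc)
    print("hardened:     ", lookup_hardened(db, "12345"))
```

Run it and the vulnerable lookup returns every customer for the injection payload, the parameterized one returns nothing because the payload is compared as a literal ZIP string, and the hardened one rejects it before a query is issued. Validation narrows what reaches the database; binding is what makes the injection impossible.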

What would be an example of a device used to shield a server room from data emanation? A. Faraday cage B. TEMPEST C. EMI D. Crosstalk

Answer A is correct. A Faraday cage is an enclosure of conductive material that blocks electromagnetic fields, so it is used to shield a server room from data emanation (also called signal emanation). Data emanation is the electromagnetic (EM) field given off by a network cable or device, which can be captured at a distance and reconstructed. The same cables and devices can also be affected by external EMI (electromagnetic interference), and cables can pick up crosstalk from neighbouring cables. TEMPEST is the specification and certification program (originating with the NSA) that covers compromising emanations from electrical equipment and how to shield against them; it names a standard, not a device.

Which of the following might be used to start a DDoS attack? A. Botnet B. Rootkit C. Spyware D. Worm

Answer A is correct. A botnet is typically what launches a DDoS (distributed denial-of-service) attack. A command-and-control server coordinates many compromised zombie computers, which together form the botnet, so that they all attack the target at the same time. Spyware is software that tracks a user's actions on the Internet. A worm is malicious code that self-replicates across a network; worms are one way bots get recruited, but the worm itself is not the DDoS. A rootkit is software that subverts the operating system so that a person can retain access at the level of an administrator while hiding from detection.

You have critical backups that are made at night and taken to an offsite location. Which of the following would allow for a minimal amount of downtime in the case of a disaster? A. Make the offsite location into a hot site. B. Have a backup server at the offsite location. C. Make the offsite location into a cold site. D. Make the offsite location into a warm site.

Answer A is correct. A hot site would be the best option in the case of a disaster because it already has hardware, connectivity, and near-current data in place and can be up and running faster than any of the other solutions listed. A backup server at the offsite location is only a single facet of a disaster recovery plan; on its own it provides no facility for users to work from. Warm sites and cold sites require progressively more setup time, so they do not offer as little downtime as hot sites.

Which of the following enables a person to view the IP headers on a data packet? A. Protocol analyzer B. NIDS C. Firewall D. L2 switch

Answer A is correct. A protocol analyzer (or packet sniffer, such as Wireshark or tcpdump) captures packets and decodes them layer by layer, so a person can view the contents of each, including the IP header fields (version, TTL, protocol, source and destination addresses). A network intrusion detection system (NIDS) detects malicious activity on a network; it inspects packets too, but it produces alerts, not headers for a human to read. Firewalls protect a network by filtering traffic according to port, address, and protocol. L2 switches are central connecting devices for computers on a LAN; they forward frames by MAC address and do not look at IP headers.
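Added example (not from the original page): a minimal decoder for the fixed IPv4 header, which is what a protocol analyzer shows in its IP layer. The packet bytes are a constructed sample (the often-reproduced 192.168.0.1 to 192.168.0.199 UDP header, which carries a correct checksum) followed by eight dummy payload bytes; options are returned raw rather than decoded.

```python
import ipaddress
import struct

# Constructed sample packet: a 20-byte IPv4 header with a valid checksum
# (0xb861), followed by 8 bytes standing in for a truncated UDP payload.
SAMPLE = bytes.fromhex(
    "4500 0073 0000 4000 4011 b861 c0a8 0001 c0a8 00c7"
) + b"\x00" * 8

PROTOCOLS = {1: "ICMP", 6: "TCP", 17: "UDP"}

def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum of 16-bit words (RFC 1071). Computed over a valid
    header with its checksum field included, the result is 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:                      # fold carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def parse_ipv4_header(packet: bytes) -> dict:
    """Decode the RFC 791 header fields from the start of a raw packet."""
    if len(packet) < 20:
        raise ValueError("too short for an IPv4 header")
    (ver_ihl, tos, total_len, ident, flags_frag, ttl, proto,
     checksum, src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    version = ver_ihl >> 4
    ihl = (ver_ihl & 0x0F) * 4              # header length in bytes (20..60)
    if version != 4:
        raise ValueError("not IPv4 (version %d)" % version)
    if ihl < 20 or ihl > len(packet):
        raise ValueError("bad IHL %d" % ihl)
    return {
        "version": version,
        "header_len": ihl,
        "tos": tos,
        "total_len": total_len,
        "id": ident,
        "dont_fragment": bool(flags_frag & 0x4000),
        "more_fragments": bool(flags_frag & 0x2000),
        "frag_offset": (flags_frag & 0x1FFF) * 8,   # offset is in 8-byte units
        "ttl": ttl,
        "protocol": PROTOCOLS.get(proto, str(proto)),
        "checksum": checksum,
        "checksum_ok": ipv4_checksum(packet[:ihl]) == 0,
        "src": str(ipaddress.IPv4Address(src)),
        "dst": str(ipaddress.IPv4Address(dst)),
        "options": packet[20:ihl],
    }

if __name__ == "__main__":
    for field, value in parse_ipv4_header(SAMPLE).items():
        print("%-15s %s" % (field, value))
```

A sniffer does exactly this for every layer: unpack the fixed fields, derive the variable-length part from IHL, and recompute the checksum so a corrupted or deliberately malformed header stands out.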

Jane is a system administrator and must revoke the access of a user who has been terminated. Which policy must she implement? A. Disable user account B. Password expiration C. Password recovery D. Account lockout

Answer A is correct. If an employee is terminated, the employee's account should be disabled. This way, the employee will not be able to log in to the system, but the history of the user account is still intact and can be viewed by administrators if necessary. There is no need to modify the password recovery or expiration settings. The password will no longer do the user any good, and the administrator should be able to access anything the employee did. Even if the user password is required, the administrator can reset it. It would be unwise to lock out the user, because many policies have a timeout on the lockout, thus allowing the user to log back in later on.

Users on your network are identified with tickets. Which of the following systems is being used? A. Kerberos B. RADIUS C. TACACS+ D. LDAP

Answer A is correct. Kerberos is the only authentication system listed that uses tickets to identify users; the ticketing system proves the identity of users. RADIUS uses authentication schemes such as CHAP and EAP. RADIUS and TACACS+ are normally used for remote authentication of users, whereas Kerberos is used in domains. TACACS+ uses TCP, and RADIUS uses UDP for connections. LDAP is used for accessing and modifying directory services data.

What is the purpose of LDAP authentication services? A. To act as a single point of management B. To implement MAC C. To issue one-time passwords D. To prevent multifactor authentication

Answer A is correct. LDAP (Lightweight Directory Access Protocol) contains the directory for a network and allows for a single point of user management of that directory. Multifactor authentication is when more than one type of identification is required to gain access to a system, network, or building. MAC (mandatory access control) is a type of access control system not usually associated with LDAP. One-time passwords can be issued by several technologies, including RSA tokens.

Which of the following is the best reason to perform a penetration test? A. To determine the potential impact of a threat against your network B. To passively test security controls C. To identify all vulnerabilities and weaknesses within your network D. To find the security posture of the network

Answer A is correct. Penetration tests are usually designed to simulate a particular attack, allowing the administrator to determine the potential impact of that threat to the network. Penetration tests are not designed to identify all vulnerabilities and weaknesses; to do that, you would use a vulnerability scanner, among other things. Penetration tests are not passive; they are active tests that should be done off-hours and with much preparation beforehand. The security posture of the network is usually discerned by security assessments and baseline reporting.

Which of the following descriptions is true concerning external security testing? A. External security testing is conducted from outside the organization's security perimeter. B. External security testing is conducted from outside the perimeter switch but inside the organization's firewall. C. External security testing is conducted from outside the building where an organization's servers are hosted. D. External security testing is conducted from outside the perimeter switch but inside the border router.

Answer A is correct. Proper external security testing should be conducted from outside the organization's security perimeter, wherever that might be. It is generally outside of devices such as switches, routers, firewalls, and so on. The security perimeter may encompass more than one building; a proper external security test in this case can test an entire campus-area network.

RAID is most concerned with what? A. Availability B. Integrity C. Confidentiality D. Baselining

Answer A is correct. RAID is most concerned with availability—the uptime of hard drives and the accessibility of data regardless of faults. Baselining can be accomplished with various tools, such as Performance Monitor. Confidentiality can be achieved with encryption. Integrity can be brought about by way of hashing.

Which of the following is not a record of the tracked actions of users? A. Application log B. Security log C. Previous logon notification D. Audit trails

Answer A is correct. The Application log is not a record of the tracked actions of users; it shows events raised by built-in Windows applications or third-party applications. Previous logon notification, audit trails, and security logs are all records of the tracked actions of users.

Ann has been asked by her boss to periodically ensure that a domain controller/DNS server maintains the proper security configuration. Which of the following should she review? A. User rights B. WINS configuration C. NIPS logs D. Firewall logs

Answer A is correct. The best answer is user rights. A domain controller is in charge of user accounts and the rights and permissions associated with those users, so reviewing user rights (who can log on locally, back up files, take ownership, and so on) directly checks the server's security configuration. The domain controller may run a host-based firewall, but firewall logs show traffic decisions, not the server's configuration; more often the firewall of interest is a network device anyway. A NIPS (network intrusion prevention system) is external to the server and usually sits at the perimeter of the network. The WINS configuration can be reviewed to verify the security of the WINS database and service, but it says nothing about the security configuration of a domain controller/DNS server. Also, a server that runs DNS is unlikely to be running the legacy WINS service as well.

Tim needs to collect data from users who utilize an Internet-based application. Which of the following should he reference before doing so? A. Privacy policy B. Secure code review C. SOX D. Acceptable use policy

Answer A is correct. Tim should refer to his organization's privacy policy before collecting any data from users of the Internet-based application. This policy dictates what information may be collected, for what purpose, and how it must be handled. Secure code reviews check for incorrect and possibly risky coding techniques in applications. SOX stands for the Sarbanes-Oxley Act, a US law that sets financial reporting and internal control requirements for public companies and the accounting firms that audit them; it does not govern whether user data may be collected. Acceptable use policies (AUPs) state how a network or system may be used.

What type of cloud service is webmail known as? A. Software as a Service B. Infrastructure as a Service C. Platform as a Service D. Remote Desktop

Answer A is correct. Webmail can be classified as Software as a Service (SaaS). This is when an external provider (in the cloud) offers e-mail services that a user can access with a web browser. Examples include Gmail and Outlook.com. Remote Desktop, or RDP, allows a person to remotely control another computer; it is a protocol, not a cloud service model. Platform as a Service (PaaS) is when a cloud-based service provider offers an entire application development and hosting platform that can be accessed via a web browser or other third-party application. Infrastructure as a Service (IaaS) is when a cloud-based service provider offers the underlying compute, storage, and network building blocks (virtual machines, disks, virtual networks) on which the customer runs its own operating systems and software.

What is the purpose of a chain of custody as it is applied to forensic image retention? A. To provide data integrity B. To provide documentation as to who handled the evidence C. To provide a baseline reference D. To provide proof the evidence hasn't been tampered with

Answer B is correct. A chain of custody is the chronological documentation of evidence: who collected it, who has handled it, when, and for what purpose. A procedure defines how each entry is recorded so that the record stands up in court. Baseline references and baseline reporting deal with checking the security posture of a system, as in a security posture assessment. To prove that the image hasn't been tampered with (to prove its integrity), a security professional hashes the image (for example with SHA-256) at acquisition and re-checks the hash whenever it changes hands. The chain of custody records who handled the evidence; the hash proves that what they handled was unchanged.
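Added example (not from the original page): hashing a forensic image and keeping a chain-of-custody log that re-verifies the hash on every handover. The image bytes, case identifier and handler names are constructed; in a real workflow the acquired file on disk would be hashed and the log would be signed or kept in a case-management system.

```python
import hashlib
import json
from datetime import datetime, timezone

# Constructed stand-in for a disk image (a real one is a raw or E01 file on disk).
IMAGE = bytes(range(256)) * 8 + b"EXAMPLE FILESYSTEM DATA" + b"\x00" * 4096

def hash_image(data: bytes, algorithm: str = "sha256") -> str:
    """Hash the image in chunks, the way a multi-gigabyte file would be streamed."""
    h = hashlib.new(algorithm)
    chunk = 1 << 20
    for offset in range(0, len(data), chunk):
        h.update(data[offset:offset + chunk])
    return h.hexdigest()

class ChainOfCustody:
    """Chronological record of who handled an evidence item, when, and why.

    The hash recorded at acquisition is the reference. Every later entry
    re-hashes the copy being handed over, so integrity is re-checked at each
    transfer rather than asserted once."""

    def __init__(self, evidence_id: str, acquired_hash: str, algorithm: str = "sha256"):
        self.evidence_id = evidence_id
        self.acquired_hash = acquired_hash
        self.algorithm = algorithm
        self.entries = []

    def record(self, action: str, handler: str, image_hash: str,
               timestamp: datetime = None, note: str = "") -> dict:
        ts = timestamp or datetime.now(timezone.utc)
        entry = {
            "evidence_id": self.evidence_id,
            "timestamp": ts.isoformat(),
            "action": action,              # acquired / transferred / received / analysed
            "handler": handler,
            "algorithm": self.algorithm,
            "hash": image_hash,
            "hash_matches_original": image_hash == self.acquired_hash,
            "note": note,
        }
        self.entries.append(entry)
        return entry

    def is_intact(self) -> bool:
        """True only if every handover verified the same hash as at acquisition."""
        return all(e["hash_matches_original"] for e in self.entries)

    def to_json(self) -> str:
        return json.dumps(self.entries, indent=2)

if __name__ == "__main__":
    original = hash_image(IMAGE)
    log = ChainOfCustody("CASE-0042/HDD-1", original)
    log.record("acquired", "examiner_a", original, note="hardware write blocker used")
    log.record("received", "examiner_b", hash_image(IMAGE))
    print("intact after handover:", log.is_intact())        # True
    tampered = IMAGE[:-1] + b"\x01"                          # one byte changed in transit
    log.record("received", "lab_c", hash_image(tampered))
    print("intact after tampering:", log.is_intact())        # False
    print(log.to_json())
```

The two controls answer different questions, which is why the exam separates them: the log shows the sequence of custodians, and the repeated hash comparison is what detects that the copy handed to lab_c is no longer the image that was acquired.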

Which of the following devices is used to optimize and distribute data workloads across multiple computers or networks? A. Proxy server B. Load balancer C. VPN concentrator D. Protocol analyzer

Answer B is correct. A load balancer is used to distribute workloads across multiple computers or a computer cluster. The distribution of the workload could be administered through dedicated hardware or with software. VPN concentrators are devices used for remote access. Protocol analyzers are used to examine packets of information that are captured from a computer. Proxy servers act as go-betweens for client computers and the Internet and often cache information that comes from websites.

Which of the following is used to cache content? A. Load balancer B. Proxy C. VPN concentrator D. Firewall

Answer B is correct. A proxy is used to cache or store content for later use. An example of this would be an HTTP proxy that remembers the content of a web page that a client computer accessed. This information can then be accessed by other client computers without the computer having to access the Internet. Firewalls are used to protect a network and secure ports. Load balancers are used to distribute workload across two or more computers or networks. VPN concentrators allow for secure, encrypted remote access.

Which of the following methods will identify which network services are running on a computer? A. Calculate risk B. Determine open ports C. Review baseline reporting D. Review firewall logs

Answer B is correct. By using a port scanner (and some vulnerability scanners), you can identify which ports are open on a computer (or other device), which in turn tells you which network services are likely running on it. For example, if port 80 is open, an HTTP service is probably listening and the computer is most likely acting as a web server. The port number is only a convention, though; a service can be bound to any port, so a banner grab or service-version detection (as nmap's -sV does) confirms what is actually there. All other answers are incorrect because they are unrelated to identifying services running on a computer.
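Added example (not from the original page): a TCP connect scan followed by a banner grab, run against a constructed local listener that pretends to be an SSH daemon so the whole thing works offline. The fake service, its banner and the free_port helper are test fixtures, not anything the question refers to.

```python
import socket
import threading

def tcp_connect_scan(host: str, ports, timeout: float = 0.3):
    """TCP connect scan: connect_ex() == 0 means the three-way handshake completed,
    so something is listening. Needs no privileges, but every probe is a full
    connection the target can log."""
    open_ports = []
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            if s.connect_ex((host, port)) == 0:
                open_ports.append(port)
    return open_ports

def grab_banner(host: str, port: int, timeout: float = 1.0) -> bytes:
    """Read whatever the service says first. The port number is only a hint; the
    banner ('SSH-2.0-...', '220 ... SMTP', ...) says what is really there."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        try:
            return s.recv(256)
        except socket.timeout:
            return b""     # some services (HTTP) wait for the client to speak first

def free_port() -> int:
    """Pick a port that is currently closed (bound, then released) for the demo."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]

def start_fake_service(banner: bytes) -> socket.socket:
    """Constructed local listener standing in for a real daemon (test fixture only).
    Binds port 0 so the OS picks a free port; read it with getsockname()[1]."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:          # listener was closed
                return
            with conn:
                try:
                    conn.sendall(banner)
                except OSError:      # scanner hung up without reading
                    pass

    threading.Thread(target=serve, daemon=True).start()
    return srv

if __name__ == "__main__":
    svc = start_fake_service(b"SSH-2.0-OpenSSH_9.6\r\n")
    port = svc.getsockname()[1]
    found = tcp_connect_scan("127.0.0.1", range(port - 3, port + 4))
    print("open ports:", found)
    for p in found:
        print(p, grab_banner("127.0.0.1", p))
    svc.close()
```

A SYN (half-open) scan would need raw sockets and root; the connect scan here is what an unprivileged user, or a scanner running inside an application container, can actually do. Note that the banner, not the port number, is what identified the service.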

Your organization has implemented cloud computing. Which of the following security controls do you no longer possess? A. Administrative control of data B. Physical control of data C. Logical control of data D. Executive control of data

Answer B is correct. Cloud computing relies on an external service provider. Your organization would still be able to logically manipulate data services and have administrative control over them similar to if the data and services were administered locally. But physical control would be lost and the organization would rely solely on the cloud computing service for hardware, servers, network devices, and so on. In security there is no "executive control" per se as part of a standard security plan, and even if there was, your organization, by definition, would still maintain that control.

A programmer wants to prevent cross-site scripting. Which of the following should the programmer implement? A. Validation of input to remove batch files B. Validation of input to remove hypertext C. Validation of input to remove bit code D. Validation of input to remove shell scripts

Answer B is correct. Cross-site scripting (XSS) is a vulnerability in web applications: an attacker injects HTML or JavaScript (hypertext) into a text field, and the site later echoes it into other users' pages, where the browser executes it. Validating input to remove or reject hypertext is the answer the exam expects; in practice the more reliable control is to encode output for the context in which it is rendered (HTML body, attribute, JavaScript, URL), because not every legitimate field can forbid the characters < and >. Shell scripts, batch files, and Java bytecode ("bit code" in the options) are not associated with XSS attacks.
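Added example (not from the original page): the same comment rendered with and without output encoding, a link renderer for the attribute context, and the exam's "remove hypertext" input check. Function names, the comment markup and the payloads are constructed for the demonstration.

```python
import html

def render_comment_vulnerable(comment: str) -> str:
    # Vulnerable on purpose: untrusted text is spliced straight into the markup,
    # so a comment containing <script> runs in every visitor's browser.
    return '<p class="comment">' + comment + '</p>'

def render_comment_safe(comment: str) -> str:
    # HTML body context: encode & < > " ' as entities. The browser shows them
    # as literal characters instead of parsing them as tags or attributes.
    return '<p class="comment">' + html.escape(comment, quote=True) + '</p>'

SAFE_SCHEMES = ("http://", "https://")

def render_link_safe(url: str, label: str) -> str:
    # URL-in-attribute context: entity encoding alone does nothing against
    # javascript:alert(1), which contains no special characters, so the scheme
    # is checked against an allow-list as well.
    if not url.lower().startswith(SAFE_SCHEMES):
        url = "#"
    return '<a href="%s">%s</a>' % (html.escape(url, quote=True),
                                    html.escape(label, quote=True))

def reject_if_markup(value: str) -> str:
    # The exam's answer: input validation that refuses hypertext outright. Fine
    # for a field such as a user name; unusable for fields that legitimately
    # contain < or >, which is why output encoding is the general control.
    if "<" in value or ">" in value:
        raise ValueError("markup is not allowed in this field")
    return value

if __name__ == "__main__":
    payload = '<script>alert(document.cookie)</script>'
    print(render_comment_vulnerable(payload))
    print(render_comment_safe(payload))
    print(render_link_safe("javascript:alert(1)", "my site"))
    print(render_link_safe('https://example.com/?q=a"b', "x<y"))
```

The three contexts need three different treatments: body text only needs entity encoding, an href needs a scheme allow-list on top, and the "strip the tags" validator is a blunt instrument that only works where the field can tolerate it.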

Your boss has instructed you to shred some confidential documents. Which threat does this mitigate? A. Tailgating B. Dumpster diving C. Baiting D. Shoulder surfing

Answer B is correct. Dumpster diving is a type of social engineering where a person sifts through an organization's paper recycling and garbage in the hopes of finding sensitive or confidential information. Shredding documents makes it nearly impossible for a dumpster diver to re-create the confidential information. Tailgating is when an unauthorized person follows an authorized person into a secured area. Shoulder surfing is when a person attempts to read another user's screen—usually covertly—in an attempt to gain personally identifiable information or secrets. Baiting is when an attacker leaves an infected USB flash drive (or other similar media) in plain view in the hopes that it will be picked up and accessed by a user.

James wants to set up a VPN connection between his main office and a satellite office. Which protocol should he use? A. 802.1X B. IPsec C. RDP D. Telnet

Answer B is correct. IPsec is used to secure VPN connections (such as L2TP tunnels). 802.1X specifies port-based network access control (NAC). RDP is the Remote Desktop Protocol. Telnet is used to remotely connect to other computers and routers, but it is insecure and deprecated and is not used in VPNs.

A user is required to have a password that is 14 characters or more. What is this an example of? A. Password recovery B. Password length C. Password expiration D. Password complexity

Answer B is correct. If a user is required to have a password that is longer than a set number of characters, this is known as a password length requirement. Password recovery deals with self-service resets and password recovery programs. Password complexity refers to passwords that require capital letters, numbers, and special characters. Password expiration is associated with a policy that a system administrator sets that defines how long a password is valid before it needs to be changed.

Kate is allowed to perform a self-service password reset. What is this an example of? A. Password complexity B. Password recovery C. Password length D. Password expiration

Answer B is correct. If a user performs a self-service password reset, this falls into the category of password recovery. For example, if Kate couldn't log in to a shopping portal website, she could ask the site to reset her password; it would then send a time-limited, single-use reset link to her registered e-mail address (e-mailing a new password in the clear is poor practice, since e-mail is neither confidential nor authenticated). Password expiration entails minimum and maximum password ages and specifies how long a user can make use of a password before being required to change it. Password length is a policy that requires a password to be at least x characters long; anything shorter is rejected and a new password requested. Password complexity refers to passwords that require capital letters, numerical characters, and special characters.
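Added example (not from the original page) covering both password questions above: a 14-character minimum length policy and a self-service password recovery flow built on a single-use, expiring reset token. Class and method names, the 15-minute token lifetime and the PBKDF2 iteration count are assumptions chosen for the demonstration; the e-mail delivery step is represented by returning the token from issue_token().

```python
import hashlib
import hmac
import secrets
import time

MIN_PASSWORD_LENGTH = 14          # the length policy from the earlier question
TOKEN_TTL_SECONDS = 15 * 60       # reset links should die quickly (assumed value)

class PasswordRecovery:
    """Self-service reset with a single-use, expiring token.

    The token goes to the user's registered e-mail address; only its SHA-256
    hash is stored, so a copied database row cannot be redeemed. Passwords are
    stored as salted PBKDF2 hashes, never in the clear."""

    def __init__(self):
        self._passwords = {}   # username -> (salt, pbkdf2 hash)
        self._pending = {}     # username -> (token_hash, expires_at)

    @staticmethod
    def _kdf(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

    @staticmethod
    def password_meets_policy(password: str) -> bool:
        return len(password) >= MIN_PASSWORD_LENGTH

    def set_password(self, username: str, password: str) -> None:
        if not self.password_meets_policy(password):
            raise ValueError("password must be at least %d characters" % MIN_PASSWORD_LENGTH)
        salt = secrets.token_bytes(16)
        self._passwords[username] = (salt, self._kdf(password, salt))

    def check_password(self, username: str, password: str) -> bool:
        record = self._passwords.get(username)
        if record is None:
            return False
        salt, stored = record
        return hmac.compare_digest(self._kdf(password, salt), stored)

    def issue_token(self, username: str, now: float = None) -> str:
        """Create the token that would be e-mailed to the user (returned here)."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)                   # 256 random bits
        self._pending[username] = (hashlib.sha256(token.encode()).hexdigest(),
                                   now + TOKEN_TTL_SECONDS)
        return token

    def redeem(self, username: str, token: str, new_password: str, now: float = None) -> bool:
        """Accept the token once, within its lifetime, then set the new password."""
        now = time.time() if now is None else now
        record = self._pending.get(username)
        if record is None:
            return False
        token_hash, expires_at = record
        presented = hashlib.sha256(token.encode()).hexdigest()
        if now > expires_at or not hmac.compare_digest(presented, token_hash):
            return False
        if not self.password_meets_policy(new_password):
            return False            # token stays valid so the user can try again
        del self._pending[username]                         # single use
        self.set_password(username, new_password)
        return True

if __name__ == "__main__":
    svc = PasswordRecovery()
    token = svc.issue_token("kate")
    print("redeem with short password:", svc.redeem("kate", token, "short"))
    print("redeem with policy-compliant password:",
          svc.redeem("kate", token, "correct horse battery staple"))
    print("token reused:", svc.redeem("kate", token, "another long password here"))
    print("login works:", svc.check_password("kate", "correct horse battery staple"))
```

Two details matter beyond the happy path: the stored value is a hash of the token (so a database dump does not hand out working reset links), and the length policy is enforced at the moment the new password is set, so a recovery flow cannot be used to sidestep it.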

Your web server's private key has been compromised by a malicious intruder. What, as the security administrator, should you do? A. Submit the private key to the CRL. B. Submit the public key to the CRL. C. Issue a new CA. D. Use key escrow.

Answer B is correct, as the exam words it. In a PKI, an asymmetric key pair is created: the private key stays secret on the server, and the public key is distributed inside the server's certificate. When the private key is compromised, the certificate that carries that public key must be revoked: the administrator asks the CA to revoke it, and the CA publishes the certificate's serial number in its CRL (and via OCSP) so that clients stop trusting it. The server then generates a new key pair and a new certificate is issued for the new public key. A new CA is not necessary; that would only be needed if the CA itself had been compromised, which is not part of the scenario. The private key is never seen by other entities, so it is not something that gets "submitted"; only the certificate containing the public key is revoked. Key escrow is when copies of keys are held so that an authorized third party can access data if required; it does nothing to address a compromised key.

Which of the following asymmetric keys is used to encrypt data to be decrypted by an intended recipient only? A. Private key B. Public key C. Secret key D. Session key

Answer B is correct. In an asymmetric key system, anyone can use the recipient's public key to encrypt data, but only the holder of the matching private key can decrypt it. A secret key is a symmetric key shared by both parties; it is not another name for a private key. A session key is a temporary symmetric key that encrypts all messages in one communications session; in practice the public key is often used only to protect the exchange of a session key, because asymmetric encryption is far slower than symmetric.

You and several others on the IT team are deciding on an access control model. The IT director wants to implement the strictest access control model available, ensuring that data is kept as secure as possible. Which of the following access control models should you and your IT team implement? A. Discretionary access control B. Mandatory access control C. Role-based access control D. Rule-based access control

Answer B is correct. Mandatory access control (MAC) is the strictest access control model listed in the answers. It is a well-defined model used primarily by the government. It uses security labels to define resources. In the discretionary access control (DAC) model, the owner decides which users are allowed to have access to objects; it is not as strict as MAC. Role-based access control (RBAC) is an access model that, like MAC, is controlled by the system but differs from MAC in the way permissions are configured; it is not as strict as MAC.
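Added example (not from the original page): the label comparison at the heart of mandatory access control, following the Bell-LaPadula rules (no read up, no write down) that are the classic MAC model. Levels, compartments and the subject and object labels are constructed for the demonstration.

```python
from enum import IntEnum

class Level(IntEnum):
    UNCLASSIFIED = 0
    CONFIDENTIAL = 1
    SECRET = 2
    TOP_SECRET = 3

class Label:
    """Security label: a hierarchical level plus a set of compartments (need-to-know).
    Labels are assigned by the system, not by the file's owner, which is what
    makes this mandatory rather than discretionary."""

    def __init__(self, level, compartments=()):
        self.level = Level(level)
        self.compartments = frozenset(compartments)

    def dominates(self, other: "Label") -> bool:
        # A dominates B when A's level is at least B's and A holds every
        # compartment B has. This partial order is all the system enforces.
        return self.level >= other.level and other.compartments <= self.compartments

    def __repr__(self):
        return "Label(%s, %s)" % (self.level.name, sorted(self.compartments))

def can_read(subject: Label, obj: Label) -> bool:
    """Simple security property ("no read up"): the subject must dominate the object."""
    return subject.dominates(obj)

def can_write(subject: Label, obj: Label) -> bool:
    """*-property ("no write down"): the object must dominate the subject, so a
    high-clearance process cannot copy data into a lower-labelled file."""
    return obj.dominates(subject)

if __name__ == "__main__":
    analyst = Label(Level.SECRET, {"CRYPTO"})
    for name, obj in [("crypto report", Label(Level.CONFIDENTIAL, {"CRYPTO"})),
                      ("nuclear memo", Label(Level.SECRET, {"NUCLEAR"})),
                      ("public notice", Label(Level.UNCLASSIFIED)),
                      ("ts crypto file", Label(Level.TOP_SECRET, {"CRYPTO"}))]:
        print("%-15s read=%-5s write=%s" % (name, can_read(analyst, obj), can_write(analyst, obj)))
```

The "no write down" result is the one that surprises people: the SECRET analyst can read the public notice but cannot write to it, because the rule exists to stop classified data leaking into a place the analyst could read it from with a lower clearance. In a DAC model the file owner could simply grant that access; here no user can.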

Which of the following best describes a NIDS? A. Redirects malicious traffic B. Detects malicious network activities such as port scans and DoS attacks C. Filters out various types of Internet activities such as websites accessed D. Used to attract and trap potential attackers

Answer B is correct. NIDS, or network intrusion detection system, detects malicious network activities such as port scans and DoS attacks. A honeypot or honeynet is used to attract and trap potential attackers. An Internet filter filters out various types of Internet activities such as websites accessed. A NIPS, or network intrusion prevention system, removes, detains, or redirects malicious traffic.

A NOP slide is an indication of what kind of attack? A. Smurf attack B. Buffer overflow C. SQL injection D. XSS

Answer B is correct. A NOP slide (more often called a NOP sled) is a technique used when exploiting a buffer overflow. The attacker fills the start of the injected payload with a long run of no-op machine instructions (0x90 on x86) and places the shellcode after it; the overwritten return address then only has to land somewhere in the sled, and execution "slides" through the NOPs into the shellcode. It compensates for not knowing the exact address of the payload on the stack. SQL injections exploit databases. XSS (cross-site scripting) attacks exploit web applications and the browsers of their users. Smurf attacks are DoS attacks.
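Added example (not from the original page): detection-side logic that scans a byte buffer for NOP sleds, first for the plain 0x90 run and then for the single-byte x86 instructions attackers substitute for it to dodge that signature. The sample buffers and the 32-byte threshold are constructed; a real IDS rule would tune the threshold and the byte set per protocol.

```python
# Single-byte 32-bit x86 instructions that serve as NOPs for sled purposes:
# 0x90 is the real NOP; 0x41-0x43 and 0x45-0x47 are "inc reg" on registers the
# shellcode does not care about. Attackers use them to evade 0x90-only rules.
# (In 64-bit code 0x41-0x47 are REX prefixes, so this set is 32-bit specific.)
X86_NOP_EQUIVALENTS = frozenset({0x90, 0x41, 0x42, 0x43, 0x45, 0x46, 0x47})

def find_nop_sleds(data: bytes, min_len: int = 32, nops=frozenset({0x90})):
    """Return (offset, length) for every run of at least min_len bytes drawn from nops."""
    sleds = []
    i, n = 0, len(data)
    while i < n:
        if data[i] in nops:
            start = i
            while i < n and data[i] in nops:
                i += 1
            if i - start >= min_len:
                sleds.append((start, i - start))
        else:
            i += 1
    return sleds

# Constructed samples: a request with a classic sled before a shellcode stand-in
# (0xCC = int3), and the same layout using 'A' (0x41, inc ecx) as the filler.
CLASSIC = b"GET /cgi-bin/x?" + b"\x90" * 64 + b"\xcc" * 16 + b"\x90" * 8
EVASIVE = b"GET /cgi-bin/x?" + b"A" * 64 + b"\xcc" * 16

if __name__ == "__main__":
    print("classic, 0x90 only:  ", find_nop_sleds(CLASSIC))
    print("evasive, 0x90 only:  ", find_nop_sleds(EVASIVE))
    print("evasive, equivalents:", find_nop_sleds(EVASIVE, nops=X86_NOP_EQUIVALENTS))
```

The equivalents set catches the evasion but raises the false-positive rate, since a run of "AAAA..." also appears in benign data such as padding or base64; that trade-off is why sled signatures are usually paired with other indicators (an unusually long field, non-printable bytes after the run) rather than used alone.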

You are the systems administrator for your organization. You have been tasked to block database ports at the firewall. Which port should you block? A. 443 B. 1433 C. 3389 D. 53

Answer B is correct. TCP port 1433 is the default listener for Microsoft SQL Server and should be blocked at the firewall if you want to stop SQL Server traffic from crossing it (the SQL Server Browser service additionally uses UDP 1434). Port 3389 is used by the Remote Desktop Protocol. Port 443 is used by HTTPS. Port 53 is used by DNS.

A proximity card is an example of what? A. Something a user does B. Something a user has C. Something a user is D. Something a user knows

Answer B is correct. Proximity cards are something that a person has; they are tangible items that a person carries with her. In the world of authentication, an example of something the user is would be a thumbprint. An example of something a user knows is a password. An example of something a user does would be a written signature.

Your boss asks you to purchase additional insurance in an effort to reduce risk. What is this an example of? A. Risk elimination B. Risk transference C. Risk avoidance D. Risk acceptance

Answer B is correct. Risk transference is when risk is passed on to an external agency, such as an insurance company. In reality, some insurance companies have a clause that states the risk is still the responsibility of the organization in question, but the term is still the best answer choice listed. There is no such thing as risk elimination; it is impossible to remove all risk. Risk acceptance is when a company is okay with a certain amount of risk and considers it the cost of doing business if a risk does manifest itself. An example of risk avoidance would be if a company decided to shut down a server that was being attacked by botnets sending DDoS attacks every day.

Which is the most secure option when transferring files from one host to another? A. Telnet B. SFTP C. TFTP D. FTP

Answer B is correct. SFTP (SSH File Transfer Protocol) runs as a subsystem of SSH, so authentication, commands, and file contents all travel over an encrypted, integrity-protected channel. Despite the name it is a separate protocol, not FTP tunnelled through SSH (FTP over TLS is FTPS). TFTP (Trivial FTP) is a minimal UDP-based protocol with no authentication or encryption. FTP sends credentials and data in cleartext. Telnet is a remote terminal protocol rather than a file transfer protocol, and it is cleartext and deprecated as well.

Which of the following makes use of three components: a managed device, an agent, and a network management system? A. Security log file B. SNMP C. Wireshark D. Performance Monitor

Answer B is correct. SNMP (Simple Network Management Protocol) is used to monitor and manage network-attached devices and computers. It has three components: the managed devices, the agents that run on them, and the network management system (NMS) that polls the agents and receives their traps. Wireshark is a protocol analyzer. Performance Monitor is a Windows program that analyzes the performance of the resources on a computer, and the Security log is a log within Event Viewer used for auditing.

An attacker uses a method that is meant to obtain information from a specific person. What type of attack is this? A. Fraggle B. Spear phishing C. DNS poisoning D. Pharming

Answer B is correct. Spear phishing is the attempt at fraudulently obtaining information from specific individuals, usually through e-mail. DNS poisoning is a compromise of a DNS server's name cache database. Pharming is an attack that redirects a website's traffic to another illegitimate website. A Fraggle attack contains UDP traffic sent to ports 7 and 19; it is a type of DoS attack.

Where would you store a revoked certificate? A. PKI B. CRL C. Recovery agent D. Key escrow

Answer B is correct. The CRL (certificate revocation list) is the CA-signed list that records revoked certificates, identified by serial number, so that relying parties can check a certificate against it before trusting it. Key escrow is when copies of keys are held so that authorized third parties can access information if required. The recovery agent recovers lost keys. PKI stands for public key infrastructure and is the entire system of parts that allows for certificates, certificate authorities, and so on.

You scan the network and find a counterfeit access point that is using the same SSID as an already existing access point. What is this an example of? A. Rogue access point B. Evil twin C. War-driving D. AP isolation

Answer B is correct. The evil twin is another access point or base station that uses the same SSID as an existing access point. It attempts to fool users into connecting to the wrong AP, compromising their wireless session. War-driving is the act of using a vehicle and laptop to find open, unsecured wireless networks. AP isolation compartmentalizes the wireless network and separates each client. Rogue access points are ones that are not part of your wireless network infrastructure.

Sandy is comparing six different computers on a network. She wants to know which of the systems is more susceptible to attack. Which is the best tool for her to use? A. Port scanner B. Vulnerability scanner C. Baseline reporting D. Ping scanner

Answer B is correct. The vulnerability scanner will be able to scan for various vulnerabilities on multiple computers. A port scanner would be the next choice but will only tell Sandy which ports are open, not what vulnerabilities the computers have, and by default it will only work with one computer at a time (although this is configurable). Ping scanners can find out which computers exist on the network, but ping scanners won't display vulnerabilities. Baseline reporting is used to compare a system's current configuration to an older configuration to find out its security posture.

Which of the following gives the user a one-time password? A. PIV B. Tokens C. Single sign-on D. Biometrics

Answer B is correct. Tokens can incorporate a one-time password (OTP), which is a password that is valid for only one session. For example, RSA SecurID time synchronization tokens utilize an OTP. PIV stands for Personal Identity Verification. Single sign-on means that a user can use a single username/password to access multiple systems. Biometrics is the science of authenticating humans by way of their physical characteristics.

You are configuring an 802.11n wireless network. You need to have the best combination of encryption and authorization. Which of the following options should you select? A. WEP and 802.1X B. WPA-Enterprise C. WPA and TKIP D. WPA2-PSK

Answer B is correct. WPA-Enterprise offers a decent level of encryption (WPA) together with strong per-user authentication (Enterprise), which is what the question calls authorization. Enterprise means each user authenticates through 802.1X to a separate RADIUS server (or similar) rather than everyone sharing one key configured on the access point. Although WPA2-PSK offers stronger encryption, a pre-shared key identifies nobody individually, so it does not offer per-user authentication the way an enterprise configuration does. The combination of WEP and 802.1X does offer per-user authentication, but WEP is broken and deprecated and is not recommended in any scenario. Combining WPA and TKIP offers the same level of encryption as WPA-Enterprise but no per-user authentication.

Your organization's network has a main office and has two remote sites that connect back to the main office solely. You have been tasked with blocking Telnet access into the entire network. Which would be the best way to go about this? A. Block port 23 on each of the L2 switches at the remote sites. B. Block port 23 on the main office's firewall. C. Block port 25 on the main office's firewall. D. Block port 25 on each of the L2 switches at the remote sites.

Answer B is correct. You should block port 23 on the main office's firewall because, by default, Telnet uses port 23. By blocking port 23 on the main office's firewall, you will by default be blocking it for the entire network in the scenario. Port 25 is used by SMTP. L2 (Layer 2) switches deal with MAC addresses and other principles of the data link layer of the OSI model. They do not usually have the option to block particular TCP/IP ports.

HIDS and NIDS are similar intrusion detection systems. However, one is for individual computers, and the other is for networks. Which of the following would a HIDS be installed to monitor? A. Network adapter performance B. Temporary Internet files C. System files D. CPU performance

Answer C is correct. A HIDS, or host-based intrusion detection system, is software installed to an individual computer to monitor important files and watch for intrusions. System files are some of the most important files that will be monitored by a HIDS. Temporary Internet files are not nearly as important and are usually removed automatically by way of a policy in many organizations. CPU and network adapter performance is usually monitored by some type of performance monitoring program; these are often built into the operating system.

Your boss speculates that an employee in a sensitive position is committing fraud. What is the best way to identify if this is true? A. Separation of duties B. Due diligence C. Acceptable usage policy D. Mandatory vacations

Answer D is correct. Mandatory vacations should be implemented to help detect (and possibly stop) fraud, sabotage, or other malicious activity on the part of a person working in a sensitive position in an organization. Separation of duties (and job rotation) is employed when more than one person is utilized to complete a task. Although this might be a way to identify fraud, it does not take into account the possibility that one user is still committing fraud without the other user(s) noticing. It also doesn't take into account the chance that all users involved in the job rotation system could be committing fraud together. Mandatory vacations are a better method of detecting ongoing fraud. Due diligence ensures that IT risks are known and managed. Acceptable usage policies define the rules that restrict how a system may be used.

Which of the following only encrypts the password portion of a packet between the client and server? A. TACACS+ B. XTACACS C. TACACS D. RADIUS

Answer D is correct. RADIUS only obfuscates the User-Password attribute of an Access-Request packet sent between the client (the NAS) and the server; the rest of the packet, including the user name, travels in cleartext, and the password hiding is an MD5-based XOR keyed with the shared secret rather than true encryption. TACACS+ encrypts the entire body of the packet, leaving only the header visible. TACACS and XTACACS are its obsolete predecessors.
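Added example (not from the original page): the RFC 2865 User-Password hiding that is the only protection RADIUS applies, the matching server-side reversal, and a small TLV encoder showing that User-Name sits beside it in cleartext. The shared secret, password and Request Authenticator are constructed; a fixed Request Authenticator is used in the test only to show why it must be random.

```python
import hashlib
import secrets

def radius_hide_password(password: bytes, shared_secret: bytes, request_authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2 User-Password hiding.
    b1 = MD5(S + RA), c1 = p1 XOR b1; then b(i) = MD5(S + c(i-1)), c(i) = p(i) XOR b(i)."""
    if len(request_authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not 1 <= len(password) <= 128:
        raise ValueError("password must be 1 to 128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)      # pad to 16-byte blocks
    out, prev = bytearray(), request_authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(shared_secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out += block
        prev = block                    # next keystream block is chained on the ciphertext
    return bytes(out)

def radius_reveal_password(hidden: bytes, shared_secret: bytes, request_authenticator: bytes) -> bytes:
    """Server side: regenerate the same keystream, XOR again, strip the null padding."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden password must be a non-empty multiple of 16 bytes")
    out, prev = bytearray(), request_authenticator
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(shared_secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(block, keystream))
        prev = block
    return bytes(out).rstrip(b"\x00")

def access_request_attributes(username: bytes, hidden_password: bytes) -> bytes:
    """Type-Length-Value attributes of an Access-Request. User-Name (type 1) goes
    on the wire as-is; only User-Password (type 2) received the treatment above."""
    def tlv(attr_type: int, value: bytes) -> bytes:
        return bytes([attr_type, 2 + len(value)]) + value
    return tlv(1, username) + tlv(2, hidden_password)

if __name__ == "__main__":
    secret = b"xyzzy5461"             # shared secret between NAS and server (constructed)
    ra = secrets.token_bytes(16)      # Request Authenticator: must be fresh per request
    hidden = radius_hide_password(b"arctangent", secret, ra)
    print("hidden:", hidden.hex())
    print("revealed:", radius_reveal_password(hidden, secret, ra))
    print("attributes:", access_request_attributes(b"nemo", hidden))
```

Two things the code makes visible: the user name is a plain TLV next to the hidden password, and the first keystream block depends only on the secret and the Request Authenticator, so if a NAS reuses an authenticator the XOR of two hidden passwords equals the XOR of the two plaintexts. That is why RADIUS is expected to run over IPsec or inside a TLS tunnel (RadSec) when it crosses an untrusted network.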

Which of the following provides a user with a rolling password for one-time use? A. PIV card B. CAC card C. Multifactor authentication D. RSA tokens

Answer D is correct. RSA tokens (and other hardware or software tokens) provide a user with an OTP (one-time password) that changes on a schedule. PIV cards are Personal Identity Verification cards, the smart card specified by NIST (FIPS 201) for US federal employees and contractors. CACs are the Common Access Cards used by the DoD. Neither card generates OTPs; they carry certificates and private keys on a chip. Multifactor authentication is when a user must provide two or more different types of identification before being authenticated to a building, computer, or network; for example, a password (something you know) used together with a smart card (something you have).

You need to monitor network devices on your network. Which of the following protocols will best help you complete this task? A. ICMP B. NetBIOS C. SMTP D. SNMP

Answer D is correct. SNMP (Simple Network Management Protocol) is the protocol that network monitoring programs use to poll device parameters from, and receive traps from, routers, switches, and servers. Use SNMPv3 with authentication and privacy wherever possible; SNMPv1 and v2c send their community strings in cleartext. ICMP stands for Internet Control Message Protocol, which, among other things, is an integral part of the ping command. SMTP stands for Simple Mail Transfer Protocol, which is used to send mail. NetBIOS stands for Network Basic Input/Output System and provides name services.

What should be incorporated with annual awareness security training? A. Implementation of security controls B. User rights and permissions review C. Succession planning D. Signing of a user agreement

Answer D is correct. Security awareness training should be coupled with the signing of a user agreement, in which the user acknowledges and accepts specific rules of behavior and conduct, along with any confidentiality obligations covered in the training. Some organizations add other policies that the user must agree to as well. Implementation of security controls is part of carrying out a security plan, not part of the training itself. User rights and permissions reviews are part of security audits. Succession planning identifies and prepares replacements for key personnel so that critical roles are not single points of failure; it is not tied to awareness training.

You have been hired by an organization to design the security for its banking software. You need to implement a system where tasks involving the transfer of money require action by more than one user. Activities should be logged and audited often. What access control method should you implement? A. Job rotation B. Least privilege C. Implicit deny D. Separation of duties

Answer D is correct. Separation of duties is when more than one person is required to complete a task. If one person has too much control and completes too many portions of a task, it becomes a security risk. Checks and balances are employed to make sure that the proper equilibrium of users is maintained, and in a banking context the rule is usually stated as dual control: the person who initiates a transfer may not be the person who approves it. Job rotation, in which staff periodically move between roles, is one of the checks and balances that can support separation of duties; it gives staff broader insight into operations and makes long-running fraud harder to hide. Implicit deny denies access to resources by default unless the user is specifically granted access to that resource. Least privilege is when a user or a program is given only the amount of privileges needed to do the job and not one bit more.
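
The dual-control rule described above, as an added example that is not part of the original page: a transfer request cannot be approved by the user who created it, it needs the configured number of distinct approvers before it executes, and every action is appended to an audit trail. The user names, account numbers and amounts are constructed for illustration.

```python
"""Dual control for money transfers (separation of duties).

Added example; not code from the original page. The requester can never
approve their own transfer, a configurable number of distinct approvers
is required before execution, and every attempt (allowed or denied) is
written to an append-only audit list. Names and accounts are constructed.
"""
import datetime
from dataclasses import dataclass, field


class SeparationOfDutiesError(Exception):
    """Raised when one user tries to fill two roles in the same transfer."""


@dataclass
class TransferRequest:
    request_id: int
    requester: str
    src: str
    dst: str
    amount_cents: int                      # integer cents avoid float rounding
    approvals: set = field(default_factory=set)
    executed: bool = False


class TransferSystem:
    def __init__(self, required_approvals: int = 1):
        self.required_approvals = required_approvals
        self.requests: dict[int, TransferRequest] = {}
        self.audit: list[str] = []         # append-only log for later review
        self._next_id = 1

    def _log(self, actor: str, action: str, request_id: int, outcome: str) -> None:
        stamp = datetime.datetime.now(datetime.timezone.utc).isoformat()
        self.audit.append(f"{stamp} actor={actor} action={action} "
                          f"request={request_id} outcome={outcome}")

    def request(self, user: str, src: str, dst: str, amount_cents: int) -> int:
        """Create a pending transfer; returns its id."""
        req = TransferRequest(self._next_id, user, src, dst, amount_cents)
        self.requests[req.request_id] = req
        self._next_id += 1
        self._log(user, "request", req.request_id, "created")
        return req.request_id

    def approve(self, user: str, request_id: int) -> int:
        """Record an approval by a user other than the requester; returns approval count."""
        req = self.requests[request_id]
        if user == req.requester:
            self._log(user, "approve", request_id, "denied-self-approval")
            raise SeparationOfDutiesError("requester may not approve own transfer")
        if user in req.approvals:
            self._log(user, "approve", request_id, "denied-duplicate")
            raise SeparationOfDutiesError("user already approved this transfer")
        req.approvals.add(user)
        self._log(user, "approve", request_id, "approved")
        return len(req.approvals)

    def execute(self, user: str, request_id: int) -> bool:
        """Move the money only once enough distinct approvals exist."""
        req = self.requests[request_id]
        if req.executed:
            self._log(user, "execute", request_id, "denied-already-executed")
            raise SeparationOfDutiesError("transfer already executed")
        if len(req.approvals) < self.required_approvals:
            self._log(user, "execute", request_id, "denied-insufficient-approvals")
            raise SeparationOfDutiesError(
                f"need {self.required_approvals} approval(s), have {len(req.approvals)}")
        req.executed = True                # the real ledger update would go here
        self._log(user, "execute", request_id, "executed")
        return True


if __name__ == "__main__":
    bank = TransferSystem(required_approvals=1)
    rid = bank.request("alice", "ACC-100", "ACC-200", 150_000)
    try:
        bank.approve("alice", rid)         # blocked: same person, two roles
    except SeparationOfDutiesError as e:
        print("blocked:", e)
    bank.approve("bob", rid)
    bank.execute("alice", rid)
    print("\n".join(bank.audit))
```

Raising the approver count to two gives four-eyes plus a second reviewer for large amounts; the audit list is what an auditor would pull to confirm that no single identity both requested and approved a transfer.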

Which of the following should you install to stop unwanted and unsolicited e-mails? A. Virus definitions B. Spyware definitions C. Pop-up blockers D. Spam filters

Answer D is correct. Spam filters filter out spam (unwanted, unsolicited e-mail). They can be configured in most e-mail programs, on the mail server, or as part of an anti-malware package. Spyware definitions update an anti-spyware application so that it recognizes current spyware, making web browsing sessions safer. Pop-up blockers remove many of the pop-up windows common on websites. Virus definitions should be updated often so that the antivirus engine can recognize and block current viruses.

Which of the following can prevent tailgating? A. Proximity cards B. Video cameras C. Biometrics D. Mantraps

Answer D is correct. Tailgating is when an unauthorized user follows an authorized user into a secured area (usually without that person's consent). A mantrap (also called an access control vestibule) is a pair of interlocking doors that admits one person at a time: the second door will not open until the first has closed and the occupant has authenticated, so a tailgater is held in the vestibule rather than passing through. Video cameras and video surveillance record when a person entered or exited a building or other area, which helps investigation but does not stop the tailgater. Biometrics authenticate people according to their physical attributes. Proximity cards are used in electronic door systems; a tailgater simply walks through the door the cardholder opened.

You have been asked by your boss to protect the confidentiality of sensitive data entered into a database table. What is the quickest and easiest method to use? A. Secure Copy B. Biometrics C. Encryption D. Hashing

Answer C is correct. Encryption is commonly used to protect the confidentiality of sensitive data entered into a database table. It transforms information with an algorithm and a key into a form that is unreadable by anyone who does not hold the key, and it is the quickest of the listed options to apply to a column or table. Hashing is a one-way function: databases use it for indexing and lookups, and it protects the integrity of stored data (or stores password verifiers), but a hashed value cannot be turned back into the original data, so it cannot protect information the application must later read. Secure Copy (SCP) is used to securely transfer files between two computers. Biometrics is the science of identifying humans from their physical characteristics.

Jake is in the process of running a bulk data update. However, the process writes incorrect data throughout the database. What has been compromised? A. Availability B. Accountability C. Integrity D. Confidentiality

Answer C is correct. If incorrect data has been written throughout the database, then the integrity of the data has been compromised. The data is still secret, or as confidential as it is supposed to be. It is still available, although the data will now have errors. Someone (or something) needs to be held accountable for this problem, but accountability isn't necessarily something that can be compromised in the way that the other three concepts of the CIA triad can be.

Eliot just finished taking a forensic image of a server's memory. What should he employ to ensure image integrity? A. Run the image through AES-128. B. Make a duplicate of the image. C. Compress the image. D. Run the image through SHA-2.

Answer D is correct. The SHA-2 hash function family consists of six algorithms (SHA-224, SHA-256, SHA-384, SHA-512, SHA-512/224, and SHA-512/256), of which SHA-256 and SHA-512 are the most common. A hash computed immediately after acquisition and recorded alongside the image proves integrity: anyone can re-hash the image later and compare the digests. Compressing the image would only decrease the storage space needed for it; it would not ensure integrity. Running the image through AES-128 would encrypt it, ensuring confidentiality but not integrity. Making a duplicate would allow for availability but not integrity; in fact, integrity might be compromised by the copy process itself unless both copies are hashed and compared.
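
The hash-then-verify workflow above, as an added example that is not part of the original page: the image is read in fixed-size chunks so that a multi-gigabyte memory dump never has to fit in RAM, the digest is recorded in sha256sum format next to the image, and the same routine re-verifies the copy later. The "image" used by demo() is constructed random data written to a temporary directory, not a real memory capture.

```python
"""Recording and re-verifying the SHA-256 of a forensic image.

Added example; not code from the original page. hash_file() streams the
file in 1 MiB chunks, write_manifest() stores '<digest>  <filename>'
(the sha256sum format) beside the image, and verify_manifest() re-hashes
and compares. demo() builds a constructed stand-in for an image, verifies
it, corrupts one byte, and verifies again.
"""
import hashlib
import hmac
import os
import tempfile

CHUNK_SIZE = 1024 * 1024  # 1 MiB reads keep memory flat for large images


def hash_file(path: str, algorithm: str = "sha256") -> str:
    """Hex digest of a file, streamed in chunks."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK_SIZE), b""):
            h.update(chunk)
    return h.hexdigest()


def hash_bytes_via_file(data: bytes, algorithm: str = "sha256") -> str:
    """Helper: write bytes to a temp file and hash it through hash_file()."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "blob.bin")
        with open(path, "wb") as f:
            f.write(data)
        return hash_file(path, algorithm)


def write_manifest(image_path: str, algorithm: str = "sha256") -> str:
    """Write the digest next to the image; returns the manifest path."""
    digest = hash_file(image_path, algorithm)
    manifest_path = f"{image_path}.{algorithm}"
    with open(manifest_path, "w") as f:
        f.write(f"{digest}  {os.path.basename(image_path)}\n")
    return manifest_path


def verify_manifest(image_path: str, manifest_path: str,
                    algorithm: str = "sha256") -> bool:
    """Re-hash the image and compare against the recorded digest."""
    with open(manifest_path) as f:
        expected = f.read().split()[0]
    actual = hash_file(image_path, algorithm)
    return hmac.compare_digest(expected, actual)


def demo() -> tuple:
    """Returns (verified_before_change, verified_after_one_byte_flip)."""
    with tempfile.TemporaryDirectory() as d:
        image = os.path.join(d, "memdump.raw")
        with open(image, "wb") as f:
            f.write(os.urandom(3 * CHUNK_SIZE + 123))   # constructed image data
        manifest = write_manifest(image)
        before = verify_manifest(image, manifest)
        with open(image, "r+b") as f:        # simulate a single corrupted byte
            f.seek(CHUNK_SIZE + 7)
            original = f.read(1)
            f.seek(CHUNK_SIZE + 7)
            f.write(bytes([original[0] ^ 0x01]))
        after = verify_manifest(image, manifest)
    return before, after


if __name__ == "__main__":
    print("before/after corruption:", demo())
```

Record the digest in the chain-of-custody notes as well as in the manifest file; a manifest stored only next to the image can be altered by the same person who alters the image.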

A thumb drive has been used to compromise systems and enable unauthorized access. What kind of malware was most likely installed to the thumb drive? A. Logic bomb B. Bot C. Trojan D. Virus

Answer C is correct. Trojans are used to access a system without authorization. They can be installed on USB flash drives, can be remote access programs, or could be unwittingly stumbled upon when accessing disreputable websites. The key phrase here is "unauthorized access"; that is what the Trojan is trying to achieve. A bot is a computer that performs actions without the user's consent and is often controlled by a remote master computer. Although the bot itself doesn't provide unauthorized access, a Trojan might carry a bot program as part of its payload. A logic bomb is malicious code that lies dormant until a condition is met (a date, or an event such as a user account being removed) and then triggers a malicious function; it is not a means of gaining access. Viruses infect a computer but are not used for unauthorized access.

You surmise that a user's session was interrupted by an attacker who inserted malicious code into the network traffic. What attack has occurred? A. DoS B. Spoofing C. Phishing D. Man-in-the-middle

Answer D is correct. A man-in-the-middle (MITM) attack occurs when an attacker intercepts data between a client and a server and modifies it in transit, here by injecting malicious code into the session. DoS attacks are denial-of-service attacks meant to disrupt a server. Spoofing is when an attacker masquerades as another person or host. Phishing is when an attacker attempts to obtain information from a person via e-mail.

Which of the following describes an application that accepts more input than it was originally expecting? A. Denial of service (DoS) B. Sandbox C. Brute force D. Buffer overflow

Answer D is correct. Buffer overflows occur when an application or an operating system accepts more input than the buffer it was allocated can hold, so the excess overwrites adjacent memory. This can cause erratic behavior, especially if the affected memory already holds other data such as return addresses, and is the basis of many code execution exploits. A denial of service is a network attack perpetrated on servers to stop them from performing their proper functions for users. A sandbox is an isolated execution environment (for a web script, a browser tab, or an untrusted program) that limits what the code can touch; it is often used in testing and malware analysis. Brute force is a type of password-cracking attack.

You want to stop malicious eavesdroppers from capturing network traffic. What should you implement? A. HVAC shielding B. Hot and cold aisles C. Video surveillance D. EMI shielding

Answer D is correct. EMI shielding can be implemented as shielded network cable (STP), as enclosures for network devices, or as shielding for an entire server room. If a malicious user cannot pick up the electromagnetic emanations from cables and devices, they cannot capture network traffic that way. Hot and cold aisles are used for heating and cooling in data centers and server rooms. Video surveillance is used to find out when a person entered or left a building or secure area. HVAC shielding is used to prevent interference with network cables and network devices.

Your organization uses a type of cryptography that provides good security but uses smaller key sizes and utilizes logarithms that are calculated against a finite field. Which type of cryptography does your organization use? A. Quantum cryptography B. Diffie-Hellman C. RSA D. Elliptic curve

Answer D is correct. Elliptic curve cryptography (ECC) is based on the difficulty of the discrete logarithm problem in the group of points on an elliptic curve defined over a finite field. It achieves comparable security with far smaller keys than other asymmetric methods: a 256-bit ECC key is roughly equivalent in strength to a 3072-bit RSA key. Quantum cryptography is a newer approach based on quantum mechanics rather than computational hardness. Diffie-Hellman is a key exchange based on the discrete logarithm problem in the finite field of integers modulo a large prime; its elliptic curve variant, ECDH, is now the common form. RSA is an asymmetric algorithm based on integer factorization and uses much larger keys.
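
A finite-field Diffie-Hellman exchange at toy size, as an added example that is not part of the original page. Both parties agree on a prime p and generator g, each picks a private exponent, and both arrive at the same shared secret; brute_force_dlog() then recovers a private exponent from the public values, which is exactly the attack that large key sizes (or elliptic curves, where no comparable shortcut is known) are meant to make infeasible. The parameters p = 23 and g = 5 are the classic textbook toy values, not a group anyone should deploy.

```python
"""Diffie-Hellman over a finite field at toy size, plus the discrete
logarithm attack that the key size is meant to defeat.

Added example; not code from the original page. p=23, g=5 and the private
exponents 6 and 15 are textbook toy parameters. Real finite-field DH uses
a 2048-bit or larger prime; ECDH reaches the same strength with 256-bit
keys because the elliptic curve discrete logarithm has no known
sub-exponential attack.
"""
import secrets


def dh_public(g: int, p: int, private: int) -> int:
    """Public value g^private mod p."""
    return pow(g, private, p)


def dh_shared(peer_public: int, private: int, p: int) -> int:
    """Shared secret peer_public^private mod p (identical on both sides)."""
    return pow(peer_public, private, p)


def random_private(p: int) -> int:
    """Private exponent drawn uniformly from [1, p-2]."""
    return 1 + secrets.randbelow(p - 2)


def brute_force_dlog(g: int, p: int, target: int):
    """Solve g^x mod p == target by exhaustive search.

    Linear in p, so only feasible for toy primes. For a 2048-bit p the
    search space is astronomically large; that gap between easy
    exponentiation and hard logarithm is the whole security argument.
    """
    acc = 1
    for x in range(p - 1):
        if acc == target:
            return x
        acc = acc * g % p
    return None


def demo(p: int = 23, g: int = 5, a: int = 6, b: int = 15) -> tuple:
    """Run an exchange, then break it from the public values alone."""
    alice_pub = dh_public(g, p, a)           # 5^6  mod 23 = 8
    bob_pub = dh_public(g, p, b)             # 5^15 mod 23 = 19
    alice_secret = dh_shared(bob_pub, a, p)
    bob_secret = dh_shared(alice_pub, b, p)
    assert alice_secret == bob_secret
    # An eavesdropper sees only p, g, alice_pub and bob_pub ...
    recovered_a = brute_force_dlog(g, p, alice_pub)
    # ... and, having solved the log, derives the same secret.
    eavesdropper_secret = dh_shared(bob_pub, recovered_a, p)
    return alice_pub, bob_pub, alice_secret, recovered_a, eavesdropper_secret


def random_exchange(p: int = 23, g: int = 5) -> bool:
    """Both sides agree on the secret for any private values."""
    a, b = random_private(p), random_private(p)
    return dh_shared(dh_public(g, p, b), a, p) == dh_shared(dh_public(g, p, a), b, p)


if __name__ == "__main__":
    print("alice_pub, bob_pub, secret, recovered a, eavesdropper secret:", demo())
```

With p = 23 the attacker needs at most 22 multiplications; the same loop against a 2048-bit modulus does not finish, and the best known algorithms for that problem are still sub-exponential, which is why finite-field DH needs such large parameters while ECDH does not.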

A co-worker's laptop has been compromised. What is the best way to mitigate data loss? A. Common Access Card B. Strong password C. Biometric authentication D. Full disk encryption

Answer D is correct. Full disk encryption is the best listed way to mitigate data loss from a stolen or otherwise compromised laptop because the contents of the disk are unreadable without the key. Note that FDE protects data at rest only: once the laptop is booted and unlocked, the volume is transparent to whoever controls the running system. A Common Access Card is a smart card/photo ID used by the DoD. Strong passwords are a good idea on portable devices but can be cracked or circumvented more easily than a full disk encryption solution. Biometric authentication can also be bypassed, and neither it nor a password protects the data if the drive is removed and read in another machine.

What is one reason to implement security logging on a DNS server? A. To measure server performance B. To perform penetration testing on the server C. To prevent DNS DoS D. To watch for unauthorized zone transfers

Answer D is correct. Logging on a DNS server lets you monitor for unauthorized zone transfers (AXFR or IXFR requests from hosts that are not your secondaries). Logging only tells you that a transfer occurred; to prevent it, restrict transfers to known secondaries (for example with BIND's allow-transfer directive) and authenticate them with TSIG. Logging does not prevent denial-of-service (DoS) attacks either. Penetration testing is an active exercise performed against the server with scanning and exploitation tools, and performance measurement is done with performance monitoring software; neither is a reason to enable security logging.
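
The detection side described above, as an added example that is not part of the original page: a small script that parses zone-transfer log lines and reports any transfer started by a client that is not on the allow-list of known secondaries. The log lines are constructed to resemble BIND's xfer-out category messages (timestamp, client ip#port, zone, AXFR/IXFR); the addresses are documentation ranges, not real hosts.

```python
"""Flagging unauthorized zone transfers in DNS server logs.

Added example; not code from the original page. SAMPLE_LOG is constructed
to look like BIND xfer-out messages and ALLOWED_SECONDARIES is an assumed
list of legitimate secondary servers. Any AXFR/IXFR start from another
client is reported.
"""
import re

SAMPLE_LOG = """\
10-Mar-2024 02:14:07.112 xfer-out: info: client 192.0.2.10#51522 (example.com): transfer of 'example.com/IN': AXFR started
10-Mar-2024 02:14:07.140 xfer-out: info: client 192.0.2.10#51522 (example.com): transfer of 'example.com/IN': AXFR ended
10-Mar-2024 03:41:55.901 xfer-out: info: client 203.0.113.77#40011 (example.com): transfer of 'example.com/IN': AXFR started
10-Mar-2024 03:41:55.930 xfer-out: info: client 203.0.113.77#40011 (example.com): transfer of 'example.com/IN': AXFR ended
10-Mar-2024 04:00:00.005 xfer-out: info: client 192.0.2.11#33020 (example.com): transfer of 'example.com/IN': IXFR started
10-Mar-2024 04:05:12.771 xfer-out: info: client 198.51.100.9#5353 (internal.example.com): transfer of 'internal.example.com/IN': AXFR started
"""

# Assumed: the only hosts that should ever pull a copy of our zones.
ALLOWED_SECONDARIES = {"192.0.2.10", "192.0.2.11"}

XFER_RE = re.compile(
    r"^(?P<ts>\S+ \S+) xfer-out: \w+: client (?P<ip>[0-9a-fA-F.:]+)#\d+ "
    r"\((?P<zone>[^)]+)\): transfer of '[^']+': (?P<kind>AXFR|IXFR) started$"
)


def parse_transfers(log_text: str):
    """Yield (timestamp, client_ip, zone, kind) for every transfer start."""
    for line in log_text.splitlines():
        m = XFER_RE.match(line)
        if m:
            yield m.group("ts"), m.group("ip"), m.group("zone"), m.group("kind")


def unauthorized_transfers(log_text: str, allowed=ALLOWED_SECONDARIES) -> list:
    """Transfer starts whose client is not a known secondary."""
    return [t for t in parse_transfers(log_text) if t[1] not in allowed]


def summarize(log_text: str, allowed=ALLOWED_SECONDARIES) -> dict:
    """Per-client transfer counts, split into allowed and unauthorized."""
    report = {"allowed": {}, "unauthorized": {}}
    for _ts, ip, _zone, _kind in parse_transfers(log_text):
        bucket = "allowed" if ip in allowed else "unauthorized"
        report[bucket][ip] = report[bucket].get(ip, 0) + 1
    return report


if __name__ == "__main__":
    for ts, ip, zone, kind in unauthorized_transfers(SAMPLE_LOG):
        print(f"ALERT {ts}: {kind} of {zone} by {ip} (not a known secondary)")
    print(summarize(SAMPLE_LOG))
```

Every alert this produces is a zone that has already been copied out; the log is the detective control, and the allow-transfer ACL on the server is the preventive one.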

Your organization wants you to set up a wireless router so that only certain wireless clients can access the wireless network. Which of the following is the best solution? A. Disable the SSID broadcast. B. Enable 802.11n only. C. Configure AP isolation. D. Implement MAC filtering.

Answer D is correct. MAC filtering lets you specify which MAC addresses are allowed to associate with the wireless AP, and by extension reach the rest of the wireless network. It is the best of the listed options, but it is a weak control on its own: MAC addresses are visible to anyone sniffing the air and are trivially spoofed, so pair it with WPA2/WPA3 and, where possible, 802.1X authentication. Disabling the SSID broadcast will stop new wireless clients from discovering the network (unless they know the SSID and enter it manually), but it does not restrict who may connect. Enabling 802.11n only will allow connections by 802.11n clients only, but won't let you pick and choose particular wireless clients. AP isolation separates the wireless clients from one another; it does not control which clients may join.

What is the best reason for security researchers to use virtual machines? A. To offer an environment where network applications can be tested B. To offer an environment where they can discuss security research C. To offer a secure virtual environment where they can conduct online deployments D. To offer an environment where malware might be executed but with minimal risk to equipment

Answer D is correct. The best reason why security researchers use virtual machines is to offer an environment whereby malware might be executed but with minimal risk to the equipment. The virtual machine is isolated from the actual operating system, and the virtual machine can simply be deleted if it is affected by viruses or other types of malware. Although the other answers are possible reasons why a security researcher would use a virtual machine, the best answer is that it offers the isolated environment where a malicious activity can occur but be easily controlled and monitored.

Robert has been asked to make sure that a server is highly available. He must ensure that hard drive failure will not affect the server. Which of the following methods allows for this? Each correct answer represents a complete solution. Choose all that apply. A. Load balancing B. Hardware RAID 5 C. Software RAID 0 D. True clustering E. Software RAID 1

Answers B and E are correct. RAID 1 (mirroring) and RAID 5 (striping with parity) are both fault-tolerant methods that will allow for high availability and ensure that hard drive failure will not affect the server. True clustering is when multiple computers' resources are used together to create a faster, more efficient system; it often uses load balancing to accomplish this. However, true clustering does not necessarily allow for fault tolerance of data. RAID 0 (striping) is not fault tolerant because there is no parity information.

Which of the following are PII that are used in conjunction with each other? Choose all that apply. A. Marital status B. Pet's name C. Birthday D. Full name E. Favorite food

Answers C and D are correct. PII stands for personally identifiable information. Of the answer choices listed, the two used in conjunction the most often to identify a person are the person's full name and the person's birthday. The other answers are secondary information that won't identify the person nearly as well.

Sherry must prevent users from accessing the network after 6 p.m. She must also prevent them from accessing the accounting department's shares at all times. Which of the following should Sherry implement? Choose two choices. A. Job rotation B. MAC C. Access control lists D. Single sign-on E. Time-of-day restrictions

Answers C and E are correct. To prevent users from accessing the network after 6 p.m., Sherry should implement time-of-day restrictions. If these restrictions are configured properly, the users will not be able to log in except during the hours Sherry allows. To prevent the users from accessing the accounting department shares, she should set up access control lists. In most operating systems these access control lists (or ACLs) are expressed as rights or permissions on the share and its folders. Single sign-on is when a user supplies one set of credentials and can then access multiple systems or networks. MAC is mandatory access control, in which the system enforces access by labels and clearances rather than by an owner's or administrator's discretion. Job rotation is when staff periodically move between positions, which spreads knowledge and makes long-running fraud harder to hide; it does not control access to a share.
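
The two controls above combined into one access decision, as an added example that is not part of the original page. The group names, share names and the 07:00 to 18:00 logon window are constructed; in a real deployment the logon hours would be set on the account in the directory and the ACL would live on the share itself. What the code shows is the order of checks: the time-of-day gate first, then the resource ACL, with anything not explicitly granted denied.

```python
"""Logon hours plus share ACLs with implicit deny.

Added example; not code from the original page. SHARE_ACL, the group
names and LOGON_HOURS are constructed. access_decision() applies the
time-of-day restriction before the ACL, and share_allowed() denies any
resource that has no entry or no overlapping group.
"""
from datetime import datetime, time

# Assumed resource -> groups allowed to use it. Absent resources are denied.
SHARE_ACL = {
    "\\\\fileserver\\accounting": {"accounting", "finance-managers"},
    "\\\\fileserver\\public": {"domain-users"},
}
LOGON_HOURS = (time(7, 0), time(18, 0))     # half-open window [07:00, 18:00)


def logon_allowed(now: datetime, hours=LOGON_HOURS) -> bool:
    """Time-of-day restriction: the account may log on only inside the window."""
    start, end = hours
    return start <= now.time() < end


def share_allowed(groups, share: str, acl=SHARE_ACL) -> bool:
    """Implicit deny: no ACL entry, or no overlapping group, means no access."""
    return bool(acl.get(share, set()) & set(groups))


def access_decision(user: str, groups, share: str, now: datetime,
                    acl=SHARE_ACL, hours=LOGON_HOURS) -> str:
    """Evaluate the logon window first, then the share ACL."""
    if not logon_allowed(now, hours):
        return f"deny {user}: outside logon hours"
    if not share_allowed(groups, share, acl):
        return f"deny {user}: no ACL entry for {share}"
    return f"allow {user}: {share}"


def decide_at(user: str, groups, share: str, when_iso: str) -> str:
    """Same decision with the time given as an ISO 8601 string."""
    return access_decision(user, groups, share, datetime.fromisoformat(when_iso))


if __name__ == "__main__":
    acct = "\\\\fileserver\\accounting"
    print(decide_at("bob", ["domain-users"], acct, "2024-03-11T09:30:00"))
    print(decide_at("carol", ["domain-users", "accounting"], acct, "2024-03-11T09:30:00"))
    print(decide_at("carol", ["accounting"], acct, "2024-03-11T18:00:00"))
```

Because the window is half-open, 18:00:00 itself is already outside logon hours, which matches "after 6 p.m." without an off-by-one minute.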

One of the users in your organization is attempting to access a secure website. However, the certificate is not recognized by his web browser. Which of the following is the most likely reason? A. Self-signed certificate B. Weak certificate cipher C. No key escrow was implemented D. Intermittent Internet connection

Answer A is correct. A self-signed certificate is one that the website operator created and signed with its own key rather than obtaining from a certificate authority (CA). Because the certificate does not chain to a CA in the browser's trust store, the browser does not recognize it. A weak certificate cipher is usually still recognized, but the browser will display a warning of some sort or perhaps block initial attempts to access the page. Key escrow is when keys are held by a third party in case it needs access to the data. An intermittent Internet connection would either allow access to the page or not and is otherwise unrelated to certificates. Although a page served over TLS may take slightly longer to load than a plain page because of the handshake, that has nothing to do with the certificate being unrecognized.

Which of the following is the most complicated centralized key management scheme? A. Asymmetric B. Symmetric C. Whole disk encryption D. Steganography

Answer A is correct. Asymmetric systems such as PKI (public-key infrastructure) have the most complicated centralized key management scheme: a CA issues certificates, publishes public keys, tracks revocation, and may escrow private keys. Each key pair consists of a private key, which is kept secret, and a public key, which can be distributed freely. Symmetric systems use a single shared secret key for both encryption and decryption, so the management problem is distributing that one key securely rather than running a certificate hierarchy. Whole disk encryption schemes such as BitLocker encrypt the volume with a symmetric cipher (AES) and use a trusted platform module (TPM) to protect the key that unlocks the volume. Steganography is the science of hiding messages within files, and it doesn't use keys.

A security assessment of an existing application has never been made. Which of the following is the best assessment technique to use to identify an application's security posture? A. Baseline reporting B. Threat modeling C. Functional testing D. Protocol analysis

Answer A is correct. Baseline reporting is the best answer for identifying the application's security posture. A Security Posture Assessment (SPA) establishes the baseline security of an application, a system, or a network, provided that the application (or system or network) already exists. By recording that baseline and comparing it with current (and future) results, a security professional can see whether the application is secure and whether it stays that way. Some applications come with built-in baseline reporting tools that show whether a system is compliant and secure. The other three answers do not, by definition, measure the security posture of an application. Functional testing verifies a program by feeding it input and analyzing the output. Threat modeling defines the set of possible attacks that could exploit a vulnerability. Protocol analysis deals with examining packet streams with a sniffer or protocol analyzer.

Which of the following security actions should be completed before a user is given access to the network? A. Identification and authentication B. Authentication and authorization C. Identification and authorization D. Authentication and biometrics

Answer A is correct. Before users are given access to a network, they need to identify themselves in one or more ways and be authenticated via whatever system is in place. After they are given access to the network, they can later be authorized to individual resources. The authentication step cannot be skipped.

Stephen has been instructed to update all three routers' firmware for his organization. Where should he document his work? A. Change management system B. Chain of custody C. Event Viewer D. Router system log

Answer A is correct. Change management is the structured way of making changes to systems and devices. It includes implementation, testing, monitoring, and documentation. Routers will have logs, not necessarily called a system log, that can identify what has happened on the router in the past, but these aren't used to document work done to the router. The Event Viewer contains the log files in Microsoft operating systems. A chain of custody is the chronological documentation of evidence but does not include work done on a regular basis to routers or other equipment.

A user can enter improper input into a new computer program and is able to crash the program. What has your organization's programmer most likely failed to implement? A. Error handling B. Data formatting C. SDLC D. CRC

Answer A is correct. Error handling is the practice of anticipating, detecting, and resolving errors at runtime so that bad input produces a controlled failure rather than a crash. Programs should be thoroughly tested with varied and malformed user input before being deployed in a real environment. A CRC (cyclic redundancy check) is an error-detecting checksum used to catch accidental corruption in data sent across a network; it is not a security control and not a cryptographic hash. SDLC is the systems development life cycle, a process for creating computing systems. Data formatting deals with the type of data in question and how that data is organized.

Which of the following would be installed on a single computer to prevent intrusion? A. Host-based firewall B. Host intrusion detection system C. VPN concentrator D. Network firewall

Answer A is correct. Firewalls are designed to prevent intrusion. To prevent intrusion on a single computer, install a host-based firewall. Another viable option would be to install a host-based intrusion prevention system (HIPS) but not a host-based intrusion detection system (HIDS) because the HIDS will only detect the intrusion, not prevent it. A network firewall prevents intrusion for the entire network, not just a single computer (although it could be used, with added expense). A VPN concentrator is used to enable secure remote connections between hosts and networks.

If you were to deploy your wireless devices inside a TEMPEST-certified building, what could you prevent? A. War-driving B. Bluejacking C. Weak encryption D. Bluesnarfing

Answer A is correct. A TEMPEST-certified building is shielded (Faraday cages, shielded cabling, filtered power and signal lines) so that electromagnetic emissions cannot leave it. Wireless devices deployed inside such a building cannot be detected or reached from outside, which prevents war-driving, the practice of driving around looking for wireless networks to map and access. Bluesnarfing and bluejacking are attacks on Bluetooth-equipped devices. Weak encryption invites war-driving; for example, if an organization used WEP, the wireless access point would be much easier to crack.

You want to curtail users from e-mailing confidential data outside your organization. Which of the following would be the best method? A. Block port 110 on the firewall. B. Prevent the usage of USB flash drives. C. Install a network-based DLP device. D. Implement PGP.

Answer C is correct. A network-based DLP (data loss prevention) device is the best solution listed. It normally sits at the perimeter of the network and can be configured to inspect outbound traffic, including e-mail, for confidential information and block it from leaving. DLP can also be storage-based and endpoint-based, but in this question's scenario the network-based DLP is the best fit. Blocking port 110 on the firewall would block POP3, which clients use to download mail from a server, not to send it; it would not stop outbound e-mail (SMTP on port 25 or 587) and would break mail retrieval for anyone using POP3. Preventing the usage of flash drives would not affect e-mail either way. PGP is used to encrypt and digitally sign e-mails, which is a decent option for keeping data confidential in transit, but it does nothing to keep that confidential data from leaving the network.

A critical system in the server room was never connected to a UPS. The security administrator for your organization has initiated an authorized service interruption of the server to fix the problem. Which of the following best describes this scenario? A. Disaster recovery B. Succession planning C. Fault tolerance D. Continuity of operations

Answer C is correct. Because the security administrator is deliberately interrupting service in a proactive effort to fix the problem, this scenario is best described as fault tolerance. The fact that a UPS is being installed to make the system tolerant of power loss also points to the fault tolerance answer. Succession planning, in its usual sense, means identifying and preparing replacements for key personnel; it does not describe a planned maintenance outage. Continuity of operations and disaster recovery deal with an actual disaster and the planning for recovery from it.

What are recovery point objectives and recovery time objectives related to? A. Risk management B. Single points of failure C. Business impact analysis D. Succession planning

Answer C is correct. Business impact analysis is the examination of critical versus noncritical functions. Each function is assigned two values: a recovery point objective (RPO), the maximum acceptable amount of data loss expressed as time (how far back the last usable backup may be), and a recovery time objective (RTO), the maximum acceptable time to restore the function. Risk management is the identification, assessment, and prioritization of risks. Succession planning identifies and prepares replacements for key personnel (and, by extension, the systems and duties they own) so that critical roles are not lost when someone leaves. A single point of failure is any component of a server or other device whose failure will cause the device to shut down or otherwise stop serving users.

What is the best way to prevent ARP poisoning across a network? A. Log analysis B. Loop protection C. VLAN segregation D. MAC flooding

Answer C is correct. Of the options listed, segregating the network into multiple VLANs limits ARP poisoning, because ARP is a layer 2 protocol and a poisoned reply cannot cross from one VLAN to another; an attacker can still poison hosts within their own VLAN, so this is containment rather than full prevention. Where the switches support it, Dynamic ARP Inspection (built on DHCP snooping) is the direct control, and static ARP entries work for a handful of critical hosts. A MAC flood is an attack in which numerous frames are sent to a switch, each with a different source MAC address, to exhaust its CAM table. Log analysis is used to determine what happened at a specific time on a particular system. Loop protection can be enabled on some switches, which protects against a person connecting both ends of a patch cable to two different ports on a switch.

Which of the following is a type of photo ID that is used by government officials to gain access to secure locations? A. DAC B. RSA tokens C. CAC D. Biometrics

Answer C is correct. CAC (Common Access Card) is a smart card used by the Department of Defense (DoD) to identify military personnel, government employees, and so on. Biometrics is the science of using a human's physical characteristics for identification. DAC is the discretionary access control method. RSA tokens allow for rolling one-time passwords.

Which of the following statements is true about a certificate revocation list? A. It should be kept secret. B. It should be used to sign other keys. C. It should be kept public. D. It must be encrypted.

Answer C is correct. Certificate revocation lists (CRLs) should be published regularly and be publicly reachable so that relying parties can check whether a certificate issued by that CA has been revoked. A secret CRL would defeat its purpose. The CRL is not usually encrypted, but it is digitally signed by the certificate authority (CA) so that it cannot be tampered with. The CRL does not sign keys; the CA does that.

To be proactive, you use your vehicle to take several war-driving routes each month through your company's campus. Recently you have found a large number of unauthorized devices. Which of the following security breaches have you most likely encountered? A. Interference B. IV attack C. Rogue access points D. Bluejacking

Answer C is correct. Chances are that there are rogue APs that need to be named properly and added to a network or disabled altogether. Bluejacking is the sending of unsolicited messages to Bluetooth devices. Interference happens when devices share channels, devices are too close to each other, or multiple technologies share the same frequency spectrum. Interference could be happening in the scenario described, but it is difficult to determine exactly without more information. In addition, interference isn't necessarily an attack. IV attacks are attacks on wireless stream ciphers.

Which of the following reduces the chances of a single point of failure on a server when it fails? A. Cold site B. Virtualization C. Clustering D. RAID

Answer C is correct. Clustering enables a technician to use two or more servers together. In a failover cluster, a failure on the working server will cause that server to be disabled, but the next server in the cluster will then become active, so most single points of failure can be overcome. Virtualization of a server creates an entirely new server in a virtual machine, but it will have the same possibility of a single point of failure as a physical server. RAID (Redundant Array of Inexpensive Disks) reduces the chances of a server's single point of failure by allowing for fault-tolerant disks—but only for disks, and only certain kinds of RAID. If any other points on the server fail, RAID will not be able to recover. A cold site does not have servers ready to go if there is a single point of failure on a particular server. Hot sites could usually recover from these types of issues, but the users might have to physically go to the building, depending on the configuration.

Jennifer has been tasked with configuring multiple computers on the WLAN to use RDP on the same wireless router. Which of the following might be necessary to implement? A. Turn on AP isolation on the wireless router. B. Enable a DMZ for each wireless computer. C. Forward each computer to a different RDP port. D. Turn off port forwarding for each computer.

Answer C is correct. If multiple computers on the WLAN must accept incoming Remote Desktop Protocol (RDP) sessions, you might have to configure the wireless router to forward a different external port to each computer. The standard RDP port is 3389 (historically known as the Terminal Services port). If that port is forwarded on the router, clients on the Internet can initiate RDP sessions into your network, but a given external port can usually be forwarded to only one internal computer. It is therefore necessary to set up additional external port numbers and map each one to a separate computer on the WLAN. Users on the Internet would need to know the special port number that corresponds to the computer they want to reach. Often this is used for remote access by the employee who would otherwise be working at that computer in the office. You would not normally create a DMZ for each computer, and doing so would make it difficult for the computers to communicate with each other. Turning off port forwarding would make the situation worse and would stop any remote connections from flowing through the router. AP isolation would separate the wireless clients from one another and would not help with the goal at hand. Keep in mind that exposing RDP directly to the Internet invites password guessing and exploitation of RDP vulnerabilities; placing the hosts behind a VPN or a Remote Desktop Gateway is the safer design, even though the question asks only about port forwarding.

Your organization has a PKI. Data loss is unacceptable. What method should you implement? A. Web of trust B. CA C. Key escrow D. CRL

Answer C is correct. Key escrow should be implemented if data loss is unacceptable. This is when keys are held in case another party needs access to secured communications. The CRL is the certificate revocation list. A web of trust is a decentralized model used for the management of keys. A CA (certificate authority) is a centralized model used for the management of keys.

What would a password be characterized as? A. Something a user is B. Something a user does C. Something a user knows D. Something a user has

Answer C is correct. Passwords, PINs, and other types of passphrases and codes are characterized as something a user knows. Examples of something a user has include smart cards, tokens, or other ID cards. Examples of something a user is include fingerprints, retina scans, and other biometric information. An example of something a user does could be a signature or a voice pattern.

You analyze the network and see that a lot of data is being transferred on port 22. Which of the following set of protocols is most likely being used? A. SCP and Telnet B. SSL and SFTP C. SCP and SFTP D. FTP and TFTP

Answer C is correct. SCP (Secure Copy) and SFTP (Secure FTP) both rely on SSH, which uses port 22. SSL uses port 443. Telnet uses port 23. FTP uses port 21, and TFTP uses port 69.

Why would a system administrator have both a user-level account and an administrator-level account? A. To prevent password sharing B. To prevent loss of access through implicit deny C. To prevent privilege escalation D. To prevent admin account lockout

Answer C is correct. Some organizations that use User Account Control (UAC) might employ a policy in which all administrators are expected to log on with their standard user account. With UAC enabled, the "administrator" will not be able to accomplish administrative tasks without typing an administrator-level account username and password at the UAC prompt. It's really UAC that is used to prevent privilege escalation for all users. Administrator account lockout might occur if the admin types the logon incorrectly more than a set number of times (for example, 3). UAC cannot prevent this and, in fact, does the reverse by requiring the password of an administrator. Password sharing is something that users might do that can be completely outside the system; a company should have written policies advising against this. An implicit deny would mean that users, by default, do not have access. This is not the case: users can gain access if they have the appropriate permissions and know the correct username and password.

Which of the following describes hiding data within other files? A. Encryption B. Digital signatures C. Steganography D. PKI

Answer C is correct. Steganography is the art and science of hiding messages within other messages or elsewhere. It is a form of security through obscurity. PKI is the public-key infrastructure that deals with encryption, which is the modification of data so that it cannot be read. Digital signatures are used for integrity and non-repudiation.

You need to control access to a network through a Cisco router. Which of the following authentication services should you use? A. Telnet B. SNMP C. TACACS+ D. SSH

Answer C is correct. TACACS+ is commonly used to control access to networks through Cisco routers. SSH is used primarily to remotely configure Linux/Unix hosts as well as routers but is not used for the actual authentication to the networks that the routers control. Telnet was used to administer network devices, but it is not the best answer because it is not an authentication protocol, and it is insecure and outdated. SNMP is used to monitor network devices and hosts.

One of the users in your organization informs you that her 802.11n network adapter is connecting and disconnecting to and from an access point that was recently installed. The user has Bluetooth enabled on the laptop. A neighboring company had its wireless network compromised last week. Which of the following is the most likely cause of the disconnections? A. A Bluetooth device is interfering with the user's laptop. B. The attacker that compromised the neighboring company is running a war-driving attack. C. The new access point was not properly configured and is interfering with another access point. D. An attacker in your organization is attempting a bluejacking attack.

Answer C is correct. The most likely cause is that the new access point the laptop is connecting to was not configured properly. Perhaps the antennas were not set to a high enough power level, or the placement of the AP is not close enough to the laptop. Less likely is the possibility that an attacker is running a war-driving attack against your network. It is possible that a Bluetooth device is causing interference (because both share the 2.4-GHz spectrum), but it is also less likely. A bluejacking attack (if successful) would probably not affect the ability of an 802.11n network adapter to connect with an access point.

Tom is getting reports from several users that they are unable to download specific items from particular websites, although they can access other pages of those websites. Also, they can download information from other websites just fine. Tom's IPS is also sending him alarms about possible malicious traffic on the network. What is the most likely cause why the users cannot download the information they want? A. The NIDS is blocking web activity from those specific websites. B. The firewall is blocking web activity. C. The router is blocking web activity. D. The NIPS is blocking web activity from those specific websites.

Answer D is correct. The most likely answer is that the network intrusion prevention system (NIPS) is blocking the specific traffic because it has detected that particular downloads could be malicious. A NIDS would only detect this and send alarms to Tom; it would not prevent the traffic. The firewall will usually block entire websites from being accessed, not just prevent specific downloads. The router will not block web activity, although it could block access to particular IP addresses. However, if this were the case, the users would not be able to access the website in question.

Your boss asks you to implement multifactor authentication. Which of the following should you use? A. Common Access Card B. Username and password C. ACL entry and password D. Pin number and smart card

Answer D is correct. The only answer choice listed that has two factors of authentication is PIN and smart card (something the user knows plus something the user has). Username and password is a single type of authentication. Common Access Card (CAC) is a type of photo ID/authentication card used by the DoD. An ACL entry is not a type of authentication but a way of defining whether a person is authorized to access network resources.

You are tasked with implementing an access point to gain more wireless coverage. What should you look at first? A. Encryption type B. Radio frequency C. SSID D. Power levels

Answer D is correct. The power levels will dictate how far an access point can transmit its signal. For more coverage, increase the power levels, but be careful not to go beyond your organization's work area, or other neighboring entities might try to compromise your network. The SSID (service set identifier) is the name of the wireless network. The radio frequency used could possibly increase coverage (for example, if you change from 802.11b to 802.11n), but that is not the first option you should consider. The encryption type will not have an effect on the coverage area.

You have identified a security threat on a server, but you have decided not to exploit it. What method have you implemented? A. NIDS B. Risk mitigation C. Penetration test D. Vulnerability scan

Answer D is correct. Vulnerability scans will identify threats but not exploit them the way a penetration test might. Nothing has been mitigated in this scenario, only identified. A NIDS (network intrusion detection system) will detect malicious traffic on the network but will not find security threats on a server.

The security company you work for has been contracted to discern the security level of a software application. The company building the application has given you the login details, production documentation, a test environment, and the source code. Which of the following testing types has been offered to you? A. Gray box B. Red teaming C. Black box D. White box

Answer D is correct. White box testing is when you are given as many details as possible about the application you are about to test. White box testing tests the internal workings of an application. Black box testing tests the functionality of an application without any real specific knowledge of the application. Gray box testing is when the owners of the application give you partial internal knowledge of the application to be tested. A red team is a group of penetration testers that assesses the security of an organization as opposed to an individual application.

Why is fiber-optic cable considered to be more secure than Category 6 twisted-pair cable? Each correct answer represents a complete solution. Choose two. A. It is hard to tap. B. It is not susceptible to interference. C. It is more difficult to install. D. It is made of glass instead of copper.

Answers A and B are correct. Fiber-optic cable is difficult to tap into because it does not emanate a signal the way a twisted-pair cable would. More advanced tools are necessary to tap a fiber-optic cable as compared to a twisted-pair cable. Fiber-optic cable is not susceptible to interference because it does not carry electricity and is not copper-based. Fiber-optic cable does indeed have a glass core, but it is safer than twisted-pair cable because it does not use electricity and is not susceptible to interference, not because of the glass itself. Fiber-optic cable generally is more difficult to install than twisted-pair cable, but that does not make it more secure.

You have been asked to set up a web server that will service regular HTTP requests as well as HTTP Secure requests. Which of the following ports would you use by default? A. 443 B. 135 C. 80 D. 25 E. 21 F. 445

Answers A and C are correct. The default port for HTTP requests is port 80. The default port for HTTP Secure (HTTPS) requests is port 443. Port 21 is FTP. Port 25 is SMTP. Port 135 is known as the DCE endpoint mapper port or RPC (Remote Procedure Call); it is a DCOM-related port that is used to remotely manage services and is generally considered insecure. Port 445 is the Server Message Block (SMB) port that deals with Microsoft directory services.

What are two reasons to use a digital signature? A. Non-repudiation B. Availability C. Confidentiality D. Integrity E. Encryption

Answers A and D are correct. A valid digital signature assures the recipient that the message was created by the sender and was not altered in transit, thereby validating the integrity of the message. Also, a sender cannot claim that he didn't send the message; this is an example of non-repudiation. Digital signatures do not affect the confidentiality or availability of a message. However, encryption will increase the confidentiality of a message.

What are the best reasons to use an HSM? Choose two. A. To generate keys B. To transfer keys to the hard drive C. To recover keys D. To store keys E. For a CRL

Answers A and D are correct. An HSM (hardware security module) is a device that manages digital keys for cryptography. It allows for onboard secure storage of data and is used to generate and store keys. Key recovery and the transferring of keys is done by other methods. Although an HSM can be used in conjunction with a PKI, it does not have the option of storing a CRL.

What are the three main goals of information security? A. Integrity B. Non-repudiation C. Confidentiality D. Risk assessment E. Availability F. Auditing

Answers A, C, and E are correct. Confidentiality, integrity, and availability (known as CIA or the CIA triad) are the three main goals of information security. Another goal within information security is accountability. While auditing, non-repudiation, and risk assessment are all important security concepts, they are not part of the CIA triad.
