Intro to Cybersecurity - Final Exam Study Guide

When Mike receives the message that David encrypted for him, what key should he use to decrypt the message? A. David's Public key B. David's Private key C. Mike's Public key D. Mike's Private key

D. In an asymmetric encryption algorithm, the recipient of a message uses their own private key to decrypt messages that they receive.

Edward Snowden was a government contractor who disclosed sensitive government documents to journalists to uncover what he believed were unethical activities. Which two of the following terms best describe Snowden's activities? (Choose two.) A. Insider B. State Actor C. Hacktivist D. APT E. Organized Crime

A, C. As a government contractor, Snowden had authorized access to classified information and exploited this access to make an unauthorized disclosure of that information. This clearly makes him fit into the category of an insider. He did so with political motivations, making him fit the category of hacktivist as well.

Sally is working to restore her organization's operations after a disaster took her datacenter offline. What critical document should she refer to as she restarts systems? A. The restoration order documentation B. The TOTP documentation C. The HOTP documentation D. The last-known good configuration documentation

A. A documented restoration order helps ensure that systems and services that have dependencies start in the right order and that high-priority or mission-critical services are restored first. TOTP and HOTP are types of one-time password technology, and last-known good configurations are often preserved with a snapshot or other technology that can allow a system to return to a known good status after an issue such as a bad patch or configuration change.

Tara recently analyzed the results of a vulnerability scan report and found that a vulnerability reported by the scanner did not exist because the system was actually patched as specified. What type of error occurred? A. False positive B. False negative C. True positive D. True negative

A. A false positive error occurs when the vulnerability scanner reports a vulnerability that does not actually exist.

Which one of the following attackers is most likely to be associated with an APT? A. Nation-state actor B. Hacktivist C. Script Kiddie D. Insider

A. Advanced persistent threats (APTs) are most commonly associated with nation-state actors. It is unlikely that an APT group would leverage the unsophisticated services of a script kiddie. It is also unlikely that a hacktivist would have access to APT resources. Although APTs may take advantage of insider access, they are most commonly associated with nation-state actors.

What compliance regulation most directly affects the operations of a healthcare provider? A. HIPAA B. PCI DSS C. GLBA D. SOX

A. Although a health-care provider may be impacted by any of these regulations, the Health Insurance Portability and Accountability Act (HIPAA) provides direct regulations for the security and privacy of protected health information and would have the most direct impact on a health-care provider.

Kolin is a penetration tester who works for a cybersecurity company. His firm was hired to conduct a penetration test against a health-care system, and Kolin is working to gain access to the systems belonging to a hospital in that system. What term best describes Kolin's work? A. White Hat B. Gray Hat C. Green Hat D. Black Hat

A. Attacks that are conducted as part of an authorized penetration test are white-hat hacking attacks, regardless of whether they are conducted by internal employees or an external firm. Kolin is, therefore, engaged in white-hat hacking. If he were acting on his own, without authorization, his status would depend on his intent. If he had manicous intent, his activity would be considered black-hat hacking. If he simply intended to report vulnerabilities to the hospital, his attack would be considered gray hat. Green hat is not a commonly used category of attacker.

Henry wants to use an open source forensic suite. Which of the following tools should he select? A. Autopsy B. EnCase C. FTK D. WinHex

A. Autopsy is the only open source forensic suite on this list. Both EnCase and FTK are commercial tools, and WinHex is also a commercial tool but isn't a forensic suite.

Which of the following threat actors typically has the greatest access to resources? A. Nation-state Actors B. Organized Crime C. Hacktivist D. Insider Threats

A. Nation-state actors are government sponsored, and they typically have the greatest access to resources, including tools, money, and talent.

Tina is tuning her organization's intrusion prevention system to prevent false positive alerts. What type of control is Tina implementing? A. Technical Control B. Physical Control C. Managerial Control D. Operational Control

A. Technical controls enforce confidentiality, integrity, and availability in the digital space. Examples of technical security controls include firewall rules, access control lists, intrusion prevention systems, and encryption.

Naomi is preparing to migrate her organization to a cloud service and wants to ensure that she has the appropriate contractual language in place. Which of the following is not a common item she should include? A. Right-to-audit clauses B. Right to forensic examination C. Choice of jurisdiction D. Data breach notification timeframe

B. Contracts commonly include right to audit, choice of jurisdiction, and data breach notification timeframe clauses, but a right to forensically examine a vendor's systems or devices is rarely included. Naomi may want to ask about their incident response process and for examples of previous breach notification and incident documentation shared with customers instead.

What term best describes data that is being sent between two systems over a network connection? A. Data at rest B. Data in motion C. Data in processing D. Data in use

B. Data being sent over a network is data in motion. Data at rest is stored data that resides on hard drives, tapes, in the cloud, or on other storage media. Data in processing, or data in use, is data that is actively in use by a computer system.

What term is given to an individual or organization who determines the reasons for processing personal information? A. Data steward B. Data controller C. Data processor D. Data custodian

B. Data controllers are the entities who determine the reasons for processing personal information and direct the methods of processing that data. This term is used primarily in European law, and it serves as a substitute for the term data owner to avoid a presumption that anyone who collects data has an ownership interest in that data.

Ben searches through an organization's trash looking for sensitive documents, internal notes, and other useful information. What term describes this type of activity? A. Waste engineering B. Dumpster diving C. Trash pharming D. Dumpster harvesting

B. Dumpster diving is a broad term used to describe going through trash to find useful information, often as part of a penetration test or by attackers looking for information about an organization. As you may have guessed, the other answers were made up.

Which of the following is not a common constraint of an embedded system? A. Compute B. Form factor C. Network D. Authentication

B. Embedded systems are available in a broad range of physical form factors, allowing them to be placed in many different types of systems and devices. Common constraints for embedded systems as described by the Security+ exam outline include power, compute, network, crypto, inability to patch, authentication, range, cost, and implied trust.

Melissa wants to capture network traffic for forensic purposes. What tool should she use to capture it? A. A forensic suite B. Wireshark C. dd D. WinHex

B. Even though Wireshark is not a dedicated network forensic tool, since network traffic is ephemeral, capturing it with a packet sniffer like Wireshark is Melissa's best option. Forensic suites are useful for analyzing captured images, not capturing network traffic, and dd and WinHex are both useful for packet capture, but not for network traffic analysis.

Laura wants to deploy a WPA2 secured wireless for her small business, but she doesn't have a RADIUS server set up. If she wants her Wi-Fi to be encrypted, what is her best option for wireless authentication? A. EAP B. PSK C. EAP-TLS D. Open Wi-Fi with a captive portal

B. In small business and home environments, preshared keys (PSKs) allow encryption without enterprise authentication and a RADIUS server. Both EAP and EAP-TLS are used in enterprise authentication environments, and open Wi-Fi doesn't use encryption.

Naomi receives a report of smishing. What type of attack should she be looking for? A. Compressed files in phishing B. Text message-based phishing C. Voicemail-based phishing D. Server-based phishing

B. Smishing is a type of phishing that occurs via text (SMS) message.

Kevin recently identified a new security vulnerability and computed its CVSS base score as 6.5. Which risk category would this vulnerability fall into? A. Low B. Medium C. High D. Critical

B. Vulnerabilities with CVSS base scores between 4.0 and 6.9 fit into the medium risk category.

Amanda is assessing a vehicle's internal network. What type of bus is she most likely to discover connecting its internal sensors and controllers? A. Narrowband bus B. A Zigbee bus C. A CAN bus D. An SoC bus

C. A controller area network (CAN) is a vehicle-specific standard designed to allow microcontrollers, sensors, and other components of the vehicle to communicate. Zigbee, a wireless protocol used for home automation and similar short-ranged purposes, would be poorly suited to use in vehicles. Narrowband describes a channel, not a bus type, and an SoC bus was made up for this question.

Chris is responding to a security incident that compromised one of his organization's web servers. He believes that the attackers defaced one or more pages on the website. What cybersecurity objective did this attack violate? A. Confidentiality B. Nonrepudiation C. Integrity D. Availability

C. The defacement of a website alters content without authorization and is, therefore, a violation of the integrity objective. The attackers may also have breached the confidentiality or availability of the website, but the scenario does not provide us with enough information to draw those conclusions.

David would like to send Mike a message using an asymmetric encryption algorithm. What key should he use to encrypt the message? A. David's Public key B. David's Private key C. Mike's Public key D. Mike's Private key

C. When encrypting a message using an asymmetric encryption algorithm, the person performing the encryption does so using the recipient's public key.

Which of the following is the best example of a hacktivist group? A. Chinese Military B. U.S. government C. Russian Mafia D. Anonymous

D. The Chinese military and U.S. government are examples of nation-state actors and advanced persistent threats (APTs). The Russian mafia is an example of a criminal syndicate. Anonymous is the world's most prominent hacktivist group.

Elaine wants to securely erase the contents of a tape used for backups in her organization's tape library. What is the fastest secure erase method available to her that will allow the tape to be reused? A. Use a degausser. B. Wipe the tape by writing a random pattern of 1s and 0s to it. C. Incinerate the tape. D. Wipe the tape by writing all 1s or all 0s to it.

A. A degausser is a quick and effective way to erase a tape before it is reused. Wiping a tape by writing 1s, 0s, or a pattern of 1s and 0s to it will typically be a slow operation and is not a common method of destroying data on a tape. Incinerating the tape won't allow it to be reused!

Naomi wants to deploy a tool that can allow her to scale horizontally while also allowing her to patch systems without interfering with traffic to her web servers. What type of technology should she deploy? A. A load balancer B. NIC teaming C. Geographic diversity D. A multipath network

A. A load balancer will fit Naomi's needs perfectly. Load balancers can spread traffic across multiple systems while allowing specific systems to be added or removed from the service pools in use. NIC teaming is used to increase bandwidth or to provide multiple network connections to a system, geographic diversity helps ensure that a single disaster impacting an organization cannot take the organization offline, and a multipath network prevents the disruption of a single network path from causing an outage.

Precompiled SQL statements that only require variables to be input are an example of what type of application security control? A. Parameterized queries B. Encoding data C. Input validation D. Appropriate access controls

A. A parameterized query (sometimes called a prepared statement) uses a prebuilt SQL statement to prevent SQL-based attacks. Variables from the application are fed to the query, rather than building a custom query when the application needs data. Encoding data helps to prevent cross-site scripting attacks, as does input validation. Appropriate access controls can prevent access to data that the account or application should not have access to, but they don't use precompiled SQL statements. Stored procedures are an example of a parameterized query implementation.

Bart knows that there are two common connection methods between Wi-Fi devices. Which of the following best describes ad hoc mode? A. Point-to-point B. NFC C. Point-to-multipoint D. RFID

A. Ad hoc networks work without an access point. Instead, devices directly connect to each other in a point-to-point fashion. Infrastructure mode Wi-Fi networks use a point-to-multipoint model.

What type of NAC will provide Isaac with the greatest amount of information about the systems that are connecting while also giving him the most amount of control of systems and their potential impact on other systems that are connected to the network? A. Agent-based, pre-admission NAC B. Agentless, post-admission NAC C. Agent-based NAC, post-admission NAC D. Agent-based, post-admission NAC

A. Agent-based, pre-admission NAC will provide Isaac with the greatest amount of information about a machine and the most control about what connects to the network and what can impact other systems. Since systems will not be connected to the network, even to a quarantine or pre-admission zone, until they have been verified, Isaac will have greater control.

Which one of the following statements about cryptographic keys is incorrect? A. All cryptographic keys should be kept secret B. Longer keys are better than shorter keys when the same algorithm is used. C. Asymmetric algorithms generally use longer keys than symmetric algorithms D. Digital Certificates are designed to share public keys

A. All of these statements are correct except for the statement that all cryptographic keys should be kept secret. The exception to this rule are public keys used in asymmetric cryptography. These keys should be freely shared.

What is the key difference between hashing and checksums? A. Both can validate integrity, but a hash also provides a unique digital fingerprint. B. A hash can be reversed, and a checksum cannot be. C. Checksums provide greater security than hashing. D. Checksums have fewer message collisions than a hash.

A. Although both a checksum and a hash can be used to validate message integrity, a hash has fewer collisions than a checksum and will also provide a unique fingerprint for a file. Checksums are primarily used as a quick means of checking that that integrity is maintained, whereas hashes are used for many other purposes such as secure password validation without retaining the original password. A checksum would not be useful for proving a forensic image was identical, but it could be used to ensure that your work had not changed the contents of the drive.

Amanda notices traffic between her systems and a known malicious host on TCP port 6667. What type of traffic is she most likely detecting? A. Command and control B. A hijacked web browser C. A RAT D. A worm

A. Amanda has most likely discovered a botnet's command-and-control (C&C) channel, and the system or systems she is monitoring are probably using IRC as the C&C channel. A RAT is more likely to use a different control channel, worms spread by attacking vulnerable services, and a hijacked web browser would probably operate on common HTTP or HTTPS ports (80/443).

Michelle wants to ensure that attackers who breach her network security perimeter cannot gain control of the systems that run the industrial processes her organization uses as part of their business. What type of solution is best suited to this? A. An air gap B. A Faraday cage C. A cold aisle D. A screened subnet

A. An air gap is a physical separation of devices. By implementing an air gap, Michelle can ensure that devices cannot be accessed via the network, thus preventing intruders who have breached her network perimeter security from accessing the industrial control systems she is responsible for securing. A Faraday cage stops electromagnetic signals and emissions (EMI), a cold aisle is the air-conditioned aisle in a datacenter where cold air is pulled into systems, and a screened subnet is where systems that deal with untrusted traffic are placed.

What term best describes an organization's desired security state? A. Control Objectives B. Security priorities C. Strategic Goals D. Best Practices

A. As an organization analyzes its risk environment, technical and business leaders determine the level of protection required to preserve the confidentiality, integrity, and availability of their information and systems. They express these requirements by writing the control objectives that the organization wishes to achieve. These control objectives are statements of a desired security state.

Aziz is responsible for the administration of an e-commerce website that generates $100,000 per day in revenue for his firm. The website uses a database that contains sensitive information about the firm's customers. He expects that a compromise of that database would result in $500,000 of fines against his firm. Aziz is assessing the risk of a SQL injection attack against the database where the attacker would steal all of the customer personally identifiable information (PII) from the database. After consulting threat intelligence, he believes that there is a 5 percent chance of a successful attack in any given year. What is the annualized rate of occurrence (ARO)? A. 0.05 B. 0.20 C. 2.00 D. 5.00

A. Aziz's threat intelligence research determined that the threat has a 5 percent likelihood of occurrence each year. This is an ARO of 0.05.

What type of assessment is particularly useful for identifying insider threats? A. Behavioral B. Instinctual C. Habitual D. IOCs

A. Behavioral assessments are very useful when you are attempting to identify insider threats. Since insider threats are often hard to distinguish from normal behavior, the context of the actions performed—such as after-hours logins, misuse of credentials, logins from abnormal locations, or abnormal patterns—and other behavioral indicators are often used.

What type of malware connects to a command-and-control system, allowing attackers to manage, control, and update it remotely? A. A bot B. A drone C. A vampire D. A worm

A. Bots connect to command-and-control systems, allowing them to be updated, controlled, and managed remotely. Worms spread via vulnerabilities, and drones and vampires aren't common terms for malware.

James is concerned about preventing broadcast storms on his network. Which of the following solutions is not a useful method of preventing broadcast storms on his network? A. Disable ARP on all accessible ports B. Enable Spanning Tree Protocol C. Enable loop protect features on switches D. Limit the size of VLANs

A. Broadcast storms occur when broadcast packets are received and retransmitted by switches in a network, amplifying the traffic and causing heavy traffic loads. Spanning Tree Protocol, loop prevention features, and limited VLAN sizes can all reduce the potential for a broadcast storm. Disabling ARP on a network is not a recommended solution for a TCP/IP network.

Ursula would like to link the networks in her on-premises datacenter with cloud VPCs in a secure manner. What technology would help her best achieve this goal? A. Transit gateway B. HSM C. VPC endpoint D. SWG

A. Cloud providers offer VPC endpoints that allow the connection of VPCs to each other using the cloud provider's secure network backbone. Cloud transit gateways extend this model even further, allowing the direct interconnection of cloud VPCs with on-premises VLANs for hybrid cloud operations. Secure web gateways (SWGs) provide a layer of application security for cloud-dependent organizations. Hardware security modules (HSMs) are special purpose computing devices that manage encryption keys and also perform cryptographic operations in a highly efficient manner.

Brian would like to limit the ability of users inside his organization to provision expensive cloud server instances without permission. What type of control would best help him achieve this goal? A. Resource policy B. Security group C. Multifactor authentication D. Secure web gateway

A. Cloud providers offer resource policies that customers may use to limit the actions that users of their accounts may take. Implementing resource policies is a good security practice to limit the damage caused by an accidental command, a compromised account, or a malicious insider.

Tom is a software developer who creates code for sale to the public. He would like to assure his users that the code they receive actually came from him. What technique can he use to best provide this assurance? A. Code signing B. Code endorsement C. Code encryption D. Code obfuscation

A. Code signing provides developers with a way to confirm the authenticity of their code to end users. Developers use a cryptographic function to digitally sign their code with their own private key, and then browsers can use the developer's public key to verify that signature and ensure that the code is legitimate and was not modified by unauthorized individuals.

Hitesh wants to keep a system online but limit the impact of the malware that was found on it while an investigation occurs. What method from the following list should he use? A. Containment B. Isolation C. Segmentation D. Black holing

A. Containment activities focus on preventing further malicious actions or attacks. In this case, Hitesh might opt to prevent the malware from spreading but leave the system online due to a critical need or a desire to preserve memory and other artifacts for investigation. Isolation walls a system or systems off from the rest of the world, whereas segmentation is frequently used before incidents occur to create zones or segments of a network or system with different security levels and purposes.

Kira would like to implement a security control that can implement access restrictions across all of the SaaS solutions used by her organization. What control would best meet her needs? A. Security group B. Resource policy C. CASB D. SWG

A. Controls offered by cloud service providers have the advantage of direct integration with the provider's offerings, often making them cost-effective and user-friendly. Third-party solutions are often more costly, but they bring the advantage of integrating with a variety of cloud providers, facilitating the management of multicloud environments.

Ryan is selecting a new security control to meet his organization's objectives. He would like to use it in their multicloud environment and would like to minimize the administrative work required from his fellow technologists. What approach would best meet his needs? A. Third-party control B. Internally developed control C. Cloud-native control D. Any of the above

A. Controls offered by cloud service providers have the advantage of direct integration with the provider's offerings, often making them cost-effective and user-friendly. Third-party solutions are often more costly, but they bring the advantage of integrating with a variety of cloud providers, facilitating the management of multicloud environments.

Which one of the following would not commonly be available as an IaaS service offering? A. CRM B. Storage C. Networking D. Computing

A. Customer relationship management (CRM) packages offered in the cloud would be classified as software-as-a-service (SaaS), since they are not infrastructure components. Storage, networking, and computing resources are all common IaaS offerings.

What technique is used to ensure that DNSSEC-protected DNS information is trustworthy? A. It is digitally signed. B. It is sent via TLS. C. It is encrypted using AES256. D. It is sent via an IPSec VPN.

A. DNSSEC does not encrypt data but does rely on digital signatures to ensure that DNS information has not been modified and that it is coming from a server that the domain owner trusts. DNSSEC does not protect confidentiality, which is a key thing to remember when discussing it as a security option. TLS, an IPSec VPN, or encryption via AES are all potential solutions to protect the confidentiality of network data.

Amanda wants to securely destroy data held on DVDs. Which of the following options is not a suitable solution for this? A. Degaussing B. Burning C. Pulverizing D. Shredding

A. Degaussing only works on magnetic media, and DVDs are optical media. Amanda could burn, pulverize, or even shred the DVDs to ensure that data is properly destroyed.

Charles wants to find out about security procedures inside his target company, but he doesn't want the people he is talking to realize that he is gathering information about the organization. He engages staff members in casual conversation to get them to talk about the security procedures without noticing that they have done so. What term describes this process in social engineering efforts? A. Elicitation B. Suggestion C. Pharming D. Prepending

A. Elicitation is the process of using casual conversation and subtle direction to gather information without the targets realizing they have disclosed details to that social engineer. Suggestion is not one of the terms used in the Security+ exam outline, pharming redirects traffic to malicious sites, and prepending can include a variety of techniques that add data or terms.

Of the threat vectors listed here, which one is most commonly exploited by attackers who are at a distant location? A. Email B. Direct Access C. Wireless D. Removable Media

A. Email is the most common threat vector exploited by attackers who use phishing and other social engineering tactics to gain access to an organization. The other vectors listed here, direct access, wireless, and removable media, all require physical proximity to an organization and are not easily executed from a remote location.

What term is used to describe tools focused on detecting and responding to suspicious activities occurring on endpoints like desktops, laptops, and mobile devices? A. EDR B. IAM C. FDE D. ESC

A. Endpoint detection and response (EDR) systems provide monitoring, detection, and response capabilities for systems. EDR systems capture data from endpoints and send it to a central repository, where it can be analyzed for issues and indicators of compromise or used for incident response activities. IAM is identity and access management, FDE is full-disk encryption, and ESC is not a commonly used security acronym.

Michael wants to acquire the firmware from a running device for analysis. What method is most likely to succeed? A. Use forensic memory acquisition techniques. B. Use disk forensic acquisition techniques. C. Remove the firmware chip from the system. D. Shut down the system and boot to the firmware to copy it to a removable device.

A. Firmware can be challenging to access, but both memory forensic techniques and direct hardware interface access are viable means in some cases. Firmware is not typically stored on the disk and instead is stored in a BIOS or UEFI chip. Removing the chip from the system will leave it unable to run and thus this is not a preferred method. Also, many chips are not removable. Shutting down the device and booting it to the firmware does not provide a means of copying the firmware for most devices. Although the firmware is likely to allow updates, most do not allow downloads or copying.

What type of security solution provides a hardware platform for the storage and management of encryption keys? A. HISM B. IPS C. SIEM D. SOAR

A. Hardware security modules (HSMs) provide an effective way to manage encryption keys. These hardware devices store and manage encryption keys in a secure manner that prevents humans from ever needing to work directly with the keys.

During a web application test, Ben discovers that the application shows SQL code as part of an error provided to application users. What should he note in his report? A. Improper error handling B. Code exposure C. SQL injection D. A default configuration issue

A. Improper error handling often exposes data to users and possibly attackers that should not be exposed. In this case, knowing what SQL code is used inside the application can provide an attacker with details they can use to conduct further attacks. Code exposure is not one of the vulnerabilities we discuss in this book, and SQL code being exposed does not necessarily mean that SQL injection is possible. While this could be caused by a default configuration issue, there is nothing in the question to point to that problem.

What type of attack places an attacker in the position to eavesdrop on communications between a user and a web server? A. Man-in-the-middle B. Session hijacking C. Buffer overflow D. Meet-in-the-middle

A. In a man-in-the-middle attack, the attacker fools the user into thinking that the attacker is actually the target website and presenting a fake authentication form. They may then authenticate to the website on the user's behalf and obtain the cookie. This is slightly different from a session hijacking attack, where the attacker steals the cookie associated with an active session.

Helen's organization maintains medical records on behalf of its customers, who are individual physicians. What term best describes the role of Helen's organization? A. Data processor B. Data controller C. Data owner D. Data steward

A. In this case, the physicians maintain the data ownership role. They have chosen to outsource data processing to Helen's organization, making that organization a data processor.

Jim configures a Windows machine with the built-in BitLocker full disk encryption tool. When is the machine least vulnerable to having data stolen from it? A. When the machine is off B. When the machine is booted and logged in but is locked C. When the machine is booted and logged in but is unlocked D. When the machine is booted and logged in but is asleep

A. Jim knows that once a BitLocker-enabled machine is booted, the drive is unlocked and could be accessed. He would be least worried if the machine were off and was stolen, or if the drive itself were stolen from the machine, since the data would not be accessible in either of those cases.

During a penetration test, Patrick deploys a toolkit on a compromised system and uses it to gain access to other systems on the same network. What term best describes this activity? A. Lateral movement B. Privilege escalation C. Footprinting D. OSINT

A. Moving from one compromised system to other systems on the same network is known as lateral movement. Privilege escalation attacks increase the level of access that an attacker has to an already compromised system. Footprinting and OSINT are reconnaissance techniques.

Elaine wants to implement an AAA system. Which of the following is an AAA system she could implement? A. RADIUS B. SAML C. OAuth D. LDAP

A. Of all the listed options, only RADIUS is an authentication, authorization, and accounting service.

Kevin is participating in a security exercise for his organization. His role in the exercise is to use hacking techniques to attempt to gain access to the organization's systems. What role is Kevin playing in this exercise? A. Red team B. Blue team C. Purple team D. White team

A. Offensive hacking is used by red teams as they attempt to gain access to systems on the target network. Blue teams are responsible for managing the organization's defenses. White teams serve as the neutral moderators of the exercise. Purple teaming is conducted after an exercise to bring together the red and blue teams for knowledge sharing.

Which of the following is not a typical reason to use an IP addressing schema in an enterprise? A. Avoiding use of other organizations' IP addresses B. Avoiding IP address exhaustion in a subnet C. Asset and system inventory D. Consistency of practice with gateway and other IP addresses

A. Organizations should use IP addresses that are specifically allocated to the organization or that are RFC 1918 addresses that are non-Internet routable. That means that an addressing scheme should not be necessary to avoid using another organization's IP addresses. IP address schemas are commonly used to avoid IP address exhaustion when working in a subnet. The same tracking means that they are helpful when conducting asset and system inventory, since they help match a device on the network to a known physical system. Finally, consistently using the same IP address for default gateways and other common network components means that support staff do not have to learn unique configurations in each location or network.

Which one of the following statements is not true about compensating controls under PCI DSS? A. Controls used to fulfill one PCI DSS requirement may be used to compensate for the absence of a control needed to meet another requirement B. Controls must meet the intent of the original requirement C. Controls must meet the rigor of the original requirement D. Compensating Controls must provide a similar level of defense as the original requirement.

A. PCI DSS compensating controls must be "above and beyond" other PCI DSS requirements. This specifically bans the use of a control used to meet one requirement as a compensating control for another requirement.

Which one of the following statements is not true about compensating controls under PCI DSS? A. Controls used to fulfill one PCI DSS requirement may be used to compensate for the absence of a control needed to meet another requirement. B. Controls must meet the intent of the original requirement. C. Controls must meet the rigor of the original requirement. D. Compensating controls must provide a similar level of defense as the original requirement.

A. PCI DSS compensating controls must be "above and beyond" other PCI DSS requirements. This specifically bans the use of a control used to meet one requirement as a compensating control for another requirement.

A PIN is an example of what type of factor? A. Something you know B. Something you are C. Something you have D. Something you set

A. PINs and passwords are both examples of something you know. Something you set is not a type of factor. Biometric factors are an example of something you are, and a physical USB token would be a common example of something you have.

Which of the following technologies is the least effective means of preventing shared accounts? A. Password complexity requirements B. Requiring biometric authentication C. Requiring one-time passwords via a token D. Requiring a one-time password via an application

A. Password complexity requirements do not prevent sharing of complex passwords, making it the least effective option from the list. Biometric authentication measures will require the enrolled user to be there, although in some cases such as fingerprint systems, multiple users could each enroll a valid fingerprint for a single account. Both types of one-time passwords could be shared but make it harder and less convenient to share accounts.

Which one of the following servers is almost always an offline CA in a large PKI deployment? A. Root CA B. Intermediate CA C. RA D. Internal CA

A. Root CAs are highly protected and not normally used for certificate issuance. A root CA is usually run as an offline CA that delegates authority to intermediate CAs that run as online CAs.

Brian has deployed a system that monitors sensors and uses that data to manage the power distribution for the power company that he works for. Which of the following terms is commonly used to describe this type of control and monitoring solution? A. SCADA B. AVAD C. SIM D. HVAC

A. SCADA (supervisory control and data acquisition) is a system architecture that combines data acquisition and control devices with communications methods and interfaces to oversee complex industrial and manufacturing processes, just like those used in utilities. A SIM (subscriber identity module) is the small card used to identify cell phones; HVAC stands for heating, ventilation, and air-conditioning; and AVAD was made up for this question.

Alaina suspects that her organization may be targeted by a SPIM attack. What technology is she concerned about? A. Spam over Instant Messaging B. Social Persuasion and Intimidation by Managers C. Social Persuasion by Internet Media D. Spam over Internal Media

A. SPIM is Spam over Internet Messaging (originally "Instant Messenger," but this acronym was updated after IM tools became less common). Alaina will need to consider a variety of messaging tools where external and internal communications could also include spam. The other answers were made up.

Daniel knows that WPA3 has added a method to ensure that brute-force attacks against weak preshared keys are less likely to succeed. What is this technology called? A .SAE B. CCMP C. PSK D. WPS

A. Simultaneous Authentication of Equals (SAE) is used to establish a secure peering environment and to protect session traffic. Since the process requires additional cryptographic steps, it causes brute-force attacks to be much slower and thus less likely to succeed while also providing more security than WPA2's preshared key (PSK) mode. WPS is Wi-Fi Protected Setup, a quick setup capability; CCMP is the encryption mode used for WPA2 networks. WPA3 moves to 128-bit encryption for Personal mode and can support 192-bit encryption in Enterprise mode.

Brian discovers that a user suspected of stealing sensitive information is posting many image files to a message board. What technique might the individual be using to hide sensitive information in those images? A. Steganography B. Homomorphic encryption C. Replay attack D. Birthday attack

A. Steganography is the art of using cryptographic techniques to embed secret messages within another file.

Theresa has implemented a technology that keeps data for personal use separate from data for her company on mobile devices used by members of her staff. What is this concept called? A. Storage segmentation B. Multifactor storage C. Full-device encryption D. Geofencing

A. Storage segmentation is the concept of splitting storage between functions or usage to ensure that information that fits a specific context is not shared or used by applications or services outside of that context. Full-device encryption encrypts the entire device, geofencing is used to determine geographic areas where actions or events may be taken by software, and multi-actor storage was made up for this question.

Which of the following is the best description of tailgating? A. Following someone through a door they just unlocked B. Figuring out how to unlock a secured area C. Sitting close to someone in a meeting D. Stealing information from someone's desk

A. Tailgating is best defined as following someone through a door they just unlocked, thus gaining access to a secured area without presenting credentials or having the key or other access required to open the door. D. Vishing involves combining phishing with Voice over IP. Whaling focuses on targeting important targets for phishing attacks, spoofing is a general term that means faking things, and spooning is not a technical term used for security practices.

Greg believes that an attacker may have installed malicious firmware in a network device before it was provided to his organization by the supplier. What type of threat vector best describes this attack? A. Supply Chain B. Removable Media C. Cloud D. Direct Access

A. Tampering with equipment before it reaches the intended user is an example of a supply chain threat. It is also possible to describe this attack as a direct access attack because it involved physical access to the device, but supply chain is a more relevant answer. You should be prepared to select the best possible choice from several possible correct answers when you take the exam. Security+ questions often use this type of misdirection.

Greg would like to find a reference document that describes how to map cloud security controls to different regulatory standards. What document would best assist with this task? A. CSA CCM B. NIST SP 500-292 C. ISO 27001 D. PCI DSS

A. The Cloud Security Alliance (CSA) Cloud Controls Matrix (CCM) is a reference document designed to help organizations understand the appropriate use of cloud security controls and map those controls to various regulatory standards. NIST SP 500-292 is a reference model for cloud computing and operates at a high level. ISO 27001 is a general standard for cybersecurity, and PCI DSS is a regulatory requirement for organizations involved in processing credit card transactions.

Elle is implementing a VoIP telephony system and wants to use secure protocols. If she has already implemented SIPS, which other protocol is she most likely to use? A. SRTP B. UDP/S C. S/MIME D. SFTP

A. The Secure Real-Time Transfer Protocol is used for media streaming in many VoIP implementations. UDP/S is not an actual protocol, S/MIME is used for email, and SFTP is a replacement for FTP and is not typically associated with VoIP systems.

Nick wants to display the ARP cache for a Windows system. What command should he run to display the cache? A. arp /a B. arp -d C. showarp D. arpcache -show

A. The arp command will show the system's ARP cache using the /a flag on Windows systems. Other flags are /d to delete the cache or a single address if one is supplied, and /s , which will allow you to add an entry. In most cases, security professionals will use the /a flagmost frequently to see what exists in an ARP cache on a system.

When a caller was recently directed to Amanda, who is a junior IT employee at her company, the caller informed her that they were the head of IT for her organization and that she needed to immediately disable the organization's firewall due to an ongoing issue with their e-commerce website. After Amanda made the change, she discovered that the caller was not the head of IT, and that it was actually a penetration tester hired by her company. Which social engineering principle best matches this type of attack? A. Authority B. Consensus C. Scarcity D. Trust

A. The caller relied on their perceived authority to require Amanda to make the change. They likely also used urgency, which isn't mentioned here, but that would cause Amanda to potentially skip the validation or verification processes she would have normally used in a scenario like this. There is no effort to build consensus or establish trust, nor is there a sense of scarcity as described in the scenario.

Ursula recently discovered that a group of developers are sharing information over a messaging tool provided by a cloud vendor but not sanctioned by her organization. What term best describes this use of technology? A. Shadow IT B. System integration C. Vendor management D. Data exfiltration

A. The developers in question are using unapproved technology for business purposes. This is the classic definition of shadow IT. It is possible to describe this as data exfiltration, but there is no indication that the data security has been compromised, so shadow IT is a better description here. Remember, you will often be asked to choose the best answer from multiple correct answers on the exam.

Darren is working with an independent auditor to produce an audit report that he will share with his customers under NDA to demonstrate that he has appropriate security controls in place. The auditor will not be assessing the effectiveness of those controls. What type of audit report should Darren expect? A. SOC 2 Type 1 B. SOC 2 Type 2 C. SOC 3 Type 1 D. SOC 3 Type 2

A. The fact that the auditor will not be assessing the effectiveness of the controls means that this is a Type 1 report, not a Type 2 report. The fact that it will be shared only under NDA means that it is a SOC 2 assessment.

What does an SSL stripping attack look for to perform an on-path attack? A. An unencrypted HTTP connection B. A DNS query that is not protected by DNSSEC C. An unprotected ARP request D. All of the above

A. The original implementation of SSL stripping attacks relied heavily on unencrypted HTTP connections, and the updated version of SSLStrip+ continues to leverage HTTP connections, and then adds the ability to rewrite HTTPS links to HTTP links, allowing it even greater access to unencrypted links. DNSSEC and ARP are not involved in this technique.

If David wishes to digitally sign the message that he is sending Mike, what key would he use to create the digital signature? A. David's Public key B. David's Private key C. Mike's Public key D. Mike's Private key

A. The recipient of a digitally signed message may verify the digital signature by decrypting it with the public key of the individual who signed the message.

Tony is reviewing the status of his organization's defenses against a breach of their file server. He believes that a compromise of the file server could reveal information that would prevent the company from continuing to do business. What term best describes the risk that Tony is considering? A. Strategic B. Reputational C. Financial D. Operational

A. The risk that Tony is contemplating could fit any one of these categories. However, his primary concern is that the company may no longer be able to do business if the risk materializes. This is a strategic risk.

Bonita has discovered that her organization is running a service on TCP port 636. What secure protocol is most likely in use? A. LDAPS B. IMAPS C. SRTP D. SNMPv3

A. The secure version of LDAP runs on TCP port 636. IMAPS runs on 993, SRTP runs on UDP 5004, and SNMPv3 runs on the standard UDP 161 and 162 ports used for all versions of the protocol.

Upon further inspection, Joe finds a series of thousands of requests to the same URL coming from a single IP address. Here are a few examples: http://www.mycompany.com/servicestatus.php?serviceID=1 http://www.mycompany.com/servicestatus.php?serviceID=2 http://www.mycompany.com/servicestatus.php?serviceID=3 http://www.mycompany.com/servicestatus.php?serviceID=4 http://www.mycompany.com/servicestatus.php?serviceID=5 http://www.mycompany.com/servicestatus.php?serviceID=6 What type of vulnerability was the attacker likely trying to exploit? A. Insecure direct object reference B. File upload C. Unvalidated redirect D. Session hijacking

A. The series of thousands of requests incrementing a variable indicate that the attacker was most likely attempting to exploit an insecure direct object reference vulnerability.

Joe is examining the logs for his web server and discovers that a user sent input to a web application that contained the string WAITFOR. What type of attack was the user likely attempting? A. Timing-based SQL injection B. HTML injection C. Cross-site scripting D. Content-based SQL injection

A. The use of the SQL WAITFOR command is a signature characteristic of a timing-based SQL injection attack.

Wanda is responsible for a series of seismic sensors placed at remote locations. These sensors have low-bandwidth connections and she would like to place computing power on the sensors to allow them to preprocess data before it is sent back to the cloud. What term best describes this approach? A. Edge computing B. Client-server computing C. Fog computing D. Thin client computing

A. This approach may be described as client-server computing, but that is a general term that describes many different operating environments. The better term to use here is edge computing, which involves placing compute power at the client to allow it to perform preprocessing before sending data back to the cloud. Fog computing is a related concept that uses IoT gateway devices that are located in close physical proximity to the sensors.

Tony purchases virtual machines from Microsoft Azure and uses them exclusively for use by his organization. What model of cloud computing is this? A. Public cloud B. Private cloud C. Hybrid cloud D. Community cloud

A. This is an example of public cloud computing because Tony is using a public cloud provider, Microsoft Azure. The fact that Tony is limiting access to virtual machines to his own organization is not relevant because the determining factor for the cloud model is whether the underlying infrastructure is shared, not whether virtualized resources are shared.

Lou mounted the sign below on the fence surrounding his organization's datacenter. What control type best describes this control? "BEWARE OF DOG" Sign on fence.... A. Compensating B. Detective C. Physical D. Deterrent

A. This question is a little tricky. The use of an actual guard dog could be considered a deterrent, physical, or detective control. It could even be a compensating control in some circumstances. However, the question asks about the presence of a sign and does not state that an actual dog is used. The sign only has value as a deterrent control. Be careful when facing exam questions like this to read the details of the question.

During a vulnerability scan, Brian discovered that a system on his network contained this vulnerability: What security control, if deployed, would likely have addressed this issue? A. Patch management B. File integrity monitoring C. Intrusion detection D. Threat hunting

A. This vulnerability is corrected by a patch that was released by Microsoft in 2017. A strong patch management program would have identified and remediated the missing patch.

Which one of the following threat research tools is used to visually display information about the location of threat actors? A. Threat Map B. Predictive analysis C. Vulnerability feed D. STIX

A. Threat maps are graphical tools that display information about the geographic locations of attackers and their targets. These tools are most often used as interesting marketing gimmicks, but they can also help identify possible threat sources.

What data minimization technique replaces personal identifiers with unique identifiers that may be cross-referenced with a lookup table? A. Tokenization B. Hashing C. Salting D. Masking

A. Tokenization replaces personal identifiers that might directly reveal an individual's identity with a unique identifier using a lookup table. Hashing uses a cryptographic hash function to replace sensitive identifiers with an irreversible alternative identifier. Salting these values with a random number prior to hashing them makes these hashed values resistant to a type of attack known as a rainbow table attack.

Which one of the following data protection techniques is reversible when conducted properly? A. Tokenization B. Masking C. Hashing D. Shredding

A. Tokenization techniques use a lookup table and are designed to be reversible. Masking and hashing techniques replace the data with values that can't be reversed back to the original data if performed properly. Shredding, when conducted properly, physically destroys data so that it may not be recovered.

Tom's organization recently learned that the vendor is discontinuing support for their customer relationship management (CRM) system. What should concern Tom the most from a security perspective? A. Unavailability of future patches B. Lack of Technical Support C. Theft of customer information D. Increased costs

A. Tom's greatest concern should be that running unsupported software exposes his organization to the risk of new, unpatchable vulnerabilities. It is certainly true that they will no longer receive technical support, but this is a less important issue from a security perspective. There is no indication in the scenario that discontinuing the product will result in the theft of customer information or increased costs.

Which of the following controls helps prevent insider threats? A. Two-person control B. Visitor logs C. Air gaps D. Reception desks and staff

A. Two-person control is specifically intended to prevent insider threats by requiring two individuals to take a given action. Visitor logs help determine who may have been admitted to a facility but would not stop an insider threat. Air gaps protect from network-based attacks, but an insider can bypass the air gap intentionally. Reception staff allow insiders into a facility if they are permitted to enter, which will not stop an insider threat either.

Under the European Union's GDPR, what term is assigned to the individual who leads an organization's privacy efforts? A. Data protection officer B. Data controller C. Data steward D. Data processor

A. Under the GDPR, the data protection officer (DPO) is an individual assigned direct responsibility for carrying out an organization's privacy program.

What type of malware is VBA code most likely to show up in? A. Macro viruses B. RATs C. Worms D. Logic bombs

A. Visual Basic for Applications (VBA) code is most likely to show up in macro viruses. VBA is used inside Microsoft Office as a scripting language.

Selah infects the ads on a website that users from her target company frequently visit with malware as part of her penetration test. What technique has she used? A. A watering hole attack B. Vishing C. Whaling D. Typosquatting

A. Watering hole attacks rely on compromising or infecting a website that targeted users frequently visit, much like animals will visit a common watering hole. Vishing is phishing via voice, whaling is a targeted phishing attack against senior or important staff, and typo squatting registers similar URLs that are likely to be inadvertently entered in order to harvest clicks or conduct malicious activity.

Grace recently completed a risk assessment of her organization's exposure to data breaches and determined that there is a high level of risk related to the loss of sensitive personal information. She is considering a variety of approaches to managing this risk. In the end, Grace found that the insurance policy was too expensive and opted not to purchase it. She is taking no additional action. What risk management strategy is being used in this situation? A. Risk acceptance B. Risk avoidance C. Risk mitigation D. Risk transference

A. When an organization decides to take no further action to address remaining risk, they are choosing a strategy of risk acceptance.

Alyssa wants to use her Android phone to store and manage cryptographic certificates. What type of solution could she choose to do this using secure hardware? A. SEAndroid B. A microSD HSM C. A wireless TPM D. MDM

B. A hardware security module (HSM) in a microSD form factor allows a mobile device like an Android phone to securely store and manage certificates. Alyssa will also need an application to access and use the HSM, but she will have a complete, portable, and secure solution for her PKI needs. SEAndroid allows mandatory access control to be enforced on an Android device. TPMs are connected to systems and are often integrated into the motherboard or added as plug-in module, not a wireless component. MDM is not a secure hardware solution, but it is a software solution for managing mobile devices.

What type of physical security control is shown here? A. A Faraday cage B. An access control vestibule C. A bollard D. An air gap

B. A mantrap uses a pair of doors. When an individual enters, the first door must be closed and secured before the second door can be opened. This helps prevent tailgating, since the person entering will notice anybody following them through the secured area. A Faraday cage is used to stop EMI, a bollard prevents vehicular traffic, and an air gap is a physical separation of networks or devices.

Password complexity, password history, and password reuse are all examples of what? A. Account audits B. Account policies C. Access policies D. Credential attributes

B. Account policies include password complexity requirements; password history to prevent password reuse; and the time of day, geolocation, and similar settings that control elements of an account. Account audits check settings and account status. Access policies determine who can use systems or devices and other related items. Credential attributes is a made-up phrase for this question and the phrase does not appear in the Security+ exam outline.

Madhuri is designing a load-balancing configuration for her company and wants to keep a single node from being overloaded. What type of design will meet this need? A. A daisy chain B. Active/active C. Duck-duck-goose D. Active/passive

B. Active/active designs spread traffic among active nodes, helping to ensure that a single node will not be overwhelmed. Active/passive designs are useful for disaster recovery and business continuity, but they do not directly address heavy load on a single node. There are many load-balancing schemes, but daisy chains and duck, duck, goose are not among them.

Adam is conducting software testing by reviewing the source code of the application. What type of code testing is Adam conducting? A. Mutation testing B. Static code analysis C. Dynamic code analysis D. Fuzzing

B. Adam is conducting static code analysis by reviewing the source code. Dynamic code analysis requires running the program, and both mutation testing and fuzzing are types of dynamic analysis.

What organization is known for creating independent security benchmarks covering hardware and software platforms from many different vendors? A. Microsoft B. Center for Internet Security C. Cloud Security Alliance D. Cisco

B. All of these organizations produce security standards and benchmarks. However, only the Center for Internet Security (CIS) is known for producing independent benchmarks covering a wide variety of software and hardware.

Ken is conducting threat research on Transport Layer Security (TLS) and would like to consult the authoritative reference for the protocol's technical specification. What resource would best meet his needs? A. Academic journal B. Internet RFCs C. Subject matter experts D. Textbooks

B. All of these resources might contain information about the technical details of TLS, but Internet Request for Comments (RFC) documents are the definitive technical standards for Internet protocols. Consulting the RFCs would be Ken's best option.

Grace would like to determine the operating system running on a system that she is targeting in a penetration test. Which one of the following techniques will most directly provide her with this information? A. Port scanning B. Footprinting C. Vulnerability scanning D. Packet capture

B. All of these techniques might provide Grace with information about the operating system running on a device. However, footprinting is a technique specifically designed to elicit this information.

Which of the following measures is not commonly used to assess threat intelligence? A. Timeliness B. Detail C. Accuracy D. Relevance

B. Although higher levels of detail can be useful, they aren't a common measure used to assess threat intelligence. Instead, the timeliness, accuracy, and relevance of the information are considered critical to determining whether you should use the threat information.

Every time Susan checks code into her organization's code repository, it is tested and validated, and then if accepted, it is immediately put into production. What is the term for this? A. Continuous integration B. Continuous delivery C. A security nightmare D. Agile development

B. Although this example includes continuous integration, the key thing to notice is that the code is then deployed into production. This means that Susan is operating in a continuous deployment environment, where code is both continually integrated and deployed. Agile is a development methodology and often uses CI/CD, but we cannot determine if Susan is using Agile.

Michelle wants to prevent unauthorized applications from being installed on a system. What type of tool can she use to allow only permitted applications to be installed? A. A hardening application B. An allow list application C. A deny list application D. A HIPS

B. An allow list application will allow only specific permitted programs to be installed on a system. Deny list applications will prevent specified applications from being installed. Hardening applications are not a specific category of tool, although hardening scripts are in use, and a HIPS is a host intrusion prevention system.

Tonya discovers that an employee is running a side business from his office, using company technology resources. What policy would most likely contain information relevant to this situation? A. NDA B. AUP C. Data ownership D. Data classification

B. An organization's acceptable use policy (AUP) should contain information on what constitutes allowable and unallowable use of company resources. This policy should contain information to help guide Tonya's next steps.

The company that Hui works for has built a device based on an Arduino and wants to standardize its deployment across the entire organization. What type of device has Hui's organization deployed, and where should Hui place her focus on securing it? A. An FPGA, and on network security B. A microcontroller, and on physical security C. A GPU, and on network security D. An ICS, and on physical security

B. Arduinos are a form of microcontroller, and since Arduinos in their default form do not have wired or wireless networking built in, Hui should focus on the physical security of the device.

Brian ran a penetration test against a school's grading system and discovered a flaw that would allow students to alter their grades by exploiting a SQL injection vulnerability. What type of control should he recommend to the school's cybersecurity team to prevent students from engaging in this type of activity? A. Confidentiality B. Integrity C. Alteration D. Availability

B. By allowing students to change their own grades, this vulnerability provides a pathway to unauthorized alteration of information. Brian should recommend that the school deploy integrity controls that prevent unauthorized modifications.

Megan's organization uses the Diamond Model of Intrusion Analysis as part of their incident response process. A user in Megan's organization has discovered a compromised system. What core feature would help her determine how the compromise occurred? A. Adversary B. Capability C. Infrastructure D. Victim

B. Capability analysis is used to determine what an attacker can do and what the tools that are used in the attack may be capable of. Megan should analyze the capability of the adversary and tool, and then consider infrastructure and adversary information to enhance her threat model.

Grace recently completed a risk assessment of her organization's exposure to data breaches and determined that there is a high level of risk related to the loss of sensitive personal information. She is considering a variety of approaches to managing this risk. Grace is considering dropping the customer activities that collect and store sensitive personal information. What risk management strategy would this approach use? A. Risk acceptance B. Risk avoidance C. Risk mitigation D. Risk transference

B. Changing business processes or activities to eliminate a risk is an example of risk avoidance.

Which element of the SCAP framework can be used to consistently describe vulnerabilities? A. CPE B. CVE C. CVSS D. CCE

B. Common Vulnerabilities and Exposures (CVE) provides a standard nomenclature for describing security-related software flaws. Common Configuration Enumeration (CCE) provides a standard nomenclature for discussing system configuration issues. Common Platform Enumeration (CPE) provides a standard nomenclature for describing product names and versions. The Common Vulnerability Scoring System (CVSS) provides a standardized approach for measuring and describing the severity of security-related software flaws.

Which one of the following is not an advantage of database normalization? A. Preventing data inconsistencies B. Preventing injection attacks C. Reducing the need for database restructuring D. Making the database schema more informative

B. Database normalization has four main benefits. Normalized designs prevent data inconsistencies, prevent update anomalies, reduce the need for restructuring existing databases, and make the database schema more informative. They do not prevent web application attacks, such as SQL injection.

Tim is working on a change to a web application used by his organization to fix a known bug. What environment should he be working in? A. Test B. Development C. Staging D. Production

B. Developers working on active changes to code should always work in the development environment. The test environment is where the software or systems can be tested without impacting the production environment. The staging environment is a transition environment for code that has successfully cleared testing and is waiting to be deployed into production. The production environment is the live system. Software, patches, and other changes that have been tested and approved move to production.

Florian wants to ensure that systems on a protected network cannot be attacked via the organization's network. What design technique should he use to ensure this? A. A hot aisle B. An air gap C. A cold aisle D. Protected cable distribution

B. Florian can use an air gapped network. An air gapped network or system is one without a connection to other systems or networks, requiring data and files to be manually copied to it. Hot and cold aisles are used in datacenters as part of airflow and thermal regulation, and protected cable distribution is used to ensure that cables cannot be accessed or tapped without network administrators or security professionals being aware.

Samantha wants to set an account policy that ensures that devices can be used only while the user is in the organization's main facility. What type of account policy should she set? A. Time of day B. Geofencing C. Time-based logins D. Impossible travel time

B. Geofencing sets a geographic boundary that can be used as part of a ruleset. In this case, Samantha should set the ruleset to prevent devices from allowing users to use them when they are outside of the geofenced area. Time-of-day limitations and time-based logins are both related account policies that are used to ensure that users cannot log in when they shouldn't be at work. This can prevent compromised credential reuse and insider threat abuses during off-hours. Finally, impossible travel time is a type of geographic login data usage that maps when logins occur and compares them to the distance between them. If the time is impossible, with a login in China 5 minutes after one in the United States, for example, the login may be reported and stopped.

Michelle has deployed iPads to her staff who work her company's factory floor. She wants to ensure that the devices work only in the factory and that if they are taken home they cannot access business data or services. What type of solution is best suited to her needs? A. Context-aware authentication B. Geofencing C. Geolocation D. Unified endpoint management (UEM)

B. Geofencing will allow Michelle to determine what locations the device should work at. The device will then use geolocation to determine when it has moved and where it is. In this case, the correct answer is therefore geofencing—simply having geolocation capabilities would not provide the solution she needs. Context-aware authentication can help by preventing users from logging in when they aren't in the correct location, but a device that was logged in may not require reauthentication. Finally, UEM, much like mobile device management, can be used to enforce these policies, but the most correct answer is geofencing.

Gurvinder wants to select a mobile device deployment method that provides employees with devices that they can use as though they're personally owned to maximize flexibility and ease of use. Which deployment model should he select? A. CYOD B. COPE C. BYOD D. MOTD

B. Gurvinder's requirements fit the COPE (corporate-owned, personally enabled) mobile device deployment model. Choose your own device (CYOD) allows users to choose a device but then centrally manages it. BYOD allows users to use their own device, rather than have the company provide it, and MOTD means message of the day, not a mobile device deployment scheme.

What is a HSM used for? A. To capture biometric enrollment data B. To generate, manage, and securely store cryptographic keys C. To generate one-time passwords via a time-based code algorithm D. To enable federation between organizations

B. Hardware security modules (HSMs) are used to create, securely store, and manage digital signatures, cryptographic key pairs, and other cryptographic functions. They are not used for biometric enrollment data, to enable federation, or to generate one-time passwords.

Helen designed a new payroll system that she offers to her customers. She hosts the payroll system in AWS and her customers access it through the web. What tier of cloud computing best describes Helen's service? A. PaaS B. SaaS C. FaaS D. IaaS

B. Helen is using IaaS services to create her payroll product. She is then offering that payroll service to her customers as an SaaS solution.

Ian has been receiving hundreds of false positive alerts from his SIEM every night when scheduled jobs run across his datacenter. What should he adjust on his SIEM to reduce the false positive rate? A. Trend analysis B. Sensitivity C. Correlation rules D. Dashboard configuration

B. Ian's first step should be changing the sensitivity for his alerts. Adjusting the alerts to ignore safe or expected events can help reduce false positives. Correlation rules may then need to be adjusted if they are matching unrelated items. Dashboards are used to visualize data, not for alerting, and trend analysis is used to feed dashboards and reports.

Tracy is concerned about attacks against the machine learning algorithm that her organization is using to assess their network. What step should she take to ensure that her baseline data is not tainted? A. She should scan all systems on the network for vulnerabilities and remediate them before using the algorithm. B. She should run the ML algorithm on the network only if she believes it is secure. C. She should disable outbound and inbound network access so that only normal internal traffic is validated. D. She should disable all firewall rules so that all potential traffic can be validated.

B. If Tracy is worried about baselining her network and having tainted data, she needs to ensure that no malicious activity is occurring when she runs the baseline data capture. That way, the machine learning algorithm will only be working with normal traffic patterns and behaviors and can then detect and alert on things that are abnormal.

Selah wants to ensure that malware is completely removed from a system. What should she do to ensure this? A. Run multiple antimalware tools and use them to remove all detections. B. Wipe the drive and reinstall from known good media. C. Use the delete setting in her antimalware software rather than the quarantine setting. D. There is no way to ensure the system is safe and it should be destroyed.

B. In most malware infection scenarios, wiping the drive and reinstalling from known good media is the best option available. If the malware has tools that can infect the system BIOS, even this may not be sufficient, but BIOS-resident malware is relatively uncommon. Multiple antivirus and antimalware tools, even if they are set to delete malware, may still fail against unknown or advanced malware packages. Destroying systems is uncommon and expensive and is unlikely to be acceptable to most organizations as a means of dealing with a malware infection.

Gwen is exploring a customer transaction reporting system and discovers the table shown here. What type of data minimization has most likely been used on this table? Values on the table were expressed like this: **** **** **** 4868 A. Destruction B. Masking C. Tokenization D. Hashing

B. In this case, the first 12 digits of the credit card have been removed and replaced with asterisks. This is an example of data masking.

Which one of the following tools is most likely to detect an XSS vulnerability? A. Static application test B. Web application vulnerability scanner C. Intrusion detection system D. Network vulnerability scanner

B. Intrusion detection systems do not detect vulnerabilities; they detect attacks. The remaining three tools could all possibly discover a cross-site scripting (XSS) vulnerability, but a web application vulnerability scanner is the most likely to detect it because it is specifically designed to test web applications.

Joanna recovers a password file with passwords stored as MD5 hashes. What tool can she use to crack the passwords? A. MD5sum B. John the Ripper C. GPG D. Netcat

B. Joanna needs to use a password cracking tool. Although John the Ripper is a useful password cracking tool, an even faster technique for most passwords with a known hashing scheme would be to use a rainbow table-based password cracker like OphCrack to look up the hashes using a precomputed database of likely passwords. MD5sum is a tool for creating MD5 hashes, not for cracking passwords, GPG is an encryption tool, and netcat is a great network tool with many uses, but password cracking is not one of them!

Charles has implemented LDAP for his organization. What type of service has he enabled? A. A federation B. A directory service C. An attestation service D. A biometric identity provider

B. LDAP, the Lightweight Directory Access Protocol, is an open industry standard for directory services. LDAP is not itself a federation or an attestation service, nor does it provide biometric authentication services.

Wayne is concerned that an on-path attack has been used against computers he is responsible for. What artifact is he most likely to find associated with this attack? A. A compromised router B. A browser plug-in C. A compromised server D. A modified hosts file

B. Man-in-the-browser attacks take advantage of malicious browser plug-ins or proxies to modify traffic at the browser level. They do not involve compromised routers or servers, and a modified hosts file is more likely to be involved in a man-in-the-middle attack.

Mark unplugs the network connection from a system that is part of an incident and places tape over its Ethernet jack with a sign that says "Do not reconnect without approval from IR team." How is this method best described? A. Containment B. Isolation C. Segmentation D. Zoning

B. Mark has isolated the system by removing it from the network and ensuring that it cannot communicate with other systems. Containment would limit the impact of the incident and might leave the system connected but with restricted or protected access. Segmentation moves systems or groups of systems into zones that have similar purposes, data classification, or other restrictions on them.

What major difference is likely to exist between on-premises identity services and those used in a cloud-hosted environment? A. Account policy control will be set to the cloud provider's standards. B. The cloud service will provide account and identity management services. C. Multifactor authentication will not be supported by the cloud vendor. D. None of the above.

B. Most cloud services provide identity and authorization tools for their services. Most, although not all, allow customers to set some or even many of the account policies they will use, and most major vendors support some form of multifactor capability.

Olivia wants to install a host-based security package that can detect attacks against the system coming from the network, but she does not want to take the risk of blocking the attacks since she fears that she might inadvertently block legitimate traffic. What type of tool could she install that will meet this requirement? A. A host firewall B. A host intrusion detection system C. A host intrusion prevention system D. A data loss prevention tool

B. Olivia should install a host-based intrusion detection system. An IDS can detect and report on potential attacks but does not have the ability to stop them. A host-based IPS can be configured to report only on attacks, but it does have the built-in ability to be set up to block them. Firewalls can block known ports, protocols, or applications, but they do not detect attacks—although advanced modern firewalls blur the line between firewalls and other defensive tools. Finally, a data loss prevention tool focuses on preventing data exposures, not on stopping network attacks.

Maria has acquired a disk image from a hard drive using dd, and she wants to ensure that her process is forensically sound. What should her next step be after completing the copy? A. Securely wipe the source drive. B. Compare the hashes of the source and target drive. C. Securely wipe the target drive. D. Update her chain-of-custody document.

B. Once a copy is made, hashes for the original and target drive should be compared to ensure that the copy was successful. After that, the chain-of-custody document can be updated to note that a copy was made and will be tracked as it is analyzed while the original is preserved. Wiping either drive after a copy is not part of the process, although a target drive may be wiped after a case is complete.

Which one of the following software development models focuses on the early and continuous delivery of software? A. Waterfall B. Agile C. Spiral D. Butterfly

B. One of the core principles of the Agile approach to software development is to ensure customer satisfaction via early and continuous delivery of software.

Alaina discovers that someone has set up a website that looks exactly like her organization's banking website. Which of the following terms best describes this sort of attack? A. Phishing B. Pharming C. Typosquatting D. Tailgating

B. Pharming best fits this description. Pharming attacks use web pages that are designed to look like a legitimate site but that attempt to capture information like credentials. Typo squatting relies on slightly incorrect hostnames or URLs, and nothing like that is mentioned in the question. Tailgating is an in-person attack, and phishing is typically done via email or other means to request information, not by setting up a site like this, although some phishing attacks may direct to a pharming website!

Michelle enables the Windows 10 picture password feature to control logins for her laptop. Which type of attribute will it provide? A. Somewhere you are B. Something you can do C. Something you exhibit D. Someone you know

B. Picture password asks users to click on specific, self-defined parts of a picture. This means that clicking on those points is something you can do. Somewhere you are involves a location, something you exhibit is typical of personality traits, and someone you know would involve a third party, which can be useful for verification when someone can't otherwise prove their identity!

What scripting environment is native to Windows systems? A. Python B. PowerShell C. Bash D. CMD

B. PowerShell is a native scripting environment for Windows systems. Although Python and Bash can be installed, they are not automatically part of the operating system. CMD.exe will start the command prompt, but it is not a scripting environment.

Ben wants to analyze Python code that he believes may be malicious code written by an employee of his organization. What can he do to determine if the code is malicious? A. Run a decompiler against it to allow him to read the code. B. Open the file using a text editor to review the code. C. Test the code using an antivirus tool. D. Submit the Python code to a malware testing website.

B. Python is an interpreted rather than a compiled language, so Ben doesn't need to use a decompiler. Instead, his best bet is to open the file and review the code to see what it does. Since it was written by an employee, it is unlikely that it will match an existing known malicious package, which means antivirus and antimalware tools and sites will be useless.

Alex has been handed a flash media device that was quick-formatted and has been asked to recover the data. What data will remain on the drive? A. No data will remain on the drive. B. Files will remain but file indexes will not. C. File indexes will remain, but the files will be gone. D. Files and file indexes will remain on the drive.

B. Quick-formatting a drive removes the file indexes but leaves the file content on the drive. Recovery tools look for those files on the drive and piece them back together using metadata, headers, and other clues that help to recover the files.

Gabby wants to implement a mirrored drive solution. What RAID level does this describe? A. RAID 0 B. RAID 1 C. RAID 5 D. RAID 6

B. RAID 1 mirrors drives, providing higher read speeds and a redundant copy of the data while using twice the storage space. RAID 0 is striping; RAID 5 and 6 do striping with parity, using additional space to provide checksums for data.

What type of malware is frequently called stalkerware because of its use by those in intimate relationships to spy on their partners? A. Worms B. RATs C. Crypto malware D. PUPs

B. RATs, or remote access Trojans, are sometimes called stalkerware because they are often utilized by those in intimate relationships to spy on their partners. They provide remote access and other capabilities to computers and mobile devices.

Rick believes that a system he is responsible for has been compromised with malware that uses a rootkit to obtain and retain access to the system. When he runs a virus scan, the system doesn't show any malware. If he has other data that indicates the system is infected, what should his next step be if he wants to determine what malware may be on the system? A. Rerun the antimalware scan. B. Mount the drive on another system and scan it that way. C. Disable the systems antivirus because it may be causing a false negative. D. The system is not infected and he should move on.

B. Rootkits are designed to hide from antimalware scanners and can often defeat locally run scans. Mounting the drive in another system in read-only mode, or booting from a USB drive and scanning using a trusted, known good operating system, can be an effective way to determine what malware is on a potentially infected system.

Madhuri disables SMS, MMS, and RCS on phones in her organization. What has she prevented from being sent? A. Phone calls and texts B. Text messages and multimedia messages C. Text messages and firmware updates D. Phone calls and multimedia messages

B. SMS (Short Message Service) is used to send text messages, and MMS and RCS provide additional multimedia features. Neither provides phone calls or firmware updates.

Which type of multifactor authentication is considered the least secure? A. HOTP B. SMS C. TOTP D. Biometric

B. SMS messages are not secure and could be accessed by cloning a SIM card or redirecting VoIP traffic, among other possible threat models. Both HOTP and TOTP tokens and applications as well as biometric factors are generally considered more secure than an SMS-based factor.

Which one of the following would not normally be found in an organization's information security policy? A. Statement of the importance of cybersecurity B. Requirement to use AES-256 encryption C. Delegation of authority D. Designation of responsible executive

B. Security policies do not normally contain prescriptive technical guidance, such as a requirement to use a specific encryption algorithm. This type of detail would normally be found in a security standard.

Alan reads Susan's password from across the room as she logs in. What type of technique has he used? A. A man-in-the-room attack B. Shoulder surfing C. A man-in-the-middle attack D. Pretexting

B. Shoulder surfing is the process of watching what someone is doing to acquire passwords or other information. A man-in-the-middle attack is a technical attack that inserts an attacker between a victim and a legitimate server or other destination to capture traffic. Pretexting is a social engineering technique that presents a reason or excuse why something is needed or done. A man-in-the-room attack was made up for this question.

What type of phishing targets specific groups of employees, such as all managers in the financial department of a company? A. Smishing B. Spear phishing C. Whaling D. Vishing

B. Spear phishing is aimed at specific groups. Whaling would target VIPs and executives, smishing uses SMS (text) messages, and vishing is done via voice or voicemail.

Vince recently received the hash values of malicious software that several other firms in his industry found installed on their systems after a compromise. What term best describes this information? A. Vulnerability Feed B. IoC C. TTP D. RFC

B. Specific details of attacks that may be used to identify compromises are known as indicators of compromise (IoCs). This data may also be described as an adversary tool, tactic, or procedure (TTP), but the fact that it is a set of file signatures makes it more closely match the definition of an IoC.

Allan is developing a document that lists the acceptable mechanisms for securely obtaining remote administrative access to servers in his organization. What type of document is Allan writing? A. Policy B. Standard C. Guideline D. Procedure

B. Standards describe specific security controls that must be in place for an organization. Allan would not include acceptable mechanisms in a high-level policy document, and this information is too general to be useful as a procedure. Guidelines are not mandatory, so they would not be applicable in this scenario.

Susan wants to ensure that the threat of a lost phone creating a data breach is minimized. What two technologies should she implement to do this? A. Wi-Fi and NFC B. Remote wipe and FDE C. Containerization and NFC D. Geofencing and remote wipe

B. Susan's best options are to use a combination of full-device encryption (FDE) and remote wipe. If a device is stolen and continues to be connected to the cellular network, or reconnects at any point, the remote wipe will occur. If it does not, or if attackers attempt to get data from the device and it is locked, the encryption will significantly decrease the likelihood of the data being accessed. Of course, cracking a passcode, PIN, or password remains a potential threat. NFC and Wi-Fi are wireless connection methods and have no influence on data breaches due to loss of a device. Geofencing may be useful for some specific organizations that want to take action if devices leave designated areas, but it is not a general solution. Containerization may shield data, but use of containers does not immediately imply encryption or other protection of the data, simply that the environments are separated.

Valerie wants to replace the telnet access that she found still in use in her organization. Which protocol should she use to replace it, and what port will it run on? A. SFTP, port 21 B. SSH, port 22 C. HTTPS, port 443 D. RDP, port 3389

B. Telnet provides remote command-line access but is not secure. SSH is the most common alternative to telnet, and it operates on port 22.

Selah is following the Cyber Kill Chain model and has completed the delivery phase. What step is next according to the Kill Chain? A. Weaponization B. Exploitation C. Installation D. Actions on Objective

B. The Cyber Kill Chain describes the phase after delivery when a weapon is delivered to the target as exploitation. In this phase, the malware is triggered and it exploits vulnerabilities on the system to acquire access. Weaponization is the creation of tools to exploit vulnerabilities. Installation occurs when remote access tools are installed. Actions on Objective is the final phase in the Kill Chain when attackers take action to accomplish their goals.

Charles wants to monitor changes to a log file via a command line in real time. Which of the following command-line Linux tools will let him see the last lines of a log file as they change? A. logger B. tail C. chmod D. head

B. The Linux tail command with the -f flag will follow a file as it changes, showing the last 10 lines by default. Charles can use this to monitor a log file as it changes. logger adds text to the syslog file, chmod changes permissions, and head shows the first 10 lines of a file, which will typically be the oldest entries in a log file on a Linux system.

Chris has turned on logon auditing for a Windows system. Which log will show them? A. The Windows Application log B. The Windows Security log C. The Windows System log D. All of the above

B. The Windows Security log records logon events when logon auditing is enabled. The Application and System logs do not contain these events.

The application that Scott is writing has a flaw that occurs when two operations are attempted at the same time, resulting in unexpected results when the two actions do not occur in the expected order. What type of flaw does the application have? A. De-referencing B. A race condition C. An insecure function D. Improper error handling

B. The application has a race condition, which occurs when multiple operations cause undesirable results due to their order of completion. De-referencing would occur if a memory location was incorrect, an insecure function would have security issues in the function itself, and improper error handling would involve an error and how it was displayed or what data it provided.

Jade's organization recently suffered a security breach that affected stored credit card data. Jade's primary concern is the fact that the organization is subject to sanctions for violating the provisions of the Payment Card Industry Data Security Standard. What category of risk is concerning Jade? A. Strategic B. Compliance C. Operational D. Financial

B. The breach of credit card information may cause many different impacts on the organization, including compliance, operational, and financial risks. However, in this scenario, Jade's primary concern is violating PCI DSS, making his concern a compliance risk.

Which one of the following is not one of the five core security functions defined by the NIST Cybersecurity Framework? A. Identify B. Contain C. Respond D. Recover

B. The five security functions described in the NIST Cybersecurity Framework are identify, protect, detect, respond, and recover.

Joe is authoring a document that explains to system administrators one way in which they might comply with the organization's requirement to encrypt all laptops. What type of document is Joe writing? A. Policy B. Guideline C. Procedure D. Standard

B. The key word in this scenario is "one way." This indicates that compliance with the document is not mandatory, so Joe must be authoring a guideline. Policies, standards, and procedures are all mandatory.

Isaac is performing a forensic analysis on two systems that were compromised in the same event in the same facility. As he performs his analysis, he notices that the event appears to have happened almost exactly one hour earlier on one system than the other. What is the most likely issue he has encountered? A. The attacker took an hour to get to the second system. B. One system is set to an incorrect time zone. C. The attacker changed the system clock to throw off forensic practitioners. D. The forensic tool is reading the timestamps incorrectly.

B. The most common cause of an hour of difference between two systems in an environment is an incorrectly set time zone. Isaac should check the time zone settings, and then correct his findings based on the time zones set on the systems if necessary.

Gabby wants to capture the pagefile for a system. Where will she find the pagefile stored? A. In memory B. On disk C. In a CPU register D. In device firmware

B. The pagefile is disk space used to extend or expand memory. Thus, Gabby can find the pagefile on the disk and can capture it as she would other files on the disk.

When Mike receives the digitally signed message from David, what key should he use to verify the digital signature? A. David's Public key B. David's Private key C. Mike's Public key D. Mike's Private key

B. The sender of a message may digitally sign the message by encrypting a message digest with the sender's own private key.

Kevin would like to ensure that his software runs on a platform that is able to expand and contract as needs change. Which one of the following terms best describes his goal? A. Scalability B. Elasticity C. Cost effectiveness D. Agility

B. The situation described in the scenario, expanding capacity when demand spikes and then reducing that capacity when demand falls again, is the definition of elasticity.

Which one of the following objectives is not one of the three main objectives that information security professionals must achieve to protect their organizations against cybersecurity threats? A. Integrity B. Nonrepudiation C. Availability D. Confidentiality

B. The three primary objectives of cybersecurity professionals are confidentiality, integrity, and availability.

Tina works for a hospital system and manages the system's patient records. What category of personal information best describes the information that is likely to be found in those records? A. PCI B. PHI C. PFI D. PII

B. This is a tricky question, as it is possible that all of these categories of information may be found in patient records. However, they are most likely to contain protected health information (PHI). PHI could also be described as a subcategory of personally identifiable information (PII), but PHI is a better description. It is also possible that the records might contain payment card information (PCI) or personal financial information (PFI), but that is less likely than PHI.

Cynthia wants to clone a virtual machine. What should she do to capture a live machine, including the machine state? A. A full backup B. A snapshot C. A differential backup D. A LiveCD

B. Virtual machine snapshots capture the machine state at a point in time and will allow Cynthia to clone the system. A full backup and a differential backup can be used to capture the disk for the machine but typically will not capture the memory state and other details of the system state. A LiveCD allows you to boot and run a nonpersistent system from trusted media.

What type of recovery site has some or most systems in place but does not have the data needed to take over operations? A. A hot site B. A warm site C. A cloud site D. A cold site

B. Warm sites have systems, connectivity, and power but do not have the live or current data to immediately take over operations. A hot site can immediately take over operations, whereas a cold site has space and power, and likely connectivity, but will require that systems and data be put in place to be used. Cloud sites are not one of the three common types of recovery sites.

Aziz is responsible for the administration of an e-commerce website that generates $100,000 per day in revenue for his firm. The website uses a database that contains sensitive information about the firm's customers. He expects that a compromise of that database would result in $500,000 of fines against his firm. Aziz is assessing the risk of a SQL injection attack against the database where the attacker would steal all of the customer personally identifiable information (PII) from the database. After consulting threat intelligence, he believes that there is a 5 percent chance of a successful attack in any given year. What is the annualized loss expectancy (ALE)? A. $5,000 B. $25,000 C. $100,000 D. $500,000

B. We compute the annualized loss expectancy (ALE) by multiplying the SLE ($500,000) and the ARO (0.05) to get an ALE of $25,000.

Wendy is a penetration tester who wishes to engage in a session hijacking attack. What information is crucial for Wendy to obtain if her attack will be successful? A. Session ticket B. Session cookie C. Username D. User password

B. Websites use HTTP cookies to maintain sessions over time. If Wendy is able to obtain a copy of the user's session cookie, she can use that cookie to impersonate the user's browser and hijack the authenticated session.

Lucca is prototyping an embedded system and wants to use a device that can run a full Linux operating system so that he can install and use a firewall and other security software to protect a web service he will run on it. Which of the following solutions should he use? A. An Arduino B. An FPGA C. A Raspberry Pi D. None of the above

C. A Raspberry Pi supports Linux natively and has the resources and hardware to run the operating system and services described. An Arduino is a microcontroller and is better suited to handling a limited set of sensors, actuators, or similar hardware. An FPGA is a specific type of integrated chip that can be programmed to handle specific tasks, but it is not a full computer.

What type of cryptographic attack attempts to force a user to reduce the level of encryption that they use to communicate with a remote server? A. Birthday B. Frequency C. Downgrade D. Rainbow Table

C. A downgrade attack is sometimes used against secure communications such as TLS in an attempt to get the user or system to inadvertently shift to less secure cryptographic modes. The idea is to trick the user into shifting to a less secure version of the protocol, one that might be easier to break.

Ben wants to observe malicious behavior targeted at multiple systems on a network. He sets up a variety of systems and instruments to allow him to capture copies of attack tools and to document all the attacks that are conducted. What has he set up? A. A honeypot B. A beartrap C. A honeynet D. A tarpit

C. A honeynet is a group of systems that intentionally exposes vulnerabilities so that defenders can observe attacker behaviors, techniques, and tools to help them design better defenses.

Gurvinder has been asked to assist a company that recently fired one of their developers. After the developer was terminated, the critical application that they had written for the organization stopped working and now displays a message reading "You shouldn't have fired me!" If the developer's access was terminated and the organization does not believe that they would have had access to any systems or code after they left the organization, what type of malware should Gurvinder look for? A. A RAT B. A PUP C. A logic bomb D. A keylogger

C. A logic bomb is a type of malware that activates after specific conditions are met. Here, the developer no longer showing up in payroll, not entering a specific input, or another activation scheme could have been used. A RAT is a remote access Trojan, a PUP is a potentially unwanted program, and a keylogger steals user input.

Melissa is planning on implementing biometric authentication on her network. Which of the following should be a goal for any biometric solution she selects? A. High FRR, low FAR B. High FAR, low FRR C. Low CER D. High CER

C. A low crossover error rate will ensure that there's a low false rejection rate and a low false acceptance rate. The other options each have a high element, which isn't desirable.

A person's name, age, location, or job title are all examples of what? A. Biometric factors B. Identity factors C. Attributes D. Account permissions

C. A person's name, age, location, job title, and even things like their height or hair color are all attributes that may be associated with a person's identity. None of these describe biometric factors used for authentication, and identity factors are something you know, something you are, or something you have. Account permissions determine what you can do, not attributes like these.

Which of the following is not typically part of a SoC? A. A CPU B. A display C. Memory D. I/O

C. A system on a chip (SoC) is a chip that has most of the functions of a complete computer built into it. In fact, most SoCs have a CPU, memory, input/output, and storage as part of the chip. Adding a display to the chip is unlikely, but adding a display that the SoC can access and display to is very common in things like smartphones, smart watches, and other devices.

What type of malware is adware typically classified as? A. A DOG B. A backdoor C. A PUP D. A rootkit

C. Adware is typically classified as a type of potentially unwanted program, or PUP. Backdoors and rootkits are definitely malicious, whereas adware may simply be unwanted and annoying. A DOG is not a term commonly used to describe malware.

Wendy is scanning cloud-based repositories for sensitive information. Which one of the following should concern her most, if discovered in a public repository? A. Product manuals B. Source code C. API keys D. Open Source Data

C. All of these items could be concerning, depending on the circumstances. However, API keys should never be found in public repositories because they may grant unauthorized individuals access to information and resources.

Which one of the following data elements is not commonly associated with identity theft? A. Social Security Number B. Driver's License Number C. Frequent Flyer Number D. Passport Number

C. Although it is possible that a frequent flyer account number, or any other account number for that matter, could be used in identity theft, it is far more likely that identity thieves would use core identity documents. These include drivers' licenses, passports, and Social Security numbers.

Charles needs to know about actions an individual performed on a PC. What is the best starting point to help him identify those actions? A. Review the system log. B. Review the event log. C. Interview the individual. D. Analyze the system's keystroke log.

C. Although it may be tempting to use a technical answer, interviewing the individual involved is the best starting point when a person performed actions that need to be reviewed. Charles can interview the staff member, and then move on to technical means to validate their responses. System and event logs may have some clues to what occurred, but normal systems do not maintain a keystroke log. In fact, the closest normal element is the command log used by both Windows and Linux to allow command-line input to be recalled as needed.

Danielle wants to capture traffic from a network so that she can analyze a VoIP conversation. Which of the following tools will allow her to review the conversation most effectively? A. A network SIPper B. tcpdump C. Wireshark D. netcat

C. Although tcpdump can be used to view packets sent as part of a VoIP connection, Wireshark has built-in VoIP analysis and protocol-specific tools. Danielle will have greater success using those built-in tools. A network SIPper is a made-up tool, and netcat is not a packet sniffer.

Amanda wants to create a view of her buildings that shows Wi-Fi signal strength and coverage. What is this type of view called? A. A channel overlay B. A PSK C. A heatmap D. A SSID chart

C. Amanda wants to create a heatmap which shows the signal strength and coverage for each access point in a facility. Heatmaps can also be used to physically locate an access point by finding the approximate center of the signal. This can be useful to locate rogue access points and other unexpected or undesired wireless devices. PSK stands for preshared key, a channel overlay is not a commonly used term (although channel overlap is a concern for channels that share bandwidth), and SSID chart was made up for this question.

Which one of the following values for the CVSS attack complexity metric would indicate that the specified attack is simplest to exploit? A. High B. Medium C. Low D. Severe

C. An attack complexity of "low" indicates that exploiting the vulnerability does not require any specialized conditions.

Gurvinder wants to follow the order of volatility to guide his forensic data acquisition. Which of the following is the least volatile? A. RAM B. Data on the hard drive C. Backups D. Remote logs

C. Backups are the least volatile of these options according to the order of volatility. Backups will be kept until they are aged out, which may be days, weeks, or even months in some cases. From most to least volatile, these are RAM, data on the hard drive, remote logs, and then backups.

Angela wants to limit the potential impact of malicious Bash scripts. Which of the following is the most effective technique she can use to do so without a significant usability impact for most users? A. Disable Bash. B. Switch to another shell. C. Use Bash's restricted mode. D. Prevent execution of Bash scripts.

C. Bash's restricted shell mode removes many of the features that can make Bash useful for malicious actors. You can read more about Bash in restricted shell mode at www.gnu.org/software/bash/manual/html_node/The-Restricted-Shell.html .

Octavia discovers that the contact list from her phone has been acquired via a wireless attack. Which of the following is the most likely culprit? A. Bluejacking B .An evil maid C. Bluesnarfing D. An evil twin

C. Bluesnarfing is the theft of information from a Bluetooth enabled device. If Octavia left Bluetooth on and has not properly secured her device, then an attacker may have been able to access her contact list and download its contents. A bluejacking attack occurs when unwanted messages are sent to a device via Bluetooth. Evil twins are malicious access points configured to appear to be legitimate access points, and an evil maid attack is an in-person attack where an attacker takes advantage of physical access to hardware to acquire information or to insert malicious software on a device.

Which one of the following assessment techniques is designed to solicit participation from external security experts and reward them for discovering vulnerabilities? A. Threat hunting B. Penetration testing C. Bug bounty D. Vulnerability scanning

C. Bug bounty programs are designed to allow external security experts to test systems and uncover previously unknown vulnerabilities. Bug bounty programs offer successful testers financial rewards to incentivize their participation.

Jen identified a missing patch on a Windows server that might allow an attacker to gain remote control of the system. After consulting with her manager, she applied the patch. From a risk management perspective, what has she done? A. Removed the threat B. Reduced the threat C. Removed the vulnerability D. Reduced the vulnerability

C. By applying the patch, Jen has removed the vulnerability from her server. This also has the effect of eliminating this particular risk. Jen cannot control the external threat of an attacker attempting to gain access to her server.

Alaina has implemented WPA2 and uses enterprise authentication for access points in infrastructure mode. What encryption protocol is her network using? A. WEP B. TKIP C. CCMP D. IV

C. CCMP is the encryption protocol used for WPA2. A block cipher, CCMP provides confidentiality, authentication, and access control features. WEP is the protocol used before WPA, TKIP was used in WPA prior to the use of CCMP in WPA2, and IV is an initialization vector.

Jim wants to view log entries that describe actions taken by applications on a CentOS Linux system. Which of the following tools can he use on the system to view those logs? A. logger B. syslog-ng C. journalctl D. tail

C. CentOS and Red Hat Enterprise Linux both use journalctl to view journal logs that contain application information. Jim should use journalctl to review the logs for the information he needs. The tool also provides functionality that replicates what head and tail can do for logs. Syslog-ng is a logging infrastructure, and though logs may be sent via syslog-ng, it is not mentioned here. logger is a logging utility used to make entries in the system log.

Charles is worried about users conducting SQL injection attacks. Which of the following solutions will best address his concerns? A. Using secure session management B. Enabling logging on the database C. Performing user input validation D. Implementing TLS

C. Charles should perform user input validation to strip out any SQL code or other unwanted input. Secure session management can help prevent session hijacking, logging may provide useful information for incident investigation, and implementing TLS can help protect network traffic, but only input validation helps with the issue described.

Chris wants systems that connect to his network to report their boot processes to a server where they can be validated before being permitted to join the network. What technology should he use to do this on the workstations? A. UEFI/Trusted boot B. BIOS/Trusted boot C. UEFI/Measured boot D. BIOS/Measured boot

C. Chris knows that BIOS-based systems do not support either of these modes, and that trusted boot validates every component before loading it, whereas measured boot logs the boot process and sends it to a server that can validate it before permitting the system to connect to the network or perform other actions.

Charles wants to obtain a forensic copy of a running virtual machine. What technique should he use to capture the image? A. Run dd from within the running machine. B. Use FTK Imager from the virtual machine host. C. Use the VM host to create a snapshot. D. Use WinHex to create a copy from within the running machine.

C. Creating a snapshot will provide a complete copy of the system, including memory state that can then be analyzed for forensic purposes. Copying a running system from a program running within that system can be problematic, since the system itself will change while it is trying to copy itself. FTK Imager can copy drives and files, but it would not handle a running virtual machine.

Crypto malware is a type of what sort of malware? A. Worms B. PUP C. Ransomware D. Rootkit

C. Crypto malware, a type of ransomware, typically demands payment to decrypt critical files or entire drives. PUPs are potentially unwanted programs like spyware and adware, whereas rootkits are used to gain control of systems without being detected and worms self-spread by exploiting vulnerabilities.

What are the two most commonly deployed biometric authentication solutions for mobile devices? A. Voice recognition and face recognition B. Fingerprint recognition and gait recognition C. Face recognition and fingerprint recognition D. Voice recognition and fingerprint recognition

C. Current mobile device implementations have focused heavily on facial recognition via services like Apple's FaceID and fingerprint recognition like Android's fingerprint scanning and Apple's TouchID. Gait recognition is not a widely deployed biometric technology and would be difficult for most mobile device users to use. Voice recognition as a biometric authenticator has not been broadly deployed for mobile devices, whereas voice-activated services are in wide usage.

In which of the following cloud categories are customers typically charged based on the number of virtual server instances dedicated to their use? A. IaaS only B. SaaS only C. IaaS and PaaS D. IaaS, SaaS, and PaaS

C. Customers are typically charged for server instances in both IaaS environments, where they directly provision those instances, and PaaS environments, where they request the number of servers needed to support their applications. In an SaaS environment, the customer typically has no knowledge of the number of server instances supporting their use.

Gwen is building her organization's documentation and processes and wants to create the plan for what the organization would do if her datacenter burned down. What type of plan would typically cover that type of scenario? A. An incident response plan B. A business continuity plan C. A disaster recovery plan D. A stakeholder management plan

C. Disaster recovery plans describe what will occur if a natural or man-made disaster has a significant impact on an organization. Business continuity plans describe how the business will continue to operate. IR plans deal with incidents, and stakeholder management is part of many plans.

What technique is most commonly associated with the use of malicious flash drives by penetration testers? A. Mailing them to targets B. Sneaking them into offices and leaving them in desk drawers C. Distributing them in parking lots as though they were dropped D. Packing them to look like a delivery and dropping them off with a target's name on the package

C. Distributing malicious flash drives in a parking lot or other high-traffic area, often with a label that will tempt the person who finds it into plugging it in, is a technique used by penetration testers.

Gary wants to use secure protocols for email access for his end users. Which of the following groups of protocols should he implement to accomplish this task? A. DKIM, DMARC, HTTPS B. SPF, POPS, IMAPS C. POPS, IMAPS, HTTPS D. DMARC, DKIM, SPF

C. End users may use secure POP (POPS), secure IMAP (IMAPS), and secure HTTP (HTTPS) to retrieve email. SPF, DKIM, and DMARC are used to identify and validate email servers, not to access email by end users.

During a site survey, Chris discovers that there are more access points broadcasting his organization's SSID than he expects there to be. What type of wireless attack has he likely discovered? A. An identical twin B. An alternate access point C. An evil twin D. A split SSID

C. Evil twins are access points configured to appear to be legitimate access points. In this case, Chris should determine where his access points are, and then use his wireless surveying tools to locate the potentially malicious access point. Although it is possible that a member of his organization's staff has configured their own access point, Chris needs to be sure that attackers have not attempted to infiltrate his network. Identical twin, alternate access point, and split SSD were made up for this question.

Why are Faraday cages deployed? A. To prevent tailgating B. To assist with fire suppression C. To prevent EMI D. To prevent degaussing

C. Faraday cages prevent electromagnetic emissions and are used to stop wireless signals and other unwanted EMI. Mantraps are used to prevent tailgating; Faraday cages are not used for fire suppression; and though a Faraday cage would likely stop a degausser, it isn't typically used for that purpose.

Kathleen wants to discourage potential attackers from entering the facility she is responsible for. Which of the following is not a common control used for this type of preventive defense? A. Fences B. Lighting C. Robotic sentries D. Signs

C. Fences, lighting, and signs can all help discourage potential malicious actors from entering an area, although a determined adversary will ignore or bypass all three. Robotic sentries appear in the exam outline but are not a common solution for most organizations.

Gurvinder identifies a third-party datacenter provider over 90 miles away to run his redundant datacenter operations. Why has he placed the datacenter that far away? A. Because it is required by law B. Network traffic latency concerns C. Geographic dispersal D. Geographic tax reasons

C. Geographic dispersal helps ensure that a single natural or man-made disaster does not disable multiple facilities. This distance is not required by law; latency increases with distance; and though there may be tax reasons in some cases, this is not a typical concern for a security professional.

What is the most frequent concern that leads to GPS tagging being disabled by some companies via an MDM tool? A. Chain of custody B. The ability to support geofencing C. Privacy D. Context-aware authentication

C. Geotagging places a location stamp in documents and pictures that can include position, time, and date. This can be a serious privacy issue when pictures or other information are posted, and many individuals and organizations disable GPS tagging. Organizations may want to enforce GPS tagging for some work products, meaning that the ability to enable or disable it in an MDM tool is quite useful. Chain of custody is a forensic concept, the ability to support geofencing does not require GPS tagging, and context-aware authentication may need geolocation but not GPS tagging.

Trevor is deploying the Google Authenticator mobile application for use in his organization. What type of one-time password system does Google Authenticator use in its default mode? A. HMAC-based one-time passwords B. SMS-based one-time passwords C. Time-based one-time passwords D. Static codes

C. Google Authenticator implements time-based one-time passwords, with continuously generated codes provided to the user that expire and are refreshed on an ongoing basis.

Alan's team needs to perform computations on sensitive personal information but does not need access to the underlying data. What technology can the team use to perform these calculations without accessing the data? A. Quantum Computing B. Blockchain C. Homomorphic encryption D. Certificate pinning

C. Homomorphic encryption technology protects privacy by encrypting data in a way that preserves the ability to perform computation on that data.

Which of the following statements about the security implications of IPv6 is not true? A. Rules based on static IP addresses may not work. B. IPv6 reputation services may not be mature and useful. C. IPv6's NAT implementation is insecure. D. IPv6 traffic may bypass existing security controls.

C. IPv6 does not include network address translation (NAT) because there are so many IP addresses available. That means that there is not a NAT implementation, and thus, IPv6 can't have an insecure version. Rules based on static IPv6 addresses may not work since dynamic addresses are heavily used in IPv6 networks, reputation services remain relatively rare and less useful for IPv6 traffic, and IPv6 traffic may bypass many existing IPv4 security tools.

Madhuri wants to check a PNG-formatted photo for GPS coordinates. Where can she find that information if it exists in the photo? A. In the location.txt file appended to the PNG B. On the original camera C. In the photo's metadata D. In the photo as a steganographically embedded data field

C. If the photo includes GPS data, it will be included in the photo's metadata. Madhuri can use a tool like ExifTool to review the metadata for useful information. None of the other answers are places where data is stored for a PNG image as a normal practice.

Fred receives a call to respond to a malware-infected system. When he arrives, he discovers a message on the screen that reads "Send .5 Bitcoin to the following address to recover your files." What is the most effective way for Fred to return the system to normal operation? A. Pay the Bitcoin ransom. B. Wipe the system and reinstall. C. Restore from a backup if available. D. Run antimalware software to remove malware.

C. In most cases, if a backup exists it is the most effective way to return to normal operation. If no backup exists, Fred may be faced with a difficult choice. Paying a ransom is prohibited by policy in many organizations and does not guarantee that the files will be unlocked. Wiping and reinstalling may result in the loss of data, much like not paying the ransom. Antimalware software may work, but if it did not detect the malware in the first place, it may not work, or it may not decrypt the files encrypted by the malware.

oe's adventures in web server log analysis are not yet complete. As he continues to review the logs, he finds the request http://www.mycompany.com/../../../etc/passwd What type of attack was most likely attempted? A. SQL injection B. Session hijacking C. Directory traversal D. File upload

C. In this case, the .. operators are the tell-tale giveaway that the attacker was attempting to conduct a directory traversal attack. This particular attack sought to break out of the web server's root directory and access the /etc/passwd file on the server.

Which one of the following is not an example of infrastructure as code? A. Defining infrastructure in JSON B. Writing code to interact with a cloud provider's API C. Using a cloud provider's web interface to provision resources D. Defining infrastructure in YAML

C. Infrastructure as code is any approach that automates the provisioning, management, and deprovisioning of cloud resources. Defining resources through JSON or YAML is IaC, as is writing code that interacts with an API. Provisioning resources through a web interface is manual, not automated, and therefore does not qualify as IaC.

You notice a high number of SQL injection attacks against a web application run by your organization, so you install a web application firewall to block many of these attacks before they reach the server. How have you altered the severity of this risk? A. Reduced the magnitude B. Eliminated the vulnerability C. Reduced the probability D. Eliminated the threat

C. Installing a web application firewall reduces the probability that an attack will reach the web server. Vulnerabilities may still exist in the web application and the threat of an external attack is unchanged. The impact of a successful SQL injection attack is also unchanged by a web application firewall.

Grace recently completed a risk assessment of her organization's exposure to data breaches and determined that there is a high level of risk related to the loss of sensitive personal information. She is considering a variety of approaches to managing this risk. Grace's first idea is to add a web application firewall to protect her organization against SQL injection attacks. What risk management strategy does this approach adopt? A. Risk acceptance B. Risk avoidance C. Risk mitigation D. Risk transference

C. Installing new controls or upgrading existing controls is an effort to reduce the probability or magnitude of a risk. This is an example of a risk mitigation activity.

Isabelle needs to select the EAP protocol that she will use with her wireless network. She wants to use a secure protocol that does not require client devices to have a certificate, but she does want to require mutual authentication. Which EAP protocol should she use? A. EAP-FAST B. EAP-TTLS C. PEAP D. EAP-TLS

C. Isabelle should select PEAP, which doesn't require client certificates but does provide TLS support. EAP-TTLS provides similar functionality but requires additional software to be installed on some devices. EAP-FAST focuses on quick reauthentication, and EAP-TLS requires certificates to be deployed to the endpoint devices.

What legal concept determines the law enforcement agency or agencies that will be involved in a case based on location? A. Nexus B. Nonrepudiation C. Jurisdiction D. Admissibility

C. Jurisdiction is the legal authority over an area or individuals based on laws that create the jurisdiction. Nexus defines whether a relationship or connection exists, such as a local branch or business location. Admissibility determines whether evidence can be used in court. Nonrepudiation ensures that evidence or materials can be connected to their originator.

Greg would like to create an umbrella agreement that provides the security terms and conditions for all future work that his organizations does with a vendor. What type of agreement should Greg use? A. BPA B. MOU C. MSA D. SLA

C. Master service agreements (MSAs) provide an umbrella contract for the work that a vendor does with an organization over an extended period of time. The MSA typically includes detailed security and privacy requirements. Each time the organization enters into a new project with the vendor, they may then create a statement of work (SOW) that contains project-specific details and references the MSA.

Which team member acts as a primary conduit to senior management on an IR team? A. Communications and public relations B. Information security C. Management D. Technical expert

C. Members of management or organizational leadership act as a primary conduit to senior leadership for most incident response teams. They also ensure that difficult or urgent decisions can be made without needing escalated authority. Communications and PR staff focus on internal and external communications but are typically not the direct conduit to leadership. Technical and information security experts do most of the incident response work itself.

James notices that a macro virus has been detected on a workstation in his organization. What was the most likely path for the infection? A. A drive-by download via a web browser B. A worm spread the macro virus C. A user intentionally enabled macros for an infected file D. A remote access Trojan was used to install the macro virus

C. Modern versions of Microsoft Office disable macros by default. For most macro viruses to successfully attack systems, users must enable macros. Social engineering and other techniques are used to persuade users that they want or need to enable macros in infected files, allowing the malicious scripts to run.

Madhuri wants to implement a camera system but is concerned about the amount of storage space that the video recordings will require. What technology can help with this? A. Infrared cameras B. Facial recognition C. Motion detection D. PTZ

C. Motion-detecting cameras can be used to help conserve storage space for video by recording only when motion is detected. In low-usage spaces like datacenters, this means recording will occur only occasionally. In more heavily used areas, the impact on total space used will be smaller but can still be meaningful, particularly after business hours. Infrared cameras, facial recognition, and the ability to pan, tilt, and zoom (PTZ) a camera are important features, but they do not help conserve storage space.

Which one of the following security assessment tools is least likely to be used during the reconnaissance phase of a penetration test? A. Nmap B. Nessus C. Metasploit D. Nslookup

C. Nmap is a port scanning tool used to enumerate open network ports on a system. Nessus is a vulnerability scanner designed to detect security issues on a system. Nslookup is a DNS information gathering utility. All three of these tools may be used to gather information and detect vulnerabilities. Metasploit is an exploitation framework used to execute and attack and would be better suited for the Attacking and Exploiting phase of a penetration test.

Which one of the following statements about cloud computing is incorrect? A. Cloud computing offers ubiquitous, convenient access. B. Cloud computing customers store data on hardware that is shared with other customers. C. Cloud computing customers provision resources through the service provider's sales team. D. Cloud computing resources are accessed over a network.

C. One of the key characteristics of cloud computing is that customers can access resources on-demand with minimal service provider interaction. Cloud customers do not need to contact a sales representative each time they wish to provision a resource but can normally do so on a self-service basis.

Asa believes that her organization is taking data collected from customers for technical support and using it for marketing without their permission. What principle is most likely being violated? A. Data minimization B. Data retention C. Purpose limitation D. Data sovereignty

C. Organizations should only use data for the purposes disclosed during the collection of that data. In this case, the organization collected data for technical support purposes and is now using it for marketing purposes. That violates the principle of purpose limitation.

Fred wants to ensure that the administrative interfaces for the switches and routers are protected so that they cannot be accessed by attackers. Which of the following solutions should he recommend as part of his organization's network design? A. NAC B. Trunking C. Out-of-band management D. Port security

C. Out-of-band management places the administrative interface of a switch, router, or other device on a separate network or requires direct connectivity to the device to access and manage it. This ensures that an attacker who has access to the network cannot make changes to the network devices. NAC and port security help protect the network itself, whereas trunking is used to combine multiple interfaces, VLANs, or ports together.

The company that Theresa works for has deployed IoT sensors that have built-in cellular modems for communication back to a central server. What issue may occur if the devices can be accessed by attackers? A. Attackers may change the baseband frequency used by the devices, causing them to fail. B. Attackers may switch the devices to a narrowband radio mode that limits the range of the cellular modems. C. Attackers may steal the SIM cards from the devices and use them for their own purposes. D. Attackers may clone the SIM cards from the devices to conduct attacks against one-time password systems.

C. Physical theft of SIM cards is a threat that cellular-connected devices may face. Using an integrated SIM rather than a removable SIM, or making the SIM difficult or impossible to access without significant effort, may help. Although cloning SIM cards to help defeat one-time password systems is an actual attack, IoT devices typically do not use a cellular connection to present a one-time password since no users are involved. Both the narrowband and baseband answers are not concerns in this scenario.

Which one of the following information sources would not be considered an OSINT source? A. DNS lookup B. Search Engine research C. Port Scans D. WHOIS queries

C. Port scans are an active reconnaissance technique that probe target systems and would not be considered open source intelligence (OSINT). Search engine research, DNS lookups, and WHOIS queries are all open source resources.

Frank's organization is preparing to deploy a data loss prevention (DLP) system. What key process should they undertake before they deploy it? A. Define data lifecycles for all nonsensitive data. B. Encrypt all sensitive data. C. Implement and use a data classification scheme. D. Tag all data with the name of the creator or owner.

C. Protecting data using a DLP requires data classification so that the DLP knows which data should be protected and what policies to apply to it. Defining data lifecycles can help prevent data from being kept longer than it should be and improves data security by limiting the data that needs to be secured, but it isn't necessary as part of a DLP deployment. Encrypting all sensitive data may mean the DLP cannot recognize it and may not be appropriate for how it is used. Tagging all data with a creator or owner can be useful but is not required for a DLP rollout—instead, knowing the classification of the data is more important.

Theresa's organization has received a legal hold notice for their files and documents. Which of the following is not an action she needs to take? A. Ensure that changes to existing documents related to the case are tracked and that originals can be provided. B. Preserve all existing documents relevant to the case. C. Delete all sensitive documents related to the case. D. Prevent backups that contain files related to the case from being overwritten on their normal schedule.

C. Removing information relevant to a legal hold is exactly what the hold is intended to prevent. Theresa's organization could be in serious legal trouble if they were to intentionally purge or change related information.

Renee is a cybersecurity hobbyist. She receives an email about a new web-based grading system being used by her son's school and she visits the site. She notices that the URL for the site looks like this: https://www.myschool.edu/grades.php&studentID=1023425 She realizes that 1023425 is her son's student ID number and she then attempts to access the following similar URLs: https://www.myschool.edu/grades.php&studentID=1023423 https://www.myschool.edu/grades.php&studentID=1023424 https://www.myschool.edu/grades.php&studentID=1023426 https://www.myschool.edu/grades.php&studentID=1023427 When she does so, she accesses the records of other students. She closes the records and immediately informs the school principal of the vulnerability. What term best describes Renee's work? A. White-hat hacking B. Green-hat hacking C. Gray-hat hacking D. Black-hat hacking

C. Renee was not authorized to perform this security testing, so her work does not fit into the category of white-hat hacking. However, she also does not have malicious intent, so her work cannot be categorized as a black-hat attack. Instead, it fits somewhere in between the two extremes and would best be described as gray-hat hacking.

Which one of the following items is not normally included in a request for an exception to security policy? A. Description of a compensating control B. Description of the risks associated with the exception C. Proposed revision to the security policy D. Business justification for the exception

C. Requests for an exception to a security policy would not normally include a proposed revision to the policy. Exceptions are documented variances from the policy because of specific technical and/or business requirements. They do not alter the original policy, which remains in force for systems not covered by the exception.

Naomi wants to provide guidance on how to keep her organization's new machine learning tools secure. Which of the following is not a common means of securing machine learning algorithms? A. Understand the quality of the source data B. Build a secure working environment for ML developers C. Require third-party review for bias in ML algorithms D. Ensure changes to ML algorithms are reviewed and tested

C. Requiring third-party review of ML algorithms is not a common requirement, but ensuring that you use high-quality source data, that the working environment remains secure, and that changes are reviewed and tested are all common best practices for ML algorithm security.

Theresa wants to implement an access control scheme that sets permissions based on what the individual's job requires. Which of the following schemes is most suited to this type of implementation? A.ABAC B. DAC C. RBAC D. MAC

C. Role-based access control (RBAC) sets permissions based on an individual's role, which is typically associated with their job. Attribute-based access control (ABAC) is typically matched to attributes other than the job role. Discretionary access control (DAC) and mandatory access control (MAC) are commonly implemented at the operating system level.

Ryan is planning to conduct a vulnerability scan of a business-critical system using dangerous plug-ins. What would be the best approach for the initial scan? A. Run the scan against production systems to achieve the most realistic results possible. B. Run the scan during business hours. C. Run the scan in a test environment. D. Do not run the scan to avoid disrupting the business.

C. Ryan should first run his scan against a test environment to identify likely vulnerabilities and assess whether the scan itself might disrupt business activities.

What language is STIX based on? A. PHP B. HTML C. XML D. Python

C. STIX is an XML-based language, allowing it to be easily extended and modified while also using standard XML-based editors, readers, and other tools.

What factor is a major reason organizations do not use security guards? A. Reliability B. Training C. Cost D. Social engineering

C. Security guards can be one of the most costly physical security controls over time, making the cost of guards one of the most important deciding factors guiding when and where they will be employed. Reliability, training, and the potential for social engineering are all possible issues with security guards, but none of these is the major driver in the decision process.

What tool is specifically designed to support incident responders by allowing unified, automated responses across an organization? A. IPS B. COOP C. SOAR D. IRC

C. Security orchestration, automation, and response (SOAR) tools are designed to automate security responses, to allow centralized control of security settings and controls, and to provide strong incident response capabilities. IPS is an intrusion prevention system, COOP is the federal government's standards for continuity of operations, and Internet Relay Chat (IRC) is an online chat tool.

What type of cipher operates on one character of text at a time? A. Block Cipher B. Bit Cipher C. Stream Cipher D. Balanced Cipher

C. Stream ciphers operate on one character or bit of a message (or data stream) at a time. Block ciphers operate on "chunks," or blocks, of a message and apply the encryption algorithm to an entire message block at the same time.

Alex discovers that the network routers that his organization has recently ordered are running a modified firmware version that does not match the hash provided by the manufacturer when he compares them. What type of attack should Alex categorize this attack as? A. An influence campaign B. A hoax C. A supply chain attack D. A pharming attack

C. Supply chain attacks occur before software or hardware is delivered to an organization. Influence campaigns seek to change or establish opinions and attitudes. Pharming attacks redirect legitimate traffic to fake sites, and hoaxes are intentional deceptions.

Michael wants to log directly to a database while also using TCP and TLS to protect his log information and to ensure it is received. What tool should he use? A. syslog B. rsyslog C. syslog-ng D. journalctl

C. Syslog-ng allows logging directly to common databases, uses TCP, and supports TLS, making it a secure and reliable option. Rsyslog does not allow direct logging to a database, and syslog itself does not provide these functions by default.

What law creates privacy obligations for those who handle the personal information of European Union residents? A. HIPAA B. FERPA C. GDPR D. PCI DSS

C. The General Data Protection Regulation (GDPR) implements privacy requirements for handling the personal information of EU residents. The Health Insurance Portability and Accountability Act (HIPAA) includes security and privacy rules that affect healthcare providers, health insurers, and health information clearinghouses. The Family Educational Rights and Privacy Act (FERPA) applies to educational institutions. The Payment Card Industry Data Security Standard (PCI DSS) applies to credit and debit card information.

What ISO standard provides guidance on privacy controls? A. 27002 B. 27001 C. 27701 D. 31000

C. The International Organization for Standardization (ISO) publishes ISO 27701, covering privacy controls. ISO 27001 and 27002 cover cybersecurity, and ISO 31000 covers risk management.

Kevin is configuring a web server to use digital certificates. What technology can he use to allow clients to quickly verify the status of that digital certificate without contacting a remote server? A. CRL B. OCSP C. Certificate stapling D. Certificate pinning

C. The Online Certificate Status Protocol (OCSP) provides real-time checking of a digital certificate's status using a remote server. Certificate stapling attaches a current OCSP response to the certificate to allow the client to validate the certificate without contacting the OCSP server. Certificate revocation lists (CRLs) are a slower, outdated approach to managing certificate status. Certificate pinning is used to provide an expected key, not to manage certificate status.

Which one of the following certificate formats is closely associated with Windows binary certificate files? A. DER B. PEM C. PFX D. P7B

C. The PFX format is most closely associated with Windows systems that store certificates in binary format, whereas the P7B format is used for Windows systems storing files in text format.

Gene recently conducted an assessment and determined that his organization can be without its main transaction database for a maximum of two hours before unacceptable damage occurs to the business. What metric has Gene identified? A. MTBF B. MTTR C. RTO D. RPO

C. The Recovery Time Objective (RTO) is the amount of time that the organization can tolerate a system being down before it is repaired. That is the metric that Gene has identified in this scenario.

Aziz is responsible for the administration of an e-commerce website that generates $100,000 per day in revenue for his firm. The website uses a database that contains sensitive information about the firm's customers. He expects that a compromise of that database would result in $500,000 of fines against his firm. Aziz is assessing the risk of a SQL injection attack against the database where the attacker would steal all of the customer personally identifiable information (PII) from the database. After consulting threat intelligence, he believes that there is a 5 percent chance of a successful attack in any given year. What is the asset value (AV)? A. $5,000 B. $100,000 C. $500,000 D. $600,000

C. The asset at risk in this case is the customer database. Losing control of the database would result in a $500,000 fine, so the asset value (AV) is $500,000.

Scott notices that one of the systems on his network contacted a number of systems via encrypted web traffic, downloaded a handful of files, and then uploaded a large amount of data to a remote system. What type of infection should he look for? A. A keylogger B. A backdoor C. A bot D. A logic bomb

C. The behaviors that Scott is seeing are characteristic of a bot infection. The bot was likely contacting command-and-control hosts, then downloading updates and/or additional packages, then uploading data from his organization. He will need to determine if sensitive or important business information was present on the system or accessible from it. Keyloggers will capture keystrokes and user input but would typically require additional malware packages to display this behavior. A logic bomb might activate after an event, but no event is described, and a backdoor is used for remote access.

What type of security policy often serves as a backstop for issues not addressed in other policies? A. Account management B. Data ownership C. Code of conduct D. Continuous monitoring

C. The code of conduct is often used as a backstop for employee behavior issues that are not addressed directly by another policy.

Nolan is writing an after action report on a security breach that took place in his organization. The attackers stole thousands of customer records from the organization's database. What cybersecurity principle was most impacted in this breach? A. Availability B. Nonrepudiation C. Confidentiality D. Integrity

C. The disclosure of sensitive information to unauthorized individuals is a violation of the principle of confidentiality.

Which one of the CVSS metrics would contain information about the type of account access that an attacker must have to execute an attack? A. AV B. C C. PR D. AC

C. The privileges required (PR) metric indicates the type of system access that an attacker must have to execute the attack.

Lila is working on a penetration testing team and she is unsure whether she is allowed to conduct social engineering as part of the test. What document should she consult to find this information? A. Contract B. Statement of work C. Rules of engagement D. Lessons learned report

C. The rules of engagement provide technical details on the parameters of the test. This level of detail would not normally be found in a contract or statement of work. The lessons learned report is not produced until after the test.

Naomi has discovered the following TCP ports open on a system she wants to harden. Which ports are used for unsecure services and thus should be disabled to allow their secure equivalents to continue to be used? 21 22 23 80 443 A. 21, 22, and 80 B. 21 and 80 C. 21, 23, and 80 D. 22 and 443

C. The services listed are: 21 - FTP 22 - SSH 23 - Telnet 80 - HTTP 443 - HTTPS Of these services, SSH and HTTPS are secure options for remote shell access and HTTP. Although secure mode FTP (FTP/S) may run on TCP 21, there is not enough information to know for sure, and HTTPS can be used for secure file transfer if necessary. Thus, Naomi's best option is to disable all three likely unsecure protocols: FTP, Telnet, and HTTP.

Kevin discovered that his web server was being overwhelmed by traffic, causing a CPU bottleneck. Using the interface offered by his cloud service provider, he added another CPU to the server. What term best describes Kevin's action? A. Elasticity B. Horizontal scaling C. Vertical scaling D. High availability

C. This is an example of adding additional capacity to an existing server, which is also known as vertical scaling. Kevin could also have used horizontal scaling by adding additional web servers. Elasticity involves the ability to both add and remove capacity on demand and, though it does describe this scenario, it's not as good a description as vertical scaling. There is no mention of increasing the server's availability.

Joe checks his web server logs and sees that someone sent the following query string to an application running on the server: http://www.mycompany.com/servicestatus.php?serviceID=892&serviceID=892' ; DROP TABLE Services;-- What type of attack was most likely attempted? A. Cross-site scripting B. Session hijacking C. Parameter pollution D. Man-in-the-middle

C. This query string is indicative of a parameter pollution attack. In this case, it appears that the attacker was waging a SQL injection attack and tried to use parameter pollution to slip the attack past content filtering technology. The two instances of the serviceID parameter in the query string indicate a parameter pollution attempt.

Which one of the following security assessment techniques assumes that an organization has already been compromised and searches for evidence of that compromise? A. Vulnerability scanning B. Penetration testing C. Threat hunting D. War driving

C. Threat hunting is an assessment technique that makes an assumption of compromise and then searches the organization for indicators of compromise that confirm the assumption. Vulnerability scanning, penetration testing, and war driving are all assessment techniques that probe for vulnerabilities but do not assume that a compromise has already taken place.

Which one of the following U.S. government classification levels requires the highest degree of security control? A. Secret B. Confidential C. Top Secret D. Unclassified

C. Top Secret is the highest level of classification under the U.S. system and, therefore, requires the highest level of security control.

Fran's organization uses a Type I hypervisor to implement an IaaS offering that it sells to customers. Which one of the following security controls is least applicable to this environment? A. Customers must maintain security patches on guest operating systems. B. The provider must maintain security patches on the hypervisor. C. The provider must maintain security patches on the host operating system. D. Customers must manage security groups to mediate network access to guest operating systems.

C. Type I hypervisors, also known as bare-metal hypervisors, run directly on top of the physical hardware and, therefore, do not require a host operating system.

Nicole accidentally types www.smazon.com into her browser and discovers that she is directed to a different site loaded with ads and pop-ups. Which of the following is the most accurate description of the attack she has experienced? A. DNS hijacking B. Pharming C. Typosquatting D. Hosts file compromise

C. Typo squatting uses misspellings and common typos of websites to redirect traffic for profit or malicious reasons. Fortunately, if you visit smazon.com , you'll be redirected to the actual amazon.com website, because Amazon knows about and works to prevent this type of issue. DNS hijacking and hosts file modifications both attempt to redirect traffic to actual URLs or hostnames to different destinations, and pharming does redirect legitimate traffic to fake sites, but typo squatting is the more specific answer.

What standard allows USB devices like cameras, keyboards and flash drives to be plugged into mobile devices and used as they normally would be? A. OG-USB B. USB-HSM C. USB-OTG D. RCS-USB

C. USB On-the-Go, or USB-OTG, is a standard that allows mobile devices to act as USB hosts, allowing cameras, keyboards, thumb drives, and other USB devices to be used. A USB HSM is a USB hardware security module, and both OG-USB and RCS-USB were made up.

Henry wants to check to see if services were installed by an attacker. What commonly gathered organizational data can he use to see if a new service appeared on systems? A. Registry dumps from systems throughout his organization B. Firewall logs C. Vulnerability scans D. Flow logs

C. Vulnerability scans are the best way to find new services that are offered by systems. In fact, many vulnerability scanners will flag new services when they appear, allowing administrators to quickly notice unexpected new services. Registry information is not regularly dumped or collected in most organizations. Firewall logs and flow logs could show information about the services being used by systems whose traffic passes through them, but this is a less useful and accurate way of identifying new services and would work only if those services were also being used.

Which one of the following techniques would be considered passive reconnaissance? A. Port scans B. Vulnerability scans C. WHOIS lookups D. Footprinting

C. WHOIS lookups use external registries and are an example of open source intelligence (OSINT), which is a passive reconnaissance technique. Port scans, vulnerability scans, and footprinting all require active engagement with the target and are, therefore, active reconnaissance.

Aziz is responsible for the administration of an e-commerce website that generates $100,000 per day in revenue for his firm. The website uses a database that contains sensitive information about the firm's customers. He expects that a compromise of that database would result in $500,000 of fines against his firm. Aziz is assessing the risk of a SQL injection attack against the database where the attacker would steal all of the customer personally identifiable information (PII) from the database. After consulting threat intelligence, he believes that there is a 5 percent chance of a successful attack in any given year. What is the single loss expectancy (SLE)? A. $5,000 B. $100,000 C. $500,000 D. $600,000

C. We compute the single loss expectancy (SLE) by multiplying the asset value (AV) ($500,000) and the exposure factor (EF) (100%) to get an SLE of $500,000.

Acme Widgets has 10 employees and they all need the ability to communicate with one another using a symmetric encryption system. The system should allow any two employees to securely communicate without other employees eavesdropping. If an 11th employee is added to the organization, how many new keys must be added to the system? A. 1 B. 2 C. 10 D. 11

C. When the 11th employee joins Acme Widgets, they will need a shared secret key with every existing employee. There are 10 existing employees, so 10 new keys are required.

Bruce is conducting a penetration test for a client. The client provided him with details of their systems in advance. What type of test is Bruce conducting? A. Gray-box test B. Blue-box test C. White-box test D. Black-box test

C. White-box tests are performed with full knowledge of the underlying technology, configurations, and settings that make up the target. Black-box tests are intended to replicate what an attacker would encounter. Testers are not provided with access to or information about an environment, and instead, they must gather information, discover vulnerabilities, and make their way through an infrastructure or systems like an attacker would. Gray-box tests are a blend of black-box and white-box testing. Blue-box tests are not a type of penetration test.

Glenn recently obtained a wildcard certificate for *. mydomain.com. Which one of the following domains would not be covered by this certificate? A. mydomain.com B. core.mydomain.com C. dev. www.mydomain.com D. mail.mydomain.com

C. Wildcard certificates protect the listed domain as well as all first-level subdomains. dev.www.mydomain.com is a second-level subdomain of mydomain.com and would not be covered by this certificate.

Greg wants to use a tool that can directly edit disks for forensic purposes. What commercial tool could he select from this list? A. dd B. memdump C. WinHex D. df

C. WinHex is a commercial disk editor that provides a number of useful forensic tools that can help with investigations and data recovery. The other tools are open source tools.

Cynthia wants to make an exact copy of a drive using a Linux command-line tool. What command should she use? A. df B. cp C. dd D. ln

C. dd is a copying and conversion command for Linux and can be used to create a forensic image that can be validated using an MD5sum or SHA1 hash. The other commands are df for disk usage, cp for copying files, and ln to link files.

Bart needs to assess whether a three-way TCP handshake is occurring between a Linux server and a Windows workstation. He believes that the workstation is sending a SYN but is not sure what is occurring next. If he wants to monitor the traffic, and he knows that the Linux system does not provide a GUI, what tool should he use to view that traffic? A. dd B. tcpreplay C. tcpdump D. Wireshark

C. tcpdump is a command-line tool that will allow Bart to capture and analyze the traffic coming from the Windows workstation. If he does not see a three-way handshake, he will need to determine what is occurring with the traffic. Wireshark is a GUI (graphical) program, tcpreplay is used to replay traffic, and dd is used to clone drives.

The organization that Lynn works for wants to deploy an embedded system that needs to process data as it comes in to the device without processing delays or other interruptions. What type of solution does Lynn's company need to deploy? A. An MFP B. A HIPS C. An SoC D. An RTOS

D. A real-time operating system (RTOS) is an OS that is designed to handle data as it is fed to the operating system, rather than delaying handling it as other processes and programs are run. Real-time operating systems are used when processes or procedures are sensitive to delays that might occur if responses do not happen immediately. An MFP is a multifunction printer, a HIPS is a host intrusion prevention system, and an SoC is a system on a chip—which is hardware, which might run an RTOS, but the answer does not mention what type of OS the SoC is running.

Vince is choosing a symmetric encryption algorithm for use in his organization. He would like to choose the strongest algorithm from the choices below. What algorithm should he choose? A. DES B. 3DES C. RSA D. AES

D. AES is the successor to 3DES and DES and is the best choice for a symmetric encryption algorithm. RSA is a secure algorithm, but it is asymmetric rather than symmetric.

Brian is selecting a CASB for his organization and he would like to use an approach that interacts with the cloud provider directly. Which CASB approach is most appropriate for his needs? A. Inline CASB B. Outsider CASB C. Comprehensive CASB D. API-based CASB

D. API-based CASB solutions interact directly with the cloud provider through the provider's API. Inline CASB solutions intercept requests between the user and the provider. Outsider and comprehensive are not categories of CASB solutions.

What type of attack does an account lockout policy help to prevent? A. Stolen password B. Race conditions C. Buffer overflows D. Brute force

D. Account lockout policies lock out an account after a specific number of failed login attempts. This type of response helps to prevent brute-force attacks by stopping them from using repeated attempts until they can successfully log in.

Alyssa wants to prevent a known Microsoft Word file from being downloaded and accessed on devices she is responsible for. What type of tool can she use to prevent this? A. An allow list tool B. A COOP C. A SIEM D. A deny list tool

D. Alyssa's best option is to use a deny list tool that can recognize the file, by filename, content, or hash value. An allow list tool would be far more difficult to use as she would have to approve all the files that were allowed, which can be exceptionally difficult and time consuming. A SIEM is used to view and analyze data but does not directly block files or data from being used. COOP (Continuity of Operations Planning) is a federal guideline on how to complete DR and BCP plans.

Angela has chosen to federate with other organizations to allow use of services that each organization provides. What role does Angela's organization play when they authenticate their users and assert that those users are valid to other members of the federation? A. Service provider B. Relying party C. Authentication provider D. Identity provider

D. Angela's organization is acting as an identity provider (IdP). Other members of the federation may act as a service provider or relying party when they allow her users to access their services. Authentication provider is not a named role in typical federation activities.

The board of directors of Kate's company recently hired an independent firm to review the state of the organization's security controls and certify those results to the board. What term best describes this engagement? A. Assessment B. Control review C. Gap analysis D. Audit

D. Any of these terms could reasonably be used to describe this engagement. However, the term audit best describes this effort because of the formal nature of the review and the fact that it was requested by the board.

Kyle is conducting a penetration test. After gaining access to an organization's database server, he installs a backdoor on the server to grant himself access in the future. What term best describes this action? A. Privilege escalation B. Lateral movement C. Maneuver D. Persistence

D. Backdoors are a persistence tool, designed to make sure that the attacker's access persists after the original vulnerability is remediated. Kyle can use this backdoor to gain access to the system in the future, even if the original exploit that he used to gain access is no longer effective.

As part of their yearly incident response preparations, Ben's organization goes through a sample incident step by step to validate what each person will do in the incident. What type of exercise is this? A. A checklist exercise B. A simulation C. A tabletop exercise D. A walk-through

D. Ben's organization is conducting a walk-through exercise that reviews each step, thus ensuring that every team member knows what they would do and how they would do it. Checklist exercises are not a specific type of exercise. Tabletop exercises are conducted with more flexibility—team members are given a scenario and asked how they would respond and what they would do to accomplish tasks they believe would be relevant. A simulation exercise attempts to more fully re-create an actual incident to test responses.

Mike wants to stop vehicles from traveling toward the entrance of his building. What physical security control should he implement? A. An air gap B. A hot aisle C. A robotic sentry D. A bollard

D. Bollards are physical security controls that prevent vehicles from accessing or ramming doors or other areas. They may look like pillars, planters, or other innocuous objects. An air gap is a physical separation of technology environments; a hot aisle is the aisle where systems in a datacenter exhaust warm air; and unlike in movies, robotic sentries are not commonly deployed and aren't ready to stop vehicles in most current circumstances.

Brenda's company provides a managed incident response service to its customers. What term best describes this type of service offering? A. MSP B. PaaS C. SaaS D. MSSP

D. Brenda's company is offering a technology service to customers on a managed basis, making it a managed service provider (MSP). However, this service is a security service, so the term managed security service provider (MSSP) is a better description of the situation.

Frank is investigating a security incident where the attacker entered a very long string into an input field, which was followed by a system command. What type of attack likely took place? A. Cross-site request forgery B. Server-side request forgery C. Command injection D. Buffer overflow

D. Buffer overflow attacks occur when an attacker manipulates a program into placing more data into an area of memory than is allocated for that program's use. The goal is to overwrite other information in memory with instructions that may be executed by a different process running on the system.

Alaina wants to maintain chain of custody documentation and has created a form. Which of the following is not a common element on a chain of custody form? A. Item identifier number B. Signature of the person transferring the item C. Signature of the person receiving the item D. Method of transport

D. Chain of custody tracks who has an item, how it is collected, where it is stored and how, how it is secured or protected, who collected it, and transfers, but it does not typically include how the items were transported because that is not relevant if the other data is provided.

What is the document that tracks the custody or control of a piece of evidence called? A. Evidence log B. Audit log C. Event report D. Chain of custody

D. Chain-of-custody documentation tracks evidence throughout its lifecycle, with information about who has custody or control and when transfers happened, and continues until the evidence is removed from the legal process and disposed of. The other terms are not used for this practice.

Skimming attacks are often associated with what next step by attackers? A. Phishing B. Dumpster diving C. Vishing D. Cloning

D. Cloning attacks often occur after a skimmer is used to capture card information. Skimming devices may include magnetic stripe readers, cameras, and other technology to allow attackers to make a complete copy of a captured card. Phishing focuses on acquiring credentials or other information but isn't a typical follow-up to a skimming attack. Dumpster diving and vishing are both unrelated techniques as well.

Renee is configuring her vulnerability management solution to perform credentialed scans of servers on her network. What type of account should she provide to the scanner? A. Domain administrator B. Local administrator C. Root D. Read-only

D. Credentialed scans only require read-only access to target servers. Renee should follow the principle of least privilege and limit the access available to the scanner.

What type of cross-site scripting attack would not be visible to a security professional inspecting the HTML source code in a browser? A. Reflected XSS B. Stored XSS C. Persistent XSS D. DOM-based XSS

D. DOM-based XSS attacks hide the attack code within the Document Object Model. This code would not be visible to someone viewing the HTML source of the page. Other XSS attacks would leave visible traces in the browser.

Tonya is concerned about the risk that an attacker will attempt to gain access to her organization's database server. She is searching for a control that would discourage the attacker from attempting to gain access. What type of security control is she seeking to implement? A. Preventive B. Detective C. Corrective D. Deterrent

D. Deterrent controls are designed to prevent an attacker from attempting to violate security policies in the first place. Preventive controls would attempt to block an attack that was about to take place. Corrective controls would remediate the issues that arose during an attack.

Rick performs a backup that captures the changes since the last full backup. What type of backup has he performed? A. A new full backup B. A snapshot C. An incremental backup D. A differential backup

D. Differential backups back up the changes since the last full backup. Incremental backups back up changes since the last backup, and snapshots are a live copy of a system. This is not a full backup, because it is capturing changes since a full backup.

What technology uses mathematical algorithms to render information unreadable to those lacking the required key? A. Data loss prevention B. Data obfuscation C. Data minimization D. Data encryption

D. Encryption technology uses mathematical algorithms to protect information from prying eyes, both while it is in transit over a network and while it resides on systems. Encrypted data is unintelligible to anyone who does not have access to the appropriate decryption key, making it safe to store and transmit encrypted data over otherwise insecure means.

What type of digital certificate provides the greatest level of assurance that the certificate owner is who they claim to be? A. DV B. OV C. UV D. EV

D. Extended validation (EV) certificates provide the highest available level of assurance. The CA issuing an EV certificate certifies that they have verified the identity and authenticity of the certificate subject.

Which of the following biometric technologies is most broadly deployed due to its ease of use and acceptance from end users? A. Voice print recognition B. Gait recognition C. Retina scanners D. Fingerprint scanner

D. Fingerprint scanners are found on many mobile devices and laptops, making it one of the most broadly deployed biometric technologies. Facial recognition is also broadly deployed, but it is not offered as an option.

Frank is concerned about the admissibility of his forensic data. Which of the following is not an element he should be concerned about? A. Whether the forensic source data has remained unaltered B. Whether the practices and procedures would survive review by experts C. Whether the evidence is relevant to the case D. Whether the forensic information includes a timestamp

D. Forensic information does not have to include a timestamp to be admissible, but timestamps can help build a case that shows when events occurred. Files without a timestamp may still show other information that is useful to the case or may have other artifacts associated with them that can provide context about the time and date.

Which one of the following security policy framework components does not contain mandatory guidance for individuals in the organization? A. Policy B. Standard C. Procedure D. Guideline

D. Guidelines are the only element of the security policy framework that is optional. Compliance with policies, standards, and procedures is mandatory.

Which cloud computing deployment model requires the use of a unifying technology platform to tie together components from different providers? A. Public cloud B. Private cloud C. Community cloud D. Hybrid cloud

D. Hybrid cloud environments blend elements of public, private, and/or community cloud solutions. A hybrid cloud requires the use of technology that unifies the different cloud offerings into a single, coherent platform.

What type of malicious actor is most likely to use hybrid warfare? A. A script kiddie B. A hacktivist C. An internal threat D. A nation-state

D. Hybrid warfare combines active cyberwarfare, influence campaigns, and real-world direct action. This makes hybrid warfare almost exclusively the domain of nation-state actors.

Mike is sending David an encrypted message using a symmetric encryption algorithm. What key should he use to encrypt the message? A. Mike's public key B. Mike's private key C. David's public key D. Shared Secret key

D. In symmetric encryption algorithms, both the sender and the receiver use a shared secret key to encrypt and decrypt the message, respectively.

Greg is implementing a data loss prevention system. He would like to ensure that it protects against transmissions of sensitive information by guests on his wireless network. What DLP technology would best meet this goal? A. Watermarking B. Pattern Recognition C. Host-Based D. Network-Based

D. In this case, Greg must use a network-based DLP system. Host-based DLP requires the use of agents, which would not be installed on guest systems. Greg may use watermarking and/or pattern recognition to identify the sensitive information. but he must use network-based DLP to meet his goal.

Nina's organization uses SSH keys to provide secure access between systems. Which of the following is not a common security concern when using SSH keys? A. Inadvertent exposure of the private key B. Weak passwords/passphrases C. SSH key sprawl D. Weak encryption

D. Inadvertent exposure of private keys via upload to a service like GitHub; poor handling of the private key in user directories; use of weak or reused passwords and passphrases; and key sprawl, in which keys are used broadly across an organization, are all common concerns. Weak encryption is not a typical concern with the use of SSH, since it implements modern strong encryption.

Grace recently completed a risk assessment of her organization's exposure to data breaches and determined that there is a high level of risk related to the loss of sensitive personal information. She is considering a variety of approaches to managing this risk. Grace's company decided to install the web application firewall and continue doing business. They are still worried about other risks to the information that were not addressed by the firewall and are considering purchasing an insurance policy to cover those risks. What strategy does this use? A. Risk acceptance B. Risk avoidance C. Risk mitigation D. Risk transference

D. Insurance policies use a risk transference strategy by shifting some or all of the financial risk from the organization to an insurance company.

Jerome wants to allow guests to use his organization's wireless network, but he does not want to provide a preshared key. What solution can he deploy to gather information such as email addresses or other contact information before allowing users to access his open network? A. WPS capture mode B. Kerberos C. WPA2 D. A captive portal

D. Jerome should deploy a captive portal that requires users to provide information before being moved to a network segment that allows Internet access. WPS capture mode was made up for this question, Kerberos is used for enterprise authentication, and WPA2 supports open, enterprise, or PSK modes but does not provide the capability Jerome needs by itself.

Which of the following is not a typical security concern with MFPs? A. Exposure of sensitive data from copies and scans B. Acting as a reflector for network attacks C. Acting as an amplifier for network attacks D. Use of weak encryption

D. MFPs, or multifunction printers, may contain sensitive data from copies or scans; some MFPs have built-in hard drives or other mass storage that can retain data for an extended period of time. They often have weak network security capabilities, making them useful as a reflector or amplifier in some network attacks. Fortunately, if a MFP supports protocols like TLS for web access, they support a reasonably secure implementation of the protocols needed to keep data transfers secure.

Matt is updating the organization's threat assessment process. What category of control is Matt implementing? A. Operational B. Technical C. Corrective D. Managerial

D. Managerial controls are procedural mechanisms that focus on the mechanics of the risk management process. Threat assessment is an example of one of these activities.

Colin would like to implement a security control in his accounting department that is specifically designed to detect cases of fraud that are able to occur despite the presence of other security controls. Which one of the following controls is best suited to meet Colin's need? A. Separation of duties B. Least privilege C. Dual control D. Mandatory vacations

D. Mandatory vacations are designed to force individuals to take time away from the office to allow fraudulent activity to come to light in their absence. The other controls listed here (separation of duties, least privilege, and dual control) are all designed to prevent, rather than detect, fraud.

Randy wants to prevent DHCP attacks on his network. What secure protocol should he implement to have the greatest impact? A. ARPS B. LDAPS C. SDHCP D. None of the above

D. None of the protocols listed will accomplish Randy's task. In fact, there is no secure DHCP or ARP version, and secure LDAP does not impact DHCP services.

Norm is using full-disk encryption technology to protect the contents of laptops against theft. What goal of cryptography is he attempting to achieve? A. Integrity B. Nonrepudiation C. Authentication D. Confidentiality

D. Norm's actions are designed to protect against the unauthorized disclosure of sensitive information. This is a clear example of protecting confidentiality.

Scott wants to allow users to bring their own credentials to his website so that they can log in using a Google or Microsoft account without giving him their passwords. What protocol can he use that will allow those users to grant the website access to their information? A. Kerberos B. OAuth C. RADIUS D. OpenID

D. OAuth is a protocol designed to allow users to grant third-party sites access to their information without providing that site with their password. It is typically used by OpenID identity providers to provide both authentication and authorization. Neither Kerberos nor RADIUS fits these requirements.

Matt uploads a malware sample to a third-party malware scanning site that uses multiple antimalware and antivirus engines to scan the sample. He receives several different answers for what the malware package is. What has occurred? A. The package contains more than one piece of malware. B. The service is misconfigured. C. The malware is polymorphic and changed while being tested. D. Different vendors use different names for malware packages.

D. One of the challenges security practitioners can face when attempting to identify malware is that different antivirus and antimalware vendors will name malware packages and families differently. This means that Matt may need to look at different names to figure out what he is dealing with.

Which one of the following documents must normally be approved by the CEO or similarly high-level executive? A. Standard B. Procedure C. Guideline D. Policy

D. Policies require approval from the highest level of management, usually the CEO. Other documents may often be approved by other managers, such as the CISO.

Naomi believes that an attacker has compromised a Windows workstation using a fileless malware package. What Windows scripting tool was most likely used to download and execute the malware? A. VBScript B. Python C. Bash D. PowerShell

D. PowerShell is the most likely tool for this type of exploit. VBScript would be used inside an application, and both Bash and Python are more likely to exist on a Linux system.

Ben wants to implement a RAID array that combines both read and write performance while retaining data integrity if a drive fails. Cost is not a concern compared to speed and resilience. What RAID type should he use? A. RAID 1 B. RAID 5 C. RAID 6 D. RAID 10

D. RAID 10 (1+0) combines the benefits and downfalls of both RAID 0, striping, and RAID 1 mirroring. In Ben's use case, where speed and resilience are important and cost is not, striped drives with full copies maintained via the mirror is his best option. RAID 5 and RAID 6 have slower performance but can survive a loss of a drive. RAID 1, mirroring, provides redundancy and read speeds but does not improve write speeds.

Which wireless technology is frequently used for door access cards? A. Wi-Fi B. Infrared C. Cellular D. RFID

D. Radio frequency identification (RFID) is commonly used for entry access cards. Wi-Fi, infrared, and cellular are not typically used for this purpose, but NFC may be.

Mike discovers that attackers have left software that allows them to have remote access to systems on a computer in his company's network. How should he describe or classify this malware? A. A worm B. Crypto malware C. A Trojan D. A backdoor

D. Remote access to a system is typically provided by a backdoor. Backdoors may also appear in firmware or even in hardware. None of the other items listed provide remote access by default, although they may have a backdoor as part of a more capable malware package.

Susan has discovered that an incident took place on her network almost six months ago. As she prepares to identify useful data for the incident, which common policy is most likely to cause her difficulties during her investigation? A. Configuration standards B. Communication policies C. Incident response policies D. Retention policies

D. Retention policies for many organizations mean that data is kept for only a limited period of time. Many organizations keep specific logs for as short a period as 30 or 45 days, with other data kept for longer periods of time. It is likely that Susan will not have all of the incident data she would have if she had discovered the incident within 30 days of it occurring. Configuration standards are not a policy; communication and incident response policies would both support her IR needs.

Scott sends his backups to a company that keeps them in a secure vault. What type of backup solution has he implemented? A. Nearline B. Safe C. Online D. Offline

D. Scott has implemented an offline backup scheme. His backups will take longer to retrieve because they are at a remote facility and will have to be sent back to him, but they are likely to survive any disaster that occurs in his facility or datacenter. Online backups are kept immediately accessible, whereas nearline backups can be retrieved somewhat more slowly than online backups but faster than offline backups. Safe backups is not an industry term.

Lucca's organization runs a hybrid datacenter with systems in Microsoft's Azure cloud and in a local facility. Which of the following attacks is one that he can establish controls for in both locations? A. Shoulder surfing B. Tailgating C. Dumpster diving D. Phishing

D. Shoulder surfing, tailgating, and dumpster diving are all in-person physical attacks and are not something that will be in Lucca's control with a major cloud vendor. Antiphishing techniques can be used regardless of where servers and services are located.

Cindy wants to send threat information via a standardized protocol specifically designed to exchange cyber threat information. What should she choose? A. STIX 1.0 B. OpenIOC C. STIX 2.0 D. TAXII

D. TAXII, the Trusted Automated eXchange of Indicator Information protocol, is specifically designed to communicate cyber threat information at the application layer. OpenIOC is a compromise indicator framework, and STIX is a threat description language.

How does technology diversity help ensure cybersecurity resilience? A. It ensures that a vulnerability in a single company's product will not impact the entire infrastructure. B. If a single vendor goes out of business, the company does not need to replace its entire infrastructure. C. It means that a misconfiguration will not impact the company's entire infrastructure. D. All of the above.

D. Technology diversity helps ensure that a single failure—due to a vendor, vulnerability, or misconfiguration—will not impact an entire organization. Technology diversity does have additional costs, including training, patch management, and configuration management.

Which one of the following is not a common use of the NIST Cybersecurity Framework? A. Describe the current cybersecurity posture of an organization. B. Describe the target future cybersecurity posture of an organization. C. Communicate with stakeholders about cybersecurity risk. D. Create specific technology requirements for an organization.

D. The NIST Cybersecurity Framework is designed to help organizations describe their current cybersecurity posture, describe their target state for cybersecurity, identify and prioritize opportunities for improvement, assess progress, and communicate with stakeholders about risk. It does not create specific technology requirements.

What compliance obligation applies to merchants and service providers who work with credit card information? A. FERPA B. SOX C. HIPAA D. PCI DSS

D. The Payment Card Industry Data Security Standard (PCI DSS) provides detailed rules about the storage, processing, and transmission of credit and debit card information. PCI DSS is not a law but rather a contractual obligation that applies to credit card merchants and service providers.

What organizations did the U.S. government help create to help share knowledge between organizations in specific verticals? A. DHS B. SANS C. CERTS D. ISACs

D. The U.S. government created the Information Sharing and Analysis Centers (ISACs). ISACs help infrastructure owners and operators share threat information, and provide tools and assistance to their members.

Which of the following is a memory forensics toolkit that includes memdump? A. FTK Imager B. WinHex C. dd D. Volatility

D. The Volatility Framework is a memory forensics toolkit that includes memdump. FTK Imager does contain a capture memory function, WinHex can dump memory, and dd can be used in a limited fashion to capture memory, but none of these tools builds in a function called memdump.

Connor believes that there is an issue between his organization's network and a remote web server, and he wants to verify this by checking each hop along the route. Which tool should he use if he is testing from a Windows 10 system? A. tracert B. route C. traceroute D. pathping

D. The Windows pathping tool is specifically designed to show the network latency and loss at each step along a route. The tracert tool identifies the path to a remote system, and the route command can be used to view, add, and delete routes. traceroute is used in Linux, not Windows.

Aziz is responsible for the administration of an e-commerce website that generates $100,000 per day in revenue for his firm. The website uses a database that contains sensitive information about the firm's customers. He expects that a compromise of that database would result in $500,000 of fines against his firm. Aziz is assessing the risk of a SQL injection attack against the database where the attacker would steal all of the customer personally identifiable information (PII) from the database. After consulting threat intelligence, he believes that there is a 5 percent chance of a successful attack in any given year. What is the exposure factor (EF)? A. 5% B. 20% C. 50% D. 100%

D. The attack would result in the total loss of customer data stored in the database, making the exposure factor (EF) 100 percent.

A caller reached a member of the IT support person at Carlos's company and told them that the chairman of the company's board was traveling and needed immediate access to his account but had been somehow locked out. They told the IT support person that if the board member did not have their password reset, the company could lose a major deal. If Carlos receives a report about this, which of the principles of social engineering should he categorize the attacker's efforts under? A. Scarcity B. Familiarity C. Consensus D. Urgency

D. The caller was attempting to create a sense of urgency that would cause the help desk staff member to bypass normal procedures and let them set the board member's password to something that the social engineer would know. There is no implication of something scarce or that the caller is trying to get the help desk member to feel like others agree about the topic, thus using consensus. Familiarity takes more than using a board member's name or details about the company.

In what cloud security model does the cloud service provider bear the most responsibility for implementing security controls? A. IaaS B. FaaS C. PaaS D. SaaS

D. The cloud service provider bears the most responsibility for implementing security controls in an SaaS environment and the least responsibility in an IaaS environment. This is due to the division of responsibilities under the cloud computing shared responsibility model.

Which one of the following policies would typically answer questions about when an organization should destroy records? A. Data ownership policy B. Account management policy C. Password policy D. Data retention policy

D. The data retention policy outlines what information the organization will maintain and the length of time different categories of information will be retained prior to destruction.

The following figure shows the Security+ incident response cycle. What item is missing? A. Planning B. Reporting C. Monitoring D. Preparation

D. The first item in the incident response cycle used by the Security+ exam is preparation.

Which of the following is not one of the four phases in COOP? A. Readiness and preparedness B. Activation and relocation C. Continuity of operations D. Documentation and reporting

D. The fourth phase of COOP is Reconstitution, which restores systems and services to operation. Documentation and reporting is not a phase in COOP, although it is likely to occur in multiple phases.

What phase in the incident response process leverages indicators of compromise and log analysis as part of a review of events? A. Preparation B. Containment C. Eradication D. Identification

D. The identification phase focuses on using various techniques to analyze events to identify potential incidents. Preparation focuses on building tools, processes, and procedures to respond to incidents. Eradication involves the removal of artifacts related to the incident, and containment limits the scope and impact of the incident.

What is the primary concern with SFlow in a large, busy network? A. It may allow buffer overflow attacks against the collector host. B. SFlow is not designed for large or complex networks. C. SFlow puts extreme load on the flow collector host. D. SFlow samples only network traffic, meaning that some detail will be lost

D. The primary concern for analysts who deploy SFlow is often that it samples only data, meaning some accuracy and nuance can be lost in the collection of flow data. Sampling, as well as the implementation methods for SFlow, means that it scales well to handle complex and busy networks. Although vulnerabilities may exist in SFlow collectors, a buffer overflow is not a primary concern for them.

Howard is assessing the legal risks to his organization based upon its handling of PII. The organization is based in the United States, handles the data of customers located in Europe, and stores information in Japanese datacenters. What law would be most important to Howard during his assessment? A. Japanese law B. European Union law C. U.S. law D. All should have equal weight

D. The principle of data sovereignty states that data is subject to the legal restrictions of any jurisdiction where it is collected, stored, or processed. In this case, Howard needs to assess the laws of all three jurisdictions.

Brian recently conducted a risk mitigation exercise and has determined the level of risk that remains after implementing a series of controls. What term best describes this risk? A. Inherent risk B. Control risk C. Risk appetite D. Residual risk

D. The residual risk is the risk that remains after an organization implements controls designed to mitigate, avoid, and/or transfer the inherent risk.

Which one of the following is not a common goal of a cybersecurity attacker? A. Disclosure B. Denial C. Alteration D. Allocation

D. The three primary goals of cybersecurity attackers are disclosure, alteration, and denial. These map directly to the three objectives of cybersecurity professionals: confidentiality, integrity, and availability.

Greg recently conducted an assessment of his organization's security controls and discovered a potential gap: the organization does not use full-disk encryption on laptops. What type of control gap exists in this case? A. Detective B. Corrective C. Deterrent D. Preventive

D. The use of full-disk encryption is intended to prevent a security incident from occurring if a device is lost or stolen. Therefore, this is a preventive control gap.

Sharif receives a bill for services that he does not believe his company requested or had performed. What type of social engineering technique is this? A. Credential harvesting B. A hoax C. Reconnaissance D. An invoice scam

D. This is an example of an invoice scam. Most invoice scams involve sending fake invoices hoping to be paid. No information is being gathered, so this isn't reconnaissance or credential harvesting. This could be a hoax, but the more accurate answer is an invoice scam. Note that some social engineering uses false invoices to deploy malware by including it as an attachment or by using an attachment with malicious scripts built into a Microsoft Office file.

Nancy is concerned that there is a software keylogger on the system she is investigating. What data may have been stolen? A. All files on the system B. All keyboard input C. All files the user accessed while the keylogger was active D. Keyboard and other input from the user

D. Though keyloggers often focus on keyboard input, other types of input may also be captured, meaning Nancy should worry about any user input that occurred while the keylogger was installed. Keyloggers typically do not target files on systems, although if Nancy finds a keylogger she may want to check for other malware packages with additional capabilities.

What protocol is used to securely wrap many otherwise insecure protocols? A. ISAKMP B. SSL C. IKE D. TLS

D. Transport Layer Security (TLS) is commonly used to wrap (protect) otherwise insecure protocols. In fact, many of the secure protocols simply add TLS to protect them. ISAKMP and IKE are both used for IPSec and can be used to wrap insecure protocols, but they aren't used alone. SSL is no longer used; TLS has almost entirely replaced it, although SSL is still often casually referred to as TLS.

Chuck wants to provide route security for his organization, and he wants to secure the BGP traffic that his routers rely on for route information. What should Chuck do? A. Choose a TLS-enabled version of BGP B. Turn on BGP route protection C. Use signed BGP by adopting certificates for each BGP peer D. None of the above

D. Unfortunately, BGP does not have native security methods, and BGP hijacks continue to appear in the news. Two solutions, SIDR and RPLS, have not been broadly adopted.

Fred's company issues devices in a BYOD model. That means that Fred wants to ensure that corporate data and applications are kept separate from personal applications on the devices. What technology is best suited to meet this need? A. Biometrics B. Full-device encryption C. Context-aware authentication D. Containerization

D. Using a containerization system can allow Fred's users to run corporate applications and to use corporate data in a secure environment that cannot be accessed by other applications outside of the container on the device. Containerization schemes for mobile devices typically use encryption and other isolation techniques to ensure that data and applications do not cross over. Biometrics and context-aware authentication are useful for ensuring that the right user is using a device but don't provide this separation. Full-device encryption helps reduce the risk of theft or loss of a device resulting in a data breach.

What component of a virtualization platform is primarily responsible for preventing VM escape attacks? A. Administrator B. Guest operating system C. Host operating system D. Hypervisor

D. Virtual machine (VM) escape vulnerabilities are the most serious issue that can exist in a virtualized environment, particularly when a virtual host runs systems of differing security levels. In an escape attack, the attacker has access to a single virtual host and then manages to leverage that access to intrude upon the resources assigned to a different virtual machine. The hypervisor is supposed to prevent this type of access by restricting a virtual machine's access to only those resources assigned to that machine.

When you combine phishing with Voice over IP, it is known as: A. Spoofing B. Spooning C. Whaling D. Vishing

D. Vishing involves combining phishing with Voice over IP. Whaling focuses on targeting important targets for phishing attacks, spoofing is a general term that means faking things, and spooning is not a technical term used for security practices.