Sec+ Domain 3.0 Implementation Assessment

C. Key escrow

A company with archived and encrypted data looks to archive the associated private keys needed for decryption. The keys should be externally archived and heavily guarded. Which option should the company use? A. Self-signed certificate B. Offline CA C. Key escrow D. Intermediate CA

D. CASB

A company would like to deploy a software service to monitor traffic and enforce security policies in their cloud environment. What tool should the company consider using? A. IaaS B. Attestation C. Allow list D. CASB

A. Regional replication D. High availability

Cloud service providers make services available around the world through a variety of methods. The concept of a zone assumes what type of service level? (Select all that apply.) A. Regional replication B. Microsegmentation C. Next-generation secure web gateway D. High availability

A. Trust model

In a Public Key Infrastructure (PKI), which option best describes how users and multiple Certificate Authorities (CA) interact with each other in a large environment? A. Trust model B. Key escrow C. Stapling D. Key revocation

A. Provide secure access to DMZ servers.

What is a jump server commonly used for? A. Provide secure access to DMZ servers. B. Provide protocol-specific outbound traffic. C. Provide inline intrusion detection. D. Provide an open-source firewall.

A. Static code analysis

Which of the following is used to review application code for signatures of known issues before it is packaged as an executable? A. Static code analysis B. Input validation C. Normalization D. Dead code removal

A. Dynamic resource allocation

Which of the following makes it possible for cloud service providers (CSP) to create a virtual instance and container simultaneously? A. Dynamic resource allocation B. Security groups C. Network segmentation D. Secrets management

A. TLS 1.2

A company recently implemented a Secure Sockets Layer/Transport Layer Security (SSL/TLS) version that supports Secure Hashing Algorithm-256 (SHA-256) cipher. Which SSL/TLS version was deployed? A. TLS 1.2 B. SSL 3.0 C. TLS 1.1 D. SSL 2.0

C. Allow list

A company set up controls to allow only a specific set of software and tools to install on workstations. A user navigates to a software library to make a selection. What type of method prevents installation of software that is not a part of a library? A. Application hardening B. Anti-malware C. Allow list D. Block list

B. Tunnel D. Transport

A Transport Layer Security (TLS) Virtual Private Network (VPN) requires a remote access server listening on port 443 to encrypt traffic with a client machine. An IPSec (Internet Protocol Security) VPN can deliver traffic in two modes. One mode encrypts only the payload of the IP packet. The other mode encrypts the whole IP packet (header and payload). What are these two modes? (Select all that apply.) A. Cipher B. Tunnel C. Counter D. Transport

A. Message authentication D. Block source routed packets

A company is renovating a new office space and is updating all Cisco routers. The up-to-date Internetwork Operating System (IOS) will provide the best protection from zero-day exploits. What other options could a network administrator configure for route security? (Select all that apply.) A. Message authentication B. IPv6 on clients C. SNMP trap collections D. Block source routed packets

B. Configure VPC endpoint interface.

A cloud administrator deploys two cloud servers on the Amazon Web Services (AWS) platform, each in a separately defined virtual network. How does the administrator get both servers to communicate with each other without using an Internet gateway? A. Set up a public subnet. B. Configure VPC endpoint interface. C. Use third-party solutions. D. Configure monitoring and track usage.

A. Use separate VPCs for each network segment.

A cloud customer prefers separating storage resources that hold different sets of data in virtual private clouds (VPCs). One of those data sets must comply with Health Insurance Portability and Accountability Act (HIPAA) guidelines for patient data. How should the customer configure these VPCs to ensure the highest degree of network security? A. Use separate VPCs for each network segment. B. Create multiple security groups. C. Monitor the virtual instance usage. D. Use third-party next generation firewall.

B. Spike in API calls C. 78% average error rate

A cloud service provider (CSP) dashboard provides a view of all applicable logs for cloud resources and services. When examining the application programming interface (API) logs, the cloud engineer sees some odd metrics. Which of the following are examples that the engineer would have concerns for? (Select all that apply.) A. High native-cloud firewall cost B. Spike in API calls C. 78% average error rate D. Low latency responses

A. An online root is required to add an intermediate CA. C. An online CA is needed in order to publish a CRL.

A company has a two-level certificate authority (CA) hierarchy. One of the CA servers is offline, while the others are online. Which statements are TRUE of online and offline CAs? (Select all that apply.) A. An online root is required to add an intermediate CA. B. An offline CA is able to publish an up-to-date CRL. C. An online CA is needed in order to publish a CRL. D. An offline CA is a security measure that prevents MitM.

B. Use correct certificate path.

A company has two web servers using a load-balance configuration. Users report having periodic trust errors connecting to the website. Both servers are using web-server certificates and show the same path. Which of the following actions would most likely resolve the issue? A. Remove certificate from CRL. B. Use correct certificate path. C. Change the trust model. D. Use a wildcard certificate.

D. Reverse Proxy

A company hosts internal web servers between two firewalls: one firewall at the edge network and another near the internal gateways. A recent security audit advised the company to utilize filtering rules for connections between remote clients and these internal web servers. Which of the following will satisfy the security advice? A. DLP B. DMZ C. Load balancer D. Reverse Proxy

A. The provider is responsible for the availability of any application software.

A company is looking into integrating on-premises services and cloud services with a cloud service provider (CSP) under an Infrastructure as a Service (IaaS) plan. Which of the following statements would NOT apply in this case? A. The provider is responsible for the availability of any application software. B. The provider must update the firmware and security patches of physical servers. C. The company is liable for legal and regulatory requirements for customer data. D. The company must establish separation of duties mechanisms.

C. Input validation

A developer writes code for a new application, and wants to ensure protective countermeasures against the execution of SQL injection attacks. What secure coding technique will provide this? A. DLL injection B. Code reuse C. Input validation D. Code obfuscation

A. openssl genrsa -aes256 -out server.key 2048

A public key infrastructure (PKI) is being set up for a logistics company, utilizing OpenSSL hosted on Red Hat Enterprise Linux. Which of the following commands can the team use, when setting up the PKI, to create an encrypted RSA private key? A. openssl genrsa -aes256 -out server.key 2048 B. openssl rsa -in server.key -pubout C. openssl rsa -check -in server.key D. openssl x509 -x509toreq -in cert.pem -out server.csr -signkey server.key

B. Hardware root of trust

A laptop arrives at the company technology lab with a private key embedded, providing full disk encryption. When matched with a public key, what does this system provide? A. Hardware security module B. Hardware root of trust C. Access point D. SSL decryptor

A. CASB

A large firm requires better control over mobile users' access to business applications in the cloud. This will require single-sign on and support for different device types. What solution should the company consider using? A. CASB B. Allow list C. Attestation D. IaaS

A. Root

A network administrator is importing a list of certificates from an online source, so that employees can use a chain of trust and communicate securely with public websites. Which type of certificates are the network administrator currently importing? A. Root B. SAN C. Computer D. Wildcard

B. Block TCP ports D. Allow network protocols

A network administrator set up a basic packet filtering firewall using an open-source application running on a Linux virtual machine. The immediate benefit to this deployment is the quick configuration of basic firewall rules. What other functionality would influence a decision to deploy a stateless, rather than stateful, firewall? (Select all that apply.) A. Hardware-specific features B. Block TCP ports C. Analyze HTML code D. Allow network protocols

C. Broadcast storms

A network engineer is plugging in new patch cables and wants to prevent inadvertent disruptions to the network while doing so. What will the engineer prevent if Spanning Tree Protocol (STP) is configured on the switches? A. MAC floods B. DHCP spoofing C. Broadcast storms D. Signature-based intrusion

C. Public cloud

A new cloud service provider (CSP) leases resources to multiple organizations (or customers) around the world. Each customer is independent and does not share the same logical cloud storage resource. The customers use an on-demand payment plan. Which cloud model is the CSP most likely providing to its customers? A. Community cloud B. Hybrid Cloud C. Public cloud D. On-premise Cloud

B. Convert to a .pem file.

A security engineer must install an X.509 certificate to a computer system, but it is not accepted. The system requires a Base64 encoded format. What must the security engineer execute to properly install this certificate? A. Convert to a .der file. B. Convert to a .pem file. C. Convert to a .pfx file. D. Convert to a .p12 file.

A. Prevent malicious traffic between VMs D. Protection from zero day attacks

A small organization operates several virtual servers in a single host environment. The physical network utilizes a physical firewall with NIDS for security. What would be the benefits of installing a Host Intrusion Prevention System (HIPS) at the end points? (Select all that apply.) A. Prevent malicious traffic between VMs B. Update with latest patches C. Secure login with smart card D. Protection from zero day attacks

B. Measured boot will record the presence of unsigned kernel-level code.

A support technician reviews a computer's boot integrity capabilities and discovers that the system supports a measured boot process. Which statement accurately describes this process? A. Measured boot is configured with digital certificates from valid OS vendors. B. Measured boot will record the presence of unsigned kernel-level code. C. Measured boot is the process of transmitting a boot log report signed by the TPM in the system. D. Measured boot encrypts the entire contents of the system drive (or volume).

B. HTTP Strict Transport Security (HSTS) C. Content Security Policy (CSP) D. Cache-Control

A web administrator notices a few security vulnerabilities that need to be addressed on the company Intranet site. The portal must force a secure browsing connection, mitigate script injection, and prevent caching on shared client devices. Determine the secure options to set on the web server's response headers. (Select all that apply.) A. Secure Cookies B. HTTP Strict Transport Security (HSTS) C. Content Security Policy (CSP) D. Cache-Control

B. LDAPS

A web server will utilize a directory protocol to enable users to authenticate with domain credentials. A certificate will be issued to the server to set up a secure tunnel. Which protocol is ideal for this situation? A. HTTPS B. LDAPS C. S/MIME D. ESP

A. Signature-based

An administrator deploys a basic network intrusion detection system (NIDS) device to identify known attacks. What detection method does this device use? A. Signature-based B. Anomaly-based C. Heuristic-based D. Behavioral-based

B. ACL

An administrator navigates to the Windows Firewall with Advanced Security. The inbound rules show a custom rule, which assigned the action, "Allow the connection" to all programs, all protocols, and all ports with a scope of 192.168.0.0/24. This is an example of what type of security setting? A. TLS B. ACL C. DLP D. SSL

C. DNS Security Extensions

An authoritative Domain Name System (DNS) server for a zone creates a Resource Records Set (RRSet) signed with a zone signing key. What is the result of this action? A. DNS Server Cache Poisoning B. DNS Spoofing C. DNS Security Extensions D. Dynamic Host Configuration Protocol

A. Use certificate transparency framework

An independent penetration testing company is invited to test a company's legacy banking application developed for Android phones. It uses Secure Sockets Layer/Transport Layer Security (SSL/TLS) certificates. Penetration tests reveal the connections with clients were vulnerable to a Man-in-the-Middle (MITM) attack. How does the company prevent this from happening in the public Internet? A. Use certificate transparency framework B. Use only TLS C. Use extended validation D. Use certificate chaining

A. A solution that is known as zone-redundant storage. C. Access is available if a single data center is destroyed.

An organization moves its data to the cloud. Engineers utilize regional replication to protect data. Review the descriptions and conclude which ones apply to this configuration. (Select all that apply.) A. A solution that is known as zone-redundant storage. B. Replicas are often located in separate fault domains. C. Access is available if a single data center is destroyed. D. Safeguards data within a single availability zone.

D. SRTP

An organization uses a Session Initiation Protocol (SIP) endpoint for establishing communications with remote branch offices. Which of the following protocols will provide encryption for streaming data during the call? A. SIPS B. ESP C. HTTPS D. SRTP

A. Establish a guest zone B. Upload files using SSH C. Use configuration templates

Consider the principles of web server hardening and determine which actions a system administrator should take when deploying a new web server in a demilitarized zone (DMZ). (Select all that apply.) A. Establish a guest zone B. Upload files using SSH C. Use configuration templates D. Place the server within the corporate network

A. Next-generation secure web gateway

Determine a solution that can combine with a cloud access security broker (CASB) to provide a wholly cloud-hosted platform for client access. A. Next-generation secure web gateway B. Virtual private cloud endpoint C. On-demand machine resources D. Geo-redundant storage

A. Dynamic code analysis

During the functional testing phase of application development, an application tests for vulnerabilities against the running code. What type of code testing is this? A. Dynamic code analysis B. Stress testing C. Static code analyzing D. Model verification

B. Code signing

Employees have the ability to download certain applications onto their workstations to complete work functions. The CIO enacted a policy to ensure that no modifications to the application have occurred. What method of validation did the CIO implement? A. Input validation B. Code signing C. Race conditions D. Code obfuscation

A. Set up efficient east-west traffic. B. Set up zero trust.

Engineers are considering network options that will maintain data transfers between systems within the same cloud-based data center. They also look to configure security on these systems. Which of the following would ensure this type of implementation? (Select all that apply.) A. Set up efficient east-west traffic. B. Set up zero trust. C. Set up perimeter DMZ. D. Set up BPDU guard.

A. Development

Following a secure deployment methodology for custom applications, early code testing would run in which type of environment? A. Development B. Staging C. Production D. Integration

C. Resource policies

If managed improperly, which of the following would be most detrimental to access management of cloud-based storage resources? A. Private subnet B. Encryption C. Resource policies D. Container namespaces

A. Directory services

Implementing Lightweight Directory Access Protocol Secure (LDAPS) on a web server secures direct queries to which of the following? A. Directory services B. Remote access C. E-mail D. Web

D. Provision SSO access.

Management has set up a feed or subscription service to inform users on regular updates to the network and its various systems and services. The feed is only accessible from the internal network. What else can systems administrators do to limit the service to internal access? A. Configure RSS feeds. B. Set up NTP settings. C. Use SIP endpoints. D. Provision SSO access.

A. Source routing C. Route injection D. Software exploits

Select the vulnerabilities that can influence routing. (Select all that apply.) A. Source routing B. Traffic blocking C. Route injection D. Software exploits

C. HTML5 VPN

Systems administrators want to set up a way to perform remote administration from home. Rather than installing a software agent, the solution should use an underlying technology that is available to an application, such as a web browser. Which option would best support these requirements? A. L2TP B. HSM C. HTML5 VPN D. ACL

D. Disk encryption

The IT team has purchased a few devices that are compatible with the Trusted Computing Group Security Subsystem Class called Opal. Which of these device specifications will take advantage of Opal's security features? A. Registry settings B. Operating system C. Automatic vendor updates D. Disk encryption

A. S/MIME

The administrator in an Exchange Server needs to send digitally signed and encrypted messages. What should the administrator use? A. S/MIME B. SSH C. SIP D. POP3

B. In the Subject Alternative Name (SAN)

The system administrator is installing a web server certificate and receives an error indicating the server does not accept wildcard certificates. After examining the certificate, the system admin notices the problem. Determine the specific location where the admin found the problem. A. In the Certificate Signing Request (CSR) B. In the Subject Alternative Name (SAN) C. In the Certificate Revocation List (CRL) D. In the X.509 certificate standard

B. OCSP stapling

There are several ways to check on the status of an online certificate, but some introduce privacy concerns. Consider how each of the following is structured, and select the option with the best ability to hide the identity of the certificate status requestor. A. OCSP responder B. OCSP stapling C. OCSP D. CRL

C. Use 802.1p header.

Users are reporting jittery video communication during routine video conferences. What can a system administrator implement to improve video quality and overall use of the network bandwidth? A. Use web application firewall. B. Use out-of-band management. C. Use 802.1p header. D. Use IPSec.

B. Survey a site for signal strength D. Determine where to place access points

What are the benefits of using Wi-Fi heat maps for existing wireless networks? (Select all that apply.) A. Stop electromagnetic interference B. Survey a site for signal strength C. Restrict SSID overlap D. Determine where to place access points

C. Unlike WPA, WPA2 supports an encryption algorithm based on the Advanced Encryption Standard (AES) instead of the version of RC4 "patched" with the Temporal Key Integrity Protocol (TKIP). D. Unlike WPA, WPA2 uses the Advanced Encryption Standard (AES) cipher with 128-bit keys.

What are the differences between WPA and WPA2? (Select all that apply.) A. Unlike WPA, WPA2 is more secure than WEP. B. Unlike WPA, WPA2 is a security protocol developed by the Wi-Fi Alliance for use in securing wireless networks. C. Unlike WPA, WPA2 supports an encryption algorithm based on the Advanced Encryption Standard (AES) instead of the version of RC4 "patched" with the Temporal Key Integrity Protocol (TKIP). D. Unlike WPA, WPA2 uses the Advanced Encryption Standard (AES) cipher with 128-bit keys.

C. Configure scheduling.

What can a system administrator configure on two load balanced servers to achieve a round robin configuration? A. Configure active/passive settings. B. Configure virtual IP address. C. Configure scheduling. D. Configure persistence settings.

A. Layer 7

When implementing a native-cloud firewall, which layer of the Open Systems Interconnection (OSI) model will require the most processing capacity to filter traffic based on content? A. Layer 7 B. Layer 4 C. Layer 3 D. Layer 1

D. Storage

Which aspect of certificate and key management should an administrator practice when trying to prevent the loss of private keys? A. Revocation B. OCSP C. Expiration D. Storage

D. PFX

Which certificate format allows the transfer of private keys and is password protected? A. P7B B. CER C. DER D. PFX

C. LDAPS

Which of the following protocols would secure a tunnel for credential exchange using port 636? A. FTPES B. SFTP C. LDAPS D. DNSSEC

B. Measured boot

Which of the following provides attestation and is signed by a trusted platform module (TPM)? A. Endpoint detection and response (EDR) B. Measured boot C. Host intrusion prevention system (HIPS) D. Secure cookies

C. Namespaces D. Control groups

Which of the following reduces the risk of data exposure between containers on a cloud platform?(Select all that apply.) A. Public subnets B. Secrets management C. Namespaces D. Control groups

A. WPA3 B. SAE

Which wireless configurations provide the most up-to-date and secure way of connecting wireless devices to an office or home network? (Select all that apply.) A. WPA3 B. SAE C. PEAP D. EAP-TTLS