Security+ Implementation

John is performing a port scan of a network as part of a security audit. He notices that the domain controller is using secure LDAP. Which of the following ports would lead him to that conclusion? A. 389 B. 53 C. 443 D. 636

636; 53-DNS, 389-LDAP, 443-HTTP, 636-Secure LDAP

What is the size of the wrapper TKIP places around the WEP encryption with a key that is based on things such as the MAC address of your machine and the serial number of the packet? A. 128 bit B. 64 bit C. 56 bit D. 12 bit

A. 128-bit

What two ports are most commonly used for FTPS traffic? A. 21, 990 B. 433, 1433 C. 21, 22 D. 20, 21

A. 21, 990; FTP =29 FTPS=990

Isaac is designing his cloud datacenter's public-facing network and wants to properly implement segmentation to protect his application servers while allowing his web servers to be accessed by customers. What design concept should he apply to implement this type of secure environment? A. A DMZ B. A forward proxy server C. A reverse proxy server D. A VPC

A. A DMZ

Nancy wants to protect and manage her RSA keys while using a mobile device. What type of solution could she purchase to ensure that the keys are secure so that she can perform public key authentication? A. A MicroSD HSM B. An offline CA C. An application-based PKI D. An OPAL-encrypted drive

A. A MicroSD HSM

When Amanda visits her local coffee shop, she can connect to the open wireless network without providing a password, but she is immediately redirected to a website that asks for her email address. Once she provides it, she is able to browse the internet normally. What type of technology has Amanda encountered? A. A captive portal B. Port security C. A Wi-Fi protected access D. A preshared key

A. A captive portal

Ben is using a tool that is specifically designed to send unexpected data to a web application that he is testing. The application is running in a test environment and configured to log events and changes. What type of tool is Ben using? A. A fuzzer B. A static code review tool C. A SQL injection proxy D. A web proxy

A. A fuzzer

Michael wants to use IP reputation information to protect his network and knows that third parties provide that information. How can he get this data, and what secure protocol is he most likely to use to retrieve it? A. A subscription service, HTTPS B. A subscription service, SAML C. An FDE, XML D. A VDI, XML

A. A subscription service, HTTPS

What IP address does a load balancer provide for external connections to connect to web servers in a load-balanced group? A. A virtual IP address B. The load balancer's IP address C. The IP address for each server, in a prioritized order D. The IP address for each server in a round-robin order

A. A virtual IP address

During a security review, Matt notices that the vendor he is working with lists their IPSec VPN as using AH protocol for the security of the packets that it sends. What concern should Matt note to his team about this? A. AH does not provide confidentiality B. AH does not provide data integrity C. AH does not provide replay protection D. None of the above; AH provides confidentiality, authentication, and replay protection

A. AH does not provide confidentiality; AH provides integrity but not confidentiality

Brian wants to limit access to a federated service that uses Single Sign-On based on user attributes and group membership, as well as which federation member the user is logging in from. Which of the following options is best suited to his needs? A. Access policies B. Geolocation C. Time-based logins D. Account auditing

A. Access policies; built using information and attributes about access request

Jackie wants to deploy a network access control (NAC) system that will stop systems that are not fully patched from connecting to his network. If he wants to have full details of system configuration, antivirus version, and patch level, what type of NAC deployment is most likely to meet his needs? A. Agent-based, preadmission B. Agent-based, post admission C. Agentless, preadmission D. Agentless, post admission

A. Agent-based, preadmission; provides greater insight into the configuration of a system using the agent, and the preadmission model will allow the system configuration to be tested before the system is allowed to connect to the network.

As part of the certificate issuance process from the CA that her company works with, Marie is required to prove that she is a valid representative of her company. The CA goes through additional steps to ensure that she is who she says she is and that her company is legitimate, and not all CAs can issue this type of certificate. What type of certificate has she been issued? A. An extended validation (EV) certificate B. An organization validation certificate C. An OCSP certificate D. A domain-validated certificate

A. An extended validation (EV) certificate

Jenny is considering using infrastructure as a service cloud provider to host her organization's web application, database, and web servers. Which of the following is not a reason she would choose to deploy to a cloud service? A. Direct control of underlying hardware B. Replication of multiple geographic zones C. Support for high availability D. Reliability of the underlying storage

A. Direct control of underlying hardware

Elio is reviewing log files for authentication events and notices that one of his users has logged in from a system at his company's home office in Chicago. Less than an hour later, the same user is recorded as logging in from an IP address that geo-IP tools say comes from Australia. What type of issue should he flag this as? A. An impossible travel time, risky login issue B. A geo-IP lookup issue C. A misconfigured IP address D. None of the above

A. An impossible travel time, risky login issue

Dami has designed and built a website that is accessible only inside of a corporate network. What term is used to describe this type of internal resource? A. An intranet B. An extranet C. A TTL D. A DMZ

A. An intranet

Raymon is building a new web service and is considering which parts of the service should use Transport Layer Security (TLS). Components of the application include: 1. Authentication 2. Payment form 3. User data, including address and shopping cart 4. A user comments and reviews section. Where should he implement TLS? A. At all points in the infrastructure B. At points 1, 2, & 3 C. At points 2, 3, & 4 D. At points 1, 2, & 4

A. At all points in the infrastructure

Naomi wants to use information about her users like their birthdays, addresses, and job titles as part of her identity management system. What term is used to describe this type of information? A. Attributes B. Roles C. Identifiers D. Factors

A. Attributes; Identity attributes are characteristics of identity and are used to differentiate the identity from others.

Edward is responsible for web application security at a large insurance company. One of the applications that he is particularly concerned about is used by insurance adjusters in the field. He wants to have strong authentication methods to mitigate misuse of the application. What would be his best choice? A. Authenticate the client with a digital certificate B. Implement a web application firewall (WAF) C. Secure application communication with Transport Layer Security (TLS) D. Implement a very strong password policy

A. Authenticate the client with a digital certificate; effective way to ensure that only authorized users can access the application

Matt has enabled port security on the network switches in his building. What does port security do? A. Filters by MAC address B. Prevents routing protocol updates from being sent from protected ports C. Establishes private VLANs D. Prevents duplicate MAC addresses from connecting to the network

A. Filters by MAC address

Fred sets up his authentication and authorization system to apply _____ to authenticated user's accounts that meet some specific conditions. A. Conditional access B. Time-based logins C. Role-based access D. Geofencing

A. Conditional Access

Mari wants to check on the status of the carrier unlocking for all mobile phones owned by and deployed by his company. What method is the most effective way to do this? A. Contact the cellular provider B. Use an MDM tool C. Use a UEM tool D. None of the above; carrier unlock must be verified manually on the phone

A. Contact the cellular provider

Nathan wants to ensure that the mobile devices his organization has deployed can be used in the company's facilities. What type of authentication should he deploy to ensure this? A. Context-aware authentication B. Biometric C. Content-aware authentication D. PINs

A. Context-aware authentication

Tara is concerned with staff in her organization sending emails with sensitive information like customer Social Security numbers (SSNs) included in it. What type of solution can she implement to help prevent inadvertent exposures of this type of sensitive data? A. Data Loss Prevention (DLP) B. S/MIME C. POP3S D. Full Disk Encryption (FDE)

A. Data Loss Prevention (DLP)

Claire has been notified of a zero-day flaw in a web application. She has the exploit code, including a SQL injection attack that is being actively exploited. How can she quickly react to prevent this issue from impacting her environment if she needs the application to continue to function? A. Deploy a fix via her Web Application Firewall (WAF) B. Deploy a detection rule to her Intrusion Detection System (IDS) C. Manually update the application code after reverse-engineering it D. Install the vendor-provided patch

A. Deploy a fix via her Web Application Firewall (WAF)

Patrick has been asked to identify a UTM appliance for his organization. Which of the following capabilities is NOT a common feature for a UTM device? A. Antivirus B. Data Loss Prevention (DLP) C. Mobile Device Management (MDM) D. Intrusion Detection System (IDS) or Intrusion Prevention System (IPS)

C. Mobile Device Management (MDM)

Gabriel has been laid off from the organization that he worked at for almost a decade. Mark needs to make sure that Gabriel's account is securely handled after his last day of work. What can he do to his account as an interim step to best ensure that files are still accessible and that the account could be returned to use if Gabriel returns after the layoff? A. Disable the account and re-enable it if needed B. Leave the account active in case Gabriel returns C. Change the password to one Gabriel doesn't know D. Delete the account and recreate it when needed

A. Disable the account and re-enable it if needed

Users in your network are able to assign permissions to their own shared resources. Which of the following access control models is used in your network? A. Discretionary Access Control (DAC) B. Mandatory Access Control (MAC) C. Attribute-Based Access Control (ABAC) D. Role-Based Access Control (RBAC)

A. Discretionary Access Control (DAC)

Tina wants to ensure that rogue DHCP servers are not permitted on the network she maintains. What can she do to protect against this? A. Enable DHCP snooping B. Deploy an IDS to stop rogue DHCP packets C. Disable DHCP snooping D. Block traffic on the DHCP ports to all systems

A. Enable DHCP snooping; used to monitor and stop rogue DHCP traffic from unknown servers

Sandra is concerned about attacks against her network's Spanning Tree Protocol (STP). She wants to ensure that a new switch introduced by an attacker cannot change the topology by asserting a lower bridge ID than the current configuration. What should she implement to prevent this? A. Enable Root Guard B. Set the bridge ID to a negative number C. Disable Spanning Tree Protocol D. Enable BridgeProtect

A. Enable Root Guard

Greg knows that when a switch doesn't know where a node is, it will send out a broadcast to attempt to find it. If other switches inside its broadcast domain do not know about the node, they will broadcast that query, and this can create a massive amount of traffic that can quickly amplify out of control. He wants to prevent this scenario without causing the network to be unable to function. What port-level security feature can he enable to prevent this? A. Enable storm control B. Use ARP blocking C. Block all broadcast packets D. None of the above

A. Enable storm control; Enabling storm control on a switch will limit the amount of total bandwidth that broadcast packets can use, preventing broadcast storms from taking down the network.

Isaac is reviewing his organization's secure coding practices document for customer-facing web applications, and he would like to make sure that their input validation recommendations are appropriate. Which of the following is NOT a common practice for input validation? A. Ensure validation occurs on a trusted client B. Ensure validation occurs on a trusted server C. Validate expected data types and ranges D. Validate all client-supplied data before it is processed

A. Ensure that validation occurs on a trusted client

In which of the following scenarios would using a shared account pose the least security risk? A. For guest Wi-Fi access B. For a group of tech support personnel C. For accounts with few privileges D. For students logging in at a university

A. For guest Wi-Fi access

What is the main use of hashing in databases? A. For indexing and retrieval B. To obfuscate data C. To substitute for sensitive data, allowing it to be used without exposure D. To encrypt stored data, thus preventing exposure

A. For indexing and retrieval

Clover wants to test her company's web application to see if it is handling input validation and data validation properly. Which testing method would be most effective for this? A. Fuzzing B. Version Control C. Baselining D. Static code analysis

A. Fuzzing; the tester intentionally enters incorrect values into input fields to see how the application will handle them

Mason is responsible for security at a company that has traveling salespeople. The company has been using Attribute-Based Access Control (ABAC) for access control to the network. Which of the following is an issue that is specific to ABAC and might cause it to incorrectly reject logins? A. Geographic location B. Wrong password C. Remote access is not allowed by ABAC D. Firewalls usually block ABAC

A. Geographic location

Kathleen wants to implement a zero-trust network design and knows that she should segment the network. She remains worried about the east/west traffic inside the network segments. What is the first security tool she should implement to ensure hosts remain secure from network threats? A. Host-based firewalls B. FDE C. Antivirus D. Host-based IPS

A. Host-based firewalls

Emily manages the IDS/IPS for her network. She has a network-based intrusion prevention system (NIPS) installed and properly configured. It is not detecting obvious attacks on one specific network segment. She has verified that the NIPS is properly configured and working properly. What would be the most efficient way for her to address this? A. Implement port mirroring for that segment B. Isolate that segment on its own VLAN C. Install a NIPS on that segment D. Upgrade to a more effective NIPS

A. Implement port mirroring for that segment; traffic from unsecured segment copied and sent to the segment where the NIPS is installed

David uses a tool that lists the specific applications that can be installed and run on a system. The tool uses hashes of the application's binary to identify each application to ensure that the application matches the filename provided for it. What type of tool is David using? A. Whitelisting B. Antivirus C. Antimalware D. Blacklisting

A. Whitelisting

Madi's web application converts numbers that are input into fields by specifically typing them and then applies strict exception handling. It also sets a minimum and maximum length for the inputs that it allows and uses predefined arrays of allowed values for inputs like months or dates. What term describes the actions that Madi's application is performing? A. Input validation B. Schema validation C. String injection D. Buffer overflow prevention

A. Input validation; validation techniques that are used to ensure that unexpected or malicious input does not cause problems with the application

Denny wants to deploy antivirus for his organization and wants to ensure that it will stop most malware. What deployment model should Denny select? A. Install antivirus from one vendor on PCs and from another vendor on the server to provide a greater chance of catching malware B. Install antivirus only on workstations to avoid potential issues with server performance C. Install antivirus from the same vendor on individual PCs and servers to best balance visibility, support, and security D. Install antivirus from more than one vendor on all PCs and servers to maximize coverage

A. Install antivirus from one vendor on PCs and from another vendor on the server to provide a greater chance of catching malware

Charles has been asked to implement DNSSEC for his organization. This will provide which of the following advantages? A. Integrity B. Availability C. Confidentiality D. All of the above

A. Integrity

Gary's organization uses a NAT gateway at its network edge. What security benefit does a NAT gateway provide? A. It allows systems to connect to another network without being directly exposed to it B. It can detect malicious traffic and stop it from passing through C. It statefully blocks traffic based on port and protocol as a type of firewall D. It allows non-IP-based addresses to be used behind a legitimate IP address

A. It allows systems to connect to another network without being directly exposed to it

Mark is responsible for managing his company's load balancer and wants to use a load balancing scheduling technique that will take into account the current server load and active sessions. Which of the following techniques should he choose? A. Least connection B. Round robin C. Source IP hash D. Weighted response time

A. Least-connection; sends the next request to the server with the least amount of active sessions

You work for a social media website. You wish to integrate your users' accounts with other web resources. To do so, you need to allow authentication to be used across different domains, without exposing your users' passwords to these other services. Which of the following would be most helpful in accomplishing this goal? A. Open Authorization (OAuth) B. Security Assertion Markup Language (SAML) C. Kerberos D. OpenID

A. Open Authorization

From a physical security perspective, which of the following is the equivalent of a VLAN? A. Partitioning B. Security Zones C. Firewall D. Perimeter Security

A. Partitioning; VLAN emulates physical partitioning

What is the most common format for certificates issued by certificate authorities? A. Privacy Enhanced Mail (PEM) B. PKCS#7 (P7B) C. PFX D. Distinguished Encoding Rules (DER)

A. Privacy Enhanced Mail (PEM)

Maria wants to ensure that her wireless controller and access points are as secure as possible from attack via her network. What control should she put in place to protect them from brute-force password attacks and similar attempts to take over her wireless network's hardware infrastructure? A. Put the access points and controllers on a separate management VLAN B. Regularly patch the devices C. Disable administrative access D. All of the above

A. Put the access points and controllers on a separate management VLAN; prevents attackers from being able to connect to the device's administrative interfaces

Cynthia wants to issue contactless cards to provide access to the buildings she is tasked with securing. Which of the following technologies should she deploy? A. RFID B. Magstripe C. HOTP D. Wi-Fi

A. RFID

Sally has been asked to provide a recommendation for her organization about password security practices. Users have complained that they have to remember too many passwords as part of their job and that they need a way to keep track of them. What should Sally recommend? A. Recommend a password vault or manager application B. Recommend that users write passwords down near their workstations C. Recommend that users change their standard passwords slightly based on the site they are using D. Recommend that users use the same password for sites with similar data or risk profiles

A. Recommend a password vault or manager application

Liam is setting up a public key infrastructure (PKI) and knows that keeping the passphrases and encryption keys used to generate new keys is a critical part of ensuring that the root certificate authority remains secure. Which of the following techniques is NOT a common solution to help prevent insider threats? A. Require a new passphrase every time the certificate is used B. Require dual control C. Implement separation of duties D. Use a split knowledge process for the password or a key

A. Require a new passphrase every time the certificate is used; NOT A REASONABLE SOLUTION

Chloe has noticed that users on her company's network frequently have simple passwords made up of common words. Therefore they have weak passwords. How could Chloe best mitigate this issue? A. Require password complexity B. Have users change passwords more frequently C. Implement Single Sign-On (SSO) D. Increase minimum password length

A. Require password complexity

Nadia is concerned with the content of her emails to her friend Danielle being read as they move between servers. What technology can she use to encrypt her emails, and whose key should she use to encrypt the message? A. S/MIME, Danielle's public key B. Secure POP3, Danielle's private key C. S/MIME, her private key D. Secure POP3, her public key

A. S/MIME, Danielle's public key; Secure/Multipurpose Internet Mail Extensions (S/MIME), which functions as asymmetric encryption and then using Danielle's public key to encrypt the email so that only Danielle can decrypt the messages and read them

Fiona knows that SNMPv3 provides additional security features that previous versions of SNMP did not. Which of the following is NOT a security feature provided by SNMPv3? A. SQL injection prevention B. Message authentication C. Message confidentiality D. Message integrity

A. SQL injection prevention

Next-gen firewalls include many cutting-edge features. Which of the following is NOT a common next-gen firewall capability? A. SQL injection B. IPS and/or IDS C. Geolocation D. Sandboxing

A. SQL injection; SQL injection is an attack not a defense

Laura is reviewing the configuration for an email server in her organization and discovers that there is a service running on TCP port 993. What secure email service has she most likely discovered? A. Secure IMAP (IMAPS) B. Secure MIME (SMIME) C. Secure POP3 D. Secure SMTP

A. Secure IMAP (IMAPS)

Freddie is building a web application that will receive information from a service provider. What open standard should he design his application to use to work with many modern third-party identity providers? A. Security Assertion Markup Language (SAML) B. Lightweight Directory Access Protocol (LDAP) C. New Technology LAN Manager (NTLM) D. Kerberos

A. Security Assertion Markup Language (SAML)

Derek is designing his cloud infrastructure and needs to provide a firewall-like capability for the virtual systems he is running. Which of the following cloud capabilities acts like a virtual firewall? A. Security groups B. VPC endpoints C. Dynamic resource allocation D. Instance awareness

A. Security groups; best example of a virtual firewall

What does the OPAL standard specify? A. Self-encrypting drives B. The origin of personal accounts and libraries C. Drive sanitization modes for degaussers D. Online personal access licenses

A. Self-encrypting drives; defines how to protect confidentiality for stored user data and how storage devices from storage device manufacturers can work together.

Lisa is setting up accounts for her company. She wants to set up accounts for the Oracle database server. Which of the following would be the best type of account to assign to the database service? A. Service B. User C. Admin D. Guest

A. Service; service accounts are given the least privileges the service needs and are used by the service without the need for a human user

Michael wants to implement a zero-trust network. Which of the following steps is not a common step in establishing a zero-trust network? A. Simplify the network B. Use strong identity and access management C. Configure firewalls for least privilege and application awareness D. Log security events and analyze them

A. Simplify the network

Naomi wants to deploy a firewall that will protect her endpoint systems from other systems in the same security zone of her network as part of a zero-trust design. What type of firewall is best suited to this type of deployment? A. Software firewalls B. Hardware firewalls C. Virtual firewalls D. Cloud firewalls

A. Software firewalls; best option particularly when endpoint systems are being protected

What type of code analysis is manual code review? A. Static code review B. Fuzzing C. Dynamic code review D. Fagan code review

A. Static code review

Mike's manager has asked him to verify that the certificate chain for their production website is valid. What has she asked Mike to do? A. That users who visit the website can verify that the site and the CAs in the chain are all trustworthy B. That the certificate has not been revoked C. That the certificate was issued properly and that prior certificates issued for the same system have also been issued properly D. That the encryption used to create the certificate is strong and has not been cracked

A. That users who visit the website can verify that the site and the CAs in the chain are all trustworthy; certificate chains list certificates and certificate authority (CA) certificates, allowing those who receive the certificate to validate that the certificates can be trusted

Gary uses a wireless analyzer to perform a site survey of his organization. Which of the following is NOT a common feature of a wireless analyzer's ability to provide information about the wireless networks around it? A. The ability to show the version of the RADIUS server used for authentication B. The ability to show signal strength of access points on a map of the facility C. The ability to show the version of the 802.11 protocol (n, ac, ax) D. The ability to show a list of SSIDs available in a given location

A. The ability to show the version of the RADIUS server used for authentication; wireless analyzers are not typically able to provide the version of the RADIUS server used for authentication

Darif sets the permissions on a file in Linux using the command "chmod 700 example.txt". What permission has he set on the file? A. The user has full access to the file B. The user has execute access to the file C. All users have execute access to the file D. All users have write access to the file

A. The user has full access to the file; rwx notation and the first number sets the user's rights

What is the primary advantage of cloud-native security solutions when compared to third-party solutions deployed to the same cloud environment? A. Tighter integration B. Better security C. Lower cost D. All of these

A. Tighter integration; generally have better and deeper integration into the cloud platform than third-party solutions will (i.e., Apple ecosystem)

Mark has configured systems in his network to perform boot attestation. What has he configured the systems to do? A. To notify a remote system or management tool that the boot process was secure using measurements from the boot process B. To run only trusted software based on previously stored hashes using a chained root process C. To hash the BIOS of the system to ensure that the boot process has occurred securely D. To notify a BOOTP server when the system has booted up

A. To notify a remote system or management tool that the boot process was secure using measurements from the boot process

Dana wants to protect data in a database without changing characteristics like the data length and type. What technique can she use to do this most effectively? A. Tokenization B. Rotation C. Hashing D. Encrypting

A. Tokenization; used to protect data by substituting tokens for sensitive data without changing the length or data type.

Melissa's website provides users who access it via HTTPS with a Transport Layer Security (TLS) connection. Unfortunately, Melissa forgot to renew her certificate, and it is presenting users with an error. What happens to the HTTPS connection when a certificate expires? A. Trust will be reduced, but traffic will still be encrypted B. All traffic will be unencrypted C. Traffic for users who do not click OK at the certificate error will be unencrypted D. Users will be redirected to the certificate authority's site for a warning until the certificate is renewed

A. Trust will be reduced, but traffic will still be encrypted

Sheila is concerned that some users on her network may be accessing files that they should not—specifically, files that are not required for their job tasks. Which of the following would be most effective in determining if this is happening? A. Usage auditing and review B. Permissions auditing and review C. Account maintenance D. Policy review

A. Usage auditing and review

Abigail is responsible for setting up a network-based intrusion prevention system (NIPS) on her network. The NIPS is located in one particular network segment. She is looking for a passive method to get a copy of all traffic to the NIPS network segment so that it can analyze the traffic. Which of the following would be her best choice? A. Using a network tap B. Setting up a NIPS on each segment C. Use port mirroring D. Setting the NIPS on a VLAN that is connected to all other segments

A. Using a network tap

Henry wants to deploy a web service to his cloud environment for his customers to use. He wants to be able to see what is happening and stop abuse without shutting down the service if customers cause issues. What two things should he implement to allow this? A. An API-centric IPS and an API proxy B. API keys and logging via an API gateway C. An API gateway and logging D. All of the above

API keys and logging via an API gateway; gives the option to disable problematic API keys rather than all users and using logging tools allows scalability, logging, and monitoring, as well as firewalls

What channels do not cause issues with channel overlap or overlap in U.S. installations of 2.4 GHz Wi-Fi networks? A. 1, 3, 5, 7, 9, and 11 B. 1, 6, and 11 C. 2, 6, and 10 D. Wi-Fi channels do not suffer from channel overlap

B. 1, 6, and 11; in an ideal installation, these three channels can be used to maximize throughput and minimize interference

What element is most often used as the foundation for a hardware root of trust for a modern PC? A. A Hardware Security Module (HSM) B. A Trusted Platform Module (TPM) C. The CPU D. The hard drive or SSD

B. A Trusted Platform Module (TPM)

Megan wants to set up an account that can be issued to visitors. She configures a kiosk application that will allow users in her organization to sponsor the visitor, set the amount of time that the user will be on site, and then allow them to log into the account, set a password, use Wi-Fi, and other services. What type of account has Megan created? A. A shared account B. A guest account C. A service account D. A user account

B. A guest account; guest accounts typically have very limited privileges to keep them more secure

Dennis wants to deploy a firewall that can provide URL filtering. Which type of firewall should he deploy? A. A stateful packet inspection firewall B. A next-generation firewall C. A packet filter D. None of the above

B. A next-generation firewall; these typically have built-in capabilities like URL filtering

Which of the following best describes a TPM? A. Total Patch Management B. A secure cryptoprocessor C. Transport Protection Mode D. A DNSSEC extension

B. A secure cryptoprocessor; Trusted Platform Module is a secure cryptoprocessor used to provide a hardware root of trust for systems.

Greg's company has a remote location that uses an IP-based streaming security camera system. How could Greg ensure that the remote location's networked devices can be managed as if they are local devices and that the traffic to that remote location is secure? A. An as-needed IPSec VPN B. An always-on IPSec VPN C. An always-on TLS VPN D. An as-needed TLS VPN

B. An always-on IPSec VPN; can make a remote location appear as though it is connected to your local network

Tom is responsible for VPN connections in his company. His company uses IPSec for VPNs. What is the primary purpose of Authentication Headers (AH) in IPSec? A. Encrypt the entire packet B. Authenticate the entire packet C. Encrypt just the header D. Authenticate just the header

B. Authenticate the entire packet

What happens when a certificate is stapled? A. Both the host certificate and the root certificate authority's private key are attached to validate the authenticity of the chain B. Both the certificate and OCSP responder are sent together to prevent additional retrievals during certificate path validation C. The certificate is attached to other certificates to demonstrate the entire certificate chain D. The certificate is stored in a secure location that prevents the certificate from being easily removed or modified

B. Both the certificate and OCSP responder are sent together to prevent additional retrievals during certificate path validation; provides greater security because clients know the certificate is valid, and greater efficiency because they don't have to perform a separate retrieval to check the certificate's status

Barbara wants to implement WPA3 Personal. Which of the following features is a major security improvement in WPA3 over WPA2? A. B. Brute-force attack prevention C. D.

B. Brute-force attack prevention

Eric wants to provide company-purchased devices, but his organization prefers to provide end-users with choices among devices that can be managed and maintained centrally. What mobile device deployment model best fits this need? A. BYOD B. CYOD C. COPE D. VDI

B. CYOD

Sam is looking for an authentication method that incorporates the X.509 standard and will allow authentication to be digitally signed. Which of the following authentication methods would best meet these requirements? A. OAuth B. Certificate-based authentication C. Kerberos D. Smartcards

B. Certificate-based authentication; digital certificates use the X.509 standard (PGP) and allow the user to digitally sign authentication requests

Mika is designing her organization's wireless network and wants to make sure that the design places access points in areas where they will provide optimum coverage. She also wants to plan for any sources of RF interference as part of her design. What should Mika do first? A. Disable all existing access points B. Conduct a site survey C. Conduct a port scan to find all existing access points D. Contact the FCC for a wireless map

B. Conduct a site survey

Eric is responsible for his organization's mobile device security. They use a modern mobile device management (MDM) tool to manage a BYOD mobile device environment. Eric needs to ensure that the applications and data that his organization provides to users of those mobile devices remains as secure as possible. Which of the following technologies will provide him with the best security while keeping changes to the mode? A. Remote wipe B. Containerization C. Storage segmentation D. Full device encryption

B. Containerization; will allow Eric's company's tools and data to be run inside of an application-based container, isolating the data and programs from the self-controlled BYOD devices

Charlene wants to provision her organization's standard set of marketing information to mobile devices throughout her organization. What MDM feature is best suited for this task? A. Application management B. Content management C. Remote wipe D. Push notifications

B. Content management; allows Charlene to provision files, documents, and media to the devices that staff members in her organization are issued

Gabe is setting up a new e-commerce server. He is concerned with security issues. Which of the following would be the best location to place an e-commerce server? A. Intranet B. DMZ C. Extranet D. Guest network

B. DMZ

Elenora is responsible for log collection and analysis for a company with locations around the country. She has discovered that remote sites generate high volumes of log data, which can cause bandwidth consumption issues for those sites. What type of technology could she deploy to each site to help with this? A. Deploy a honeypot B. Deploy a log aggregator C. Deploy a bastion host D. None of the above

B. Deploy a log aggregator

Charline wants to use the built-in security features of HTTP headers. Which of the following is NOT an HTTP header security option? A. Requiring transport security B. Disabling SQL injection C. Helping prevent MIME sniffing D. Preventing cross-site scripting

B. Disabling SQL injection; THERE IS NO HEADER TO DISABLE SQL INJECTION

Claire wants to check whether a certificate has been revoked. What protocol is used to validate certificates? A. RTCP B. Online Certificate Status Protocol (OCSP) C. CRBL D. PKCRL

B. Online Certificate Status Protocol (OCSP); the other options don't exist

Daniel is performing a dynamic code analysis technique that sends a broad range of data as inputs to the application he is testing. The inputs include data that is both within the expected ranges and types for the program and data that is different and, thus, unexpected by the program. What code testing technique is Daniel using? A. Buffer overflow B. Fuzzing C. Timeboxing D. Input validation

B. Fuzzing; automated dynamic software testing technique that sends unexpected and often invalid data to a program to test how it responds

What two connection methods are used for most geofencing applications? A. Cellular and GPS B. GPS and Wi-Fi C. USB and Bluetooth D. Cellular and Bluetooth

B. GPS and Wi-Fi

Trixie wants to prevent corporate mobile devices from being used outside of her company's buildings and corporate campus. What MDM capability should she use to allow this? A. IP filtering B. Geofencing C. Patch management D. Network restrictions

B. Geofencing

John is designing a security architecture for his organization to move into an infrastructure-as-a-service cloud environment. In his on-site data center, he has deployed a firewall in front of the data center network to protect it, and he has built rules that allow necessary services in, as well as outbound traffic for updates and similar needs. He knows that his cloud environment will be different. Which of the following is not a typical concern for cloud firewall designs? A. Segmentation requirements for virtual private clouds B. Hardware access for updates C. The cost of operating firewall services in the cloud D. OSI layers and visibility of traffic to cloud firewalls

B. Hardware access for updates

Tracy wants to protect desktop and laptop systems in her organization from network attacks. She wants to deploy a tool that can actively stop attacks based on signatures, heuristics, and anomalies. What type of tool does she deploy? A. Host based IDS B. Host based IPS C. Firewall D. Antimalware

B. Host based IPS

Dan configures a resource-based policy on his Amazon account. What control has he deployed? A. A control that determines the amount that service can cost before an alarm is sent B. A control that determines what an identity can do C. A control that determines who has access to the resource, and the actions they can take on it D. A control that determines the amount of a finite resource that can be consumed before an alarm is set

C. A control that determines who has access to the resource, and the actions they can take on it

Sarah is the CIO for a small company. The company uses several custom applications that have complicated interactions with the host operating system. She is concerned about ensuring that systems on her network are all properly patched. What is the best approach in her environment? A. Implement automatic patching B. Immediately deploy patches to a test environment, then as soon as testing is complete, have a staged rollout to the production network C. Delegate patch management to managers of departments so that they can find the best patch management for their departments D. Implement a policy that has individual users patch their systems

B. Immediately deploy patches to a test environment, then as soon as testing is complete, have a staged rollout to the production environment

Muriel is looking for an authentication protocol for her network. She is especially concerned with highly skilled attackers. As part of mitigating that concern, she wants an authentication protocol that never actually transmits a user's password, in any form. Which authentication protocol would be a good fit for Muriel's needs? A. CHAP B. Kerberos C. Type II D. RBAC

B. Kerberos

David has provided the BitLocker encryption keys for computers in his department to his organization's security office so that they can decrypt them in the event of a breach or investigation. What is this concept called? A. Key submission B. Key escrow C. AES jail D. A BitLocker Locker

B. Key escrow

Charles is a CISO for an insurance company. He recently read about an attack where an attacker was able to enumerate all the network devices in an organization. All this was done by sending queries using a single protocol. Which protocol should Charles secure to mitigate this attack? A. Dynamic Host Configuration Protocol (DHCP) B. Lightweight Directory Access Protocol (LDAP) C. Internet Message Access Protocol (IMAP) D. Simple Network Management Protocol (SNMPv3) E. Post Office Protocol 3 (POP3)

B. Lightweight Directory Access Protocol (LDAP); attacks on LDAP can give an attacker a very thorough inventory of your network

Gary wants to implement EAP-based protocols for his wireless authentication and wants to ensure that he uses only versions that support Transport Layer Security (TLS). Which of the following EAP-based protocols does not support TLS? A. Protected Extensible Authentication Protocol (PEAP) B. Lightweight Extensible Authentication Protocol (LEAP) C. EAP-TLS D. EAP-TTLS

B. Lightweight Extensible Authentication Protocol (LEAP)

You are responsible for an e-commerce site. This site is hosted in a cluster. Which of the following techniques would be best in ensuring availability? A. An SSL accelerator B. Load balancing C. A VPN concentrator D. Aggregate switching

B. Load balancing; will prevent any single server from being overloaded

Jade is considering deploying a network intrusion prevention system (IPS) and wants to be able to detect advanced persistent threats. What type of IPS detection method is most likely to detect the behaviors of an APT after it has gathered baseline information about normal operations? A. Heuristic-based IPS detections B. Malicious tool hash IPS detections C. Anomaly-based IPS detections D. Signature-based IPS detections

C. Anomaly-based IPS detections

Olivia has issued Android tablets to staff in her production facility, but cameras are banned due to sensitive data in the building. What type of tool can she use to control camera use on all of her organization's corporate devices that she issues? A. Data Loss Prevention (DLP) B. Mobile Device Management (MDM) C. MMC D. OPAL Encryption Standard

B. Mobile Device Management (MDM)

What type of topology does an ad hoc wireless network use? A. Star B. Point-to-point C. Point-to-multipoint D. Bus

B. Point-to-point

What does UEFI-measured boot do? A. Record how long it takes for a system to boot up B. Records information about each component that is loaded, stores it in the TPM, and can report it to a server C. Compares the hash of every component that is loaded against a known hash stored in the TPM D. Checks for updated versions of the UEFI, and compares it to the current version; if it is measured as being too far out of date, it updates the UEFI

B. Records information about each server component that is loaded, stores it in the TPM, and can report it to a server

Ben is responsible for a new application with a worldwide user base that will allow users to sign up to access existing data about them. He would like to use a method of authentication that will allow him to verify that users are the correct people to match up with their accounts. How can he validate these users? A. Require that they present their Social Security number B. Require them to use knowledge-based authentication C. Require them to validate an email sent to the account they signed up with D. Require them to use a federated identity via Google

B. Require them to use knowledge-based authentication

What term describes random bits that are added to a password before it is hashed and stored in a database? A. Bit-rot B. Salt C. Rainbow-armor D. Flavoring

B. Salt

Ian needs to connect to a system via an encrypted channel so that he can use a command-line shell. What protocol should he use? A. HTTPS B. Secure Shell (SSH) C. Transport Layer Security (TLS) D. Telnet

B. Secure Shell (SSH); secure protocol used to connect to command-line shells

Claire is concerned with an attacker getting information about network devices and their configuration in her company. Which protocol should she implement that would be most helpful in mitigating this risk while providing management and reporting about network devices? A. SFTP B. Simple Network Management Protocol (SNMPv3) C. Remote Authentication Dial In User Service (RADIUS) D. Transport Layer Security (TLS)

B. Simple Network Management Protocol (SNMPv3)

Susanne has configured a VPN so that traffic destined for systems on her corporate network is routed over the VPN but traffic is sent to other destinations via the VPN user's local network. What is this configuration called? A. Split horizon B. Split-tunnel C. Half pipe D. Full-tunnel

B. Split tunnel; Sends only traffic destined for the remote network over the VPN, with all other traffic split away to use the VPN system or a user's primary network connection.

Jason wants to implement a remote access VPN for users in his organization who primarily rely on hosted web applications. What common VPN type is best suited to this if he wants to avoid deploying client software to his end-user systems? A. An Internet Control Message Protocol (ICMP) VPN B. A TLS VPN C. A Remote Desktop Protocol (RDP) VPN D. An IPSec VPN

B. TLS VPN; frequently chosen when ease of use is important, and web applications are the primary usage mode

Gary has enabled automatic updates for the Windows systems that are used in the small business he works for. What hardening process will still need to be tackled for those systems if he wants a complete patch management system? A. Registry hardening B. Third-party software and firmware patching C. Automated installation of Windows patches D. Windows Update regression testing

B. Third-party software and firmware patching

Oliver just became the new security officer for a university. He is concerned with student workers who work late on campus that may try to log in with faculty credentials. Which of the following would be most effective in preventing this? A. Password length B. Time-of-day restrictions C. Credential management D. Usage auditing

B. Time-of-day Restrictions

Alaina is looking for a network authentication method that can use digital certificates and does not require users to remember passwords. Which of the following would best fit her requirements? A. RBAC B. Tokens C. OAuth D. OpenID

B. Tokens

Jane is the security administrator for a small company. She is trying to improve security throughout the network. Which of the following steps should she take first? A. Set password reuse policies B. Turn off unneeded services on all computers C. Implement acceptable use policies D. Implement antimalware on all computers

B. Turn off unneeded services on all computers

Isaac wants to implement mandatory access controls on an Android-based device. What can he do to accomplish this? A. Run Android in single-user mode B. Use SEAndroid C. Install MACDroid D. Change the Android registry to MAC mode

B. Use SEAndroid; SEAndroid is an Android implementation of SELinux

Patrick regularly connects to untrusted networks when he travels and is concerned that an on-path attack could be executed against him as he browses websites. He would like to validate certificates for those websites. What technique can he use to do this? A. Compare their private key to their public key B. Use certificate pinning C. Check the CRL D. Compare his private key to their public key

B. Use certificate pinning; associates a known certificate with a host and then compares that known certificate with the certificate that is presented.

What type of communications is Secure Real-Time Transport Protocol (SRTP) most likely used for? A. Email B. VoIP C. Web D. File Transfer

B. VoIP; SRTP is primarily used for VoIP and multimedia streaming or broadcasts

Which Wi-Fi protocol implements simultaneous authentication of equals (SAE) to improve on security models? A. WPA2 B. WPA3 C. WEP D. WPA

B. WPA3; replaces the pre-shared key mode found in WPA2 with SAE

Mark wants to provide a wireless connection with the highest possible amount of bandwidth. Which of the following should he select? A. Near Field Communication (NFC) B. LTE cellular C. 802.11ac Wi-Fi D. Bluetooth

C. 802.11ac Wi-Fi; Wi-Fi usually trumps everything except 5G in the right conditions

Chris wants to securely generate and store cryptographic keys for his organization's server, while also providing the ability to offload TLS encryption processing. What type of solution should he recommend? A. A TPM B. A GPU in cryptographic acceleration mode C. A HSM D. A CPU in cryptographic acceleration mode

C. A HSM

Ed needs to securely connect to a DMZ from an administrative network using Secure Shell (SSH). What type of system is frequently deployed to allow this to be done securely across security boundaries for network segments with different security levels? A. An Intrusion Prevention System (IPS) B. A Network Address Translation (NAT) gateway C. A jump box D. A router

C. A jump box; common solution for providing access to a network with a different security profile

John wants to deploy a solution that will provide content filtering for web applications, CASB functionality, DLP, and threat protection. What type of solution can he deploy to provide these features? A. A reverse proxy B. A VPC gateway C. A next-gen secure web gateway D. A next-gen firewall

C. A next-gen secure web gateway

Sarah has implemented an OpenID-based authentication system that relies on existing Google accounts. What role does Google play in a federated environment like this? A. A Service Provider (SP) B. A Registration Authority (RA) C. An Identity Provider (IdP) D. A Relying Party (RP)

C. An Identity Provider (IdP)

Greg is setting up a public key infrastructure (PKI). He creates an offline root certificate authority (CA) and then needs to issue certificates to users and devices. What system or device in a PKI receives certificate signing requests (CSRs) from applications, systems, and users? A. An intermediate CA B. A CRL C. An RA D. None of the above

C. An RA; registration authority

Alaina has implemented a HSM. Which of the following is not a typical HSM feature? A. Secure management of digital keys B. Encryption and decryption for digital signatures C. Boot attestation D. Strong authentication report

C. Boot attestation

The company that Angela works for has deployed a Voice over IP (VoIP) environment that uses SIP. What threat is the most likely issue for their phone calls? A. War dialing B. Vishing C. Call interception D. Denial of service attacks

C. Call interception

You are selecting an authentication method for your company's servers. You are looking for a method that periodically re-authenticates clients to prevent session hijacking. Which of the following would be your best choice? A. Password Authentication Protocol (PAP) B. OAuth C. Challenge Handshake Authentication Protocol (CHAP) D. Shiva Password Authentication Protocol (SPAP)

C. Challenge Handshake Authentication Protocol (CHAP)

What does setting the secure attribute for an HTTP cookie result in? A. Cookies must be accessed using a cookie key B. Cookies will be stored in hashed form C. Cookies will only be sent over HTTPS D. Cookies will be stored in encrypted form

C. Cookies will only be sent over HTTPS

Which of the following steps is a common way to harden the Windows registry? A. Set the registry to read-only mode B. Encrypt all user-mode registry keys C. Disable remote registry access if not required D. Ensure the registry is fully patched

C. Disable remote registry access if not required; recommended best practices whenever possible

Olivia is building a wireless network and wants to implement an Extensible Authentication Protocol (EAP)-based protocol for authentication. What EAP version should she use if she wants to prioritize reconnection speed and DOESN'T want to deploy client certificates for authentication? A. EAP-TLS B. PEAP C. EAP-FAST D. EAP-TTLS

C. EAP-FAST

What term is commonly used to describe lateral traffic movement within a network? A. Slider traffic B. Sidestepping C. East-west traffic D. Peer interconnect

C. East-west traffic; traffic sent laterally within a network

Christine wants to make sure that session persistence is maintained by her load balancer. What is she attempting to do? A. Ensure that all transactions go to the current server in a round-robin during the time it is in the primary server B. Assign the same external IP address to all servers wherever they are in the primary server assigned by the load balancer C. Ensure that all of a client's requests go to the same server for the duration of a given session or transaction D. Assign the same internal IP address to clients whenever they connect through the load balancer

C. Ensure that all of a client's requests go to the same server for the duration of a given session or transaction

Casey is considering implementing password key devices in her organization. She wants to use a broadly adopted open standard for authentication and needs her keys to support that. Which of the following standards should she look for her keys to implement, in addition to being able to connect via USB, Bluetooth, and NFC? A. OpenID B. Security Assertion Markup Language (SAML) C. Fast IDentity Online Alliance (FIDO) D. ARF

C. Fast IDentity Online Alliance (FIDO)

You're trying to increase security at your company. You are currently creating an outline of all the aspects of security that will need to be examined and acted on. Which of the following terms describes the process of improving security in a trusted OS? A. Self-Encrypted Drives (SED) B. Baselining C. Hardening D. Full Disk Encryption

C. Hardening

Olivia is implementing a load-balanced web application cluster. Her organization has a redundant pair of load balancers, but each unit is not rated to handle the maximum designed throughput of the cluster by itself. Olivia has recommended that the load balancers be implemented in an active/active design. What concern should she raise as part of this recommendation? A. The load balancer cluster is vulnerable to a denial-of-service attack B. The load balancer cluster cannot be patched without a service outage C. If one of the load balancers fails, it could lead to service degradation D. None of the above

C. If one of the load balancers fails, it could lead to service degradation

Daniel works for a mid-sized financial institution. The company has recently moved some of its data to a cloud solution. Daniel is concerned that the cloud provider may not support the same security policies as the company's internal network. What is the best way to mitigate this concern? A. Establish cloud security policies B. Perform integration testing C. Implement a cloud access security broker D. Implement security as a service

C. Implement a cloud access security broker

A company-wide policy is being created to define various security levels. Which of the following systems of access control would use documented security levels like Confidential or Secret for Information? A. Discretionary Access Control (DAC) B. BAC C. Mandatory Access Control (MAC) D. Role-based Access Control (RBAC)

C. Mandatory Access Control (MAC)

Which of the following connection methods only work via a line-of-sight connection? A. Bluetooth B. Wi-Fi C. Infrared D. NFC

C. Infrared

Brandy wants to make sure that his intrusion prevention system (IPS) is able to stop attack traffic. Which deployment method is most appropriate for this requirement? A. Inline, deployed as an IDS B. Passive via a tap, deployed as an IPS C. Inline, deployed as an IPS D. Passive via a tap, deployed as an IDS

C. Inline, deployed as an IPS; IPS must be deployed inline to stop attack traffic

Jani is explaining how IPSec works to a new network administrator. She is trying to explain the role of Internet Key Exchange (IKE). Which of the following most closely matches the role of IKE in IPSec? A. It encrypts the packet B. It establishes the tunnel C. It establishes the Security Associations (SAs) D. It authenticates the packet

C. It establishes the Security Associations (SAs)

What does Unified Extensible Firmware Interface (UEFI) Secure Boot do? A. It validates the system BIOS version B. It protects against worms during the boot process C. It validates a signature for each binary loaded during boot D. All of the above

C. It validates a signature for each binary loaded during boot; does this to ensure the hash is valid by checking against either a locally trusted certificate or a checksum on an allow list.

What does Kerberos use to issue tickets? A. Certificate authority B. Ticket-granting service C. Key distribution center D. Authentication service

C. Key distribution center

Ben is preparing to implement a firewall for his network and is considering whether to implement an open source firewall or a proprietary commercial firewall. Which of the following is not an advantage of an open source firewall? A. Community code validation B. Lower cost C. Maintenance and support D. Speed of acquisition

C. Maintenance and support; open source firewalls typically don't have the same level of vendor support and maintenance that commercial firewalls do.

Endpoint detection and response has three major components that make up its ability to provide visibility into endpoints. Which of the following is not one of those three parts? A. Data exploration B. Suspicious activity detection C. Malware analysis D. Data search

C. Malware analysis; not designed to be a malware analysis tool

Cynthia is preparing a new server for deployment and her process includes turning off unnecessary services, setting security settings to match her organization's baseline configuration, and installing patches and updates. What is this process known as? A. Configuration management B. Security uplift C. OS hardening D. Endpoint lockdown

C. OS hardening

Charles is concerned that users of Android devices in his company are delaying OTA updates. Why would Charles be concerned about this, and what should he do about it? A. OTA updates update device encryption keys and are necessary for security, and a PKI would track encryption certificates and keys B. OTA updates patch applications and a NAC agent would report all phones in the organization C. OTA updates patch firmware and update phone configurations and an MDM tool would provide reports on firmware versions and phone settings D. OTA updates are sent by phones to report online activity, and tracking and an MDM tool receives OTA updates to monitor phones.

C. OTA updates patch firmware and update phone configurations and an MDM tool would provide reports on firmware versions and phone settings

Henry is an employee at Acme Company. The company requires him to change his password every three months. He has trouble remembering new passwords, so he keeps switching between two passwords. Which of the following policies would be most effective in preventing this? A. Password complexity B. Multi-factor authentication C. Password history D. Password length

C. Password history

Izzy is responsible for security at a mid-sized company. She wants to prevent users on her network from visiting job-hunting sites while at work. Which of the following would be the best device to accomplish this goal? A. Network Address Translation (NAT) B. Network-based Intrusion Prevention System (NIPS) C. Proxy server D. A packet filter firewall

C. Proxy server; proxy can be used to block certain websites

Nikki is responsible for cryptographic keys in his company. What is the best way to deauthorize a public key? A. Notify the registration authority (RA) B. Delete the digital certificate C. Publish that certificate in the certificate revocation list (CRL) D. Send out a network alert

C. Publish that certificate in the certificate revocation list (CRL)

Amanda wants to allow users from other organizations to log into her wireless network. What technology would allow her to do this using their own home organization's credentials? A. OpenID Connect B. 802.11q C. RADIUS federation D. Pre-shared keys

C. RADIUS federation

Many smartcards implement wireless technology to permit them to be used without a card reader. What wireless technology is frequently used to allow the use of smartcards for entry-access readers and similar access controls? A. Wi-Fi B. Bluetooth C. RFID D. Infrared

C. RFID

Theresa implements a network based IDS. What can she do to traffic that passes through that IDS? A. Review the traffic based on rules and detect and stop traffic based on those rules B. Detect sensitive data being sent to the outside world and encrypt it as it passes through the IDS C. Review the traffic based on rules and detect and alert about unwanted or undesirable traffic D. All of the above

C. Review the traffic based on rules and detect and alert about unwanted or undesirable traffic

Alana is concerned with the security of her NTP time synchronization service because she knows that protocols like TLS and BGP are susceptible to problems if fake NTP messages were able to cause time mismatches between systems. What tool could she use to quickly protect her NTP traffic between Linux systems? A. A TLS VPN B. RDP C. SSH tunneling D. An IPSec VPN

C. SSH tunneling

Shurrell is concerned that users on his network may have too many passwords to remember and might write down their passwords, therefore creating a significant security risk. Which of the following would be most helpful in mitigating this issue? A. SAML B. LDAP C. SSO D. Multi-factor authentication

C. SSO

Victor is a network administrator for a medium-sized company. He wants to be able to access servers remotely so that he can perform small administrative tasks from remote locations. Which of the following would be the best protocol for him to use? A. Remote Shell (RSH) B. Telnet C. Secure Shell (SSH) D. Simple Network Management Protocol (SNMP)

C. Secure Shell (SSH); encrypted protocol, also authenticates the user with public-key cryptography

Lucas is looking for an XML-based open standard for exchanging authentication information. Which of the following would best meet his needs? A. OAuth B. New Technology LAN Manager (NTLM) C. Security Assertion Markup Language (SAML) D. Remote Authentication Dial-In User Service (RADIUS)

C. Security Assertion Markup Language (SAML)

Hans is a security administrator for a large company. Users on his network visit a wide range of websites. He is concerned they might get malware from one of these many websites. Which of the following would be the best approach to mitigate this threat? A. Implement host-based antivirus B. Set browsers to block all active content (ActiveX, JavaScript, etc.) C. Set browsers to allow only signed components D. Blacklist known infected sites

C. Set browsers to allow only signed components

Charlene's company uses rack mounted sensor appliances in their datacenter. What are sensors like these typically monitoring? A. Power quality and reliability B. Smoke and fire C. Temperature and humidity D. None of the above

C. Temperature and humidity

Megan is preparing a certificate signing request (CSR) and knows that she needs to provide a CN for her web server. What information will she put into the CN field for the CSR? A. The hostname B. The company's name C. Common Name/The fully qualified domain name of the system D. Her name

C. The fully qualified domain name of the system; The CN, Common Name, for a system is typically the fully qualified domain name (FQDN) of the system

Maria is responsible for security at a small company. She is concerned about unauthorized devices being connected to the network. She is looking for a device authentication process. Which of the following would be the best choice for her? A. 802.11i B. Kerberos C. CHAP D. 802.1X

D. 802.1X; The IEEE standard for port-based network access control.

Brian is concerned with the security of his company's web application. Since the application processes confidential data, he is most concerned with data exposure. Which of the following would be the most important for him to implement? A. Network-based Intrusion Prevention System (NIPS) B. Network-based Intrusion Detection System (NIDS) C. Transport Layer Security (TLS) D. Web Application Firewall (WAF)

C. Transport Layer Security (TLS); most fundamental step to take with any website

Emily is a network administrator and is concerned with the security of peripheral devices. Which of the following would be a basic step she could take to improve security for those devices? A. Implement Full Disk Encryption (FDE) B. Utilize fuzz testing for all peripherals C. Turn off remote access (SSH, Telnet, etc.) if not necessary D. Implement digital certificates for all peripherals

C. Turn off remote access (SSH, Telnet, etc.) if not necessary

Michael wants to secure mail being retrieved via the Post Office Protocol Version 3 (POP3) because she knows that it is unencrypted by default. What is her best option to do this while leaving POP3 running on its default port? A. Use IKE via port 25 B. Use TLS via port 25 C. Use TLS via port 110 D. Use IKE via port 110

C. Use TLS via port 110

You work at a large company. You are concerned about assuring that all workstations have a common configuration, that no rogue software is installed, and that all patches are kept up to date. Which of the following would be the most effective for accomplishing this? A. Implement strong patch management B. Use an image for all workstations C. Use a Virtual Desktop Infrastructure (VDI) D. Implement restrictive policies

C. Use a Virtual Desktop Infrastructure (VDI); if all desktops are virtualized, then you can manage patches, configuration, and software installation from one central location

Katy's organization uses File Transfer Protocol (FTP) for contractors to submit their work product to her organization. The contractors work on sensitive customer information, and then use organizational credentials provided by Katy's company to log in and transfer the information. What sensitive information could attackers gather if they were able to capture the network traffic involved in this transfer? A. Nothing because FTP is a secure protocol B. The content of the files that were uploaded C. Usernames, passwords, and file content D. IP addresses for both client and server

C. Usernames, passwords, and file content

Which wireless standard uses CCMP to provide encryption for network traffic? A. WEP B. Bluetooth C. WPA2 D. Infrared

C. WPA2; uses the AES-based Counter Mode with Cipher Block Chaining Message Authentication Code (CBC-MAC) Protocol to encapsulate traffic, providing confidentiality

Greg has implemented a system that allows users to access accounts like administrator and root without knowing the actual passwords for the accounts. When users attempt to use the elevated accounts, their request is compared to policies that determine if the request should be allowed. The system generates a new password each time a trusted user requests access and then logs the access request. What type of system has Greg implemented? A. A Full Disk Encryption (FDE) system B. A Transport Layer Security (TLS) system C. A Mandatory Access Control (MAC) system D. A Privileged Access Management (PAM) system

D. A Privileged Access Management (PAM) system

Patrik wants to deploy VPN technology that is as easy for end-users to use as possible. What type of VPN should he deploy? A. An HTML5 L2TP VPN B. An IPSec VPN C. A SAML VPN D. An SSL/TLS VPN

D. An SSL/TLS VPN; easiest to use as it doesn't require a client

Frank knows that the systems he is deploying have a built-in TPM module. Which of the following capabilities is not a feature provided by TPM? A. The ability to bind and seal data B. Remote attestation capabilities C. A random number generator D. A cryptographic processor used to speed up SSL/TLS

D. A cryptographic processor used to speed up SSL/TLS; TPM includes ability to bind and seal data, remote attestation, and RNG

What term describes a cloud system that stores, manages, and allows auditing of API keys, passwords, and certificates? A. A hush service B. A cloud PKI C. A cloud TPM D. A secrets manager

D. A secrets manager; secrets management services provide the ability to store sensitive data, as well as the ability to manage, retrieve, and audit those secrets.

Manus is concerned with someone using a password cracker on computers in his company. He is worried that crackers will attempt common passwords to log in to a system. Which of the following would be the best for mitigating this threat? A. Account usage auditing B. Password age restrictions C. Password minimum length requirement D. Account lockout policies

D. Account lockout policies; accounts should lock after a certain number of attempts for enhanced security

What security benefits are provided by enabling DHCP snooping or DHCP sniffing on switches in your network? A. Collection of information about DHCP bindings B. Prevention of malicious or malformed DHCP traffic C. Prevention of rogue DHCP servers D. All of the above

D. All of the above

The certificate authority (CA) that Sam is responsible for is kept physically isolated and is never connected to a network. When certificates are issued, they are generated then manually transferred via removable media. What type of CA is this, and why would Sam's organization run a CA using this model? A. An online CA; it is faster to generate and provide codes B. An online CA; it prevents the exposure of the CA's root certificate C. An offline CA; it is faster to generate and provide certificates D. An offline CA; it prevents potential exposure of the CA's root certificate

D. An offline CA; it prevents the exposure of the CA's root certificate

Josh is looking for an authentication protocol that would be effective at stopping session hijacking. Which of the following would be his best choice? A. Terminal Access Controller Access Control Server (TACACS+) B. Password Authentication Protocol (PAP) C. Remote Authentication Dial-In User Service (RADIUS) D. Challenge Handshake Authentication Protocol (CHAP)

D. Challenge Handshake Authentication Protocol (CHAP)

Which of the following is not a common way to validate control over a domain for a domain-validated X.509 certificate? A. Responding to an email sent to a contact in the domain's WHOIS information B. Publishing a nonce provided by the certificate authority as part of the domain information C. Changing the DNS TXT record D. Changing the IP addresses associated with the domain

D. Changing the IP addresses associated with the domain

You're designing a new network infrastructure so that your company can allow unauthenticated users connecting from the Internet to access certain areas. Your goal is to protect the internal network while providing access to those areas. You decide to put the web server on a separate subnet open to public contact. What is this called? A. Intranet B. VLAN C. Guest network D. DMZ

D. DMZ; separate subnet coming from a separate router interface. Public traffic not allowed to pass to the interface that connects to the internal private network.

Which design concept limits access to systems from outside users while protecting users and systems inside the LAN? A. Router B. Guest network C. Virtual Local Area Network (VLAN) D. Demilitarized Zone (DMZ)

D. Demilitarized Zone (DMZ)

Lisa has been tasked with hardening the systems in her environment and wants to ensure that data cannot be recovered from systems if they are stolen or their disk drives are stolen and accessed. What is her best option to ensure data security in these situations? A. Deploy folder level encryption B. Degauss all the drives C. Deploy file-level encryption D. Deploy full disk encryption

D. Deploy full disk encryption

Stefan needs to explain the access control scheme used by both the Windows and Linux filesystems. What access control scheme do they implement by default? A. Role-based access control B. Rule-based access control C. Mandatory access control D. Discretionary access control

D. Discretionary access control

Jen wants to prevent the bulk gathering of email addresses and other directory information from her web-exposed Lightweight Directory Access Protocol (LDAP) directory. Which of the following options would NOT help with this? A. Rate limiting queries B. Requiring authentication C. Using a back-off algorithm D. Implementing LDAPS

D. Implementing LDAPS; provides security for the queried information as it transits networks

Juan is a network administrator for an insurance company. His company has a number of traveling salespeople. He is concerned about confidential data on their laptops. What is the best way for him to address this? A. Trusted Platform Module (TPM) B. Demilitarized Zone (DMZ) C. Software-Defined Network (SDN) D. Full Disk Encryption (FDE)

D. Full Disk Encryption

Derek is in charge of his organization's certificate authorities and wants to add a new certificate authority. His organization already has three certificate authorities operating in a mesh: I. South American CA II. United States CA III. European Union CA. As they want to expand into Australia, Derek wants to add 'IV. Australian CA'. Which CA will Derek need to issue certificates from IV to ensure that systems in the Australian domain are able to access servers in I, II, and III's domain? A. He needs to provide the private key from IV to each of the other CAs B. He needs to receive the private key from each of the other CAs and use it to sign the root certificate for IV C. He needs all the other systems to issue IV certificates so that his systems will be trusted there D. He needs to issue certificates from IV to each of the other CAs' systems and then have the other CAs issue IV a certificate

D. He needs to issue certificates from IV to each of the other CAs' systems and then have the other CAs issue IV a certificate

Sam has used ssh-keygen to generate new SSH keys. Which SSH key should she place on the server she wants to access, and where is it typically stored on a Linux system? A. Her public SSH key, /etc/ B. Her private SSH key, /etc/ C. Her private SSH key, ~/.ssh D. Her public SSH key, ~/.ssh

D. Her public SSH key, ~/.ssh

Naomi has deployed her organization's cloud-based virtual datacenters to multiple Google datacenter locations around the globe. What does this design provide for her systems? A. Resistance to insider attacks B. Vendor diversity C. Decreased costs D. High availability across multiple zones

D. High availability across multiple zones

Charles wants to use IPSec and needs to be able to determine the IPSec policy for traffic based on the port it is being sent to on the remote system. Which IPSec mode should he use? A. IPSec IKE mode B. IPSec PSK mode C. IPSec tunnel mode D. IPSec transport mode

D. IPSec transport mode

Martin is building his organization's container security best practices document and wants to ensure that he covers the most common items for container security. Which of the following is NOT a specific concern for containers? A. The security of the container host B. Securing the management stack for the container C. Monitoring network traffic to and from containers for threats and attacks D. Insider threats

D. Insider threats

What is the primary advantage of allowing only signed code to be installed on computers? A. It guarantees that malware will not be installed B. It executes faster on computers with a TPM C. It improves patch management D. It verifies who created the software

D. It verifies who created the software

Manny wants to download apps that aren't in the iOS App Store, as well as change settings at the OS level that Apple does not normally allow to be changed. What would he need to do to his iPhone to allow this? A. Buy an app via a third-party app store B. Install Android on the phone C. Install an app via side-loading D. Jailbreak the phone

D. Jailbreak the phone

Caroline is responsible for various network protocols at her company. The Network Time Protocol has been intermittently failing. Which of the following would be most affected? A. Lightweight Directory Access Protocol (LDAP) B. CHAP C. Remote Authentication Dial In User Service (RADIUS) D. Kerberos

D. Kerberos; uses various tickets, each of which has a time limit

Charlie is preparing a report on the most common application security issues for cloud applications. Which of the following is NOT a major concern for cloud applications? A. Account compromise B. Insecure APIs C. Misconfiguration of the application D. Local machine access leading to compromise

D. Local machine access leading to compromise

Adam has experienced problems with users plugging in cables between switches on his network, which results in multiple paths to the same destinations being available to systems on the network. When this occurs, the network experiences broadcast storms, causing network outages. What network configuration setting should he enable on his switches to prevent this? A. Sticky port B. Storm watch C. Port inspection D. Loop protection

D. Loop protection

Carly has been asked to set up access control for a server. The requirements state that users at a lower privilege level should not be able to see or access files or data at a higher privilege level. What access control model would best fit these requirements? A. Role-based Access Control (RBAC) B. Discretionary Access Control (DAC) C. Security Assertion Markup Language (SAML) D. Mandatory Access Control (MAC)

D. Mandatory Access Control (MAC); will not allow lower privileged users to even see the data at a higher privilege level

Louis is designing the physical layout for her wireless access point (WAP) placement in her organization. Which of the following items is not a common concern when designing a WAP layout? A. Performing a site survey B. Determining construction material of the walls around the access points C. Assessing power levels from other access points D. Maximizing coverage overlap

D. Maximizing coverage overlap; focused on minimizing coverage overlap

Waleed's organization uses a combination of internally developed and commercial applications that they deploy to mobile devices used by staff throughout the company. What type of tool can he use to handle a combination of BYOD phones and corporate tablets that need to have these applications loaded onto them and removed from them when their users are no longer part of the organization? A. Microsoft Operations Manager (MOM) B. Multilevel Marketing (MLM) C. MIM D. Mobile Application Management (MAM)

D. Mobile Application Management (MAM)

Derek is making an effort to select an authentication method for his company. He needs one that will work with a broad range of services like those provided by Microsoft and Google so that users can bring their own identities. Which of the following would be his best solution? A. Shibboleth B. RADIUS C. OAuth D. OpenID Connect

D. OpenID Connect; supports multiple clients including mobile and web-based

You have been asked to find an authentication service that is handled by a third party. The service should allow users to access multiple websites as long as they support the third-party authentication service. What would be your best choice? A. Shibboleth B. Kerberos C. NTLM D. OpenID

D. OpenID; authentication service normally provided by a third-party

Wi-Fi Protected Setup (WPS) includes four modes for adding devices to a network. Which mode has significant security concerns due to a brute-force exploit? A. USB B. Push button C. Near-field communication D. PIN

D. PIN

Jennifer is concerned that some people in her company have more privileges than they should. This has occurred due to people moving from one position to another and having cumulative rights that exceed the requirements of their current jobs. Which of the following would be most effective in mitigating this issue? A. Preventing job rotation B. Separation of duties C. Job rotation D. Permission auditing

D. Permission auditing

You are the chief information security officer (CISO) for a large company. You have discovered malware on one of the workstations. You are concerned that the malware might have multiple functions and might have caused more security issues with the computer than you can currently detect. What is the best way to test this malware? A. It is not important to analyze or test it; just remove it from the machine B. Place the malware on a honeypot for testing C. Leave the malware on that workstation until it is tested D. Place the malware on a sandbox environment for testing

D. Place the malware on a sandbox environment for testing

Zana has implemented wireless authentication for her network using a passphrase that she distributed to each member of her organization. What type of authentication method has she implemented? A. Open B. Enterprise C. Captive Portal D. Pre-shared Key (PSK)

D. Pre-shared Key (PSK)

Jade is responsible for web application security for her company's e-commerce server. She is particularly concerned with XSS and SQL injection. Which technique would be most effective in mitigating these attacks? A. The use of stored procedures B. Proper error handling C. Code signing D. Proper input validation

D. Proper input validation

Michael's organization uses self-signed certificates throughout its internal infrastructure. After a compromise, Michael needs to revoke one of the self-signed certificates. How can he do that? A. Contact the certificate authority and request that they revoke the certificate. B. Reissue the certificate, causing the old version to be invalidated C. Add the certificate to the CRL D. Remove the certificate from the list of whitelisted certificates from each machine that trusts it

D. Remove the certificate from the list of whitelisted certificates for each machine that trusts it

Which of the following access control methods grants permission based on the user's position in the organization? A. Mandatory Access Control (MAC) B. Discretionary Access Control (DAC) C. Attribute-Based Access Control (ABAC) D. Role-Based Access Control (RBAC)

D. Role-Based Access Control (RBAC)

What certificate is most likely to be used by an offline certificate authority (CA)? A. Machine/computer B. Email C. User D. Root

D. Root

Frankie is a security administrator for a large company. Occasionally, a user needs access to a specific resource that they don't have permission to access. Which access control methodology would be most helpful in this situation? A. Discretionary access control (DAC) B. Mandatory access control (MAC) C. Role-based access control D. Rule-based access control

D. Rule-based access control

Your company relies heavily on cloud and SaaS service providers such as salesforce.com, Office365, and Google. Which of the following would you have security concerns about? A. TACACS+ B. Lightweight Directory Access Protocol (LDAP) C. Transitive Trust D. Security Assertion Markup Language (SAML)

D. Security Assertion Markup Language (SAML); the integrity of users is the weakness in the SAML identity chain

Important data about the internal network of your company has been leaked online. There has been no breach of your network by an attacker. What type of issue is this? A. Host-based firewall B. File integrity check C. DLP failure for a malicious user D. Social media

D. Social media

Miley wants to ensure that her internal DNS cannot be queried by outside users. What DNS design pattern uses different internal and external DNS servers to provide potentially different DNS responses to users of those networks? A. DMZ DNS B. DNS proxying C. DNSSEC D. Split horizon DNS

D. Split horizon DNS; deploys distinct DNS servers for two or more environments ensuring that those environments receive DNS information appropriate to the DNS view.

Which type of firewall examines the content and context of each packet it encounters? A. Application layer firewall B. Packet filtering firewall C. D. Stateful packet filtering firewall

D. Stateful packet filtering; Stateful inspection firewall examines the content and context of each packet it encounters

The firewall that Walter has deployed looks at every packet sent by systems that travel through it, ensuring that each packet matches the rules that it operates and filters traffic by. What type of firewall is being described? A. Stateful B. Application layer C. Next generation D. Stateless

D. Stateless

Trixie is a software development team manager. She is concerned with memory leaks in code. What type of testing is most likely to find memory leaks? A. Stress testing B. Fuzzing C. Normalization D. Static code analysis

D. Static code analysis; can be used to check if all memory allocation commands have a matching deallocation command

Alaina has been told that her organization uses a SAN certificate in their environment. What does this tell Alaina about the certificate in use by her organization? A. It is provided by SANs, a network security organization B. It is used for a storage area network C. The certificate is part of a self-signed, self-assigned namespace D. The certificate allows multiple hostnames to be protected by the same certificate

D. The certificate allows multiple hostnames to be protected by the same certificate

What is the primary difference between Mobile Device Management (MDM) and Unified Endpoint Management (UEM)? A. MDM patches domain machines not enterprise machines B. MDM does not include patch management C. UEM does not include support for mobile devices D. UEM supports a broader range of devices

D. UEM supports a broader range of devices

Gabriel wants to enforce a wide variety of settings for devices used in her organization. Which of the following methods should she select if she needs to manage hundreds of devices while setting rules for use of SMS and MMS, audio and video recording, GPS tagging, and wireless connection methods like tethering and hotspot modes? A. Require users to configure their phones using a lockdown guide B. Use a CASB tool to manage the devices C. Use baseline settings automatically set for every phone before it is deployed using an imaging tool D. Use a UEM tool and application to manage the devices

D. Use a UEM tool and application to manage the devices

John is preparing to implement an 802.1X-enabled wireless infrastructure. He knows that he wants to use an Extensible Authentication Protocol (EAP)-based protocol that does not require client-side certificates. Which of the following options should he choose? A. EAP-MD5 B. EAP-TLS C. Protected Extensible Authentication Protocol (PEAP) D. Lightweight Extensible Authentication Protocol (LEAP)

Protected Extensible Authentication Protocol (PEAP); relies on server-side certificates and relies on tunneling to ensure communications security.

What does a stateful firewall do?

It pays attention to conversations and allows packets to pass through once they have been verified by the initial exchange.

You are outlining your plans for implementing a wireless network to upper management. What wireless security standard should you adopt if you DO NOT want to use enterprise authentication but want to provide secure authentication for users that doesn't require a shared password or passphrase? A. WEP B. WPA2 C. WPA D. WPA3

WPA3; uses SAE, providing a more secure way to authenticate and allowing users to use different passwords

