CompTIA Security+ Practice Exam SY0-701: Domain #3


Malia is reviewing potential considerations for her ICS deployment. Which of the following is typically not a consideration that Malia can control or change for embedded devices?
A. Ease of deployment
B. Patch availability
C. Risk transference
D. Compute

D. Compute is rarely a significant concern for embedded systems. They're designed to function for long periods of time performing a specific function and do not have additional software or functions added. How easy they are to deploy, if they can be patched and updated, and the support lifespan as guaranteed or promised by the vendor, and risk transference by engaging third‐party vendors are all likely concerns for a major industrial control system (ICS) deployment that Malia can control through the selection process.

Madhuri has configured a backup that will back up all of the changes to a system since the last time that a full backup occurred. What type of backup has she set up?
A. A snapshot
B. A full backup
C. An incremental backup
D. A differential

D. Differential backups back up all of the changes since the last full backup. An incremental backup backs up all changes since the last incremental backup. A snapshot captures machine state and the full drive at a bitwise level, and full backups are a complete copy of a system but typically do not include the memory state.

Nick wants to protect Microsoft Excel files in transit across a network. Which of the following is not a method he could use to protect data in transit?
A. TLS
B. VPN
C. File encryption
D. Disk encryption

D. Disk encryption is used to protect data at rest, not data in use or data in transit. TLS, VPNs, and file encryption can all be used to protect files that are sent via a network.

Ben has been asked to explain the security implications for an embedded system that his organization is considering building and selling. Which of the following is not a typical concern for embedded systems?
A. Limited processor power
B. An inability to patch
C. Lack of authentication capabilities
D. Lack of bulk storage

D. Embedded systems can bring a broad range of security implications, many of which are driven by the limited capabilities of the processors and hardware they are frequently built with. Low‐power consumption designs may lack computational power and thus have challenges implementing strong cryptography, network connectivity, and other similar problems. Patching embedded systems can be challenging both because of where they are deployed and because of a lack of connectivity for them—in fact, in many environments, you may not want the devices to be connected to your network. Since many don't have a screen, keyboard, or a network connection, authentication is also a problem. Few embedded devices, however, need bulk storage, making the lack of bulk storage a problem that typically isn't a major concern.

What element of the CIA triad is geographic dispersion intended to help with?
A. Confidentiality
B. Integrity
C. Assurance
D. Availability

D. Geographic dispersion is intended to help with availability by ensuring that a single disaster does not take multiple datacenters or other facilities offline. It does not directly impact confidentiality or integrity, and assurance is not part of the CIA triad.

John is running an IDS on his network. Users sometimes report that the IDS flags legitimate traffic as an attack. What describes this?
A. False positive
B. False negative
C. False trigger
D. False flag

A. When an intrusion detection system (IDS) or antivirus/antimalware mistakes legitimate traffic for an attack, this is called a false positive. A false negative is when the IDS mistakes an attack for legitimate traffic. It is the opposite of a false positive. Options C and D are both incorrect. Although these may be grammatically correct, these are not the terms used in the industry. In military operations, false flag operations attempt to transfer blame to another organization or adversary, thus a "false flag."

Jason wants to implement a remote access virtual private network (VPN) for users in his organization who primarily rely on hosted web applications. What common VPN type is best suited to this if he wants to avoid deploying client software to his end‐user systems?
A. A TLS VPN
B. An RDP (Remote Desktop Protocol) VPN
C. An Internet Control Message Protocol (ICMP) VPN
D. An IPSec VPN

A. A Transport Layer Security (TLS) VPN is frequently chosen when ease of use is important, and web applications are the primary usage mode. RDP is a remote access tool, not a VPN tool, and ICMP is used for things like ping, not for VPN. IPSec VPNs are used for site‐to‐site VPNs and for purposes where other protocols may be needed, because they make the endpoint system appear to be on the remote network.

Derek has been asked to implement his organization's service‐oriented architecture as a set of microservices. What does he need to implement?
A. A set of loosely coupled services with specific purposes
B. A set of services that run on very small systems
C. A set of tightly coupled services with custom‐designed protocols to ensure continuous operation
D. A set of services using third‐party applications in a connected network enabled with industry standard protocols

A. A microservice architecture builds applications as a set of loosely coupled services that provide specific functions using lightweight protocols. It doesn't specifically define the size of the systems, but it is not a tightly coupled environment. Protocol choice is often open standards-based, but the emphasis is on lightweight protocols. There is not a requirement that services be in‐house or third party exclusively.

Eva wants to deploy a network security device that will provide firewall services as well as IPS and email filtering. Which device should she deploy?
A. A UTM
B. An FWSM
C. A WAF
D. An ELB

A. A unified threat management (UTM) device combines multiple security services including firewall, IDS or IPS, antivirus/antimalware, email filtering, WAF, and similar services into a single solution. An FWSM, or firewall service module, is an older Cisco chassis‐based firewall; a WAF is a web application firewall; and an ELB is Elastic Load Balancer, a load‐balancing service available via AWS.

Nathaniel wants to improve the fault tolerance of a server in his datacenter. If he wants to ensure that a power outage does not cause the server to lose power, what is the first control he should deploy from the following list?
A. A UPS
B. A generator
C. Dual power supplies
D. Managed power units (PDUs)

A. An uninterruptible power supply (UPS) should be Nathaniel's first priority. Ensuring that power is not disrupted during an outage and can be maintained for a short period until alternate power like a generator can come online is critical, and a UPS can provide that capability. A generator alone will take longer to come online, resulting in an outage. Dual power supplies can help to build resilience by allowing multiple power sources and avoiding issues if a power supply does fail, but that is not the focus of the question. A managed power distribution unit (PDU) provides remote management and power monitoring but will not prevent power loss in an outage.

Binary data is an example of what type of data?
A. Non‐human‐readable
B. Encrypted
C. Human‐readable
D. Masked

A. Binary data is a form of non‐human‐readable data. Encrypted data may be in binary format, but not all binary data is encrypted. Binary data is not human‐readable, nor is it masked, which hides elements of data to allow for it to be used without exposing the underlying data.

Hrant is deploying a network tap that supports an IPS for monitoring. If he wants to ensure that his organization's security remains the same even if the tap and IPS fails, and prefers downtime to a lack of monitoring, what type of failure mode and monitoring deployment should he select?
A. In‐line, fail‐closed
B. In‐line, fail‐open
C. Tap, fail‐closed
D. Tap, fail‐open

A. Hrant's use of an IPS means he wants to be in‐line to allow him to block traffic. Since he prefers that a failure remain secure rather than potentially allowing attacks through, he should select a fail‐closed implementation.

Theresa implements a network‐based IDS. What can she do to traffic that passes through the IDS?
A. Review the traffic based on rules and detect and alert about unwanted or undesirable traffic.
B. Review the traffic based on rules and detect and stop traffic based on those rules.
C. Detect sensitive data being sent to the outside world and encrypt it as it passes through the IDS.
D. All of the above.

A. IDSs, or intrusion detection systems, can only detect unwanted and malicious traffic based on the detection rules and signatures that they have. They cannot stop traffic or modify it. An IPS, or intrusion prevention system, that is placed in line with network traffic can take action on that traffic. Thus, IDSs are often used when it is not acceptable to block network traffic, or when a tap or other network device is used to clone traffic for inspection.

What failure mode is typically preferred for in‐line network taps?
A. Fail‐open
B. Fail over
C. Fail‐closed
D. Fail‐reset

A. In‐line network taps are typically configured to fail‐open since they are used to create a copy of the network traffic. Devices that provide in‐line security like IPS systems may be configured to fail‐closed because their failure removes critical security functionality. Fail over describes the ability to fail to another device, which is not a common function for an in‐line tap. Fail‐reset was made up for this question.

What are the key limiting factors for cryptography on low‐power devices?
A. There are system limitations on memory, CPU, and storage.
B. The devices cannot support public key encryption due to an inability to factor prime numbers.
C. There is a lack of chipset support for encryption.
D. Legal limitations for low‐power devices prevent encryption from being supported.

A. Low‐power devices typically have limited processor speed, memory, and storage, meaning that encryption can be a challenge. Fortunately, solutions exist that implement low‐power cryptographic processing capabilities, and continued advances in processor design continue to make lower‐power processors faster and more efficient. Legal limitations do not typically take into account whether a device is a low‐power device, and public key encryption can be implemented on a wide range of CPUs and embedded systems, so factoring prime numbers is unlikely to be an issue.

Valerie is concerned that the data obfuscation technique that her organization is using to ensure customer data is not visible to staff members who do not need to see it for their jobs may be vulnerable to client‐side tampering. Which of the following techniques is most likely to be vulnerable to client‐side tampering resulting in de‐obfuscation?
A. Masking
B. Tokenization
C. Encryption
D. Hashing

A. Masking may be conducted in client‐side code, resulting in potential exposures of data. Secure designs require masking to occur in server‐side code rather than in the client‐side web application. Tokenization typically relies on a separate database or field, making it less likely to be a problem. Encryption and hashing are both unlikely to have problems with client‐side tampering, making them less secure.

Valentine wants to choose an appropriate obfuscation method to allow her customer service representatives to validate credit card numbers without exposing the full number to the staff member. What obfuscation method should she select?
A. Masking
B. Tokenization
C. Steganography
D. Hashing

A. Masking replaces some characters with an alternate character, allowing tasks like validating credit card numbers without exposing all of a data field. Tokenization replaces values with a replacement value allowing data to be accessed without exposing the actual value. Steganography hides data in images and is not a useful solution in this scenario. Hashing is a mathematical technique that analyzes a file and computes a unique fingerprint, known as a message digest or hash, for that file.

Mila wants to generate a unique digital fingerprint for a file, and needs to choose between a checksum and a hash. Which option should she choose and why should she choose it?
A. A hash, because it is unique to the file
B. A checksum, because it verifies the contents of the file
C. A hash, because it can be reversed to validate the file
D. A checksum, because it is less prone to collisions than a hash

A. Mila should select a hash because a hash is designed to be unique to each possible input. That means that multiple files could have the same checksum value, whereas a hashing algorithm will be unique for each file that it is run against.

Mikayla wants to prevent unauthorized users from plugging network devices into her wired network. What control would be most effective for this if she needs Ethernet jacks to be available in publicly accessible spaces for her staff to plug devices in as they move around the facility, but also wants to ensure those devices are secure?
A. NAC
B. Port security
C. IPS
D. Jump servers

A. Network access control (NAC) can both profile device security and validate that a given user is authorized to plug a device into a specific Ethernet jack, which makes it the best solution for Mikayla's use case. Port security's list of recognized MAC addresses is potentially vulnerable to MAC spoofing and does not meet the device security check requirements described. An IPS can help prevent network attacks but does not control port‐level access, and jump servers are used to allow access to secured network segments, not to protect individual network jacks.

Abigail is responsible for setting up a network‐based intrusion prevention system (NIPS) on her network. The NIPS is located in one particular network segment. She is looking for a passive method to get a copy of all traffic to the NIPS network segment so that it can analyze the traffic. Which of the following would be her best choice?
A. Using a network tap
B. Using port mirroring
C. Setting the NIPS on a VLAN that is connected to all other segments
D. Setting up a NIPS on each segment

A. Network taps copy all traffic to another destination, allowing traffic visibility without a device inline. They are completely passive methods of getting network traffic to a central location. Port mirroring would get all the traffic to the network‐based intrusion prevention system (NIPS) but is not completely passive. It requires the use of resources on switches to route a copy of the traffic. Incorrect switch configurations can cause looping. Configuring loop detection can prevent looped ports. Putting a network NIPS on every segment can be very expensive and require extensive configuration work. Setting up a NIPS on each segment would also dramatically increase administrative efforts.

Nancy wants to adopt a backup strategy that will meet her organization's desires about the amount of data that could be lost in a scenario where a restoration from backup was required and also wants to establish guidelines for how long a restoration should take. What two key objectives should she set?
A. An RPO and an RTO
B. An RFBT and an RPO
C. An RPO and an MTBF
D. An MTBF and an RFBT

A. Organizations set recovery point objectives (RPOs), which describe how much data is acceptable to lose in a data loss event, and recovery time objectives (RTOs), which describe the maximum amount of time that it should take to recover data. Together these two objectives help guide backup strategy and infrastructure design and implementation. MTBF (mean time before failure) describes the mean time before a device like a hard drive, power supply, or network switch will fail, typically described in hours of powered‐on operation. RFBT was made up for this question.

The company that Alex works for is preparing to adopt a platform as a service tool for their customer relationship management needs. Alex knows that third‐party vendors are responsible for some, but not all, security in a PaaS environment. Which of the following is the PaaS vendor responsible for?
A. Network security
B. Endpoint security
C. User account security
D. Application security

A. PaaS vendors are responsible for the underlying service and platform, including the networks, systems, and infrastructure that it runs on, including their security. Customers are responsible for their use of the platform, including endpoints, users, and applications built on the platform, again including their security.

Yasmine wants to ensure that her organization has appropriate connectivity as part of their infrastructure design for their primary site. Which of the following concerns should she review to ensure that physical disasters do not disable her company's operations?
A. Service provider path diversity
B. Ensuring both fiber and copper connectivity are used
C. Implementing SD‐WAN
D. Geographic dispersion

A. Path diversity ensures that the connectivity to the facility does not take the same path. This helps to prevent the moment network managers dread when a single accident—or construction equipment in the wrong place—tears up multiple fiber or copper paths, taking organizations offline. Diversity of the cabling type is not a requirement or need, SD‐WAN does not directly address physical disasters, and geographic dispersion is not possible at a single site.

Matt has enabled port security on the network switches in his building. What does port security do?
A. Filters by MAC address
B. Prevents routing protocol updates from being sent from protected ports
C. Establishes private VLANs
D. Prevents duplicate MAC addresses from connecting to the network

A. Port security filters by MAC address, permitting allow‐listed MAC addresses to connect to the port and blocking block‐listed MAC addresses. Port security can be static, using a predetermined list; dynamic, allowing a specific number of addresses to connect; or run in a combination mode of both static and dynamic modes.

Christina wants to ensure that session persistence is maintained by her load balancer. What is she attempting to do?
A. Ensure that all of a client's requests go to the same server for the duration of a given session or transaction.
B. Assign the same internal IP address to clients whenever they connect through the load balancer.
C. Ensure that all transactions go to the current server in a round‐robin during the time it is the primary server.
D. Assign the same external IP address to all servers whenever they are the primary server assigned by the load balancer.

A. Session persistence makes sure that all of a client's traffic for a transaction or session goes to the same server or service. The remaining options do not properly describe how session persistence works.

Mila gives her team a scenario, and then asks them questions about how they would respond, what issues they expect they might encounter, and how they would handle those issues. What type of exercise has she conducted?
A. A tabletop exercise
B. A walk‐through
C. A simulation
D. A drill

A. Tabletop exercises are used to talk through a process. Unlike walk‐throughs, which focus on a step‐by‐step review of an incident, Mila will focus more on how her team responds and on learning from those answers. A tabletop exercise can involve gaming out a situation. A simulation actually emulates an event or incident, either on a small or a large scale. Drills are not defined as part of the Security+ exam outline.

Ramon wants to conduct an exercise for his organization with the least potential to cause disruption. Which of the following testing methodologies is least likely to cause potential issues with service delivery?
A. Tabletop exercises
B. Fail over exercises
C. Simulation exercises
D. Parallel processing exercises

A. Tabletop exercises do not involve an actual technical system and instead are gamed out in a room. This means they're least likely to cause disruptions. Fail over and parallel processing exercises can have actual impact to live systems, and simulation exercises require care because simulated calls and actions may inadvertently become real if staff are not fully aware of the scenario being an exercise or accidentally execute a command that can cause actual impact.

Emily manages the IDS/IPS for her network. She has a network‐based intrusion prevention system (NIPS) installed and properly configured. It is not detecting obvious attacks on one specific network segment. She has verified that the NIPS is properly configured and working properly. What would be the most efficient way for her to address this?
A. Implement port mirror/monitor mode for that segment.
B. Install a NIPS on that segment.
C. Upgrade to a more effective NIPS.
D. Isolate that segment on its own VLAN.

A. The NIPS is not seeing the traffic on that network segment. By implementing port mirroring, the traffic from that segment can be copied to the segment where the NIPS is installed. Installing a network IPS on the segment would require additional resources. This would work but is not the most efficient approach. Nothing in this scenario suggests that the NIPS is inadequate. It just is not seeing all the traffic. Finally, isolating the segment to its own VLAN would isolate that network segment but would still not allow the NIPS to analyze the traffic from that segment.

Fred sets up his authentication and authorization system to apply the following rules to authenticated users: Users who are not logging in from inside the trusted network must use multifactor authentication. Users who have logged in from geographic locations that are more than 100 miles apart within 15 minutes will be denied. What type of access control is Fred using?
A. Geographic restrictions
B. Time‐based logins
C. Supervisory control
D. Role‐based access

A. This is an example of using geographic restrictions to protect data. Fred has rules that require additional authentication for those who are off‐site and also those who may be performing impossible travel. Time is not part of both rules, there's no role description, and supervisory control is not a term used for this.

Casey's organization has proprietary information models that they use to analyze the market that they operate in. What data type best describes this information?
A. Trade secret
B. Regulated
C. Financial information
D. Public information

A. Trade secrets are intellectual property that is commercially valuable and is limited to a small group of individuals. Regulated information is controlled by law or has legal requirements around it. Financial information involves things related to monetary transactions or accounts. Public information is not controlled and is available to the public or could be without causing harm or concern.

Which of the following is not a common type of incident response exercise?
A. Drills
B. Simulations
C. Tabletop
D. Walk‐throughs

A. Typical exercise types for most organizations include simulations that emulate an actual incident response process, walk‐throughs that guide staff through an event, and tabletop exercises that are gamed out without taking actual action. Drills are classified as more focused on specific actions or functions, and they are less common because they can result in inadvertent action or mistakes and do not cover the breadth of an incident.

Charles wants to adopt an encryption tool. What encryption standard should he look for the tool to support to ensure that he is using a current secure standard to protect his data?
A. AES‐512
B. AES‐256
C. AES‐128
D. AES‐192

B. AES‐256 is the current mainstream standard for encryption. AES‐128 and AES‐192 are both less secure, and AES‐512 is not an implemented or commonly used standard.

Which of the following is the most important benefit from implementing SDN?
A. It will stop malware.
B. It provides scalability.
C. It will detect intrusions.
D. It will prevent session hijacking.

B. Software‐defined networking (SDN) makes the network very scalable. It is relatively easy to add on new resources or remove unneeded resources, and it helps with high availability efforts. SDN does not stop malware, detect intrusions, or prevent session hijacking.

Dani wants to protect HTTP traffic that is sent from SCADA devices on her network to a cloud‐hosted controller. The devices don't natively support an HTTPS connection. What could she do to transparently protect the data?
A. Set up a VPN connection from each SCADA device to the remote server.
B. Set up a TLS‐enabled proxy between the devices and the server.
C. Set up SD‐WAN.
D. Install X.509 certificates on each SCADA device.

B. A TLS‐enabled proxy between the devices and server doesn't require anything else to be installed on the devices, which is typically impossible with SCADA devices. That means the VPN connection and the X.509 certificates are unlikely to work. SD‐WAN helps to manage external connectivity, not to directly protect traffic in this scenario.

Elaine wants to adopt appropriate response and recovery controls for natural disasters. What type of control should she use to prepare for a multi‐hour power outage caused by a tornado?
A. A hot site
B. A generator
C. A PDU
D. A UPS

B. A generator is the most appropriate answer to a multi‐hour outage. Although a hot site would allow her organization to stay online, the cost of a hot site is much higher than that of a generator. A PDU, or power distribution unit, is used to manage and distribute power, not to handle power outages. Finally, UPS systems are not typically designed to handle long outages. Instead, they condition power and ensure that systems remain online long enough for a generator to take over providing power.

Enrique is concerned about backup data being infected by malware. The company backs up key servers to digital storage on a backup server. Which of the following would be most effective in preventing the backup data being infected by malware?
A. Place the backup server on a separate VLAN.
B. Air gap the backup server.
C. Place the backup server on a different network segment.
D. Use a honeynet.

B. Air gapping refers to the server not being on a network. This means literally that there is "air" between the server and the network. This prevents malware from infecting the backup server. A separate virtual local area network (VLAN) or physical network segment can enhance security but is not as effective as air gapping. A honeynet is used to detect attacks against a network, but it doesn't provide effective defense against malware in this scenario.

Alaina is planning how to staff her warm site in the case of a natural disaster that disables her primary site. What concern is most likely to impact her capacity planning for staff in this scenario?
A. Whether staff will be able to reach the site
B. Whether staff will be impacted by the disaster
C. Whether the site will be impacted by the disaster
D. Whether generator fuel will be available

B. Capacity planning for disaster operations needs to take the impact on staff themselves into account. While modern operations can frequently be conducted remotely, reducing the number of staff required to be physically able to reach the site, staff members may not have power, Internet access, or even housing in disaster scenarios. The remote site's ability to operate is not directly a staff capacity planning issue, nor is how generators will be fueled.

Cassandra is considering transitioning from an on‐premises to a hybrid cloud environment. Which of the following concerns will she need to consider that would not have been required in a single on‐premises datacenter previously?
A. RPOs
B. Data sovereignty
C. RTOs
D. Power resilience

B. Data sovereignty is a new concern for organizations that host services and data outside of their local area, including across state or national boundaries. Recovery point objectives (RPOs), recovery time objectives (RTOs), and power resilience are all common concerns for on‐premises datacenters.

Devin is building a cloud system and wants to ensure that it can adapt to changes in its workload by provisioning or deprovisioning resources automatically. His goal is to ensure that the environment is not overprovisioned or underprovisioned and that he is efficiently spending money on his infrastructure. What concept describes this?
A. Vertical scalability
B. Elasticity
C. Horizontal scalability
D. Normalization

B. Elasticity is a cloud computing concept that matches resources to demand to ensure that an infrastructure closely matches the needs of the environment. Scalability is the ability to grow or shrink as needed but does not directly include the concept of matching to workload. Normalization is a code development concept used to ensure that data is in a consistent form.

Olivia needs to ensure an IoT device does not have its operating system modified by third parties after it is sold. What solution should she implement to ensure that this does not occur?
A. Set a default password.
B. Require signed and encrypted firmware.
C. Check the MD5sum for new firmware versions.
D. Patch regularly.

B. If Olivia wants to ensure that third parties will be unable to modify the operating system for Internet of Things (IoT) devices, requiring signed and encrypted firmware for operating system updates is an effective means of stopping all but the most advanced threats. Setting a default password means that a common password will be known. Checking the MD5sum for new firmware versions will help administrators validate that the firmware is legitimate, but signed and encrypted firmware is a much stronger control. Finally, regular patching may help secure the devices but won't prevent OS modifications.

Nicole wants to protect her SMTP email exchanges from being read by others while on the wire. What can she implement to protect SMTP?
A. SPF
B. TLS
C. DKIM
D. EXIF

B. Implementing Transport Layer Security (TLS) to encapsulate Simple Mail Transfer Protocol (SMTP) would allow the traffic to be encrypted in transit, protecting it from being read. Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) are both used to prevent spoofing, and Exchangeable Image File Format (EXIF) is information found in an image file.

Asher's organization has created a list of potential customers based on an analysis of their use of their site, buying habits, and ability to spend money on new products. What type of data is a list like this?
A. Legal information
B. Trade secrets
C. Regulated data
D. Classified data

B. Intellectual property that would have value to competitors and that is kept confidential to preserve it for competitive advantage is a trade secret. Legal information is typically related to contracts, regulations, or similar matters. Regulated data is covered by law, and classified data is used by governments.

Janice is explaining how IPSec works to a new network administrator. She is trying to explain the role of IKE. Which of the following most closely matches the role of IKE in IPSec?
A. It encrypts the packet.
B. It establishes the SAs.
C. It authenticates the packet.
D. It establishes the tunnel.

B. Internet key exchange (IKE) is used to set up security associations (SAs) on each end of the tunnel. The security associations have all the settings (i.e., cryptographic algorithms, hashes) for the tunnel. IKE is not directly involved in encrypting or authenticating. IKE itself does not establish the tunnel—it establishes the SAs.

What is the biggest downside of using journaling as part of a backup restoration process?
A. Larger volumes of data may be lost.
B. The time it takes to restore from a journal.
C. Journals cannot be encrypted for security.
D. Journaling does not support live databases.

B. Journaling replays transactions, which can take an extended period of time if the time between the last backup and the data loss event was longer and there was a high volume of transactions. Journals typically minimize the amount of transaction data that is lost; they can be encrypted, although care must be taken to ensure that they can be recovered; and journaling is used with live databases to ensure transactions are recoverable to as close to the point in time of a data loss event as possible.

Theresa's organization operates in multiple countries. She knows that there are different laws that apply to her organization's use of data in each country they operate in. What concept describes this? Obfuscation Legal hold Data sovereignty Geographic restrictions

C. Data sovereignty means that governments have the ability to control data within their borders via law and regulations. Theresa's organization will need to comply with the laws of each country they operate in. Obfuscation refers to making something difficult to understand or read. Legal holds are used to require preservation of data when legal action is occurring or pending. Geographic restriction is used to limit where data can be accessed from and is a technical control used by organizations as part of data security efforts.

Brandon deploys a server in a VLAN used for IoT devices. He then creates firewall rules that allow users in a system administration network to SSH to that server so that they can manage systems in the protected network segment. What type of solution has Brandon deployed? A UTM A jump server An ICS server A VPN

B. Jump servers are used to access secured zones and are typically carefully controlled and monitored because they are the single point of entry from untrusted environments. A Unified Threat Management (UTM) is a security device that combines firewall features with a variety of other security functions. ICS stands for Industrial Control System. This is not an ICS, although the IoT devices it allows connections to may be a form of ICS. VPNs, or virtual private networks, encapsulate and protect network traffic as it moves through untrusted networks.

What layer is Layer 7 in the OSI model? The physical layer The application layer The transport layer The session layer

B. Layer 7 is the application layer. In order the layers are: 1 - physical, 2 - data link, 3 - network, 4 - transport, 5 - session, 6 - presentation, and 7 - application. The Security+ exam outline only focuses on Layer 4 and Layer 7 in the context of network security devices that can operate at those layers.

Which of the following is a common part of technology capacity planning for resilience? Cross‐training staff Using load balancers Using multiple geographically diverse datacenters Deploying uninterruptible power supplies

B. Load balancers are commonly used to help provide resilience by allowing applications and servers to be clustered. Cross‐training staff is a people‐ or staff‐based capacity planning solution. Both geographically diverse datacenters and UPS are examples of infrastructure resilience options.

Maria is a security engineer with a manufacturing company. During a recent investigation, she discovered that an engineer's compromised workstation was being used to connect to SCADA systems while the engineer was not logged in. The engineer is responsible for administering the SCADA systems and cannot be blocked from connecting to them. What should Maria do to mitigate this threat? Install host‐based antivirus/antimalware software on the engineer's system. Implement account usage auditing on the SCADA system. Implement an NIPS on the SCADA system. Use FDE on the engineer's system.

B. Maria should implement ongoing auditing of the account usage on the SCADA system. This will provide a warning that someone's account is being used when they are not actually using it. Host‐based antivirus/antimalware is almost never a bad idea, but this scenario did not indicate that the compromise was due to malware, so antimalware may not address the threat. Since the engineer has access to the SCADA system, a network intrusion prevention system (NIPS) is unlikely to block them from accessing the system, and full‐disk encryption (FDE) will not mitigate this threat because the system is live and running, meaning that the disk will be decrypted in use.

Nathaniel has deployed the control infrastructure for his manufacturing plant without a network connection to his other networks. What term describes this type of configuration? Screened subnet Air gap Vaulting A hot aisle

B. Nathaniel has created an air gap, a physical separation that will require manual transport of files, patches, and other data between the two environments. This helps to ensure that attackers cannot access critical systems and that insiders cannot export data from the environment easily. A screened subnet, also known as a demilitarized zone (DMZ), is a separate network segment or zone that is exposed to the outside world or other lower trust area. A vault is a secured space or room. Hot and cold aisles are equipment arrangements used in server rooms or datacenters to efficiently circulate air and keep server racks and other equipment cool.

Olivia wants to deploy a new firewall. What type of firewall should she select if the ability to operate at layer 7 is important to her? A WAF An NGFW A stateful firewall A packet filter

B. Next‐generation firewalls (NGFWs) typically provide the ability to inspect traffic at both the transport layer (layer 4) and the application layer (layer 7). This means an NGFW will best fit the need. Web application firewalls also work at layer 7, but only focus on web applications, which does not fully meet the broad application inspection requirement in the question. Stateful firewalls and packet filters both make decisions on addresses, protocols, ports, and (for stateful firewalls) connection state only, at layers 3 and 4, without inspecting application content.

Nora has rented a building with access to bandwidth and power in case her organization ever experiences a disaster. What type of site has she established? A hot site A cold site A warm site A MOU site

B. Nora has established a cold site. A cold site is a location that can be brought online but does not have systems; cold sites typically have access to power and bandwidth, but they need to be fully equipped to operate after a disaster since they are just rented space. Warm sites have some or all of the infrastructure and systems Nora needs but do not have current data. A hot site is a fully functional environment with all of the hardware, software, and data needed to operate an organization. They are expensive to maintain and run but are used by organizations that cannot take the risk of downtime. A MOU is a memorandum of understanding and is not a type of disaster recovery site.

Yuri wants to use an off‐site backup location. What challenge can off‐site backup locations create for organizations? It is difficult to validate the integrity of the backups. Retrieving the backups may slow down recovery. The backups cannot be easily updated. Off‐site backups may be impacted by the same disaster.

B. Off‐site backup locations are typically chosen so that they will not be impacted by the same disaster. That means that recovery may be slow if the backups either need to be physically retrieved or must be downloaded via an Internet connection. Backup integrity is typically verified as part of the backup process, and this can be checked easily. Off‐site backups are typically updated as part of the backup process, and this should not be an issue.

Pete's organization has had a system fail and Pete wants to recover from backup. Which of the following backup methods will typically result in the fastest restoration timeframe? Snapshots Replication Journaling Tape backup

B. Replication is typically the fastest means to recovery since the replica system is running and ready to take over. Snapshot recovery is normally the next fastest, followed by restoration from other storage. Journaling can introduce additional slowdowns depending on how long it has been since the last backup, as the journal is replayed from the time that occurred to the time of failure.

What type of system is used to control and monitor power plant power generation systems? IPG SEED SCADA ICD

C. SCADA, or supervisory control and data acquisition systems, are commonly used to manage facilities like power plants. The remaining options were made up.

Nick's organization houses tape‐based backups for their critical data in their primary datacenter. What resilience issue could result in the event of a major disaster? The tapes may not have been validated and might not be able to be restored. A single disaster could destroy both the facility and the tapes. The tapes may not last for the expected lifetime of the backups. Tapes are relatively slow and may not allow for timely restoration.

B. The biggest issue for resilience is that placing backups in the same facility as the devices or systems they are backing up means that a single disaster could destroy both. Nick should consider off‐site backup storage. Tape recovery can be slow, but this is a restoration timeframe issue, not a resilience issue. Tape lifetime is typically quite long, and backups are usually rolled over in time periods shorter than a year for most organizations. Finally, validation of backups can be a concern, but there is no description in the question that would lead to conclusions about testing.

Ryan is concerned about the security of his company's web application. Since the application processes confidential data, he is most concerned about data exposure. Which of the following would be the most important for him to implement? WAF TLS NIPS NIDS

B. The correct answer is to encrypt all the web traffic to this application using Transport Layer Security (TLS). This is one of the most fundamental security steps to take with any website. A web application firewall (WAF) is probably a good idea, but it is not the most important thing for Ryan to implement. While a network‐based intrusion prevention system (NIPS) or network‐based intrusion detection system (NIDS) may be a good idea, those should be considered after TLS is configured.

Chris is preparing to implement an 802.1X‐enabled wireless infrastructure. He knows that he wants to use an Extensible Authentication Protocol (EAP)‐based protocol that does not require client‐side certificates. Which of the following options should he choose? EAP‐MD5 PEAP LEAP EAP‐TLS

B. The option that best meets the needs described is PEAP, the Protected Extensible Authentication Protocol. PEAP relies on server‐side certificates and on tunneling to ensure communications security. EAP‐MD5 is not recommended for wireless networks and does not support mutual authentication of the wireless client and network. LEAP, the Lightweight Extensible Authentication Protocol, uses WEP keys for its encryption and is not recommended due to security issues. Finally, EAP‐TLS, or EAP Transport Layer Security, requires certificates on both the client and server, consuming more management overhead.

Chris wants to create a token to substitute for data in a database. Which of the following is not a common attribute for tokens? They don't have exploitable meaning themselves. They are easily reversible to identify the original data, even without the tokenization scheme. They frequently rely on one‐way hash functions. Tokens must be mapped to matching original data.

B. Tokens should not be easily reversible. Instead, they should require access to the original tokenization function or a mapping to the original data. Tokens should not have intrinsic meaning or value, and frequently rely on hash functions as part of their generation process to ensure this.
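The properties listed above (no intrinsic meaning, not reversible without the vault, hash functions used in generation) are easier to see in code. The following is an added example written for this page, not code from the exam or any tokenization product; the vault class, the `tok_` prefix, and the index key are illustrative assumptions. Note that the token itself is random rather than a hash of the value: a plain hash of low-entropy data such as a card number could be recovered by guessing and checking, so the one-way hash here is keyed and used only as a lookup index.

```python
import hashlib
import hmac
import secrets


class TokenVault:
    """Tokenization vault (illustrative). Tokens are random values with no
    relationship to the data they stand in for; the only way back to the
    original value is the mapping held inside the vault."""

    TOKEN_PREFIX = "tok_"  # assumed token format for the example

    def __init__(self, index_key: bytes):
        # index_key is a secret held by the vault (assumption), never by the
        # application that handles tokens.
        self._index_key = index_key
        self._token_to_value: dict[str, str] = {}
        self._index_to_token: dict[str, str] = {}

    def _index(self, value: str) -> str:
        # One-way, keyed hash used only to find an existing token for a value,
        # so the same card number always yields the same token. It is keyed
        # because low-entropy data (card numbers, SSNs) could otherwise be
        # recovered from an unkeyed hash by guess-and-check.
        return hmac.new(self._index_key, value.encode("utf-8"), hashlib.sha256).hexdigest()

    def tokenize(self, value: str) -> str:
        idx = self._index(value)
        existing = self._index_to_token.get(idx)
        if existing is not None:
            return existing
        # The token is random, not derived from the value, so it carries no
        # exploitable meaning even if the index key were ever exposed.
        token = self.TOKEN_PREFIX + secrets.token_hex(8)
        self._token_to_value[token] = value
        self._index_to_token[idx] = token
        return token

    def detokenize(self, token: str) -> str:
        # Reversal requires this vault's mapping; nothing in the token helps.
        try:
            return self._token_to_value[token]
        except KeyError:
            raise KeyError("unknown token: mapping is not held by this vault") from None


def leaks_original(token: str, value: str) -> bool:
    """True if the token exposes the original value (it never should)."""
    return value in token or token in value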

Marcellus wants to ensure that his organization has sufficient capacity to handle the failure of a web server. What type of technology could he deploy to ensure that individual web server failures are handled gracefully without using an overly complex solution? Platform diversity A multi‐cloud system A load balancer A warm site

C. A load balancer can help handle individual web server failures gracefully by moving load to the functioning web servers in a cluster. In scalable environments, this can also result in more servers being instantiated. Platform diversity helps to protect against failures or vulnerabilities in a single vendor, platform, or system. Multi‐cloud systems could help in this case but are much more complex than required by the relatively simple need to handle an individual web server's failure. A warm site would be suited to a datacenter failure, not a single web server failing.

Mike is a security analyst and has just removed malware from a virtual server. What feature of virtualization would he use to return the virtual server to a last known good state? Sandboxing Hypervisor Snapshot Elasticity

C. A snapshot is an image of the virtual machine (VM) at some point in time. It is standard practice to periodically take a snapshot of a virtual system so that you can return that system to a last known good state. Sandboxing is the process of isolating a system or software. The hypervisor is the mechanism through which the virtual environment interacts with the hardware, and elasticity is the ability for the system to scale.

Murali is building his organization's container security best practices document and wants to ensure that he covers the most common items for container security. Which of the following is not a specific concern for containers? The security of the container host Securing the management stack for the container Insider threats Monitoring network traffic to and from the containers for threats and attacks

C. Although insider threats are a concern, they're not any different for containers than any other system. Ensuring container host security, securing the management stack, and making sure that network traffic to and from containers is secure are all common container security concerns.

Tom is responsible for VPN connections in his company. His company uses IPSec for VPNs. What is the primary purpose of AH in IPSec? Encrypt the entire packet. Encrypt just the header. Authenticate the entire packet. Authenticate just the header.

C. Authentication Header (AH) provides integrity and origin authentication for the whole packet: the payload and the IP header, excluding mutable header fields such as TTL that legitimately change in transit. AH does not provide any encryption at all, and it authenticates the entire packet, not just the header. Because the header is covered, AH breaks when a NAT device rewrites addresses, which is one reason ESP (which can provide both encryption and authentication) is far more common in practice.

Claire has been notified of a zero‐day flaw in a web application. She has the exploit code, including a SQL injection attack that is being actively exploited. How can she quickly react to prevent this issue from impacting her environment if she needs the application to continue to function? Deploy a detection rule to her IDS. Manually update the application code after reverse‐engineering it. Deploy a fix via her WAF. Install the vendor‐provided patch.

C. Claire's best option is to deploy a detection and fix via her web application firewall (WAF) that will detect the SQL injection (SQLi) attempt and prevent it. An intrusion detection system (IDS) only detects attacks and cannot stop them. Manually updating the application code after reverse‐engineering it will take time, and she may not even have the source code or the ability to modify it. Finally, vendor patches for zero days typically take some time to come out even in the best of circumstances, meaning that Claire could be waiting on a patch for quite a while if that is the option she chooses.
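A "fix via the WAF" for a known SQLi exploit is a virtual patch: a rule placed in front of the unchanged application that rejects the malicious input the exploit depends on. The example below is added for this page and is not code from the exam or from any WAF product; the `/api/orders` path and `order_id` parameter are assumptions standing in for whatever Claire's exploit code targets. It uses positive validation (the parameter must look like the integer the application expects) rather than a blocklist of SQL keywords, because allow-listing the expected shape is far harder to bypass with encoding tricks.

```python
import re
from urllib.parse import parse_qs

# Virtual patch: positive validation of the parameter the exploit abuses.
# Path and parameter name are assumptions for the example; the real values
# would come from the exploit code Claire has in hand.
VIRTUAL_PATCHES = {
    "/api/orders": {
        "order_id": re.compile(r"[0-9]{1,12}"),  # the app expects an integer id
    },
}


def is_blocked(path: str, query_string: str) -> bool:
    """Return True when a request violates a virtual patch for its path."""
    rules = VIRTUAL_PATCHES.get(path)
    if not rules:
        return False
    params = parse_qs(query_string, keep_blank_values=True)
    for name, pattern in rules.items():
        for value in params.get(name, []):
            # fullmatch, not search: anything outside the expected shape is
            # rejected, so SQL syntax never reaches the query builder.
            if pattern.fullmatch(value) is None:
                return True
    return False


class VirtualPatchMiddleware:
    """WSGI middleware that rejects requests matching a virtual patch before
    the (still unpatched) application sees them."""

    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        if is_blocked(environ.get("PATH_INFO", ""), environ.get("QUERY_STRING", "")):
            start_response("403 Forbidden", [("Content-Type", "text/plain")])
            return [b"request blocked by virtual patch\n"]
        return self.app(environ, start_response)


def vulnerable_app(environ, start_response):
    # Stand-in for the zero-day application: it trusts order_id blindly.
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"order lookup\n"]


app = VirtualPatchMiddleware(vulnerable_app)


def send(path: str, query_string: str) -> str:
    """Drive the WSGI app with a constructed request and return the status."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status

    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": path, "QUERY_STRING": query_string}
    for _ in app(environ, start_response):
        pass
    return captured["status"]
```

The patch is scoped to one path and one parameter so it does not disturb the rest of the application, which is what keeps the application functioning while the vendor patch is pending. Double-encoded payloads (`%2527`) fail the integer check after a single decode, so they are blocked too. JSON bodies and other request parts are outside this example; a real virtual patch must cover every channel the exploit uses.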

Mike is concerned about data sovereignty for data that his organization captures and maintains. What best describes his concern? Who owns the data that is captured on systems hosted in a cloud provider's infrastructure? Can Mike's organization make decisions about data that is part of its service, or does it belong to users? Is the data located in a country subject to the laws of the country where it is stored? Does data have rights on its own, or does the owner of the data determine what rights may apply to it?

C. Data sovereignty refers to the concept that data that is collected and stored in a country is subject to that country's laws. This can be a complex issue with multinational cloud services and providers that may store data in multiple countries as part of their normal architecture. It may also create compliance and other challenges based on differences in national laws regarding data, data privacy, and similar issues.

Mateo wants to conduct a fail over test for his datacenter. What will he need to do to accomplish this? Turn off all systems in his datacenter. Simulate what would occur during a datacenter outage. Force a fail over using his network or other systems. Cause an outage of a critical system.

C. Datacenters should have a fail over process that can be manually executed in case of emergency. Mateo should use that process to fail over to his organization's fail over site. Turning off every system in a datacenter is not recommended as this may lead to other unexpected failures. Simulation is not a fail over test, and creating an outage of a critical system typically will not cause an entire datacenter to fail over.

Geoff wants to establish a contract with a company to have datacenter space that is equipped and ready to go so that he can bring his data to the location in the event of a disaster. What type of disaster recovery site is he looking for? A hot site A cold site A warm site An RTO site

C. Geoff is looking for a warm site, which has some or all of the infrastructure and systems he needs but does not have data. If a disaster occurs, Geoff can bring any equipment that he needs or wants to the site along with his organization's data to resume operations. A hot site is a fully functional environment with all the hardware, software, and data needed to operate an organization. They are expensive to maintain and run but are used by organizations that cannot take the risk of downtime. A cold site is a location that can be brought online but does not have systems; cold sites typically have access to power and bandwidth but need to be fully equipped to operate after a disaster since they are just rented space. An RTO is a recovery time objective, and it measures how long it should take to resume operations; it is not a type of disaster recovery site.

Which of the following is not a common practice used to secure data in transit? Encryption TLS Geolocation VPN

C. Geolocation is used to control where data can be accessed from but does not protect data in transit. Encrypting data, encapsulating via TLS, or use of a VPN are all common methods to protect data in transit.

What two connection methods are used for most geofencing applications? Cellular and GPS USB and Bluetooth GPS and Wi‐Fi Cellular and Bluetooth

C. Global Positioning System (GPS) data and data about nearby Wi‐Fi networks are the two most commonly used location sources for geofencing applications. When a known Wi‐Fi signal is gained or lost, the geofencing application knows it has entered or left the range of that network. GPS data is even more useful because it works in most outdoor locations and provides accurate location data. Although Bluetooth is sometimes used for geofencing, its limited range means that it is a third choice. Cellular information would require accurate tower‐based triangulation, which means it is not typically used for geofencing applications, and of course USB is a wired protocol.

What protocol is commonly used to allow for secured tunnels between corporate networks through untrusted networks? RTOS SHA‐1 IPSec RSA

C. IPSec virtual private networks are commonly established to tunnel through public or untrusted networks. An RTOS, or real‐time operating system, is used for embedded systems. SHA‐1 is a hashing algorithm, and RSA is a public‐key algorithm that IPSec can use as part of its peer authentication process. IPSec tunnels themselves commonly use AES for encryption, but may use other algorithms as well.

Mark is responsible for managing his company's load balancer and wants to use a load‐balancing scheduling technique that will take into account the current server load and active sessions. Which of the following techniques should he choose? Round‐robin Weighted response time Least connection Source IP hashing

C. Least connection-based load balancing takes load into consideration and sends the next request to the server with the least number of active sessions. Round‐robin simply distributes requests to each server in order, whereas weighted time uses health checks to determine which server responds the most quickly on an ongoing basis and then sends the traffic to that server. Finally, source IP hashing uses the source and destination IP addresses to generate a hash key and then uses that key to track sessions, allowing interrupted sessions to be reallocated to the same server, and thus allowing the sessions to continue.
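The four scheduling techniques above behave very differently once sessions have uneven lifetimes, which is the point of the question. The following is an added example for this page, not code from the exam or from any load balancer product. Server names and the timing of the simulated sessions are constructed; the source IP hash here uses only the client address (the answer text describes hashing source and destination together), which is enough to show the persistence property.

```python
import hashlib
from itertools import cycle


class Scheduler:
    """Base class: pick a server; connect/disconnect are lifecycle hooks that
    only load-aware schedulers need."""

    def __init__(self, servers):
        self.servers = list(servers)

    def pick(self, client_ip=None):
        raise NotImplementedError

    def connect(self, server):
        pass

    def disconnect(self, server):
        pass


class RoundRobin(Scheduler):
    """Next server in order, regardless of how busy it is."""

    def __init__(self, servers):
        super().__init__(servers)
        self._next = cycle(self.servers)

    def pick(self, client_ip=None):
        return next(self._next)


class LeastConnection(Scheduler):
    """Server with the fewest active sessions; ties go to the first listed."""

    def __init__(self, servers):
        super().__init__(servers)
        self.active = {s: 0 for s in self.servers}

    def pick(self, client_ip=None):
        return min(self.servers, key=lambda s: self.active[s])

    def connect(self, server):
        self.active[server] += 1

    def disconnect(self, server):
        self.active[server] -= 1


class WeightedResponseTime(Scheduler):
    """Server with the lowest average response time seen by health checks."""

    def __init__(self, servers):
        super().__init__(servers)
        self.samples = {s: [] for s in self.servers}

    def record(self, server, millis):
        self.samples[server].append(millis)

    def pick(self, client_ip=None):
        def average(s):
            return sum(self.samples[s]) / len(self.samples[s]) if self.samples[s] else 0.0
        return min(self.servers, key=average)


class SourceIPHash(Scheduler):
    """Same client address always lands on the same server (persistence)."""

    def pick(self, client_ip=None):
        digest = hashlib.sha256(client_ip.encode("utf-8")).digest()
        return self.servers[int.from_bytes(digest[:8], "big") % len(self.servers)]


def fourth_request_target(scheduler):
    """Constructed workload: two long-lived sessions, one short one, then a
    fourth request. Round-robin lands the fourth request on a server that is
    still busy; least-connection sends it to the idle one."""
    s1 = scheduler.pick()
    scheduler.connect(s1)          # stays open
    s2 = scheduler.pick()
    scheduler.connect(s2)          # stays open
    s3 = scheduler.pick()
    scheduler.connect(s3)
    scheduler.disconnect(s3)       # finished quickly
    return scheduler.pick()
```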

Olivia is implementing a load‐balanced web application cluster. Her organization already has a redundant pair of load balancers, but each unit is not rated to handle the maximum designed throughput of the cluster by itself. Olivia has recommended that the load balancers be implemented in an active/active design. What concern should she raise as part of this recommendation? The load balancer cluster cannot be patched without a service outage. The load balancer cluster is vulnerable to a denial‐of‐service attack. If one of the load balancers fails, it could lead to service degradation. The load balancer cannot handle the throughput due to having two active nodes.

C. Olivia should make her organization aware that a failure in one of the active nodes would result in less maximum throughput and a potential for service degradation. Since services are rarely run at maximum capacity, and many can have maintenance windows scheduled, this does not mean that the load balancers cannot be patched. There is nothing in this design that makes the load balancers more vulnerable to denial‐of‐service than they would be under any other design. Having two active nodes will typically increase throughput over a single node.

Troy wants to physically isolate a device. What does he need to do to accomplish this? Move it to a secure VLAN. Implement 802.1X. Create a physical air gap. Unplug the device from power and the network.

C. Physical isolation requires the creation of an air gap. This means unplugging the device from the network. A secure VLAN won't accomplish this, nor will 802.1X. Unplugging the device from power isn't required for physical isolation.

George is a network administrator at a power plant. He notices that several turbines had unusual ramp‐ups in cycles last week. After investigating, he finds that an executable was uploaded to the system control console and caused this. Which of the following would be most effective in preventing this from affecting the SCADA system in the future? Implement SDN. Improve patch management. Place the SCADA system on a separate VLAN. Implement encrypted data transmissions.

C. Separating the SCADA (supervisory control and data acquisition) system from the main network makes it less likely that the SCADA system can be affected from the main network. This includes malware as well as human action. Software‐defined networking (SDN) would make isolating the SCADA system easier but would not actually isolate it. Patch management is always important, but in this case, it would not have prevented the issue. Encrypted data transmissions, such as TLS, would have no effect on this situation.

Selah's organization is conducting a simulation exercise. Which of the following is not a common element of a simulation? Testing of notification processes Testing of procedures Testing of fail over capabilities Testing of communication systems

C. Simulations try to avoid causing potential outages and instead walk through a scenario as realistically as possible without failing over production systems. They may validate that notification processes, communication systems, and procedures all work.

Which of the following data types best describes data covered by the European Union's GDPR? Trade secrets Intellectual property Regulated data Legal information

C. The European Union's (EU) General Data Protection Regulation (GDPR) is a privacy regulation, and thus, data covered by the GDPR is regulated data. The GDPR does include language that addresses not adversely impacting the rights of others, including intellectual property rights, particularly in terms of software, but the best answer remains that this is regulated data. Trade secrets and legal information are not broad enough to describe this data.

Abigail is responsible for datacenters in a large, multinational company. She has to support multiple datacenters in diverse geographic regions. What would be the most effective way for her to manage these centers consistently across the enterprise? Hire datacenter managers for each center. Implement enterprise‐wide SDN. Implement infrastructure as code (IaC). Automate provisioning and deprovisioning.

C. The correct answer is to implement IaC. Infrastructure as code (IaC) is the process of managing and provisioning computer datacenters through machine‐readable definition files, rather than physical hardware configuration or interactive configuration tools. Whether the datacenter(s) use physical machines or virtual machines, this is an effective way to manage the datacenters. Although datacenter managers may be needed, that won't necessarily provide consistent management across the enterprise. Software‐defined networking (SDN) will not fix this problem, but it would help if Abigail needed to configure and manage her network based on usage and performance. Finally, this issue is not just about provisioning; it is about management.

Network connected devices built into washing machines, microwaves, and other household appliances are examples of what type of network device? ICS SCADA Embedded systems Virtualization

C. These are all examples of embedded systems, computers built into devices to allow them to function. Other examples include computers built into cars, digital cameras, and thermostats. They often receive fewer (or no) updates, and are required to function for long periods of time as part of other devices or systems.

Which of the following is not a commonly used business data classification? Sensitive Confidential Top Secret Public

C. Top Secret and Secret are examples of government classifications. Businesses typically use classifications like sensitive, confidential, and public.

Patrick has been asked to identify a UTM appliance for his organization. Which of the following capabilities is not a common feature for a UTM device? IDS and or IPS Antivirus/antimalware MDM DLP

C. UTM, or unified threat management, devices commonly serve as firewalls, intrusion detection system (IDS)/intrusion prevention system (IPS), antivirus/antimalware, web proxies, web application and deep packet inspection, secure email gateways, data loss prevention (DLP), security information and event management (SIEM), and even virtual private networking (VPN) devices. They aren't mobile device management (MDM) or universal endpoint management devices, however, since their primary focus is on network security, not systems or device management.

Jill wants to design her organization for high availability. Which of the following design elements best supports power resilience for a high‐availability environment for an on‐site datacenter? Using generators Using UPS systems Using UPS systems backed up by generators Using a warm site on a separate power grid

C. Using UPS with generators will allow systems to remain online during a power outage even if the power outage extends for some time. Generators alone will not spin up fast enough to avoid an outage, and UPS systems will run out of battery power in extended outages. A warm site requires setup time to bring it online, resulting in an outage.

Naomi wants to secure a real‐time operating system (RTOS). Which of the following techniques is best suited to providing RTOS security? Disable the web browser. Install a host firewall. Use secure firmware. Install antimalware software.

C. Using secure firmware, as well as using an RTOS with time and space partitioning, are both common methods to help ensure RTOS security. Unlike traditional operating systems, real‐time operating systems are used in applications where they need to deal with inputs immediately. That means that adding additional load like firewalls and antimalware is not a typical component in RTOS applications. For similar reasons, you're unlikely to find a web browser on most devices running an RTOS.

Mark's organization is preparing to move to an infrastructure as code model. He's worried about what to do if a change in code causes issues. What common IaC practice will help the most with this? Threat modeling Least privilege Version control Artifact signing

C. Version control will allow staff from Mark's organization to identify a bad version and revert to a previous known‐good version if needed. Threat modeling, least privilege, and artifact signing are all common best practices for IaC, but don't directly impact version changes.

Which of the following is not a common security concern with real‐time operating systems? Inability to install security tools Lack of updates or patches Likelihood of malware infection Vulnerability concerns

C. While vulnerabilities in RTOS‐based devices, the inability to install security tools on them, and a lack of updates or patches are all common security concerns, RTOS devices are not as frequently targeted by malware infections.

Jason is considering deploying a network intrusion prevention system (IPS) and wants to be able to detect advanced persistent threats (APTs). What type of IPS detection method is most likely to detect the behaviors of an APT after it has gathered baseline information about normal operations? Signature‐based IPS detections Heuristic‐based IPS detections Malicious tool hash IPS detections Anomaly‐based IPS detections

D. Anomaly‐based detection systems build a behavioral baseline for networks and then assess differences from those baselines. They may use heuristic capabilities on top of those, but the question specifically asks about baselined operations pointing to an anomaly‐based system. Heuristic‐based detections look for behaviors that are typically malicious, and signature‐based or hash‐based detections look for known malicious tools or files.

Carlos uses a remote desktop tool to connect to a server through a firewall that protects his organization's database servers. He then uses software on the server to manage the database servers. What type of solution is Carlos using? A network tap SASE SD‐WAN A jump server

D. Carlos is using a jump server that is used to connect from an untrusted or lower trust zone from outside of a firewall. A network tap is used to provide copies of network traffic for analysis. SASE combines SD‐WAN and other security technologies to provide network security services regardless of where systems are for enterprises. SD‐WAN (software‐defined wide area networking) is used to manage network connectivity through commodity Internet providers and other services.

Maria is responsible for security at a small company. She is concerned about unauthorized devices being connected to the network. She is looking for a device authentication process. Which of the following would be the best choice for her? CHAP Kerberos 802.11i 802.1X

D. 802.1X is the IEEE standard for port‐based network access control. This protocol is frequently used to authenticate devices. Challenge Handshake Authentication Protocol (CHAP) is an authentication protocol but not the best choice for device authentication. Kerberos is an authentication protocol but not the best choice for device authentication. 802.11i is the Wi‐Fi security standard and is fully implemented in WPA2 and WPA3. It is not a device authentication procedure.

Which device would most likely process the following rules? PERMIT IP ANY EQ 443 DENY IP ANY ANY NIPS HIPS Content filter Firewall

D. The rules shown are a typical firewall (access control list) rule set: an explicit permit for traffic to a specific port (443) followed by a deny‐all. Firewalls evaluate rules in order and act on the first match, so the order matters: the permit must come before the deny, and anything not matched by an explicit rule is dropped by the implicit deny. A NIPS, HIPS, or content filter makes its decisions based on signatures, behavior, or content rather than on port‐based allow/deny rules like these.
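To make the first-match semantics concrete, here is an added example for this page (not code from the exam or from any firewall vendor) that parses the two rules in the question and evaluates constructed packets against them. The rule grammar (`ACTION PROTO SRC (EQ PORT | ANY)`) is an assumption modelled on the question's notation, as are the packet fields.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str              # PERMIT or DENY
    proto: str               # IP matches any protocol; otherwise TCP/UDP/ICMP
    src: str                 # ANY or a single address
    dst_port: Optional[int]  # None means any destination port


def parse_rule(line: str) -> Rule:
    # Grammar assumed for the question's notation: ACTION PROTO SRC (EQ PORT | ANY)
    tokens = line.upper().split()
    action, proto, src = tokens[0], tokens[1], tokens[2]
    if tokens[3] == "EQ":
        return Rule(action, proto, src, int(tokens[4]))
    if tokens[3] == "ANY":
        return Rule(action, proto, src, None)
    raise ValueError(f"unrecognised rule: {line!r}")


def evaluate(rules, packet) -> str:
    """First matching rule wins; a packet that matches nothing is dropped
    (the implicit deny at the end of every access list)."""
    for rule in rules:
        if rule.proto != "IP" and rule.proto != packet["proto"]:
            continue
        if rule.src != "ANY" and rule.src != packet["src"]:
            continue
        if rule.dst_port is not None and rule.dst_port != packet["dst_port"]:
            continue
        return rule.action
    return "DENY"


# The rule set from the question, in the order given.
RULESET = [parse_rule(line) for line in ["PERMIT IP ANY EQ 443", "DENY IP ANY ANY"]]
```

Swapping the two lines turns the rule set into a deny-everything list, which is the classic ordering mistake when editing ACLs by hand.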

Next‐generation firewalls include many cutting‐edge features. Which of the following is not a common next‐generation firewall capability? Geolocation IPS and/or IDS Sandboxing SQL injection

D. Although next‐generation firewalls (NGFWs) provide many defensive capabilities, SQL injection (SQLi) is an attack instead of a defense. In addition to geolocation, intrusion detection system (IDS) and intrusion prevention system (IPS), and sandboxing capabilities, many next‐generation firewalls include web application firewalls, load balancing, IP reputation and URL filtering, and antimalware and antivirus features.

Jack wants to ensure that files have not changed. What technique can he use to compare current versions of the files to an original copy? Encryption. Check the file size. Check the file metadata. Compare hashes of the files.

D. Comparing hashes is an effective way of determining whether a file differs from the original. A tampered file may keep the same length, and metadata such as timestamps can be reset to their original values, but any change to the content produces a different hash. Encrypting the files does not compare them and should not be used for this purpose.
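The following script, added here as an example and not taken from the exam text, builds a SHA‐256 baseline of a directory, then tampers with one file while preserving its size and modification time, and shows that only the hash comparison catches the change. The file names and contents are constructed for the demo.

```python
"""Detect file tampering by comparing SHA-256 hashes against a stored baseline.

Added example, not part of the exam text. The files, their contents and the
tampering step are constructed here so the script runs offline.
"""
import hashlib
import os
import tempfile
from pathlib import Path
from typing import Dict


def sha256_file(path: Path, chunk_size: int = 65536) -> str:
    """Hash a file in chunks so large files never have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def build_baseline(root: Path) -> Dict[str, str]:
    """Map each file under root (relative POSIX path) to its SHA-256 hex digest."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify(root: Path, baseline: Dict[str, str]) -> dict:
    """Compare the tree under root with a previously stored baseline."""
    current = build_baseline(root)
    return {
        "changed": sorted(n for n in baseline if n in current and current[n] != baseline[n]),
        "missing": sorted(set(baseline) - set(current)),
        "added": sorted(set(current) - set(baseline)),
    }


def demo() -> dict:
    """Tamper with one file but keep its size and mtime; only the hash notices."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        target = root / "config.ini"
        target.write_bytes(b"admin=false\n")                # constructed sample file
        (root / "app.bin").write_bytes(bytes(range(256)))   # constructed, left untouched
        baseline = build_baseline(root)
        before = os.stat(target)

        # Same byte length as the original, so a size check would miss it.
        target.write_bytes(b"admin=true \n")
        # Put the original timestamps back, so a metadata check would miss it too.
        os.utime(target, ns=(before.st_atime_ns, before.st_mtime_ns))
        after = os.stat(target)

        report = verify(root, baseline)
        report["size_unchanged"] = before.st_size == after.st_size
        report["mtime_unchanged"] = before.st_mtime_ns == after.st_mtime_ns
        return report


if __name__ == "__main__":
    print(demo())
```

In practice the baseline itself must be protected (stored read‐only or signed), since an attacker who can rewrite both the file and its recorded hash defeats the check.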

Jerome needs to explain the key difference between high availability and fault tolerance to his management. What is the major difference between the two? High availability is designed to avoid service interruptions almost entirely, whereas fault‐tolerant environments have minimal service disruptions. High availability provides services, whereas fault tolerance handles issues. High availability focuses on data, whereas fault tolerance focuses on infrastructure. High availability has minimal service interruptions, whereas fault‐tolerant environments are designed to avoid service interruptions almost entirely.

D. High‐availability designs aim to minimize service interruptions and accept brief disruption during failover, whereas fault‐tolerant designs seek to avoid service interruptions almost entirely, which is why they cost significantly more. Both focus on service availability and typically use both hardware and software tools to meet their goals.

What IP address does a load balancer provide for external connections to connect to web servers in a load‐balanced group? The IP address for each server, in a prioritized order The load balancer's IP address The IP address for each server in a round‐robin order A virtual IP address

D. Load balancers provide a virtual IP, or VIP. Traffic sent to the VIP is directed to servers in the pool based on the load‐balancing scheme that that pool is using—often a round‐robin scheme, but other versions that include priority order and capacity tracking or ratings are also common. The load balancer's IP address is normally used to administer the system, and individual IP addresses for the clustered hosts are shielded by the load balancer to prevent traffic from consistently going to those hosts, thus creating a failure or load point.

You are responsible for an e‐commerce site. The site is hosted in a cluster. Which of the following techniques would be best in assuring availability? A VPN concentrator Aggregate switching An SSL accelerator Load balancing

D. Load‐balancing the cluster will prevent any single server from being overloaded. And if a given server is offline, other servers can take on its workload. A VPN concentrator, as the name suggests, is used to initiate virtual private networks (VPNs). Aggregate switching can shunt more bandwidth to the servers but won't mitigate the threat of one or more servers being offline. SSL accelerators are a method of offloading processor‐intensive public key encryption for Transport Layer Security (TLS) and Secure Sockets Layer (SSL) to a hardware accelerator.

Tim wants to ensure that his web servers can scale horizontally during traffic increases, while also allowing them to be patched or upgraded without causing outages. What type of network device should he deploy? A firewall A switch A horizontal scaler A network load balancer

D. Network load balancers distribute traffic among systems, allowing systems to be added or removed, and making patching and upgrades easier by draining connections from systems and removing them from the pool when work needs to be done on them. They can also help monitor systems for performance, report on issues, and ensure that loads match the capabilities of the systems that they are in front of. Firewalls are used for security, switches are a network device used to transfer traffic to the correct system, and a horizontal scaler was made up for this question.
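The three load‐balancing answers above (the VIP, spreading load across a cluster, and draining a server before patching) can be shown in one small simulation. This is an added example written for this page, not exam or vendor code; the VIP and backend addresses are constructed documentation‐range values, round‐robin is used as the scheduling scheme, and no real network traffic is involved.

```python
"""Simulated load balancer: one VIP in front of a pool, round-robin selection,
health marking, and connection draining before a backend is patched.

Added example, not part of the exam text. Addresses are constructed values.
"""
from typing import Dict, List


class Backend:
    def __init__(self, ip: str) -> None:
        self.ip = ip
        self.healthy = True       # set False when a health check fails
        self.draining = False     # True while being taken out for maintenance
        self.active = 0           # open connections currently pinned to it


class Connection:
    def __init__(self, client: str, vip: str, backend: Backend) -> None:
        self.client, self.vip, self.backend = client, vip, backend
        backend.active += 1

    def close(self) -> None:
        self.backend.active -= 1


class LoadBalancer:
    def __init__(self, vip: str, backend_ips: List[str]) -> None:
        self.vip = vip                              # the only address clients ever see
        self.pool: Dict[str, Backend] = {ip: Backend(ip) for ip in backend_ips}
        self._next = 0                              # round-robin cursor

    def _eligible(self) -> List[Backend]:
        return [b for b in self.pool.values() if b.healthy and not b.draining]

    def select(self) -> Backend:
        """Pick the next eligible backend in round-robin order."""
        eligible = self._eligible()
        if not eligible:
            raise RuntimeError(f"no healthy backend behind {self.vip}")
        backend = eligible[self._next % len(eligible)]
        self._next += 1
        return backend

    def connect(self, client: str) -> Connection:
        """A client connects to the VIP; the balancer pins it to a backend."""
        return Connection(client, self.vip, self.select())

    def mark_down(self, ip: str) -> None:
        self.pool[ip].healthy = False

    def drain(self, ip: str) -> None:
        """Stop sending new connections to ip; existing ones finish normally."""
        self.pool[ip].draining = True

    def can_remove(self, ip: str) -> bool:
        """Safe to patch or remove only once drained and no connections remain."""
        b = self.pool[ip]
        return b.draining and b.active == 0

    def remove(self, ip: str) -> None:
        if not self.can_remove(ip):
            raise RuntimeError(f"{ip} still has {self.pool[ip].active} active connections")
        del self.pool[ip]

    def add(self, ip: str) -> None:
        """Horizontal scale-out: a new backend joins the pool behind the same VIP."""
        self.pool[ip] = Backend(ip)

    def distribution(self) -> Dict[str, int]:
        return {ip: b.active for ip, b in self.pool.items()}


def demo() -> dict:
    lb = LoadBalancer("203.0.113.10", ["10.0.0.11", "10.0.0.12", "10.0.0.13"])
    conns = [lb.connect(f"client-{i}") for i in range(6)]
    spread = lb.distribution()                       # two connections per backend

    lb.drain("10.0.0.12")                            # take web2 out for patching
    later = lb.connect("client-6")                   # must land on another backend
    blocked_early = not lb.can_remove("10.0.0.12")   # still serving earlier clients
    for c in conns:
        if c.backend.ip == "10.0.0.12":
            c.close()
    ready = lb.can_remove("10.0.0.12")
    lb.remove("10.0.0.12")
    lb.add("10.0.0.14")                              # scale out while web2 is away
    return {"spread": spread, "later_backend": later.backend.ip,
            "blocked_early": blocked_early, "ready": ready,
            "pool": sorted(lb.pool)}


if __name__ == "__main__":
    print(demo())
```

The drain step is the part that makes patching outage‐free: new clients are steered away immediately, but the server is not pulled until its last connection closes.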

Which of the following is not an advantage of a serverless architecture? It does not require a system administrator. It can scale as function call frequency increases. It can scale as function call frequency decreases. It is ideal for complex applications.

D. Serverless architectures do not require a system administrator because the provider manages the underlying function‐as‐a‐service (FaaS) capability. It can also scale up or scale down as needed, allowing it to be very flexible. Serverless architectures are typically not ideal for complex applications and instead tend to work better for microservices.

What key network technology is the core of an SASE implementation? TLS VLANs IPSec SD‐WAN

D. Software‐defined wide area networks (SD‐WANs) are the core component of secure access service edge (SASE). Additional tools like zero trust functionality, cloud access security brokers, and firewalls are all combined with the SD‐WAN to build a complete SASE implementation.

Henry accesses a database server from his workstation. What data state best describes the data while it is on the network? Data at rest Data in use Data on the wire Data in transit

D. The Security+ exam outline recognizes three data states: data at rest, data in transit, and data in use. When Henry accesses the data and it is transferred via the network, it is data in transit. When he is working with the data, including modifying or otherwise using it, it is data in use. When it resides on the drives the database is stored in, it is data at rest. Data on the wire is not a common term for this—data in motion and data in transit are both common in industry usage, and the Security+ exam outline uses data in transit.

Ramon is building a new web service and is considering which parts of the service should use Transport Layer Security (TLS). Components of the application include: 1. Authentication 2. A payment form 3. User data, including address and shopping cart 4. A user comments and reviews section Where should he implement TLS? At points 1 and 2, and 4 At points 2 and 3, and 4 At points 1, 2, and 3 At all points in the infrastructure

D. The safest and most secure answer is that Ramon should simply implement TLS for the entire site. Although TLS does introduce some overhead, modern systems can handle large numbers of simultaneous TLS connections, making a secure website an easy answer in almost all cases.

Mia is a network administrator for a bank. She is responsible for secure communications with her company's customer website. Which of the following would be the best for her to implement? SSL PPTP IPSec TLS

D. Transport Layer Security (TLS) provides a reliable method of encrypting web traffic. It supports mutual authentication and is considered secure. Although Secure Sockets Layer (SSL) can encrypt web traffic, TLS was created in 1999 as its successor. Although many network administrators still use the term SSL, in most cases today what you are using is actually TLS, not the outdated SSL. Point‐to‐point Tunneling Protocol (PPTP) and Internet Protocol Security (IPSec) are protocols for establishing a VPN, not for encrypting web traffic.

Charles wants to use IPSec and needs to be able to determine the IPSec policy for traffic based on the port it is being sent to on the remote system. Which IPSec mode should he use? IPSec tunnel mode IPSec PSK mode IPSec IKE mode IPSec transport mode

D. Unlike IPSec's tunnel mode, IPSec transport mode allows different policies per port. Tunnel mode encapsulates the entire original packet inside a new outer IP header, whereas transport mode keeps the original IP header and protects only the payload, so the endpoint can apply a separate policy to the traffic for each port. IPSec doesn't have a PSK mode, although pre‐shared keys are one of the authentication methods IKE can use (WPA2 does have a PSK mode). IKE is used to negotiate security associations in IPSec but is not a mode in this sense.
