ExamCram Practice Tests
Which one of the following best describes the four primary phases of a penetration test? Planning, discovery, attack, reporting Exploit, escalation, pivot, persistence Planning, exploit, attack, persistence Discovery, attack, pivot, reporting
A
Describe Resident and Non-Resident virus
A resident virus resides in memory, which means it is loaded each time the system starts and can infect other areas based on specific actions. A non-resident virus looks for targets locally and even across the network. The virus then infects these areas and exits. Unlike a resident virus, it does not remain active.
Which of the following processes occurs first when a user or device presents information such as a username, a process ID, a smart card, or another unique identifier? Identification Authenication Authorization Accounting
A.
Which of the following uses a secure cryptoprocessor that accelerates cryptographic processes and provides strong access authentication for critical application encryption keys? Hardware security module Full disk encryption File-level encryption Public key infrastructure
A.
A user calls the help desk saying that she changed her password yesterday. She did not get any email on her mobile phone last night and she cannot log on this morning. Which password policy is most likely at fault for her difficulties? Account lockout Password complexity Expiration Password history
A. If the user failed to also change her password on her phone, its repeated attempts to access email during the night would have triggered the account lockout protections and temporarily disabled her account. Password complexity and history would not lock out her account after successfully changing it, making answers B and D incorrect. Answer C is incorrect because, although account expiration is possible, it is unlikely that this happened unless it was near the end of her employment.
An organization is looking to add a layer of security by implementing a solution that protects hosts against known and unknown malicious attacks from the network layer up through the application layer. Which of the following fulfills this requirement? HIPS Encryption DLP Whitelisting
A. A HIPS protects hosts against known and unknown malicious attacks from the network layer up through the application layer.
In cryptographic systems, to derive a key based upon the password as just the origin point, a password is used as input into which of the following? KDF Key exchange MD5 AES
A. A key derivation function (KDF) is used in cryptography to derive the actual key based on the password as just the origin point. Key exchange is the concept within cryptography that involves the secure exchange of cryptographic keys. MD5 is a hashing algorithm, and AES is a symmetric key encryption algorithm.
Your security team has detected a virus that infected executable files and attacked the master boot record of a system. Which of the following is most likely the virus type? Multipartite virus Armored virus Polymorphic virus Stealth virus
A. A multipartite virus infects executable files and also attacks the master boot record of the system. If the boot sector is not cleaned along with the infected files, the files can easily be infected again. An armored virus makes it difficult to analyze functions, thus creating a metaphorical layer of armor around the virus. Polymorphic viruses are also difficult to detect because each time a polymorphic virus infects a new file or system, for example, it changes its code. A stealth virus is a memory-resident virus that removes itself from an infected file and places a copy of itself in a different location.
During which phase of a penetration test does a tester try to gain access or penetrate the system? Attack Discovery Planning Reporting
A. A penetration test involves four primary phases: planning, discovery, attack, and reporting. During the attack phase, the tester tries to gain access or penetrate the system. This often is a result of exploiting an identified vulnerability during the previous phase. Within the attack phase, the progressive steps include initial exploitation, escalation of privilege, pivot, and persistence.
Which of the following principles of influence might be used in a social engineering attack to play upon someone's fear of getting in trouble or getting fired? Intimidation Trust Authority Familiarity
A. A social engineer might use intimidation to play upon a fear of getting in trouble or getting fired. Intimidation does not need to necessarily be so severe that one fears physical harm. Trust, authority, and familiarity are other principles of influence used in social engineering attacks that rely upon other tactics.
The organization requires that users of the "production" domain are allowed access to resources in any domain that the "services" domain trusts. Which type of trust relationship would be established? Transitive trust One-way trust Two-way trust External trust
A. A transitive trust occurs when a domain trust is configured so that any domain trusting Domain A will then trust all other domains that Domain A trusts. A one-way trust (Domain A trusts Domain B) allows resources in Domain A to be accessed by security principals (users, services, and so on) in Domain B. A two-way trust allows each domain to trust members of either domain. (Domain A and Domain B resources can be accessed by authorized requests from user accounts in either Domain A or Domain B.) An external trust is used to form a one-way or two-way nontransitive trust with domains that are located in a separate forest.
Which of the following provides a sandboxed environment that can be used to investigate unsafe executables? Virtualization Network storage Host software baselining Application baselining
A. A virtualized sandboxed environment can help in computer security research, which studies the effects of unsafe executables without the possibility of compromising the host system.
Which type of system logs provides information about requests and connections between systems? Access logs System event logs Audit logs Security logs
A. Access logs provide information about requests and connections between systems. For example, this can include connections between an LDAP client and a directory server (which might include details such as the IP address) and records related to the binding operation. System event logs record the events that occur across the system and are related to the operating system. Audit logs help ensure proper process and provide a useful record for auditors. Security logs contain the events specific to systems and application security.
You have been tasked with measuring the normal activity of the user computers on the network. Which of the following tools is the best choice to help accomplish this task? Baselining software System logging and monitoring A security awareness program Asset management software
A. Baselining software is used to measure normal activity of a device or network. Logging is the process of collecting data to be used for monitoring and auditing purposes. A security awareness program has to do with user education and security awareness. Asset tracking provides effective management of assets so that the device location is known at all times.
The organization is implementing biometrics for authentication. Which of the following is the greatest concern associated with the implementation of biometric methods? Error ratios Data sanitization Account lockouts Cross-contamination
A. Biometric devices are susceptible to false acceptance and false rejection rates. When using biometrics, each method has its own degree of error ratios. Data sanitization is the process of removing or destroying the data stored in a device. Account lockouts have to do with passwords. Cross-contamination is a physical concern not associated with biometric solutions.
The organization is faced with selecting a mobile device deployment model. The main factors in choosing a model are reducing corporate costs and increasing productivity. Which of the following deployment models best fits the requirements? BYOD CYOD COPE VDI
A. Bring your own device (BYOD) focuses on reducing corporate costs and increasing productivity by allowing employees, partners, and guests to connect to the corporate network for access to resources. In most implementations of CYOD, the organization purchases the device and pays the data usage costs. This method of managing user devices can reduce the hardware and management costs of corporate-owned devices, but it cannot completely eliminate them. With a corporate-owned, personally enabled (COPE) model, the organization has to supply, update, and monitor the device. The cost of this implementation method is much higher than with BYOD or CYOD, and is generally not cost effective for small businesses. VDI allows the organization to securely publish personalized desktops for each user through a managed infrastructure, but can be costly.
Which of the following should ensure that alternate processing sites and alternate business practices are available for your organization? COOP BPA BIA RPO
A. Continuity of Operations Planning (COOP) and BCPs ensure that the restoration of organizational functions occurs in the shortest possible time, even if services resume at a reduced level of effectiveness or availability. This includes planning for alternate processing sites and alternate business practices. A BPA is an interoperability agreement and specifically a contract that establishes partner profit percentages, partner responsibilities, and exit strategies for partners. BIA is the process of only determining the potential impacts resulting from the interruption of time-sensitive or critical business processes. RPO is the amount of time that can elapse during a disruption before the quantity of data lost during that period exceeds business continuity planning's maximum allowable threshold.
You have been tasked with minimizing the number of false positives when performing this month's vulnerability scan. Which of the following should you consider doing? A credentialed scan A non-credentialed scan A penetration test Reduce false negatives
A. Credentials (for example, username and password) provide authorized access to the system, and can help reduce false positives, because the scans have further access to understand the system. Non-credentialed scans are less invasive and provide an outsider's point-of-view, but are likely to result in more false positives. A penetration test tries to exploit known vulnerabilities. Reducing false negatives is important; however, reducing the number of false negatives won't necessarily minimize the number of false positives.
Which of the following best describes data exfiltration? Unauthorized transfer of data Release of private or confidential information Algorithm mismatch error Prevention of legitimate content
A. Data exfiltration is the unauthorized transfer of data. A more basic definition is data theft. Answer B is incorrect because a data breach is the release of private or confidential information. Answer C is incorrect because an algorithm mismatch is associated with certificate issues. Answer D is incorrect because prevention of legitimate content is associated with a misconfigured web content filter.
You are required to implement a solution to identify baseline deviations for application performance based on seasonal usage. Which of the following solutions would you choose? Dynamic baselining Alarms Static baselining Alerts
A. Dynamic baselining is ideal for analyzing application performance based on seasonal usage or varying workloads across different days. Static thresholds are not good for analyzing application performance based on seasonal usage because they do not allow analysis of patterns and contrasts over time. The purpose of an alarm is to report a critical event that typically requires some type of immediate response. An alert is similar to an alarm, but it is less critical and likely does not require an immediate response.
If an organization wants to implement an enterprise access solution that does not require a user to remember passwords across multiple distinct business units, which of the following is the best choice? Federation Single sign-on Transitive trusts Retinal scanning
A. Federation eliminates the requirement to use a password. The federation server stores the username in each application and presents that application with a token that is then used for authentication. Answer B is incorrect because SSO still requires the user to remember passwords. Answer C is incorrect because transitive trusts work only across trusted domains. Answer D is incorrect because retinal biometric identification involves the scanning and identification of blood vessels and tissues in the back of the eye, requiring specialized equipment.
Which of the following provides validation that the forensic analysis itself has not produced unexpected modifications of evidentiary data? Hashes Witness statements Video capture Chain of custody
A. Hashes allow validation that the forensic analysis itself has not produced unexpected modifications of evidentiary data. Witnesses provide statements about what they saw, including when, where, and how. Videotaping the actual entrance of a forensics team into the area helps refute claims that evidence was planted at the scene. The chain of custody provides a clear record of the path evidence takes from acquisition to disposal.
You need to log in as the domain administrator to perform a function not permitted under your normal account. The domain administrator account is considered which of the following types of account? Shared account Guest account User account Service account
A. IT organizations often use shared accounts for privileged users, administrators, or applications. This practice presents security and compliance risks. The Guest account is a user account used to allow temporary access to server resources for a user who does not have a network user account. A user account allows a user to sign on to a computer or network. A standard user may be prevented from performing tasks such as installing applications. Service accounts often are installed for interaction with the operating system. Local service accounts typically interact with the Windows OS and tend to have default passwords.
An organization is experiencing suspicious activity that is not being caught by the IDS, but is setting off alarms elsewhere in the network. As a result, the organization is re-evaluating its IDS system. Which of the following types of IDS would be the best option for the organization to choose? Anomaly-based Signature-based Knowledge-based Pattern matching based
A. In anomaly-based detection methods, after the application is trained, the established profile is used on real data to detect deviations. Anomaly-based methods target behavior that is out of the ordinary instead of classifying all behavior. Signature-based methods only detect known signatures or patterns. They are more reactive because an attack must be known before it can be added to the database. Knowledge-based methods use a database of previous attack signatures and known system vulnerabilities. In pattern matching, the algorithm checks the presence of a signature in the incoming packet sequence and outputs the location of the string within the packet.
The organization is implementing DNSSEC. Which of the following is a correct statement about this implementation? DNSSEC must be implemented at each domain level. Signature-generating keys are issued at the top domain level. DNSSEC encrypts all traffic. DNSSEC must be implemented only at the top domain level.
A. In order to properly validate the path, DNSSEC must be implemented at each domain level. All individual domain levels are in control of their own signature-generating keys. Validation is done through the use of a key and a signature. The higher organization level signs the key of the lower domain level. DNSSEC does not encrypt data; it provides a way to validate the address of a site by using a sequence of digital signatures through the DNS hierarchy.
Which of the following methods is the most effective way to automate managing application restrictions installed through whitelisting and digitally signing applications? Mobile application management Onboarding Mobile device management Device access controls
A. Mobile application management (MAM) focuses on application management. Onboarding describes the process of registering an asset and provisioning the asset so that it can be used to access the corporate network. Mobile device management (MDM) allows the enrollment of enterprise devices for management functions such as provisioning devices, tracking inventory, changing configurations, updating, managing applications, and enforcing policies. Device access controls are used to control network access, not to manage devices or applications.
A vulnerability assessment has revealed that legacy internal heart monitors of a hospital's intensive care unit (ICU) are visibly exposed to the Internet. Which of the following should be implemented? Network segmentation Code wrappers Control diversity Manual updates
A. Network segmentation is one of the most effective controls an organization can implement to mitigate the effect of a network intrusion. In sensitive systems such as SCADA networks, applying segmentation in layers, from the data link layer through the application layer, can go a long way in protecting vital infrastructure services. Answer B is incorrect because wrappers are used in several types of implementations, such as smart grids and integration of legacy systems. They reduce the risk of web-based attacks. Answer C is incorrect because control diversity refers to having multiple versions of software packages in which redundant software versions differ. Answer D is incorrect because although manual updates are inconvenient, they might also be necessary when the system contains sensitive data and is segmented.
You have recently had problems with clients in one particular area of the network not being able to connect to a server. Which of the following tools should you use to begin troubleshooting? Ping Nslookup Telnet Netstat
A. Packet Internet Grouper (ping) is a utility that tests network connectivity by sending an Internet Control Message Protocol (ICMP) echo request to a host. Answer B is incorrect because Nslookup is a command-line utility used to troubleshoot a Domain Name Service (DNS) database. It queries the DNS server to check whether the correct information is in the zone database. Answer C is incorrect because Telnet is a terminal emulation program used to access remote routers and UNIX systems. Answer D is incorrect because Netstat displays all the ports on which the computer is listening. It can also be used to display the routing table and preprotocol statistics.
Which of the following terms refers to when multiple, underutilized virtualized servers take up more space and consume more resources than is justified by their workload? VM sprawl VDE VM escape VDI
A. One drawback associated with virtual environments is VM sprawl. In this situation, multiple, underutilized virtualized servers take up more space and consume more resources than is justified by their workload. Virtual desktop environments (VDE) are similar in form to server virtualization, but with some differences in their usage and the performance demands made on them. VM escape happens when the virtual machine breaks out of or escapes from isolation and can interact with the host operating system. Virtual desktop infrastructure (VDI) is the server-based virtualization technology that hosts and manages the virtual desktops.
An organization that has several small branches in North Dakota, Minnesota, and Ontario, Canada, is planning for a fire-suppression system installation. Which of the following bests fit the needs of the organization? Dry pipe Wet pipe Deluge Preaction
A. One reason for using a dry-pipe system is that, when the outside temperature drops below freezing, any water in the pipes will freeze, causing them to burst. Therefore, answer B is incorrect. Answer C is incorrect because deluge systems are used in places that are considered high hazard areas, such as power plants, aircraft hangars, and chemical storage or processing facilities. Deluge systems are needed where high-velocity suppression is necessary to prevent fire spread. Answer D is incorrect because conventional preaction systems are relatively complex and expensive. That tends to preclude the benefits of their use in low-cost, water-sensitive applications such as small areas and residential applications where the need to avoid inadvertent water damage is as important as providing protection against fire damage.
For disaster recovery, which option should you consider as an alternate processing site, given the requirement that it is fully operational? Hot Cold Warm Full
A. Recovery sites include hot, warm, and cold sites. Hot sites are fully operational and ready to go. While a hot site is a full duplicate of a source data center, a hot site is the correct term for an alternate processing site. A warm site is a scaled-down version of a hot site. The warm site is generally configured with power, phone, and network jacks. Cold sites are merely a prearranged request to use facilities if needed. Electricity, bathrooms, and space are about the only facilities a cold site contract provides.
Eliminating email to avoid the risk of email-borne viruses is an effective solution but is not likely to be a realistic approach for which of the following? Risk avoidance Risk transference Risk acceptance Risk mitigation
A. Risk avoidance involves eliminating the vulnerability that gives rise to a particular risk so that it is avoided altogether. This is the most effective solution, but it often not possible due to organizational requirements. Answer D is incorrect because risk mitigation involves reducing the likelihood or impact of a risk's exposure by putting systems and policies into place to mitigate a risk and guard against the exploitation of vulnerabilities.
Which of the following is most likely to use network segmentation as a security method? SCADA systems Mainframes Android devices Gaming consoles
A. SCADA systems would most likely use network segmentation. Answer B is incorrect because mainframes would most likely use security layers.
Which of the following federated services is an XML framework for creating and exchanging security information between online partners? SAML OAuth JSON OpenID Connect
A. Security Assertion Markup Language (SAML) is an Extensible Markup Language (XML) framework for creating and exchanging security information between online partners. Open Authorization (OAuth) is a framework used for Internet token-based authorization. OAuth 2.0 uses the JSON and HTTP protocols. Because it only provides authorization services, it does not support secure methods such as client verification, encryption, or channel binding. OpenID Connect is an identity layer based on OAuth 2.0 specifications that is used for consumer single sign-on. (ch. 23)
The organization is bound by regulation to properly protect data. Which of the following technologies would best protect data stored on disk drives? SEDs Secure boot HSM UEFI
A. Self-encrypting drives (SEDs) automatically encrypt all data on the drive, preventing attackers from accessing the data through the operating system. The premise behind secure boot is that the PC will boot using only trusted software from the PC manufacturer. Secure boot is basically an extension of UEFI. A hardware security module (HSM) is a removable or external device used in asymmetric encryption. Unified Extensible Firmware Interface (UEFI) is a newer version of BIOS.
Session keys are also known as which of the following? Symmetric keys Asymmetric keys Public keys Private keys
A. Session keys, sometimes called symmetric keys, are randomly generated keys to perform both encryption and decryption during the communication of a session between two parties. They are described as being symmetric because the key is used for both encryption and decryption. The remaining answers are not also referred to as session keys.
Which of the following VPN solutions is implemented based on IPsec policies assigned to VPN topologies and connects entire networks to each other? Site-to-site Always-on Split tunnel Full tunnel
A. Site-to-site VPNs are implemented based on IPsec policies assigned to VPN topologies and connect entire networks to each other. Instead of depending on the user to establish a VPN connection, the always-on VPN client immediately and automatically establishes a VPN connection when an Internet connection is made. The choice to use split tunneling is made mainly to reserve bandwidth while the users are on the Internet and to reduce the load on the VPN concentrator, especially when the organization has a large remote workforce. Split tunneling can also be useful when employees are treated as contractors on client sites and require access to both employer resources and client resources. Full tunnel works exactly as it implies; all requests are routed and encrypted through the VPN.
An organization requires the use of Kerberos authentication, but also needs authorization and accounting functions. Which of the following protocols would be used? TACACS+ SAML LDAP RADIUS
A. TACACS+ uses the AAA architecture. This allows the use of TACACS+ for authorization and accounting with separate authentication methods. SAML (Security Assertion Markup Language) is an Extensible Markup Language (XML) framework for creating and exchanging security information between online partners. LDAP is a directory services protocol. RADIUS combines the authentication and authorization features of AAA, making it difficult to use the functions separately.
Which of the following is a nonproprietary protocol that provides authentication and authorization in addition to accounting of access requests against a centralized service for the authorization of access requests? TACACS+ SAML LDAP OAuth
A. TACACS+, released as an open standard, is a protocol that provides authentication and authorization, as well as accounting of access requests against a centralized service for authorization of access requests. TACACS+ is similar to RADIUS but uses TCP instead of UDP transport. Answer B is incorrect because SAML (Security Assertion Markup Language) is an Extensible Markup Language (XML) framework for creating and exchanging security information between online partners. Answer C is incorrect because LDAP is a directory services protocol. Answer D is incorrect because OAuth is an authorization framework.
Two users want to securely communicate. What PKI component is responsible for signing their digital certificates? CA RA CRL OCSP
A. The Certificate Authority (CA) is responsible for signing and issuing certificates. The RA provides authentication to the CA on the validity of a client's certificate request.
In AAA functionality, which of the following core components is responsible for making the final decision of whether to grant access to the client? PDP PIP PEP Accounting and Reporting System
A. The Policy Decision Point (PDP) is responsible for making the final decision on whether to grant access to the client. The Policy Information Point (PIP) holds data relevant to the decision of whether to grant access to the client. The Policy Enforcement Point (PEP) is the authenticator and enforces the conditions of the client's access. The Accounting and Reporting System tracks the client network usage and reports the "who, what, where, when, and why." (ch. 22)
An organization is implementing a server-side application using OAuth 2.0. Which of the following grant types should be used? Authorization code Implicit Password credentials Client credentials
A. The authorization code grant type is used for server-side applications. Answer B is incorrect because the implicit grant type is used for client-side web applications. This grant type does not have a server-side component. Answer C is incorrect because the password credentials grant type is used for first-class web applications or mobile applications. Answer D is incorrect because the client credentials grant type is used for application code to allow an application to access its own resources.
Which of the following is the best way to secure NoSQL databases such as MongoDB? Implement separate authentication methods Use the default port Bind the interface to multiple IPs Encrypt the data after it is written to the database
A. The best way to secure NoSQL databases such as MongoDB is to implement separate authentication methods. Best practices for protecting NoSQL databases include changing the default ports, binding the interface to only one IP, and encrypting data in the application before writing it to the database. Databases such as MongoDB have added support for Kerberos authentication, more granular access controls, and SSL encryption, which allows for the implementation of separate authentication methods. Based on the explanation for answer A, answers B, C, and D are incorrect.
Which type of biometric authentication system records and measures the unique patterns of weight shift and leg kinematics while walking? Gait Hand/palm geometry Signature Blood vessels
A. The gait biometric authentication system records and measures the unique patterns of weight shift and leg kinematics while walking. Hand/palm geometry systems measure the length and width of a hand's profile, including hand and bone measures. The signature biometric authentication system records and measures the speed, shape, and kinematics of a signature provided to an electronic pad. The blood vessels biometric authentication system identifies and measures unique patterns of blood vessels in the hand or face.
During which phase of the incident response process should the team define the hardware and software needed for analysis? Preparation Identification and analysis Containment, eradication, and recovery Post-incident activities
A. The incident response process consists of four primary phases: 1) preparation; 2) identification and analysis; 3) containment, eradication, and recovery; and 4) post-incident events. The preparation phase includes identifying the roles and responsibilities, as well as the hardware and software that will be required for incident response and analysis.
If the organization requires a switch feature that makes additional checks in Layer 2 networks to prevent STP issues, which of the following safeguards should be implemented? Loop protection Flood guard Implicit deny Port security
A. The loop guard feature makes additional checks in Layer 2 switched networks to prevent loops. Answer B is incorrect because a flood guard is a firewall feature to control network activity associated with DoS attacks. Answer C is incorrect because implicit deny is an access control practice in which resource availability is restricted to only logons that are explicitly granted access. Answer D is incorrect because port security is a Layer 2 traffic control feature on Cisco Catalyst switches. It enables individual switch ports to be configured to allow only a specified number of source MAC addresses coming in through the port.
The organization is subject to regulation and required to comply with PCI-DSS. Which of the following will help the organization ensure that processes are followed and enforced in order to detect organizational compliance and risk? Continuous monitoring Automation Snapshots Distributive allocation
A. The purpose of continuous monitoring is to ensure that the processes are followed and enforced so that they detect organizational compliance and risk. In certain instances, such as to comply with industry regulations, continuous monitoring is required. Automation makes managing and securing the environment easier. However, when done incorrectly, automation breaks more than it fixes. A snapshot preserves the entire state and data of the virtual machine at the time it is taken. The idea behind distributive allocation is to distribute the environment among different providers or components.
An organization is concerned about targeted terrorist attacks against the SCADA network. Which of the following would be the best course of action for the organization? Create a separate security group to manage the SCADA network. Implement a DMZ. Add additional rules to the firewall monitoring traffic coming in from the Internet. Use integrity measurement.
A. Two separate security and IT groups should manage the network infrastructure and the ICS or SCADA network. Because ICS security requirements differ, IT architects and managers who do not have previous experience on this type of system need to be trained specifically in ICS security and must be familiar with guidance documents. One of the first lines of defense against attacks is to implement physical segregation of internal and external networks, to reduce the attack surface by segregating the SCADA network from the corporate LAN. Additional firewall rules, DMZ, and using integrity measurement are not the correct type of protections.
Many of the systems on your network are older and don't support 802.11i. Which of the following is the strongest wireless encryption algorithm you can deploy, while still supporting those legacy systems? WPA-TKIP WPA2-CCMP WPA2-TKIP WPA2-AES
A. WPA-TKIP, while not the strongest option, does provide the strongest wireless encryption algorithm given the requirement around legacy systems not supporting 802.11i. WPA2 is based on the IEEE 802.11i standard and can't be used.
During a vulnerability assessment, it was discovered that users are continually reusing weak passwords. Setting which of the following password policies will mitigate this issue? Select 2 answers. Password complexity Password history Maximum password age Account lockout duration
AB
The security team is reviewing the plan for Wi-Fi access throughout the campus. Which of the following attacks should the team be concerned about that is specific to enabling Wi-Fi? (select 2 answers) Jamming IV Bluesnarfing Bluejacking Watering hole
AB.
Which of the following individual items are examples of PII? (Choose 2 answers.) Social security number Home address Gender State of residence
AB.
You just started as the security lead for a new organization and discover that their data labeling scheme uses public and private. Your manager suggests that you consider including a third label of proprietary. For what reasons would this decision make sense? (select 2 answers) For data that may be disclosed outside the organization on a limited basis To better ensure that labels match their value and level of sensitivity, so an appropriate level of control can be applied For data that should never be exposed outside the company Only if NDAs won't be used when data is shared with others
AB. Information must be classified according to its value and level of sensitivity, so that the appropriate level of security can be used and access to data can be controlled. The public and private classifications are too limiting, particularly for data that could be disclosed outside on a limited basis. Data that should never be exposed outside the company is already covered by the private classification. A label such as proprietary should be included, regardless of whether NDAs are used or not, if that data is sensitive and may be shared outside the organization.
The organization is bound by regulation to properly protect data. There is a large mobile workforce that has Windows-based laptops. In order to properly protect data on the laptops using FDE, which of the following technologies will be required (select 2 answers) TPM BitLocker HSM UEFI
AB. Trusted platform module (TPM) refers to a secure cryptoprocessor used to authenticate hardware devices such as a PC or laptop. BitLocker is a full disk encryption feature included with Windows Vista and later versions. It is designed to protect data by providing encryption for entire volumes. A hardware security module (HSM) is a removable or external device used in asymmetric encryption. Unified Extensible Firmware Interface (UEFI) is a newer version of BIOS.
Due to some recent threats, the security administrator is directed to deploy secure LDAP. Which of the following will the administrator need to do? (select 2 answers) Install a certificate. Verify that LDAPS is enabled. Enable port 389. Enable SSH.
AB. You can enable LDAP over SSL (LDAPS) by installing a properly formatted certificate from either a Microsoft certification authority (CA) or a non-Microsoft CA, and then verifying that LDAPS is enabled. LDAPS communication occurs over port TCP 636. Older SSL encryption methods can be used by selecting a separate TCP port such as the default LDAP port 389. The Secure Shell (SSH) utility establishes a session between the client and host computers using an authenticated and encrypted connection.
Which of the following are elements provided by nonrepudiation? (Choose three correct answers.) Proof of origin Proof of submission Proof of delivery Proof of concept
ABC.
Which of the following information should be collected when collecting volatile data? (Select 3 answers.) System date and time Current network connections Current open ports and applications listening on those ports Full disk image
ABC. The following volatile information should be collected: system date and time, current network connections, current open ports and applications listening on those ports, and applications currently running. Answer D is incorrect because a full disk image is not volatile data.
The startup company that you work for has had recent challenges with the use of network access. You have been tasked with creating an AUP. Which of the following should be contained within the AUP?Select 3 answers. Detailed standards of behavior Detailed enforcement guidelines and standards Memorandum of understanding Consent forms
ABD. An organization's acceptable use policy (AUP) must provide details that specify what users may do with their network access. An acceptable use policy should contain these main components: clear, specific language; detailed standards of behavior; detailed enforcement guidelines and standards; acceptable and unacceptable uses; consent forms; privacy statement; and disclaimer of liability. A memorandum of understanding is an interoperability agreement document that outlines the terms and details of an agreement between parties, including each party's requirements and responsibilities.
A business application installed on a Windows server has been compromised. You find out that a business unit purchased and deployed the new application and server without going through the proper process, and without the security department's oversight. Which of the following are most likely the cause of the compromise? (select 2 answers) Default configurations Data exfiltration Unnecessary applications and services Lack of proper backups
AC.
A security researcher sends you a link to your own website, demonstrating that an alert box can be made to pop up. The researcher explains that the site is vulnerable to XSS. Which of the following are methods to prevent this type of attack? (select 2 answers) Validate and filter user input. Use only HTML and not JavaScript within the site. Restrict the use of special characters. Ensure that all HTML tags contain the proper brackets.
AC. By placing a malicious client-side script on a website, an attacker can cause an unknowing browser user to conduct unauthorized access activities, expose confidential data, and log successful attacks back to the attacker without users being aware of their participation. Proper input validation is one primary means of preventing such attacks. This includes validating input and restricting the use of special characters. Limiting sites to just HTML and JavaScript won't prevent cross-site scripting (XSS). Lack of proper bracketing on HTML tags doesn't make a site vulnerable to XSS either.
You are designing a network in which both external and internal users require access to services. Select the servers that would have placement in the DMZ. (Select 2 answers) Web server Database server Email server File server
AC. The DMZ is an area that allows external users to access information that the organization deems necessary, but will not compromise any internal organizational information. Web and email servers often are placed in the DMZ. Database and file servers belong in the internal network in order to be properly protected.
For what reasons might you want to consider providing users with hardware or software-based tokens that change every 30 seconds? (select 2 answers) To prevent brute-force password attacks To provide SSO capabilities across corporate applications To mitigate risks from users sharing their password To provide strong authentication to all internal and public web sites
AC. Tokens that change every 30 seconds provide a one-time code, which helps prevent brute-force attacks against passwords that tend to remain static for long periods. When paired with a password, these tokens also mitigate risk should one's password become compromised, discovered, or previously shared. The other party with the password would still require the one-time code. While such technology may be paired with SSO solutions, they in themselves do not provide SSO capabilities. Additionally, these tokens may be used on internal and external sites, but each site would need to specifically support that token type, and support your assigned token credential not making this feasible for all sites.
Which of the following are included within a digital certificate? (Choose all the correct answers.) User's public key User's private key Information about the user Digital signature of the issuing CA
ACD.
Which of the following algorithms are examples of a symmetric encryption algorithm? (Choose three correct answers.) Rijndael Diffie-Hellman RC6 AES
ACD. Because Rijndael and AES are now the same, they both can be called symmetric encryption algorithms. RC6 is symmetric, too. Answer B is incorrect because Diffie-Hellman uses public and private keys, so it is considered an asymmetric encryption algorithm.
You are tasked with configuring your web server with strong cipher suites. Which of the following should you choose as part of your cipher suite? (Choose three correct answers.) RSA RC4 AES SHA
ACD. RSA, AES, and SHA comprise a suite for strong key exchange, authentication, bulk cipher, and message authentication. Answer B is incorrect because RC4 is considered a weak bulk cipher.
Which of the following are the most compelling reasons that secure configuration baselines have been established? (Select 3 answers.) Industry standards Organizational requests Governmental mandates Regulatory bodies
ACD. Security baselines are often established by governmental mandate, regulatory bodies, or industry representatives - for example, think of the PCI requirements established by the credit card industry for businesses that collect and transact using credit information. Answer B is incorrect because organizational requests are merely requests, and security baselines are often established to comply with some type of regulation or standard.
Your CIO has asked you to provide reasons for conducting a vulnerability scan. Which of the following reasons should you provide to her? (select 2 answers) To identify system vulnerabilities To identify zero-day vulnerabilities To exploit system vulnerabilities in a non-intrusive manner To identify common misconfigurations
AD
You have been tasked with implementing Kerberos authentication. Which of the following ports will have to be open for client communication? (select 2 answers) UDP 88 TCP 25 UDP 49 TCP 88
AD. Kerberos is primarily a UDP protocol, although it falls back to TCP for large Kerberos tickets. Kerberos clients send UDP and TCP packets on port 88 and receive replies from the Kerberos servers. Port 88 is the standard port for Kerberos V5 for the KDC, and port 749 is used for the administrative server. TCP port 25 is used for SMTP. UDP port 49 is used for TACACS.
You have been tasked with ensuring the safety of stored passwords. Which of the following are KDFs that you might choose to provide protection against brute-force attacks of stored passwords?Select 2 answers. PBKDF2 AES RIPEMD Bcrypt
AD. PBKDF2 and Bcrypt are key derivation functions that are known for their capability to perform key stretching.
It is imperative for employees to use removable drives due to the nature of business. Which of the following is the best way to secure organizational data that is taken outside of the managed environment? Implement AppLocker Require drive encryption Require employees to use company-issued drives Implement a GPO to only allow approved devices on the network
B
Which of the following keys get placed into key escrow? Shared Private Public Revoked keys
B
An organization that operates a small web-based photo backup business is evaluating single points of failure. The organization has three servers, four switches, and 100 client systems. Which of the following is the most likely component(s) to be the single point of failure? Servers ISP connection Client systems Switches
B.
Which of the following is not true about the expiration dates of certificates? Certificates may be issued for a week. Certificates are issued only at 1-year intervals. Certificates may be issued for 20 years. Certificates must always have an expiration date.
B.
Which one of the following best describes diffusion? A principle that the plain-text input should be significantly changed in the resulting cipher text A principle that if the plain text is changed, no matter how minor, then at least half of the cipher text should change A principle that states only secrecy of the key provides security A key stretching technique in which a password is used as part of a KDF
B.
Wired traffic must be encrypted because there is concern about protecting the security of login and password information for internal high-level users. Which technology should you implement? DMZ VPN VLAN NAT
B. A VPN concentrator can be used internally to encrypt WLAN or wired traffic, where there is concern about protecting the security of login and password information for high-level users and sensitive information. Answer A is incorrect because a DMZ is a small network between the internal network and the Internet that provides a layer of security and privacy. Answer C is incorrect because the purpose of a VLAN is to unite network nodes logically into the same broadcast domain, regardless of their physical attachment to the network. Answer D is incorrect because NAT acts as a liaison between an internal network and the Internet.
As a member of the healthcare industry, an organization is interested in a cloud environment that can increase cross-organizational and collaborative processes. Which of the following would be the appropriate cloud model for the organization? IaaS Community cloud Hybrid cloud PaaS
B. A community cloud is best suited for organizations that want to increase cross-organizational or collaborative processes when in-house implementation is not possible due to conditions such as geographically distributed participants, fluctuating resource requirements, or resource limitations. Infrastructure as a Service (IaaS) delivers the computer infrastructure in a hosted service model over the Internet. A hybrid cloud environment is the best choice when an organization offers services that need to be configured for diverse vertical markets or wants to use a SaaS application, but is concerned about security. Platform as a Service (PaaS) delivers a computing platform (often an operating system with associated services) over the Internet without downloads or installation.
Which of the following types of certificates is the quickest to acquire and the least expensive? EV DV OV SAN
B. A domain validation (DV) certificate includes only the domain name. DV certificates are inexpensive and quick to acquire, so if trust is important or a public-facing website is desired, organizations should consider another type of validated certificate. An extended validation (EV) certificate provides a high level of trust and security features, including protection against phishing attacks. EV certificates require a comprehensive validation of the business; this can take a few weeks to acquire. Organizational validation (OV) certificates require a more manual review and verification process than DV certificates; this can take days to process. SAN is a special certificate type that provides for the use of multiple domain names or even IP addresses within a single certificate.
Which of the following represents the primary function of a firewall for an organization's network? To allow multiple external users to access internal network resources using secure features that are built into the device To mitigate threats by monitoring all traffic entering or leaving a network To analyze data, identify attacks, and respond to the intrusion by sending alerts None of the above
B. A firewall is the first line of defense for the network. The primary function of a firewall is to mitigate threats by monitoring all traffic entering or leaving a network. A VPN concentrator is used to allow multiple external users to access internal network resources using secure features that are built into the device. Intrusion detection systems are designed to analyze data, identify attacks, and respond to the intrusion by sending alerts. They differ from firewalls, which control the information that gets into and out of the network: an IDS also can identify unauthorized activity.
If the organization requires a firewall feature that controls network activity associated with DoS attacks, which of the following safeguards should be implemented? Loop protection Flood guard Implicit deny Port security
B. A flood guard is a firewall feature to control network activity associated with DoS attacks.
Which of the following technologies is a removable or external device used in asymmetric encryption? UEFI HSM Secure boot SEDs
B. A hardware security module (HSM) is a removable or external device used in asymmetric encryption. Unified Extensible Firmware Interface (UEFI) is a newer version of BIOS. The premise behind secure boot is that the PC will boot using only trusted software from the PC manufacturer; secure boot is basically an extension of UEFI. Self-encrypting drives (SEDs) automatically encrypt all data on the drive, preventing attackers from accessing the data through the operating system.
An iris scanner that is used to authenticate into a computer system is an example of which of the following types of controls? Physical Logical Deterrent Corrective
B. A logical control is a technical control put in place that is executed by technical systems. These include logical access control systems, such as biometric iris scanners, as well as security systems, encryption, and data classification solutions. Physical controls pertain to facility design details, including layout, doors, guards, locks, and surveillance systems. Deterrent controls are intended to discourage individuals from intentionally violating information security policies or procedures. Corrective controls are reactive and provide measures to lessen harmful effects or restore the system being impacted.
What type of interoperability agreement outlines the terms and details of an agreement between parties, including each party's requirements and responsibilities? BPA MOU ISA SLA
B. A memorandum of understanding (MOU) is a document that outlines the terms and details of an agreement between parties, including each party's requirements and responsibilities. A business partner agreement (BPA) is a contract that establishes partner profit percentages, partner responsibilities, and exit strategies for partners. An interconnection security agreement (ISA) is an agreement between organizations that have connected or shared IT systems. A service level agreement (SLA) is a contract between a service provider and a customer that specifies the nature of the service to be provided and the level of service that the provider will offer to the customer.
Which certificate-based authentication method is a contactless smart card used to identify civilian users who work for the federal government? CAC PIV NIST None of the above
B. A personal identity verification (PIV) card is a contactless smart card used to identify federal employees and contractors. A smart card becomes a common access card (CAC) if it is used by the U.S. Department of Defense; a CAC is for DoD users. Civilian users who work for the federal government use PIV cards. NIST developed the standard Personal Identity Verification (PIV) of Federal Employees and Contractors, published as Federal Information Processing Standards (FIPS) Publication 201.
The organization is implementing a technology solution to help protect against web-based attacks. Which of the following devices or methods is most likely being implemented? Network firewall Web application firewall Application whitelisting A DLP solution
B. A web application firewall is software or a hardware appliance used to protect the organization's web server from attack. A web application firewall can be an appliance, server plug-in, or filter that is used specifically for preventing execution of common web-based attacks such as Cross-Site Scripting (XSS) and SQL injection on a web server. A network firewall filters network traffic. Application whitelisting is used for preventing users and attackers from executing unauthorized applications. DLP products are used to identify confidential or sensitive information through content analysis.
Advanced malware tools use which of the following analysis methods? Static analysis Context based Signature analysis Manual analysis
B. Advanced malware tools use behavior- and context-based detection methods instead of signature-based methods. Advanced malware tools tend to be complex enterprise solutions that are built to protect organizations before, during, and after a malware attack. Therefore, static, signature, and manual analysis methods are not effective, making answers A, C, and D incorrect.
An organization wants to be sure that certain application data is protected. Which of the following fulfills this requirement? Blacklisting Encryption Lockout Whitelisting
B. Application encryption is used to encrypt sensitive information stored by the app or to limit content accessibility to users who have the appropriate access key.
Which of the following is the first step to follow when performing an overall risk assessment? Determine the risk. Identify threats. Determine the magnitude of the impact. Identify vulnerabilities.
B. Assessing risk is largely a function of threat, vulnerability, and impact. However, an important factor must be considered between the threat and the vulnerability: the likelihood that a threat will occur to exploit a vulnerability. As a result, the overall risk assessment consists of the following five steps: 1) Identify threats; 2) Identify vulnerabilities; 3) Determine the likelihood of occurrence; 4) Determine the magnitude of the impact; and 5) Determine the risk.
You are required to check user permissions for the finance group that includes specific registry keys. Which of the following should you choose? Content filter Audit user permissions HTTPS DNS
B. Auditing user permissions identifies access violations and issues. Tools such as AccessChk show the permissions specific users and groups have for files, folders, registry keys, Windows services, and other objects. Answer A is incorrect because content filters are used to control Internet content that is available for use in the organizational environment. Answer C is incorrect because HTTPS helps prevent malicious users from capturing clear-text passwords. Answer D is incorrect because DNS is used to resolve IP addresses and domain names.
Which one of the following is not true regarding DER-encoded certificates? They are binary encoded. They include the BEGIN CERTIFICATE header. The .cer and .crt extensions can be used instead of .der. They are common to Java platforms.
B. Because they are binary encoded and not Base64 ASCII, DER certificates cannot be edited with a text editor and do not contain such text, as PEM certificates do, for example. Answers A, C, and D are incorrect because these are all true of DER-encoded certificates.
You have been tasked with testing the strength of user passwords. Which of the following tools is the best choice to help accomplish this task? Metasploit Brutus Nmap OpenPuff
B. Brutus is a common password cracker. Password crackers are software utilities that allow direct testing of user logon password strength by conducting a brute force password test using dictionary terms, specialized lexicons, or mandatory complexity guidelines. Answer A is incorrect because Metasploit is an exploitation framework. Answer C is incorrect because Network Mapper (Nmap) is a network scanning tool used for locating network hosts, detecting operating systems, and identifying services. Answer D is incorrect because OpenPuff is a common steganography tool.
Which of the following statements is true when comparing CCMP and TKIP? TKIP is more resource intensive than CCMP, but it supports longer keys. CCMP is more resource intensive than TKIP, but it supports longer keys. CCMP is less resource intensive than TKIP, and it supports longer keys. TKIP is less resource intensive than CCMP, and it supports longer keys.
B. CCMP replaced TKIP with the introduction of WPA2, providing for much longer keys and more advanced security. Although CCMP is more resource intensive, modern systems can handle the additional resources required.
Buffer overflows, format string vulnerabilities, and utilization of shell escape codes can be mitigated by using which of the following practices to test an application? Fuzzing Testing Input validation Browser initiated token request
C
Which of the following asymmetric cryptographic algorithms is a U.S. standard for the generation and verification of digital signatures to ensure authenticity? D-H DSA El Gamal PGP
B. Digital Signature Algorithm (DSA) is a U.S. standard for the generation and verification of digital signatures to ensure authenticity. The Diffie-Hellman key exchange (D-H) is an early key exchange design in which two parties, without prior arrangement, can agree on a secret key that is known only to them. El Gamal works as an extension to the Diffie-Hellman design. Pretty Good Privacy (PGP) encrypts and decrypts email messages using asymmetric encryption schemes.
Which form of access control enables data owners to extend access rights to other logons, such as online social network users choosing who can access their data? MAC DAC RBAC ABAC
B. Discretionary access control (DAC) systems enable data owners to extend access rights to other logons. A common scenario for DAC is online social network users choosing who can access their data. Mandatory access control (MAC) systems require assignment of labels to extend access. Both RBAC access control forms rely on conditional assignment of access rules either inherited (role-based) or by environmental factors such as time of day or secured terminal location (rule-based). Attribute Based Access Control (ABAC) is a logical access control model that the Federal Identity, Credential, and Access Management (FICAM) Roadmap recommends as the preferred access control model for information sharing among diverse organizations.
Because of seasonal business fluctuations, an organization uses cloud environments to purchase resources for a short period of time based on demand. Which of the following terms best describes this principle? Snapshots Elasticity Scalability Server redundancy
B. Elasticity is most often found in cloud environments where resources can be purchased for a short period of time, based on demand, and then deleted when they are no longer needed. Answer A is incorrect because a snapshot preserves the entire state and data of the virtual machine at the time it is taken. Answer C is incorrect because scalability is the capacity to expand the amount of production from the current infrastructure without negatively impacting performance.
Which of the following physical topologies for load balancers acts as a Layer 3 device and routes traffic flows between clients and servers? Single VLAN one-armed mode Routed mode One-armed mode None of the above
B. Generally, web and application load balancers are often placed parallel to firewalls. The load balancer is placed in front of web and application servers to maximize availability, security, and application acceleration. There are three possible physical topologies. Routed mode acts as a Layer 3 device and routes traffic flows between clients and servers. Single VLAN one-armed mode resides on the same network as the actual servers and clients. One-armed mode is implemented off to the side of the data/network layer infrastructure, and receives only traffic that is specifically destined for it. (ch. 14)
Which of the following types of antivirus scanning looks for instructions or commands that are not typically found in application programs? Manual Heuristic Static Pattern matching
B. Heuristic scanning looks for instructions or commands that are not typically found in application programs. Therefore, manual, static, and pattern matching analysis methods do not perform this function, making answers A, C, and D incorrect.
Which of the following technologies protects hosts against known and unknown malicious attacks from the network layer up through the application layer? NIDS HIPS NIPS HIDS
B. Host intrusion prevention systems (HIPS) are a necessity in any enterprise environment. HIPS protects hosts against known and unknown malicious attacks from the network layer up through the application layer. Network intrusion detection systems (NIDS) examine data traffic to identify unauthorized access attempts and generate alerts. Network intrusion prevention systems (NIPS) are intended to provide direct protection against identified attacks. Host-based IDS (HIDS) solutions involve processes running on a host monitoring event, application logs, port access, and other running processes to identify signatures or behaviors that indicate an attack or unauthorized access attempt.
According to industry professionals, U.S. hospitals currently average how many connected medical devices per hospital bed? 5 to 8 10 to 15 20 to 25 30 to 35
B. If an attacker were able to exploit a vulnerability in a medical device and laterally move within the network, sensitive medical records could be at risk. According to industry professionals, U.S. hospitals currently average 10 to 15 connected devices per bed, amounting to 10 million to 15 million medical devices.
An organization wants to use a service provider to implement processes for the organization such as identity and access management (IAM) and encryption. Which of the following should the organization choose? IaaS SecaaS DRaaS SaaS
B. In SecaaS, a security service provider uses a subscription-based model to implement security for the organization. SecaaS providers offer a wide variety of security services, including but not limited to identity and access management (IAM), email security, and encryption. Answer A is incorrect because IaaS is a cloud computing model in which hardware, storage, and networking components are virtualized and provided by an outsourced service provider. Answer C is incorrect because DRaaS is the replication and hosting of physical or virtual servers by a third party to provide failover in case of a man-made or natural catastrophe. Answer D is incorrect because SaaS is a cloud computing model in which software applications are virtualized and provided by an outsourced service provider.
Which of the following methods of cloud computing allows the client to literally outsource everything that would normally be in a typical IT department? SaaS IaaS PaaS DaaS
B. Infrastructure as a Service (IaaS) is the delivery of computer infrastructure in a hosted service model over the Internet. This method of cloud computing allows the client to literally outsource everything that would normally be in a typical IT department. Saas is incorrect because Software as a Service (SaaS) is the delivery of a licensed application to customers over the Internet for use as a service on demand. Platform as a Service (PaaS) is the delivery of a computing platform, often an operating system with associated services, that is delivered over the Internet without downloads or installation. Desktop as a Service (DaaS), also called virtual desktop or hosted desktop services, is the outsourcing of a virtual desktop infrastructure (VDI) to a third-party service provider.
Which one of the following is a best practice to prevent code injection attacks? Session cookies Input validation Implementing the latest security patches Using unbound variables
B. Input validation is the one of the most important countermeasures to prevent code injection attacks. Answer A is incorrect because session cookies pertain to maintaining state within a visit to a website. Answer C is incorrect because, although ensuring that systems are patched is a good practice, it is not specifically a best practice to prevent code injection attacks. Answer D is incorrect because proper input validation to prevent code injection relies on bound variables.
In which of the following are attestation challenges from computed hashes of system or application information used to obtain confidence in the trustworthiness and identity of a platform or software? Application baselines Integrity measurement Staging environments Sandboxing
B. Integrity measurement is a method that uses attestation challenges from computed hashes of system or application information to obtain confidence in the trustworthiness and identity of a platform or software. Answer A is incorrect because application baselining is similar to operating system baselining: It provides a reference point for normal and abnormal activity. Answer C is incorrect because a staging environment is primarily used to unit test the actual deployment of code. Answer D is incorrect because the basic idea of sandboxing is to provide a safe execution environment for untrusted programs.
Lynn needs access to the Accounting order-entry application but keeps getting an error that indicates inadequate access permissions. Bob assigns Lynn's account to the Administrator's group to overcome the error until he can work on the problem. Which access control constraint was violated by this action? Implicit deny Least privilege Separation of duties Account expiration
B. Least privilege is a principle of assigning only those rights necessary to perform assigned tasks. By making Lynn a member of the Administrators group, Bob not only bypassed the application's access control protocols, but may also have granted Lynn access to additional application features or administrative-only tools that often lack the same safeguards as user-level APIs. The default assignment of an implicit denial is overridden by explicit grants of access aids in protecting resources against accidental access, and is not directly violated by this action because Lynn's account now has full Administrator rights assigned. Separation of duties is focused on ensuring that action and validation practices are performed separately. Account expiration protocols ensure that individual accounts do not remain active past their designated lifespan, but Lynn's account is current and enabled so is unaffected.
Which of the following token-based solutions is considered the most secure? OTP TOTP HOTP OATH
B. TOTP passwords keep changing and are valid for only a short period of time. Because of this difference, TOTP is considered to be more secure. Answer A is incorrect because one-time passwords (OTPs) are passwords that can be only used one time. The term is too generic since because the two main standards for generating OTPs are TOTP and HOTP. Answer C is incorrect because HOTP passwords can be valid for an unknown amount of time, making it less secure than TOTP. Answer D is incorrect because OAUTH is the Initiative for Open Authentication that governs TOTP and HOTP.
Which of the following is a social engineering attack that is executed by someone masquerading as a trustworthy entity via electronic communication, usually email? Tailgating Phishing Hoax Impersonation
B. Phishing is an attempt to acquire sensitive information by masquerading as a trustworthy entity via electronic communication, usually email. Tailgating is a simple yet effective form of social engineering that involves piggybacking or following closely behind someone who has authorized physical access within an environment. Hoaxes are events that are not real, but can manifest themselves in a way causing unnecessary fears and irrational behavior. Impersonation is simply a method in which someone assumes the character or appearance of someone else.
How do relationship and capability pertain to understanding specific threat actors? They indicate the likelihood of vulnerabilities being discovered. They are characteristics associated with building a threat profile. They describe attributes that apply equally to all threats. They are the two most important attributes when analyzing threat actors.
B. Relationship and capability are characteristics that can be attributed to threat actors. Other common attributes include motive and intent, both of which are associated with building a threat profile. Answer A is incorrect because these do not pertain to the discovery of vulnerabilities. Answer C is incorrect because each attribute varies, based on specific threat actors. Answer D is incorrect because threat actors and overall risk are unique to each organization.
Which of the following is considered best practice when formulating minimum standards for developing password policies? Password length set to six characters Required password change at 90 days Maximum password age set to 0 Account lockout threshold set to 0
B. Require users to change passwords every 90 to 180 days, depending on how secure the environment needs to be. Remember that the more often users are required to change passwords, the greater the chance that they will write them down, potentially exposing them to unauthorized use. Answer A is incorrect because making the password length at least eight characters and requiring the use of combinations of uppercase and lowercase letters, numbers, and special characters is good practice.
Which of the following protocols is used to secure email? SFTP S/MIME SNMP SSH
B. S/MIME is a widely accepted technology for sending digitally signed and encrypted messages that provides authentication, message integrity, and nonrepudiation for email.
An organization that relies heavily on cloud and SaaS service providers, such as Salesforce.com, WebEx, or Google, would have security concerns about which of the following? TACACS+ SAML LDAP OpenID Connect
B. SAML (Security Assertion Markup Language) is an Extensible Markup Language (XML) framework for creating and exchanging security information between online partners. The weakness in the SAML identity chain is the integrity of users. To mitigate risk, SAML systems need to use timed sessions, HTTPS, and SSL/TLS. Answer A is incorrect because the TACACS+ protocol provides authentication and authorization in addition to accounting of access requests against a centralized service for authorization of access requests. Answer C is incorrect because LDAP is used for directory services. Answer D is incorrect because OpenID Connect uses a JSON Web Token (JWT) for authentication.
You are implementing a network solution to detect emerging threats and improve overall security by defining events of interest (EOI) and resulting actions. Which of the following best describes this type of technology? DLP SIEM NAC VPN
B. SIEM output is used in a proactive manner to detect emerging threats and improve overall security by defining events of interest (EOI) and resulting actions. The purpose of SIEM is to turn a large amount of data into knowledge that can be acted upon. DLP systems are basically designed to detect and prevent unauthorized use and transmission of confidential information. The premise behind NAC is to secure the environment by examining the user's machine and then grant (or not grant) access accordingly. It is based on assessment and enforcement. Implementing a VPN concentrator allows multiple external users to access internal network resources using secure features.
Which of the following is not a certificate trust model for arranging Certificate Authorities? Bridge CA architecture Sub-CA architecture Single-CA architecture Hierarchical CA Architecture
B. Sub-CA architecture does not represent a valid trust model. Answers A, C, and D all represent legitimate trust models. Another common model is cross-certification; however, implementing a bridge architecture usually makes more sense than using this type of model.
Attackers used the university's own vending machines to attack the university's network. This is an example of which of the following security concerns? SCADA IoT SoC UAV
B. The Internet of Things (IoT) is described as the enabling of embedded system devices or components to interact with physical devices for the collection and exchange of data. Supervisory control and data acquisition (SCADA) systems and industrial control systems (ICS) include critical infrastructure systems such as networks related to manufacturing, logistics and transportation, energy and utilities, telecommunication services, agriculture, and food production. System-on-a-chip (SoC) technology is found in many of our electronic devices and is basically a hardware module in a small form factor. Unmanned Aerial Vehicles (UAVs), or drones, are most often used for aerial photography, surveillance, and surveying.
Which of the following best describes the Policy Decision Point (PDP) component of AAA functions? Data holder Final decision maker Authenticator Auditor
B. The Policy Decision Point (PDP) is responsible for making the final decision on whether to grant access to the client The PEP enforces the conditions of the client's access. Answer A is incorrect because the Policy Information Point (PIP) holds data relevant to the decision of whether to grant access to the client. Answer C is incorrect because the Policy Enforcement Point (PEP) is the authenticator. Answer D is incorrect because the accounting and reporting system tracks the client network usage and reports the "who, what, where, when, and why."
Which type of fire extinguisher is best for putting out burning wires? Water Carbon dioxide Sodium chloride Copper powder
B. The carbon dioxide extinguisher replaces the halon extinguisher for putting out electrical (Class C) fires. Answer A is incorrect because water is used for Class A fires (trash, wood, and paper). Answers C and D are incorrect because both sodium chloride and copper-based dry powder extinguishers are used for Class D (combustible materials) fires.
An organization has a large number of remote employees that are treated like contractors. Which of the following is the best VPN solution? Full tunnel Split tunnel Site-to-site Always-on
B. The choice to use split tunneling is made mainly to reserve bandwidth while the users are on the Internet and to reduce the load on the VPN concentrator, especially when the organization has a large remote workforce. Split tunneling can also be useful when employees are treated as contractors on client sites and require access to both employer resources and client resources. Full tunnel works exactly as it implies; all requests are routed and encrypted through the VPN. Site-to-site VPNs are implemented based on IPsec policies assigned to VPN topologies and connect entire networks to each other. Instead of depending on the user to establish a VPN connection, the always-on VPN client immediately and automatically establishes a VPN connection when an Internet connection is made.
An organization is implementing a client-side web application using OAuth 2.0. Which of the following grant types would be used? Authorization code Implicit Password credentials Client credentials
B. The implicit grant type is used for client-side web applications. This grant type doesn't have a server-side component. The authorization code grant type is used for server-side applications. The password credentials grant type is used for first-class web applications or mobile applications. The client credentials grant type is used for application code to allow an application to access its own resources. ch. 23
Which phase of the incident response process includes notifying the proper individuals and teams, according to procedures defined in the incident response program? Preparation Identification and analysis Containment, eradication, and recovery Post-incident activities
B. The incident response process consists of four primary phases: 1) preparation; 2) identification and analysis; 3) containment, eradication, and recovery; and 4) post-incident activities. The identification and analysis phase includes notifying the proper individuals and teams, according to procedures defined in the incident response program.
A user calls the help desk saying that his machine is acting strange and appears unresponsive at times. This activity started happening after he downloaded and installed a new PDF reader. Which of the following can be used to determine if there is a problem with the user's machine? DEP File integrity checker Web application firewall Internet content filter
B. The primary purpose of a file integrity checker is to detect when a file has been improperly modified. Often, a file integrity checker is included as part of an IDS.
Which of the following is included in a BYOD, CYOD, or COPE policy? Key management None of the above Credential management Transitive trusts
B. When formulating a BYOD, CYOD, or COPE policy, the organization should clearly state who owns the data stored on the device, specifically addressing what data belongs to the organization. Answer A is incorrect because key management is intended to provide a single point of management for keys and to enable users to both manage the life cycle of keys and store them securely; it also makes key distribution easier. Answer C is incorrect because the use of credentials is to validate the identities of users, applications, and devices. Answer D is incorrect because transitive trusts enable decentralized authentication through trusted agents.
Which key element provided by nonrepudiation services ensures that the client gets proof that the data (or authentication) has been received correctly? Proof of submission Proof of receipt Proof of origin Proof of delivery
B. With proof of receipt, the client gets proof that the data (or authentication) has been received correctly. With proof of submission, the client gets proof that the data (or authentication) has been sent. With proof of origin, the host gets proof that the client is the originator of particular data or an authentication request from a particular time and location. With proof of delivery, the client gets proof that the data (or authentication) has been received. (ch. 34)
Your security team informs you that malware is spreading through email and the network, and is not attaching itself to any file or programs. What type of malware is this? Virus Worm Spyware Logic bomb
B. Worms are similar in function and behavior to a virus, with one exception: Worms are self-replicating and do not need a host file. Spyware is undesirable code that sometimes arrives with commercial software distributions. Spyware is associated with behaviors such as advertising, collecting personal information, and changing your computer configuration without first obtaining consent. A logic bomb is a virus or Trojan horse designed to execute malicious actions when a certain event occurs or after a certain period of time. For a virus to be considered a logic bomb, the user of the software must be unaware of the payload.
As the software QA manager, you have been told that applications are suffering from improper error handling. What impacts are likely being seen as a result? (select 2 answers) An attacker is immediately able to gain control of the system. Data is being disclosed to end users, providing sufficient information to attempt to further attack the system. Diagnostic information sensitive to the inner workings of the system has been revealed. The attacker was able to inject a script for remote execution.
BC.
Which of the following are used as a most basic form of security in handheld devices? (Choose two correct answers.) Encryption PIN Passcode Fingerprint biometrics
BC. PINs/passcodes and pattern locks are used as a most basic form of security and a first line of defense. Answer A is incorrect because mobile device encryption is difficult to implement. Answer D is incorrect because fingerprint biometrics require additional internal hardware.
Which of the following are steps an organization can take to be sure compliance and performance standards are met in third-party or partner agreements? (Select two correct answers.) Implement an acceptable use policy Take appropriate action if the relationship presents elevated risk Review third-party arrangements and performance annually Sign a data ownership agreement
BC. Some additional steps an organization can take to ensure that compliance and performance standards are met include approving and reviewing third-party arrangements and performance annually, maintaining an updated list of all third-party relationships and reviewing the list periodically, taking appropriate action with any relationship that presents elevated risk, and reviewing all contracts for compliance with expectations and obligations. Answer A is incorrect because an acceptable use policy is geared toward terms a user must agree to follow to be provided with access service. Answer D is incorrect because a data ownership agreement is an agreement that some cloud service providers offer that specifically identifies the data owner and outlines ownership of relevant data.
Which of the following access control methods would be used to manage the access permissions on a large number of users in large, complex enterprises?Select 2 answers. Rule-based access model Group-based access model Role-based access model User-based security model
BC. The role/group-based model is best for large, complex enterprises because each group can have associated access rights that are inherited by individuals and other groups assigned to that group. In a rule-based access control solution, access rights may vary by account, by time of day, or through other forms of conditional testing. In a user-based security model, permissions are uniquely assigned to each account. One example of this is a peer-to-peer network or a workgroup where access is granted based on individual needs.
Which of the following is necessary to implement an effective BYOD, CYOD, or COPE program? (Choose two correct answers.) Key management Legal considerations Infrastructure considerations Storage limitations
BC. To establish an effective BYOD, CYOD, or COPE program, all legal concerns should be addressed before program implementation. Implementing a BYOD, CYOD, or COPE program requires planning and understanding infrastructure considerations, such as the access methods and device management options for the devices. Answer A is incorrect because key management is intended to provide a single point of management for keys and to enable users to both manage the life cycle of keys and store them securely; it also makes key distribution easier. Answer D is incorrect because storage limitations are not a primary consideration in BYOD, CYOD, or COPE.
Which of the following are uses for proxy servers? (Choose 3 answers.) Intrusion detection Internet connectivity Load balancing Web content caching
BCD. You can place proxy servers between the private network and the Internet for Internet connectivity or internally for web content caching. If the organization is using the proxy server for both Internet connectivity and web content caching, you should place the proxy server between the internal network and the Internet, with access for users who are requesting the web content. In some proxy server designs, the proxy server is placed in parallel with IP routers. This facilitates network load balancing by forwarding all HTTP and FTP traffic through the proxy server and forwarding all other IP traffic through the router. Answer A is incorrect because proxy servers are not used for intrusion detection.
Which of the following can result from the exploitation of a BIOS vulnerability? (Select 2 correct answers.) Hard drive failure occurs System cannot boot System locks up Denial of service occurs
BD. A vulnerability in the BIOS can allow local users to cause a denial of service and result in the system not booting. Answer A is incorrect because a hard drive failure has to do with the hard disk itself and nothing to do with the BIOS. Answer C is incorrect because system lockup implies that the machine was already booted; this is associated more with attacks that happen after the machine is up and running.
Which of the following is considered good practice for separation of development and test environments? (Select two correct answers.) Different physical locations Firewall VPN VLAN
BD. In a physical isolation environment, a firewall normally separates the environments from each other and the outside world. In VLAN segmentation, VLANs are often mapped into security zones. Traffic between zones must pass through a firewall, which enforces the segmentation rules between the environments. Answer A is incorrect because physical separation, unless air gapped, does not guarantee that the two environments cannot access each other. Answer C is incorrect because a VPN is used for remote access.
Which of the following parties typically are notified first when a confirmed incident has occurred? (Select two correct answers.) Press CISO End users Legal
BD. The exact reporting requirements vary among organizations, but parties that are typically notified include the Chief Information Officer (CIO), Chief Information Security Officer (CISO), other internal incident response team members, human resources officers, public affairs personnel, the legal department, and law enforcement officers, when necessary. Answer A is incorrect because the press is not normally notified when an incident occurs. Answer C is incorrect because the users are not normally notified initially when an incident occurs.
A Windows system is software DEP enabled. An attacker runs an exploit that injects code into a program, and the program uses known memory space. What will the result be? The code will run with limited functionality. The machine will automatically blue screen and shutdown. The malware will be blocked from running the injected code. The malware code will run because it was injected into a known process.
C.
Which standard port is used to establish a web connection using the 40-bit RC4 encryption protocol? 21 80 443 8250
C. A connection using the HTTP protocol over SSL (HTTPS) is made using the RC4 cipher and port 443. Answer A is incorrect because port 21 is used for FTP connections. Answer B is incorrect because port 80 is used for unsecure plain-text HTTP communications. Answer D is incorrect because port 8250 is not designated to a particular TCP/IP protocol.
An organization is interested in using a vendor SaaS application but is concerned about the lack of cloud security. What type of cloud architecture is the most appropriate? Public Private Hybrid Community
C. A hybrid cloud environment is the best choice when an organization offers services that need to be configured for diverse vertical markets or wants to use a SaaS application but is concerned about security. Answer A is incorrect because using a public cloud increases concern about security. Answer B is incorrect because a private cloud does not allow the public vendor SaaS implementation. Answer D is incorrect because a community cloud provides collaborative business processes in a cloud environment.
The organization maintains an unsecured lab environment that operates on a part-time basis. Which of the following methods would be the most effective method to physically secure computers and laptops that are used in the lab? Security cables Server cages Locking cabinets Hardware dongle
C. A locked cabinet is an alternative for equipment that is not used or that does not have to be physically accessed on a regular, daily basis. Vendors provide solutions such as a security cabinet locker that secures CPU towers. The housing is made of durable, heavy-duty steel for strength. Security cables with combination locks can provide such security and are easy to use, but are used mostly to secure laptops and leave the equipment exposed. Server cages are designed to bolt to the floor and are meant to be in an environment that is static. A hardware lock dongle is used for license enforcement.
You have numerous partnerships with business customers to help manage their trade secrets. Because of some software issues, you need to involve a third party to help debug code. Which of the following should you FIRST consider before sending sensitive data or having the third party gain access? Encrypting all potentially sensitive data Having the third party helping you to debug code sign an NDA Potential violations under NDA with your business customers Ensuring that the third party helping to debug code has performed background checks on their employees
C. A nondisclosure agreement (NDA) is a legally binding document that organizations might require of both their own employees and anyone else who comes into contact with confidential information. This can include vendors, consultants, and contractors. The purpose of an NDA is to protect an organization's intellectual property and trade secrets. Encrypting data protects data confidentiality, but may still violate an NDA if the encrypted information is provided to a third party. Having the third party sign an NDA or ensuring the party has done background checks does not absolve one of their original responsibilities under the original NDA.
Which of the following software development environments is often implemented to reduce the risk of introducing issues upon final deployment? Development Testing Staging Production
C. A staging environment is often implemented to reduce the risk of introducing issues upon final deployment in the production environment. The development environment is used to consolidate and validate the project team's work so that it can be tested. During the testing phase, the code is tested to determine how it interacts with a normal environment. The production environment is the final stage in the process and is the actual "live" environment that will be running the code.
A user reports odd behavior with their computer while browsing the web. Specifically, the computer is running slower, their browser toolbar has been modified, and they are receiving random pop-ups. Which of the following is most likely the culprit? Macro virus RAT Adware Ransomware
C. Advertising-supported software, or adware, is another form of spyware that gives advertisers an online way to make a sale. Companies offer to place banner ads in their products. It's common for adware to change the browser behavior and install toolbars. Pop-ups from the browser or system is also a common symptom of adware, in addition to causing resource constraints on the affected system. A macro virus is inserted into a Microsoft Office document and emailed to unsuspecting users. A macro virus uses the macro language and executes when the document opens. A RAT describes a Trojan, which provides remote access into the infected system. Ransomware makes demands upon the user, typically by asking for money in exchange for allowing access to files which had been taken or encrypted.
You are tasked with implementing a network architecture design for a large data center. The design must improve switch visibility and redundancy while reducing overall costs. Which of the following will meet this requirement? SPAN ports TAPs Aggregation switches SSL accelerators
C. Aggregation switches are most often found in data centers or large networks. An aggregation switch is used in a manner similar to a load balancer. Essentially, aggregation takes the multitude of edge switch uplinks and aggregates them into higher-speed links. SPAN ports, also known as mirror ports, are used to access traffic moving through a SPAN-supporting network switch. Test Access Points (TAPs) are designed to copy the information in a network connection, thereby eliminating it as a point of failure in the network. SSL accelerators are devices that accept SSL connections from users and then send the connection to the server unencrypted.
Which of the following is associated with certificate issues? Unauthorized transfer of data Release of private or confidential information Algorithm mismatch error Prevention of legitimate content
C. An algorithm mismatch is associated with certificate issues. Answer A is incorrect because data exfiltration is the unauthorized transfer of data. A more basic definition is data theft. Answer B is incorrect because a data breach is the release of private or confidential information. Answer D is incorrect because prevention of legitimate content is associated with a misconfigured web content filter.
Which of the following is useful in preventing users and attackers from executing unauthorized applications but does not prevent malicious code from executing? DLP Patch management Application whitelisting Malware inspection filter
C. Application whitelisting is useful in preventing users and attackers from executing unauthorized applications, but it does not prevent malicious code from executing. Answer A is incorrect because DLP products identify confidential or sensitive information through content analysis.
In which of the following type of analysis might an examiner have difficulty proving that the evidence is original? Disk-to-image file Disk-to-disk image Big data Log files
C. Because big data is unstructured and located in diverse environments, the examiner might have difficulty proving that the evidence is original: The data has neither a validating hash nor a forensic image of the device. Answer A is incorrect because disk-to-image files are hashed to prove originality. Answer B is incorrect because disk-to-disk images are hashed to prove originality. Answer D is incorrect because when logs are needed as court evidence, organizations can collect copies of the original log files, the centralized log files, and interpreted log data.
Users returning from an event report that they had issues with their mobile devices, which included Bluetooth connection requests. After further investigation, you identify that many of the devices had been paired with an unknown device, which enabled unauthorized activity. What type of attack was this? Bluejacking Jamming Bluesnarfing Buffer overflow
C. Bluesnarfing allows for unauthorized access. This is usually preceded by bluejacking, which can generate messages that appear to come from the device itself. Users then follow prompts and establish an open Bluetooth connection to the attacker's device. When paired with the attacker's device, the user's device makes data available for unauthorized access, modification, or deletion, which is the more aggressive bluesnarfing. Jamming involves disrupting or interfering with a wireless signal. Buffer overflows cause disruption of service and lost data. This condition occurs when the data presented to an application or service exceeds the storage space allocation that has been reserved in memory for that application or service.
Which type of bridge is used in a network to interpret the routing information field (RIF) in the LAN frame header? Transparent spanning bridge Transparent basic bridge Source routing bridge Transparent learning bridge
C. Bridges are often used when two different network types need to be accessed. The source routing bridge interprets the routing information field (RIF) in the LAN frame header. The transparent spanning bridge contains a subnet of the full topology for creating a loop-free operation. The transparent basic bridge acts similarly to a repeater; it merely stores traffic until it can move on. The transparent learning bridge locates the routing location using the source and destination addresses in its routing table; as new destination addresses are found, they are added to the routing table. (ch. 7)
You are tasked with creating a secure server configuration and technology performance posture for the organization. Which of the following will best help you complete this task? The General Purpose Operating System Security Requirements Guide (SRG) The Operating System Security Requirements Guide CIS benchmarks SOX requirements
C. CIS benchmarks provide guidance on creating a secure configuration posture for an organization. Each CIS benchmark undergoes two phases of consensus review by subject matter experts and allows for feedback from the community. The General Purpose Operating System Security Requirements Guide (SRG) and the Operating System Security Requirements Guide are used as informational tools to improve the security of Department of Defense (DoD) systems. Sarbanes-Oxley (SOX) governs financial and accounting disclosure information.
Which of the following is a security technology that can prevent security threats from executing code on a system? HIDS File integrity checker DEP Heuristic scanning
C. Data execution prevention (DEP) is a security technology that can prevent security threats from executing code on a system. Host-based IDS (HIDS) solutions involve processes running on a host monitoring event, application logs, port access, and other running processes to identify signatures or behaviors that indicate an attack or unauthorized access attempt. The primary purpose of a file integrity checker is to detect when a file has been improperly modified. Heuristic scanning looks for instructions or commands that are not typically found in application programs.
Which of the following approaches to security is rooted in military strategy and requires a balanced emphasis on people, technology, and operations to maintain information assurance? Layered security Administrative controls Defense-in-depth Vendor diversity
C. Defense-in-depth is rooted in military strategy and requires a balanced emphasis on people, technology, and operations to maintain information assurance (IA). Layered security is based on the premise that implementing security at different levels or layers to form a complete security strategy provides better protection than implementing an individual security defense. Administrative controls consist of management constraints, operational procedures, and supplemental administrative controls established to provide an acceptable level of protection for resources. Vendor diversity is a business concept that requires a variety of suppliers for the purchase of goods and services for the organization.
Which of the following is used for penetrating testing and risk assessments? Honeypot Configuration compliance scanner Exploitation framework Banner grabbing
C. Exploitation frameworks are used for penetrating testing and risk assessments. Each exploitation framework contains a set of exploits for known vulnerabilities that are run against a host to determine whether the host is vulnerable to the exploit. Answer A is incorrect because honeypots are often used to identify the level of aggressive attention directed at a network and to study and learn from an attacker's common methods of attack. Answer B is incorrect because a configuration compliance scanner audits network device configurations against a set policy.
An organization is located in a geographical area that has inclement weather during six months of the year. As a result, there is a high rate of illness and minor injuries incurred by the employees. Which type of biometric authentication system would be the best choice for the organization? Fingerprint Voiceprint Facial recognition Retina
C. Facial recognition systems measure relative spacing between underlying features such as the bone structure and eye placement, requiring more than a minor injury to modify this biometric signature. Fingerprint signatures can be modified by minor cuts, abrasions, and exposure to chemicals. Both voiceprint and retinal signatures can be modified due to illness and injury.
The security administration has been tasked with implementing a solution in which organizational users can seamlessly and securely authenticate across Internet domains. Which of the following technologies would best meet this requirement? SSO Transitive trust Federation Multifactor authentication
C. Federation is a way to connect identity management systems together by allowing identities to cross multiple jurisdictions. Thus, accounts in one area can be granted access rights to any other resource, whether local or remote within the communicating domains. With Single Sign-On (SSO), a user can log in to multiple applications during a session while authenticating only once. A transitive trust occurs when a domain trust is configured so that any domain trusting Domain A will then trust all other domains that Domain A trusts. Multifactor authentication provides additional security because account access is no longer possible with only a password.
Which of the following methods is the most effective way to automate managing mobile devices, such as tracking inventory, changing configurations, updating, and enforcing policies? Mobile application management Onboarding Mobile device management Device access controls
C. Mobile device management (MDM) allows the enrollment of enterprise devices for management functions such as provisioning devices, tracking inventory, changing configurations, updating, managing applications, and enforcing policies. Mobile application management focuses on application management. Onboarding describes the process of registering an asset and provisioning the asset so that it can access the corporate network. Device access controls are used to control network access, not to manage devices.
An organization is looking to add a layer of security by maintaining strict control over the devices employees are approved to use. Which of the following fulfills this requirement? HIPS Encryption DLP Whitelisting
C. Most DLP solutions have the capability to control or manage removable media such as USB devices, mobile devices, email, and storage media. Answer A is incorrect because a HIPS protects hosts against known and unknown malicious attacks from the network layer up through the application layer. Answer B is incorrect because encrypting media devices does not provide the same functionality as the capability to control use of the media device.
You have been tasked with updating the current list of user workstations. The report must include the installed OS and open ports on the system. Which of the following tools is the best choice to help accomplish this task? Metasploit Brutus Nmap OpenPuff
C. Network Mapper (Nmap) is a network scanning tool used for locating network hosts, detecting operating systems, and identifying services. Nmap is most often used in security auditing, but it can also be useful for routine administrative tasks, such as monitoring host uptime or host inventory. Metasploit is an exploitation framework. Brutus is a password cracker. OpenPuff is a common steganography tool.
Which of the following is a use case for subscription services? Regulatory mandates that require accurate time stamping Arrangement of hosts into the different logical groups that isolate each subnet Network automation and data analytics Reduced risks during data exchanges
C. Network automation and data analytics subscription services are part of XaaS and are offered so that organizations do not have the expense of upgrading hardware and software. The organization pays a monthly fee for a certain number of users or devices, and the service provider takes care of the software or hardware requirements. Answer A is incorrect because timestamping is a time function, and this is a use case for NTP. Answer B is incorrect because splitting one network into two or more and using routers to connect each subnet is a function of subnetting and network address allocation. Answer D is incorrect because reducing risks during data exchanges is a common use case for the implementation of FTPS and SFTP.
Which of the following threat actor attributes is about the goal, which may be for example to destroy, steal, or disrupt by causing downtime? Relationship Motive Intent Capability
C. Relationship, motive, intent, and capability are attributes applied to varying threat actors. Intent is about the goal, which may be for example to destroy, steal, or disrupt by causing downtime. Relationships can be internal or external to the organization, such as a partner organization. Motive describes the drive or the reason for the attack, such as financial gain or ideological differences. Capability refers to the attacker's wherewithal, or for example, their technical ability, financial means, and political or social support.
Which of the following is used to create a user identity profile and get the necessary information required to describe the identity? Least privilege Offboarding Onboarding Recertification
C. Onboarding is the process for creating an identity profile and the necessary information required to describe the identity. Answer A is incorrect because least privilege is an access control practice in which a logon is provided only the bare minimum access to resources required to perform its tasks. Answer B is incorrect because offboarding is the process used when user identities that no longer require access to the environment are disabled or deactivated. Answer D is incorrect because access recertification is a more formal form of user access review.
Which of the following is one of the first steps that must be taken to provide a secure account access environment? Set user-assigned privileges Implement user access reviews Eliminate the use of shared accounts Initiate continuous account monitoring
C. One of the first steps that must be taken to provide a secure account access environment is to eliminate the use of shared accounts. Their use cannot be attributed to a particular user's credentials, which precludes the determination of specific access rights and audit of access use. Answers A, B, and D are incorrect because they should be considered after original configuration and after the shared accounts have been eliminated. Answer A is incorrect because, in a user-based model, permissions are uniquely assigned to each user account; this happens after any shared accounts are eliminated. This access type is also found in government and military situations, as well as in private companies where patented processes and trademark products require protection. Answer B is incorrect because user access reviews allow the identification of misapplied changes or other access control adjustments through direct assignment or inherited nesting of role access rights. This is done after accounts are created. Answer D is incorrect because the purpose of continuous monitoring is to ensure that the processes for user account provisioning, life cycle management, and termination are followed and enforced. This process happens after the accounts have been secured.
You are implementing network access to a new business partner that will work with the development team on a new product. Which of the following best mitigates risk associated with allowing this new partner access to the network? Log analysis ACLs NAC implementation VPN implementation
C. One the most effective ways to protect the network from malicious hosts is to use network access control (NAC). The premise behind NAC is to secure the environment by examining the user's machine and then grant (or not grant) access accordingly. It is based on assessment and enforcement. Logging is the process of collecting data to be used for monitoring and auditing purposes. Access control generally refers to the process of making resources available to accounts that should have access, while limiting that access to only what is required. Implementing a VPN does not separate the networks.
Which of the following type of control is a surveillance system? Logical control Technical control Physical control Management control
C. Physical controls form the outer line of defense against direct access to data, such as protection of backup media; secure output and mobile file storage devices; and facility design details such as layout, doors, guards, locks, and surveillance systems. Answer A is incorrect because logical controls are the same as technical controls. Answer B is incorrect because technical controls include logical access control systems, security systems, encryption, and data classification solutions. Answer D is incorrect because management and administrative controls include business and organizational processes and procedures, such as security policies and procedures, personnel background checks, security awareness training, and formal change management procedures.
How should you best plan to respond to incidents? Plan for every possibility regarding an incident. All possible incidents should be planned for and responded to in the same way. Plan strategies based upon broader categories of attack vectors. The focus of the plan should be on prevention rather than response.
C. Planning for every possible incident is impractical. Response strategies should be considered based on broader categories of attack vectors. While both prevention and response are important, it's becoming increasingly important to assume that one will be breached and to have a proper response. In addition, the incident response process specifically applies to response more than prevention.
An educational institution requires a secure solution that is capable of interfacing with state systems and other state-run universities. Which of the following is the best solution? OAuth SAML Shibboleth OpenID Connect
C. Shibboleth is a flexible solution because it is based on standards. Some federated systems are designed to work only when the identity provider and the service provider are in the same organization. Shibboleth, however, works across organizations. Answer A is incorrect because OAuth provides only authorization services; it does not support secure methods such as client verification, encryption, or channel binding. Answer B is incorrect because the main purpose of SAML is single sign-on for enterprise users; it has a weakness in handling the integrity of users. Answer D is incorrect because OpenID Connect is an identity layer based on OAuth 2.0 specifications used for consumer single sign-on.
A user called the help desk to report that his system is running slow, especially when browsing the Internet. The browser's home page has changed and unfamiliar web pages have been added to the favorites list. Which of the follow is most likely the culprit? Adware Ransomware Spyware Logic bomb
C. Spyware is software that communicates information from a user's system to another party. It can change a computer's configuration without first obtaining consent. Advertising-supported software, or adware, is a form of spyware that gives advertisers an online way to make a sale through the use of banner ads. Ransomware is specifically designed to find potentially valuable data on a system and encrypt it. This type of malware attempts to hold a user ransom, often for monetary gain. A logic bomb is a virus or Trojan horse designed to execute malicious actions when a certain event occurs or after a certain period of time.
System sprawl and lack of clear documentation of systems and software can have a negative impact on an organization. Which of the following is an example of one of these negative impacts? Lack of downtime Too many backups Unpatched software More resiliency to change
C. System sprawl and lack of clear documentation of systems and software can result in a loss of visibility and control, which can have negative impacts upon an organization. Examples include: unpatched software, weak configurations, poor access management controls, lack of backups, downtime, and less resiliency to change. Systems need to be managed to ensure operational efficiency and effective security practices.
Which of the following modes of operation for block ciphers offers both integrity and confidentiality and works in 128-bit blocks? Counter (CTR) Mode Cipher Block Chaining (CBC) Galois/Counter Mode (GCM) Electronic Codebook (ECB)
C. The Galois/Counter Mode (GCM) mode offers both integrity and confidentiality and works in 128-bit blocks. The Counter (CTR) Mode essentially turns a block cipher into a stream cipher. Cipher Block Chaining (CBC) is a commonly used mode that provides for confidentiality only, not integrity. Electronic Codebook (ECB) is a simple deterministic mode that divides the message into blocks and then encrypts each block on its own. ECB is not recommended for use because the same plain-text block is encrypted into the same cipher-text block each time.
Which of the following is the first step in the OCSP stapling process? The CA responds with the certificate status that includes a digitally signed time stamp. The client web browser verifies the signed time stamp. A TLS-encrypted web server presents its certificate to the CA to check the validity. The web server "staples" the CA's signed time stamp to the certificate when a client web browser connects.
C. The OCSP stapling process involves the following steps: 1) A TLS-encrypted web server presents its certificate to the CA to check the validity; 2) The CA responds with the certificate status that includes a digitally signed time stamp; 3) The web server "staples" the CA's signed time stamp to the certificate when a client web browser connects; 4) The client web browser verifies the signed time stamp. (ch. 37)
Which of the following best describes the Policy Enforcement Point (PEP) component of AAA functions? Data holder Final decision maker Authenticator Auditor
C. The Policy Enforcement Point (PEP) is the authenticator. The PEP enforces the conditions of the client's access. Answer A is incorrect because the Policy Information Point (PIP) holds data relevant to the decision of whether to grant access to the client. Answer B is incorrect because the Policy Decision Point (PDP) is responsible for making the final decision on whether to grant access to the client. Answer D is incorrect because the accounting and reporting system tracks the client network usage and reports the "who, what, where, when, and why."
Which form of access control dynamically assigns roles to users based on criteria that the data custodian or system administrator defines? MAC DAC RBAC ABAC
C. The designation RBAC is sometimes used to refer to rule-based access control in addition to role-based access control. Rule-based access control dynamically assigns roles to users based on criteria that the data custodian or system administrator defines. Mandatory access control (MAC) systems require assignment of labels to extend access. Discretionary access control (DAC) systems enable data owners to extend access rights to other logons. Attribute Based Access Control (ABAC) is a logical access control model that the Federal Identity, Credential, and Access Management (FICAM) Roadmap recommends as the preferred access control model for information sharing among diverse organizations.
Which of the following software development environments consolidates and validates the project team's work? Testing Production Development Staging
C. The development environment is used to consolidate and validate the project team's work so that it can be tested. During the testing phase, the code is tested to determine how it interacts with a normal environment. A staging environment is often implemented to reduce the risk of introducing issues upon deployment in the production environment. The production environment is the final stage in the process and is the actual "live" environment that will be running the code.
Which phase of the incident response process applies to how evidence is handled at the scene of an incident? Preparation Identification and analysis Containment, eradication, and recovery Post-incident activities
C. The incident response process consists of four primary phases: 1) preparation; 2) identification and analysis; 3) containment, eradication, and recovery; and 4) post-incident activities. The containment, eradication, and recovery phase includes the process by which evidence is handled at the scene, which is often much more important than the laboratory analysis work done later.
Which type of reporting mechanism would most likely be used to report a critical event that typically requires some type of immediate response? Alerts Trends Alarms None of the above
C. The purpose of an alarm is to report a critical event that typically requires some type of immediate response, such as a broken window that occurs after hours. An alert is similar to an alarm, but it is less critical and likely does not require an immediate response. For example, several failed logon attempts would likely generate an alert. Identifying and understanding trends is vital to detecting and responding to incidents. Furthermore, trends help prevent the unnecessary response to something that initially seems warranted but is actually not.
Which recovery site has only power, telecommunications, and networking active all the time? Hot site Cold site Warm site Shielded site
C. The warm site has basics such as power, networking, and telecommunications active all the time. Although alternate computers might be present, they are not loaded and operational as in a hot site, making answer A incorrect. Answer B is incorrect because a cold site generally includes only power and physical space when not in use. Answer D is incorrect because any of the recovery site types might or might not be shielded against electromagnetic interference.
Which of the following technologies is used in larger virtual environments, provides improved performance, and has superior management tools? Type II hypervisor VDI Type I hypervisor Virtual containers
C. Type I hypervisors offer better management tools and performance and are used in larger environments. Type II hypervisors tend to have better hardware compatibility because they use software-based virtualization. Virtual desktop infrastructure (VDI) is the server-based virtualization technology that hosts and manages the virtual desktops. Virtual containers only hold applications and follow the minimal requirements to run the application in the container package.
It has been reported that some clear-text passwords are being transmitted within your organization. Which of the following can mitigate this situation? Auditing of user permissions Content filtering HTTPS DNS
C. When an application or service stores or sends passwords in clear text, risk to the organization can be reduced by sending the credentials via an encrypted channel such as HTTPS. This helps prevent malicious users from capturing the clear-text passwords. Answer A is incorrect because auditing user permissions works for identifying access violations and issues. Answer B is incorrect because content filters are used to control Internet content that is available for use in the organizational environment.
The organization is faced with selecting a mobile device deployment model and needs to meet certain compliance requirements. The requirements are strict enough that the organization has to be able to control the installation of updates and disconnect devices from the network in case of a compromise or malware infection. Which of the following deployment models best fits the requirements? BYOD CYOD COPE VDI
C. With a corporate-owned, personally enabled (COPE) model, the devices are the organization's responsibility, so monitoring policies must be in place and devices must be kept up-to-date. As with corporate-owned devices, this deployment model allows the organization to disconnect devices from the network in case of a compromise or malware. Bring your own device (BYOD) allows many different devices on the network and the organization has no control over the software or applications users have installed. With choose your own device (CYOD), employees still have some control over the device because they are still responsible for the cost and maintenance of the device. Virtual desktop infrastructure (VDI) is the process by which an organization hosts virtual desktops on a centralized server. Generally, employees use a client app to securely connect to the virtual infrastructure that hosts a user's desktop.
An organization is looking for a mobile solution that will allow executives and employees to have some control over the device, because they are responsible for its cost and maintenance. Which of the following deployment models best fits the requirements? COPE BYOD CYOD UWYT
C. With choose your own device (CYOD), employees still have some control over the device because they are still responsible for the cost and maintenance of the device. With a corporate-owned, personally enabled (COPE) model, the devices are the organization's responsibility, so monitoring policies must be in place and devices must be kept up-to-date. Bring your own device (BYOD) allows many different devices on the network and the organization has no control over the software or applications users have installed. In the use what you are told (UWYT) model, the mobile devices available for use are predetermined. Users are issued a device based on corporate policy, which often depends on the role of the employee.
An organization is implementing a domain policy where the employees are primarily shift workers. Which of the following would be the best solution to implement? Mandatory password changes Increased account lockout time Time-of-day restrictions Software restriction policies
C. You can assign time-of-day restrictions as a means to ensure that employees are using computers only during specified hours. This setting is useful for organizations where users require supervision, security certification requires it, or employees are mainly temporary or shift workers. Mandatory password changes, increased lockout times, and software restriction policies affect all employees, not shift workers exclusively.
A web application firewall is software or a hardware appliance used to protect the organization's web server from attack. A web application firewall can be an appliance, server plug-in, or filter that is used specifically for preventing execution of common web-based attacks such as __ and __ on a web server.
Cross-Site Scripting (XSS); SQL injection
When measuring impact for a business impact analysis (BIA), an organization should consider which of the following categories of potential consequences? Intellectual property Reputation Life and safety All of the above
D. A business impact analysis requires careful examination of the potential business impact. The loss of a business process or function will likely result in some sort of impact, which is measured as part of a BIA to understand the severity. When measuring impact, an organization should consider potential consequences across a broad set of categories, including life and safety, facilities and physical property, intellectual property, finance, and reputation.
What is the plenum? A mesh enclosure designed to block EMI A mechanism for controlling condensation A type of dry-pipe fire control system A mechanism for thermal management
D. A plenum is the space below a raised floor or above a drop ceiling that can be used in hot aisle/cold aisle server rooms to efficiently manage thermal dissipation.
Which of the following operating systems is run in a SoC environment? Windows Server 2016 RedHat Enterprise Linux (RHEL) CAN bus RTOS
D. A real-time operating system (RTOS) is a small operating system used in embedded systems and IoT applications that is typically run in a SoC environment. Answer A is incorrect because Windows 2016 is a server operating system. Answer B is incorrect because Red Hat Enterprise Linux (RHEL) is a server operating system. Answer C is incorrect because a CAN bus is associated with internal vehicle communications.
After conducting a vulnerability assessment, which of the following is the best action to perform? Disable all vulnerable systems until mitigating controls can be implemented Contact the network team to shut down all identified open ports Immediately conduct a penetration test against identified vulnerabilities Organize and document the results based on severity
D. After an assessment, the results should be organized based on the severity of risk to the organization. Answer A is incorrect because it is generally an extreme response, except in rare situations. Answer B is incorrect because many open ports are required for a network to function. Answer C is incorrect because, although a penetration test often does follow a vulnerability scan, it is not an immediate necessity and certainly is not required to be run against all identified vulnerabilities.
An organization is partnering with another organization that requires shared systems. Which of the following documents outlines how the shared systems will interface? SLA BPA MOU ISA
D. An interconnection security agreement (ISA) is an agreement between organizations that have connected IT systems. Answer A is incorrect because a service level agreement (SLA) is a contract between a service provider and a customer that specifies the nature of the service to be provided and the level of service that the provider will offer to the customer. Answer B is incorrect because a business partner agreement (BPA) is a contract that establishes partner profit percentages, partner responsibilities, and exit strategies for partners.
You have been tasked with performing a software licensing audit to determine any compliance violations. Which of the following tools is the best choice to accomplish this task? Baselining software System logging and monitoring A security awareness program Asset management software
D. Asset tracking provides effective management of assets so that the device location is known at all times. Automated asset discovery and management software can alert the organization to software license compliance violations. Baselining software is used to measure normal activity of a device or network. Logging is the process of collecting data to be used for monitoring and auditing purposes. A security awareness program has to do with user education and security awareness.
The organization has just completed implementing a Federated Identity solution. Which of the following access control models would best integrate with a Federated Identity Service when there is a large, diverse enterprise? MAC DAC RBAC ABAC
D. Attribute Based Access Control (ABAC) is a logical access control model that the Federal Identity, Credential, and Access Management (FICAM) Roadmap recommends as the preferred access control model for information sharing among diverse organizations. Mandatory access control (MAC) systems require assignment of labels such as PUBLIC, SECRET, and SENSITIVE to provide resource access. Discretionary access control (DAC) systems allow data owners to extend access rights to other logons based on explicit assignments or inherited group membership. Both RBAC access control forms rely on conditional assignment of access rules either inherited (role-based) or by environmental factors such as time of day or secured terminal location (rule-based).
A retail organization recently implemented procedures that include performing employee register till audits by two different individuals and two-factor authentication for all employees. This is an example of which of the following? Technical control Administrative control Logical control Control diversity
D. Control diversity refers to using more than one type of control, such as having both administrative controls and technical controls. Control diversity must be part of a layered security approach. Technical controls include encryption, data loss prevention, and information rights management. Technical controls are sometimes referred to as logical controls. Administrative controls consist of management constraints, operational procedures, and supplemental administrative controls established to provide an acceptable level of protection for resources.
Which one of the following federal laws address privacy, data protection, and breach notification? HIPAA Gramm-Leach-Bliley Act Children's Online Privacy Protection Act All of the above
D. Federal laws addressing privacy, data protection, and breach notification include HIPAA and HITECH, Gramm-Leach-Bliley Act, the Fair Credit Reporting Act, and the Children's Online Privacy Protection Act.
In an effort to mitigate risk, the organization implemented a comprehensive security approach, which includes disaster recovery plans and forensic analysis processes. This is an example of which of the following? Administrative controls Layered security Control diversity Defense-in-depth
D. Defense-in-depth focuses on a wider, holistic approach that includes components such as disaster recovery and forensic analysis. Administrative controls consist of management constraints, operational procedures, and supplemental administrative controls established to provide an acceptable level of protection for resources. Layered security can be considered a subset of defense-in-depth. Layered security focuses on protecting IT resources. Control diversity must be part of a layered security approach.
You are required to implement a solution to identify baseline deviations for varying workloads across different days. Which of the following should you choose? Static baselining Alarms Alerts Dynamic baselining
D. Dynamic baselining is ideal for analyzing varying workloads across different days or application performance based on seasonal usage. Answer A is incorrect because static thresholds are not good for analyzing varying workloads across different days.
Which one of the following EAP authentication protocols should you deploy to avoid having to deploy client or server certificates? EAP-TLS PEAP EAP-TTLS EAP-FAST
D. EAP-FAST does not require either client or server certificates; instead, it uses a Protected Access Credential (PAC). Answer A is incorrect because EAP-TLS requires both client and server certificates. Answer B is incorrect because PEAP requires a server certificate. Answer C is incorrect because EAP-TTLS requires a server certificate.
You are required to deploy an authentication protocol for your wireless network that uses a shared secret and doesn't require a client or server certificate. Which of the following will meet these requirements? EAP-TLS PEAP EAP-TTLS EAP-FAST
D. EAP-FAST works like PEAP, but does not require client or server certificates. Instead, it uses a Protected Access Credential, which is essentially a shared secret between the client and the authentication server to establish a tunnel where authentication is then performed. EAP-TLS requires both a client and server certificate. EAP-TTLS requires a server certificate
The organization is concerned with technological inefficiency and high equipment and service costs. Which of the following would address this concern? Technical controls Administrative controls Layered security Vendor diversity
D. Having a larger, more diversified list of vendors helps to mitigate risk, reduces single point of failure, and lessens the likelihood of unnecessary or unplanned expenditures. Technical and administrative controls are put in place after users have been granted permission to access information, to restrict users from their ability to redistribute or modify data. Layered security is based on the premise that by implementing security at different levels or layers to form a complete security strategy, better protection is provided than by implementing an individual security defense.
An organization is implementing DevOps methodologies to make it easier to add servers when the workload increases and support faster disaster recovery. Which of the following is being used? Baselining Continuous integration IaC Immutability
D. Immutability increases the reliability of system and software behavior while reducing software development and deployment time. This process also makes adding servers easier when the workload increases and supports a faster recovery from disaster because the same deployment files are used in new deployments. An SDLC baseline is a reference point in the process that is noted by the completion and subsequent approval of a set of predefined project requirements. The primary goal of a baseline is to prevent uncontrolled change and lessen project vulnerability. Continuous integration (CI) is a process in which the source code updates from all developers working on the same project are continually monitored and merged from a central repository when a new commit is detected. Infrastructure as code (IaC) is also known as programmable infrastructure, meaning that infrastructure configuration can be incorporated into application code.
In which of the following phases should code security first be implemented? Testing Review Implementation Design
D. It is important to implement security from the very beginning. In the early design phase, potential threats to the application must be identified and addressed. Ways to reduce the associated risks must also be taken into consideration. Therefore, answers A, B, and C are incorrect.
Using a combination of firewalls, intrusion detection systems, content filters, encryption, and auditing procedures in the organization for protection against intrusions is an example of which of the following? Defense in depth Infrastructure as a Service Community cloud Layered security
D. Layered security is based on the premise that, by implementing security at different levels or layers to form a complete security strategy, better protection is provided than by implementing an individual security defense. Answer A is incorrect. Defense in depth is rooted in military strategy and requires a balanced emphasis on people, technology, and operations to maintain information assurance (IA). Answer B is incorrect because Infrastructure as a Service (IaaS) is the delivery of computer infrastructure in a hosted service model over the Internet. Answer C is incorrect because a community cloud provides collaborative business processes in a cloud environment.
Which of the following directory services protocols provides access to directory services, including those used by the Microsoft Active Directory? X.500 NTLM Kerberos LDAP
D. Lightweight Directory Access Protocol (LDAP) provides access to directory services, including those used by the Microsoft Active Directory. The main purpose of LDAP is to query user directories. LDAP was created as a "lightweight" alternative to earlier implementations of the X.500 Directory Access Protocol and communicates on port 389. NTLM (NT LAN Manager) is an older Microsoft authentication protocol that requires Active Directory and relies on Microsoft Windows user credentials in the authentication process. NTLM was replaced with Kerberos starting with Windows 2000. Kerberos is an authentication protocol that has been around for decades and is an open standard.
Which of the following is a security issue that may arise from the use of printers and multifunction devices (MFDs)? Unpatched OSs Improper IP addressing Unattended sensitive information printouts All of the above
D. Most organizations have a multitude of printers and multifunction devices (MFDs) connected to the network. These devices are just as susceptible to attacks as the PCs and devices that send print jobs to them, but they are often overlooked when it comes to security and employee security awareness training. The following security issues may arise from the use of printers and multifunction devices (MFDs): improper IP addressing, unsecured wireless printers, unattended sensitive information printouts, unpatched OSs, unnecessary services running, exclusion from data destruction policies, and default login and passwords that have not been changed.
Which type of vulnerability scan helps organizations mitigate disruptions as a result of the vulnerability assessment? Intrusive Credentialed Non-credentialed Non-intrusive
D. Non-intrusive or non-invasive testing helps organizations mitigate disruptions as a result of the vulnerability assessment. Intrusive scans combine verification of actual vulnerabilities by trying to exploit the vulnerability. Such tests can be highly intrusive, and organizations should take care before initiating such tests. Credentials (for example, username and password) provide authorized access to the system. Non-credentialed scans are less invasive and provide an outsider's point of view.
Which of the following describes the process of registering an asset and provisioning the asset so that it can be used to access the corporate network? Mobile device management Sandboxing Mobile application management Onboarding
D. Onboarding describes the process of registering an asset and provisioning the asset so that it can be used to access the corporate network. Mobile device management allows the enrollment of enterprise devices for management functions such as provisioning devices, tracking inventory, changing configurations, updating, managing applications, and enforcing policies. Sandboxing is a security method that keeps running applications separate. Mobile application management focuses on application management.
Which of the following is used with OAuth 2.0 as an extension to the authorization process? Shibboleth NTLM LDAP OpenID Connect
D. OpenID Connect takes attacks into consideration and resolves many of the security issues with OAuth 2.0. Answer A is incorrect because Shibboleth is a SAML-based, open-source federated identity solution that provides single sign-on capabilities and federated services popular in research and educational institutions. Answer B is incorrect because NTLM is an older Microsoft authentication protocol that requires Active Directory and relies on Microsoft Windows user credentials in the authentication process. Answer C is incorrect because LDAP is used for directory services.
Organizations need to consider vulnerabilities across various factors, including which of the following? Existing security controls The threat likelihood The goals of the business All of the above
D. Organizations need to consider vulnerabilities across various factors, including existing security controls, the threat likelihood, the goals of the business, and the impact on the systems and business if the vulnerability is exploited. Identifying vulnerabilities gives an organization the opportunity to consider the impact and criticality and to evaluate an approach to remediate the weaknesses.
Which of the following is a binary-encoded certificate format used with Windows systems? PEM DER P7B PFX
D. PFX is a binary-encoded certificate format that is common to the Windows operation system for importing and exporting certificates and private keys. The PEM format is a Base64 ASCII-encoded text file which is mostly associated with Apache web servers. The binary form of a PEM certificate is DER. DER-encoded certificates are common on Java platforms. P7B is another Base64-encoded certificate, which is commonly supported on the Windows operating system and Java Tomcat.
Which of the following is information that is unlikely to result in a high-level financial loss or serious damage to the organization but whose confidentiality should still be protected? Public data Confidential data Sensitive data Private data
D. Private data is information that is unlikely to result in a high-level financial loss or serious damage to the organization but that still should be protected. Public data is incorrect because the unauthorized disclosure, alteration, or destruction of public data would result in little or no risk to the organization. Confidential data is incorrect because confidential information is internal information that defines the way in which the organization operates. Security should be high. Sensitive data is considered confidential data.
Which data classification category often includes information that is exchanged with prospective customers and business partners, and is usually protected by a signed NDA? Private Sensitive Confidential Proprietary
D. Proprietary data often includes information that is exchanged with prospective customers and business partners. Such data is usually protected by a signed nondisclosure agreement (NDA). Typically, private data does not cause the company much damage if it is disclosed, but it should be protected for confidentiality reasons. Sensitive data typically should not be broadly shared internally or externally. Confidential data might be widely distributed within an organization, but is typically reserved for employees only and should not be shared outside.
Which of the following tools, also known as a packet sniffer, is used to capture network traffic and generate statistics for creating reports? Port scanner Vulnerability scanner Network scanner Protocol analyzer
D. Protocol analyzers, also known as packet sniffers, help you troubleshoot network issues by gathering packet-level information across the network and generating statistics for creating reports. Port scanners are often part of a more comprehensive vulnerability assessment solution. They scan a range of specific ports to determine what ports are open on a system. A vulnerability scanner is a software utility that scans a range of IP addresses and tests for the presence of known vulnerabilities in software configuration and accessible services. Network scanners identify active network hosts.
Which of the following is a protocol that incorporates enhanced security features for VoIP (Voice over IP) or video network communications? LDAPS HTTPS NTP SRTP
D. SRTP is an extension to RTP that incorporates enhanced security features. As with RTP, it is intended particularly for VoIP (voice over IP) or video network communications. Answer A is incorrect because LDAPS is used to protect the authentication session when an application authenticates with Active Directory Domain Services (AD DS). Answer B is incorrect because HTTPS is used to establish a secured connection between a client and a web server. Answer C is incorrect because Network Time Protocol (NTP) is a UDP communication protocol used to synchronize devices with a network time server.
Which of the following devices is used to accept encrypted connections from users and then send the connection to the server unencrypted? VPN DMZ DDoS mitigation appliance SSL accelerator
D. SSL accelerators are devices that accept SSL connections from users and then send the connection to the server unencrypted. They are typically positioned in-line between the users and a server. Answer A is incorrect because a VPN is a network connection that allows you access via a secure tunnel created through an Internet connection. Answer B is incorrect because a DMZ is a small network between the internal network and the Internet that provides a layer of security and privacy. Answer C is incorrect because DDoS mitigation appliances are used to mitigate DDoS attacks and can be implemented through external ISP-based solutions, on-premises solutions, or third-party based solutions.
Which of the following types of account is often installed to allow interaction with the operating system? User account Shared account Guest account Service account
D. Service accounts often are installed for interaction with the operating system. Local service accounts typically interact with the Windows OS and tend to have default passwords. A user account allows a user to sign on to a computer or network. A standard user may be prevented from performing tasks such as installing applications. IT organizations often use shared accounts for privileged users, administrators, or applications. The Guest account is a user account used to allow temporary access to server resources for a user who does not have a network user account.
An organization is having application performance issues. Currently, a round-robin load balancing method is being used. Which of the following changes would be the best option in order to increase application performance? Use a weighted round-robin algorithm. Add another load balancer. Implement a reverse proxy. Use session affinity.
D. Session affinity is a method in which all requests in a session are sent to a specific application server by overriding the load balancing algorithm. Session affinity is also called a sticky session. This ensures that all requests from the user during the session are sent to the same instance. Session affinity enhances application performance by using in-memory caching and cookies to track session information. A weighted algorithm is used when the load balancing servers have disproportionate components, such as processing power and drive capacity or RAM. Adding another load balancer is an expensive solution for an issue that can be resolved in a more efficient manner. A reverse proxy is a server-side concept for caching static HTTP content where the server accepts requests from external Internet clients.
Which of the following is a suggested activity for troubleshooting certificate errors? Verify the browser settings. Test the credentials path. Clear the browser cache. All of the above
D. Suggested activities for troubleshooting certificate errors include clearing the browser cache, verifying the browser settings, testing the credentials path, and checking the client configuration for valid server credentials. For Windows-based machines, the computer Event Viewer logs can provide additional information that can help troubleshoot the problem.
Which of the following uses a secure cryptoprocessor to authenticate hardware devices such as a PC or laptop? Public key infrastructure Full disk encryption File-level encryption Trusted platform module
D. TPM refers to a secure cryptoprocessor used to authenticate hardware devices such as a PC or laptop. The idea behind TPM is to allow any encryption-enabled application to take advantage of the chip. Answer A is incorrect because the public key infrastructure (PKI) is a set of hardware, software, policies, and procedures needed to create, manage, distribute, use, store, and revoke digital certificates. Answer B is incorrect because full disk encryption involves encrypting the operating system partition on a computer and then booting and running with the system drive encrypted at all times. Answer C is incorrect because, in file- or folder-level encryption, individual files or folders are encrypted by the file system itself.
Which of the following is a ASCII (Base 64) encoded certificate format that can easily be cut and pasted between documents and applications? DER CER CRT PEM
D. The PEM format is a base64 ASCII-encoded text file, which makes copying the contents from one document to another simple. In addition to the PEM extension, PEM-formatted certificates may also use the CER or CRT extension. Unlike the encoded format, CER and CRT are just extensions. The binary encoded form of a PEM is the DER certificate format.
In AAA functionality, which of the following is the component that holds data relevant to the decision of whether to grant access to the client? PEP PDP Accounting and Reporting System PIP
D. The Policy Information Point (PIP) holds data relevant to the decision of whether to grant access to the client. The Policy Enforcement Point (PEP) is the authenticator and enforces the conditions of the client's access. The Policy Decision Point (PDP) is responsible for making the final decision on whether to grant access to the client. The Accounting and Reporting System tracks the client network usage and reports the "who, what, where, when, and why."
Which of the following is a type of "something you have" that uses a time-shifting key token? Smart card CAC PIV SecurID
D. The RSA SecurID is an example of a time-shifting key token. Answer A is incorrect because it is a generic term and many smart card variations exist. Answer B is incorrect because the common access card (CAC) is used by the U.S. military, the military reserve, and military contractors. Answer C is incorrect because the personal identity verification (PIV) card is used by U.S. federal employees and contractors under HSPD 12.
The Secure Multipurpose Internet Mail Extension (S/MIME) protocol is based on which of the following standards? Symmetric Cryptography using Advanced Encryption Standard (AES) Cryptographic Messaging Standard that provides the underlying key security Asymmetric Cryptography using the following algorithms: RSA, DSA, or Elliptic Curve All of the above
D. The Secure Multipurpose Internet Mail Extension (S/MIME) protocol is based on the following standards: Asymmetric Cryptography using the following algorithms: RSA, DSA, or Elliptic Curve; Symmetric Cryptography using Advanced Encryption Standard (AES); and Cryptographic Messaging Standard that provides the underlying key security.
An organization is implementing an application that needs service access to its own resources using OA 2.0. Which of the following grant types should be used? Authorization code Implicit Password credentials Client credentials
D. The client credentials grant type is used for application code to allow an application to access its own resources. Answer A is incorrect because the authorization code grant type is used for server-side applications. Answer B is incorrect because the implicit grant type is used for client-side web applications. This grant type does not have a server-side component. Answer C is incorrect because the password credentials grant type is used for first-class web applications or mobile applications.
The organization is implementing new door access technology. Which of the following would be best suited to grant access to physical areas through the doors? Mantrap Biometrics Bollard Proximity card
D. The most common use of a proximity card is for door access. The main purpose of the card is to determine access by matching the card identification number to information in a database. If the number is in the database, access is granted. A mantrap is a physical security control that is a holding area between two entry points that gives security personnel time to view a person before allowing him into the internal building. Biometrics typically incorporate something about the person, such as a retina scan or fingerprint, to allow access. A bollard is a short post used to prevent vehicles from entering an area.
Your company wants to connect with a third party to share IT systems for the purpose of offloading data processing capabilities. Your management team wants to ensure that controls to protect the data and other technical requirements are documented. What type of interoperability agreement is needed? SLA BPA MOU ISA
D. Third-party risk includes determining expectations, which can then be spelled out in SLAs, BPAs, MOUs, and ISAs. Depending on the situation, an SLA, MOU, and ISA might all be necessary. An Interconnection Security Agreement (ISA) is the only document that specifically outlines any technical solution and addresses security requirements.
Which of the following enables decentralized authentication through trusted agents? Key management Data ownership Credential management Transitive trusts
D. Transitive trusts enable decentralized authentication through trusted agents. Answer A is incorrect because key management is intended to provide a single point of management for keys and to enable users to both manage the life cycle of keys and store them securely; it also makes key distribution easier. Answer B is incorrect because ownership of data stored on the device is part of a BYOD or CYOD policy. Answer C is incorrect because credentials validate the identities of users, applications, and devices.
The organization requires a load balancing strategy that allows servers to have disproportionate components, including processing power and RAM. Which of the following methods should you implement? Round-robin Random Least connections Weighted round-robin
D. When the load balancing servers have disproportionate components, such as processing power and drive capacity or RAM, a weighted algorithm allows the servers with the maximum resources to be utilized properly. The round-robin, random, and least connections algorithms are used when servers have identical equipment and capacity.
Your CISO has suggested that you investigate using WPS for the Wi-Fi networks. He had read that WPS makes it simple for users to connect to the wireless network and could reduce support costs. Which of the following is the best response? Consider the suggestion, because WPS is a future standard for simple and secure wireless networking. Inform the CISO that WPS is subject to a major vulnerability and will require a firmware upgrade before it can be used. Consider the suggestion, but advise your CISO to wait until WPS is further tested and standardized. Inform the CISO that WPS is deprecated and subject to major vulnerabilities, and should not be used.
D. While WPS did make it simple for users to connect to a wireless network, WPS is outdated and has been deprecated. WPS suffers from serious vulnerabilities and should not be used. A firmware upgrade will not fix WPS, but in some cases a firmware upgrade is required to completely disable WPS.
Although they are closely related, layered security and defense-in-depth are two different concepts.
Layered security is based on the premise that implementing security at different levels or layers to form a complete security strategy provides better protection than implementing an individual security defense. A layered security approach includes using firewalls, intrusion detection systems, content filters, encryption, and auditing procedures. Each component provides a different type of security protection, so when they are implemented together, they help improve the overall security posture of the organization. Defense-in-depth is rooted in military strategy and requires a balanced empha- sis on people, technology, and operations to maintain information assurance (IA). Defense-in-depth stems from a philosophy that complete security against threats can never be achieved; the components that comprise a layered security strategy only impede threat progress until either the attacker gives up or the organization can respond to the threat. Although they are closely related, layered security and defense-in-depth are two different concepts. Layered security can be considered a subset of defense-in- depth. Layered security focuses on protecting IT resources. Defense-in-depth focuses on a wider, holistic approach that includes components such as disaster recovery and forensic analysis. With layered security, the idea is to create rational security layers within the environment for improved security. Security layers can be logical, physical,or a combination of both, allowing proper alignment between resources and security requirements. For example, applications can be monitored for anoma- lous activity by being placed behind heuristic engines. Implementing layered security begins with understanding the organization's current risk, mapping the architecture, and then implementing security layers. Layered security can be a good alternative solution for mainframes. Enforcing security policies, using perimeter devices with access control lists, detecting malicious activity, mitigat- ing vulnerabilities, and patching systems can all be considered layers of security.
__(4) are attributes applied to varying threat actors.
Relationship, motive, intent, and capability
Compare alert and alarm
The purpose of an alarm is to report a critical event that typically requires some type of immediate response. An alert is similar to an alarm, but it is less critical and likely does not require an immediate response.
Which one of the following is not a type of phishing attack? Spear phishing Wishing Whaling Smishing
Wishing is not a type of phishing attack. Answers A, C, and D are incorrect because these all do describe a type of phishing attack. Spear phishing is targeted. Whaling is spear phishing that specifically targets high-profile personnel. Smishing is SMS-based phishing.
Camouflage is
a common steganography tool.
Netstumbler is
a common wireless discovery tool.
The primary purpose of a file integrity checker is to detect when a file has been improperly modified. Often, a file integrity checker is included as part of
an IDS.
A hardware security module (HSM) is a removable or external device used in
asymmetric encryption.
Although they are closely related, layered security and defense-in-depth are two different concepts. Layered security can be considered a subset of defense-in- depth. Layered security focuses on protecting IT resources. Defense-in-depth focuses on a wider, holistic approach that includes components such as (2)
disaster recovery and forensic analysis.
A penetration test involves four primary phases:
planning, discovery, attack, and reporting. Within the attack phase, the progressive steps include initial exploitation, escalation of privilege, pivoting, and persistence.
The OAuth framework consists of the following: (3) (describe)
the resource owner, the OAuth provider, which is the hosting resource server, and the OAuth consumer, which is the resource consumer. User is a generic term for an end user. An identity provider is part of the SAML framework.
A security awareness program has to do with
user education and security awareness.