SEC + 501 EXAM C


C51. A company is writing a new application that will authenticate users over TCP port 389. Which of the following would be the BEST choice for securing this data? ❍ A. LDAPS ❍ B. HTTPS ❍ C. FTPS ❍ D. SSH

The Answer: A. LDAPS LDAP (Lightweight Directory Access Protocol) commonly uses TCP port 389 for non-encrypted directory and authentication requests. The secure version of this protocol is LDAPS (LDAP Secure). LDAPS is commonly used over TCP port 636, although it can sometimes also be found in use over the original port 389.

C58. After exploiting a vulnerability to gain access to a web server, an attacker created a user account on the server. Which of the following would describe this activity? ❍ A. Persistence ❍ B. Credentialed scan ❍ C. Passive scanning ❍ D. Data injection

The Answer: A. Persistence It's common for an attacker to build a backdoor after exploiting a system. This persistent account would allow future access to the system if the vulnerability is patched or mitigated.

C61. Which of these cloud deployment models would BEST describe a company that would build a cloud for their own use and would use systems and storage platforms in their data center? ❍ A. Private ❍ B. Community ❍ C. Hybrid ❍ D. Public

The Answer: A. Private A private model requires that the end user purchase, install, and maintain their own application hardware and software. This model also provides a high level of security.

C89. A receptionist at a manufacturing company recently received an email from the CEO that asked for a copy of the internal corporate employee directory. The receptionist replied to the email and attached a copy of the directory. It was later determined that the email address was not sent from the CEO and the domain associated with the email address was not a corporate domain name. What type of training could help prevent this type of situation in the future? ❍ A. Recognizing social engineering ❍ B. Using emails for personal use ❍ C. Proper use of social media ❍ D. Understanding insider threats

The Answer: A. Recognizing social engineering Impersonating the CEO is a common social engineering technique. There are many ways to recognize a social engineering attack, and it's important to train everyone to spot these situations when they are occurring.

C13. An organization has contracted with a third-party to perform a vulnerability scan of their Internet-facing web servers. The report shows that the web servers have multiple Sun Java Runtime Environment (JRE) vulnerabilities, but the server administrator has verified that JRE is not installed. Which of the following would be the BEST way to handle this report? ❍ A. Install the latest version of JRE on the server ❍ B. Quarantine the server and scan for malware ❍ C. Harden the operating system of the web server ❍ D. Ignore the JRE vulnerability alert

The Answer: D. Ignore the JRE vulnerability alert It's relatively common for vulnerability scans to show vulnerabilities that don't actually exist, especially if the scans are not credentialed. An issue that is identified but does not actually exist is a false positive, and it can be dismissed once the alert has been properly researched.

C6. A finance company is legally required to maintain seven years of tax records for all of their customers. Which of the following would be the BEST way to implement this requirement? ❍ A. Create an automated script to remove all tax information more than seven years old ❍ B. Print and store all tax records in a seven-year cycle ❍ C. Allow users to download tax records from their account login ❍ D. Create a separate daily backup archive for all applicable tax records

The Answer: D. Create a separate daily backup archive for all applicable tax records The important consideration for a data retention mandate is to always have access to the information over the proposed time frame. In this example, a daily backup would ensure that tax information is constantly archived over a seven-year period and could always be retrieved if needed. If data was inadvertently deleted from the primary storage, the backup would still maintain a copy.

C44. A security administrator would like to minimize the number of certificate status checks made by web site clients to the certificate authority. Which of the following would be the BEST option for this requirement? ❍ A. OCSP stapling ❍ B. Certificate chaining ❍ C. CRL ❍ D. Certificate pinning

The Answer: A. OCSP stapling OCSP (Online Certificate Status Protocol) stapling is a method of having the certificate holder verify their own certificate status. The OCSP status is commonly "stapled" into the SSL handshake process. Instead of contacting the certificate authority to verify the certificate, the verification is part of the initial network connection to the server.

C59. A penetration tester is researching a company using information gathered from user profiles and posts on a social media site. Which of the following would describe this activity? ❍ A. Pivot ❍ B. Passive reconnaissance ❍ C. White box testing ❍ D. Persistence

The Answer: B. Passive reconnaissance Passive reconnaissance gathers information from as many open sources as possible without performing any vulnerability checks or scans. Passive reconnaissance would include gathering information from social media, online forums, or social engineering.

C69. During a regional power outage, a company was unable to process credit card transactions through the point of sale terminal. To work around this issue, the cashiers manually recorded the card information and called the credit card clearinghouse for approval. Which of these would BEST describe this recovery process? ❍ A. Alternate business practice ❍ B. Tabletop exercise ❍ C. Failover ❍ D. Differential recovery

The Answer: A. Alternate business practice Modifying the normal business process for another working option is an alternate business practice. This alternate can be less efficient, but it can provide a useful option while the original business practice is unavailable.

C62. Which of the following malware types would cause a workstation to participate in a DDoS? ❍ A. Bot ❍ B. Logic bomb ❍ C. Ransomware ❍ D. Keylogger

The Answer: A. Bot A bot (robot) is malware that installs itself on a system and then waits for instructions. It's common for botnets to use thousands of bots to perform DDoS (Distributed Denial of Service) attacks.

C18. A security administrator is connecting two remote locations across the Internet using an IPsec tunnel. The administrator would like the IPsec tunnel to securely transfer symmetric keys between IPsec endpoints during the tunnel initialization. Which of the following would provide this functionality? ❍ A. Diffie-Hellman ❍ B. 3DES ❍ C. RC4 ❍ D. AES ❍ E. Twofish

The Answer: A. Diffie-Hellman Diffie-Hellman is a method of securely exchanging encryption keys over an insecure communications channel. DH uses asymmetric cryptography to create an identical symmetric key between devices without ever sending the symmetric key over the network.

C31. Sam, a user in the purchasing department, would like to send an email to Jack, a user in the manufacturing department. Which of these should Sam do to allow Jack to verify that the email really came from Sam? ❍ A. Digitally sign it with Sam's private key ❍ B. Digitally sign it with Sam's public key ❍ C. Digitally sign it with Jack's private key ❍ D. Digitally sign it with Jack's public key

The Answer: A. Digitally sign it with Sam's private key The sender of a message digitally signs with their own private key to ensure integrity, authentication, and non-repudiation of the signed contents. The digital signature is validated with the sender's public key.

C19. A company's security cameras have identified an unknown person walking into a fenced disposal area in the back of the building and then leaving with a box containing printed documents. Which of the following attacks is this person attempting? ❍ A. Dumpster diving ❍ B. Shoulder surfing ❍ C. Tailgating ❍ D. Phishing

The Answer: A. Dumpster diving A company can often throw out useful information, and attackers will literally climb through the trash bin to obtain this information.

C78. A system administrator has configured MAC filtering on the corporate access point, but access logs show that unauthorized users are accessing the network. The administrator has confirmed that the address filter includes only authorized MAC addresses. Which of the following should the administrator configure to prevent this unauthorized use? ❍ A. Enable WPA2 encryption ❍ B. Remove unauthorized MAC addresses from the filter ❍ C. Modify the SSID name ❍ D. Modify the channel

The Answer: A. Enable WPA2 encryption A MAC (Media Access Control) address can be spoofed on a remote device, which means anyone within the vicinity of the access point can view legitimate MAC addresses and spoof them to avoid the MAC filter. To ensure proper authentication, the system administrator can enable WPA2 (Wi-Fi Protected Access version 2) and use a shared password or configure 802.1X to integrate with an existing name service.

C52. A system administrator has added a new user to the network and has categorized this user to have "secret" level access. With this setting, the user will be able to access all files and folders with secret level access and lower. Which of the following describes this access control method? ❍ A. Mandatory ❍ B. Role-based ❍ C. Discretionary ❍ D. Rule-based

The Answer: A. Mandatory Mandatory access controls provide access based on security clearance levels. The operating system will limit the operation on an object to users that meet the minimum clearance.

C81. A security administrator would like to use employee-owned mobile phones to unlock the door of the data center using a sensor on the wall. The users would authenticate on their phones with a fingerprint before the door would unlock. Which of the following features should the administrator use? (Select TWO) ❍ A. NFC ❍ B. Remote wipe ❍ C. Containerization ❍ D. Biometrics ❍ E. Push notification

The Answer: A. NFC and D. Biometrics The wall sensor will be activated with the phone's NFC (Near-field Communication) electronics and would authenticate using the biometric fingerprint reader on the phone.

C68. A company has identified a web server data breach that resulted in the theft of 150 million customer account records containing financial information. A study of the events leading up to the breach shows that a security update to the company's web server software was available for two months prior to the breach. Which of the following would have prevented this breach from occurring? ❍ A. Patch management ❍ B. Full disk encryption ❍ C. Disable unnecessary services ❍ D. Application whitelisting

The Answer: A. Patch management This question describes an actual breach that occurred in 2017 to web servers at a large credit bureau. This breach resulted in the release of almost 150 million customer names, Social Security numbers, addresses, and birth dates. A web server vulnerability announced in March of 2017 was left unpatched, and attackers exploited the vulnerability two months later in May. The attackers were in the credit bureau network for 76 days before they were discovered. A formal patch management process would have clearly identified this vulnerability and would have given the credit bureau the opportunity to mitigate or patch the vulnerability well before it would have been exploited.

C20. A technology company is manufacturing a military-grade radar tracking system that can instantly identify any nearby unmanned aerial vehicles (UAVs). The UAV detector must be able to instantly identify and react to a vehicle without delay. Which of the following would BEST describe this tracking system? ❍ A. RTOS ❍ B. IoT ❍ C. ICS ❍ D. MFD

The Answer: A. RTOS This tracking system requires an RTOS (Real-Time Operating System) that can instantly react to input without any significant delays or queuing in the operating system. Operating systems used by the military, automobile manufacturers, and industrial equipment developers often use RTOS to ensure that certain transactions can be processed without any significant delays.

C23. During a ransomware outbreak, an organization was forced to rebuild database servers from known good backup systems. In which of the following incident response phases were these database servers brought back online? ❍ A. Recovery ❍ B. Lessons learned ❍ C. Containment ❍ D. Identification

The Answer: A. Recovery The recovery phase focuses on getting things back to normal after an attack. This is the phase that removes malware, fixes vulnerabilities, and recovers the damaged systems.

C83. A manufacturing company is working with a third-party to perform a vulnerability scan of their application services. The company would like a list of vulnerabilities that employees could possibly exploit on the company's internal networks. Which of the following would be the BEST way for the third-party to meet this requirement? ❍ A. Run a credentialed vulnerability scan ❍ B. Capture packets of the application traffic flows from the internal network ❍ C. Identify an exploit and perform a privilege escalation ❍ D. Scan the network during normal working hours

The Answer: A. Run a credentialed vulnerability scan A credentialed scan would provide login access and allow the scan to run as a standard user on the network.

C41. A medical imaging company is expanding to multiple cities, and it would like to connect all remote locations together with high speed network links. The network connections must maintain high throughput rates and must always be available during working hours. In which of the following should these requirements be enforced with the network provider? ❍ A. Service level agreement ❍ B. Interconnection security agreement ❍ C. Non-disclosure agreement ❍ D. Acceptable use policy

The Answer: A. Service level agreement A service level agreement (SLA) is used to contractually define the minimum terms for services. In this example, the medical imaging company would require an SLA from the network provider for the necessary throughput and uptime metrics.

C26. Which of the following stores session information on a client device? ❍ A. Token-based authentication ❍ B. Federation ❍ C. Server-based authentication ❍ D. LDAP

The Answer: A. Token-based authentication Token-based authentication stores session information using a token that is stored on the local client. The token is provided with each request to the server, and the server validates the token before providing a response.

C86. Two companies have merged, but they will be maintaining separate network infrastructures. However, the security administrators of both companies would like to share information between the two companies. If a user is properly authenticated on either network, they should automatically gain access to resources on the other network without any additional authentication. Which of the following would provide this functionality? ❍ A. Two-way trust ❍ B. Multi-factor authentication ❍ C. Non-transitive trust ❍ D. Single-factor authentication

The Answer: A. Two-way trust A two-way trust creates a trust relationship between two domains that act as peers. The two domains trust each other equally.

C66. A security engineer is capturing packets on an internal company network and is documenting the IP addresses and MAC addresses associated with the local network devices. Which of these commands would provide the MAC address of the default gateway at 10.11.1.1? ❍ A. ping 10.11.1.1 arp -a ❍ B. tracert 10.11.1.1 ❍ C. dig 10.11.1.1 ❍ D. ipconfig /all

The Answer: A. ping 10.11.1.1 arp -a The arp (Address Resolution Protocol) command can be used to view the local ARP cache. The cache contains a lookup table containing IP addresses and their associated MAC (Media Access Control) address. If an engineer pings a device on the local network and then views the ARP cache, they will see the MAC address that was resolved during the ARP process.

C64. The clients in a small office authenticate to a secure wireless access point using WPA2-Enterprise. Which of the following would be MOST commonly associated with this connection? ❍ A. RC4 ❍ B. AES ❍ C. IPsec ❍ D. 3DES

The Answer: B. AES WPA2 (Wi-Fi Protected Access II) is a wireless encryption protocol, and WPA2-Enterprise indicates that the authentication to the WPA2-protected wireless network uses a centralized authentication database using a protocol such as RADIUS (Remote Authentication Dial-In User Service). In this question, however, the answers focused on different encryption protocols and their use, regardless of the authentication method used. CCMP (Counter Mode with Cipher Block Chaining Message Authentication Code Protocol) and AES (Advanced Encryption Standard) are the primary protocols used in WPA2.

C65. A company would like to install an IPS that can observe normal network activity and block any traffic that deviates from this baseline. Which of these IPS types would be the BEST fit for this requirement? ❍ A. Heuristic ❍ B. Anomaly-based ❍ C. Behavior-based ❍ D. Signature-based

The Answer: B. Anomaly-based Anomaly-based detection will build a baseline of what it considers to be normal. Once the baseline is established, the IPS (Intrusion Prevention System) will then block any traffic that deviates from the baseline.

C32. The contract of a long-term temporary employee is ending. Which of these would be the MOST important part of the off-boarding process? ❍ A. Perform an on-demand audit of the user's privileges ❍ B. Archive the decryption keys associated with the user account ❍ C. Document the user's outstanding tasks ❍ D. Obtain a signed copy of the Acceptable Use Policies

The Answer: B. Archive the decryption keys associated with the user account Without the decryption keys, it will be impossible to access any of the user's protected files once they leave the company. Given the other possible answers, this one is the only one that would result in unrecoverable data loss if not properly followed.

C70. A system administrator has identified an unexpected username on a database server, and can see that the user has been transferring database files to an external server over the company's Internet connection. The administrator then performed these tasks:
• Physically disconnected the Ethernet cable on the database server
• Disabled the unknown account
• Configured a firewall rule to prevent file transfers from the server
Which of the following would BEST describe this part of the incident response process? ❍ A. Eradication ❍ B. Containment ❍ C. Lessons learned ❍ D. Preparation

The Answer: B. Containment The containment phase isolates events that can quickly spread and get out of hand. A file transfer from a database server can quickly be contained by disabling any ability to continue the file transfer.

C72. A technology startup has hired sales teams that will travel to different cities for product demonstrations. Each salesperson will receive a laptop with applications and data to support their sales efforts. The IT manager would like to prevent third-parties from gaining access to this information if the laptop is stolen. Which of the following would be the BEST way to protect this data? ❍ A. Remote wipe ❍ B. Full disk encryption ❍ C. Biometrics ❍ D. BIOS user password

The Answer: B. Full disk encryption With full disk encryption, everything written to the laptop's local drive is stored as encrypted data. If the laptop was stolen, the thief would not have the credentials to decrypt the drive data.

C7. A system administrator is designing a data center for an insurance company's new private cloud. Which of the following technologies would be commonly included in this design? ❍ A. SCADA ❍ B. HVAC ❍ C. SoC ❍ D. IoT

The Answer: B. HVAC An HVAC (Heating, Ventilation, and Air Conditioning) system would be an important consideration for any data center environment.

C30. A pentest engineer is using a banner grabbing utility on the local network. Which of the following would be the MOST likely use of this utility? ❍ A. Create a list of open ports on a device ❍ B. Identify a web server version ❍ C. Create a honeypot ❍ D. Brute force the encryption key of a wireless network

The Answer: B. Identify a web server version A banner grabbing utility will show the banner information that's commonly only seen in the network packets. Many services will provide a greeting banner that includes the name and version of the service, and this information can provide useful reconnaissance.

C40. A security administrator has installed a network-based DLP solution to determine if file transfers contain PII. Which of the following describes the data during the file transfer? ❍ A. In-use ❍ B. In-transit ❍ C. At-rest ❍ D. Highly available

The Answer: B. In-transit Data in-transit is data that is in the process of moving across the network. As the information passes through switches and routers, it is considered to be in-transit.

C12. A company maintains a server farm in a large data center. These servers are for internal use only and are not accessible externally. Updates to these servers are staged in groups to avoid any significant downtime. The security team has discovered that a group of servers was breached before the latest updates were applied. Breach attempts were not logged on any other servers. Which of these threat actors would be MOST likely involved in this breach? ❍ A. Competitor ❍ B. Insider ❍ C. Nation state ❍ D. Script kiddie

The Answer: B. Insider None of these servers were accessible from the outside, and the only servers with any logged connections were those that also were susceptible to the latest vulnerabilities. To complete this attack, you would need very specific knowledge of the exact systems that were vulnerable and a way to communicate with those servers. For either of those reasons, the insider threat would be the most likely from the available list.

C15. A company has installed a computer in a public area that will allow anyone to submit job applications. What operating system type should the security administrator configure? ❍ A. Appliance ❍ B. Kiosk ❍ C. Network ❍ D. Workstation

The Answer: B. Kiosk An operating system running in kiosk mode has a locked-down operating system and is designed to be used as a public device without any particular security authentication requirements.

C11. The IT department of a transportation company maintains an on-site inventory of chassis-based network switch interface cards. If a failure occurs with any of the interface cards in the company's core switch, the on-site technician can replace the interface card and have the system running again in sixty minutes. Which of the following BEST describes this recovery metric? ❍ A. MTBF ❍ B. MTTR ❍ C. RPO ❍ D. MTTF

The Answer: B. MTTR MTTR (Mean Time To Restore) is the amount of time required to get back up and running. This is sometimes called Mean Time To Repair.

C39. In an environment using discretionary access controls, which of these would control the rights and permissions associated with a file or directory? ❍ A. Administrator ❍ B. Owner ❍ C. Group ❍ D. System

The Answer: B. Owner The owner of an object is the one who controls access in a discretionary access control model. The object and type of access is at the discretion of the owner, and they can determine who can access the file and the type of access they would have.

C45. A security administrator is configuring the encryption for a series of web servers, and he has been provided with a password protected file containing private and public X.509 key pairs. What type of certificate format is MOST likely used by this file? ❍ A. PEM ❍ B. PFX ❍ C. P7B ❍ D. CER

The Answer: B. PFX Microsoft PFX certificate file format is similar to the PKCS #12 (Public Key Cryptography Standards #12), and the two standards are often referenced interchangeably. PFX is a container format for many certificates, and it is often used to transfer a public and private key pair. The container can be password protected to provide additional security of the contents.

A systems engineer is running a vulnerability scan from a browser. What type of vulnerability would be associated with the following code? GET http://www.example.com/post.php?article=-1 UNION SELECT 1,pass,cc FROM users ❍ A. Buffer overflow ❍ B. SQL injection ❍ C. DoS ❍ D. Cross-site scripting

The Answer: B. SQL injection A SQL (Structured Query Language) injection commonly uses the browser as an entry-point to the back-end SQL database. SQL commands appended to vulnerable web server code can be used to query and retrieve information from the database without any additional rights or permissions. The UNION SQL command combines the results of a query, and the SELECT SQL command returns a list of values from the database tables.

C85. An attacker has circumvented a web-based application to send commands directly to a database. Which of the following would describe this attack type? ❍ A. Session hijack ❍ B. SQL injection ❍ C. Cross-site scripting ❍ D. Man-in-the-middle

The Answer: B. SQL injection A SQL (Structured Query Language) injection takes advantage of poorly written web applications. These web applications do not properly restrict the user input, and the resulting attack bypasses the application and "injects" SQL commands directly into the database itself.

C42. A security administrator would like to encrypt all telephone communication on the corporate network. Which of the following protocols would provide this functionality? ❍ A. TLS ❍ B. SRTP ❍ C. SSH ❍ D. S/MIME

The Answer: B. SRTP SRTP (Secure Real-Time Transport Protocol) is an encrypted version of the RTP (Real-Time Transport Protocol) VoIP (Voice over IP) protocol. SRTP uses AES (Advanced Encryption Standard) to encrypt the voice and video over a VoIP connection.

C38. A transportation company maintains a scheduling application and a database in a virtualized cloud-based environment. Which of the following would be the BEST way to backup these services? ❍ A. Full ❍ B. Snapshot ❍ C. Differential ❍ D. Incremental

The Answer: B. Snapshot Virtual machines (VMs) have a snapshot backup feature that can capture both a full backup of the virtual system and incremental changes that occur over time. It's common to take a snapshot of a VM for backup purposes and before making any significant changes to the VM. If the changes need to be rolled back, a previous snapshot can be selected and instantly applied to the VM.

C28. Which of these would be used to provide HA for a web-based database application? ❍ A. SIEM ❍ B. UPS ❍ C. DLP ❍ D. VPN concentrator

The Answer: B. UPS HA (High Availability) means that the service should always be on and available. The only device on this list that would provide HA is the UPS (Uninterruptible Power Supply). If power is lost, the UPS will provide electricity using battery power or a gas-powered generator.

C56. An access point in a corporate headquarters office has the following configuration:
IP address: 10.1.10.1
Subnet mask: 255.255.255.0
DHCPv4 Server: Enabled
SSID: Wireless
Wireless Mode: 802.11g
Security Mode: WEP-PSK
Frequency band: 2.4 GHz
Software revision: 2.1
MAC Address: 60:3D:26:71:FF:AA
IPv4 Firewall: Enabled
Which of the following would apply to this configuration? ❍ A. Invalid frequency band ❍ B. Weak encryption ❍ C. Incorrect IP address and subnet mask ❍ D. Invalid software version

The Answer: B. Weak encryption A common issue is weak or outdated security configurations. Older encryptions such as DES and WEP should be updated to use newer and stronger encryption technologies.

C80. During an initial network connection, a supplicant communicates to an authenticator, which then sends an authentication request to an Active Directory database. Which of the following would BEST describe this authentication technology? ❍ A. RADIUS Federation ❍ B. AES ❍ C. 802.1X ❍ D. PKI

The Answer: C. 802.1X IEEE 802.1X is a standard for port-based network access control (NAC). When 802.1X is enabled, devices connecting to the network do not gain access until they provide the correct authentication credentials. This 802.1X standard refers to the client as the supplicant, the switch is commonly configured as the authenticator, and the back-end authentication server is a centralized user database such as Active Directory.

C29. An IT manager is building a quantitative risk analysis related to corporate laptops used by the field engineering team. Each year, a certain number of laptops are lost or stolen and must be replaced by the company. Which of the following would describe the total cost the company spends each year on laptop replacements? ❍ A. SLE ❍ B. SLA ❍ C. ALE ❍ D. ARO

The Answer: C. ALE The ALE (Annual Loss Expectancy) is the total amount of the loss over an entire year.

C75. A set of corporate security policies is what kind of security control? ❍ A. Compensating ❍ B. Detective ❍ C. Administrative ❍ D. Physical

The Answer: C. Administrative An administrative control is a guideline that would control how people act, such as security policies and standard operating procedures.

C88. A company runs two separate applications out of their data center. The security administrator has been tasked with preventing all communication between these applications. Which of the following would be the BEST way to implement this security requirement? ❍ A. Firewall ❍ B. Protected distribution ❍ C. Air gap ❍ D. VLANs

The Answer: C. Air gap An air gap is a physical separation between networks. Air gapped networks are commonly used to separate networks that must never communicate with each other.

C90. A company's security engineer is working on a project to simplify the employee onboarding and offboarding process. One of the project goals is to allow individuals to use their personal phones for work purposes. If the user leaves the company, the company data will be removed but the user's data would remain intact. Which of these technologies would meet this requirement? ❍ A. Policy management ❍ B. Geofencing ❍ C. Containerization ❍ D. Storage encryption

The Answer: C. Containerization The storage segmentation of containerization keeps the enterprise apps and data separated from the user's apps and data. During the offboarding process, only the company information is deleted and the user's personal data is retained.

C17. Which of these items would commonly be used by a field engineer to provide multi-factor authentication? ❍ A. USB-connected storage drive with FDE ❍ B. Employee policy manual ❍ C. Null-modem serial cable ❍ D. Smart card with picture ID

The Answer: D. Smart card with picture ID A smart card commonly includes a certificate that can be used as a multifactor authentication of something you have. These smart cards are commonly combined with an employee identification card, and often require a separate PIN (Personal Identification Number) as an additional authentication factor.

C27. A system administrator has installed a new firewall between the corporate user network and the data center network. When the firewall is turned on, users complain that the application in the data center is no longer working. The firewall is running with the default settings, and no additional firewall rules have been added to the configuration. Which of the following would be the BEST way to correct this application issue? ❍ A. Create a single firewall rule with an explicit deny ❍ B. Build a separate VLAN for the application ❍ C. Create firewall rules that match the application traffic flow ❍ D. Disable spanning tree protocol on the data center switches

The Answer: C. Create firewall rules that match the application traffic flow By default, firewalls implicitly deny all traffic. Firewall rules must be built that match the traffic flows, and only then will traffic pass through the firewall.

C77. An application team has been provided with a hardened version of Linux to use for a new application rollout, and they are installing a web service and the application code on the server. Which of the following should the application team implement to BEST protect the application from attacks? ❍ A. Build a backup server for the application ❍ B. Run the application in a cloud-based environment ❍ C. Implement a secure configuration of the web service ❍ D. Send application logs to the SIEM via syslog

The Answer: C. Implement a secure configuration of the web service The support pages for many services will include a list of hardening recommendations. This hardening may include account restrictions, file permission settings, internal service configuration options, and other settings to ensure that the service is as secure as possible.

C53. A security administrator would like to implement an authentication system that uses cryptographic tickets to validate users. Which of the following would provide this functionality? ❍ A. RADIUS ❍ B. LDAP ❍ C. Kerberos ❍ D. TACACS

The Answer: C. Kerberos Kerberos is a network authentication protocol that provides single sign-on and mutual authentication using cryptographic "tickets" for the behind-the-scenes authentication process.

C63. Which of these are used to force the preservation of data for later use in court? ❍ A. Chain of custody ❍ B. Data loss prevention ❍ C. Legal hold ❍ D. Order of volatility

The Answer: C. Legal hold A legal hold is a legal technique to preserve relevant information. This process will ensure the data remains accessible for any legal preparation that occurs prior to litigation.

C76. Which of the following would be the MOST significant security concern when protecting against organized crime? ❍ A. Prevent users from posting passwords near their workstations ❍ B. Require identification cards for all employees and guests ❍ C. Maintain reliable backup data ❍ D. Use mantraps at all data center locations

The Answer: C. Maintain reliable backup data Organized crime is often after data, and can sometimes encrypt or delete data on a service. A good set of backups can often resolve these issues quickly and without any ransomware payments to an organized crime entity.

C57. When an application does not properly release unused memory and eventually grows so large that it uses all available memory, it is called a(n): ❍ A. Integer overflow ❍ B. NULL pointer dereference ❍ C. Memory leak ❍ D. Data injection

The Answer: C. Memory leak A memory leak is when a poorly written application allocates memory for use by the application, but then does not release that memory after it is no longer needed. If the application runs on a system for an extended period of time, this memory leak can grow so large that it eventually uses all available memory and crashes the operating system.

C37. The manager of the corporate security team maintains a large storage array of archived video from security cameras. Historically, the security manager has been responsible for searching the video archive, but he would now like to assign those responsibilities to others in his department. Which of the following would allow the manager to limit access to the video archive to members of the corporate security team group? ❍ A. Mandatory access control ❍ B. Certificate-based authentication ❍ C. Role-based access control ❍ D. Attribute-based access control

The Answer: C. Role-based access control Role-based access control uses groups to control access for individual users. Rights and permissions are associated with the group, and administrators can add users to the group to provide access.

A system administrator is viewing this output from Microsoft's System File Checker:
15:43:01 - Repairing corrupted file C:\Windows\System32\kernel32.dll
15:43:03 - Repairing corrupted file C:\Windows\System32\netapi32.dll
15:43:07 - Repairing corrupted file C:\Windows\System32\user32.dll
15:43:43 - Repair complete
Which of the following malware types is the MOST likely cause of this output? ❍ A. RAT ❍ B. Logic bomb ❍ C. Rootkit ❍ D. Bot

The Answer: C. Rootkit A rootkit modifies operating system files to become part of the core OS. The kernel, user, and networking libraries in Windows are core operating system files.

C74. Which of the following would be the BEST way for application developers to test their code without affecting production systems? ❍ A. Use a firewall to separate the development network ❍ B. Configure the developer accounts for least functionality ❍ C. Run the applications in a sandbox ❍ D. Disable unnecessary services

The Answer: C. Run the applications in a sandbox A sandbox ensures that code will run in its own private environment without any interaction with outside devices or services.

C50. A developer has created an application that will store password information in a database. Which of the following BEST describes a way of protecting these credentials by adding random data to the password? ❍ A. Hashing ❍ B. PFS ❍ C. Salting ❍ D. Asymmetric encryption

The Answer: C. Salting Passwords are often stored as hashes, but the hashes themselves are often subject to brute force or rainbow table attacks. It's common to add some additional random data (a salt) to a password before the hashing process. This ensures that each password is truly random when stored, and it makes it more difficult for an attacker to discover all of the stored passwords.

C36. A server administrator is building a new web server and needs to provide operating system access to the web server executable. Which of the following account types should be configured? ❍ A. User ❍ B. Privileged ❍ C. Service ❍ D. Guest

The Answer: C. Service A service account is commonly used by local services on a system, but service accounts are not generally enabled for interactive logins. Web servers, database servers, and other local servers use service accounts.

A network IDS has alerted on this SQL injection attack:
Frame 4: 937 bytes on wire (7496 bits), 937 bytes captured
Ethernet II, Src: HewlettP_82:d8:31, Dst: Cisco_a1:b0:d1
Internet Protocol Version 4, Src: 172.16.22.7, Dst: 10.8.122.244
Transmission Control Protocol, Src Port: 3863, Dst Port: 80
Hypertext Transfer Protocol, http://www.example.com/index.php?option=com_glossary&func=display&Itemid=s@bun&catid=-1%20union%20select%201,username,password,4,5,6,7,8,9,10,11,12,13,14%20from%20mos_users--
The security administrator would like to protect against future attacks from this IP address without interrupting service for other users. Which of the following firewall rules would be the BEST choice for this requirement? ❍ A. Source: 172.16.22.7, Destination: 10.8.122.244, Protocol: TCP, Deny ❍ B. Source 172.16.22.0/24, Destination: 10.8.122.0/24, Protocol: UDP, Deny ❍ C. Source: 172.16.22.7/32, Destination: ANY, Protocol: IP, Deny ❍ D. Source: ANY, Destination: 10.8.122.244, Protocol: TCP, Deny

The Answer: C. Source: 172.16.22.7/32, Destination: ANY, Protocol: IP, Deny In this example, all future attacks from this IP address must be blocked, regardless of the type of attack or the target of the attack. This rule would effectively block all traffic from this source IP address, and it summarizes this requirement by selecting just the single source of 172.16.22.7/32. The /32 CIDR-block notation designates that this address range is for the single IP of 172.16.22.7. Using the /32 option is optional for most firewalls, but using /32 clearly shows that this rule will only affect one IP address. The destination IP address of the rule is ANY, which prevents any future attacks to any other device. Specifying the protocol as IP restricts both TCP- and UDP-based attack types.

C16. A security administrator has installed a new firewall to protect a web server VLAN. The application owner requires that all web server sessions communicate over an encrypted channel. Which of these rules should the security administrator include in the firewall rulebase? (Select TWO) ❍ A. Source: ANY, Destination: ANY, Protocol: TCP, Port: 23, Deny ❍ B. Source: ANY, Destination: ANY, Protocol: TCP, Port: 443, Deny ❍ C. Source: ANY, Destination: ANY, Protocol: TCP, Port: 80, Deny ❍ D. Source: ANY, Destination: ANY, Protocol: TCP, Port: 443, Allow ❍ E. Source: ANY, Destination: ANY, Protocol: TCP, Port: 80, Allow

The Answer: C. Source: ANY, Destination: ANY, Protocol: TCP, Port: 80, Deny and D. Source: ANY, Destination: ANY, Protocol: TCP, Port: 443, Allow Most web servers use tcp/80 for HTTP (Hypertext Transfer Protocol) communication and tcp/443 for HTTPS (Hypertext Transfer Protocol Secure). HTTP traffic sends traffic in the clear, so the first firewall rule would block any tcp/80 traffic before it hits the web server. The second rule allows HTTPS encrypted traffic to continue to the web server over tcp/443.

C9. A security administrator has identified an internally developed application that allows the modification of SQL queries through a web-based front-end. To prevent this modification, the administrator has recommended that all queries be completely removed from the application front-end and placed onto the back-end of the application server. Which of the following would describe this implementation? ❍ A. Input validation ❍ B. Code signing ❍ C. Stored procedures ❍ D. Obfuscation

The Answer: C. Stored procedures Stored procedures are SQL queries that execute on the server side instead of the client application. The client application calls the stored procedure on the server, and this prevents the client from making any changes to the actual SQL queries.

C22. A security administrator is concerned that a user may have installed a rogue access point on the corporate network. Which of the following could be used to confirm this suspicion? ❍ A. UTM log ❍ B. WAF log ❍ C. Switch log ❍ D. DLP log

The Answer: C. Switch log A rogue access point would be difficult to identify once it's on the network, but at some point the access point would need to physically connect to the corporate network. An analysis of switch interface activity would be able to identify any new devices and their MAC addresses.

C79. Walter, a security administrator, is evaluating a new application that uses HTTPS to transfer information between a database and a web server. Walter wants to ensure that this traffic flow will not be vulnerable to a man-in-the-middle attack. Which of the following should Walter examine while the application is executing to check for this type of vulnerability? ❍ A. The FQDN of the web server ❍ B. The IP address of the database server ❍ C. The digital signature on the web server certificate ❍ D. The session ID associated with the authenticated session

The Answer: C. The digital signature on the web server certificate The digital signature on the certificate is signed by a trusted certificate authority (CA). If the certificate viewed in the browser is not signed by the expected CA, then a man-in-the-middle attack may be in progress.

C24. A transportation company has been using a logistics application for many years on their local network. A researcher has been asked to test the security of the application, but the uptime and availability of the application is of primary importance. Which of the following techniques would provide a list of application security issues without performing an exploit? ❍ A. Penetration test ❍ B. Grey box test ❍ C. Vulnerability scan ❍ D. SQL injection

The Answer: C. Vulnerability scan A vulnerability scan is commonly performed as a minimally invasive scan, and it avoids performing exploits on the target systems.

C55. A company has contracted with a third-party to provide penetration testing services. The service includes a port scan of each externally-facing device. This is an example of: ❍ A. Initial exploitation ❍ B. Escalation of privilege ❍ C. Pivot ❍ D. Active reconnaissance

The Answer: D. Active reconnaissance Active reconnaissance sends traffic across the network that can be viewed and/or logged. Performing a port scan will send network traffic to a server, and most port scan attempts can be identified and logged by an IPS.

C8. A security administrator is configuring a VPN concentrator with centralized authentication for remote VPN users. The VPN concentrator will authenticate users from a central LDAP database managed by the Windows Active Directory domain. Access to the VPN will only be granted if the user is a member of the authorized VPN group. Which of the following LDAP syntax would provide this type of access? ❍ A. LDAP SERVER 10.10.11.1 ❍ B. C=US, DC=domain, DC=local ❍ C. RADIUS SERVER 10.10.11.1 ❍ D. CN=concentrator, OU=vpn, DC=domain, DC=local

The Answer: D. CN=concentrator, OU=vpn, DC=domain, DC=local The LDAP (Lightweight Directory Access Protocol) DN (Distinguished Name) syntax provides a way to reference an LDAP database for specific information. In this example, the CN (Common Name) is concentrator, which references the name of the VPN (Virtual Private Network) device. The OU (Organizational Unit) is vpn, and this associates the VPN group with the LDAP query. The DC (Domain Component) attributes are associated with the company's domain name, domain.local.

C21. A private company uses an SSL proxy to examine the contents of an encrypted application during transmission. How could the application developers prevent the use of this proxy examination in the future? ❍ A. OCSP stapling ❍ B. Offline CAs ❍ C. Certificate chaining ❍ D. Certificate pinning

The Answer: D. Certificate pinning Certificate pinning embeds or "pins" a certificate inside of an application. When the application contacts a service, the service certificate will be compared to the pinned certificate. If the certificates match, the application knows that it can trust the service. If the certificates don't match, then the application can choose to shut down, show an error message, or make the user aware of the discrepancy. An SSL proxy will use a different certificate than the service certificate, so an application using certificate pinning can identify and react to this situation.

C46. To upgrade an internal application, the development team provides the operations team with a patch executable and instructions for backing up, patching, and reverting the patch if needed. The operations team schedules a date for the upgrade, informs the business divisions, and tests the upgrade process after completion. Which of the following describes this process? ❍ A. Agile ❍ B. Continuity planning ❍ C. Usage auditing ❍ D. Change management

The Answer: D. Change management Change management is the process for making any type of change. This could be a software upgrade, a hardware replacement, or any other type of modification to the existing environment. Having a formal change management process minimizes the risk of a change and makes everyone aware of the changes as they occur.

C10. A system administrator is implementing a fingerprint scanner to provide access to the data center. Which of these metrics would be the most important to minimize so that unauthorized persons are prevented from accessing the data center? ❍ A. TOTP ❍ B. FRR ❍ C. HOTP ❍ D. FAR

The Answer: D. FAR FAR (False Acceptance Rate) is the likelihood that an unauthorized user will be accepted. The FAR should be kept as close to zero as possible.

C73. A company often invites vendors for meetings in the corporate conference room. During these meetings, the vendors often require an Internet connection for demonstrations. Which of the following should the company implement to maintain the security of the internal network resources? ❍ A. NAT ❍ B. Ad hoc wireless workstations ❍ C. Intranet ❍ D. Guest network with captive portal

The Answer: D. Guest network with captive portal A guest network would allow access to the Internet but prevent any access to the internal network. The captive portal would prompt each guest for authentication or to agree to terms of use before granting access to the network.

C71. A recent audit has found that an internal company server is using unencrypted FTP to transfer files from a building HVAC system. Which of the following should be configured to provide secure data transfers? ❍ A. Require secure LDAP ❍ B. Install web services with HTTPS ❍ C. Create a DNSSEC record ❍ D. Install an SSL certificate for the FTP service

The Answer: D. Install an SSL certificate for the FTP service FTP (File Transfer Protocol) over SSL (Secure Sockets Layer) is the FTPS (FTP over SSL) protocol. To enable SSL, the server will need to have an SSL certificate that can be used by the FTP service.

C35. Which of the following would commonly be associated with an application's secure baseline? ❍ A. Secure baseline violations are identified in the IPS logs ❍ B. The baseline is based on the developer sandbox configurations ❍ C. Firewall settings are not included in the baseline ❍ D. Integrity measurements are used to validate the baseline

The Answer: D. Integrity measurements are used to validate the baseline It's important to constantly audit the security of an application instance, and the security baseline precisely defines the security settings for the firewall, patch levels, operating system file versions, and more. Since operating system patches are common, the secure baseline will tend to be updated often.

C33. Sam, a cybersecurity analyst, has been asked to respond to a denial of service attack against a web server. While gathering forensics data, Sam first collects information in the ARP cache, then a copy of the server's temporary file system, and finally system logs from the web server. What part of the forensics gathering process did Sam follow? ❍ A. Chain of custody ❍ B. Data hashing ❍ C. Legal hold ❍ D. Order of volatility

The Answer: D. Order of volatility Order of volatility ensures that data will be collected before it becomes unrecoverable. For example, information stored in a router table is more volatile than data stored on a backup tape, so the router table data will be collected first and the backup tape data will be collected second.

C84. A company has recently moved from one accounting system to another, and the new system includes integration with many other divisions of the organization. Which of the following would ensure that the correct access has been provided to the proper employees in each division? ❍ A. Location-based policies ❍ B. On-boarding process ❍ C. Account deprovisioning ❍ D. Permission and usage audit

The Answer: D. Permission and usage audit A permission and usage audit will verify that all users have the correct permissions and that all users meet the practice of least privilege.

C82. A server administrator would like to enable an encryption mechanism on a web site that would also ensure non-repudiation. Which of the following should be implemented on the web server? ❍ A. 3DES ❍ B. MD5 ❍ C. ECB ❍ D. RSA

The Answer: D. RSA RSA (Rivest, Shamir, and Adleman) asymmetric encryption includes the ability to encrypt, decrypt, and digitally sign data to ensure non-repudiation. Non-repudiation would ensure that the information received by a client can be verified as sent by the server.

C67. Daniel, a penetration tester, would like to gather some reconnaissance information before the formal penetration test begins. To provide a more focused test, Daniel would like to compile a list of open ports for each server participating in the test. Which of these would be the BEST way to gather this information? ❍ A. Capture network traffic with a protocol analyzer ❍ B. Send a phishing email with an application survey ❍ C. Use social engineering on the main switchboard operator ❍ D. Run a network scanner on each server's IP address

The Answer: D. Run a network scanner on each server's IP address A network scanner, or port scanner, is designed to query every possible port on an IP address and log any ports that appear to be open. This can sometimes be time consuming, so collecting this information prior to a penetration test can decrease the timeframe required for the pentest.

C54. Richard is reviewing this information from an IPS log:
MAIN_IPS: 22June2019 09:02:50 reject 10.1.111.7
Alert: HTTP Suspicious Webdav OPTIONS Method Request; Host: Server
Severity: medium; Performance Impact:3; Category: info-leak; Packet capture; disable
Proto:tcp; dst:192.168.11.1; src:10.1.111.7
Which of the following can be associated with this log information? (Select TWO) ❍ A. The attacker sent a non-authenticated BGP packet to trigger the IPS ❍ B. The source of the attack is 192.168.11.1 ❍ C. The event was logged but no packets were dropped ❍ D. The source of the attack is 10.1.111.7 ❍ E. The attacker sent an unusual HTTP packet to trigger the IPS

The Answer: D. The source of the attack is 10.1.111.7 and E. The attacker sent an unusual HTTP packet to trigger the IPS The second line of the IPS log shows the type of alert, and this record indicates that a suspicious HTTP packet was sent. The last line of the IPS log shows the protocol, destination, and source IP address information. The source IP address is 10.1.111.7.

C14. A security administrator has received a help desk ticket that states a user downloaded and installed a utility for compressing and decompressing files. Immediately after installing the utility, the user's overall workstation performance degraded, and it now takes twice as much time to perform any tasks on the computer. The compression utility does not appear on the list of authorized company software. Which of the following is the BEST description of this malware infection? ❍ A. Ransomware ❍ B. Adware ❍ C. Logic bomb ❍ D. Trojan

The Answer: D. Trojan A Trojan horse is malicious software that pretends to be something benign. The user will install the software with the expectation that it will perform a particular function, but in reality it is installing malware on the computer.

C43. A security administrator is preparing a phishing email that will be sent to employees as part of the company's periodic security test. The email is spoofed to appear as an unknown third-party and asks employees to immediately click a link or their state licensing will be revoked. Which of these social engineering principles are used by this email? ❍ A. Familiarity ❍ B. Social Proof ❍ C. Authority ❍ D. Urgency

The Answer: D. Urgency The need to complete this task as quickly as possible (immediately) is the primary social engineering principle in this description. Any task that encourages a person to act quickly (instead of thinking about it) is associated with urgency.

C87. A development team has instituted a life-cycle that relies on a sequential design process. Each step of the process must be completed before the next step can begin. Which of the following life-cycle models is being used by the developers? ❍ A. Agile ❍ B. Rapid ❍ C. Anamorphic ❍ D. Waterfall

The Answer: D. Waterfall The waterfall life-cycle of software development separates the process into sequential phases where one phase occurs at a time, and the output of that phase provides the deliverable for the next phase. For example, the requirements process might occur first, and only after the requirements are complete can the process continue to the analysis phase.

C34. An attacker was able to download a list of ten thousand company employee login credentials containing usernames and hashed passwords. Less than an hour later, a list containing all ten thousand usernames and passwords in plain text was posted to an online file storage repository. Which of the following would BEST describe how this attacker was able to post this information? ❍ A. Improper certificate management ❍ B. Phishing ❍ C. Untrained users ❍ D. Weak cipher suite

The Answer: D. Weak cipher suite Creating a password hash is a one-way process that can't be reversed. If the hash has not been salted, then a rainbow table lookup would be an easy way to find the plaintext passwords. Since none of the answers in this question included rainbow tables as an option, the most reasonable of the remaining choices would be a weak cipher suite that allowed for a very fast brute force attack of the password hashes. Of the available options, this is the only choice that would BEST fit the results.

C60. A system administrator is configuring an IPsec VPN to a remote location and would like to ensure that the VPN provides confidentiality protection for both the original IP header and the data. Which of the following should be configured on the VPN? ❍ A. ECB ❍ B. AH ❍ C. PEAP ❍ D. HMAC ❍ E. ESP

The Answer: E. ESP ESP (Encapsulating Security Payload) encrypts the data in the IP packet. In IPsec (Internet Protocol Security) transport mode, the IP header is not encrypted and is used for routing. In tunnel mode, both the original IP header and data are encrypted and encapsulated within a separate IP header.
