Security+ Assessment Exam 1 (DG)


14. You are redesigning your password policy. You want to ensure that users change their passwords regularly, but they are unable to reuse passwords. What settings should you configure? (Select THREE.) A. Maximum password age B. Password length C. Password history D. Password complexity E. Minimum password age

A, C, E. The maximum password age ensures users change their passwords regularly. The password history records previously used passwords (such as the last 24 passwords) to prevent users from reusing the same passwords. The minimum password age prevents users from changing their password repeatedly to get back to their original password and should be used with the password history setting. Password length requires a minimum number of characters in a password. Password complexity requires a mix of uppercase and lowercase letters, numbers, and special characters. See Chapter 2.

53. Your organization recently purchased several new laptop computers for employees. You're asked to encrypt the laptop's hard drives without purchasing any additional hardware. What would you use? A. TPM B. HSM C. VM escape D. DLP

A. A Trusted Platform Module (TPM) is included in many new laptops and it provides a mechanism for vendors to perform hard drive encryption. Because the TPM components are included, this solution does not require purchasing additional hardware. An HSM is a removable hardware device and is not included with laptops, so it requires an additional purchase. A VM escape attack runs on a virtual system, and if successful, it allows the attacker to control the physical host server and all other virtual servers on the physical server. A network-based data loss prevention (DLP) system can examine and analyze network traffic and detect if confidential company data is included. See Chapter 5.

93. A web site is using a certificate. Users have recently been receiving errors from the web site indicating that the web site's certificate is revoked. Which of the following includes a list of certificates that have been revoked? A. CRL B. CA C. OCSP D. CSR

A. A certificate revocation list (CRL) is a list of certificates that a Certificate Authority (CA) has revoked. The CA stores a database repository of revoked certificates and issues the CRL to anyone who requests it. The Online Certificate Status Protocol (OCSP) validates trust with certificates, but only returns short responses such as good, unknown, or revoked. A certificate signing request (CSR) is used to request certificates. See Chapter 10.

51. Management within your company is considering allowing users to connect to the corporate network with their personally owned devices. Which of the following represents a security concern with this policy? A. Inability to ensure devices are up to date with current system patches B. Difficulty in locating lost devices C. Cost of the devices D. Devices might not be compatible with applications within the network

A. A core security concern with bring your own device (BYOD) policies is ensuring that they are up to date with current patches and have up-to-date antivirus signature files. Tools are available to locate lost devices even if they are employee-owned. The cost of the devices is not a security concern and not a concern to the company because employees pay for their own devices. Although ensuring that the devices are compatible with network applications is a concern, it only affects availability of the application for a single user. See Chapter 5.

54. Management within your organization wants to limit documents copied to USB flash drives. Which of the following can be used to meet this goal? A. DLP B. Content filtering C. IPS D. Logging

A. A data loss prevention (DLP) solution can limit documents copied to a USB drive using content filters. Many devices, such as unified threat management (UTM) devices use content filters, so content filtering alone won't limit copies sent to a flash drive. An intrusion prevention system (IPS) scans traffic coming into a network to block attacks. Logging can record what documents were copied, but it won't limit copying. See Chapter 5.

58. You are troubleshooting an intermittent connectivity issue with a web server. After examining the logs, you identify repeated connection attempts from various IP addresses. You realize these connection attempts are overloading the server, preventing it from responding to other connections. Which of the following is MOST likely occurring? A. DDoS attack B. DoS attack C. Smurf attack D. Salting attack

A. A distributed denial-of-service (DDoS) attack includes attacks from multiple systems with the goal of depleting the target's resources and this scenario indicates multiple connection attempts from different IP addresses. A DoS attack comes from a single system, and a SYN flood is an example of a DoS attack. A smurf attack doesn't attempt to connect to systems but instead sends pings. Salting is a method used to prevent brute force attacks to discover passwords. See Chapter 7.

55. Bart installed code designed to enable his account automatically, three days after anyone disables it. What does this describe? A. Logic bomb B. Rootkit C. Armored virus D. Ransomware

A. A logic bomb is code that executes in response to an event. In this scenario, the logic bomb executes when it discovers the account is disabled (indicating Bart is no longer employed at the company). In this scenario, the logic bomb is creating a backdoor. A rootkit includes hidden processes, but it does not activate in response to an event. An armored virus uses techniques to resist reverse engineering. Ransomware demands payment as ransom. See Chapter 6.

71. Which of the following tools is the MOST invasive type of testing? A. Pentest B. Protocol analyzer C. Vulnerability scan D. Host enumeration

A. A pentest (or penetration test) is the most invasive type of test listed, and can potentially compromise a system. A protocol analyzer is not invasive, but it cannot determine if security controls are in place. A vulnerability scan can verify if security controls are in place and it does not try to exploit these controls using any invasive methods. Host enumeration identifies hosts on a network, but does not check for security controls. See Chapter 8.

70. You need to ensure that several systems have all appropriate security controls and patches. However, your supervisor specifically told you not to attack or compromise any of these systems. Which of the following is the BEST choice to meet these goals? A. Vulnerability scan B. Penetration test C. Command injection D. Virus scan

A. A vulnerability scan tests systems and can identify unapplied security controls and patches without attacking or compromising the systems. A penetration test potentially attacks or compromises a system. A command injection attack can also potentially cause damage. A virus scan detects viruses, but it doesn't check for security controls or patches. See Chapter 8.

59. Your organization includes the following statement in the security policy: "Security controls need to protect against both online and offline password brute force attacks." Which of the following controls is the LEAST helpful to meet these goals? A. Account expiration B. Account lockout C. Password complexity D. Password length

A. Account expiration is not an effective defense against brute force attacks. Account lockout helps protect against online brute force attacks. Password complexity and password length help protect against offline brute force attacks. See Chapters 1 and 7.

26. You are configuring a switch and need to ensure that only authorized devices can connect to it and access the network through this switch. Which of the following is the BEST choice to meet this goal? A. Implement 802.1x B. Use a Layer 3 switch. C. Create a VLAN D. Enable RSTP.

A. An 802.1x server provides port-based authentication and can prevent unauthorized devices from connecting to a network. Although you can configure an 802.1x server with a VLAN to redirect unauthorized clients, the VLAN by itself will not block unauthorized devices. A Layer 3 switch does not provide port-based authentication. Rapid Spanning Tree Protocol (RSTP) will prevent switching loop problems but doesn't authenticate clients.

99. A technician confiscated an employee's computer after management learned the employee had unauthorized material on his system. Later, a security expert captured a forensic image of the system disk. However, the security expert reported the computer was left unattended for several hours before he captured the image. Which of the following is a potential issue if this incident goes to court? A. Chain of custody B. Order of volatility C. Time offset D. Lack of metrics

A. Chain of custody is the primary issue here because the computer was left unattended for several hours. It's difficult to prove that the data collected is the same data that was on the employee's computer when it was confiscated. Data captured from a disk is not volatile so is not an issue in this scenario. The time offset refers to logged times and is not related to this question. Metrics are measurement tools, such as those used to measure the success of a security awareness program.

42. Attackers recently attacked a web server hosted by your organization. Management has tasked administrators with reducing the attack surface of this server to prevent future attacks. Which of the following will meet this goal? A. Disabling unnecessary services B. Installing and updating antivirus software C. Identifying the baseline D. Installing a NIDS

A. Disabling unnecessary services is a primary method of reducing the attack surface of a host. Installing up-to-date antivirus software is a valid preventive control, but it doesn't reduce the attack surface. Identifying the baseline should be done after disabling unnecessary services. A network-based intrusion detection system (NIDS) helps protect the server, but it doesn't reduce its attack surface. See Chapter 5.

89. You are planning to encrypt data in transit with IPsec. Which of the following is MOST likely to be used with IPsec? A. HMAC B. Blowfish C. Twofish D. MD5

A. Hash-based Message Authentication Code (HMAC) is used with Internet Protocol security (IPsec) and is more likely to be used than any of the other choices. RFC 4835 mandates the use of HMAC for authentication and integrity. When encryption is used, it also mandates the use of either Advanced Encryption Standard (AES) or Triple Data Encryption Standard (3DES). It does not list Blowfish or Twofish. Message Digest 5 (MD5) is a hashing algorithm. See Chapter 10.

91. An organization requested bids for a contract and asked companies to submit their bids via email. After winning the bid, Acme realized it couldn't meet the requirements of the contract. Acme instead stated that it never submitted the bid. Which of the following would provide proof to the organization that Acme did submit the bid? A. Digital signature B. Integrity C. Repudiation D. Encryption

A. If Acme submitted the bid via email using a digital signature, it would provide proof that the bid was submitted by Acme. Digital signatures provide verification of who sent a message, non-repudiation preventing them from denying it, and integrity verifying the message wasn't modified. Integrity verifies the message wasn't modified. Repudiation isn't a valid security concept. Encryption protects the confidentiality of data, but it doesn't verify who sent it or provide non-repudiation. See Chapter 10.

28. Your organization has implemented a network design that allows internal computers to share one public IP address. Of the following choices, what did they MOST likely implement? A. PAT B. STP C. DNAT D. TLS

A. Port Address Translation (PAT) is a form of Network Address Translation (NAT) and it allows many internal devices to share one public IP address. Dynamic Network Address Translation (DNAT) uses multiple public IP addresses instead of just one. Spanning Tree Protocol (STP) prevents switch loop problems and is unrelated to sharing IPs. Transport Layer Security (TLS) secures transmissions for data in transit.

75. Your organization security policy requires that personnel notify security administrators if an incident occurs. However, this is not occurring consistently. Which of the following could the organization implement to ensure security administrators are notified in a timely manner? A. Routine auditing B. User rights and permissions reviews C. Design review D. Incident response team

A. Routine auditing of the help desk or administrator logs can discover incidents and then match them with reported incidents. A review of user rights and permissions helps ensure they are assigned and maintained appropriately, but it does not help with ensuring incidents are reported correctly. A design review ensures that systems and software are developed properly. An incident response team responds to incidents, but it wouldn't necessarily ensure administrators are informed of incidents. See Chapter 8.

48. Of the following choices, what are valid security controls for mobile devices? A. Screen locks, device encryption, and remote wipe B. Host-based firewalls, pop-up blockers, and SCADA access C. Antivirus software, voice encryption, and NAC D. Remote lock, NAC, and locking cabinets

A. Screen locks, device encryption, and remote wipe are all valid security controls for mobile devices. It's rare for mobile devices to have firewalls, but granting them access to supervisory control and data acquisition (SCADA) systems doesn't protect mobile devices or SCADA systems. Network access control (NAC) provides protection for networks, not mobile devices. See Chapter 5.

87. Network administrators in your organization need to administer firewalls, security appliances, and other network devices. These devices are protected with strong passwords, and the passwords are stored in a file listing these passwords. Which of the following is the BEST choice to protect this password list? A. File encryption B. Database field encryption C. Full database encryption D. Whole disk encryption

A. The best choice is file encryption to protect the passwords in this list. If the passwords were stored in a database, it would be appropriate to encrypt the fields in the database holding the passwords. It's rarely desirable to encrypt an entire database. Whole disk encryption is appropriate for mobile devices. See Chapters 5 and 10.

17. Your organization routinely hires contractors to assist with different projects. Administrators are rarely notified when a project ends and contractors leave. Which of the following is the BEST choice to ensure that contractors cannot log on with their account after they leave? A. Enable account expiration. B. Enable an account enablement policy. C. Enable an account recovery policy. D. Enable generic accounts.

A. The best choice is to enable account expiration so that the contractor accounts are automatically disabled at the end of their projected contract time period. If contracts are extended, it's easy to enable the account and reset the account expiration date. Account disablement policies help ensure that any user accounts (not just contractors) are disabled when the user leaves the organization, but an account enablement policy isn't a valid term. An account recovery policy allows administrators to recover accounts and associated security keys for ex-employees. It's best to prohibit the use of generic accounts (such as the Guest account), so enabling generic accounts is not recommended. See Chapter 2.

36. Your organization is hosting a wireless network with an 802.1x server using PEAP. On Thursday, users report they can no longer access the wireless network. Administrators verified the network configuration matches the baseline, there aren't any hardware outages, and the wired network is operational. Which of the following is the MOST likely cause for this problem? A. The RADIUS server certificate expired. B. DNS is providing incorrect host names. C. DHCP is issuing duplicate IP addresses. D. MAC filtering is enabled.

A. The most likely cause is that the Remote Authentication Dial-In User Service (RADIUS) server certificate expired. An 802.1x server is implemented as a RADIUS server and Protected Extensible Authentication Protocol (PEAP) requires a certificate. If Domain Name System (DNS) or Dynamic Host Configuration Protocol (DHCP) failed, it would affect both wired and wireless users. Media access control (MAC) address filtering might cause this symptom if all MAC addresses were blocked, but the scenario states that there weren't any network configuration changes. See Chapter 4.

76. A security administrator is reviewing an organization's security policy and notices that the policy does not define a time frame for reviewing user rights and permissions. Which of the following is the MINIMUM time frame that she should recommend? A. At least once a year B. At least once every five years C. Anytime an employee leaves the organization D. Anytime a security incident has been identified

A. User rights and permissions reviews should occur at least once a year, and some organizations do them more often. Every five years is too long. Organizations with a high turnover rate might have employees leaving every week, and it's not feasible to do a review that often. Performing a review in response to incidents won't necessarily prevent incidents. See Chapter 8.

44. An updated security policy defines what applications users can install and run on company-issued mobile devices. Which of the following technical controls will enforce this policy? A. Whitelisting B. Blacklisting C. AUP D. BYOD

A. Whitelisting identifies authorized software and prevents users from installing or running any other software. Blacklisting identifies what isn't authorized, but in this scenario the policy defines what can be installed, not what cannot be installed. An acceptable use policy is not a technical control. Bring your own device (BYOD) doesn't apply here because the devices are company-issued. See Chapter 5.

25. Your organization has several switches used within the network. You need to implement a security control to secure the switch from physical access. What should you do? A. Disable unused ports. B. Implement an implicit deny rule. C. Disable STP. D. Enable SSH.

A. You can provide added security by disabling unused physical ports on the switch. If someone gains physical access to the switch by plugging a computer into one of its unused ports, that person will not be able to connect to the network. An implicit deny rule is placed at the end of an access control list on a router to deny traffic that hasn't been explicitly allowed, but it doesn't affect physical ports. Spanning Tree Protocol (STP) prevents switching loop problems and should be enabled. Secure Shell (SSH) encrypts traffic but doesn't protect a switch from physical access.

20. Your organization's security policy requires that PII data at rest and PII data in transit be encrypted. Of the following choices, what would the organization use to achieve these objectives? (Select TWO.) A. FTP B. SSH C. SMTP D. PGP/GPG E. HTTP

B, D. You can use Secure Shell (SSH) to encrypt Personally Identifiable Information (PII) data when transmitting it over the network (data in transit). While Pretty Good Privacy (PGP)/GNU Privacy Guard (GPG) is primarily used to encrypt email, it can also be used to encrypt data at rest. File Transfer Protocol (FTP), Simple Mail Transfer Protocol (SMTP), and Hypertext Transfer Protocol (HTTP) transmit data in cleartext unless they are combined with an encryption protocol. See Chapters 3 and 10.

24. While reviewing logs on a firewall, you see several requests for the AAAA record of gcgapremium.com. What is the purpose of this request? A. To identify the IPv4 address of gcgapremium.com B. To identify the IPv6 address of gcgapremium.com C. To identify the mail server for gcgapremium.com D. To identify any aliases used by gcgapremium.com

B. A Domain Name System (DNS) AAAA record identifies the IPv6 address of a given name. An A record identifies the IPv4 address of a given name. An MX record identifies a mail server. A CNAME record identifies aliases.

32. A security company wants to gather intelligence about current methods attackers are using against its clients. What can it use? A. Vulnerability scan B. Honeynet C. MAC address filtering D. Evil twin

B. A honeynet is a fake network designed to look valuable to attackers and can help security personnel learn about current attack methods. In this scenario, the security company can install honeynets in its customers' networks to lure the attackers. A vulnerability scan detects vulnerabilities, but attackers may not try to exploit them. Media access control (MAC) address filtering is a form of network access control, but can't be used to detect or learn about attacks. An evil twin is a rogue access point with the same SSID as an authorized access point. See Chapter 4.

13. A security professional has reported an increase in the number of tailgating violations into a secure data center. What can prevent this? A. CCTV B. Mantrap C. Proximity card D. Cipher lock

B. A mantrap is highly effective at preventing unauthorized entry and can also be used to prevent tailgating. CCTV provides video surveillance and it can record unauthorized entry, but it can't prevent it. A proximity card is useful as an access control mechanism, but it won't prevent tailgating, so it isn't as useful as a mantrap. A cipher lock is a door access control, but it can't prevent tailgating. See Chapter 2.

78. You are a technician at a small organization. You need to add fault-tolerance capabilities within the business to increase the availability of data. However, you need to keep costs as low as possible. Which of the following is the BEST choice to meet these needs? A. Failover cluster B. RAID-6 C. Backups D. UPS

B. A redundant array of inexpensive disks 6 (RAID-6) subsystem provides fault tolerance for disks, and increases data availability. A failover cluster provides fault tolerance for servers and can increase data availability but is significantly more expensive than a RAID subsystem. Backups help ensure data availability, but they do not help with fault tolerance. An uninterruptible power supply (UPS) provides fault tolerance for power, but not necessarily for data. See Chapter 9.

85. Which of the following is a symmetric encryption algorithm that encrypts data one bit at a time? A. Block cipher B. Stream cipher C. AES D. DES E. MD5

B. A stream cipher encrypts data a single bit or a single byte at a time and is more efficient when the size of the data is unknown, such as streaming audio or video. A block cipher encrypts data in specific-sized blocks, such as 64-bit blocks or 128-bit blocks. Advanced Encryption Standard (AES), Data Encryption Standard (DES), and Message Digest 5 (MD5) are all block ciphers. See Chapter 10.

50. You want to deter an attacker from using brute force to gain access to a mobile device. What would you configure? A. Remote wiping B. Account lockout settings C. Geo-tagging D. RFID

B. Account lockout settings are useful on any type of device, including mobile devices and desktop systems. An account lockout setting locks a device after a specified number of incorrect password or PIN guesses; some devices can be configured to erase all the data on the device after too many incorrect guesses. Remote wiping erases all the data. Geo-tagging provides geographic location for pictures posted to social media sites. Radio-frequency identification (RFID) can be used for automated inventory control to detect movement of devices. See Chapters 1 and 5.

98. You work as a help-desk professional in a large organization. You have begun to receive an extraordinary number of calls from employees related to malware. Using common incident response procedures, what should be your FIRST response? A. Preparation B. Identification C. Escalation D. Mitigation

B. At this stage, the first response is incident identification. The preparation phase is performed before an incident, and includes steps to prevent incidents. After identifying this as a valid incident (malware infection), the next step is escalation and notification and then mitigation steps.

35. Which of the following represents the BEST action to increase security in a wireless network? A. Replace dipole antennas with Yagi antennas. B. Replace TKIP with CCMP. C. Replace WPA with WEP. D. Disable SSID broadcast.

B. Counter Mode Cipher Block Chaining Message Authentication Code Protocol (CCMP) provides stronger encryption than Temporal Key Integrity Protocol (TKIP) and is the best choice. Replacing omnidirectional dipole antennas with directional Yagi antennas doesn't necessarily increase security and will likely limit availability. Wired Equivalent Privacy (WEP) should not be used and is not an improvement over Wi-Fi Protected Access (WPA). Disabling service set identifier (SSID) broadcast hides the network from casual users, but is not a security step. See Chapter 4.

64. A security tester is using fuzzing techniques to test a software application. Which of the following does fuzzing use to test the application? A. Formatted input B. Unexpected input C. Formatted output D. Unexpected output

B. Fuzzing sends random or unexpected input into an application to test the application's ability to handle it. Command injection attacks use formatted input. Fuzzing does not test the application using any outputs. See Chapter 7.

4. An organization wants to provide protection against malware attacks. Administrators have installed antivirus software on all computers. Additionally, they implemented a firewall and an IDS on the network. Which of the following BEST identifies this principle? A. Implicit deny B. Layered security C. Least privilege D. Flood guard

B. Layered security (or defense in depth) implements multiple controls to provide several layers of protection. In this case, the antivirus software provides one layer of protection while the firewall and the intrusion detection system (IDS) provide additional layers. Implicit deny blocks access unless it has been explicitly allowed. Least privilege ensures that users are granted only the access they need to perform their jobs, and no more. A flood guard attempts to block SYN Flood attacks. See Chapter 1.

38. A small business owner modified his wireless router with the following settings: PERMIT 1A:2B:3C:4D:5E:6F DENY 6F:5E:4D:3C:2B:1A After saving the settings, an employee reports that he cannot access the wireless network anymore. What is the MOST likely reason that the employee cannot access the network? A. IP address filtering B. Hardware address filtering C. Port filtering D. URL filtering

B. Media access control (MAC) address filtering can block or allow access based on a device's MAC address, also known as the hardware address. Both addresses in the scenario are MAC addresses. These addresses are not Internet Protocol (IP) addresses, port numbers, or Uniform Resource Locators (URLs). See Chapter 4.

9. Your company recently began allowing workers to telecommute from home one or more days a week. However, your company doesn't currently have a remote access solution. They want to implement an AAA solution that supports different vendors. Which of the following is the BEST choice? A. TACACS+ B. RADIUS C. Circumference D. SAML

B. Remote Authentication Dial-In User Service (RADIUS) is an authentication, authorization, and accounting (AAA) protocol and is the best choice. TACACS+ is proprietary to Cisco, so it won't support different vendor solutions. Diameter is preferable to RADIUS, but there is no such thing as a Circumference protocol. SAML is an SSO solution used with web-based applications. See Chapter 1.

3. Lisa manages network devices in your organization and maintains copies of the configuration files for all the managed routers and switches. On a weekly basis, she creates hashes for these files and compares them with hashes she created on the same files the previous week. Which security goal is she pursuing? A. Confidentiality B. Integrity C. Availability D. Safety

B. She is pursuing integrity by verifying the configuration files have not changed. By verifying that the hashes are the same, she also verifies that the configuration files are the same. Confidentiality is enforced with encryption, access controls, and steganography. Availability ensures systems are up and operational when needed. Safety goals help ensure the safety of personnel and/or other assets. See Chapters 1 and 10.

57. A recent change in an organization's security policy states that monitors need to be positioned so that they cannot be viewed from outside any windows. What is the purpose of this policy? A. Reduce success of phishing B. Reduce success of shoulder surfing C. Reduce success of dumpster diving D. Reduce success of impersonation

B. Shoulder surfing is the practice of viewing data by looking over someone's shoulder and it includes looking at computer monitors. Positioning monitors so that they cannot be viewed through a window reduces this threat. Phishing is an email attack. Dumpster diving is the practice of looking through dumpsters. Social engineers often try to impersonate others to trick them. See Chapter 6.

80. Monty Burns is the CEO of the Springfield Nuclear Power Plant. What would the company have in place in case something happens to him? A. Business continuity planning B. Succession planning C. Separation of duties D. IT contingency planning

B. Succession planning identifies people within an organization who can fill leadership positions if they become vacant. It is also helpful during a disaster by ensuring people understand their roles and responsibilities. A succession planning chart is often in a business continuity plan (BCP), but business continuity planning is much broader than just succession planning. A separation of duties policy separates individual tasks of an overall function between different people. IT contingency planning focuses on recovery of IT systems. See Chapter 9.

66. You are asked to identify the number of times a specific type of incident occurs per year. Which of the following BEST identifies this? A. ALE B. ARO C. MTTF D. SLE

B. The annual rate of occurrence (ARO) is the best choice to identify how many times a specific type of incident occurs in a year. Annual loss expectancy (ALE) identifies the expected monetary loss for an incident and single loss expectancy (SLE) identifies the expected monetary loss for a single incident. ALE = SLE × ARO and if you know any two of these values, you can identify the third value. For example, ARO = ALE / SLE. Mean time to failure (MTTF) is not an annual figure. See Chapter 8.

83. A software company occasionally provides application updates and patches via its web site. It also provides a checksum for each update and patch. Which of the following BEST describes the purpose of the checksum? A. Availability of updates and patches B. Integrity of updates and patches C. Confidentiality of updates and patches D. Integrity of the application

B. The checksum (also known as a hash) provides integrity for the patches and updates so that users can verify they have not been modified. Installing patches and updates increases the availability of the application. Confidentiality is provided by encryption. The checksums are for the updates and patches, so they do not provide integrity for the application. See Chapter 10.

19. An organization has implemented an access control model that enforces permissions based on data labels assigned at different levels. What type of model is this? A. DAC B. MAC C. Role-BAC D. Rule-BAC

B. The mandatory access control (MAC) model uses labels assigned at different levels to restrict access. The discretionary access control (DAC) model assigns permissions based on object ownership. The role-based access control (role-BAC) model uses group-based privileges. The rule-based access control (rule-BAC) model uses rules that trigger in response to events. See Chapter 2.

15. An outside security auditor recently completed an in-depth security audit on your network. One of the issues he reported was related to passwords. Specifically, he found the following passwords used on the network: Pa$$, 1@W2, and G7bT3. What should be changed to avoid the problem shown with these passwords? A. Password complexity B. Password length C. Password history D. Password reuse

B. The password policy should be changed to increase the minimum password length. These passwords are only four or five characters long, which is too short to provide adequate security. They are complex because they include a mixture of at least three of the following character types: uppercase letters, lowercase letters, numbers, and special characters. Password history and password reuse should be addressed if users are reusing the same passwords, but the scenario doesn't indicate this is a problem. See Chapter 2.

8. Users are required to log on to their computers with a smart card and a PIN. Which of the following BEST describes this? A. Single-factor authentication B. Multifactor authentication C. Mutual authentication D. TOTP

B. Users authenticate with two factors of authentication in this scenario, which is multifactor authentication or dual-factor authentication. The smart card is in the something you have factor of authentication, and the PIN is in the something you know factor of authentication. They are using more than a single factor. Mutual authentication is when both entities in the authentication process authenticate with each other, but it doesn't apply in this situation. A Time-based One-Time Password (TOTP) is a protocol used to create passwords that expire after 30 seconds. See Chapter 1.

73. Testers are analyzing a web application your organization is planning to deploy. They have full access to product documentation, including the code and data structures used by the application. What type of test will they MOST likely perform? A. Gray box B. White box C. Black box D. White hat

B. White box testers are provided full knowledge about the product or network they are testing. A black box tester does not have access to product documentation, and a gray box tester would have some access to product documentation. White hat refers to a security professional working within the law. See Chapter 8.

94. Which of the following is a management control? A. Encryption B. Security policy C. Least privilege D. Change management

B. Written security policies are management controls. Encryption and the principle of least privilege are technical controls. Change management is an operational control. See Chapter 11.

2. You need to transmit PII via email and you want to maintain its confidentiality. Of the following choices, what is the BEST solution? A. Use hashes. B. Encrypt it before sending. C. Protect it with a digital signature. D. Use RAID.

B. You can maintain the confidentiality of any data, including Personally Identifiable Information (PII), with encryption. Hashes provide integrity, not confidentiality. A digital signature provides authentication, non-repudiation, and integrity. A redundant array of inexpensive disks (RAID) provides higher availability for a disk subsystem. See Chapters 1 and 10.

74. A network administrator is attempting to identify all traffic on an internal network. Which of the following tools is the BEST choice? A. Black box test B. Protocol analyzer C. Penetration test D. Baseline review

B. You can use a protocol analyzer (or sniffer) to capture traffic on a network, and then analyze the capture to identify and quantify all the traffic on the network. Penetration tests (including black box tests) attempt to identify and exploit vulnerabilities. A baseline review can identify changes from standard configurations, but it doesn't necessarily identify all traffic on a network. See Chapter 8.

56. Lisa recently completed an application used by the Personnel department to store PII and other employee information. She programmed in the ability to access this application with a username and password that only she knows, so that she can perform remote maintenance on the application if necessary. What does this describe? A. Armored virus B. Polymorphic virus C. Backdoor D. Trojan

C. A backdoor provides someone an alternative way of accessing the system, which is exactly what Lisa created in this scenario. It might seem as though she's doing so with good intentions, but if attackers discover a backdoor, they can exploit it. A virus tries to replicate itself, but this account doesn't have a replication mechanism. A Trojan looks beneficial but includes a malicious component. See Chapter 6.

47. A security analyst is evaluating a critical industrial control system. The analyst wants to ensure the system has security controls to support availability. Which of the following will BEST meet this need? A. Using at least two firewalls to create a DMZ B. Installing a SCADA system C. Implementing control redundancy and diversity D. Using an embedded system

C. A critical industrial control system implies a supervisory control and data acquisition (SCADA) system, and of the available choices, ensuring that the system incorporates diversity into a redundant design best supports availability. A demilitarized zone (DMZ) provides some protection against Internet attacks, but critical industrial control systems rarely have direct Internet access. The goal in the question is to protect the SCADA system, but the SCADA system itself isn't a security control. The scenario is describing an embedded system, so using one adds no control. See Chapter 5.

33. Lisa oversees and monitors processes at a water treatment plant using SCADA systems. Administrators recently discovered malware on her system that was connecting to the SCADA systems. Although they removed the malware, management is still concerned. Lisa needs to continue using her system and it's not possible to update the SCADA systems. What can mitigate this risk? A. Install HIPS on the SCADA systems. B. Install a firewall on the border of the SCADA network. C. Install a NIPS on the border of the SCADA network. D. Install a honeypot on the SCADA network.

C. A network intrusion prevention system (NIPS) installed on the supervisory control and data acquisition (SCADA) network can intercept malicious traffic coming into the network and is the best choice of those given. The scenario states you cannot update the SCADA systems, so you cannot install a host-based IPS (HIPS) on any of them. A firewall provides a level of protection. However, it wouldn't be able to differentiate between valid traffic sent by Lisa and malicious traffic sent by malware from Lisa's system. A honeypot might be useful to observe malicious traffic, but wouldn't prevent it. See Chapter 4.

7. Which type of authentication is a retina scan? A. Multifactor B. TOTP C. Biometric D. Dual-factor

C. A retina scan is a biometric method of authentication in the something you are factor of authentication. You need to combine two or more factors of authentication for dual-factor and multifactor authentication. A Time-based One-Time Password (TOTP) is a protocol used to create passwords that expire after 30 seconds. See Chapter 1.

41. A network administrator needs to open a port on a firewall to support a VPN using PPTP. What ports should the administrator open? A. UDP 47 B. TCP 50 C. TCP 1723 D. UDP 1721

C. A virtual private network (VPN) using Point-to-Point Tunneling Protocol (PPTP) requires Transmission Control Protocol (TCP) port 1723 open. It would also need protocol ID 47 open, but the protocol ID is not a port. Internet Protocol security (IPsec) uses protocol ID 50 and User Datagram Protocol (UDP) port 1721. See Chapters 3 and 4.

31. You are preparing to deploy an anomaly-based detection system to monitor network activity. What would you create first? A. Flood guards B. Signatures C. Baseline D. Honeypot

C. An anomaly-based (also called heuristic or behavior-based) detection system compares current activity with a previously created baseline to detect any anomalies or changes. Flood guards help protect against SYN flood attacks. Signature-based systems use signatures similar to antivirus software. A honeypot is a server designed to look valuable to an attacker and can divert attacks. See Chapter 4.

63. Looking at logs for an online web application, you see that someone has entered the following phrase into several queries: ' or '1'='1' -- Which of the following is the MOST likely explanation for this? A. A buffer overflow attack B. An XSS attack C. A SQL injection attack D. An LDAP injection attack

C. Attackers use the phrase in SQL injection attacks to query or modify databases. A buffer overflow attack sends more data or unexpected data to an application with the goal of accessing system memory. A cross-site scripting (XSS) attack attempts to insert HTML or JavaScript code into a web site or email. A Lightweight Directory Access Protocol (LDAP) injection attack attempts to inject LDAP commands to query a directory service database. See Chapter 7.

11. Your organization issues users a variety of different mobile devices. However, management wants to reduce potential data losses if the devices are lost or stolen. Which of the following is the BEST technical control to achieve this goal? A. Cable locks B. Risk assessment C. Disk encryption D. Hardening the systems

C. Disk encryption is a strong technical control that can mitigate potential data losses if mobile devices are lost or stolen. Cable locks are preventive controls that can prevent the theft of mobile devices such as laptops, but they don't protect the data after the device is stolen. A risk assessment is a management control. Hardening systems helps make them more secure than their default configuration, but doesn't necessarily protect data after the device is lost. See Chapters 2 and 5.

92. Application developers are creating an application that requires users to log on with strong passwords. The developers want to store the passwords in such a way that it will thwart brute force attacks. Which of the following is the BEST solution? A. 3DES B. MD5 C. PBKDF2 D. Database fields

C. Password-Based Key Derivation Function 2 (PBKDF2) is a key stretching technique designed to protect against brute force attempts and is the best choice of the given answers. Another alternative is bcrypt. Both salt the password with additional bits. Triple DES (3DES) is an encryption protocol. Passwords stored using Message Digest 5 (MD5) are easier to crack because they don't use salts. Storing the passwords in encrypted database fields is a possible solution, but just storing them in unencrypted database fields does not protect them at all. See Chapter 10.

49. A new mobile device security policy has authorized the use of employee-owned devices, but mandates additional security controls to protect them if devices are lost or stolen. Which of the following meets this goal? A. Screen locks and geo-tagging B. Patch management and change management C. Screen locks and device encryption D. Full device encryption and IaaS

C. Screen locks provide protection for lost devices by making it more difficult for someone to access the device. Device encryption protects the data. Geo-tagging includes location information on pictures posted to social media sites. Patch management keeps devices up to date and change management helps prevent outages from unauthorized changes. Infrastructure as a Service (IaaS) is a cloud computing option. See Chapter 5.

1. A security administrator is implementing a security program that addresses confidentiality and availability. Of the following choices, what else should the administrator include? A. Ensure critical systems provide uninterrupted service. B. Protect data in transit from unauthorized disclosure. C. Ensure systems are not susceptible to unauthorized changes. D. Secure data to prevent unauthorized disclosure.

C. The administrator should ensure systems are not susceptible to unauthorized changes, an element of integrity. A security program should address the three core security principles of confidentiality, integrity, and availability; the system in the example is already addressing confidentiality and availability. Protecting data and securing data to prevent unauthorized disclosure addresses confidentiality. Ensuring critical systems provide uninterrupted service addresses availability. See Chapter 1.

67. Lisa needs to calculate the total ALE for a group of servers used in the network. During the past two years, five of the servers failed. The hardware cost to replace each server is $3,500, and the downtime has resulted in $2,500 of additional losses. What is the ALE? A. $7,000 B. $10,000 C. $15,000 D. $30,000

C. The annual loss expectancy (ALE) is $15,000. The single loss expectancy (SLE) is $6,000 ($3,500 + $2,500). The annual rate of occurrence (ARO) is 2.5 (five failures in two years, or 5 / 2). You calculate the ALE as SLE × ARO ($6,000 × 2.5). See Chapter 8.

81. A continuity of operations plan for an organization includes the use of a warm site. The BCP coordinator wants to verify that the organization's backup data center is prepared to implement the warm site if necessary. Which of the following is the BEST choice to meet this need? A. Perform a review of the disaster recovery plan. B. Ask the managers of the backup data center. C. Perform a disaster recovery exercise. D. Perform a test restore.

C. The best way to test elements of a business continuity plan (BCP) or disaster recovery plan (DRP) is to test the plan by performing a disaster recovery exercise. Asking managers if they are ready and reviewing the plan are both helpful, but not as effective as an exercise. Performing a test restore verifies the backup capabilities, but not necessarily the steps required when implementing a warm site. See Chapter 9.

60. A code review of a web application discovered that the application is not performing boundary checking. What should the web developer add to this application to resolve this issue? A. XSRF B. XSS C. Input validation D. Fuzzing

C. The lack of input validation is a common coding error. Input validation includes boundary or limit checking to validate data before using it. Proper input validation prevents many problems such as cross-site request forgery (XSRF), cross-site scripting (XSS), buffer overflow, and command injection attacks. Fuzzing injects extra data and tests the effectiveness of input validation. See Chapter 7.

88. Bart, an employee at your organization, is suspected of leaking data to a competitor. Investigations indicate he sent several email messages containing pictures of his dog. Investigators have not been able to identify any other suspicious activity. Which of the following is MOST likely occurring? A. Bart is copying the data to a USB drive. B. Bart is encrypting the data. C. Bart is leaking data using steganography. D. Bart is sending the data as text in the emails.

C. The most likely issue is that Bart is embedding data in the pictures using steganography techniques. The scenario doesn't give any indications that he is copying the data to a USB drive or encrypting the data, and these actions don't indicate he is leaking the data. If he was sending the data as text in the emails, it would be apparent. See Chapter 10.

86. A supply company has several legacy systems connected together within a warehouse. An external security audit discovered the company is using DES and mandated the company upgrade DES to meet minimum security requirements. The company plans to replace the legacy systems next year, but needs to meet the requirements from the audit. Which of the following is MOST likely to be the simplest upgrade for these systems? A. AES B. HMAC C. 3DES D. SSL

C. The simplest upgrade is Triple Data Encryption Standard (3DES). Advanced Encryption Standard (AES) is stronger, but considering these are legacy systems, their hardware is unlikely to support AES and 3DES is a suitable alternative. Hash-based Message Authentication Code (HMAC) is a hashing algorithm used to verify the integrity and authenticity of messages. Secure Sockets Layer (SSL) requires the use of certificates, so it would require a Public Key Infrastructure (PKI), which is not a simple solution. See Chapter 10.

10. Your organization has implemented a system that stores user credentials in a central database. Users log on once with their credentials. They can then access other systems in the organization without logging on again. What does this describe? A. Same sign-on B. SAML C. Single sign-on D. Biometrics

C. This describes a single sign-on (SSO) solution in which users only have to log on once. Same sign-on indicates users can access multiple systems using the same credentials, but they still have to enter their credentials again each time they access a new resource. Security Assertion Markup Language (SAML) is an SSO solution used for web-based applications, but not all SSO solutions use SAML. Biometrics is a method of authentication, such as a fingerprint, but it isn't an SSO solution. See Chapter 1.

23. You need to manage a remote server. Which of the following ports should you open on the firewall between your system and the remote server? A. 25 and 3389 B. 22 and 443 C. 22 and 3389 D. 21 and 23

C. You can manage a remote server using Secure Shell (SSH) on TCP port 22 and Remote Desktop Protocol (RDP) on TCP port 3389. You could also use Telnet on TCP port 23, but SSH is the preferred alternative. Simple Mail Transfer Protocol (SMTP) uses TCP port 25. Hypertext Transfer Protocol Secure (HTTPS) uses TCP port 443. File Transfer Protocol (FTP) uses TCP port 21.

27. You need to configure a UTM security appliance to restrict access to peer-to-peer file sharing web sites. What are you MOST likely to configure? A. Content inspection B. Malware inspection C. URL filter D. Stateless inspection

C. You would most likely configure the Uniform Resource Locator (URL) filter on the unified threat management (UTM) security appliance. This would block access to the peer-to-peer sites based on their URL. Content inspection and malware inspection focus on inspecting the data as it passes through the UTM, but they do not block access to sites. Stateless inspection is packet filtering and would be extremely difficult to configure on a firewall for all peer-to-peer web sites.

6. Which type of authentication does a hardware token provide? A. Biometric B. PIN C. Strong password D. One-time password

D. A hardware token (such as an RSA token) uses a one-time password for authentication in the something you have factor of authentication. Biometric methods are in the something you are factor of authentication, such as a fingerprint. A PIN and a password are both in the something you know factor of authentication and do not require a hardware token. See Chapter 1.

84. A function converts data into a string of characters and the string of characters cannot be reversed to recreate the original data. What type of function is this? A. Symmetric encryption B. Asymmetric encryption C. Stream cipher D. Hashing

D. A hash function creates a string of characters (typically displayed in hexadecimal) when executed against a file or message, and hashing functions cannot be reversed to recreate the original data. Encryption algorithms (including symmetric encryption, asymmetric encryption, and stream ciphers) create ciphertext from plaintext data, but they include decryption algorithms to recreate the original data. See Chapter 10.

18. Developers are planning to develop an application using role-based access control. Which of the following would they MOST likely include in their planning? A. A listing of labels reflecting classification levels B. A requirements list identifying need to know C. A listing of owners D. A matrix of functions matched with their required privileges

D. A matrix of functions, roles, or job titles matched with the required access privileges for each of the functions, roles, or job titles is a common planning document for a role-based access control model. The mandatory access control (MAC) model uses sensitivity labels and classification levels. MAC is effective at restricting access based on a need to know. The discretionary access control model specifies that every object has an owner and it might identify owners in a list. See Chapter 2.

79. An organization needs to identify a continuity of operations plan that will allow it to provide temporary IT support during a disaster. The organization does not want to have a dedicated site. Which of the following provides the best solution? A. Cold site B. Warm site C. Hot site D. Mobile site

D. A mobile site is a self-contained transportable unit that can be moved around without having a dedicated site. Cold sites, warm sites, and hot sites are dedicated locations. See Chapter 9.

95. Security personnel recently identified potential fraud committed by a network administrator. Investigators discovered this administrator performs several job functions within the organization, including database administration and application development. Which of the following is the BEST solution to reduce risk associated with this activity? A. Mandatory vacations B. Mandatory access control C. Change management D. Separation of duties

D. A separation of duties policy prevents any single person from performing multiple job functions that might allow the person to commit fraud. A mandatory vacation policy is useful to discover fraud committed by an individual, but this scenario clearly indicates this individual controls too many job functions. Although mandatory access control is the strongest access control method available, it doesn't separate job functions. Change management ensures changes are reviewed before being implemented.

97. Your company is considering implementing SSO capabilities to company applications and linking them to a social media site. When implemented, users can log on to Facebook and then access company applications without logging on again. What is a potential risk related to this plan? A. A data breach exposing passwords on the company site will affect the social media site. B. SAML lacks adequate security when used on the Internet. C. XML lacks adequate security when used on the Internet. D. A data breach exposing passwords on the social media site will affect the company application.

D. A successful attack on the social media site resulting in a data breach can expose the passwords and ultimately affect the company application. Users won't use their company credentials to access the social media site, so this doesn't present a risk to the social media site. Security Assertion Markup Language (SAML) is an Extensible Markup Language (XML)-based data format used for SSO on web browsers and it is commonly used on the Internet.

69. Bart is performing a vulnerability assessment. Which of the following BEST represents the goal of this task? A. Identify services running on a system. B. Determine if vulnerabilities can be exploited. C. Determine if input validation is in place. D. Identify the system's security posture.

D. A vulnerability assessment identifies a system or network's security posture. A port scanner identifies services running on a system. A penetration test determines if vulnerabilities can be exploited. Although a vulnerability assessment might verify if input validation methods are in place, it includes much more. See Chapter 8.

77. Security personnel recently performed a security audit. They identified several employees who had permissions for previously held jobs within the company. What should the organization implement to prevent this in the future? A. Role-BAC model B. Account disablement policy C. Vulnerability assessment D. Account management controls

D. Account management controls ensure that accounts only have the permissions they need and no more, and would ensure that user permissions are removed when users no longer need them. User rights and permission reviews also help ensure the controls are effective. A role-based access control (role-BAC) model uses group-based permissions, but it doesn't force administrators to take a user out of a security group when the user moves to a different job. An account disablement policy ensures accounts are disabled when an employee leaves. A vulnerability assessment might detect this as it reviews the organization's security posture, but it won't prevent it. See Chapters 2 and 8.

68. Security experts at your organization have determined that your network has been repeatedly attacked from multiple entities in a foreign country. Research indicates these are coordinated and sophisticated attacks. What BEST describes this activity? A. Fuzzing B. Sniffing C. Spear phishing D. Advanced persistent threat

D. An advanced persistent threat is a group of highly organized individuals, typically from a foreign country, with the ability to coordinate sophisticated attacks. Fuzzing is the practice of sending unexpected input to an application for testing and can be used in a security assessment. Sniffing is the practice of capturing traffic with a protocol analyzer. Spear phishing is a targeted phishing attack. See Chapter 8.

46. An organization recently suffered a significant outage after a technician installed an application update on a vital server during peak hours. The server remained down until administrators were able to install a previous version of the application on the server. What could the organization implement to prevent a reoccurrence of this problem? A. Do not apply application patches to server applications. B. Apply the patches during nonpeak hours. C. Apply hardening techniques. D. Create a patch management policy.

D. An application patch management policy includes plans for identifying, testing, scheduling, and deploying updates. Patches are often applied to test systems before they are applied to live production systems, which would have prevented this outage. Server applications should be kept up to date with patches. Although applying patches during nonpeak hours is a good recommendation, it would still have caused an outage in this scenario. Hardening techniques make a system more secure, but won't protect systems from a faulty patch. See Chapter 5.

40. Which of the following is an attack against a mobile device? A. War chalking B. SSID hiding C. Evil twin D. Bluejacking

D. Bluejacking is the practice of sending unsolicited messages to other Bluetooth devices. War chalking is the practice of marking the location of wireless networks, sometimes using chalk. You can disable service set identifier (SSID) broadcasting to hide the SSID from casual users, but this isn't an attack. An evil twin is a rogue access point with the same SSID as a legitimate access point. It can be used to launch attacks against any wireless devices, but it isn't an attack against only mobile devices. See Chapter 4.

82. Users are complaining of intermittent connectivity issues. When you investigate, you discover that new network cables for these user systems were run across several fluorescent lights. What environmental control will resolve this issue? A. HVAC system B. Fire suppression C. Humidity controls D. EMI shielding

D. Electromagnetic interference (EMI) shielding provides protection against EMI sources such as fluorescent lights. Heating, ventilation, and air conditioning systems provide protection from overheating. Fire suppression systems provide protection from fire. Humidity controls provide protection against electrostatic discharge (ESD) and condensation. See Chapter 9.

52. Your organization is planning to issue mobile devices to some employees, but they are concerned about protecting the confidentiality of data if the devices are lost or stolen. Which of the following is the BEST way to secure data at rest on a mobile device? A. Strong passwords B. Hashing C. RAID-6 D. Full device encryption

D. Encryption is the best way to protect data, and full device encryption protects data stored on a mobile device. Although strong passwords are useful, if a thief gets a mobile device, it's just a matter of time before the thief bypasses the password. Hashing is used for integrity, but the confidentiality of the data needs to be protected with encryption. Redundant array of inexpensive disks 6 (RAID-6) can increase availability, but not confidentiality. See Chapter 5.

22. Bart wants to block access to all external web sites. Which port should he block at the firewall? A. TCP 22 B. TCP 53 C. UDP 69 D. TCP 80

D. He should block port 80 because web sites use Hypertext Transfer Protocol (HTTP) over TCP port 80. Secure Shell (SSH) uses TCP port 22. Domain Name System (DNS) uses TCP port 53 for zone transfers. Trivial File Transfer Protocol (TFTP) uses UDP port 69.

90. Bart wants to send a secure email to Lisa, so he decides to encrypt it. He wants to ensure that only Lisa can decrypt it. Which of the following does Lisa need to meet this requirement? A. Bart's public key B. Bart's private key C. Lisa's public key D. Lisa's private key

D. Lisa would decrypt the email with her private key, and Bart would encrypt the email with Lisa's public key. Although not part of this scenario, if Bart wanted Lisa to have verification that he sent it, he would create a digital signature with his private key and Lisa would verify the signature with Bart's public key. Bart does not need his keys to encrypt email sent to someone else. See Chapter 10.

34. Your organization maintains a separate wireless network for visitors in a conference room. However, you have recently noticed that people are connecting to this network even when there aren't any visitors in the conference room. You want to prevent these connections, while maintaining easy access for visitors in the conference room. Which of the following is the BEST solution? A. Disable SSID broadcasting. B. Enable MAC filtering. C. Use wireless jamming. D. Reduce antenna power.

D. Reducing the antenna power will make it more difficult for users outside of the conference room to connect, but will not affect visitors in the conference room. Disabling service set identifier (SSID) broadcasting will require visitors to know the SSID and enter it in their device, making it more difficult to access the wireless network. Enabling media access control (MAC) address filtering will block visitors until an administrator adds their MAC address. Wireless jamming will prevent all mobile devices from connecting to the wireless network. See Chapter 4.

21. Which of the following lists of protocols uses TCP port 22 by default? A. FTPS, TLS, SCP B. SCP, SFTP, FTPS C. HTTPS, SSL, TLS D. SSH, SCP, SFTP E. SCP, SSH, SSL

D. Secure Shell (SSH) uses Transmission Control Protocol (TCP) port 22 by default. Secure Copy (SCP) and Secure File Transfer Protocol (SFTP) both use SSH for encryption so they also use port 22 by default. File Transfer Protocol Secure (FTPS) uses either Secure Sockets Layer (SSL) or Transport Layer Security (TLS), typically on ports 989 or 990. Hypertext Transfer Protocol Secure (HTTPS) uses SSL or TLS on port 443. TLS and SSL do not have a default port by themselves, but instead use a default port based on the protocols they are encrypting.

100. Social engineers have launched several successful phone-based attacks against your organization resulting in several data leaks. Which of the following would be the MOST effective at reducing the success of these attacks? A. Implement a BYOD policy. B. Update the AUP. C. Provide training on data handling. D. Implement a program to increase security awareness.

D. The best choice of the available answers is to implement a program to increase security awareness, and it could focus on social engineering attacks. A bring your own device (BYOD) policy or an acceptable use policy (AUP) doesn't apply in this scenario. Training is useful, but training users on data handling won't necessarily educate them on social engineering attacks.

16. A recent security audit discovered several apparently dormant user accounts. Although users could log on to the accounts, no one had logged on to them for more than 60 days. You later discovered that these accounts are for contractors who work approximately one week every quarter. What is the BEST response to this situation? A. Remove the account expiration from the accounts. B. Delete the accounts. C. Reset the accounts. D. Disable the accounts.

D. The best response is to disable the accounts and then enable them when needed by the contractors. Ideally, the accounts would include an expiration date so that they would automatically expire when no longer needed, but the scenario doesn't indicate the accounts have an expiration date. Because the contractors need to access the accounts periodically, it's better to disable them rather than deleting them. Reset the accounts implies you are changing the password, but this isn't needed. See Chapter 2.

43. Network administrators identified what appears to be malicious traffic coming from an internal computer, but only when no one is logged on to the computer. You suspect the system is infected with malware. It periodically runs an application that attempts to connect to web sites over port 80 with Telnet. After comparing the computer with a list of services from the standard image, you verify this application is very likely the problem. What process allowed you to make this determination? A. Banner grabbing B. Hardening C. Whitelisting D. Baselining

D. The standard image is the baseline and by comparing the list of services in the baseline with the services running on the suspect computer, you can identify unauthorized services. In this scenario, Telnet must not be in the baseline, but it is running on the suspect computer. It's possible an attacker has hijacked the computer to perform banner-grabbing attacks against external web sites, but banner grabbing doesn't verify the problem on the computer. Hardening makes a computer more secure than the default configuration, but it is done before creating a baseline. Whitelisting identifies authorized applications and prevents unauthorized applications from running. See Chapter 5.

30. What type of device would have the following entries used to define its operation?
permit IP any any eq 80
permit IP any any eq 443
deny IP any any
A. Layer 2 switch B. Proxy server C. Web server D. Firewall

D. These are rules in an access control list (ACL) for a firewall. The rules are processed in order and the first match wins. The first two rules permit traffic from any IP address to any IP address on port 80 or 443. The final rule explicitly states the implicit deny: it is placed last so that any traffic not matched by an earlier rule is dropped, and it is also what blocks traffic if an administrator forgets that nothing has been explicitly allowed. Layer 2 switches do not use this type of ACL. A proxy server would not be defined by such an ACL, although it would use ports 80 and 443 for Hypertext Transfer Protocol (HTTP) and HTTP Secure (HTTPS), respectively. A web server wouldn't be defined by an ACL either, although it would also listen on ports 80 and 443. See Chapter 8.

37. You are planning a wireless network for a business. A core requirement is to ensure that the solution encrypts user credentials when users enter their usernames and passwords. Which of the following BEST meets this requirement? A. WPA2-PSK B. WEP over PEAP C. WPS with LEAP D. WPA2 over EAP-TTLS

D. Wi-Fi Protected Access II (WPA2) over Extensible Authentication Protocol-Tunneled Transport Layer Security (EAP-TTLS) is the best solution from the available answers. Because users must enter their usernames and passwords, an 802.1X solution is required, and EAP-TTLS meets this requirement by carrying the credential exchange inside a TLS tunnel. WPA2-preshared key (PSK) authenticates devices with a single shared passphrase and does not identify users by username. Wired Equivalent Privacy (WEP) is not recommended for use even with Protected EAP (PEAP). Wi-Fi Protected Setup (WPS) is a standard designed to simplify the setup of a wireless network, but it does not implement usernames, and Cisco recommends using stronger protocols rather than Lightweight EAP (LEAP). See Chapter 4.

39. Homer recently implemented a wireless network in his home using WEP. He asks you for advice. Which of the following is the BEST advice you can give him? A. He should not use WEP because it uses a weak encryption algorithm. B. He should also ensure he disables SSID broadcast for security purposes. C. He should ensure it is in Enterprise mode. D. He should not use WEP because it implements weak IVs for encryption keys.

D. Wired Equivalent Privacy (WEP) is not recommended for use, and the best-known reason is its weak initialization vectors (IVs). WEP prepends a 24-bit IV to the shared key to form each packet's RC4 key; the IV is sent in the clear, the IV space is so small that it repeats after a few thousand frames on a busy network (reusing the keystream), and the related per-packet keys allow recovery of the shared key. The exam-expected answer therefore points at the IVs rather than the algorithm, because WEP's classic breaks exploit how RC4 is keyed, not a flaw in the cipher itself; note, though, that RC4 is no longer considered strong today and has been retired from protocols such as TLS. Disabling the service set identifier (SSID) broadcast will hide the network from casual users, but it does not provide additional security. WEP doesn't support Enterprise mode. See Chapter 4.
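The IV-reuse problem described above can be shown directly. The following is an added example, not part of the study set: a minimal RC4 and a WEP-style per-packet key of IV || shared key (the CRC-32 integrity value that real WEP appends is omitted, and the key, IV and two plaintexts are constructed for the demonstration). It shows that two frames sent under the same IV share a keystream, so an eavesdropper who knows neither the key nor the plaintexts still learns the XOR of the plaintexts, and it estimates how quickly a 24-bit IV repeats.

```python
import math

def rc4_keystream(key: bytes, length: int) -> bytes:
    """Plain RC4 (KSA + PRGA). WEP keys it with the per-packet key IV || K."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)

def wep_encrypt(shared_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """WEP-style frame body: the 3-byte IV in the clear, then RC4(IV||K) XOR data.
    The ICV (CRC-32) of real WEP is left out; it does not change the keystream reuse."""
    if len(iv) != 3:
        raise ValueError("WEP IVs are 24 bits")
    ks = rc4_keystream(iv + shared_key, len(plaintext))
    return iv + bytes(p ^ k for p, k in zip(plaintext, ks))

def wep_decrypt(shared_key: bytes, frame: bytes) -> bytes:
    iv, ct = frame[:3], frame[3:]
    ks = rc4_keystream(iv + shared_key, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))

def xor_of_plaintexts(frame_a: bytes, frame_b: bytes) -> bytes:
    """Passive attacker's view: two frames with the same IV share a keystream, so
    C_a XOR C_b == P_a XOR P_b with no knowledge of the key."""
    if frame_a[:3] != frame_b[:3]:
        raise ValueError("IVs differ; keystreams are not shared")
    n = min(len(frame_a), len(frame_b)) - 3
    return bytes(a ^ b for a, b in zip(frame_a[3:3 + n], frame_b[3:3 + n]))

def recover_with_known_plaintext(frame_a: bytes, frame_b: bytes, known_a: bytes) -> bytes:
    """If P_a is predictable (a fixed protocol header, say), P_b falls out directly."""
    x = xor_of_plaintexts(frame_a, frame_b)
    return bytes(p ^ d for p, d in zip(known_a, x))

def iv_reuse_probability(packets: int, iv_bits: int = 24) -> float:
    """Birthday-bound estimate of at least one IV repeat after `packets` frames
    when IVs are chosen at random (sequential IVs wrap after 2**24 frames)."""
    n = 2 ** iv_bits
    return 1 - math.exp(-packets * (packets - 1) / (2 * n))

# Constructed sample values (40-bit WEP key, one reused IV, two same-length payloads).
SHARED_KEY = bytes([0x01, 0x02, 0x03, 0x04, 0x05])
IV = bytes([0x00, 0x00, 0x01])
PLAINTEXT_A = b"GET /index.html "
PLAINTEXT_B = b"POST /login.php "
FRAME_A = wep_encrypt(SHARED_KEY, IV, PLAINTEXT_A)
FRAME_B = wep_encrypt(SHARED_KEY, IV, PLAINTEXT_B)

if __name__ == "__main__":
    print("P_a XOR P_b from ciphertext only:", xor_of_plaintexts(FRAME_A, FRAME_B).hex())
    print("P_b given P_a:", recover_with_known_plaintext(FRAME_A, FRAME_B, PLAINTEXT_A))
    print("P(IV repeat after 5000 frames):", round(iv_reuse_probability(5000), 2))
```

Even without a known plaintext, the XOR of two English or protocol plaintexts is usually enough to recover both; this is why a 24-bit IV on a stream cipher is a design failure independent of RC4's own biases.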

29. What would you configure on a Layer 3 device to allow FTP traffic to pass through? A. Router B. Implicit deny C. Port security D. Access control list

D. You would configure an access control list (ACL) to allow traffic in or out of a network. A router is a Layer 3 device and you would configure the ACL on the router. The last rule in the ACL would be implicit deny to block all other traffic. Port security protects ports by disabling unused ports or using 802.1x, but it cannot block specific types of traffic.
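The two ACL questions above (the firewall rules permitting ports 80 and 443 with a final deny, and the router ACL that lets FTP through) both come down to ordered first-match evaluation with an implicit deny at the end. The following is an added example, not from the study set: a small evaluator that parses rules in the simplified router-style syntax shown on the page (action, protocol, source, destination, optional "eq port"), applies them first-match, and denies anything left unmatched. The FTP rule, the host address and the test packets are constructed for the example.

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp" or "udp"
    src: str
    dst: str
    dport: int

@dataclass(frozen=True)
class Rule:
    action: str            # "permit" or "deny"
    proto: str             # "ip" matches any protocol, else "tcp"/"udp"
    src: str               # "any" or an exact address
    dst: str
    dport: Optional[int]   # None means any destination port

    def matches(self, pkt: Packet) -> bool:
        return (
            (self.proto == "ip" or self.proto == pkt.proto)
            and (self.src == "any" or self.src == pkt.src)
            and (self.dst == "any" or self.dst == pkt.dst)
            and (self.dport is None or self.dport == pkt.dport)
        )

def parse_rule(line: str) -> Rule:
    """Parse 'permit ip any any eq 80' or 'deny ip any any' (simplified syntax)."""
    parts = line.split()
    if len(parts) not in (4, 6):
        raise ValueError(f"unrecognised rule: {line!r}")
    action, proto, src, dst = parts[0].lower(), parts[1].lower(), parts[2], parts[3]
    if action not in ("permit", "deny"):
        raise ValueError(f"bad action in rule: {line!r}")
    dport = None
    if len(parts) == 6:
        if parts[4] != "eq":
            raise ValueError(f"unrecognised port clause: {line!r}")
        dport = int(parts[5])
    return Rule(action, proto, src, dst, dport)

def evaluate(rules: List[Rule], pkt: Packet) -> str:
    """First matching rule wins. A packet matching no rule is denied: this is the
    implicit deny, whether or not the list ends with an explicit 'deny ip any any'."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "deny"

# The firewall ACL from the question, plus a constructed FTP control-channel rule
# (TCP/21 to one host, as the router question asks for) ahead of the final deny.
ACL = [parse_rule(line) for line in [
    "permit IP any any eq 80",
    "permit IP any any eq 443",
    "permit tcp any 203.0.113.10 eq 21",
    "deny IP any any",
]]

def decide(proto: str, src: str, dst: str, dport: int, rules: List[Rule] = ACL) -> str:
    return evaluate(rules, Packet(proto, src, dst, dport))

if __name__ == "__main__":
    for pkt in [("tcp", "198.51.100.7", "203.0.113.10", 80),
                ("tcp", "198.51.100.7", "203.0.113.10", 21),
                ("tcp", "198.51.100.7", "203.0.113.11", 21),
                ("tcp", "198.51.100.7", "203.0.113.10", 22)]:
        print(pkt, "->", decide(*pkt))
```

Because evaluation stops at the first match, the order of the entries is part of the policy: moving the deny-all to the top would silently block everything, which is the classic ACL mistake this question is probing.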

65. An organization has purchased fire insurance to manage the risk of a potential fire. What method are they using? A. Risk acceptance B. Risk avoidance C. Risk deterrence D. Risk mitigation E. Risk transference

E. Purchasing insurance is a common method of risk transference. Organizations often accept a risk when the cost of the control exceeds the cost of the risk, and the risk that remains is residual risk. An organization can avoid a risk by not providing a service or not participating in a risky activity. Risk deterrence attempts to discourage attacks with preventive controls such as a security guard. Risk mitigation reduces risks through internal controls. See Chapter 8.

61. A web developer is using methods to validate user input in a web site application. This ensures the application isn't vulnerable to all of the following attacks except one. Which of the following attacks are NOT prevented by validating user input? A. XSS B. SQL injection C. Buffer overflow D. Command injection E. Whaling

E. Whaling is a phishing attack (typically by email) that targets executives. It works by deceiving a person rather than by sending malformed input to an application, so input validation cannot prevent it. Input validation, which rejects input that does not match the expected type, length and character set, can prevent cross-site scripting (XSS), SQL injection, buffer overflow, and command injection attacks, because each of those depends on the application accepting data it should never have taken. See Chapter 7.
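To make the point above concrete, here is an added example (not from the study set) showing the same user-supplied username flowing into a SQL query, an HTML page, and a command line, first without validation and then with an allowlist check plus the safe API for each sink. The in-memory SQLite table, the rows in it, the ping command and the sample inputs are constructed for the example.

```python
import html
import re
import sqlite3
from typing import List

# Allowlist: the only shape a username may take. The length cap is the buffer
# overflow defence; the character set rules out quotes, angle brackets and shell
# metacharacters before they reach any sink.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_.-]{1,32}$")
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9.-]{1,253}$")

def validate_username(value: str) -> bool:
    return USERNAME_RE.fullmatch(value) is not None

def setup_db() -> sqlite3.Connection:
    """Constructed sample table for the demonstration."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("homer", "user"), ("admin", "admin")])
    return conn

def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> List[str]:
    """Deliberately insecure: query built by string formatting, no validation."""
    sql = f"SELECT role FROM users WHERE name = '{username}'"
    return [row[0] for row in conn.execute(sql)]

def lookup_hardened(conn: sqlite3.Connection, username: str) -> List[str]:
    """Validate the shape first, then bind the value as a parameter."""
    if not validate_username(username):
        raise ValueError("invalid username")
    return [row[0] for row in conn.execute(
        "SELECT role FROM users WHERE name = ?", (username,))]

def greet_html_vulnerable(username: str) -> str:
    """Deliberately insecure: reflects the value straight into markup (XSS)."""
    return f"<p>Hello {username}</p>"

def greet_html_hardened(username: str) -> str:
    """Validate, and still escape on output: two independent layers."""
    if not validate_username(username):
        raise ValueError("invalid username")
    return f"<p>Hello {html.escape(username)}</p>"

def build_ping_argv(host: str) -> List[str]:
    """Command injection defence: validate, and pass argv as a list so no shell
    ever parses the value (the command is returned, not executed, here)."""
    if not HOSTNAME_RE.fullmatch(host):
        raise ValueError("invalid hostname")
    return ["ping", "-c", "1", host]

def is_rejected(fn, *args) -> bool:
    """True when the hardened function refuses the input."""
    try:
        fn(*args)
    except ValueError:
        return False if False else True
    return False

# Constructed attack strings, one per attack class in the question.
SQLI = "x' OR '1'='1"
XSS = "<script>alert(1)</script>"
OVERLONG = "Z" * 200
CMDI = "example.com; id"

if __name__ == "__main__":
    conn = setup_db()
    print("vulnerable lookup with SQLi:", lookup_vulnerable(conn, SQLI))
    print("hardened lookup rejects SQLi:", is_rejected(lookup_hardened, conn, SQLI))
    print("vulnerable greeting:", greet_html_vulnerable(XSS))
    print("hardened rejects overlong:", is_rejected(greet_html_hardened, OVERLONG))
    print("hardened rejects cmd injection:", is_rejected(build_ping_argv, CMDI))
```

Validation is the first filter, not the only one: the parameterised query, the output escaping and the argv list each defend their own sink even if the allowlist is later loosened.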

5. Homer called into the help desk and says he forgot his password. Which of the following choices is the BEST choice for what the help-desk professional should do? A. Verify the user's account exists. B. Look up the user's password and tell the user what it is. C. Disable the user's account. D. Reset the password and configure the password to expire after the first use.

D. In this scenario, it's best to create a temporary password that expires after first use, which forces the user to create a new password. It's not necessary to verify the user's account exists, but the help-desk professional should verify the identity of the user before resetting anything. Passwords should be stored only as salted hashes, so they are never available for help-desk professionals to look up. It is not necessary to disable a user account to reset the password. See Chapter 1.

12. Your primary job activities include monitoring security logs, analyzing trend reports, and installing CCTV systems. Which of the following choices BEST identifies your responsibilities? (Select TWO.) A. Hardening systems B. Detecting security incidents C. Preventing incidents D. Implementing monitoring controls

B, D. Monitoring security logs and analyzing trend reports are detective controls with the goal of detecting security incidents. Installing closed-circuit television (CCTV) systems is one example of implementing a monitoring control. Hardening a system is a preventive control that includes several steps such as disabling unnecessary services, but the scenario doesn't describe these steps. Preventive controls attempt to prevent incidents, but the scenario describes detective controls. See Chapter 2.

72. A security professional is testing the functionality of an application, but does not have any knowledge about the internal coding of the application. What type of test is this tester performing? A. White box B. Black box C. Gray box D. Black hat

B. A black box tester does not have prior knowledge when testing an application or network. White box testers have full knowledge and gray box testers have some knowledge. Black hat refers to a malicious attacker. See Chapter 8.

96. Security experts want to reduce risks associated with updating critical operating systems. Which of the following will BEST meet this goal? A. Load balancing B. Change management C. Incident management D. Key management

B. A change management policy helps reduce the risk associated with making any change to systems, including updating them, by requiring changes to be reviewed, tested, scheduled and documented with a rollback plan. Load balancing can increase availability under increased load, but it does not address the risk of a faulty update. Incident management refers to responding to security incidents. Key management refers to encryption keys.

45. You want to test new security controls before deploying them. Which of the following technologies provides the MOST flexibility to meet this goal? A. Baselines B. Hardening techniques C. Virtualization technologies D. Patch management programs

C. Virtualization provides a high degree of flexibility when testing security controls because testers can easily rebuild virtual systems or revert them using a snapshot. Baselines provide a known starting point, but aren't flexible because they stay the same. Hardening techniques make systems more secure than their default configuration. Patch management programs ensure patches are deployed, but do not test security controls. See Chapter 5.

62. Checking the logs of a web server, you see the following entry: "198.252.69.129 --[1/Sep/2013:05:20]"GET index.php?username=ZZZZZZZZZZZZZZZZZZZZBBBBBBBBCCCCCCC HTTP1.1" "http://gcgapremium.com/security/" "Chrome31" Which of the following is the BEST choice to explain this entry? A. A SQL injection attack B. A pharming attack C. A phishing attack D. A buffer overflow attack

D. A buffer overflow attack sends more data than the receiving buffer can hold, so that the excess overwrites adjacent memory; depending on what is overwritten, this crashes the application or lets the attacker run code of their choosing. In this case, the request sends a long run of filler letters as the username (?username=ZZZZ....), which is longer than any legitimate username and is the characteristic shape of a probe for an unchecked buffer. Input validation that enforces a maximum length and an allowed character set can prevent this from succeeding. A SQL injection attack uses SQL syntax such as quotes and keywords, not a run of repeated letters. A pharming attack redirects users from a legitimate web site to a malicious one. A phishing attack uses deceptive email to trick users into revealing information or opening malicious content. See Chapter 7.
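The entry above is the kind of thing a detection rule can pick out of a web server log. The following is an added example, not part of the study set: a parser for the log format shown on the page (client address, bracketed timestamp, quoted request line) that extracts each query parameter and flags values that are oversized, consist of repeated filler characters, or contain SQL or script syntax. The three sample log lines are constructed; the first is modelled on the one in the question with a space inserted before the HTTP version, and the length threshold is an assumption chosen for the example.

```python
import re
from typing import Dict, List, Tuple
from urllib.parse import parse_qsl, urlsplit

# Matches: 198.252.69.129 --[1/Sep/2013:05:20]"GET index.php?u=x HTTP1.1" ...
LINE_RE = re.compile(r'^(?P<ip>\S+)\s+--\[(?P<ts>[^\]]+)\]\s*"(?P<req>[^"]*)"')

MAX_PARAM_LEN = 32        # assumed: longest legitimate username for this app
FILLER_MIN_LEN = 16       # runs this long made of <= 3 distinct characters look like padding
SQL_RE = re.compile(r"('|--|;|\bunion\b\s+\bselect\b)", re.IGNORECASE)
SCRIPT_RE = re.compile(r"<\s*script|javascript:", re.IGNORECASE)

def parse_request(req: str) -> Tuple[str, str]:
    """'GET index.php?username=x HTTP1.1' -> ('GET', 'index.php?username=x')."""
    parts = req.split()
    if len(parts) < 2:
        raise ValueError(f"malformed request line: {req!r}")
    return parts[0], parts[1]

def classify_value(value: str) -> List[str]:
    """Return the reasons a parameter value looks hostile (empty list if benign)."""
    reasons = []
    if len(value) > MAX_PARAM_LEN:
        reasons.append("oversized")
    if len(value) >= FILLER_MIN_LEN and len(set(value)) <= 3:
        reasons.append("repeated-filler")
    if SQL_RE.search(value):
        reasons.append("sql-metachar")
    if SCRIPT_RE.search(value):
        reasons.append("script-tag")
    return reasons

def scan(lines: List[str]) -> List[Dict[str, object]]:
    """Parse each log line and report every query parameter that trips a check."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue                       # not in the expected format; skip it
        _method, url = parse_request(m["req"])
        for name, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
            reasons = classify_value(value)
            if reasons:
                findings.append({"ip": m["ip"], "ts": m["ts"],
                                 "param": name, "reasons": reasons})
    return findings

# Constructed sample log: the page's entry (spaced), a benign login, a SQL injection probe.
FILLER = "Z" * 20 + "B" * 8 + "C" * 7
SAMPLE_LOG = [
    f'198.252.69.129 --[1/Sep/2013:05:20]"GET index.php?username={FILLER} HTTP1.1" '
    '"http://gcgapremium.com/security/" "Chrome31"',
    '203.0.113.5 --[1/Sep/2013:05:21]"GET index.php?username=homer HTTP1.1" "-" "Chrome31"',
    '198.51.100.9 --[1/Sep/2013:05:22]"GET index.php?username=x%27%20OR%20%271%27%3D%271 HTTP1.1" '
    '"-" "curl"',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['ip']} {f['ts']} param={f['param']} reasons={','.join(f['reasons'])}")
```

The repeated-filler check is what separates a buffer overflow probe from an injection attempt: overflow payloads are long and monotonous, whereas SQL injection is short and syntactic, which is exactly the distinction the question asks you to draw.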
