Security + review questions

Succeed in your homework and exams now with Quizwiz!

Which of the following ports enable(s) retrieving email messages from a remote server? (Select all that apply) 139 53 110 443 143

110 (POP3), 143 (IMAP)

FTP runs by default on ports: (Select 2 answers) 25 23 20 22 21

20, 21

You need to manage a remote server. Which of the following ports should you open on the firewall between your system and the remote server? 22 and 443 25 and 3389 22 and 3389 21 and 23

22 and 3389 You can manage a remote server using Secure Shell (SSH) on TCP port 22 and Remote Desktop Protocol (RDP) on TCP port 3389. You could also use Telnet on TCP port 23, but SSH is the preferred alternative. Simple Mail Transfer Protocol (SMTP) uses TCP port 25. Hypertext Transfer Protocol Secure (HTTPS) uses TCP port 443. File Transfer Protocol (FTP) uses TCP port 21.

Which of the following TCP ports is used by SMTP? 25 53 80 23

25

Which of the following answers lists a /27 subnet mask? 255.255.255.0 255.255.255.128 255.255.255.192 255.255.255.224

255.255.255.224

Lightweight Directory Access Protocol (LDAP) runs on port: 49 389 3389 636

389

TACACS+ runs on TCP port: 389 49 636 88

49

The non-standard, enhanced version of the LDAP protocol providing the capability for encrypted transmission runs on port: 49 3389 636 389

636

Which of the following port numbers is used by Kerberos? 23 80 22 88

88

Looking at logs for an online web application, you see that someone has entered the following phrase into several queries: ' or '1'='1' -- Which of the following is the MOST likely explanation for this? An XSS attack A buffer overflow attack A SQL injection attack An LDAP injection attack

A SQL injection attack Attackers use the phrase in SQL injection attacks to query or modify databases. A buffer overflow attack sends more data or unexpected data to an application with the goal of accessing system memory. A cross-site scripting (XSS) attack attempts to insert HTML or JavaScript code into a web site or email. A Lightweight Directory Access Protocol (LDAP) injection attack attempts to inject LDAP commands to query a directory service database. See "Identifying Advanced Attacks"

Checking the logs of a web server, you see the following entry: 198.252.69.129 - [1/Sep/2013:05:20] "GET /index.php?username=ZZZZZZZZZZZZZZZZZZZZBBBBBBBBCCCCCCC HTTP/1.1" "http://gcgapremium.com/security/" "Chrome31" Which of the following is the BEST choice to explain this entry? A phishing attack A pharming attack A SQL injection attack A buffer overflow attack

A buffer overflow attack A buffer overflow attack sends more data or unexpected data to a system in the hopes of overloading it and causing a problem. In this case, it is sending a series of letters as the username (?username=ZZZZ....), which is likely longer than any expected username. Input validation can prevent this from succeeding. A SQL injection attack uses specific SQL code, not random letters or characters. A pharming attack attempts to redirect users from one web site to another website. A phishing attack sends unwanted email to users. See "Identifying Advanced Attacks"

Developers are planning to develop an application using role-based access control. Which of the following would they MOST likely include in their planning? A matrix of functions matched with their required privileges A listing of labels reflecting classification levels A listing of owners A requirements list identifying need to know

A matrix of functions matched with their required privileges A matrix of functions, roles, or job titles matched with the required access privileges for each of the functions, roles, or job titles is a common planning document for a role-based access control model. The mandatory access control (MAC) model uses sensitivity labels and classification levels. MAC is effective at restricting access based on a need to know. The discretionary access control model specifies that every object has an owner and it might identify owners in a list.

A user complains that his system is no longer able to access the blogs.getcertifiedgetahead.com site. Instead, his browser goes to a different site. After investigation, you notice the following entries in the user's hosts file: 127.0.0.1 localhost 72.52.230.233 blogs.getcertifiedgetahead.com What is the BEST explanation for this entry? A phishing attack A pharming attack Session hijacking A whaling attack

A pharming attack A pharming attack attempts to redirect users from one website to another website. Although this is often done using DNS poisoning, it can also be done by rewriting the hosts file in a user's system. The 127.0.0.1 localhost entry is the default entry in the hosts file, and the second entry redirects the user to a different site. Whaling is a phishing attack that targets high-level executives. In session hijacking, an attacker records a user's credentials and uses them to impersonate the user. Phishing is the practice of sending email to users with the purpose of tricking them into revealing personal information (such as bank account information).

An organization is implementing a data policy and wants to designate a recovery agent. Which of the following indicates what a recovery agent can do? A recovery agent can restore a system from backups. A recovery agent can retrieve a user's public key. A recovery agent can encrypt data if users lose their private key. A recovery agent can decrypt data if users lose their private key.

A recovery agent can decrypt data if users lose their private key. Recovery agents can decrypt data and messages if users lose their private key. Public keys are publicly available, so recovery agents aren't needed to retrieve them. A recovery agent wouldn't encrypt a user's data. Although backups are important, this isn't the role of a recovery agent. See "Understanding Cryptography"

Which of the following can be used by a security administrator to successfully recover a user's forgotten password on a password protected file? A) Brute force B) Password sniffing C) Social engineering D) Cognitive password

A) Brute force

Separation of duties is often implemented between developers and administrators in order to separate which of the following? A) Changes to program code and the ability to deploy to production B) The network access layer from the application access layer C) Upper level management users from standard development employees D) More experienced employees from less experienced employees

A) Changes to program code and the ability to deploy to production Employees with access to the development AND deployment processes could pose a security hazard, which is why separation of duties and need-to-know policies should be in place.

Which of the following describes the most secure firewall configuration? A) Deny all, with exceptions for required applications and ports B) Allow all, deny malicious applications and ports C) Deny all UDP, allow all TCP D) Deny all protocols, allow TCP/IP

A) Deny all, with exceptions for required applications and ports Implicit deny describes a configuration where everything is denied by default, and exceptions are granted only when absolutely necessary. This is the most restrictive and secure method of securing a network, but it also requires a high level of administration.

What device will work best for servers that need to store private keys? A) Hardware Security Module B) Network firewall C) SSD hard drive D) Host firewall

A) Hardware Security Module A Hardware Security Module (HSM) is a physical device used to manage digital keys, certificates, and signatures.

Which of the following BEST explains the use of an HSM within the company servers? A) Hardware encryption is faster than software encryption. B) Data loss by removable media can be prevented with DLP. C) Thumb drives present a significant threat which is mitigated by HSM. D) Software encryption can perform multiple functions required by HSM.

A) Hardware encryption is faster than software encryption. Hardware and software encryption do essentially the same thing, but a Hardware Security Module (HSM) allows a server to perform cryptographic operations much faster, improving response time and allowing for stronger encryption.

Which of the following protocols is used to encrypt emails? A) PGP B) SMTP C) SMAP D) HTTPS

A) PGP PGP - Pretty Good Privacy ■ OpenPGP is a PGP standard that circumvents licensing ■ GNU Privacy Guard is free and based on OpenPGP ■ PGP uses asymmetric and symmetric, and some versions follow S/MIME

Which answer properly describes the purpose of the CA role in Public Key Infrastructure? A) To issue a public certificate for a private key B) To sign key escrow lists to CRLs C) To issue and sign all root certs D) To verify keys for authenticity

A) To issue a public certificate for a private key A system administrator will create a private key and use this key to create a Certificate Signing Request (CSR). The CSR will be sent to a Certificate Authority (CA), which will issue a public certificate for the administrator to use. Certificate Authority ○ Issues, manages, validates, and revokes certificates. ○ Large companies like Verisign, which services Amazon, or small services. ○ CAs must be trusted, because they make money by selling certs. ● Certificate Trust Paths and Trust Models ○ CAs are trusted by placing their root certificate into a trusted root CA store. ○ CAs have to negotiate with web browsers to get their certificates added into that browser.

Which of the following assets is MOST likely considered for DLP? A) USB mass storage device B) Print server C) Reverse proxy D) Application server content

A) USB mass storage device USB mass storage devices are commonly used in Data Loss Prevention (DLP) as a backup medium.

Which of the following are symmetric-key algorithms? (Select 3 answers) AES DES RSA Diffie-Hellman 3DES

AES DES 3DES DES and 3DES • Data Encryption Standard - DES and Triple DES • One of the Federal Information Processing Standards (FIPS) • 64-bit block cipher • 56-bit key (very small in modern terms) • 3DES - Use the DES algorithm three times • Three keys, two keys, or the same key three times • SUPERSEDED by AES (Advanced Encryption Standard) !!!

Which of the following exploits takes advantage of the spoofed MAC address? DNS poisoning Bluesnarfing MAC filtering Bluejacking ARP poisoning

ARP poisoning

Which of the following answers refer to the Rule-Based Access Control (RBAC) model? (Select 2 answers) Access to resources granted or denied depending on Access Control List (ACL) entries Every object has an owner who at his/her own discretion determines what kind of permissions other users can have to that object Implemented in network devices such as firewalls in order to control inbound and outbound traffic based on filtering rules Every resource has a sensitivity label matching a clearance level assigned to a user; labels and clearance levels can only be applied and changed by an administrator An access control method based on user identity

Access to resources granted or denied depending on Access Control List (ACL) entries Implemented in network devices such as firewalls in order to control inbound and outbound traffic based on filtering rules

Lisa recently completed an external security audit for an organization. She discovered that Otto left the organization to become a school bus driver, but his account was not disabled. Which of the following did the organization fail to implement? User rights and permissions review Routine account audits Account management processes Change management procedures

Account management processes Account management processes include disabling and/or deleting accounts that are no longer needed. If this process was followed, Otto's account would be either disabled or deleted. Routine account audits would discover the original problem (not disabling or deleting the account). However, the question isn't specific about when the user left. For example, if the user left last week, a monthly audit scheduled for next week would discover the problem. Because of this, routine audits aren't the best answer based on how this question is worded. A user rights and permissions review helps ensure that users don't have more rights and permissions than they need for their job. It isn't related to previous employees. Change management refers to making changes to systems. It isn't related to disabling accounts of previous employees. Objective: 5.3 Install and configure security controls when performing account management, based on best practices.

Your organization hosts a web-based server that remote administrators access via Telnet. Management wants to increase their rights to prosecute unauthorized personnel who access this server. Which of the following is the BEST choice? Enable FTP logging. Enable SSH instead of Telnet. Enable banner ads. Add a warning banner.

Add a warning banner. A warning banner displayed when personnel log on could inform them that unauthorized access is restricted and is the best choice of those given. Although Secure Shell (SSH) is a more secure alternative than Telnet, it doesn't impact the ability of prosecuting personnel. Banner ads are used on websites, not within a Telnet session. File Transfer Protocol (FTP) logging wouldn't log Telnet sessions.

Company management suspects an employee is stealing critical project information and selling it to a competitor. They'd like to identify who is doing this, without compromising any live data. What is the BEST option to meet this goal? Install antivirus software on all user systems. Implement an IPS. Implement an IDS. Add fabricated project data on a honeypot.

Add fabricated project data on a honeypot. Fabricated data on a honeypot could lure the malicious insider and entice him to access it. Antivirus software blocks malware. An intrusion prevention system (IPS) and an intrusion detection system (IDS) each detect attacks, but won't detect someone accessing data on a server. See "Securing Your Network"

Your organization has been receiving a significant amount of spam with links to malicious websites. You want to stop the spam. Of the following choices, what provides the BEST solution? Use a URL filter Add the domain to a block list Add antivirus software Use a MAC filter

Add the domain to a block list You can block emails from a specific domain sending spam by adding the domain to a block list. While the question doesn't indicate that the spam is coming from a single domain, this is still the best answer of the given choices. A URL filter blocks outgoing traffic and can be used to block the links to the malicious web sites in this scenario, but it doesn't stop the email. Switches use MAC filters to restrict access within a network. Antivirus software does not block spam. See "Understanding Malware and Social Engineering"

Your network currently has a dedicated firewall protecting access to a web server. It is currently configured with the following two rules in the ACL along with an implicit allow rule at the end: PERMIT TCP ANY ANY 443 PERMIT TCP ANY ANY 80 You have detected DNS requests and zone transfer requests coming through the firewall and you need to block them. Which of the following would meet this goal? (Select TWO. Each answer is a full solution.) Add the following rule to the firewall: DENY IP ALL ALL 53. Add the following rule to the firewall: DENY TCP ALL ALL 53. Add the following rule to the firewall: DENY UDP ALL ALL 53. Add the following rule to the firewall: DENY TCP ALL ALL 25. Change the implicit allow rule to implicit deny

Add the following rule to the firewall: DENY IP ALL ALL 53. Change the implicit allow rule to implicit deny The easiest way is to change the implicit allow rule to implicit deny and that is preferred because it will protect the server from unwanted traffic. You can also deny all IP traffic using port 53 with DENY IP ALL ALL 53. DNS requests use UDP port 53, and zone transfers use TCP port 53 so both UDP 53 and TCP port 53 need to be blocked. You can achieve that goal with DENY IP ALL ALL 53.

Two companies have decided to work together on a project and implemented an MOU. Which of the following represents the GREATEST security risk in this situation? An MOU includes monetary penalties if one party doesn't meet its responsibilities. An MOU doesn't define responsibilities. An MOU doesn't have strict guidelines to protect sensitive data. An MOU can impose strict requirements for connections.

An MOU doesn't have strict guidelines to protect sensitive data. A memorandum of understanding (MOU) represents an agreement and it doesn't have strict guidelines to protect sensitive data. An MOU does define responsibilities between the parties. A service level agreement (SLA) might include monetary penalties, but an MOU does not. An interconnection security agreement (ISA) includes strict requirements for connections and is often used with an MOU.

While analyzing a packet capture log, you notice the following entry: 16:12:50, src 10.80.1.5:3389, dst 192.168.1.100:8080, syn/ack Of the following choices, what is the BEST explanation of this entry? An RDP connection attempt An FTP connection attempt A buffer overflow attack An HTTP connection attempt

An RDP connection attempt This log entry indicates that a source (src) system with an IP of 10.80.1.5 sent a connection attempt using port 3389, which is the Remote Desktop Protocol (RDP) port, at time 4:12:50 p.m. The destination (dst) was IP 192.168.1.100 on port 8080, a common proxy server listening port. Hypertext Transfer Protocol (HTTP) uses port 80, not port 3389. File Transfer Protocol (FTP) uses ports 20 and 21, not port 3389. A buffer overflow attack sends unexpected data, but this entry indicates that it is a SYN/ACK (synchronize/acknowledge) packet establishing a connection.

Your organization is planning to implement a wireless network using WPA2 Enterprise. Of the following choices, what is required? An authentication server with DHCP installed on the authentication server An authentication server with a digital certificate installed on the authentication server An authentication server with DNS installed on the authentication server An authentication server with WEP running on the access point

An authentication server with a digital certificate installed on the authentication server WPA2 Enterprise requires an 802.1x authentication server and most implementations require a digital certificate installed on the server. The network will likely have Dynamic Host Configuration Protocol (DHCP) and Domain Name System (DNS) services, but it isn't necessary to install them on the authentication server. Wired Equivalent Privacy (WEP) provides poor security and is not compatible with WPA2 Enterprise.

Management is concerned about malicious activity on your network and wants to implement a security control that will detect unusual traffic on the network. Which of the following is the BEST choice to meet this goal? Signature-based IDS Anomaly-based IDS Network firewall Honeypot

Anomaly-based IDS An anomaly-based (also called heuristic or behavior-based) detection system compares current activity with a previously created baseline to detect any anomalies or changes. A network firewall blocks and allows traffic, but does not detect unusual traffic. Signature-based systems use signatures similar to antivirus software. A honeypot is a server designed to look valuable to an attacker and can divert attacks.

Your local library is planning to purchase new computers that patrons can use for Internet research. Which of the following are the BEST choices to protect these computers? (Choose TWO.) Mantrap Antimalware software Pop-up blockers Cable locks Disk encryption

Antimalware software Cable locks Antimalware software and cable locks are the best choices to protect these computers. Antimalware software protects the systems from viruses and other malware. The cable locks deter theft of the computers. A mantrap prevents tailgating, but this is unrelated to this question. Pop-up blockers are useful, but they are often included with antimalware software, so antimalware software is most important. Disk encryption is useful if the computers have confidential information, but it wouldn't be appropriate to put confidential information on a public computer. See "Exploring Control Types and Methods" and "Understanding Malware and Social Engineering"

Your organization wants to ensure that employees do not install or play operating system games, such as solitaire and FreeCell, on their computers. Which of the following is the BEST choice to prevent this? Antimalware software Security policy Antivirus software Application whitelisting

Application whitelisting Application whitelisting identifies authorized applications and prevents users from installing or running any other applications. Alternately, you can use a blacklist to identify specific applications that cannot be installed or run on a system. A security policy (such as an acceptable use policy) can state a rule to discourage this behavior, but it doesn't enforce the rule by preventing users from installing or running the software. Antimalware software and antivirus software can detect and block malware, but not applications.

What are the features of Elliptic Curve Cryptography (ECC)? (Select 2 answers) Asymmetric encryption Shared key Suitable for small wireless devices High processing power requirements Symmetric encryption

Asymmetric encryption Suitable for small wireless devices Asymmetric encryption • Need large integers composed of two or more large prime factors • Instead of numbers, use curves! • Smaller storage and transmission requirements • Perfect for mobile devices

Which part of the AAA framework deals with verification of the identity of a person or process? Authorization Non-repudiation Authentication Accounting

Authentication

A network includes a ticket-granting ticket server. Which of the following choices is the primary purpose of this server? Authorization Identification Access control Authentication

Authentication Kerberos uses a ticket-granting ticket server for authentication. Users claim an identity with a username for identification. They prove their identity with credentials for authentication, and Kerberos incorporates these credentials in tickets. Users are authorized access to resources with permissions, but only after they have been authenticated by an authentication service such as Kerberos. Access controls restrict access to resources after users are identified and authenticated.

Which part of the AAA framework deals with granting or denying access to resources? Authentication Identification Accounting Authorization

Authorization

Which part of the AAA framework incorporates the time-of-day restrictions requirement? Authentication Non-repudiation Accounting Authorization

Authorization

A company with a US-based sales force has requested that the VPN system be configured to authenticate the sales team based on their username, password and a client-side certificate. How many authentication factors are in use by the VPN system? A) 1 B) 2 C) 3 D) 4

B) 2 The three types of authentication factors are something you know, something you have, and something you are. In this case 2 factors are used: 1. The user must know the username and password. 2. The user must have a valid client-side certificate.

When converted into binary, how many bits are present in an IPv4 Address? A) 128 B) 32 C) 48 D) 64

B) 32 IPv4 addressing consists of four octets of eight bits each. 8x4=32 bits per address. Example: 192.168.1.1 in binary is 11000000.10101000.00000001.00000001, which is 32 bits.

Sara, a security manager, has decided to force expiration of all company passwords by the close of business day. Which of the following BEST supports this reasoning? A) Implementation of account lockout procedures. B) A recent security breach in which passwords were cracked C) Enforcement of password complexity requirements D) Implementation of configuration management processes

B) A recent security breach in which passwords were cracked Forcing all users to renew their login credentials is commonly done if there was a recent breach in security.

Select the answer that properly describes IPSec in tunnel mode: A) Packet contents are encrypted, headers are not B) Entire packet is encrypted and wrapped with new IP headers C) IPSec encrypts packets using SSL, similar to SSH D) IPSec is incompatible with OSPF WAN encryptions

B) Entire packet is encrypted and wrapped with new IP headers IPsec offers both Tunnel Mode and Transport Mode ■ Tunnel Mode is used with VPN, and encapsulates the entire IP packet ■ Transport Mode only encrypts the payload and is more efficient in private networks

Which of the following should be deployed to prevent the transmission of malicious traffic between virtual machines hosted on a singular physical device on a network? A) NIPS on the network B) HIPS on each virtual machine C) NIDS on the network D) HIDS on each virtual machine

B) HIPS on each virtual machine In this case, a NIDS or NIPS will not prevent malicious traffic, because traffic between virtual machines on the same physical machine may not be transmitted on network devices. Because of this, we need Host Intrusion PREVENTION Systems (HIPS).

Which of the following would satisfy wireless network implementation requirements to use mutual authentication and usernames and passwords? A) EAP-MD5 B) PEAP-MSCHAPv2 C) WEP D) EAP-TLS

B) PEAP-MSCHAPv2 Protected Extensible Authentication Protocol (PEAP) provides encrypted, mutual authentication, while the Microsoft Challenge Handshake Authentication Protocol provides network authentication through username and password.

An administrator is receiving an error in a browser stating a website's certificate is invalid. Which of the following is the browser referring to? A) Private key B) Public key C) Recovery agent D) CRL

B) Public key Browsers load web certificates when a web server uses the HTTPS protocol. The certificate given to the browser will always be the public certificate, which contains the public key. The private key is kept by the administrator who created the certificate and should never be shared.

George, an employee, is terminated from the company and the legal department needs documents from his encrypted hard drive. Which of the following could be used to accomplish this task? A) Private hash B) Recovery agent C) Public key D) CRL

B) Recovery agent A Recovery Agent is a user capable of decrypting data that was encrypted by a local user.

The Chief Information Officer (CIO) of your employer has mandated that the internal payroll software be moved to a new cloud-based application. The platform is an industry standard and will be licensed for use by the company. Which of the following best describes this situation? A) Platform as a Service B) Software as a Service C) Hosted virtualization service D) Infrastructure as a Service

B) Software as a Service Software as a Service (SaaS) is a service model where software and applications are hosted by a service provider for use through a network, normally the internet.

Which of the following is a protocol that could be used to support authentication services for several local devices from a central location without the use of tokens or tickets? A) Kerberos B) TACACS+ C) Smartcards D) Biometrics

B) TACACS+ The Terminal Access Controller Access-Control System Plus (TACACS+) protocol handles authentication, authorization, and accounting (AAA) using usernames and passwords. TACACS+ ■ Cisco proprietary alternative to RADIUS. ■ Interoperable with Kerberos. ■ Works on a wide host of environments ■ Encrypts the full authentication exchange ■ Uses TCP for guaranteed connections ■ Also used by corporations to secure network devices like routers

Which of the following is a difference between TFTP and FTP? A) TFTP is slower than FTP B) TFTP utilizes UDP and FTP uses TCP C) TFTP is more secure than FTP D) TFTP utilizes TCP and FTP uses UDP

B) TFTP utilizes UDP and FTP uses TCP Trivial File Transfer Protocol (TFTP) is designed to be a simpler, less secure version of FTP. It uses little to no authentication, and UDP instead of TCP.

A router has a single Ethernet connection to a switch. In the router configuration, the Ethernet interface has three sub-interfaces, each configured with ACLs applied to them and 802.1q trunks. Which of the following is MOST likely the reason for the sub-interfaces? A) The sub-interfaces each implement quality of service B) The switch has several VLANs configured on it C) The sub-interfaces are configured for VoIP traffic D) The network uses the subnet of 255.255.255.128

B) The switch has several VLANs configured on it Switches can also group several computers into a VLAN, isolating network traffic ○ This allows people who are not in the same physical proximity to work together securely VLANs • Logically separate your switch ports into subnets • VLANs cannot communicate to each other without a router • Group users together by function

Tom, an individual, has recently been calling various financial offices pretending to be another person to gain financial information. Which of the following attacks is being described? A) Pharming B) Vishing C) Tailgating D) Phishing

B) Vishing Voice phishing (Vishing) is the act of using social engineering over a telephone system.

A security analyst is creating a document that includes the expected monetary loss from a major outage. She is calculating the potential lost sales, fines, and impact on the organization's customers. Which of the following documents is she MOST likely creating? BCP BIA RPO DRP

BIA A business impact analysis (BIA) includes information on potential monetary losses and is the most likely document of those listed that would include this information. A business continuity plan (BCP) includes a BIA, but the BIA is more likely to include this information than the BCP is. A disaster recovery plan (DRP) includes methods used to recover from an outage. The recovery point objective (RPO) refers to the amount of data you can afford to lose but does not include monetary losses. See "Preparing for Business Continuity"

After a recent attack causing a data breach, an executive is analyzing the financial losses. She determined that the attack is likely to cost at least $1 million. She wants to ensure that this information is documented for future planning purposes. Where is she MOST likely to document it? BIA DRP COOP RTO

BIA A business impact analysis (BIA) includes information on potential losses and is the most likely document of those listed where this loss would be documented. A disaster recovery plan (DRP) includes methods used to recover from an outage. Continuity of operations planning (COOP) includes methods, such as alternate sites, used to keep an organization operational after an outage. The recovery time objective (RTO) identifies the time period when you plan to restore a system after an outage; it is not a document.

You need to reboot your DNS server. Of the following choices, which type of server are you MOST likely to reboot? Web server Apache server Unix server BIND server

BIND server Berkeley Internet Name Domain (BIND) is a type of Domain Name System (DNS) software commonly used on the Internet and in some internal networks, so a BIND server is a DNS server. BIND runs on Unix servers, but not all Unix servers are BIND servers. Apache is a type of web server software that runs on Unix and Linux systems.

Which of the following answers refers to a key document governing the relationship between two business organisations? ISA ALE SLA BPA

BPA Business Partners Agreement (BPA) • Commonly seen between manufacturers and resellers

Bart wants to send a secure email to Lisa so he decides to encrypt it. Bart wants to ensure that Lisa can verify that he sent it. Which of the following does Lisa need to meet this requirement? Bart's private key Bart's public key Lisa's public key Lisa's private key

Bart's public key Lisa would decrypt the digital signature with Bart's public key and verify the public key is valid by querying a Certificate Authority (CA). The digital signature provides verification that Bart sent the message, nonrepudiation, and integrity for the message. Bart encrypts the digital signature with his private key, which can only be decrypted with his public key. Lisa's keys are not used for Bart's digital signature, but might be used for the encryption of the email. Although not part of this scenario, Bart would encrypt the email with Lisa's public key and Lisa would decrypt the email with Lisa's private key.

You are preparing to deploy an anomaly-based detection system to monitor network activity. What would you create first? Flood guards Honeypot Signatures Baseline

Baseline An anomaly-based (also called heuristic or behavior-based) detection system compares current activity with a previously created baseline to detect any anomalies or changes. Flood guards help protect against SYN flood attacks. Signature-based systems use signatures similar to antivirus software. A honeypot is a server designed to look valuable to an attacker and can divert attacks. See "Securing Your Network"

You need to periodically check the configuration of a server and identify any changes. What are you performing? Attack surface review Code review Design review Baseline review

Baseline review A baseline review identifies changes from the original deployed configuration. The original configuration is also known as the baseline. A code review checks internally developed software for vulnerabilities. A design review verifies the design of software or applications to ensure they are developed properly. Determining the attack surface is an assessment technique, but it does not identify changes. See "Managing Risk"

Network administrators identified what appears to be malicious traffic coming from an internal computer, but only when no one is logged on to the computer. You suspect the system is infected with malware. It periodically runs an application that attempts to connect to web sites over port 80 with Telnet. After comparing the computer with a list of services from the standard image, you verify this application is very likely the problem. What process allowed you to make this determination? Hardening Banner grabbing Whitelisting Baselining

Baselining The standard image is the baseline and by comparing the list of services in the baseline with the services running on the suspect computer, you can identify unauthorized services. In this scenario, Telnet must not be in the baseline, but it is running on the suspect computer. It's possible an attacker has hijacked the computer to perform banner-grabbing attacks against external web sites, but banner grabbing doesn't verify the problem on the computer. Hardening makes a computer more secure than the default configuration, but it is done before creating a baseline. Whitelisting identifies authorized applications and prevents unauthorized applications from running. See "Securing Hosts and Data"

An application requires users to log on with passwords. The application developers want to store the passwords in such a way that it will thwart rainbow table attacks. Which of the following is the BEST solution? Bcrypt Blowfish SHA ECC

Bcrypt Bcrypt is a key stretching technique designed to protect against brute force attempts and is the best choice of the given answers. Another alternative is Password-Based Key Derivation Function 2 (PBKDF2). Both salt the password with additional bits. Passwords stored using Secure Hash Algorithm (SHA) are easier to crack because they don't use salts. PBKDF2 is based on Blowfish, but Blowfish itself isn't commonly used to encrypt passwords. Elliptic curve cryptography (ECC) is efficient and sometimes used with mobile devices, but not to encrypt passwords.

A security professional is testing the functionality of an application, but does not have any knowledge about the internal coding of the application. What type of test is this tester performing? Black box White box Gray box Black hat

Black box A black box tester does not have prior knowledge when testing an application or network. White box testers have full knowledge and gray box testers have some knowledge. Black hat refers to a malicious attacker. See "Managing Risk"

An application developer needs to use an encryption protocol to encrypt credit card data within a database used by the application. Which of the following would be the FASTEST, while also providing strong confidentiality? DES AES-256 Blowfish SHA-2

Blowfish Blowfish would be the fastest in this scenario. Blowfish provides strong encryption, so it would provide strong confidentiality. Advanced Encryption Standard-256 (AES-256) is a strong encryption protocol, but Blowfish is faster than AES in some situations, such as when comparing it against AES-256. Data Encryption Standard (DES) is not secure and is not recommended today. Secure Hash Algorithm version 2 (SHA-2) is a hashing algorithm used for integrity.

An application on one of your database servers has crashed several times recently. Examining detailed debugging logs, you discover that just prior to crashing, the database application is receiving a long series of x90 characters. What is MOST likely occurring? XML injection Zero-day Buffer overflow SQL injection

Buffer overflow Buffer overflow attacks include a series of no operation (NOP) commands, such as hexadecimal 90 (x90). When successful, they can crash applications and expose memory, allowing attackers to run malicious code on the system. SQL injection attacks and Extensible Markup Language (XML) injection attacks do not use NOP commands. Zero-day attacks are unknown or undocumented, but attacks using NOP commands are known.

While reviewing logs for a web application, a developer notices that it has crashed several times reporting a memory error. Shortly after it crashes, the logs show malicious code that isn't part of a known application. What is MOST likely occurring? XSS Buffer overflow Cross-site scripting XML injection

Buffer overflow Buffer overflow attacks often cause an application to crash and expose system memory. Attackers then write malicious code into the exposed memory and use different techniques to get the system to run this code. None of the other attacks inserts malicious code into memory. Attackers attempt to embed HTML or JavaScript code in cross-site scripting (XSS) attacks, often to read cookies on a user's system. Extensible Markup Language (XML) injection attacks attempt to access or modify XML formatted data.

Penetration testing: (Select all that apply) Bypasses security controls Only identifies lack of security controls Actively tests security controls Exploits vulnerabilities Passively tests security controls

Bypasses security controls Actively tests security controls Exploits vulnerabilities

Which of the following is true about asymmetric encryption? A) A message encrypted with the private key can be decrypted by the same key B) A message encrypted with a shared key, can be decrypted by the same key C) A message encrypted with the public key can be decrypted with the private key D) A message encrypted with the public key can be decrypted with a shared key

C) A message encrypted with the public key can be decrypted with the private key In asymmetric encryption, there are two keys (generally public and private keys); anything encrypted with one key can only be decrypted with the opposite key.

A user ID and password together provide which of the following? A) Identification B) Auditing C) Authentication D) Authorization

C) Authentication The combination of User ID and password allows an application or system to authenticate the user.

A software test that does not examine the software's code is known as what? A) White Hat B) White Box C) Black Box D) Grey Box

C) Black Box

A server on your network needs to be accessed by external users. The content of the server should be publicly available and does not contain any confidential information. Where should you place it? A) Intranet B) Behind the firewall and NAT service C) DMZ D) Behind an IPsec tunneling firewall

C) DMZ
DMZ
○ A section of the network available to external hosts, but segmented and secured so that it does not allow access to secure local data
○ Mail servers are often in the DMZ but surrounded by firewalls on both sides
○ Often servers within the DMZ can communicate with internal hosts/servers in order to relay info while remaining secure, because this requires special permissions with the second firewall

Which of the following application security testing techniques is implemented when an automated system generates random input data? A) Input validation B) XSRF C) Fuzzing D) Hardening

C) Fuzzing
Fuzzing
■ Using a program to send random data to an app
■ Might crash or provide unexpected results, but may reveal a vulnerability

Which networking device makes it very easy for a malicious user to receive and save packets that were not intended for their workstation? A) Router B) Switch C) HUB D) Bridge

C) HUB A HUB forwards all packets out all interfaces, except the one the packet was received on. This means information sent from Host A to Host B is very easily intercepted by Host C, even if Host C wasn't addressed in the data header. A HUB is considered a layer 1 (Physical Layer) device in the OSI Model.

An attacker attempted to compromise a web form by inserting the following input into the username field: admin)(|(password=*)) Which of the following types of attacks was attempted? A) Command injection B) SQL injection C) LDAP injection D) XSS

C) LDAP injection This web based injection is targeting the LDAP server. Specifically, the admin account and its password.

Which of the following presents the STRONGEST access control? A) DAC B) TACACS C) MAC D) RBAC

C) MAC
Mandatory Access Control (MAC)
○ Operates under the principle of least privilege
○ Both users and objects have sensitivity labels, and only if the user has an equal or greater label, AND need to know, can they access the file
○ In high security situations, multiple levels of checks are enabled before deciding a user has a need to know in any given matter
○ This system is slow and inflexible, but very secure

A network analyst received a number of reports that impersonation was taking place on the network. Session tokens were deployed to mitigate this issue and defend against which of the following attacks? A) DDoS B) Phishing C) Replay D) Smurf

C) Replay A Replay Attack is a malicious network attack where valid transmission data is replayed or duplicated in order to obtain illegal access to a system.

A network administrator needs to provide daily network usage reports on all layer 3 devices without compromising any data while gathering the information. Which of the following would be configured to provide these reports? A) SSH B) ICMP C) SNMPv3 D) SNMP

C) SNMPv3 The Simple Network Management Protocol (SNMP) is used to manage devices on IP networks. It is used to monitor, configure, and manage network devices. SNMPv3 is the correct answer because it provides authentication, integrity, and confidentiality, while versions 1 and 2 did not.

Which statement is TRUE about the operation of a packet sniffer? A) It can only have one interface on a management network. B) They are required for firewall operation and stateful inspection. C) The Ethernet card must be placed in promiscuous mode. D) It must be placed on a single virtual LAN interface.

C) The Ethernet card must be placed in promiscuous mode. When a NIC is placed in promiscuous mode, it will pass all data it receives on to the CPU. Normally, a NIC will ignore data not intended for its IP or MAC addresses.

A security administrator needs to update the OS on all the switches in the company. Which of the following MUST be done before any actual switch configuration is performed? A) The request needs to be sent to the revision management team. B) The request needs to be approved through the incident management process. C) The request needs to be approved through the change management process. D) The request needs to be sent to the enterprise management team.

C) The request needs to be approved through the change management process. The change management process is the process of requesting, planning, evaluating, and implementing changes to a computer system.

Which of the following would a security administrator implement in order to discover comprehensive security threats on a network? A) Code review B) Design reviews C) Vulnerability scan D) Baseline reporting

C) Vulnerability scan
Vulnerability Scanning
○ Identifies Vulnerabilities
○ Identifies Misconfigurations
  ■ Open Ports
  ■ Weak Passwords
  ■ Default accounts and passwords
  ■ Sensitive Data - DLP
  ■ Security and Configuration Errors
○ Passively Tests Security Controls
  ■ Identifies only, does not exploit
  ■ Does not interfere with normal operations until an admin can assess
○ Identifies Lack of Security Controls
  ■ Lack of patches or antivirus

Which of the following standard protocols utilizes the 802.11i standard? A) WEP B) WEP2 C) WPA2 D) PNAC

C) WPA2 IEEE standard 802.11i was designed to replace WEP in wireless encryption/authentication. It is commonly known as WPA2 or Wi-Fi Protected Access 2.

A United States Department of Defense (DoD) smart card providing the capability for multi-factor authentication of its personnel is known as: SCADA CAC One-time pad HOTP

CAC Common Access Card

Your organization is planning to implement an internal PKI. What is required to ensure users can validate certificates? An intermediate CA CSR CRL Wildcard certificates

CRL A certificate revocation list (CRL) includes a list of revoked certificates and it allows users to validate certificates. Any CA can issue a CRL, so an intermediate CA is not needed. Users request certificates with a certificate signing request (CSR). Wildcard certificates reduce the administrative burden for certificates, but do not have anything to do with validating certificates.

Which of the solutions listed below allow(s) checking whether a digital certificate has been revoked? (Select all that apply) CIRT CRL OCSP CRC ICMP

CRL
Key Revocation
• Certificate Revocation List (CRL)
• Maintained by the Certificate Authority (CA)
OCSP (Online Certificate Status Protocol)
Getting Revocation Details to the Browser
• OCSP
• The browser can check certificate revocation
• Messages usually sent to an OCSP responder via HTTP
• Not all browsers support OCSP
• Early Internet Explorer versions did not support OCSP

You need to request a certificate for a web server. Which of the following would you MOST likely use? CA OCSP CSR CRL

CSR A certificate signing request (CSR) uses a specific format to request a certificate. You submit the CSR to a Certificate Authority (CA), but the request needs to be in the CSR format. A certificate revocation list (CRL) is a list of revoked certificates. The Online Certificate Status Protocol (OCSP) is an alternate method of validating certificates and indicates if a certificate is good, revoked, or unknown. See "Understanding Cryptography"

A forensic expert is preparing to analyze a hard drive. Which of the following should the expert do FIRST? Create a chain-of-custody document. Identify the order of volatility. Capture an image. Take a screenshot.

Capture an image. Before analyzing a hard drive, a forensic expert should capture an image of the hard drive and then analyze the image. This protects it from accidental modifications and preserves it as usable evidence. The order of volatility identifies what data is most volatile (such as cache) and what is least volatile (such as hard drives). A chain-of-custody document should be created when evidence is first collected. A screenshot is taken when a system is operational.

Lenny and Carl work in an organization that includes a PKI. Carl needs to send a digitally signed file to Lenny. What does Carl use in this process? Carl's private key Carl's public key Lenny's private key Lenny's public key

Carl's private key Carl uses his private key to digitally sign the file. Lenny uses Carl's public key to decrypt the digital signature. Lenny's keys are not used in this scenario. See "Understanding Cryptography"

Which of the examples listed below falls into the category of operational security controls? Change management Encryption Antivirus software Mantrap

Change management

A sticky note with a password kept in sight in a user's cubicle would be a violation of which of the following policies? Data labeling policy Clean desk policy Acceptable Use Policy (AUP) User account policy

Clean desk policy

A security manager is reviewing security policies related to data loss. Which of the following is the security administrator MOST likely to be reviewing? Separation of duties Clean desk policy Job rotation Change management

Clean desk policy A clean desk policy requires users to organize their areas to reduce the risk of possible data theft and password compromise. A separation of duties policy separates individual tasks of an overall function between different people. Job rotation policies require employees to change roles on a regular basis. Change management helps reduce unintended outages from changes.

What type of action allows an attacker to exploit the XSS vulnerability? Code injection Banner grabbing PIN recovery Input validation

Code injection
Adding information into a data stream
• Applications should be developed to properly handle input and output
• Used with many different data types
• HTML, SQL, XML, LDAP, etc.

Your organization develops web application software, which it sells to other companies for commercial use. Your organization wants to ensure that the software isn't susceptible to common vulnerabilities, such as buffer overflow attacks and race conditions. What should the organization implement to ensure software meets this standard? Change management Regression testing Code review Input validation

Code review A code review goes linebyline through the software code looking for vulnerabilities, such as buffer overflows and race conditions. Input validation helps prevent buffer overflows but not race conditions. Change management controls help prevent unintended outages from unauthorized changes. Regression testing is a type of testing used to ensure that new patches do not cause errors.

Lisa hid several plaintext documents within an image file. Which security goal is she pursuing? Steganography Integrity Encryption Confidentiality

Confidentiality Hiding files in another file is one way to achieve the security goal of confidentiality. In this scenario, Lisa is using steganography as the method by hiding files within a file. Encryption is the best way to achieve confidentiality, but simply hiding files within a file doesn't encrypt the data. Hashing methods and digital signatures provide integrity. See "Mastering Security Basics" and "Understanding Cryptography"

What type of virtualization allows a computer's operating system kernel to run multiple isolated instances of a guest virtual machine? Container virtualization Hypervisor virtualization Jailbreaking virtualization Full virtualization

Container virtualization Container-based virtualization (also called operating system virtualization) uses the same kernel of the host computer. It is often used to run isolated applications or services within a virtual environment. Virtual machines (VMs) using hypervisor virtualization or full virtualization have their own kernels. They do not use the computer's operating system kernel. While jails are used as a specific type of container virtualization, jailbreaking is completely different. Jailbreaking refers to the process of removing software restrictions from mobile devices and is primarily associated with Apple iOS systems.

Your organization wants to ensure that security controls continue to function, helping to maintain an appropriate security posture. Which of the following is the BEST choice to meet this goal? Auditing logs Routine audits Continuous security monitoring Vulnerability scans

Continuous security monitoring Continuous security monitoring helps an organization maintain its security posture by verifying that security controls continue to function as intended. Auditing logs, performing routine audits, and performing vulnerability scans are all part of a continuous monitoring plan. However, individually, they do not verify that all security controls are operating properly.

A company recently hired you as a security administrator. You notice that some former accounts used by temporary employees are currently enabled. Which of the following choices is the BEST response? Set account expiration dates for all accounts when creating them. Disable all the temporary accounts. Disable the temporary accounts you've noticed are enabled. Craft a script to identify inactive accounts based on the last time they logged on.

Craft a script to identify inactive accounts based on the last time they logged on. Running a last logon script allows you to identify inactive accounts, such as accounts that haven't been logged on to in the last 30 days. It's appropriate to disable unused accounts, but it isn't necessarily appropriate to disable all temporary accounts, because some might still be in use. If you disable the accounts you notice, you might disable accounts that some employees are still using, and you might miss some accounts that should be disabled. Setting expiration dates for newly created accounts is a good step, but it doesn't address previously created accounts. See "Exploring Control Types and Methods"

Which of the following will allow Pete, a security analyst, to trigger a security alert because of a tracking cookie? A) Host based firewall B) Anti-spam software C) Network based firewall D) Anti-spyware software

D) Anti-spyware software Because of its specialization in spyware, anti-spyware software is needed in this situation. Notice the question specifically asks about a TRACKING cookie.

Sara, an application developer, has just implemented error and exception handling in an application. Which of the following does this help prevent? A) Pop-up blockers B) Cross-site scripting C) Fuzzing D) Buffer overflow

D) Buffer overflow The use of error and exception handling will allow the application to properly handle errors, reducing the chance of buffer overflows from occurring.

An administrator notices that former temporary employees' accounts are still active on a domain. Which of the following can be implemented to increase security and prevent this from happening? A) Implement a password expiration policy B) Run a last logon script to look for inactive accounts C) Implement time of day restrictions for all temporary employees D) Implement an account expiration date for temporary employees

D) Implement an account expiration date for temporary employees Using a script to check for inactive accounts is a good idea, but not a preventative measure. Applying an expiration date to temporary employees' accounts will prevent them from accessing the network once they leave the company.

Using programming or scripting in an input field, in an attempt to find a vulnerability, is known as what? A) Patching B) Hardening C) Spoofing D) Injection

D) Injection An injection is when a hacker uses a computer language such as PHP, JavaScript, or SQL in an input field to trick a program into running the injected script, thus taking control of the program.

Which of the following is an access control method that is based on a person's job? A) HMAC B) MAC C) DAC D) RBAC

D) RBAC RBAC (Role Based Access Control) is an access control method where a person's level of access is dependent on their job in an organization.

Which of the following types of application attacks would be used to specifically gain unauthorized information from databases that did not have any input validation implemented? A) Buffer overflow and XSS B) Session hijacking and XML injection C) Cookies and attachments D) SQL injection

D) SQL injection SQL injection is a code injection technique where user input actually contains SQL code, used to display or insert information into a database. Validating and sanitizing user input will prevent this type of attack.

Using proximity card readers instead of the traditional key punch doors would help to mitigate: A) Tailgating B) Dumpster diving C) Impersonation D) Shoulder surfing

D) Shoulder surfing A key punch door is a door that will only unlock when a password or PIN is entered into a nearby console. This means anyone with a clear view can learn the password or PIN. Using a proximity card/badge reader would require all employees to have their badge to enter. It will not mitigate tailgating, because it will still be possible for an unauthorized person to enter behind an authorized person; this is also known as piggybacking.

A program has been discovered that infects a critical Windows system executable and stays dormant in memory. When a Windows mobile phone is connected to the host, the program infects the phone's boot loader and continues to target additional Windows PCs or phones. Which of the following malware categories BEST describes this program? A) Worm B) Trojan C) Pharmer D) Virus

D) Virus A virus is a type of malware that infects another program (typically an exe/executable) and has the ability to spread itself to other systems. Both viruses and worms may have the ability to replicate themselves with or without user intervention. The key difference is that a worm is a standalone program while a virus infects an existing program, for example a critical Windows executable.

An access control method based on the identity of subjects and/or groups to which they belong is called: HMAC DAC MAC RBAC

DAC
Discretionary access control (DAC)
• The owner is in full control
• Very flexible but very weak security

You are troubleshooting an intermittent connectivity issue with a web server. After examining the logs, you identify repeated connection attempts from various IP addresses. You realize these connection attempts are overloading the server, preventing it from responding to other connections. Which of the following is MOST likely occurring? Smurf attack DoS attack DDoS attack Salting attack

DDoS attack A distributed denial-of-service (DDoS) attack includes attacks from multiple systems with the goal of depleting the target's resources, and this scenario indicates multiple connection attempts from different IP addresses. A DoS attack comes from a single system, and a SYN flood is an example of a DoS attack. A smurf attack doesn't attempt to connect to systems but instead sends pings. Salting is a method used to prevent brute force attacks to discover passwords. See "Identifying Advanced Attacks"

Which of the following algorithms encrypts data in 64-bit blocks? Twofish AES DES RC4

DES Data Encryption Standard (DES) encrypts data in 64-bit blocks, similar to how 3DES and Blowfish encrypt data in 64-bit blocks. Advanced Encryption Standard (AES) and Twofish encrypt data in 128-bit blocks. Rivest Cipher 4 (RC4) is a stream cipher and it encrypts data one bit at a time.

Some encryption algorithms use stream ciphers and some use block ciphers. Which of the following are examples of block ciphers? (Choose THREE.) SHA DES AES MD5 RC4 Blowfish

DES AES Blowfish Advanced Encryption Standard (AES), Data Encryption Standard (DES), and Blowfish are all block ciphers. Although it's not listed, Triple DES (3DES) is also a block cipher. Message Digest 5 (MD5) and Secure Hash Algorithm (SHA) are hashing algorithms. Rivest Cipher 4 (RC4) is a stream cipher.

Your organization hosts a web server and wants to increase its security. You need to separate all web-facing traffic from internal network traffic. Which of the following provides the BEST solution? DMZ Firewall WAF VLAN

DMZ A demilitarized zone (DMZ) is a buffered zone between a private network and the Internet, and it will separate the web server's web-facing traffic from the internal network. You can use a virtual local area network (VLAN) to group computers together based on job function or some other administrative need, but it is created on switches in the internal network. A firewall does provide protection for the web server, but doesn't necessarily separate the web-facing traffic from the internal network. A web application firewall (WAF) protects a web server from incoming attacks, but it does not necessarily separate Internet and internal network traffic.

Your organization is working on its business continuity plan. Management wants to ensure that documents provide detailed information on what technicians should do after an outage. Specifically, they want to list the systems to restore and the order in which to restore them. What document includes this information? HVAC BIA DRP Succession plan

DRP The disaster recovery plan (DRP) typically includes a hierarchical list of critical systems that identifies what to restore and in what order. Heating, ventilation, and air conditioning (HVAC) is not a document. The business impact analysis (BIA) identifies critical systems and components but does not include recovery methods or procedures. Succession planning refers to people, not systems, and it clarifies who can make decisions during a disaster.

Your organization hosts a web site with a backend database. The database stores customer data, including credit card numbers. Which of the following is the BEST way to protect the credit card data? File-level encryption Full database encryption Whole disk encryption Database column encryption

Database column encryption Database column (or field) encryption is the best choice because it can be used to encrypt the fields holding credit card data, but not fields that don't need to be encrypted. Full database encryption and whole disk encryption aren't appropriate because everything doesn't need to be encrypted to protect the credit card data. File-level encryption isn't appropriate on a database and will often make it inaccessible to the database application.

Your organization plans to deploy new systems within the network within the next six months. What should your organization implement to ensure these systems are developed properly? Attack surface review Baseline review Design review Code review

Design review A design review ensures that systems and software are developed properly. A code review is appropriate if the organization is developing its own software for these new systems, but the scenario doesn't indicate this. A baseline review identifies changes from the initial baseline configuration, but couldn't be done for systems that aren't deployed yet. Identifying the attack surface, including the required protocols and services, would likely be part of the design review, but the design review does much more. See "Managing Risk"

Your primary job activities include monitoring security logs, analyzing trend reports, and installing CCTV systems. Which of the following choices BEST identifies your responsibilities? (Select TWO.) Detecting security incidents Preventing incidents Implementing monitoring controls Hardening systems

Detecting security incidents Implementing monitoring controls Monitoring security logs and analyzing trend reports are detective controls with the goal of detecting security incidents. Installing closed-circuit television (CCTV) systems is one example of implementing a monitoring control. Hardening a system is a preventive control that includes several steps such as disabling unnecessary services, but the scenario doesn't describe these steps. Preventive controls attempt to prevent incidents, but the scenario describes detective controls. See "Exploring Control Types and Methods"

Get Certified Get Ahead (GCGA) has outsourced some application development to your organization. Unfortunately, developers at your organization are having problems getting an application module to work and they want to send the module with accompanying data to a third-party vendor for help in resolving the problem. Which of the following should developers consider before doing so? Review NDAs. Ensure that data in transit is encrypted. Identify the classification of the data.

Review NDAs. Developers should review the nondisclosure agreements (NDAs) and verify that sharing data with a third party doesn't violate any existing NDAs. Encrypting data in transit protects its confidentiality while in transit, but it won't protect it from a third party accessing it after receiving it. The classification of the data isn't as relevant as the NDA in this situation. An NDA between the third party and your organization isn't relevant if the NDA between you and the hiring organization states you cannot share the data.

Security administrators are reviewing security controls and their usefulness. Which of the following attacks will account lockout controls prevent? (Choose TWO.) Buffer overflow Replay DNS poisoning Dictionary Brute force

Dictionary Brute force Brute force and dictionary attacks attempt to guess passwords, but an account lockout control locks an account after the wrong password is guessed too many times. The other attacks are not password attacks, so they aren't mitigated using account lockout controls. Domain name system (DNS) poisoning attempts to redirect web browsers to malicious URLs. Replay attacks attempt to capture packets to impersonate one of the parties in an online session. Buffer overflow attacks attempt to overwhelm online applications with unexpected code or data. See "Identifying Advanced Attacks"

Which of the following answers refers to a solution for secure exchange of cryptographic keys? (Select best answer) Data Encryption Standard (DES) In-band key exchange Diffie-Hellman Out-of-band key exchange

Diffie-Hellman
• A key exchange method over an insecure communications channel, published in 1976
• Whitfield Diffie and Martin Hellman (and Ralph Merkle)
• DH does not itself encrypt or authenticate
• It's an anonymous key-agreement protocol
• Used for Perfect Forward Secrecy
• Ephemeral Diffie-Hellman (EDH or DHE)
• Combine with elliptic curve cryptography for ECDHE

Your network requires a secure method of sharing encryption keys over a public network. Which of the following is the BEST choice? Symmetric encryption Bcrypt Diffie-Hellman Steganography

Diffie-Hellman Diffie-Hellman allows entities to negotiate encryption keys securely over a public network. Once the entities negotiate the keys, they use symmetric encryption, but they can't share keys using symmetric encryption without first using a secure method such as Diffie-Hellman. Bcrypt is a key stretching technique used by some Unix systems to make password cracking more difficult. Steganography hides data within data, but it isn't the best method of sharing encryption keys over a public network.

An organization requested bids for a contract and asked companies to submit their bids via email. After winning the bid, Acme realized it couldn't meet the requirements of the contract. Acme instead stated that it never submitted the bid. Which of the following would provide proof to the organization that Acme did submit the bid? Digital signature Repudiation Integrity Encryption

Digital signature If Acme submitted the bid via email using a digital signature, it would provide proof that the bid was submitted by Acme. Digital signatures provide verification of who sent a message, nonrepudiation preventing them from denying it, and integrity verifying the message wasn't modified. Integrity verifies the message wasn't modified. Repudiation isn't a valid security concept. Encryption protects the confidentiality of data, but it doesn't verify who sent it or provide nonrepudiation. See "Understanding Cryptography"

An HTTP exploit which allows attackers to access restricted directories and execute commands outside of the web server's root directory is known as: Dictionary attack URL hijacking Watering hole attack Directory traversal attack

Directory traversal attack
• Misconfigured server allows inappropriate access
• Command injection can be dangerous when this happens
• Run unauthorized commands from your browser
• Combine with directory traversal for really scary results

Your company has recently provided mobile devices to several employees. A security manager has expressed concerns related to data saved on these devices. Which of the following would BEST address these concerns? Installing an application that tracks the location of the device Enabling geotagging Disabling the use of removable media Implementing a BYOD policy

Disabling the use of removable media Disabling the use of removable media on the devices will reduce the potential of data loss from these devices. It would make it more difficult to copy data to and from the devices. Tracking the location won't affect data. The devices are provided by the company, so a bring your own device (BYOD) policy isn't relevant. Geotagging only refers to geographic location information attached to pictures posted on social media sites.

Attackers recently attacked a web server hosted by your organization. Management has tasked administrators with reducing the attack surface of this server to prevent future attacks. Which of the following will meet this goal? Identifying the baseline Installing and updating antivirus software Installing a NIDS Disabling unnecessary services

Disabling unnecessary services Disabling unnecessary services is a primary method of reducing the attack surface of a host. Installing up-to-date antivirus software is a valid preventive control, but it doesn't reduce the attack surface. Identifying the baseline should be done after disabling unnecessary services. A network-based intrusion detection system (NIDS) helps protect the server, but it doesn't reduce its attack surface. See "Securing Hosts and Data"

Your organization wants to improve the security posture of internal database servers and protect against zero-day vulnerabilities. Of the following choices, what provides the BEST solution? Keeping systems up to date with current patches Disabling unnecessary services Opening ports on a server's firewall Keeping systems up to date with current service packs

Disabling unnecessary services Disabling unnecessary services helps reduce threats, including threats from zero-day vulnerabilities. It also reduces the threat from open ports on a firewall if the associated services are disabled, but opening ports won't reduce threats. Keeping systems up to date with patches and service packs protects against known vulnerabilities and is certainly a good practice. However, by definition, there aren't any patches or service packs available for zero-day vulnerabilities.

The process of OS hardening involves: (Select all that apply) Risk assessment Identification of critical systems and components Disabling unnecessary services Password protection Disabling unnecessary accounts

Disabling unnecessary services Password protection Disabling unnecessary accounts

What is the goal of tabletop exercises? (Select all that apply) Disaster recovery planning Active test of security controls Discussing a simulated emergency situation Passive test of security controls

Disaster recovery planning Discussing a simulated emergency situation

Web developers are implementing error and exception handling in a web site application. Which of the following represents a best practice for this? Displaying a generic error message but logging detailed information on the error Displaying a detailed error message but logging generic information on the error Displaying a generic error message and logging generic information on the error Displaying a detailed error message and logging detailed information on the error

Displaying a generic error message but logging detailed information on the error You should display a generic error message but log detailed information on the error. Detailed error messages to the user are often confusing to them and give attackers information they can use against the system. Logging generic information makes it more difficult to troubleshoot the problem later.

Hardware-based RAID Level 0: (Select 2 answers) Offers redundancy Requires at least three drives to implement Doesn't offer fault tolerance Requires at least two drives to implement Offers fault tolerance

Doesn't offer fault tolerance Requires at least two drives to implement

Your organization plans to issue some employees mobile devices such as smartphones and tablets. These devices don't have a lot of processing power. Which of the following cryptographic methods has the LEAST overhead and will work with these mobile devices? Bcrypt PBKDF2 ECC 3DES

ECC Elliptic curve cryptography (ECC) has minimal overhead and is often used with mobile devices for encryption. Triple Data Encryption Standard (3DES) consumes a lot of processing time and isn't as efficient as ECC. Password-Based Key Derivation Function 2 (PBKDF2) and bcrypt are key stretching techniques that salt passwords with additional bits to protect against brute force attempts.

Which of the protocols listed below uses elliptic curve cryptography for secure exchange of cryptographic keys? ECC LANMAN ECDHE OCSP

ECDHE

Which of the following is an environmental control? Fencing EMI shielding Motion detection Video surveillance

EMI shielding Electromagnetic interference (EMI) shielding provides protection against interference from electromagnetic sources such as fluorescent lights. Fencing, video surveillance, and motion detection are all physical security controls.

Which of the following answers refers to a privacy-related security risk connected with public sharing of pictures taken with smartphones? Data ownership Steganography Weak passwords Embedded geotag

Embedded geotag

Personnel within your company are assisting an external auditor in performing a security audit. They frequently send documents to the auditor via email and some of these documents contain confidential information. Management wants to implement a solution to reduce the possibility of unintentionally exposing this data. Which of the following is the BEST choice? Use digital signatures on all outbound email containing confidential information. Hash all outbound email containing confidential information. Encrypt all outbound email containing confidential information. Implement DLP to scan all outbound email.

Encrypt all outbound email containing confidential information. The best method of preventing unintentional exposure of confidential information is encryption, so encrypting all outbound emails containing confidential information is the best choice. Hashing the emails doesn't protect the confidentiality of the information. Digital signatures provide proof of who sent an email, but don't protect confidentiality. Data loss prevention (DLP) techniques can detect when employees send out some types of data, but would block the transmission and prevent the auditors from getting the data they need. See "Understanding Cryptography"

You need to transmit PII via email and you want to maintain its confidentiality. Of the following choices, what is the BEST solution? Use hashes. Encrypt it before sending. Use RAID. Protect it with a digital signature

Encrypt it before sending. You can maintain confidentiality of any data, including Personally Identifiable Information (PII) with encryption. Hashes provide integrity, not confidentiality. A digital signature provides authentication, nonrepudiation, and integrity. A redundant array of inexpensive disks (RAID) provides higher availability for a disk subsystem. See "Mastering Security Basics" and "Understanding Cryptography"

Which of the following security controls provide(s) confidentiality? (Select all that apply) Encryption Certificates Digital signatures Steganography Hashing

Encryption Steganography

A security administrator is implementing a security program that addresses confidentiality and availability. Of the following choices, what else should the administrator include? Ensure critical systems provide uninterrupted service. Protect data in transit from unauthorized disclosure. Secure data to prevent unauthorized disclosure. Ensure systems are not susceptible to unauthorized changes.

Ensure systems are not susceptible to unauthorized changes. The administrator should ensure systems are not susceptible to unauthorized changes, an element of integrity. A security program should address the three core security principles of confidentiality, integrity, and availability; the system in the example is already addressing confidentiality and availability. Protecting data and securing data to prevent unauthorized disclosure addresses confidentiality. Ensuring critical systems provide uninterrupted service addresses availability. See "Mastering Security Basics"

You are helping implement your company's business continuity plan. For one system, the plan requires an RTO of five hours and an RPO of one day. Which of the following would meet this requirement? Ensure the system can be restored between five hours and one day after an outage. Ensure the system can be restored within five hours and ensure it does not lose more than one day of data. Ensure the system can be restored within one day and ensure it does not lose more than five hours of data Ensure critical systems can be restored within five hours and noncritical systems can be restored within one day.

Ensure the system can be restored within five hours and ensure it does not lose more than one day of data. The recovery time objective (RTO) identifies the maximum amount of time it should take to restore a system after an outage. The recovery point objective (RPO) refers to the amount of data you can afford to lose. RTO only refers to time, not data. RPO refers to data recovery points, not time to restore a system.

A company's account management policy dictates that administrators should disable user accounts instead of deleting them when an employee leaves the company. What security benefit does this provide? Makes it easier to enable the account if the employee returns. Ensures that users cannot log on remotely. Ensures that user files are retained. Ensures that user keys are retained

Ensures that user keys are retained User accounts typically have security keys associated with them. These keys are retained when the account is disabled, but they are no longer accessible when the account is deleted. By disabling the account, it helps ensure that access to files is retained, but it does not directly retain user files. Employees who leave are not expected to return, so this policy has nothing to do with making it easier to enable an account when they return. Users will not be able to use the accounts locally or remotely if they are disabled or deleted, which is a primary reason to have an account management policy.

You manage a group of computers in an isolated network without Internet access. You need to update the antivirus definitions manually on these computers. Which of the following choices is the MOST important concern? Ensuring the definition file hash is equal to the hash on the antivirus vendor's website Ensuring the update includes all signature definitions Running a full scan of the systems before installing the new definitions Running a full scan of the systems after installing the new definitions

Ensuring the definition file hash is equal to the hash on the antivirus vendor's website When downloading files as important as antivirus definitions, it's important to ensure they do not lose data integrity, and you can do so by verifying the hashes. It's not necessary to run a full scan either before or after installing new definitions, but the new definitions will help.

Humidity controls in your data center are failing. You need to convince management of the importance of these. What would you tell them? Failing humidity controls can cause damage from EMI and ESD. Failing humidity controls can cause damage from temperature variations and EMI. Failing humidity controls can cause damage from ESD and condensation. Failing humidity controls can cause damage from condensation and poor ventilation.

Failing humidity controls can cause damage from ESD and condensation. Failing humidity controls can cause damage from electrostatic discharge (ESD) if humidity is too low and water damage from condensation if humidity gets too high. Humidity controls do not provide any protection against electromagnetic interference (EMI), temperature, or ventilation.

The large amount of processing power required to both encrypt and decrypt the content of a message makes symmetric-key encryption algorithms much slower than the algorithms used in asymmetric encryption. True False

False

One of the advantages of the Remote Authentication Dial-In User Service (RADIUS) is that it provides encryption for the entire authentication process. True False

False

Block ciphers work by encrypting each plaintext digit one at a time. True False

False
Block Ciphers
• Used in symmetric encryption
• Not used in asymmetric encryption
• Encrypt fixed-length groups (blocks)
• Often 64-bit or 128-bit blocks
• Pad added to short blocks to fill the block size

A recent vulnerability scan reported that a web application server is missing some patches. However, after inspecting the server, you realize that the patches are for a protocol that administrators removed from the server. Which of the following is the BEST explanation for this disparity? False negative False positive Lack of patch management tools The patch isn't applied

False positive A false positive on a vulnerability scan indicates that a vulnerability is positively detected, but the vulnerability doesn't actually exist. A false negative indicates that the vulnerability scan did not detect a vulnerability that does exist on a system. False positives can occur even if an organization has a strong patch management process in place. Although it's true that the patch isn't applied, it's also true that the patch cannot be applied because it is for a protocol that administrators removed.

Network administrators in your organization need to administer firewalls, security appliances, and other network devices. These devices are protected with strong passwords, and the passwords are stored in a file listing these passwords. Which of the following is the BEST choice to protect this password list? Database field encryption Full database encryption File encryption Whole disk encryption

File encryption The best choice is file encryption to protect the passwords in this list. If the passwords were stored in a database, it would be appropriate to encrypt the fields in the database holding the passwords. It's rarely desirable to encrypt an entire database. Whole disk encryption is appropriate for mobile devices. See "Securing Hosts and Data" and "Understanding Cryptography"

You manage a Linux computer used for security within your network. You plan to use it to inspect and handle network-based traffic using iptables. What network device can this replace? Wireless access point Hub Firewall Layer 2 switch

Firewall iptables includes settings used by the Linux kernel firewall and can be used to replace a firewall. While it's possible to implement iptables on a wireless access point (assuming it is Linux-based), iptables still functions as a firewall, not a wireless access point. Neither a layer 2 switch nor a hub supports iptables.

What type of device would have the following entries used to define its operation? permit IP any any eq 80 permit IP any any eq 443 deny IP any any Layer 2 switch Web server Proxy server Firewall

Firewall These are rules in an access control list (ACL) for a firewall. The first two rules indicate that traffic from any IP address, to any IP address, using ports 80 or 443 is permitted or allowed. The final rule is also known as an implicit deny rule and is placed last in the ACL. It ensures that all traffic that hasn't been previously allowed is denied. Layer 2 switches do not use ACLs. A proxy server would not use an ACL, although it would use ports 80 and 443 for Hypertext Transfer Protocol (HTTP) and HTTP Secure (HTTPS), respectively. A web server wouldn't use an ACL, although it would also use ports 80 and 443. See "Managing Risk"

Your backup policy for a database server dictates that the amount of time needed to perform backups should be minimized. Which of the following backup plans would BEST meet this need? Full backups on Sunday and full backups every other day of the week Full backups on Sunday and differential backups every other day of the week Differential backups on Sunday and incremental backups every other day of the week Full backups on Sunday and incremental backups every other day of the week

Full backups on Sunday and incremental backups every other day of the week A full/incremental backup strategy is best with one full backup on one day and incremental backups on the other days. A full backup every day would require the most time every day. Differential backups become steadily larger as the week progresses and take more time to back up than incremental backups. Backups must start with a full backup, so a differential/incremental backup strategy is not possible.

You need to submit a CSR to a CA. Which of the following would you do FIRST? Generate a new RSA-based session key. Generate a new RSA-based private key. Implement OCSP. Generate the CRL.

Generate a new RSA-based private key. You create the RSA-based private key first and then create the matching public key from it, which you include in the certificate signing request (CSR) that you send to the Certificate Authority (CA). The RSA algorithm technically creates the private key first, but most applications that create the key pair appear to create them at the same time. A session key is a symmetric key, but RSA is an asymmetric algorithm. The CA generates the certificate revocation list (CRL) to identify revoked certificates. Online Certificate Status Protocol (OCSP) is an alternative to using CRLs to validate certificates, but it is not required.

What functions does an HSM include? Provides full drive encryption Reduces the risk of employees emailing confidential information outside the organization Provides webmail to clients Generates and stores keys used with servers

Generates and stores keys used with servers A hardware security module (HSM) is a removable device that can generate and store RSA keys used with servers for data encryption. A data loss prevention (DLP) device is a device that can reduce the risk of employees emailing confidential information outside the organization. Software as a Service (SaaS) provides software or applications, such as webmail, via the cloud. A Trusted Platform Module (TPM) provides full drive encryption and is included in many laptops. See "Securing Hosts and Data"

You are planning to encrypt data in transit with IPsec. Which of the following is MOST likely to be used with IPsec? Twofish Blowfish MD5 HMAC

HMAC Hash-based Message Authentication Code (HMAC) is used with Internet Protocol security (IPsec) and is more likely to be used than any of the other choices. RFC 4835 mandates the use of HMAC for authentication and integrity. When encryption is used, it also mandates the use of either Advanced Encryption Standard (AES) or Triple Data Encryption Standard (3DES). It does not list Blowfish or Twofish. Message Digest 5 (MD5) is a hashing algorithm. See "Understanding Cryptography"

A piece of hardware and associated software / firmware that usually attaches to the inside of a PC or server and provides at least the minimum of cryptographic functions is called: HSM EFS STP WAF

HSM
Hardware Security Module (HSM)
• High-end cryptographic hardware
• Plug-in card or separate hardware device
• Key backup in secured storage
• Cryptographic accelerators for offloading CPU overhead
• Used in large environments

Which of the following answers refers to the contents of a rainbow table entry? Hash / Password IP address / Domain name Username / Password Hash / Account name

Hash / Password

SHA, MD5, and RIPEMD are examples of: Trust models Encryption algorithms Hash functions Virus signatures

Hash functions

A function converts data into a string of characters and the string of characters cannot be reversed to recreate the original data. What type of function is this? Stream cipher Asymmetric encryption Symmetric encryption Hashing

Hashing A hash function creates a string of characters (typically displayed in hexadecimal) when executed against a file or message, and hashing functions cannot be reversed to recreate the original data. Encryption algorithms (including symmetric encryption, asymmetric encryption, and stream ciphers) create ciphertext from plaintext data, but they include decryption algorithms to recreate the original data. See "Understanding Cryptography"

Users in your organization sign their emails with digital signatures. What provides integrity for these certificates? Private key Encryption Hashing Nonrepudiation

Hashing Hashing provides integrity for digital signatures and other data. A digital signature is a hash of the message encrypted with the sender's private key, but the encryption doesn't provide integrity. The digital signature provides nonrepudiation, but nonrepudiation does not provide integrity. The private key and public key are both needed, but the private key does not provide integrity.

Which of the following security controls provide(s) integrity? (Select all that apply) Hashing Steganography Fault tolerance Digital signatures Non-repudiation Encryption

Hashing Digital signatures Non-repudiation

An administrator recently learned of an attack on a Virginia-based web server from IP address 72.52.206.134 at 11:35:33 GMT. However, after investigating the logs, he is unable to see any traffic from that IP address at that time. Which of the following is the MOST likely reason why the administrator was unable to identify the attack? He did not capture an image. He did not account for time offsets. The IP address has expired. The logs were erased when the system was rebooted.

He did not account for time offsets. The most likely reason is that he did not account for the time offset. The attack occurred at 11:35:33 Greenwich Mean Time (GMT) and the web server is in the Eastern Standard Time (EST) zone in Virginia, which is five hours different from GMT. There is no need to capture an image to view logs. IP addresses on the Internet do not expire. Logs are written to a hard drive or a central location; they are not erased when a system is rebooted.

Homer recently implemented a wireless network in his home using WEP. He asks you for advice. Which of the following is the BEST advice you can give him? He should not use WEP because it uses a weak encryption algorithm. He should ensure it is in Enterprise mode. He should not use WEP because it implements weak IVs for encryption keys. He should also ensure he disables SSID broadcast for security purposes.

He should not use WEP because it implements weak IVs for encryption keys. Wired Equivalent Privacy (WEP) is not recommended for use and one of the reasons is due to weak initialization vectors (IVs) used for key transmission. It uses the RC4 stream cipher, which is a strong encryption algorithm. Disabling the service set identifier (SSID) broadcast will hide the network from casual users, but it does not provide additional security. WEP doesn't support Enterprise mode. See "Securing Your Network"

Your organization is evaluating replacement HVAC systems and is considering increasing current capacities. Which of the following is a potential security benefit of increasing the HVAC capabilities? Lower MTTR times of hardware components due to lower temperatures Lower MTBF times of hardware components due to lower temperatures Higher MTBF times of hardware components due to lower temperatures Higher MTTR times of hardware components due to lower temperatures

Higher MTBF times of hardware components due to lower temperatures Increasing the heating, ventilation, and air conditioning (HVAC) capacity results in higher mean time between failures (MTBF) times by keeping systems at lower temperatures. Lower MTBF times indicate more failures. Mean time to recover (MTTR) is unrelated to failures or HVAC systems.

Homer is able to connect to his company's wireless network with his smartphone but not with his laptop computer. Which of the following is the MOST likely reason for this disparity? His company's network has enabled SSID broadcast. His company's network has a MAC address filter in place. His company's network has enabled CCMP. His company's network has enabled WPA2 Enterprise

His company's network has a MAC address filter in place. A media access control (MAC) address filter allows (or blocks) devices based on their MAC addresses, so it is likely that the filter is allowing Homer's smartphone but not allowing his laptop computer. Enabling the service set identifier (SSID) makes the network easier to see by casual users, but it does not block access even if SSID broadcast is disabled. WiFi Protected Access II (WPA2) and Counter Mode Cipher Block Chaining Message Authentication Code Protocol (CCMP) both provide strong security, but they do not differentiate between devices.

A security company wants to gather intelligence about current methods attackers are using against its clients. What can it use? MAC address filtering Honeynet Evil twin Vulnerability scan

Honeynet A honeynet is a fake network designed to look valuable to attackers and can help security personnel learn about current attack methods. In this scenario, the security company can install honeynets in its customers' networks to lure the attackers. A vulnerability scan detects vulnerabilities, but attackers may not try to exploit them. Media access control (MAC) address filtering is a form of network access control, but can't be used to detect or learn about attacks. An evil twin is a rogue access point with the same SSID as an authorized access point. See "Securing Your Network"

Maggie is compiling a list of approved software for desktop operating systems within a company. What is the MOST likely purpose of this list? Host software baseline Baseline reporting Application configuration baseline Code review

Host software baseline A host software baseline (also called an application baseline) identifies a list of approved software for systems and compares it with installed applications. Baseline reporting is a process that monitors systems for changes and reports discrepancies. An application configuration baseline identifies proper settings for applications. A code review looks at the actual code of the software, and doesn't just create a list.

Which of the protocols listed below is used by the PING utility? IPsec SNMP FCoE ICMP

ICMP

Which of the following network tools includes sniffing capabilities? VPN IDS WAP NAC

IDS Intrusion detection systems (IDSs) and intrusion prevention systems (IPSs) include sniffing capabilities allowing them to inspect packet streams for malicious activity. None of the other tools have the capability of inspecting packets. A wireless access point (WAP) provides access to a wired network for wireless devices. A virtual private network (VPN) provides access to an internal network for remote users. A network access control (NAC) system inspects clients to ensure they meet minimum security requirements.

An organization has a critical SCADA network it is using to manage a water treatment plant for a large city. Availability of this system is important. Which of the following security controls would be MOST important as a defense layer for this system? IPS Log management and reviews Deploying patches automatically Antimalware software

IPS An intrusion prevention system (IPS) is the most important security control of those listed to ensure availability of the supervisory control and data acquisition (SCADA) system. Managing the logs and doing periodic reviews will allow you to reconstruct what happened after an attack, but it doesn't defend the network or ensure availability. Deploying patches automatically typically requires access to the Internet, so it is not recommended for a SCADA system; instead, updates should be tested and applied manually during a maintenance window. Antimalware (or antivirus) software is valuable, but not as valuable as an IPS. The IPS can block malicious traffic coming into the network (including malware), but it can do much more.

Your organization is planning to implement a VPN and wants to ensure it is secure. Which of the following protocols is the BEST choice to use with the VPN? HTTP SFTP PPTP IPsec

IPsec Internet Protocol security (IPsec) is one of several protocols used to secure virtual private network (VPN) traffic and is the best choice of the available answers. Hypertext Transfer Protocol (HTTP) doesn't provide any security. SSH File Transfer Protocol (SFTP) secures file transfers over SSH, not VPN tunnels. Point-to-Point Tunneling Protocol (PPTP) is an older VPN protocol with known weaknesses in its authentication and encryption, and it is not as secure as IPsec.

You are planning to encrypt data in transit. Which of the following protocols meets this need and encapsulates IP packets within an additional IP header? HMAC TLS IPsec SSL

IPsec Internet Protocol security (IPsec) can encrypt data in transit, and in tunnel mode it encapsulates the entire original IP packet inside a new packet with an additional (outer) IP header; transport mode, by contrast, protects only the payload behind the original header. Transport Layer Security (TLS) and Secure Sockets Layer (SSL) are both transport encryption protocols that can protect data while it is in transit. Although they both use certificates for security, they do not encapsulate IP packets within an additional IP header. Hash-based Message Authentication Code (HMAC) is the integrity mechanism often used with IPsec (in both AH and ESP), but HMAC does not encrypt data.
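The encapsulation described above, shown on the wire. This is an added example and not code from the original page: it constructs a tunnel-mode packet (outer IPv4 header, protocol 50, followed by an ESP header and an opaque encrypted blob standing in for the inner packet) and parses it the way an on-path observer would, so only the outer addresses, SPI and sequence number are visible. It also implements the ESP receiver's sliding anti-replay window from RFC 4303, which is what makes the sequence number useful. The addresses, SPI and ciphertext are constructed, the IP checksum is left at zero, and the ESP IV, trailer and ICV are omitted; in a real implementation the replay check runs only after the ICV has been verified.

```python
import struct
from typing import Dict, List, Tuple

ESP_PROTOCOL = 50      # IP protocol number for ESP
REPLAY_WINDOW = 64     # RFC 4303 requires at least 32; 64 is a common choice


def ip_to_bytes(ip: str) -> bytes:
    return bytes(int(octet) for octet in ip.split("."))


def bytes_to_ip(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def build_outer_ipv4(src: str, dst: str, payload: bytes) -> bytes:
    """Constructed outer IPv4 header: tunnel mode prepends this to the ESP packet.
    Checksum is left at 0 for the illustration."""
    total_len = 20 + len(payload)
    header = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, total_len, 0x1234, 0x4000, 64, ESP_PROTOCOL, 0,
                         ip_to_bytes(src), ip_to_bytes(dst))
    return header + payload


def build_esp(spi: int, seq: int, encrypted_inner: bytes) -> bytes:
    """ESP header is just SPI + sequence number; everything after it is ciphertext."""
    return struct.pack("!II", spi, seq) + encrypted_inner


def parse_tunnel_packet(pkt: bytes) -> Dict[str, object]:
    """What a sniffer sees: outer addresses, SPI, sequence number, and an opaque blob."""
    ver_ihl, _tos, total_len, _ident, _flags, _ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if proto != ESP_PROTOCOL:
        raise ValueError(f"not ESP: protocol {proto}")
    spi, seq = struct.unpack("!II", pkt[ihl:ihl + 8])
    return {
        "outer_src": bytes_to_ip(src),
        "outer_dst": bytes_to_ip(dst),
        "spi": spi,
        "seq": seq,
        "opaque_len": total_len - ihl - 8,   # inner IP header + payload, all encrypted
    }


class ReplayWindow:
    """RFC 4303 sliding window. Bit i of the bitmap means (highest - i) was already seen."""

    def __init__(self, size: int = REPLAY_WINDOW):
        self.size = size
        self.highest = 0
        self.bitmap = 0

    def check_and_update(self, seq: int) -> bool:
        if seq == 0:                       # sequence 0 is never valid on the wire
            return False
        if seq > self.highest:             # advance the window
            shift = seq - self.highest
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.highest = seq
            return True
        offset = self.highest - seq
        if offset >= self.size:            # older than the window: drop
            return False
        if self.bitmap & (1 << offset):    # already seen inside the window: replay
            return False
        self.bitmap |= 1 << offset
        return True


def demo() -> Tuple[Dict[str, object], List[bool]]:
    """Build one tunnel-mode packet, parse it, then feed a replayed sequence to the window."""
    inner_ciphertext = b"\x8f" * 60                  # constructed stand-in for encrypted inner packet
    esp = build_esp(0x0000A1B2, 1, inner_ciphertext)
    pkt = build_outer_ipv4("198.51.100.2", "203.0.113.7", esp)
    observer_view = parse_tunnel_packet(pkt)
    window = ReplayWindow()
    decisions = [window.check_and_update(s) for s in (1, 2, 2, 5, 3, 1)]
    return observer_view, decisions
```

Run `demo()`: the parsed view shows only the gateway addresses, SPI `0xA1B2` and sequence 1, with 60 opaque bytes where the inner packet lives. The replay decisions accept sequences 1, 2, 5 and the late-but-unseen 3, and reject the repeated 2 and 1.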

Which of the following authentication protocols offer(s) countermeasures against replay attacks? (Select all that apply) IPsec MPLS PAP Kerberos CHAP

IPsec Kerberos CHAP All three include replay countermeasures. IPsec AH and ESP carry a sequence number that the receiver checks against a sliding anti-replay window. Kerberos tickets are presented together with an authenticator that carries a timestamp, so a captured exchange is rejected once the permitted clock skew (typically five minutes) has passed. CHAP (Challenge-Handshake Authentication Protocol) uses a three-way handshake: after the link is established, the server sends a random challenge; the client responds with a hash of the shared secret combined with that challenge; the server computes the same hash and compares it with the response. The secret itself never crosses the wire, and because every challenge is fresh, a captured response is useless against the next challenge. PAP sends the password in cleartext and has no replay protection, and MPLS is a packet-forwarding technique, not an authentication protocol.
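The CHAP handshake above, carried through in code. This is an added example, not code from the original page or from any PPP implementation: it follows the RFC 1994 response formula (MD5 over identifier, secret and challenge), has the authenticator issue a fresh random challenge per attempt and discard it after one use, and then replays a captured response to show why it fails. The shared secret is a constructed demo value.

```python
import hashlib
import hmac
import os
from typing import Dict, Tuple

# Constructed demo secret shared by client and authenticator (not a real credential).
SHARED_SECRET = b"demo-chap-secret"


def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP response value: MD5(Identifier || Secret || Challenge)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


class Authenticator:
    """Server side: one random challenge per attempt, usable exactly once."""

    def __init__(self, secret: bytes):
        self._secret = secret
        self._ident = 0
        self._pending: Dict[int, bytes] = {}   # identifier -> outstanding challenge

    def challenge(self) -> Tuple[int, bytes]:
        self._ident = (self._ident + 1) & 0xFF      # 8-bit identifier field
        chal = os.urandom(16)                       # fresh challenge every time
        self._pending[self._ident] = chal
        return self._ident, chal

    def verify(self, ident: int, response: bytes) -> bool:
        chal = self._pending.pop(ident, None)       # consume the challenge
        if chal is None:
            return False                            # unknown or already-used identifier
        expected = chap_response(ident, self._secret, chal)
        return hmac.compare_digest(expected, response)


def client_answer(ident: int, challenge: bytes, secret: bytes = SHARED_SECRET) -> bytes:
    """Client side: prove knowledge of the secret without sending it."""
    return chap_response(ident, secret, challenge)


def demo_replay() -> Tuple[bool, bool]:
    """Returns (genuine login accepted, replayed response accepted)."""
    auth = Authenticator(SHARED_SECRET)
    ident, chal = auth.challenge()
    captured = client_answer(ident, chal)           # what a sniffer on the link sees
    first = auth.verify(ident, captured)
    ident2, _chal2 = auth.challenge()               # attacker tries again later
    replayed = auth.verify(ident2, captured)        # different challenge: hash won't match
    return first, replayed
```

`demo_replay()` returns `(True, False)`: the captured response only ever matched the challenge it was computed for. Note that MD5 is what RFC 1994 specifies; CHAP's replay resistance comes from the fresh challenge, not from the hash, and the scheme still requires the server to hold the secret in a reversible form.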

Network administrators connect to a legacy server using Telnet. They want to secure these transmissions using encryption at a lower layer of the OSI model. What could they use? IPv4 IPv6 SFTP SSH

IPv6 IPv6 was designed together with Internet Protocol security (IPsec), which was originally a mandatory part of an IPv6 implementation, so it is the best choice here; IPsec operates at Layer 3 of the Open Systems Interconnection (OSI) reference model, below the Telnet application. IPsec is an optional add-on for IPv4 rather than part of the base protocol. Although you can use Secure Shell (SSH) instead of Telnet, SSH and Telnet both operate at Layer 7 of the OSI model. SSH File Transfer Protocol (SFTP) is useful for encrypting files in transit, but it doesn't encrypt Telnet traffic.

Your organization is considering storage of sensitive data in a cloud provider. Your organization wants to ensure the data is encrypted while at rest and while in transit. What type of interoperability agreement can your organization use to ensure the data is encrypted while in transit? BPA MOU SLA ISA

ISA An interconnection security agreement (ISA) specifies technical and security requirements for secure connections and can ensure data is encrypted while in transit. None of the other agreements address the connection. A service level agreement (SLA) stipulates performance expectations of a vendor. A business partners agreement (BPA) is a written agreement for business partners. A memorandum of understanding (MOU) expresses an understanding between two parties to work together

You work as a helpdesk professional in a large organization. You have begun to receive an extraordinary number of calls from employees related to malware. Using common incident response procedures, what should be your FIRST response? Preparation Identification Escalation Mitigation

Identification At this stage, the first response is incident identification. The preparation phase is performed before an incident, and includes steps to prevent incidents. After identifying this as a valid incident (malware infection), the next step is escalation and notification and then mitigation steps.

A penetration tester is tasked with gaining information on one of your internal servers and he enters the following command: telnet server1 80. What is the purpose of this command? Identify if server1 is running a service using port 80 and is reachable. Use Telnet to remotely administer server1. Launch an attack on server1 sending 80 separate packets in a short period of time Use Telnet to start an RDP session.

Identify if server1 is running a service using port 80 and is reachable. The command opens a TCP connection to server1 on port 80. If a service is listening on that port and nothing filters the path, the connection completes, which is a common first step in banner grabbing: the tester then types a request such as HEAD / HTTP/1.0 and reads the response headers. It does not send 80 separate packets. If 80 were omitted, Telnet would use its default port of 23 and attempt to create a Telnet session. Remote Desktop Protocol (RDP) uses port 3389 and is not relevant in this scenario. See "Managing Risk"
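The same reachability-plus-banner check, scripted. This is an added example and not part of the original page: it starts a throwaway local listener that answers like a web server (a constructed stand-in for server1, so the code runs offline), then does what a tester does after `telnet server1 80` connects: send a HEAD request and pull the Server header. A refused or timed-out connection is reported as not reachable rather than as an error.

```python
import socket
import threading
from typing import Dict, Tuple

# Constructed reply for the stand-in server; a real target would send its own headers.
FAKE_BANNER = (b"HTTP/1.0 400 Bad Request\r\n"
               b"Server: demo-httpd/0.1\r\n"
               b"Connection: close\r\n\r\n")


def start_fake_http_server() -> Tuple[str, int]:
    """Listen on a free loopback port and answer every connection with FAKE_BANNER."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))          # port 0: the OS picks a free port
    srv.listen(5)

    def serve() -> None:
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            with conn:
                conn.settimeout(2)
                try:
                    conn.recv(1024)     # read the client's request (if it sends one)
                except OSError:
                    pass
                conn.sendall(FAKE_BANNER)

    threading.Thread(target=serve, daemon=True).start()
    host, port = srv.getsockname()
    return host, port


def find_closed_port() -> int:
    """Learn a free port and release it, so nothing is listening there."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def grab_banner(host: str, port: int, timeout: float = 3.0) -> Dict[str, object]:
    """Equivalent of `telnet host port` followed by a HEAD request."""
    result: Dict[str, object] = {"host": host, "port": port, "reachable": False,
                                 "server": None, "raw": b""}
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            result["reachable"] = True   # TCP handshake completed: something is listening
            s.sendall(b"HEAD / HTTP/1.0\r\nHost: %s\r\n\r\n" % host.encode())
            s.settimeout(timeout)
            chunks = []
            while True:
                try:
                    data = s.recv(4096)
                except socket.timeout:
                    break               # server kept the socket open but stopped talking
                if not data:
                    break               # server closed the connection
                chunks.append(data)
            raw = b"".join(chunks)
            result["raw"] = raw
            for line in raw.split(b"\r\n"):
                if line.lower().startswith(b"server:"):
                    result["server"] = line.split(b":", 1)[1].strip().decode(errors="replace")
    except (ConnectionRefusedError, socket.timeout, OSError):
        pass                            # refused or filtered: not reachable on that port
    return result
```

`grab_banner(*start_fake_http_server())` reports the port reachable with `server` set to `demo-httpd/0.1`; `grab_banner("127.0.0.1", find_closed_port())` reports it unreachable. Against a real host, a hit that returns no Server header is still a finding: the port is open, and the next step is to fingerprint it with a protocol-specific probe.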

Bart is performing a vulnerability assessment. Which of the following BEST represents the goal of this task? Identify the system's security posture. Determine if input validation is in place. Identify services running on a system. Determine if vulnerabilities can be exploited

Identify the system's security posture. A vulnerability assessment identifies a system or network's security posture. A port scanner identifies services running on a system. A penetration test determines if vulnerabilities can be exploited. Although a vulnerability assessment might verify if input validation methods are in place, it includes much more. See "Managing Risk"

You are configuring a switch and need to ensure that only authorized devices can connect to it and access the network through this switch. Which of the following is the BEST choice to meet this goal? Use a Layer 3 switch. Implement 802.1x Create a VLAN Enable RSTP.

Implement 802.1x An 802.1x server provides port-based authentication and can prevent unauthorized devices from connecting to a network. Although you can configure an 802.1x server with a VLAN to redirect unauthorized clients, the VLAN by itself will not block unauthorized devices. A Layer 3 switch does not provide port-based authentication. Rapid Spanning Tree Protocol (RSTP) will prevent switching loop problems but doesn't authenticate clients.

An organization recently updated its security policy. A new requirement dictates a need to increase protection from rogue devices plugging into physical ports. Which of the following choices provides the BEST protection? Implement 802.1x Disable unused ports Enable MAC limiting Enable MAC filtering

Implement 802.1x IEEE 802.1x is a port-based authentication protocol and it requires systems to authenticate before they are granted access to the network. If an attacker plugged a rogue device into a physical port, the 802.1x server would block it from accessing the network. Disabling unused ports is a good practice, but it doesn't prevent an attacker from unplugging a system from a used port and plugging the rogue device into that port. MAC limiting and MAC filtering provide some protection against rogue devices, but MAC addresses are trivially spoofed, so an 802.1x server provides much stronger protection. See "Understanding Basic Network Security"
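How the two preceding answers translate into switch configuration. This is an added illustration, not configuration from the original page or from any vendor document; the syntax assumes Cisco IOS, and the interface names, RADIUS address and shared secret are placeholders. The first interface shows the weaker MAC-limiting approach, the second shows 802.1x port-based authentication, and the final block shuts down the unused ports as the defense-in-depth measure the answer mentions.

```cisco
! Global: send 802.1X (EAP over RADIUS) authentication to a RADIUS server
aaa new-model
radius server lab-radius
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 key <shared-secret>
aaa authentication dot1x default group radius
dot1x system-auth-control
!
! Weaker: port security only limits how many MAC addresses may appear on the port.
! A rogue device that clones the authorized station's MAC is still admitted.
interface GigabitEthernet1/0/1
 switchport mode access
 switchport port-security
 switchport port-security maximum 1
 switchport port-security violation shutdown
!
! Stronger: the device must authenticate before the port forwards anything
! other than EAPOL. Unauthenticated devices stay off the network.
interface GigabitEthernet1/0/2
 switchport mode access
 authentication port-control auto
 dot1x pae authenticator
!
! Defense in depth: unused ports are administratively down, so they cannot be used at all
interface range GigabitEthernet1/0/10 - 24
 switchport mode access
 shutdown
```

With `authentication port-control auto`, the port admits only EAPOL frames until the RADIUS server returns an Access-Accept; a device with no supplicant can optionally be steered into a guest VLAN, which is the VLAN redirection the earlier answer refers to, but that is a policy choice rather than protection.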

A network technician incorrectly wired switch connections in your organization's network. It effectively disabled the switch as though it was a victim of a denialofservice attack. What should be done to prevent this in the future? Only use Layer 2 switches. Install SNMP on the switches. Install an IDS. Implement STP or RSTP.

Implement STP or RSTP. Spanning Tree Protocol (STP) or Rapid STP (RSTP) will prevent switching loop problems. It's rare for a wiring error to take down a switch. However, if two ports on a switch are connected to each other, it creates a switching loop and effectively disables the switch. An intrusion detection system (IDS) will not prevent a switching loop. Layer 2 switches are susceptible to this problem. Administrators use Simple Network Management Protocol (SNMP) to manage and monitor devices, but it doesn't prevent switching loops.

An administrator is tasked with increasing the security of the existing SAN. Ideally, he wants to isolate any faults or configuration issues to limit their impact. Which of the following choices will meet this need? Implement a VSAN Implement 802.1x for port security Implement cloud storage Implement a VLAN

Implement a VSAN A virtual storage area network (VSAN) can segment areas of a SAN, which can effectively isolate faults or configuration issues within the SAN. For example, a single SAN can be segmented into one VSAN for a disk array, another VSAN for tape libraries, and another VSAN for optical jukeboxes. A VSAN is similar in concept to a virtual local area network (VLAN). A VLAN is a separate network created on specific ports of a switch. Similarly, a VSAN is a separate storage area network created on specific ports of a Fibre Channel switch. However, implementing a VLAN doesn't increase security for a SAN. While port security will increase security, it doesn't isolate areas of the SAN. Cloud storage is unrelated to a SAN, so it will not increase security for the SAN.

Social engineers have launched several successful phonebased attacks against your organization resulting in several data leaks. Which of the following would be the MOST effective at reducing the success of these attacks? Provide training on data handling. Update the AUP. Implement a BYOD policy. Implement a program to increase security awareness.

Implement a program to increase security awareness. The best choice of the available answers is to implement a program to increase security awareness, and it could focus on social engineering attacks. A bring your own device (BYOD) policy or an acceptable use policy (AUP) doesn't apply in this scenario. Training is useful, but training users on data handling won't necessarily educate them on social engineering attacks.

Your organization is increasing security and wants to prevent attackers from mapping out the IP addresses used on your internal network. Which of the following choices is the BEST option? Implement secure zone transfers. Implement subnetting. Block outgoing traffic on UDP port 53. Add a WAF

Implement secure zone transfers. Restricting zone transfers (AXFR/IXFR, which run over TCP port 53) on internal Domain Name System (DNS) servers to authorized secondary servers prevents attackers from downloading zone data and mapping out IP addresses and device names. Subnetting divides IP address ranges into smaller subnets, but it doesn't prevent attacks. DNS name resolution queries use UDP port 53, so blocking outgoing traffic on UDP port 53 would prevent internal users from resolving Internet names. A web application firewall (WAF) protects a web server.
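The weak and the restricted zone-transfer settings side by side. This is an added illustration, not configuration from the original page; it assumes BIND 9 `named.conf` syntax, and the zone name, file path, secondary address and key material are placeholders (the secret is what `tsig-keygen xfer-key` would emit).

```conf
// Weak: any client can AXFR the zone and enumerate every host record
zone "corp.example" {
    type master;
    file "/etc/bind/zones/db.corp.example";
    allow-transfer { any; };
};

// Restricted: deny transfers by default, then allow only a TSIG-signed secondary
key "xfer-key" {
    algorithm hmac-sha256;
    secret "<base64-secret-from-tsig-keygen>";
};

options {
    allow-transfer { none; };       // applies to every zone unless overridden
};

zone "corp.example" {
    type master;
    file "/etc/bind/zones/db.corp.example";
    allow-transfer { key "xfer-key"; };
    also-notify { 192.0.2.53; };    // the authorized secondary
};
```

The secondary presents the key with `server <primary-ip> { keys { "xfer-key"; }; };`. To verify, run `dig @<primary> corp.example AXFR` from a host without the key: the primary should answer "Transfer failed" rather than dumping the zone. Keying on the secondary's IP address alone is weaker, since source addresses can be spoofed on a TCP session only with difficulty but the address is otherwise the only secret.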

A security analyst is evaluating a critical industrial control system. The analyst wants to ensure the system has security controls to support availability. Which of the following will BEST meet this need? Implementing control redundancy and diversity Using at least two firewalls to create a DMZ Using an embedded system Installing a SCADA system

Implementing control redundancy and diversity A critical industrial control system implies a supervisory control and data acquisition (SCADA) system, and ensuring that the system incorporates diversity into a redundant design will best meet this need of the available choices. A demilitarized zone (DMZ) provides some protection against Internet attacks, but critical industrial control systems rarely have direct Internet access. The goal in the question is to protect the SCADA system, but the SCADA system itself isn't a security control. Likewise, an embedded system is what the scenario describes, not a control that supports its availability. See "Securing Hosts and Data"

Lisa is the new CTO at your organization. She wants to ensure that critical business systems are protected from isolated outages. Which of the following would let her know how often these systems will experience outages? MTTR MTTF MITM MTBF

MTBF The mean time between failures (MTBF) provides a measure of a system's reliability and is usually represented in hours. More specifically, the MTBF identifies the average (the arithmetic mean) time between failures. In the context of this scenario, it provides an estimate of how often the systems will experience outages. Man-in-the-middle (MITM) is an attack allowing the attacker to intercept traffic and insert malicious code sent to other clients. The mean time to failure (MTTF) indicates the lifetime of an item. In other words, it provides an estimate of how long the item will remain operational before it fails. MTTF typically indicates a permanent failure of a device, such as the failure of a hard drive, requiring replacement of the component. The mean time to repair (MTTR) refers to the time it takes to repair a system, not the time between failures.

A code review of a web application discovered that the application is not performing boundary checking. What should the web developer add to this application to resolve this issue? XSS XSRF Input validation Fuzzing

Input validation The lack of input validation is a common coding error, and input validation includes boundary or limit checking to validate data before using it. Proper input validation prevents many problems such as cross-site request forgery (XSRF), cross-site scripting (XSS), buffer overflow, and command injection attacks. Fuzzing injects unexpected or malformed data and tests the effectiveness of input validation; it finds the problem, it doesn't fix it. See "Identifying Advanced Attacks"
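What "boundary checking" means in a parser, with the unchecked version beside the checked one. This is an added example, not code from the original page: a length-prefixed record format (four-byte big-endian length, then payload) is constructed here for illustration. The unchecked parser trusts the declared length, so a record that claims 1 GB but carries three bytes is silently truncated and the returned offset points far past the buffer; a parser that allocated `bytearray(length)` on that value would try to reserve 1 GB. The checked parser bounds the length against both a maximum and the bytes actually present before it indexes anything.

```python
from typing import List, Tuple

MAX_RECORD_LEN = 4096   # constructed upper bound for one record's payload


def parse_record_unchecked(buf: bytes, offset: int = 0) -> Tuple[bytes, int]:
    """Trusts the length field: the defect a code review would flag."""
    length = int.from_bytes(buf[offset:offset + 4], "big")
    start = offset + 4
    payload = buf[start:start + length]      # silently short when the length lies
    return payload, start + length           # next offset may be far past the buffer


def parse_record(buf: bytes, offset: int = 0) -> Tuple[bytes, int]:
    """Same format, with every index and size bounded before use."""
    if offset < 0 or offset + 4 > len(buf):
        raise ValueError("truncated length field")
    length = int.from_bytes(buf[offset:offset + 4], "big")
    if length > MAX_RECORD_LEN:
        raise ValueError(f"declared length {length} exceeds limit {MAX_RECORD_LEN}")
    start = offset + 4
    if start + length > len(buf):
        raise ValueError("declared length runs past end of buffer")
    return buf[start:start + length], start + length


def parse_all(buf: bytes) -> List[bytes]:
    """Walk a buffer of consecutive records; any bad length aborts the whole parse."""
    records, off = [], 0
    while off < len(buf):
        payload, off = parse_record(buf, off)
        records.append(payload)
    return records


def encode(*payloads: bytes) -> bytes:
    return b"".join(len(p).to_bytes(4, "big") + p for p in payloads)


def rejected(buf: bytes) -> bool:
    """True if the checked parser refuses the buffer."""
    try:
        parse_record(buf)
        return False
    except ValueError:
        return True


# Constructed inputs
GOOD = encode(b"alpha", b"beta")
OVERSIZED = (10 ** 9).to_bytes(4, "big") + b"abc"   # claims 1 GB, carries 3 bytes
TRUNCATED = b"\x00\x00"                              # length field itself is cut short
```

`parse_all(GOOD)` yields `[b"alpha", b"beta"]`. `parse_record_unchecked(OVERSIZED)` returns `(b"abc", 1000000004)` without complaint, whereas `rejected(OVERSIZED)` and `rejected(TRUNCATED)` are both True. The order of the checks matters: the length field is validated before the payload slice, and the offset before the length field, so no untrusted value is used as an index or allocation size until it has been bounded.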

An organization is planning to implement an internal PKI for smart cards. Which of the following should the organization do FIRST? Install a CA. Generate a certificate. Generate key pairs. Identify a recovery agent.

Install a CA. A Public Key Infrastructure (PKI) requires a certification authority (CA), so a CA should be installed first. Smart cards require certificates and would be issued by the CA. After installing the CA, you can generate key pairs to be used with certificates issued by the CA. A recovery agent can be identified, but it isn't required to be done as a first step for a CA. See "Understanding Cryptography"

Lisa oversees and monitors processes at a water treatment plant using SCADA systems. Administrators recently discovered malware on her system that was connecting to the SCADA systems. Although they removed the malware, management is still concerned. Lisa needs to continue using her system and it's not possible to update the SCADA systems. What can mitigate this risk? Install HIPS on the SCADA systems. Install a NIPS on the border of the SCADA network. Install a honeypot on the SCADA network. Install a firewall on the border of the SCADA network

Install a NIPS on the border of the SCADA network. A network intrusion prevention system (NIPS) installed at the border of the supervisory control and data acquisition (SCADA) network can intercept malicious traffic coming into the network and is the best choice of those given. The scenario states you cannot update the SCADA systems, so you cannot install a host-based IPS (HIPS) on any of them. A firewall provides a level of protection; however, it wouldn't be able to differentiate between valid traffic sent by Lisa and malicious traffic sent by malware from Lisa's system. A honeypot might be useful to observe malicious traffic, but wouldn't prevent it. See "Securing Your Network"

Which of the answers listed below exemplifies an implementation of risk transference methodology? Insurance policy Security guard Antivirus software User education

Insurance policy

Lisa manages network devices in your organization and maintains copies of the configuration files for all the managed routers and switches. On a weekly basis, she creates hashes for these files and compares them with hashes she created on the same files the previous week. Which security goal is she pursuing? Integrity Safety Confidentiality Availability

Integrity She is pursuing integrity by verifying that the configuration files have not changed. By verifying that the hashes are the same, she also verifies that the configuration files are the same. Confidentiality is enforced with encryption, access controls, and steganography. Availability ensures systems are up and operational when needed. Safety goals help ensure the safety of personnel and/or other assets. See "Mastering Security Basics" and "Understanding Cryptography"

Which of the following is a potential benefit of a VSAN over a SAN? It can isolate traffic within the SAN It provides port security It can redirect traffic to other VLANs It ensures each VSAN uses identical security policies

It can isolate traffic within the SAN A virtual storage area network (VSAN) can isolate traffic within a SAN. This can ensure that problems in one VSAN do not impact other VSANs within the SAN. A VSAN is similar in concept to a virtual local area network (VLAN). A VLAN is a separate network created on specific ports of a switch. Similarly, a VSAN is a separate storage area network created on specific ports of a Fibre Channel switch. However, a VSAN does not redirect traffic to other VLANs. While a VSAN does isolate traffic between Fibre Channel switch ports, it does not provide port security. Each VSAN within the SAN can use its own security policy; it isn't necessary for them all to have the same policy.

Your organization is considering the purchase of new computers. A security professional stresses that these devices should include TPMs. What benefit does a TPM provide? (Choose all that apply.) It uses hardware encryption, which is quicker than software encryption. It uses software encryption, which is quicker than hardware encryption. It includes an HSM file system. It stores RSA keys.

It uses hardware encryption, which is quicker than software encryption. It stores RSA keys. A Trusted Platform Module (TPM) is a hardware chip that stores RSA encryption keys (TPM 2.0 also supports ECC keys) and performs cryptographic operations in hardware, which is quicker than software encryption. A TPM does not use software encryption. A hardware security module (HSM) is a separate hardware device (a network appliance, PCIe card, or USB token) that also uses hardware encryption, but it does not have a file system, and a TPM does not provide an HSM as a benefit. See "Securing Hosts and Data"

You are helping your organization create a security policy for incident response. Of the following choices, what is the BEST choice to include when an incident requires confiscation of a physical asset? Ensure witnesses sign an AUP. Ensure hashes are taken first. Maintain the order of volatility. Keep a record of everyone who took possession of the physical asset.

Keep a record of everyone who took possession of the physical asset. It's important to keep a chain of custody for any confiscated physical item, and the chain of custody is a record of everyone who took possession of the asset after it was first confiscated. Hashes are taken when a forensic image is captured, so that the image can later be proven unchanged, but they are not required before confiscating equipment. Users, not witnesses, sign an acceptable use policy (AUP). Security personnel should follow the order of volatility when collecting evidence (most volatile first), but it is a collection sequence, not something that is "maintained" during confiscation of a physical asset.

Assigning a unique key, called a ticket, to each user that logs on to the network is a characteristic feature of: SAML Secure LDAP RADIUS Kerberos

Kerberos Kerberos is a network authentication protocol. It is designed to provide strong authentication for client/server applications by using secret-key cryptography. A free implementation of this protocol is available from the Massachusetts Institute of Technology. Kerberos is available in many commercial products as well.

You are modifying a configuration file used to authenticate Unix accounts against an external server. The file includes phrases such as DC=Server1 and DC=Com. Which authentication service is the external server using? SAML Diameter RADIUS LDAP

LDAP Lightweight Directory Access Protocol (LDAP) uses X.500-based phrases to identify components such as the domain component (DC); DC=Server1,DC=Com is the distinguished-name form of the domain server1.com. Diameter is an alternative to Remote Authentication Dial-In User Service (RADIUS), but neither of these uses X.500-based phrases. Security Assertion Markup Language (SAML) is an Extensible Markup Language (XML) format used for web-based single sign-on (SSO) solutions. See "Mastering Security Basics"

Your network uses an authentication service based on the X.500 specification. When encrypted, it uses TLS. Which authentication service is your network using? Diameter SAML LDAP Kerberos

LDAP Lightweight Directory Access Protocol (LDAP) uses X.500-based phrases to identify components, and Secure LDAP can be encrypted with Transport Layer Security (TLS), either as LDAPS on TCP port 636 or by upgrading a port 389 connection with StartTLS. Security Assertion Markup Language (SAML) is an Extensible Markup Language (XML) format used for single sign-on (SSO), but it is not based on X.500. Diameter is an alternative to Remote Authentication Dial-In User Service (RADIUS), but neither of these is based on X.500.

Which of the following is an attack against servers hosting a directory service? XSRF attack Fuzzing attack LDAP injection attack XSS attack

LDAP injection attack A Lightweight Directory Access Protocol (LDAP) injection attack attempts to access data on servers hosting a directory service, such as a Microsoft domain controller hosting Active Directory, by inserting LDAP filter syntax into unvalidated input. Cross-site scripting (XSS) and cross-site request forgery (XSRF) attacks target web servers and their users, not directory service servers. Fuzzing sends random or malformed data to see if the application can handle it, but it doesn't specifically target servers hosting a directory service.

A recent vulnerability assessment identified several issues related to an organization's security posture. Which of the following issues is MOST likely to affect the organization on a daytoday basis? Lack of antivirus software Natural disasters Lack of protection for data in transit Lack of protection for data at rest

Lack of antivirus software Malware is a constant threat, and without antivirus software, systems are likely to become infected in a short period of time. Natural disasters are a risk, but not on a day-to-day basis. Encryption protects data at rest and data in transit, but a lack of encryption isn't likely to affect the organization on a day-to-day basis. See "Managing Risk"

You maintain a training lab with 18 computers. You have enough rights and permissions on these machines so that you can configure them as needed for classes. However, you do not have the rights to add them to your organization's domain. Which of the following choices BEST describes this example? Separation of duties Userbased privileges Need to know Least privilege

Least privilege When following the principle of least privilege, individuals have only enough rights and permissions to perform their job, and this is exactly what is described in this scenario. Need to know typically refers to data and information rather than the privileges required to perform an action, such as adding computers to a domain. User-based privileges refer to giving permissions to individual users rather than groups, and this question doesn't address either user-based or group-based privileges. Separation of duties is a principle that prevents any single person or entity from being able to complete all the functions of a critical or sensitive process, and it isn't addressed in this question either.

Bart wants to send a secure email to Lisa, so he decides to encrypt it. He wants to ensure that only Lisa can decrypt it. Which of the following does Lisa need to meet this requirement? Lisa's public key Bart's public key Lisa's private key Bart's private key

Lisa's private key Lisa would decrypt the email with her private key, and Bart would encrypt the email with Lisa's public key. Although not part of this scenario, if Bart wanted Lisa to have verification that he sent it, he would create a digital signature with his private key and Lisa would verify that signature with Bart's public key. Bart does not need his own keys to encrypt email sent to someone else. See "Understanding Cryptography"
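The four key usages above (encrypt with the recipient's public key, decrypt with the recipient's private key, sign with the sender's private key, verify with the sender's public key) carried through with actual RSA arithmetic. This is an added example, not code from the original page: it is textbook RSA with no padding, built on well-known Mersenne primes, so the keys are public knowledge and worthless for real use; a practitioner would use a library such as `cryptography` with OAEP and PSS padding. The message text is constructed. What the example shows is that Bart's private key cannot open mail encrypted for Lisa, and Lisa's public key cannot validate Bart's signature.

```python
import hashlib
from typing import Tuple

Key = Tuple[int, int]   # (modulus n, exponent)


def make_keypair(p: int, q: int, e: int = 65537) -> Tuple[Key, Key]:
    """Textbook RSA keygen. Returns (public (n, e), private (n, d))."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), (n, pow(e, -1, phi))     # pow(e, -1, phi): modular inverse (Python 3.8+)


# Constructed, deliberately insecure keys: Mersenne primes are public, so anyone could
# factor these moduli. They are only here so the arithmetic runs without a library.
LISA_PUB, LISA_PRIV = make_keypair((1 << 521) - 1, (1 << 127) - 1)
BART_PUB, BART_PRIV = make_keypair((1 << 607) - 1, (1 << 89) - 1)


def encrypt(msg: bytes, recipient_pub: Key) -> int:
    """Anyone can do this; it needs only the recipient's public key."""
    n, e = recipient_pub
    m = int.from_bytes(msg, "big")
    if m >= n:
        raise ValueError("message too long for the key; real systems use hybrid encryption")
    return pow(m, e, n)


def decrypt(ciphertext: int, recipient_priv: Key) -> bytes:
    """Only the holder of the matching private key recovers the plaintext."""
    n, d = recipient_priv
    m = pow(ciphertext, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


def sign(msg: bytes, signer_priv: Key) -> int:
    """Sign the SHA-256 digest of the message with the sender's private key."""
    n, d = signer_priv
    digest = int.from_bytes(hashlib.sha256(msg).digest(), "big")
    return pow(digest, d, n)


def verify(msg: bytes, signature: int, signer_pub: Key) -> bool:
    """Anyone with the sender's public key can check the signature."""
    n, e = signer_pub
    digest = int.from_bytes(hashlib.sha256(msg).digest(), "big")
    return pow(signature, e, n) == digest


def demo() -> Tuple[bool, bool, bool, bool]:
    """(Lisa decrypts OK, Bart cannot decrypt, Bart's signature verifies, Lisa's key rejects it)."""
    msg = b"Lisa, the Q3 numbers are attached."      # constructed message
    c = encrypt(msg, LISA_PUB)
    sig = sign(msg, BART_PRIV)
    return (decrypt(c, LISA_PRIV) == msg,
            decrypt(c, BART_PRIV) != msg,
            verify(msg, sig, BART_PUB),
            verify(msg, sig, LISA_PUB))
```

`demo()` returns `(True, True, True, False)`. Because there is no padding, a leading zero byte in a message would be lost on decryption and identical messages always produce identical ciphertexts, which is one of the reasons real deployments never use raw RSA.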

Which of the access control models listed below enforces the strictest set of access rules? MAC RBAC DAC HMAC

MAC

Which of the answers listed below refers to the most common access control model used in Trusted OS implementations? HMAC MAC RBAC DAC

MAC

An organization has implemented an access control model that enforces permissions based on data labels assigned at different levels. What type of model is this? DAC MAC RoleBAC RuleBAC

MAC The mandatory access control (MAC) model uses labels assigned at different levels to restrict access. The discretionary access control (DAC) model assigns permissions based on object ownership. The role-based access control (role-BAC) model uses group-based privileges. The rule-based access control (rule-BAC) model uses rules that trigger in response to events. See "Exploring Control Types and Methods"

An access control model in which every resource has a sensitivity label matching a clearance level assigned to a user is known as: RBAC DAC HMAC MAC

MAC Mandatory Access Control (MAC) is based on security clearance levels: every object gets a sensitivity label, every subject gets a clearance, and access is decided by predefined rules comparing the two, not by the owner's discretion.

A security technician runs an automated script every night designed to detect changes in files. Of the following choices, what are the most likely protocols used in this script? ECC and HMAC PGP and MD5 AES and Twofish MD5 and HMAC

MD5 and HMAC Hashing can detect changes in files (or verify that files have not lost integrity). Message Digest 5 (MD5) is a hashing algorithm, and Hash-based Message Authentication Code (HMAC) is a keyed construction built on a hash; both produce a fixed-length digest that changes if the file changes. HMAC has the added benefit that an attacker who can alter a file cannot recompute a matching digest without the key. MD5 is no longer collision-resistant, so a SHA-2 family hash is the better choice for new scripts. Pretty Good Privacy (PGP) is a method used to secure email communication. Elliptic curve cryptography (ECC), Advanced Encryption Standard (AES), and Twofish are all encryption algorithms.
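The nightly file-change script described here and the weekly configuration-file hash comparison from the earlier integrity question, implemented once. This is an added example and not code from the original page: it builds a baseline of digests for every file in a directory, compares a later run against it, and reports changed, added and missing files. It uses SHA-256 rather than MD5, and when a key is supplied it switches to HMAC-SHA-256 so that someone who can edit a device configuration cannot also forge its baseline entry. The key, file names and configuration contents are constructed; the demo uses a temporary directory so it runs offline.

```python
import hashlib
import hmac
import tempfile
from pathlib import Path
from typing import Dict, List, Optional

# Constructed key for the keyed baseline. Keep it off the managed devices and outside
# the directory being checked; whoever holds it can produce valid baseline entries.
BASELINE_KEY = b"demo-baseline-key"


def file_digest(path: Path, key: Optional[bytes] = None) -> str:
    """SHA-256 of a file, or HMAC-SHA-256 when a key is given. Streams in 64 KiB chunks."""
    h = hmac.new(key, digestmod="sha256") if key else hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(config_dir: Path, key: Optional[bytes] = None) -> Dict[str, str]:
    """Map file name -> digest for every regular file in the directory."""
    return {p.name: file_digest(p, key) for p in sorted(config_dir.iterdir()) if p.is_file()}


def compare(previous: Dict[str, str], current: Dict[str, str]) -> Dict[str, List[str]]:
    """What changed since the previous run."""
    return {
        "changed": sorted(n for n in previous if n in current and previous[n] != current[n]),
        "added": sorted(set(current) - set(previous)),
        "missing": sorted(set(previous) - set(current)),
    }


def demo() -> Dict[str, List[str]]:
    """Simulate one week: take a baseline, then a router config changes and a new file appears."""
    with tempfile.TemporaryDirectory() as d:
        cfg = Path(d)
        (cfg / "core-rtr1.cfg").write_text("hostname core-rtr1\n")
        (cfg / "edge-sw1.cfg").write_text("hostname edge-sw1\n")
        last_week = build_baseline(cfg, BASELINE_KEY)

        # Constructed change: a static default route is added to the router config
        (cfg / "core-rtr1.cfg").write_text(
            "hostname core-rtr1\nip route 0.0.0.0 0.0.0.0 203.0.113.9\n")
        (cfg / "edge-sw2.cfg").write_text("hostname edge-sw2\n")
        this_week = build_baseline(cfg, BASELINE_KEY)
        return compare(last_week, this_week)


def keyed_and_unkeyed_differ() -> bool:
    """The keyed digest is not derivable from the plain hash, which is the point of the key."""
    with tempfile.TemporaryDirectory() as d:
        p = Path(d) / "sample.cfg"
        p.write_text("hostname sample\n")
        return file_digest(p) != file_digest(p, BASELINE_KEY)
```

`demo()` returns `{"changed": ["core-rtr1.cfg"], "added": ["edge-sw2.cfg"], "missing": []}`. In production the previous baseline would be stored somewhere the monitored hosts cannot write (or signed), the report would feed a ticket or alert, and an expected change would be closed by re-baselining after review rather than by ignoring the alert.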

Your organization is updating its business continuity documents. You're asked to review the communications plans for possible updates. Which of the following should you ensure is included in the communications plan? A list of systems to recover in hierarchical order Incident response procedures List of critical systems and components Methods used to respond to media requests, including templates

Methods used to respond to media requests, including templates A communications plan will include methods used to respond to media requests, including basic templates. Although not available as a possible answer, it would also include methods used to communicate with response team members, employees, suppliers, and customers. None of the other answers are part of a communications plan. A DRP includes a list of systems to recover in hierarchical order. An incident response plan identifies incident response procedures. A BIA identifies critical systems and components. See "Preparing for Business Continuity"

An organization needs to identify a continuity of operations plan that will allow it to provide temporary IT support during a disaster. The organization does not want to have a dedicated site. Which of the following provides the best solution? Cold site Hot site Warm site Mobile site

Mobile site A mobile site is a self-contained transportable unit that can be moved around without having a dedicated site. Cold sites, warm sites, and hot sites are dedicated locations. See "Preparing for Business Continuity"

Marge, a security administrator, is tasked with ensuring that all devices have updated virus definition files before they can access network resources. Which of the following technologies would help her accomplish this goal? NAC NIDS DLP DMZ

NAC Network access control (NAC) inspects clients for health, including having up-to-date virus definition files, and can restrict unhealthy clients to a remediation network. A network intrusion detection system (NIDS) can detect incoming attacks, but doesn't inspect internal clients. A data loss prevention (DLP) system typically examines outgoing traffic looking for confidential data. A demilitarized zone (DMZ) is a buffer zone between the Internet and an internal network.

Which of the following solutions is used to hide the internal IP addresses by modifying IP address information in IP packet headers while in transit across a traffic routing device? NAC ACL NAT DMZ

NAT

The BizzFad company decides to partner with Costington's to bid on a contract. Management in both companies realize that they need to share proprietary data. However, they want to ensure that distribution of this data is limited within each of the companies. Which of the following will BEST meet this need? BPA MOU NDA ISA

NDA A non-disclosure agreement (NDA) would meet this need. It can be written to ensure that proprietary data is not shared with other departments or divisions in the other company. This question is a great example of how you can often answer a Security+ question just by knowing what the acronym means. A memorandum of understanding (MOU) expresses an understanding between two or more parties indicating their intention to work together toward a common goal. However, it is less formal than an NDA and it doesn't have strict guidelines in place to protect sensitive data. A business partners agreement (BPA) details the relationship between business partners, including their obligations toward the partnership; it governs the partnership itself rather than the handling of a specific set of data. An interconnection security agreement (ISA) specifies the technical and security requirements for planning, establishing, maintaining, and disconnecting a secure connection between two or more entities. See Chapter 11 of the CompTIA Security+: Get Certified Get Ahead: SY0-401 Study Guide for more information on operational security.

A group that consists of SNMP devices and one or more SNMP managers is known as: SNMP trap Network Management System (NMS) SNMP community Management Information Base (MIB) Intranet

SNMP community An SNMP community is the group of SNMP-managed devices (agents) and one or more SNMP managers that share a community string. In SNMPv1 and v2c the community string is the only credential, sent in cleartext, so it should be treated as a password and SNMPv3 with authentication and privacy should be preferred. A network management system (NMS) is the manager side of that group: the set of hardware and/or software tools that allows an IT professional to supervise the individual components of a network within a larger network management framework. A trap is an unsolicited notification an agent sends to the manager, and the Management Information Base (MIB) is the tree of objects an agent exposes.

Bart recently sent out confidential data via email to potential competitors. Management suspects he did so accidentally, but Bart denied sending the data. Management wants to implement a method that would prevent Bart from denying accountability in the future. What are they trying to enforce? Encryption Confidentiality Access control Nonrepudiation

Nonrepudiation Nonrepudiation methods such as digital signatures prevent users from denying they took an action. Encryption methods protect confidentiality. Access control methods protect access to data. See "Mastering Security Basics" and "Understanding Cryptography"

Your organization requires the use of a PKI and it wants to implement a protocol to validate trust with minimal traffic. Which of the following protocols validates trust by returning short responses, such as "good" or "revoked"? CSR OCSP CRL CA

OCSP Online Certificate Status Protocol (OCSP) validates trust with certificates. Clients send the serial number of the certificate to an OCSP responder operated by (or on behalf of) the Certificate Authority (CA) within the Public Key Infrastructure (PKI), and the responder returns a short signed response such as good, unknown, or revoked. A certificate revocation list (CRL) includes a list of revoked certificates listed by serial number and can become quite large over time. The CA isn't a protocol. You request certificates with a certificate signing request (CSR).

Which of the following provides the fastest way for validating a digital certificate? ICMP CRL Key escrow OCSP

OCSP OCSP (Online Certificate Status Protocol) Getting Revocation Details to the Browser • OCSP • The browser can check certificate revocation • Messages usually sent to an OCSP responder via HTTP • Not all browsers support OCSP • Early Internet Explorer versions did not support OCSP

Which of the answers listed below refers to a security measure providing protection against various password-based attacks, specifically password sniffing and replay attacks? OTP LSO OCSP CRL

OTP One-Time Password

An organizational policy specifies that duties of application developers and administrators must be separated. What is the MOST likely result of implementing this policy? One group develops databases and the other group modifies databases. One group develops program code and the other group deploys the code. One group develops program code and the other group modifies the code. One group deploys program code and the other group administers databases.

One group develops program code and the other group deploys the code. This describes a separation of duties policy where the application developers create and modify the code, and the administrators deploy the code to live production systems, but neither group can perform both functions. Developers would typically develop the original code, and modify it when necessary. This scenario does not mention databases. See "Exploring Operational Security"

Your organization recently updated an online application employees use to log in when working from home. Employees enter their username and password into the application from their smartphone and the application logs their location using GPS. What type of authentication is being used? Dual-factor One-factor Something you are Somewhere you are

One-factor This is using one-factor authentication - something you know. The application uses your username for identification and your password for authentication. Note that even though the application is logging your location using Global Positioning System (GPS), there isn't any indication that it is using this information for authentication. It could simply be using it for auditing purposes. Dual-factor authentication requires another factor of authentication. If the application verified you were logging in from a specific GPS location, it would be dual-factor authentication (something you know and somewhere you are). Something you are refers to biometric authentication methods. The somewhere you are authentication method verifies you are somewhere such as in a specific GPS location, using an IP address from a specific location, or using a specific computer.

Which type of authentication does a hardware token provide? Biometric Strong password One-time password PIN

One-time password A hardware token (such as an RSA token) uses a one-time password for authentication in the something you have factor of authentication. Biometric methods are in the something you are factor of authentication, such as a fingerprint. A PIN and a password are both in the something you know factor of authentication and do not require a hardware token. See "Mastering Security Basics"

In forensic procedures, a sequence of steps in which different types of evidence should be collected is known as: Order of volatility Layered security Chain of custody Transitive access

Order of volatility

EMI shielding protects the transferred data from: (Select all that apply) Outside interference Phishing Eavesdropping Decryption Bluesnarfing

Outside interference Eavesdropping

Which of the following protocols transmits passwords over the network in an unencrypted form and is therefore considered unsecure? RADIUS PAP TACACS+ CHAP

PAP PAP (Password Authentication Protocol) • PAP is clear-text authentication • Unsophisticated, insecure

Which of the following provides authentication services and uses PPP? Kerberos and LDAP PAP and CHAP Diameter and biometrics SAML and SSO

PAP and CHAP Both Password Authentication Protocol (PAP) and Challenge Handshake Authentication Protocol (CHAP) use Point-to-Point Protocol (PPP). Diameter is an authentication service, but biometrics is an authentication method. Kerberos is an authentication service, but it doesn't use PPP, and Lightweight Directory Access Protocol (LDAP) is a method of querying directories. Security Assertion Markup Language (SAML) is an Extensible Markup Language (XML)-based data format used for single sign-on (SSO), but it doesn't use PPP.

Your organization has implemented a network design that allows internal computers to share one public IP address. Of the following choices, what did they MOST likely implement? PAT TLS STP DNAT

PAT Port Address Translation (PAT) is a form of Network Address Translation (NAT) and it allows many internal devices to share one public IP address. Dynamic Network Address Translation (DNAT) uses multiple public IP addresses instead of just one. Spanning Tree Protocol (STP) prevents switch loop problems and is unrelated to sharing IPs. Transport Layer Security (TLS) secures transmissions for data in transit.

Application developers are creating an application that requires users to log on with strong passwords. The developers want to store the passwords in such a way that it will thwart brute force attacks. Which of the following is the BEST solution? MD5 Database fields PBKDF2 3DES

PBKDF2 Password-Based Key Derivation Function 2 (PBKDF2) is a key stretching technique designed to protect against brute force attempts and is the best choice of the given answers. Another alternative is bcrypt. Both salt the password with additional bits. Triple DES (3DES) is an encryption protocol. Passwords stored using Message Digest 5 (MD5) are easier to crack because they don't use salts. Storing the passwords in encrypted database fields is a possible solution, but just storing them in unencrypted database fields does not protect them at all. See "Understanding Cryptography"

Examples of key stretching algorithms include: (Select 2 answers) PBKDF2 RC4 NTLMv2 Bcrypt FCoE

PBKDF2 Bcrypt bcrypt • Generates hashes from passwords • An extension to the UNIX crypt library • Uses Blowfish cipher to perform multiple rounds of hashing • Password-Based Key Derivation Function 2 (PBKDF2) • Part of RSA public key cryptography standards (PKCS #5, RFC 2898)

GNU Privacy Guard (GPG) provides similar functionality and an alternative to: PAP IMAP4 PGP Windows Firewall

PGP GNU Privacy Guard GnuPG is a hybrid-encryption software program because it uses a combination of conventional symmetric-key cryptography for speed, and public-key cryptography for ease of secure key exchange, typically by using the recipient's public key to encrypt a session key which is only used once.

A computer program (and related protocols) that uses cryptography to provide data security for electronic mail and other applications on the Internet is known as: SMTP PGP OCSP OVAL

PGP Pretty Good Privacy (PGP) is an encryption program that provides cryptographic privacy and authentication for data communication. PGP is often used for signing, encrypting, and decrypting texts, e-mails, files, directories, and whole disk partitions and to increase the security of e-mail communications.

A software tool used for monitoring and examining contents of the network traffic is known as: (Select all that apply) Port scanner Packet sniffer Vulnerability scanner Protocol analyzer

Packet sniffer Protocol analyzer

You are redesigning your password policy. You want to ensure that users change their passwords regularly, but they are unable to reuse passwords. What settings should you configure? (Select THREE.) Password history Password length Maximum password age Password complexity Minimum password age

Password history Maximum password age Minimum password age The maximum password age ensures users change their passwords regularly. The password history records previously used passwords (such as the last 24 passwords) to prevent users from reusing the same passwords. The minimum password age prevents users from changing their password repeatedly to get back to their original password and should be used with the password history setting. Password length requires a minimum number of characters in a password. Password complexity requires a mix of uppercase and lowercase letters, numbers, and special characters. See "Exploring Control Types and Methods"

Your company has recently standardized servers using imaging technologies. However, a recent security audit verified that some servers were immune to known OS vulnerabilities, whereas other systems were not immune to the same vulnerabilities. Which of the following would reduce these vulnerabilities? Snapshots Patch management Sandboxing Baselines

Patch management Patch management procedures ensure operating systems (OS) are kept up to date with current patches. Patches ensure systems are immune to known vulnerabilities, but none of the other answers protects systems from these known vulnerabilities. Sandboxing isolates systems for testing. Snapshots record the state of a virtual machine at a moment in time. Baselines identify the starting point for systems. See "Securing Hosts and Data"

A recent risk assessment identified several problems with servers in your organization. They occasionally reboot on their own and the operating systems do not have current security fixes. Administrators have had to rebuild some servers from scratch due to mysterious problems. Which of the following solutions will mitigate these problems? IDS Sandboxing Virtualization Patch management

Patch management Patch management procedures ensure that systems are kept up to date with current security fixes and patches and help eliminate problems with known attack methods. The scenario indicates that these systems have been attacked, exploiting the vulnerabilities caused by not patching them. Virtualization will have the same problems if the systems are not kept up to date. Sandboxing isolates systems for testing, but there isn't any indication these servers should be isolated. An intrusion detection system (IDS) might identify some attacks, but the systems will still be exploited if they aren't patched.

Lisa recently ran an application to test the security posture of a database server running in a test bed. What type of report will she retrieve to identify vulnerabilities that the application actually exploited? Penetration test report Vulnerability test report Risk assessment test report Code review report

Penetration test report A penetration test attempts to exploit weaknesses so a penetration test report would report vulnerabilities that the application exploited. A vulnerability test identifies the security posture of a network but it does not actually exploit any weaknesses. A risk assessment would identify risks (including threats and vulnerabilities) and a penetration test might be part of the risk assessment, but the risk assessment would not necessarily include a list of exploited vulnerabilities. A code review is a line-by-line review of application code, but it does not exploit vulnerabilities.

An organization has a legacy server within the DMZ. It is running older software that is not compatible with current patches, so it remains unpatched. Management accepts the risk on this system, but wants to know if attackers can access the internal network if they successfully compromise this server. Which of the following is the MOST appropriate test? Port scan Vulnerability scan Pentest Code review

Pentest A pentest (or penetration test) attempts to compromise the server and then attempts to access the internal network. A vulnerability scan is passive. It does not attempt to compromise a system, so it cannot verify if an attacker can access the internal network. A port scan only identifies open ports. A code review is useful for newly developed software, but there isn't any indication that the original code is available for the legacy server.

Which of the following tools is the MOST invasive type of testing? Pentest Vulnerability scan Host enumeration Protocol analyzer

Pentest A pentest (or penetration test) is the most invasive type of test listed, and can potentially compromise a system. A protocol analyzer is not invasive, but it cannot determine if security controls are in place. A vulnerability scan can verify if security controls are in place and it does not try to exploit these controls using any invasive methods. Host enumeration identifies hosts on a network, but does not check for security controls. See "Managing Risk"

A continuity of operations plan for an organization includes the use of a warm site. The BCP coordinator wants to verify that the organization's backup data center is prepared to implement the warm site if necessary. Which of the following is the BEST choice to meet this need? Perform a review of the disaster recovery plan. Perform a test restore. Perform a disaster recovery exercise. Ask the managers of the backup data center.

Perform a disaster recovery exercise. The best way to test elements of a business continuity plan (BCP) or disaster recovery plan (DRP) is to test the plan by performing a disaster recovery exercise. Asking managers if they are ready and reviewing the plan are both helpful, but not as effective as an exercise. Performing a test restore verifies the backup capabilities, but not necessarily the steps required when implementing a warm site. See "Preparing for Business Continuity"

Lisa needs to identify if a risk exists on a web application and if attackers can potentially bypass security controls. However, she should not actively test the application. Which of the following is the BEST choice? Perform traffic analysis with a sniffer. Perform a port scan. Perform a penetration test. Perform a vulnerability scan

Perform a vulnerability scan A vulnerability scan identifies vulnerabilities that attackers can potentially exploit, and vulnerability scanners perform passive testing. A penetration test actively tests the application and can potentially compromise the system. A port scan only identifies open ports. A sniffer can capture traffic for analysis, but it doesn't check for security controls.

You suspect that an executable file on a web server is malicious and includes a zero-day exploit. Which of the following steps can you take to verify your suspicions? Perform an operating system baseline comparison. Perform a code review. Perform an architecture review. Perform a design review.

Perform an operating system baseline comparison. An operating system baseline comparison is the best choice of the available answers. It can verify if the file is in the baseline, or was added after the server was deployed. A code review is possible if you have access to the original code, but this isn't easily possible with an executable file. Code reviews look at the code before it is released and architecture reviews look at architecture designs, but neither of these identifies malicious files after a web server has been deployed. See "Securing Hosts and Data"

Which of the following answers refers to a DNS poisoning attack? Vishing Pharming Spear phishing Whaling

Pharming Redirection to a bogus site • Combines farming with phishing • Farming - Harvest large groups of people • Phishing - Collect access credentials • Difficult for anti-malware software to stop • Everything appears legitimate to the user

The process by which malicious software changes its underlying code to avoid detection is called: Fuzzing Polymorphism Pharming Spoofing

Polymorphism

Bart is complaining that new browser windows keep opening on his computer. Which of the following is the BEST choice to stop these in the future? Malware Popup blocker Adware Antivirus software

Popup blocker A popup blocker is the best choice to stop these windows, which are commonly called popup windows. They might be the result of malware or adware, but more malware or adware will not stop them. Some antivirus software may block the popups, but a popup blocker is the best choice.

Which of the answers listed below apply to an Xmas attack? (Select 2 answers) Port scan Denial-of-service attack IP spoofing Transitive access Social engineering

Port scan Denial-of-service attack Xmas Attacks ○ Port scan used to get details about an OS ○ It sends bits in the packet header of the TCP port scan that resemble Christmas lights ○ This gives it info about how the system responds and what OS it is. ○ It's more for recon than anything ○ Many IDS and IPS can detect this

You want to identify all of the services running on a server. Which of the following tools is the BEST choice to meet this goal? Penetration test Sniffer Port scanner Protocol analyzer

Port scanner A port scanner identifies open ports on a system and is commonly used to determine what services are running on the system. A penetration test attempts to exploit a vulnerability. A protocol analyzer (also called a sniffer) could analyze traffic and discover protocols in use, but this would be much more difficult than using a port scanner.

What is the purpose of non-repudiation? Hiding one piece of data in another piece of data Ensuring that received data hasn't changed in transit Preventing someone from denying that they have taken specific action Transforming plaintext into ciphertext

Preventing someone from denying that they have taken specific action

Which of the following answers refer to the applications / features of quantum cryptography? (Select 2 answers) High availability Protection against eavesdropping Loop protection Secure key exchange

Protection against eavesdropping Secure key exchange Quantum cryptography • Use quantum physics to provide cryptographic references • Quantum key distribution (QKD) • Used to communicate a shared key between two users • If a third-party tries to get in the middle, the data is disturbed

A network administrator needs to identify the type of traffic and packet flags used in traffic sent from a specific IP address. Which of the following is the BEST tool to meet this need? Protocol analyzer UTM security appliance Router logs Vulnerability scan

Protocol analyzer A protocol analyzer (or sniffer) can capture traffic sent over a network and identify the type of traffic, the source of the traffic, and protocol flags used within individual packets. A unified threat management (UTM) security appliance combines multiple security solutions into a single solution but doesn't typically capture traffic. Router logs identify the type of traffic going through it, but do not include packet flag data. A vulnerability scan identifies vulnerabilities on a network.

An attacker is bypassing client-side input validation by intercepting and modifying data within the HTTP POST command. Which of the following does the attacker use in this attack? Command injection Proxy Flash cookie Exception handling

Proxy An attacker can use a web proxy to intercept the HTTP POST command. The attacker then modifies the data in the command and sends it to the website. Command injection is a type of client-side injection attack that input validation thwarts. Flash cookies are used by Adobe Flash applets, but are not used to bypass input validation. Exception handling catches errors, allowing applications to handle them gracefully.

A software development company wants to implement a digital rights management solution to protect its intellectual property. Which of the following should the company implement to enforce software digital rights? A) IPsec B) Non-repudiation C) Transport encryption D) Public Key infrastructure

Public Key infrastructure PKI - Public Key Infrastructure ■ Enables signatures and certificates to function by maintaining encryption keys and certificate management Public Key Infrastructure (PKI) • Policies, procedures, hardware, software, people to manage digital certificates • Create, distribute, manage, store, revoke • Requires extensive planning • Also refers to the binding of public keys to people

Homer works as a contractor at a company on a one-year renewing contract. After renewing his contract, the company issues him a new smart card. However, he is now having problems digitally signing email or opening encrypted email. What is the MOST likely solution? Publish the certificate in his new smart card. Copy his original public key to the new smart card. Copy the original certificate to the new smart card. Copy his original private key to the new smart card.

Publish the certificate in his new smart card. He should publish the certificate in his new smart card in a global address list within the domain. It is not possible for users to copy a certificate, a public key, or a private key to a smart card. See "Understanding Cryptography"

Which of the following choices provide authentication services for remote users and devices? (Select TWO.) Secure LDAP RADIUS Kerberos Diameter

RADIUS Diameter Both Remote Authentication Dial-In User Service (RADIUS) and Diameter are authentication services for remote users and devices. Diameter is more secure than RADIUS. Kerberos is an authentication service used with a domain or realm and Secure Lightweight Directory Access Protocol (LDAP) uses Transport Layer Security (TLS) for encryption and is used to query directories.

Your company recently began allowing workers to telecommute from home one or more days a week. However, your company doesn't currently have a remote access solution. They want to implement an AAA solution that supports different vendors. Which of the following is the BEST choice? RADIUS Circumference TACACS+ SAML

RADIUS Remote Authentication Dial-In User Service (RADIUS) is an authentication, authorization, and accounting (AAA) protocol and is the best choice. TACACS+ is proprietary to Cisco, so it won't support different vendor solutions. Diameter is preferable to RADIUS, but there is no such thing as a Circumference protocol. SAML is an SSO solution used with web-based applications. See "Mastering Security Basics"

Which of the following choices is an AAA protocol that uses shared secrets as a method of security? RADIUS SAML Kerberos MD5

RADIUS Remote Authentication Dial-In User Service (RADIUS) is an authentication, authorization, and accounting (AAA) protocol that uses shared secrets (or passwords) for security. Kerberos uses tickets. SAML provides SSO for web-based applications, but it is not an AAA protocol. MD5 is a hashing protocol, not an AAA protocol. See "Mastering Security Basics"

You are tasked with configuring authentication services settings on computers in your network. You are entering shared secrets on different servers. Which of the following services are you MOST likely configuring? (Select TWO.) RADIUS LDAP Kerberos TACACS

RADIUS LDAP Remote Authentication Dial-In User Service (RADIUS) servers use shared secrets. You can configure them to interact with Lightweight Directory Access Protocol (LDAP) based systems by entering the same shared secret on both a RADIUS server and an LDAP server. A shared secret is basically just an identical password on both systems. Kerberos uses tickets for authentication, not shared secrets. Terminal Access Controller Access-Control System (TACACS) is a legacy authentication service, and rarely used today. TACACS+ is a newer protocol and it does use a pre-shared key, sometimes referred to as a shared secret. For example, you can configure TACACS+ systems to interact with LDAP systems with a shared secret.

You are tasked with configuring authentication services settings on servers in your network. You are entering shared secrets on different servers. Which of the following services support the use of shared secrets? (Select TWO.) Kerberos GRE RADIUS TACACS+

RADIUS TACACS+ Remote Authentication Dial-In User Service (RADIUS) servers use shared secrets. Similarly, Terminal Access Controller Access-Control System Plus (TACACS+) uses shared secret keys, sometimes referred to as shared secrets. What should you select if this question includes RADIUS, TACACS+, and Lightweight Directory Access Protocol (LDAP) as possible answers? Because all three support shared secrets, it's easy to consider it a bogus question that hasn't been thought out by the test writer. However, because both RADIUS and LDAP consistently use the term "shared secret" they are the best answer. Kerberos uses tickets for authentication, not shared secrets. Generic Routing Encapsulation (GRE) is a tunneling protocol. It can encapsulate various networking protocols to provide a layer of protection when data is sent over a network.

Which of the following is the lowest cost solution for fault tolerance? Clustering Cold site RAID Load balancing

RAID A redundant array of inexpensive disks (RAID) subsystem is a relatively low-cost solution for fault tolerance for disks. RAID also increases data availability. Load balancing and failover clustering add in additional servers, which is significantly more expensive than RAID. A cold site is a completely separate location, which can be expensive, but a cold site does not provide fault tolerance. See "Preparing for Business Continuity"

An organization needs to improve fault tolerance to increase data availability. However, the organization has a limited budget. Which of the following is the BEST choice to meet the organization's needs? Backup system RAID UPS Cluster

RAID A redundant array of inexpensive disks (RAID) system would provide fault tolerance for disk drives and increase data availability if drives fail. A backup system improves data availability because you can restore data after data is lost or corrupt. However, a backup system does not provide fault tolerance. A cluster provides fault tolerance at the server level and ensures a service continues to operate even if a server fails. However, a cluster is more expensive than a RAID. An uninterruptible power supply (UPS) provides short-term power after a power failure but does not directly increase data availability.

Which of the following solutions add(s) redundancy in areas identified as single points of failure? (Select all that apply) Virtualization RAID Hot site UPS Backup generator PSU

RAID Hot site UPS Backup generator

Which of the following solutions does not offer fault tolerance? RAID 5 Disk duplexing RAID 0 Disk mirroring RAID 1

RAID 0

You are a technician at a small organization. You need to add fault-tolerance capabilities within the business to increase the availability of data. However, you need to keep costs as low as possible. Which of the following is the BEST choice to meet these needs? Failover cluster RAID-6 UPS Backups

RAID-6 A redundant array of inexpensive disks 6 (RAID-6) subsystem provides fault tolerance for disks, and increases data availability. A failover cluster provides fault tolerance for servers and can increase data availability but is significantly more expensive than a RAID subsystem. Backups help ensure data availability, but they do not help with fault tolerance. An uninterruptible power supply (UPS) provides fault tolerance for power, but not necessarily for data. See "Preparing for Business Continuity"

One of your web servers was recently attacked and you have been tasked with reviewing firewall logs to see if you can determine how an attacker accessed the system remotely. You identified the following port numbers in log entries: 21, 22, 25, 53, 80, 110, 443, and 3389. Which of the following protocols did the attacker MOST likely use? RDP Telnet DNS HTTPS

RDP The attacker most likely used Remote Desktop Protocol (RDP) over port 3389. Telnet can connect to systems remotely, but it uses port 23 and that isn't one of the listed ports. HTTPS uses port 443 for secure HTTP sessions. DNS uses port 53 for name resolution queries and zone transfers. See "Understanding Basic Network Security"

Your organization uses several different types of cryptographic techniques. Which of the following techniques uses a private key and a public key? MD5 AES RSA Blowfish

RSA Rivest, Shamir, Adleman (RSA) is an asymmetric algorithm and all asymmetric algorithms use public and private keys. Advanced Encryption Standard (AES) and Blowfish are strong block-based symmetric encryption algorithms. Message Digest 5 (MD5) is a hashing algorithm.

An organization is implementing a PKI and plans on using public and private keys. Which of the following can be used to create strong key pairs? AES MD5 RSA HMAC

RSA Rivest, Shamir, Adleman (RSA) is used to create key pairs. Message Digest 5 (MD5) and Hash-based Message Authentication Code (HMAC) are hashing algorithms. Advanced Encryption Standard (AES) is a symmetric encryption algorithm. See "Understanding Cryptography"

A business continuity expert is creating a BIA. Which of the following elements is MOST likely to be omitted from the BIA? Recommended solutions List of critical systems and functions Critical downtime limit Potential loss

Recommended solutions A business impact analysis (BIA) does not include recommended solutions. It does identify critical systems and functions, dependencies, critical downtime limits, potential scenarios causing a loss, and the potential loss.

A user's laptop developed a problem and can no longer boot. Help desk personnel tried to recover the data on the disk, but the disk is encrypted. Which of the following can be used to retrieve data from the hard drive? Recovery agent A trust relationship Public key CRL

Recovery agent Recovery agents can decrypt data and messages if the user's private key is no longer available. Although certificate authorities use trust models, a trust relationship doesn't directly apply here. A user's public key is already publicly available, so it isn't useful here. A certificate revocation list (CRL) is a list of revoked certificates and doesn't apply in this scenario.

Copies of lost private encryption keys can be retrieved from a key database by: Power users Recovery agents End users Backup operators

Recovery agents

Which of the following is a valid reason to use a wildcard certificate? Reduce the administrative burden of managing certificates. Support multiple private keys. Support multiple public keys. Increase the lifetime of the certificate.

Reduce the administrative burden of managing certificates. A wildcard certificate reduces the certificate management burden by using an asterisk (*) in place of child domain names. The certificate still has a single public and private key pair. The wildcard doesn't affect the lifetime of the certificate. See "Understanding Cryptography"

Your organization hosts a website with a backend database server. During a recent power outage, the server crashed, resulting in a significant amount of lost data. Which of the following can your organization implement to prevent this loss from occurring again? Disaster recovery procedures Redundancy Warm site Higher RTO

Redundancy Server redundancy solutions such as a failover cluster would prevent this type of loss. Additionally, a power redundancy solution such as an uninterruptible power supply (UPS) would prevent this. Disaster recovery procedures help restore the systems after a disaster, but they wouldn't prevent the incident. A warm site is an alternate site, but it wouldn't prevent data loss. The recovery time objective (RTO) identifies the time period when you plan to restore a system after an outage, but it doesn't prevent a loss.

Marge is reviewing an organization's auditing processes. She wants to ensure that security logs identify the employee responsible for any security alerts. Which of the following steps would BEST meet this requirement? Updating ACLs for all files and folders. Perform user access reviews at least annually. Removing all shared accounts. Implement role-based privileges.

Removing all shared accounts. Removing all shared accounts is the best answer of the available choices. If two employees are using the same account, and one employee maliciously deletes data in a database, it isn't possible to identify which employee deleted the data. In contrast, if all employees had unique accounts and one employee deleted data in a database, the logs would reflect the actions of that one employee. The file and folder access control lists (ACLs) define permissions for accounts and groups. They can restrict access, but if employees are using shared accounts, the permissions will be the same for everyone using the same shared account. Role-based (or group-based) privileges assign the same permissions to all members of a group. This simplifies administration. However, users still have unique accounts and the actions are logged using their unique accounts. User access reviews help ensure users have only the access they need, and the organization is following established procedures. It might discover shared accounts, but a better solution for this scenario is to remove the shared accounts now, instead of during an annual review.

Some protocols include timestamps and sequence numbers. These components help protect against what type of attacks? Replay Smurf Salting Flood guards

Replay Timestamps and sequence numbers act as countermeasures against replay attacks. Blocking directed broadcasts prevents smurf attacks. Flood guards protect against SYN (synchronize) attacks. Salting protects against brute force attacks on passwords.

Replay Attacks ○ Steal all the authentication data transferred between two clients, then try to send out that authentication data again to pretend to be one of the two ○ Timestamps and sequence numbers thwart this ○ Kerberos uses timestamps

Hardware-based RAID Level 1: (Select 3 answers) Requires at least 2 drives to implement Is also known as disk striping Offers improved performance in comparison to RAID 0 Offers improved reliability by creating identical data sets on each drive (failure of one drive does not destroy the array as each drive contains an identical copy of the data) Is also referred to as disk mirroring

Requires at least 2 drives to implement Offers improved reliability by creating identical data sets on each drive (failure of one drive does not destroy the array as each drive contains an identical copy of the data) Is also referred to as disk mirroring

Homer called into the help desk and says he forgot his password. Which of the following choices is the BEST choice for what the helpdesk professional should do? Look up the user's password and tell the user what it is. Verify the user's account exists. Reset the password and configure the password to expire after the first use. Disable the user's account.

Reset the password and configure the password to expire after the first use. In this scenario, it's best to create a temporary password that expires after first use, which forces the user to create a new password. It's not necessary to verify the user's account exists, but the helpdesk professional should verify the identity of the user. Passwords should not be available in such a way that allows helpdesk professionals to look them up. It is not necessary to disable a user account to reset the password. See "Mastering Security Basics"

Which of the following terms relates closely to the concept of residual risk? Firewall rules Virtualization Risk acceptance Quantitative risk assessment

Risk acceptance A business decision; we'll take the risk!

Your organization hosts three wireless networks for different purposes. A recent site survey audit discovered the information shown in the following table (SSID / Security / Channel / Power): GetCertifiedVisitors / WPA2 / 1 / 71 dBm; GetCertifiedEmployee / WPA2 / 2 / 94 dBm; GetCertifiedEmployees / WPA2 / 3 / 73 dBm; GetCertifiedKiosk / WPA2 / 5 / 79 dBm. What does this indicate? Interference Rogue access point Evil twin Near field communication

Rogue access point This indicates a rogue access point because the organization is hosting three wireless networks, but the survey found four. A rogue access point typically has a similar name (such as GetCertifiedEmployee in this example). An evil twin will have the exact name as an authorized WAP. An interference or jamming attack would make it difficult to connect to the access points, causing users to disconnect often. Near field communication (NFC) refers to two devices communicating when they are close to each other and is unrelated to this scenario.

An administrator needs to grant users access to different servers based on their job functions. Which access control model is the BEST choice to use? Discretionary access control Role-based access control Rule-based access control Mandatory access control

Role-based access control The role-based access control model is the best choice for assigning access based on job functions. A discretionary access control model specifies that every object has an owner and owners have full control over objects, but it isn't related to job functions. Mandatory access control uses labels and a lattice to grant access rather than job functions. A rule-based access control model uses rules that trigger in response to events.

A collection of software tools used by a hacker in order to mask intrusion and obtain administrator-level access to a computer or computer network is known as: Backdoor Botnet Honeypot Rootkit Armored virus

Rootkit

Lisa recently completed an external security audit for an organization. She discovered that Otto left the organization to become a school bus driver, but his account remains enabled. Which of the following would have discovered this before Lisa discovered it? User rights and permissions review Account management processes Routine account audits Change management procedures

Routine account audits Routine account audits would discover the original problem (not disabling or deleting the account). Routine account audits might be done on a weekly or monthly basis. Note that the question isn't asking what process wasn't followed to disable or delete the account, but instead it is asking how the organization could have discovered it before the external audit. Account management processes include disabling and/or deleting accounts that are no longer needed. If this process was followed, Otto's account would be either disabled or deleted. However, following the established account management procedures doesn't detect when the procedures aren't followed. Change management refers to making changes to systems. It isn't related to disabling accounts of previous employees. A user rights and permissions review helps ensure that users don't have more rights and permissions than they need for their job. It isn't related to previous employees. Objective: 5.3 Install and configure security controls when performing account management, based on best practices.

Security administrators have recently implemented several security controls to enhance the network's security posture. Management wants to ensure that these controls continue to function as intended. Which of the following tools is the BEST choice to meet this goal? Design review Routine audit Change management Black box test

Routine audit A routine audit can verify controls are continuing to operate as intended. Change management controls can help ensure that systems don't suffer from unintended outages after a change, and although change management helps ensure the controls aren't modified, it doesn't necessarily ensure the controls continue to operate as intended. A design review would be done before the controls are deployed. A black box test is a type of penetration test where the testers don't have any knowledge of the system, so it wouldn't be able to identify if the controls are functioning as intended.

Your organization security policy requires that personnel notify security administrators if an incident occurs. However, this is not occurring consistently. Which of the following could the organization implement to ensure security administrators are notified in a timely manner? User rights and permissions reviews Routine auditing Incident response team Design review

Routine auditing Routine auditing of the help desk or administrator logs can discover incidents and then match them with reported incidents. A review of user rights and permissions helps ensure they are assigned and maintained appropriately, but does not help with ensuring incidents are reported correctly. A design review ensures that systems and software are developed properly. An incident response team responds to incidents, but it wouldn't necessarily ensure administrators are informed of incidents. See "Managing Risk"

Bart has read access to an accounting database and Lisa has both read and write access to this database. A database application automatically triggers a change in permissions so that Bart has both read and write access when Lisa is absent. What type of access control system is in place? DAC RoleBAC RuleBAC MAC

RuleBAC A rule-based access control system (ruleBAC) is in place in this scenario with a rule designed to trigger a change in permissions based on an event. The mandatory access control (MAC) model uses labels to identify users and data, and is used in systems requiring a need to know. A discretionary access control (DAC) model does not use triggers. A role-based access control (roleBAC) system uses group-based privileges.

Which of the following protocols operates on Layer 7 of the OSI model? TCP IPv6 SCP ARP

SCP Secure Copy (SCP) operates on Layer 7 of the OSI model. IPv6 operates on Layer 3. TCP operates on Layer 4. Address Resolution Protocol (ARP) operates on Layer 2. See "Understanding Basic Network Security"

A network protocol for secure file transfer over Secure Shell (SSH) is called: TFTP SFTP Telnet FTPS

SFTP

Of the following choices, what can you use to verify data integrity? DES RC4 AES SHA

SHA Secure Hash Algorithm (SHA) is one of many available hashing algorithms used to verify data integrity. None of the other options are hashing algorithms. Advanced Encryption Standard (AES), Data Encryption Standard (DES), and Rivest Cipher 4 (RC4) are symmetric encryption algorithms.

Which of the following answers list the protocol and port number used by a spam filter? (Select 2 answers) HTTPS 23 SMTP 443 TELNET 25

SMTP 25

Your organization hosts a web site within a DMZ and the web site accesses a database server in the internal network. ACLs on firewalls prevent any connections to the database server except from the web server. Database fields holding customer data are encrypted and all data in transit between the web site server and the database server is encrypted. Which of the following represents the GREATEST risk to the data on the server? Sniffing SQL injection XML injection Theft of the database server

SQL injection A SQL injection attack allows an attacker to send commands to the database server to access data. Encryption protects it on the server and in transit, but the web server can decrypt it. Because the data in the database server is encrypted, theft of the server isn't a significant risk. There aren't any indications that the database server is replying with Extensible Markup Language (XML) data, so an XML injection attack isn't a risk. Because data is encrypted while in transit, sniffing isn't a significant risk.

Your organization's security policy requires that PII data at rest and PII data in transit be encrypted. Of the following choices, what would the organization use to achieve these objectives? (Select TWO.) FTP SMTP SSH HTTP PGP/GPG

SSH PGP/GPG You can use Secure Shell (SSH) to encrypt Personally Identifiable Information (PII) data when transmitting it over the network (data in transit). While Pretty Good Privacy (PGP)/GNU Privacy Guard (GPG) is primarily used to encrypt email, it can also be used to encrypt data at rest. File Transfer Protocol (FTP), Simple Mail Transfer Protocol (SMTP), and Hypertext Transfer Protocol (HTTP) transmit data in cleartext unless they are combined with an encryption protocol. See "Understanding Basic Network Security" and "Understanding Cryptography"

Which of the following list of protocols use TCP port 22 by default? FTPS, TLS, SCP HTTPS, SSL, TLS SCP, SFTP, FTPS SSH, SCP, SFTP SCP, SSH, SSL

SSH, SCP, SFTP Secure Shell (SSH) uses Transmission Control Protocol (TCP) port 22 by default. Secure Copy (SCP) and Secure File Transfer Protocol (SFTP) both use SSH for encryption so they also use port 22 by default. File Transfer Protocol Secure (FTPS) uses either Secure Sockets Layer (SSL) or Transport Layer Security (TLS), typically on ports 989 or 990. Hypertext Transfer Protocol Secure (HTTPS) uses SSL or TLS on port 443. TLS and SSL do not have a default port by themselves, but instead use a default port based on the protocols they are encrypting.

Management at your company recently decided to implement additional lighting and fencing around the property. Which security goal is your company MOST likely pursuing? Integrity Confidentiality Safety Availability

Safety Lighting and fencing are two methods that can enhance the security goal of safety. Confidentiality is enhanced with encryption and access controls. Integrity is enhanced with hashing, certificates, and digital signatures. Availability is enhanced with redundancy and fault-tolerance procedures.

Key personnel in your organization have mobile devices, which store sensitive information. What can you implement to prevent data loss from these devices if a thief steals one? GPS tracking Asset tracking Mobile device management Screen lock

Screen lock A screen lock helps prevent data loss in the event of theft of a mobile device storing sensitive information. Other security controls (not listed as answers in this question) that help prevent loss of data in this situation are account lockouts, full device encryption, and remote wipe capabilities. Asset tracking is an inventory control method. Mobile device management helps keep systems up to date with current patches. Global positioning system (GPS) tracking helps locate the device.

Which of the following is the MOST likely negative result if administrators do not implement access controls correctly on an encrypted USB hard drive? Data can be corrupted. Security controls can be bypassed. Drives can be geotagged. Data is not encrypted.

Security controls can be bypassed. If access controls are not implemented correctly, an attacker might be able to bypass them and access the data. The incorrect implementation of the access controls won't corrupt the data. Files such as pictures posted on social media can be geotagged, but this is unrelated to a hard drive. The scenario says the drive is encrypted, so the data is encrypted.

Which of the following is a management control? Least privilege Security policy Encryption Change management

Security policy Written security policies are management controls. Encryption and the principle of least privilege are technical controls. Change management is an operational control. See "Exploring Operational Security"

An e-commerce website does not currently have an account recovery process for customers who have forgotten their passwords. Which of the following choices are the BEST items to include if website designers add this process? (Select TWO.) Implement biometric authentication. Set a temporary password that expires upon first use. Email the password to the user. Create a web-based form that verifies customer identities using another method.

Set a temporary password that expires upon first use. Create a web-based form that verifies customer identities using another method. A web-based form using an identity-proofing method, such as requiring users to enter the name of their first pet, can verify their identity. Setting a password that expires upon first use ensures that the user changes the password. Biometric authentication is not reasonable for an online e-commerce website. Emailing the password is a possibility, but not without configuring the password to expire upon first use. See "Mastering Security Basics"

You're asked to identify who is accessing a spreadsheet containing employee salary data. Detailed logging is configured correctly on this file. However, you are unable to identify a specific person who is accessing the file. What is the MOST likely reason? Account lockout has been enabled. Shared accounts are not prohibited. Guest accounts are disabled. Permissions for the file were assigned to a group.

Shared accounts are not prohibited. The most likely reason of those given is that shared accounts are not prohibited, allowing multiple users to access the same file. For example, if the Guest account is enabled and used as a shared account by all users, the logs will indicate the Guest account accessed the file, but they won't identify specific individuals. It doesn't matter how permissions are assigned in order for a log to identify who accessed the file. Account lockout stops someone from guessing a password, but it doesn't affect file access logs.

A HIDS reported a vulnerability on a system using an assigned vulnerability identification number. After researching the number on the vendor's web site, you identify the recommended solution and begin applying it. What type of HIDS is in use? Signature-based Network-based Anomaly-based Heuristic-based

Signature-based If the issue has an assigned number, it must be known, so it is signature-based. A host-based intrusion detection system (HIDS) is not network-based. A heuristic-based (or anomaly-based) detection system catches issues that are not previously known.

Your organization is planning to implement a BYOD policy. Which of the following security controls will help protect data using containerization? Storage segmentation Encrypt sensitive data Full device encryption Asset tracking

Storage segmentation Storage segmentation is one way to protect company data on mobile devices. It isolates data (and sometimes applications) in a secure area of a user's device. This segmented area is typically encrypted and requires authentication for access. Loss of company data is a critical concern and is typically addressed in Bring Your Own Device (BYOD) security policies. Another way to look at this question is "Which of the following is MOST commonly used for BYOD data containerization?" Encrypting sensitive data is the second-best choice. Containerization typically uses encryption, but encrypting data doesn't necessarily protect all the company data in a secure container. It isn't necessary to encrypt all data on the device. This would encrypt the user's data too, which is beyond the goal of protecting company data in the question. Asset tracking is an important security control for company-owned devices, but is less important for user-owned devices. You would want to ensure you know which devices have been authorized, but doing so wouldn't protect company data in secure containers.

Which of the following is a symmetric encryption algorithm that encrypts data one bit at a time? Block cipher Stream cipher DES AES MD5

Stream cipher A stream cipher encrypts data a single bit or a single byte at a time and is more efficient when the size of the data is unknown, such as streaming audio or video. A block cipher encrypts data in specific-sized blocks, such as 64-bit blocks or 128-bit blocks. Advanced Encryption Standard (AES), Data Encryption Standard (DES), and Message Digest 5 (MD5) are all block ciphers. See "Understanding Cryptography."

Your organization was recently attacked, resulting in a data breach, and attackers captured customer data. Management wants to take steps to better protect customer data. Which of the following will BEST support this goal? Hashing and digital signatures Fault tolerance and redundancy Succession planning and data recovery procedures Stronger access controls and encryption

Stronger access controls and encryption Strong access controls and encryption are two primary methods of protecting the confidentiality of any data, including customer data. Succession planning and data recovery procedures are part of business continuity. Fault tolerance and redundancy increase the availability of data. Hashing and digital signatures provide integrity. See "Securing Hosts and Data"

A network administrator needs to update the operating system on switches used within the network. Assuming the organization is following standard best practices, what should the administrator do first? Submit a request using the incident management process. Submit a request using the application patch management process. Submit a request using the baseline configuration process. Submit a request using the change management process.

Submit a request using the change management process. The network administrator should submit a change using the change management process, which is the same process that is typically used for changes to any devices or systems. A baseline configuration identifies the starting configuration. Incident management addresses security incidents. A regular patch management process typically includes following change management, but application patch management does not apply to devices.

You need to divide a single Class B IP address range into several ranges. What would you do? Subnet the Class B IP address range. Create a virtual LAN. Implement STP. Create a DMZ.

Subnet the Class B IP address range. You can divide any classful IP address range by subnetting it. This breaks up a larger range of IP addresses into smaller network segments or blocks of IP addresses. A virtual local area network (VLAN) divides groups of computers logically, but doesn't use IP ranges. A demilitarized zone (DMZ) is a buffered zone between a protected network and a public network. Spanning Tree Protocol (STP) prevents looping problems caused by incorrect cabling.

A BCP includes a chart listing roles within the organization along with their matching responsibilities during a disaster. It also includes a chain of command. What is the purpose of this chart? IT contingency planning COOP Succession planning RTO

Succession planning Succession planning clarifies who can make decisions during a disaster and can be documented in a chart listing roles and responsibilities along with a chain of command. IT contingency planning focuses on recovery of IT systems. Continuity of operations planning (COOP) identifies methods, such as alternate sites, that an organization can implement after a disaster. Recovery time objective (RTO) identifies the maximum amount of time it should take to restore a system after an outage.

Monty Burns is the CEO of the Springfield Nuclear Power Plant. What would the company have in place in case something happens to him? Business continuity planning IT contingency planning Separation of duties Succession planning

Succession planning Succession planning identifies people within an organization who can fill leadership positions if they become vacant. It is also helpful during a disaster by ensuring people understand their roles and responsibilities. A succession planning chart is often in a business continuity plan (BCP), but business continuity planning is much broader than just succession planning. A separation of duties policy separates individual tasks of an overall function between different people. IT contingency planning focuses on recovery of IT systems. See "Preparing for Business Continuity"

What type of encryption does the RADIUS protocol use? SHA MD5 Asymmetric Symmetric

Symmetric Remote Authentication Dial-In User Service (RADIUS) uses symmetric encryption. It does not use asymmetric encryption, which uses a public key and a private key. Message Digest 5 (MD5) and Secure Hash Algorithm (SHA) are hashing algorithms.

Which of the answers listed below refer(s) to the Advanced Encryption Standard (AES): (Select all that apply) Symmetric-key algorithm 128-, 192-, and 256-bit keys Asymmetric-key algorithm Block cipher algorithm Stream cipher algorithm

Symmetric-key algorithm 128-, 192-, and 256-bit keys Block cipher algorithm AES (Advanced Encryption Standard) • US Federal Government Standard • 128-bit block cipher - 128-, 192-, and 256-bit keys • Used in WPA2 - Powerful wireless encryption

Which of the following answers refers to a Cisco-proprietary alternative to RADIUS? LDAP Kerberos SAML TACACS+

TACACS+ The latest Cisco proprietary version of TACACS • Not backwards compatible • More authentication requests and response codes

A network administrator needs to open a port on a firewall to support a VPN using PPTP. What ports should the administrator open? TCP 1723 UDP 47 TCP 50 UDP 1721

TCP 1723 A virtual private network (VPN) using Point-to-Point Tunneling Protocol (PPTP) requires Transmission Control Protocol (TCP) port 1723 open. It would also need protocol ID 47 open, but the protocol ID is not a port. Internet Protocol security (IPsec) uses protocol ID 50. See "Understanding Basic Network Security" and "Securing Your Network"

Which of the protocols listed below does not provide authentication? FTP TFTP SCP SFTP

TFTP

Which two protocols provide strong security for the Internet with the use of certificates? (Choose TWO.) TLS SCP SSH SSL SFTP

TLS SSL Secure Sockets Layer (SSL) and Transport Layer Security (TLS) secure Internet traffic with the use of certificates. Secure Shell (SSH) encrypts traffic such as Secure Copy (SCP), Secure File Transfer Protocol (SFTP), and Telnet but none of these use certificates. See "Understanding Cryptography"

Your organization is planning to establish a secure link between one of your mail servers and a business partner's mail server. The connection will use the Internet. What protocol is the BEST choice? TLS SMTP HTTP SSH

TLS Transport Layer Security (TLS) is a good choice to create a secure connection between two systems over the Internet. Although the mail servers will likely exchange mail using Simple Mail Transfer Protocol (SMTP), SMTP by itself will not create a secure link. Similarly, Hypertext Transfer Protocol (HTTP) doesn't create a secure link. Although Secure Shell (SSH) creates a secure connection, it isn't used with SMTP.

A heavily used application accesses a financial database on a server within your network. Due to recent data breaches, management wants to ensure transport encryption protects this data. Which of the following algorithms is the BEST choice to meet this goal? SSL SHA TLS CRL

TLS Transport Layer Security (TLS) is a transport encryption protocol that can protect the data while it is in transit. Secure Sockets Layer (SSL) is also a transport encryption protocol, but TLS is recommended instead. Secure Hash Algorithm (SHA) is a hashing algorithm, not an encryption protocol. Both SSL and TLS use certificates and revoked certificates are published in a certificate revocation list (CRL), but a CRL is not a transport encryption protocol.

What type of encryption protocols are used by Secure LDAP (LDAPS)? (Select all that apply) TLS UDP SSL IP TCP

TLS SSL

Your organization is planning to implement remote access capabilities. Management wants strong authentication and wants to ensure that passwords expire after a predefined time interval. Which of the following choices BEST meets this requirement? HOTP CAC Kerberos TOTP

TOTP A Time-based One-Time Password (TOTP) meets this requirement. Passwords created with TOTP expire after 30 seconds. HMAC-based One-Time Password (HOTP) creates passwords that do not expire. A Common Access Card (CAC) is a type of smart card, but it does not create passwords. Kerberos uses tickets instead of passwords.

Your organization is planning to implement stronger authentication for remote access users. An updated security policy mandates the use of token-based authentication with a password that changes every 30 seconds. Which of the following choices BEST meets this requirement? TOTP Smart card CHAP HOTP

TOTP A Time-based One-Time Password (TOTP) creates passwords that expire after 30 seconds. An HMAC-based One-Time Password (HOTP) creates passwords that do not expire. Challenge Handshake Authentication Protocol (CHAP) uses a nonce (a number used once), but a nonce does not expire after 30 seconds. See "Mastering Security Basics"

An algorithm used for computing a one-time password from a shared secret key and the current time is known as: HOTP PAP TOTP CHAP

TOTP TOTP - Time-based One-Time Password • Use a secret key and the time of day • Secret key is configured ahead of time • Timestamps are synchronized via NTP • Timestamp usually increments every 30 seconds • Put in your username, password, and TOTP code • One of the more common OTP methods • Used by Google, Facebook, Microsoft, etc.

The BCP coordinator at your organization is leading a meeting onsite with key disaster recovery personnel. The purpose of the meeting is to perform a test. What type of test is this? Full-blown test Tabletop exercise Functional exercise Simulation to perform steps of a plan

Tabletop exercise A tabletop exercise is discussion-based and is typically performed in a classroom or conference room setting. Because this is a meeting led by the business continuity plan (BCP) coordinator, it is a tabletop exercise. Functional exercises are hands-on exercises and include simulations and full-blown tests.

After a recent incident, a forensic analyst was given several hard drives to analyze. What should the analyst do first? Take hashes and capture system images. Take screenshots and capture system images. Take hashes and screenshots. Perform antivirus scans and create chain-of-custody documents.

Take hashes and capture system images. Forensic analysts capture images and take hashes before beginning analysis, and they only analyze the image copies, not the original drive. Screenshots are taken when a computer is running. An antivirus scan might modify the drive, and chain-of-custody documents are created when evidence is collected.

Port number 23 is used by: SMTP SSH Telnet TFTP

Telnet

Homer wants to send a secure email to Marge so he decides to encrypt it. Homer wants to ensure that Marge can verify that he sent it. Which of the following does Marge need to verify the certificate that Homer used in this process is valid? The CA's public key The CA's private key Marge's public key Marge's private key

The CA's public key Marge would verify Homer's certificate is valid by querying the Certificate Authority (CA) that issued Homer's certificate, and the CA's public certificate includes the CA's public key. Homer would use a digital signature to provide verification that he sent the message. Homer would encrypt the digital signature with his private key and Marge would decrypt the digital signature with Homer's public key. The CA's private key remains private. Marge's keys are not used for Homer's digital signature, but might be used for the encryption of the email.

Your organization is hosting a wireless network with an 802.1x server using PEAP. On Thursday, users report they can no longer access the wireless network. Administrators verified the network configuration matches the baseline, there aren't any hardware outages, and the wired network is operational. Which of the following is the MOST likely cause for this problem? DNS is providing incorrect host names. DHCP is issuing duplicate IP addresses. The RADIUS server certificate expired. MAC filtering is enabled.

The RADIUS server certificate expired. The most likely cause is that the Remote Authentication Dial-In User Service (RADIUS) server certificate expired. An 802.1x server is implemented as a RADIUS server and Protected Extensible Authentication Protocol (PEAP) requires a certificate. If Domain Name System (DNS) or Dynamic Host Configuration Protocol (DHCP) failed, it would affect both wired and wireless users. Media access control (MAC) address filtering might cause this symptom if all MAC addresses were blocked, but the scenario states that there weren't any network configuration changes. See "Securing Your Network"

A manager is suspected of leaking trade secrets to a competitor. A security investigator is examining his laptop and notices a large volume of vacation pictures on the hard drive. Data on this laptop automatically uploads to a private cloud owned by the company once a week. The investigator noticed that the hashes of most of the pictures on the hard drive are different from the hashes of the pictures in the cloud location. Which of the following is the MOST likely explanation for this scenario? The manager is leaking data using steganography methods. The manager is leaking data using digital signatures. The manager is leaking data using hashing methods. The manager is not leaking data.

The manager is leaking data using steganography methods. The manager is most likely leaking data using steganography methods by embedding the data into the vacation pictures. If the file is the same, the hash of the file and the hash of a file copy should be the same. Because the hashes are different, it indicates the files are different and the most likely explanation is because some of the files have other data embedded within them. Hashing and digital signatures are not methods that would support leaking data. The scenario indicates the manager is suspected of leaking data, and the different hashes provide evidence to support this suspicion.

While reviewing logs on a firewall, you see several requests for the AAAA record of gcgapremium.com. What is the purpose of this request? To identify the IPv6 address of gcgapremium.com To identify the mail server for gcgapremium.com To identify any aliases used by gcgapremium.com To identify the IPv4 address of gcgapremium.com

To identify the IPv6 address of gcgapremium.com A Domain Name System (DNS) AAAA record identifies the IPv6 address of a given name. An A record identifies the IPv4 address of a given name. An MX record identifies a mail server. A CNAME record identifies aliases.

In the OSI model, TCP resides at the: Physical layer Network layer Application layer Session layer Transport layer

Transport layer

An IPsec mode providing encryption only for the payload (the data part of the packet) is known as: Protected mode Tunnel mode Transport mode Safe mode

Transport mode

In asymmetric encryption, any message encrypted with the use of the public key can only be decrypted by applying the same algorithm and the matching private key. True False

True

In asymmetric encryption, data encrypted with the use of a private key can only be decrypted with the use of a matching public key. True False

True

A digital signature is a hash of a message that uniquely identifies the sender of the message and provides a proof that the message hasn't changed in transit. True False

True. Digital signature: Sign with the private key • The message doesn't need to be encrypted • Verify with the public key • Any change in the message will invalidate the signature

VLAN membership can be set through: (Select all that apply) IP address Trunk port Physical address Group permissions MAC address

Trunk port Physical address MAC address

Which IPsec mode provides encryption for the entire packet? Tunnel Host-to-host Payload Transport

Tunnel

Which of the following ensures the privacy of a VPN connection? Hashing Tunneling Authentication Cleartext credentials

Tunneling

You need to prevent the use of TFTP through your firewall. Which port would you block? TCP 69 UDP 69 UDP 21 TCP 21

UDP 69 You should block UDP port 69 to block Trivial File Transfer Protocol (TFTP). TFTP does not use TCP. File Transfer Protocol (FTP) uses TCP port 21.

Your organization wants to combine some of the security controls used on the network. What could your organization implement to meet this goal? SSO UTM VLAN VPN

UTM A unified threat management (UTM) device combines multiple security controls into a single device. Single sign-on allows users to sign on once and access multiple resources without signing on again. Users can access a private network over a public network via a virtual private network (VPN). You can configure a virtual local area network (VLAN) on a switch to group computers together logically.

Management recently learned that several employees are using the company network to visit gambling and gaming websites. They want to implement a security control to prevent this in the future. Which of the following choices would meet this need? DMZ NIDS WAF UTM

UTM A unified threat management (UTM) device typically includes a URL filter and can block access to websites, just as a proxy server can block access to websites. A web application firewall (WAF) protects a web server from incoming attacks. A demilitarized zone (DMZ) is a buffered zone between protected and unprotected networks, but it does not include URL filters. A network-based intrusion detection system (NIDS) can detect attacks, but doesn't include outgoing URL filters. See "Understanding Basic Network Security"

A user recently worked with classified data on an unclassified system. You need to sanitize all the reclaimed space on this system's hard drives while keeping the system operational. Which of the following methods will BEST meet this goal? Degauss the disk. Use a cluster tip wiping tool. Physically destroy the disk. Use a file shredding tool.

Use a cluster tip wiping tool. A cluster tip wiping tool sanitizes reclaimed space on hard drives. The cluster tip is the extra space in the last cluster of a file, which can hold remnants of data. A file shredding tool successfully erases a file, but does not affect clusters in reclaimed space. Degaussing the disk magnetically erases it, and physically destroying the disk is the most secure method protecting its confidentiality, but both of these methods take the system out of operation.

You are configuring a file server used to share files and folders among employees within your organization. However, employees should not be able to access all folders on this server. Which of the following choices is the BEST method to manage security for these folders? Assign permissions to each user as needed. Delegate authority to assign these permissions. Use security groups with appropriate permissions. Wait for users to request permission and then assign the appropriate permissions.

Use security groups with appropriate permissions. You can create security groups, place users into these groups, and grant access to the folders by assigning appropriate permissions to the security groups. For example, the security groups might be Sales, Marketing, and HR, and you place users into the appropriate group based on their job. This is an example of using group-based privileges. Waiting for users to ask, and then assigning permissions to users individually, has a high administrative overhead. Although delegating authority to assign permissions might work, it doesn't provide the same level of security as centrally managed groups, and without groups, it will still have a high administrative overhead for someone. See "Exploring Control Types and Methods"

Which of the following answers list the characteristic features of the Mandatory Access Control (MAC) model? (Select 3 answers) Users are not allowed to change access policies at their own discretion Labels and clearance levels can only be applied and changed by an administrator Every object has an owner who at his/her own discretion determines what kind of permissions other users can have to that object Access to resources based on user identity Every resource has a sensitivity label matching a clearance level assigned to a user

Users are not allowed to change access policies at their own discretion Labels and clearance levels can only be applied and changed by an administrator Every resource has a sensitivity label matching a clearance level assigned to a user

Your organization frequently has guests visiting in various conference rooms throughout the building. These guests need access to the Internet via wall jacks, but should not be able to access internal network resources. Employees need access to both the internal network and the Internet. What would BEST meet this need? DMZ and VPN VLANs and 802.1x PAT and NAT Routers and Layer 3 switches

VLANs and 802.1x An 802.1x server provides port-based authentication and can authenticate clients. Clients that cannot authenticate (the guests in this scenario) can be redirected to a virtual local area network (VLAN) that grants them Internet access, but not access to the internal network. None of the other solutions provides port security or adequate network separation. Port Address Translation (PAT) and Network Address Translation (NAT) each translate private IP addresses to public IP addresses. A demilitarized zone (DMZ) provides a buffer zone between a public network and a private network for public-facing servers. A virtual private network (VPN) provides access to a private network via a public network. Routers work on Layer 3, and Layer 3 switches mimic some of the functionality of routers.

A network administrator needs to ensure the company's network is protected against smurf attacks. What should the network administrator do? Install flood guards. Use salting techniques. Verify border routers block directed broadcasts. Ensure protocols use timestamps and sequence numbers.

Verify border routers block directed broadcasts. Smurf attacks are blocked by preventing routers from passing directed broadcasts, especially border routers with direct access to the Internet. Flood guards protect against SYN (synchronize) flood attacks. Salting techniques add additional characters to passwords to thwart brute force attacks. Timestamps and sequence numbers are useful to protect against replay attacks, but not smurf attacks.

A user calls into the help desk and asks the helpdesk professional to reset his password. Which of the following choices is the BEST choice for what the helpdesk professional should do before resetting the password? Verify the user's original password. Disable the user's account. Enable the user's account. Verify the user's identity.

Verify the user's identity. Before resetting a user's password, it's important to verify the user's identity. Users often need the password reset because they have forgotten their original password, so it's not possible to verify the user's original password. It's not necessary to disable a user account to reset the password. You would enable the account if it was disabled or locked out, but the scenario doesn't indicate

An IT department recently had its hardware budget reduced, but the organization still expects them to maintain availability of services. Of the following choices, what would BEST help them maintain availability with a reduced budget? Failover clusters Bollards Virtualization Hashing

Virtualization Virtualization provides increased availability because it is much easier to rebuild a virtual server than a physical server after a failure. Virtualization supports a reduced budget because virtual servers require less hardware, less space in a data center, less power, and less heating and air conditioning. Failover clusters are more expensive. Bollards are physical barriers that block vehicles. Hashing provides integrity, not availability.

Which of the following answers lists an example method for passive test of security controls? Tabletop exercises Pentest Vulnerability scan War chalking

Vulnerability scan

You suspect that a database server used by a web application does not have current patches. Which of the following is the BEST action to take to verify the server has up-to-date patches? Vulnerability scan Host enumeration Port scan Protocol analyzer

Vulnerability scan A vulnerability scan determines if the system has current patches and is the best choice of those given. A port scan identifies open ports. A protocol analyzer (sniffer) captures traffic for analysis. Host enumeration identifies hosts on a network based on their IP addresses.

A war driver is capturing traffic from a wireless network. When an authorized client connects, the attacker is able to implement a brute force attack to discover the encryption key. What type of attack did this war driver use? WPS attack WPA cracking Packet injection IV attack

WPA cracking A Wi-Fi Protected Access (WPA) cracking attack captures traffic and then performs an offline brute force attack to discover the encryption key. Wi-Fi Protected Setup (WPS) attacks also use a brute force attack, but do not need to wait for an authorized client to connect. Initialization vector (IV) attacks often use packet injection techniques to generate more traffic in Wired Equivalent Privacy (WEP) attacks.

You are planning a wireless network for a business. A core requirement is to ensure that the solution encrypts user credentials when users enter their usernames and passwords. Which of the following BEST meets this requirement? WPA2-PSK WPS with LEAP WEP over PEAP WPA2 over EAP-TTLS

WPA2 over EAP-TTLS Wi-Fi Protected Access II (WPA2) over Extensible Authentication Protocol (EAP) Tunneled Transport Layer Security (EAP-TTLS) is the best solution from the available answers. Because users must enter their usernames and passwords, an 802.1x solution is required and EAP-TTLS meets this requirement. WPA2 pre-shared key (PSK) does not authenticate users based on their usernames. Wired Equivalent Privacy (WEP) is not recommended for use even with Protected EAP (PEAP). Wi-Fi Protected Setup (WPS) is a standard designed to simplify the setup of a wireless network, but it does not implement usernames, and Cisco recommends using stronger protocols rather than Lightweight EAP (LEAP). See "Securing Your Network"

You are assisting a user implementing a wireless network in his home. The wireless hardware he has requires the RC4 protocol. What type of security is BEST for this network? WPA-TKIP WPA-AES WPA2 Enterprise WEP

WPA-TKIP Temporal Key Integrity Protocol (TKIP) uses RC4 and is compatible with older hardware, so Wi-Fi Protected Access (WPA) with TKIP is the best option for this network. Wired Equivalent Privacy (WEP) uses RC4, but it is not secure and should not be used. WPA with Advanced Encryption Standard (AES) is stronger, but it uses AES instead of RC4. Wi-Fi Protected Access II (WPA2) Enterprise requires an 802.1x server and does not use RC4.

Which of the following fall(s) into the category of social engineering attacks? (Select all that apply) Whaling MITM attack Shoulder surfing Bluejacking Dumpster diving Bluesnarfing Tailgating Vishing

Whaling Shoulder surfing Dumpster diving Tailgating Vishing

Homer recently received an email thanking him for a purchase that he did not make. He asked an administrator about it and the administrator noticed a pop-up window, which included the following code: <body onload="document.getElementById('myForm').submit()"> <form id="myForm" action="gcgapremium.com/purchase.php" method="post"> <input name="Buy Now" value="Buy Now" /> </form> What is the MOST likely explanation? Buffer overflow SQL injection XSRF Fuzzing

XSRF A cross-site request forgery attack (XSRF) causes users to perform actions without their knowledge. This scenario indicates the user visited a web site, most likely through a malicious link, and the link initiated a purchase. None of the other attacks cause unsuspecting users to make purchases. A buffer overflow attacks a website and attempts to access system memory. A SQL injection attack attempts to access data on a database server. Fuzzing sends random data to an application to test its ability to handle the random data.

A penetration tester has successfully exploited a vulnerability against your organization giving him access to the following data:
User, password, logindate, cookieid
Homer, canipass, 2016-09-01 11:12, 286755fad04869ca523320acce0dc6a4
Bart, passican, 2016-09-01 11:15, 8edd7261c353c87a113269cd37635c68
Marge, icanpass, 2016-09-01 11:19, 26887fbd90ac0340e29ad62470270401
What type of attack does this represent? SQL injection XML injection XSS Session hijacking

XSS Cross-site scripting (XSS) is the best choice of the available answers. You can see that the penetration tester is looking at cookies because the header includes 'cookieid', and successful cross-site scripting (XSS) attacks allow attackers to capture user information such as cookies. Note that it is a poor programming practice to store user passwords within a cookie. However, poor programming practices are probably the reason why the pen tester was able to exploit an XSS vulnerability. A SQL injection attack uses a SQL statement, and typically includes a phrase such as or 1 = 1. An XML injection attack would include XML markup data, with XML tags within the < and > symbols. A session hijacking attack uses a cookie to take over a session. However, it's more than just the text within a cookie. See Chapter 6 of the CompTIA Security+: Get Certified Get Ahead: SY0-401 Study Guide for more information on attacks, including cross-site scripting attacks.

You need to provide connectivity between two buildings without running any cables. You decide to use two WAPs and a high-gain directional antenna. Which of the following antennas is the BEST choice to meet this need? Dipole Yagi Omni Isotropic

Yagi A Yagi antenna is a high-gain directional antenna with a very narrow radiation pattern and is an ideal choice for this scenario. An isotropic antenna is theoretical and indicates the signal goes in all directions equally. Omnidirectional and dipole antennas attempt to mimic an isotropic antenna, but have stronger gains horizontally than vertically, assuming they are standing vertically.

Your network IDS recently detected an attack on a server. Upon investigation, you discover that the IDS does not have a signature on this attack. Instead, the IDS detected it using a heuristic analysis. Of the following choices, what is the MOST likely category of this attack? CVE Definition Zero-day Phishing

Zero-day Heuristic analysis has the best chance of detecting a zero-day attack. A zero-day attack is one that is unknown to vendors, and because this attack doesn't have a signature, it is most likely unknown. Definition-based intrusion detection systems (IDSs) are the same as signature-based IDSs. Many signatures are based on the Common Vulnerabilities and Exposures (CVE) list. A phishing attack is an email, not an attack on a server.

Security personnel recently performed a security audit. They identified several employees who had permissions for previously held jobs within the company. What should the organization implement to prevent this in the future? Role-BAC model Account management controls Vulnerability assessment Account disablement policy

Account management controls Account management controls ensure that accounts only have the permissions they need and no more, and would ensure that user permissions are removed when users no longer need them. User rights and permission reviews also help ensure the controls are effective. A role-based access control (role-BAC) model uses group-based permissions, but it doesn't force administrators to take a user out of a security group when the user moves to a different job. An account disablement policy ensures accounts are disabled when an employee leaves. A vulnerability assessment might detect this as it reviews the organization's security posture, but it won't prevent it.

A user is complaining of a problem with his smartphone. The technician suspects the user has attempted to break out of the installed root jail and decides to review the user's history log. Which of the following entries MOST likely indicates the user attempted to escape from the root jail? chrootjail /root ls /root su root cd ../../../../bin/bash

cd ../../../../bin/bash The change directory to root (cd ../) command indicates the user is attempting to access the actual root of a system. A root jail changes the user's effective root directory (the highest level directory in the hierarchy). For example, imagine a user's root jail is /data/projects/security. The user can access the security directory and any directories within it. However, the user cannot see the /data/ directory or the /data/projects/ directory. For this user, the effective root is /security. Bash is the command language interpreter (or shell) for Linux, and the command is attempting to access it. The ls /root command attempts to list the contents of the root directory, but it doesn't break the user out of the jail. The su root command attempts to log into the root user account, but it requires you to enter the root's password. If the password is known, you can ultimately break out of the root jail, but this is less direct than the cd command.

Which of the following functionalities allows a DLP system to fulfil its role? Motion detection Environmental monitoring Content inspection Loop protection

content inspection

Log analysis should not take into account the difference between the reading of a system clock and standard time as this impedes the reconstruction of the sequence of events during an attack or security breach. t or f

f

A type of Intrusion Detection System (IDS) that relies on the previously established baseline of normal network activity in order to detect intrusions is known as a signature-based IDS. true or false

false Anomaly-based

Which of the following commands would you use on a Linux based system to identify a computer's MAC address? Mac Ipconfig Nslookup Ifconfig

ifconfig The ifconfig command will identify the media access control (MAC) address of a system, along with other TCP/IP details. More specifically, you can use the ifconfig -a command to show the MAC address. The ipconfig command is used on Windows systems, not Linux or Unix-based systems. Linux systems do not have a "mac" command.

A replay attack occurs when an attacker intercepts user credentials and tries to use this information later for gaining unauthorized access to resources on a network. t or f

t

While creating a web application, a developer adds code to limit data provided by users. The code prevents users from entering special characters. Which of the following attacks will this code MOST likely prevent? Sniffing Spoofing Pharming XSS

XSS A cross-site scripting (XSS) attack can be blocked by using input validation techniques to filter special characters such as the < and > characters used in HTML code. None of the other attacks requires the use of special characters. Sniffing captures data with a protocol analyzer. Spoofing hides the identity of the original entity. Pharming redirects a user from one web site to another website.

Which part of the 192.168.1.5/24 address identifies its network ID? 192 192.168 192.168.1 192.168.1.5

192.168.1

Which of the following answers lists the IPv6 loopback address? ::/128 FF00::/8 ::1 127.0.0.1

::1

Which of the following acronyms refers to a risk assessment formula defining probable financial loss due to a risk over a one-year period? ARO ALE SLE UAT

ALE

Which of the answers listed below refers to the correct formula for calculating probable financial loss due to a risk over a one-year period? SLE = AV x EF ALE = ARO x SLE SLE = ALE x AV ALE = AV x EF

ALE = ARO x SLE ALE (Annual Loss Expectancy) • ARO x SLE • 7 laptops stolen a year (ARO) x $1,000 (SLE) = $7,000

An estimate based on the historical data of how often a threat would be successful in exploiting a vulnerability is known as: ALE ARO SLE AUP

ARO Annualized Rate of Occurrence How likely is it that a hurricane will hit? In Montana? In Florida?

Which of the following answers list(s) example(s) of physical security control types? (Select all that apply) Fire suppression Environmental monitoring Biometrics Motion detection Video surveillance

Biometrics Motion detection Video surveillance

A type of exploit that relies on overwriting the contents of memory in order to cause unpredictable results in an application is called: IV attack SQL injection Buffer overflow Fuzz test

Buffer overflow Overwriting a buffer of memory • Spills over into other memory areas • Developers need to perform bounds checking • The bad guys spend a lot of time looking for openings • A really useful buffer overflow is repeatable

Which of the following security control types fall(s) into the category of detection controls? (Select all that apply) Warning signs CCTV monitoring Hardware locks Motion sensors IDS

CCTV monitoring Motion sensors IDS

Contracting out a specialized technical component when the company's employees lack the necessary skills is an example of: Risk deterrence Risk avoidance Risk acceptance Risk transference

Risk transference Buy some insurance

A system used to convert a computer's host name into an IP address on the Internet is known as: DNS NetBIOS TLS DHCP NAT

DNS The Domain Name System (DNS) is a hierarchical decentralized naming system for computers, services, or any resource connected to the Internet or a private network. It associates various information with domain names assigned to each of the participating entities.

Which of the following answers list(s) the characteristic features of pharming? (Select all that apply) Port scanning Dictionary attack DNS poisoning Rainbow table Domain spoofing

DNS poisoning Domain spoofing

Which of the answers listed below refers to an authentication framework frequently used in wireless networks and point-to-point connections? DLP OCSP EAP LDAP

EAP Extensible Authentication Protocol, or EAP, is an authentication framework frequently used in wireless networks and point-to-point connections. It is defined in RFC 3748, which made RFC 2284 obsolete, and was updated by RFC 5247.

Which of the answers listed below refers to an agreement established between the organizations that own and operate connected IT systems to document the technical requirements of the interconnection? ISA ALE MOU BPA

ISA Interconnection Security Agreement (ISA) • Used by US Federal Government to define security controls

Which of the answers listed below refers to an attack aimed at exploiting the vulnerability of WEP? MITM attack Smurf attack IV attack Xmas attack

IV attack IV is an extra bit of data thrown in to change the encryption stream • The IV changes each time data is sent (ideally) • With 802.11 WEP, the IV is passed along with the encrypted data • The other side reverses the process

Address Resolution Protocol (ARP) translates: (Select all that apply) Link layer addresses into IP addresses Domain names into IP addresses IP addresses into MAC addresses Network layer addresses into link layer addresses

IP addresses into MAC addresses Network layer addresses into link layer addresses

Which of the following answers apply to smurf attack? (Select 3 answers) IP spoofing Privilege escalation DDoS Polymorphic malware MITM attack Large amount of ICMP echo replies

IP spoofing DDoS Large amount of ICMP echo replies

Which of the following authentication protocols offer(s) countermeasures against replay attacks? (Select all that apply) PAP IPsec OCSP Kerberos CHAP

IPsec Kerberos CHAP

Which of the following protocols operate(s) at layer 3 (the network layer) of the OSI model? (Select all that apply) IPsec IPv6 HTTP IPv4 IMAP ICMP

IPsec IPv6 IPv4 ICMP

Which of the following programming aspects are critical in secure application development process? (Select 2 answers) Patch management Input validation Password protection Error and exception handling Application whitelisting

Input validation Error and exception handling

Which of the following examples falls into the category of technical security controls? Change management Acceptable Use Policy (AUP) Intrusion Detection System (IDS) Incident response procedure

Intrusion Detection System (IDS)

Which of the following acronyms refers to flash cookies? RPO BCP LSO CRP

LSO Locally Shared Objects • Also called Flash Cookies • Used by Adobe Flash Player to store data • Information is saved on the user's computer • On by default • Applies to all browsers • Data is stored in a common directory • Can only be read by the domain that created the LSO • www.example.com can only be read by www.example.com • Unless specifically passed to another domain

Which of the following examples falls into the category of deterrent security control types? Lighting Access lists Motion detection Alarms

Lighting

A document established between two or more parties to define their respective responsibilities in accomplishing a particular goal or mission is known as: BPA MOU SLE ISA

MOU Memorandum of Understanding • Informal letter of intent; not a signed contract • Usually includes statements of confidentiality

What is war chalking? Manipulating a user into disclosing confidential information Finding unsecured wireless networks Gaining unauthorized access to restricted areas by following another person Marking unsecured wireless networks

Marking unsecured wireless networks

Which of the following answers lists an example order of volatility for a typical computer system? Memory dump, disk files, temporary files, archival media Archival media, disk files, temporary files, memory dump Memory dump, temporary files, disk files, archival media Temporary files, memory dump, archival media, disk files

Memory dump, temporary files, disk files, archival media

Which of the following antenna types would provide the best coverage for workstations connecting to a WAP placed in a central point of a typical office? (Select all that apply) Omnidirectional Unidirectional Bidirectional Non-directional

Omnidirectional Non-directional

Which of the following acronyms refers to a solution allowing companies to cut costs related to the managing of internal calls? PBX POTS P2P PSTN

PBX A PBX (private branch exchange) is a telephone system within an enterprise that switches calls between enterprise users on local lines while allowing all users to share a certain number of external phone lines.

Which of the protocols listed below protects against switching loops? UTP OCSP STP HMAC

STP

Assessment of risk probability and its impact based on subjective judgment falls into the category of: Environmental controls Quantitative risk assessment Forensic procedures Qualitative risk assessment

Qualitative risk assessment It's qualitative because you cannot assign a dollar amount to it

A calculation of the Single Loss Expectancy (SLE) is an example of: Quantitative risk assessment Risk deterrence Qualitative risk assessment Incident management

Quantitative risk assessment • Assign a dollar value to risk

Which of the following acronyms refers to a maximum tolerable period of time required for restoring business functions after a failure or disaster? RAS RTO ROI RPO

RTO Recovery time objectives (RTO) • Get up and running quickly • Get back to a particular service lev

Hardware-based RAID Level 5: (Select 2 answers) Continues to operate in case of failure of more than 1 drive Requires at least 3 drives to implement Offers increased performance and fault tolerance (single drive failure does not destroy the array and lost data can be re-created from the remaining drives) Requires at least 5 drives to implement Is also referred to as disk duplexing

Requires at least 3 drives to implement Offers increased performance and fault tolerance (single drive failure does not destroy the array and lost data can be re-created from the remaining drives)

Disabling certain system functions or shutting down the system when risks are identified is an example of: Risk acceptance Risk avoidance Risk transference Risk deterrence

Risk avoidance Stop participating in high-risk activity

An access control model in which access to resources is granted or denied depending on Access Control List (ACL) entries is also known as: Mandatory Access Control Lattice-Based Access Control Role-Based Access Control Rule-Based Access Control

Rule-Based Access Control

Which of the answers listed below refers to a control system providing the capability for real-time monitoring and gathering information related to industrial equipment? OVAL SCADA TACACS SCAP

SCADA Supervisory Control and Data Acquisition System • Large-scale, multi-site Industrial Control Systems (ICS) • Runs on normal PCs, manages equipment • Power generation, refining, manufacturing equipment • Traditionally not built with security in mind • This has obviously been a problem these days • Huge emphasis in securing all SCADA systems • Enormous improvements in a short time

An agreement between a service provider and the user(s) defining the nature, availability, quality, and scope of the service to be provided is known as: SLE BPA SLA DLP

SLA Service Level Agreement (SLA) • Minimum terms for services provided • Uptime, response time agreement, etc

Which of the following terms is used to describe the loss of value to an asset based on a single security incident? SLE ARO ALE ARP

SLE Single-loss expectancy (SLE) is the monetary value expected from the occurrence of a risk on an asset. It is related to risk management and risk assessment. What is the monetary loss if a single event occurs? • Laptop stolen = $1,000

Which of the following protocols transmit(s) data in an unencrypted form? (Select all that apply) SCP IPsec SNMPv1 FTP Telnet SFTP

SNMPv1 FTP Telnet

Which of the protocols listed below run(s) on port number 22? (Select all that apply) FTPS SSH TFTP SCP SFTP FTP

SSH SCP SFTP

Which of the following security control types can be used in implementing a risk mitigation strategy? (Select all that apply) Technical Management Operational Zero-day

Technical Management Operational

A path or tool allowing an attacker to gain unauthorized access to a system or network is known as: Backdoor Threat vector Discretionary access Rootkit

Threat vector
The path that the threat takes to the target
• Target: your computer, mobile device, gaming system
• Email: embedded links, attached files
• Web browser: fake site, session hijack
• Wireless hotspot: rogue access point
• Telephone: social engineering
• USB flash drive: auto-executing malware
• And many more...

URL hijacking is also referred to as: Banner grabbing Session hijacking Typo squatting DNS poisoning

Typo squatting

Which of the following terms refers to a logical grouping of computers that allow computer hosts to act as if they were attached to the same broadcast domain, regardless of their physical location? Honeynet Virtual Private Network (VPN) Demilitarized Zone (DMZ) Virtual Local Area Network (VLAN) SNMP community

Virtual Local Area Network (VLAN) A virtual LAN (VLAN) is any broadcast domain that is partitioned and isolated in a computer network at the data link layer (OSI layer 2). LAN is an abbreviation of local area network. To subdivide a network into virtual LANs, one configures a network switch or router.
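As an added example (not part of the original flashcards), the following Python builds and parses the 802.1Q tag that carries VLAN membership inside an Ethernet frame. It shows concretely why VLANs are a layer-2 construct: the tag sits between the source MAC and the EtherType, independent of any IP addressing. The MAC addresses and payload are constructed for the example.

```python
"""Added example (not from the flashcards): building and parsing the
802.1Q VLAN tag that a switch inserts into an Ethernet frame at layer 2."""
import struct
from typing import Optional

TPID_8021Q = 0x8100  # Tag Protocol Identifier marking a VLAN-tagged frame


def parse_frame(frame: bytes) -> dict:
    """Return dst/src MAC, VLAN fields (if tagged), and the encapsulated EtherType."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    info = {"dst": dst.hex(":"), "src": src.hex(":"), "vlan_id": None, "priority": None}
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("tagged frame truncated before the VLAN tag")
        tci, inner_type = struct.unpack("!HH", frame[14:18])
        info["priority"] = tci >> 13       # 3-bit PCP (Priority Code Point)
        info["vlan_id"] = tci & 0x0FFF     # 12-bit VID (1..4094 usable)
        info["ethertype"] = inner_type
        info["payload"] = frame[18:]
    else:
        info["ethertype"] = ethertype
        info["payload"] = frame[14:]
    return info


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes,
                vlan_id: Optional[int] = None, priority: int = 0) -> bytes:
    """Build an Ethernet frame, inserting an 802.1Q tag when vlan_id is given."""
    header = dst + src
    if vlan_id is not None:
        if not 0 <= vlan_id <= 4095 or not 0 <= priority <= 7:
            raise ValueError("VID is 12 bits, PCP is 3 bits")
        header += struct.pack("!HH", TPID_8021Q, (priority << 13) | vlan_id)
    return header + struct.pack("!H", ethertype) + payload


# Constructed sample: the same IPv4 payload sent tagged (VLAN 10, PCP 5) and untagged.
DST = bytes.fromhex("001122334455")
SRC = bytes.fromhex("66778899aabb")
PAYLOAD = b"\x45" + b"\x00" * 19
TAGGED = build_frame(DST, SRC, 0x0800, PAYLOAD, vlan_id=10, priority=5)
UNTAGGED = build_frame(DST, SRC, 0x0800, PAYLOAD)

if __name__ == "__main__":
    print(parse_frame(TAGGED))
    print(parse_frame(UNTAGGED))
```

The only difference between the two frames is the four-byte tag; the IP header and everything above it are identical, which is why VLAN separation is enforced by the switch rather than by anything the hosts put in their packets.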

Which of the following acronyms refers to a firewall controlling access to a web server? WEP WAP WPS WAF

WAF

Which of the answers listed below refers to wireless site survey? Bluejacking Spear phishing War driving Shoulder surfing

War driving

An optimal WAP antenna placement provides a countermeasure against: (Select 2 answers) War chalking Tailgating War driving Shoulder surfing Site survey

War driving Site survey A wireless site survey, sometimes called an RF site survey or wireless survey, is the process of planning and designing a wireless network, to provide a wireless solution that will deliver the required wireless coverage, data rates, network capacity, roaming capability and Quality of Service (QoS).

The term "Trusted OS" refers to an operating system: Admitted to a network through NAC Implementing patch management That has been authenticated on the network With enhanced security features

With enhanced security features
Evaluation Assurance Levels
• Common Criteria for Information Technology Security Evaluation
• Also called Common Criteria (or CC)
• Very common reference for the US Federal Government
• Evaluation Assurance Level (EAL): EAL1 through EAL7
• Trusted operating system: the operating system is EAL compliant
• EAL4 is the most accepted minimum level

A temporary area of memory allocated with a fixed size for holding data while it's waiting to be transferred to another location is known as: Cache Header Local Shared Object (LSO) Buffer

Buffer

A networking standard for linking data storage devices over an IP network is known as: FCoE iSCSI TPM SCSI LDAP

iSCSI
iSCSI, which stands for Internet Small Computer System Interface, works on top of the Transmission Control Protocol (TCP) and allows SCSI commands to be sent end-to-end over local-area networks (LANs), wide-area networks (WANs) or the Internet.

Which of the protocols listed below facilitate(s) communication between SAN devices? (Select all that apply) SCSI MTBF iSCSI MTTF FCoE

iSCSI FCoE

A type of Intrusion Detection System (IDS) that relies on known attack patterns to detect an intrusion is known as a signature-based IDS. true or false

true
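As an added example (not part of the original flashcards), the following Python runs a handful of signatures over constructed web-server access-log lines. It shows what "relies on known attack patterns" means in practice: the detector fires on the patterns it has rules for and stays silent on a URL-encoded variant of the same attack until the input is normalized first. The signatures and log lines are constructed for the example; nothing here is real traffic or a real IDS rule set.

```python
"""Added example (not from the flashcards): a minimal signature-based IDS
run over constructed access-log lines, showing a hit, a miss, and the
normalization step that closes the gap for that particular evasion."""
import re
from typing import List, Tuple
from urllib.parse import unquote

# Constructed signatures: (name, compiled pattern). A signature-based IDS
# only alerts on what someone has already written a rule for.
SIGNATURES = [
    ("sqli-tautology", re.compile(r"'\s*or\s*'1'\s*=\s*'1", re.IGNORECASE)),
    ("path-traversal", re.compile(r"(\.\./){2,}")),
    ("xss-script-tag", re.compile(r"<script\b", re.IGNORECASE)),
]

# Constructed access-log lines (not real traffic).
LOG_LINES = [
    '203.0.113.5 - - [10/Mar/2024:12:00:01 +0000] "GET /login?user=admin HTTP/1.1" 200 512',
    '203.0.113.5 - - [10/Mar/2024:12:00:02 +0000] "GET /login?user=\' or \'1\'=\'1 HTTP/1.1" 200 9813',
    '198.51.100.7 - - [10/Mar/2024:12:00:03 +0000] "GET /files?name=../../../../etc/passwd HTTP/1.1" 404 128',
    '198.51.100.7 - - [10/Mar/2024:12:00:04 +0000] "GET /search?q=<script>alert(1)</script> HTTP/1.1" 200 640',
    # Same SQL tautology as line 1, but URL-encoded: no raw signature matches it.
    '203.0.113.5 - - [10/Mar/2024:12:00:05 +0000] "GET /login?user=%27%20or%20%271%27%3D%271 HTTP/1.1" 200 9813',
]


def scan(lines: List[str], signatures=SIGNATURES) -> List[Tuple[int, str]]:
    """Return (line_index, signature_name) for every line matching a known pattern."""
    alerts = []
    for i, line in enumerate(lines):
        for name, pattern in signatures:
            if pattern.search(line):
                alerts.append((i, name))
    return alerts


def normalize(line: str) -> str:
    """Percent-decode a log line so encoded payloads match the same signatures."""
    return unquote(line)


def scan_normalized(lines: List[str], signatures=SIGNATURES) -> List[Tuple[int, str]]:
    """Scan after normalization; catches the encoded variant, still only known patterns."""
    return scan([normalize(line) for line in lines], signatures)


if __name__ == "__main__":
    print("raw:       ", scan(LOG_LINES))
    print("normalized:", scan_normalized(LOG_LINES))
```

Normalizing input recovers this one evasion, but the underlying limit stands: a request that uses a technique with no signature produces no alert, which is why signature-based detection is paired with anomaly or behaviour-based methods rather than used alone.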
