401 SEC+EXAM PASS 4 SURE
The systems administrator notices that many employees are using passwords that can be easily guessed or are susceptible to brute force attacks. Which of the following would BEST mitigate this risk? A. Enforce password rules requiring complexity. B. Shorten the maximum life of account passwords. C. Increase the minimum password length. D. Enforce account lockout policies
Answer: A Explanation: Password complexity often requires the use of a minimum of three out of four standard character types for a password. The more characters in a password that includes some character complexity, the more resistant it is to brute force attacks.
Which of the following attacks involves the use of previously captured network traffic? A. Replay B. Smurf C. Vishing D. DDoS
Answer: A Explanation: Replay attacks are becoming quite common. They occur when information is captured over a network. A replay attack is a kind of access or modification attack. In a distributed environment, logon and password information is sent between the client and the authentication system. The attacker can capture the information and replay it later. This can also occur with security certificates from systems such as Kerberos: The attacker resubmits the certificate, hoping to be validated by the authentication system and circumvent any time sensitivity. If this attack is successful, the attacker will have all of the rights and privileges from the original certificate. This is the primary reason that most certificates contain a unique session identifier and a time stamp. If the certificate has expired, it will be rejected and an entry should be made in a security log to notify system administrators.
Which of the following ports should be used by a system administrator to securely manage a remote server? A. 22 B. 69 C. 137 D. 445
Answer: A Explanation: Secure Shell (SSH) is a more secure replacement for Telnet, rlogon, rsh, and rcp. SSH can be called a remote access or remote terminal solution. SSH offers a means by which a commandline, text-only interface connection with a server, router, switch, or similar device can be established over any distance. SSH makes use of TCP port 22.
Which of the following is BEST used to capture and analyze network traffic between hosts on the same network segment? A. Protocol analyzer B. Router C. Firewall D. HIPS
Answer: A Explanation: A Protocol Analyzer is a hardware device or more commonly a software program used to capture network data communications sent between devices on a network. Capturing and analyzing the packets sent from two systems that are not communicating properly could help determine the cause of the issue. Well known software protocol analyzers include Message Analyzer (formerly Network Monitor) from Microsoft and Wireshark (formerly Ethereal).
Which of the following would a security administrator implement in order to identify a problem between two applications that are not communicating properly? A. Protocol analyzer B. Baseline report C. Risk assessment D. Vulnerability scan
Answer: A Explanation: A Protocol Analyzer is a hardware device or more commonly a software program used to capture network data communications sent between devices on a network. Capturing and analyzing the packets sent between applications on systems that are not communicating properly could help determine the cause of the issue. Well known software protocol analyzers include Message Analyzer (formerly Network Monitor) from Microsoft and Wireshark (formerly Ethereal)
Which of the following would a security administrator implement in order to identify a problem between two systems that are not communicating properly? A. Protocol analyzer B. Baseline report C. Risk assessment D. Vulnerability scan
Answer: A Explanation: A Protocol Analyzer is a hardware device or more commonly a software program used to capture network data communications sent between devices on a network. Capturing and analyzing the packets sent from two systems that are not communicating properly could help determine the cause of the issue. Well known software protocol analyzers include Message Analyzer (formerly Network Monitor) from Microsoft and Wireshark (formerly Ethereal).
Pete, an employee, needs a certificate to encrypt data. Which of the following would issue Pete a certificate? A. Certification authority B. Key escrow C. Certificate revocation list D. Registration authority
Answer: A Explanation: A certificate authority (CA) is an organization that is responsible for issuing, revoking, and distributing certificates
A systems administrator has implemented PKI on a classified government network. In the event that a disconnect occurs from the primary CA, which of the following should be accessible locally from every site to ensure users with bad certificates cannot gain access to the network? A. A CRL B. Make the RA available C. A verification authority D. A redundant CA
Answer: A Explanation: A certificate revocation list (CRL) is created and distributed to all CAs to revoke a certificate or key. By checking the CRL you can check if a particular certificate has been revoked
An administrator wants to ensure that the reclaimed space of a hard drive has been sanitized while the computer is in use. Which of the following can be implemented? A. Cluster tip wiping B. Individual file encryption C. Full disk encryption D. Storage retention
Answer: A Explanation: A computer hard disk is divided into small segments called clusters. A file usually spans several clusters but rarely fills the last cluster, which is called cluster tip. This cluster tip area may contain file data because the size of the file you are working with may grow or shrink and needs to be securely deleted.
Which of the following is an example of multifactor authentication? A. Credit card and PIN B. Username and password C. Password and PIN D. Fingerprint and retina scan
Answer: A Explanation: A credit card is a memory card that functions a type of two-factor authentication. The card is something you have, and its PIN is something you know. Multifactor authentication requires a user to provide two or more different types of authentication factors to prove their identity
An email client says a digital signature is invalid and the sender cannot be verified. The recipient is concerned with which of the following concepts? A. Integrity B. Availability C. Confidentiality D. Remediation
Answer: A Explanation: A digital signature is similar in function to a standard signature on a document. It validates the integrity of the message and the sender. The message is encrypted using the encryption system, and a second piece of information, the digital signature, is added to the message. Digital Signatures is used to validate the integrity of the message and the sender. Integrity means the message can't be altered without detection.
Which of the following is the BEST reason for placing a password lock on a mobile device? A. Prevents an unauthorized user from accessing owner's data B. Enables remote wipe capabilities C. Stops an unauthorized user from using the device again D. Prevents an unauthorized user from making phone calls
Answer: A Explanation: A password lock on a mobile device is used to prevent an unauthorized user from accessing owner's data. When a device is turned off either by being manually switched off or byautomatically turning off after a timeout, the device will automatically lock. When you turn the device on, you are prompted to enter a password or numeric code to gain access to the device.
Sara, a security manager, has decided to force expiration of all company passwords by the close of business day. Which of the following BEST supports this reasoning? A. A recent security breach in which passwords were cracked. B. Implementation of configuration management processes. C. Enforcement of password complexity requirements. D. Implementation of account lockout procedures.
Answer: A Explanation: A password only needs to be changed if it doesn't meet the compliance requirements of the company's password policy, or is evidently insecure. It will also need to be changed if it has been reused, or due to possible compromise as a result of a system intrusion.
A security administrator would like to ensure that system administrators are not using the same password for both their privileged and non-privileged accounts. Which of the following security controls BEST accomplishes this goal? A. Require different account passwords through a policy B. Require shorter password expiration for non-privileged accounts C. Require shorter password expiration for privileged accounts D. Require a greater password length for privileged accounts
Answer: A Explanation: A password policy aka account policy enforcement can be configured in such a way so as to make sure that system administrators make use of different passwords for different accounts.
An internal auditor is concerned with privilege creep that is associated with transfers inside the company. Which mitigation measure would detect and correct this? A. User rights reviews B. Least privilege and job rotation C. Change management D. Change Control
Answer: A Explanation: A privilege audit is used to determine that all groups, users, and other accounts have the appropriate privileges assigned according to the policies of an organization. This means that a user rights review will reveal whether user accounts have been assigned according to their 'new' job descriptions , or if there are privilege creep culprits after transfers has occurred
Which of the following is synonymous with a server's certificate? A. Public key B. CRL C. Private key D. Recovery agent
Answer: A Explanation: A public key certificate (also known as a digital certificate or identity certificate) is an electronic document used to prove ownership of a public key.
It is important to staff who use email messaging to provide PII to others on a regular basis to have confidence that their messages are not intercepted or altered during transmission. They are concerned about which of the following types of security control? A. Integrity B. Safety C. Availability D. Confidentiality
Answer: A Explanation: Integrity means that the messages/ data is not altered. PII is personally identifiable information that can be used to uniquely identify an individual. PII can be used to ensure the integrity of data/messages.
Which of the following security account management techniques should a security analyst implement to prevent staff, who has switched company roles, from exceeding privileges? A. Internal account audits B. Account disablement C. Time of day restriction D. Password complexity
Answer: A Explanation: Internal account auditing will allow you to switch the appropriate users to the proper accounts required after the switching of roles occurred and thus check that the principle of least privilege is followed.
A technician has implemented a system in which all workstations on the network will receive security updates on the same schedule. Which of the following concepts does this illustrate? A. Patch management B. Application hardening C. White box testing D. Black box testing
Answer: A Explanation: Patch management is the process of maintaining the latest source code for applications and operating systems by applying the latest vendor updates. This helps protect a systems from newly discovered attacks and vulnerabilities. A part of patch management is testing the effects of vendor updates on a test system before applying the updates on a production system, and scheduling updates.
Which of the following encompasses application patch management? A. Configuration management B. Policy management C. Cross-site request forgery D. Fuzzing
Answer: A Explanation: Patch management is the process of maintaining the latest source code for applications and operating systems by applying the latest vendor updates. This helps protect a systems from newly discovered attacks and vulnerabilities. A part of patch management is testing the effects of vendor updates on a test system first to ensure that the updates do not have detrimental effects on the system and its configuration, and, should the updates have no detrimental effects on the test systems, backing up the production systems before applying the updates on a production system.
Which of the following is a security risk regarding the use of public P2P as a method of collaboration? A. Data integrity is susceptible to being compromised. B. Monitoring data changes induces a higher cost. C. Users are not responsible for data usage tracking. D. Limiting the amount of necessary space for data storage.
Answer: A Explanation: Peer-to-peer (P2P) networking is commonly used to share files such as movies and music, but you must not allow users to bring in devices and create their own little networks. All networking must be done through administrators and not on a P2P basis. Data integrity can easily be compromised when using public P2P networking.
The use of social networking sites introduces the risk of: A. Disclosure of proprietary information B. Data classification issues C. Data availability issues D. Broken chain of custody
Answer: A Explanation: People and processes must be in place to prevent the unauthorized disclosure or proprietary information and sensitive information s these pose a security risk to companies. With social networking your company can be exposed to as many threats as the amount of users that make use of social networking and are not advised on security policy regarding the use of social networking.
End-user awareness training for handling sensitive personally identifiable information would include secure storage and transmission of customer: A. Date of birth. B. First and last name. C. Phone number. D. Employer name.
Answer: A Explanation: Personally identifiable information (PII) is a catchall for any data that can be used to uniquely identify an individual. This data can be anything from the person's name to a fingerprint (think biometrics), credit card number, or patient record. Date of birth is personally identifiable information.
Privilege creep among long-term employees can be mitigated by which of the following procedures? A. User permission reviews B. Mandatory vacations C. Separation of duties D. Job function rotation
Answer: A Explanation: Privilege creep is the steady build-up of access rights beyond what a user requires to perform his/her task. Privilege creep can be decreased by conducting sporadic access rights reviews,which will confirm each user's need to access specific roles and rights in an effort to find and rescind excess privileges
Which of the following provides the LEAST availability? A. RAID 0 B. RAID 1 C. RAID 3 D. RAID 5
Answer: A Explanation: RAID, or redundant array of independent disks (RAID). RAID allows your existing servers to have more than one hard drive so that if the main hard drive fails, the system keeps functioning. RAID 0 is disk striping. It uses multiple drives and maps them together as a single physical drive. This is done primarily for performance, not for fault tolerance. If any drive in a RAID 0 array fails, the entire logical drive becomes unusable.
A security administrator must implement a wireless encryption system to secure mobile devices' communication. Some users have mobile devices which only support 56-bit encryption. Which of the following wireless encryption methods should be implemented? A. RC4 B. AES C. MD5 D. TKIP
Answer: A Explanation: RC4 is popular with wireless and WEP/WPA encryption. It is a streaming cipher that works with key sizes between 40 and 2048 bits, and it is used in SSL and TLS.
A cafe provides laptops for Internet access to their customers. The cafe is located in the center corridor of a busy shopping mall. The company has experienced several laptop thefts from the cafe during peak shopping hours of the day. Corporate has asked that the IT department provide a solution to eliminate laptop theft. Which of the following would provide the IT department with the BEST solution? A. Attach cable locks to each laptop B. Require each customer to sign an AUP C. Install a GPS tracking device onto each laptop D. Install security cameras within the perimeter of the café
Answer: A Explanation: All laptop cases include a built-in security slot in which a cable lock can be inserted to prevent it from easily being removed from the premises.
An administrator needs to secure RADIUS traffic between two servers. Which of the following is the BEST solution? A. Require IPSec with AH between the servers B. Require the message-authenticator attribute for each message C. Use MSCHAPv2 with MPPE instead of PAP D. Require a long and complex shared secret for the servers
Answer: A Explanation: IPsec is used for a secure point-to-point connection traversing an insecure network such as the Internet. Authentication Header (AH) is a primary IPsec protocol that provides authentication of the sender's data.
A company has decided to move large data sets to a cloud provider in order to limit the costs of new infrastructure. Some of the data is sensitive and the Chief Information Officer wants to make sure both parties have a clear understanding of the controls needed to protect the data. Which of the following types of interoperability agreement is this? A. ISA B. MOU C. SLA D. BPA
Answer: A Explanation: ISA/ Interconnection Security Agreement is an agreement between two organizations that have connected systems. The agreement documents the technical requirements of the connected systems.
A customer has provided an email address and password to a website as part of the login process. Which of the following BEST describes the email address? A. Identification B. Authorization C. Access control D. Authentication
Answer: A Explanation: Identification is defined as the claiming of an identity and only has to take place once per authentication or access process. A login process typically consists of an identification such as a username or email address and an authentication which proves you are who you say you are.
Which of the following allows a company to maintain access to encrypted resources when employee turnover is high? A. Recovery agent B. Certificate authority C. Trust model D. Key escrow
Answer: A Explanation: If an employee leaves and we need access to data he has encrypted, we can use the key recovery agent to retrieve his decryption key. We can use this recovered key to access the data. A key recovery agent is an entity that has the ability to recover a key, key components, or plaintext messages as needed. As opposed to escrow, recovery agents are typically used to access information that is encrypted with older keys.
Which of the following is a common coding error in which boundary checking is not performed? A. Input validation B. Fuzzing C. Secure coding D. Cross-site scripting
Answer: A Explanation: Input validation is a defensive technique intended to mitigate against possible user input attacks, such as buffer overflows and fuzzing. Input validation checks every user input submitted to the application before processing that input. The check could be a length, a character type, a language type, or a domain
Input validation is an important security defense because it: A. rejects bad or malformed data. B. enables verbose error reporting. C. protects mis-configured web servers. D. prevents denial of service attacks
Answer: A Explanation: Input validation is a defensive technique intended to mitigate against possible user input attacks, such as buffer overflows and fuzzing. Input validation checks every user input submitted to the application before processing that input. The check could be a length, a character type, a language type, or a domain.
Which of the following can BEST help prevent cross-site scripting attacks and buffer overflows on a production system? A. Input validation B. Network intrusion detection system C. Anomaly-based HIDS D. Peer review
Answer: A Explanation: Input validation is a defensive technique intended to mitigate against possible user input attacks, such as buffer overflows and fuzzing. Input validation checks every user input submitted to the application before processing that input. The check could be a length, a character type, a language type, or a domain.
A system administrator has been instructed by the head of security to protect their data at-rest. Which of the following would provide the strongest protection? A. Prohibiting removable media B. Incorporating a full-disk encryption system C. Biometric controls on data center entry points D. A host-based intrusion detection system
Answer: B Explanation: Full disk encryption can be used to encrypt an entire volume with 128-bit encryption. When the entire volume is encrypted, the data is not accessible to someone who might boot another operating system in an attempt to bypass the computer's security. Full disk encryption is sometimes referred to as hard drive encryption. This would be best to protect data that is at rest
Which of the following does full disk encryption prevent? A. Client side attacks B. Clear text access C. Database theft D. Network-based attacks
Answer: B Explanation: Full-disk encryption encrypts the data on the device. This feature ensures that the data on the device cannot be accessed in a useable form should the device be stolen.
A security administrator wants to test the reliability of an application which accepts user provided parameters. The administrator is concerned with data integrity and availability. Which of the following should be implemented to accomplish this task? A. Secure coding B. Fuzzing C. Exception handling D. Input validation
Answer: B Explanation: Fuzzing is a software testing technique that involves providing invalid, unexpected, or random data to as inputs to a computer program. The program is then monitored for exceptions such as crashes, or failed validation, or memory leaks.
An application developer has tested some of the known exploits within a new application. Which of the following should the administrator utilize to test for unidentified faults or memory leaks? A. XSRF Attacks B. Fuzzing C. Input Validations D. SQL Injections
Answer: B Explanation: Fuzzing is a software testing technique that involves providing invalid, unexpected, or random data to as inputs to a computer program. The program is then monitored for exceptions such as crashes, or failed validation, or memory leaks.
Which of the following would Jane, an administrator, use to detect an unknown security vulnerability? A. Patch management B. Application fuzzing C. ID badge D. Application configuration baseline
Answer: B Explanation: Fuzzing is a software testing technique that involves providing invalid, unexpected, or random data to as inputs to a computer program. The program is then monitored for exceptions such as crashes, or failed validation, or memory leaks.
An internal auditing team would like to strengthen the password policy to support special characters. Which of the following types of password controls would achieve this goal? A. Add reverse encryption B. Password complexity C. Increase password length D. Allow single sign on
Answer: B Explanation: Generally, the minimum password length is considered to be 8 upper and lowercase characters. The use of at least one non-alpha character like punctuation, special characters, or numbers, combined with the password length produces strong passwords. Strong passwords are produced by the combination of a password's length and complexity.
The system administrator is tasked with changing the administrator password across all 2000 computers in the organization. Which of the following should the system administrator implement to accomplish this task? A. A security group B. A group policy C. Key escrow D. Certificate revocation
Answer: B Explanation: Group policy is used to manage Windows systems in a Windows network domain environment by means of a Group Policy Object (GPO). GPO's include a number of settings related to credentials, such as password complexity requirements, password history, password length, account lockout settings.
Pete, a network administrator, is implementing IPv6 in the DMZ. Which of the following protocols must he allow through the firewall to ensure the web servers can be reached via IPv6 from an IPv6 enabled Internet host? A. TCP port 443 and IP protocol 46 B. TCP port 80 and TCP port 443 C. TCP port 80 and ICMP D. TCP port 443 and SNMP
Answer: B Explanation: HTTP and HTTPS, which uses TCP port 80 and TCP port 443 respectively, is necessary for Communicating with Web servers. It should therefore be allowed through the firewall
A new web server has been provisioned at a third party hosting provider for processing credit card transactions. The security administrator runs the netstat command on the server and notices that ports 80, 443, and 3389 are in a `listening' state. No other ports are open. Which of the following services should be disabled to ensure secure communications? A. HTTPS B. HTTP C. RDP D. TELNET
Answer: B Explanation: HTTP uses port 80. HTTP does not provide encrypted communications. Port 443 is used by HTTPS which provides secure encrypted communications. Port 3389 is used by RDP (Remote Desktop Protocol) which does provide encrypted communications.
Which of the following describes the process of removing unnecessary accounts and services from an application to reduce risk exposure? A. Error and exception handling B. Application hardening C. Application patch management D. Cross-site script prevention
Answer: B Explanation: Hardening is the process of securing a system by reducing its surface of vulnerability. Reducing the surface of vulnerability typically includes removing unnecessary functions and features, removing unnecessary usernames or logins and disabling unnecessary services.
The datacenter manager is reviewing a problem with a humidity factor that is too low. Which of the following environmental problems may occur? A. EMI emanations B. Static electricity C. Condensation D. Dry-pipe fire suppression
Answer: B Explanation: Humidity control prevents the buildup of static electricity in the environment. If the humidity drops much below 50 percent, electronic components are extremely vulnerable to damage from electrostatic shock.
Which of the following is the BEST reason to provide user awareness and training programs for organizational staff? A. To ensure proper use of social media B. To reduce organizational IT risk C. To detail business impact analyses D. To train staff on zero-days
Answer: B Explanation: Ideally, a security awareness training program for the entire organization should cover the following areas: Importance of security Responsibilities of people in the organization Policies and procedures Usage policies Account and password-selection criteria Social engineering prevention You can accomplish this training either by using internal staff or by hiring outside trainers. This type of training will significantly reduce the organizational IT risk.
Which of the following is the difference between identification and authentication of a user? A. Identification tells who the user is and authentication tells whether the user is allowed to logon to a system. B. Identification tells who the user is and authentication proves it. C. Identification proves who the user is and authentication is used to keep the users data secure. D. Identification proves who the user is and authentication tells the user what they are allowed to do.
Answer: B Explanation: Identification is described as the claiming of an identity, and authentication is described as the act of verifying or proving the claimed identity
When considering a vendor-specific vulnerability in critical industrial control systems which of the following techniques supports availability? A. Deploying identical application firewalls at the border B. Incorporating diversity into redundant design C. Enforcing application white lists on the support workstations D. Ensuring the systems' anti-virus definitions are up-to-date
Answer: B Explanation: If you know there is a vulnerability that is specific to one vendor, you can improve availability by implementing multiple systems that include at least one system from a different vendor and so is not affected by the vulnerability.
A malicious person gained access to a datacenter by ripping the proximity badge reader off the wall near the datacenter entrance. This caused the electronic locks on the datacenter door to release because the: A. badge reader was improperly installed. B. system was designed to fail open for life-safety. C. system was installed in a fail closed configuration. D. system used magnetic locks and the locks became demagnetized.
Answer: B Explanation: It describes a design the lock to fail open for life safety, causing the door to stay open when power is lost - in this case the proximity badge reader was ripped off the wall.
Which of the following practices is used to mitigate a known security vulnerability? A. Application fuzzing B. Patch management C. Password cracking D. Auditing security logs
Answer: B Explanation: Patch management is the process of maintaining the latest source code for applications and operating systems by applying the latest vendor updates. This helps protect a systems from new attacks and vulnerabilities that have recently become known.
Which of the following is the term for a fix for a known software problem? A. Skiff B. Patch C. Slipstream D. Upgrade
Answer: B Explanation: Patch management is the process of maintaining the latest source code for applications and operating systems by applying the latest vendor updates. This helps protect a systems from newly discovered attacks and vulnerabilities.
A bank has recently deployed mobile tablets to all loan officers for use at customer sites. Which of the following would BEST prevent the disclosure of customer data in the event that a tablet is lost or stolen? A. Application control B. Remote wiping C. GPS D. Screen-locks
Answer: B Explanation: Remote wipe is the process of deleting data on a device in the event that the device is stolen. This is performed over remote connections such as the mobile phone service or the internet connection and helps ensure that sensitive data is not accessed by unauthorized people
Identifying residual risk is MOST important to which of the following concepts? A. Risk deterrence B. Risk acceptance C. Risk mitigation D. Risk avoidance
Answer: B Explanation: Risk acceptance is often the choice you must make when the cost of implementing any of the other four choices exceeds the value of the harm that would occur if the risk came to fruition. To truly qualify as acceptance, it cannot be a risk where the administrator or manager is unaware of its existence; it has to be an identified risk for which those involved understand the potential cost or damage and agree to accept it. Residual risk is always present and will remain a risk thus it should be accepted (risk acceptance)
A system security analyst using an enterprise monitoring tool notices an unknown internal host exfiltrating files to several foreign IP addresses. Which of the following would be an appropriate mitigation technique? A. Disabling unnecessary accounts B. Rogue machine detection C. Encrypting sensitive files D. Implementing antivirus
Answer: B Explanation: Rogue machine detection is the process of detecting devices on the network that should not be there. If a user brings in a laptop and plugs it into the network, the laptop is a "rogue machine". The laptop could cause problems on the network. Any device on the network that should not be there is classed as rogue.
Users require access to a certain server depending on their job function. Which of the following would be the MOST appropriate strategy for securing the server? A. Common access card B. Role based access control C. Discretionary access control D. Mandatory access control
Answer: B Explanation: Role-based Access Control is basically based on a user's job description. When a user is assigned a specific role in an environment, that user's access to objects is granted based on the required tasks of that role.
Which of the following is an XML based open standard used in the exchange of authentication and authorization information between different parties? A. LDAP B. SAML C. TACACS+ D. Kerberos
Answer: B Explanation: Security Assertion Markup Language (SAML) is an open-standard data format centred on XML. It is used for supporting the exchange of authentication and authorization details between systems, services, and devices
Separation of duties is often implemented between developers and administrators in order to separate which of the following? A. More experienced employees from less experienced employees B. Changes to program code and the ability to deploy to production C. Upper level management users from standard development employees D. The network access layer from the application access layer
Answer: B Explanation: Separation of duties means that there is differentiation between users, employees and duties per se which form part of best practices.
The Chief Technical Officer (CTO) has been informed of a potential fraud committed by a database administrator performing several other job functions within the company. Which of the following is the BEST method to prevent such activities in the future? A. Job rotation B. Separation of duties C. Mandatory Vacations D. Least Privilege
Answer: B Explanation: Separation of duties means that users are granted only the permissions they need to do their work and no more. More so it means that you are employing best practices. The segregation of duties and separation of environments is a way to reduce the likelihood of misuse of systems or information. A separation of duties policy is designed to reduce the risk of fraud and to prevent other losses in an organization
When a new network drop was installed, the cable was run across several fluorescent lights. The users of the new network drop experience intermittent connectivity. Which of the following environmental controls was MOST likely overlooked during installation? A. Humidity sensors B. EMI shielding C. Channel interference D. Cable kinking
Answer: B Explanation: Shielding refers to the process of preventing electronic emissions from your computer systems from being used to gather intelligence and preventing outside electronic emissions from disrupting your information-processing abilities. In this case you are experiencing intermittent connectivity since Electro Magnetic Interference (EMI) was not taken into account when running the cables over fluorescent lighting.
A security administrator has just finished creating a hot site for the company. This implementation relates to which of the following concepts? A. Confidentiality B. Availability C. Succession planning D. Integrity
Answer: B Explanation: Simply making sure that the data and systems are available for authorized users is what availability is all about. Data backups, redundant systems, and disaster recovery plans all support availability. And creating a hot site is about providing availability
In order to securely communicate using PGP, the sender of an email must do which of the following when sending an email to a recipient for the first time? A. Import the recipient's public key B. Import the recipient's private key C. Export the sender's private key D. Export the sender's public key
Answer: A Explanation: See step 4 below. 1. When a user encrypts plaintext with PGP, PGP first compresses the plaintext. 2. PGP then creates a session key, which is a one-time-only secret key. 3. This session key works with a very secure, fast conventional encryption algorithm to encrypt the plaintext; the result is ciphertext. 4. Once the data is encrypted, the session key is then encrypted to the recipient's public key. This public key-encrypted session key is transmitted along with the ciphertext to the recipient.
Everyone in the accounting department has the ability to print and sign checks. Internal audit has asked that only one group of employees may print checks while only two other employees may sign the checks. Which of the following concepts would enforce this process? A. Separation of Duties B. Mandatory Vacations C. Discretionary Access Control D. Job Rotation
Answer: A Explanation: Separation of duties means that users are granted only the permissions they need to do their work and no more.
Human Resources suspect an employee is accessing the employee salary database. The administrator is asked to find out who it is. In order to complete this task, which of the following is a security control that should be in place? A. Shared accounts should be prohibited. B. Account lockout should be enabled C. Privileges should be assigned to groups rather than individuals D. Time of day restrictions should be in use
Answer: A Explanation: Since distinguishing between the actions of one person and another isn't possible if they both use a shared account, shared accounts should not be allowed. If shared accounts are being used, the administrator will find the account, but have more than one suspect. To nullify this occurrence, Shared accounts should be prohibited.
Employee badges are encoded with a private encryption key and specific personal information. The encoding is then used to provide access to the network. Which of the following describes this access control type? A. Smartcard B. Token C. Discretionary access control D. Mandatory access control
Answer: A Explanation: Smart cards are credit-card-sized IDs, badges, or security passes with an embedded integrated circuit chip that can include data regarding the authorized bearer. This data can then be used for identification and/or authentication purposes.
A security administrator has been tasked to ensure access to all network equipment is controlled by a central server such as TACACS+. This type of implementation supports which of the following risk mitigation strategies? A. User rights and permissions review B. Change management C. Data loss prevention D. Implement procedures to prevent data theft
Answer: A Explanation: Terminal Access Controller Access-Control System (TACACS, and variations like XTACACS and TACACS+) is a client/server-oriented environment, and it operates in a manner similar to RADIUS. Furthermore TACACS+ allows for credential to be accepted from multiple methods. Thus you can perform user rights and permission reviews with TACACS+.
A new intern was assigned to the system engineering department, which consists of the system architect and system software developer's teams. These two teams have separate privileges. The intern requires privileges to view the system architectural drawings and comment on some software development projects. Which of the following methods should the system administrator implement? A. Group based privileges B. Generic account prohibition C. User access review D. Credential management
Answer: A Explanation: You can assign permissions to access resources either to a user or a group. The most efficient way is to assign permissions to a group (group based privileges). By assigning the intern's user account to both groups, the intern will inherit the permissions assigned to those groups.
Jane, an administrator, needs to make sure the wireless network is not accessible from the parking area of their office. Which of the following would BEST help Jane when deploying a new access point? A. Placement of antenna B. Disabling the SSID C. Implementing WPA2 D. Enabling the MAC filtering
Answer: A Explanation: You should try to avoid placing access points near metal (which includes appliances) or near the ground. Placing them in the center of the area to be served and high enough to get around most obstacles is recommended. On the chance that the signal is actually traveling too far, some access points include power level controls, which allow you to reduce the amount of output provided.
An auditing team has found that passwords do not meet best business practices. Which of the following will MOST increase the security of the passwords? (Select TWO). A. Password Complexity B. Password Expiration C. Password Age D. Password Length E. Password History
Answer: A,D Explanation: Passwords should have the strength to avoid discovery through attack, but it should also be easy enough for the user to remember. The length and complexity of a password combined are vital factors in defining a password's strength.
A system administrator is notified by a staff member that their laptop has been lost. The laptop contains the user's digital certificate. Which of the following will help resolve the issue? (Select TWO). A. Revoke the digital certificate B. Mark the key as private and import it C. Restore the certificate using a CRL D. Issue a new digital certificate E. Restore the certificate using a recovery agent
Answer: A,D Explanation: The user's certificate must be revoked to ensure that the stolen computer cannot access resources the user has had access to. To grant the user access to the resources he must be issued a new certificate
Which of the following uses port 22 by default? (Select THREE). A. SSH B. SSL C. TLS D. SFTP E. SCP F. FTPS G. SMTP H. SNMP
Answer: A,D,E Explanation: SSH uses TCP port 22. All protocols encrypted by SSH, including SFTP, SHTTP, SCP, SExec, and slogin, also use TCP port 22.
Which of the following security concepts would Sara, the security administrator, use to mitigate the risk of data loss? A. Record time offset B. Clean desk policy C. Cloud computing D. Routine log review
Answer: B Explanation: Clean Desk Policy Information on a desk—in terms of printouts, pads of note paper, sticky notes, and the like—can be easily seen by prying eyes and taken by thieving hands. To protect data and your business, encourage employees to maintain clean desks and to leave out only those papers that are relevant to the project they are working on at that moment. All sensitive information should be put away when the employee is away from their desk. This will mitigate the risk of data loss when applied.
The fundamental information security principals include confidentiality, availability and which of the following? A. The ability to secure data against unauthorized disclosure to external sources B. The capacity of a system to resist unauthorized changes to stored information C. The confidence with which a system can attest to the identity of a user D. The characteristic of a system to provide uninterrupted service to authorized users
Answer: B Explanation: Confidentiality, integrity, and availability, which make up the CIA triad, are the three most important concepts in security. In this instance, the answer describes the Integrity part of the CIA triad.
Which of the following techniques enables a highly secured organization to assess security weaknesses in real time? A. Access control lists B. Continuous monitoring C. Video surveillance D. Baseline reporting
Answer: B Explanation: Continuous monitoring point toward the never-ending review of what resources a user actually accesses, which is critical for preventing insider threats. Because the process is never-ending, assessments happen in real time
Which of the following assets is MOST likely considered for DLP? A. Application server content B. USB mass storage devices C. Reverse proxy D. Print server
Answer: B Explanation: Data loss prevention (DLP) systems monitor the contents of systems (workstations, servers, and networks) to make sure that key content is not deleted or removed. They also monitor who is using the data (looking for unauthorized access) and transmitting the data. A USB presents the most likely device to be used to steal data because of its physical size.
Matt, a security analyst, needs to implement encryption for company data and also prevent theft of company data. Where and how should Matt meet this requirement? A. Matt should implement access control lists and turn on EFS. B. Matt should implement DLP and encrypt the company database. C. Matt should install Truecrypt and encrypt the company server. D. Matt should install TPMs and encrypt the company database
Answer: B Explanation: Data loss prevention (DLP) systems monitor the contents of systems (workstations, servers, and networks) to make sure that key content is not deleted or removed. They also monitor who is using the data (looking for unauthorized access) and transmitting the data. Encryption is used to protect data.
Matt, a security consultant, has been tasked with increasing server fault tolerance and has been given no budget to accomplish his task. Which of the following can Matt implement to ensure servers will withstand hardware failure? A. Hardware load balancing B. RAID C. A cold site D. A host standby
Answer: B Explanation: Fault tolerance is the ability of a system to sustain operations in the event of a component failure. Fault-tolerant systems can continue operation even though a critical component, such as a disk drive, has failed. This capability involves overengineering systems by adding redundant components and subsystems. RAID can achieve fault tolerance using software which can be done using the existing hardware and software.
It is MOST important to make sure that the firewall is configured to do which of the following? A. Alert management of a possible intrusion. B. Deny all traffic and only permit by exception. C. Deny all traffic based on known signatures. D. Alert the administrator of a possible intrusion
Answer: B Explanation: Firewalls manage traffic using filters, which is just a rule or set of rules. A recommended guideline for firewall rules is, "deny by default; allow by exception".
Sara, the Chief Security Officer (CSO), has had four security breaches during the past two years. Each breach has cost the company $3,000. A third party vendor has offered to repair the security hole in the system for $25,000. The breached system is scheduled to be replaced in five years. Which of the following should Sara do to address the risk? A. Accept the risk saving $10,000. B. Ignore the risk saving $5,000. C. Mitigate the risk saving $10,000. D. Transfer the risk saving $5,000.
Answer: D Explanation: Risk transference involves sharing some of the risk burden with someone else, such as an insurance company. The cost of the security breach over a period of 5 years would amount to $30,000 and it is better to save $5,000.
The security administrator is currently unaware of an incident that occurred a week ago. Which of the following will ensure the administrator is notified in a timely manner in the future? A. User permissions reviews B. Incident response team C. Change management D. Routine auditing
Answer: D Explanation: Routine audits are carried out after you have implemented security controls based on risk. These audits include aspects such as user rights and permissions and specific events.
Which of the following is BEST used as a secure replacement for TELNET? A. HTTPS B. HMAC C. GPG D. SSH
Answer: D Explanation: SSH transmits both authentication traffic and data in a secured encrypted form, whereas Telnet transmits both authentication credentials and data in clear text
Which of the following ports and protocol types must be opened on a host with a host-based firewall to allow incoming SFTP connections? A. 21/UDP B. 21/TCP C. 22/UDP D. 22/TCP
Answer: D Explanation: SSH uses TCP port 22. All protocols encrypted by SSH, including SFTP, SHTTP, SCP, SExec, and slogin, also use TCP port 22.
Topic 6, Cryptography Which of the following protocols uses an asymmetric key to open a session and then establishes a symmetric key for the remainder of the session? A. SFTP B. HTTPS C. TFTP D. TLS
Answer: D Explanation: SSL establishes a session using asymmetric encryption and maintains the session using symmetric encryption.
A company is about to release a very large patch to its customers. An administrator is required to test patch installations several times prior to distributing them to customer PCs. Which of the following should the administrator use to test the patching process quickly and often? A. Create an incremental backup of an unpatched PC B. Create an image of a patched PC and replicate it to servers C. Create a full disk image to restore after each installation D. Create a virtualized sandbox and utilize snapshots
Answer: D Explanation: Sandboxing is the process of isolating a system before installing new applications or patches on it so as to restrict the software from being able to cause harm to production systems. Before the patch is installed, a snapshot of the system should be taken. Snapshots are backups that can be used to quickly recover from poor updates, and errors arising from newly installed applications.
Which of the following can be performed when an element of the company policy cannot be enforced by technical means? A. Develop a set of standards B. Separation of duties C. Develop a privacy policy D. User training
Answer: D Explanation: User training is an important aspect of maintaining safety and security. It helps improve users' security awareness in terms of prevention, enforcement, and threats. It is of critical importance when element of the company policy cannot be enforced by technical means.
Several employees have been printing files that include personally identifiable information of customers. Auditors have raised concerns about the destruction of these hard copies after they are created, and management has decided the best way to address this concern is by preventing these files from being printed. Which of the following would be the BEST control to implement? A. File encryption B. Printer hardening C. Clean desk policies D. Data loss prevention
Answer: D Explanation: Data loss prevention (DLP) systems monitor the contents of systems (workstations, servers, and networks) to make sure that key content is not deleted or removed. They also monitor who is using the data (looking for unauthorized access) and transmitting the data. This would address the concerns of the auditors.
The act of magnetically erasing all of the data on a disk is known as: A. Wiping B. Dissolution C. Scrubbing D. Degaussing
Answer: D Explanation: Degaussing is a form a data wiping that entails the use of magnets to alter the magnetic structure of the storage medium
Ann, a security administrator, wishes to replace their RADIUS authentication with a more secure protocol, which can utilize EAP. Which of the following would BEST fit her objective? A. CHAP B. SAML C. Kerberos D. Diameter
Answer: D Explanation: Diameter is an authentication, authorization, and accounting protocol that replaces the RADIUS protocol. Diameter Applications extend the base protocol by including new commands and/or attributes, such as those for use of the Extensible Authentication Protocol (EAP
Pete, a security analyst, has been informed that the development team has plans to develop an application which does not meet the company's password policy. Which of the following should Pete do NEXT? A. Contact the Chief Information Officer and ask them to change the company password policy so that the application is made compliant. B. Tell the application development manager to code the application to adhere to the company's password policy. C. Ask the application development manager to submit a risk acceptance memo so that the issue can be documented. D. Inform the Chief Information Officer of non-adherence to the security policy so that the developers can be reprimanded.
Answer: B Explanation: Since the application is violating the security policy it should be coded differently to comply with the password policy.
In order for Sara, a client, to logon to her desktop computer, she must provide her username, password, and a four digit PIN. Which of the following authentication methods is Sara using? A. Three factor B. Single factor C. Two factor D. Four factor
Answer: B Explanation: Single-factor authentication is when only one authentication factor is used. In this case, Something you know is being used as an authentication factor. Username, password, and PIN form part of Something you know
Which of the following must a user implement if they want to send a secret message to a coworker by embedding it within an image? A. Transport encryption B. Steganography C. Hashing D. Digital signature
Answer: B Explanation: Steganography is the process of concealing a file, message, image, or video within another file, message, image, or video. Note: The advantage of steganography over cryptography alone is that the intended secret message does not attract attention to itself as an object of scrutiny. Plainly visible encrypted messages, no matter how unbreakable will arouse interest, and may in themselves be incriminating in countries where encryption is illegal. Thus, whereas cryptography is the practice of protecting the contents of a message alone, steganography is concerned with concealing the fact that a secret message is being sent, as well as concealing the contents of the message.
Which of the following utilities can be used in Linux to view a list of users' failed authentication attempts? A. badlog B. faillog C. wronglog D. killlog
Answer: B Explanation: var/log/faillog - This Linux log fi le contains failed user logins. You'll find this log useful when tracking attempts to crack into your system. /var/log/apport.log This log records application crashes. Sometimes these can reveal attempts to compromise the system or the presence of a virus or spyware
Connections using point-to-point protocol authenticate using which of the following? (Select TWO). A. RIPEMD B. PAP C. CHAP D. RC4 E. Kerberos
Answer: B,C Explanation: B: A password authentication protocol (PAP) is an authentication protocol that uses a password. PAP is used by Point to Point Protocol to validate users before allowing them access to server resources. C: CHAP is an authentication scheme used by Point to Point Protocol (PPP) servers to validate the identity of remote clients. CHAP periodically verifies the identity of the client by using a threeway handshake
Which of the following can use RC4 for encryption? (Select TWO). A. CHAP B. SSL C. WEP D. AES E. 3DES
Answer: B,C Explanation: B: In cryptography, RC4 (Rivest Cipher 4 also known as ARC4 or ARCFOUR meaning Alleged RC4) is the most widely used software stream cipher and is used in popular Internet protocols such as Secure Sockets Layer (SSL) and Transport Layer Security (TLS). C: WEP also uses RC4, however WEP is still unsecure.
A security administrator notices that a specific network administrator is making unauthorized changes to the firewall every Saturday morning. Which of the following would be used to mitigate this issue so that only security administrators can make changes to the firewall? A. Mandatory vacations B. Job rotation C. Least privilege D. Time of day restrictions
Answer: C Explanation: A least privilege policy is to give users only the permissions that they need to do their work and no more. That is only allowing security administrators to be able to make changes to the firewall by practicing the least privilege principle.
One of the system administrators at a company is assigned to maintain a secure computer lab. The administrator has rights to configure machines, install software, and perform user account maintenance. However, the administrator cannot add new computers to the domain, because that requires authorization from the Information Assurance Officer. This is an example of which of the following? A. Mandatory access B. Rule-based access control C. Least privilege D. Job rotation
Answer: C Explanation: A least privilege policy should be used when assigning permissions. Give users only the permissions that they need to do their work and no more.
A system administrator has concerns regarding their users accessing systems and secured areas using others' credentials. Which of the following can BEST address this concern? A. Create conduct policies prohibiting sharing credentials. B. Enforce a policy shortening the credential expiration timeframe. C. Implement biometric readers on laptops and restricted areas. D. Install security cameras in areas containing sensitive systems.
Answer: C Explanation: Biometrics is an authentication process that makes use of physical characteristics to establish identification. This will prevent users making use of others credentials
Several employees submit the same phishing email to the administrator. The administrator finds that the links in the email are not being blocked by the company's security device. Which of the following might the administrator do in the short term to prevent the emails from being received? A. Configure an ACL B. Implement a URL filter C. Add the domain to a block list D. Enable TLS on the mail server
Answer: C Explanation: Blocking e-mail is the same as preventing the receipt of those e-mails and this is done by applying a filter. But the filter must be configured to block it. Thus you should add that specific domain from where the e-mails are being sent to the list of addresses that is to be blocked.
A large bank has moved back office operations offshore to another country with lower wage costs in an attempt to improve profit and productivity. Which of the following would be a customer concern if the offshore staff had direct access to their data? A. Service level agreements B. Interoperability agreements C. Privacy considerations D. Data ownership
Answer: C Explanation: Businesses such as banks have legally mandated privacy requirements and with moving operations offshore there is decentralized control with has implications for privacy of data.
A business has set up a Customer Service kiosk within a shopping mall. The location will be staffed by an employee using a laptop during the mall business hours, but there are still concerns regarding the physical safety of the equipment while it is not in use. Which of the following controls would BEST address this security concern? A. Host-based firewall B. Cable locks C. Locking cabinets D. Surveillance video
Answer: C Explanation: Locking cabinets can be used to protect backup media, documentation and other physical artefacts. In this case a locking cabinet will keep the company's Customer Service kiosk under lock and key when not in use.
During an anonymous penetration test, Jane, a system administrator, was able to identify a shared print spool directory, and was able to download a document from the spool. Which statement BEST describes her privileges? A. All users have write access to the directory. B. Jane has read access to the file. C. All users have read access to the file. D. Jane has read access to the directory
Answer: C Explanation: The question states that Jane was able to download a document from the spool directory. To view and download the document, Jane must have at least Read access to the file. The fact that the document belonged to someone else suggests that all users have read access to the file.
A network administrator has purchased two devices that will act as failovers for each other. Which of the following concepts does this BEST illustrate? A. Authentication B. Integrity C. Confidentiality D. Availability
Answer: D Explanation: Failover refers to the process of reconstructing a system or switching over to other systems when a failure is detected. In the case of a server, the server switches to a redundant server when a fault is detected. This strategy allows service to continue uninterrupted until the primary server can be restored. In the case of a network, this means processing switches to another network path in the event of a network failure in the primary path. This means availability
A security manager requires fencing around the perimeter, and cipher locks on all entrances. The manager is concerned with which of the following security controls? A. Integrity B. Availability C. Confidentiality D. Safety
Answer: D Explanation: Fencing is used to increase physical security and safety. Locks are used to keep those who are unauthorized out
Which of the following file systems is from Microsoft and was included with their earliest operating systems? A. NTFS B. UFS C. MTFS D. FAT
Answer: D Explanation: File Allocation Table (FAT) is a file system created by Microsoft and used for its earliest DOS operating systems
Full disk encryption is MOST effective against which of the following threats? A. Denial of service by data destruction B. Eavesdropping emanations C. Malicious code D. Theft of hardware
Answer: D Explanation: Full-disk encryption encrypts the data on the device. This feature ensures that the data on the device cannot be accessed in a useable form should the device be stolen. However, it does not prevent the theft of hardware it only protects data should the device be stolen.
Topic 4, Application, Data and Host Security Methods to test the responses of software and web applications to unusual or unexpected inputs are known as: A. Brute force. B. HTML encoding. C. Web crawling. D. Fuzzing.
Answer: D Explanation: Fuzzing is a software testing technique that involves providing invalid, unexpected, or random data to as inputs to a computer program. The program is then monitored for exceptions such as crashes, or failed validation, or memory leaks.
Which of the following describes purposefully injecting extra input during testing, possibly causing an application to crash? A. Input validation B. Exception handling C. Application hardening D. Fuzzing
Answer: D Explanation: Fuzzing is a software testing technique that involves providing invalid, unexpected, or random data to as inputs to a computer program. The program is then monitored for exceptions such as crashes, or failed validation, or memory leaks.
Which of the following security concepts identifies input variables which are then used to perform boundary testing? A. Application baseline B. Application hardening C. Secure coding D. Fuzzing
Answer: D Explanation: Fuzzing is a software testing technique that involves providing invalid, unexpected, or random data to as inputs to a computer program. The program is then monitored for exceptions such as crashes, or failed validation, or memory leaks.
Which of the following practices reduces the management burden of access management? A. Password complexity policies B. User account audit C. Log analysis and review D. Group based privileges
Answer: D Explanation: Granting permissions to all members of a group is quicker than individually assigning them to each user. This means an administrator will spend less time on assigning permissions to users who require the same access privileges.
A system administrator needs to ensure that certain departments have more restrictive controls to their shared folders than other departments. Which of the following security controls would be implemented to restrict those departments? A. User assigned privileges B. Password disablement C. Multiple account creation D. Group based privileges
Answer: D Explanation: Group-based privileges assign privileges or access to a resource to all members of a group. Group-based access control grants every member of the group the same level of access to a specific object.
Jane, a VPN administrator, was asked to implement an encryption cipher with a MINIMUM effective security of 128-bits. Which of the following should Jane select for the tunnel encryption? A. Blowfish B. DES C. SHA256 D. HMAC
Answer: D Explanation: HMAC (Hash-Based Message Authentication Code) uses a hashing algorithm along with a symmetric key. HMAC with 128 bit would provide more additional security compared to Blowfish 128 bit as HMAC uses a symmetric key as well.
Which of the following MUST Matt, a security administrator, implement to verify both the integrity and authenticity of a message while requiring a shared secret? A. RIPEMD B. MD5 C. SHA D. HMAC
Answer: D Explanation: HMAC (Hash-Based Message Authentication Code) uses a hashing algorithm along with a symmetric key. The hashing function provides data integrity, while the symmetric key provides authenticity.
Which of the following transportation encryption protocols should be used to ensure maximum security between a web browser and a web server? A. SSLv2 B. SSHv1 C. RSA D. TLS
Answer: D Explanation: HTTP Secure HTTP Secure (HTTPS) is the protocol used for "secure" web pages that users should see when they must enter personal information such as credit card numbers, passwords, and other identifiers. It combines HTTP with SSL/TLS to provide encrypted communication. Transport Layer Security (TLS) is a security protocol that expands upon SSL. Many industry analysts predict that TLS will replace SSL, and it is also referred to as SSL 3.1.
Signed digital certificates used to secure communication with a web server are MOST commonly associated with which of the following ports? A. 25 B. 53 C. 143 D. 443
Answer: D Explanation: HTTPS authenticates the website and corresponding web server with which one is communicating. HTTPS makes use of port 443. Incorrect Options: A: Port 25 is used by Simple Mail Transfer Protocol (SMTP) for routing e-mail between mail servers. B: Port 53 is used by Domain Name System (DNS). C: Port 143 is used by Internet Message Access Protocol (IMAP) for the management of email messages.
Disabling unnecessary services, restricting administrative access, and enabling auditing controls on a server are forms of which of the following? A. Application patch management B. Cross-site scripting prevention C. Creating a security baseline D. System hardening
Answer: D Explanation: Hardening is the process of securing a system by reducing its surface of vulnerability. Reducing the surface of vulnerability typically includes removing or disabling unnecessary functions and features, removing or disabling unnecessary user accounts, disabling unnecessary protocols and ports, and disabling unnecessary services
After visiting a website, a user receives an email thanking them for a purchase which they did not request. Upon investigation the security administrator sees the following source code in a pop-up window: <HTML> <body onload="document.getElementByID('badForm').submit()"> <form id="badForm" action="shoppingsite.company.com/purchase.php" method="post" > <input name="Perform Purchase" value="Perform Purchase"/> </form> </body> </HTML> Which of the following has MOST likely occurred? A. SQL injection B. Cookie stealing C. XSRF D. XSS
Answer: C Explanation: XSRF or cross-site request forgery applies to web applications and is an attack that exploits the web application's trust of a user who known or is supposed to have been authenticated. This is often accomplished without the user's knowledge.
Account lockout is a mitigation strategy used by Jane, the administrator, to combat which of the following attacks? (Select TWO). A. Spoofing B. Man-in-the-middle C. Dictionary D. Brute force E. Privilege escalation
Answer: C,D Explanation: Account lockout is a useful method for slowing down online password-guessing attacks. A dictionary attack performs password guessing by making use of a pre-existing list of likely passwords. A brute-force attack is intended to try every possible valid combination of characters to create possible passwords in the attempt to discover the specific passwords used by user accounts.
Which of the following are examples of network segmentation? (Select TWO). A. IDS B. IaaS C. DMZ D. Subnet E. IPS
Answer: C,D Explanation: C: A demilitarized zone (DMZ) is a part of the network that is separated of segmented from the rest of the network by means of firewalls and acts as a buffer between the untrusted public Internet and the trusted local area network (LAN). D. IP subnets can be used to separate or segment networks while allowing communication between the network segments via routers.
A technician wants to verify the authenticity of the system files of a potentially compromised system. Which of the following can the technician use to verify if a system file was compromised? (Select TWO). A. AES B. PGP C. SHA D. MD5 E. ECDHE
Answer: C,D Explanation: Hashing is used to prove the integrity of data to prove that it hasn't been modified. Hashing algorithms are used to derive a key mathematically from a message. The most common hashing standards for cryptographic applications are the SHA and MD algorithms.
Jane, the security administrator, sets up a new AP but realizes too many outsiders are able to connect to that AP and gain unauthorized access. Which of the following would be the BEST way to mitigate this issue and still provide coverage where needed? (Select TWO). A. Disable the wired ports B. Use channels 1, 4 and 7 only C. Enable MAC filtering D. Disable SSID broadcast E. Switch from 802.11a to 802.11b
Answer: C,D Explanation: Network administrators may choose to disable SSID broadcast to hide their network from unauthorized personnel. However, the SSID is still needed to direct packets to and from the base station, so it's a discoverable value using a wireless packet sniffer. Thus, the SSID should be disabled if the network isn't for public use. A MAC filter is a list of authorized wireless client interface MAC addresses that is used by a WAP to block access to all unauthorized devices.
A vulnerability assessment indicates that a router can be accessed from default port 80 and default port 22. Which of the following should be executed on the router to prevent access via these ports? (Select TWO). A. FTP service should be disabled B. HTTPS service should be disabled C. SSH service should be disabled D. HTTP service should disabled E. Telnet service should be disabled
Answer: C,D Explanation: Port 80 is used by HTTP. Port 22 is used by SSH. By disabling the HTTP and Telnet services, you will prevent access to the router on ports 80 and 22.
Which of the following protocols allows for secure transfer of files? (Select TWO). A. ICMP B. SNMP C. SFTP D. SCP E. TFTP
Answer: C,D Explanation: Standard FTP is a protocol often used to move files between one system and another either over the Internet or within private networks. SFTP is a secured alternative to standard FTP. Secure Copy Protocol (SCP) is a secure file-transfer facility based on SSH and Remote Copy Protocol (RCP).
Access mechanisms to data on encrypted USB hard drives must be implemented correctly otherwise: A. user accounts may be inadvertently locked out. B. data on the USB drive could be corrupted. C. data on the hard drive will be vulnerable to log analysis. D. the security controls on the USB drive can be bypassed
Answer: D Explanation: A common access mechanism to data on encrypted USB hard drives is a password. If a weak password is used, someone could guess the password and bypass the security controls on the USB drive to access the data.
Company A submitted a bid on a contract to do work for Company B via email. Company B was insistent that the bid did not come from Company A. Which of the following would have assured that the bid was submitted by Company A? A. Steganography B. Hashing C. Encryption D. Digital Signatures
Answer: D Explanation: A digital signature is similar in function to a standard signature on a document. It validates the integrity of the message and the sender. The message is encrypted using the encryption system, and a second piece of information, the digital signature, is added to the message.
Developers currently have access to update production servers without going through an approval process. Which of the following strategies would BEST mitigate this risk? A. Incident management B. Clean desk policy C. Routine audits D. Change management
Answer: D Explanation: Change Management is a risk mitigation approach and refers to the structured approach that is followed to secure a company's assets. This structured approach involves policies that should be in place and technological controls that should be enforced.
A system administrator wants to enable WPA2 CCMP. Which of the following is the only encryption used? A. RC4 B. DES C. 3DES D. AES
Answer: D Explanation: Cipher Block Chaining Message Authentication Code Protocol (CCMP) makes use of 128-bit AES encryption with a 48-bit initialization vector
Which of the following is a Data Loss Prevention (DLP) strategy and is MOST useful for securing data in use? A. Email scanning B. Content discovery C. Database fingerprinting D. Endpoint protection
Answer: D Explanation: Data loss prevention (DLP) systems monitor the contents of systems (workstations, servers, and networks) to make sure that key content is not deleted or removed. They also monitor who is using the data (looking for unauthorized access) and transmitting the data. DLP systems share commonality with network intrusion prevention systems. Endpoint protection provides security and management over both physical and virtual environments.
Which of the following BEST explains the use of an HSM within the company servers? A. Thumb drives present a significant threat which is mitigated by HSM. B. Software encryption can perform multiple functions required by HSM. C. Data loss by removable media can be prevented with DLP. D. Hardware encryption is faster than software encryption
Answer: D Explanation: Hardware Security Module (HSM) is a cryptoprocessor that can be used to enhance security. It provides a fast solution for the for large asymmetrical encryption calculations and is much faster than software-based cryptographic solutions.
Which of the following cryptographic algorithms is MOST often used with IPSec? A. Blowfish B. Twofish C. RC4 D. HMAC
Answer: D Explanation: The HMAC-MD5-96 (also known as HMAC-MD5) encryption technique is used by IPSec to make sure that a message has not been altered.
Which of the following passwords is the LEAST complex? A. MyTrain!45 B. Mytr@in!! C. MyTr@in12 D. MyTr@in#8
Answer: B Explanation: Password policies often enforce a minimum of three out of four standard character types, which includes uppercase and lowercase letters, numbers, and symbols. Although this option includes three of the four character types, it does not include numbers, which makes it less complex than the other options
Which of the following authentication services should be replaced with a more secure alternative? A. RADIUS B. TACACS C. TACACS+ D. XTACACS
Answer: B Explanation: Terminal Access Controller Access-Control System (TACACS) is less secure than XTACACS, which is a proprietary extension of TACACS, and less secure than TACACS+, which replaced TACACS and XTACACS
Pete, the compliance manager, wants to meet regulations. Pete would like certain ports blocked only on all computers that do credit card transactions. Which of the following should Pete implement to BEST achieve this goal? A. A host-based intrusion prevention system B. A host-based firewall C. Antivirus update system D. A network-based intrusion detection system
Answer: B Explanation: A host-based firewall is installed on a client system and is used to protect the client system from the activities of the user as well as from communication from the network or Internet
Which of the following protocols allows for the LARGEST address space? A. IPX B. IPv4 C. IPv6 D. Appletalk
Answer: C Explanation: The main advantage of IPv6 over IPv4 is its larger address space. The length of an IPv6 address is 128 bits, compared with 32 bits in IPv4.
Which of the following can be used on a smartphone to BEST protect against sensitive data loss if the device is stolen? (Select TWO). A. Tethering B. Screen lock PIN C. Remote wipe D. Email password E. GPS tracking F. Device encryption
Answer: C,F Explanation: C: Remote wipe is the process of deleting data on a device in the event that the device is stolen. This is performed over remote connections such as the mobile phone service or the internet connection and helps ensure that sensitive data is not accessed by unauthorized people. F: Device encryption encrypts the data on the device. This feature ensures that the data on the device cannot be accessed in a useable form should the device be stolen.
A system administrator is setting up a file transfer server. The goal is to encrypt the user authentication and the files the user is sending using only a user ID and a key pair. Which of the following methods would achieve this goal? A. AES B. IPSec C. PGP D. SSH
Answer: D Explanation: With SSH you can use automatically generated public-private key pairs to encrypt a network connection, and then use password authentication to log on. Or you can use a manually generated public-private key pair to perform the authentication, allowing users or programs to log in without having to specify a password.
By default, which of the following uses TCP port 22? (Select THREE). A. FTPS B. STELNET C. TLS D. SCP E. SSL F. HTTPS G. SSH H. SFTP
Answer: D,G,H Explanation: G: Secure Shell (SSH) is a cryptographic network protocol for securing data communication. It establishes a secure channel over an insecure network in a client-server architecture, connecting an SSH client application with an SSH server. Common applications include remote command-line login, remote command execution, but any network service can be secured with SSH. SSH uses port 22. D: SCP stands for Secure Copy. SCP is used to securely copy files over a network. SCP uses SSH to secure the connection and therefore uses port 22. H: SFTP stands for stands for Secure File Transfer Protocol and is used for transferring files using FTP over a secure network connection. SFTP uses SSH to secure the connection and therefore uses port 22.
An administrator is investigating a system that may potentially be compromised, and sees the following log entries on the router. *Jul 15 14:47:29.779:%Router1: list 101 permitted tcp 192.10.3.204(57222) (FastEthernet 0/3) -> 10.10.1.5 (6667), 3 packets. *Jul 15 14:47:38.779:%Router1: list 101 permitted tcp 192.10.3.204(57222) (FastEthernet 0/3) -> 10.10.1.5 (6667), 6 packets. *Jul 15 14:47:45.779:%Router1: list 101 permitted tcp 192.10.3.204(57222) (FastEthernet 0/3) -> 10.10.1.5 (6667), 8 packets. Which of the following BEST describes the compromised system? A. It is running a rogue web server B. It is being used in a man-in-the-middle attack C. It is participating in a botnet D. It is an ARP poisoning attack
Answer: C Explanation: In this question, we have a source computer (192.10.3.204) sending data to a single destination IP address 10.10.1.5. No data is being received back by source computer which suggests the data being sent is some kind of Denial-of-service attack. This is common practice for computers participating in a botnet. The port used is TCP 6667 which is IRC (Internet Relay Chat). This port is used by many Trojans and is commonly used for DoS attacks. Software running on infected computers called zombies is often known as a botnet. Bots, by themselves, are but a form of software that runs automatically and autonomously. (For example, Google uses the Googlebot to find web pages and bring back values for the index.) Botnet, however, has come to be the word used to describe malicious software running on a zombie and under the control of a bot-herder. Denial-of-service attacks—DoS and DDoS—can be launched by botnets, as can many forms of adware, spyware, and spam (via spambots). Most bots are written to run in the background with no visible evidence of their presence. Many malware kits can be used to create botnets and modify existing ones.
Which of the following devices is used for the transparent security inspection of network traffic by redirecting user packets prior to sending the packets to the intended destination? A. Proxies B. Load balancers C. Protocol analyzer D. VPN concentrator
Answer: A Explanation: A proxy is a device that acts on behalf of other(s). A commonly used proxy in computer networks is a web proxy. Web proxy functionality is often combined into a proxy firewall. A proxy firewall can be thought of as an intermediary between your network and any other network. Proxy firewalls are used to process requests from an outside network; the proxy firewall examines the data and makes rule-based decisions about whether the request should be forwarded or refused. The proxy intercepts all of the packets and reprocesses them for use internally. This process includes hiding IP addresses. The proxy firewall provides better security than packet filtering because of the increased intelligence that a proxy firewall offers. Requests from internal network users are routed through the proxy. The proxy, in turn, repackages the request and sends it along, thereby isolating the user from the external network. The proxy can also offer caching, should the same request be made again, and it can increase the efficiency of data delivery.
Which of the following is a best practice for error and exception handling? A. Log detailed exception but display generic error message B. Display detailed exception but log generic error message C. Log and display detailed error and exception messages D. Do not log or display error or exception messages
Answer: A Explanation: A detailed explanation of the error is not helpful for most end users but might provide information that is useful to a hacker. It is therefore better to display a simple but helpful message to the end user and log the detailed information to an access-restricted log file for the administrator and programmer who would need as much information as possible about the problem in order to rectify it.
A network analyst received a number of reports that impersonation was taking place on the network. Session tokens were deployed to mitigate this issue and defend against which of the following attacks? A. Replay B. DDoS C. Smurf D. Ping of Death
Answer: A Explanation: A replay attack (also known as playback attack) is a form of network attack in which a valid data transmission is maliciously or fraudulently repeated or delayed. This is carried out either by the originator or by an adversary who intercepts the data and retransmits it, possibly as part of a masquerade attack by IP packet substitution (such as stream cipher attack). For example: Suppose Alice wants to prove her identity to Bob. Bob requests her password as proof of identity, which Alice dutifully provides (possibly after some transformation like a hash function); meanwhile, Eve is eavesdropping on the conversation and keeps the password (or the hash). After the interchange is over, Eve (posing as Alice) connects to Bob; when asked for a proof of identity, Eve sends Alice's password (or hash) read from the last session, which Bob accepts thus granting access to Eve. Countermeasures: A way to avoid replay attacks is by using session tokens: Bob sends a onetime token to Alice, which Alice uses to transform the password and send the result to Bob (e.g. computing a hash function of the session token appended to the password). On his side Bob performs the same computation; if and only if both values match, the login is successful. Now suppose Eve has captured this value and tries to use it on another session; Bob sends a different session token, and when Eve replies with the captured value it will be different from Bob's computation. Session tokens should be chosen by a (pseudo-) random process. Otherwise Eve may be able to pose as Bob, presenting some predicted future token, and convince Alice to use that token in her transformation. Eve can then replay her reply at a later time (when the previously predicted token is actually presented by Bob), and Bob will accept the authentication. One-time passwords are similar to session tokens in that the password expires after it has been used or after a very short amount of time. They can be used to authenticate individual transactions in addition to sessions. The technique has been widely implemented in personal online banking systems. Bob can also send nonces but should then include a message authentication code (MAC), which Alice should check. Timestamping is another way of preventing a replay attack. Synchronization should be achieved using a secure protocol. For example Bob periodically broadcasts the time on his clock together with a MAC. When Alice wants to send Bob a message, she includes her best estimate of the time on his clock in her message, which is also authenticated. Bob only accepts messages for which the timestamp is within a reasonable tolerance. The advantage of this scheme is that Bobdoes not need to generate (pseudo-) random numbers, with the trade-off being that replay attacks, if they are performed quickly enough i.e. within that 'reasonable' limit, could succeed.
The IT department noticed that there was a significant decrease in network performance during the afternoon hours. The IT department performed analysis of the network and discovered this was due to users accessing and downloading music and video streaming from social sites. The IT department notified corporate of their findings and a memo was sent to all employees addressing the misuse of company resources and requesting adherence to company policy. Which of the following policies is being enforced? A. Acceptable use policy B. Telecommuting policy C. Data ownership policy D. Non disclosure policy
Answer: A Explanation: Acceptable use policy describes how employees are allowed to use company systems and resources, and the consequences of misuse.
Jane has implemented an array of four servers to accomplish one specific task. This is BEST known as which of the following? A. Clustering B. RAID C. Load balancing D. Virtualization
Answer: A Explanation: Anytime you connect multiple computers to work/act together as a single server, it is known as clustering. Clustered systems utilize parallel processing (improving performance and availability) and add redundancy (but also add costs).
Which of the following controls would prevent an employee from emailing unencrypted information to their personal email account over the corporate network? A. DLP B. CRL C. TPM D. HSM
Answer: A Explanation: Data loss prevention (DLP) systems monitor the contents of systems (workstations, servers, and networks) to make sure that key content is not deleted or removed. They also monitor who is using the data (looking for unauthorized access) and transmitting the data.
Which of the following types of encryption will help in protecting files on a PED? A. Mobile device encryption B. Transport layer encryption C. Encrypted hidden container D. Database encryption
Answer: A Explanation: Device encryption encrypts the data on a Personal Electronic Device (PED). This feature ensures that the data on the device cannot be accessed in a useable form should the device be stolen
Fuzzing is a security assessment technique that allows testers to analyze the behavior of software applications under which of the following conditions? A. Unexpected input B. Invalid output C. Parameterized input D. Valid output
Answer: A Explanation: Fuzzing is a software testing technique that involves providing invalid, unexpected, or random data to as inputs to a computer program. The program is then monitored for exceptions such as crashes, or failed validation, or memory leaks.
Which of the following application security testing techniques is implemented when an automated system generates random input data? A. Fuzzing B. XSRF C. Hardening D. Input validation
Answer: A Explanation: Fuzzing is a software testing technique that involves providing invalid, unexpected, or random data to as inputs to a computer program. The program is then monitored for exceptions such as crashes, or failed validation, or memory leaks.
Highly sensitive data is stored in a database and is accessed by an application on a DMZ server. The disk drives on all servers are fully encrypted. Communication between the application server and end-users is also encrypted. Network ACLs prevent any connections to the database server except from the application server. Which of the following can still result in exposure of the sensitive data in the database server? A. SQL Injection B. Theft of the physical database server C. Cookies D. Cross-site scripting
Answer: A Explanation: The question discusses a very secure environment with disk and transport level encryption and access control lists restricting access. SQL data in a database is accessed by SQL queries from an application on the application server. The data can still be compromised by a SQL injection attack. SQL injection is a code injection technique, used to attack data-driven applications, in which malicious SQL statements are inserted into an entry field for execution (e.g. to dump the database contents to the attacker). SQL injection must exploit a security vulnerability in an application's software, for example, when user input is either incorrectly filtered for string literal escape characters embedded in SQL statements or user input is not strongly typed and unexpectedly executed. SQL injection is mostly known as an attack vector for websites but can be used to attack any type of SQL database.
After a recent breach, the security administrator performs a wireless survey of the corporate network. The security administrator notices a problem with the following output: MACSSIDENCRYPTIONPOWERBEACONS 00:10:A1:36:12:CCMYCORPWPA2 CCMP601202 00:10:A1:49:FC:37MYCORPWPA2 CCMP709102 FB:90:11:42:FA:99MYCORPWPA2 CCMP403031 00:10:A1:AA:BB:CCMYCORPWPA2 CCMP552021 00:10:A1:FA:B1:07MYCORPWPA2 CCMP306044 Given that the corporate wireless network has been standardized, which of the following attacks is underway? A. Evil twin B. IV attack C. Rogue AP D. DDoS
Answer: A Explanation: The question states that the corporate wireless network has been standardized. By 'standardized' it means the wireless network access points are running on hardware from the same vendor. We can see this from the MAC addresses used. The first half of a MAC address is vendor specific. The second half is network adapter specific. We have four devices with MAC addresses that start with 00:10:A1. The "odd one out" is the device with a MAC address starting FB:90:11. This device is from a different vendor. The SSID of the wireless network on this access point is the same as the other legitimate access points. Therefore, the access point with a MAC address starting FB:90:11 is impersonating the corporate access points. This is known as an Evil Twin. An evil twin, in the context of network security, is a rogue or fake wireless access point (WAP) that appears as a genuine hotspot offered by a legitimate provider. In an evil twin attack, an eavesdropper or hacker fraudulently creates this rogue hotspot to collect the personal data of unsuspecting users. Sensitive data can be stolen by spying on a connection or using a phishing technique. For example, a hacker using an evil twin exploit may be positioned near an authentic Wi-Fi access point and discover the service set identifier (SSID) and frequency. The hacker may then send a radio signal using the exact same frequency and SSID. To end users, the rogue evil twin appears as their legitimate hotspot with the same name. In wireless transmissions, evil twins are not a new phenomenon. Historically, they were known as honeypots or base station clones. With the advancement of wireless technology and the use of wireless devices in public areas, it is very easy for novice users to set up evil twin exploits.
The datacenter design team is implementing a system, which requires all servers installed in racks to face in a predetermined direction. AN infrared camera will be used to verify that servers are properly racked. Which of the following datacenter elements is being designed? A. Hot and cold aisles B. Humidity control C. HVAC system D. EMI shielding
Answer: A Explanation: There are often multiple rows of servers located in racks in server rooms. The rows of servers are known as aisles, and they can be cooled as hot aisles and cold aisles. With a hot aisle, hot air outlets are used to cool the equipment, whereas with cold aisles, cold air intake is used to cool the equipment. Combining the two, you have cold air intake from below the aisle and hot air outtake above it, providing constant circulation. Infrared cameras are heat detection measures thus it is hot and cold aisle design elements.
How must user accounts for exiting employees be handled? A. Disabled, regardless of the circumstances B. Disabled if the employee has been terminated C. Deleted, regardless of the circumstances D. Deleted if the employee has been terminated
Answer: A Explanation: You should always disable an employee's account as soon as they leave. The employee knows the username and password of the account and could continue to log in for potentially malicious purposes. Disabling the account will ensure that no one can log in using that account
Which of the following protocols is MOST likely to be leveraged by users who need additional information about another user? A. LDAP B. RADIUS C. Kerberos D. TACACS+
Answer: A Explanation: A 'directory' contains information about users. The Lightweight Directory Access Protocol (LDAP) is a directory service protocol that runs on a layer above the TCP/IP stack. It provides a mechanism used to connect to, search, and modify Internet directories. The Lightweight Directory Access Protocol (LDAP) is an open, vendor-neutral, industry standard application protocol for accessing and maintaining distributed directory information services over an Internet Protocol (IP) network. Directory services play an important role in developing intranet and Internet applications by allowing the sharing of information about users, systems, networks, services, and applications throughout the network. As examples, directory services may provide any organized set of records, often with a hierarchical structure, such as a corporate email directory. Similarly, a telephone directory is a list of subscribers with an address and a phone numbe
The security manager wants to unify the storage of credential, phone numbers, office numbers, and address information into one system. Which of the following is a system that will support the requirement on its own? A. LDAP B. SAML C. TACACS D. RADIUS
Answer: A Explanation: A 'directory' contains information about users. The Lightweight Directory Access Protocol (LDAP) is a directory service protocol that runs on a layer above the TCP/IP stack. It provides a mechanism used to connect to, search, and modify Internet directories. The Lightweight Directory Access Protocol (LDAP) is an open, vendor-neutral, industry standard application protocol for accessing and maintaining distributed directory information services over an Internet Protocol (IP) network. Directory services play an important role in developing intranet and Internet applications by allowing the sharing of information about users, systems, networks, services, and applications throughout the network. As examples, directory services may provide any organized set of records, often with a hierarchical structure, such as a corporate email directory. Similarly, a telephone directory is a list of subscribers with an address and a phone number.
Which of the following helps to apply the proper security controls to information? A. Data classification B. Deduplication C. Clean desk policy D. Encryption
Answer: A Explanation: Information classification is done by confidentiality and comprises of three categories, namely: public use, internal use and restricted use. These categories make applying the appropriate policies and security controls practical.
An auditor's report discovered several accounts with no activity for over 60 days. The accounts were later identified as contractors' accounts who would be returning in three months and would need to resume the activities. Which of the following would mitigate and secure the auditors finding? A. Disable unnecessary contractor accounts and inform the auditor of the update. B. Reset contractor accounts and inform the auditor of the update. C. Inform the auditor that the accounts belong to the contractors. D. Delete contractor accounts and inform the auditor of the update.
Answer: A Explanation: A disabled account cannot be used. It is 'disabled'. Whenever an employee leaves a company, the employee's user account should be disabled. The question states that the accounts are contractors' accounts who would be returning in three months. Therefore, it would be easier to keep the accounts rather than deleting them which would require that the accounts are recreated in three months time. By disabling the accounts, we can ensure that the accounts cannot be used; in three months when the contractors are back, we can simply re-enable the accounts.
Which of the following is an example of a false positive? A. Anti-virus identifies a benign application as malware. B. A biometric iris scanner rejects an authorized user wearing a new contact lens. C. A user account is locked out after the user mistypes the password too many times. D. The IDS does not identify a buffer overflow.
Answer: A Explanation: A false positive is an error in some evaluation process in which a condition tested for is mistakenly found to have been detected. In spam filters, for example, a false positive is a legitimate message mistakenly marked as UBE -unsolicited bulk email, as junk email is more formally known. Messages that are determined to be spam -- whether correctly or incorrectly -- may be rejected by a server or client-side spam filter and returned to the sender as bounce e-mail. One problem with many spam filtering tools is that if they are configured stringently enough to be effective, there is a fairly high chance of getting false positives. The risk of accidentally blocking an important message has been enough to deter many companies from implementing any anti-spam measures at all. False positives are also common in security systems. A host intrusion prevention system (HIPS), for example, looks for anomalies, such as deviations in bandwidth, protocols and ports. When activity varies outside of an acceptable range - for example, a remote application attempting to open a normally closed port -- an intrusion may be in progress. However, an anomaly, such as a sudden spike in bandwidth use, does not guarantee an actual attack, so this approach amounts to an educated guess and the chance for false positives can be high. False positives contrast with false negatives, which are results indicating mistakenly that some condition tested for is absent.
An administrator wants to minimize the amount of time needed to perform backups during the week. It is also acceptable to the administrator for restoration to take an extended time frame. Which of the following strategies would the administrator MOST likely implement? A. Full backups on the weekend and incremental during the week B. Full backups on the weekend and full backups every day C. Incremental backups on the weekend and differential backups every day D. Differential backups on the weekend and full backups every day
Answer: A Explanation: A full backup is a complete, comprehensive backup of all files on a disk or server. The full backup is current only at the time it's performed. Once a full backup is made, you have a complete archive of the system at that point in time. A system shouldn't be in use while it undergoes a full backup because some files may not get backed up. Once the system goes back into operation, the backup is no longer current. A full backup can be a time-consuming process on a large system. An incremental backup is a partial backup that stores only the information that has been changed since the last full or the last incremental backup. If a full backup were performed on a Sunday night, an incremental backup done on Monday night would contain only the information that changed since Sunday night. Such a backup is typically considerably smaller than a full backup. Each incremental backup must be retained until a full backup can be performed. Incremental backups are usually the fastest backups to perform on most systems, and each incremental backup tape is relatively small.
A security administrator wants to deploy a physical security control to limit an individual's access into a sensitive area. Which of the following should be implemented? A. Guards B. CCTV C. Bollards D. Spike strip
Answer: A Explanation: A guard can be intimidating and respond to a situation and in a case where you want to limit an individual's access to a sensitive area a guard would be the most effective.
Which of the following devices is BEST suited for servers that need to store private keys? A. Hardware security module B. Hardened network firewall C. Solid state disk drive D. Hardened host firewall
Answer: A Explanation: A hardware security module (HSM) is a physical computing device that safeguards and manages digital keys for strong authentication and provides cryptoprocessing. By adding a HSM to the server and storing the private keys on HSM, the security of the keys would be improved.
Which of the following types of technologies is used by security and research personnel for identification and analysis of new security threats in a networked environment by using false data/hosts for information collection? A. Honeynet B. Vulnerability scanner C. Port scanner D. Protocol analyzer
Answer: A Explanation: A honeynet is a network set up with intentional vulnerabilities; its purpose is to invite attack, so that an attacker's activities and methods can be studied and that information used to increase network security. A honeynet contains one or more honey pots, which are computer systems on the Internet expressly set up to attract and "trap" people who attempt to penetrate other people's computer systems. Although the primary purpose of a honeynet is to gather information about attackers' methods and motives, the decoy network can benefit its operator in other ways, for example by diverting attackers from a real network and its resources. The Honeynet Project, a non-profit research organization dedicated to computer security and information sharing, actively promotes the deployment of honeynets. In addition to the honey pots, a honeynet usually has real applications and services so that it seems like a normal network and a worthwhile target. However, because the honeynet doesn't actually serve any authorized users, any attempt to contact the network from without is likely an illicit attempt to breach its security, and any outbound activity is likely evidence that a system has been compromised. For this reason, the suspect information is much more apparent than it would be in an actual network, where it would have to be found amidst all the legitimate network data. Applications within a honeynet are often given names such as "Finances" or "Human Services" to make them sound appealing to the attacker.
The security team would like to gather intelligence about the types of attacks being launched against the organization. Which of the following would provide them with the MOST information? A. Implement a honeynet B. Perform a penetration test C. Examine firewall logs D. Deploy an IDS
Answer: A Explanation: A honeynet is a network set up with intentional vulnerabilities; its purpose is to invite attack, so that an attacker's activities and methods can be studied and that information used to increase network security. A honeynet contains one or more honey pots, which are computer systems on the Internet expressly set up to attract and "trap" people who attempt to penetrate other people's computer systems. Although the primary purpose of a honeynet is to gather information about attackers' methods and motives, the decoy network can benefit its operator in other ways, for example by diverting attackers from a real network and its resources. The Honeynet Project, a non-profit research organization dedicated to computer security and information sharing, actively promotes the deployment of honeynets. In addition to the honey pots, a honeynet usually has real applications and services so that it seems like a normal network and a worthwhile target. However, because the honeynet doesn't actually serve any authorized users, any attempt to contact the network from without is likely an illicit attempt to breach its security, and any outbound activity is likely evidence that a system has been compromised. For this reason, the suspect information is much more apparent than it would be in an actual network, where it would have to be found amidst all the legitimate network data. Applications within a honeynet are often given names such as "Finances" or "Human Services" to make them sound appealing to the attacker. A virtual honeynet is one that, while appearing to be an entire network, resides on a single server
What is a system that is intended or designed to be broken into by an attacker? A. Honeypot B. Honeybucket C. Decoy D. Spoofing system
Answer: A Explanation: A honeypot is a system whose purpose it is to be attacked. An administrator can watch and study the attack to research current attack methodologies. According to the Wepopedia.com, a Honeypot luring a hacker into a system has several main purposes: The administrator can watch the hacker exploit the vulnerabilities of the system, thereby learning where the system has weaknesses that need to be redesigned. The hacker can be caught and stopped while trying to obtain root access to the system. By studying the activities of hackers, designers can better create more secure systems that are potentially invulnerable to future hackers. There are two main types of honeypots: Production - A production honeypot is one used within an organization's environment to help mitigate risk. Research - A research honeypot add value to research in computer security by providing a platform to study the threat.
Joe, a network security engineer, has visibility to network traffic through network monitoring tools. However, he's concerned that a disgruntled employee may be targeting a server containing the company's financial records. Which of the following security mechanism would be MOST appropriate to confirm Joe's suspicion? A. HIDS B. HIPS C. NIPS D. NIDS
Answer: A Explanation: A host-based IDS (HIDS) is an intrusion detection system that runs as a service on a host computer system. It is used to monitor the machine logs, system events, and application activity for signs of intrusion. It is useful for detecting attacks that originate outside the organization as well as attacks by internal users logged on to the system.
Each server on a subnet is configured to only allow SSH access from the administrator's workstation. Which of the following BEST describes this implementation? A. Host-based firewalls B. Network firewalls C. Network proxy D. Host intrusion prevention
Answer: A Explanation: A host-based firewall is installed on a client system and is used to protect the client system from the activities of the user as well as from communication from the network or Internet. These firewalls manage network traffic using filters to block certain ports and protocols while allowing others to pass through the system.
In order to prevent and detect fraud, which of the following should be implemented? A. Job rotation B. Risk analysis C. Incident management D. Employee evaluations
Answer: A Explanation: A job rotation policy defines intervals at which employees must rotate through positions. Similar in purpose to mandatory vacations, it helps to ensure that the company does not become too dependent on one person and it does afford the company with the opportunity to place another person in that same job and in this way the company can potentially uncover any fraud perhaps committed by the incumbent
Which of the following is true about the recovery agent? A. It can decrypt messages of users who lost their private key. B. It can recover both the private and public key of federated users. C. It can recover and provide users with their lost or private key. D. It can recover and provide users with their lost public key.
Answer: A Explanation: A key recovery agent is an entity that has the ability to recover a private key, key components, or plaintext messages as needed. Using the recovered key the recovery agent can decrypt encrypted data.
Which of the following risk mitigation strategies will allow Ann, a security analyst, to enforce least privilege principles? A. User rights reviews B. Incident management C. Risk based controls D. Annual loss expectancy
Answer: A Explanation: A least privilege policy should be used when assigning permissions. Give users only the permissions and rights that they need to do their work and no more.
Joe is the accounts payable agent for ABC Company. Joe has been performing accounts payable function for the ABC Company without any supervision. Management has noticed several new accounts without billing invoices that were paid. Which of the following is the BEST management option for review of the new accounts? A. Mandatory vacation B. Job rotation C. Separation of duties D. Replacement
Answer: A Explanation: A mandatory vacation policy requires all users to take time away from work to refresh. Mandatory vacation give the employee a chance to refresh, but it also gives the company a chance to make sure that others can fill in any gaps in skills and satisfies the need to have replication or duplication at all levels. Mandatory vacations also provide an opportunity todiscover fraud. In this case mandatory vacations can allow the company to review all the new accounts.
Why would a technician use a password cracker? A. To look for weak passwords on the network B. To change a user's passwords when they leave the company C. To enforce password complexity requirements D. To change users passwords if they have forgotten them
Answer: A Explanation: A password cracker will be able to expose weak passwords on a network
Which device monitors network traffic in a passive manner? A. Sniffer B. IDS C. Firewall D. Web browser
Answer: A Explanation: A sniffer is another name for a protocol analyzer. A protocol analyzer performs its function in a passive manner. In other words, computers on the network do not know that their data packets have been captured. A Protocol Analyzer is a hardware device or more commonly a software program used to capture network data communications sent between devices on a network. Capturing packets sent from a computer system is known as packet sniffing. Well known software protocol analyzers include Message Analyzer (formerly Network Monitor) from Microsoft and Wireshark (formerly Ethereal). A sniffer (packet sniffer) is a tool that intercepts data flowing in a network. If computers are connected to a local area network that is not filtered or switched, the traffic can be broadcast to all computers contained in the same segment. This doesn't generally occur, since computers are generally told to ignore all the comings and goings of traffic from other computers. However, in the case of a sniffer, all traffic is shared when the sniffer software commands the Network Interface Card (NIC) to stop ignoring the traffic. The NIC is put into promiscuous mode, and it reads communications between computers within a particular segment. This allows the sniffer to seize everything that is flowing in the network, which can lead to the unauthorized access of sensitive data. A packet sniffer can take the form of either a hardware or software solution. A sniffer is also known as a packet analyzer.
A network administrator noticed various chain messages have been received by the company. Which of the following security controls would need to be implemented to mitigate this issue? A. Anti-spam B. Antivirus C. Host-based firewalls D. Anti-spyware
Answer: A Explanation: A spam filter is a software or hardware solution used to identify and block, filter, or remove unwanted messages sent via email or instant messaging (IM).
Ann is starting a disaster recovery program. She has gathered specifics and team members for a meeting on site. Which of the following types of tests is this? A. Structured walkthrough B. Full Interruption test C. Checklist test D. Tabletop exercise
Answer: A Explanation: A structured walkthrough test of a recovery plan involves representatives from each of the functional areas coming together to review the plan to determine if the plan pertaining to their area is accurate and complete and can be implemented when required.
Ann, a security analyst, is preparing for an upcoming security audit. To ensure that she identifies unapplied security controls and patches without attacking or compromising the system, Ann would use which of the following? A. Vulnerability scanning B. SQL injection C. Penetration testing D. Antivirus update
Answer: A Explanation: A vulnerability scan is the process of scanning the network and/or I.T. infrastructure for threats and vulnerabilities. The threats and vulnerabilities are then evaluated in a risk assessment and the necessary actions taken to resolve and vulnerabilities. A vulnerability scan scans for known weaknesses such as missing patches or security updates. A vulnerability scan is the automated process of proactively identifying security vulnerabilities of computing systems in a network in order to determine if and where a system can be exploited and/or threatened. While public servers are important for communication and data transfer over the Internet, they open the door to potential security breaches by threat agents, such as malicious hackers. Vulnerability scanning employs software that seeks out security flaws based on a database of known flaws, testing systems for the occurrence of these flaws and generating a report of the findings that an individual or an enterprise can use to tighten the network's security.
Which of the following is BEST utilized to identify common misconfigurations throughout the enterprise? A. Vulnerability scanning B. Port scanning C. Penetration testing D. Black box
Answer: A Explanation: A vulnerability scan is the process of scanning the network and/or I.T. infrastructure for threats and vulnerabilities. The threats and vulnerabilities are then evaluated in a risk assessment and the necessary actions taken to resolve and vulnerabilities. A vulnerability scan scans for known weaknesses such as missing patches or security updates. A vulnerability scan is the automated process of proactively identifying security vulnerabilities of computing systems in a network in order to determine if and where a system can be exploited and/or threatened. While public servers are important for communication and data transfer over the Internet, they open the door to potential security breaches by threat agents, such as malicious hackers. Vulnerability scanning employs software that seeks out security flaws based on a database of known flaws, testing systems for the occurrence of these flaws and generating a report of the findings that an individual or an enterprise can use to tighten the network's security.
An administrator is concerned that a company's web server has not been patched. Which of the following would be the BEST assessment for the administrator to perform? A. Vulnerability scan B. Risk assessment C. Virus scan D. Network sniffer
Answer: A Explanation: A vulnerability scan is the process of scanning the network and/or I.T. infrastructure for threats and vulnerabilities. Vulnerabilities include computer systems that do not have the latest security patches installed. The threats and vulnerabilities are then evaluated in a risk assessment and the necessary actions taken to resolve and vulnerabilities. A vulnerability scan is the automated process of proactively identifying security vulnerabilities of computing systems in a network in order to determine if and where a system can be exploited and/or threatened. While public servers are important for communication and data transfer over the Internet, they open the door to potential security breaches by threat agents, such as malicious hackers. Vulnerability scanning employs software that seeks out security flaws based on a database of known flaws, testing systems for the occurrence of these flaws and generating a report of the findings that an individual or an enterprise can use to tighten the network's security. Vulnerability scanning typically refers to the scanning of systems that are connected to the Internet but can also refer to system audits on internal networks that are not connected to the Internet in order to assess the threat of rogue software or malicious employees in an enterprise.
The system administrator notices that their application is no longer able to keep up with the large amounts of traffic their server is receiving daily. Several packets are dropped and sometimes the server is taken offline. Which of the following would be a possible solution to look into to ensure their application remains secure and available? A. Cloud computing B. Full disk encryption C. Data Loss Prevention D. HSM
Answer: A Explanation: Cloud computing means hosting services and data on the Internet instead of hosting it locally. There is thus no issue when the company's server is taken offline
Pete, the system administrator, is reviewing his disaster recovery plans. He wishes to limit the downtime in the event of a disaster, but does not have the budget approval to implement or maintain an offsite location that ensures 99.99% availability. Which of the following would be Pete's BEST option? A. Use hardware already at an offsite location and configure it to be quickly utilized. B. Move the servers and data to another part of the company's main campus from the server room. C. Retain data back-ups on the main campus and establish redundant servers in a virtual environment. D. Move the data back-ups to the offsite location, but retain the hardware on the main campus for redundancy.
Answer: A Explanation: A warm site provides some of the capabilities of a hot site, but it requires the customer to do more work to become operational. Warm sites provide computer systems and compatible media capabilities. If a warm site is used, administrators and other staff will need to install and configure systems to resume operations. For most organizations, a warm site could be a remote office, a leased facility, or another organization with which yours has a reciprocal agreement. Warm sites may be for your exclusive use, but they don't have to be. A warm site requires more advanced planning, testing, and access to media for system recovery. Warm sites represent acompromise between a hot site, which is very expensive, and a cold site, which isn't preconfigured.
Which of the following is characterized by an attacker attempting to map out an organization's staff hierarchy in order to send targeted emails? A. Whaling B. Impersonation C. Privilege escalation D. Spear phishing
Answer: A Explanation: A whaling attack is targeted at company executives. Mapping out an organization's staff hierarchy to determine who the people at the top are is also part of a whaling attack. Whaling is a specific kind of malicious hacking within the more general category of phishing, which involves hunting for data that can be used by the hacker. In general, phishing efforts are focused on collecting personal data about users. In whaling, the targets are high-ranking bankers, executives or others in powerful positions or job titles. Hackers who engage in whaling often describe these efforts as "reeling in a big fish," applying a familiar metaphor to the process of scouring technologies for loopholes and opportunities for data theft. Those who are engaged in whaling may, for example, hack into specific networks where these powerful individuals work or store sensitive data. They may also set up keylogging or other malware on a work station associated with one of these executives. There are many ways that hackers can pursue whaling, leading C-level or top-level executives in business and government to stay vigilant about the possibility of cyber threats.
A company has just deployed a centralized event log storage system. Which of the following can be used to ensure the integrity of the logs after they are collected? A. Write-once drives B. Database encryption C. Continuous monitoring D. Role-based access controls
Answer: A Explanation: A write-once drive means that the disk cannot be overwritten once data is written to the disk; and thus the integrity of the logs, if they are written to a write-once drives will ensure integrity of those logs.
Which of the following may cause Jane, the security administrator, to seek an ACL work around? A. Zero day exploit B. Dumpster diving C. Virus outbreak D. Tailgating
Answer: A Explanation: A zero day vulnerability is an unknown vulnerability so there is no fix or patch for it. One way to attempt to work around a zero day vulnerability would be to restrict the permissions by using an ACL (Access Control List) A zero day vulnerability refers to a hole in software that is unknown to the vendor. This security hole is then exploited by hackers before the vendor becomes aware and hurries to fix it—this exploit is called a zero day attack. Uses of zero day attacks can include infiltrating malware, spyware or allowing unwanted access to user information. The term "zero day" refers to the unknown nature of the hole to those outside of the hackers, specifically, the developers. Once the vulnerability becomes known, a race begins for the developer, who must protect users.
Which of the following presents the STRONGEST access control? A. MAC B. TACACS C. DAC D. RBAC
Answer: A Explanation: A: With Mandatory Access Control (MAC) all access is predefined. This makes it the strongest access control of the options presented in the question
Which of the following services are used to support authentication services for several local devices from a central location without the use of tokens? A. TACACS+ B. Smartcards C. Biometrics D. Kerberos
Answer: A Explanation: ACACS allows a client to accept a username and password and send a query to a TACACS authentication server. It would determine whether to accept or deny the authentication request and send a response back. The TIP would then allow access or not based upon the response, not tokens.
Which of the following can be implemented with multiple bit strength? A. AES B. DES C. SHA-1 D. MD5 E. MD4
Answer: A Explanation: AES (a symmetric algorithm) uses key sizes of 128, 192, or 256 bits
Joe, a newly hired employee, has a corporate workstation that has been compromised due to several visits to P2P sites. Joe insisted that he was not aware of any company policy that prohibits the use of such web sites. Which of the following is the BEST method to deter employees from the improper use of the company's information systems? A. Acceptable Use Policy B. Privacy Policy C. Security Policy D. Human Resource Policy
Answer: A Explanation: Acceptable use policies (AUPs) describe how the employees in an organization can use company systems and resources, both software and hardware
Which of the following security benefits would be gained by disabling a terminated user account rather than deleting it? A. Retention of user keys B. Increased logging on access attempts C. Retention of user directories and files D. Access to quarantined files
Answer: A Explanation: Account Disablement should be implemented when a user will be gone from a company whether they leave temporary or permanently. In the case of permanently leaving the company the account should be disabled. Disablement means that the account will no longer be an active account and that the user keys for that account are retained which would not be the case if the account was deleted from the system
Which of the following controls mitigates the risk of Matt, an attacker, gaining access to a company network by using a former employee's credential? A. Account expiration B. Password complexity C. Account lockout D. Dual factor authentication
Answer: A Explanation: Account expiration is a secure feature to employ on user accounts for temporary workers, interns, or consultants. It automatically disables a user account or causes the account to expire at a specific time and on a specific day.
Which of the following policies is implemented in order to minimize data loss or theft? A. PII handling B. Password policy C. Chain of custody D. Zero day exploits
Answer: A Explanation: Although the concept of PII is old, it has become much more important as information technology and the Internet have made it easier to collect PII through breaches of internet security, network security and web browser security, leading to a profitable market in collecting and reselling PII. PII can also be exploited by criminals to stalk or steal the identity of a person, or to aid in the planning of criminal acts. Personally identifiable information (PII) is a catchall for any data that can be used to uniquely identify an individual. This data can be anything from the person's name to a fingerprint (think biometrics), credit card number, or patient record. Thus a PII handling policy can be used to protect data
Which of the following describes a type of malware which is difficult to reverse engineer in a virtual lab? A. Armored virus B. Polymorphic malware C. Logic bomb D. Rootkit
Answer: A Explanation: An armored virus is a type of virus that has been designed to thwart attempts by analysts from examining its code by using various methods to make tracing, disassembling and reverse engineering more difficult. An Armored Virus may also protect itself from antivirus programs, making it more difficult to trace. To do this, the Armored Virus attempts to trick the antivirus program into believing its location is somewhere other than where it really is on the system
Which of the following is best practice to put at the end of an ACL? A. Implicit deny B. Time of day restrictions C. Implicit allow D. SNMP string
Answer: A Explanation: An implicit deny clause is implied at the end of each ACL. This implies that if you aren't specifically granted access or privileges for a resource, you're denied access by default. The implicit deny clause is set by the system
Which of the following concepts allows an organization to group large numbers of servers together in order to deliver a common service? A. Clustering B. RAID C. Backup Redundancy D. Cold site
Answer: A Explanation: Anytime you connect multiple computers to work/act together as a single server, it is known as clustering. Clustered systems utilize parallel processing (improving performance and availability) and add redundancy (but also add costs). Clustering is done whenever you connect multiple computers to work and act together as a single server. It is meant to utilize parallel processing and can also add to redundancy.
Which of the following would prevent a user from installing a program on a company-owned mobile device? A. White-listing B. Access control lists C. Geotagging D. Remote wipe
Answer: A Explanation: Application whitelisting is a form of application security which prevents any software from running on a system unless it is included on a preapproved exception list.
After a security incident involving a physical asset, which of the following should be done at the beginning? A. Record every person who was in possession of assets, continuing post-incident. B. Create working images of data in the following order: hard drive then RAM. C. Back up storage devices so work can be performed on the devices immediately. D. Write a report detailing the incident and mitigation suggestions.
Answer: A Explanation: Asset tracking is the process of maintaining oversight over inventory, and ensuring that a device is still in the possession of the assigned authorized user.
Which of the following allows a network administrator to implement an access control policy based on individual user characteristics and NOT on job function? A. Attributes based B. Implicit deny C. Role based D. Rule based
Answer: A Explanation: Attribute-based access control allows access rights to be granted to users via policies, which combine attributes together. The policies can make use of any type of attributes, which includes user attributes, resource attributes and environment attributes.
A company that purchased an HVAC system for the datacenter is MOST concerned with which of the following? A. Availability B. Integrity C. Confidentiality D. Fire suppression
Answer: A Explanation: Availability means simply to make sure that the data and systems are available for authorized users. Data backups, redundant systems, and disaster recovery plans all support availability; as does environmental support by means of HVAC
A network technician is on the phone with the system administration team. Power to the server room was lost and servers need to be restarted. The DNS services must be the first to be restarted. Several machines are powered off. Assuming each server only provides one service, which of the following should be powered on FIRST to establish DNS services? A. Bind server B. Apache server C. Exchange server D. RADIUS server
Answer: A Explanation: BIND (Berkeley Internet Name Domain) is the most widely used Domain Name System (DNS) software on the Internet. It includes the DNS server component contracted for name daemon. This is the only option that directly involves DNS
A process in which the functionality of an application is tested without any knowledge of the internal mechanisms of the application is known as: A. Black box testing B. White box testing C. Black hat testing D. Gray box testing
Answer: A Explanation: Black-box testing is a method of software testing that examines the functionality of an application without peering into its internal structures or workings. This method of test can be applied to virtually every level of software testing: unit, integration, system and acceptance. It typically comprises most if not all higher level testing, but can also dominate unit testing as well. Specific knowledge of the application's code/internal structure and programming knowledge in general is not required. The tester is aware of what the software is supposed to do but is not aware of how it does it. For instance, the tester is aware that a particular input returns a certain, invariable output but is not aware of how the software produces the output in the first place.
Which of the following means of wireless authentication is easily vulnerable to spoofing? A. MAC Filtering B. WPA - LEAP C. WPA - PEAP D. Enabled SSID
Answer: A Explanation: Each network interface on your computer or any other networked device has a unique MAC address. These MAC addresses are assigned in the factory, but you can easily change, or "spoof," MAC addresses in software. Networks can use MAC address filtering, only allowing devices with specific MAC addresses to connect to a network. This isn't a great security tool because people can spoof their MAC addresses.
The security consultant is assigned to test a client's new software for security, after logs show targeted attacks from the Internet. To determine the weaknesses, the consultant has no access to the application program interfaces, code, or data structures. This is an example of which of the following types of testing? A. Black box B. Penetration C. Gray box D. White box
Answer: A Explanation: Black-box testing is a method of software testing that examines the functionality of an application without peering into its internal structures or workings. This method of test can be applied to virtually every level of software testing: unit, integration, system and acceptance. It typically comprises most if not all higher level testing, but can also dominate unit testing as well. Specific knowledge of the application's code/internal structure and programming knowledge in general is not required. The tester is aware of what the software is supposed to do but is not aware of how it does it. For instance, the tester is aware that a particular input returns a certain, invariable output but is not aware of how the software produces the output in the first place.
In regards to secure coding practices, why is input validation important? A. It mitigates buffer overflow attacks. B. It makes the code more readable. C. It provides an application configuration baseline. D. It meets gray box testing standards
Answer: A Explanation: Buffer overflow is an exploit at programming error, bugs and flaws. It occurs when an application is fed more input data than it is programmed to handle. This may cause the application to terminate or to write data beyond the end of the allocated space in memory. The termination of the application may cause the system to send the data with temporary access to privileged levels in the system, while overwriting can cause important data to be lost. Proper error and exception handling and input validation will help prevent Buffer overflow exploits.
Sara, an application developer, implemented error and exception handling alongside input validation. Which of the following does this help prevent? A. Buffer overflow B. Pop-up blockers C. Cross-site scripting D. Fuzzing
Answer: A Explanation: Buffer overflow is an exploit at programming error, bugs and flaws. It occurs when an application is fed more input data than it is programmed to handle. This may cause the application to terminate or to write data beyond the end of the allocated space in memory. The termination of the application may cause the system to send the data with temporary access to privileged levels in the system, while overwriting can cause important data to be lost. Proper error and exception handling and input validation will help prevent Buffer overflow exploits.
In the case of a major outage or business interruption, the security office has documented the expected loss of earnings, potential fines and potential consequence to customer service. Which of the following would include the MOST detail on these objectives? A. Business Impact Analysis B. IT Contingency Plan C. Disaster Recovery Plan D. Continuity of Operations
Answer: A Explanation: Business impact analysis (BIA) is the process of evaluating all of the critical systems in an organization to define impact and recovery plans. BIA isn't concerned with external threats or vulnerabilities; the analysis focuses on the impact a loss would have on the organization. A BIA comprises the following: identifying critical functions, prioritizing critical business functions, calculating a timeframe for critical systems loss, and estimating the tangible impact on the organization
A network administrator has been tasked with securing the WLAN. Which of the following cryptographic products would be used to provide the MOST secure environment for the WLAN? A. WPA2 CCMP B. WPA C. WPA with MAC filtering D. WPA2 TKIP
Answer: A Explanation: CCMP is the standard encryption protocol for use with the WPA2 standard and is much more secure than the WEP protocol and TKIP protocol of WPA. CCMP provides the following security services: Data confidentiality; ensures only authorized parties can access the information Authentication; provides proof of genuineness of the user Access control in conjunction with layer management Because CCMP is a block cipher mode using a 128-bit key, it is secure against attacks to the 264 steps of operation.
A security administrator wishes to increase the security of the wireless network. Which of the following BEST addresses this concern? A. Change the encryption from TKIP-based to CCMP-based. B. Set all nearby access points to operate on the same channel. C. Configure the access point to use WEP instead of WPA2. D. Enable all access points to broadcast their SSIDs.
Answer: A Explanation: CCMP makes use of 128-bit AES encryption with a 48-bit initialization vector. This initialization vector makes cracking a bit more difficult.
A company is concerned that a compromised certificate may result in a man-in-the-middle attack against backend financial servers. In order to minimize the amount of time a compromised certificate would be accepted by other servers, the company decides to add another validation step to SSL/TLS connections. Which of the following technologies provides the FASTEST revocation capability? A. Online Certificate Status Protocol (OCSP) B. Public Key Cryptography (PKI) C. Certificate Revocation Lists (CRL) D. Intermediate Certificate Authority (CA)
Answer: A Explanation: CRL (Certificate Revocation List) was first released to allow the CA to revoke certificates, however due to limitations with this method it was succeeded by OSCP. The main advantage to OCSP is that because the client is allowed query the status of a single certificate, instead of having to download and parse an entire list there is much less overhead on the client and network
Which of the following identifies certificates that have been compromised or suspected of being compromised? A. Certificate revocation list B. Access control list C. Key escrow registry D. Certificate authority
Answer: A Explanation: Certificates that have been compromised or are suspected of being compromised are revoked. A CRL is a locally stored record containing revoked certificates and revoked keys.
The security manager received a report that an employee was involved in illegal activity and has saved data to a workstation's hard drive. During the investigation, local law enforcement's criminal division confiscates the hard drive as evidence. Which of the following forensic procedures is involved? A. Chain of custody B. System image C. Take hashes D. Order of volatility
Answer: A Explanation: Chain of custody deals with how evidence is secured, where it is stored, and who has access to it. When you begin to collect evidence, you must keep track of that evidence at all times and show who has it, who has seen it, and where it has been.
A new virtual server was created for the marketing department. The server was installed on an existing host machine. Users in the marketing department report that they are unable to connect to the server. Technicians verify that the server has an IP address in the same VLAN as the marketing department users. Which of the following is the MOST likely reason the users are unable to connect to the server? A. The new virtual server's MAC address was not added to the ACL on the switch B. The new virtual server's MAC address triggered a port security violation on the switch C. The new virtual server's MAC address triggered an implicit deny in the switch D. The new virtual server's MAC address was not added to the firewall rules on the switch
Answer: A Explanation: Configuring the switch to allow only traffic from computers based upon their physical address is known as MAC filtering. The physical address is known as the MAC address. Every network adapter has a unique MAC address hardcoded into the adapter. You can configure the ports of a switch to allow connections from computers with specific MAC addresses only and block all other MAC addresses. In computer networking, MAC Filtering (or GUI filtering, or layer 2 address filtering) refers to a security access control method whereby the 48-bit address assigned to each network card is used to determine access to the network. MAC addresses are uniquely assigned to each card, so using MAC filtering on a network permits and denies network access to specific devices through the use of blacklists and whitelists. While the restriction of network access through the use of lists is straightforward, an individual person is not identified by a MAC address, rather a device only, so an authorized person will need to have a whitelist entry for each device that he or she would use to access the network
An organization must implement controls to protect the confidentiality of its most sensitive data. The company is currently using a central storage system and group based access control for its sensitive information. Which of the following controls can further secure the data in the central storage system? A. Data encryption B. Patching the system C. Digital signatures D. File hashing
Answer: A Explanation: Data encryption makes data unreadable to anyone who does not have the required key to decrypt the data. The question states that the sensitive data is stored on a central storage system. Group based access control is used to control who can access the sensitive data. However, this offers no physical security for the data. Someone could steal the central storage system or remove the hard disks from it with the plan of placing the hard disks into another system to read the data on the disks. With the data encrypted, the data would be unreadable.
An employee recently lost a USB drive containing confidential customer data. Which of the following controls could be utilized to minimize the risk involved with the use of USB drives? A. DLP B. Asset tracking C. HSM D. Access control
Answer: A Explanation: Data loss prevention (DLP) systems monitor the contents of systems (workstations, servers, and networks) to make sure that key content is not deleted or removed. They also monitor who is using the data (looking for unauthorized access) and transmitting the data.
A merchant acquirer has the need to store credit card numbers in a transactional database in a high performance environment. Which of the following BEST protects the credit card data? A. Database field encryption B. File-level encryption C. Data loss prevention system D. Full disk encryption
Answer: A Explanation: Database encryption makes use of cryptography functions that are built into the database software to encrypt the data stored in the data base. This often offers granular encryption optionswhich allows for the encryptions of the entire database, specific database tables, or specific database fields, such as a credit card number field.
A way to assure data at-rest is secure even in the event of loss or theft is to use: A. Full device encryption. B. Special permissions on the file system. C. Trusted Platform Module integration. D. Access Control Lists.
Answer: A Explanation: Device encryption encrypts the data on the device. This feature ensures that the data on the device cannot be accessed in a useable form should the device be stolen
During a security assessment, an administrator wishes to see which services are running on a remote server. Which of the following should the administrator use? A. Port scanner B. Network sniffer C. Protocol analyzer D. Process list
Answer: A Explanation: Different services use different ports. When a service is enabled on a computer, a network port is opened for that service. For example, enabling the HTTP service on a web server will open port 80 on the server. By determining which ports are open on a remote server, we can determine which services are running on that server. A port scanner is a software application designed to probe a server or host for open ports. This is often used by administrators to verify security policies of their networks and by attackers to identify running services on a host with the view to compromise it. A port scan or portscan can be defined as a process that sends client requests to a range of server port addresses on a host, with the goal of finding an active port. While not a nefarious process in and of itself, it is one used by hackers to probe target machine services with the aim of exploiting a known vulnerability of that service. However the majority of uses of a port scan are not attacks and are simple probes to determine services available on a remote machine.
A software firm posts patches and updates to a publicly accessible FTP site. The software firm also posts digitally signed checksums of all patches and updates. The firm does this to address: A. Integrity of downloaded software. B. Availability of the FTP site. C. Confidentiality of downloaded software. D. Integrity of the server logs.
Answer: A Explanation: Digital Signatures is used to validate the integrity of the message and the sender. In this case the software firm that posted the patches and updates digitally signed the checksums of all patches and updates.
Which of the following is a way to implement a technical control to mitigate data loss in case of a mobile device theft? A. Disk encryption B. Encryption policy C. Solid state drive D. Mobile device policy
Answer: A Explanation: Disk and device encryption encrypts the data on the device. This feature ensures that the data on the device cannot be accessed in a useable form should the device be stolen
Which of the following data security techniques will allow Matt, an IT security technician, to encrypt a system with speed as its primary consideration? A. Hard drive encryption B. Infrastructure as a service C. Software based encryption D. Data loss prevention
Answer: A Explanation: Disk and device encryption encrypts the data on the device. This feature ensures that the data on the device cannot be accessed in a useable form should the device be stolen. It should be implemented using a hardware-based solution for greater speed.
After a number of highly publicized and embarrassing customer data leaks as a result of social engineering attacks by phone, the Chief Information Officer (CIO) has decided user training will reduce the risk of another data leak. Which of the following would be MOST effective in reducing data leaks in this situation? A. Information Security Awareness B. Social Media and BYOD C. Data Handling and Disposal D. Acceptable Use of IT Systems
Answer: A Explanation: Education and training with regard to Information Security Awareness will reduce the risk of data leaks and as such forms an integral part of Security Awareness. By employing social engineering data can be leaked by employees and only when company users are made aware of the methods of social engineering via Information Security Awareness Training, you can reduce the risk of data leaks.
A customer service department has a business need to send high volumes of confidential information to customers electronically. All emails go through a DLP scanner. Which of the following is the BEST solution to meet the business needs and protect confidential information? A. Automatically encrypt impacted outgoing emails B. Automatically encrypt impacted incoming emails C. Monitor impacted outgoing emails D. Prevent impacted outgoing emails
Answer: A Explanation: Encryption is done to protect confidentiality and integrity of data. It also provides authentication, nonrepudiation and access control to the data. Since all emails go through a DLP scanner and it is outgoing main that requires protection then the best option is to put a system in place that will encrypt the outgoing emails automatically.
Several departments within a company have a business need to send high volumes of confidential information to customers via email. Which of the following is the BEST solution to mitigate unintentional exposure of confidential information? A. Employ encryption on all outbound emails containing confidential information. B. Employ exact data matching and prevent inbound emails with Data Loss Prevention. C. Employ hashing on all outbound emails containing confidential information. D. Employ exact data matching and encrypt inbound e-mails with Data Loss Prevention.
Answer: A Explanation: Encryption is used to ensure the confidentiality of information and in this case the outbound email that contains the confidential information should be encrypted
What is the term for the process of luring someone in (usually done by an enforcement officer or a government agent)? A. Enticement B. Entrapment C. Deceit D. Sting
Answer: A Explanation: Enticement is the process of luring someone into your plan or trap.
A computer security officer has investigated a possible data breach and has found it credible. The officer notifies the data center manager and the Chief Information Security Officer (CISO). This is an example of: A. escalation and notification. B. first responder. C. incident identification. D. incident mitigation
Answer: A Explanation: Escalation and notification is a response strategy that outlines a staged procedure of escalation and notification that is to be followed in the event of a security incident. Only those in specific positions of authority or responsibility must receive notification of the security breach.
Which of the following types of logs could provide clues that someone has been attempting to compromise the SQL Server database? A. Event B. SQL_LOG C. Security D. Access
Answer: A Explanation: Event logs include Application logs, such as those where SQL Server would write entries. This is where you would see logs with details of someone trying to access a SQL database.
Which of the following is an application security coding problem? A. Error and exception handling B. Patch management C. Application hardening D. Application fuzzing
Answer: A Explanation: Exception handling is an aspect of secure coding. When errors occur, the system should revert back to a secure state. This must be coded into the system by the programmer, and should capture errors and exceptions so that they could be handled by the application.
A security administrator examines a network session to a compromised database server with a packet analyzer. Within the session there is a repeated series of the hex character 90 (x90). Which of the following attack types has occurred? A. Buffer overflow B. Cross-site scripting C. XML injection D. SQL injection
Answer: A Explanation: Explanation The hex character 90 (x90) means NOP or No Op or No Operation. In a buffer overflow attack, the buffer can be filled and overflowed with No Op commands. A buffer overflow occurs when a program or process tries to store more data in a buffer (temporary data storage area) than it was intended to hold. Since buffers are created to contain a finite amount of data, the extra information - which has to go somewhere - can overflow into adjacent buffers, corrupting or overwriting the valid data held in them. Although it may occuraccidentally through programming error, buffer overflow is an increasingly common type of security attack on data integrity. In buffer overflow attacks, the extra data may contain codes designed to trigger specific actions, in effect sending new instructions to the attacked computer that could, for example, damage the user's files, change data, or disclose confidential information. Buffer overflow attacks are said to have arisen because the C programming language supplied the framework, and poor programming practices supplied the vulnerability.
Which of the following fire suppression systems is MOST likely used in a datacenter? A. FM-200 B. Dry-pipe C. Wet-pipe D. Vacuum
Answer: A Explanation: FM200 is a gas and the principle of a gas system is that it displaces the oxygen in the room, thereby removing this essential component of a fi re. in a data center is is the preferred choice of fire suppressant.
A team of firewall administrators have access to a `master password list' containing service account passwords. Which of the following BEST protects the master password list? A. File encryption B. Password hashing C. USB encryption D. Full disk encryption
Answer: A Explanation: File encryption can be used to protect the contents of individual files. It uses randomly generated symmetric encryption keys for the file and stores the key in an encrypted form using the user's public key on the encrypted file
To protect corporate data on removable media, a security policy should mandate that all removable devices use which of the following? A. Full disk encryption B. Application isolation C. Digital rights management D. Data execution prevention
Answer: A Explanation: Full-disk encryption encrypts the data on the hard drive of the device or on a removable drive. This feature ensures that the data on the device or removable drive cannot be accessed in a useable form should it be stolen.
Pete, a developer, writes an application. Jane, the security analyst, knows some things about the overall application but does not have all the details. Jane needs to review the software before it is released to production. Which of the following reviews should Jane conduct? A. Gray Box Testing B. Black Box Testing C. Business Impact Analysis D. White Box Testing
Answer: A Explanation: Gray box testing, also called gray box analysis, is a strategy for software debugging in which the tester has limited knowledge of the internal details of the program. A gray box is a device, program or system whose workings are partially understood. Gray box testing can be contrasted with black box testing, a scenario in which the tester has no knowledge or access to the internal workings of a program, or white box testing, a scenario in which the internal particulars are fully known. Gray box testing is commonly used in penetration tests. Gray box testing is considered to be non-intrusive and unbiased because it does not require that the tester have access to the source code. With respect to internal processes, gray box testing treats a program as a black box that must be analyzed from the outside. During a gray box test, the person may know how the system components interact but not have detailed knowledge about internal program functions and operation. A clear distinction exists between the developer and the tester, thereby minimizing the risk of personnel conflicts.
A network inventory discovery application requires non-privileged access to all hosts on a network for inventory of installed applications. A service account is created by the network inventory discovery application for accessing all hosts. Which of the following is the MOST efficient method for granting the account non-privileged access to the hosts? A. Implement Group Policy to add the account to the users group on the hosts B. Add the account to the Domain Administrator group C. Add the account to the Users group on the hosts D. Implement Group Policy to add the account to the Power Users group on the hosts.
Answer: A Explanation: Group Policy is an infrastructure that allows you to implement specific configurations for users and computers. Group Policy settings are contained in Group Policy objects (GPOs), which are linked to the following Active Directory directory service containers: sites, domains, or organizational units (OUs). This means that if the GPO is linked to the domain, all Users groups in the domain will include the service account
Which of the following concepts describes the use of a one way transformation in order to validate the integrity of a program? A. Hashing B. Key escrow C. Non-repudiation D. Steganography
Answer: A Explanation: Hashing refers to the hash algorithms used in cryptography. It is used to store data, such as hash tables and its main characteristics are: It must be one-way - it is not reversible. Variable-length input produces fixed-length output - whether you have two characters or 2 million, the hash size is the same. The algorithm must have few or no collisions - in hashing two different inputs does not give the same output.
Which of the following functions provides an output which cannot be reversed and converts data into a string of characters? A. Hashing B. Stream ciphers C. Steganography D. Block ciphers
Answer: A Explanation: Hashing refers to the hash algorithms used in cryptography. It is used to store data, such as hash tables one of its characteristics is that it must be one-way - it is not reversible.
Ann, the system administrator, is installing an extremely critical system that can support ZERO downtime. Which of the following BEST describes the type of system Ann is installing? A. High availability B. Clustered C. RAID D. Load balanced
Answer: A Explanation: High Availability is he term used to refer to a system that has been secured and set up/configured in such a way so as to be online, active and able to respond and thus have zero downtime as a result
A network administrator recently updated various network devices to ensure redundancy throughout the network. If an interface on any of the Layer 3 devices were to go down, traffic will still pass through another interface and the production environment would be unaffected. This type of configuration represents which of the following concepts? A. High availability B. Load balancing C. Backout contingency plan D. Clustering
Answer: A Explanation: High availability (HA) refers to the measures used to keep services and systems operational during an outage. In short, the goal is to provide all services to all users, where they need them and when they need them. With high availability, the goal is to have key services available 99.999 percent of the time (also known as five nines availability).
After a network outage, a PC technician is unable to ping various network devices. The network administrator verifies that those devices are working properly and can be accessed securely. Which of the following is the MOST likely reason the PC technician is unable to ping those devices? A. ICMP is being blocked B. SSH is not enabled C. DNS settings are wrong D. SNMP is not configured properly
Answer: A Explanation: ICMP is a protocol that is commonly used by tools such as ping, traceroute, and pathping. ICMP offers no information If ICMP request queries go unanswered, or ICMP replies are lost or blocked.
Which of the following controls would allow a company to reduce the exposure of sensitive systems from unmanaged devices on internal networks? A. 802.1x B. Data encryption C. Password strength D. BGP
Answer: A Explanation: IEEE 802.1X (also known as Dot1x) is an IEEE Standard for Port-based Network Access Control (PNAC). It is part of the IEEE 802.1 group of networking protocols. It provides an authentication mechanism to devices wishing to attach to a LAN or WLAN. 802.1X authentication involves three parties: a supplicant, an authenticator, and an authentication server. The supplicant is a client device (such as a laptop) that wishes to attach to the LAN/WLAN - though the term 'supplicant' is also used interchangeably to refer to the software running on the client that provides credentials to the authenticator. The authenticator is a network device, such as an Ethernet switch or wireless access point; and the authentication server is typically a host running software supporting the RADIUS and EAP protocols. The authenticator acts like a security guard to a protected network. The supplicant (i.e., client device) is not allowed access through the authenticator to the protected side of the network until the supplicant's identity has been validated and authorized. An analogy to this is providing a valid visa at the airport's arrival immigration before being allowed to enter the country. With 802.1X portbased authentication, the supplicant provides credentials, such as user name/password or digital certificate, to the authenticator, and the authenticator forwards the credentials to the authentication server for verification. If the authentication server determines the credentials are valid, the supplicant (client device) is allowed to access resources located on the protected side of the network.
A database administrator receives a call on an outside telephone line from a person who states that they work for a well-known database vendor. The caller states there have been problems applying the newly released vulnerability patch for their database system, and asks what version is being used so that they can assist. Which of the following is the BEST action for the administrator to take? A. Thank the caller, report the contact to the manager, and contact the vendor support line to verify any reported patch issues. B. Obtain the vendor's email and phone number and call them back after identifying the number of systems affected by the patch. C. Give the caller the database version and patch level so that they can receive help applying the patch. D. Call the police to report the contact about the database systems, and then check system logs for attack attempts.
Answer: A Explanation: Impersonation is where a person, computer, software application or service pretends to be someone or something it's not. Impersonation is commonly non-maliciously used in client/server applications. However, it can also be used as a security threat. In this question, the person making the call may be impersonating someone who works for a wellknown database vendor. The actions described in this answer would mitigate the risk. By not divulging information about your database system and contacting the vendor directly, you can be sure that you are talking to the right people.
Which of the following access controls enforces permissions based on data labeling at specific levels? A. Mandatory access control B. Separation of duties access control C. Discretionary access control D. Role based access control
Answer: A Explanation: In a MAC environment everything is assigned a classification marker. Subjects are assigned a clearance level and objects are assigned a sensitivity label.
Which of the following is the MOST likely cause of users being unable to verify a single user's email signature and that user being unable to decrypt sent messages? A. Unmatched key pairs B. Corrupt key escrow C. Weak public key D. Weak private key
Answer: A Explanation: In a PKI the sender encrypts the data using the receiver's public key. The receiver decrypts the data using his own private key. The sender and receiver must have a matching key in order for the receiver to decrypt the data.
Which of the following allows lower level domains to access resources in a separate Public Key Infrastructure? A. Trust Model B. Recovery Agent C. Public Key D. Private Key
Answer: A Explanation: In a bridge trust model allows lower level domains to access resources in a separate PKI through the root CA. A trust Model is collection of rules that informs application on how to decide the legitimacy of a Digital Certificate. In a bridge trust model, a peer-to-peer relationship exists among the root CAs. The root CAs can communicate with one another, allowing cross certification. This arrangement allows a certification process to be established between organizations or departments. Each intermediate CA trusts only the CAs above and below it, but the CA structure can be expanded without creating additional layers of CAs.
Some customers have reported receiving an untrusted certificate warning when visiting the company's website. The administrator ensures that the certificate is not expired and that customers have trusted the original issuer of the certificate. Which of the following could be causing the problem? A. The intermediate CA certificates were not installed on the server. B. The certificate is not the correct type for a virtual server. C. The encryption key used in the certificate is too short. D. The client's browser is trying to negotiate SSL instead of TLS
Answer: A Explanation: In a hierarchical trust model, also known as a tree, a root CA at the top provides all of the information. The intermediate CAs are next in the hierarchy, and they trust only information provided by the root CA. The root CA also trusts intermediate CAs that are in their level in the hierarchy and none that aren't.
An administrator needs to renew a certificate for a web server. Which of the following should be submitted to a CA? A. CSR B. Recovery agent C. Private key D. CRL
Answer: A Explanation: In public key infrastructure (PKI) systems, a certificate signing request (also CSR or certification request) is a message sent from an applicant to a certificate authority in order to apply for a digital identity certificate. When you renew a certificate you send a CSR to the CA to get the certificate resigned
Which of the following is described as an attack against an application using a malicious file? A. Client side attack B. Spam C. Impersonation attack D. Phishing attack
Answer: A Explanation: In this question, a malicious file is used to attack an application. If the application is running on a client computer, this would be a client side attack. Attacking a service or application on a server would be a server side attack. Client-side attacks target vulnerabilities in client applications interacting with a malicious data. The difference is the client is the one initiating the bad connection. Client-side attacks are becoming more popular. This is because server side attacks are not as easy as they once were according to apache.org. Attackers are finding success going after weaknesses in desktop applications such as browsers, media players, common office applications and e-mail clients. To defend against client-side attacks keep-up the most current application patch levels, keep antivirus software updated and keep authorized software to a minimum.
Sara, a security administrator, is noticing a slow down in the wireless network response. Sara launches a wireless sniffer and sees a large number of ARP packets being sent to the AP. Which of the following type of attacks is underway? A. IV attack B. Interference C. Blue jacking D. Packet sniffing
Answer: A Explanation: In this question, it's likely that someone it trying to crack the wireless network security. An initialization vector is a random number used in combination with a secret key as a means to encrypt data. This number is sometimes referred to as a nonce, or "number occurring once," as an encryption program uses it only once per session. An initialization vector is used to avoid repetition during the data encryption process, making it impossible for hackers who use dictionary attack to decrypt the exchanged encrypted message by discovering a pattern. This is known as an IV attack. A particular binary sequence may be repeated more than once in a message, and the more it appears, the more the encryption method is discoverable. For example if a one-letter word exists in a message, it may be either "a" or "I" but it can't be "e" because the word "e" is non-sensical in English, while "a" has a meaning and "I" has a meaning. Repeating the words and letters makes it possible for software to apply a dictionary and discover the binary sequence corresponding to each letter. Using an initialization vector changes the binary sequence corresponding to each letter, enabling the letter "a" to be represented by a particular sequence in the first instance, and then represented by a completely different binary sequence in the second instance. WEP (Wireless Equivalent Privacy) is vulnerable to an IV attack. Because RC4 is a stream cipher, the same traffic key must never be used twice. The purpose of an IV, which is transmitted as plain text, is to prevent any repetition, but a 24-bit IV is not long enough to ensure this on a busy network. The way the IV was used also opened WEP to a related key attack. For a 24-bit IV, there is a 50% probability the same IV will repeat after 5000 packets.
Joe, the information security manager, is tasked with calculating risk and selecting controls to protect a new system. He has identified people, environmental conditions, and events that could affect the new system. Which of the following does he need to estimate NEXT in order to complete his risk calculations? A. Vulnerabilities B. Risk C. Likelihood D. Threats
Answer: A Explanation: In this question, the security administrator has identified people, environmental conditions, and events that could affect the new system. The next step of the risk assessment is to determine the vulnerabilities of the system itself. Risk assessment deals with the threats, vulnerabilities, and impacts of a loss of informationprocessing capabilities or a loss of information itself. A vulnerability is a weakness that could be exploited by a threat. Each risk that can be identified should be outlined, described, and evaluated for the likelihood of it occurring. The key here is to think outside the box. Conventional threats and risks are often too limited when considering risk assessment. The key components of a risk-assessment process are outlined here: Risks to Which the Organization Is Exposed: This component allows you to develop scenarios that can help you evaluate how to deal with these risks if they occur. An operating system, server, or application may have known risks in certain environments. You should create a plan for how your organization will best deal with these risks and the best way to respond. Risks That Need Addressing: The risk-assessment component also allows an organization to provide a reality check on which risks are real and which are unlikely. This process helps an organization focus on its resources as well as on the risks that are most likely to occur. For example, industrial espionage and theft are likely, but the risk of a hurricane damaging the server room in Indiana is very low. Therefore, more resources should be allocated to prevent espionage or theft as opposed to the latter possibility.
QUESTION NO: 1000 A company plans to expand by hiring new engineers who work in highly specialized areas. Each engineer will have very different job requirements and use unique tools and applications in their job. Which of the following is MOST appropriate to use? A. Role-based privileges B. Credential management C. User assigned privileges D. User access
Answer: A Explanation: In this question, we have engineers who require different tools and applications according to their specialized job function. We can therefore use the Role-Based Access Control model. Role-Based Access Control (RBAC) models approach the problem of access control based on established roles in an organization. RBAC models implement access by job function or by responsibility. Each employee has one or more roles that allow access to specific information. If a person moves from one role to another, the access for the previous role will no longer be available. Instead of thinking "Denise needs to be able to edit files," RBAC uses the logic "Editors need to be able to edit files" and "Denise is a member of the Editors group." This model is always good for use in an environment in which there is high employee turnover.
A set of standardized system images with a pre-defined set of applications is used to build enduser workstations. The security administrator has scanned every workstation to create a current inventory of all applications that are installed on active workstations and is documenting which applications are out-of-date and could be exploited. The security administrator is determining the: A. attack surface. B. application hardening effectiveness. C. application baseline. D. OS hardening effectiveness.
Answer: A Explanation: In this question, we have out-of-date applications that could be exploited. The out-of-date applications are security vulnerabilities. The combination of all vulnerabilities that could be exploited (or attacked) is known as the attack surface. The attack surface of a software environment is the sum of the different points (the "attack vectors") where an unauthorized user (the "attacker") can try to enter data to or extract data from an environment. The basic strategies of attack surface reduction are to reduce the amount of code running, reduce entry points available to untrusted users, and eliminate services requested by relatively few users. One approach to improving information security is to reduce the attack surface of a system or software. By turning off unnecessary functionality, there are fewer security risks. By having less code available to unauthorized actors, there will tend to be fewer failures. Although attack surface reduction helps prevent security failures, it does not mitigate the amount of damage an attacker could inflict once a vulnerability is found.
A network administrator is looking for a way to automatically update company browsers so they import a list of root certificates from an online source. This online source will then be responsible for tracking which certificates are to be trusted or not trusted. Which of the following BEST describes the service that should be implemented to meet these requirements? A. Trust model B. Key escrow C. OCSP D. PKI
Answer: A Explanation: In this scenario we can put a CA in the local network and use an online CA as root CA in a hierarchical trust model. A trust Model is collection of rules that informs application on how to decide the legitimacy of a Digital Certificate. In a hierarchical trust model, also known as a tree, a root CA at the top provides all of the information. The intermediate CAs are next in the hierarchy, and they trust only information provided by the root CA. The root CA also trusts intermediate CAs that are in their level in the hierarchy and none that aren't. This arrangement allows a high level of control at all levels of the hierarchical tree
Based on information leaked to industry websites, business management is concerned that unauthorized employees are accessing critical project information for a major, well-known new product. To identify any such users, the security administrator could: A. Set up a honeypot and place false project documentation on an unsecure share. B. Block access to the project documentation using a firewall. C. Increase antivirus coverage of the project servers. D. Apply security updates and harden the OS on all project servers
Answer: A Explanation: In this scenario, we would use a honeypot as a 'trap' to catch unauthorized employees who are accessing critical project information. A honeypot is a system whose purpose it is to be attacked. An administrator can watch and study the attack to research current attack methodologies. According to the Wepopedia.com, a Honeypot luring a hacker into a system has several main purposes: The administrator can watch the hacker exploit the vulnerabilities of the system, thereby learning where the system has weaknesses that need to be redesigned. The hacker can be caught and stopped while trying to obtain root access to the system. By studying the activities of hackers, designers can better create more secure systems that are potentially invulnerable to future hackers. There are two main types of honeypots: Production - A production honeypot is one used within an organization's environment to help mitigate risk. Research - A research honeypot add value to research in computer security by providing a platform to study the threat.
If Organization A trusts Organization B and Organization B trusts Organization C, then Organization A trusts Organization C. Which of the following PKI concepts is this describing? A. Transitive trust B. Public key trust C. Certificate authority trust D. Domain level trust
Answer: A Explanation: In transitive trusts, trust between a first party and a third party flows through a second party that is trusted by both the first party and the third party.
Matt, an IT administrator, wants to protect a newly built server from zero day attacks. Which of the following would provide the BEST level of protection? A. HIPS B. Antivirus C. NIDS D. ACL
Answer: A Explanation: Intrusion prevention systems (IPS), also known as intrusion detection and prevention systems (IDPS), are network security appliances that monitor network and/or system activities for malicious activity. The main functions of intrusion prevention systems are to identify malicious activity, log information about this activity, attempt to block/stop it, and report it. Intrusion prevention systems are considered extensions of intrusion detection systems because they both monitor network traffic and/or system activities for malicious activity. The main differences are, unlike intrusion detection systems, intrusion prevention systems are placed in-line and are able to actively prevent/block intrusions that are detected. More specifically, IPS can take such actions as sending an alarm, dropping the malicious packets, resetting the connection and/or blocking the traffic from the offending IP address. An IPS can also correct Cyclic Redundancy Check (CRC) errors, unfragment packet streams, prevent TCP sequencing issues, and clean up unwanted transport and network layer options. Host-based intrusion prevention system (HIPS) is an installed software package which monitors a single host for suspicious activity by analyzing events occurring within that host. A Host-based intrusion prevention system (HIPS) is an installed software package which monitors a single host for suspicious activity by analyzing events occurring within that host. As a zero-day attack is an unknown vulnerability (a vulnerability that does not have a fix or a patch to prevent it), the best defence would be an intrusion prevention system.
Ann, the Chief Technology Officer (CTO), has agreed to allow users to bring their own device (BYOD) in order to leverage mobile technology without providing every user with a company owned device. She is concerned that users may not understand the company's rules, and she wants to limit potential legal concerns. Which of the following is the CTO concerned with? A. Data ownership B. Device access control C. Support ownership D. Acceptable use
Answer: A Explanation: Issues of limiting potential legal concerns regarding company rules where users are allowed to bring their own devices is the premise of data ownership. When a third party (in this case the user's own device) is involves in a data exchange when clear rules and restrictions should be applied regarding data ownership.
An information bank has been established to store contacts, phone numbers and other records. An application running on UNIX would like to connect to this index server using port 88. Which of the following authentication services would this use this port by default? A. Kerberos B. TACACS+ C. Radius D. LDAP
Answer: A Explanation: Kerberos makes use of port 88.
Jane, a security administrator, has been tasked with explaining authentication services to the company's management team. The company runs an active directory infrastructure. Which of the following solutions BEST relates to the host authentication protocol within the company's environment? A. Kerberos B. Least privilege C. TACACS+ D. LDAP
Answer: A Explanation: Kerberos was accepted by Microsoft as the chosen authentication protocol for Windows 2000 and Active Directory domains that followed
Ann, the network administrator, is receiving reports regarding a particular wireless network in the building. The network was implemented for specific machines issued to the developer department, but the developers are stating that they are having connection issues as well as slow bandwidth. Reviewing the wireless router's logs, she sees that devices not belonging to the developers are connecting to the access point. Which of the following would BEST alleviate the developer's reports? A. Configure the router so that wireless access is based upon the connecting device's hardware address. B. Modify the connection's encryption method so that it is using WEP instead of WPA2. C. Implement connections via secure tunnel with additional software on the developer's computers. D. Configure the router so that its name is not visible to devices scanning for wireless networks.
Answer: A Explanation: MAC addresses are also known as an Ethernet hardware address (EHA), hardware address or physical address. Enabling MAC filtering would allow for a WAP to restrict or allow access based on the hardware address of the device.
Ann, a sales manager, successfully connected her company-issued smartphone to the wireless network in her office without supplying a username/password combination. Upon disconnecting from the wireless network, she attempted to connect her personal tablet computer to the same wireless network and could not connect. Which of the following is MOST likely the reason? A. The company wireless is using a MAC filter. B. The company wireless has SSID broadcast disabled. C. The company wireless is using WEP. D. The company wireless is using WPA2.
Answer: A Explanation: MAC filtering allows you to include or exclude computers and devices based on their MAC address.
A user reports being unable to access a file on a network share. The security administrator determines that the file is marked as confidential and that the user does not have the appropriate access level for that file. Which of the following is being implemented? A. Mandatory access control B. Discretionary access control C. Rule based access control D. Role based access control
Answer: A Explanation: Mandatory Access Control (MAC) allows access to be granted or restricted based on the rules of classification. MAC in corporate business environments involve the following four sensitivity levels Public Sensitive Private Confidential MAC assigns subjects a clearance level and assigns objects a sensitivity label. The name of the clearance level must be the same as the name of the sensitivity label assigned to objects or resources. In this case the file is marked confidential, and the user does not have that clearance level and cannot access the file.
Mandatory vacations are a security control which can be used to uncover which of the following? A. Fraud committed by a system administrator B. Poor password security among users C. The need for additional security staff D. Software vulnerabilities in vendor code
Answer: A Explanation: Mandatory vacations also provide an opportunity to discover fraud apart from the obvious benefits of giving employees a chance to refresh and making sure that others in the company can fill those positions and make the company less dependent on those persons; a sort pf replication and duplication at all levels.
A security team has identified that the wireless signal is broadcasting into the parking lot. To reduce the risk of an attack against the wireless network from the parking lot, which of the following controls should be used? (Select TWO). A. Antenna placement B. Interference C. Use WEP D. Single Sign on E. Disable the SSID F. Power levels
Answer: A,F Explanation: Placing the antenna in the correct position is crucial. You can then adjust the power levels to exclude the parking lot.
A security architect wishes to implement a wireless network with connectivity to the company's internal network. Before they inform all employees that this network is being put in place, the architect wants to roll it out to a small test segment. Which of the following allows for greater secrecy about this network during this initial phase of implementation? A. Disabling SSID broadcasting B. Implementing WPA2 - TKIP C. Implementing WPA2 - CCMP D. Filtering test workstations by MAC address
Answer: A Explanation: Network administrators may choose to disable SSID broadcast to hide their network from unauthorized personnel. However, the SSID is still needed to direct packets to and from the base station, so it's a discoverable value using a wireless packet sniffer. Thus, the SSID should be disabled if the network isn't for public use.
An organization does not want the wireless network name to be easily discovered. Which of the following software features should be configured on the access points? A. SSID broadcast B. MAC filter C. WPA2 D. Antenna placement
Answer: A Explanation: Numerous networks broadcast their name (known as an SSID broadcast) to reveal their presence.
Which of the following relies on the use of shared secrets to protect communication? A. RADIUS B. Kerberos C. PKI D. LDAP
Answer: A Explanation: Obfuscated passwords are transmitted by the RADIUS protocol via a shared secret and the MD5 hashing algorithm.
Which of the following allows Pete, a security technician, to provide the MOST secure wireless implementation? A. Implement WPA B. Disable SSID C. Adjust antenna placement D. Implement WEP
Answer: A Explanation: Of the options supplied, WiFi Protected Access (WPA) is the most secure and is the replacement for WEP.
The security administrator is analyzing a user's history file on a Unix server to determine if the user was attempting to break out of a rootjail. Which of the following lines in the user's history log shows evidence that the user attempted to escape the rootjail? A. cd ../../../../bin/bash B. whoami C. ls /root D. sudo -u root
Answer: A Explanation: On modern UNIX variants, including Linux, you can define the root directory on a perprocess basis. The chroot utility allows you to run a process with a root directory other than /. The root directory appears at the top of the directory hierarchy and has no parent: A process cannot access any files above the root directory (because they do not exist). If, for example, yourun a program (process) and specify its root directory as /home/sam/jail, the program would have no concept of any files in /home/sam or above: jail is the program's root directory and is labeled / (not jail). By creating an artificial root directory, frequently called a (chroot) jail, you prevent a program from accessing or modifying—possibly maliciously—files outside the directory hierarchy starting at its root. You must set up a chroot jail properly to increase security: If you do not set up the chroot jail correctly, you can actually make it easier for a malicious user to gain access to a system than if there were no chroot jail. The command cd .. takes you up one level in the directory structure. Repeated commands would take you to the top level the root which is represented by a forward slash /. The command /bin/bash is an attempt to run the bash shell from the root level.
Which of the following would provide the STRONGEST encryption? A. Random one-time pad B. DES with a 56-bit key C. AES with a 256-bit key D. RSA with a 1024-bit key
Answer: A Explanation: One-time pads are the only truly completely secure cryptographic implementations. They are so secure for two reasons. First, they use a key that is as long as a plaintext message. That means there is no pattern in the key application for an attacker to use. Also, one-time pad keys are used only once and then discarded. So even if you could break a one-time pad cipher, that same key would never be used again, so knowledge of the key would be useless
Pete, a security auditor, has detected clear text passwords between the RADIUS server and the authenticator. Which of the following is configured in the RADIUS server and what technologies should the authentication protocol be changed to? A. PAP, MSCHAPv2 B. CHAP, PAP C. MSCHAPv2, NTLMv2 D. NTLM, NTLMv2
Answer: A Explanation: PAP transmits the username and password to the authentication server in plain text. MSCHAPv2 is utilized as an authentication option for RADIUS servers that are used for Wi-Fi security using the WPA-Enterprise protocol
A company uses PGP to ensure that sensitive email is protected. Which of the following types of cryptography is being used here for the key exchange? A. Symmetric B. Session-based C. Hashing D. Asymmetric
Answer: A Explanation: PGP combines symmetric-key encryption and public-key encryption. The message is encrypted using a symmetric encryption algorithm, which requires a symmetric key. Each symmetric key is used only once and is also called a session key.
A security administrator is auditing a database server to ensure the correct security measures are in place to protect the data. Some of the fields consist of people's first name, last name, home address, date of birth and mothers last name. Which of the following describes this type of data? A. PII B. PCI C. Low D. Public
Answer: A Explanation: PII is any type of information/data and portion of data that can be used to trace back to a person and is usually data like personally identifiable information such as first names, last names, home address, date of birth, etc.
A password history value of three means which of the following? A. Three different passwords are used before one can be reused. B. A password cannot be reused once changed for three years. C. After three hours a password must be re-entered to continue. D. The server stores passwords in the database for three days.
Answer: A Explanation: Password History defines the number of unique new passwords a user must use before an old password can be reused.
An organizations' security policy requires that users change passwords every 30 days. After a security audit, it was determined that users were recycling previously used passwords. Which of the following password enforcement policies would have mitigated this issue? A. Password history B. Password complexity C. Password length D. Password expiration
Answer: A Explanation: Password history determines the number of previous passwords that cannot be used when a user changes his password. For example, a password history value of 5 would disallow a user from changing his password to any of his previous 5 passwords. However, without a minimum password age setting, the user could change his password six times and cycle back to his original password.
After working on his doctoral dissertation for two years, Joe, a user, is unable to open his dissertation file. The screen shows a warning that the dissertation file is corrupted because it is infected with a backdoor, and can only be recovered by upgrading the antivirus software from the free version to the commercial version. Which of the following types of malware is the laptop MOST likely infected with? A. Ransomware B. Trojan C. Backdoor D. Armored virus
Answer: A Explanation: Ransomware is a type of malware which restricts access to the computer system that it infects, and demands a ransom paid to the creator(s) of the malware in order for the restriction to be removed. Some forms of ransomware encrypt files on the system's hard drive), while some may simply lock the system and display messages intended to coax the user into paying. Ransomware typically propagates as a trojan like a conventional computer worm, entering a system through, for example, a downloaded file or a vulnerability in a network service. The program will then run a payload: such as one that will begin to encrypt personal files on the hard drive. More sophisticated ransomware may hybrid-encrypt the victim's plaintext with a random symmetric key and a fixed public key. The malware author is the only party that knows the needed private decryption key. Some ransomware payloads do not use encryption. In these cases, the payload is simply an application designed to restrict interaction with the system, typically by setting the Windows Shell to itself, or even modifying the master boot record and/or partition table (which prevents the operating system from booting at all until it is repaired) Ransomware payloads utilize elements of scareware to extort money from the system's user. The payload may, for example, display notices purportedly issued by companies or law enforcement agencies which falsely claim that the system had been used for illegal activities, or contains illegal content such as pornography and pirated software or media. Some ransomware payloads imitate Windows' product activation notices, falsely claiming that their computer's Windows installation is counterfeit or requires re-activation. These tactics coax the user into paying the malware's author to remove the ransomware, either by supplying a program which can decrypt the files, or by sending an unlock code that undoes the changes the payload has made.
How often, at a MINIMUM, should Sara, an administrator, review the accesses and rights of the users on her system? A. Annually B. Immediately after an employee is terminated C. Every five years D. Every time they patch the server
Answer: A Explanation: Reviewing the accesses and rights of the users on a system at least annually is acceptable practice. More frequently would be desirable but too frequently would be a waste of administrative time.
A security administrator is responsible for performing periodic reviews of user permission settings due to high turnover and internal transfers at a corporation. Which of the following BEST describes the procedure and security rationale for performing such reviews? A. Review all user permissions and group memberships to ensure only the minimum set of permissions required to perform a job is assigned. B. Review the permissions of all transferred users to ensure new permissions are granted so the employee can work effectively. C. Ensure all users have adequate permissions and appropriate group memberships, so the volume of help desk calls is reduced. D. Ensure former employee accounts have no permissions so that they cannot access any network file stores and resources.
Answer: A Explanation: Reviewing user permissions and group memberships form part of a privilege audit is used to determine that all groups, users, and other accounts have the appropriate privileges assigned according to the policies of the corporation.
Various network outages have occurred recently due to unapproved changes to network and security devices. All changes were made using various system credentials. The security analyst has been tasked to update the security policy. Which of the following risk mitigation strategies would also need to be implemented to reduce the number of network outages due to unauthorized changes? A. User rights and permissions review B. Configuration management C. Incident management D. Implement security controls on Layer 3 devices
Answer: A Explanation: Reviewing user rights and permissions can be used to determine that all groups, users, and other accounts have the appropriate privileges assigned according to the policies of the corporation and their job descriptions. Also reviewing user rights and permissions will afford the security analyst the opportunity to put the principle of least privilege in practice as well as update the security policy
A company that has a mandatory vacation policy has implemented which of the following controls? A. Risk control B. Privacy control C. Technical control D. Physical control
Answer: A Explanation: Risk mitigation is done anytime you take steps to reduce risks. Thus mandatory vacation implementation is done as a risk control measure because it is a step that is taken as risk mitigation.
A server dedicated to the storage and processing of sensitive information was compromised with a rootkit and sensitive data was extracted. Which of the following incident response procedures is best suited to restore the server? A. Wipe the storage, reinstall the OS from original media and restore the data from the last known good backup. B. Keep the data partition, restore the OS from the most current backup and run a full system antivirus scan. C. Format the storage and reinstall both the OS and the data from the most current backup. D. Erase the storage, reinstall the OS from most current backup and only restore the data that was not compromised.
Answer: A Explanation: Rootkits are software programs that have the ability to hide certain things from the operating system. With a rootkit, there may be a number of processes running on a system that do not show up in Task Manager or connections established or available that do not appear in a netstat display—the rootkit masks the presence of these items. The rootkit is able to do this by manipulating function calls to the operating system and filtering out information that would normally appear. Theoretically, rootkits could hide anywhere that there is enough memory to reside: video cards, PCI cards, and the like. The best way to handle this situation is to wipe the server and reinstall the operating system with the original installation disks and then restore the extracted data from your last known good backup. This way you can eradicate the rootkit and restore the data.
Ann, a security analyst, has discovered that her company has very high staff turnover and often user accounts are not disabled after an employee leaves the company. Which of the following could Ann implement to help identify accounts that are still active for terminated employees? A. Routine audits B. Account expirations C. Risk assessments D. Change management
Answer: A Explanation: Routine audits are carried out after you have implemented security controls based on risk. These audits include aspects such as user rights and permissions and specific events.
A security technician is working with the network firewall team to implement access controls at the company's demarc as part of the initiation of configuration management processes. One of the network technicians asks the security technician to explain the access control type found in a firewall. With which of the following should the security technician respond? A. Rule based access control B. Role based access control C. Discretionary access control D. Mandatory access control
Answer: A Explanation: Rule-based access control is used for network devices, such as firewalls and routers, which filter traffic based on filtering rules.
Which of the following is used to verify data integrity? A. SHA B. 3DES C. AES D. RSA
Answer: A Explanation: SHA stands for "secure hash algorithm". SHA-1 is the most widely used of the existing SHA hash functions, and is employed in several widely used applications and protocols including TLS and SSL, PGP, SSH, S/MIME, and IPsec. It is used to ensure data integrity. Note: A hash value (or simply hash), also called a message digest, is a number generated from a string of text. The hash is substantially smaller than the text itself, and is generated by a formula in such a way that it is extremely unlikely that some other text will produce the same hash value. Hashes play a role in security systems where they're used to ensure that transmitted messages have not been tampered with. The sender generates a hash of the message, encrypts it, and sends it with the message itself. The recipient then decrypts both the message and the hash, produces another hash from the received message, and compares the two hashes. If they're the same, thereis a very high probability that the message was transmitted intact. This is how hashing is used to ensure data integrity.
A technician wants to securely collect network device configurations and statistics through a scheduled and automated process. Which of the following should be implemented if configuration integrity is most important and a credential compromise should not allow interactive logons? A. SNMPv3 B. TFTP C. SSH D. TLS
Answer: A Explanation: SNMPv3 provides the following security features: Message integrity--Ensures that a packet has not been tampered with in transit. Authentication--Determines that the message is from a valid source. Encryption--Scrambles the content of a packet to prevent it from being learned by an unauthorized source.
Which of the following BEST describes a SQL Injection attack? A. The attacker attempts to have the receiving server pass information to a back-end database from which it can compromise the stored information. B. The attacker attempts to have the receiving server run a payload using programming commonly found on web servers. C. The attacker overwhelms a system or application, causing it to crash and bring the server down to cause an outage. D. The attacker overwhelms a system or application, causing it to crash, and then redirects the memory address to read from a location holding the payload.
Answer: A Explanation: SQL injection is a code injection technique, used to attack data-driven applications, in which malicious SQL statements are inserted into an entry field for execution (e.g. to dump the database contents to the attacker). SQL injection must exploit a security vulnerability in an application's software, for example, when user input is either incorrectly filtered for string literalescape characters embedded in SQL statements or user input is not strongly typed and unexpectedly executed. SQL injection is mostly known as an attack vector for websites but can be used to attack any type of SQL database.
Users are encouraged to click on a link in an email to obtain exclusive access to the newest version of a popular Smartphone. This is an example of. A. Scarcity B. Familiarity C. Intimidation D. Trust
Answer: A Explanation: Scarcity, in the area of social psychology, works much like scarcity in the area of economics. Simply put, humans place a higher value on an object that is scarce, and a lower value on those that are abundant. The thought that we, as humans, want something we cannot have drives us to desire the object even more. This idea is deeply embedded in the intensely popular, "Black Friday" shopping extravaganza that U.S. consumers participate in every year on the day after Thanksgiving. More than getting a bargain on a hot gift idea, shoppers thrive on the competition itself, in obtaining the scarce product. In this question, people want the brand new latest version of a smartphone. The temptation of being one of the first to get the new phone will tempt people into clicking the link in the email
Which of the following can a security administrator implement on mobile devices that will help prevent unwanted people from viewing the data if the device is left unattended? A. Screen lock B. Voice encryption C. GPS tracking D. Device encryption
Answer: A Explanation: Screen-lock is a security feature that requires the user to enter a PIN or a password after a short period of inactivity before they can access the system again. This feature ensures that if your device is left unattended or is lost or stolen, it will be difficult for anyone else to access your data or applications.
A small company has recently purchased cell phones for managers to use while working outside if the office. The company does not currently have a budget for mobile device management and is primarily concerned with deterring leaks if sensitive information obtained by unauthorized access to unattended phones. Which of the following would provide the solution BEST meets the company's requirements? A. Screen-lock B. Disable removable storage C. Full device encryption D. Remote wiping
Answer: A Explanation: Screen-lock is a security feature that requires the user to enter a password after a short period of inactivity before they can access the system again. This feature ensures that if your device is left unattended or is lost or stolen, it will be difficult for anyone else to access your data or applications.
Which of the following would be used as a secure substitute for Telnet? A. SSH B. SFTP C. SSL D. HTTPS
Answer: A Explanation: Secure Shell (SSH) is a tunneling protocol originally designed for Unix systems. It uses encryption to establish a secure connection between two systems. SSH also provides alternative, securityequivalent programs for such Unix standards as Telnet, FTP, and many other communicationsoriented applications. SSH is available for use on Windows systems as well. This makes it the preferred method of security for Telnet and other cleartext oriented programs in the Unix environment.
Which of the following cryptographic related browser settings allows an organization to communicate securely? A. SSL 3.0/TLS 1.0 B. 3DES C. Trusted Sites D. HMAC
Answer: A Explanation: Secure Sockets Layer (SSL) is used to establish a secure communication connection between two TCP-based machines. Transport Layer Security (TLS) is a security protocol that expands upon SSL. Many industry analysts predict that TLS will replace SSL in the future. TLS 1.0 was first defined in RFC 2246 in January 1999 as an upgrade of SSL Version 3.0. As of February 2015, the latest versions of all major web browsers support TLS 1.0, 1.1, and 1.2, have them enabled by default.
The method to provide end users of IT systems and applications with requirements related to acceptable use, privacy, new threats and trends, and use of social networking is: A. Security awareness training. B. BYOD security training. C. Role-based security training. D. Legal compliance training.
Answer: A Explanation: Security awareness and training are critical to the success of a security effort. They include explaining policies, procedures, and current threats to both users and management.
The Chief Technology Officer (CTO) wants to improve security surrounding storage of customer passwords. The company currently stores passwords as SHA hashes. Which of the following can the CTO implement requiring the LEAST change to existing systems? A. Smart cards B. TOTP C. Key stretching D. Asymmetric keys
Answer: A Explanation: Smart cards usually come in two forms. The most common takes the form of a rectangular piece of plastic with an embedded microchip. The second is as a USB token. It contains a built in processor and has the ability to securely store and process information. A "contact" smart card communicates with a PC using a smart card reader whereas a "contactless" card sends encrypted information via radio waves to the PC. Typical scenarios in which smart cards are used include interactive logon, e-mail signing, e-mail decryption and remote access authentication. However, smart cards are programmable and can contain programs and data for many different applications. For example smart cards may be usedto store medical histories for use in emergencies, to make electronic cash payments or to verify the identity of a customer to an e-retailer. Microsoft provides two device independent APIs to insulate application developers from differences between current and future implementations: CryptoAPI and Microsoft Win32® SCard APIs. The Cryptography API contains functions that allow applications to encrypt or digitally sign data in a flexible manner, while providing protection for the user's sensitive private key data. All cryptographic operations are performed by independent modules known as cryptographic service providers (CSPs). There are many different cryptographic algorithms and even when implementing the same algorithm there are many choices to make about key sizes and padding for example. For this reason, CSPs are grouped into types, in which each supported CryptoAPI function, by default, performs in a way particular to that type. For example, CSPs in the PROV_DSS provider type support DSS Signatures and MD5 and SHA hashing.
After reviewing the firewall logs of her organization's wireless APs, Ann discovers an unusually high amount of failed authentication attempts in a particular segment of the building. She remembers that a new business moved into the office space across the street. Which of the following would be the BEST option to begin addressing the issue? A. Reduce the power level of the AP on the network segment B. Implement MAC filtering on the AP of the affected segment C. Perform a site survey to see what has changed on the segment D. Change the WPA2 encryption key of the AP in the affected segment
Answer: A Explanation: Some access points include power level controls that allow you to reduce the amount of output provided if the signal is traveling too far.
A security technician at a small business is worried about the Layer 2 switches in the network suffering from a DoS style attack caused by staff incorrectly cabling network connections between switches. Which of the following will BEST mitigate the risk if implemented on the switches? A. Spanning tree B. Flood guards C. Access control lists D. Syn flood
Answer: A Explanation: Spanning Tree is designed to eliminate network 'loops' from incorrect cabling between switches. Imagine two switches named switch 1 and switch 2 with two network cables connecting the switches. This would cause a network loop. A network loop between two switches can cause a 'broadcast storm' where a broadcast packet is sent out of all ports on switch 1 which includes two links to switch 2. The broadcast packet is then sent out of all ports on switch 2 whichincludes links back to switch 1. The broadcast packet will be sent out of all ports on switch 1 again which includes two links to switch 2 and so on thus flooding the network with broadcast traffic. The Spanning-Tree Protocol (STP) was created to overcome the problems of transparent bridging in redundant networks. The purpose of STP is to avoid and eliminate loops in the network by negotiating a loop-free path through a root bridge. This is done by determining where there are loops in the network and blocking links that are redundant. Spanning-Tree Protocol executes an algorithm called the Spanning-Tree Algorithm (STA). In order to find redundant links, STA will choose a reference point called a Root Bridge, and then determines all the available paths to that reference point. If it finds a redundant path, it chooses for the best path to forward and for all other redundant paths to block. This effectively severs the redundant links within the network. All switches participating in STP gather information on other switches in the network through an exchange of data messages. These messages are referred to as Bridge Protocol Data Units (BPDUs). The exchange of BPDUs in a switched environment will result in the election of a root switch for the stable spanning-tree network topology, election of designated switch for every switched segment, and the removal of loops in the switched network by placing redundant switch ports in a backup state.
An attacker crafts a message that appears to be from a trusted source, but in reality it redirects the recipient to a malicious site where information is harvested. The message is narrowly tailored so it is effective on only a small number of victims. This describes which of the following? A. Spear phishing B. Phishing C. Smurf attack D. Vishing
Answer: A Explanation: Spear phishing is an e-mail spoofing fraud attempt that targets a specific organization, seeking unauthorized access to confidential data. As with the e-mail messages used in regular phishing expeditions, spear phishing messages appear to come from a trusted source. Phishing messages usually appear to come from a large and well-known company or Web site with a broad membership base, such as eBay or PayPal. In the case of spear phishing, however, the apparent source of the e-mail is likely to be an individual within the recipient's own company and generally someone in a position of authority.
A security administrator wants to deploy security controls to mitigate the threat of company employees' personal information being captured online. Which of the following would BEST serve this purpose? A. Anti-spyware B. Antivirus C. Host-based firewall D. Web content filter
Answer: A Explanation: Spyware monitors a user's activity and uses network protocols to reports it to a third party without the user's knowledge. This is usually accomplished using a tracking cookie
The common method of breaking larger network address space into smaller networks is known as: A. subnetting. B. phishing. C. virtualization. D. packet filtering.
Answer: A Explanation: Subnetting is a dividing process used on networks to divide larger groups of hosts into smaller collections.
Pete, the Chief Executive Officer (CEO) of a company, has increased his travel plans for the next two years to improve business relations. Which of the following would need to be in place in case something happens to Pete? A. Succession planning B. Disaster recovery C. Separation of duty D. Removing single loss expectancy
Answer: A Explanation: Succession planning outlines those internal to the organization who have the ability to step into positions when they open. By identifying key roles that cannot be left unfilled and associating internal employees who can step into these roles, you can groom those employees to make sure that they are up to speed when it comes time for them to fill those positions.
Which of the following wireless security technologies continuously supplies new keys for WEP? A. TKIP B. Mac filtering C. WPA2 D. WPA
Answer: A Explanation: TKIP is a suite of algorithms that works as a "wrapper" to WEP, which allows users of legacy WLAN equipment to upgrade to TKIP without replacing hardware. TKIP uses the original WEP programming but "wraps" additional code at the beginning and end to encapsulate and modify it.
A program displays: ERROR: this program has caught an exception and will now terminate. Which of the following is MOST likely accomplished by the program's behavior? A. Operating system's integrity is maintained B. Program's availability is maintained C. Operating system's scalability is maintained D. User's confidentiality is maintained
Answer: A Explanation: The purpose of error handling is to maintain the security and integrity of the system. Integrity is compromised when unauthorized modification occurs
An internal audit has detected that a number of archived tapes are missing from secured storage. There was no recent need for restoration of data from the missing tapes. The location is monitored by access control and CCTV systems. Review of the CCTV system indicates that it has not been recording for three months. The access control system shows numerous valid entries into the storage location during that time. The last audit was six months ago and the tapes were accounted for at that time. Which of the following could have aided the investigation? A. Testing controls B. Risk assessment C. Signed AUP D. Routine audits
Answer: A Explanation: Testing controls come in three types: Technical, Management and Operational. In this question, the CCTV system has not been recording for three months and no one noticed. Improved testing controls (regular testing to verify the CCTV system is recording) would ensure that the CCTV is recording as expected. The CCTV recordings could have aided the investigation into the missing tapes.
Pete, the security administrator, has been notified by the IDS that the company website is under attack. Analysis of the web logs show the following string, indicating a user is trying to post a comment on the public bulletin board. INSERT INTO message `<script>source=http://evilsite</script> This is an example of which of the following? A. XSS attack B. XML injection attack C. Buffer overflow attack D. SQL injection attack
Answer: A Explanation: The <script> </script> tags indicate that script is being inserted. Cross-site scripting (XSS) is a type of computer security vulnerability typically found in Web applications. XSS enables attackers to inject client-side script into Web pages viewed by other users. Cross-site scripting uses known vulnerabilities in web-based applications, their servers, or plug-in systems on which they rely. Exploiting one of these, attackers fold malicious content into the content being delivered from the compromised site. When the resulting combined content arrives at the client-side web browser, it has all been delivered from the trusted source, and thus operates under the permissions granted to that system. By finding ways of injecting malicious scripts into web pages, an attacker can gain elevated access-privileges to sensitive page content, session cookies, and a variety of other information maintained by the browser on behalf of the user
An investigator recently discovered that an attacker placed a remotely accessible CCTV camera in a public area overlooking several Automatic Teller Machines (ATMs). It is also believed that user accounts belonging to ATM operators may have been compromised. Which of the following attacks has MOST likely taken place? A. Shoulder surfing B. Dumpster diving C. Whaling attack D. Vishing attack
Answer: A Explanation: The CCTV camera has recorded people entering their PINs in the ATMs. This is known as shoulder surfing. Shoulder surfing is using direct observation techniques, such as looking over someone's shoulder, to get information. Shoulder surfing is an effective way to get information in crowded places because it's relatively easy to stand next to someone and watch as they fill out a form, enter a PIN number at an ATM machine, or use a calling card at a public pay phone. Shouldersurfing can also be done long distance with the aid of binoculars or other vision-enhancing devices. To prevent shoulder surfing, experts recommend that you shield paperwork or your keypad from view by using your body or cupping your hand.
Which of the following is true about the CRL? A. It should be kept public B. It signs other keys C. It must be kept secret D. It must be encrypted
Answer: A Explanation: The CRL must be public so that it can be known which keys and certificates have been revoked. In the operation of some cryptosystems, usually public key infrastructures (PKIs), a certificate revocation list (CRL) is a list of certificates (or more specifically, a list of serial numbers for certificates) that have been revoked, and therefore, entities presenting those (revoked) certificates should no longer be trusted.
A network administrator, Joe, arrives at his new job to find that none of the users have changed their network passwords since they were initially hired. Joe wants to have everyone change their passwords immediately. Which of the following policies should be enforced to initiate a password change? A. Password expiration B. Password reuse C. Password recovery D. Password disablement
Answer: A Explanation: The Maximum password age policy setting determines the number of days that a password can be used before the system requires the user to change it. The password expiration setting determines that a user will not be able to log into a system without changing their password after the maximum password age has been reached.
Which of the following protocols is used by IPv6 for MAC address resolution? A. NDP B. ARP C. DNS D. NCP
Answer: A Explanation: The Neighbor Discovery Protocol (NDP) is a protocol in the Internet protocol suite used with Internet Protocol Version 6 (IPv6).
Which of the following uses both a public and private key? A. RSA B. AES C. MD5 D. SHA
Answer: A Explanation: The RSA algorithm is an early public-key encryption system that uses large integers as the basis for the process. RSA uses both a public key and a secret. RSA key generation process: 1. Generate two large random primes, p and q, of approximately equal size such that their product, n = pq, is of the required bit length (such as 2048 bits, 4096 bits, and so forth). Let n = pq Let m = (p-1)(q-1) 2. Choose a small number e, co-prime to m (note: Two numbers are co-prime if they have no common factors). 3. Find d, such that de % m = 1 4. Publish e and n as the public key. Keep d and n as the secret key
Ann has taken over as the new head of the IT department. One of her first assignments was to implement AAA in preparation for the company's new telecommuting policy. When she takes inventory of the organizations existing network infrastructure, she makes note that it is a mix of several different vendors. Ann knows she needs a method of secure centralized access to the company's network resources. Which of the following is the BEST service for Ann to implement? A. RADIUS B. LDAP C. SAML D. TACACS+
Answer: A Explanation: The Remote Authentication Dial In User Service (RADIUS) networking protocol offers centralized Authentication, Authorization, and Accounting (AAA) management for users who make use of a network service
Matt, a forensic analyst, wants to obtain the digital fingerprint for a given message. The message is 160-bits long. Which of the following hashing methods would Matt have to use to obtain this digital fingerprint? A. SHA1 B. MD2 C. MD4 D. MD5
Answer: A Explanation: The Secure Hash Algorithm (SHA) was designed to ensure the integrity of a message. SHA is a one-way hash that provides a hash value that can be used with an encryption protocol. This algorithm produces a 160-bit hash value. SHA (1 or 2) is preferred over Message Digest Algorithm
Which of the following types of authentication packages user credentials in a ticket? A. Kerberos B. LDAP C. TACACS+ D. RADIUS
Answer: A Explanation: The basic process of Kerberos authentication is as follows: The subject provides logon credentials. The Kerberos client system encrypts the password and transmits the protected credentials to the KDC. The KDC verifies the credentials and then creates a ticket-granting ticket (TGT—a hashed form of the subject's password with the addition of a time stamp that indicates a valid lifetime). The TGT is encrypted and sent to the client. The client receives the TGT. At this point, the subject is an authenticated principle in the Kerberos realm. The subject requests access to resources on a network server. This causes the client to request a service ticket (ST) from the KDC. The KDC verifies that the client has a valid TGT and then issues an ST to the client. The ST includes a time stamp that indicates its valid lifetime. The client receives the ST. The client sends the ST to the network server that hosts the desired resource. The network server verifies the ST. If it's verified, it initiates a communication session with the client. From this point forward, Kerberos is no longer involved.
Several bins are located throughout a building for secure disposal of sensitive information. Which of the following does this prevent? A. Dumpster diving B. War driving C. Tailgating D. War chalking
Answer: A Explanation: The bins in this question will be secure bins designed to prevent someone accessing the 'rubbish' to learn sensitive information. Dumpster diving is looking for treasure in someone else's trash. (A dumpster is a large trash container.) In the world of information technology, dumpster diving is a technique used to retrieve information that could be used to carry out an attack on a computer network. Dumpster diving isn't limited to searching through the trash for obvious treasures like access codes or passwords written down on sticky notes. Seemingly innocent information like a phone list, calendar, or organizational chart can be used to assist an attacker using social engineering techniques to gain access to the network. To prevent dumpster divers from learning anything valuable from your trash, experts recommend that your company establish a disposal policy where all paper, including print-outs, is shredded in a cross-cut shredder before being recycled, all storage media is erased, and all staff is educated about the danger of untracked trash
A security administrator looking through IDS logs notices the following entry: (where [email protected] and passwd= 'or 1==1') Which of the following attacks had the administrator discovered? A. SQL injection B. XML injection C. Cross-site script D. Header manipulation
Answer: A Explanation: The code in the question is an example of a SQL Injection attack. The code '1==1' will always provide a value of true. This can be included in statement designed to return all rows in a SQL table. SQL injection is a code injection technique, used to attack data-driven applications, in which malicious SQL statements are inserted into an entry field for execution (e.g. to dump thedatabase contents to the attacker). SQL injection must exploit a security vulnerability in an application's software, for example, when user input is either incorrectly filtered for string literal escape characters embedded in SQL statements or user input is not strongly typed and unexpectedly executed. SQL injection is mostly known as an attack vector for websites but can be used to attack any type of SQL database.
In order to maintain oversight of a third party service provider, the company is going to implement a Governance, Risk, and Compliance (GRC) system. This system is promising to provide overall security posture coverage. Which of the following is the MOST important activity that should be considered? A. Continuous security monitoring B. Baseline configuration and host hardening C. Service Level Agreement (SLA) monitoring D. Security alerting and trending
Answer: A Explanation: The company is investing in a Governance, Risk, and Compliance (GRC) system to provide overall security posture coverage. This is great for testing the security posture. However, to beeffective and ensure the company always has a good security posture, you need to monitor the security continuously. Once a baseline security configuration is documented, it is critical to monitor it to see that this baseline is maintained or exceeded. A popular phrase among personal trainers is "that which gets measured gets improved." Well, in network security, "that which gets monitored gets secure." Continuous monitoring means exactly that: ongoing monitoring. This may involve regular measurements of network traffic levels, routine evaluations for regulatory compliance, and checks of network security device configurations.
A major security risk with co-mingling of hosts with different security requirements is: A. Security policy violations. B. Zombie attacks. C. Password compromises. D. Privilege creep.
Answer: A Explanation: The entire network is only as strong as the weakest host. Thus with the co-mingling of hosts with different security requirements would be risking security policy violations.
The finance department works with a bank which has recently had a number of cyber attacks. The finance department is concerned that the banking website certificates have been compromised. Which of the following can the finance department check to see if any of the bank's certificates are still valid? A. Bank's CRL B. Bank's private key C. Bank's key escrow D. Bank's recovery agent
Answer: A Explanation: The finance department can check if any of the bank's certificates are in the CRL or not. If a certificate is not in the CRL then it is still valid. The CRL (Certificate revocation list) is exactly what its name implies: a list of subscribers paired with digital certificate status. The list enumerates revoked certificates along with the reason(s) for revocation. The dates of certificate issue, and the entities that issued them, are also included. In addition, each list contains a proposed date for the next release.
When Ann an employee returns to work and logs into her workstation she notices that, several desktop configuration settings have changed. Upon a review of the CCTV logs, it is determined that someone logged into Ann's workstation. Which of the following could have prevented this from happening? A. Password complexity policy B. User access reviews C. Shared account prohibition policy D. User assigned permissions policy
Answer: A Explanation: The most important countermeasure against password crackers is to use long, complex passwords, which are changed regularly. Since changes were made to Ann's desktop configuration settings while she was not at work, means that her password was compromised.
Which of the following is an example of a false negative? A. The IDS does not identify a buffer overflow. B. Anti-virus identifies a benign application as malware. C. Anti-virus protection interferes with the normal operation of an application. D. A user account is locked out after the user mistypes the password too many times.
Answer: A Explanation: With a false negative, you are not alerted to a situation when you should be alerted.
A computer supply company is located in a building with three wireless networks. The system security team implemented a quarterly security scan and saw the following. SSIDStateChannelLevel Computer AreUs1connected170dbm Computer AreUs2connected580dbm Computer AreUs3connected375dbm Computer AreUs4connected695dbm Which of the following is this an example of? A. Rogue access point B. Near field communication C. Jamming D. Packet sniffing
Answer: A Explanation: The question states that the building has three wireless networks. However, the scan is showing four wireless networks with the SSIDs: Computer AreUs1 , Computer AreUs2 , Computer AreUs3 and Computer AreUs4. Therefore, one of these wireless networks probably shouldn't be there. This is an example of a rogue access point. A rogue access point is a wireless access point that has either been installed on a secure company network without explicit authorization from a local network administrator, or has been created to allow a hacker to conduct a man-in-the-middle attack. Rogue access points of the first kind can pose a security threat to large organizations with many employees, because anyone with access to the premises can install (maliciously or non-maliciously) an inexpensive wireless router thatcan potentially allow access to a secure network to unauthorized parties. Rogue access points of the second kind target networks that do not employ mutual authentication (client-server serverclient) and may be used in conjunction with a rogue RADIUS server, depending on security configuration of the target network. To prevent the installation of rogue access points, organizations can install wireless intrusion prevention systems to monitor the radio spectrum for unauthorized access points.
Which of the following is used to certify intermediate authorities in a large PKI deployment? A. Root CA B. Recovery agent C. Root user D. Key escrow
Answer: A Explanation: The root CA certifies other certification authorities to publish and manage certificates within the organization. In a hierarchical trust model, also known as a tree, a root CA at the top provides all of the information. The intermediate CAs are next in the hierarchy, and they trust only information provided by the root CA. The root CA also trusts intermediate CAs that are in their level in the hierarchy and none that aren't. This arrangement allows a high level of control at all levels of the hierarchical tree. .
Which of the following types of application attacks would be used to identify malware causing security breaches that have NOT yet been identified by any trusted sources? A. Zero-day B. LDAP injection C. XML injection D. Directory traversal
Answer: A Explanation: The security breaches have NOT yet been identified. This is zero day vulnerability. A zero day vulnerability refers to a hole in software that is unknown to the vendor. This security hole is then exploited by hackers before the vendor becomes aware and hurries to fix it—this exploit is called a zero day attack. Uses of zero day attacks can include infiltrating malware, spyware or allowing unwanted access to user information. The term "zero day" refers to the unknown nature of the hole to those outside of the hackers, specifically, the developers. Once the vulnerability becomes known, a race begins for the developer, who must protect users.
Joe a company's new security specialist is assigned a role to conduct monthly vulnerability scans across the network. He notices that the scanner is returning a large amount of false positives or failed audits. Which of the following should Joe recommend to remediate these issues? A. Ensure the vulnerability scanner is located in a segmented VLAN that has access to the company's servers B. Ensure the vulnerability scanner is configured to authenticate with a privileged account C. Ensure the vulnerability scanner is attempting to exploit the weaknesses it discovers D. Ensure the vulnerability scanner is conducting antivirus scanning
Answer: A Explanation: The vulnerability scanner is returning false positives because it is trying to scan servers that it doesn't have access to; for example, servers on the Internet. We need to ensure that the local network servers only are scanned. We can do this by locating the vulnerability scanner in a segmented VLAN that has access to the company's servers. A false positive is an error in some evaluation process in which a condition tested for is mistakenly found to have been detected. In spam filters, for example, a false positive is a legitimate message mistakenly marked as UBE -unsolicited bulk email, as junk email is more formally known. Messages that are determined to be spam -- whether correctly or incorrectly -- may be rejected by a server or client-side spam filter and returned to the sender as bounce e-mail. One problem with many spam filtering tools is that if they are configured stringently enough to be effective, there is a fairly high chance of getting false positives. The risk of accidentallyblocking an important message has been enough to deter many companies from implementing any anti-spam measures at all. False positives are also common in security systems. A host intrusion prevention system (HIPS), for example, looks for anomalies, such as deviations in bandwidth, protocols and ports. When activity varies outside of an acceptable range - for example, a remote application attempting to open a normally closed port -- an intrusion may be in progress. However, an anomaly, such as a sudden spike in bandwidth use, does not guarantee an actual attack, so this approach amounts to an educated guess and the chance for false positives can be high. False positives contrast with false negatives, which are results indicating mistakenly that some condition tested for is absent.
The security administrator is observing unusual network behavior from a workstation. The workstation is communicating with a known malicious destination over an encrypted tunnel. A full antivirus scan, with an updated antivirus definition file, does not show any signs of infection. Which of the following has happened on the workstation? A. Zero-day attack B. Known malware infection C. Session hijacking D. Cookie stealing
Answer: A Explanation: The vulnerability was unknown in that the full antivirus scan did not detect it. This is zero day vulnerability. A zero day vulnerability refers to a hole in software that is unknown to the vendor. This security hole is then exploited by hackers before the vendor becomes aware and hurries to fix it—this exploit is called a zero day attack. Uses of zero day attacks can include infiltrating malware, spyware or allowing unwanted access to user information. The term "zero day" refers to the unknown nature of the hole to those outside of the hackers, specifically, the developers. Once the vulnerability becomes known, a race begins for the developer, who must protect users
Which of the following is the BEST way to prevent Cross-Site Request Forgery (XSRF) attacks? A. Check the referrer field in the HTTP header B. Disable Flash content C. Use only cookies for authentication D. Use only HTTPS URLs
Answer: A Explanation: XSRF or cross-site request forgery applies to web applications and is an attack that exploits the web application's trust of a user who known or is supposed to have been authenticated. This is accomplished by changing values in the HTTP header and even in the user's cookie to falsify access. It can be prevented by embedding additional authentication data into requests that allows the web application to detect requests from unauthorized locations. Examples are synchronizer token patterns, cookie-to-header tokens, and checking the HTTP Referrer header and the HTTP Origin header.
A technician wants to implement a dual factor authentication system that will enable the organization to authorize access to sensitive systems on a need-to-know basis. Which of the following should be implemented during the authorization stage? A. Biometrics B. Mandatory access control C. Single sign-on D. Role-based access control
Answer: A Explanation: This question is asking about "authorization", not authentication. Mandatory access control (MAC) is a form of access control commonly employed by government and military environments. MAC specifies that access is granted based on a set of rules rather than at the discretion of a user. The rules that govern MAC are hierarchical in nature and are often called sensitivity labels, security domains, or classifications. MAC can also be deployed in private sector or corporate business environments. Such cases typically involve the following four security domain levels (in order from least sensitive to most sensitive): Public Sensitive Private Confidential A MAC environment works by assigning subjects a clearance level and assigning objects a sensitivity label—in other words, everything is assigned a classification marker. Subjects or users are assigned clearance levels. The name of the clearance level is the same as the name of the sensitivity label assigned to objects or resources. A person (or other subject, such as a program or a computer system) must have the same or greater assigned clearance level as the resources they wish to access. In this manner, access is granted or restricted based on the rules of classification (that is, sensitivity labels and clearance levels). MAC is named as it is because the access control it imposes on an environment is mandatory. Its assigned classifications and the resulting granting and restriction of access can't be altered by users. Instead, the rules that define the environment and judge the assignment of sensitivity labels and clearance levels control authorization. MAC isn't a very granularly controlled security environment. An improvement to MAC includes the use of need to know: a security restriction where some objects (resources or data) are restricted unless the subject has a need to know them. The objects that require a specific need to know are assigned a sensitivity label, but they're compartmentalized from the rest of the objects with the same sensitivity label (in the same security domain). The need to know is a rule in and of itself, which states that access is granted only to users who have been assigned work tasks that require access to the cordoned-off object. Even if users have the proper level of clearance, without need to know, they're denied access. Need to know is the MAC equivalent of the principle of least privilege from DAC
Jane, a security administrator, has observed repeated attempts to break into a server. Which of the following is designed to stop an intrusion on a specific server? A. HIPS B. NIDS C. HIDS D. NIPS
Answer: A Explanation: This question is asking which of the following is designed to stop an intrusion on a specific server. To stop an intrusion on a specific server, you would use a HIPS (Host Intrusion Prevention System). The difference between a HIPS and other intrusion prevention systems is that a HIPS is a software intrusion prevention systems that is installed on a 'specific server'. Intrusion prevention systems (IPS), also known as intrusion detection and prevention systems (IDPS), are network security appliances that monitor network and/or system activities for malicious activity. The main functions of intrusion prevention systems are to identify malicious activity, log information about this activity, attempt to block/stop it, and report it. A HIPS (Host Intrusion Prevention System) is software installed on a host which monitors the host for suspicious activity by analyzing events occurring within that host with the aim of detecting and preventing intrusion.
Which of the following security concepts can prevent a user from logging on from home during the weekends? A. Time of day restrictions B. Multifactor authentication C. Implicit deny D. Common access card
Answer: A Explanation: Time of day restrictions limit when users can access specific systems based on the time of day or week. It can limit access to sensitive environments to normal business hours when oversight and monitoring can be performed to prevent fraud, abuse, or intrusion.
An organization has introduced token-based authentication to system administrators due to risk of password compromise. The tokens have a set of numbers that automatically change every 30 seconds. Which of the following type of authentication mechanism is this? A. TOTP B. Smart card C. CHAP D. HOTP
Answer: A Explanation: Time-based one-time password (TOTP) tokens are devices or applications that generate passwords at fixed time intervals. In this case, it's every 30 seconds
Which of the following types of application attacks would be used to specifically gain unauthorized information from databases that did not have any input validation implemented? A. SQL injection B. Session hijacking and XML injection C. Cookies and attachments D. Buffer overflow and XSS
Answer: A Explanation: To access information in databases, you use SQL. To gain unauthorized information from databases, a SQL Injection attack is used. SQL injection is a code injection technique, used to attack data-driven applications, in which malicious SQL statements are inserted into an entry field for execution (e.g. to dump the database contents to the attacker). SQL injection must exploit a security vulnerability in an application's software, for example, when user input is either incorrectly filtered for string literal escape characters embedded in SQL statements or user input is not strongly typed and unexpectedly executed. SQL injection is mostly known as an attack vector for websites but can be used to attack any type of SQL database.
After encrypting all laptop hard drives, an executive officer's laptop has trouble booting to the operating system. Now that it is successfully encrypted the helpdesk cannot retrieve the data. Which of the following can be used to decrypt the information for retrieval? A. Recovery agent B. Private key C. Trust models D. Public key
Answer: A Explanation: To access the data the hard drive need to be decrypted. To decrypt the hard drive you would need the proper private key. The key recovery agent can retrieve the required key. A key recovery agent is an entity that has the ability to recover a key, key components, or plaintext messages as needed
The systems administrator wishes to implement a hardware-based encryption method that could also be used to sign code. They can achieve this by: A. Utilizing the already present TPM. B. Configuring secure application sandboxes. C. Enforcing whole disk encryption. D. Moving data and applications into the cloud
Answer: A Explanation: Trusted Platform Module (TPM) is a hardware-based encryption solution that is embedded in the system's motherboard and is enabled or disable in BIOS. It helps with hash key generation and stores cryptographic keys, passwords, or certificates.
Which of the following provides dedicated hardware-based cryptographic functions to an operating system and its applications running on laptops and desktops? A. TPM B. HSM C. CPU D. FPU
Answer: A Explanation: Trusted Platform Module (TPM) is a hardware-based encryption solution that is embedded in the system's motherboard and is enabled or disable in BIOS. It helps with hash key generation and stores cryptographic keys, passwords, or certificates.
Speaking a passphrase into a voice print analyzer is an example of which of the following security concepts? A. Two factor authentication B. Identification and authorization C. Single sign-on D. Single factor authentication
Answer: A Explanation: Two-factor authentication is when two different authentication factors are provided for authentication purposes. Speaking (Voice) - something they are. Passphrase - something they know.
A recent spike in virus detections has been attributed to end-users visiting www.compnay.com. The business has an established relationship with an organization using the URL of www.company.com but not with the site that has been causing the infections. Which of the following would BEST describe this type of attack? A. Typo squatting B. Session hijacking C. Cross-site scripting D. Spear phishing
Answer: A Explanation: Typosquatting, also called URL hijacking or fake url, is a form of cybersquatting, and possibly brandjacking which relies on mistakes such as typographical errors made by Internet users when inputting a website address into a web browser. Should a user accidentally enter an incorrect website address, they may be led to any URL (including an alternative website owned by a cybersquatter). The typosquatter's URL will usually be one of four kinds, all similar to the victim site address: (In the following, the intended website is "example.com") A common misspelling, or foreign language spelling, of the intended site: exemple.com A misspelling based on typing errors: xample.com or examlpe.com A differently phrased domain name: examples.com A different top-level domain: example.org Once in the typosquatter's site, the user may also be tricked into thinking that they are in fact in the real site; through the use of copied or similar logos, website layouts or content.
The marketing department wants to distribute pens with embedded USB drives to clients. In the past this client has been victimized by social engineering attacks which led to a loss of sensitive data. The security administrator advises the marketing department not to distribute the USB pens due to which of the following? A. The risks associated with the large capacity of USB drives and their concealable nature B. The security costs associated with securing the USB drives over time C. The cost associated with distributing a large volume of the USB pens D. The security risks associated with combining USB drives and cell phones on a network
Answer: A Explanation: USB drive and other USB devices represent a security risk as they can be used to either bring malicious code into a secure system or to copy and remove sensitive data out of the system.
An advantage of virtualizing servers, databases, and office applications is: A. Centralized management. B. Providing greater resources to users. C. Stronger access control. D. Decentralized management
Answer: A Explanation: Virtualization consists of allowing one set of hardware to host multiple virtual Machines and in the case of software and applications; one host is all that is required. This makes centralized management a better prospect.
Which of the following tests a number of security controls in the least invasive manner? A. Vulnerability scan B. Threat assessment C. Penetration test D. Ping sweep
Answer: A Explanation: Vulnerability scanning has minimal impact on network resource due to the passive nature of the scanning. A vulnerability scan is the process of scanning the network and/or I.T. infrastructure for threats and vulnerabilities. The threats and vulnerabilities are then evaluated in a risk assessment and the necessary actions taken to resolve and vulnerabilities. A vulnerability scan scans for known weaknesses such as missing patches or security updates. A vulnerability scan is the automated process of proactively identifying security vulnerabilities of computing systems in a network in order to determine if and where a system can be exploited and/or threatened. While public servers are important for communication and data transfer over the Internet, they open the door to potential security breaches by threat agents, such as malicious hackers. Vulnerability scanning employs software that seeks out security flaws based on a database of known flaws, testing systems for the occurrence of these flaws and generating a report of the findings that an individual or an enterprise can use to tighten the network's security.
Jane has recently implemented a new network design at her organization and wishes to passively identify security issues with the new network. Which of the following should Jane perform? A. Vulnerability assessment B. Black box testing C. White box testing D. Penetration testing
Answer: A Explanation: Vulnerability scanning has minimal impact on network resources due to the passive nature of the scanning. A vulnerability scan is the process of scanning the network and/or I.T. infrastructure for threats and vulnerabilities. The threats and vulnerabilities are then evaluated in a risk assessment and the necessary actions taken to resolve and vulnerabilities. A vulnerability scan scans for known weaknesses such as missing patches or security updates. A vulnerability scan is the automated process of proactively identifying security vulnerabilities of computing systems in a network in order to determine if and where a system can be exploited and/or threatened. While public servers are important for communication and data transfer over the Internet, they open the door to potential security breaches by threat agents, such as malicious hackers. Vulnerability scanning employs software that seeks out security flaws based on a database of known flaws, testing systems for the occurrence of these flaws and generating a report of the findings that an individual or an enterprise can use to tighten the network's security.
Configuring key/value pairs on a RADIUS server is associated with deploying which of the following? A. WPA2-Enterprise wireless network B. DNS secondary zones C. Digital certificates D. Intrusion detection system
Answer: A Explanation: WPA2-Enterprise is designed for enterprise networks and requires a RADIUS authentication server.
Mike, a security professional, is tasked with actively verifying the strength of the security controls on a company's live modem pool. Which of the following activities is MOST appropriate? A. War dialing B. War chalking C. War driving D. Bluesnarfing
Answer: A Explanation: War dialing is a technique of using a modem to automatically scan a list of telephone numbers, usually dialing every number in a local area code to search for computers, Bulletin board systems and fax machines. Hackers use the resulting lists for various purposes: hobbyists for exploration, and crackers - malicious hackers who specialize in computer security - for guessing user accounts (by capturing voicemail greetings), or locating modems that might provide an entry-point into computer or other electronic systems. It may also be used by security personnel, for example, to detect unauthorized devices, such as modems or faxes, on a company's telephone network
Which of the following would MOST likely involve GPS? A. Wardriving B. Protocol analyzer C. Replay attack D. WPS attack
Answer: A Explanation: War driving, also called access point mapping, is the act of locating and possibly exploiting connections to wireless local area networks while driving around a city or elsewhere. To do war driving, you need a vehicle, a computer (which can be a laptop), a wireless Ethernet card set to work in promiscuous mode, and some kind of an antenna which can be mounted on top of or positioned inside the car. A GPS (Global Positioning System) system can be used to accurately map your location while detecting the wireless networks.
A security specialist has been asked to evaluate a corporate network by performing a vulnerability assessment. Which of the following will MOST likely be performed? A. Identify vulnerabilities, check applicability of vulnerabilities by passively testing security controls. B. Verify vulnerabilities exist, bypass security controls and exploit the vulnerabilities. C. Exploit security controls to determine vulnerabilities and misconfigurations. D. Bypass security controls and identify applicability of vulnerabilities by passively testing security controls.
Answer: A Explanation: We need to determine if vulnerabilities exist by passively testing security controls. A vulnerability scan is the automated process of proactively identifying security vulnerabilities of computing systems in a network in order to determine if and where a system can be exploited and/or threatened. While public servers are important for communication and data transfer over the Internet, they open the door to potential security breaches by threat agents, such as malicious hackers. Vulnerability scanning employs software that seeks out security flaws based on a database of known flaws, testing systems for the occurrence of these flaws and generating a report of the findings that an individual or an enterprise can use to tighten the network's security. Vulnerability scanning typically refers to the scanning of systems that are connected to the Internet but can also refer to system audits on internal networks that are not connected to the Internet in order to assess the threat of rogue software or malicious employees in an enterprise.
Which of the following is a notification that an unusual condition exists and should be investigated? A. Alert B. Trend C. Alarm D. Trap
Answer: A Explanation: We need to look carefully at the wording of the question to determine the answer. This question is asking about an "unusual condition" that should be investigated. There are different levels of alerts from Critical to Warning to Information only. An Alarm would be triggered by a serious definite problem that needs resolving urgently. An "unusual condition" probably wouldn't trigger an alarm; it is more likely to trigger an Alert
The Chief Executive Officer (CEO) receives a suspicious voice mail warning of credit card fraud. No one else received the voice mail. Which of the following BEST describes this attack? A. Whaling B. Vishing C. Spear phishing D. Impersonation
Answer: A Explanation: Whaling is a specific kind of malicious hacking within the more general category of phishing, which involves hunting for data that can be used by the hacker. In general, phishing efforts are focused on collecting personal data about users. In whaling, the targets are high-ranking bankers, executives or others in powerful positions or job titles. Hackers who engage in whaling often describe these efforts as "reeling in a big fish," applying a familiar metaphor to the process of scouring technologies for loopholes and opportunities for data theft. Those who are engaged in whaling may, for example, hack into specific networks where these powerful individuals work or store sensitive data. They may also set up keylogging or other malware on a work station associated with one of these executives. There are many ways that hackers can pursue whaling, leading C-level or top-level executives in business and government to stay vigilant about the possibility of cyber threats.
Ann, the security administrator, received a report from the security technician, that an unauthorized new user account was added to the server over two weeks ago. Which of the following could have mitigated this event? A. Routine log audits B. Job rotation C. Risk likelihood assessment D. Separation of duties
Answer: A Explanation: When a new user account is created, an entry is added to the Event Logs. By routinely auditing the event logs, you would know that an account has been created.
Which of the following attacks would cause all mobile devices to lose their association with corporate access points while the attack is underway? A. Wireless jamming B. Evil twin C. Rogue AP D. Packet sniffing
Answer: A Explanation: When most people think of frequency jamming, what comes to mind are radio, radar and cell phone jamming. However, any communication that uses radio frequencies can be jammed by a strong radio signal in the same frequency. In this manner, Wi-Fi may be attacked with a network jamming attack, reducing signal quality until it becomes unusable or disconnects occur. With very similar methods, a focused and aimed signal can actually break access point hardware, as with equipment destruction attacks.
A company provides secure wireless Internet access for visitors and vendors working onsite. Some of the vendors using older technology report that they are unable to access the wireless network after entering the correct network information. Which of the following is the MOST likely reason for this issue? A. The SSID broadcast is disabled. B. The company is using the wrong antenna type. C. The MAC filtering is disabled on the access point. D. The company is not using strong enough encryption.
Answer: A Explanation: When the SSID is broadcast, any device with an automatic detect and connect feature is able to see the network and can initiate a connection with it. The fact that they cannot access the network means that they are unable to see it.
A security technician is attempting to access a wireless network protected with WEP. The technician does not know any information about the network. Which of the following should the technician do to gather information about the configuration of the wireless network? A. Spoof the MAC address of an observed wireless network client B. Ping the access point to discover the SSID of the network C. Perform a dictionary attack on the access point to enumerate the WEP key D. Capture client to access point disassociation packets to replay on the local PC's loopback
Answer: A Explanation: With ARP spoofing (also known as ARP poisoning), the MAC (Media Access Control) address of the data is faked. By faking this value, it is possible to make it look as if the data came from a network that it did not. This can be used to gain access to the network, to fool the router into sending data here that was intended for another host, or to launch a DoS attack. In all cases, the address being faked is an address of a legitimate user, and that makes it possible to get around such measures as allow/deny lists. Note: As an example, the initialization vector (IV) that WEP uses for encryption is 24-bit, which is quite weak and means that IVs are reused with the same key. By examining the repeating result, it was easy for attackers to crack the WEP secret key. This is known as an IV attack.
A network stream needs to be encrypted. Sara, the network administrator, has selected a cipher which will encrypt 8 bits at a time before sending the data across the network. Which of the following has Sara selected? A. Block cipher B. Stream cipher C. CRC D. Hashing algorithm
Answer: A Explanation: With a block cipher the algorithm works on chunks of data—encrypting one and then moving to the next. Example: Blowfish is an encryption system that performs a 64-bit block cipher at very fast speeds
An administrator has successfully implemented SSL on srv4.comptia.com using wildcard certificate *.comptia.com, and now wishes to implement SSL on srv5.comptia.com. Which of the following files should be copied from srv4 to accomplish this? A. certificate, private key, and intermediate certificate chain B. certificate, intermediate certificate chain, and root certificate C. certificate, root certificate, and certificate signing request D. certificate, public key, and certificate signing request
Answer: A Explanation: a wildcard certificate is a public key certificate which can be used with multiple subdomains of a domain. In public-key cryptography, the receiver has a private key known only to them; a public key corresponds to it, which they make known to others. The public key can be sent to all other parties; the private key is never divulged. A symmetric algorithm requires that receivers of the message use the same private key. Thus you should copy the certificate, the private key and the intermediate certificate chain from srv4 to srv5.
Use of a smart card to authenticate remote servers remains MOST susceptible to which of the following attacks? A. Malicious code on the local system B. Shoulder surfing C. Brute force certificate cracking D. Distributed dictionary attacks
Answer: A Explanation: Once a user authenticates to a remote server, malicious code on the user's workstation could then infect the server.
When a communications plan is developed for disaster recovery and business continuity plans, the MOST relevant items to include would be: (Select TWO). A. Methods and templates to respond to press requests, institutional and regulatory reporting requirements. B. Methods to exchange essential information to and from all response team members, employees, suppliers, and customers. C. Developed recovery strategies, test plans, post-test evaluation and update processes. D. Defined scenarios by type and scope of impact and dependencies, with quantification of loss potential. E. Methods to review and report on system logs, incident response, and incident handling.
Answer: A,B Explanation: A: External emergency communications that should fit into your business continuity plan include notifying family members of an injury or death, discussing the disaster with the media, and providing status information to key clients and stakeholders. Each message needs to be prepared with the audience (e.g., employees, media, families, government regulators) in mind; broad general announcements may be acceptable in the initial aftermath of an incident, but these will need to be tailored to the audiences in subsequent releases. B: A typical emergency communications plan should be extensive in detail and properly planned by a business continuity planner. Internal alerts are sent using either email, overhead building paging systems, voice messages or text messages to cell/smartphones with instructions to evacuate the building and relocate at assembly points, updates on the status of the situation, and notification of when it's safe to return to work.
Which of the following controls can be implemented together to prevent data loss in the event of theft of a mobile device storing sensitive information? (Select TWO). A. Full device encryption B. Screen locks C. GPS D. Asset tracking E. Inventory control
Answer: A,B Explanation: A: Device encryption encrypts the data on the device. This feature ensures that the data on the device cannot be accessed in a useable form should the device be stolen. B: Screen locks are a security feature that requires the user to enter a PIN or a password after a short period of inactivity before they can access the system again. This feature ensures that if your device is left unattended or is lost or stolen, it will be difficult for anyone else to access your data or applications.
While securing a network it is decided to allow active FTP connections into the network. Which of the following ports MUST be configured to allow active FTP connections? (Select TWO). A. 20 B. 21 C. 22 D. 68 E. 69
Answer: A,B Explanation: FTP (File Transfer Protocol) makes use of ports 20 and 21
Which of the following concepts are included on the three sides of the "security triangle"? (Select THREE). A. Confidentiality B. Availability C. Integrity D. Authorization E. Authentication F. Continuity
Answer: A,B,C Explanation: Confidentiality, integrity, and availability are the three most important concepts in security. Thus they form the security triangle.
Users are utilizing thumb drives to connect to USB ports on company workstations. A technician is concerned that sensitive files can be copied to the USB drives. Which of the following mitigation techniques would address this concern? (Select TWO). A. Disable the USB root hub within the OS. B. Install anti-virus software on the USB drives. C. Disable USB within the workstations BIOS. D. Apply the concept of least privilege to USB devices. E. Run spyware detection against all workstations
Answer: A,C Explanation: A: The USB root hub can be disabled from within the operating system. C: USB can also be configured and disabled in the system BIOS.
A security analyst performs the following activities: monitors security logs, installs surveillance cameras and analyzes trend reports. Which of the following job responsibilities is the analyst performing? (Select TWO). A. Detect security incidents B. Reduce attack surface of systems C. Implement monitoring controls D. Hardening network devices E. Prevent unauthorized access
Answer: A,C Explanation: By monitoring security logs, installing security cameras and analyzing trend reports, the security analyst is implementing monitoring controls. With the monitoring controls in place, by monitoring the security logs, reviewing the footage from the security cameras and analyzing trend reports, the security analyst is able to detect security incidents.
Joe, a security analyst, asks each employee of an organization to sign a statement saying that they understand how their activities may be monitored. Which of the following BEST describes this statement? (Select TWO). A. Acceptable use policy B. Risk acceptance policy C. Privacy policy D. Email policy E. Security policy
Answer: A,C Explanation: Privacy policies define what controls are required to implement and maintain the sanctity of data privacy in the work environment. Privacy policy is a legal document that outlines how data collected is secured. It should encompass information regarding the information the company collects, privacy choices you have based on your account, potential information sharing of your data with other parties, security measures in place, and enforcement. Acceptable use policies (AUPs) describe how the employees in an organization can use company systems and resources, both software and hardware.
Which of the following is a difference between TFTP and FTP? A. TFTP is slower than FTP. B. TFTP is more secure than FTP. C. TFTP utilizes TCP and FTP uses UDP. D. TFTP utilizes UDP and FTP uses TCP.
Answer: D Explanation: FTP employs TCP ports 20 and 21 to establish and maintain client-to-server communications, whereas TFTP makes use of UDP port 69.
Which of the following attacks impact the availability of a system? (Select TWO). A. Smurf B. Phishing C. Spim D. DDoS E. Spoofing
Answer: A,D Explanation: A smurf attack is a type of network security breach in which a network connected to the Internet is swamped with replies to ICMP echo (PING) requests. A smurf attacker sends PING requests to an Internet broadcast address. These are special addresses that broadcast all received messagesto the hosts connected to the subnet. Each broadcast address can support up to 255 hosts, so a single PING request can be multiplied 255 times. The return address of the request itself is spoofed to be the address of the attacker's victim. All the hosts receiving the PING request reply to this victim's address instead of the real sender's address. A single attacker sending hundreds or thousands of these PING messages per second can fill the victim's T-1 (or even T-3) line with ping replies, bring the entire Internet service to its knees. Smurfing falls under the general category of Denial of Service attacks -- security attacks that don't try to steal information, but instead attempt to disable a computer or network. A Distributed Denial of Service (DDoS) attack is an attack from several different computers targeting a single computer. One common method of attack involves saturating the target machine with external communications requests, so much so that it cannot respond to legitimate traffic, or responds so slowly as to be rendered essentially unavailable. Such attacks usually lead to a server overload. A distributed denial-of-service (DDoS) attack occurs when multiple systems flood the bandwidth or resources of a targeted system, usually one or more web servers. Such an attack is often the result of multiple compromised systems (for example a botnet) flooding the targeted system with traffic. When a server is overloaded with connections, new connections can no longer be accepted. The major advantages to an attacker of using a distributed denial-of-service attack are that multiple machines can generate more attack traffic than one machine, multiple attack machines are harder to turn off than one attack machine, and that the behavior of each attack machine can be stealthier, making it harder to track and shut down. These attacker advantages cause challenges for defense mechanisms. For example, merely purchasing more incoming bandwidth than the current volume of the attack might not help, because the attacker might be able to simply add more attack machines. This after all will end up completely crashing a website for periods of time.
The chief Risk officer is concerned about the new employee BYOD device policy and has requested the security department implement mobile security controls to protect corporate data in the event that a device is lost or stolen. The level of protection must not be compromised even if the communication SIM is removed from the device. Which of the following BEST meets the requirements? (Select TWO) A. Asset tracking B. Screen-locks C. GEO-Tracking D. Device encryption
Answer: A,D Explanation: A: Asset tracking is the process of maintaining oversight over inventory, and ensuring that a device is still in the possession of the assigned authorized user. D: Device encryption encrypts the data on the device. This feature ensures that the data on the device cannot be accessed in a useable form should the device be stolen.
When using PGP, which of the following should the end user protect from compromise? (Select TWO). A. Private key B. CRL details C. Public key D. Key password E. Key escrow F. Recovery agent
Answer: A,D Explanation: A: In PGP only the private key belonging to the receiver can decrypt the session key. PGP combines symmetric-key encryption and public-key encryption. The message is encrypted using a symmetric encryption algorithm, which requires a symmetric key. Each symmetric key is used only once and is also called a session key. D: PGP uses a passphrase to encrypt your private key on your machine. Your private key is encrypted on your disk using a hash of your passphrase as the secret key. You use the passphrase to decrypt and use your private key.
A security engineer is asked by the company's development team to recommend the most secure method for password storage. Which of the following provide the BEST protection against brute forcing stored passwords? (Select TWO). A. PBKDF2 B. MD5 C. SHA2 D. Bcrypt E. AES F. CHAP
Answer: A,D Explanation: A: PBKDF2 (Password-Based Key Derivation Function 2) is part of PKCS #5 v. 2.01. It applies some function (like a hash or HMAC) to the password or passphrase along with Salt to produce a derived key. D: bcrypt is a key derivation function for passwords based on the Blowfish cipher. Besides incorporating a salt to protect against rainbow table attacks, bcrypt is an adaptive function: over time, the iteration count can be increased to make it slower, so it remains resistant to brute-force search attacks even with increasing computation power. The bcrypt function is the default password hash algorithm for BSD and many other systems. References: Dulaney, Emmett and Chuck Eastton, CompTIA Security+ Study Guide, 6th Edition, Sybex, Indianapolis, 2014, pp. 109-110, 139, 143, 250, 255-256, 256
In the initial stages of an incident response, Matt, the security administrator, was provided the hard drives in question from the incident manager. Which of the following incident response procedures would he need to perform in order to begin the analysis? (Select TWO). A. Take hashes B. Begin the chain of custody paperwork C. Take screen shots D. Capture the system image E. Decompile suspicious files
Answer: A,D Explanation: A: Take Hashes. NIST (the National Institute of Standards and Technology) maintains a National Software Reference Library (NSRL). One of the purposes of the NSRL is to collect "known, traceable software applications" through their hash values and store them in a Reference Data Set(RDS). The RDS can then be used by law enforcement, government agencies, and businesses to determine which fi les are important as evidence in criminal investigations. D: A system image is a snapshot of what exists. Capturing an image of the operating system in its exploited state can be helpful in revisiting the issue after the fact to learn more about it
Certificates are used for: (Select TWO). A. Client authentication. B. WEP encryption. C. Access control lists. D. Code signing. E. Password hashing
Answer: A,D Explanation: Certificates are used in PKI to digitally sign data, information, files, email, code, etc. Certificates are also used in PKI for client authentication.
A recent audit has discovered that at the time of password expiration clients are able to recycle the previous credentials for authentication. Which of the following controls should be used together to prevent this from occurring? (Select TWO). A. Password age B. Password hashing C. Password complexity D. Password history E. Password length
Answer: A,D Explanation: D: Password history determines the number of previous passwords that cannot be used when a user changes his password. For example, a password history value of 5 would disallow a user from changing his password to any of his previous 5 passwords. A: When a user is forced to change his password due to a maximum password age period expiring, he could change his password to a previously used password. Or if a password history value of 5 is configured, the user could change his password six times to cycle back round to hisoriginal password. This is where the minimum password age comes in. This is the period that a password must be used for. For example, a minimum password age of 30 would determine that when a user changes his password, he must continue to use the same password for at least 30 days.
A technician is unable to manage a remote server. Which of the following ports should be opened on the firewall for remote server management? (Select TWO). A. 22 B. 135 C. 137 D. 143 E. 443 F. 3389
Answer: A,F Explanation: A secure remote administration solution and Remote Desktop protocol is required. Secure Shell (SSH) is a secure remote administration solution and makes use of TCP port 22. Remote Desktop Protocol (RDP) uses TCP port 3389.
A security administrator must implement all requirements in the following corporate policy: Passwords shall be protected against offline password brute force attacks. Passwords shall be protected against online password brute force attacks. Which of the following technical controls must be implemented to enforce the corporate policy? (Select THREE). A. Account lockout B. Account expiration C. Screen locks D. Password complexity E. Minimum password lifetime F. Minimum password length
Answer: A,D,F Explanation: A brute force attack is a trial-and-error method used to obtain information such as a user password or personal identification number (PIN). In a brute force attack, automated software is used to generate a large number of consecutive guesses as to the value of the desired data. Brute force attacks may be used by criminals to crack encrypted data, or by security analysts to test an organization's network security. A brute force attack may also be referred to as brute force cracking. For example, a form of brute force attack known as a dictionary attack might try all the words in a dictionary. Other forms of brute force attack might try commonly-used passwords or combinations of letters and numbers. The best defense against brute force attacks strong passwords. The following password policies will ensure that users have strong (difficult to guess) passwords: F: Minimum password length. This policy specifies the minimum number of characters a password should have. For example: a minimum password length of 8 characters is regarded as good security practice. D: Password complexity determines what characters a password should include. For example, you could require a password to contain uppercase and lowercase letters and numbers. This will ensure that passwords don't consist of dictionary words which are easy to crack using brute force techniques. A: Account lockout policy: This policy ensures that a user account is locked after a number of incorrect password entries. For example, you could specify that if a wrong password is entered three times, the account will be locked for a period of time or indefinitely until the account is unlocked by an administrator.
The loss prevention department has purchased a new application that allows the employees to monitor the alarm systems at remote locations. However, the application fails to connect to the vendor's server and the users are unable to log in. Which of the following are the MOST likely causes of this issue? (Select TWO). A. URL filtering B. Role-based access controls C. MAC filtering D. Port Security E. Firewall rules
Answer: A,E Explanation: A URL filter is used to block URLs (websites) to prevent users accessing the website. Firewall rules act like ACLs, and they are used to dictate what traffic can pass between the firewall and the internal network. Three possible actions can be taken based on the rule's criteria: Block the connection Allow the connection Allow the connection only if it is secured Incorrect Options: B: Role-based Access Control is basically based on a user's job description. When a user is assigned a specific role in an environment, that user's access to objects is granted based on the required tasks of that role. Since the sales team needs to save and print reports, they would not be restricted if restrictions were role-based. C: A MAC filter is a list of authorized wireless client interface MAC addresses that is used by a WAP to block access to all unauthorized devices. D: Port security works at level 2 of the OSI model and allows an administrator to configure switch ports so that only certain MAC addresses can use the port.
Which of the following is a directional antenna that can be used in point-to-point or point-to-multipoint WiFi communication systems? (Select TWO). A. Backfire B. Dipole C. Omni D. PTZ E. Dish
Answer: A,E Explanation: Both the Backfire and the Dish antennae are high gain antenna types that transmit a narrow beam of signal. It can therefore be used as a point-to-point antenna over short distances, but as point-tomulti-point antenna over longer distances.
Joe, a user, wants to send an encrypted email to Ann. Which of the following will Ann need to use to verify the validity's of Joe's certificate? (Select TWO). A. The CA's public key B. Joe's private key C. Ann's public key D. The CA's private key E. Joe's public key F. Ann's private key
Answer: A,E Explanation: Joe wants to send a message to Ann. It's important that this message not be altered. Joe will use the private key to create a digital signature. The message is, in effect, signed with the private key. Joe then sends the message to Ann. Ann will use the public key attached to the message to validate the digital signature. If the values match, Ann knows the message is authentic and came from Joe. Ann will use a key provided by Joe—the public key—to decrypt the message. Most digital signature implementations also use a hash to verify that the message has not been altered, intentionally or accidently, in transit. Thus Ann would compare the signature area referred to as a message in the message with the calculated value digest (her private key in this case). If thevalues match, the message hasn't been tampered with and the originator is verified as the person they claim to be. This process provides message integrity, nonrepudiation, and authentication. A certificate authority (CA) is an organization that is responsible for issuing, revoking, and distributing certificates. A certificate is nothing more than a mechanism that associates the public key with an individual. If Joe wants to send Ann an encrypted e-mail, there should be a mechanism to verify to Ann that the message received from Mike is really from Joe. If a third party (the CA) vouches for Joe and Ann trusts that third party, Ann can assume that the message is authentic because the third party says so.
Which of the following, if properly implemented, would prevent users from accessing files that are unrelated to their job duties? (Select TWO). A. Separation of duties B. Job rotation C. Mandatory vacation D. Time of day restrictions E. Least privilege
Answer: A,E Explanation: Separation of duties means that users are granted only the permissions they need to do their work and no more. More so it means that you are employing best practices. The segregation of duties and separation of environments is a way to reduce the likelihood of misuse of systems or information. A separation of duties policy is designed to reduce the risk of fraud and to prevent other losses in an organization. A least privilege policy should be used when assigning permissions. Give users only the permissions that they need to do their work and no more.
The manager has a need to secure physical documents every night, since the company began enforcing the clean desk policy. The BEST solution would include: (Select TWO). A. Fire- or water-proof safe. B. Department door locks. C. Proximity card. D. 24-hour security guard. E. Locking cabinets and drawers.
Answer: A,E Explanation: Using a safe and locking cabinets to protect backup media, documentation, and any other physical artifacts that could do harm if they fell into the wrong hands would form part of keeping employees desks clean as in a clean desk policy.
Which of the following wireless protocols could be vulnerable to a brute-force password attack? (Select TWO). A. WPA2-PSK B. WPA - EAP - TLS C. WPA2-CCMP D. WPA -CCMP E. WPA - LEAP F. WEP
Answer: A,F Explanation: A brute force attack is an attack that attempts to guess a password. WPA2-PSK and WEP both use a "Pre-Shared Key". The pre-shared key is a password and therefore is susceptible to a brute force attack.
FTP/S uses which of the following TCP ports by default? A. 20 and 21 B. 139 and 445 C. 443 and 22 D. 989 and 990
Answer: D Explanation: FTPS uses ports 989 and 990.
During a routine audit a web server is flagged for allowing the use of weak ciphers. Which of the following should be disabled to mitigate this risk? (Select TWO). A. SSL 1.0 B. RC4 C. SSL 3.0 D. AES E. DES F. TLS 1.0
Answer: A,F Explanation: TLS 1.0 and SSL 1.0 both have known vulnerabilities and have been replaced by later versions. Any systems running these ciphers should have them disabled. Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL), are cryptographic protocols designed to provide communications security over a computer network. They use X.509 certificates and hence asymmetric cryptography to authenticate the counterparty with whom they are communicating, and to exchange a symmetric key. This session key is then used to encrypt data flowing between the parties. This allows for data/message confidentiality, and message authentication codes for message integrity and as a by-product, message authentication Netscape developed the original SSL protocol. Version 1.0 was never publicly released because of serious security flaws in the protocol; version 2.0, released in February 1995, "contained a number of security flaws which ultimately led to the design of SSL version 3.0". TLS 1.0 was first defined in RFC 2246 in January 1999 as an upgrade of SSL Version 3.0. As stated in the RFC, "the differences between this protocol and SSL 3.0 are not dramatic, but they are significant enough to preclude interoperability between TLS 1.0 and SSL 3.0". TLS 1.0 does include a means by which a TLS implementation can downgrade the connection to SSL 3.0, thus weakening security. TLS 1.1 and then TLS 1.2 were created to replace TLS 1.0.
Several employee accounts appear to have been cracked by an attacker. Which of the following should the security administrator implement to mitigate password cracking attacks? (Select TWO). A. Increase password complexity B. Deploy an IDS to capture suspicious logins C. Implement password history D. Implement monitoring of logins E. Implement password expiration F. Increase password length
Answer: A,F Explanation: The more difficult a password is the more difficult it is to be cracked by an attacker. By increasing the password complexity you make it more difficult. Passwords that are too short can easily be cracked. The more characters used in a password, combined with the increased complexity will mitigate password cracking attacks
A company needs to receive data that contains personally identifiable information. The company requires both the transmission and data at rest to be encrypted. Which of the following achieves this goal? (Select TWO). A. SSH B. TFTP C. NTLM D. TKIP E. SMTP F. PGP/GPG
Answer: A,F Explanation: We can use SSH to encrypt the transmission and PGP/GPG to encrypt the data at rest (on disk). A: Secure Shell (SSH) is a cryptographic protocol that can be used to secure network communication. It establishes a secure tunnel over an insecure network. F: Pretty Good Privacy (PGP) is a data encryption and decryption solution that can be used for signing, encrypting, and decrypting texts, e-mails, files, directories, and whole disk partitions and to increase the security of e-mail communications.
A security analyst implemented group-based privileges within the company active directory. Which of the following account management techniques should be undertaken regularly to ensure least privilege principles? A. Leverage role-based access controls. B. Perform user group clean-up. C. Verify smart card access controls. D. Verify SHA-256 for password hashes
Answer: B Explanation: Active Directory (AD) has no built-in clean-up feature. This can result in obsolete user, group and computer objects accumulating over time and placing security and compliance objectives in jeopardy. You would therefore need to regularly clean-up these settings.
Which of the following can Pete, a security administrator, use to distribute the processing effort when generating hashes for a password cracking program? A. RAID B. Clustering C. Redundancy D. Virtualization
Answer: B Explanation: Anytime you connect multiple computers to work/act together as a single server, it is known as clustering. Clustered systems utilize parallel processing (improving performance and availability) and add redundancy. Server clustering is used to provide failover capabilities / redundancy in addition to scalability as demand increases.
During which of the following phases of the Incident Response process should a security administrator define and implement general defense against malware? A. Lessons Learned B. Preparation C. Eradication D. Identification
Answer: B Explanation: Incident response procedures involves: Preparation; Incident identification; Escalation and notification; Mitigation steps; Lessons learned; Reporting; Recover/reconstitution procedures; First responder; Incident isolation (Quarantine; Device removal); Data breach; Damage and loss control. It is important to stop malware before it ever gets hold of a system -thus you should know which malware is out there and take defensive measures - this means preparation to guard against malware infection should be done.
A Human Resources user is issued a virtual desktop typically assigned to Accounting employees. A system administrator wants to disable certain services and remove the local accounting groups installed by default on this virtual machine. The system administrator is adhering to which of the following security best practices? A. Black listing applications B. Operating System hardening C. Mandatory Access Control D. Patch Management
Answer: B Explanation: Operating System hardening is the process of securing the operating system by reducing its surface of vulnerability. Reducing the surface of vulnerability typically includes removing unnecessary functions and features, removing unnecessary usernames or logins and disabling unnecessary services.
A user has several random browser windows opening on their computer. Which of the following programs can be installed on his machine to help prevent this from happening? A. Antivirus B. Pop-up blocker C. Spyware blocker D. Anti-spam
Answer: B Explanation: Pop-up blockers prevent websites from opening new browser windows without the users consent. These are often used for advertisements but can also be used to distribute malicious code.
One of the servers on the network stops responding due to lack of available memory. Server administrators did not have a clear definition of what action should have taken place based on the available memory. Which of the following would have BEST kept this incident from occurring? A. Set up a protocol analyzer B. Set up a performance baseline C. Review the systems monitor on a monthly basis D. Review the performance monitor on a monthly basis
Answer: B Explanation: A performance baseline provides the input needed to design, implement, and support a secure network. The performance baseline would define the actions that should be performed on a server that is running low on memory.
Which of the following is the BEST approach to perform risk mitigation of user access control rights? A. Conduct surveys and rank the results. B. Perform routine user permission reviews. C. Implement periodic vulnerability scanning. D. Disable user accounts that have not been used within the last two weeks.
Answer: B Explanation: Risk mitigation is accomplished any time you take steps to reduce risk. This category includes installing antivirus software, educating users about possible threats, monitoring network traffic, adding a firewall, and so on. User permissions may be the most basic aspect of security and is best coupled with a principle of least privilege. And related to permissions is the concept of the access control list (ACL). An ACL is literally a list of who can access what resource and at what level. Thus the best risk mitigation steps insofar as access control rights are concerned, is the regular/routine review of user permissions.
In order to secure additional budget, a security manager wants to quantify the financial impact of a one-time compromise. Which of the following is MOST important to the security manager? A. Impact B. SLE C. ALE D. ARO
Answer: B Explanation: SLE is a monetary value, and it represents how much you expect to lose at any one time: the single loss expectancy. SLE can be divided into two components: AV (asset value) and the EF (exposure factor). Thus a one-time compromise would resort under the SLE for the security manager.
Sara, a security analyst, is trying to prove to management what costs they could incur if their customer database was breached. This database contains 250 records with PII. Studies show that the cost per record for a breach is $300. The likelihood that their database would be breached in the next year is only 5%. Which of the following is the ALE that Sara should report to management for a security breach? A. $1,500 B. $3,750 C. $15,000 D. $75,000
Answer: B Explanation: SLE × ARO = ALE, where SLE is equal to asset value (AV) times exposure factor (EF); and ARO is the annualized rate of occurrence. SLE = 250 x $300; ARO = 5% $75000 x 0.05 = $3750
A security manager must remain aware of the security posture of each system. Which of the following supports this requirement? A. Training staff on security policies B. Establishing baseline reporting C. Installing anti-malware software D. Disabling unnecessary accounts/services
Answer: B Explanation: The IT baseline protection approach is a methodology to identify and implement computer security measures in an organization. The aim is the achievement of an adequate and appropriate level of security for IT systems. This is known as a baseline. A baseline report compares the current status of network systems in terms of security updates, performance or other metrics to a predefined set of standards (the baseline).
A user casually browsing the Internet is redirected to a warez site where a number of pop-ups appear. After clicking on a pop-up to complete a survey, a drive-by download occurs. Which of the following is MOST likely to be contained in the download? A. Backdoor B. Spyware C. Logic bomb D. DDoS E. Smurf
Answer: B Explanation Spyware is software that is used to gather information about a person or organization without their knowledge and sends that information to another entity. Whenever spyware is used for malicious purposes, its presence is typically hidden from the user and can be difficult to detect. Some spyware, such as keyloggers, may be installed by the owner of a shared, corporate, or public computer intentionally in order to monitor users.
A bank has a fleet of aging payment terminals used by merchants for transactional processing. The terminals currently support single DES but require an upgrade in order to be compliant with security standards. Which of the following is likely to be the simplest upgrade to the aging terminals which will improve in-transit protection of transactional data? A. AES B. 3DES C. RC4 D. WPA2
Answer: B Explanation: 3DES (Triple DES) is based on DES. In cryptography, Triple DES (3DES) is the common name for the Triple Data Encryption Algorithm symmetric-key block cipher, which applies the Data Encryption Standard (DES) cipher algorithm three times to each data block. The electronic payment industry uses Triple DES and continues to develop and promulgate standards based upon it (e.g. EMV). Microsoft OneNote, Microsoft Outlook 2007, and Microsoft System Center Configuration Manager 2012, use Triple DES to password protect user content and system data.
An administrator notices an unusual spike in network traffic from many sources. The administrator suspects that: A. it is being caused by the presence of a rogue access point. B. it is the beginning of a DDoS attack. C. the IDS has been compromised. D. the internal DNS tables have been poisoned.
Answer: B Explanation: A Distributed Denial of Service (DDoS) attack is an attack from several different computers targeting a single computer. One common method of attack involves saturating the target machine with external communications requests, so much so that it cannot respond to legitimate traffic, or responds so slowly as to be rendered essentially unavailable. Such attacks usually lead to a server overload. A distributed denial-of-service (DDoS) attack occurs when multiple systems flood the bandwidth or resources of a targeted system, usually one or more web servers. Such an attack is often the result of multiple compromised systems (for example a botnet) flooding the targeted system with traffic. When a server is overloaded with connections, new connections can no longer be accepted. The major advantages to an attacker of using a distributed denial-of-service attack are that multiple machines can generate more attack traffic than one machine, multiple attack machines are harder to turn off than one attack machine, and that the behavior of each attack machine can be stealthier, making it harder to track and shut down. These attacker advantages cause challenges for defense mechanisms. For example, merely purchasing more incoming bandwidth than the current volume of the attack might not help, because the attacker might be able to simply add more attack machines. This after all will end up completely crashing a website for periods of time. Malware can carry DDoS attack mechanisms; one of the better-known examples of this was MyDoom. Its DoS mechanism was triggered on a specific date and time. This type of DDoS involved hardcoding the target IP address prior to release of the malware and no further interaction was necessary to launch the attack.
A security technician wishes to gather and analyze all Web traffic during a particular time period. Which of the following represents the BEST approach to gathering the required data? A. Configure a VPN concentrator to log all traffic destined for ports 80 and 443. B. Configure a proxy server to log all traffic destined for ports 80 and 443. C. Configure a switch to log all traffic destined for ports 80 and 443. D. Configure a NIDS to log all traffic destined for ports 80 and 443.
Answer: B Explanation: A proxy server is in essence a device that acts on behalf of others and in security terms all internal user interaction with the Internet should be controlled through a proxy server. This makes a proxy server the best tool to gather the required data.
A company is installing a new security measure that would allow one person at a time to be authenticated to an area without human interaction. Which of the following does this describe? A. Fencing B. Mantrap C. A guard D. Video surveillance
Answer: B Explanation: Mantraps make use of electronic locks and are designed to allow you to limit the amount of individual allowed access to an area at any one time
A server with the IP address of 10.10.2.4 has been having intermittent connection issues. The logs show repeated connection attempts from the following IPs: 10.10.3.16 10.10.3.23 212.178.24.26 217.24.94.83 These attempts are overloading the server to the point that it cannot respond to traffic. Which of the following attacks is occurring? A. XSS B. DDoS C. DoS D. Xmas
Answer: B Explanation: A Distributed Denial of Service (DDoS) attack is an attack from several different computers targeting a single computer. One common method of attack involves saturating the target machine with external communications requests, so much so that it cannot respond to legitimate traffic, or responds so slowly as to be rendered essentially unavailable. Such attacks usually lead to a server overload. A distributed denial-of-service (DDoS) attack occurs when multiple systems flood the bandwidth or resources of a targeted system, usually one or more web servers. Such an attack is often the result of multiple compromised systems (for example a botnet) flooding the targeted system with traffic. When a server is overloaded with connections, new connections can no longer be accepted. The major advantages to an attacker of using a distributed denial-of-service attack are that multiple machines can generate more attack traffic than one machine, multiple attack machines are harder to turn off than one attack machine, and that the behavior of each attackmachine can be stealthier, making it harder to track and shut down. These attacker advantages cause challenges for defense mechanisms. For example, merely purchasing more incoming bandwidth than the current volume of the attack might not help, because the attacker might be able to simply add more attack machines. This after all will end up completely crashing a website for periods of time. Malware can carry DDoS attack mechanisms; one of the better-known examples of this was MyDoom. Its DoS mechanism was triggered on a specific date and time. This type of DDoS involved hardcoding the target IP address prior to release of the malware and no further interaction was necessary to launch the attack.
Which of the following BEST allows Pete, a security administrator, to determine the type, source, and flags of the packet traversing a network for troubleshooting purposes? A. Switches B. Protocol analyzers C. Routers D. Web security gateways
Answer: B Explanation: A Protocol Analyzer is a hardware device or more commonly a software program used to capture network data communications sent between devices on a network. By capturing and analyzingthe packets, Pete will be able to determine the type, source, and flags of the packets traversing a network for troubleshooting purposes. Well known software protocol analyzers include Message Analyzer (formerly Network Monitor) from Microsoft and Wireshark (formerly Ethereal).
Maintenance workers find an active network switch hidden above a dropped-ceiling tile in the CEO's office with various connected cables from the office. Which of the following describes the type of attack that was occurring? A. Spear phishing B. Packet sniffing C. Impersonation D. MAC flooding
Answer: B Explanation: A Protocol Analyzer is a hardware device or more commonly a software program used to capture network data communications sent between devices on a network. Capturing packets sent from a computer system is known as packet sniffing. However, packet sniffing requires a physical connection to the network. The switch hidden in the ceiling is used to provide the physical connection to the network. Well known software protocol analyzers include Message Analyzer (formerly Network Monitor) from Microsoft and Wireshark (formerly Ethereal). A sniffer (packet sniffer) is a tool that intercepts data flowing in a network. If computers are connected to a local area network that is not filtered or switched, the traffic can be broadcast to all computers contained in the same segment. This doesn't generally occur, since computers are generally told to ignore all the comings and goings of traffic from other computers. However, in the case of a sniffer, all traffic is shared when the sniffer software commands the Network Interface Card (NIC) to stop ignoring the traffic. The NIC is put into promiscuous mode, and it reads communications between computers within a particular segment. This allows the sniffer to seize everything that is flowing in the network, which can lead to the unauthorized access of sensitive data. A packet sniffer can take the form of either a hardware or software solution. A sniffer is also known as a packet analyzer.
An administrator wants to establish a WiFi network using a high gain directional antenna with a narrow radiation pattern to connect two buildings separated by a very long distance. Which of the following antennas would be BEST for this situation? A. Dipole B. Yagi C. Sector D. Omni
Answer: B Explanation: A Yagi-Uda antenna, commonly known simply as a Yagi antenna, is a directional antenna consisting of multiple parallel dipole elements in a line, usually made of metal rods. It consists ofa single driven element connected to the transmitter or receiver with a transmission line, and additional parasitic elements: a so-called reflector and one or more directors. The reflector element is slightly longer than the driven dipole, whereas the directors are a little shorter. This design achieves a very substantial increase in the antenna's directionality and gain compared to a simple dipole.
A trojan was recently discovered on a server. There are now concerns that there has been a security breach that allows unauthorized people to access data. The administrator should be looking for the presence of a/an: A. Logic bomb. B. Backdoor. C. Adware application. D. Rootkit
Answer: B Explanation: A backdoor in a computer system (or cryptosystem or algorithm) is a method of bypassing normal authentication, securing unauthorized remote access to a computer, obtaining access to plaintext, and so on, while attempting to remain undetected. The backdoor may take the form of an installed program (e.g., Back Orifice) or may subvert the system through a rootkit. A backdoor in a login system might take the form of a hard coded user and password combination which gives access to the system. Although the number of backdoors in systems using proprietary software (software whose source code is not publicly available) is not widely credited, they are nevertheless frequently exposed. Programmers have even succeeded in secretly installing large amounts of benign code as Easter eggs in programs, although such cases may involve official forbearance, if not actual permission. Many computer worms, such as Sobig and Mydoom, install a backdoor on the affected computer (generally a PC on broadband running Microsoft Windows and Microsoft Outlook). Such backdoors appear to be installed so that spammers can send junk e-mail from the infected machines. Others, such as the Sony/BMG rootkit distributed silently on millions of music CDs through late 2005, are intended as DRM measures—and, in that case, as data gathering agents, since both surreptitious programs they installed routinely contacted central servers.
Which of the following is the MOST important step for preserving evidence during forensic procedures? A. Involve law enforcement B. Chain of custody C. Record the time of the incident D. Report within one hour of discovery
Answer: B Explanation: Chain of custody deals with how evidence is secured, where it is stored, and who has access to it. When you begin to collect evidence, you must keep track of that evidence at all times and show who has it, who has seen it, and where it has been. The evidence must always be within your custody, or you're open to dispute about possible evidence tampering. Thus to preserve evidence during a forensic procedure the chain of custody is of utmost importance.
Pete, a security analyst, has been tasked with explaining the different types of malware to his colleagues. The two malware types that the group seems to be most interested in are botnets and viruses. Which of the following explains the difference between these two types of malware? A. Viruses are a subset of botnets which are used as part of SYN attacks. B. Botnets are a subset of malware which are used as part of DDoS attacks. C. Viruses are a class of malware which create hidden openings within an OS. D. Botnets are used within DR to ensure network uptime and viruses are not.
Answer: B Explanation: A botnet is a collection of Internet-connected programs communicating with other similar programs in order to perform tasks. This can be as mundane as keeping control of an Internet Relay Chat (IRC) channel, or it could be used to send spam email or participate in distributed denial-of-service attacks. The word botnet is a combination of the words robot and network. The term is usually used with a negative or malicious connotation. Computers can be co-opted into a botnet when they execute malicious software. This can be accomplished by luring users into making a drive-by download, exploiting web browser vulnerabilities, or by tricking the user into running a Trojan horse program, which may come from an email attachment. This malware will typically install modules that allow the computer to be commanded and controlled by the botnet's operator. Many computer users are unaware that their computer is infected with bots. Depending on how it is written, a Trojan may then delete itself, or may remain present to update and maintain the modules.
Which of the following components MUST be trusted by all parties in PKI? A. Key escrow B. CA C. Private key D. Recovery key
Answer: B Explanation: A certificate authority (CA) is an organization that is responsible for issuing, revoking, and distributing certificates. In a simple trust model all parties must trust the CA. In a more complicated trust model all parties must trust the Root CA.
Establishing a method to erase or clear cluster tips is an example of securing which of the following? A. Data in transit B. Data at rest C. Data in use D. Data in motion
Answer: B Explanation: A computer hard disk is divided into small segments called clusters. A file stored on a hard disk usually spans several clusters but rarely fills the last cluster, which is called cluster tip. This cluster tip area may contain file data because the size of the file you are working with may grow or shrink and needs to be securely deleted. Data stored on the hard drive is called data at rest
A company's employees were victims of a spear phishing campaign impersonating the CEO. The company would now like to implement a solution to improve the overall security posture by assuring their employees that email originated from the CEO. Which of the following controls could they implement to BEST meet this goal? A. Spam filter B. Digital signatures C. Antivirus software D. Digital certificates
Answer: B Explanation: A digital signature is a mathematical technique used to validate the authenticity and integrity of a message, software, or digital document. The digital equivalent of a handwritten signature or stamped seal, but offering far more inherent security, a digital signature is intended to solve the problem of tampering and impersonation in digital communications. Digital signatures can provide the added assurances of evidence to origin, identity and status of an electronic document, transaction or message, as well as acknowledging informed consent by the signer. Digital signatures are based on public key cryptography, also known as asymmetric cryptography. Using a public key algorithm such as RSA, one can generate two keys that are mathematically linked: one private and one public. To create a digital signature, signing software (such as an email program) creates a one-way hash of the electronic data to be signed. The private key is then used to encrypt the hash. The encrypted hash -- along with other information, such as the hashing algorithm -- is the digital signature. The reason for encrypting the hash instead of the entire message or document is that a hash function can convert an arbitrary input into a fixed length value, which is usually much shorter. This saves time since hashing is much faster than signing.
A company would like to take electronic orders from a partner; however, they are concerned that a non-authorized person may send an order. The legal department asks if there is a solution that provides non-repudiation. Which of the following would meet the requirements of this scenario? A. Encryption B. Digital signatures C. Steganography D. Hashing E. Perfect forward secrecy
Answer: B Explanation: A digital signature is an electronic mechanism to prove that a message was sent from a specific user (that is, it provides for non-repudiation) and that the message wasn't changed while in transit (it also provides integrity). Thus digital signatures will meet the stated requirements.
After a production outage, which of the following documents contains detailed information on the order in which the system should be restored to service? A. Succession planning B. Disaster recovery plan C. Information security plan D. Business impact analysis
Answer: B Explanation: A disaster-recovery plan, or scheme, helps an organization respond effectively when a disaster occurs. Disasters may include system failure, network failure, infrastructure failure, and natural disaster. The primary emphasis of such a plan is reestablishing services and minimizing losses
Due to issues with building keys being duplicated and distributed, a security administrator wishes to change to a different security control regarding a restricted area. The goal is to provide access based upon facial recognition. Which of the following will address this requirement? A. Set up mantraps to avoid tailgating of approved users. B. Place a guard at the entrance to approve access. C. Install a fingerprint scanner at the entrance. D. Implement proximity readers to scan users' badges.
Answer: B Explanation: A guard can be instructed to deny access until authentication has occurred will address the situation adequately.
An Information Systems Security Officer (ISSO) has been placed in charge of a classified peer-topeer network that cannot connect to the Internet. The ISSO can update the antivirus definitions manually, but which of the following steps is MOST important? A. A full scan must be run on the network after the DAT file is installed. B. The signatures must have a hash value equal to what is displayed on the vendor site. C. The definition file must be updated within seven days. D. All users must be logged off of the network prior to the installation of the definition file.
Answer: B Explanation: A hash value can be used to uniquely identify secret information. This requires that the hash function is collision resistant, which means that it is very hard to find data that generate the same hash value and thus it means that in hashing two different inputs will not yield the same output. Thus the hash value must be equal to that displayed on the vendor site.
A security administrator wants to get a real time look at what attackers are doing in the wild, hoping to lower the risk of zero-day attacks. Which of the following should be used to accomplish this goal? A. Penetration testing B. Honeynets C. Vulnerability scanning D. Baseline reporting
Answer: B Explanation: A honeynet is a network set up with intentional vulnerabilities; its purpose is to invite attack, so that an attacker's activities and methods can be studied and that information used to increase network security. A honeynet contains one or more honey pots, which are computer systems on the Internet expressly set up to attract and "trap" people who attempt to penetrate other people's computer systems. Although the primary purpose of a honeynet is to gather information about attackers' methods and motives, the decoy network can benefit its operator in other ways, for example by diverting attackers from a real network and its resources. The Honeynet Project, a non-profit research organization dedicated to computer security and information sharing, actively promotes the deployment of honeynets. In addition to the honey pots, a honeynet usually has real applications and services so that it seems like a normal network and a worthwhile target. However, because the honeynet doesn't actually serve any authorized users, any attempt to contact the network from without is likely an illicit attempt to breach its security, and any outbound activity is likely evidence that a system has been compromised. For this reason, the suspect information is much more apparent than it would be in an actual network, where it would have to be found amidst all the legitimate network data. Applications within a honeynet are often given names such as "Finances" or "Human Services" to make them sound appealing to the attacker. A virtual honeynet is one that, while appearing to be an entire network, resides on a single server.
Which of the following should an administrator implement to research current attack methodologies? A. Design reviews B. Honeypot C. Vulnerability scanner D. Code reviews
Answer: B Explanation: A honeypot is a system whose purpose it is to be attacked. An administrator can watch and study the attack to research current attack methodologies. According to the Wepopedia.com, a Honeypot luring a hacker into a system has several main purposes: The administrator can watch the hacker exploit the vulnerabilities of the system, thereby learning where the system has weaknesses that need to be redesigned. The hacker can be caught and stopped while trying to obtain root access to the system. By studying the activities of hackers, designers can better create more secure systems that are potentially invulnerable to future hackers. There are two main types of honeypots: Production - A production honeypot is one used within an organization's environment to help mitigate risk. Research - A research honeypot add value to research in computer security by providing a platform to study the threat.
Which of the following is an important step in the initial stages of deploying a host-based firewall? A. Selecting identification versus authentication B. Determining the list of exceptions C. Choosing an encryption algorithm D. Setting time of day restrictions
Answer: B Explanation: A host-based firewall is installed on a client system and is used to protect the client system from the activities of the user as well as from communication from the network or Internet. These firewalls manage network traffic using filters to block certain ports and protocols while allowing others to pass through the system.
Which of the following disaster recovery strategies has the highest cost and shortest recovery time? A. Warm site B. Hot site C. Cold site D. Co-location site
Answer: B Explanation: A hot site is a location that can provide operations within hours of a failure. This type of site would have servers, networks, and telecommunications equipment in place to reestablish service in a short time. Hot sites provide network connectivity, systems, and preconfigured software to meet the needs of an organization. Databases can be kept up-to-date using network connections. These types of facilities are expensive, and they're primarily suitable for short-term situations.
A software developer is responsible for writing the code on an accounting application. Another software developer is responsible for developing code on a system in human resources. Once a year they have to switch roles for several weeks. Which of the following practices is being implemented? A. Mandatory vacations B. Job rotation C. Least privilege D. Separation of duties
Answer: B Explanation: A job rotation policy defines intervals at which employees must rotate through positions.
Which of the following types of risk reducing policies also has the added indirect benefit of cross training employees when implemented? A. Least privilege B. Job rotation C. Mandatory vacations D. Separation of duties
Answer: B Explanation: A job rotation policy defines intervals at which employees must rotate through positions. Similar in purpose to mandatory vacations, it helps to ensure that the company does not become too dependent on one person and it does afford the company with the opportunity to place another person in that same job.
A company is looking to reduce the likelihood of employees in the finance department being involved with money laundering. Which of the following controls would BEST mitigate this risk? A. Implement privacy policies B. Enforce mandatory vacations C. Implement a security policy D. Enforce time of day restrictions
Answer: B Explanation: A mandatory vacation policy requires all users to take time away from work to refresh. And in the same time it also gives the company a chance to make sure that others can fill in any gaps in skills and satisfy the need to have replication or duplication at all levels in addition to affording the company an opportunity to discover fraud for when others do the same job in the absence of the regular staff member then there is transparency.
A system administrator has noticed that users change their password many times to cycle back to the original password when their passwords expire. Which of the following would BEST prevent this behavior? A. Assign users passwords based upon job role. B. Enforce a minimum password age policy. C. Prevent users from choosing their own passwords. D. Increase the password expiration time frame
Answer: B Explanation: A minimum password age policy defines the period that a password must be used for before it can be changed
Ann, the security administrator, wishes to implement multifactor security. Which of the following should be implemented in order to compliment password usage and smart cards? A. Hard tokens B. Fingerprint readers C. Swipe badge readers D. Passphrases
Answer: B Explanation: A multifactor authentication method uses two or more processes for logon. A twofactor method might use smart cards and biometrics for logon. For obvious reasons, the two or more factors employed should not be from the same category.
Which of the following is where an unauthorized device is found allowing access to a network? A. Bluesnarfing B. Rogue access point C. Honeypot D. IV attack
Answer: B Explanation: A rogue access point is a wireless access point that has either been installed on a secure company network without explicit authorization from a local network administrator, or has been created to allow a hacker to conduct a man-in-the-middle attack. Rogue access points of the first kind can pose a security threat to large organizations with many employees, because anyone with access to the premises can install (maliciously or non-maliciously) an inexpensive wireless router that can potentially allow access to a secure network to unauthorized parties. Rogue access points of the second kind target networks that do not employ mutual authentication (client-server serverclient) and may be used in conjunction with a rogue RADIUS server, depending on security configuration of the target network. To prevent the installation of rogue access points, organizations can install wireless intrusion prevention systems to monitor the radio spectrum for unauthorized access points
A certificate used on an ecommerce web server is about to expire. Which of the following will occur if the certificate is allowed to expire? A. The certificate will be added to the Certificate Revocation List (CRL). B. Clients will be notified that the certificate is invalid. C. The ecommerce site will not function until the certificate is renewed. D. The ecommerce site will no longer use encryption
Answer: B Explanation: A similar process to certificate revocation will occur when a certificate is allowed to expire. Notification will be sent out to clients of the invalid certificate. The process of revoking a certificate begins when the CA is notified that a particular certificate needs to be revoked. This must be done whenever the private key becomes known. The owner of a certificate can request that it be revoked at any time, or the administrator can make the request
Which of the following will help prevent smurf attacks? A. Allowing necessary UDP packets in and out of the network B. Disabling directed broadcast on border routers C. Disabling unused services on the gateway firewall D. Flash the BIOS with the latest firmware
Answer: B Explanation: A smurf attack involves sending PING requests to a broadcast address. Therefore, we can prevent smurf attacks by blocking broadcast packets on our external routers. A smurf attack is a type of network security breach in which a network connected to the Internet is swamped with replies to ICMP echo (PING) requests. A smurf attacker sends PING requests to an Internet broadcast address. These are special addresses that broadcast all received messages to the hosts connected to the subnet. Each broadcast address can support up to 255 hosts, so a single PING request can be multiplied 255 times. The return address of the request itself is spoofed to be the address of the attacker's victim. All the hosts receiving the PING request reply to this victim's address instead of the real sender's address. A single attacker sending hundreds or thousands of these PING messages per second can fill the victim's T-1 (or even T-3) line with ping replies, bring the entire Internet service to its knees. Smurfing falls under the general category of Denial of Service attacks -- security attacks that don't try to steal information, but instead attempt to disable a computer or network.
An administrator is instructed to disable IP-directed broadcasts on all routers in an organization. Which of the following attacks does this prevent? A. Pharming B. Smurf C. Replay D. Xmas
Answer: B Explanation: A smurf attack is a type of network security breach in which a network connected to the Internet is swamped with replies to ICMP echo (PING) requests. A smurf attacker sends PING requests to an Internet broadcast address. These are special addresses that broadcast all received messages to the hosts connected to the subnet. Each broadcast address can support up to 255 hosts, so a single PING request can be multiplied 255 times. The return address of the request itself is spoofed to be the address of the attacker's victim. All the hosts receiving the PING request reply to this victim's address instead of the real sender's address. A single attacker sending hundreds or thousands of these PING messages per second can fill the victim's Internet connection with ping replies, bringing their entire Internet service to its knees. Smurfing falls under the general category of Denial of Service attacks -- security attacks that don't try to steal information, but instead attempt to disable a computer or network. By disabling IP-directed broadcasts on all routers, we can prevent the smurf attack by blocking the ping requests to broadcast addresses.
Computer evidence at a crime is preserved by making an exact copy of the hard disk. Which of the following does this illustrate? A. Taking screenshots B. System image capture C. Chain of custody D. Order of volatility
Answer: B Explanation: A system image would be a snapshot of what exists at the moment. Thus capturing an image of the operating system in its exploited state can be helpful in revisiting the issue after the fact to learn more about it.
A large corporation has data centers geographically distributed across multiple continents. The company needs to securely transfer large amounts of data between the data center. The data transfer can be accomplished physically or electronically, but must prevent eavesdropping while the data is on transit. Which of the following represents the BEST cryptographic solution? A. Driving a van full of Micro SD cards from data center to data center to transfer data B. Exchanging VPN keys between each data center via an SSL connection and transferring the data in the VPN C. Using a courier to deliver symmetric VPN keys to each data center and transferring data in the VPN D. Using PKI to encrypt each file and transferring them via an Internet based FTP or cloud server
Answer: B Explanation: A virtual private network (VPN) is an encrypted communication tunnel that connects two systems over an untrusted network, such as the Internet. They provide security for both authentication and data transmission through a process called encapsulation. Secure Sockets Layer (SSL) can be used to exchange the VPN keys securely. SSL is used to establish secure TCP communication between two machines by encrypting the communication
Which of the following MOST specifically defines the procedures to follow when scheduled system patching fails resulting in system outages? A. Risk transference B. Change management C. Configuration management D. Access control revalidation
Answer: B Explanation: Change Management is a risk mitigation approach and refers to the structured approach that is followed to secure a company's assets. In this case 'scheduled system patching'.
Which of the following would Pete, a security administrator, do to limit a wireless signal from penetrating the exterior walls? A. Implement TKIP encryption B. Consider antenna placement C. Disable the SSID broadcast D. Disable WPA
Answer: B Explanation: Cinderblock walls, metal cabinets, and other barriers can reduce signal strength significantly. Therefore, antenna placement is critical.
A security administrator wants to perform routine tests on the network during working hours when certain applications are being accessed by the most people. Which of the following would allow the security administrator to test the lack of security controls for those applications with the least impact to the system? A. Penetration test B. Vulnerability scan C. Load testing D. Port scanner
Answer: B Explanation: A vulnerability scan is the process of scanning the network and/or I.T. infrastructure for threats and vulnerabilities. The threats and vulnerabilities are then evaluated in a risk assessment and the necessary actions taken to resolve and vulnerabilities. A vulnerability scan scans for known weaknesses such as missing patches or security updates. A vulnerability scan is the automated process of proactively identifying security vulnerabilities of computing systems in a network in order to determine if and where a system can be exploited and/or threatened. While public servers are important for communication and data transfer over the Internet, they open the door to potential security breaches by threat agents, such as malicious hackers. Vulnerability scanning employs software that seeks out security flaws based on a database of known flaws, testing systems for the occurrence of these flaws and generating a report of the findings that an individual or an enterprise can use to tighten the network's security.
Which of the following can only be mitigated through the use of technical controls rather than user security training? A. Shoulder surfing B. Zero-day C. Vishing D. Trojans
Answer: B Explanation: A zero day vulnerability is an unknown vulnerability in a software application. This cannot be prevented by user security training. A zero day vulnerability refers to a hole in software that is unknown to the vendor. This security hole is then exploited by hackers before the vendor becomes aware and hurries to fix it—this exploit is called a zero day attack. Uses of zero day attacks can include infiltrating malware, spyware or allowing unwanted access to user information. The term "zero day" refers to the unknown nature of the hole to those outside of the hackers, specifically, the developers. Once the vulnerability becomes known, a race begins for the developer, who must protect users
A security analyst, Ann, is reviewing an IRC channel and notices that a malicious exploit has been created for a frequently used application. She notifies the software vendor and asks them for remediation steps, but is alarmed to find that no patches are available to mitigate this vulnerability. Which of the following BEST describes this exploit? A. Malicious insider threat B. Zero-day C. Client-side attack D. Malicious add-on
Answer: B Explanation: A zero day vulnerability refers to a hole in software that is unknown to the vendor. This security hole is then exploited by hackers before the vendor becomes aware and hurries to fix it—this exploit is called a zero day attack. Uses of zero day attacks can include infiltrating malware, spyware or allowing unwanted access to user information. The term "zero day" refers to the unknown nature of the hole to those outside of the hackers, specifically, the developers. Once the vulnerability becomes known, a race begins for the developer, who must protect users. In this question, there are no patches are available to mitigate the vulnerability. This is therefore a zero-day vulnerability.
Which of the following risk concepts requires an organization to determine the number of failures per year? A. SLE B. ALE C. MTBF D. Quantitative analysis
Answer: B Explanation: ALE is the annual loss expectancy value. This is a monetary measure of how much loss you could expect in a year.
A security administrator must implement a network that is immune to ARP spoofing attacks. Which of the following should be implemented to ensure that a malicious insider will not be able to successfully use ARP spoofing techniques? A. UDP B. IPv6 C. IPSec D. VPN
Answer: B Explanation: ARP is not used in IPv6 networks. The Address Resolution Protocol (ARP) is a telecommunication protocol used for resolution of network layer addresses into link layer addresses, a critical function in multiple-access networks. ARP is used for converting a network address (e.g. an IPv4 address) to a physical address like an Ethernet address (also named a MAC address). In Internet Protocol Version 6 (IPv6) networks, the functionality of ARP is provided by the Neighbor Discovery Protocol (NDP).
During an audit, the security administrator discovers that there are several users that are no longer employed with the company but still have active user accounts. Which of the following should be performed? A. Account recovery B. Account disablement C. Account lockouts D. Account expiration
Answer: B Explanation: Account Disablement should be implemented when a user will be gone from a company whether they leave temporary or permanently. In the case of permanently leaving the company the account should be disabled. Disablement means that the account will no longer be an active account.
ABC company has a lot of contractors working for them. The provisioning team does not always get notified that a contractor has left the company. Which of the following policies would prevent contractors from having access to systems in the event a contractor has left? A. Annual account review B. Account expiration policy C. Account lockout policy D. Account disablement
Answer: B Explanation: Account expiration is a secure feature to employ on user accounts for temporary workers, interns, or consultants. It automatically disables a user account or causes the account to expire at a specific time and on a specific day.
At the outside break area, an employee, Ann, asked another employee to let her into the building because her badge is missing. Which of the following does this describe? A. Shoulder surfing B. Tailgating C. Whaling D. Impersonation
Answer: B Explanation: Although Ann is an employee and therefore authorized to enter the building, she does not have her badge and therefore strictly she should not be allowed to enter the building. Just as a driver can tailgate another driver's car by following too closely, in the security sense, tailgating means to compromise physical security by following somebody through a door meant to keep out intruders. Tailgating is actually a form of social engineering, whereby someone who is not authorized to enter a particular area does so by following closely behind someone who is authorized
Allowing unauthorized removable devices to connect to computers increases the risk of which of the following? A. Data leakage prevention B. Data exfiltration C. Data classification D. Data deduplication
Answer: B Explanation: Data exfiltration is the unauthorized copying, transfer or retrieval of data from a system.
Which of the following must be kept secret for a public key infrastructure to remain secure? A. Certificate Authority B. Certificate revocation list C. Public key ring D. Private ke
Answer: D Explanation: The private key, which is also called the secret key, must be kept secret.
A computer is found to be infected with malware and a technician re-installs the operating system. The computer remains infected with malware. This is an example of: A. a rootkit. B. a MBR infection. C. an exploit kit. D. Spyware.
Answer: B Explanation: An MBR infection is malware that is installed into the Master Boot Record (MBR) of a hard disk. Reinstalling the operating system does not remove the malware from the MBR. A 'Bootkit' is a rootkit that infects the Master Boot Record. Bootkits are an advanced form of rootkits that take the basic functionality of a rootkit and extend it with the ability to infect the master boot record (MBR) or volume boot record (VBR) so that the bootkit remains active even after a system reboot. Bootkits are designed to not only load from the master boot record but also remain active in the system memory from protected mode through the launch of the operating system and during the computer's active state.
Which of the following types of wireless attacks would be used specifically to impersonate another WAP in order to gain unauthorized information from mobile users? A. IV attack B. Evil twin C. War driving D. Rogue access point
Answer: B Explanation: An evil twin, in the context of network security, is a rogue or fake wireless access point (WAP) that appears as a genuine hotspot offered by a legitimate provider. In an evil twin attack, an eavesdropper or hacker fraudulently creates this rogue hotspot to collect the personal data of unsuspecting users. Sensitive data can be stolen by spying on a connection or using a phishing technique. For example, a hacker using an evil twin exploit may be positioned near an authentic Wi-Fi access point and discover the service set identifier (SSID) and frequency. The hacker may then send a radio signal using the exact same frequency and SSID. To end users, the rogue evil twin appears as their legitimate hotspot with the same name. In wireless transmissions, evil twins are not a new phenomenon. Historically, they were known as honeypots or base station clones. With the advancement of wireless technology and the use of wireless devices in public areas, it is very easy for novice users to set up evil twin exploits.
Which of the following types of attacks involves interception of authentication traffic in an attempt to gain unauthorized access to a wireless network? A. Near field communication B. IV attack C. Evil twin D. Replay attack
Answer: B Explanation: An initialization vector is a random number used in combination with a secret key as a means to encrypt data. This number is sometimes referred to as a nonce, or "number occurring once," as an encryption program uses it only once per session. An initialization vector is used to avoid repetition during the data encryption process, making it impossible for hackers who use dictionary attack to decrypt the exchanged encrypted message by discovering a pattern. This is known as an IV attack. A particular binary sequence may be repeated more than once in a message, and the more it appears, the more the encryption method is discoverable. For example if a one-letter word exists in a message, it may be either "a" or "I" but it can't be "e" because the word "e" is non-sensical in English, while "a" has a meaning and "I" has a meaning. Repeating the words and letters makes it possible for software to apply a dictionary and discover the binary sequence corresponding to each letter. Using an initialization vector changes the binary sequence corresponding to each letter, enabling the letter "a" to be represented by a particular sequence in the first instance, and then represented by a completely different binary sequence in the second instance. WEP (Wireless Equivalent Privacy) is vulnerable to an IV attack. Because RC4 is a stream cipher, the same traffic key must never be used twice. The purpose of an IV, which is transmitted as plain text, is to prevent any repetition, but a 24-bit IV is not long enough to ensure this on a busy network. The way the IV was used also opened WEP to a related key attack. For a 24-bit IV, there is a 50% probability the same IV will repeat after 5000 packets.
It has been discovered that students are using kiosk tablets intended for registration and scheduling to play games and utilize instant messaging. Which of the following could BEST eliminate this issue? A. Device encryption B. Application control C. Content filtering D. Screen-locks
Answer: B Explanation: Application control is the process of controlling what applications are installed on a device. This may reduce exposure to malicious software by limiting the user's ability to install applications that come from unknown sources or have no work-related features.
Which of the following protocols encapsulates an IP packet with an additional IP header? A. SFTP B. IPSec C. HTTPS D. SSL
Answer: B Explanation: Authentication Header (AH) is a member of the IPsec protocol suite. AH operates directly on top of IP, using IP protocol number 51.
An organization's security policy states that users must authenticate using something you do. Which of the following would meet the objectives of the security policy? A. Fingerprint analysis B. Signature analysis C. Swipe a badge D. Password
Answer: B Explanation: Authentication systems or methods are based on one or more of these five factors: Something you know, such as a password or PIN Something you have, such as a smart card, token, or identification device Something you are, such as your fingerprints or retinal pattern (often called biometrics) Something you do, such as an action you must take to complete authentication Somewhere you are (this is based on geolocation) Writing your signature on a document is 'something you do'. Someone can then analyze the signature to see if it matches one stored on record.
A hacker has discovered a simple way to disrupt business for the day in a small company which relies on staff working remotely. In a matter of minutes the hacker was able to deny remotely working staff access to company systems with a script. Which of the following security controls is the hacker exploiting? A. DoS B. Account lockout C. Password recovery D. Password complexity
Answer: B Explanation: B: Account lockout automatically disables an account due to repeated failed log on attempts. The hacker must have executed a script to repeatedly try logging on to the remote accounts, forcing the account lockout policy to activate
A new security analyst is given the task of determining whether any of the company's servers are vulnerable to a recently discovered attack on an old version of SSH. Which of the following is the quickest FIRST step toward determining the version of SSH running on these servers? A. Passive scanning B. Banner grabbing C. Protocol analysis D. Penetration testing
Answer: B Explanation: B: Banner grabbing looks at the banner, or header information messages sent with data to find out about the system(s). Banners often identify the host, the operating system running on it, and other information that can be useful if you are going to attempt to later breach the security of it. Banners can be snagged with Telnet as well as tools like netcat or Nmap. In other words Banner grabbing looks at the banner, or header, information messages sent with data to find out about the system(s). Thus a quick way to check which version of SSH is running on your server.
A security analyst noticed a colleague typing the following command: `Telnet some-host 443' Which of the following was the colleague performing? A. A hacking attempt to the some-host web server with the purpose of achieving a distributed denial of service attack. B. A quick test to see if there is a service running on some-host TCP/443, which is being routed correctly and not blocked by a firewall. C. Trying to establish an insecure remote management session. The colleague should be using SSH or terminal services instead. D. A mistaken port being entered because telnet servers typically do not listen on port 443.
Answer: B Explanation: B: The Telnet program parameters are: telnet <hostname> <port> <hostname> is the name or IP address of the remote server to connect to. <port> is the port number of the service to use for the connection. TCP port 443 provides the HTTPS (used for secure web connections) service; it is the default SSL port. By running the Telnet some-host 443 command, the security analyst is checking that routing is done properly and not blocked by a firewall.
Matt, an administrator, is concerned about the wireless network being discovered by war driving. Which of the following can be done to mitigate this? A. Enforce a policy for all users to authentic through a biometric device. B. Disable all SSID broadcasting. C. Ensure all access points are running the latest firmware. D. Move all access points into public access areas.
Answer: B Explanation: B: War driving is the act of using a detection tool to look for wireless networking signals. The setting making a wireless network closed (or at least hidden) is the disabling of service set identifier (SSID) broadcasting. Thus by disabling all SSID broadcasting you can mitigate the risk of war driving.
Pete, the system administrator, has blocked users from accessing social media web sites. In addition to protecting company information from being accidentally leaked, which additional security benefit does this provide? A. No competition with the company's official social presence B. Protection against malware introduced by banner ads C. Increased user productivity based upon fewer distractions D. Elimination of risks caused by unauthorized P2P file sharing
Answer: B Explanation: Banner, or header information messages sent with data to find out about the system(s) does happen. Banners often identify the host, the operating system running on it, and other information that can be useful if you are going to attempt to later breach the security of it.
In which of the following categories would creating a corporate privacy policy, drafting acceptable use policies, and group based access control be classified? A. Security control frameworks B. Best practice C. Access control methodologies D. Compliance activity
Answer: B Explanation: Best practices are based on what is known in the industry and those methods that have consistently shown superior results over those achieved by other means. Furthermore best practices are applied to all aspects in the work environment
The Quality Assurance team is testing a new third party developed application. The Quality team does not have any experience with the application. Which of the following is the team performing? A. Grey box testing B. Black box testing C. Penetration testing D. White box testing
Answer: B Explanation: Black-box testing is a method of software testing that examines the functionality of an application without peering into its internal structures or workings. This method of test can be applied to virtually every level of software testing: unit, integration, system and acceptance. It typically comprises most if not all higher level testing, but can also dominate unit testing as well. Specific knowledge of the application's code/internal structure and programming knowledge in general is not required. The tester is aware of what the software is supposed to do but is not aware of how it does it. For instance, the tester is aware that a particular input returns a certain, invariable output but is not aware of how the software produces the output in the first place.
Sara, a security engineer, is testing encryption ciphers for performance. Which of the following ciphers offers strong encryption with the FASTEST speed? A. 3DES B. Blowfish C. Serpent D. AES256
Answer: B Explanation: Blowfish is an encryption system invented by a team led by Bruce Schneier that performs a 64-bit block cipher at very fast speeds. Blowfish is a fast, except when changing keys. It is a symmetric block cipher that can use variable-length keys (from 32 bits to 448 bits).
Which of the following should be used when a business needs a block cipher with minimal key size for internal encryption? A. AES B. Blowfish C. RC5 D. 3DES
Answer: B Explanation: Blowfish is an encryption system invented by a team led by Bruce Schneier that performs a 64-bit block cipher at very fast speeds. It is a symmetric block cipher that can use variable-length keys (from 32 bits to 448 bits).
Joe, an employee is taking a taxi through a busy city and starts to receive unsolicited files sent to his Smartphone. Which of the following is this an example of? A. Vishing B. Bluejacking C. War Driving D. SPIM E. Bluesnarfing
Answer: B Explanation: Bluejacking is the sending of unsolicited messages over Bluetooth to Bluetooth-enabled devices such as mobile phones, PDAs or laptop computers, sending a vCard which typically contains a message in the name field (i.e., for bluedating or bluechat) to another Bluetooth-enabled device via the OBEX protocol. Bluetooth has a very limited range, usually around 10 metres (32.8 ft) on mobile phones, but laptops can reach up to 100 metres (328 ft) with powerful (Class 1) transmitters. Bluejacking is usually harmless, but because bluejacked people generally don't know what has happened, they may think that their phone is malfunctioning. Usually, a bluejacker will only send a text message, but with modern phones it's possible to send images or sounds as well. Bluejacking has been used in guerrilla marketing campaigns to promote advergames
Which of the following describes how Sara, an attacker, can send unwanted advertisements to a mobile device? A. Man-in-the-middle B. Bluejacking C. Bluesnarfing D. Packet sniffing
Answer: B Explanation: Bluejacking is the sending of unsolicited messages over Bluetooth to Bluetooth-enabled devices such as mobile phones, PDAs or laptop computers, sending a vCard which typically contains a message in the name field (i.e., for bluedating or bluechat) to another Bluetooth-enabled device via the OBEX protocol. Bluetooth has a very limited range, usually around 10 metres (32.8 ft) on mobile phones, but laptops can reach up to 100 metres (328 ft) with powerful (Class 1) transmitters. Bluejacking is usually harmless, but because bluejacked people generally don't know what has happened, they may think that their phone is malfunctioning. Usually, a bluejacker will only send a text message, but with modern phones it's possible to send images or sounds as well. Bluejacking has been used in guerrilla marketing campaigns to promote advergames.
An administrator has advised against the use of Bluetooth phones due to bluesnarfing concerns. Which of the following is an example of this threat? A. An attacker using the phone remotely for spoofing other phone numbers B. Unauthorized intrusions into the phone to access data C. The Bluetooth enabled phone causing signal interference with the network D. An attacker using exploits that allow the phone to be disabled
Answer: B Explanation: Bluesnarfing is the theft of information from a wireless device through a Bluetooth connection. Bluetooth is a high-speed but very short-range wireless technology for exchanging data between desktop and mobile computers, personal digital assistants (PDAs), and other devices. By exploiting a vulnerability in the way Bluetooth is implemented on a mobile phone, an attacker can access information -- such as the user's calendar, contact list and e-mail and text messages -without leaving any evidence of the attack. Other devices that use Bluetooth, such as laptop computers, may also be vulnerable, although to a lesser extent, by virtue of their more complex systems. Operating in invisible mode protects some devices, but others are vulnerable as long as Bluetooth is enabled.
Which of the following application attacks is used to gain access to SEH? A. Cookie stealing B. Buffer overflow C. Directory traversal D. XML injection
Answer: B Explanation: Buffer overflow protection is used to detect the most common buffer overflows by checking that the stack has not been altered when a function returns. If it has been altered, the program exits with a segmentation fault. Microsoft's implementation of Data Execution Prevention (DEP) mode explicitly protects the pointer to the Structured Exception Handler (SEH) from being overwritten. A buffer overflow occurs when a program or process tries to store more data in a buffer (temporary data storage area) than it was intended to hold. Since buffers are created to contain a finite amount of data, the extra information - which has to go somewhere - can overflow into adjacent buffers, corrupting or overwriting the valid data held in them. Although it may occur accidentally through programming error, buffer overflow is an increasingly common type of security attack on data integrity. In buffer overflow attacks, the extra data may contain codes designed to trigger specific actions, in effect sending new instructions to the attacked computer that could, for example, damage the user's files, change data, or disclose confidential information. Buffer overflow attacks are said to have arisen because the C programming language supplied the framework, and poor programming practices supplied the vulnerability.
A user was reissued a smart card after the previous smart card had expired. The user is able to log into the domain but is now unable to send digitally signed or encrypted email. Which of the following would the user need to perform? A. Remove all previous smart card certificates from the local certificate store. B. Publish the new certificates to the global address list. C. Make the certificates available to the operating system. D. Recover the previous smart card certificates
Answer: B Explanation: CAs can be either private or public, with VeriSign being one of the best known of the public variety. Many operating system providers allow their systems to be configured as CA systems.These CA systems can be used to generate internal certificates that are used within a business or in large external settings. The process provides certificates to the users. Since the user in question has been re-issued a smart card, the user must receive a new certificate by the CA to allow the user to send digitally signed email. This is achieved by publishing the new certificates to the global address list.
An access point has been configured for AES encryption but a client is unable to connect to it. Which of the following should be configured on the client to fix this issue? A. WEP B. CCMP C. TKIP D. RC4
Answer: B Explanation: CCMP is an encryption protocol designed for Wireless LAN products that implement the standards of the IEEE 802.11i amendment to the original IEEE 802.11 standard. CCMP is an enhanced data cryptographic encapsulation mechanism designed for data confidentiality and based upon the Counter Mode with CBC-MAC (CCM) of the AES standard.
A retail store uses a wireless network for its employees to access inventory from anywhere in the store. Due to concerns regarding the aging wireless network, the store manager has brought in a consultant to harden the network. During the site survey, the consultant discovers that the network was using WEP encryption. Which of the following would be the BEST course of action for the consultant to recommend? A. Replace the unidirectional antenna at the front of the store with an omni-directional antenna. B. Change the encryption used so that the encryption protocol is CCMP-based. C. Disable the network's SSID and configure the router to only access store devices based on MAC addresses. D. Increase the access point's encryption from WEP to WPA TKIP.
Answer: B Explanation: CCMP is the standard encryption protocol for use with the WPA2 standard and is much more secure than the WEP protocol and TKIP protocol of WPA. CCMP provides the following security services: Data confidentiality; ensures only authorized parties can access the information Authentication; provides proof of genuineness of the user Access control in conjunction with layer management Incorrect Options: A: The antenna type deals with signal strength and direction. It will not have a bearing on whether technology is older. C: This option would "cloak" the network, not harden the network. D: WPA2, which uses CCMP as its standard encryption protocol, more secure than WPA-TKIP.
The security administrator has been tasked to update all the access points to provide a more secure connection. All access points currently use WPA TKIP for encryption. Which of the following would be configured to provide more secure connections? A. WEP B. WPA2 CCMP C. Disable SSID broadcast and increase power levels D. MAC filtering
Answer: B Explanation: CCMP makes use of 128-bit AES encryption with a 48-bit initialization vector. This initialization vector makes cracking a bit more difficult.
A company has two server administrators that work overnight to apply patches to minimize disruption to the company. With the limited working staff, a security engineer performs a risk assessment to ensure the protection controls are in place to monitor all assets including the administrators in case of an emergency. Which of the following should be in place? A. NIDS B. CCTV C. Firewall D. NIPS
Answer: B Explanation: CCTV are an excellent way to deter unwanted activity and it records the occurrence of the event, in case it does happen. Cameras can be placed to watch points of entry, to monitor activitiesaround valuable assets as well as provide additional protection in areas such as parking areas and walkways.
Which of the following devices will help prevent a laptop from being removed from a certain location? A. Device encryption B. Cable locks C. GPS tracking D. Remote data wipes
Answer: B Explanation: Cable locks are theft deterrent devices that can be used to tether a device to a fixed point keep smaller devices from being easy to steal.
A victim is logged onto a popular home router forum site in order to troubleshoot some router configuration issues. The router is a fairly standard configuration and has an IP address of 192.168.1.1. The victim is logged into their router administrative interface in one tab and clicks a forum link in another tab. Due to clicking the forum link, the home router reboots. Which of the following attacks MOST likely occurred? A. Brute force password attack B. Cross-site request forgery C. Cross-site scripting D. Fuzzing
Answer: B Explanation: Cross-Site Request Forgery—also known as XSRF, session riding, and one-click attack—involves unauthorized commands coming from a trusted user to the website. This is often done without the user's knowledge, and it employs some type of social networking to pull it off. For example, assume that Evan and Spencer are chatting through Facebook. Spencer sends Evan a link to what he purports is a funny video that will crack him up. Evan clicks the link, but it actually brings up Evan's bank account information in another browser tab, takes a screenshot of it, closes the tab, and sends the information to Spencer. The reason the attack is possible is because Evan is a trusted user with his own bank. In order for it to work, Evan would need to have recently accessed that bank's website and have a cookie that had yet to expire. The best protection against crosssite scripting is to disable the running of scripts (and browser profi les).
A security administrator develops a web page and limits input into the fields on the web page as well as filters special characters in output. The administrator is trying to prevent which of the following attacks? A. Spoofing B. XSS C. Fuzzing D. Pharming
Answer: B Explanation: Cross-site scripting (XSS) is a type of computer security vulnerability typically found in Web applications. XSS enables attackers to inject client-side script into Web pages viewed by other users. Cross-site scripting uses known vulnerabilities in web-based applications, their servers, or plug-in systems on which they rely. Exploiting one of these, attackers fold malicious content into the content being delivered from the compromised site. When the resulting combined content arrives at the client-side web browser, it has all been delivered from the trusted source, and thus operates under the permissions granted to that system. By finding ways of injecting malicious scripts into web pages, an attacker can gain elevated access-privileges to sensitive page content, session cookies, and a variety of other information maintained by the browser on behalf of the user. By validating user input and preventing special characters, we can prevent the injection of clientside scripting code
Matt, a security administrator, wants to configure all the switches and routers in the network in order to securely monitor their status. Which of the following protocols would he need to configure on each device? A. SMTP B. SNMPv3 C. IPSec D. SNMP
Answer: B Explanation: Currently, SNMP is predominantly used for monitoring and performance management. SNMPv3 defines a secure version of SNMP and also facilitates remote configuration of the SNMP entities.
During the analysis of a PCAP file, a security analyst noticed several communications with a remote server on port 53. Which of the following protocol types is observed in this traffic? A. FTP B. DNS C. Email D. NetBIOS
Answer: B Explanation: DNS (Domain Name System) uses port 53.
Users at a company report that a popular news website keeps taking them to a web page with derogatory content. This is an example of which of the following? A. Evil twin B. DNS poisoning C. Vishing D. Session hijacking
Answer: B Explanation: DNS spoofing (or DNS cache poisoning) is a computer hacking attack, whereby data is introduced into a Domain Name System (DNS) resolver's cache, causing the name server to return an incorrect IP address, diverting traffic to the attacker's computer (or any other computer). A domain name system server translates a human-readable domain name (such as example.com) into a numerical IP address that is used to route communications between nodes. Normally if the server doesn't know a requested translation it will ask another server, and the process continues recursively. To increase performance, a server will typically remember (cache) these translations for a certain amount of time, so that, if it receives another request for the same translation, it can reply without having to ask the other server again. When a DNS server has received a false translation and caches it for performance optimization, it is considered poisoned, and it supplies the false data to clients. If a DNS server is poisoned, it may return an incorrect IP address, diverting traffic to another computer (in this case, the server hosting the web page with derogatory content)
Data execution prevention is a feature in most operating systems intended to protect against which type of attack? A. Cross-site scripting B. Buffer overflow C. Header manipulation D. SQL injection
Answer: B Explanation: Data Execution Prevention (DEP) is a security feature included in modern operating systems. It marks areas of memory as either "executable" or "nonexecutable", and allows only data in an "executable" area to be run by programs, services, device drivers, etc. It is known to be available in Linux, OS X, Microsoft Windows, iOS and Android operating systems. DEP protects against some program errors, and helps prevent certain malicious exploits, especially attacks that store executable instructions in a data area via a buffer overflow. A buffer overflow occurs when a program or process tries to store more data in a buffer (temporary data storage area) than it was intended to hold. Since buffers are created to contain a finite amount of data, the extra information - which has to go somewhere - can overflow into adjacent buffers, corrupting or overwriting the valid data held in them. Although it may occur accidentally through programming error, buffer overflow is an increasingly common type of security attack on data integrity. In buffer overflow attacks, the extra data may contain codes designed to trigger specific actions, in effect sending new instructions to the attacked computer that could, for example, damage the user's files, change data, or disclose confidential information. Buffer overflow attacks are said to have arisen because the C programming language supplied the framework, and poor programming practices supplied the vulnerability.
The main corporate website has a service level agreement that requires availability 100% of the time, even in the case of a disaster. Which of the following would be required to meet this demand? A. Warm site implementation for the datacenter B. Geographically disparate site redundant datacenter C. Localized clustering of the datacenter D. Cold site implementation for the datacenter
Answer: B Explanation: Data backups, redundant systems, and disaster recovery plans all support availability. AN in this case a geographically disparate site redundant datacenter represents 100% availability regardless of whether a disaster event occurs.
Elastic cloud computing environments often reuse the same physical hardware for multiple customers over time as virtual machines are instantiated and deleted. This has important implications for which of the following data security concerns? A. Hardware integrity B. Data confidentiality C. Availability of servers D. Integrity of data
Answer: B Explanation: Data that is not kept separate or segregated will impact on that data's confidentiality maybe being compromised. Be aware of the fact that your data is only as safe as the data with which it is integrated. For example, assume that your client database is hosted on a server that another company is also using to test an application that they are creating. If their application obtains rootlevel access at some point (such as to change passwords) and crashes at that point, then the user running the application could be left with root permissions and conceivably be to access data on the server for which they are not authorized, such as your client database. Data segregation is crucial; keep your data on secure servers.
After analyzing and correlating activity from multiple sensors, the security administrator has determined that a group of very well organized individuals from an enemy country is responsible for various attempts to breach the company network, through the use of very sophisticated and targeted attacks. Which of the following is this an example of? A. Privilege escalation B. Advanced persistent threat C. Malicious insider threat D. Spear phishing
Answer: B Explanation: Definitions of precisely what an APT is can vary widely, but can best be summarized by their named requirements: Advanced - Criminal operators behind the threat utilize the full spectrum of computer intrusion technologies and techniques. While individual components of the attack may not be classed as particularly "advanced" (e.g. malware components generated from commonly available DIY construction kits, or the use of easily procured exploit materials), their operators can typically access and develop more advanced tools as required. They combine multiple attack methodologies and tools in order to reach and compromise their target. Persistent - Criminal operators give priority to a specific task, rather than opportunistically seeking immediate financial gain. This distinction implies that the attackers are guided by external entities. The attack is conducted through continuous monitoring and interaction in order to achieve the defined objectives. It does not mean a barrage of constant attacks and malware updates. In fact, a "low-and-slow" approach is usually more successful. Threat - means that there is a level of coordinated human involvement in the attack, rather than a mindless and automated piece of code. The criminal operators have a specific objective and are skilled, motivated, organized and well funded.
Which of the following is a BEST practice when dealing with user accounts that will only need to be active for a limited time period? A. When creating the account, set the account to not remember password history. B. When creating the account, set an expiration date on the account. C. When creating the account, set a password expiration date on the account. D. When creating the account, set the account to have time of day restrictions.
Answer: B Explanation: Disablement is a secure feature to employ on user accounts for temporary workers, interns, or consultants. It automatically disables a user account or causes the account to expire at a specific time and on a specific day
Ann, an employee, is cleaning out her desk and disposes of paperwork containing confidential customer information in a recycle bin without shredding it first. This is MOST likely to increase the risk of loss from which of the following attacks? A. Shoulder surfing B. Dumpster diving C. Tailgating D. Spoofing
Answer: B Explanation: Dumpster diving is looking for treasure in someone else's trash. (A dumpster is a large trash container.) In the world of information technology, dumpster diving is a technique used to retrieve information that could be used to carry out an attack on a computer network. Dumpster diving isn't limited to searching through the trash for obvious treasures like access codes or passwords written down on sticky notes. Seemingly innocent information like a phone list, calendar, or organizational chart can be used to assist an attacker using social engineering techniques to gain access to the network. To prevent dumpster divers from learning anything valuable from your trash, experts recommend that your company establish a disposal policywhere all paper, including print-outs, is shredded in a cross-cut shredder before being recycled, all storage media is erased, and all staff is educated about the danger of untracked trash.
After recovering from a data breach in which customer data was lost, the legal team meets with the Chief Security Officer (CSO) to discuss ways to better protect the privacy of customer data. Which of the following controls support this goal? A. Contingency planning B. Encryption and stronger access control C. Hashing and non-repudiation D. Redundancy and fault tolerance
Answer: B Explanation: Encryption is used to protect data/contents/documents. Access control refers to controlling who accesses any data/contents/documents and to exercise authorized control to the accessing of that data.
Which of the following is the process in which a law enforcement officer or a government agent encourages or induces a person to commit a crime when the potential criminal expresses a desire not to go ahead? A. Enticement B. Entrapment C. Deceit D. Sting
Answer: B Explanation: Entrapment is the process in which a law enforcement officer or a government agent encourages or induces a person to commit a crime when the potential criminal expresses a desire not to go ahead. Entrapment is a valid legal defense in a criminal prosecution.
Which of the following is the MOST secure protocol to transfer files? A. FTP B. FTPS C. SSH D. TELNET
Answer: B Explanation: FTPS refers to FTP Secure, or FTP SSL. It is a secure variation of File Transfer Protocol (FTP).
A vulnerability scan is reporting that patches are missing on a server. After a review, it is determined that the application requiring the patch does not exist on the operating system. Which of the following describes this cause? A. Application hardening B. False positive C. Baseline code review D. False negative
Answer: B Explanation: False positives are essentially events that are mistakenly flagged and are not really events to be concerned about.
Matt, a security administrator, wants to ensure that the message he is sending does not get intercepted or modified in transit. This concern relates to which of the following concepts? A. Availability B. Integrity C. Accounting D. Confidentiality
Answer: B Explanation: Integrity means ensuring that data has not been altered. Hashing and message authentication codes are the most common methods to accomplish this. In addition, ensuring nonrepudiation via digital signatures supports integrity
Pete's corporation has outsourced help desk services to a large provider. Management has published a procedure that requires all users, when receiving support, to call a special number. Users then need to enter the code provided to them by the help desk technician prior to allowing the technician to work on their PC. Which of the following does this procedure prevent? A. Collusion B. Impersonation C. Pharming D. Transitive Access
Answer: B Explanation: Impersonation is where a person, computer, software application or service pretends to be someone or something it's not. Impersonation is commonly non-maliciously used in client/server applications. However, it can also be used as a security threat. The procedure the users have to go through is to ensure that the technician who will have access to the computer is a genuine technician and not someone impersonating a technician
Which of the following ciphers would be BEST used to encrypt streaming video? A. RSA B. RC4 C. SHA1 D. 3DES
Answer: B Explanation: In cryptography, RC4 is the most widely used software stream cipher and is used in popular Internet protocols such as Transport Layer Security (TLS). While remarkable for its simplicity and speed in software, RC4 has weaknesses that argue against its use in new systems. It is especially vulnerable when the beginning of the output keystream is not discarded, or when nonrandom or related keys are used; some ways of using RC4 can lead to very insecure protocols such as WEP. Because RC4 is a stream cipher, it is more malleable than common block ciphers. If not used together with a strong message authentication code (MAC), then encryption is vulnerable to a bitflipping attack. The cipher is also vulnerable to a stream cipher attack if not implemented correctly. Furthermore, inadvertent double encryption of a message with the same key may accidentally output plaintext rather than ciphertext because the involutory nature of the XOR function would result in the second operation reversing the first. It is noteworthy, however, that RC4, being a stream cipher, was for a period of time the only common cipher that was immune to the 2011 BEAST attack on TLS 1.0. The attack exploits a known weakness in the way cipher block chaining mode is used with all of the other ciphers supported by TLS 1.0, which are all block ciphers.
Purchasing receives a phone call from a vendor asking for a payment over the phone. The phone number displayed on the caller ID matches the vendor's number. When the purchasing agent asks to call the vendor back, they are given a different phone number with a different area code. Which of the following attack types is this? A. Hoax B. Impersonation C. Spear phishing D. Whaling
Answer: B Explanation: In this question, the impersonator is impersonating a vendor and asking for payment. They have managed to 'spoof' their calling number so that their caller ID matches the vendor's number. Impersonation is where a person, computer, software application or service pretends to be someone or something it's not. Impersonation is commonly non-maliciously used in client/server applications. However, it can also be used as a security threat.
The security officer is preparing a read-only USB stick with a document of important personal phone numbers, vendor contacts, an MD5 program, and other tools to provide to employees. At which of the following points in an incident should the officer instruct employees to use this information? A. Business Impact Analysis B. First Responder C. Damage and Loss Control D. Contingency Planning
Answer: B Explanation: Incident response procedures involves: Preparation; Incident identification; Escalation and notification; Mitigation steps; Lessons learned; Reporting; Recover/reconstitution procedures; First responder; Incident isolation (Quarantine; Device removal); Data breach; Damage and loss control. In this scenario the security officer is carrying out an incident response measure that will address and be of benefit to those in the vanguard, i.e. the employees and they are the first responders.
Physical documents must be incinerated after a set retention period is reached. Which of the following attacks does this action remediate? A. Shoulder Surfing B. Dumpster Diving C. Phishing D. Impersonation
Answer: B Explanation: Incinerating documents (or shredding documents) instead of throwing them into a bin will prevent people being able to read the documents to view sensitive information. Dumpster diving is looking for treasure in someone else's trash. (A dumpster is a large trash container.) In the world of information technology, dumpster diving is a technique used to retrieve information that could be used to carry out an attack on a computer network. Dumpster diving isn't limited to searching through the trash for obvious treasures like access codes or passwords written down on sticky notes. Seemingly innocent information like a phone list, calendar, or organizational chart can be used to assist an attacker using social engineering techniques to gain access to the network. To prevent dumpster divers from learning anything valuable from your trash, experts recommend that your company establish a disposal policy where all paper, including print-outs, is shredded in a cross-cut shredder before being recycled, all storage media is erased, and all staff is educated about the danger of untracked trash
Verifying the integrity of data submitted to a computer program at or during run-time, with the intent of preventing the malicious exploitation of unintentional effects in the structure of the code, is BEST described as which of the following? A. Output sanitization B. Input validation C. Application hardening D. Fuzzing
Answer: B Explanation: Input validation is a defensive technique intended to mitigate against possible user input attacks, such as buffer overflows and fuzzing. Input validation checks every user input submitted to the application before processing that input. The check could be a length, a character type, a language type, or a domain
Which of the following is the below pseudo-code an example of? IF VARIABLE (CONTAINS NUMBERS = TRUE) THEN EXIT A. Buffer overflow prevention B. Input validation C. CSRF prevention D. Cross-site scripting prevention
Answer: B Explanation: Input validation is a defensive technique intended to mitigate against possible user input attacks, such as buffer overflows and fuzzing. Input validation checks every user input submitted to the application before processing that input. The check could be a length, a character type, a language type, or a domain.
After Matt, a user, enters his username and password at the login screen of a web enabled portal, the following appears on his screen: `Please only use letters and numbers on these fields' Which of the following is this an example of? A. Proper error handling B. Proper input validation C. Improper input validation D. Improper error handling
Answer: B Explanation: Input validation is an aspect of secure coding and is intended to mitigate against possible user input attacks, such as buffer overflows and fuzzing. Input validation checks every user input submitted to the application before processing that input. The check could be a length, a character type, a language type, or a domain.
Joe, a network administrator, is able to manage the backup software console by using his network login credentials. Which of the following authentication services is the MOST likely using? A. SAML B. LDAP C. iSCSI D. Two-factor authentication
Answer: B Explanation: Joe is able to manage the backup system by logging into the network. This is an example of Single Sign-on. A common usage of LDAP is to provide a "single sign on" where one password for a user is shared between many services, such as applying a company login code to web pages (so that staff log in only once to company computers, and then are automatically logged into the company intranet). The Lightweight Directory Access Protocol is an open, vendor-neutral, industry standard application protocol for accessing and maintaining distributed directory information services over an Internet Protocol (IP) network. Directory services play an important role in developing intranet and Internet applications by allowing the sharing of information about users, systems, networks, services, and applications throughout the network. As examples, directory services may provide any organized set of records, often with a hierarchical structure, such as a corporate email directory. Similarly, a telephone directory is a list of subscribers with an address and a phone number.
Which of the following provides the BEST application availability and is easily expanded as demand grows? A. Server virtualization B. Load balancing C. Active-Passive Cluster D. RAID 6
Answer: B Explanation: Load balancing is a way of providing high availability by splitting the workload across multiple computers.
Which of the following technologies uses multiple devices to share work? A. Switching B. Load balancing C. RAID D. VPN concentrator
Answer: B Explanation: Load balancing is a way of providing high availability by splitting the workload across multiple computers.
On a train, an individual is watching a proprietary video on Joe's laptop without his knowledge. Which of the following does this describe? A. Tailgating B. Shoulder surfing C. Interference D. Illegal downloading
Answer: B Explanation: Looking at information on a computer screen without the computer user's knowledge is known as shoulder surfing. Shoulder surfing is using direct observation techniques, such as looking over someone's shoulder, to get information. Shoulder surfing is an effective way to get information in crowded places because it's relatively easy to stand next to someone and watch as they fill out a form, enter a PIN number at an ATM machine, or use a calling card at a public pay phone. Shoulder surfing can also be done long distance with the aid of binoculars or other vision-enhancing devices. To prevent shoulder surfing, experts recommend that you shield paperwork or your keypad from view by using your body or cupping your hand.
An administrator needs to secure a wireless network and restrict access based on the hardware address of the device. Which of the following solutions should be implemented? A. Use a stateful firewall B. Enable MAC filtering C. Upgrade to WPA2 encryption D. Force the WAP to use channel 1
Answer: B Explanation: MAC addresses are also known as an Ethernet hardware address (EHA), hardware address or physical address. Enabling MAC filtering would allow for a WAP to restrict or allow access based on the hardware address of the device.
After entering the following information into a SOHO wireless router, a mobile device's user reports being unable to connect to the network: PERMIT 0A: D1: FA. B1: 03: 37 DENY 01: 33: 7F: AB: 10: AB Which of the following is preventing the device from connecting? A. WPA2-PSK requires a supplicant on the mobile device. B. Hardware address filtering is blocking the device. C. TCP/IP Port filtering has been implemented on the SOHO router. D. IP address filtering has disabled the device from connecting.
Answer: B Explanation: MAC filtering allows you to include or exclude computers and devices based on their MAC address.
Which of the following wireless security measures can an attacker defeat by spoofing certain properties of their network interface card? A. WEP B. MAC filtering C. Disabled SSID broadcast D. TKIP
Answer: B Explanation: MAC filtering is typically used in wireless networks. In computer networking, MAC Filtering (or GUI filtering, or layer 2 address filtering) refers to a security access control method whereby the 48-bit address assigned to each network card is used to determine access to the network. MAC addresses are uniquely assigned to each card, so using MAC filtering on a network permits and denies network access to specific devices through the use of blacklists and whitelists. While the restriction of network access through the use of lists is straightforward, an individual person is not identified by a MAC address, rather a device only, so an authorized person will need to have a whitelist entry for each device that he or she would use to access the network. While giving a wireless network some additional protection, MAC filtering can be circumvented by scanning a valid MAC (via airodumping) and then spoofing one's own MAC into a validated one.
Which of the following is a management control? A. Logon banners B. Written security policy C. SYN attack prevention D. Access Control List (ACL)
Answer: B Explanation: Management control types include risk assessment, planning, systems and Services Acquisition as well as Certification, Accreditation and Security Assessment; and written security policy falls in this category.
Which of the following common access control models is commonly used on systems to ensure a "need to know" based on classification levels? A. Role Based Access Controls B. Mandatory Access Controls C. Discretionary Access Controls D. Access Control List
Answer: B Explanation: Mandatory Access Control allows access to be granted or restricted based on the rules of classification. MAC also includes the use of need to know. Need to know is a security restriction where some objects are restricted unless the subject has a need to know them.
Pete, an IT Administrator, needs to secure his server room. Which of the following mitigation methods would provide the MOST physical protection? A. Sign in and sign out logs B. Mantrap C. Video surveillance D. HVAC
Answer: B Explanation: Mantraps are designed to contain an unauthorized, potentially hostile person/individual physically until authorities arrive. Mantraps are typically manufactured with bulletproof glass, high-strength doors, and locks and to allow the minimal amount of individuals depending on its size. Some mantraps even include scales that will weigh the person. The doors are designed in such a way as to open only when the mantrap is occupied or empty and not in-between. Thismeans that the backdoor must first close before the front door will open. Mantraps are in most cases also combined with guards. This is the most physical protection any one measure will provide.
A systems engineer has been presented with storage performance and redundancy requirements for a new system to be built for the company. The storage solution must be designed to support the highest performance and must also be able to support more than one drive failure. Which of the following should the engineer choose to meet these requirements? A. A mirrored striped array with parity B. A mirrored mirror array C. A striped array D. A striped array with parity
Answer: B Explanation: Mirroring means the data written to one drive is exactly duplicated to a second drive in real time. Disk mirroring is also known as RAID 1 and the data is intact in a RAID 1 array if either one of the two drives fails. After the failed drive is replaced with a new drive, you remirror the data from the good drive to the new drive to re-create the array.
Ann, the Chief Information Officer (CIO) of a company, sees cloud computing as a way to save money while providing valuable services. She is looking for a cost-effective solution to assist in capacity planning as well as visibility into the performance of the network. Which of the following cloud technologies should she look into? A. IaaS B. MaaS C. SaaS D. PaaS
Answer: B Explanation: Monitoring-as-a-service (MaaS) is a cloud delivery model that falls under anything as a service (XaaS). MaaS allows for the deployment of monitoring functionalities for several other services and applications within the cloud.
Which of the following concepts is used by digital signatures to ensure integrity of the data? A. Non-repudiation B. Hashing C. Transport encryption D. Key escrow
Answer: B Explanation: Most digital signature implementations also use a hash to verify that the message has not been altered, intentionally or accidently, in transit.
An incident response team member needs to perform a forensics examination but does not have the required hardware. Which of the following will allow the team member to perform the examination with minimal impact to the potential evidence? A. Using a software file recovery disc B. Mounting the drive in read-only mode C. Imaging based on order of volatility D. Hashing the image after capture
Answer: B Explanation: Mounting the drive in read-only mode will prevent any executable commands from being executed. This is turn will have the least impact on potential evidence using the drive in question
A security administrator is tasked with ensuring that all devices have updated virus definition files before they are allowed to access network resources. Which of the following technologies would be used to accomplish this goal? A. NIDS B. NAC C. DLP D. DMZ E. Port Security
Answer: B Explanation: Network Access Control (NAC) means controlling access to an environment through strict adherence to and implementation of security policies
Which of the following is a security advantage of using NoSQL vs. SQL databases in a three-tier environment? A. NoSQL databases are not vulnerable to XSRF attacks from the application server. B. NoSQL databases are not vulnerable to SQL injection attacks. C. NoSQL databases encrypt sensitive information by default. D. NoSQL databases perform faster than SQL databases on the same hardware.
Answer: B Explanation: NoSQL is a nonrelational database and does not use SQL. It is therefore not vulnerable to SQL injection attacks but is vulnerable to similar injection-type attacks.
An encrypted message is sent using PKI from Sara, a client, to a customer. Sara claims she never sent the message. Which of the following aspects of PKI BEST ensures the identity of the sender? A. CRL B. Non-repudiation C. Trust models D. Recovery agents
Answer: B Explanation: Nonrepudiation prevents one party from denying actions they carried out. This means that the identity of the email sender will not be repudiated.
A security technician is attempting to improve the overall security posture of an internal mail server. Which of the following actions would BEST accomplish this goal? A. Monitoring event logs daily B. Disabling unnecessary services C. Deploying a content filter on the network D. Deploy an IDS on the network
Answer: B Explanation: One of the most basic practices for reducing the attack surface of a specific host is to disable unnecessary services. Services running on a host, especially network services provide an avenue through which the system can be attacked. If a service is not being used, disable it.
Which of the following offers the LEAST secure encryption capabilities? A. TwoFish B. PAP C. NTLM D. CHAP
Answer: B Explanation: PAP transmits unencrypted ASCII passwords over the network and is therefore considered insecure. It is used as a last resort when the remote server does not support a stronger authentication protocol, like CHAP or EAP.
A small company wants to employ PKI. The company wants a cost effective solution that must be simple and trusted. They are considering two options: X.509 and PGP. Which of the following would be the BEST option? A. PGP, because it employs a web-of-trust that is the most trusted form of PKI. B. PGP, because it is simple to incorporate into a small environment. C. X.509, because it uses a hierarchical design that is the most trusted form of PKI. D. X.509, because it is simple to incorporate into a small environment
Answer: B Explanation: PGP easier to use and setup than the corporate PKI model, but it is also less robust when it comes to issues like authentication and trust. However, the full benefits of public key cryptography are used.
In order to use a two-way trust model the security administrator MUST implement which of the following? A. DAC B. PKI C. HTTPS D. TPM
Answer: B Explanation: PKI is a high level concept. Within a PKI you use a trust model to set up trust between Certification Authorities (CAs). A public key infrastructure (PKI) is a set of hardware, software, people, policies, and procedures needed to create, manage, distribute, use, store, and revoke digital certificates
A new client application developer wants to ensure that the encrypted passwords that are stored in their database are secure from cracking attempts. To implement this, the developer implements a function on the client application that hashes passwords thousands of times prior to being sent to the database. Which of the following did the developer MOST likely implement? A. RIPEMD B. PBKDF2 C. HMAC D. ECDHE
Answer: B Explanation: Password-Based Key Derivation Function 2 (PBKDF2) makes use of a hashing operation, an encryption cipher function, or an HMAC operation) on the input password, which is combined with a salt and is repeated thousands of times
Which of the following assessments would Pete, the security administrator, use to actively test that an application's security controls are in place? A. Code review B. Penetration test C. Protocol analyzer D. Vulnerability scan
Answer: B Explanation: Penetration testing (also called pen testing) is the practice of testing a computer system, network or Web application to find vulnerabilities that an attacker could exploit. Pen tests can be automated with software applications or they can be performed manually. Either way, the process includes gathering information about the target before the test (reconnaissance), identifying possible entry points, attempting to break in (either virtually or for real) and reporting back the findings. The main objective of penetration testing is to determine security weaknesses. A pen test can also be used to test an organization's security policy compliance, its employees' security awareness and the organization's ability to identify and respond to security incidents. Penetration tests are sometimes called white hat attacks because in a pen test, the good guys are attempting to break in. Pen test strategies include: Targeted testing Targeted testing is performed by the organization's IT team and the penetration testing team working together. It's sometimes referred to as a "lights-turned-on" approach because everyone can see the test being carried out. External testing This type of pen test targets a company's externally visible servers or devices including domain name servers (DNS), e-mail servers, Web servers or firewalls. The objective is to find out if an outside attacker can get in and how far they can get in once they've gained access. Internal testing This test mimics an inside attack behind the firewall by an authorized user with standard access privileges. This kind of test is useful for estimating how much damage a disgruntled employee could cause. Blind testing A blind test strategy simulates the actions and procedures of a real attacker by severely limiting the information given to the person or team that's performing the test beforehand. Typically, they may only be given the name of the company. Because this type of test can require a considerable amount of time for reconnaissance, it can be expensive. Double blind testing Double blind testing takes the blind test and carries it a step further. In this type of pen test, only one or two people within the organization might be aware a test is being conducted. Double-blind tests can be useful for testing an organization's security monitoring and incident identification as well as its response procedures
Which of the following tools will allow a technician to detect security-related TCP connection anomalies? A. Logical token B. Performance monitor C. Public key infrastructure D. Trusted platform module
Answer: B Explanation: Performance Monitor in a Windows system can monitor many different 'counters'. For TCP network connections, you can monitor specific TCP related counters including the following: Connection Failures Connections Active Connections Established Connections Passive Connections Reset Segments Received/sec Segments Retransmitted/sec Segments Sent/sec Total Segments/sec By monitoring the counters listed above, you will be able to detect security-related TCP connection anomalies.
Which of the following concepts is a term that directly relates to customer privacy considerations? A. Data handling policies B. Personally identifiable information C. Information classification D. Clean desk policies
Answer: B Explanation: Personally identifiable information (PII) is a catchall for any data that can be used to uniquely identify an individual. This data can be anything from the person's name to a fingerprint (think biometrics), credit card number, or patient record. This has a direct relation to customer privacy considerations.
A security administrator notices large amounts of traffic within the network heading out to an external website. The website seems to be a fake bank site with a phone number that when called, asks for sensitive information. After further investigation, the security administrator notices that a fake link was sent to several users. This is an example of which of the following attacks? A. Vishing B. Phishing C. Whaling D. SPAM E. SPIM
Answer: B Explanation: Phishing is the act of sending an email to a user falsely claiming to be an established legitimate enterprise in an attempt to scam the user into surrendering private information that will be used for identity theft. Phishing email will direct the user to visit a website where they are asked to update personal information, such as a password, credit card, social security, or bank account numbers, that the legitimate organization already has. The website, however, is bogus and set up only to steal the information the user enters on the page. Phishing emails are blindly sent to thousands, if not millions of recipients. By spamming large groups of people, the "phisher" counts on the email being read by a percentage of people who actually have an account with the legitimate company being spoofed in the email and corresponding webpage. Phishing, also referred to as brand spoofing or carding, is a variation on "fishing," the idea being that bait is thrown out with the hopes that while most will ignore the bait, some will be tempted into biting.
Which of the following may significantly reduce data loss if multiple drives fail at the same time? A. Virtualization B. RAID C. Load balancing D. Server clustering
Answer: B Explanation: RAID, or redundant array of independent disks (RAID). RAID allows your existing servers to have more than one hard drive so that if the main hard drive fails, the system keeps functioning
All of the following are valid cryptographic hash functions EXCEPT: A. RIPEMD. B. RC4. C. SHA-512. D. MD4.
Answer: B Explanation: RC4 is not a hash function. RC4 is popular with wireless and WEP/WPA encryption
Which of the following concepts is enforced by certifying that email communications have been sent by who the message says it has been sent by? A. Key escrow B. Non-repudiation C. Multifactor authentication D. Hashing
Answer: B Explanation: Regarding digital security, the cryptological meaning and application of non-repudiation shifts to mean: A service that provides proof of the integrity and origin of data. An authentication that can be asserted to be genuine with high assurance.
Which of the following types of cryptography should be used when minimal overhead is necessary for a mobile device? A. Block cipher B. Elliptical curve cryptography C. Diffie-Hellman algorithm D. Stream cipher
Answer: B Explanation: Regarding the performance of ECC applications on various mobile devices, ECC is the most suitable PKC (Public-key cryptography) scheme for use in a constrained environment. Note: Elliptic curve cryptography (ECC) is an approach to public-key cryptography based on the algebraic structure of elliptic curves over finite fields. One of the main benefits in comparison with non-ECC cryptography (with plain Galois fields as a basis) is the same level of security provided by keys of smaller size. Using smaller key size would be faster.
Which of the following protocols is the security administrator observing in this packet capture? 12:33:43, SRC 192.168.4.3:3389, DST 10.67.33.20:8080, SYN/ACK A. HTTPS B. RDP C. HTTP D. SFTP
Answer: B Explanation: Remote Desktop Protocol (RDP) is a proprietary protocol developed by Microsoft, which provides a user with a graphical interface to connect to another computer over a network connection. Example of RDP tracing output: No. Time Delta Source Destination Protocol Length Info 5782, 2013-01-06 09:52:15.407, 0.000, SRC 10.7.3.187, DST 10.0.107.58, TCP, 62, 3389 > 59193 [SYN, ACK]
A company hired Joe, an accountant. The IT administrator will need to create a new account for Joe. The company uses groups for ease of management and administration of user accounts. Joe will need network access to all directories, folders and files within the accounting department. Which of the following configurations will meet the requirements? A. Create a user account and assign the user account to the accounting group. B. Create an account with role-based access control for accounting. C. Create a user account with password reset and notify Joe of the account creation. D. Create two accounts: a user account and an account with full network administration rights.
Answer: B Explanation: Role-based Access Control is basically based on a user's job description. When a user is assigned a specific role in an environment, that user's access to objects is granted based on the required tasks of that role. The IT administrator should, therefore, create an account with rolebased access control for accounting for Joe.
During the information gathering stage of a deploying role-based access control model, which of the following information is MOST likely required? A. Conditional rules under which certain systems may be accessed B. Matrix of job titles with required access privileges C. Clearance levels of all company personnel D. Normal hours of business operation
Answer: B Explanation: Role-based access control is a model where access to resources is determines by job role rather than by user account. Within an organization, roles are created for various job functions. The permissions to perform certain operations are assigned to specific roles. Members or staff (or other system users) are assigned particular roles, and through those role assignments acquire the computer permissions to perform particular computer-system functions. Since users are not assigned permissions directly, but only acquire them through their role (or roles), management of individual user rights becomes a matter of simply assigning appropriate roles to the user's account; this simplifies common operations, such as adding a user, or changing a user's department. To configure role-based access control, you need a list (or matrix) of job titles (roles) and the access privileges that should be assigned to each role.
Which of the following ports is used to securely transfer files between remote UNIX systems? A. 21 B. 22 C. 69 D. 445
Answer: B Explanation: SCP copies files securely between hosts on a network. It uses SSH for data transfer, and uses the same authentication and provides the same security as SSH. Unlike RCP, SCP will ask for passwords or passphrases if they are needed for authentication. SSH uses TCP port 22. All protocols encrypted by SSH, including SFTP, SHTTP, SCP, SExec, and slogin, also use TCP port 22.
A network administrator is asked to send a large file containing PII to a business associate. Which of the following protocols is the BEST choice to use? A. SSH B. SFTP C. SMTP D. FTP
Answer: B Explanation: SFTP encrypts authentication and data traffic between the client and server by making use of SSH to provide secure FTP communications. As a result, SFTP offers protection for both the authentication traffic and the data transfer taking place between a client and server.
Joe, the system administrator, has been asked to calculate the Annual Loss Expectancy (ALE) for a $5,000 server, which often crashes. In the past year, the server has crashed 10 times, requiring a system reboot to recover with only 10% loss of data or function. Which of the following is the ALE of this server? A. $500 B. $5,000 C. $25,000 D. $50,000
Answer: B Explanation: SLE × ARO = ALE, where SLE is equal to asset value (AV) times exposure factor (EF); and ARO is the annualized rate of occurrence. (5000 x 10) x 0.1 = 5000
A recent vulnerability scan found that Telnet is enabled on all network devices. Which of the following protocols should be used instead of Telnet? A. SCP B. SSH C. SFTP D. SSL
Answer: B Explanation: SSH transmits both authentication traffic and data in a secured encrypted form, whereas Telnet transmits both authentication credentials and data in clear text.
Which of the following secure file transfer methods uses port 22 by default? A. FTPS B. SFTP C. SSL D. S/MIME
Answer: B Explanation: SSH uses TCP port 22. All protocols encrypted by SSH, including SFTP, SHTTP, SCP, SExec, and slogin, also use TCP port 22.
An achievement in providing worldwide Internet security was the signing of certificates associated with which of the following protocols? A. TCP/IP B. SSL C. SCP D. SSH
Answer: B Explanation: SSL (Secure Sockets Layer) is used for establishing an encrypted link between two computers, typically a web server and a browser. SSL is used to enable sensitive information such as login credentials and credit card numbers to be transmitted securely.
Which of the following techniques describes the use of application isolation during execution to prevent system compromise if the application is compromised? A. Least privilege B. Sandboxing C. Black box D. Application hardening
Answer: B Explanation: Sandboxing is the process of isolating a system before installing new applications on it so as to restrict any potential malware that may be embedded in the new application from being able to cause harm to production systems.
Which of the following protocols provides transport security for virtual terminal emulation? A. TLS B. SSH C. SCP D. S/MIME
Answer: B Explanation: Secure Shell (SSH) is a tunneling protocol originally designed for Unix systems. It uses encryption to establish a secure connection between two systems. SSH also provides alternative, securityequivalent programs for such Unix standards as Telnet, FTP, and many other communicationsoriented applications. SSH is available for use on Windows systems as well. This makes it the preferred method of security for Telnet and other cleartext oriented programs in the Unix environment.
A security analyst needs to logon to the console to perform maintenance on a remote server. Which of the following protocols would provide secure access? A. SCP B. SSH C. SFTP D. HTTPS
Answer: B Explanation: Secure Shell (SSH) is a tunneling protocol originally used on Unix systems. It's now available for both Unix and Windows environments. SSH is primarily intended for interactive terminal sessions. SSH is used to establish a command-line, text-only interface connection with a server, router, switch, or similar device over any distance.
Which of the following MOST interferes with network-based detection techniques? A. Mime-encoding B. SSL C. FTP D. Anonymous email accounts
Answer: B Explanation: Secure Sockets Layer (SSL) is used to establish secure TCP communication between two machines by encrypting the communication. Encrypted communications cannot easily be inspected for anomalies by network-based intrusion detection systems (NIDS).
A security audit identifies a number of large email messages being sent by a specific user from their company email account to another address external to the company. These messages were sent prior to a company data breach, which prompted the security audit. The user was one of a few people who had access to the leaked data. Review of the suspect's emails show they consist mostly of pictures of the user at various locations during a recent vacation. No suspicious activities from other users who have access to the data were discovered. Which of the following is occurring? A. The user is encrypting the data in the outgoing messages. B. The user is using steganography. C. The user is spamming to obfuscate the activity. D. The user is using hashing to embed data in the emails.
Answer: B Explanation: Steganography is the process of hiding one message in another. Steganography may also be referred to as electronic watermarking. It is also the process of hiding a message in a medium such as a digital image, audio fi le, or other fi le. In theory, doing this prevents analysts from detecting the real message. You could encode your message in another file or message and use that file to hide your message
A security analyst has been notified that trade secrets are being leaked from one of the executives in the corporation. When reviewing this executive's laptop they notice several pictures of the employee's pets are on the hard drive and on a cloud storage network. When the analyst hashes the images on the hard drive against the hashes on the cloud network they do not match. Which of the following describes how the employee is leaking these secrets? A. Social engineering B. Steganography C. Hashing D. Digital signatures
Answer: B Explanation: Steganography is the process of hiding one message in another. Steganography may also be referred to as electronic watermarking. It is also the process of hiding a message in a medium such as a digital image, audio fi le, or other fi le. In theory, doing this prevents analysts from detecting the real message. You could encode your message in another file or message and use that file to hide your message.
Establishing a published chart of roles, responsibilities, and chain of command to be used during a disaster is an example of which of the following? A. Fault tolerance B. Succession planning C. Business continuity testing D. Recovery point objectives
Answer: B Explanation: Succession planning outlines those internal to the organization that has the ability to step into positions when they open. By identifying key roles that cannot be left unfilled and associating internal employees who can step into these roles, you can groom those employees to make sure that they are up to speed when it comes time for them to fill those positions.
A system administrator is using a packet sniffer to troubleshoot remote authentication. The administrator detects a device trying to communicate to TCP port 49. Which of the following authentication methods is MOST likely being attempted? A. RADIUS B. TACACS+ C. Kerberos D. LDAP
Answer: B Explanation: TACACS makes use of TCP port 49 by default.
Which of the following is the default port for TFTP? A. 20 B. 69 C. 21 D. 68
Answer: B Explanation: TFTP makes use of UDP port 69
Joe, a security administrator, is concerned with users tailgating into the restricted areas. Given a limited budget, which of the following would BEST assist Joe with detecting this activity? A. Place a full-time guard at the entrance to confirm user identity. B. Install a camera and DVR at the entrance to monitor access. C. Revoke all proximity badge access to make users justify access. D. Install a motion detector near the entrance.
Answer: B Explanation: Tailgating is a favorite method of gaining entry to electronically locked systems by following someone through the door they just unlocked. With a limited budget installing a camera and DVR at the entrance to monitor access to the restricted areas is the most feasible solution. The benefit of a camera (also known as closed-circuit television, or CCTV) is that it is always running and can record everything it sees, creating evidence that can be admissible in court if necessary
A network consists of various remote sites that connect back to two main locations. Pete, the security administrator, needs to block TELNET access into the network. Which of the following, by default, would be the BEST choice to accomplish this goal? A. Block port 23 on the L2 switch at each remote site B. Block port 23 on the network firewall C. Block port 25 on the L2 switch at each remote site D. Block port 25 on the network firewall
Answer: B Explanation: Telnet is a terminal-emulation network application that supports remote connectivity for executing commands and running applications but doesn't support transfer of files. Telnet uses TCP port 23. Because it's a clear text protocol and service, it should be avoided and replaced with SSH.
After a new firewall has been installed, devices cannot obtain a new IP address. Which of the following ports should Matt, the security administrator, open on the firewall? A. 25 B. 68 C. 80 D. 443
Answer: B Explanation: The Dynamic Host Configuration Protocol (DHCP) is a standardized network protocol used on Internet Protocol (IP) networks for distributing IP addresses for interfaces and services. DHCP makes use of port 68.
The Chief Security Officer (CSO) is contacted by a first responder. The CSO assigns a handler. Which of the following is occurring? A. Unannounced audit response B. Incident response process C. Business continuity planning D. Unified threat management E. Disaster recovery process
Answer: B Explanation: The Incident response policy outlines the processes that should be followed when an incident occurs. Thus when a CSO is contacted by a first responder and then assign a handler for the incident it is clearly the incident response process that is put in practice.
A firewall technician has been instructed to disable all non-secure ports on a corporate firewall. The technician has blocked traffic on port 21, 69, 80, and 137-139. The technician has allowed traffic on ports 22 and 443. Which of the following correctly lists the protocols blocked and allowed? A. Blocked: TFTP, HTTP, NetBIOS; Allowed: HTTPS, FTP B. Blocked: FTP, TFTP, HTTP, NetBIOS; Allowed: SFTP, SSH, SCP, HTTPS C. Blocked: SFTP, TFTP, HTTP, NetBIOS; Allowed: SSH, SCP, HTTPS D. Blocked: FTP, HTTP, HTTPS; Allowed: SFTP, SSH, SCP, NetBIOS
Answer: B Explanation: The question states that traffic on port 21, 69, 80, and 137-139 is blocked, while ports 22 and 443 are allowed. Port 21 is used for FTP by default. Port 69 is used for TFTP. Port 80 is used for HTTP. Ports 137-139 are used for NetBIOS. VMM uses SFTP over default port 22. Port 22 is used for SSH by default. SCP runs over TCP port 22 by default. Port 443 is used for HTTPS.
Jane, a security analyst, is reviewing logs from hosts across the Internet which her company uses to gather data on new malware. Which of the following is being implemented by Jane's company? A. Vulnerability scanner B. Honeynet C. Protocol analyzer D. Port scanner
Answer: B Explanation: The Internet hosts used to gather data on new malware are known as honeypots. A collection of honeypots is known as a honeynet. A honeynet is a network set up with intentional vulnerabilities; its purpose is to invite attack, so that an attacker's activities and methods can be studied and that information used to increasenetwork security. A honeynet contains one or more honey pots, which are computer systems on the Internet expressly set up to attract and "trap" people who attempt to penetrate other people's computer systems. Although the primary purpose of a honeynet is to gather information about attackers' methods and motives, the decoy network can benefit its operator in other ways, for example by diverting attackers from a real network and its resources. The Honeynet Project, a non-profit research organization dedicated to computer security and information sharing, actively promotes the deployment of honeynets. In addition to the honey pots, a honeynet usually has real applications and services so that it seems like a normal network and a worthwhile target. However, because the honeynet doesn't actually serve any authorized users, any attempt to contact the network from without is likely an illicit attempt to breach its security, and any outbound activity is likely evidence that a system has been compromised. For this reason, the suspect information is much more apparent than it would be in an actual network, where it would have to be found amidst all the legitimate network data. Applications within a honeynet are often given names such as "Finances" or "Human Services" to make them sound appealing to the attacker. A virtual honeynet is one that, while appearing to be an entire network, resides on a single server.
While previously recommended as a security measure, disabling SSID broadcast is not effective against most attackers because network SSIDs are: A. no longer used to authenticate to most wireless networks. B. contained in certain wireless packets in plaintext. C. contained in all wireless broadcast packets by default. D. no longer supported in 802.11 protocols.
Answer: B Explanation: The SSID is still required for directing packets to and from the base station, so it can be discovered using a wireless packet sniffer.
Which of the following provides the strongest authentication security on a wireless network? A. MAC filter B. WPA2 C. WEP D. Disable SSID broadcast
Answer: B Explanation: The Wi-Fi Protected Access (WPA) and Wi-Fi Protected Access 2 (WPA2) authentication protocols were designed to address the core, easy-to-crack problems of WEP
Which of the following is a concern when encrypting wireless data with WEP? A. WEP displays the plain text entire key when wireless packet captures are reassembled B. WEP implements weak initialization vectors for key transmission C. WEP uses a very weak encryption algorithm D. WEP allows for only four pre-shared keys to be configured
Answer: B Explanation: The initialization vector (IV) that WEP uses for encryption is 24-bit, which is quite weak and means that IVs are reused with the same key. By examining the repeating result, it was easy for attackers to crack the WEP secret key. This is known as an IV attack.
Which of the following is a security benefit of providing additional HVAC capacity or increased tonnage in a datacenter? A. Increased availability of network services due to higher throughput B. Longer MTBF of hardware due to lower operating temperatures C. Higher data integrity due to more efficient SSD cooling D. Longer UPS run time due to increased airflow
Answer: B Explanation: The mean time between failures (MTBF) is the measure of the anticipated incidence of failure for a system or component. This measurement determines the component's anticipated lifetime. If the MTBF of a cooling system is one year, you can anticipate that the system will last for a one-year period; this means that you should be prepared to replace or rebuild the system once a year. If the system lasts longer than the MTBF, your organization receives a bonus. MTBF is helpful in evaluating a system's reliability and life expectancy. Thus longer MTBF due to lower operating temperatures is a definite advantage
Company XYZ recently salvaged company laptops and removed all hard drives, but the Chief Information Officer (CIO) is concerned about disclosure of confidential information. Which of the following is the MOST secure method to dispose of these hard drives? A. Degaussing B. Physical Destruction C. Lock up hard drives in a secure safe D. Wipe
Answer: B Explanation: The physical description of hard drives is the only secure means of disposing hard drives. This can include incineration, an acid bath, and crushing
The security administrator installed a newly generated SSL certificate onto the company web server. Due to a misconfiguration of the website, a downloadable file containing one of the pieces of the key was available to the public. It was verified that the disclosure did not require a reissue of the certificate. Which of the following was MOST likely compromised? A. The file containing the recovery agent's keys. B. The file containing the public key. C. The file containing the private key. D. The file containing the server's encrypted passwords.
Answer: B Explanation: The public key can be made available to everyone. There is no need to reissue the certificate.
A user commuting to work via public transport received an offensive image on their smart phone from another commuter. Which of the following attacks MOST likely took place? A. War chalking B. Bluejacking C. War driving D. Bluesnarfing
Answer: B Explanation: The question states that the 'attack' took place on public transport and was received on a smartphone. Therefore, it is most likely that the image was sent using Bluetooth. Bluejacking is the sending of unsolicited messages over Bluetooth to Bluetooth-enabled devices such as mobile phones, PDAs or laptop computers, sending a vCard which typically contains a message in the name field (i.e., for bluedating or bluechat) to another Bluetooth-enabled device via the OBEX protocol. Bluetooth has a very limited range, usually around 10 metres (32.8 ft) on mobile phones, but laptops can reach up to 100 metres (328 ft) with powerful (Class 1) transmitters. Bluejacking is usually harmless, but because bluejacked people generally don't know what has happened, they may think that their phone is malfunctioning. Usually, a bluejacker will only send a text message, but with modern phones it's possible to send images or sounds as well. Bluejacking has been used in guerrilla marketing campaigns to promote advergames
A network administrator is configuring access control for the sales department which has high employee turnover. Which of the following is BEST suited when assigning user rights to individuals in the sales department? A. Time of day restrictions B. Group based privileges C. User assigned privileges D. Domain admin restrictions
Answer: B Explanation: The question states that the sales department has a high employee turnover. You can assign permissions to access resources either to a user or a group. The most efficient way is to assign permissions to a group (group based privileges). Then when a new employee starts, you simply add the new user account to the appropriate groups. The user then inherits all the permissions assigned to the groups
Which of the following is true about an email that was signed by User A and sent to User B? A. User A signed with User B's private key and User B verified with their own public key. B. User A signed with their own private key and User B verified with User A's public key. C. User A signed with User B's public key and User B verified with their own private key. D. User A signed with their own public key and User B verified with User A's private key
Answer: B Explanation: The sender uses his private key, in this case User A's private key, to create a digital signature. The message is, in effect, signed with the private key. The sender then sends the message to the receiver. The receiver (User B) uses the public key attached to the message to validate the digital signature. If the values match, the receiver knows the message is authentic. The receiver uses a key provided by the sender—the public key—to decrypt the message.
Public keys are used for which of the following? A. Decrypting wireless messages B. Decrypting the hash of an electronic signature C. Bulk encryption of IP based email traffic D. Encrypting web browser traffic
Answer: B Explanation: The sender uses the private key to create a digital signature. The message is, in effect, signed with the private key. The sender then sends the message to the receiver. The receiver uses the public key attached to the message to validate the digital signature. If the values match, the receiver knows the message is authentic.
Matt, the Chief Information Security Officer (CISO), tells the network administrator that a security company has been hired to perform a penetration test against his network. The security company asks Matt which type of testing would be most beneficial for him. Which of the following BEST describes what the security company might do during a black box test? A. The security company is provided with all network ranges, security devices in place, and logical maps of the network. B. The security company is provided with no information about the corporate network or physical locations. C. The security company is provided with limited information on the network, including all network diagrams. D. The security company is provided with limited information on the network, including some subnet ranges and logical network diagrams.
Answer: B Explanation: The term black box testing is generally associated with application testing. However, in this question the term is used for network testing. Black box testing means testing something when you have no knowledge of the inner workings. Black-box testing is a method of software testing that examines the functionality of an application without peering into its internal structures or workings. This method of test can be applied to virtually every level of software testing: unit, integration, system and acceptance. It typically comprises most if not all higher level testing, but can also dominate unit testing as well. Specific knowledge of the application's code/internal structure and programming knowledge in general is not required. The tester is aware of what the software is supposed to do but is not aware of how it does it. For instance, the tester is aware that a particular input returns a certain, invariable output but is not aware of how the software produces the output in the first place.
Which of the following was launched against a company based on the following IDS log? 122.41.15.252 - - [21/May/2012:00:17:20 +1200] "GET /index.php?username=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA A AAA HTTP/1.1" 200 2731 "http://www.company.com/cgibin/ forum/commentary.pl/noframes/read/209" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; Hotbar 4.4.7.0)" A. SQL injection B. Buffer overflow attack C. XSS attack D. Online password crack
Answer: B Explanation: The username should be just a username; instead we can see it's a long line of text with an HTTP command in it. This is an example of a buffer overflow attack. A buffer overflow occurs when a program or process tries to store more data in a buffer (temporary data storage area) than it was intended to hold. Since buffers are created to contain a finite amount of data, the extra information - which has to go somewhere - can overflow into adjacent buffers, corrupting or overwriting the valid data held in them. Although it may occur accidentally through programming error, buffer overflow is an increasingly common type of security attack on data integrity. In buffer overflow attacks, the extra data may contain codes designed to trigger specific actions, in effect sending new instructions to the attacked computer that could, for example, damage the user's files, change data, or disclose confidential information. Buffer overflow attacks are said to have arisen because the C programming language supplied the framework, and poor programming practices supplied the vulnerability.
Using a heuristic system to detect an anomaly in a computer's baseline, a system administrator was able to detect an attack even though the company signature based IDS and antivirus did not detect it. Further analysis revealed that the attacker had downloaded an executable file onto the company PC from the USB port, and executed it to trigger a privilege escalation flaw. Which of the following attacks has MOST likely occurred? A. Cookie stealing B. Zero-day C. Directory traversal D. XML injection
Answer: B Explanation: The vulnerability was unknown in that the IDS and antivirus did not detect it. This is zero day vulnerability. A zero day vulnerability refers to a hole in software that is unknown to the vendor. This security hole is then exploited by hackers before the vendor becomes aware and hurries to fix it—this exploit is called a zero day attack. Uses of zero day attacks can include infiltrating malware, spyware or allowing unwanted access to user information. The term "zero day" refers to the unknown nature of the hole to those outside of the hackers, specifically, the developers. Once the vulnerability becomes known, a race begins for the developer, who must protect users
Which of the following malware types is MOST likely to execute its payload after Jane, an employee, has left the company? A. Rootkit B. Logic bomb C. Worm D. Botnet
Answer: B Explanation: This is an example of a logic bomb. The logic bomb is configured to 'go off' or when Jane has left the company. A logic bomb is a piece of code intentionally inserted into a software system that will set off a malicious function when specified conditions are met. For example, a programmer may hide a piece of code that starts deleting files should they ever be terminated from the company. Software that is inherently malicious, such as viruses and worms, often contain logic bombs that execute a certain payload at a pre-defined time or when some other condition is met. This technique can be used by a virus or worm to gain momentum and spread before being noticed. Some viruses attack their host systems on specific dates, such as Friday the 13th or April Fool's Day. Trojans that activate on certain dates are often called "time bombs". To be considered a logic bomb, the payload should be unwanted and unknown to the user of the software. As an example, trial programs with code that disables certain functionality after a set time are not normally regarded as logic bombs.
A user has received an email from an external source which asks for details on the company's new product line set for release in one month. The user has a detailed spec sheet but it is marked "Internal Proprietary Information". Which of the following should the user do NEXT? A. Contact their manager and request guidance on how to best move forward B. Contact the help desk and/or incident response team to determine next steps C. Provide the requestor with the email information since it will be released soon anyway D. Reply back to the requestor to gain their contact information and call them
Answer: B Explanation: This is an incident that has to be responded to by the person who discovered it- in this case the user. An incident is any attempt to violate a security policy, a successful penetration, a compromise of a system, or any unauthorized access to information. It's important that an incident response policy establish at least the following items: Outside agencies that should be contacted or notified in case of an incident Resources used to deal with an incident Procedures to gather and secure evidence List of information that should be collected about an incident Outside experts who can be used to address issues if needed Policies and guidelines regarding how to handle an incident Since the spec sheet has been marked Internal Proprietary Information the user should refer the incident to the incident response team.
A server administrator notes that a legacy application often stops running due to a memory error. When reviewing the debugging logs, they notice code being run calling an internal process to exploit the machine. Which of the following attacks does this describe? A. Zero-day B. Buffer overflow C. Cross site scripting D. Malicious add-on
Answer: B Explanation: This question describes a buffer overflow attack. A buffer overflow occurs when a program or process tries to store more data in a buffer (temporary data storage area) than it was intended to hold. Since buffers are created to contain a finite amount of data, the extra information - which has to go somewhere - can overflow into adjacent buffers, corrupting or overwriting the valid data held in them. Although it may occur accidentally through programming error, buffer overflow is an increasingly common type ofsecurity attack on data integrity. In buffer overflow attacks, the extra data may contain codes designed to trigger specific actions, in effect sending new instructions to the attacked computer that could, for example, damage the user's files, change data, or disclose confidential information. Buffer overflow attacks are said to have arisen because the C programming language supplied the framework, and poor programming practices supplied the vulnerability.
A financial company requires a new private network link with a business partner to cater for realtime and batched data flows. Which of the following activities should be performed by the IT security staff member prior to establishing the link? A. Baseline reporting B. Design review C. Code review D. SLA reporting
Answer: B Explanation: This question is asking about a new private network link (a VPN) with a business partner. This will provide access to the local network from the business partner. When implementing a VPN, an important step is the design of the VPN. The VPN should be designed to ensure that the security of the network and local systems is not compromised. The design review assessment examines the ports and protocols used, the rules, segmentation, and access control in the systems or applications. A design review is basically a check to ensure that the design of the system meets the security requirements.
A security technician has been asked to recommend an authentication mechanism that will allow users to authenticate using a password that will only be valid for a predefined time interval. Which of the following should the security technician recommend? A. CHAP B. TOTP C. HOTP D. PAP
Answer: B Explanation: Time-based one-time password (TOTP) tokens are devices or applications that generate passwords at fixed time intervals. Therefore, the password will only be valid for a predefined time interval.
Protecting the confidentiality of a message is accomplished by encrypting the message with which of the following? A. Sender's private key B. Recipient's public key C. Sender's public key D. Recipient's private key
Answer: B Explanation: To achieve both authentication and confidentiality, the sender should include the recipient's name in the message, sign it using his private key, and then encrypt both the message and the signature using the recipient's public key.
QUESTION NO: 1132 Protecting the confidentiality of a message is accomplished by encrypting the message with which of the following? A. Sender's private key B. Recipient's public key C. Sender's public key D. Recipient's private key
Answer: B Explanation: To achieve both authentication and confidentiality, the sender should include the recipient's name in the message, sign it using his private key, and then encrypt both the message and the signature using the recipient's public key.
If you don't know the MAC address of a Linux-based machine, what command-line utility can you use to ascertain it? A. macconfig B. ifconfig C. ipconfig D. config
Answer: B Explanation: To find MAC address of a Unix/Linux workstation, use ifconfig or ip a.
Which of the following is a control that allows a mobile application to access and manipulate information which should only be available by another application on the same mobile device (e.g. a music application posting the name of the current song playing on the device on a social media site)? A. Co-hosted application B. Transitive trust C. Mutually exclusive access D. Dual authentication
Answer: B Explanation: Transitive trust is a form of trust that flows from one entity to another so that if A trusts B and B trusts C, A automatically trusts C.
Recent data loss on financial servers due to security breaches forced the system administrator to harden their systems. Which of the following algorithms with transport encryption would be implemented to provide the MOST secure web connections to manage and access these servers? A. SSL B. TLS C. HTTP D. FTP
Answer: B Explanation: Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL), are cryptographic protocols designed to provide communications security over a computer network. Transport Layer Security (TLS) is a security protocol that expands upon SSL. Many industry analysts predict that TLS will replace SSL in the future. TLS 1.0 was first defined in RFC 2246 in January 1999 as an upgrade of SSL Version 3.0. As of February 2015, the latest versions of all major web browsers support TLS 1.0, 1.1, and 1.2, have them enabled by default.
The concept of rendering data passing between two points over an IP based network impervious to all but the most sophisticated advanced persistent threats is BEST categorized as which of the following? A. Stream ciphers B. Transport encryption C. Key escrow D. Block ciphers
Answer: B Explanation: Transport encryption is the process of encrypting data ready to be transmitted over an insecure network. A common example of this would be online banking or online purchases where sensitive information such as account numbers or credit card numbers is transmitted. Transport Layer Security (TLS) is a protocol that ensures privacy between communicating applications and their users on the Internet. When a server and client communicate, TLS ensures that no third party may eavesdrop or tamper with any message. TLS is the successor to the Secure Sockets Layer (SSL).
Which of the following provides additional encryption strength by repeating the encryption process with additional keys? A. AES B. 3DES C. TwoFish D. Blowfish
Answer: B Explanation: Triple-DES (3DES) is a technological upgrade of DES. 3DES is still used, even though AES is the preferred choice for government applications. 3DES is considerably harder to break than many other systems, and it's more secure than DES. It increases the key length to 168 bits (using three 56-bit DES keys
Which of the following is built into the hardware of most laptops but is not setup for centralized management by default? A. Whole disk encryption B. TPM encryption C. USB encryption D. Individual file encryption
Answer: B Explanation: Trusted Platform Module (TPM) is a hardware-based encryption solution that is embedded in the system's motherboard and is enabled or disable in BIOS. It helps with hash key generation and stores cryptographic keys, passwords, or certificates.
Which of the following is a measure of biometrics performance which rates the ability of a system to correctly authenticate an authorized user? A. Failure to capture B. Type II C. Mean time to register D. Template capacity
Answer: B Explanation: Type II, or false acceptance rate (FAR), is the measure of the likelihood that the biometric security system will incorrectly accept an access attempt by an unauthorized user.
Key cards at a bank are not tied to individuals, but rather to organizational roles. After a break in, it becomes apparent that extra efforts must be taken to successfully pinpoint who exactly enters secure areas. Which of the following security measures can be put in place to mitigate the issue until a new key card system can be installed? A. Bollards B. Video surveillance C. Proximity readers D. Fencing
Answer: B Explanation: Video surveillance is making use of a camera, or CCTV that is able to record everything it sees and is always running. This way you will be able to check exactly who enters secure areas
Which of the following protocols is vulnerable to man-in-the-middle attacks by NOT using end to end TLS encryption? A. HTTPS B. WEP C. WPA D. WPA 2
Answer: B Explanation: WEP offers no end-to-end TLS encryption.The WEP process consists of a series of steps as follows: The wireless client sends an authentication request. The Access Point (AP) sends an authentication response containing clear-text (uh-oh!) challenge text. The client takes the challenge text received and encrypts it using a static WEP key. The client sends the encryptedauthenticationpacket to the AP. The APencryptsthe challenge text using its own static WEP key and compares the result to the authentication packet sent by the client. If the results match, the AP begins the association process for the wireless client. The big issue with WEP is the fact that it is very susceptible to a Man inthe Middle attack. The attacker capturesthe clear-text challenge and then the authentication packet reply. The attacker then reverses the RC4 encryption in order to derive the static WEP key. Yikes! As you might guess, the designers attempted to strengthen WEP using the approach of key lengths. The native Windows client supported a 104-bit key as opposed to the initial 40-bit key. The fundamental weaknesses in the WEP process still remained however.
The practice of marking open wireless access points is called which of the following? A. War dialing B. War chalking C. War driving D. Evil twin
Answer: B Explanation: War chalking is the act of making chalk marks on outdoor surfaces (walls, sidewalks, buildings, sign posts, trees) to indicate the existence of an open wireless network connection, usually offering an Internet connection so that others can benefit from the free wireless access. The open connections typically come from the access points of wireless networks located within buildings to serve enterprises. The chalk symbols indicate the type of access point that is available at that specific spot.
When implementing fire suppression controls in a datacenter it is important to: A. Select a fire suppression system which protects equipment but may harm technicians. B. Ensure proper placement of sprinkler lines to avoid accidental leakage onto servers. C. Integrate maintenance procedures to include regularly discharging the system. D. Use a system with audible alarms to ensure technicians have 20 minutes to evacuate.
Answer: B Explanation: Water-based systems can cause serious damage to all electrical equipment and the sprinkler lines in a fire suppression control system should be placed in such a way so as not to leak onto computers when it do get activated because it works with overhead nozzles
A user has unknowingly gone to a fraudulent site. The security analyst notices the following system change on the user's host: Old `hosts' file: 127.0.0.1 localhost New `hosts' file: 127.0.0.1 localhost 5.5.5.5 www.comptia.com Which of the following attacks has taken place? A. Spear phishing B. Pharming C. Phishing D. Vishing
Answer: B Explanation: We can see in this question that a fraudulent entry has been added to the user's hosts file. This will point the URL: www.comptia.com to 5.5.5.5 instead of the correct IP address. Similar in nature to e-mail phishing, pharming seeks to obtain personal or private (usually financial related) information through domain spoofing. Rather than being spammed with malicious and mischievous e-mail requests for you to visit spoof Web sites which appear legitimate, pharming 'poisons' a DNS server (or hosts file) by infusing false information into the DNS server, resulting in a user's request being redirected elsewhere. Your browser, however will show you are at the correct Web site, which makes pharming a bit more serious and more difficult to detect. Phishing attempts to scam people one at a time with an e-mail while pharming allows the scammers to target large groups of people at one time through domain spoofing.
Which of the following attacks targets high level executives to gain company information? A. Phishing B. Whaling C. Vishing D. Spoofing
Answer: B Explanation: Whaling is a specific kind of malicious hacking within the more general category of phishing, which involves hunting for data that can be used by the hacker. In general, phishing efforts are focused on collecting personal data about users. In whaling, the targets are high-ranking bankers, executives or others in powerful positions or job titles. Hackers who engage in whaling often describe these efforts as "reeling in a big fish," applying a familiar metaphor to the process of scouring technologies for loopholes and opportunities for data theft. Those who are engaged in whaling may, for example, hack into specific networks where these powerful individuals work or store sensitive data. They may also set up keylogging or other malware on a work station associated with one of these executives. There are many ways that hackers can pursue whaling, leading C-level or top-level executives in business and government to stay vigilant about the possibility of cyber threats
Sara, a hacker, is completing a website form to request a free coupon. The site has a field that limits the request to 3 or fewer coupons. While submitting the form, Sara runs an application on her machine to intercept the HTTP POST command and change the field from 3 coupons to 30. Which of the following was used to perform this attack? A. SQL injection B. XML injection C. Packet sniffer D. Proxy
Answer: B Explanation: When a web user takes advantage of a weakness with SQL by entering values that they should not, it is known as a SQL injection attack. Similarly, when the user enters values that query XML (known as XPath) with values that take advantage of exploits, it is known as an XML injection attack. XPath works in a similar manner to SQL, except that it does not have the same levels of access control, and taking advantage of weaknesses within can return entire documents. The best way to prevent XML injection attacks is to filter the user's input and sanitize it to make certain that it does not cause XPath to return more data than it should.
A security administrator has configured FTP in passive mode. Which of the following ports should the security administrator allow on the firewall by default? A. 20 B. 21 C. 22 D. 23
Answer: B Explanation: When establishing an FTP session, clients start a connection to an FTP server that listens on TCP port 21 by default.
Which of the following should be done before resetting a user's password due to expiration? A. Verify the user's domain membership. B. Verify the user's identity. C. Advise the user of new policies. D. Verify the proper group membership
Answer: B Explanation: When resetting a password, users have to establish their identity by answering a series of personal questions, using a hardware authentication token, or responding to a password notification e-mail. Users can then either specify a new, unlocked password, or ask that a randomly generated one be provided. This can be done from their workstation login prompt, or through a telephone call.
Which of the following is used by the recipient of a digitally signed email to verify the identity of the sender? A. Recipient's private key B. Sender's public key C. Recipient's public key D. Sender's private key
Answer: B Explanation: When the sender wants to send a message to the receiver. It's important that this message not be altered. The sender uses the private key to create a digital signature. The message is, in effect, signed with the private key. The sender then sends the message to the receiver. The recipient uses the public key attached to the message to validate the digital signature. If the values match, the receiver knows the message is authentic. Thus the recipient uses the sender's public key to verify the sender's identity.
While opening an email attachment, Pete, a customer, receives an error that the application has encountered an unexpected issue and must be shut down. This could be an example of which of the following attacks? A. Cross-site scripting B. Buffer overflow C. Header manipulation D. Directory traversal
Answer: B Explanation: When the user opens an attachment, the attachment is loaded into memory. The error is caused by a memory issue due to a buffer overflow attack. A buffer overflow occurs when a program or process tries to store more data in a buffer (temporary data storage area) than it was intended to hold. Since buffers are created to contain a finite amount of data, the extra information - which has to go somewhere - can overflow into adjacent buffers, corrupting or overwriting the valid data held in them. Although it may occur accidentally through programming error, buffer overflow is an increasingly common type of security attack on data integrity. In buffer overflow attacks, the extra data may contain codes designed to trigger specific actions, in effect sending new instructions to the attacked computer that could, for example, damage the user's files, change data, or disclose confidential information. Buffer overflow attacks are said to have arisen because the C programming language supplied the framework, and poor programming practices supplied the vulnerability.
Which of the following is a security concern regarding users bringing personally-owned devices that they connect to the corporate network? A. Cross-platform compatibility issues between personal devices and server-based applications B. Lack of controls in place to ensure that the devices have the latest system patches and signature files C. Non-corporate devices are more difficult to locate when a user is terminated D. Non-purchased or leased equipment may cause failure during the audits of company-owned assets
Answer: B Explanation: With employees who want to bring their own devices you will have to make them understand why they cannot. You do not want them plugging in a flash drive, let alone a camera, smartphone, tablet computer, or other device, on which company fi les could get intermingled with personal files. Allowing this to happen can create situations where data can leave the building that shouldn't as well as introduce malware to the system. Employees should not syncunauthorized smartphones to their work systems. Some smartphones use multiple wireless spectrums and unwittingly open up the possibility for an attacker in the parking lot to gain access through the phone to the internal network. Thus if you do not have controls in place then your network is definitely at risk.
Which of the following is an authentication method that can be secured by using SSL? A. RADIUS B. LDAP C. TACACS+ D. Kerberos
Answer: B Explanation: With secure LDAP (LDAPS), all LDAP communications are encrypted with SSL/TLS
An organization processes credit card transactions and is concerned that an employee may intentionally email credit card numbers to external email addresses. This company should consider which of the following technologies? A. IDS B. Firewalls C. DLP D. IPS
Answer: C Explanation: A Data Loss Prevention technology is aimed at detecting and preventing unauthorized access to, use of, or transmission of sensitive information such as credit card details
Which of the following is BEST utilized to actively test security controls on a particular system? A. Port scanning B. Penetration test C. Vulnerability scanning D. Grey/Gray box
Answer: B Explanation: Penetration testing is the most intrusive type of testing because you are actively trying to circumvent the system's security controls to gain access to the system. Penetration testing (also called pen testing) is the practice of testing a computer system, network or Web application to find vulnerabilities that an attacker could exploit. Pen tests can be automated with software applications or they can be performed manually. Either way, the process includes gathering information about the target before the test (reconnaissance), identifying possible entry points, attempting to break in (either virtually or for real) and reporting back the findings. The main objective of penetration testing is to determine security weaknesses. A pen test can also be used to test an organization's security policy compliance, its employees' security awareness and the organization's ability to identify and respond to security incidents. Penetration tests are sometimes called white hat attacks because in a pen test, the good guys are attempting to break in. Pen test strategies include: Targeted testing Targeted testing is performed by the organization's IT team and the penetration testing team working together. It's sometimes referred to as a "lights-turned-on" approach because everyone can see the test being carried out. External testing This type of pen test targets a company's externally visible servers or devices including domain name servers (DNS), e-mail servers, Web servers or firewalls. The objective is to find out if an outside attacker can get in and how far they can get in once they've gained access. Internal testing This test mimics an inside attack behind the firewall by an authorized user with standard access privileges. This kind of test is useful for estimating how much damage a disgruntled employee could cause. Blind testing A blind test strategy simulates the actions and procedures of a real attacker by severely limiting the information given to the person or team that's performing the test beforehand. Typically, they may only be given the name of the company. Because this type of test can require a considerable amount of time for reconnaissance, it can be expensive. Double blind testing Double blind testing takes the blind test and carries it a step further. In this type of pen test, only one or two people within the organization might be aware a test is being conducted. Double-blind tests can be useful for testing an organization's security monitoring and incident identification as well as its response procedures.
A network administrator uses an RFID card to enter the datacenter, a key to open the server rack, and a username and password to logon to a server. These are examples of which of the following? A. Multifactor authentication B. Single factor authentication C. Separation of duties D. Identification
Answer: B Explanation: Single-factor authentication (SFA) is a process for securing access to a given system by identifying the party requesting access via a single category of credentials. In this case, the network administrator makes use of an RFID card to access the datacenter, a key to access the server rack, and a username and password to access a server. CompTIA
Joe must send Ann a message and provide Ann with assurance that he was the actual sender. Which of the following will Joe need to use to BEST accomplish the objective? A. A pre-shared private key B. His private key C. Ann's public key D. His public key
Answer: B Explanation: To achieve both authentication and confidentiality, Joe should include Ann's name in the message, sign it using his private key, and then encrypt both the message and the signature using Ann's public key
An administrator discovers that many users have used their same passwords for years even though the network requires that the passwords be changed every six weeks. Which of the following, when used together, would BEST prevent users from reusing their existing password? (Select TWO). A. Length of password B. Password history C. Minimum password age D. Password expiration E. Password complexity F. Non-dictionary words
Answer: B,C Explanation: In this question, users are forced to change their passwords every six weeks. However, they are able to change their password and enter the same password as the new password. Password history determines the number of previous passwords that cannot be used when a user changes his password. For example, a password history value of 5 would disallow a user from changing his password to any of his previous 5 passwords. When a user is forced to change his password due to a maximum password age period expiring, (the question states that the network requires that the passwords be changed every six weeks) he could change his password to a previously used password. Or if a password history value of 5 is configured, the user could change his password six times to cycle back round to his original password. This is where the minimum password age comes in. This is the period that a password must be used for. For example, a minimum password age of 30 would determine that when a user changes his password, he must continue to use the same password for at least 30 days.
Digital signatures are used for ensuring which of the following items? (Select TWO). A. Confidentiality B. Integrity C. Non-Repudiation D. Availability E. Algorithm strength
Answer: B,C Explanation: A digital signature is similar in function to a standard signature on a document. It validates the integrity of the message and the sender. The message is encrypted using the encryption system, and a second piece of information, the digital signature, is added to the message. Nonrepudiation prevents one party from denying actions that they carried out and in the electronic world nonrepudiation measures can be a two-key cryptographic system and the involvement of a third party to verify the validity. This respected third party 'vouches' for the individuals in the twokey system. Thus non-repudiation also impacts on integrity.
After an assessment, auditors recommended that an application hosting company should contract with additional data providers for redundant high speed Internet connections. Which of the following is MOST likely the reason for this recommendation? (Select TWO). A. To allow load balancing for cloud support B. To allow for business continuity if one provider goes out of business C. To eliminate a single point of failure D. To allow for a hot site in case of disaster E. To improve intranet communication speeds
Answer: B,C Explanation: A high-speed internet connection to a second data provider could be used to keep an up-to-date replicate of the main site. In case of problem on the first site, operation can quickly switch to the second site. This eliminates the single point of failure and allows the business to continue uninterrupted on the second site. Note: Recovery Time Objective The recovery time objective (RTO) is the maximum amount of time that a process or service is allowed to be down and the consequences still be considered acceptable. Beyond this time, the break in business continuity is considered to affect the business negatively. The RTO is agreed on during BIA creation.
Which of the following would BEST be used to calculate the expected loss of an event, if the likelihood of an event occurring is known? (Select TWO). A. DAC B. ALE C. SLE D. ARO E. ROI
Answer: B,C Explanation: ALE (Annual Loss Expectancy) is equal to the SLE (Single Loss Expectancy) times the annualized rate of occurrence. SLE (Single Loss Expectancy) is equal to asset value (AV) times exposure factor (EF).
Digital certificates can be used to ensure which of the following? (Select TWO). A. Availability B. Confidentiality C. Verification D. Authorization E. Non-repudiation
Answer: B,E Explanation: Digital Signatures is used to validate the integrity of the message and the sender. Digital certificates refer to cryptography which is mainly concerned with Confidentiality, Integrity, Authentication, Nonrepudiation and Access Control. Nonrepudiation prevents one party from denying actions they carried out.
Which of the following algorithms has well documented collisions? (Select TWO). A. AES B. MD5 C. SHA D. SHA-256 E. RSA
Answer: B,C Explanation: B: MD5 biggest weakness is that it does not have strong collision resistance, and thus it is no longer recommended for use. C: SHA-1 (also known as SHA) is being retired from most government uses; the U.S. National Institute of Standards and Technology said, "Federal agencies should stop using SHA-1 for...applications that require collision resistance as soon as practical, and must use the SHA-2 family of hash functions for these applications after 2010", though that was later relaxed. Note: The hashing algorithm must have few or no collisions. This means that hashing two different inputs does not give the same output. Cryptographic hash functions are usually designed to be collision resistant. But many hash functions that were once thought to be collision resistant were later broken. MD5 and SHA-1 in particular both have published techniques more efficient than brute force for finding collisions.
In PKI, a key pair consists of: (Select TWO). A. A key ring B. A public key C. A private key D. Key escrow E. A passphrase
Answer: B,C Explanation: In a PKI the sender encrypts the data using the receiver's public key. The receiver decrypts the data using his own private key. The key pair consists of these two keys.
A recent audit has revealed weaknesses in the process of deploying new servers and network devices. Which of the following practices could be used to increase the security posture during deployment? (Select TWO). A. Deploy a honeypot B. Disable unnecessary services C. Change default passwords D. Implement an application firewall E. Penetration testing
Answer: B,C Explanation: Increasing security posture is akin to getting the appropriate type of risk mitigation for your company. A plan and its implementation is a major part of security posture. When new servers and network devices are being deployed your most vulnerable points will be coming from all unnecessary services that may be running from servers and network default passwords. Thus your plan should be to disable those services that are not needed and change the default password during the deployment of the new servers and network devices
Which of the following ports should be opened on a firewall to allow for NetBIOS communication? (Select TWO). A. 110 B. 137 C. 139 D. 143 E. 161 F. 443
Answer: B,C Explanation: NetBIOS provides four distinct services: Name service for name registration and resolution (port: 137/udp) Name service for name registration and resolution (port: 137/tcp) Datagram distribution service for connectionless communication (port: 138/udp) Session service for connection-oriented communication (port: 139/tcp)
Corporate IM presents multiple concerns to enterprise IT. Which of the following concerns should Jane, the IT security manager, ensure are under control? (Select THREE). A. Authentication B. Data leakage C. Compliance D. Malware E. Non-repudiation F. Network loading
Answer: B,C,D Explanation: In a joint enterprise, data may be combined from both organizations. It must be determined, in advance, who is responsible for that data and how the data backups will be managed. Data leakage, compliance and Malware issues are all issues concerning data ownership and backup which are both impacted on by corporate IM.
The public key is used to perform which of the following? (Select THREE). A. Validate the CRL B. Validate the identity of an email sender C. Encrypt messages D. Perform key recovery E. Decrypt messages F. Perform key escrow
Answer: B,C,E Explanation: B: The sender uses the private key to create a digital signature. The message is, in effect, signed with the private key. The sender then sends the message to the receiver. The receiver uses the public key attached to the message to validate the digital signature. If the values match, the receiver knows the message is authentic. C: The sender uses the public key to encrypt a message, and the receiver uses the private key to decrypt the message. E: You encrypt data with the private key and decrypt with the public key, though the opposite is much more frequent. Public-key cryptography, also known as asymmetric cryptography, is a class of cryptographic protocols based on algorithms that require two separate keys, one of which is secret (or private) and one of which is public. Although different, the two parts of this key pair are mathematically linked.
Which of the following symmetric key algorithms are examples of block ciphers? (Select THREE). A. RC4 B. 3DES C. AES D. MD5 E. PGP F. Blowfish
Answer: B,C,F Explanation: B: Triple DES (3DES) is the common name for the Triple Data Encryption Algorithm (TDEA or Triple DEA) symmetric-key block cipher, which applies the Data Encryption Standard (DES) cipher algorithm three times to each data block. C: Advanced Encryption Standard (AES) is a block cipher that has replaced DES as the current standard, and it uses the Rijndael algorithm. It was developed by Joan Daemen and Vincent Rijmen. AES is the current product used by U.S. governmental agencies. F: Blowfish is an encryption system invented by a team led by Bruce Schneier that performs a 64bit block cipher at very fast speeds
During a penetration test from the Internet, Jane, the system administrator, was able to establish a connection to an internal router, but not successfully log in to it. Which ports and protocols are MOST likely to be open on the firewall? (Select FOUR). A. 21 B. 22 C. 23 D. 69 E. 3389 F. SSH G. Terminal services H. Rlogin I. Rsync J. Telnet
Answer: B,C,F,J Explanation: The question states that Jane was able to establish a connection to an internal router. Typical ports and protocols used to connect to a router include the following: B, F: Port 22 which is used by SSH (Secure Shell). C, J: Port 23 which is used by Telnet. SSH and Telnet both provide command line interfaces for administering network devices such as routers and switches.
Pete, an employee, is terminated from the company and the legal department needs documents from his encrypted hard drive. Which of the following should be used to accomplish this task? (Select TWO). A. Private hash B. Recovery agent C. Public key D. Key escrow E. CRL
Answer: B,D Explanation: B: If an employee leaves and we need access to data he has encrypted, we can use the key recovery agent to retrieve his decryption key. We can use this recovered key to access the data. A key recovery agent is an entity that has the ability to recover a key, key components, or plaintext messages as needed. As opposed to escrow, recovery agents are typically used to access information that is encrypted with older keys. D: If a key need to be recovered for legal purposes the key escrow can be used. Key escrow addresses the possibility that a third party may need to access keys. Under the conditions of key escrow, the keys needed to encrypt/decrypt data are held in an escrow account (think of the term as it relates to home mortgages) and made available if that third party requests them. The third party in question is generally the government, but it could also be an employer if an employee's private messages have been called into question.
Ann, a software developer, has installed some code to reactivate her account one week after her account has been disabled. Which of the following is this an example of? (Select TWO). A. Rootkit B. Logic Bomb C. Botnet D. Backdoor E. Spyware
Answer: B,D Explanation: This is an example of both a logic bomb and a backdoor. The logic bomb is configured to 'go off' or activate one week after her account has been disabled. The reactivated account will provide a backdoor into the system. A logic bomb is a piece of code intentionally inserted into a software system that will set off a malicious function when specified conditions are met. For example, a programmer may hide a piece of code that starts deleting files should they ever be terminated from the company. Software that is inherently malicious, such as viruses and worms, often contain logic bombs that execute a certain payload at a pre-defined time or when some other condition is met. This technique can be used by a virus or worm to gain momentum and spread before being noticed. Some viruses attack their host systems on specific dates, such as Friday the 13th or April Fool's Day. Trojans that activate on certain dates are often called "time bombs". To be considered a logic bomb, the payload should be unwanted and unknown to the user of the software. As an example, trial programs with code that disables certain functionality after a set time are not normally regarded as logic bombs. A backdoor in a computer system (or cryptosystem or algorithm) is a method of bypassing normal authentication, securing unauthorized remote access to a computer, obtaining access to plaintext, and so on, while attempting to remain undetected. The backdoor may take the form of an installed program (e.g., Back Orifice) or may subvert the system through a rootkit. A backdoor in a login system might take the form of a hard coded user and password combination which gives access to the system.
A security engineer is given new application extensions each month that need to be secured prior to implementation. They do not want the new extensions to invalidate or interfere with existing application security. Additionally, the engineer wants to ensure that the new requirements are approved by the appropriate personnel. Which of the following should be in place to meet these two goals? (Select TWO). A. Patch Audit Policy B. Change Control Policy C. Incident Management Policy D. Regression Testing Policy E. Escalation Policy F. Application Audit Policy
Answer: B,D Explanation: A backout (regression testing) is a reversion from a change that had negative consequences. It could be, for example, that everything was working fi ne until you installed a service pack on a production machine, and then services that were normally available were no longer accessible. The backout, in this instance, would revert the system to the state that it was in before the service pack was applied. Backout plans can include uninstalling service packs, hotfixes, and patches, but they can also include reversing a migration and using previous firmware. A key component to creating such a plan is identifying what events will trigger your implementing the backout. A change control policy refers to the structured approach that is followed to secure a company's assets in the event of changes occurring.
Which of the following should Matt, a security administrator, include when encrypting smartphones? (Select TWO). A. Steganography images B. Internal memory C. Master boot records D. Removable memory cards E. Public keys
Answer: B,D Explanation: All useable data on the device should be encrypted. This data can be located on the hard drive, or removable drives, such as USB devices and memory cards, and on internal memory.
The librarian wants to secure the public Internet kiosk PCs at the back of the library. Which of the following would be the MOST appropriate? (Select TWO). A. Device encryption B. Antivirus C. Privacy screen D. Cable locks E. Remote wipe
Answer: B,D Explanation: B: Antivirus software is used to protect systems against viruses, which are a form of malicious code designed to spread from one system to another, consuming network resources. Public systems are particularly prone to viruses. D: Cable locks are theft deterrent devices that can be used to tether a device to a fixed point keep devices from being easy to steal
A company is preparing to decommission an offline, non-networked root certificate server. Before sending the server's drives to be destroyed by a contracted company, the Chief Security Officer (CSO) wants to be certain that the data will not be accessed. Which of the following, if implemented, would BEST reassure the CSO? (Select TWO). A. Disk hashing procedures B. Full disk encryption C. Data retention policies D. Disk wiping procedures E. Removable media encryption
Answer: B,D Explanation: B: Full disk encryption is when the entire volume is encrypted; the data is not accessible to someone who might boot another operating system in an attempt to bypass the computer's security. Full disk encryption is sometimes referred to as hard drive encryption. D: Disk wiping is the process of overwriting data on the repeatedly, or using a magnet to alter the magnetic structure of the disks. This renders the data unreadable.
Which of the following results in datacenters with failed humidity controls? (Select TWO). A. Excessive EMI B. Electrostatic charge C. Improper ventilation D. Condensation E. Irregular temperature
Answer: B,D Explanation: Humidity control prevents the buildup of static electricity in the environment. If the humidity drops much below 50 percent, electronic components are extremely vulnerable to damage from electrostatic shock. Most environmental systems also regulate humidity; however, a malfunctioning system can cause the humidity to be almost entirely extracted from a room. Make sure that environmental systems are regularly serviced. Electrostatic damage can occur when humidity levels get too low. Condensation is a direct result from failed humidity levels.
A recent audit of a company's identity management system shows that 30% of active accounts belong to people no longer with the firm. Which of the following should be performed to help avoid this scenario? (Select TWO). A. Automatically disable accounts that have not been utilized for at least 10 days. B. Utilize automated provisioning and de-provisioning processes where possible. C. Request that employees provide a list of systems that they have access to prior to leaving the firm. D. Perform regular user account review / revalidation process. E. Implement a process where new account creations require management approval.
Answer: B,D Explanation: Provisioning and de-provisioning processes can occur manually or automatically. Since the manual processes are so time consuming, the automated option should be used as it is more efficient. Revalidating user accounts would determine which users are no longer active
Which of the following are restricted to 64-bit block sizes? (Select TWO). A. PGP B. DES C. AES256 D. RSA E. 3DES F. AES
Answer: B,E Explanation: B: The Data Encryption Standard (DES) has been used since the mid-1970s. It was the primary standard used in government and industry until it was replaced by AES. It's based on a 56-bit key and has several modes that offer security and integrity. It is now considered insecure because of the small key size. E: Triple-DES (3DES) is a technological upgrade of DES. 3DES is still used, even though AES is the preferred choice for government applications. 3DES is considerably harder to break than many other systems, and it's more secure than DES. It increases the key length to 168 bits (using three 56-bit DES keys).
A recent review of accounts on various systems has found that after employees' passwords are required to change they are recycling the same password as before. Which of the following policies should be enforced to prevent this from happening? (Select TWO). A. Reverse encryption B. Minimum password age C. Password complexity D. Account lockouts E. Password history F. Password expiration
Answer: B,E Explanation: E: Password history determines the number of previous passwords that cannot be used when a user changes his password. For example, a password history value of 5 would disallow a user from changing his password to any of his previous 5 passwords. B: When a user is forced to change his password due to a maximum password age period expiring, he could change his password to a previously used password. Or if a password history value of 5 is configured, the user could change his password six times to cycle back round to his original password. This is where the minimum password age comes in. This is the period that a password must be used for. For example, a minimum password age of 30 would determine that when a user changes his password, he must continue to use the same password for at least 30 days.
After an audit, it was discovered that the security group memberships were not properly adjusted for employees' accounts when they moved from one role to another. Which of the following has the organization failed to properly implement? (Select TWO). A. Mandatory access control enforcement. B. User rights and permission reviews. C. Technical controls over account management. D. Account termination procedures. E. Management controls over account management. F. Incident management and response plan.
Answer: B,E Explanation: Reviewing user rights and permissions can be used to determine that all groups, users, and other accounts have the appropriate privileges assigned according to the policies of the corporation and their job descriptions since they were all moved to different roles. Control over account management would have taken into account the different roles that employees have and adjusted the rights and permissions of these roles accordingly.
Which of the following security architecture elements also has sniffer functionality? (Select TWO). A. HSM B. IPS C. SSL accelerator D. WAP E. IDS
Answer: B,E Explanation: Sniffer functionality means the ability to capture and analyze the content of data packets as they are transmitted across the network. IDS and IPS systems perform their functions by capturing and analyzing the content of data packets. An intrusion detection system (IDS) is a device or software application that monitors network or system activities for malicious activities or policy violations and produces reports to a management station. IDS come in a variety of "flavors" and approach the goal of detecting suspicious traffic in different ways. There are network based (NIDS) and host based (HIDS) intrusion detection systems. Some systems may attempt to stop an intrusion attempt but this is neither required nor expected of a monitoring system. Intrusion detection and prevention systems (IDPS) are primarily focused on identifying possible incidents, logging information about them, and reporting attempts. In addition, organizations use IDPSes for other purposes, such as identifying problems with security policies, documenting existing threats and deterring individuals from violating security policies. IDPSes have become a necessary addition to the security infrastructure of nearly every organization. IDPSes typically record information related to observed events, notify security administrators of important observed events and produce reports. Many IDPSes can also respond to a detected threat by attempting to prevent it from succeeding. They use several response techniques, which involve the IDPS stopping the attack itself, changing the security environment (e.g. reconfiguring a firewall) or changing the attack's content.
Joe, an employee, was escorted from the company premises due to suspicion of revealing trade secrets to a competitor. Joe had already been working for two hours before leaving the premises. A security technician was asked to prepare a report of files that had changed since last night's integrity scan. Which of the following could the technician use to prepare the report? (Select TWO). A. PGP B. MD5 C. ECC D. AES E. Blowfish F. HMAC
Answer: B,F Explanation: B: MD5 can be used to locate the data which has changed. The Message Digest Algorithm (MD) creates a hash value and uses a one-way hash. The hash value is used to help maintain integrity. There are several versions of MD; the most common are MD5, MD4, and MD2. F: A common method of verifying integrity involves adding a message authentication code (MAC) to the message. HMAC (Hash-Based Message Authentication Code) uses a hashing algorithm along with a symmetric key.
Which of the following are Data Loss Prevention (DLP) strategies that address data in transit issues? (Select TWO). A. Scanning printing of documents. B. Scanning of outbound IM (Instance Messaging). C. Scanning copying of documents to USB. D. Scanning of SharePoint document library. E. Scanning of shared drives. F. Scanning of HTTP user traffic.
Answer: B,F Explanation: DLP systems monitor the contents of systems (workstations, servers, networks) to make sure key content is not deleted or removed. They also monitor who is using the data (looking for unauthorized access) and transmitting the data. Outbound IM and HTTP user traffic refers to data over a network which falls within the DLP strategy.
Which of the following is characterized by an attack against a mobile device? A. Evil twin B. Header manipulation C. Blue jacking D. Rogue AP
Answer: C Explanation: A bluejacking attack is where unsolicited messages are sent to mobile devices using Bluetooth. Bluejacking is the sending of unsolicited messages over Bluetooth to Bluetooth-enabled devices such as mobile phones, PDAs or laptop computers, sending a vCard which typically contains a message in the name field (i.e., for bluedating or bluechat) to another Bluetooth-enabled device via the OBEX protocol. Bluetooth has a very limited range, usually around 10 metres (32.8 ft) on mobile phones, but laptops can reach up to 100 metres (328 ft) with powerful (Class 1) transmitters. Bluejacking is usually harmless, but because bluejacked people generally don't know what has happened, they may think that their phone is malfunctioning. Usually, a bluejacker will only send a text message, but with modern phones it's possible to send images or sounds as well. Bluejacking has been used in guerrilla marketing campaigns to promote advergames.
Which of the following malware types typically allows an attacker to monitor a user's computer, is characterized by a drive-by download, and requires no user interaction? A. Virus B. Logic bomb C. Spyware D. Adware
Answer: C Explanation: Spyware is software that is used to gather information about a person or organization without their knowledge and sends that information to another entity.
Company XYZ has encountered an increased amount of buffer overflow attacks. The programmer has been tasked to identify the issue and report any findings. Which of the following is the FIRST step of action recommended in this scenario? A. Baseline Reporting B. Capability Maturity Model C. Code Review D. Quality Assurance and Testing
Answer: C Explanation: A buffer overflow attack attacks a vulnerability caused by poor coding in an application. Reviewing the code of the application will enable you to identify code that is vulnerable to buffer overflow. A buffer overflow occurs when a program or process tries to store more data in a buffer (temporary data storage area) than it was intended to hold. Since buffers are created to contain a finite amount of data, the extra information - which has to go somewhere - can overflow into adjacent buffers, corrupting or overwriting the valid data held in them. Although it may occur accidentally through programming error, buffer overflow is an increasingly common type of security attack on data integrity. In buffer overflow attacks, the extra data may contain codesdesigned to trigger specific actions, in effect sending new instructions to the attacked computer that could, for example, damage the user's files, change data, or disclose confidential information. Buffer overflow attacks are said to have arisen because the C programming language supplied the framework, and poor programming practices supplied the vulnerability.
A security administrator must implement a secure key exchange protocol that will allow company clients to autonomously exchange symmetric encryption keys over an unencrypted channel. Which of the following MUST be implemented? A. SHA-256 B. AES C. Diffie-Hellman D. 3DES
Answer: C Explanation: Diffie-Hellman key exchange (D-H) is a means of securely generating symmetric encryption keys across an insecure medium
A database administrator would like to start encrypting database exports stored on the SAN, but the storage administrator warns that this may drastically increase the amount of disk space used by the exports. Which of the following explains the reason for the increase in disk space usage? A. Deduplication is not compatible with encryption B. The exports are being stored on smaller SAS drives C. Encrypted files are much larger than unencrypted files D. The SAN already uses encryption at rest
Answer: C Explanation: Encryption adds overhead to the data which results in and increase in file size. This overhead is attached to each file and could include the encryption/decryption key, data recovery files and data decryption field in file header. As a result, requires increased storage space.
Which of the following can result in significant administrative overhead from incorrect reporting? A. Job rotation B. Acceptable usage policies C. False positives D. Mandatory vacations
Answer: C Explanation: False positives are essentially events that are mistakenly flagged and are not really events to be concerned about. This causes a significant administrative overhead because the reporting is what results in the false positives.
Which of the following implementation steps would be appropriate for a public wireless hotspot? A. Reduce power level B. Disable SSID broadcast C. Open system authentication D. MAC filter
Answer: C Explanation: For a public wireless hot-spot, you want members of the public to be able to access the wireless network without having to provide them with a password. Therefore, Open System Authentication is the best solution. Open System Authentication (OSA) is a process by which a computer can gain access to a wireless network that uses the Wired Equivalent Privacy (WEP) protocol. With OSA, a computer equipped with a wireless modem can access any WEP network and receive files that are not encrypted. For OSA to work, the service set identifier (SSID) of the computer should match the SSID of the wireless access point. The SSID is a sequence of characters that uniquely names a wireless local area network (WLAN). The process occurs in three steps. First, the computer sends a request for authentication to the access point. Then the access point generates an authentication code, usually at random, intended for use only during that session. Finally, the computer accepts the authentication code and becomes part of the network as long as the session continues and the computer remains within range of the original access point. If it is necessary to exchange encrypted data between a WEP network access point and a wireless-equipped computer, a stronger authentication process called Shared Key Authentication (SKA) is required
Which of the following documents outlines the technical and security requirements of an agreement between organizations? A. BPA B. RFQ C. ISA D. RFC
Answer: C Explanation: ISA/ Interconnection Security Agreement is an agreement between two organizations that have connected systems. The agreement documents the technical requirements of the connected systems.
A datacenter requires that staff be able to identify whether or not items have been removed from the facility. Which of the following controls will allow the organization to provide automated notification of item removal? A. CCTV B. Environmental monitoring C. RFID D. EMI shielding
Answer: C Explanation: RFID is radio frequency identification that works with readers that work with 13.56 MHz smart cards and 125 kHz proximity cards and can open turnstiles, gates, and any other physical security safeguards once the signal is read. Fitting out the equipment with RFID will allow you to provide automated notification of item removal in the event of any of the equipped items is taken off the premises.
A security administrator is tasked with calculating the total ALE on servers. In a two year period of time, a company has to replace five servers. Each server replacement has cost the company $4,000 with downtime costing $3,000. Which of the following is the ALE for the company? A. $7,000 B. $10,000 C. $17,500 D. $35,000
Answer: C Explanation: SLE × ARO = ALE, where SLE is equal to asset value (AV) times exposure factor (EF); and ARO is the annualized rate of occurrence. SLE =($4000 + $3000) x 5 = $35000 ARO = 2 years Thus per year it would be 50% = 0,5 The ALE is thus $35000 x 0.5 = $17500
Visible security cameras are considered to be which of the following types of security controls? A. Technical B. Compensating C. Deterrent D. Administrative
Answer: C Explanation: Since a deterrent access control method is designed to discourage the violation of security policies, so a camera can be used to discourage individuals from taking unwanted action
A security administrator discovered that all communication over the company's encrypted wireless network is being captured by savvy employees with a wireless sniffing tool and is then being decrypted in an attempt to steal other employee's credentials. Which of the following technology is MOST likely in use on the company's wireless? A. WPA with TKIP B. VPN over open wireless C. WEP128-PSK D. WPA2-Enterprise
Answer: C Explanation: WEP's major weakness is its use of static encryption keys. When you set up a router with a WEP encryption key, that one key is used by every device on your network to encrypt every packet that's transmitted. But the fact that packets are encrypted doesn't prevent them from being intercepted, and due to some esoteric technical flaws it's entirely possible for an eavesdropper to intercept enough WEP-encrypted packets to eventually deduce what the key is. This problem used to be something you could mitigate by periodically changing the WEP key (which is why routers generally allow you to store up to four keys). But few bother to do this because changing WEP keys is inconvenient and time-consuming because it has to be done not just on the router, but on every device that connects to it. As a result, most people just set up a single key and then continue using it ad infinitum. Even worse, for those that do change the WEP key, new research and developments reinforce how even changing WEP keys frequently is no longer sufficient to protect a WLAN. The processof 'cracking' a WEP key used to require that a malicious hacker intercept millions of packets plus spend a fair amount of time and computing power. Researchers in the computer science department of a German university recently demonstrated the capability to compromise a WEPprotected network very quickly. After spending less than a minute intercepting data (fewer than 100,000 packets in all) they were able to compromise a WEP key in just three seconds.
A distributed denial of service attack can BEST be described as: A. Invalid characters being entered into a field in a database application. B. Users attempting to input random or invalid data into fields within a web browser application. C. Multiple computers attacking a single target in an organized attempt to deplete its resources. D. Multiple attackers attempting to gain elevated privileges on a target system.
Answer: C Explanation: A Distributed Denial of Service (DDoS) attack is an attack from several different computers targeting a single computer. One common method of attack involves saturating the target machine with external communications requests, so much so that it cannot respond to legitimate traffic, or responds so slowly as to be rendered essentially unavailable. Such attacks usually lead to a server overload. A distributed denial-of-service (DDoS) attack occurs when multiple systems flood the bandwidth or resources of a targeted system, usually one or more web servers. Such an attack is often the result of multiple compromised systems (for example a botnet) flooding the targeted system with traffic. When a server is overloaded with connections, new connections can no longer be accepted. The major advantages to an attacker of using a distributed denial-of-service attack are that multiple machines can generate more attack traffic than one machine, multiple attack machines are harder to turn off than one attack machine, and that the behavior of each attack machine can be stealthier, making it harder to track and shut down. These attacker advantages cause challenges for defense mechanisms. For example, merely purchasing more incoming bandwidth than the current volume of the attack might not help, because the attacker might be able to simply add more attack machines. This after all will end up completely crashing a website for periods of time. Malware can carry DDoS attack mechanisms; one of the better-known examples of this was MyDoom. Its DoS mechanism was triggered on a specific date and time. This type of DDoS involved hardcoding the target IP address prior to release of the malware and no further interaction was necessary to launch the attack.
Which of the following tools would allow Ann, the security administrator, to be able to BEST quantify all traffic on her network? A. Honeypot B. Port scanner C. Protocol analyzer D. Vulnerability scanner
Answer: C Explanation: A Protocol Analyzer is a hardware device or more commonly a software program used to capture network data communications sent between devices on a network. By capturing and analyzing the packets sent between the systems on the network, Ann would be able to quantify the amount of traffic on the network. Well known software protocol analyzers include Message Analyzer (formerly Network Monitor) from Microsoft and Wireshark (formerly Ethereal
A malicious individual is attempting to write too much data to an application's memory. Which of the following describes this type of attack? A. Zero-day B. SQL injection C. Buffer overflow D. XSRF
Answer: C Explanation: A buffer overflow occurs when a program or process tries to store more data in a buffer (temporary data storage area) than it was intended to hold. Since buffers are created to contain a finite amount of data, the extra information - which has to go somewhere - can overflow into adjacent buffers, corrupting or overwriting the valid data held in them. Although it may occur accidentally through programming error, buffer overflow is an increasingly common type of security attack on data integrity. In buffer overflow attacks, the extra data may contain codes designed to trigger specific actions, in effect sending new instructions to the attacked computer that could, for example, damage the user's files, change data, or disclose confidential information. Buffer overflow attacks are said to have arisen because the C programming language supplied the framework, and poor programming practices supplied the vulnerability
When reviewing a digital certificate for accuracy, which of the following would Matt, a security administrator, focus on to determine who affirms the identity of the certificate owner? A. Trust models B. CRL C. CA D. Recovery agent
Answer: C Explanation: A certificate authority (CA) is an organization that is responsible for issuing, revoking, and distributing certificates. The CA affirms the identity of the certificate owner.
A program has been discovered that infects a critical Windows system executable and stays dormant in memory. When a Windows mobile phone is connected to the host, the program infects the phone's boot loader and continues to target additional Windows PCs or phones. Which of the following malware categories BEST describes this program? A. Zero-day B. Trojan C. Virus D. Rootkit
Answer: C Explanation: A computer virus is a program or piece of code that is loaded onto your computer without your knowledge and runs against your wishes. Viruses can also replicate themselves. All computer viruses are man-made. A simple virus that can make a copy of itself over and over again is relatively easy to produce. Even such a simple virus is dangerous because it will quickly use all available memory and bring the system to a halt. An even more dangerous type of virus is one capable of transmitting itself across networks and bypassing security systems. Some people distinguish between general viruses and worms. A worm is a special type of virus that can replicate itself and use memory, but cannot attach itself to other programs
A forensic analyst is reviewing electronic evidence after a robbery. Security cameras installed at the site were facing the wrong direction to capture the incident. The analyst ensures the cameras are turned to face the proper direction. Which of the following types of controls is being used? A. Detective B. Deterrent C. Corrective D. Preventive
Answer: C Explanation: A corrective control would be any corrective action taken to correct any existing control that were faulty or wrongly installed - as in this case the cameras were already there, it just had to be adjusted to perform its function as intended.
QUESTION NO: 1020 Digital Signatures provide which of the following? A. Confidentiality B. Authorization C. Integrity D. Authentication E. Availability
Answer: C Explanation: A digital signature is similar in function to a standard signature on a document. It validates the integrity of the message and the sender.
Which of the following concepts defines the requirement for data availability? A. Authentication to RADIUS B. Non-repudiation of email messages C. Disaster recovery planning D. Encryption of email messages
Answer: C Explanation: A disaster-recovery plan, or scheme, helps an organization respond effectively when a disaster occurs. Disasters may include system failure, network failure, infrastructure failure, and natural disaster. The primary emphasis of such a plan is reestablishing services and minimizing losses.
A company wants to ensure that its hot site is prepared and functioning. Which of the following would be the BEST process to verify the backup datacenter is prepared for such a scenario? A. Site visit to the backup data center B. Disaster recovery plan review C. Disaster recovery exercise D. Restore from backup
Answer: C Explanation: A hot site is a location that can provide operations within hours of a failure. This type of site would have servers, networks, and telecommunications equipment in place to reestablish service in a short time. Hot sites provide network connectivity, systems, and preconfigured software tomeet the needs of an organization. This means that an actual exercise run would test the abilities of your hot site best
The Chief Information Officer (CIO) receives an anonymous threatening message that says "beware of the 1st of the year". The CIO suspects the message may be from a former disgruntled employee planning an attack. Which of the following should the CIO be concerned with? A. Smurf Attack B. Trojan C. Logic bomb D. Virus
Answer: C Explanation: A logic bomb is a piece of code intentionally inserted into a software system that will set off a malicious function when specified conditions are met. For example, a programmer may hide a piece of code that starts deleting files should they ever be terminated from the company. Software that is inherently malicious, such as viruses and worms, often contain logic bombs that execute a certain payload at a pre-defined time or when some other condition is met. This technique can be used by a virus or worm to gain momentum and spread before being noticed. Some viruses attack their host systems on specific dates, such as Friday the 13th or April Fool's Day. Trojans that activate on certain dates are often called "time bombs". To be considered a logic bomb, the payload should be unwanted and unknown to the user of the software. As an example, trial programs with code that disables certain functionality after a set time are not normally regarded as logic bombs.
The Chief Security Officer (CSO) is concerned about misuse of company assets and wishes to determine who may be responsible. Which of the following would be the BEST course of action? A. Create a single, shared user account for every system that is audited and logged based upon time of use. B. Implement a single sign-on application on equipment with sensitive data and high-profile shares. C. Enact a policy that employees must use their vacation time in a staggered schedule. D. Separate employees into teams led by a person who acts as a single point of contact for observation purposes.
Answer: C Explanation: A policy that states employees should use their vacation time in a staggered schedule is a way of employing mandatory vacations. A mandatory vacation policy requires all users to take time away from work while others step in and do the work of that employee on vacation. This will afford the CSO the opportunity to see who is using the company assets responsibly and who is abusing it.
Which of the following would be MOST appropriate if an organization's requirements mandate complete control over the data and applications stored in the cloud? A. Hybrid cloud B. Community cloud C. Private cloud D. Public cloud
Answer: C Explanation: A private cloud is a cloud service for internal use only and is located within a corporate network rather than on the Internet. It is usually owned, managed, and operated by the company, which gives the company full control over the data and applications stored in the cloud
Which of the following devices would be the MOST efficient way to filter external websites for staff on an internal network? A. Protocol analyzer B. Switch C. Proxy D. Router
Answer: C Explanation: A proxy is a device that acts on behalf of other devices. All internal user communications with the Internet could be controlled through a proxy server, which can be configured to automatically filter out or block certain sites and content. It can also cache often-accessed sites to improve performance.
Which of the following attacks could be used to initiate a subsequent man-in-the-middle attack? A. ARP poisoning B. DoS C. Replay D. Brute force
Answer: C Explanation: A replay attack (also known as playback attack) is a form of network attack in which a valid data transmission is maliciously or fraudulently repeated or delayed. This is carried out either by the originator or by an adversary who intercepts the data and retransmits it, possibly as part of a masquerade attack by IP packet substitution (such as stream cipher attack). For example: Suppose Alice wants to prove her identity to Bob. Bob requests her password as proof of identity, which Alice dutifully provides (possibly after some transformation like a hash function); meanwhile, Eve is eavesdropping on the conversation and keeps the password (or the hash). After the interchange is over, Eve (posing as Alice) connects to Bob; when asked for a proof of identity, Eve sends Alice's password (or hash) read from the last session, which Bob accepts thus granting access to Eve. Countermeasures: A way to avoid replay attacks is by using session tokens: Bob sends a onetime token to Alice, which Alice uses to transform the password and send the result to Bob (e.g. computing a hash function of the session token appended to the password). On his side Bob performs the same computation; if and only if both values match, the login is successful. Now suppose Eve has captured this value and tries to use it on another session; Bob sends a different session token, and when Eve replies with the captured value it will be different from Bob's computation. Session tokens should be chosen by a (pseudo-) random process. Otherwise Eve may be able to pose as Bob, presenting some predicted future token, and convince Alice to use that token in her transformation. Eve can then replay her reply at a later time (when the previously predicted token is actually presented by Bob), and Bob will accept the authentication. One-time passwords are similar to session tokens in that the password expires after it has been used or after a very short amount of time. They can be used to authenticate individual transactions in addition to sessions. The technique has been widely implemented in personal online banking systems. Bob can also send nonces but should then include a message authentication code (MAC), which Alice should check. Timestamping is another way of preventing a replay attack. Synchronization should be achieved using a secure protocol. For example Bob periodically broadcasts the time on his clock together with a MAC. When Alice wants to send Bob a message, she includes her best estimate of the time on his clock in her message, which is also authenticated. Bob only accepts messages for which the timestamp is within a reasonable tolerance. The advantage of this scheme is that Bob does not need to generate (pseudo-) random numbers, with the trade-off being that replay attacks, if they are performed quickly enough i.e. within that 'reasonable' limit, could succeed.
In which of the following scenarios is PKI LEAST hardened? A. The CRL is posted to a publicly accessible location. B. The recorded time offsets are developed with symmetric keys. C. A malicious CA certificate is loaded on all the clients. D. All public keys are accessed by an unauthorized user.
Answer: C Explanation: A rogue Certification Authority (CA) certificate allows malicious users to impersonate any Web site on the Internet, including banking and e-commerce sites secured using the HTTPS protocol. A rogue CA certificate would be seen as trusted by Web browsers, and it is harmful because it can appear to be signed by one of the root CAs that browsers trust by default. A rogue Certification Authority (CA) certificate can be created using a vulnerability in the Internet Public Key Infrastructure (PKI) used to issue digital certificates for secure Web sites.
A user has plugged in a wireless router from home with default configurations into a network jack at the office. This is known as: A. an evil twin. B. an IV attack. C. a rogue access point. D. an unauthorized entry point.
Answer: C Explanation: A rogue access point is a wireless access point that should not be there. In this question, the wireless router has been connected to the corporate network without authorization. Therefore, it is a rogue access point. A rogue access point is a wireless access point that has either been installed on a secure company network without explicit authorization from a local network administrator, or has been created to allow a hacker to conduct a man-in-the-middle attack. Rogue access points of the first kind can pose a security threat to large organizations with many employees, because anyone with access to the premises can install (maliciously or non-maliciously) an inexpensive wireless router that can potentially allow access to a secure network to unauthorized parties. Rogue access points of the second kind target networks that do not employ mutual authentication (client-server serverclient) and may be used in conjunction with a rogue RADIUS server, depending on security configuration of the target network. To prevent the installation of rogue access points, organizations can install wireless intrusion prevention systems to monitor the radio spectrum for unauthorized access points.
Who should be contacted FIRST in the event of a security breach? A. Forensics analysis team B. Internal auditors C. Incident response team D. Software vendors
Answer: C Explanation: A security breach is an incident and requires a response. The incident response team would be better equipped to deal with any incident insofar as all their procedures are concerned. Their procedures in addressing incidents are: Preparation; Incident identification; Escalation and notification; Mitigation steps; Lessons learned; Reporting; Recover/reconstitution procedures; First responder; Incident isolation (Quarantine; Device removal); Data breach; Damage and loss control.
A periodic update that corrects problems in one version of a product is called a A. Hotfix B. Overhaul C. Service pack D. Security update
Answer: C Explanation: A service pack is a collection of updates and hotfixes that address a number of software issues, as well as new software features. It is released periodically by the vendor.
Which of the following is an important implementation consideration when deploying a wireless network that uses a shared password? A. Authentication server B. Server certificate C. Key length D. EAP method
Answer: C Explanation: Key length is the main issue of concern since the wireless network uses a shared password. With risks of shared passwords makes the length of the password a crucial factor to risk mitigation.
Which statement is TRUE about the operation of a packet sniffer? A. It can only have one interface on a management network. B. They are required for firewall operation and stateful inspection. C. The Ethernet card must be placed in promiscuous mode. D. It must be placed on a single virtual LAN interface.
Answer: C Explanation: A sniffer (packet sniffer) is a tool that intercepts data flowing in a network. If computers are connected to a local area network that is not filtered or switched, the traffic can be broadcast to all computers contained in the same segment. This doesn't generally occur, since computers are generally told to ignore all the comings and goings of traffic from other computers. However, in the case of a sniffer, all traffic is shared when the sniffer software commands the Network Interface Card (NIC) to stop ignoring the traffic. The NIC is put into promiscuous mode, and it reads communications between computers within a particular segment. This allows the sniffer to seize everything that is flowing in the network, which can lead to the unauthorized access of sensitive data. A packet sniffer can take the form of either a hardware or software solution. A sniffer is also known as a packet analyzer.
Which of the following types of data encryption would Matt, a security administrator, use to encrypt a specific table? A. Full disk B. Individual files C. Database D. Removable media
Answer: C Explanation: A table is stored in a database. Database encryption makes use of cryptography functions that are built into the database software to encrypt the data stored in the database. This often offers granular encryption options which allows for the encryptions of the entire database, specific database tables, or specific database fields, such as a credit card number field.
A security administrator must implement a system that will support and enforce the following file system access control model: FILE NAMESECURITY LABEL Employees.docConfidential Salary.xlsConfidential OfficePhones.xlsUnclassified PersonalPhones.xlsRestricted Which of the following should the security administrator implement? A. White and black listing B. SCADA system C. Trusted OS D. Version control
Answer: C Explanation: A trusted operating system (TOS) is any operating system that meets the government's requirements for security. Trusted OS uses a form of Mandatory access control called Multi-Level Security. The Mandatory access control (MAC) is a form of access control commonly employed by government and military environments. MAC specifies that access is granted based on a set ofrules rather than at the discretion of a user. The rules that govern MAC are hierarchical in nature and are often called sensitivity labels, security domains, or classifications. MLS is an implementation of MAC that focuses on confidentiality. A Multi-Level Security operating system is able to enforce the separation of multiple classifications of information as well as manage multiple users with varying levels of information clearance. The military and intelligence community must handle and process various hierarchical levels of classified information. At the high-end there is Top Secret, followed in turn by Secret, Confidential, and Unclassified:
An administrator was asked to review user accounts. Which of the following has the potential to cause the MOST amount of damage if the account was compromised? A. A password that has not changed in 180 days B. A single account shared by multiple users C. A user account with administrative rights D. An account that has not been logged into since creation
Answer: C Explanation: A user account with administrative rights has the same rights as an administrator account on a computer. An administrator account is a user account that lets you make changes that will affect other users. Administrators can change security settings, install software and hardware, and access all files on the computer. Administrators can also make changes to other user accounts. This compares to a standard user (non-administrative) account which has limited rights on a computer. For example, a standard user account cannot install software, cannot make system changes that would affect other users and cannot access other users' files. Therefore, a compromised user account with administrative rights has the potential for the most damage.
Which of the following would be used to identify the security posture of a network without actually exploiting any weaknesses? A. Penetration test B. Code review C. Vulnerability scan D. Brute Force scan
Answer: C Explanation: A vulnerability scan is the automated process of proactively identifying security vulnerabilities of computing systems in a network in order to determine if and where a system can be exploited and/or threatened. While public servers are important for communication and data transfer over the Internet, they open the door to potential security breaches by threat agents, such as malicious hackers. Vulnerability scanning employs software that seeks out security flaws based on a database of known flaws, testing systems for the occurrence of these flaws and generating a report of the findings that an individual or an enterprise can use to tighten the network's security. Vulnerability scanning typically refers to the scanning of systems that are connected to the Internet but can also refer to system audits on internal networks that are not connected to the Internet in order to assess the threat of rogue software or malicious employees in an enterprise.
Which of the following BEST represents the goal of a vulnerability assessment? A. To test how a system reacts to known threats B. To reduce the likelihood of exploitation C. To determine the system's security posture D. To analyze risk mitigation strategies
Answer: C Explanation: A vulnerability scan is the process of scanning the network and/or I.T. infrastructure for threats and vulnerabilities. The threats and vulnerabilities are then evaluated in a risk assessment and the necessary actions taken to resolve and vulnerabilities. A vulnerability scan scans for known weaknesses such as missing patches or security updates. A vulnerability scan is the automated process of proactively identifying security vulnerabilities of computing systems in a network in order to determine if and where a system can be exploited and/or threatened. While public servers are important for communication and data transfer over the Internet, they open the door to potential security breaches by threat agents, such as malicious hackers. Vulnerability scanning employs software that seeks out security flaws based on a database of known flaws, testing systems for the occurrence of these flaws and generating a report of the findings that an individual or an enterprise can use to tighten the network's security.
Pete, the system administrator, has concerns regarding users losing their company provided smartphones. Pete's focus is on equipment recovery. Which of the following BEST addresses his concerns? A. Enforce device passwords. B. Use remote sanitation. C. Enable GPS tracking. D. Encrypt stored data
Answer: C Explanation: Global Positioning System (GPS) tracking can be used to identify its location of a stolen device and can allow authorities to recover the device. However, for GPS tracking to work, the device must have an Internet connection or a wireless phone service over which to send its location information
Which of the following would a security administrator implement in order to discover comprehensive security threats on a network? A. Design reviews B. Baseline reporting C. Vulnerability scan D. Code review
Answer: C Explanation: A vulnerability scan is the process of scanning the network and/or I.T. infrastructure for threats and vulnerabilities. Vulnerabilities include computer systems that do not have the latest security patches installed. The threats and vulnerabilities are then evaluated in a risk assessment and the necessary actions taken to resolve and vulnerabilities. A vulnerability scan is the automated process of proactively identifying security vulnerabilities of computing systems in a network in order to determine if and where a system can be exploited and/or threatened. While public servers are important for communication and data transfer over the Internet, they open the door to potential security breaches by threat agents, such as malicious hackers. Vulnerability scanning employs software that seeks out security flaws based on a database of known flaws, testing systems for the occurrence of these flaws and generating a report of the findings that an individual or an enterprise can use to tighten the network's security. Vulnerability scanning typically refers to the scanning of systems that are connected to the Internet but can also refer to system audits on internal networks that are not connected to the Internet in order to assess the threat of rogue software or malicious employees in an enterprise.
Several users' computers are no longer responding normally and sending out spam email to the users' entire contact list. This is an example of which of the following? A. Trojan virus B. Botnet C. Worm outbreak D. Logic bomb
Answer: C Explanation: A worm is similar to a virus but is typically less malicious. A virus will usually cause damage to the system or files whereas a worm will usually just spread itself either using the network or by sending emails. A computer worm is a standalone malware computer program that replicates itself in order to spread to other computers. Often, it uses a computer network to spread itself, relying on security failures on the target computer to access it. Unlike a computer virus, it does not need to attach itself to an existing program. Worms almost always cause at least some harm to the network, even if only by consuming bandwidth, whereas viruses almost always corrupt or modify files on a targeted computer.
A security administrator is notified that users attached to a particular switch are having intermittent connectivity issues. Upon further research, the administrator finds evidence of an ARP spoofing attack. Which of the following could be utilized to provide protection from this type of attack? A. Configure MAC filtering on the switch. B. Configure loop protection on the switch. C. Configure flood guards on the switch. D. Configure 802.1x authentication on the switch.
Answer: C Explanation: ARP spoofing is a type of attack in which a malicious actor sends falsified ARP (Address Resolution Protocol) messages over a local area network. This results in the linking of an attacker's MAC address with the IP address of a legitimate computer or server on the network. Once the attacker's MAC address is connected to an authentic IP address, the attacker will begin receiving any data that is intended for that IP address. ARP spoofing can enable malicious parties to intercept, modify or even stop data in-transit. ARP spoofing attacks can only occur on local area networks that utilize the Address Resolution Protocol. To perform ARP spoofing the attacker floods the network with spoofed ARP packets. As other hosts on the LAN cache the spoofed ARP packets, data that those hosts send to the victim will go to the attacker instead. From here, the attacker can steal data or launch a more sophisticated follow-up attack. A flood guard configured on the network switch will block the flood of spoofed ARP packets.
Which of the following would BEST deter an attacker trying to brute force 4-digit PIN numbers to access an account at a bank teller machine? A. Account expiration settings B. Complexity of PIN C. Account lockout settings D. PIN history requirements
Answer: C Explanation: Account lockout settings determine the number of failed login attempts before the account gets locked and how long the account will be locked out for. For example, an account can be configured to lock if three incorrect passwords (or in this case PIN's) are entered. The account can then be configured to automatically unlock after a period of time or stay locked until someone manually unlocks it.
Which of the following malware types may require user interaction, does not hide itself, and is commonly identified by marketing pop-ups based on browsing habits? A. Botnet B. Rootkit C. Adware D. Virus
Answer: C Explanation: Adware is free software that is supported by advertisements. Common adware programs are toolbars, games and utilities. They are free to use, but require you to watch advertisements as long as the programs are open. Adware typically requires an active Internet connection to run
The system administrator has deployed updated security controls for the network to limit risk of attack. The security manager is concerned that controls continue to function as intended to maintain appropriate security posture. Which of the following risk mitigation strategies is MOST important to the security manager? A. User permissions B. Policy enforcement C. Routine audits D. Change management
Answer: C Explanation: After you have implemented security controls based on risk, you must perform routine audits. These audits should include reviews of user rights and permissions as well as specific events. You should pay particular attention to false positives and negatives.
A security team has established a security awareness program. Which of the following would BEST prove the success of the program? A. Policies B. Procedures C. Metrics D. Standards
Answer: C Explanation: All types of training should be followed up- be tested to see if it worked and how much was learned in the training process. You must follow up and gather training metrics to validate compliance and security posture. By training metrics, we mean some quantifiable method for determining the efficacy of training.
Which of the following is an indication of an ongoing current problem? A. Alert B. Trend C. Alarm D. Trap
Answer: C Explanation: An alarm indicates that something is wrong and needs to be resolved as soon as possible. Alarms usually continue to sound until the problem is resolved or the alarm is manually silenced.
A small business needs to incorporate fault tolerance into their infrastructure to increase data availability. Which of the following options would be the BEST solution at a minimal cost? A. Clustering B. Mirrored server C. RAID D. Tape backup
Answer: C Explanation: RAID, or redundant array of independent disks (RAID). RAID allows your existing servers to have more than one hard drive so that if the main hard drive fails, the system keeps functioning. RAID can achieve fault tolerance using software which can be done using the existing hardware and software
In Kerberos, the Ticket Granting Ticket (TGT) is used for which of the following? A. Identification B. Authorization C. Authentication D. Multifactor authentication
Answer: C Explanation: An authentication ticket, also known as a ticket-granting ticket (TGT), is a small amount of encrypted data that is issued by a server in the Kerberos authentication model to begin the authentication process. When the client receives an authentication ticket, the client sends the ticket back to the server along with additional information verifying the client's identity. The server then issues a service ticket and a session key (which includes a form of password), completing the authorization process for that session. In the Kerberos model, all tickets are time-stamped and have limited lifetimes. This minimizes the danger that hackers will be able to steal or crack the encrypted data and use it to compromise the system. Ideally, no authentication ticket remains valid for longer than the time an expert hacker would need to crack the encryption. Authentication tickets are session-specific, further improving the security of the system by ensuring that no authentication ticket remains valid after a given session is complete.
A Windows-based computer is infected with malware and is running too slowly to boot and run a malware scanner. Which of the following is the BEST way to run the malware scanner? A. Kill all system processes B. Enable the firewall C. Boot from CD/USB D. Disable the network connection
Answer: C Explanation: Antivirus companies frequently create boot discs you can use to scan and repair your computer. These tools can be burned to a CD or DVD or installed onto a USB drive. You can then restart your computer and boot from the removable media. A special antivirus environment will load where your computer can be scanned and repaired. Incorrect Options: A: Kill all system processes will stop system processes, and could have a negative effect on the system. It is not the BEST way to run the malware scanner B: The basic purpose of a firewall is to isolate one network from another. It is not the BEST way to run the malware scanner. D: Disabling the network connection will not allow for the BEST way to run the malware scanner.
Sara, a security architect, has developed a framework in which several authentication servers work together to increase processing power for an application. Which of the following does this represent? A. Warm site B. Load balancing C. Clustering D. RAID
Answer: C Explanation: Anytime you connect multiple computers to work/act together as a single server, it is known as clustering. Clustered systems utilize parallel processing (improving performance and availability) and add redundancy. Server clustering is used to provide failover capabilities / redundancy in addition to scalability as demand increases.
Identifying a list of all approved software on a system is a step in which of the following practices? A. Passively testing security controls B. Application hardening C. Host software baselining D. Client-side targeting
Answer: C Explanation: Application baseline defines the level or standard of security that will be implemented and maintained for the application. It may include requirements of hardware components, operating system versions, patch levels, installed applications and their configurations, and available ports and services. Systems can be compared to the baseline to ensure that the required level of security is being maintained.
When confidentiality is the primary concern, and a secure channel for key exchange is not available, which of the following should be used for transmitting company documents? A. Digital Signature B. Symmetric C. Asymmetric D. Hashing
Answer: C Explanation: Asymmetric algorithms use two keys to encrypt and decrypt data. These asymmetric keys are referred to as the public key and the private key. Asymmetric algorithms do not require a secure channel for the initial exchange of secret keys between the parties.
A user ID and password together provide which of the following? A. Authorization B. Auditing C. Authentication D. Identification
Answer: C Explanation: Authentication generally requires one or more of the following: Something you know: a password, code, PIN, combination, or secret phrase. Something you have: a smart card, token device, or key. Something you are: a fingerprint, a retina scan, or voice recognition; often referred to as biometrics, discussed later in this chapter. Somewhere you are: a physical or logical location. Something you do: typing rhythm, a secret handshake, or a private knock.
A security administrator is tackling issues related to authenticating users at a remote site. There have been a large number of security incidents that resulted from either tailgating or impersonation of authorized users with valid credentials. The security administrator has been told to implement multifactor authentication in order to control facility access. To secure access to the remote facility, which of the following could be implemented without increasing the amount of space required at the entrance? A. MOTD challenge and PIN pad B. Retina scanner and fingerprint reader C. Voice recognition and one-time PIN token D. One-time PIN token and proximity reader
Answer: C Explanation: Authentication systems or methods are based on one or more of these five factors: Something you know, such as a password or PIN Something you have, such as a smart card, token, or identification device Something you are, such as your fingerprints or retinal pattern (often called biometrics) Something you do, such as an action you must take to complete authentication Somewhere you are (this is based on geolocation) Multifactor authentication is authentication that uses two of more of the authentication factors listed above. In this question, we can use voice recognition (something you are) and a one-time PIN token (something you have) to provide two factors of authentication. The one-time PIN token is a small device that generates a one-time PIN to enable access.
Sara, an employee, tethers her smartphone to her work PC to bypass the corporate web security gateway while connected to the LAN. While Sara is out at lunch her PC is compromised via the tethered connection and corporate data is stolen. Which of the following would BEST prevent this from occurring again? A. Disable the wireless access and implement strict router ACLs. B. Reduce restrictions on the corporate web security gateway. C. Security policy and threat awareness training. D. Perform user rights and permissions reviews.
Answer: C Explanation: BYOD (In this case Sara's smart phone) involves the possibility of a personal device that is infected with malware introducing that malware to the network and security awareness training will address the issue of the company's security policy with regard to BYOD.
Which of the following BEST describes a protective countermeasure for SQL injection? A. Eliminating cross-site scripting vulnerabilities B. Installing an IDS to monitor network traffic C. Validating user input in web applications D. Placing a firewall between the Internet and database servers
Answer: C Explanation: By validating user input and preventing special characters, we can prevent the injection of clientside scripting code. SQL injection is a code injection technique, used to attack data-driven applications, in which malicious SQL statements are inserted into an entry field for execution (e.g. to dump the database contents to the attacker). SQL injection must exploit a security vulnerability in an application's software, for example, when user input is either incorrectly filtered for string literal escape characters embedded in SQL statements or user input is not strongly typed and unexpectedly executed. SQL injection is mostly known as an attack vector for websites but can be used to attack any type of SQL database.
Which of the following should be implemented to stop an attacker from mapping out addresses and/or devices on a network? A. Single sign on B. IPv6 C. Secure zone transfers D. VoIP
Answer: C Explanation: C: A primary DNS server has the "master copy" of a zone, and secondary DNS servers keep copies of the zone for redundancy. When changes are made to zone data on the primary DNS server, these changes must be distributed to the secondary DNS servers for the zone. This is done through zone transfers. If you allow zone transfers to any server, all the resource records in the zone are viewable by any host that can contact your DNS server. Thus you will need to secure the zone transfers to stop an attacker from mapping out your addresses and devices on your network.
Which of the following can be used as an equipment theft deterrent? A. Screen locks B. GPS tracking C. Cable locks D. Whole disk encryption
Answer: C Explanation: Cable locks are theft deterrent devices that can be used to tether a device to a fixed point keep smaller devices from being easy to steal.
To ensure proper evidence collection, which of the following steps should be performed FIRST? A. Take hashes from the live system B. Review logs C. Capture the system image D. Copy all compromised files
Answer: C Explanation: Capturing an image of the operating system in its exploited state can be helpful in revisiting the issue after the fact to learn more about it. This is essential since the collection of evidence process may result in some mishandling and changing the exploited state.
Which of the following should Jane, a security administrator, perform before a hard drive is analyzed with forensics tools? A. Identify user habits B. Disconnect system from network C. Capture system image D. Interview witnesses
Answer: C Explanation: Capturing an image of the operating system in its exploited state can be helpful in revisiting the issue after the fact to learn more about it. Very much as helpful in same way that a virus sample is kept in laboratories to study later after a breakout. Also you should act in the order of volatility which states that the system image capture is first on the list of a forensic analysis.
Which of the following MUST be updated immediately when an employee is terminated to prevent unauthorized access? A. Registration B. CA C. CRL D. Recovery agent
Answer: C Explanation: Certificates or keys for the terminated employee should be put in the CRL. A certificate revocation list (CRL) is created and distributed to all CAs to revoke a certificate or key. By checking the CRL you can check if a particular certificate has been revoked
A compromised workstation utilized in a Distributed Denial of Service (DDOS) attack has been removed from the network and an image of the hard drive has been created. However, the system administrator stated that the system was left unattended for several hours before the image was created. In the event of a court case, which of the following is likely to be an issue with this incident? A. Eye Witness B. Data Analysis of the hard drive C. Chain of custody D. Expert Witness
Answer: C Explanation: Chain of custody deals with how evidence is secured, where it is stored, and who has access to it. When you begin to collect evidence, you must keep track of that evidence at all times and show who has it, who has seen it, and where it has been. The evidence must always be within your custody, or you're open to dispute about possible evidence tampering.
Which of the following mitigation strategies is established to reduce risk when performing updates to business critical systems? A. Incident management B. Server clustering C. Change management D. Forensic analysis
Answer: C Explanation: Change Management is a risk mitigation approach and refers to the structured approach that is followed to secure a company's assets. In this case 'performing updates to business critical systems.
A security administrator needs to update the OS on all the switches in the company. Which of the following MUST be done before any actual switch configuration is performed? A. The request needs to be sent to the incident management team. B. The request needs to be approved through the incident management process. C. The request needs to be approved through the change management process. D. The request needs to be sent to the change management team.
Answer: C Explanation: Change Management is a risk mitigation approach and refers to the structured approach that is followed to secure a company's assets. Thus the actual switch configuration should first be subject to the change management approval.
The network administrator is responsible for promoting code to applications on a DMZ web server. Which of the following processes is being followed to ensure application integrity? A. Application hardening B. Application firewall review C. Application change management D. Application patch management
Answer: C Explanation: Change management is the structured approach that is followed to secure a company's assets. Promoting code to application on a SMZ web server would be change management.
A security administrator forgets their card to access the server room. The administrator asks a coworker if they could use their card for the day. Which of the following is the administrator using to gain access to the server room? A. Man-in-the-middle B. Tailgating C. Impersonation D. Spoofing
Answer: C Explanation: Impersonation is where a person, computer, software application or service pretends to be someone or something it's not. Impersonation is commonly non-maliciously used in client/server applications. However, it can also be used as a security threat. In this question, by using the coworker's card, the security administrator is 'impersonating' the coworker. The server room locking system and any logging systems will 'think' that the coworker has entered the server room.
An administrator has a network subnet dedicated to a group of users. Due to concerns regarding data and network security, the administrator desires to provide network access for this group only. Which of the following would BEST address this desire? A. Install a proxy server between the users' computers and the switch to filter inbound network traffic. B. Block commonly used ports and forward them to higher and unused port numbers. C. Configure the switch to allow only traffic from computers based upon their physical address. D. Install host-based intrusion detection software to monitor incoming DHCP Discover requests
Answer: C Explanation: Configuring the switch to allow only traffic from computers based upon their physical address is known as MAC filtering. The physical address is known as the MAC address. Every network adapter has a unique MAC address hardcoded into the adapter. You can configure the ports of a switch to allow connections from computers with specific MAC addresses only and block all other MAC addresses. MAC filtering is commonly used in wireless networks but is considered insecure because a MAC address can be spoofed. However, in a wired network, it is more secure because it would be more difficult for a rogue computer to sniff a MAC address.
Which of the following security strategies allows a company to limit damage to internal systems and provides loss control? A. Restoration and recovery strategies B. Deterrent strategies C. Containment strategies D. Detection strategies
Answer: C Explanation: Containment strategies is used to limit damages, contain a loss so that it may be controlled, much like quarantine, and loss incident isolation.
Which of the following is being tested when a company's payroll server is powered off for eight hours? A. Succession plan B. Business impact document C. Continuity of operations plan D. Risk assessment plan
Answer: C Explanation: Continuity of operations plan is the effort to ensure the continued performance of critical business functions during a wide range of potential emergencies.
Which of the following can be implemented in hardware or software to protect a web server from cross-site scripting attacks? A. Intrusion Detection System B. Flood Guard Protection C. Web Application Firewall D. URL Content Filter
Answer: C Explanation: Cross-site scripting (XSS) is a form of malicious code-injection attack on a web server in which an attacker injects code into the content sent to website visitors. XSS can be mitigated by implementing patch management on the web server, using firewalls, and auditing for suspicious activity.
The Chief Information Officer (CIO) is concerned with moving an application to a SaaS cloud provider. Which of the following can be implemented to provide for data confidentiality assurance during and after the migration to the cloud? A. HPM technology B. Full disk encryption C. DLP policy D. TPM technology
Answer: C Explanation: Data loss prevention (DLP) systems monitor the contents of systems (workstations, servers, and networks) to make sure that key content is not deleted or removed. They also monitor who is using the data (looking for unauthorized access) and transmitting the data. The Software as a Service (SaaS) applications are remotely run over the Web and as such requires DLP monitoring
Which of the following are examples of detective controls? A. Biometrics, motion sensors and mantraps. B. Audit, firewall, anti-virus and biometrics. C. Motion sensors, intruder alarm and audit. D. Intruder alarm, mantraps and firewall
Answer: C Explanation: Detective controls are those that operate afterward so as to discover that has happened. Detective controls include security guards, motion detectors, recording and reviewing of events captured by security cameras or CCTV, job rotation, mandatory vacations, audit trails, honeypots or honeynets, IDSs, violation reports, supervision and reviews of users, and incident investigations.
Which of the following tools would a security administrator use in order to identify all running services throughout an organization? A. Architectural review B. Penetration test C. Port scanner D. Design review
Answer: C Explanation: Different services use different ports. When a service is enabled on a computer, a network port is opened for that service. For example, enabling the HTTP service on a web server will open port 80 on the server. By determining which ports are open on a remote server, we can determine which services are running on that server. A port scanner is a software application designed to probe a server or host for open ports. This is often used by administrators to verify security policies of their networks and by attackers to identify running services on a host with the view to compromise it. A port scan or portscan can be defined as a process that sends client requests to a range of server port addresses on a host, with the goal of finding an active port. While not a nefarious process in and of itself, it is one used by hackers to probe target machine services with the aim of exploitinga known vulnerability of that service. However the majority of uses of a port scan are not attacks and are simple probes to determine services available on a remote machine.
A technician is investigating intermittent switch degradation. The issue only seems to occur when the building's roof air conditioning system runs. Which of the following would reduce the connectivity issues? A. Adding a heat deflector B. Redundant HVAC systems C. Shielding D. Add a wireless network
Answer: C Explanation: EMI can cause circuit overload, spikes, or even electrical component failure. In the question it is mentioned that switch degradation occurs when the building's roof air-conditioning system is also running. All electromechanical systems emanate EMI. Thus you could alleviate the problem using EMI shielding
Matt, a security analyst, needs to select an asymmetric encryption method that allows for the same level of encryption strength with a lower key length than is typically necessary. Which of the following encryption methods offers this capability? A. Twofish B. Diffie-Hellman C. ECC D. RSA
Answer: C Explanation: Elliptic curve cryptography (ECC) is an approach to public-key cryptography based on the algebraic structure of elliptic curves over finite fields. One of the main benefits in comparison with non-ECC cryptography (with plain Galois fields as a basis) is the same level of security provided by keys of smaller size.
Which of the following is an attack vector that can cause extensive physical damage to a datacenter without physical access? A. CCTV system access B. Dial-up access C. Changing environmental controls D. Ping of death
Answer: C Explanation: Environmental systems include heating, air conditioning, humidity control, fire suppression, and power systems. All of these functions are critical to a well-designed physical plant. A computer room will typically require full-time environmental control. Changing any of these controls (when it was set to its optimum values) will result in damage
Which of the following software allows a network administrator to inspect the protocol header in order to troubleshoot network issues? A. URL filter B. Spam filter C. Packet sniffer D. Switch
Answer: C Explanation: Every data packet transmitted across a network has a protocol header. To view a protocol header, you need to capture and view the contents of the packet with a packet sniffer. A sniffer (packet sniffer) is a tool that intercepts data flowing in a network. If computers are connected to a local area network that is not filtered or switched, the traffic can be broadcast to all computers contained in the same segment. This doesn't generally occur, since computers are generally told to ignore all the comings and goings of traffic from other computers. However, in the case of a sniffer, all traffic is shared when the sniffer software commands the Network Interface Card (NIC) to stop ignoring the traffic. The NIC is put into promiscuous mode, and it reads communications between computers within a particular segment. This allows the sniffer to seize everything that is flowing in the network, which can lead to the unauthorized access of sensitive data. A packet sniffer can take the form of either a hardware or software solution. A sniffer is also known as a packet analyzer
Which of the following is a best practice when a mistake is made during a forensics examination? A. The examiner should verify the tools before, during, and after an examination. B. The examiner should attempt to hide the mistake during cross-examination. C. The examiner should document the mistake and workaround the problem. D. The examiner should disclose the mistake and assess another area of the disc.
Answer: C Explanation: Every step in an incident response should be documented, including every action taken by end users and the incident-response team.
Which of the following pseudocodes can be used to handle program exceptions? A. If program detects another instance of itself, then kill program instance. B. If user enters invalid input, then restart program. C. If program module crashes, then restart program module. D. If user's input exceeds buffer length, then truncate the input.
Answer: C Explanation: Exception handling is an aspect of secure coding. When errors occur, the system should revert back to a secure state. This must be coded into the system by the programmer, and should capture all errors and exceptions that could cause the application or its modules to crash. Restarting the application or module would ensure that the application reverts back to a secure state.
Which of the following techniques can be used to prevent the disclosure of system information resulting from arbitrary inputs when implemented properly? A. Fuzzing B. Patch management C. Error handling D. Strong passwords
Answer: C Explanation: Exception handling is an aspect of secure coding. When errors occur, the system should revert back to a secure state. This must be coded into the system by the programmer, and should capture errors and exceptions so that they could be handled by the application.
Ann, a security technician, is reviewing the IDS log files. She notices a large number of alerts for multicast packets from the switches on the network. After investigation, she discovers that this is normal activity for her network. Which of the following BEST describes these results? A. True negatives B. True positives C. False positives D. False negatives
Answer: C Explanation: False positives are essentially events that are mistakenly flagged and are not really events to be concerned about.
Which of the following would be MOST appropriate to secure an existing SCADA system by preventing connections from unauthorized networks? A. Implement a HIDS to protect the SCADA system B. Implement a Layer 2 switch to access the SCADA system C. Implement a firewall to protect the SCADA system D. Implement a NIDS to protect the SCADA system
Answer: C Explanation: Firewalls manage traffic using filters, which is just a rule or set of rules. A recommended guideline for firewall rules is, "deny by default; allow by exception". This means that if a network connection is not specifically allowed, it will be denied.
Which of the following is the BEST method for ensuring all files and folders are encrypted on all corporate laptops where the file structures are unknown? A. Folder encryption B. File encryption C. Whole disk encryption D. Steganography
Answer: C Explanation: Full-disk encryption encrypts the data on the hard drive of the device or on a removable drive. This feature ensures that the data on the device or removable drive cannot be accessed in a useable form should it be stolen. Furthermore, full-disk encryption is not dependant on knowledge of the file structure.
An IT security technician is actively involved in identifying coding issues for her company. Which of the following is an application security technique that can be used to identify unknown weaknesses within the code? A. Vulnerability scanning B. Denial of service C. Fuzzing D. Port scanning
Answer: C Explanation: Fuzzing is a software testing technique that involves providing invalid, unexpected, or random data to as inputs to a computer program. The program is then monitored for exceptions such as crashes, or failed validation, or memory leaks.
Which of the following application security principles involves inputting random data into a program? A. Brute force attack B. Sniffing C. Fuzzing D. Buffer overflow
Answer: C Explanation: Fuzzing is a software testing technique that involves providing invalid, unexpected, or random data to as inputs to a computer program. The program is then monitored for exceptions such as crashes, or failed validation, or memory leaks.
Prior to leaving for an extended vacation, Joe uses his mobile phone to take a picture of his family in the house living room. Joe posts the picture on a popular social media site together with the message: "Heading to our two weeks vacation to Italy." Upon returning home, Joe discovers that the house was burglarized. Which of the following is the MOST likely reason the house was burglarized if nobody knew Joe's home address? A. Joe has enabled the device access control feature on his mobile phone. B. Joe's home address can be easily found using the TRACEROUTE command. C. The picture uploaded to the social media site was geo-tagged by the mobile phone. D. The message posted on the social media site informs everyone the house will be empty.
Answer: C Explanation: Geo-tagging is the process of embedding the GPS coordinates in image files and images taken using a smartphone or a digital camera. The geotagged information accompanying the image allows anyone to discover the precise location where the image was taken.
A group policy requires users in an organization to use strong passwords that must be changed every 15 days. Joe and Ann were hired 16 days ago. When Joe logs into the network, he is prompted to change his password; when Ann logs into the network, she is not prompted to change her password. Which of the following BEST explains why Ann is not required to change her password? A. Ann's user account has administrator privileges. B. Joe's user account was not added to the group policy. C. Ann's user account was not added to the group policy. D. Joe's user account was inadvertently disabled and must be re-created.
Answer: C Explanation: Group policy is used to manage Windows systems in a Windows network domain environment by means of a Group Policy Object (GPO). GPO's include a number of settings related to credentials, which includes password expiration. Because Anne was not prompted to change her password, it could only mean that her user account was not added to the group policy.
Which of the following should be connected to the fire alarm system in order to help prevent the spread of a fire in a server room without data loss to assist in an FM-200 deployment? A. Water base sprinkler system B. Electrical C. HVAC D. Video surveillance
Answer: C Explanation: HVAC refers to heating, ventilation and air-conditioning to allow for a zone-based environmental control measure. The fire-alarm system should ideally also be hooked up to the HVAC so that the HVAC can monitor the changes in heating and ventilation.
The process of making certain that an entity (operating system, application, etc.) is as secure as it can be is known as: A. Stabilizing B. Reinforcing C. Hardening D. Toughening
Answer: C Explanation: Hardening is the process of securing a system by reducing its surface of vulnerability. Reducing the surface of vulnerability typically includes removing unnecessary functions and features, removing unnecessary usernames or logins and disabling unnecessary services
Vendors typically ship software applications with security settings disabled by default to ensure a wide range of interoperability with other applications and devices. A security administrator should perform which of the following before deploying new software? A. Application white listing B. Network penetration testing C. Application hardening D. Input fuzzing testing
Answer: C Explanation: Hardening is the process of securing a system by reducing its surface of vulnerability. Reducing the surface of vulnerability typically includes removing unnecessary functions and features, removing unnecessary usernames or logins and disabling unnecessary services.
An SSL/TLS private key is installed on a corporate web proxy in order to inspect HTTPS requests. Which of the following describes how this private key should be stored so that it is protected from theft? A. Implement full disk encryption B. Store on encrypted removable media C. Utilize a hardware security module D. Store on web proxy file system
Answer: C Explanation: Hardware Security Module (HSM) hardware-based encryption solution that is usually used in conjunction with PKI to enhance security with certification authorities (CAs). It is available as an expansion card and can cryptographic keys, passwords, or certificates
A company is trying to implement physical deterrent controls to improve the overall security posture of their data center. Which of the following BEST meets their goal? A. Visitor logs B. Firewall C. Hardware locks D. Environmental monitoring
Answer: C Explanation: Hardware security involves applying physical security modifications to secure the system(s) and preventing them from leaving the facility. Don't spend all of your time worrying about intruders coming through the network wire while overlooking the obvious need for physical security. Hardware security involves the use of locks to prevent someone from picking up and carrying out your equipment.
The security administrator is implementing a malware storage system to archive all malware seen by the company into a central database. The malware must be categorized and stored based on similarities in the code. Which of the following should the security administrator use to identify similar malware? A. TwoFish B. SHA-512 C. Fuzzy hashes D. HMAC
Answer: C Explanation: Hashing is used to ensure that a message has not been altered. It can be useful for positively identifying malware when a suspected file has the same hash value as a known piece of malware. However, modifying a single bit of a malicious file will alter its hash value. To counter this, a continuous stream of hash values is generated for rolling block of code. This can be used to determine the similarity between a suspected file and known pieces of malware
An online store wants to protect user credentials and credit card information so that customers can store their credit card information and use their card for multiple separate transactions. Which of the following database designs provides the BEST security for the online store? A. Use encryption for the credential fields and hash the credit card field B. Encrypt the username and hash the password C. Hash the credential fields and use encryption for the credit card field D. Hash both the credential fields and the credit card field
Answer: C Explanation: Hashing refers to the hash algorithms used in cryptography. It is used to store data, such as hash tables. One main characteristic of hashing is that the algorithm must have few or no collisions - in hashing two different inputs does not give the same output. Thus the credential fields should be hashed because anyone customer will have a unique credit card number/identity and sincethey will use their credit cards for many different transactions, the credit card field should be encrypted only, not hashed.
A new MPLS network link has been established between a company and its business partner. The link provides logical isolation in order to prevent access from other business partners. Which of the following should be applied in order to achieve confidentiality and integrity of all data across the link? A. MPLS should be run in IPVPN mode. B. SSL/TLS for all application flows. C. IPSec VPN tunnels on top of the MPLS link. D. HTTPS and SSH for all application flows
Answer: C Explanation: IPSec can very well be used with MPLS. IPSec could provide VPN tunnels on top if the MPLS link. Internet Protocol Security (IPSec) isn't a tunneling protocol, but it's used in conjunction with tunneling protocols. IPSec is oriented primarily toward LAN-to-LAN connections, but it can also be used with dial-up connections. IPSec provides secure authentication and encryption of data and headers; this makes it a good choice for security.
A security administrator wishes to change their wireless network so that IPSec is built into the protocol and NAT is no longer required for address range extension. Which of the following protocols should be used in this scenario? A. WPA2 B. WPA C. IPv6 D. IPv4
Answer: C Explanation: IPSec security is built into IPv6
Ann is the data owner of financial records for a company. She has requested that she have the ability to assign read and write privileges to her folders. The network administrator is tasked with setting up the initial access control system and handing Ann's administrative capabilities. Which of the following systems should be deployed? A. Role-based B. Mandatory C. Discretionary D. Rule-based
Answer: C Explanation: In a Discretionary Access Control (DAC) model, network users have some fl exibility regarding how information is accessed. This model allows users to share information dynamically with other users. Discretionary access control (DAC) allows access to be granted or restricted by an object's owner based on user identity and on the discretion of the object owner. In this question, Ann has requested that she have the ability to assign read and write privileges to her folders. Read and write access to Ann's files will be granted by Ann at her discretion. Therefore, this is an example of Discretionary Access Control
Sara, a user, downloads a keygen to install pirated software. After running the keygen, system performance is extremely slow and numerous antivirus alerts are displayed. Which of the following BEST describes this type of malware? A. Logic bomb B. Worm C. Trojan D. Adware
Answer: C Explanation: In computers, a Trojan is a program in which malicious or harmful code is contained inside apparently harmless programming or data in such a way that it can get control and do its chosen form of damage, such as ruining the file allocation table on your hard disk. In one celebrated case, a Trojan was a program that was supposed to find and destroy computer viruses. A Trojan horse may be widely redistributed as part of a computer virus.
After viewing wireless traffic, an attacker notices the following networks are being broadcasted by local access points: Corpnet Coffeeshop FreePublicWifi Using this information the attacker spoofs a response to make nearby laptops connect back to a malicious device. Which of the following has the attacker created? A. Infrastructure as a Service B. Load balancer C. Evil twin D. Virtualized network
Answer: C Explanation: In this question, the attacker has created another wireless network that is impersonating one of more of the three wireless networks listed in the question. This is known as an Evil Twin. An evil twin, in the context of network security, is a rogue or fake wireless access point (WAP) that appears as a genuine hotspot offered by a legitimate provider. In an evil twin attack, an eavesdropper or hacker fraudulently creates this rogue hotspot to collect the personal data of unsuspecting users. Sensitive data can be stolen by spying on a connection or using a phishing technique. For example, a hacker using an evil twin exploit may be positioned near an authentic Wi-Fi access point and discover the service set identifier (SSID) and frequency. The hacker may then send a radio signal using the exact same frequency and SSID. To end users, the rogue evil twin appears as their legitimate hotspot with the same name. In wireless transmissions, evil twins are not a new phenomenon. Historically, they were known as honeypots or base station clones. With the advancement of wireless technology and the use of wireless devices in public areas, it is very easy for novice users to set up evil twin exploits.
An employee connects a wireless access point to the only jack in the conference room to provide Internet access during a meeting. The access point is configured to use WPA2-TKIP. A malicious user is able to intercept clear text HTTP communication between the meeting attendees and the Internet. Which of the following is the reason the malicious user is able to intercept and see the clear text communication? A. The malicious user has access to the WPA2-TKIP key. B. The wireless access point is broadcasting the SSID. C. The malicious user is able to capture the wired communication. D. The meeting attendees are using unencrypted hard drives.
Answer: C Explanation: In this question, the wireless users are using WPA2-TKIP. While TKIP is a weak encryption protocol, it is still an encryption protocol. Therefore, the wireless communications between the laptops and the wireless access point are encrypted. The question states that user was able to intercept 'clear text' HTTP communication between the meeting attendees and the Internet. The HTTP communications are unencrypted as they travel over the wired network. Therefore, the malicious user must have been able to capture the wired communication. TKIP and AES are two different types of encryption that can be used by a Wi-Fi network. TKIP stands for "Temporal Key Integrity Protocol." It was a stopgap encryption protocol introduced with WPA to replace the very-insecure WEP encryption at the time. TKIP is actually quite similar to WEP encryption. TKIP is no longer considered secure, and is now deprecated.
A software development company has hired a programmer to develop a plug-in module to an existing proprietary application. After completing the module, the developer needs to test the entire application to ensure that the module did not introduce new vulnerabilities. Which of the following is the developer performing when testing the application? A. Black box testing B. White box testing C. Gray box testing D. Design review
Answer: C Explanation: In this question, we know the tester has some knowledge of the application because the tester developed a plug-in module for it. However, the tester does not have detailed information about the entire application. Therefore, this is a grey-box test. Gray box testing, also called gray box analysis, is a strategy for software debugging in which the tester has limited knowledge of the internal details of the program. A gray box is a device, program or system whose workings are partially understood. Gray box testing can be contrasted with black box testing, a scenario in which the tester has no knowledge or access to the internal workings of a program, or white box testing, a scenario in which the internal particulars are fully known. Gray box testing is commonly used in penetration tests. Gray box testing is considered to be non-intrusive and unbiased because it does not require that the tester have access to the source code. With respect to internal processes, gray box testing treats a program as a black box that must be analyzed from the outside. During a gray box test, the person may know how the system components interact but not have detailed knowledgeabout internal program functions and operation. A clear distinction exists between the developer and the tester, thereby minimizing the risk of personnel conflicts.
A security administrator at a company which implements key escrow and symmetric encryption only, needs to decrypt an employee's file. The employee refuses to provide the decryption key to the file. Which of the following can the administrator do to decrypt the file? A. Use the employee's private key B. Use the CA private key C. Retrieve the encryption key D. Use the recovery agent
Answer: C Explanation: Key escrow addresses the possibility that a third party may need to access keys. Under the conditions of key escrow, the keys needed to encrypt/decrypt data are held in an escrow account and made available if that third party requests them. The third party in question is generally the government, but it could also be an employer if an employee's private messages have been called into question.
A large multinational corporation with networks in 30 countries wants to establish an understanding of their overall public-facing network attack surface. Which of the following security techniques would be BEST suited for this? A. External penetration test B. Internal vulnerability scan C. External vulnerability scan D. Internal penetration test
Answer: C Explanation: In this question, we need to determine the public-facing network attack surface. We therefore need to perform a vulnerability scan from outside the network; in other words, an external vulnerability scan. A vulnerability scan is the automated process of proactively identifying security vulnerabilities of computing systems in a network in order to determine if and where a system can be exploited and/or threatened. While public servers are important for communication and data transfer over the Internet, they open the door to potential security breaches by threat agents, such as malicious hackers. Vulnerability scanning employs software that seeks out security flaws based on a database of known flaws, testing systems for the occurrence of these flaws and generating a report of the findings that an individual or an enterprise can use to tighten the network's security. Vulnerability scanning typically refers to the scanning of systems that are connected to the Internet but can also refer to system audits on internal networks that are not connected to the Internet in order to assess the threat of rogue software or malicious employees in an enterprise.
Requiring technicians to report spyware infections is a step in which of the following? A. Routine audits B. Change management C. Incident management D. Clean desk policy
Answer: C Explanation: Incident management refers to the steps followed when events occur (making sure controls are in place to prevent unauthorized access to, and changes of, all IT assets).
An organization is recovering data following a datacenter outage and determines that backup copies of files containing personal information were stored in an unsecure location, because the sensitivity was unknown. Which of the following activities should occur to prevent this in the future? A. Business continuity planning B. Quantitative assessment C. Data classification D. Qualitative assessment
Answer: C Explanation: Information classification is done by confidentiality and comprises of three categories, namely: public use, internal use and restricted use. Knowing how to apply these categories and matching it up with the appropriate data handling will address the situation of the data 'unknown sensitivity'
Without validating user input, an application becomes vulnerable to all of the following EXCEPT: A. Buffer overflow. B. Command injection. C. Spear phishing. D. SQL injection
Answer: C Explanation: Input validation is a defensive technique intended to mitigate against possible user input attacks, such as buffer overflows and fuzzing. Input validation checks every user input submitted to the application before processing that input. The check could be a length, a character type, a language type, or a domain.
A security administrator wants to ensure that the message the administrator sends out to their Chief Financial Officer (CFO) does not get changed in route. Which of the following is the administrator MOST concerned with? A. Data confidentiality B. High availability C. Data integrity D. Business continuity
Answer: C Explanation: Integrity is the process of ensuring that the information has not been altered during transmission. This can be accomplished by means of hashing.
Sara, a security administrator, manually hashes all network device configuration files daily and compares them to the previous days' hashes. Which of the following security concepts is Sara using? A. Confidentiality B. Compliance C. Integrity D. Availability
Answer: C Explanation: Integrity means the message can't be altered without detection
A recent intrusion has resulted in the need to perform incident response procedures. The incident response team has identified audit logs throughout the network and organizational systems which hold details of the security breach. Prior to this incident, a security consultant informed the company that they needed to implement an NTP server on the network. Which of the following is a problem that the incident response team will likely encounter during their assessment? A. Chain of custody B. Tracking man hours C. Record time offset D. Capture video traffic
Answer: C Explanation: It is quite common for workstation as well as server times to be off slightly from actual time. Since a forensic investigation is usually dependent on a step-by-step account of what has happened, being able to follow events in the correct time sequence is critical. Because of this, it is imperative to record the time offset on each affected machine during the investigation. Onemethod of assisting with this is to add an entry to a log file and note the time that this was done and the time associated with it on the system. There is no mention that this was done by the incident response team.
Which of the following has serious security implications for large organizations and can potentially allow an attacker to capture conversations? A. Subnetting B. NAT C. Jabber D. DMZ
Answer: C Explanation: Jabber is a new unified communications application and could possible expose you to attackers that want to capture conversations because Jabber provides a single interface across presence, instant messaging, voice, video messaging, desktop sharing and conferencing.
Ann is a member of the Sales group. She needs to collaborate with Joe, a member of the IT group, to edit a file. Currently, the file has the following permissions: Ann:read/write Sales Group:read IT Group:no access If a discretionary access control list is in place for the files owned by Ann, which of the following would be the BEST way to share the file with Joe? A. Add Joe to the Sales group. B. Have the system administrator give Joe full access to the file. C. Give Joe the appropriate access to the file directly. D. Remove Joe from the IT group and add him to the Sales group.
Answer: C Explanation: Joe needs access to only one file. He also needs to 'edit' that file. Editing a file requires Read and Write access to the file. The best way to provide Joe with the minimum required permissions to edit the file would be to give Joe the appropriate access to the file directly.
Which of the following is a requirement when implementing PKI if data loss is unacceptable? A. Web of trust B. Non-repudiation C. Key escrow D. Certificate revocation list
Answer: C Explanation: Key escrow is a database of stored keys that later can be retrieved. Key escrow addresses the possibility that a third party may need to access keys. Under the conditions of key escrow, the keys needed to encrypt/decrypt data are held in an escrow account (think of the term as it relates to home mortgages) and made available if that third party requests them. The third party in question is generally the government, but it could also be an employer if an employee's private messages have been called into question
Which of the following can be implemented if a security administrator wants only certain devices connecting to the wireless network? A. Disable SSID broadcast B. Install a RADIUS server C. Enable MAC filtering D. Lowering power levels on the AP
Answer: C Explanation: MAC filtering is commonly used in wireless networks. In computer networking, MAC Filtering (or GUI filtering, or layer 2 address filtering) refers to a security access control method whereby the 48-bit address assigned to each network card is used to determine access to the network. MAC addresses are uniquely assigned to each card, so using MAC filtering on a network permits and denies network access to specific devices through the use of blacklists and whitelists. While the restriction of network access through the use of lists is straightforward, an individual person is not identified by a MAC address, rather a device only, so an authorized person will need to have a whitelist entry for each device that he or she would use to access the network.
A security administrator implements access controls based on the security classification of the data and need-to-know information. Which of the following BEST describes this level of access control? A. Implicit deny B. Role-based Access Control C. Mandatory Access Controls D. Least privilege
Answer: C Explanation: Mandatory Access Control allows access to be granted or restricted based on the rules of classification. MAC also includes the use of need to know. Need to know is a security restriction where some objects are restricted unless the subject has a need to know them.
Which of the following is the primary security concern when deploying a mobile device on a network? A. Strong authentication B. Interoperability C. Data security D. Cloud storage technique
Answer: C Explanation: Mobile devices, such as laptops, tablet computers, and smartphones, provide security challenges above those of desktop workstations, servers, and such in that they leave the office and this increases the odds of their theft which makes data security a real concern. At a bare minimum, the following security measures should be in place on mobile devices: Screen lock, Strongpassword, Device encryption, Remote Wipe or Sanitation, voice encryption, GPS tracking, Application control, storage segmentation, asses tracking and device access control.
A user attempting to log on to a workstation for the first time is prompted for the following information before being granted access: username, password, and a four-digit security pin that was mailed to him during account registration. This is an example of which of the following? A. Dual-factor authentication B. Multifactor authentication C. Single factor authentication D. Biometric authentication
Answer: C Explanation: Multi-factor authentication (MFA) is a method of computer access control which a user can pass by successfully presenting authentication factors from at least two of the three categories: knowledge factors ("things only the user knows"), such as passwords possession factors ("things only the user has"), such as ATM cards inherence factors ("things only the user is"), such as biometrics In this question a username, password, and a four-digit security pin knowledge are all knowledge factors (something the user knows). Therefore, this is single-factor authentication
A Chief Information Security Officer (CISO) wants to implement two-factor authentication within the company. Which of the following would fulfill the CISO's requirements? A. Username and password B. Retina scan and fingerprint scan C. USB token and PIN D. Proximity badge and token
Answer: C Explanation: Multi-factor authentication (MFA) is a method of computer access control which a user can pass by successfully presenting authentication factors from at least two of the three categories: knowledge factors ("things only the user knows"), such as passwords possession factors ("things only the user has"), such as ATM cards inherence factors ("things only the user is"), such as biometrics In this question, a USB token is a possession factor (something the user has) and a PIN is a knowledge factor (something the user knows).
Which of the following helps to establish an accurate timeline for a network intrusion? A. Hashing images of compromised systems B. Reviewing the date of the antivirus definition files C. Analyzing network traffic and device logs D. Enforcing DLP controls at the perimeter
Answer: C Explanation: Network activity as well as intrusion can be viewed on device logs and by analyzing the network traffic that passed through your network. Thus to establish an accurate timeline for a network intrusion you can look at and analyze the device logs and network traffic to yield the appropriate information.
Which of the following best practices makes a wireless network more difficult to find? A. Implement MAC filtering B. UseWPA2-PSK C. Disable SSID broadcast D. Power down unused WAPs
Answer: C Explanation: Network administrators may choose to disable SSID broadcast to hide their network from unauthorized personnel. However, the SSID is still needed to direct packets to and from the base station, so it's a discoverable value using a wireless packet sniffer. Thus, the SSID should be disabled if the network isn't for public use.
Ann, a newly hired human resource employee, sent out confidential emails with digital signatures, to an unintended group. Which of the following would prevent her from denying accountability? A. Email Encryption B. Steganography C. Non Repudiation D. Access Control
Answer: C Explanation: Nonrepudiation prevents one party from denying actions they carried out.
Which of the following provides the BEST explanation regarding why an organization needs to implement IT security policies? A. To ensure that false positives are identified B. To ensure that staff conform to the policy C. To reduce the organizational risk D. To require acceptable usage of IT systems
Answer: C Explanation: Once risks has been identified and assessed then there are five possible actions that should be taken. These are: Risk avoidance, Risk transference, Risk mitigation, Risk deterrence and Risk acceptance. Anytime you engage in steps to reduce risk, you are busy with risk mitigation and implementing IT security policy is a risk mitigation strategy.
When employees that use certificates leave the company they should be added to which of the following? A. PKI B. CA C. CRL D. TKIP
Answer: C Explanation: The certificates of the leaving employees must be made unusable. This is done by revoking them. The revoke certificates end up in the CRL. Note: The CRL (Certificate revocation list) is exactly what its name implies: a list of subscribers paired with digital certificate status. The list enumerates revoked certificates along with the reason(s) for revocation. The dates of certificate issue, and the entities that issued them, are also included. In addition, each list contains a proposed date for the next release.
Which of the following can be used by a security administrator to successfully recover a user's forgotten password on a password protected file? A. Cognitive password B. Password sniffing C. Brute force D. Social engineering
Answer: C Explanation: One way to recover a user's forgotten password on a password protected file is to guess it. A brute force attack is an automated attempt to open the file by using many different passwords. A brute force attack is a trial-and-error method used to obtain information such as a user password or personal identification number (PIN). In a brute force attack, automated software is used to generate a large number of consecutive guesses as to the value of the desired data. Brute force attacks may be used by criminals to crack encrypted data, or by security analysts to test an organization's network security. A brute force attack may also be referred to as brute force cracking. For example, a form of brute force attack known as a dictionary attack might try all the words in a dictionary. Other forms of brute force attack might try commonly-used passwords or combinations of letters and numbers. An attack of this nature can be time- and resource-consuming. Hence the name "brute force attack;" success is usually based on computing power and the number of combinations tried rather than an ingenious algorithm.
Which of the following would satisfy wireless network implementation requirements to use mutual authentication and usernames and passwords? A. EAP-MD5 B. WEP C. PEAP-MSCHAPv2 D. EAP-TLS
Answer: C Explanation: PEAP-MS-CHAP v2 is easier to deploy than EAP-TLS or PEAP-TLS because user authentication is accomplished via password-base credentials (user name and password) rather than digital certificates or smart cards.
Which of the following could cause a browser to display the message below? "The security certificate presented by this website was issued for a different website's address." A. The website certificate was issued by a different CA than what the browser recognizes in its trusted CAs. B. The website is using a wildcard certificate issued for the company's domain. C. HTTPS://127.0.01 was used instead of HTTPS://localhost. D. The website is using an expired self signed certificate
Answer: C Explanation: PKI is a two-key, asymmetric system with four main components: certificate authority (CA), registration authority (RA), RSA (the encryption algorithm), and digital certificates. In typical public key infrastructure (PKI) arrangements, a digital signature from a certificate authority (CA) attests that a particular public key certificate is valid (i.e., contains correct information). Users, or their software on their behalf, check that the private key used to sign some certificate matches the public key in the CA's certificate. Since CA certificates are often signed by other, "higher-ranking," CAs, there must necessarily be a highest CA, which provides the ultimate in attestation authority in that particular PKI scheme. Localhost is a hostname that means this computer and may be used to access the computer's own network services via its loopback network interface. Using the loopback interface bypasses local network interface hardware. In this case the HTTPS://127.0.01 was used and not HTTPS//localhost
A company's security administrator wants to manage PKI for internal systems to help reduce costs. Which of the following is the FIRST step the security administrator should take? A. Install a registration server. B. Generate shared public and private keys. C. Install a CA D. Establish a key escrow policy
Answer: C Explanation: PKI is a two-key, asymmetric system with four main components: certificate authority (CA), registration authority (RA), RSA (the encryption algorithm), and digital certificates. When you implement a PKI you should start by installing a CA.
An administrator finds that non-production servers are being frequently compromised, production servers are rebooting at unplanned times and kernel versions are several releases behind the version with all current security fixes. Which of the following should the administrator implement? A. Snapshots B. Sandboxing C. Patch management D. Intrusion detection system
Answer: C Explanation: Patch management is the process of maintaining the latest source code for applications and operating systems by applying the latest vendor updates. This helps protect a systems from newly discovered attacks and vulnerabilities
Ann a technician received a spear-phishing email asking her to update her personal information by clicking the link within the body of the email. Which of the following type of training would prevent Ann and other employees from becoming victims to such attacks? A. User Awareness B. Acceptable Use Policy C. Personal Identifiable Information D. Information Sharing
Answer: C Explanation: Personally identifiable information (PII) is a catchall for any data that can be used to uniquely identify an individual. This data can be anything from the person's name to a fingerprint (think biometrics), credit card number, or patient record. Employees should be made aware of this type of attack by means of training
An active directory setting restricts querying to only secure connections. Which of the following ports should be selected to establish a successful connection? A. 389 B. 440 C. 636 D. 3286
Answer: C Explanation: Port 636 is used for secure LDAP (LDAPS). Incorrect Options: A: Port 389 is used for LDAP. B: Port 440 is not used for secure Active Directory connections. D: Port 3286 is not used for secure Active Directory connections.
Which of the following ports would be blocked if Pete, a security administrator, wants to deny access to websites? A. 21 B. 25 C. 80 D. 3389
Answer: C Explanation: Port 80 is used by HTTP, which is the foundation of data communication for the World Wide Web.
In order for network monitoring to work properly, you need a PC and a network card running in what mode? A. Launch B. Exposed C. Promiscuous D. Sweep
Answer: C Explanation: Promiscuous mode allows the network card to look at any packet that it sees on the network. This even includes packets that are not addressed to that network card.
Which of the following types of security services are used to support authentication for remote users and devices? A. Biometrics B. HSM C. RADIUS D. TACACS
Answer: C Explanation: RADIUS authentication phase takes place when a network client connects to a network access server (NAS) and provides authentication credentials. The NAS will then make use of the authentication credentials to issue a RADIUS authentication request to the RADIUS server, which will then exchange RADIUS authentication messages with the NAS.
A security administrator is concerned about the strength of user's passwords. The company does not want to implement a password complexity policy. Which of the following can the security Administrator implement to mitigate the risk of an online password attack against users with weak passwords? A. Increase the password length requirements B. Increase the password history C. Shorten the password expiration period D. Decrease the account lockout time
Answer: C Explanation: Reducing the password expiration period will require passwords to be changed at the end of that period. A password needs to be changed if it doesn't meet the compliance requirements of the company's password policy, or is evidently insecure. It will also need to be changed if it has been reused, or due to possible compromise as a result of a system intrusion. This will give online password attackers less time to crack the weak passwords.
A network administrator has recently updated their network devices to ensure redundancy is in place so that: A. switches can redistribute routes across the network. B. environmental monitoring can be performed. C. single points of failure are removed. D. hot and cold aisles are functioning
Answer: C Explanation: Redundancy refers to systems that either are duplicated or fail over to other systems in the event of a malfunction. The best way to remove an SPOF from your environment is to add redundancy
The security administrator notices a user logging into a corporate Unix server remotely as root. Which of the following actions should the administrator take? A. Create a firewall rule to block SSH B. Delete the root account C. Disable remote root logins D. Ensure the root account has a strong password
Answer: C Explanation: Remote users log in to Unix or Linux servers by using SSH. Although SSH is secure, allowing remote access as root is a security risk. One of the biggest security holes you could open on a Unix or Linux server is to allow directly logging in as root through SSH, because any cracker can attempt to brute force your root password and potentially get access to your system if they can figure out your password. It's much better to have a separate account that you regularly use and simply sudo to root when necessary. You should disable root ssh access by editing /etc/ssh/sshd_config to contain: PermitRootLogin no
RC4 is a strong encryption protocol that is generally used with which of the following? A. WPA2 CCMP B. PEAP C. WEP D. EAP-TLS
Answer: C Explanation: Rivest Cipher 4 (RC4) is a 128-bit stream cipher used WEP and WPA encryption.
Which of the following protocols operates at the HIGHEST level of the OSI model? A. ICMP B. IPSec C. SCP D. TCP
Answer: C Explanation: SCP (Secure Copy) uses SSH (Secure Shell). SSH runs in the application layer (layer 7) of the OSI model.
Pete needs to open ports on the firewall to allow for secure transmission of files. Which of the following ports should be opened on the firewall? A. TCP 23 B. UDP 69 C. TCP 22 D. TCP 21
Answer: C Explanation: SSH uses TCP port 22. All protocols encrypted by SSH, including SFTP, SHTTP, SCP, SExec, and slogin, also use TCP port 22. Secure Copy Protocol (SCP) is a secure file-transfer facility based on SSH and Remote Copy Protocol (RCP). Secure FTP (SFTP) is a secured alternative to standard File Transfer Protocol (FTP).
A software developer wants to prevent stored passwords from being easily decrypted. When the password is stored by the application, additional text is added to each password before the password is hashed. This technique is known as: A. Symmetric cryptography. B. Private key cryptography. C. Salting. D. Rainbow tables.
Answer: C Explanation: Salting can be used to strengthen the hashing when the passwords were encrypted. Though hashing is a one-way algorithm it does not mean that it cannot be hacked. One method to hack a hash is though rainbow tables and salt is the counter measure to rainbow tables. With salt a password that you typed in and that has been encrypted with a hash will yield a letter combination other than what you actually types in when it is rainbow table attacked.
A company has purchased an application that integrates into their enterprise user directory for account authentication. Users are still prompted to type in their usernames and passwords. Which of the following types of authentication is being utilized here? A. Separation of duties B. Least privilege C. Same sign-on D. Single sign-on
Answer: C Explanation: Same sign-on requires the users to re-enter their credentials but it allows them to use the same credentials that they use to sign on locally.
A security administrator wants to implement a solution which will allow some applications to run under the user's home directory and only have access to files stored within the same user's folder, while other applications have access to shared folders. Which of the following BEST addresses these requirements if the environment is concurrently shared by multiple users? A. OS Virtualization B. Trusted OS C. Process sandboxing D. File permission
Answer: C Explanation: Sandboxing involves running applications in restricted memory areas. It limits the possibility of an application crash, allowing a user to access another application or the data associated with it.
An administrator is building a development environment and requests that three virtual servers are cloned and placed in a new virtual network isolated from the production network. Which of the following describes the environment the administrator is building? A. Cloud B. Trusted C. Sandbox D. Snapshot
Answer: C Explanation: Sandboxing is the process of isolating a system before installing new applications on it so as to restrict any potential malware that may be embedded in the new application from being able to cause harm to production systems.
Jane, an IT security technician, needs to create a way to secure company mobile devices. Which of the following BEST meets this need? A. Implement voice encryption, pop-up blockers, and host-based firewalls. B. Implement firewalls, network access control, and strong passwords. C. Implement screen locks, device encryption, and remote wipe capabilities. D. Implement application patch management, antivirus, and locking cabinets.
Answer: C Explanation: Screen-lock is a security feature that requires the user to enter a password after a short period of inactivity before they can access the system again. This feature ensures that if your device is left unattended or is lost or stolen, it will be difficult for anyone else to access your data or applications. Device encryption encrypts the data on the device. This feature ensures that the data on the device cannot be accessed in a useable form should the device be stolen. Remote wipe is the process of deleting data on a device in the event that the device is stolen. This is performed over remote connections such as the mobile phone service or the internet connection and helps ensure that sensitive data is not accessed by unauthorized people.
Several employees clicked on a link in a malicious message that bypassed the spam filter and their PCs were infected with malware as a result. Which of the following BEST prevents this situation from occurring in the future? A. Data loss prevention B. Enforcing complex passwords C. Security awareness training D. Digital signatures
Answer: C Explanation: Security awareness and training include explaining policies, procedures, and current threats to both users and management. A security awareness and training program can do much to assist in your efforts to improve and maintain security. Ideally, a security awareness training program for the entire organization should cover the following areas: Importance of security Responsibilities of people in the organization Policies and procedures Usage policies Account and password-selection criteria Social engineering prevention
An insurance company requires an account recovery process so that information created by an employee can be accessed after that employee is no longer with the firm. Which of the following is the BEST approach to implement this process? A. Employee is required to share their password with authorized staff prior to leaving the firm B. Passwords are stored in a reversible form so that they can be recovered when needed C. Authorized employees have the ability to reset passwords so that the data is accessible D. All employee data is exported and imported by the employee prior to them leaving the firm
Answer: C Explanation: Since a user's password isn't stored on most operating systems (only a hash value is kept), most operating systems allow the administrator (or authorized person in this case) to change the value then the information/files/documents can be accessed. This is the safest way of recovery by an authorized person and is not dependent on those who leave the firm.
A user has forgotten their account password. Which of the following is the BEST recovery strategy? A. Upgrade the authentication system to use biometrics instead. B. Temporarily disable password complexity requirements. C. Set a temporary password that expires upon first use. D. Retrieve the user password from the credentials database
Answer: C Explanation: Since a user's password isn't stored on most operating systems (only a hash value is kept), most operating systems allow the administrator to change the value for a user who has forgotten theirs. This new value allows the user to log in and then immediately change it to another value that they can (ideally) remember. Also setting a temporary password to expire upon first use will not allow a hacker the opportunity or time to use it.
A new application needs to be deployed on a virtual server. The virtual server hosts a SQL server that is used by several employees. Which of the following is the BEST approach for implementation of the new application on the virtual server? A. Take a snapshot of the virtual server after installing the new application and store the snapshot in a secure location. B. Generate a baseline report detailing all installed applications on the virtualized server after installing the new application. C. Take a snapshot of the virtual server before installing the new application and store the snapshot in a secure location. D. Create an exact copy of the virtual server and store the copy on an external hard drive after installing the new application.
Answer: C Explanation: Snapshots are backups of virtual machines that can be used to quickly recover from poor updates, and errors arising from newly installed applications. However, the snapshot should be taken before the application or update is installed.
Ann, a security administrator, has concerns regarding her company's wireless network. The network is open and available for visiting prospective clients in the conference room, but she notices that many more devices are connecting to the network than should be. Which of the following would BEST alleviate Ann's concerns with minimum disturbance of current functionality for clients? A. Enable MAC filtering on the wireless access point. B. Configure WPA2 encryption on the wireless access point. C. Lower the antenna's broadcasting power. D. Disable SSID broadcasting.
Answer: C Explanation: Some access points include power level controls that allow you to reduce the amount of output provided if the signal is traveling too far.
A company administrator has a firewall with an outside interface connected to the Internet and an inside interface connected to the corporate network. Which of the following should the administrator configure to redirect traffic destined for the default HTTP port on the outside interface to an internal server listening on port 8080? A. Create a dynamic PAT from port 80 on the outside interface to the internal interface on port 8080 B. Create a dynamic NAT from port 8080 on the outside interface to the server IP address on port 80 C. Create a static PAT from port 80 on the outside interface to the internal interface on port 8080 D. Create a static PAT from port 8080 on the outside interface to the server IP address on port 80
Answer: C Explanation: Static PAT translations allow a specific UDP or TCP port on a global address to be translated to a specific port on a local address. In this case, the default HTTP port (80) is the global address to be translated, and port 8080 is the specific port on a local address. Incorrect Options: A: Dynamic PAT is not a valid type of PAT. B: Dynamic NAT translates a group of real addresses to a pool of mapped addresses that are routable on the destination network. The question also states that the internal server is listening on port 8080. D: The question states that the internal server is listening on port 8080.
A security administrator discovers an image file that has several plain text documents hidden in the file. Which of the following security goals is met by camouflaging data inside of other files? A. Integrity B. Confidentiality C. Steganography D. Availability
Answer: C Explanation: Steganography is the process of concealing a file, message, image, or video within another file, message, image, or video. Note: The advantage of steganography over cryptography alone is that the intended secret message does not attract attention to itself as an object of scrutiny. Plainly visible encrypted messages, no matter how unbreakable will arouse interest, and may in themselves be incriminating in countries where encryption is illegal. Thus, whereas cryptography is the practice of protecting the contents of a message alone, steganography is concerned with concealing the fact that a secret message is being sent, as well as concealing the contents of the message
A malicious user is sniffing a busy encrypted wireless network waiting for an authorized client to connect to it. Only after an authorized client has connected and the hacker was able to capture the client handshake with the AP can the hacker begin a brute force attack to discover the encryption key. Which of the following attacks is taking place? A. IV attack B. WEP cracking C. WPA cracking D. Rogue AP
Answer: C Explanation: There are three steps to penetrating a WPA-protected network. Sniffing Parsing Attacking
A security analyst discovered data such as images and word documents hidden within different types of files. Which of the following cryptographic concepts describes what was discovered? A. Symmetric encryption B. Non-repudiation C. Steganography D. Hashing
Answer: C Explanation: Steganography is the process of concealing a file, message, image, or video within another file, message, image, or video. Note: The advantage of steganography over cryptography alone is that the intended secret message does not attract attention to itself as an object of scrutiny. Plainly visible encrypted messages, no matter how unbreakable will arouse interest, and may in themselves be incriminating in countries where encryption is illegal. Thus, whereas cryptography is the practice of protecting the contents of a message alone, steganography is concerned with concealing the fact that a secret message is being sent, as well as concealing the contents of the message.
Users need to exchange a shared secret to begin communicating securely. Which of the following is another name for this symmetric key? A. Session Key B. Public Key C. Private Key D. Digital Signature
Answer: C Explanation: Symmetric algorithms require both ends of an encrypted message to have the same key and processing algorithms. Symmetric algorithms generate a secret key that must be protected. A symmetric key, sometimes referred to as a secret key or private key, is a key that isn't disclosed to people who aren't authorized to use the encryption system.
Which of the following is an authentication and accounting service that uses TCP for connecting to routers and switches? A. DIAMETER B. RADIUS C. TACACS+ D. Kerberos
Answer: C Explanation: TACACS+ is an authentication, authorization, and accounting (AAA) service that makes us of TCP only.
Which of the following provides a static record of all certificates that are no longer valid? A. Private key B. Recovery agent C. CRLs D. CA
Answer: C Explanation: The CRL (Certificate revocation list) is exactly what its name implies: a list of subscribers paired with digital certificate status. The list enumerates revoked certificates along with the reason(s) for revocation. The dates of certificate issue, and the entities that issued them, are also included. In addition, each list contains a proposed date for the next release. When a potential user attempts to access a server, the server allows or denies access based on the CRL entry for that particular user.
A malicious program modified entries in the LMHOSTS file of an infected system. Which of the following protocols would have been affected by this? A. ICMP B. BGP C. NetBIOS D. DNS
Answer: C Explanation: The LMHOSTS file provides a NetBIOS name resolution method that can be used for small networks that do not use a WINS server. NetBIOS has been adapted to run on top of TCP/IP, and is still extensively used for name resolution and registration in Windows-based environments.
Which of the following is the GREATEST security risk of two or more companies working together under a Memorandum of Understanding? A. Budgetary considerations may not have been written into the MOU, leaving an entity to absorb more cost than intended at signing. B. MOUs have strict policies in place for services performed between the entities and the penalties for compromising a partner are high. C. MOUs are generally loose agreements and therefore may not have strict guidelines in place to protect sensitive data between the two entities. D. MOUs between two companies working together cannot be held to the same legal standards as SLAs.
Answer: C Explanation: The Memorandum of Understanding This document is used in many settings in the information industry. It is a brief summary of which party is responsible for what portion of the work. For example, Company A may be responsible for maintaining the database server and Company B may be responsible for telecommunications. MOUs are not legally binding but they carry a degree of seriousness and mutual respect, stronger than a gentlemen's agreement. Often, MOUs are the first steps towards a legal contract.
Three of the primary security control types that can be implemented are. A. Supervisory, subordinate, and peer. B. Personal, procedural, and legal. C. Operational, technical, and management. D. Mandatory, discretionary, and permanent
Answer: C Explanation: The National Institute of Standards and Technology (NIST) places controls into various types. The control types fall into three categories: Management, Operational, and Technical.
Which of the following protocols is used to validate whether trust is in place and accurate by returning responses of either "good", "unknown", or "revoked"? A. CRL B. PKI C. OCSP D. RA
Answer: C Explanation: The Online Certificate Status Protocol (OCSP) is an Internet protocol used for obtaining the revocation status of an X.509 digital certificate. An OCSP responder (a server typically run by the certificate issuer) may return a signed response signifying that the certificate specified in the request is 'good', 'revoked', or 'unknown'. If it cannot process the request, it may return an error code.
Results from a vulnerability analysis indicate that all enabled virtual terminals on a router can be accessed using the same password. The company's network device security policy mandates that at least one virtual terminal have a different password than the other virtual terminals. Which of the following sets of commands would meet this requirement? A. line vty 0 6 P@s5W0Rd password line vty 7 Qwer++!Y password B. line console 0 password password line vty 0 4 password P@s5W0Rd C. line vty 0 3 password Qwer++!Y line vty 4 password P@s5W0Rd D. line vty 0 3 password Qwer++!Y line console 0 password P@s5W0Rd
Answer: C Explanation: The VTY lines are the Virtual Terminal lines of the router, used solely to control inbound Telnet connections. They are virtual, in the sense that they are a function of software - there is no hardware associated with them. Two numbers follow the keyword VTY because there is more than one VTY line for router access. The default number of lines is five on many Cisco routers. Here, I'm configuring one password for all terminal (VTY) lines. I can specify the actual terminal or VTY line numbers as a range. The syntax that you'll see most often, vty 0 4, covers all five terminal access lines.
Which of the following provides the HIGHEST level of confidentiality on a wireless network? A. Disabling SSID broadcast B. MAC filtering C. WPA2 D. Packet switching
Answer: C Explanation: The Wi-Fi Protected Access (WPA) and Wi-Fi Protected Access 2 (WPA2) authentication protocols were designed to address the core, easy-to-crack problems of WEP.
While setting up a secure wireless corporate network, which of the following should Pete, an administrator, avoid implementing? A. EAP-TLS B. PEAP C. WEP D. WPA
Answer: C Explanation: WEP is one of the more vulnerable security protocols. The only time to use WEP is when you must have compatibility with older devices that do not support new encryption
The string: ' or 1=1-- Represents which of the following? A. Bluejacking B. Rogue access point C. SQL Injection D. Client-side attacks
Answer: C Explanation: The code in the question is an example of a SQL Injection attack. The code '1=1' will always provide a value of true. This can be included in statement designed to return all rows in a SQL table. SQL injection is a code injection technique, used to attack data-driven applications, in which malicious SQL statements are inserted into an entry field for execution (e.g. to dump the database contents to the attacker). SQL injection must exploit a security vulnerability in an application's software, for example, when user input is either incorrectly filtered for string literal escape characters embedded in SQL statements or user input is not strongly typed and unexpectedly executed. SQL injection is mostly known as an attack vector for websites but can be used to attack any type of SQL database.
Company employees are required to have workstation client certificates to access a bank website. These certificates were backed up as a precautionary step before the new computer upgrade. After the upgrade and restoration, users state they can access the bank's website, but not login. Which is the following is MOST likely the issue? A. The IP addresses of the clients have change B. The client certificate passwords have expired on the server C. The certificates have not been installed on the workstations D. The certificates have been installed on the CA
Answer: C Explanation: The computer certificates must be installed on the upgraded client computers
A file on a Linux server has default permissions of rw-rw-r--. The system administrator has verified that Ann, a user, is not a member of the group owner of the file. Which of the following should be modified to assure that Ann has read access to the file? A. User ownership information for the file in question B. Directory permissions on the parent directory of the file in question C. Group memberships for the group owner of the file in question D. The file system access control list (FACL) for the file in question
Answer: C Explanation: The file permissions according to the file system access control list (FACL) are rw-rw-r--. The first 'rw-' are the file owner permissions (read and write). The second 'rw-' are the group permissions (read and write) for the group that has been assigned the file. The third 'r--' is the All Users permissions; in this case read only. To enable Ann to access the file, we should add Ann to the group that has been assigned to the file.
A security administrator has installed a new KDC for the corporate environment. Which of the following authentication protocols is the security administrator planning to implement across the organization? A. LDAP B. RADIUS C. Kerberos D. XTACACS
Answer: C Explanation: The fundamental component of a Kerberos solution is the key distribution centre (KDC), which is responsible for verifying the identity of principles and granting and controlling access within a network environment through the use of secure cryptographic keys and tickets
Matt, a developer, recently attended a workshop on a new application. The developer installs the new application on a production system to test the functionality. Which of the following is MOST likely affected? A. Application design B. Application security C. Initial baseline configuration D. Management of interfaces
Answer: C Explanation: The initial baseline configuration of a computer system is an agreed configuration for the computer. For example, the initial baseline configuration will list what operating system he computer will run, what software applications and patches will be installed and what configuration settings should be applied to the system. In this question, we are installing a new software application on a server. After the installation of the software, the "configuration" of the server (installed software, settings etc) is now different from the initial baseline configuration.
Which of the following risks could IT management be mitigating by removing an all-in-one device? A. Continuity of operations B. Input validation C. Single point of failure D. Single sign on
Answer: C Explanation: The major disadvantage of combining everything into one, although you do this to save costs, is to include a potential single point of failure and the reliance/dependence on a single vendor
An administrator configures all wireless access points to make use of a new network certificate authority. Which of the following is being used? A. WEP B. LEAP C. EAP-TLS D. TKIP
Answer: C Explanation: The majority of the EAP-TLS implementations require client-side X.509 certificates without giving the option to disable the requirement.
During a disaster recovery planning session, a security administrator has been tasked with determining which threats and vulnerabilities pose a risk to the organization. Which of the following should the administrator rate as having the HIGHEST frequency of risk to the organization? A. Hostile takeovers B. Large scale natural disasters C. Malware and viruses D. Corporate espionage
Answer: C Explanation: The most common threat to an organization is computer viruses or malware. A computer can become infected with a virus through day-to-day activities such as browsing web sites or emails.As browsing and opening emails are the most common activities performed by all users, computer viruses represent the most likely risk to a business. Common examples of malware include viruses, worms, trojan horses, and spyware. Viruses, for example, can cause havoc on a computer's hard drive by deleting files or directory information. Spyware can gather data from a user's system without the user knowing it. This can include anything from the Web pages a user visits to personal information, such as credit card numbers
A security administrator wants to check user password complexity. Which of the following is the BEST tool to use? A. Password history B. Password logging C. Password cracker D. Password hashing
Answer: C Explanation: The most important countermeasure against password crackers is to use long, complex passwords, which are changed regularly. Password-cracking tools compare hashes from potential passwords with the hashes stored in the accounts database. Each potential password is hashed, and that hash value is compared with the accounts database. If a match is found, the passwordcracker tool has discovered a password for a user account.
A security administrator is reviewing the below output from a password auditing tool: P@ss. @pW1. S3cU4 Which of the following additional policies should be implemented based on the tool's output? A. Password age B. Password history C. Password length D. Password complexity
Answer: C Explanation: The output shows that all the passwords are either 4 or 5 characters long. This is way too short, 8 characters are shown to be the minimum for password length.
A network administrator is responsible for securing applications against external attacks. Every month, the underlying operating system is updated. There is no process in place for other software updates. Which of the following processes could MOST effectively mitigate these risks? A. Application hardening B. Application change management C. Application patch management D. Application firewall review
Answer: C Explanation: The question states that operating system updates are applied but not other software updates. The 'other software' in this case would be applications. Software updates includes functionalityupdates and more importantly security updates. The process of applying software updates or 'patches' to applications is known as 'application patch management'. Application patch management is an effective way of mitigating security risks associated with software applications
Which of the following defines a business goal for system restoration and acceptable data loss? A. MTTR B. MTBF C. RPO D. Warm site
Answer: C Explanation: The recovery point objective (RPO) defines the point at which the system needs to be restored. This could be where the system was two days before it crashed (whip out the old backup tapes) or five minutes before it crashed (requiring complete redundancy). This is an essential business goal insofar as system restoration and acceptable data loss is concerned.
A security administrator is reviewing the company's continuity plan. The plan specifies an RTO of six hours and RPO of two days. Which of the following is the plan describing? A. Systems should be restored within six hours and no later than two days after the incident. B. Systems should be restored within two days and should remain operational for at least six hours. C. Systems should be restored within six hours with a minimum of two days worth of data. D. Systems should be restored within two days with a minimum of six hours worth of data.
Answer: C Explanation: The recovery time objective (RTO) is the maximum amount of time that a process or service is allowed to be down and the consequences still to be considered acceptable. Beyond this time, the break in business continuity is considered to affect the business negatively. The RTO is agreed on during the business impact analysis (BIA) creation. The recovery point objective (RPO) is similar to RTO, but it defines the point at which the system needs to be restored. This could be where the system was two days before it crashed (whip out the old backup tapes) or five minutes before it crashed (requiring complete redundancy). As a general rule, the closer the RPO matches the item of the crash, the more expensive it is to obtain
Which of the following would a security administrator implement in order to identify change from the standard configuration on a server? A. Penetration test B. Code review C. Baseline review D. Design review
Answer: C Explanation: The standard configuration on a server is known as the baseline. The IT baseline protection approach is a methodology to identify and implement computer security measures in an organization. The aim is the achievement of an adequate and appropriate level of security for IT systems. This is known as a baseline. A baseline report compares the current status of network systems in terms of security updates, performance or other metrics to a predefined set of standards (the baseline).
Several users report to the administrator that they are having issues downloading files from the file server. Which of the following assessment tools can be used to determine if there is an issue with the file server? A. MAC filter list B. Recovery agent C. Baselines D. Access list
Answer: C Explanation: The standard configuration on a server is known as the baseline. In this question, we can see if anything has changed on the file server by comparing its current configuration with the baseline. The IT baseline protection approach is a methodology to identify and implement computer security measures in an organization. The aim is the achievement of an adequate and appropriate level of security for IT systems. This is known as a baseline. A baseline report compares the current status of network systems in terms of security updates, performance or other metrics to a predefined set of standards (the baseline).
Users have been reporting that their wireless access point is not functioning. They state that it allows slow connections to the internet, but does not provide access to the internal network. The user provides the SSID and the technician logs into the company's access point and finds no issues. Which of the following should the technician do? A. Change the access point from WPA2 to WEP to determine if the encryption is too strong B. Clear all access logs from the AP to provide an up-to-date access list of connected users C. Check the MAC address of the AP to which the users are connecting to determine if it is an imposter D. Reconfigure the access point so that it is blocking all inbound and outbound traffic as a troubleshooting gap
Answer: C Explanation: The users may be connecting to a rogue access point. The rogue access point could be hosting a wireless network that has the same SSID as the corporate wireless network. The only way to tell for sure if the access point the users are connecting to is the correct one is to check the MAC address. Every network card has a unique 48-bit address assigned. A media access control address (MAC address) is a unique identifier assigned to network interfaces for communications on the physical network segment. MAC addresses are used as a network address for most IEEE 802 network technologies, including Ethernet and WiFi. Logically, MAC addresses are used in the media access control protocol sublayer of the OSI reference model. MAC addresses are most often assigned by the manufacturer of a network interface controller (NIC) and are stored in its hardware, such as the card's read-only memory or some other firmware mechanism. If assigned by the manufacturer, a MAC address usually encodes the manufacturer's registered identification number and may be referred to as the burned-in address (BIA). It may also be known as an Ethernet hardware address (EHA), hardware address or physical address. This can be contrasted to a programmed address, where the host device issues commands to the NIC to use an arbitrary address. A network node may have multiple NICs and each NIC must have a unique MAC address. MAC addresses are formed according to the rules of one of three numbering name spaces managed by the Institute of Electrical and Electronics Engineers (IEEE): MAC-48, EUI-48, and EUI-64.
An attacker used an undocumented and unknown application exploit to gain access to a file server. Which of the following BEST describes this type of attack? A. Integer overflow B. Cross-site scripting C. Zero-day D. Session hijacking E. XML injection
Answer: C Explanation: The vulnerability is undocumented and unknown. This is zero day vulnerability. A zero day vulnerability refers to a hole in software that is unknown to the vendor. This security hole is then exploited by hackers before the vendor becomes aware and hurries to fix it—this exploit is called a zero day attack. Uses of zero day attacks can include infiltrating malware, spyware or allowing unwanted access to user information. The term "zero day" refers to the unknown nature of the hole to those outside of the hackers, specifically, the developers. Once the vulnerability becomes known, a race begins for the developer, who must protect users.
A security administrator has concerns about new types of media which allow for the mass distribution of personal comments to a select group of people. To mitigate the risks involved with this media, employees should receive training on which of the following? A. Peer to Peer B. Mobile devices C. Social networking D. Personally owned devices
Answer: C Explanation: There many companies that allow full use of social media in the workplace, believing that the marketing opportunities it holds outweigh any loss in productivity. What they are unknowingly minimizing are the threats that exist. Rather than being all new threats, the social networking/media threats tend to fall in the categories of the same old tricks used elsewhere but in a new format. A tweet can be sent with a shortened URL so that it does not exceed the 140character limit set by Twitter; unfortunately, the user has no idea what the shortened URL leads to. This makes training your employees regarding the risks social networking entails essential.
A company's Chief Information Officer realizes the company cannot continue to operate after a disaster. Which of the following describes the disaster? A. Risk B. Asset C. Threat D. Vulnerability
Answer: C Explanation: Threat is basically anything that can take advantage of any vulnerability that may be found. When the CIO realizes that the company cannot continue to operate after a disaster, the disaster is then the threat to the company.
A company with a US-based sales force has requested that the VPN system be configured to authenticate the sales team based on their username, password and a client side certificate. Additionally, the security administrator has restricted the VPN to only allow authentication from the US territory. How many authentication factors are in use by the VPN system? A. 1 B. 2 C. 3 D. 4
Answer: C Explanation: Three different types of authentication factors have been used in this question: Something you know - username and password. Something you have - client side certificate. Somewhere you are - authentication to the VPN is only allowed from the U.S. territory
A technician is reviewing the logical access control method an organization uses. One of the senior managers requests that the technician prevent staff members from logging on during nonworking days. Which of the following should the technician implement to meet managements request? A. Enforce Kerberos B. Deploy smart cards C. Time of day restrictions D. Access control lists
Answer: C Explanation: Time of day restrictions limit when users can access specific systems based on the time of day or week. It can limit access to sensitive environments to normal business hours
The company's sales team plans to work late to provide the Chief Executive Officer (CEO) with a special report of sales before the quarter ends. After working for several hours, the team finds they cannot save or print the reports. Which of the following controls is preventing them from completing their work? A. Discretionary access control B. Role-based access control C. Time of Day access control D. Mandatory access control
Answer: C Explanation: Time of day restrictions limit when users can access specific systems based on the time of day or week. It can limit access to sensitive environments to normal business hours when oversight and monitoring can be performed to prevent fraud, abuse, or intrusion. In this case, the sales team is prevented from saving or printing reports after a certain time.
Which of the following protocols is used to authenticate the client and server's digital certificate? A. PEAP B. DNS C. TLS D. ICMP
Answer: C Explanation: Transport Layer Security (TLS) is a cryptographic protocol designed to provide communications security over a computer network. It uses X.509 certificates and hence asymmetric cryptography to authenticate the counterparty with whom it is communicating, and to exchange a symmetric key.
Which of the following has a storage root key? A. HSM B. EFS C. TPM D. TKIP
Answer: C Explanation: Trusted Platform Module (TPM) is a hardware-based encryption solution that is embedded in the system's motherboard and is enabled or disable in BIOS. It helps with hash key generation and stores cryptographic keys, passwords, or certificates on non-volatile (NV) memory. Data stored on NV memory is retained unaltered when the device has no power. The storage root key is embedded in the TPM to protect TPM keys created by applications, so that these keys cannot be used without the TPM
A company wants to ensure that all aspects if data are protected when sending to other sites within the enterprise. Which of the following would ensure some type of encryption is performed while data is in transit? A. SSH B. SHA1 C. TPM D. MD5
Answer: C Explanation: Trusted Platform Module (TPM) is a hardware-based encryption solution that is embedded in the system's motherboard and is enabled or disable in BIOS. It helps with hash key generation and stores cryptographic keys, passwords, or certificates.
A hospital IT department wanted to secure its doctor's tablets. The IT department wants operating system level security and the ability to secure the data from alteration. Which of the following methods would MOST likely work? A. Cloud storage B. Removal Media C. TPM D. Wiping
Answer: C Explanation: Trusted Platform Module (TPM) is a hardware-based encryption solution that is embedded in the system's motherboard and is enabled or disable in BIOS. It helps with hash key generation and stores cryptographic keys, passwords, or certificates.
Which of the following is a hardware based encryption device? A. EFS B. TrueCrypt C. TPM D. SLE
Answer: C Explanation: Trusted Platform Module (TPM) is a hardware-based encryption solution that is embedded in the system's motherboard and is enabled or disable in BIOS. It helps with hash key generation and stores cryptographic keys, passwords, or certificates.
Sara, an attacker, is recording a person typing in their ID number into a keypad to gain access to the building. Sara then calls the helpdesk and informs them that their PIN no longer works and would like to change it. Which of the following attacks occurred LAST? A. Phishing B. Shoulder surfing C. Impersonation D. Tailgating
Answer: C Explanation: Two attacks took place in this question. The first attack was shoulder surfing. This was the act of Sara recording a person typing in their ID number into a keypad to gain access to the building. The second attack was impersonation. Sara called the helpdesk and used the PIN to impersonate the person she recorded.
Which of the following would be used when a higher level of security is desired for encryption key storage? A. TACACS+ B. L2TP C. LDAP D. TPM
Answer: D Explanation: Trusted Platform Module (TPM) is a hardware-based encryption solution that is embedded in the system's motherboard and is enabled or disable in BIOS. It helps with hash key generation and stores cryptographic keys, passwords, or certificates.
Ann was reviewing her company's event logs and observed several instances of GUEST accessing the company print server, file server, and archive database. As she continued to investigate, Ann noticed that it seemed to happen at random intervals throughout the day, but mostly after the weekly automated patching and often logging in at the same time. Which of the following would BEST mitigate this issue? A. Enabling time of day restrictions B. Disabling unnecessary services C. Disabling unnecessary accounts D. Rogue machine detection
Answer: C Explanation: User account control is a very important part of operating system hardening. It is important that only active accounts be operational and that they be properly managed. This means disabling unnecessary accounts. Enabled accounts that are not needed on a system provide a door through which attackers can gain access. You should disable all accounts that are not needed immediately—on servers and workstations alike. Here are some types of accounts that you should disable: Employees Who Have Left the Company: Be sure to disable immediately accounts for any employee who has left the company. This should be done the minute employment is terminated. Temporary Employees: It is not uncommon to create short-term accounts for brief periods of time for access by temporary employees. These also need to be disabled the moment they are no longer needed. Default Guest Accounts: In many operating systems, a guest account is created during installation and intended for use by those needing only limited access and lacking their own account on the system. This account presents a door into the system that should not be there, andall who have worked with the operating system knows of its existence, thus making it a likely target for attackers
All executive officers have changed their monitor location so it cannot be easily viewed when passing by their offices. Which of the following attacks does this action remediate? A. Dumpster Diving B. Impersonation C. Shoulder Surfing D. Whaling
Answer: C Explanation: Viewing confidential information on someone's monitor is known as shoulder surfing. By moving their monitors so they cannot be seen, the executives are preventing users passing by 'shoulder surfing'. Shoulder surfing is using direct observation techniques, such as looking over someone's shoulder, to get information. Shoulder surfing is an effective way to get information in crowded places because it's relatively easy to stand next to someone and watch as they fill out a form, enter a PIN number at an ATM machine, or use a calling card at a public pay phone. Shoulder surfing can also be done long distance with the aid of binoculars or other vision-enhancing devices. To prevent shoulder surfing, experts recommend that you shield paperwork or your keypad from view by using your body or cupping your hand.
Joe, a technician, is tasked with finding a way to test operating system patches for a wide variety of servers before deployment to the production environment while utilizing a limited amount of hardware resources. Which of the following would provide the BEST environment for performing this testing? A. OS hardening B. Application control C. Virtualization D. Sandboxing
Answer: C Explanation: Virtualization is used to host one or more operating systems in the memory of a single host computer and allows multiple operating systems to run simultaneously on the same hardware, reducing costs. Virtualization offers the flexibility of quickly and easily making backups of entire virtual systems, and quickly recovering the virtual system when errors occur. Furthermore, malicious code compromises of virtual systems rarely affect the host system, which allows for safer testing and experimentation
Purchasing receives an automated phone call from a bank asking to input and verify credit card information. The phone number displayed on the caller ID matches the bank. Which of the following attack types is this? A. Hoax B. Phishing C. Vishing D. Whaling
Answer: C Explanation: Vishing (voice or VoIP phishing) is an electronic fraud tactic in which individuals are tricked into revealing critical financial or personal information to unauthorized entities. Vishing works like phishing but does not always occur over the Internet and is carried out using voice technology. A vishing attack can be conducted by voice email, VoIP (voice over IP), or landline or cellular telephone. The potential victim receives a message, often generated by speech synthesis, indicating that suspicious activity has taken place in a credit card account, bank account, mortgage account or other financial service in their name. The victim is told to call a specific telephone number and provide information to "verify identity" or to "ensure that fraud does not occur." If the attack is carried out by telephone, caller ID spoofing can cause the victim's set to indicate a legitimate source, such as a bank or a government agency. Vishing is difficult for authorities to trace, particularly when conducted using VoIP. Furthermore, like many legitimate customer services, vishing scams are often outsourced to other countries, which may render sovereign law enforcement powerless. Consumers can protect themselves by suspecting any unsolicited message that suggests they are targets of illegal activity, no matter what the medium or apparent source. Rather than calling a number given in any unsolicited message, a consumer should directly call the institution named, using a number that is known to be valid, to verify all recent activity and to ensure that the account information has not been tampered with.
A company hires outside security experts to evaluate the security status of the corporate network. All of the company's IT resources are outdated and prone to crashing. The company requests that all testing be performed in a way which minimizes the risk of system failures. Which of the following types of testing does the company want performed? A. Penetration testing B. WAF testing C. Vulnerability scanning D. White box testing
Answer: C Explanation: Vulnerability scanning has minimal impact on network resource due to the passive nature of the scanning. A vulnerability scan is the process of scanning the network and/or I.T. infrastructure for threats and vulnerabilities. The threats and vulnerabilities are then evaluated in a risk assessment and the necessary actions taken to resolve and vulnerabilities. A vulnerability scan scans for known weaknesses such as missing patches or security updates. A vulnerability scan is the automated process of proactively identifying security vulnerabilities of computing systems in a network in order to determine if and where a system can be exploited and/or threatened. While public servers are important for communication and data transfer over the Internet, they open the door to potential security breaches by threat agents, such as malicious hackers. Vulnerability scanning employs software that seeks out security flaws based on a database of known flaws, testing systems for the occurrence of these flaws and generating a report of the findings that an individual or an enterprise can use to tighten the network's security.
Due to hardware limitation, a technician must implement a wireless encryption algorithm that uses the RC4 protocol. Which of the following is a wireless encryption solution that the technician should implement while ensuring the STRONGEST level of security? A. WPA2-AES B. 802.11ac C. WPA-TKIP D. WEP
Answer: C Explanation: WPA-TKIP uses the RC4 cipher. TKIP and the related WPA standard implement three new security features to address security problems encountered in WEP protected networks. First, TKIP implements a key mixing function that combines the secret root key with the initialization vector before passing it to the RC4 initialization. WEP, in comparison, merely concatenated the initialization vector to the root key, and passed this value to the RC4 routine. This permitted the vast majority of the RC4 based WEP related key attacks. Second, WPA implements a sequence counter to protect against replay attacks. Packets received out of order will be rejected by the access point. Finally, TKIP implements a 64-bit Message Integrity Check (MIC) To be able to run on legacy WEP hardware with minor upgrades, TKIP uses RC4 as its cipher. TKIP also provides a rekeying mechanism. TKIP ensures that every data packet is sent with a unique encryption key.
The Chief Information Officer (CIO) wants to implement a redundant server location to which the production server images can be moved within 48 hours and services can be quickly restored, in case of a catastrophic failure of the primary datacenter's HVAC. Which of the following can be implemented? A. Cold site B. Load balancing C. Warm site D. Hot site
Answer: C Explanation: Warm sites provide computer systems and compatible media capabilities. If a warm site is used, administrators and other staff will need to install and configure systems to resume operations. For most organizations, a warm site could be a remote office, a leased facility, or another organization with which yours has a reciprocal agreement.
A system administrator has noticed vulnerability on a high impact production server. A recent update was made available by the vendor that addresses the vulnerability but requires a reboot of the system afterwards. Which of the following steps should the system administrator implement to address the vulnerability? A. Test the update in a lab environment, schedule downtime to install the patch, install the patch and reboot the server and monitor for any changes B. Test the update in a lab environment, backup the server, schedule downtime to install the patch, install the patch, and monitor for any changes C. Test the update in a lab environment, backup the server, schedule downtime to install the patch, install the update, reboot the server, and monitor for any changes D. Backup the server, schedule downtime to install the patch, installs the patch and monitor for any changes
Answer: C Explanation: We have an update to apply to fix the vulnerability. The update should be tested first in a lab environment, not on the production server to ensure it doesn't cause any other problems with the server. After testing the update, we should backup the server to enable us to roll back any changes in the event of any unforeseen problems with the update. The question states that the server will require a reboot. This will result in downtime so you should schedule the downtime before installing the patch. After installing the update, you should monitor the server to ensure it is functioning correctly.
Which of the following technical controls is BEST used to define which applications a user can install and run on a company issued mobile device? A. Authentication B. Blacklisting C. Whitelisting D. Acceptable use policy
Answer: C Explanation: White lists are closely related to ACLs and essentially, a white list is a list of items that are allowed.
One of the most basic ways to protect the confidentiality of data on a laptop in the event the device is physically stolen is to implement which of the following? A. File level encryption with alphanumeric passwords B. Biometric authentication and cloud storage C. Whole disk encryption with two-factor authentication D. BIOS passwords and two-factor authentication
Answer: C Explanation: Whole-disk encryption only provides reasonable protection when the system is fully powered off. to make the most of the defensive strength of whole-disk encryption, a long, complex passphrase should be used to unlock the system on bootup. Combining whole-disk encryption with two factor authentication would further increase protection.
Which of the following is an advantage of implementing individual file encryption on a hard drive which already deploys full disk encryption? A. Reduces processing overhead required to access the encrypted files B. Double encryption causes the individually encrypted files to partially lose their properties C. Individually encrypted files will remain encrypted when copied to external media D. File level access control only apply to individually encrypted files in a fully encrypted drive
Answer: C Explanation: With full disk encryption a file is encrypted as long as it remains on the disk. This is because the data on the disk is decrypted when the user logs on, thus the data is in a decrypted form when it is copied to another disk. Individually encrypted files on the other hand remain encrypted.
Acme Corp has selectively outsourced proprietary business processes to ABC Services. Due to some technical issues, ABC services wants to send some of Acme Corp's debug data to a third party vendor for problem resolution. Which of the following MUST be considered prior to sending data to a third party? A. The data should be encrypted prior to transport B. This would not constitute unauthorized data sharing C. This may violate data ownership and non-disclosure agreements D. Acme Corp should send the data to ABC Services' vendor instead
Answer: C Explanation: With sending your data to a third party is already a risk since the third party may have a different policy than yours. Data ownership and non-disclosure is already a risk that you will have to accept since the data will be sent for debugging /troubleshooting purposes which will result in definite disclosure of the data.
A company storing data on a secure server wants to ensure it is legally able to dismiss and prosecute staff who intentionally access the server via Telnet and illegally tamper with customer data. Which of the following administrative controls should be implemented to BEST achieve this? A. Command shell restrictions B. Restricted interface C. Warning banners D. Session output pipe to /dev/null
Answer: C Explanation: Within Microsoft Windows, you have the ability to put signs (in the form of onscreen pop-up banners) that appear before the login telling similar information—authorized access only, violators will be prosecuted, and so forth. Such banners convey warnings or regulatory information to the user that they must "accept" in order to use the machine or network. You needto make staff aware that they may legally be prosecuted and a message is best given via a banner so that all staff using workstation will get notification.
A supervisor in the human resources department has been given additional job duties in the accounting department. Part of their new duties will be to check the daily balance sheet calculations on spreadsheets that are restricted to the accounting group. In which of the following ways should the account be handled? A. The supervisor should be allowed to have access to the spreadsheet files, and their membership in the human resources group should be terminated. B. The supervisor should be removed from the human resources group and added to the accounting group. C. The supervisor should be added to the accounting group while maintaining their membership in the human resources group. D. The supervisor should only maintain membership in the human resources group.
Answer: C Explanation: You can assign permissions to access resources either to a user or a group. The most efficient way is to assign permissions to a group (group based privileges). By assigning the human resources supervisor's user account to the group means the supervisor will inherit the permissions of that group, and allow him to carry out the new duties. Because the new duties are being added to his normal duties, maintaining membership in the human resources group will allow the supervisor to continue performing his normal duties.
A security researcher wants to reverse engineer an executable file to determine if it is malicious. The file was found on an underused server and appears to contain a zero-day exploit. Which of the following can the researcher do to determine if the file is malicious in nature? A. TCP/IP socket design review B. Executable code review C. OS Baseline comparison D. Software architecture review
Answer: C Explanation: Zero-Day Exploits begin exploiting holes in any software the very day it is discovered. It is very difficult to respond to a zero-day exploit. Often, the only thing that you as a security administrator can do is to turn off the service. Although this can be a costly undertaking in terms of productivity, it is the only way to keep the network safe. In this case you want to check if the executable file is malicious. Since a baseline represents a secure state is would be possible to check the nature of the executable file in an isolated environment against the OS baseline
To help prevent unauthorized access to PCs, a security administrator implements screen savers that lock the PC after five minutes of inactivity. Which of the following controls is being described in this situation? A. Management B. Administrative C. Technical D. Operational
Answer: C Explanation: controls such as preventing unauthorized access to PC's and applying screensavers that lock the PC after five minutes of inactivity is a technical control type, the same as Identification and Authentication, Access Control, Audit and Accountability as well as System and Communication Protection.
A security administrator needs to image a large hard drive for forensic analysis. Which of the following will allow for faster imaging to a second hard drive? A. cp /dev/sda /dev/sdb bs=8k B. tail -f /dev/sda > /dev/sdb bs=8k C. dd in=/dev/sda out=/dev/sdb bs=4k D. locate /dev/sda /dev/sdb bs=4k
Answer: C Explanation: dd is a command-line utility for Unix and Unix-like operating systems whose primary purpose is to convert and copy files. dd can duplicate data across files, devices, partitions and volumes On Unix, device drivers for hardware (such as hard disks) and special device files (such as /dev/zero and /dev/random) appear in the file system just like normal files; dd can also read and/or write from/to these files, provided that function is implemented in their respective driver. As a result, dd can be used for tasks such as backing up the boot sector of a hard drive, and obtaining a fixed amount of random data. The dd program can also perform conversions on the data as it is copied, including byte order swapping and conversion to and from the ASCII and EBCDIC text encodings. An attempt to copy the entire disk using cp may omit the final block if it is of an unexpected length; whereas dd may succeed. The source and destination disks should have the same size.
A technician has just installed a new firewall onto the network. Users are reporting that they cannot reach any website. Upon further investigation, the technician determines that websites can be reached by entering their IP addresses. Which of the following ports may have been closed to cause this issue? A. HTTP B. DHCP C. DNS D. NetBIOS
Answer: C Explanation: DNS links IP addresses and human-friendly fully qualified domain names (FQDNs), which are made up of the Top-level domain (TLD), the registered domain name, and the Subdomain or hostname. Therefore, if the DNS ports are blocked websites will not be reachable.
A security administrator is aware that a portion of the company's Internet-facing network tends to be non-secure due to poorly configured and patched systems. The business owner has accepted the risk of those systems being compromised, but the administrator wants to determine the degree to which those systems can be used to gain access to the company intranet. Which of the following should the administrator perform? A. Patch management assessment B. Business impact assessment C. Penetration test D. Vulnerability assessment
Answer: C Explanation: Penetration testing is the most intrusive type of testing because you are actively trying to circumvent the system's security controls to gain access to the system. It is also used to determine the degree to which the systems can be used to gain access to the company intranet (the degree of access to local network resources). Penetration testing (also called pen testing) is the practice of testing a computer system, network or Web application to find vulnerabilities that an attacker could exploit. Pen tests can be automated with software applications or they can be performed manually. Either way, the process includes gathering information about the target before the test (reconnaissance), identifying possible entry points, attempting to break in (either virtually or for real) and reporting back the findings. The main objective of penetration testing is to determine security weaknesses. A pen test can also be used to test an organization's security policy compliance, its employees' security awareness and the organization's ability to identify and respond to security incidents. Penetration tests are sometimes called white hat attacks because in a pen test, the good guys are attempting to break in. Pen test strategies include: Targeted testing Targeted testing is performed by the organization's IT team and the penetration testing team working together. It's sometimes referred to as a "lights-turned-on" approach because everyone can see the test being carried out. External testing This type of pen test targets a company's externally visible servers or devices including domain name servers (DNS), e-mail servers, Web servers or firewalls. The objective is to find out if an outside attacker can get in and how far they can get in once they've gained access. Internal testing This test mimics an inside attack behind the firewall by an authorized user with standard access privileges. This kind of test is useful for estimating how much damage a disgruntled employee could cause. Blind testing A blind test strategy simulates the actions and procedures of a real attacker by severely limiting the information given to the person or team that's performing the test beforehand. Typically, they may only be given the name of the company. Because this type of test can require a considerable amount of time for reconnaissance, it can be expensive. Double blind testing Double blind testing takes the blind test and carries it a step further. In this type of pen test, only one or two people within the organization might be aware a test is being conducted. Double-blind tests can be useful for testing an organization's security monitoring and incident identification as well as its response procedures.
Which of the following protocols provides for mutual authentication of the client and server? A. Two-factor authentication B. Radius C. Secure LDAP D. Biometrics
Answer: C Explanation: C: The LDAP directory service is based on a client-server model. The function of LDAP is to enable access to an existing directory. Because it is a client-server model it makes provision for mutual authentication between the two parties
Which of the following should a security technician implement to identify untrusted certificates? A. CA B. PKI C. CRL D. Recovery agent
Answer: C Explanation: Untrusted certificates and keys are revoked and put into the CRL. Note: The CRL (Certificate revocation list) is exactly what its name implies: a list of subscribers paired with digital certificate status. The list enumerates revoked certificates along with the reason(s) for revocation. The dates of certificate issue, and the entities that issued them, are also included.
A company has implemented PPTP as a VPN solution. Which of the following ports would need to be opened on the firewall in order for this VPN to function properly? (Select TWO). A. UDP 1723 B. TCP 500 C. TCP 1723 D. UDP 47 E. TCP 47
Answer: C,D Explanation: A PPTP tunnel is instantiated by communication to the peer on TCP port 1723. This TCP connection is then used to initiate and manage a second GRE tunnel to the same peer. The PPTP GRE packet format is non-standard, including an additional acknowledgement field replacing the typical routing field in the GRE header. However, as in a normal GRE connection, those modified GRE packets are directly encapsulated into IP packets, and seen as IP protocol number 47.
Joe, a user, wants to protect sensitive information stored on his hard drive. He uses a program that encrypted the whole hard drive. Once the hard drive is fully encrypted, he uses the same program to create a hidden volume within the encrypted hard drive and stores the sensitive information within the hidden volume. This is an example of which of the following? (Select TWO). A. Multi-pass encryption B. Transport encryption C. Plausible deniability D. Steganography E. Transitive encryption F. Trust models
Answer: C,D Explanation: Steganography is the process of concealing a file, message, image, or video within another file, message, image, or video. In this case, it is a hidden volume within the encrypted hard drive. In cryptography, deniable encryption may be used to describe steganographic techniques, where the very existence of an encrypted file or message is deniable in the sense that an adversary cannot prove that an encrypted message exists. This then provides you with plausible deniability
A security technician needs to open ports on a firewall to allow for domain name resolution. Which of the following ports should be opened? (Select TWO). A. TCP 21 B. TCP 23 C. TCP 53 D. UDP 23 E. UDP 53
Answer: C,E Explanation: DNS uses TCP and UDP port 53. TCP port 53 is used for zone transfers, whereas UDP port 53 is used for queries.
A company replaces a number of devices with a mobile appliance, combining several functions. Which of the following descriptions fits this new implementation? (Select TWO). A. Cloud computing B. Virtualization C. All-in-one device D. Load balancing E. Single point of failure
Answer: C,E Explanation: The disadvantages of combining everything into one include a potential single point of failure, and the dependence on the one vendor. The all -in-one device represents a single point of failure risk being taken on.
The BEST methods for a web developer to prevent the website application code from being vulnerable to cross-site request forgery (XSRF) are to: (Select TWO). A. Permit redirection to Internet-facing web URLs. B. Ensure all HTML tags are enclosed in angle brackets, e.g., "<" and ">". C. Validate and filter input on the server side and client side. D. Use a web proxy to pass website requests between the user and the application. E. Restrict and sanitize use of special characters in input and URLs.
Answer: C,E Explanation: XSRF or cross-site request forgery applies to web applications and is an attack that exploits the web application's trust of a user who known or is supposed to have been authenticated. This is often accomplished without the user's knowledge. XSRF can be prevented by adding a randomization string (called a nonce) to each URL request and session establishment and checking the client HTTP request header referrer for spoofing.
An organization recently switched from a cloud-based email solution to an in-house email server. The firewall needs to be modified to allow for sending and receiving email. Which of the following ports should be open on the firewall to allow for email traffic? (Select THREE). A. TCP 22 B. TCP 23 C. TCP 25 D. TCP 53 E. TCP 110 F. TCP 143 G. TCP 445
Answer: C,E,F Explanation: Port 25 is used by Simple Mail Transfer Protocol (SMTP) for routing e-mail between mail servers. Port 110 is used for Post Office Protocol v3 (POP3), which is an application-layer Internet standard protocol used by local e-mail clients to retrieve e-mail from a remote server over a TCP/IP connection. Port 143 is used by Internet Message Access Protocol (IMAP) for the management of email messages.
Topic 5, Access Control and Identity Management Jane, a security administrator, needs to implement a secure wireless authentication method that uses a remote RADIUS server for authentication. Which of the following is an authentication method Jane should use? A. WPA2-PSK B. WEP-PSK C. CCMP D. LEAP
Answer: D Explanation: A RADIUS server is a server with a database of user accounts and passwords used as a central authentication database for users requiring network access. The Lightweight Extensible Authentication Protocol (LEAP) is a proprietary wireless LAN authentication method developed by Cisco Systems. Important features of LEAP are dynamic WEP keys and mutual authentication (between a wireless client and a RADIUS server). LEAP allows for clients to reauthenticate frequently; upon each successful authentication, the clients acquire a new WEP key (with the hope that the WEP keys don't live long enough to be cracked). LEAP may be configured to use TKIP instead of dynamic WEP.
Ann is an employee in the accounting department and would like to work on files from her home computer. She recently heard about a new personal cloud storage service with an easy web interface. Before uploading her work related files into the cloud for access, which of the following is the MOST important security concern Ann should be aware of? A. Size of the files B. Availability of the files C. Accessibility of the files from her mobile device D. Sensitivity of the files
Answer: D Explanation: Cloud computing has privacy concerns, regulation compliance difficulties, use of open-/closedsource solutions, and adoption of open standards. It is also unsure whether cloud-based data is actually secured (or even securable).
One of the most consistently reported software security vulnerabilities that leads to major exploits is: A. Lack of malware detection. B. Attack surface decrease. C. Inadequate network hardening. D. Poor input validation.
Answer: D Explanation: D: With coding there are standards that should be observed. Of these standards the most fundamental is input validation. Attacks such as SQL injection depend on unfiltered input being sent through a web application. This makes for a software vulnerability that can be exploited. There are two primary ways to do input validation: client-side validation and server-side validation. Thus with poor input validation you increase your risk with regard to exposure to major software exploits.
An IT security technician needs to establish host based security for company workstations. Which of the following will BEST meet this requirement? A. Implement IIS hardening by restricting service accounts. B. Implement database hardening by applying vendor guidelines. C. Implement perimeter firewall rules to restrict access. D. Implement OS hardening by applying GPOs.
Answer: D Explanation: Hardening is the process of securing a system by reducing its surface of vulnerability. Reducing the surface of vulnerability typically includes removing or disabling unnecessary functions and features, removing or disabling unnecessary user accounts, disabling unnecessary protocols and ports, and disabling unnecessary services. This can be implemented using the native security features of an operating system, such as Group Policy Objects (GPOs).
A system administrator is responding to a legal order to turn over all logs from all company servers. The system administrator records the system time of all servers to ensure that: A. HDD hashes are accurate. B. the NTP server works properly. C. chain of custody is preserved. D. time offset can be calculated
Answer: D Explanation: It is quite common for workstation times to be off slightly from actual time, and that can happen with servers as well. Since a forensic investigation is usually dependent on a step-by-stepaccount of what has happened, being able to follow events in the correct time sequence is critical. Because of this, it is imperative to record the time offset on each affected machine during the investigation. One method of assisting with this is to add an entry to a log file and note the time that this was done and the time associated with it on the system.
Matt, a systems security engineer, is determining which credential-type authentication to use within a planned 802.1x deployment. He is looking for a method that does not require a client certificate, has a server side certificate, and uses TLS tunnels for encryption. Which credential type authentication method BEST fits these requirements? A. EAP-TLS B. EAP-FAST C. PEAP-CHAP D. PEAP-MSCHAPv2
Answer: D Explanation: PEAP-MS-CHAP v2 is easier to deploy than EAP-TLS or PEAP-TLS because user authentication is accomplished via password-base credentials (user name and password) rather than digital certificates or smart cards. Only servers running Network Policy Server (NPS) or PEAP-MS-CHAP v2 are required to have a certificate.
Which of the following ports is used for SSH, by default? A. 23 B. 32 C. 12 D. 22
Answer: D Explanation: Secure Shell (SSH) is a cryptographic network protocol for securing data communication. It establishes a secure channel over an insecure network in a client-server architecture, connecting an SSH client application with an SSH server. Common applications include remote command-line login, remote command execution, but any network service can be secured with SSH. SSH uses port 22.
Ann works at a small company and she is concerned that there is no oversight in the finance department; specifically, that Joe writes, signs and distributes paycheques, as well as other expenditures. Which of the following controls can she implement to address this concern? A. Mandatory vacations B. Time of day restrictions C. Least privilege D. Separation of duties
Answer: D Explanation: Separation of duties divides administrator or privileged tasks into separate groupings, which in turn, is individually assigned to unique administrators. This helps in fraud prevention, error reduction, as well as conflict of interest prevention. For example, those who configure security should not be the same people who test security. In this case, Joe should not be allowed to write and sign paycheques.
Mike, a user, states that he is receiving several unwanted emails about home loans. Which of the following is this an example of? A. Spear phishing B. Hoaxes C. Spoofing D. Spam
Answer: D Explanation: Spam is most often considered to be electronic junk mail or junk newsgroup postings. Some people define spam even more generally as any unsolicited email. However, if a long-lost brother finds your email address and sends you a message, this could hardly be called spam, even though it is unsolicited. Real spam is generally email advertising for some product sent to a mailing list or newsgroup. In addition to wasting people's time with unwanted e-mail, spam also eats up a lot of network bandwidth. Consequently, there are many organizations, as well as individuals, who have taken it upon themselves to fight spam with a variety of techniques. But because the Internet is public, there is really little that can be done to prevent spam, just as it is impossible to prevent junk mail.However, some online services have instituted policies to prevent spammers from spamming their subscribers. There is some debate about why it is called spam, but the generally accepted version is that it comes from the Monty Python song, "Spam spam spam spam, spam spam spam spam, lovely spam, wonderful spam". Like the song, spam is an endless repetition of worthless text. Another school of thought maintains that it comes from the computer group lab at the University of Southern California who gave it the name because it has many of the same characteristics as the lunch meat Spam: Nobody wants it or ever asks for it. No one ever eats it; it is the first item to be pushed to the side when eating the entree. Sometimes it is actually tasty, like 1% of junk mail that is really useful to some people. The term spam can also be used to describe any "unwanted" email from a company or website -typically at some point a user would have agreed to receive the email via subscription list opt-in -a newer term called graymail is used to describe this particular type of spam.
Which of the following would Matt, a security administrator, use to encrypt transmissions from an internal database to an internal server, keeping in mind that the encryption process must add as little latency to the process as possible? A. ECC B. RSA C. SHA D. 3DES
Answer: D Explanation: 3DES would be less secure compared to ECC, but 3DES would require less computational power. Triple-DES (3DES) is a technological upgrade of DES. 3DES is still used, even though AES is the preferred choice for government applications. 3DES is considerably harder to break than many other systems, and it's more secure than DES. It increases the key length to 168 bits (using three 56-bit DES keys).
A server is configured to communicate on both VLAN 1 and VLAN 12. VLAN 1 communication works fine, but VLAN 12 does not. Which of the following MUST happen before the server can communicate on VLAN 12? A. The server's network switch port must be enabled for 802.11x on VLAN 12. B. The server's network switch port must use VLAN Q-in-Q for VLAN 12. C. The server's network switch port must be 802.1q untagged for VLAN 12. D. The server's network switch port must be 802.1q tagged for VLAN 12.
Answer: D Explanation: 802.1q is a standard that defines a system of VLAN tagging for Ethernet frames. The purpose of a tagged port is to pass traffic for multiple VLAN's. Incorrect Options: A: 802.11x provides an authentication mechanism to devices wishing to attach to a LAN or WLAN. B: VLAN Q-in-Q allows multiple VLAN tags to be inserted into a single frame. C: The purpose an untagged port is to accept traffic for a single VLAN only.
Public key certificates and keys that are compromised or were issued fraudulently are listed on which of the following? A. PKI B. ACL C. CA D. CRL
Answer: D Explanation: A CRL is a locally stored record containing revoked certificates and revoked keys
A security administrator needs a locally stored record to remove the certificates of a terminated employee. Which of the following describes a service that could meet these requirements? A. OCSP B. PKI C. CA D. CRL
Answer: D Explanation: A CRL is a locally stored record containing revoked certificates and revoked keys.
A CRL is comprised of. A. Malicious IP addresses. B. Trusted CA's. C. Untrusted private keys. D. Public keys
Answer: D Explanation: A certificate revocation list (CRL) is created and distributed to all CAs to revoke a certificate or key. By checking the CRL you can check if a particular certificate has been revoked. The certificates for which a CRL should be maintained are often X.509/public key certificates, as this format is commonly used by PKI schemes.
An administrator is assigned to monitor servers in a data center. A web server connected to the Internet suddenly experiences a large spike in CPU activity. Which of the following is the MOST likely cause? A. Spyware B. Trojan C. Privilege escalation D. DoS
Answer: D Explanation: A Distributed Denial of Service (DDoS) attack is a DoS attack from multiple computers whereas a DoS attack is from a single computer. In terms of the actual method of attack, DDoS and DoS attacks are the same. One common method of attack involves saturating the target machine with external communications requests, so much so that it cannot respond to legitimate traffic, or responds so slowly as to be rendered essentially unavailable. Such attacks usually lead to a server overload. A distributed denial-of-service (DDoS) attack occurs when multiple systems flood the bandwidth or resources of a targeted system, usually one or more web servers. Such an attack is often the result of multiple compromised systems (for example a botnet) flooding the targeted system with traffic. When a server is overloaded with connections, new connections can no longer be accepted. The major advantages to an attacker of using a distributed denial-of-service attack are that multiple machines can generate more attack traffic than one machine, multiple attack machines are harder to turn off than one attack machine, and that the behavior of each attack machine can be stealthier, making it harder to track and shut down. These attacker advantages cause challenges for defense mechanisms. For example, merely purchasing more incoming bandwidth than the current volume of the attack might not help, because the attacker might be able to simply add more attack machines. This after all will end up completely crashing a website for periods of time. Malware can carry DDoS attack mechanisms; one of the better-known examples of this was MyDoom. Its DoS mechanism was triggered on a specific date and time. This type of DDoS involved hardcoding the target IP address prior to release of the malware and no further interaction was necessary to launch the attack.
A security analyst has been tasked with securing a guest wireless network. They recommend the company use an authentication server but are told the funds are not available to set this up. Which of the following BEST allows the analyst to restrict user access to approved devices? A. Antenna placement B. Power level adjustment C. Disable SSID broadcasting D. MAC filtering
Answer: D Explanation: A MAC filter is a list of authorized wireless client interface MAC addresses that is used by a WAP to block access to all unauthorized devices.
Two programmers write a new secure application for the human resources department to store personal identifiable information. The programmers make the application available to themselves using an uncommon port along with an ID and password only they know. This is an example of which of the following? A. Root Kit B. Spyware C. Logic Bomb D. Backdoor
Answer: D Explanation: A backdoor in a computer system (or cryptosystem or algorithm) is a method of bypassing normal authentication, securing unauthorized remote access to a computer, obtaining access to plaintext, and so on, while attempting to remain undetected. The backdoor may take the form of an installed program (e.g., Back Orifice) or may subvert the system through a rootkit. A backdoor in a login system might take the form of a hard coded user and password combination which gives access to the system. Although the number of backdoors in systems using proprietary software (software whose source code is not publicly available) is not widely credited, they are nevertheless frequently exposed. Programmers have even succeeded in secretly installing large amounts of benign code as Easter eggs in programs, although such cases may involve official forbearance, if not actual permission. Many computer worms, such as Sobig and Mydoom, install a backdoor on the affected computer (generally a PC on broadband running Microsoft Windows and Microsoft Outlook). Such backdoors appear to be installed so that spammers can send junk e-mail from the infected machines. Others, such as the Sony/BMG rootkit distributed silently on millions of music CDs through late 2005, are intended as DRM measures—and, in that case, as data gathering agents, since both surreptitious programs they installed routinely contacted central servers.
Joe, the system administrator, is performing an overnight system refresh of hundreds of user computers. The refresh has a strict timeframe and must have zero downtime during business hours. Which of the following should Joe take into consideration? A. A disk-based image of every computer as they are being replaced. B. A plan that skips every other replaced computer to limit the area of affected users. C. An offsite contingency server farm that can act as a warm site should any issues appear. D. A back-out strategy planned out anticipating any unforeseen problems that may arise.
Answer: D Explanation: A backout is a reversion from a change that had negative consequences. It could be, for example, that everything was working fine until you installed a service pack on a production machine, and then services that were normally available were no longer accessible. The backout, in this instance, would revert the system to the state that it was in before the service pack was applied. Backout plans can include uninstalling service packs, hotfixes, and patches, but they can also include reversing a migration and using previous firmware. A key component to creating such a plan is identifying what events will trigger your implementing the backout.
Failure to validate the size of a variable before writing it to memory could result in which of the following application attacks? A. Malicious logic B. Cross-site scripting C. SQL injection D. Buffer overflow
Answer: D Explanation: A buffer overflow occurs when a program or process tries to store more data in a buffer (temporary data storage area) than it was intended to hold. Since buffers are created to contain a finite amount of data, the extra information - which has to go somewhere - can overflow into adjacent buffers, corrupting or overwriting the valid data held in them. Although it may occur accidentally through programming error, buffer overflow is an increasingly common type of security attack on data integrity. In buffer overflow attacks, the extra data may contain codes designed to trigger specific actions, in effect sending new instructions to the attacked computer that could, for example, damage the user's files, change data, or disclose confidential information. Validating the size of a variable before writing it to memory will ensure that the variable can fit into the buffer. Failure to validate the size of a variable before writing it to memory can result in a buffer overflow.
A certificate authority takes which of the following actions in PKI? A. Signs and verifies all infrastructure messages B. Issues and signs all private keys C. Publishes key escrow lists to CRLs D. Issues and signs all root certificates
Answer: D Explanation: A certificate authority can issue multiple certificates in the form of a tree structure. A root certificate is part of a public key infrastructure (PKI) scheme. The most common commercial variety is based on the ITU-T X.509 standard, which normally includes a digital signature from a certificate authority (CA). Note: In cryptography and computer security, a root certificate is an unsigned public key certificate (also called self-signed certificate) that identifies the Root Certificate Authority (CA).
Joe, a user, reports to the system administrator that he is receiving an error stating his certificate has been revoked. Which of the following is the name of the database repository for these certificates? A. CSR B. OCSP C. CA D. CRL
Answer: D Explanation: A certificate revocation list (CRL) is created and distributed to all CAs to revoke a certificate or key.
Which of the following application attacks is used against a corporate directory service where there are unknown servers on the network? A. Rogue access point B. Zero day attack C. Packet sniffing D. LDAP injection
Answer: D Explanation: A directory service is accessed by using LDAP (Lightweight Directory Access Protocol). LDAP injection is an attack against a directory service. Just as SQL injection attacks take statements that are input by users and exploit weaknesses within, an LDAP injection attack exploits weaknesses in LDAP (Lightweight Directory Access Protocol) implementations. This can occur when the user's input is not properly filtered, and the result can be executed commands, modified content, or results returned to unauthorized queries. The best way to prevent LDAP injection attacks is to filter the user input and to use a validation scheme to make certain that queries do not contain exploits. One of the most common uses of LDAP is associated with user information. Numerous applications exist—such as employee directories—where users find other users by typing in a portion of their name. These queries are looking at the cn value or other fields (those defined for department, home directory, and so on). Someone attempting LDAP injection could feed unexpected values to the query to see what results are returned. All too often, finding employee information equates to finding usernames and values about those users that could be portions of their passwords.
Which of the following can Joe, a security administrator, implement on his network to capture attack details that are occurring while also protecting his production network? A. Security logs B. Protocol analyzer C. Audit logs D. Honeypot
Answer: D Explanation: A honeypot is a system whose purpose it is to be attacked. An administrator can watch and study the attack to research current attack methodologies. According to the Wepopedia.com, a Honeypot luring a hacker into a system has several main purposes: The administrator can watch the hacker exploit the vulnerabilities of the system, thereby learning where the system has weaknesses that need to be redesigned. The hacker can be caught and stopped while trying to obtain root access to the system. By studying the activities of hackers, designers can better create more secure systems that are potentially invulnerable to future hackers. There are two main types of honeypots: Production - A production honeypot is one used within an organization's environment to help mitigate risk. Research - A research honeypot add value to research in computer security by providing a platform to study the threat.
Which of the following controls should critical application servers implement to protect themselves from other potentially compromised application services? A. NIPS B. Content filter C. NIDS D. Host-based firewalls
Answer: D Explanation: A host-based firewall is designed to protect the host from network based attack by using filters to limit the network traffic that is allowed to enter or leave the host. The action of a filter is to allow, deny, or log the network packet. Allow enables the packet to continue toward its destination. Deny blocks the packet from going any further and effectively discarding it. Log records information about the packet into a log file. Filters can be based on protocol and ports. By blocking protocols and ports that are not required, other potentially compromised application services would be prevented from being exploited across the network.
The recovery agent is used to recover the: A. Root certificate B. Key in escrow C. Public key D. Private key
Answer: D Explanation: A key recovery agent is an entity that has the ability to recover a private key, key components, or plaintext messages as needed. Using the recovered key the recovery agent can decrypt encrypted data.
Which of the following should Pete, a security manager, implement to reduce the risk of employees working in collusion to embezzle funds from their company? A. Privacy Policy B. Least Privilege C. Acceptable Use D. Mandatory Vacations
Answer: D Explanation: A mandatory vacation policy requires all users to take time away from work to refresh. But not only does mandatory vacation give the employee a chance to refresh, but it also gives the company a chance to make sure that others can fill in any gaps in skills and satisfies the need to have replication or duplication at all levels as well as an opportunity to discover fraud.
Two members of the finance department have access to sensitive information. The company is concerned they may work together to steal information. Which of the following controls could be implemented to discover if they are working together? A. Least privilege access B. Separation of duties C. Mandatory access control D. Mandatory vacations
Answer: D Explanation: A mandatory vacation policy requires all users to take time away from work to refresh. Mandatory vacation give the employee a chance to refresh, but it also gives the company a chance to make sure that others can fill in any gaps in skills and satisfies the need to have replication or duplication at all levels. Mandatory vacations also provide an opportunity to discover fraud. In this case mandatory vacations can prevent the two members from colluding to steal the information that they have access to.
After a company has standardized to a single operating system, not all servers are immune to a well-known OS vulnerability. Which of the following solutions would mitigate this issue? A. Host based firewall B. Initial baseline configurations C. Discretionary access control D. Patch management system
Answer: D Explanation: A patch is an update to a system. Sometimes a patch adds new functionality; in other cases, it corrects a bug in the software. Patch Management can thus be used to fix security problems discovered within the OS thus negating a known OS vulnerability.
A company executive's laptop was compromised, leading to a security breach. The laptop was placed into storage by a junior system administrator and was subsequently wiped and re-imaged. When it was determined that the authorities would need to be involved, there was little evidence to present to the investigators. Which of the following procedures could have been implemented to aid the authorities in their investigation? A. A comparison should have been created from the original system's file hashes B. Witness testimony should have been taken by the administrator C. The company should have established a chain of custody tracking the laptop D. A system image should have been created and stored
Answer: D Explanation: A system image is a snapshot of what it and if a system image of the compromised system was created and stored, it is a useful tool when the authorities want to revisit the issue to investigate the incident.
Which of the following is a penetration testing method? A. Searching the WHOIS database for administrator contact information B. Running a port scanner against the target's network C. War driving from a target's parking lot to footprint the wireless network D. Calling the target's helpdesk, requesting a password reset
Answer: D Explanation: A penetration test is a proactive and authorized attempt to evaluate the security of an IT infrastructure by safely attempting to exploit system vulnerabilities, including OS, service and application flaws, improper configurations, and even risky end-user behavior. Such assessments are also useful in validating the efficacy of defensive mechanisms, as well as end-users' adherence to security policies. Penetration testing evaluates an organization's ability to protect its networks, applications,endpoints and users from external or internal attempts to circumvent its security controls to gain unauthorized or privileged access to protected assets. Test results validate the risk posed by specific security vulnerabilities or flawed processes, enabling IT management and security professionals to prioritize remediation efforts. By embracing more frequent and comprehensivepenetration testing, organizations can more effectively anticipate emerging security risks and prevent unauthorized access to critical systems and valuable information. Penetration tests are not always technically clever attempts to access a network. By calling the target's helpdesk and requesting a password reset, if they reset the password without requiring proof that you are authorized to request a password change, you can easily gain access to the network.
Timestamps and sequence numbers act as countermeasures against which of the following types of attacks? A. Smurf B. DoS C. Vishing D. Replay
Answer: D Explanation: A replay attack (also known as playback attack) is a form of network attack in which a valid data transmission is maliciously or fraudulently repeated or delayed. This is carried out either by the originator or by an adversary who intercepts the data and retransmits it, possibly as part of a masquerade attack by IP packet substitution (such as stream cipher attack). For example: Suppose Alice wants to prove her identity to Bob. Bob requests her password as proof of identity, which Alice dutifully provides (possibly after some transformation like a hash function); meanwhile, Eve is eavesdropping on the conversation and keeps the password (or the hash). After the interchange is over, Eve (posing as Alice) connects to Bob; when asked for a proof of identity, Eve sends Alice's password (or hash) read from the last session, which Bob accepts thus granting access to Eve. Countermeasures: A way to avoid replay attacks is by using session tokens: Bob sends a onetime token to Alice, which Alice uses to transform the password and send the result to Bob (e.g. computing a hash function of the session token appended to the password). On his side Bob performs the same computation; if and only if both values match, the login is successful. Now suppose Eve has captured this value and tries to use it on another session; Bob sends a differentsession token, and when Eve replies with the captured value it will be different from Bob's computation. Session tokens should be chosen by a (pseudo-) random process. Otherwise Eve may be able to pose as Bob, presenting some predicted future token, and convince Alice to use that token in her transformation. Eve can then replay her reply at a later time (when the previously predicted token is actually presented by Bob), and Bob will accept the authentication. One-time passwords are similar to session tokens in that the password expires after it has been used or after a very short amount of time. They can be used to authenticate individual transactions in addition to sessions. The technique has been widely implemented in personal online banking systems. Bob can also send nonces but should then include a message authentication code (MAC), which Alice should check. Timestamping is another way of preventing a replay attack. Synchronization should be achieved using a secure protocol. For example Bob periodically broadcasts the time on his clock together with a MAC. When Alice wants to send Bob a message, she includes her best estimate of the time on his clock in her message, which is also authenticated. Bob only accepts messages for which the timestamp is within a reasonable tolerance. The advantage of this scheme is that Bob does not need to generate (pseudo-) random numbers, with the trade-off being that replay attacks, if they are performed quickly enough i.e. within that 'reasonable' limit, could succeed.
During a server audit, a security administrator does not notice abnormal activity. However, a network security analyst notices connections to unauthorized ports from outside the corporate network. Using specialized tools, the network security analyst also notices hidden processes running. Which of the following has MOST likely been installed on the server? A. SPIM B. Backdoor C. Logic bomb D. Rootkit
Answer: D Explanation: A rootkit is a collection of tools (programs) that enable administrator-level access to a computer or computer network. Typically, a cracker installs a rootkit on a computer after first obtaining userlevel access, either by exploiting a known vulnerability or cracking a password. Once the rootkit is installed, it allows the attacker to mask intrusion and gain root or privileged access to the computer and, possibly, other machines on the network. A rootkit may consist of spyware and other programs that: monitor traffic and keystrokes; create a "backdoor" into the system for the hacker's use; alter log files; attack other machines on the network; and alter existing system tools to escape detection. The presence of a rootkit on a network was first documented in the early 1990s. At that time, Sun and Linux operating systems were the primary targets for a hacker looking to install a rootkit. Today, rootkits are available for a number of operating systems, including Windows, and are increasingly difficult to detect on any network.
The information security technician wants to ensure security controls are deployed and functioning as intended to be able to maintain an appropriate security posture. Which of the following security techniques is MOST appropriate to do this? A. Log audits B. System hardening C. Use IPS/IDS D. Continuous security monitoring
Answer: D Explanation: A security baseline is the security setting of a system that is known to be secure. This is the initial security setting of a system. Once the baseline has been applied, it must be maintained or improved. Maintaining the security baseline requires continuous monitoring.
Which of the following network devices is used to analyze traffic between various network interfaces? A. Proxies B. Firewalls C. Content inspection D. Sniffers
Answer: D Explanation: A sniffer (packet sniffer) is a tool that intercepts data flowing in a network. If computers are connected to a local area network that is not filtered or switched, the traffic can be broadcast to all computers contained in the same segment. This doesn't generally occur, since computers are generally told to ignore all the comings and goings of traffic from other computers. However, in the case of a sniffer, all traffic is shared when the sniffer software commands the Network Interface Card (NIC) to stop ignoring the traffic. The NIC is put into promiscuous mode, and it reads communications between computers within a particular segment. This allows the sniffer to seize everything that is flowing in the network, which can lead to the unauthorized access of sensitive data. A packet sniffer can take the form of either a hardware or software solution. A sniffer is also known as a packet analyzer.
Which of the following can be used to maintain a higher level of security in a SAN by allowing isolation of mis-configurations or faults? A. VLAN B. Protocol security C. Port security D. VSAN
Answer: D Explanation: A storage area network (SAN) is a secondary network that offers storage isolation by consolidating storage devices such as hard drives, drive arrays, optical jukeboxes, and tape libraries. Virtualization can be used to further enhance the security of a SAN by using switches to create a VSAN. These switches act as routers controlling and filtering traffic into and out of the VSAN while allowing unrestricted traffic within the VSAN
During a recent investigation, an auditor discovered that an engineer's compromised workstation was being used to connect to SCADA systems while the engineer was not logged in. The engineer is responsible for administering the SCADA systems and cannot be blocked from connecting to them. The SCADA systems cannot be modified without vendor approval which requires months of testing. Which of the following is MOST likely to protect the SCADA systems from misuse? A. Update anti-virus definitions on SCADA systems B. Audit accounts on the SCADA systems C. Install a firewall on the SCADA network D. Deploy NIPS at the edge of the SCADA network
Answer: D Explanation: A supervisory control and data acquisition (SCADA) system is an industrial control system (ICS) that is used to control infrastructure processes, facility-based processes, or industrial processes. A network-based IPS (NIPS) is an intrusion detection and prevention system that scans network traffic in real time against a database of attack signatures. It is useful for detecting and responding to network-based attacks originating from outside the organization.
Computer evidence at a crime scene is documented with a tag stating who had possession of the evidence at a given time. Which of the following does this illustrate? A. System image capture B. Record time offset C. Order of volatility D. Chain of custody
Answer: D Explanation: Chain of custody deals with how evidence is secured, where it is stored, and who has access to it. When you begin to collect evidence, you must keep track of that evidence at all times and show who has it, who has seen it, and where it has been.
An organization has three divisions: Accounting, Sales, and Human Resources. Users in the Accounting division require access to a server in the Sales division, but no users in the Human Resources division should have access to resources in any other division, nor should any users in the Sales division have access to resources in the Accounting division. Which of the following network segmentation schemas would BEST meet this objective? A. Create two VLANS, one for Accounting and Sales, and one for Human Resources. B. Create one VLAN for the entire organization. C. Create two VLANs, one for Sales and Human Resources, and one for Accounting. D. Create three separate VLANS, one for each division.
Answer: D Explanation: A virtual local area network (VLAN) is a hardware-imposed network segmentation created by switches. Communications between ports within the same VLAN occur without hindrance, but communications between VLANs require a routing function.
Deploying a wildcard certificate is one strategy to: A. Secure the certificate's private key. B. Increase the certificate's encryption key length. C. Extend the renewal date of the certificate. D. Reduce the certificate management burden
Answer: D Explanation: A wildcard certificate is a public key certificate which can be used with multiple subdomains of a domain. This saves money and reduces the management burden of managing multiple certificates, one for each subdomain. A single Wildcard certificate for *.example.com, will secure all these domains: payment.example.com contact.example.com login-secure.example.com www.example.com Because the wildcard only covers one level of subdomains (the asterisk doesn't match full stops), these domains would not be valid for the certificate: test.login.example.com
To ensure compatibility with their flagship product, the security engineer is tasked to recommend an encryption cipher that will be compatible with the majority of third party software and hardware vendors. Which of the following should be recommended? A. SHA B. MD5 C. Blowfish D. AES
Answer: D Explanation: AES (Advanced Encryption Standard) has been adopted by the U.S. government and is now used worldwide. It supersedes the Data Encryption Standard (DES) which was published in 1977. The algorithm described by AES is a symmetric-key algorithm, meaning the same key is used for both encrypting and decrypting the data. AES is used to encrypt data, not to verify data integrity.
A company has recently allowed employees to take advantage of BYOD by installing WAPs throughout the corporate office. An employee, Joe, has recently begun to view inappropriate material at work using his personal laptop. When confronted, Joe indicated that he was never told that he could not view that type of material on his personal laptop. Which of the following should the company have employees acknowledge before allowing them to access the corporate WLAN with their personal devices? A. Privacy Policy B. Security Policy C. Consent to Monitoring Policy D. Acceptable Use Policy
Answer: D Explanation: Acceptable use policies (AUPs) describe how the employees in an organization can use company systems and resources, both software and hardware.
Which of the following is the MOST specific plan for various problems that can arise within a system? A. Business Continuity Plan B. Continuity of Operation Plan C. Disaster Recovery Plan D. IT Contingency Plan
Answer: D Explanation: An IT contingency plan would focus on the IT aspect in particular to ensure business continuity.
Which of the following is the LEAST volatile when performing incident response procedures? A. Registers B. RAID cache C. RAM D. Hard drive
Answer: D Explanation: An example of OOV in an investigation may be RAM, hard drive data, CDs/DVDs, and printouts. Of the options stated in the question the hard drive would be the least volatile.
Ann an employee is visiting Joe, an employee in the Human Resources Department. While talking to Joe, Ann notices a spreadsheet open on Joe's computer that lists the salaries of all employees in her department. Which of the following forms of social engineering would BEST describe this situation? A. Impersonation B. Dumpster diving C. Tailgating D. Shoulder surfing
Answer: D Explanation: Ann was able to see the Spreadsheet on Joe's computer. This direct observation is known as shoulder surfing. Shoulder surfing is using direct observation techniques, such as looking over someone's shoulder, to get information. Shoulder surfing is an effective way to get information in crowded places because it's relatively easy to stand next to someone and watch as they fill out a form, enter a PIN number at an ATM machine, or use a calling card at a public pay phone. Shoulder surfing can also be done long distance with the aid of binoculars or other vision-enhancing devices. To prevent shoulder surfing, experts recommend that you shield paperwork or your keypad from view by using your body or cupping your hand.
A computer is suspected of being compromised by malware. The security analyst examines the computer and finds that a service called Telnet is running and connecting to an external website over port 443. This Telnet service was found by comparing the system's services to the list of standard services on the company's system image. This review process depends on: A. MAC filtering. B. System hardening. C. Rogue machine detection. D. Baselining.
Answer: D Explanation: Application baseline defines the level or standard of security that will be implemented and maintained for the application. It may include requirements of hardware components, operating system versions, patch levels, installed applications and their configurations, and available ports and services. Systems can be compared to the baseline to ensure that the required level of security is being maintained.
The call center supervisor has reported that many employees have been playing preinstalled games on company computers and this is reducing productivity. Which of the following would be MOST effective for preventing this behavior? A. Acceptable use policies B. Host-based firewalls C. Content inspection D. Application whitelisting
Answer: D Explanation: Application whitelisting is a form of application security which prevents any software from running on a system unless it is included on a preapproved exception list.
Which of the following should a company implement to BEST mitigate from zero-day malicious code executing on employees' computers? A. Least privilege accounts B. Host-based firewalls C. Intrusion Detection Systems D. Application white listing
Answer: D Explanation: Application whitelisting is a security stance that prohibits unauthorized software from being able to execute unless it is on the preapproved exception list: the whitelist. This prevents any and all software, including malware, from executing unless it is on the whitelist. This can help block zeroday attacks, which are new attacks that exploit flaws or vulnerabilities in targeted systems and applications that are unknown or undisclosed to the world in general
A company has 5 users. Users 1, 2 and 3 need access to payroll and users 3, 4 and 5 need access to sales. Which of the following should be implemented to give the appropriate access while enforcing least privilege? A. Assign individual permissions to users 1 and 2 for payroll. Assign individual permissions to users 4 and 5 for sales. Make user 3 an administrator. B. Make all users administrators and then restrict users 1 and 2 from sales. Then restrict users 4 and 5 from payroll. C. Create two additional generic accounts, one for payroll and one for sales that users utilize. D. Create a sales group with users 3, 4 and 5. Create a payroll group with users 1, 2 and 3.
Answer: D Explanation: Assigning permissions to a group requires less effort than assigning permissions to individual users. When you have groups configured with the appropriate permissions, you can grant the permissions to individual users by adding the users to the groups. Users can be members of multiple groups and therefore have multiple sets of permissions assigned to them. In this answer, user 3 is a member of both groups which grants the user permission to both Sales and Payroll.
Which of the following is true about asymmetric encryption? A. A message encrypted with the private key can be decrypted by the same key B. A message encrypted with the public key can be decrypted with a shared key. C. A message encrypted with a shared key, can be decrypted by the same key. D. A message encrypted with the public key can be decrypted with the private key.
Answer: D Explanation: Asymmetric algorithms use two keys to encrypt and decrypt data. These asymmetric keys are referred to as the public key and the private key. The sender uses the public key to encrypt a message, and the receiver uses the private key to decrypt the message; what one key does, the other one undoes
An organization is implementing a password management application which requires that all local administrator passwords be stored and automatically managed. Auditors will be responsible for monitoring activities in the application by reviewing the logs. Which of the following security controls is the BEST option to prevent auditors from accessing or modifying passwords in the application? A. Time of day restrictions B. Create user accounts for the auditors and assign read-only access C. Mandatory access control D. Role-based access with read-only
Answer: D Explanation: Auditors (employees performing the auditor role) will have access application by reviewing the logs. We can therefore assign access based on employee role. This is an example of Role-based access control (RBAC). To prevent the auditors from modifying passwords in the application, we need to ensure that they do not have write access. Therefore, you should assign only read access. Role-Based Access Control (RBAC) models approach the problem of access control based on established roles in an organization. RBAC models implement access by job function or by responsibility. Each employee has one or more roles that allow access to specific information. If a person moves from one role to another, the access for the previous role will no longer be available. Instead of thinking "Denise needs to be able to edit files," RBAC uses the logic "Editors need to be able to edit files" and "Denise is a member of the Editors group." This model is always good for use in an environment in which there is high employee turnover.
A network administrator has a separate user account with rights to the domain administrator group. However, they cannot remember the password to this account and are not able to login to the server when needed. Which of the following is MOST accurate in describing the type of issue the administrator is experiencing? A. Single sign-on B. Authorization C. Access control D. Authentication
Answer: D Explanation: Authentication generally requires one or more of the following: Something you know: a password, code, PIN, combination, or secret phrase. Something you have: a smart card, token device, or key. Something you are: a fingerprint, a retina scan, or voice recognition; often referred to as biometrics, discussed later in this chapter. Somewhere you are: a physical or logical location. Something you do: typing rhythm, a secret handshake, or a private knock.
An administrator needs to submit a new CSR to a CA. Which of the following is a valid FIRST step? A. Generate a new private key based on AES. B. Generate a new public key based on RSA. C. Generate a new public key based on AES. D. Generate a new private key based on RSA
Answer: D Explanation: Before creating a CSR, the applicant first generates a key pair, keeping the private key secret. The private key is needed to produce, but it is not part of, the CSR. The private key is an RSA key. The private encryption key that will be used to protect sensitive information. Note: A CSR or Certificate Signing request is a block of encrypted text that is generated on the server that the certificate will be used on. It contains information that will be included in your certificate such as your organization name, common name (domain name), locality, and country. It also contains the public key that will be included in your certificate. A private key is usually created at the same time that you create the CSR.
Which of the following attacks allows access to contact lists on cellular phones? A. War chalking B. Blue jacking C. Packet sniffing D. Bluesnarfing
Answer: D Explanation: Bluesnarfing is the theft of information from a wireless device through a Bluetooth connection. Bluetooth is a high-speed but very short-range wireless technology for exchanging data between desktop and mobile computers, personal digital assistants (PDAs), and other devices. By exploiting a vulnerability in the way Bluetooth is implemented on a mobile phone, an attacker can access information -- such as the user's calendar, contact list and e-mail and text messages -without leaving any evidence of the attack. Other devices that use Bluetooth, such as laptop computers, may also be vulnerable, although to a lesser extent, by virtue of their more complex systems. Operating in invisible mode protects some devices, but others are vulnerable as long as Bluetooth is enabled.
A company's chief information officer (CIO) has analyzed the financial loss associated with the company's database breach. They calculated that one single breach could cost the company $1,000,000 at a minimum. Which of the following documents is the CIO MOST likely updating? A. Succession plan B. Continuity of operation plan C. Disaster recovery plan D. Business impact analysis
Answer: D Explanation: Business impact analysis (BIA) is the process of evaluating all of the critical systems in an organization to define impact and recovery plans. BIA isn't concerned with external threats or vulnerabilities; the analysis focuses on the impact a loss would have on the organization. A BIA comprises the following: identifying critical functions, prioritizing critical business functions, calculating a timeframe for critical systems loss, and estimating the tangible impact on the organization.
XYZ Corporation is about to purchase another company to expand its operations. The CEO is concerned about information leaking out, especially with the cleaning crew that comes in at night. The CEO would like to ensure no paper files are leaked. Which of the following is the BEST policy to implement? A. Social media policy B. Data retention policy C. CCTV policy D. Clean desk policy
Answer: D Explanation: Clean Desk Policy Information on a desk—in terms of printouts, pads of note paper, sticky notes, and the like—can be easily seen by prying eyes and taken by thieving hands. To protect data and your business, encourage employees to maintain clean desks and to leave out only those papers that are relevant to the project they are working on at that moment. All sensitive information should be put away when the employee is away from their desk.
Which of the following is true about input validation in a client-server architecture, when data integrity is critical to the organization? A. It should be enforced on the client side only. B. It must be protected by SSL encryption. C. It must rely on the user's knowledge of the application. D. It should be performed on the server side.
Answer: D Explanation: Client-side validation should only be used to improve user experience, never for security purposes. A client-side input validation check can improve application performance by catching malformed input on the client and, therefore, saving a roundtrip to the server. However, client side validation can be easily bypassed and should never be used for security purposes. Always use server-side validation to protect your application from malicious attacks
An overseas branch office within a company has many more technical and non-technical security incidents than other parts of the company. Which of the following management controls should be introduced to the branch office to improve their state of security? A. Initial baseline configuration snapshots B. Firewall, IPS and network segmentation C. Event log analysis and incident response D. Continuous security monitoring processes
Answer: D Explanation: Continuous monitoring may involve regular measurements of network traffic levels, routine evaluations for regulatory compliance, and checks of network security device configurations. It also points toward the never-ending review of what resources a user actually accesses, which is critical for preventing insider threats. Incorrect Options: A: An initial baseline configuration snapshot would allow for the standardized minimal level of security that all systems in an organization must comply with to be enforced. This will not cover the non-technical security incidents. B: A Firewall, IPS and network segmentation will offer technical protection, but not non-technical security protection. C: Event log analysis and incident response will not cover the non-technical security incidents
A new network administrator is setting up a new file server for the company. Which of the following would be the BEST way to manage folder security? A. Assign users manually and perform regular user access reviews B. Allow read only access to all folders and require users to request permission C. Assign data owners to each folder and allow them to add individual users to each folder D. Create security groups for each folder and assign appropriate users to each group
Answer: D Explanation: Creating a security group for each folder and assigning necessary users to each group would only allow users belonging to the folder's security group access to the folder. It will make assigning folder privileges much easier, while also being more secure
A security administrator must implement a wireless security system, which will require users to enter a 30 character ASCII password on their accounts. Additionally the system must support 3DS wireless encryption. Which of the following should be implemented? A. WPA2-CCMP with 802.1X B. WPA2-PSK C. WPA2-CCMP D. WPA2-Enterprise
Answer: D Explanation: D: WPA-Enterprise is also referred to as WPA-802.1X mode, and sometimes just WPA (as opposed to WPA-PSK), this is designed for enterprise networks and requires a RADIUS authentication server. This requires a more complicated setup, but provides additional security (e.g. protection against dictionary attacks on short passwords). Various kinds of the Extensible Authentication Protocol (EAP) are used for authentication. RADIUS can be managed centrally, and the servers that allow access to a network can verify with a RADIUS server whether an incoming caller is authorized. Thus the RADIUS server can perform all authentications. This will require users to use their passwords on their user accounts.
A security administrator must implement a network authentication solution which will ensure encryption of user credentials when users enter their username and password to authenticate to the network. Which of the following should the administrator implement? A. WPA2 over EAP-TTLS B. WPA-PSK C. WPA2 with WPS D. WEP over EAP-PEAP
Answer: D Explanation: D: Wired Equivalent Privacy (WEP) is designed to provide security equivalent to that of a wired network. WEP has vulnerabilities and isn't considered highly secure. Extensible Authentication Protocol (EAP) provides a framework for authentication that is often used with wireless networks. Among the five EAP types adopted by the WPA/ WPA2 standard are EAP-TLS, EAP-PSK, EAP MD5, as well as LEAP and PEAP. PEAP is similar in design to EAP-TTLS, requiring only a server-side PKI certificate to create a secure TLS tunnel to protect user authentication, and uses server-side public key certificates toauthenticate the server. It then creates an encrypted TLS tunnel between the client and the authentication server. In most configurations, the keys for this encryption are transported using the server's public key. The ensuing exchange of authentication information inside the tunnel to authenticate the client is then encrypted and user credentials are safe from eavesdropping.
Encryption of data at rest is important for sensitive information because of which of the following? A. Facilitates tier 2 support, by preventing users from changing the OS B. Renders the recovery of data harder in the event of user password loss C. Allows the remote removal of data following eDiscovery requests D. Prevents data from being accessed following theft of physical equipment
Answer: D Explanation: Data encryption allows data that has been stolen to remain out of the eyes of the intruders who took it as long as they do not have the proper passwords.
A company is trying to limit the risk associated with the use of unapproved USB devices to copy documents. Which of the following would be the BEST technology control to use in this scenario? A. Content filtering B. IDS C. Audit logs D. DLP
Answer: D Explanation: Data loss prevention (DLP) is a strategy for making sure that end users do not send sensitive or critical information outside the corporate network. The term is also used to describe software products that help a network administrator control what data end users can transfer.
Sara, the Chief Information Officer (CIO), has requested an audit take place to determine what services and operating systems are running on the corporate network. Which of the following should be used to complete this task? A. Fingerprinting and password crackers B. Fuzzing and a port scan C. Vulnerability scan and fuzzing D. Port scan and fingerprinting
Answer: D Explanation: Different services use different ports. When a service is enabled on a computer, a network port is opened for that service. For example, enabling the HTTP service on a web server will open port 80 on the server. By determining which ports are open on a remote server, we can determine which services are running on that server. A port scanner is a software application designed to probe a server or host for open ports. This is often used by administrators to verify security policies of their networks and by attackers to identify running services on a host with the view to compromise it. A port scan or portscan can be defined as a process that sends client requests to a range of server port addresses on a host, with the goal of finding an active port. While not a nefarious process in and of itself, it is one used by hackers to probe target machine services with the aim of exploiting a known vulnerability of that service. However the majority of uses of a port scan are not attacks and are simple probes to determine services available on a remote machine. Fingerprinting is a means of ascertaining the operating system of a remote computer on a network. Fingerprinting is more generally used to detect specific versions of applications or protocols that are run on network servers. Fingerprinting can be accomplished "passively" by sniffing network packets passing between hosts, or it can be accomplished "actively" by transmitting specially created packets to the target machine and analyzing the response
Joe has read and write access to his own home directory. Joe and Ann are collaborating on a project, and Joe would like to give Ann write access to one particular file in this home directory. Which of the following types of access control would this reflect? A. Role-based access control B. Rule-based access control C. Mandatory access control D. Discretionary access control
Answer: D Explanation: Discretionary access control (DAC) allows access to be granted or restricted by an object's owner based on user identity and on the discretion of the object owner
The IT department has setup a share point site to be used on the intranet. Security has established the groups and permissions on the site. No one may modify the permissions and all requests for access are centrally managed by the security team. This is an example of which of the following control types? A. Rule based access control B. Mandatory access control C. User assigned privilege D. Discretionary access control
Answer: D Explanation: Discretionary access control (DAC) allows access to be granted or restricted by an object's owner based on user identity and on the discretion of the object owner
Which of the following should be used to authenticate and log connections from wireless users connecting with EAP-TLS? A. Kerberos B. LDAP C. SAML D. RADIUS
Answer: D Explanation: EAP-TLS, defined in RFC 2716, is an IETF open standard, and is well-supported among wireless vendors. It offers a good deal of security, since TLS is considered the successor of the SSL standard. It uses PKI to secure communication to the RADIUS authentication server. Remote Authentication Dial In User Service (RADIUS) is a networking protocol that provides centralized Authentication, Authorization, and Accounting (AAA) management for users who connect and use a network service. Because of the broad support and the ubiquitous nature of the RADIUS protocol, it is often used by ISPs and enterprises to manage access to the Internet or internal networks, wireless networks, and integrated e-mail services
An administrator has two servers and wants them to communicate with each other using a secure algorithm. Which of the following choose to provide both CRC integrity checks and RCA encryption? A. NTLM B. RSA C. CHAP D. ECDHE
Answer: D Explanation: ECDHE provides both CRC integrity checks and RCA encryption. Adding an ephemeral key to Elliptic Curve Diffie-Hellman turns it into ECDHE. It is the ephemeral component of each of these that provides the perfect forward secrecy. Forward secrecy is a property of any key exchange system, which ensures that if one key is compromised, subsequent keys will not also be compromised. Perfect forward secrecy occurs when this process is unbreakable.
Which of the following should be considered to mitigate data theft when using CAT5 wiring? A. CCTV B. Environmental monitoring C. Multimode fiber D. EMI shielding
Answer: D Explanation: EMI Shielding refers to the process of preventing electronic emissions from your computer systems from being used to gather intelligence and preventing outside electronic emissions from disrupting your information-processing abilities. Thus all wiring should be shielded to mitigate data theft.
Which of the following controls can be used to prevent the disclosure of sensitive information stored on a mobile device's removable media in the event that the device is lost or stolen? A. Hashing B. Screen locks C. Device password D. Encryption
Answer: D Explanation: Encryption is used to ensure the confidentiality of information
After copying a sensitive document from his desktop to a flash drive, Joe, a user, realizes that the document is no longer encrypted. Which of the following can a security technician implement to ensure that documents stored on Joe's desktop remain encrypted when moved to external media or other network based storage? A. Whole disk encryption B. Removable disk encryption C. Database record level encryption D. File level encryption
Answer: D Explanation: Encryption is used to ensure the confidentiality of information. In this case you should make use of file level encryption. File level encryption is a form of disk encryption where individual files or directories are encrypted by the file system itself. This is in contrast to full disk encryption where the entire partition or disk, in which the file system resides, is encrypted.
Ann would like to forward some Personal Identifiable Information to her HR department by email, but she is worried about the confidentiality of the information. Which of the following will accomplish this task securely? A. Digital Signatures B. Hashing C. Secret Key D. Encryption
Answer: D Explanation: Encryption is used to prevent unauthorized users from accessing data. Data encryption will support the confidentiality of the email.
Environmental control measures include which of the following? A. Access list B. Lighting C. Motion detection D. EMI shielding
Answer: D Explanation: Environmental controls include HVAC, Fire Suppression, EMI Shielding, Hot and Cold Aisles, Environmental monitoring as well as Temperature and Humidity controls
A security administrator has deployed all laptops with Self Encrypting Drives (SED) and enforces key encryption. Which of the following represents the greatest threat to maintaining data confidentiality with these devices? A. Full data access can be obtained by connecting the drive to a SATA or USB adapter bypassing the SED hardware. B. A malicious employee can gain the SED encryption keys through software extraction allowing access to other laptops. C. If the laptop does not use a Secure Boot BIOS, the SED hardware is not enabled allowing full data access. D. Laptops that are placed in a sleep mode allow full data access when powered back on
Answer: D Explanation: Hardware-based encryption when built into the drive is transparent to the user. The drive except for bootup authentication operates just like any drive with no degradation in performance. When the computer is started up, the user is prompted to enter a password to allow the system to boot and allow access to the encrypted drive. When a laptop is placed into sleep mode (also known as standby mode), the computer is placed into a low power mode. In sleep mode, the computer is not fully shut down. The screen is turned off, the hard disks are turned off and the CPU is throttled down to its lowest power state. However, the computer state is maintained in memory (RAM). Most computers can be 'woken' from sleep mode by pressing any key on the keyboard or pressing the power button. The computer can be configured to require a password on wake up, but if a password is not required, the computer will wake up and be logged in as it was at the time of going into sleep mode. This would enable full access to the data stored on the disks.
Which of the following would a security administrator use to verify the integrity of a file? A. Time stamp B. MAC times C. File descriptor D. Hash
Answer: D Explanation: Hashing refers to the hash algorithms used in cryptography. It is used to store data, such as hash tables and it is a one-way transformation in order to validate the integrity of data.
Use of group accounts should be minimized to ensure which of the following? A. Password security B. Regular auditing C. Baseline management D. Individual accountability
Answer: D Explanation: Holding users accountable for their actions is part of security, and can only be achieved by users having their own user accounts. To adequately provide accountability, the use of shared or group accounts should be discouraged
A system administrator attempts to ping a hostname and the response is 2001:4860:0:2001::68. Which of the following replies has the administrator received? A. The loopback address B. The local MAC address C. IPv4 address D. IPv6 address
Answer: D Explanation: IPv6 addresses are 128-bits in length. An IPv6 address is represented as eight groups of four hexadecimal digits, each group representing 16 bits (two octets). The groups are separated by colons (:). The hexadecimal digits are case-insensitive, but IETF recommendations suggest the use of lower case letters. The full representation of eight 4-digit groups may be simplified by several techniques, eliminating parts of the representation.
Joe, the systems administrator, is setting up a wireless network for his team's laptops only and needs to prevent other employees from accessing it. Which of the following would BEST address this? A. Disable default SSID broadcasting. B. Use WPA instead of WEP encryption. C. Lower the access point's power settings. D. Implement MAC filtering on the access point.
Answer: D Explanation: If MAC filtering is turned off, any wireless client that knows the values looked for (MAC addresses) can join the network. When MAC filtering is used, the administrator compiles a list of the MAC addresses associated with users' computers and enters those addresses. When a client attempts to connect and other values have been correctly entered, an additional check of the MAC address is done. If the address appears in the list, the client is allowed to join; otherwise, it is forbidden from doing so.
A CA is compromised and attacks start distributing maliciously signed software updates. Which of the following can be used to warn users about the malicious activity? A. Key escrow B. Private key verification C. Public key verification D. Certificate revocation list
Answer: D Explanation: If we put the root certificate of the comprised CA in the CRL, users will know that this CA (and the certificates that it has issued) no longer can be trusted. The CRL (Certificate revocation list) is exactly what its name implies: a list of subscribers paired with digital certificate status. The list enumerates revoked certificates along with the reason(s) for revocation. The dates of certificate issue, and the entities that issued them, are also included. In addition, each list contains a proposed date for the next release.
Users report that they are unable to access network printing services. The security technician checks the router access list and sees that web, email, and secure shell are allowed. Which of the following is blocking network printing? A. Port security B. Flood guards C. Loop protection D. Implicit deny
Answer: D Explanation: Implicit deny says that if you aren't explicitly granted access or privileges for a resource, you're denied access by default. The scenario does not state that network printing is allowed in the router access list, therefore, it must be denied by default.
Company A sends a PGP encrypted file to company B. If company A used company B's public key to encrypt the file, which of the following should be used to decrypt data at company B? A. Registration B. Public key C. CRLs D. Private key
Answer: D Explanation: In a PKI the sender encrypts the data using the receiver's public key. The receiver decrypts the data using his own private key. PKI is a two-key, asymmetric system with four main components: certificate authority (CA), registration authority (RA), RSA (the encryption algorithm), and digital certificates. Messages are encrypted with a public key and decrypted with a private key. A PKI example: You want to send an encrypted message to Jordan, so you request his public key. Jordan responds by sending you that key. You use the public key he sends you to encrypt the message. You send the message to him. Jordan uses his private key to decrypt the message
The IT department has setup a website with a series of questions to allow end users to reset their own accounts. Which of the following account management practices does this help? A. Account Disablements B. Password Expiration C. Password Complexity D. Password Recovery
Answer: D Explanation: People tend to forget their own passwords and because a user's password in not stored on the operating system, only a hash value is kept and most operating systems allows the administrator to change the value meaning that the password can then be recovered. If you allow end users to reset their own accounts then the password recovery process is helped along.
Which of the following BEST describes part of the PKI process? A. User1 decrypts data with User2's private key B. User1 hashes data with User2's public key C. User1 hashes data with User2's private key D. User1 encrypts data with User2's public key
Answer: D Explanation: In a PKI the sender encrypts the data using the receiver's public key. The receiver decrypts the data using his own private key. PKI is a two-key, asymmetric system with four main components: certificate authority (CA), registration authority (RA), RSA (the encryption algorithm), and digital certificates. Messages are encrypted with a public key and decrypted with a private key. A PKI example: You want to send an encrypted message to Jordan, so you request his public key. Jordan responds by sending you that key. You use the public key he sends you to encrypt the message. You send the message to him. Jordan uses his private key to decrypt the message.
Ann has recently transferred from the payroll department to engineering. While browsing file shares, Ann notices she can access the payroll status and pay rates of her new coworkers. Which of the following could prevent this scenario from occurring? A. Credential management B. Continuous monitoring C. Separation of duties D. User access reviews
Answer: D Explanation: In addition to assigning user access properly, it is important to review that access periodically. Access review is a process to determine whether a user's access level is still appropriate. People's roles within an organization can change over time. It is important to review user accounts periodically and determine if they still require the access they currently have. An example of such a scenario would be a network administrator who was responsible for the domain controller but then moved over to administer the remote access servers. The administrator's access to the domain controller should now be terminated. This concept of access review is closely related to the concept of least privileges. It is important that users do not have "leftover" privileges from previous job roles
Joe, a user, in a coffee shop is checking his email over a wireless network. An attacker records the temporary credentials being passed to Joe's browser. The attacker later uses the credentials to impersonate Joe and creates SPAM messages. Which of the following attacks allows for this impersonation? A. XML injection B. Directory traversal C. Header manipulation D. Session hijacking
Answer: D Explanation: In computer science, session hijacking, sometimes also known as cookie hijacking is the exploitation of a valid computer session—sometimes also called a session key—to gain unauthorized access to information or services in a computer system. In particular, it is used to refer to the theft of a magic cookie used to authenticate a user to a remote server. It has particular relevance to web developers, as the HTTP cookies used to maintain a session on many web sites can be easily stolen by an attacker using an intermediary computer or with access to the saved cookies on the victim's computer.
An IT auditor tests an application as an authenticated user. This is an example of which of the following types of testing? A. Penetration B. White box C. Black box D. Gray box
Answer: D Explanation: In this question, the tester is testing the application as an authenticated user. We can assume from this that the tester has at least limited knowledge of the application. This meets the criteria of a grey-box test. Gray box testing, also called gray box analysis, is a strategy for software debugging in which the tester has limited knowledge of the internal details of the program. A gray box is a device, program or system whose workings are partially understood. Gray box testing can be contrasted with black box testing, a scenario in which the tester has no knowledge or access to the internal workings of a program, or white box testing, a scenario inwhich the internal particulars are fully known. Gray box testing is commonly used in penetration tests. Gray box testing is considered to be non-intrusive and unbiased because it does not require that the tester have access to the source code. With respect to internal processes, gray box testing treats a program as a black box that must be analyzed from the outside. During a gray box test, the person may know how the system components interact but not have detailed knowledge about internal program functions and operation. A clear distinction exists between the developer and the tester, thereby minimizing the risk of personnel conflicts.
Joe, an administrator, installs a web server on the Internet that performs credit card transactions for customer payments. Joe also sets up a second web server that looks like the first web server. However, the second server contains fabricated files and folders made to look like payments were processed on this server but really were not. Which of the following is the second server? A. DMZ B. Honeynet C. VLAN D. Honeypot
Answer: D Explanation: In this scenario, the second web server is a 'fake' webserver designed to attract attacks. We can then monitor the second server to view the attacks and then ensure that the 'real' web server is secure against such attacks. The second web server is a honeypot. A honeypot is a system whose purpose it is to be attacked. An administrator can watch and study the attack to research current attack methodologies. According to the Wepopedia.com, a Honeypot luring a hacker into a system has several main purposes: The administrator can watch the hacker exploit the vulnerabilities of the system, thereby learning where the system has weaknesses that need to be redesigned. The hacker can be caught and stopped while trying to obtain root access to the system. By studying the activities of hackers, designers can better create more secure systems that are potentially invulnerable to future hackers. There are two main types of honeypots: Production - A production honeypot is one used within an organization's environment to help mitigate risk. Research - A research honeypot add value to research in computer security by providing a platform to study the threat.
Which of the following is BEST carried out immediately after a security breach is discovered? A. Risk transference B. Access control revalidation C. Change management D. Incident management
Answer: D Explanation: Incident management is the steps followed when security incident occurs.
In which of the following steps of incident response does a team analyze the incident and determine steps to prevent a future occurrence? A. Mitigation B. Identification C. Preparation D. Lessons learned
Answer: D Explanation: Incident response procedures involves in chronological order: Preparation; Incident identification; Escalation and notification; Mitigation steps; Lessons learned; Reporting; Recover/reconstitution procedures; First responder; Incident isolation (Quarantine; Device removal); Data breach; Damage and loss control. Thus lessons are only learned after the mitigation occurred. For only then can you 'step back' and analyze the incident to prevent the same occurrence in future.
After a recent security breach, the network administrator has been tasked to update and backup all router and switch configurations. The security administrator has been tasked to enforce stricter security policies. All users were forced to undergo additional user awareness training. All of these actions are due to which of the following types of risk mitigation strategies? A. Change management B. Implementing policies to prevent data loss C. User rights and permissions review D. Lessons learned
Answer: D Explanation: Incident response procedures involves: Preparation; Incident identification; Escalation and notification; Mitigation steps; Lessons learned; Reporting; Recover/reconstitution procedures; First responder; Incident isolation (Quarantine; Device removal); Data breach; Damage and loss control. Described in the question is a situation where a security breach had occurred and its response which shows that lessons have been learned and used to put in place measures that will prevent any future security breaches of the same kind.
The Chief Technical Officer (CTO) has tasked The Computer Emergency Response Team (CERT) to develop and update all Internal Operating Procedures and Standard Operating Procedures documentation in order to successfully respond to future incidents. Which of the following stages of the Incident Handling process is the team working on? A. Lessons Learned B. Eradication C. Recovery D. Preparation
Answer: D Explanation: Incident response procedures involves: Preparation; Incident identification; Escalation and notification; Mitigation steps; Lessons learned; Reporting; Recover/reconstitution procedures; First responder; Incident isolation (Quarantine; Device removal); Data breach; Damage and losscontrol. Developing and updating all internal operating and standard operating procedures documentation to handle future incidents is preparation.
Which of the following security awareness training is BEST suited for data owners who are concerned with protecting the confidentiality of their data? A. Social networking use training B. Personally owned device policy training C. Tailgating awareness policy training D. Information classification training
Answer: D Explanation: Information classification is done by confidentiality and comprises of three categories, namely: public use, internal use and restricted use. Knowing these categories and how to handle data according to its category is essential in protecting the confidentiality of the data.
The incident response team has received the following email message. From: [email protected] To: [email protected] Subject: Copyright infringement A copyright infringement alert was triggered by IP address 13.10.66.5 at 09: 50: 01 GMT. After reviewing the following web logs for IP 13.10.66.5, the team is unable to correlate and identify the incident. 09: 45: 33 13.10.66.5 http: //remote.site.com/login.asp?user=john 09: 50: 22 13.10.66.5 http: //remote.site.com/logout.asp?user=anne 10: 50: 01 13.10.66.5 http: //remote.site.com/access.asp?file=movie.mov 11: 02: 45 13.10.65.5 http: //remote.site.com/download.asp?movie.mov=ok Which of the following is the MOST likely reason why the incident response team is unable to identify and correlate the incident? A. The logs are corrupt and no longer forensically sound. B. Traffic logs for the incident are unavailable. C. Chain of custody was not properly maintained. D. Incident time offsets were not accounted for.
Answer: D Explanation: It is quite common for workstation times to be off slightly from actual time, and that can happen with servers as well. Since a forensic investigation is usually dependent on a step-by-step account of what has happened, being able to follow events in the correct time sequence is critical. Because of this, it is imperative to record the time offset on each affected machine during the investigation. One method of assisting with this is to add an entry to a log file and note the time that this was done and the time associated with it on the system.
An attacker attempted to compromise a web form by inserting the following input into the username field: admin)(|(password=*)) Which of the following types of attacks was attempted? A. SQL injection B. Cross-site scripting C. Command injection D. LDAP injection
Answer: D Explanation: LDAP Injection is an attack used to exploit web based applications that construct LDAP statements based on user input. When an application fails to properly sanitize user input, it's possible to modify LDAP statements using a local proxy. This could result in the execution of arbitrary commands such as granting permissions to unauthorized queries, and content modification inside the LDAP tree. The same advanced exploitation techniques available in SQL Injection can be similarly applied in LDAP Injection. In a page with a user search form, the following code is responsible to catch input value and generate a LDAP query that will be used in LDAP database. <input type="text" size=20 name="userName">Insert the username</input> The LDAP query is narrowed down for performance and the underlying code for this function might be the following: String ldapSearchQuery = "(cn=" + $userName + ")"; System.out.println(ldapSearchQuery); If the variable $userName is not validated, it could be possible accomplish LDAP injection, as follows: If a user puts "*" on box search, the system may return all the usernames on the LDAP base If a user puts "jonys) (| (password = * ) )", it will generate the code bellow revealing jonys' password ( cn = jonys ) ( | (password = * ) )
An information bank has been established to store contacts, phone numbers and other records. A UNIX application needs to connect to the index server using port 389. Which of the following authentication services should be used on this port by default? A. RADIUS B. Kerberos C. TACACS+ D. LDAP
Answer: D Explanation: LDAP makes use of port 389.
While rarely enforced, mandatory vacation policies are effective at uncovering: A. Help desk technicians with oversight by multiple supervisors and detailed quality control systems. B. Collusion between two employees who perform the same business function. C. Acts of incompetence by a systems engineer designing complex architectures as a member of a team. D. Acts of gross negligence on the part of system administrators with unfettered access to system and no oversight.
Answer: D Explanation: Least privilege (privilege reviews) and job rotation is done when mandatory vacations are implemented. Then it will uncover areas where the system administrators neglected to check all users' privileges since the other users must fill in their positions when they are on their mandatory vacation.
Ann, a technician, is attempting to establish a remote terminal session to an end user's computer using Kerberos authentication, but she cannot connect to the destination machine. Which of the following default ports should Ann ensure is open? A. 22 B. 139 C. 443 D. 3389
Answer: D Explanation: Remote Desktop Protocol (RDP) uses TCP port 3389.
Pete, the security engineer, would like to prevent wireless attacks on his network. Pete has implemented a security control to limit the connecting MAC addresses to a single port. Which of the following wireless attacks would this address? A. Interference B. Man-in-the-middle C. ARP poisoning D. Rogue access point
Answer: D Explanation: MAC filtering is typically used in wireless networks. In computer networking, MAC Filtering (or GUI filtering, or layer 2 address filtering) refers to a security access control method whereby the 48-bit address assigned to each network card is used to determine access to the network. MAC addresses are uniquely assigned to each card, so using MAC filtering on a network permits and denies network access to specific devices through the use of blacklists and whitelists. In this question, a rogue access point would need to be able to connect to the network to provide access to network resources. If the MAC address of the rogue access point isn't allowed to connect to the network port, then the rogue access point will not be able to connect to the network
Users report that after downloading several applications, their systems' performance has noticeably decreased. Which of the following would be used to validate programs prior to installing them? A. Whole disk encryption B. SSH C. Telnet D. MD5
Answer: D Explanation: MD5 can be used to locate the data which has changed. The Message Digest Algorithm (MD) creates a hash value and uses a one-way hash. The hash value is used to help maintain integrity. There are several versions of MD; the most common are MD5, MD4, and MD2.
Which of the following describes the purpose of an MOU? A. Define interoperability requirements B. Define data backup process C. Define onboard/offboard procedure D. Define responsibilities of each party
Answer: D Explanation: MOU or Memorandum of Understanding is a document outlining which party is responsible for what portion of the work.
Visitors entering a building are required to close the back door before the front door of the same entry room is open. Which of the following is being described? A. Tailgating B. Fencing C. Screening D. Mantrap
Answer: D Explanation: Mantraps are designed to contain an unauthorized, potentially hostile person/individual physically until authorities arrive. Mantraps are typically manufactured with bulletproof glass, high-strength doors, and locks and to allow the minimal amount of individuals depending on its size. Some mantraps even include scales that will weigh the person. The doors are designed in such a way as to open only when the mantrap is occupied or empty and not in-between. This means that the backdoor must first close before the front door will open; exactly what is required in this scenario.
Which of the following technical controls helps to prevent Smartphones from connecting to a corporate network? A. Application white listing B. Remote wiping C. Acceptable use policy D. Mobile device management
Answer: D Explanation: Mobile device management (MDM) is allows for managing the mobile devices that employees use to access company resources. MDM is intended to improve security, provide monitoring,enable remote management, and support troubleshooting. It can be used to push or remove applications, manage data, and enforce configuration settings on these devices.
A security administrator has concerns regarding employees saving data on company provided mobile devices. Which of the following would BEST address the administrator's concerns? A. Install a mobile application that tracks read and write functions on the device. B. Create a company policy prohibiting the use of mobile devices for personal use. C. Enable GPS functionality to track the location of the mobile devices. D. Configure the devices so that removable media use is disabled
Answer: D Explanation: Mobile devices can be plugged into computers where they appear as an additional disk in the same way as a USB drive. This is known as removable media. This would enable users to copy company data onto the mobile devices. By disabling removable media use, the users will not be able to copy data onto the mobile devices.
Which of the following is mainly used for remote access into the network? A. XTACACS B. TACACS+ C. Kerberos D. RADIUS
Answer: D Explanation: Most gateways that control access to the network have a RADIUS client component that communicates with the RADIUS server. Therefore, it can be inferred that RADIUS is primarily used for remote access.
Four weeks ago, a network administrator applied a new IDS and allowed it to gather baseline data. As rumors of a layoff began to spread, the IDS alerted the network administrator that access to sensitive client files had risen far above normal. Which of the following kind of IDS is in use? A. Protocol based B. Heuristic based C. Signature based D. Anomaly based
Answer: D Explanation: Most intrusion detection systems (IDS) are what is known as signature-based. This means that they operate in much the same way as a virus scanner, by searching for a known identity - or signature - for each specific intrusion event. And, while signature-based IDS is very efficient at sniffing out known methods of attack, it does, like anti-virus software, depend on receiving regular signature updates, to keep in touch with variations in hacker technique. In other words, signaturebased IDS is only as good as its database of stored signatures. Any organization wanting to implement a more thorough - and hence safer - solution, should consider what we call anomaly-based IDS. By its nature, anomaly-based IDS is a rather more complex creature. In network traffic terms, it captures all the headers of the IP packets running towards the network. From this, it filters out all known and legal traffic, including web traffic to the organization's web server, mail traffic to and from its mail server, outgoing web traffic from company employees and DNS traffic to and from its DNS server. There are other equally obvious advantages to using anomaly-based IDS. For example, because it detects any traffic that is new or unusual, the anomaly method is particularly good atidentifying sweeps and probes towards network hardware. It can, therefore, give early warnings of potential intrusions, because probes and scans are the predecessors of all attacks. And this applies equally to any new service installed on any item of hardware - for example, Telnet deployed on a network router for maintenance purposes and forgotten about when the maintenance was finished. This makes anomaly-based IDS perfect for detecting anything from port anomalies and web anomalies to mis-formed attacks, where the URL is deliberately mis-typed
Several departments in a corporation have a critical need for routinely moving data from one system to another using removable storage devices. Senior management is concerned with data loss and the introduction of malware on the network. Which of the following choices BEST mitigates the range of risks associated with the continued use of removable storage devices? A. Remote wiping enabled for all removable storage devices B. Full-disk encryption enabled for all removable storage devices C. A well defined acceptable use policy D. A policy which details controls on removable storage use
Answer: D Explanation: Removable storage is both a benefit and a risk and since not all mobile devices support removable storage, the company has to has a comprehensive policy which details the controls of the use of removable s to mitigate the range of risks that are associated with the use of these devices.
Suspicious traffic without a specific signature was detected. Under further investigation, it was determined that these were false indicators. Which of the following security devices needs to be configured to disable future false alarms? A. Signature based IPS B. Signature based IDS C. Application based IPS D. Anomaly based IDS
Answer: D Explanation: Most intrusion detection systems (IDS) are what is known as signature-based. This means that they operate in much the same way as a virus scanner, by searching for a known identity - or signature - for each specific intrusion event. And, while signature-based IDS is very efficient at sniffing out known s of attack, it does, like anti-virus software, depend on receiving regular signature updates, to keep in touch with variations in hacker technique. In other words, signaturebased IDS is only as good as its database of stored signatures. Any organization wanting to implement a more thorough - and hence safer - solution, should consider what we call anomaly-based IDS. By its nature, anomaly-based IDS is a rather more complex creature. In network traffic terms, it captures all the headers of the IP packets running towards the network. From this, it filters out all known and legal traffic, including web traffic to the organization's web server, mail traffic to and from its mail server, outgoing web traffic from company employees and DNS traffic to and from its DNS server.There are other equally obvious advantages to using anomaly-based IDS. For example, because it detects any traffic that is new or unusual, the anomaly method is particularly good at identifying sweeps and probes towards network hardware. It can, therefore, give early warnings of potential intrusions, because probes and scans are the predecessors of all attacks. And this applies equally to any new service installed on any item of hardware - for example, Telnet deployed on a network router for maintenance purposes and forgotten about when the maintenance was finished. This makes anomaly-based IDS perfect for detecting anything from port anomalies and web anomalies to mis-formed attacks, where the URL is deliberately mis-typed.
Which of the following BEST describes using a smart card and typing in a PIN to gain access to a system? A. Biometrics B. PKI C. Single factor authentication D. Multifactor authentication
Answer: D Explanation: Multifactor authentication requires a user to provide two or more authentication factors for authentication purposes. In this case, a smart card (something they have) is one and a PIN (something they know) is the second
Joe, the security administrator, has determined that one of his web servers is under attack. Which of the following can help determine where the attack originated from? A. Capture system image B. Record time offset C. Screenshots D. Network sniffing
Answer: D Explanation: Network sniffing is the process of capturing and analyzing the packets sent between systems on the network. A network sniffer is also known as a Protocol Analyzer. A Protocol Analyzer is a hardware device or more commonly a software program used to capture network data communications sent between devices on a network. Capturing and analyzing the packets sent to the web server will help determine the source IP address of the system sending the packets. Well known software protocol analyzers include Message Analyzer (formerly Network Monitor) from Microsoft and Wireshark (formerly Ethereal).
Which of the following can be utilized in order to provide temporary IT support during a disaster, where the organization sets aside funds for contingencies, but does not necessarily have a dedicated site to restore those services? A. Hot site B. Warm site C. Cold site D. Mobile site
Answer: D Explanation: Not having a dedicated site means that the mobile site can fill the role of either being a hot, warm or cold site as a disaster recovery measure.
The IT department has installed new wireless access points but discovers that the signal extends far into the parking lot. Which of the following actions should be taken to correct this? A. Disable the SSID broadcasting B. Configure the access points so that MAC filtering is not used C. Implement WEP encryption on the access points D. Lower the power for office coverage only
Answer: D Explanation: On the chance that the signal is actually traveling too far, some access points include power level controls, which allow you to reduce the amount of output provided.
Which of the following statements is MOST likely to be included in the security awareness training about P2P? A. P2P is always used to download copyrighted material. B. P2P can be used to improve computer system response. C. P2P may prevent viruses from entering the network. D. P2P may cause excessive network bandwidth
Answer: D Explanation: P2P networking by definition involves networking which will reduce available bandwidth for the rest of the users on the network.
Which of the following types of trust models is used by a PKI? A. Transitive B. Open source C. Decentralized D. Centralized
Answer: D Explanation: PKI uses a centralized trust model. In a simple PKI a single centralized certification authority (CA). In a hierarchical trust model the root CA is the center of the model, with subordinate CAs lower in the hierarchy. Note: A public key infrastructure (PKI) is a set of hardware, software, people, policies, and procedures needed to create, manage, distribute, use, store, and revoke digital certificates. A trust Model is collection of rules that informs application on how to decide the legitimacy of a Digital Certificate.
Which of the following can be used to mitigate risk if a mobile device is lost? A. Cable lock B. Transport encryption C. Voice encryption D. Strong passwords
Answer: D Explanation: Passwords are the most likely mechanism that can be used to mitigate risk when a mobile device is lost. A strong password would be more difficult to crack
A recently installed application update caused a vital application to crash during the middle of the workday. The application remained down until a previous version could be reinstalled on the server, and this resulted in a significant loss of data and revenue. Which of the following could BEST prevent this issue from occurring again? A. Application configuration baselines B. Application hardening C. Application access controls D. Application patch management
Answer: D Explanation: Patch management is the process of maintaining the latest source code for applications and operating systems by applying the latest vendor updates. This helps protect a systems from newly discovered attacks and vulnerabilities. A part of patch management is testing the effects ofvendor updates on a test system first to ensure that the updates do not have detrimental effects on the system, and, should the updates have no detrimental effects on the test systems, backing up the production systems before applying the updates on a production system.
Which of the following is the MOST intrusive type of testing against a production system? A. White box testing B. War dialing C. Vulnerability testing D. Penetration testing
Answer: D Explanation: Penetration testing is the most intrusive type of testing because you are actively trying to circumvent the system's security controls to gain access to the system.
A small company has a website that provides online customer support. The company requires an account recovery process so that customers who forget their passwords can regain access. Which of the following is the BEST approach to implement this process? A. Replace passwords with hardware tokens which provide two-factor authentication to the online customer support site. B. Require the customer to physically come into the company's main office so that the customer can be authenticated prior to their password being reset. C. Web-based form that identifies customer by another mechanism and then emails the customer their forgotten password. D. Web-based form that identifies customer by another mechanism, sets a temporary password and forces a password change upon first login.
Answer: D Explanation: People tend to forget their passwords, thus you should have a password recovery system for them that will not increase risk exposure. Setting a temporary password will restrict the time that the password is valid and thus decrease risk; and in addition forcing the customer to change it upon first login will make the password more secure for the customer.
Which of the following is a vulnerability associated with disabling pop-up blockers? A. An alert message from the administrator may not be visible B. A form submitted by the user may not open C. The help window may not be displayed D. Another browser instance may execute malicious code
Answer: D Explanation: Pop-up blockers prevent websites from opening new browser windows without the users consent. These are often used for advertisements but can also be used to distribute malicious code.
Which of the following preventative controls would be appropriate for responding to a directive to reduce the attack surface of a specific host? A. Installing anti-malware B. Implementing an IDS C. Taking a baseline configuration D. Disabling unnecessary services
Answer: D Explanation: Preventive controls are to stop something from happening. These can include locked doors that keep intruders out, user training on potential harm (to keep them vigilant and alert), or even biometric devices and guards that deny access until authentication has occurred. By disabling all unnecessary services you would be reducing the attack surface because then there is less opportunity for risk incidents to happen. There are many risks with having many services enabled since a service can provide an attack vector that someone could exploit against your system. It is thus best practice to enable only those services that are absolutely required
Upper management decides which risk to mitigate based on cost. This is an example of: A. Qualitative risk assessment B. Business impact analysis C. Risk management framework D. Quantitative risk assessment
Answer: D Explanation: Quantitative analysis / assessment is used to the show the logic and cost savings in replacing a server for example before it fails rather than after the failure. Quantitative assessments assign a dollar amount.
Which of the following represents a cryptographic solution where the encrypted stream cannot be captured by a sniffer without the integrity of the stream being compromised? A. Elliptic curve cryptography. B. Perfect forward secrecy. C. Steganography. D. Quantum cryptography.
Answer: D Explanation: Quantum cryptography is a cryptosystem that is completely secure against being compromised without knowledge of the sender or the receiver of the messages.
Which of the following is an authentication service that uses UDP as a transport medium? A. TACACS+ B. LDAP C. Kerberos D. RADIUS
Answer: D Explanation: RADIUS runs in the application layer and makes use of UDP as transport
Which of the following provides data the best fault tolerance at the LOWEST cost? A. Load balancing B. Clustering C. Server virtualization D. RAID 6
Answer: D Explanation: RAID, or redundant array of independent disks (RAID). RAID allows your existing servers to have more than one hard drive so that if the main hard drive fails, the system keeps functioning. RAID can achieve fault tolerance using software which can be done using the existing hardware and software thus representing the lowest cost option.
When creating a public / private key pair, for which of the following ciphers would a user need to specify the key strength? A. SHA B. AES C. DES D. RSA
Answer: D Explanation: RSA (an asymmetric algorithm) uses keys of a minimum length of 2048 bits
A user, Ann, is reporting to the company IT support group that her workstation screen is blank other than a window with a message requesting payment or else her hard drive will be formatted. Which of the following types of malware is on Ann's workstation? A. Trojan B. Spyware C. Adware D. Ransomware
Answer: D Explanation: Ransomware is a type of malware which restricts access to the computer system that it infects, and demands a ransom paid to the creator(s) of the malware in order for the restriction to be removed. Some forms of ransomware encrypt files on the system's hard drive), while some may simply lock the system and display messages intended to coax the user into paying. Ransomware typically propagates as a trojan like a conventional computer worm, entering a system through, for example, a downloaded file or a vulnerability in a network service. The program will then run a payload: such as one that will begin to encrypt personal files on the hard drive. More sophisticated ransomware may hybrid-encrypt the victim's plaintext with a random symmetric key and a fixed public key. The malware author is the only party that knows the needed private decryption key. Some ransomware payloads do not use encryption. In these cases, the payload is simply an application designed to restrict interaction with the system, typically by setting the Windows Shell to itself, or even modifying the master boot record and/or partition table (which prevents the operating system from booting at all until it is repaired) Ransomware payloads utilize elements of scareware to extort money from the system's user. The payload may, for example, display notices purportedly issued by companies or law enforcement agencies which falsely claim that the system had been used for illegal activities, or contains illegal content such as pornography and pirated software or media. Some ransomware payloads imitate Windows' product activation notices, falsely claiming that their computer's Windows installation is counterfeit or requires re-activation. These tactics coax the user into paying the malware's author to remove the ransomware, either by supplying a program which can decrypt the files, or by sending an unlock code that undoes the changes the payload has made.
A company recently experienced data loss when a server crashed due to a midday power outage. Which of the following should be used to prevent this from occurring again? A. Recovery procedures B. EMI shielding C. Environmental monitoring D. Redundancy
Answer: D Explanation: Redundancy refers to systems that either are duplicated or fail over to other systems in the event of a malfunction (in this case a power outage). Failover refers to the process of reconstructing a system or switching over to other systems when a failure is detected. In the case of a server, the server switches to a redundant server when a fault is detected. This strategy allows service to continue uninterrupted until the primary server can be restored.
Sara, a company's security officer, often receives reports of unauthorized personnel having access codes to the cipher locks of secure areas in the building. Sara should immediately implement which of the following? A. Acceptable Use Policy B. Physical security controls C. Technical controls D. Security awareness training
Answer: D Explanation: Security awareness and training include explaining policies, procedures, and current threats to both users and management. A security awareness and training program can do much to assist in your efforts to improve and maintain security. A good security awareness training program for the entire organization should cover the following areas: Importance of security; Responsibilities of people in the organization; Policies and procedures; Usage policies; Account and passwordselection criteria as well as Social engineering prevention
Which of the following allows an organization to store a sensitive PKI component with a trusted third party? A. Trust model B. Public Key Infrastructure C. Private key D. Key escrow
Answer: D Explanation: Sensitive PKI data, such as private keys, can be put into key escrow data. The key escrow data can be kept at a trusted third party. Key escrow is an arrangement in which the keys needed to decrypt encrypted data are held in escrow so that, under certain circumstances, an authorized third party may gain access to those keys. These third parties may include businesses, who may want access to employees' private communications, or governments, who may wish to be able to view the contents of encrypted communications
A user in the company is in charge of various financial roles but needs to prepare for an upcoming audit. They use the same account to access each financial system. Which of the following security controls will MOST likely be implemented within the company? A. Account lockout policy B. Account password enforcement C. Password complexity enabled D. Separation of duties
Answer: D Explanation: Separation of duties means that users are granted only the permissions they need to do their work and no more. More so it means that there is differentiation between users, employees and duties per se which form part of best practices
LDAP and Kerberos are commonly used for which of the following? A. To perform queries on a directory service B. To store usernames and passwords for Federated Identity C. To sign SSL wildcard certificates for subdomains D. To utilize single sign-on capabilities
Answer: D Explanation: Single sign-on is usually achieved via the Lightweight Directory Access Protocol (LDAP), although Kerberos can also be used.
A company wants to ensure that all credentials for various systems are saved within a central database so that users only have to login once for access to all systems. Which of the following would accomplish this? A. Multi-factor authentication B. Smart card access C. Same Sign-On D. Single Sign-O
Answer: D Explanation: Single sign-on means that once a user (or other subject) is authenticated into a realm, reauthentication is not required for access to resources on any realm entity. Single sign-on is able to internally translate and store credentials for the various mechanisms, from the credential used for original authentication.
After Ann, a user, logs into her banking websites she has access to her financial institution mortgage, credit card, and brokerage websites as well. Which of the following is being described? A. Trusted OS B. Mandatory access control C. Separation of duties D. Single sign-on
Answer: D Explanation: Single sign-on means that once a user (or other subject) is authenticated into a realm, reauthentication is not required for access to resources on any realm entity. The question states that when Ann logs into her banking websites she has access to her financial institution mortgage, credit card, and brokerage websites as well. This describes an SSO scenario
The security department has implemented a new laptop encryption product in the environment. The product requires one user name and password at the time of boot up and also another password after the operating system has finished loading. This setup is using which of the following authentication types? A. Two-factor authentication B. Single sign-on C. Multifactor authentication D. Single factor authentication
Answer: D Explanation: Single-factor authentication is when only one authentication factor is used. In this case, Something you know is being used as an authentication factor. Username, password, and PIN form part of Something you know
The information security team does a presentation on social media and advises the participants not to provide too much personal information on social media web sites. This advice would BEST protect people from which of the following? A. Rainbow tables attacks B. Brute force attacks C. Birthday attacks D. Cognitive passwords attacks
Answer: D Explanation: Social Networking Dangers are 'amplified' in that social media networks are designed to mass distribute personal messages. If an employee reveals too much personal information it would be easy for miscreants to use the messages containing the personal information to work out possible passwords.
Users can authenticate to a company's web applications using their credentials from a popular social media site. Which of the following poses the greatest risk with this integration? A. Malicious users can exploit local corporate credentials with their social media credentials B. Changes to passwords on the social media site can be delayed from replicating to the company C. Data loss from the corporate servers can create legal liabilities with the social media site D. Password breaches to the social media site affect the company application as well
Answer: D Explanation: Social networking and having you company's application authentication 'linked' to users' credential that they use on social media sites exposes your company's application exponentially more than is necessary. You should strive to practice risk avoidance.
Which of the following will allow Pete, a security analyst, to trigger a security alert because of a tracking cookie? A. Network based firewall B. Anti-spam software C. Host based firewall D. Anti-spyware software
Answer: D Explanation: Spyware monitors a user's activity and uses network protocols to reports it to a third party without the user's knowledge. This is usually accomplished using a tracking cookie
A company requires that a user's credentials include providing something they know and something they are in order to gain access to the network. Which of the following types of authentication is being described? A. Biometrics B. Kerberos C. Token D. Two-factor
Answer: D Explanation: Two-factor authentication is when two different authentication factors are provided for authentication purposes. In this case, "something they know and something they are".
A system administrator wants to confidentially send a user name and password list to an individual outside the company without the information being detected by security controls. Which of the following would BEST meet this security goal? A. Digital signatures B. Hashing C. Full-disk encryption D. Steganography
Answer: D Explanation: Steganography is the process of concealing a file, message, image, or video within another file, message, image, or video. Note: The advantage of steganography over cryptography alone is that the intended secret message does not attract attention to itself as an object of scrutiny. Plainly visible encrypted messages, no matter how unbreakable will arouse interest, and may in themselves be incriminating in countries where encryption is illegal. Thus, whereas cryptography is the practice of protecting the contents of a message alone, steganography is concerned with concealing the fact that a secret message is being sent, as well as concealing the contents of the message.
Which of the following can hide confidential or malicious data in the whitespace of other files (e.g. JPEGs)? A. Hashing B. Transport encryption C. Digital signatures D. Steganography
Answer: D Explanation: Steganography is the process of concealing a file, message, image, or video within another file, message, image, or video. Note: The advantage of steganography over cryptography alone is that the intended secret message does not attract attention to itself as an object of scrutiny. Plainly visible encrypted messages, no matter how unbreakable will arouse interest, and may in themselves be incriminating in countries where encryption is illegal. Thus, whereas cryptography is the practice of protecting the contents of a message alone, steganography is concerned with concealing the fact that a secret message is being sent, as well as concealing the contents of the message.
Which of the following concepts is BEST described as developing a new chain of command in the event of a contingency? A. Business continuity planning B. Continuity of operations C. Business impact analysis D. Succession planning
Answer: D Explanation: Succession planning outlines those internal to the organization who have the ability to step into positions when they open. By identifying key roles that cannot be left unfilled and associating internal employees who can step into these roles, you can groom those employees to make sure that they are up to speed when it comes time for them to fill those positions
Symmetric encryption utilizes __________, while asymmetric encryption utilizes _________. A. Public keys, one time B. Shared keys, private keys C. Private keys, session keys D. Private keys, public keys
Answer: D Explanation: Symmetrical systems require the key to be private between the two parties. With asymmetric systems, each circuit has one key. In more detail: * Symmetric algorithms require both ends of an encrypted message to have the same key and processing algorithms. Symmetric algorithms generate a secret key that must be protected. A symmetric key, sometimes referred to as a secret key or private key, is a key that isn't disclosed to people who aren't authorized to use the encryption system. * Asymmetric algorithms use two keys to encrypt and decrypt data. These asymmetric keys are referred to as the public key and the private key. The sender uses the public key to encrypt a message, and the receiver uses the private key to decrypt the message; what one key does, the other one undoes.
Which of the following protocols uses TCP instead of UDP and is incompatible with all previous versions? A. TACACS B. XTACACS C. RADIUS D. TACACS+
Answer: D Explanation: TACACS+ is not compatible with TACACS and XTACACS, and makes use of TCP.
An administrator has to determine host operating systems on the network and has deployed a transparent proxy. Which of the following fingerprint types would this solution use? A. Packet B. Active C. Port D. Passive
Answer: D Explanation: TCP/IP stack fingerprinting is the passive collection of configuration attributes from a remote device during standard layer 4 network communications. The combination of parameters may then be used to infer the remote machine's operating system (aka, OS fingerprinting), or incorporated into a device fingerprint. Certain parameters within the TCP protocol definition are left up to the implementation. Different operating systems and different versions of the same operating system set different defaults for these values. By collecting and examining these values, one may differentiate among various operating systems, and implementations of TCP/IP. Just inspecting the Initial TTL and window size TCP/IP fields is often enough in order to successfully identify an operating system, which eases the task of performing manual OS fingerprinting. Passive OS fingerprinting is the examination of a passively collected sample of packets from a host in order to determine its operating system platform. It is called passive because it doesn't involve communicating with the host being examined. In this question, the proxy will use passive fingerprinting because the proxy is a 'transparent proxy'. It isn't seen by the computer.
Which of the following could a security administrator implement to mitigate the risk of tailgating for a large organization? A. Train employees on correct data disposal techniques and enforce policies. B. Only allow employees to enter or leave through one door at specified times of the day. C. Only allow employees to go on break one at a time and post security guards 24/7 at each entrance. D. Train employees on risks associated with social engineering attacks and enforce policies.
Answer: D Explanation: Tailgating is the term used for someone being so close to you when you enter a building that they are able to come in right behind you without needing to use a key, a card, or any other security device. Many social engineering intruders needing physical access to a site will use this method of gaining entry. Educate users to beware of this and other social engineering ploys and prevent them from happening.
Datacenter access is controlled with proximity badges that record all entries and exits from the datacenter. The access records are used to identify which staff members accessed the data center in the event of equipment theft. Which of the following MUST be prevented in order for this policy to be effective? A. Password reuse B. Phishing C. Social engineering D. Tailgating
Answer: D Explanation: Tailgating is the term used for someone being so close to you when you enter a building that they are able to come in right behind you without needing to use a key, a card, or any other security device. This should be prevented in this case.
When reviewing security logs, an administrator sees requests for the AAAA record of www.comptia.com. Which of the following BEST describes this type of record? A. DNSSEC record B. IPv4 DNS record C. IPSEC DNS record D. IPv6 DNS record
Answer: D Explanation: The AAAA Address record links a FQDN to an IPv6 address.
A system administrator is configuring UNIX accounts to authenticate against an external server. The configuration file asks for the following information DC=ServerName and DC=COM. Which of the following authentication services is being used? A. RADIUS B. SAML C. TACACS+ D. LDAP
Answer: D Explanation: The Lightweight Directory Access Protocol is an open, vendor-neutral, industry standard application protocol for accessing and maintaining distributed directory information services over an Internet Protocol (IP) network. Directory services play an important role in developing intranet and Internet applications by allowing the sharing of information about users, systems, networks, services, and applications throughout the network. As examples, directory services may provide any organized set of records, often with a hierarchical structure, such as a corporate email directory. Similarly, a telephone directory is a list of subscribers with an address and a phone number. An entry can look like this when represented in LDAP Data Interchange Format (LDIF) (LDAP itself is a binary protocol): dn: cn=John Doe,dc=example,dc=com cn: John Doe givenName: John sn: Doe telephoneNumber: +1 888 555 6789 telephoneNumber: +1 888 555 1232 mail: [email protected] manager: cn=Barbara Doe,dc=example,dc=com objectClass: inetOrgPerson objectClass: organizationalPerson objectClass: person objectClass: top "dn" is the distinguished name of the entry; it is neither an attribute nor a part of the entry. "cn=John Doe" is the entry's RDN (Relative Distinguished Name), and "dc=example,dc=com" is the DN of the parent entry, where "dc" denotes 'Domain Component'. The other lines show the attributes in the entry. Attribute names are typically mnemonic strings, like "cn" for common name, "dc" for domain component, "mail" for e-mail address, and "sn" for surname.
Which of the following was based on a previous X.500 specification and allows either unencrypted authentication or encrypted authentication through the use of TLS? A. Kerberos B. TACACS+ C. RADIUS D. LDAP
Answer: D Explanation: The Lightweight Directory Access Protocol is an open, vendor-neutral, industry standard application protocol for accessing and maintaining distributed directory information services over an Internet Protocol (IP) network. Directory services play an important role in developing intranet and Internet applications by allowing the sharing of information about users, systems, networks, services, and applications throughout the network. As examples, directory services may provide any organized set of records, often with a hierarchical structure, such as a corporateemail directory. Similarly, a telephone directory is a list of subscribers with an address and a phone number. A common usage of LDAP is to provide a "single sign on" where one password for a user is shared between many services, such as applying a company login code to web pages (so that staff log in only once to company computers, and then are automatically logged into the company intranet). LDAP is based on a simpler subset of the standards contained within the X.500 standard. Because of this relationship, LDAP is sometimes called X.500-lite. A client starts an LDAP session by connecting to an LDAP server, called a Directory System Agent (DSA), by default on TCP and UDP port 389, or on port 636 for LDAPS. Global Catalog is available by default on ports 3268, and 3269 for LDAPS. The client then sends an operation request to the server, and the server sends responses in return. The client may request the following operations: StartTLS — use the LDAPv3 Transport Layer Security (TLS) extension for a secure connection
A software development company wants to implement a digital rights management solution to protect its intellectual property. Which of the following should the company implement to enforce software digital rights? A. Transport encryption B. IPsec C. Non-repudiation D. Public key infrastructure
Answer: D Explanation: The Public-Key Infrastructure (PKI) is intended to offer a means of providing security to messages and transactions on a grand scale. The need for universal systems to support e-commerce, secure transactions, and information privacy is one aspect of the issues being addressed with PKI. A PKI can be used to protect software.
Encryption used by RADIUS is BEST described as: A. Quantum B. Elliptical curve C. Asymmetric D. Symmetric
Answer: D Explanation: The RADIUS server uses a symmetric encryption method. Note: Symmetric algorithms require both ends of an encrypted message to have the same key and processing algorithms. Symmetric algorithms generate a secret key that must be protected.
RADIUS provides which of the following? A. Authentication, Authorization, Availability B. Authentication, Authorization, Auditing C. Authentication, Accounting, Auditing D. Authentication, Authorization, Accounting
Answer: D Explanation: The Remote Authentication Dial In User Service (RADIUS) networking protocol offers centralized Authentication, Authorization, and Accounting (AAA) management for users who make use of a network service. It is for this reason that A, B, and C: are incorrect. References: http://en.wikipedia.org/wiki/RADIU
Which of the following authentication services requires the use of a ticket-granting ticket (TGT) server in order to complete the authentication process? A. TACACS+ B. Secure LDAP C. RADIUS D. Kerberos
Answer: D Explanation: The basic process of Kerberos authentication is as follows: The subject provides logon credentials. The Kerberos client system encrypts the password and transmits the protected credentials to the KDC. The KDC verifies the credentials and then creates a ticket-granting ticket (TGT—a hashed form of the subject's password with the addition of a time stamp that indicates a valid lifetime). The TGT is encrypted and sent to the client. The client receives the TGT. At this point, the subject is an authenticated principle in the Kerberos realm. The subject requests access to resources on a network server. This causes the client to request a service ticket (ST) from the KDC. The KDC verifies that the client has a valid TGT and then issues an ST to the client. The ST includes a time stamp that indicates its valid lifetime. The client receives the ST. The client sends the ST to the network server that hosts the desired resource. The network server verifies the ST. If it's verified, it initiates a communication session with the client. From this point forward, Kerberos is no longer involved
Which of the following explains the difference between a public key and a private key? A. The public key is only used by the client while the private key is available to all.Both keys are mathematically related. B. The private key only decrypts the data while the public key only encrypts the data.Both keys are mathematically related. C. The private key is commonly used in symmetric key decryption while the public key is used in asymmetric key decryption. D. The private key is only used by the client and kept secret while the public key is available to all.
Answer: D Explanation: The private key must be kept secret at all time. The private key is only by the client. The public key is available to anybody
Which of the following authentication services uses a ticket granting system to provide access? A. RADIUS B. LDAP C. TACACS+ D. Kerberos
Answer: D Explanation: The basic process of Kerberos authentication is as follows: The subject provides logon credentials. The Kerberos client system encrypts the password and transmits the protected credentials to the KDC. The KDC verifies the credentials and then creates a ticket-granting ticket (TGT—a hashed form of the subject's password with the addition of a time stamp that indicates a valid lifetime). The TGT is encrypted and sent to the client. The client receives the TGT. At this point, the subject is an authenticated principle in the Kerberos realm. The subject requests access to resources on a network server. This causes the client to request a service ticket (ST) from the KDC. The KDC verifies that the client has a valid TGT and then issues an ST to the client. The ST includes a time stamp that indicates its valid lifetime. The client receives the ST. The client sends the ST to the network server that hosts the desired resource. The network server verifies the ST. If it's verified, it initiates a communication session with the client. From this point forward, Kerberos is no longer involved.
Which of the following types of authentication solutions use tickets to provide access to various resources from a central location? A. Biometrics B. PKI C. ACLs D. Kerberos
Answer: D Explanation: The basic process of Kerberos authentication is as follows: The subject provides logon credentials. The Kerberos client system encrypts the password and transmits the protected credentials to the KDC. The KDC verifies the credentials and then creates a ticket-granting ticket (TGT—a hashed form of the subject's password with the addition of a time stamp that indicates a valid lifetime). The TGT is encrypted and sent to the client. The client receives the TGT. At this point, the subject is an authenticated principle in the Kerberos realm. The subject requests access to resources on a network server. This causes the client to request a service ticket (ST) from the KDC. The KDC verifies that the client has a valid TGT and then issues an ST to the client. The ST includes a time stamp that indicates its valid lifetime. The client receives the ST. The client sends the ST to the network server that hosts the desired resource. The network server verifies the ST. If it's verified, it initiates a communication session with the client. From this point forward, Kerberos is no longer involved.
When an order was submitted via the corporate website, an administrator noted special characters (e.g., ";--" and "or 1=1 --") were input instead of the expected letters and numbers. Which of the following is the MOST likely reason for the unusual results? A. The user is attempting to highjack the web server session using an open-source browser. B. The user has been compromised by a cross-site scripting attack (XSS) and is part of a botnet performing DDoS attacks. C. The user is attempting to fuzz the web server by entering foreign language characters which are incompatible with the website. D. The user is sending malicious SQL injection strings in order to extract sensitive company or customer data via the website.
Answer: D Explanation: The code in the question is an example of a SQL Injection attack. The code '1=1' will always provide a value of true. This can be included in statement designed to return all rows in a SQL table. SQL injection is a code injection technique, used to attack data-driven applications, in which malicious SQL statements are inserted into an entry field for execution (e.g. to dump the database contents to the attacker). SQL injection must exploit a security vulnerability in an application's software, for example, when user input is either incorrectly filtered for string literal escape characters embedded in SQL statements or user input is not strongly typed and unexpectedly executed. SQL injection is mostly known as an attack vector for websites but can be used to attack any type of SQL database.
A security administrator has implemented a policy to prevent data loss. Which of the following is the BEST method of enforcement? A. Internet networks can be accessed via personally-owned computers. B. Data can only be stored on local workstations. C. Wi-Fi networks should use WEP encryption by default. D. Only USB devices supporting encryption are to be used.
Answer: D Explanation: The concern for preventing data loss is the concern for maintaining data confidentiality. This can be accomplished through encryption, access controls, and steganography. USB encryption is usually provided by the vendor of the USB device. It is not included on all USB devices.
A security administrator must implement a firewall rule to allow remote employees to VPN onto the company network. The VPN concentrator implements SSL VPN over the standard HTTPS port. Which of the following is the MOST secure ACL to implement at the company's gateway firewall? A. PERMIT TCP FROM ANY 443 TO 199.70.5.25 443 B. PERMIT TCP FROM ANY ANY TO 199.70.5.23 ANY C. PERMIT TCP FROM 199.70.5.23 ANY TO ANY ANY D. PERMIT TCP FROM ANY 1024-65535 TO 199.70.5.23 443
Answer: D Explanation: The default HTTPS port is port 443. When configuring SSL VPN you can change the default port for HTTPS to a port within the 1024-65535 range. This ACL will allow traffic from VPNs using the 1024-65535 port range to access the company network via company's gateway firewall on port 443.
Key elements of a business impact analysis should include which of the following tasks? A. Develop recovery strategies, prioritize recovery, create test plans, post-test evaluation, and update processes. B. Identify institutional and regulatory reporting requirements, develop response teams and communication trees, and develop press release templates. C. Employ regular preventive measures such as patch management, change management, antivirus and vulnerability scans, and reports to management. D. Identify critical assets systems and functions, identify dependencies, determine critical downtime limit, define scenarios by type and scope of impact, and quantify loss potential.
Answer: D Explanation: The key components of a Business impact analysis (BIA) include: Identifying Critical Functions Prioritizing Critical Business Functions Calculating a Timeframe for Critical Systems Loss Estimating the Tangible and Intangible Impact on the Organization
A company is looking to improve their security posture by addressing risks uncovered by a recent penetration test. Which of the following risks is MOST likely to affect the business on a day-to-day basis? A. Insufficient encryption methods B. Large scale natural disasters C. Corporate espionage D. Lack of antivirus software
Answer: D Explanation: The most common threat to computers is computer viruses. A computer can become infected with a virus through day-to-day activities such as browsing web sites or emails. As browsing and opening emails are the most common activities performed by all users, computer viruses represent the most likely risk to a business
Ann, the software security engineer, works for a major software vendor. Which of the following practices should be implemented to help prevent race conditions, buffer overflows, and other similar vulnerabilities prior to each production release? A. Product baseline report B. Input validation C. Patch regression testing D. Code review
Answer: D Explanation: The problems listed in this question can be caused by problems with the application code. Reviewing the code will help to prevent the problems. The purpose of code review is to look at all custom written code for holes that may exist. The review needs also to examine changes that the code—most likely in the form of a finished application—may make: configuration files, libraries, and the like. During this examination, look for threats such as opportunities for injection to occur (SQL, LDAP, code, and so on), cross-site request forgery, and authentication. Code review is often conducted as a part of gray box testing. Looking at source code can often be one of the easiest ways to find weaknesses within the application. Simply reading the code is known as manual assessment, whereas using tools to scan the code is known as automated assessment.
A company hosts its public websites internally. The administrator would like to make some changes to the architecture. The three goals are: reduce the number of public IP addresses in use by the web servers drive all the web traffic through a central point of control mitigate automated attacks that are based on IP address scanning Which of the following would meet all three goals? A. Firewall B. Load balancer C. URL filter D. Reverse proxy
Answer: D Explanation: The purpose of a proxy server is to serve as a proxy or middle man between clients and servers. Using a reverse proxy you will be able to meet the three stated goals.
Ann, the network administrator, has learned from the helpdesk that employees are accessing the wireless network without entering their domain credentials upon connection. Once the connection is made, they cannot reach any internal resources, while wired network connections operate smoothly. Which of the following is MOST likely occurring? A. A user has plugged in a personal access point at their desk to connect to the network wirelessly. B. The company is currently experiencing an attack on their internal DNS servers. C. The company's WEP encryption has been compromised and WPA2 needs to be implemented instead. D. An attacker has installed an access point nearby in an attempt to capture company information.
Answer: D Explanation: The question implies that users should be required to enter their domain credentials upon connection to the wireless network. The fact that they are connecting to a wireless network without being prompted for their domain credentials and they are unable to access network resources suggests they are connecting to a rogue wireless network. A rogue access point is a wireless access point that has either been installed on a secure company network without explicit authorization from a local network administrator, or has been created to allow a hacker to conduct a man-in-the-middle attack. Rogue access points of the first kind can pose a security threat to large organizations with many employees, because anyone with access to the premises can install (maliciously or non-maliciously) an inexpensive wireless router that can potentially allow access to a secure network to unauthorized parties. Rogue access points of the second kind target networks that do not employ mutual authentication (client-server serverclient) and may be used in conjunction with a rogue RADIUS server, depending on security configuration of the target network. To prevent the installation of rogue access points, organizations can install wireless intrusion prevention systems to monitor the radio spectrum for unauthorized access points
A security administrator needs to determine which system a particular user is trying to login to at various times of the day. Which of the following log types would the administrator check? A. Firewall B. Application C. IDS D. Security
Answer: D Explanation: The security log records events such as valid and invalid logon attempts, as well as events related to resource use, such as the creating, opening, or deleting of files. For example, when logon auditing is enabled, an event is recorded in the security log each time a user attempts to log on to the computer. You must be logged on as Administrator or as a member of the Administrators group in order to turn on, use, and specify which events are recorded in the security log.
Ann wants to send a file to Joe using PKI. Which of the following should Ann use in order to sign the file? A. Joe's public key B. Joe's private key C. Ann's public key D. Ann's private key
Answer: D Explanation: The sender uses his private key, in this case Ann's private key, to create a digital signature. The message is, in effect, signed with the private key. The sender then sends the message to the receiver. The receiver uses the public key attached to the message to validate the digital signature. If the values match, the receiver knows the message is authentic. The receiver uses a key provided by the sender—the public key—to decrypt the message. Most digital signature implementations also use a hash to verify that the message has not been altered, intentionally or accidently, in transit.
Which of the following is an effective way to ensure the BEST temperature for all equipment within a datacenter? A. Fire suppression B. Raised floor implementation C. EMI shielding D. Hot or cool aisle containment
Answer: D Explanation: There are often multiple rows of servers located in racks in server rooms. The rows of servers are known as aisles, and they can be cooled as hot aisles and cold aisles. With a hot aisle, hot air outlets are used to cool the equipment, whereas with cold aisles, cold air intake is used to cool the equipment. Combining the two, you have cold air intake from below the aisle and hot air outtake above it, providing constant circulation. This is a more effective way of controlling temperature to safeguard your equipment in a data center.
A security administrator plans on replacing a critical business application in five years. Recently, there was a security flaw discovered in the application that will cause the IT department to manually re-enable user accounts each month at a cost of $2,000. Patching the application today would cost $140,000 and take two months to implement. Which of the following should the security administrator do in regards to the application? A. Avoid the risk to the user base allowing them to re-enable their own accounts B. Mitigate the risk by patching the application to increase security and saving money C. Transfer the risk replacing the application now instead of in five years D. Accept the risk and continue to enable the accounts each month saving money
Answer: D Explanation: This is a risk acceptance measure that has to be implemented since the cost of patching would be too high compared to the cost to keep the system going as is. Risk acceptance is often the choice you must make when the cost of implementing any of the other four choices (i.e. risk deterrence, mitigation, transference or avoidance) exceeds the value of the harm that would occur if the risk came to fruition.
The system administrator is reviewing the following logs from the company web server: 12:34:56 GET /directory_listing.php?user=admin&pass=admin1 12:34:57 GET /directory_listing.php?user=admin&pass=admin2 12:34:58 GET /directory_listing.php?user=admin&pass=1admin 12:34:59 GET /directory_listing.php?user=admin&pass=2admin Which of the following is this an example of? A. Online rainbow table attack B. Offline brute force attack C. Offline dictionary attack D. Online hybrid attack
Answer: D Explanation: This is an example of an online hybrid attack. A hybrid attack is a combination of attacks. In this example, we have a combination of a dictionary attack and a brute-force attack. A brute force attack is a trial-and-error method used to obtain information such as a user password or personal identification number (PIN). In a brute force attack, automated software is used to generate a large number of consecutive guesses as to the value of the desired data. A dictionary attack uses a list of words to use as passwords. The combination or hybrid attack adds characters or numbers or even other words to the beginning or end of the password guesses.In this example we have a password guess of 'admin'. From the word admin, we have four combinations, 'admin1, 1admin, admin2, 2admin'
A network administrator identifies sensitive files being transferred from a workstation in the LAN to an unauthorized outside IP address in a foreign country. An investigation determines that the firewall has not been altered, and antivirus is up-to-date on the workstation. Which of the following is the MOST likely reason for the incident? A. MAC Spoofing B. Session Hijacking C. Impersonation D. Zero-day
Answer: D Explanation: This question states that antivirus is up-to-date on the workstation and the firewall has not been altered. The antivirus software is up to date with all 'known' viruses. A zero day vulnerability is an unknown vulnerability so a patch or virus definition has not been released yet. A zero day vulnerability refers to a hole in software that is unknown to the vendor. This security hole is then exploited by hackers before the vendor becomes aware and hurries to fix it—this exploit is called a zero day attack. Uses of zero day attacks can include infiltrating malware, spyware or allowing unwanted access to user information. The term "zero day" refers to the unknown nature of the hole to those outside of the hackers, specifically, the developers. Once the vulnerability becomes known, a race begins for the developer, who must protect users
An IT security manager is asked to provide the total risk to the business. Which of the following calculations would the security manager choose to determine total risk? A. (Threats X vulnerability X asset value) x controls gap B. (Threats X vulnerability X profit) x asset value C. Threats X vulnerability X control gap D. Threats X vulnerability X asset value
Answer: D Explanation: Threats X vulnerability X asset value is equal to asset value (AV) times exposure factor (EF). This is used to calculate a risk.
The helpdesk reports increased calls from clients reporting spikes in malware infections on their systems. Which of the following phases of incident response is MOST appropriate as a FIRST response? A. Recovery B. Follow-up C. Validation D. Identification E. Eradication F. Containment
Answer: D Explanation: To be able to respond to the incident of malware infection you need to know what type of malware was used since there are many types of malware around. This makes identification critical in this case.
After running into the data center with a vehicle, attackers were able to enter through the hole in the building and steal several key servers in the ensuing chaos. Which of the following security measures can be put in place to mitigate the issue from occurring in the future? A. Fencing B. Proximity readers C. Video surveillance D. Bollards
Answer: D Explanation: To stop someone from entering a facility, barricades or gauntlets can be used. These are often used in conjunction with guards, fencing, and other physical security measures. Bollards are physical barriers that are strong enough to withstand impact with a vehicle.
A company has recently implemented a high density wireless system by having a junior technician install two new access points for every access point already deployed. Users are now reporting random wireless disconnections and slow network connectivity. Which of the following is the MOST likely cause? A. The old APs use 802.11a B. Users did not enter the MAC of the new APs C. The new APs use MIMO D. A site survey was not conducted
Answer: D Explanation: To test the wireless AP placement, a site survey should be performed.
A security engineer, Joe, has been asked to create a secure connection between his mail server and the mail server of a business partner. Which of the following protocol would be MOST appropriate? A. HTTPS B. SSH C. FTP D. TLS
Answer: D Explanation: Transport Layer Security (TLS) is a cryptographic protocol designed to provide communications security over a computer network. It uses X.509 certificates and hence asymmetric cryptography to authenticate the counterparty with whom it is communicating, and to exchange a symmetric key. The TLS protocol allows client-server applications to communicate across a network in a way designed to prevent eavesdropping and tampering.
Which of the following hardware based encryption devices is used as a part of multi-factor authentication to access a secured computing system? A. Database encryption B. USB encryption C. Whole disk encryption D. TPM
Answer: D Explanation: Trusted Platform Module (TPM) is a hardware-based encryption solution that is embedded in the system's motherboard and is enabled or disable in BIOS. It helps with hash key generation and stores cryptographic keys, passwords, or certificates
Which of the following is a hardware-based security technology included in a computer? A. Symmetric key B. Asymmetric key C. Whole disk encryption D. Trusted platform module
Answer: D Explanation: Trusted Platform Module (TPM) is a hardware-based encryption solution that is embedded in the system's motherboard and is enabled or disable in BIOS. It helps with hash key generation and stores cryptographic keys, passwords, or certificates
Which of the following should be enabled in a laptop's BIOS prior to full disk encryption? A. USB B. HSM C. RAID D. TPM
Answer: D Explanation: Trusted Platform Module (TPM) is a hardware-based encryption solution that is embedded in the system's motherboard and is enabled or disable in BIOS. It helps with hash key generation and stores cryptographic keys, passwords, or certificates.
Using proximity card readers instead of the traditional key punch doors would help to mitigate: A. Impersonation B. Tailgating C. Dumpster diving D. Shoulder surfing
Answer: D Explanation: Using a traditional key punch door, a person enters a code into a keypad to unlock the door. Someone could be watching the code being entered. They would then be able to open the door by entering the code. The process of watching the key code being entered is known as shoulder surfing. Shoulder surfing is using direct observation techniques, such as looking over someone's shoulder, to get information. Shoulder surfing is an effective way to get information in crowded places because it's relatively easy to stand next to someone and watch as they fill out a form, enter a PIN number at an ATM machine, or use a calling card at a public pay phone. Shoulder surfing can also be done long distance with the aid of binoculars or other vision-enhancing devices. To prevent shoulder surfing, experts recommend that you shield paperwork or your keypad from view by using your body or cupping your hand.
Which of the following solutions provides the most flexibility when testing new security controls prior to implementation? A. Trusted OS B. Host software baselining C. OS hardening D. Virtualization
Answer: D Explanation: Virtualization is used to host one or more operating systems in the memory of a single host computer and allows multiple operating systems to run simultaneously on the same hardware. Virtualization offers the flexibility of quickly and easily making backups of entire virtual systems, and quickly recovering the virtual system when errors occur. Furthermore, malicious code compromises of virtual systems rarely affect the host system, which allows for safer testing and experimentation.
Jane, an individual, has recently been calling various financial offices pretending to be another person to gain financial information. Which of the following attacks is being described? A. Phishing B. Tailgating C. Pharming D. Vishing
Answer: D Explanation: Vishing (voice or VoIP phishing) is an electronic fraud tactic in which individuals are tricked into revealing critical financial or personal information to unauthorized entities. Vishing works like phishing but does not always occur over the Internet and is carried out using voicetechnology. A vishing attack can be conducted by voice email, VoIP (voice over IP), or landline or cellular telephone. The potential victim receives a message, often generated by speech synthesis, indicating that suspicious activity has taken place in a credit card account, bank account, mortgage account or other financial service in their name. The victim is told to call a specific telephone number and provide information to "verify identity" or to "ensure that fraud does not occur." If the attack is carried out by telephone, caller ID spoofing can cause the victim's set to indicate a legitimate source, such as a bank or a government agency. Vishing is difficult for authorities to trace, particularly when conducted using VoIP. Furthermore, like many legitimate customer services, vishing scams are often outsourced to other countries, which may render sovereign law enforcement powerless. Consumers can protect themselves by suspecting any unsolicited message that suggests they are targets of illegal activity, no matter what the medium or apparent source. Rather than calling a number given in any unsolicited message, a consumer should directly call the institution named, using a number that is known to be valid, to verify all recent activity and to ensure that the account information has not been tampered with.
Which of the following BEST describes the weakness in WEP encryption? A. The initialization vector of WEP uses a crack-able RC4 encryption algorithm.Once enough packets are captured an XOR operation can be performed and the asymmetric keys can be derived. B. The WEP key is stored in plain text and split in portions across 224 packets of random data.Once enough packets are sniffed the IV portion of the packets can be removed leaving the plain text key. C. The WEP key has a weak MD4 hashing algorithm used.A simple rainbow table can be used to generate key possibilities due to MD4 collisions. D. The WEP key is stored with a very small pool of random numbers to make the cipher text.As the random numbers are often reused it becomes easy to derive the remaining WEP key.
Answer: D Explanation: WEP is based on RC4, but due to errors in design and implementation, WEP is weak in a number of areas, two of which are the use of a static common key and poor implementation of initiation vectors (IVs). When the WEP key is discovered, the attacker can join the network and then listen in on all other wireless client communications.
After a user performed a war driving attack, the network administrator noticed several similar markings where WiFi was available throughout the enterprise. Which of the following is the term used to describe these markings? A. IV attack B. War dialing C. Rogue access points D. War chalking
Answer: D Explanation: War chalking is the act of making chalk marks on outdoor surfaces (walls, sidewalks, buildings, sign posts, trees) to indicate the existence of an open wireless network connection, usually offering an Internet connection so that others can benefit from the free wireless access. The open connections typically come from the access points of wireless networks located within buildings to serve enterprises. The chalk symbols indicate the type of access point that is available at that specific spot.
Which of the following is the BEST concept to maintain required but non-critical server availability? A. SaaS site B. Cold site C. Hot site D. Warm site
Answer: D Explanation: Warm sites provide computer systems and compatible media capabilities. If a warm site is used, administrators and other staff will need to install and configure systems to resume operations. For most organizations, a warm site could be a remote office, a leased facility, or another organization with which yours has a reciprocal agreement. Another term for a warm site/reciprocal site is active/active model.
Joe analyzed the following log and determined the security team should implement which of the following as a mitigation method against further attempts? Host 192.168.1.123 [00: 00: 01]Successful Login: 015 192.168.1.123 : local [00: 00: 03]Unsuccessful Login: 022 214.34.56.006 : RDP 192.168.1.124 [00: 00: 04]UnSuccessful Login: 010 214.34.56.006 : RDP 192.168.1.124 [00: 00: 07]UnSuccessful Login: 007 214.34.56.006 : RDP 192.168.1.124 [00: 00: 08]UnSuccessful Login: 003 214.34.56.006 : RDP 192.168.1.124 A. Reporting B. IDS C. Monitor system logs D. Hardening
Answer: D Explanation: We can see a number of unsuccessful login attempts using a Remote Desktop Connection (using the RDP protocol) from a computer with the IP address 192.168.1.124. Someone successfully logged in locally. This is probably an authorized login (for example, Joe logging in). Hardening is the process of securing a system. We can harden (secure) the system by either disallowing remote desktop connections altogether or by restricting which IPs are allowed to initiate remote desktop connections.
Which of the following password attacks is MOST likely to crack the largest number of randomly generated passwords? A. Hybrid B. Birthday attack C. Dictionary D. Rainbow tables
Answer: D Explanation: When a password is "tried" against a system it is "hashed" using encryption so that the actual password is never sent in clear text across the communications line. This prevents eavesdroppers from intercepting the password. The hash of a password usually looks like a bunch of garbage and is typically a different length than the original password. Your password might be "shitzu" but the hash of your password would look something like "7378347eedbfdd761619451949225ec1". To verify a user, a system takes the hash value created by the password hashing function on the client computer and compares it to the hash value stored in a table on the server. If the hashes match, then the user is authenticated and granted access. Password cracking programs work in a similar way to the login process. The cracking program starts by taking plaintext passwords, running them through a hash algorithm, such as MD5, andthen compares the hash output with the hashes in the stolen password file. If it finds a match then the program has cracked the password. Rainbow Tables are basically huge sets of precomputed tables filled with hash values that are prematched to possible plaintext passwords. The Rainbow Tables essentially allow hackers to reverse the hashing function to determine what the plaintext password might be. The use of Rainbow Tables allow for passwords to be cracked in a very short amount of time compared with brute-force methods, however, the trade-off is that it takes a lot of storage (sometimes Terabytes) to hold the Rainbow Tables themselves. With a rainbow table, all of the possible hashes are computed in advance. In other words, you create a series of tables; each has all the possible two-letter, three-letter, four-letter, and so forth combinations and the hash of that combination, using a known hashing algorithm like SHA-2. Now if you search the table for a given hash, the letter combination in the table that produced the hash must be the password you are seeking.
Which of the following assessment techniques would a security administrator implement to ensure that systems and software are developed properly? A. Baseline reporting B. Input validation C. Determine attack surface D. Design reviews
Answer: D Explanation: When implementing systems and software, an important step is the design of the systems and software. The systems and software should be designed to ensure that the system works as intended and is secure. The design review assessment examines the ports and protocols used, the rules, segmentation, and access control in the system or application. A design review is basically a check to ensure that the design of the system meets the security requirements.
Which of the following should Joe, a security manager, implement to reduce the risk of employees working in collusion to embezzle funds from his company? A. Privacy Policy B. Least Privilege C. Acceptable Use D. Mandatory Vacations
Answer: D Explanation: When one person fills in for another, such as for mandatory vacations, it provides an opportunity to see what the person is doing and potentially uncover any fraud.
Which of the following is a step in deploying a WPA2-Enterprise wireless network? A. Install a token on the authentication server B. Install a DHCP server on the authentication server C. Install an encryption key on the authentication server D. Install a digital certificate on the authentication server
Answer: D Explanation: When setting up a wireless network, you'll find two very different modes of Wi-Fi Protected Access (WPA) security, which apply to both the WPA and WPA2 versions. The easiest to setup is the Personal mode, technically called the Pre-Shared Key (PSK) mode. It doesn't require anything beyond the wireless router or access points (APs) and uses a single passphrase or password for all users/devices. The other is the Enterprise mode —which should be used by businesses and organizations—and is also known as the RADIUS, 802.1X, 802.11i, or EAP mode. It provides better security and key management, and supports other enterprise-type functionality, such as VLANs and NAP. However, it requires an external authentication server, called a Remote Authentication Dial In User Service (RADIUS) server to handle the 802.1X authentication of users. To help you better understand the process of setting up WPA/WPA2-Enterprise and 802.1X, here's the basic overall steps: Choose, install, and configure a RADIUS server, or use a hosted service. Create a certificate authority (CA), so you can issue and install a digital certificate onto the RADIUS server, which may be done as a part of the RADIUS server installation and configuration. Alternatively, you could purchase a digital certificate from a public CA, such as GoDaddy or Verisign, so you don't have to install the server certificate on all the clients. If using EAP-TLS, you'd also create digital certificates for each end-user. On the server, populate the RADIUS client database with the IP address and shared secret for each AP. On the server, populate user data with usernames and passwords for each end-user. On each AP, configure the security for WPA/WPA2-Enterprise and input the RADIUS server IP address and the shared secret you created for that particular AP. On each Wi-Fi computer and device, configure the security for WPA/WPA2-Enterprise and set the 802.1X authentication settings.
A quality assurance analyst is reviewing a new software product for security, and has complete access to the code and data structures used by the developers. This is an example of which of the following types of testing? A. Black box B. Penetration C. Gray box D. White box
Answer: D Explanation: White box testing is the process of testing an application when you have detailed knowledge of the inner workings of the application. White-box testing (also known as clear box testing, glass box testing, transparent box testing, and structural testing) is a method of testing software that tests internal structures or workings of an application, as opposed to its functionality (i.e. black-box testing). In white-box testing an internal perspective of the system, as well as programming skills, are used to design test cases. The tester chooses inputs to exercise paths through the code and determine the appropriate outputs. This is analogous to testing nodes in a circuit, e.g. in-circuit testing (ICT). White-box testing can be applied at the unit, integration and system levels of the software testing process. Although traditional testers tended to think of white-box testing as being done at the unit level, it is used for integration and system testing more frequently today. It can test paths within a unit, paths between units during integration, and between subsystems during a system-level test.
A security administrator has been tasked with setting up a new internal wireless network that must use end to end TLS. Which of the following may be used to meet this objective? A. WPA B. HTTPS C. WEP D. WPA 2
Answer: D Explanation: Wi-Fi Protected Access 2 (WPA2) was intended to provide security that's equivalent to that on a wired network, and it implements elements of the 802.11i standard. In April 2010, the Wi-Fi Alliance announced the inclusion of additional Extensible Authentication Protocol (EAP) types to its certification programs for WPA- and WPA2- Enterprise certification programs. EAP-TLS is included in this certification program. Note: Although WPA mandates the use of TKIP, WPA2 requires Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (CCMP). CCMP uses 128-bit AES encryption with a 48-bit initialization vector. With the larger initialization vector, it increases the difficulty in cracking and minimizes the risk of a replay attack.
The system administrator has been notified that many users are having difficulty connecting to the company's wireless network. They take a new laptop and physically go to the access point and connect with no problems. Which of the following would be the MOST likely cause? A. The certificate used to authenticate users has been compromised and revoked. B. Multiple war drivers in the parking lot have exhausted all available IPs from the pool to deny access. C. An attacker has gained access to the access point and has changed the encryption keys. D. An unauthorized access point has been configured to operate on the same channel.
Answer: D Explanation: Wireless Access Points can be configured to use a channel. If you have multiple access points within range of each other, you should configure the access points to use different channels. Different channels use different frequencies. If you have two access points using the same channel, their Wi-Fi signals will interfere with each other. The question states that that many users are having difficulty connecting to the company's wireless network. This is probably due to the signal being weakened by interference from another access point using the same channel. When the administrator takes a new laptop and physically goes to the access point and connects with no problems, he is able to connect because he is near the access point and therefore has a strong signal.
Although a vulnerability scan report shows no vulnerabilities have been discovered, a subsequent penetration test reveals vulnerabilities on the network. Which of the following has been reported by the vulnerability scan? A. Passive scan B. Active scan C. False positive D. False negative
Answer: D Explanation: With a false negative, you are not alerted to a situation when you should be alerted. A False negative is exactly the opposite of a false positive.
Customers' credit card information was stolen from a popular video streaming company. A security consultant determined that the information was stolen, while in transit, from the gaming consoles of a particular vendor. Which of the following methods should the company consider to secure this data in the future? A. Application firewalls B. Manual updates C. Firmware version control D. Encrypted TCP wrappers
Answer: D Explanation: Wrapping sensitive systems with a specific control is required when protecting data in transit. TCP wrappers are also security controls. TCP Wrapper is a host-based networking ACL system, used to filter network access to Internet Protocol servers on (Unix-like) operating systems such as Linux or BSD. It allows host or subnetwork IP addresses, names and/or inetd query replies, to be used as tokens on which to filter for access control purposes. TCP Wrapper should not be considered a replacement for a properly configured firewall. Instead, TCP Wrapper should be used in conjunction with a firewall and other security enhancements in order to provide another layer of protection in the implementation of a security policy.
An administrator notices that former temporary employees' accounts are still active on a domain. Which of the following can be implemented to increase security and prevent this from happening? A. Implement a password expiration policy. B. Implement an account expiration date for permanent employees. C. Implement time of day restrictions for all temporary employees. D. Run a last logon script to look for inactive accounts.
Answer: D Explanation: You can run a script to return a list of all accounts that haven't been used for a number of days, for example 30 days. If an account hasn't been logged into for 30 days, it's a safe bet that the user the account belonged to is no longer with the company. You can then disable all the accounts that the script returns. A disabled account cannot be used to log in to a system. This is a good security measure. As soon as an employee leaves the company, the employees account should always be disabled.
Ann, a security administrator at a call center, has been experiencing problems with users intentionally installing unapproved and occasionally malicious software on their computers. Due to the nature of their jobs, Ann cannot change their permissions. Which of the following would BEST alleviate her concerns? A. Deploy a HIDS suite on the users' computers to prevent application installation. B. Maintain the baseline posture at the highest OS patch level. C. Enable the pop-up blockers on the users' browsers to prevent malware. D. Create an approved application list and block anything not on it.
Answer: D Explanation: You can use Software Restriction Policy or its successor AppLocker to prevent unauthorized applications from running or being installed on computers. Software Restriction Policies (SRP) is Group Policy-based feature that identifies software programs running on computers in a domain, and controls the ability of those programs to run. Software restriction policies are part of the Microsoft security and management strategy to assist enterprises in increasing the reliability, integrity, and manageability of their computers. You can use AppLocker as part of your overall security strategy for the following scenarios: Help prevent malicious software (malware) and unsupported applications from affecting computers in your environment. Prevent users from installing and using unauthorized applications. Implement application control policy to satisfy portions of your security policy or compliance requirements in your organization.
A security analyst informs the Chief Executive Officer (CEO) that a security breach has just occurred. This results in the Risk Manager and Chief Information Officer (CIO) being caught unaware when the CEO asks for further information. Which of the following strategies should be implemented to ensure the Risk Manager and CIO are not caught unaware in the future? A. Procedure and policy management B. Chain of custody management C. Change management D. Incident management
Answer: D Explanation: incident management refers to the steps followed when events occur (making sure controls are in place to prevent unauthorized access to, and changes of, all IT assets). The events that could occur include security breaches.
A software company has completed a security assessment. The assessment states that the company should implement fencing and lighting around the property. Additionally, the assessment states that production releases of their software should be digitally signed. Given the recommendations, the company was deficient in which of the following core security areas? (Select TWO). A. Fault tolerance B. Encryption C. Availability D. Integrity E. Safety F. Confidentiality
Answer: D,E Explanation: Aspects such as fencing, proper lighting, locks, CCTV, Escape plans Drills, escape routes and testing controls form part of safety controls. Integrity refers to aspects such as hashing, digital signatures, certificates and non-repudiation - all of which has to do with data integrity.
Which of the following is true about PKI? (Select TWO). A. When encrypting a message with the public key, only the public key can decrypt it. B. When encrypting a message with the private key, only the private key can decrypt it. C. When encrypting a message with the public key, only the CA can decrypt it. D. When encrypting a message with the public key, only the private key can decrypt it. E. When encrypting a message with the private key, only the public key can decrypt it.
Answer: D,E Explanation: E: You encrypt data with the private key and decrypt with the public key, though the opposite is much more frequent. Public-key cryptography, also known as asymmetric cryptography, is a class of cryptographic protocols based on algorithms that require two separate keys, one of which is secret (or private) and one of which is public. Although different, the two parts of this key pair are mathematically linked. D: In a PKI the sender encrypts the data using the receiver's public key. The receiver decrypts the data using his own private key. PKI is a two-key, asymmetric system with four main components: certificate authority (CA), registration authority (RA), RSA (the encryption algorithm), and digital certificates. Messages are encrypted with a public key and decrypted with a private key. A PKI example: You want to send an encrypted message to Jordan, so you request his public key. Jordan responds by sending you that key. You use the public key he sends you to encrypt the message. You send the message to him. Jordan uses his private key to decrypt the message.
A security administrator must implement a system to allow clients to securely negotiate encryption keys with the company's server over a public unencrypted communication channel. Which of the following implements the required secure key negotiation? (Select TWO). A. PBKDF2 B. Symmetric encryption C. Steganography D. ECDHE E. Diffie-Hellman
Answer: D,E Explanation: Elliptic curve Diffie-Hellman (ECDH) is an anonymous key agreement protocol that allows two parties, each having an elliptic curve public-private key pair, to establish a shared secret over an insecure channel. This shared secret may be directly used as a key, or better yet, to derive another key which can then be used to encrypt subsequent communications using a symmetric key cipher. It is a variant of the Diffie-Hellman protocol using elliptic curve cryptography. Note: Adding an ephemeral key to Diffie-Hellman turns it into DHE (which, despite the order of the acronym, stands for Ephemeral Diffie-Hellman). Adding an ephemeral key to Elliptic Curve Diffie-Hellman turns it into ECDHE (again, overlook the order of the acronym letters; it is called Ephemeral Elliptic Curve Diffie-Hellman). It is the ephemeral component of each of these that provides the perfect forward secrecy
Used in conjunction, which of the following are PII? (Select TWO). A. Marital status B. Favorite movie C. Pet's name D. Birthday E. Full name
Answer: D,E Explanation: Personally identifiable information (PII) is a catchall for any data that can be used to uniquely identify an individual. This data can be anything from the person's name to a fingerprint (think biometrics), credit card number, or patient record. A birthday together with a full name makes it personally identifiable information.
A UNIX administrator would like to use native commands to provide a secure way of connecting to other devices remotely and to securely transfer files. Which of the following protocols could be utilized? (Select TWO). A. RDP B. SNMP C. FTP D. SCP E. SSH
Answer: D,E Explanation: SSH is used to establish a command-line, text-only interface connection with a server, router, switch, or similar device over any distance. Secure Copy Protocol (SCP) is a secure file-transfer facility based on SSH and Remote Copy Protocol (RCP). SCP is commonly used on Linux and Unix platforms
An administrator implements SELinux on a production web server. After implementing this, the web server no longer serves up files from users' home directories. To rectify this, the administrator creates a new policy as the root user. This is an example of which of the following? (Select TWO). A. Enforcing SELinux in the OS kernel is role-based access control B. Enforcing SELinux in the OS kernel is rule-based access control C. The policy added by the root user is mandatory access control D. Enforcing SELinux in the OS kernel is mandatory access control E. The policy added by the root user is role-based access control F. The policy added by the root user is rule-based access control
Answer: D,F Explanation: Enforcing SELinux in the OS kernel is mandatory access control. SELinux is Security Enhanced Linux which is a locked down version of the OS kernel. Mandatory Access Control (MAC) is a relatively inflexible method for how information access is permitted. In a MAC environment, all access capabilities are predefined. Users can't share information unless their rights to share it are established by administrators. Consequently, administrators must make any changes that need to be made to such rights. This process enforces a rigid model of security. However, it is also considered the most secure security model. The policy added by the root user is rule-based access control. The administrator has defined a policy that states that users folders should be served by the web server. Rule-Based Access Control (RBAC) uses the settings in preconfigured security policies to make all decisions.
Joe, a user, wants to send an encrypted email to Ann. Which of the following will Ann need to use to verify that the email came from Joe and decrypt it? (Select TWO). A. The CA's public key B. Ann's public key C. Joe's private key D. Ann's private key E. The CA's private key F. Joe's public key
Answer: D,F Explanation: Joe wants to send a message to Ann. It's important that this message not be altered. Joe will use the private key to create a digital signature. The message is, in effect, signed with the private key. Joe then sends the message to Ann. Ann will use the public key attached to the message to validate the digital signature. If the values match, Ann knows the message is authentic and came from Joe. Ann will use a key provided by Joe—the public key—to decrypt the message. Most digital signature implementations also use a hash to verify that the message has not been altered, intentionally or accidently, in transit. Thus Ann would compare the signature area referred to as a message in the message with the calculated value digest (her private key in this case). If thevalues match, the message hasn't been tampered with and the originator is verified as the person they claim to be.
Human Resources (HR) would like executives to undergo only two specific security training programs a year. Which of the following provides the BEST level of security training for the executives? (Select TWO). A. Acceptable use of social media B. Data handling and disposal C. Zero day exploits and viruses D. Phishing threats and attacks E. Clean desk and BYOD F. Information security awareness
Answer: D,F Explanation: Managers/ i.e. executives in the company are concerned with more global issues in the organization, including enforcing security policies and procedures. Managers should receive additional training or exposure that explains the issues, threats, and methods of dealing with threats. Management will also be concerned about productivity impacts and enforcement and how the various departments are affected by security policies. Phishing is a form of social engineering in which you ask someone for a piece of information that you are missing by making it look as if it is a legitimate request. An email might look as if it is from a bank and contain some basic information, such as the user's name. Executives an easily fall prey to phishing if they are not trained to lookout for these attacks
After a recent internal audit, the security administrator was tasked to ensure that all credentials must be changed within 90 days, cannot be repeated, and cannot contain any dictionary words or patterns. All credentials will remain enabled regardless of the number of attempts made. Which of the following types of user account options were enforced? (Select TWO). A. Recovery B. User assigned privileges C. Lockout D. Disablement E. Group based privileges F. Password expiration G. Password complexity
Answer: F,G Explanation: Password complexity often requires the use of a minimum of three out of four standard character types for a password. The more characters in a password that includes some character type complexity, the more resistant it is to password-cracking techniques. In most cases, passwords are set to expire every 90 days