601 Pre-Assessment Exam
50. You are reviewing a report created after a recent vulnerability scan. However, it isn't clear if the scan was run as a credential scan or a non-credentialed scan. Which of the following would give you the BEST indication that the scan was a credentialed scan? A. The report shows software versions of installed applications. B. The report shows a large number of false positives. C. The report shows a listing of IP addresses it discovered. D. The report shows a listing of open ports.
A is correct. A credentialed scan will show software versions of installed applications. A credentialed scan will show fewer false positives, not more. Any scan should list IP addresses it discovered along with open ports on these hosts. Chapter 8
52. You suspect servers in your screened subnet are being attacked by an Internet-based attacker. You want to view IPv4 packet data reaching these servers from the Internet. Which of the following would be the BEST choice to meet this need? A. Protocol analyzer B. IP scanner C. Vulnerability scanner D. Proxy server E. Heuristic-based IDS
A is correct. A protocol analyzer can capture and analyze packets on a network. An IP scanner (sometimes called a network scanner) identifies hosts within a network by identifying active IP addresses and additional information about each active host. Vulnerability scanners scan hosts within a network looking for vulnerabilities. Proxy servers (also known as forward proxy servers) forward requests for services from a client. Heuristic-based (sometimes called behavior-based) intrusion detection systems (IDSs) detect intrusions by identifying anomalies. Chapter 8
66. Your organization maintains a data center to store data. Management has decided to move a large amount of financial data into cloud storage to reduce costs with the data center. This data is regularly accessed and sometimes manipulated by employees, customers, and vendors around the world. Management has mandated that the data always needs to be encrypted while in the cloud. Which of the following is the BEST choice to meet these requirements? A. Symmetric encryption B. Asymmetric encryption C. Homomorphic encryption D. Steganography encryption
C is correct. Homomorphic encryption allows data to be accessed and manipulated while it is encrypted. Symmetric and asymmetric encryption methods require data to be decrypted before it is manipulated. Steganography isn't truly encryption, but instead it simply hides data within data. Chapter 10
60. Cybersecurity experts in your organization are creating a detailed plan identifying how to recover critical systems if these systems suffer a complete loss. What type of plan are they MOST likely creating? A. Backup plan B. Incident response plan C. Communications plan D. Disaster recovery plan
D is correct. A disaster recovery plan (DRP) identifies how to recover critical systems after a disaster. Backup plans are typically focused on backing up and restoring data, not systems. An incident response plan is implemented after a security incident, but all security incidents do not result in a complete lost of systems. A communications plan is part of an incident response plan and provides direction on how to communicate issues related to an incident. Chapter 9
70 Your organization has hired outside consultants to evaluate forensic processes used by internal security specialists. The consultants are evaluating the tools and processes used for digital forensics to identify any variations that may exist. Which of the following BEST describes what these consultants are performing? A. AUP B. NDA C. SLA D. MSA
D is correct. A measurement systems analysis (MSA) evaluates the processes and tools used to make measurements. An acceptable user policy (AUP) informs users of company expectations when they use computer systems and networks, and it defines acceptable rules of behavior. A non-disclosure agreement (NDA) ensures that individuals do not share proprietary data with others. A service level agreement (SLA) is an agreement between a company and a vendor that stipulates performance expectations, such as minimum uptime and maximum downtime levels. Chapter 11
1. Your organization is planning to expand the data center to support more systems. Management wants the plan to focus on resiliency and uptime. Which of the following methods would BEST support these goals? Select TWO. A. UPS B. Cold Site C. NIC teaming D. Off-site backups
A and C are correct. An uninterruptible poser supply (UPS) and network interface card (NIC) teaming support resiliency and uptime goals. The UPS ensures the system stays up if power is lost. NIC teaming automatically recovers if one of the NICs or NIC inputs fail. Resiliency methods help systems heal themselves and recover from faults automatically. A cold site cannot take over automatically and is not quick. Off-site backups would need to be retrieved and applied by a person so they aren't automatic. (Chapter 1)
11. You are reviewing security controls and their usefulness. You notice that account lockout policies are in place. Which of the following attacks will these policies thwart? Select TWO: A. Brute force B. DNS poisoning C. Username identification D. Tunneling certificate E. Hardware token
A and C are correct. Brute force and dictionary attacks attempt to guess passwords, but an account lockout control locks an account after the wrong password is guessed to many times. The other attacks are not passwords attacks,m so they aren't mitigated using account lockout controls. Domain Name System (DNS) poisoning attempts to redirect web browsers to malicious URLs. Replay attacks attempt to capture packets to impersonate one of the parties in an online session. Buffer overflow attacks attempt to overwhelm online applications with unexpected code or data (Chapter 2 and 10)
2. You are tasked with improving the overall security of several servers in your data center. Which of the following are preventative controls that will assist with this goal? Choose TWO. A. Disabling unnecessary services B. Adding cable locks C. Monitoring logs on SIEM systems D. Implementing a backup plan E. Closing unneeded ports
A and E are correct. Disabling unnecessary services and closing unneeded ports are steps you can take to harden a server. They are preventative controls because they help prevent an incident. Cable locks are a type of physical control and are typically used on laptops, not on servers. monitoring logs on security information and event management systems is a detective control. A backup plan is a corrective control (Chapter 1)
72. Security administrators have been responding to an increasing number of incident alerts, making it harder for them to respond to each promptly. Management wants to implement a solution that will automate the response of some of these incidents without requiring real-time involvement by security administrators. Which of the following will BEST meet this need? A. SOAR B. DLP C. STIX D. TAXII
A is correct. A Security Orchestration, Automation, and Response (SOAR) tool can be configures with SOAR runbooks to automate the response of these incidents and is the best choice of the available answers. A data loss prevention (DLP) device typically monitor outgoing traffic to prevent confidential information from getting outside the organization, While a SOAR runbook may include DLP action, a SOAR runbook can do much more. Structured Threat Information eXpression (STIC) defines standardized language used to share cyber threat information. TAXII (Trusted Automated eXchange of Indicator Information) defines a set of services and message exchanges that can be used to share information. STIX identifies what to share and TAXII identifies how to share it. Chapter 11
13. After a recent attack, security investigators discovered that attackers logged on with an administrator account. They recommend implementing a solution that will thwart this type of attack in the future. The solution must support the following requirements: - Allow authorized users to access the administrator account without knowing the password. - Allow authorized users to check out the credentials when needed. - Log each time the credentials are used. - Automatically change the password. Which of the following answers would meet these requirements? A. Privileged access management B. OpenID Connect C. MAC scheme D. MFA
A is correct. A privileged access management system protects and limits access to privileged accounts such as administrator accounts. OpenID Connect is used for authentication and authorization on the Internet, not internal networks. A mandatory access control (MAC) scheme uses labels to control access, but it isn't used to control access to administrator accounts. Multifactor authentication (MFA) uses more than one factor of authentication, but it doesn't meet any of the requirements of this scenario. Chapter 2
57. A security analyst recently completed a BIA and defined the maximum acceptable time for a critical system. What does this identify? A. RTO B. RPO C. MTTR D. MTBF
A is correct. A recovery time objective (RTO) identifies the maximum amount of time it can take to restore a system after an outage. It is directly related to the maximum acceptable outage time defined in a business impact analysis (BIA). None of the other answers are related to the maximum acceptable outage time. A recovery point objective (RPO) identifies a point in time where data loss is acceptable, and refers to databases. The Mean time between failures (MTBF) provides a measure of a system's reliability and is usually represented in hours. The mean time to repair (MTTR) identifies the average (the arithmetic mean) time it takes to restore a failed system. Chapter 9
7. Your network includes dozens of servers. Administrators in your organization are having problems aggregating and correlating the logs from these servers, Which of the following provides the BEST solution for these problems? A. SIEM B. Syslog C. NetFlow D. sFlow
A is correct. A security information and event management (SIEM) system collects, aggregates, and correlates logs from multiple sources. Syslog is a protocol that specifies log entry formats that many SIEMs use. It is also the name of a log on Linux systems. NetFlow is a network protocol (developed by Cisco) used to collect and monitor network traffic. The sFlow (sampled flow) protocol is used to collect a sampling of network traffic for monitoring. (Chapter 1)
74. A forensic expert is preparing to analyze a hard drive. Which of the following should the expert do FIRST? A. Capture an image of the disk with dd. B. Identify the order of volatility. C. Copy the contents of memory with memdump. D. Create a chain of custody document.
A is correct. Before analyzing a hard drive, a forensic expert should capture an image of the hard drive and then analyze the image. The dd (short for data duplicator) command-line tool can be used to create an image of a disk without modifying it. This protects the original disk from accidental modifications and preserves it as usable evidence. While not available as a possible answer, a hash of the original drive should be created before capturing an image. The order of volatility identifies which date is most volatile (such as cache) and which is least volatile (such as hard drives). Although the memdump command is used to copy the contents of memory, this scenario is focused on a hard drive. A chain of custody document should be created when evidence is first collected. Chapter 11
43. Your organization hosts a web application selling digital products. Customers can also post comments related to their purchases. Management suspects that attackers are looking for vulnerabilities that they can exploit. Which of the following will BEST test the cybersecurity resilience of this application? A. Fuzzing B. Input validation C. Error handling D. Anti-malware
A is correct. Fuzzing is a type of dynamic code analysis, and it can test the application's cybersecurity resilience. Fuzzing sends random data to an application to verify the random data doesn't crash the application or expose the system to a data breach. Input validation and error-handling techniques protect applications but do not test them. Anti-malware protects systems from malware attacks, but it doesn't test a system. Chapter 7
3. Your organization houses a server room, and management wants to increase the server room security. You are tasked with identifying some deterrent controls that can be implemented to protect it. Which of the following choices would BEST meet this objective? A. Hardware locks B. Data encryption C. A vulnerability assessment D. Backups
A is correct. Hardware locks are deterrent controls because they would deter someone from entering or accessing the servers in bays if bay door locks are used. They are also examples of physical controls. None of the other answers increase the security of the server room. Data encryption is a technical control designed to protect data on the servers. A vulnerability assessment is a managerial controls designed to discover vulnerabilities. Backups are corrective controls designed to reverse the impact of data loss or corruption. (Chapter 1)
63. An organization requested bids for a contract and asked companies to submit their bids via email. After winning the bid, BizzFad realized it couldn't meet the requirements of the contract. BizzFad instead stated that it never submitted the bid. Which of the following would provide proof to the organization that BizzFad did submit the bid, if it was used? A. Digital signature B. Integrity C. Repudiation D. Encryption
A is correct. If BizzFad submitted the bid via email using a digital signature, it would provide proof that BizzFad submitted the bid. Digital signatures provide verification of who sent a message, non-repudiation preventing them from denying it, and integrity verifying the message wasn't modified. Integrity verifies the message wasn't modified. Repudiation isn't a valid security concept. Encryption protects the confidentiality of data, but it doesn't verify who sent it or provide non-repudiation. Chapter 10
26. Administrators are designing a site-to-site VPN between offices in two different cities. Management mandated the use of certificates for mutual authentication. Additionally, they want to ensure that internal IP addresses are not revealed. Whit of the following is the BEST choice to meet these requirements? A. IPsec VPN using Tunnel mode B. IPsec VPN using Transport mode C. L2TP VPN D. VLAN VPN
A is correct. Internet Protocol Security (IPsec) using Tunnel mode is the best choice of the available answers. IPsec provide mutual authentication, and Tunnel mode will encrypt both the payload and the packet headers, hiding the internal IP addresses. Transport mode will encrypt the payload only, leaving the internal IP addresses exposed. A VPN using Layer 2 Tunneling Protocol (L2TP) only doesn't provide any encryption. Virtual local area networks (VLANs) provide network segmentation but can't be used as a VPN. Chapter 4
64. An application requires users to log on with passwords. The application developers want to store the passwords in such a way that it will thwart rainbow table attacks. Which of the following is the BEST solution? A. Implement salting. B. Implement hashing. C. Implement homomorphic encryption. D. Implement perfect forward secrecy.
A is correct. Salting passwords is a common method of preventing rainbow table attacks. Salting adds additional data to the password before hashing it. Rainbow table attacks use precomputed hashes to discover passwords so hashing the passwords won't thwart rainbow table attacks. Homomorphic encryption is used to protect data stored in cloud environments and it allows data to remain encrypted while it is being processed. Perfect forward secrecy is related to encryption and indicates that a cryptographic system generates random keys for each session. Chapter 10
14. Lisa wants to implement a secure authentication system on a website. However, instead of collecting and storing user passwords, she wants to use a third-party system. Which of the following is the BEST choice to meet this goal? A. SAML B. Kerberos C. SSH D. OAuth
A is correct. Security Assertion Markup Language (SAML) is a single sign-on SSO solution that can use third-party websites, and it provides authentication. Kerberos is an SSO solution used on internal networks, such as Microsoft Active Directory domains. Secure Shell SSH) is used for remote administration. OAuth (think of this as Open Authentication) is used for authorization, but the scenario wants a solution for authentication. Chapter 2
36. Lisa completed an antivirus scan on a server and detected a Trojan. She removed the Trojan but was concerned that unauthorized personnel might still be able to access data on the server and decided to check the server further. Of the following choices, what is she MOST likely looking for on this server? A. Backdoor B. Logic bomb C. Rootkit D. Botnet
A is correct. She is most likely looking for a backdoor because Trojans commonly create backdoors, and a backdoor allows unauthorized personnel to access data on the system. Logic bombs and rootkits can create backdoor accounts, but Trojans don't create logic bombs and would rarely install a rootkit. The computer might be joined to a botnet, but a botnet is a group of computers. Chapter 6
6. You suspect that attackers have been performing a password spraying attack against a Linux server. Which of the following would be the BEST method of confirming your suspicion? A. Use the cat command to view the auth.log file. B. Implement an account lockout policy C. Salt passwords to prevent the success of the spraying D. Use the logger command to view unsuccessful logins.
A is correct. The cat command (concatenate) displays the entire contents of a file and the auth.log file shows all unsuccessful (and successful) logins, and this is the only choice of the available answers that confirms past activity. An account lockout policy locks an account after too many incorrect passwords within a certain time frame, but a spraying attack uses a time lapse between each password attempt to bypass an account lockout policy. Salting passwords is often used to prevent rainbow table-based attacks, but salt's aren't effective against spraying attacks. The logger command is used to add log entries into the syslog file but doesn't examine log entries. (Chapter 1)
10. A SQL database server was recently attacked. Cybersecurity investigators discovered the attack was self-propagating through the network. When it found the database server, it used well-known credentials to access the database. Which of the following would be the BEST action to prevent this from occurring again? A. Change the default application password. B. Remove the worm. C. Implement 2FA D. Conduct a code review.
A is correct. The default application password for the SQL server should be changed. Some SQL Server software implementations can have a default blank password for the SA account (System Administrator) account), and these default credentials are well-known. While the scenario describes a worm because it is self-propagating, the question is asking for the best preventative action to take. Using two-factor authentication (2FA) is a good practice for users, but it isn't always feasible for application passwords. A code review can detect flaws and vulnerabilities in internally developed applications, but SQL Server is Microsoft software (Chapter 2)
71. Your organization recently developed an incident response policy and is beginning to implement an incident response plan. Which of the following items is the FIRST step in an incident response process? A. Preparation B. Identification C. Containment D. Eradication
A is correct. The first step in an incident response process is preparation. When a potential incident occurs, the nest step is identification. If the event is a security incident, the next step is containment to isolate the incident and limit the damage. Next, personnel take steps to eradicate all elements that caused the incident, such as malware or compromised accounts. The last two steps in the incident response process are recovery and lessons learned. Chapter 11
39. A SIEM system is sending several alerts indicating malware has infected several employee computers. After examining the border firewall and NIDS logs, IT personnel cannot identify malicious traffic entering the network from the Internet. Additionally, they discover that all of these employees attended a trade show during the past two days. Which of the following is the MOST likely source of this malware? A. A fileless virus embedded in a vCard B. Malware on USB drives C. A Trojan delivered from a botnet D. Worms included in presentation media
A is correct. The most likely source (of the given answers) is a fileless virus embedded in a vCard, also known as a Virtual Contact File (VCF). People regularly share contact information at trade shows with vCards, but they can sometimes include malicious code. The scenario doesn't mention USB drives. Malicious traffic from a botnet comes from the Internet, but administrators didn't detect any malicious traffic from the Internet. Speakers use presentation media (such as PowerPoint presentations) while speaking, but viewing presentation media won't infect systems. Chapter 6
29. The Springfield school system stores some data in the cloud using its own resources. The Shelbyville Nuclear Power Plant also stores some data in the cloud using its own resources. Later, the two organizations decide to share some data in both clouds for educational purposes. Which of the following BEST describes the cloud created by these two organizations? A. Community B. Private C. Public D. Xaas
A is correct. They created a community cloud. In the scenario, the two organizations have a common goal of sharing educational materials. The individual clouds created by each organization or private clouds., but the shared community cloud resources are not private. A public cloud would be available to anyone, but the scenario wants to restrict access to just two organizations. Anything as a Service (XaaS) refers to cloud services beyond IaaS, PaaS. and SaaS. Chapter 5
45. Hacker Harry has an account on a website that he uses when posting comments. When he visits, he enters his username and password to log on, the the site displays his username with any comments he makes. Today, he noticed that he could enter JavaScript as part of his username. After entering the code, other users experience unexpected results when hovering over his username. What does this describe? A. Cross-site scripting B. Input validation C. Privilege escalation D. Directory traversal
A is correct. This is an example of a cross-site scripting (XSS) attack. It can be prevented by using proper input validation techniques to prevent users from entering malicious code into a site's text box. Privilege escalation techniques attempt to give an attacker more rights and permissions. In a directory traversal attack, the attacker can navigate a system's directory structure and read files. Chapter 7
25. Before personnel can enter a secure area, they must first place their smartphones in one of several conductive metal lockboxes. The company implemented this policy because management is concerned about risks related to intellectual property. Which of the following represents the GREATEST risk to intellectual property that this policy will mitigate? A. Bluesnarfing B. Theft of smartphones C. Data exfiltration over a mobile hotspot D. To enable geofencing
A is correct. This policy will prevent Bluesnarfing, which is the unauthorized access of information from a wireless device through a Bluetooth connection. The conductive metal lockboxes act as a small Faraday cage and will block Bluetooth signals. While the lockboxes will help prevent theft, there's no need to pay extra for conductive lockboxes if theft is the greatest risk. Hotspots are typically in public locations. A company would set up a network providing Wi-Fi access, not a hotspot. Geofencing creates a virtual fence using GPS, but devices within a Faraday cage wouldn't be able to reach GPS. Chapter 4
48. Ziffcorp is developing a new technology that they expect to become a huge success when it's released. The CIO is concerned about someone stealing their company secrets related to this technology. Which of the following will help the CIO identify potential dangers related to the loss of this technology? A. Threat hunting B. Vulnerability scan C. SOAR D. SIEM
A is correct. Threat hunting is the process of actively looking for threats within a network before an automated tool detects and reports on the threat. It typically includes several elements. A vulnerability scan evaluates vulnerabilities (or weaknesses) with a network or a specific system, but it doesn't look for threats. A Security Orchestration, Automation, and Response (SOAR) platform can be configured to automatically respond to low-level incidents, but this scenario indicates that they need to look for more than just low-level threats. A security information and event management (SIEM) is used to collect and aggregate logs and can assist with threat hunting, but threat hunting is much broader. Chapter 8
5. You are using a Linux computer to monitor network traffic. After connecting your computer to the mirror port of a switch, you started logging software on the computer. However, you discover that the only traffic being collected is traffic to or from the Linux computer. You want to collect all traffic going through the switch. Which of the following actions should you take? A. Run the command ifconfig eth0 promisc. B. Run the command ipconfig eth0 promisc. C. Connect the computer to a router D. Reconfigure the switch.
A is correct. You should run the command ifconfig eth0 promisc to enable promiscuous mode on eth0, the network interface card (NIC). Promiscuous mode allows a NIC to process all traffic it receives, instead of only traffic addressed to it. The ipconfig command is used on Windows systems and doesn't support this feature. The scenario indicates she wants to collect traffic going through the switch, so connecting to a router isn't necessary. Port mirroring on a switch sends a copy of all traffic received by the switch to the mirror port. The scenario indicates this is configured, so the switch doesn't need to be configured. (Chapter 1)
44. An attacker has launched several successful XSS attacks on a web application hosted by your organization. Which of the following are the BEST choices to protect the web application and prevent this attack? Select TWO: A. Dynamic code analysis B. Input validation C. Code obfuscation D. WAF E. Normalization
B and D are correct. Input validation and a web application firewall (WAF) are the best choices of the available answers. Both protect against cross-site scripting (XSS) attacks. Input validation validates data before using it to help prevent XSS attacks. A WAF acts as an additional firewall that monitors, filters, and/or blocks HTTP traffic to a web server. None of the other answers will directly prevent XSS attacks. Dynamic code analysis (such as fuzzing) can test code. Code obfuscation makes the code more difficult to read. Normalization refers to organizing tables and columns in a database to reduce redundant data and improve overall database performance. Chapters 3 & 7
56. Your organization's backup policy for a file server dictates that the amount of time needed to restore backups should be minimized. Which of the following backup plans would BEST meet this need? A. Full backups on Sunday and incremental backups on the other 6 days of the week. B. Full backups on Sunday and differential backups on the other 6 days of the week. C. Incremental backups on Sunday and differential backups on the other 6 days of the week D. Differential backups on Sunday and incremental backups on the other 6 days of the week.
B is correct. A full/differential backup strategy is best with one full backup on one day and differential backups on the other days. A restore would require only two backups, making it quicker than the other options. A full/incremental backup would typically require you to restore more than two backups. For example, data loss on Friday would require you to restore the full backup, plus four incremental backups. Backup that start with a full backup, so neither an incremental/differential nor a differential/incremental backup strategy is possible.
32. A small business owner has asked your for advice. She wants to improve the company's security posture, but she doesn't have any security staff. Which of the following is the BEST solution to meet her needs? A. SOAR B. MSSP C. SaaS D. XaaS
B is correct. A managed security service provider (MSSP) is a third-party vendor that provides security services for an organization, and its the best solution for this scenario. A security Orchestration, Automation, and Response (SOAR) solution automates incident response for some events, but it will augment services already provided by security staff within an organization. SOAR would not work here because the small business doesn't have any security staff. Software as a Service (SaaS) includes any software or application provided to users over a network such as the Internet. Anything as a Service (XaaS) refers to cloud services beyond SaaS, IaaS, and PaaS. Chapter 5
55. Administrators at your organization want to increase cybersecurity resilience on key servers by adding fault tolerance capabilities. However, they have a limited budget. Which of the following is the BEST choice to meet these needs? A. Alternate processing site B. RAID-10 C. Backups D. Faraday cage
B is correct. A redundant array of inexpensive disks 10 (RAID-10) subsystem provides fault tolerance for disks and increases cybersecurity resilience. In this context, cybersecurity resilience refers to a system's ability to continue to operate even after an adverse event. An alternate processing site can provide cybersecurity resilience for an entire site, but it is expensive and does much more than provide fault tolerance for some servers. Backups contribute to cybersecurity resilience, but they do not help with fault tolerance. A Faraday cage is a room or enclosure that prevents signals from emanating beyond the room. Chapter 9
46. Which of the following BEST describes the purpose of a risk register? A. It shows risks on a plot or graph. B. It provides a listing of risks, the risk owner, and the mitigation measures. C. It shows risks on a color-coded graph. D. It evaluates the supply chain.
B is correct. A risk register list risks and often includes the name of the risk, the risk owner, mitigation measures, and a risk score. A risk matrix plots risks into a graph or chart, and a heat map plots risks onto a color-coded graph or chart. While a risk register may evaluate supply chain risks, it does much more. Chapter 8
53. Your organization has decided to move some data to a cloud provider, and management has narrowed their search down to three possible choices. Management wants to ensure that the cloud provider they choose has strong cybersecurity controls in place. Which of the following reports would they MOST likely want to cloud provider to give to them? A. SOC 2 Type I B. SOC 2 Type II C. SOC 3 D. SOC 1
B is correct. A system and Organization Controls (SOC) 2 report is a report on organizational controls that cover cybersecurity. A SOC 2 Type II report identifies the controls in place during a date range of at least six months. A SOC 2 Type I report identifies the controls in place during a specific date. A SOC 3 report is a generalized report sometimes available to the public. A SOC 1 report is a detailed report covering financial and auditable controls for an organization and is sometimes provided by organizations that process financial data. Chapter 8
35. Homer recently received a phishing email with a malicious attachment. He was curious so he opened it to see what it was. It installed malware on his system, and quickly spread to other systems in the network. Security investigators discovered that the malware exploited a vulnerability that wasn't previously known by any trusted sources. Which of the following BEST describes this attack? A. Open source intelligence B. Zero-day C. Hoax D. DDoS
B is correct. A zero-day exploit is one that isn't known by trusted sources such as antivirus vendors or operating system vendors. Attackers use open source intelligence to identify a target. Some typical sources are social media sites and news outlets. A hoax is not a specific attack. It is a message, often circulated through email that tells of impending doom from a virus or other security threat that simple doesn't exist. A distributed denial-of-service (DDoS) attack comes from multiple sources, not as a single phishing email. Chapter 6
24. A coffee shop recently stopped broadcasting the SSID (coffee Wifi) for its wireless network. Instead, paying customers can view it on their receipt and use it to connect to the coffee shop's wireless network. Today, Lisa turned on her laptop computer, saw the SSID coffee Wifi, and connected to it. Which of the following attacks is MOST likely occurring? A. Rogue AP B. Evil twin C. Jamming D. Bluejacking
B is correct. An evil twin is a rogue access point (AP) with the same or similar server set identifier (SSID) as a legitimate access point. The actual SSID coffee Wifi has a broadcasting turned off, but the evil twin SSID of coffee Wifi is broadcasting, allowing users to see it. While it is also a rogue AP, evil twin is a more accurate answer since it is similar to the actual SSID. Jamming typically prevents anyone from connecting to a wireless network. Bluejacking is related to Bluetooth, not wireless networks. Chapter 4
17. Your organization plans to deploy a server in the screened subnet that will perform the following functions: - identify mail servers - provide data integrity - prevent poisoning attacks - respond to request for A and AAAA records. Which of the following will BEST meet these requirements? A. DNS B. DNSSEC C. TLS D. ESP
B is correct. Domain Name System Security Extensions (DNSSEC) add security to DNS systems and can prevent DNS poisoning attacks by adding data integrity to DNS records. The function in the list indicate that the server in the screened subnet (sometimes called a demilitarized zone (DMZ) is a DNS server but for the DNS server to provide data integrity and prevent DNS poisoning, it needs DNSSEC. DNSSEC uses a Resource Record Signature (RRSIG), commonly referred to as a digital signature, to provide data integrity and authentication for DNS replies. RRSIG can use Transport Layer Security (TLS) to create the signature, but TLS by itself doesn't provide the required protection. Internet Protocol security (IPSec) uses Encapsulating Security Payload (ESP) to encrypt data. Chapter 3
28. Bart needs to send an email to his supervisor with an attachment that includes sensitive information. He wants to maintain the confidentiality of this information. Which of the following choices is the BEST choice to meet his needs? A. Digital signature B. Encryption C. Data masking D. Hashing
B is correct. Encryption is the best choice to provide confidentiality of any type of information, including sensitive information. A digital signature provides integrity, non-repudiation, and authentication. Data masking modifies the original data, producing data that looks valid but is not authentic. Hashing provides integrity. Chapter 5
68. An administrator is installing a certificate with a private key on a server. Which of the following certificate types is he MOST likely installing? A. DER B. P12 C. CER D. P78
B is correct. P12 (PKCS #12) certificates commonly include a private key and they are used to install a private key on a server. A Distinguished Encoding Rules (DER)-based certificate is a binary encoded file and a Canonical Encoding Rules (CER)-based certificate is an ASCII encoded file. However, DER and CER are used to define the format, not the content (such as a private key). While a P12 certificate does use a DER format, not all DER certificates include private keys. A P7B (PKCS #7) certificate is used to share the public key and never includes the private key. Chapter 10
30. Your organization is planning to implement a CYOD deployment model. You're asked to provide input for the new policy. Which of the following concepts are appropriate for this policy? A. SCADA access B. Storage segmentation D. Database Security D. Embedded RTOS
B is correct. Storage segmentation creates separate areas in mobile devices and can be used with a choose your own device (CYOD) mobile device deployment model where users own their devices. None of the other answers are directly related to mobile devices. A supervisory control and data acquisition (SCADA) system controls industrial control systems (ICSs), such as those used in nuclear power plants or water treatment facilities, and SCADA systems should be isolated. Database security includes the use of permissions and encryption to protect data in a database but is unrelated to mobile device deployment. Some embedded systems use a real-time operating system (RTOS) when the system must react within a specific time. Chapter 5
23. Attackers have recently launched several attacks against servers in your organization's DMZ. You are tasked with identifying a solution that will have the best chance at preventing these attacks in the future. Which of the following is the BEST choice? A. An anomaly-based IDS B. An inline IPS C. A passive IDS D. A signature-based IDS
B is correct. The best solution of the given choices is an in-band intrusion prevention system (IPS). Traffic goes through the IPS, and the IPS can prevent attacks from reaching internal systems. An intrusion detection system (IDS) is passive and not inline, so it can only detect and react to the attacks, not block them. A signature-based IDS can detect known attacks based on the attack's signature, but there isn't any indication that the past attacks were known. Chapter 4
58. The new chief technology officer (CTO) at your organization wants to ensure that critical business systems are protected from isolated outages. Which of the following would let her know how often these systems will experience outages? A. MTTR B. MTBF C. RTO D. RPO
B is correct. The mean time between failures (MTBF) provides a measure of a system's reliability and would provide an estimate of how often the systems will experience outages. The mean time to repair (MTTR) refers to the time it takes to restore a system, not the time between failures. The recovery time objective (RTO) identifies the maximum amount of time it can take to restore a system after an outage. The recovery point objective (RPO) identifies a point in time where data loss is acceptable. Chapter 9
38. Employees at the Marvin Monroe Memorial Hospital are unable to access any computer data. Instead, they occasionally see a message indicating that attackers encrypted all the data and it would remain encrypted until the attackers received a hefty sum as payment. Which of the following BEST describes this attack? A. Criminal syndicate B. Ransomware C. Fileless virus D. Rootkit
B is correct. The scenario described ransomware, where attackers typically encrypt data and demand payment to release the data. Although the attack might have been launched by a criminal syndicate because their motivation is primarily money, the question is asking about the attack, not the attacker. A Fileless virus injects code into existing scrips and may install ransomware, but a fileless virus is not ransomware. A rootkit is a program or group of programs that provide root-level access to a system but hides itself to evade detection. Chapter 6
40. Homer received an email letting him know he won the lottery. To claim the prize,. ne needs to confirm his identity by providing his name, phone number, address, and birth date. The email states he'll receive the prize after providing this information. What does this describe? A. Spear phishing B. Phishing C. Smishing D. Whaling
B is correct. This describes a phishing email that is trying to trick the user into revealing personal information. Spear phishing targets a group of people with a common connection, such as employees of a company. Smishing is a form of phishing that uses text messages. Whaling is a form of spear phishing that targets high-level executives in an organization. Chapter 6
49. Your organization hired a cybersecurity expert to perform a security assessment. After running a vulnerability scan, they see the following error on a web server: -Host IP 192.168.1.10 OS Apache httpd 2.433 Vulnerable to mod_auth exploit. However, she verified that the mod_auth module has not been installed or enabled on the server. Which of the following BEST explains this scenario? A. A false negative B. A false positive C. The result of a credentialed scan D. The result of a non-credentialed scan
B is correct. This is an example of a false positive. The vulnerability scanner is indicating a vulnerability exists with the mod_auth module. However, the mod_auth module is not installed or enabled on the server, so it cannot represent a vulnerability on the server. A false negative occurs when a vulnerability exists, but the scanner doesn't report it. The scenario doesn't give enough information to determine if this is a credentialed or a non-credentialed scan. However, a credentialed scan would allow a vulnerability scanner to have more visibility over the systems it scans, allowing it to get a more accurate view of the systems. Chapter 8
41. Some protocols include sequence numbers and timestamps. Which of the following attacks are thwarted by using these components? A. MAC flooding B. Replay C. SYN flood D. Salting
B is correct. Timestamps and sequence numbers act as a countermeasure against replay attacks. None of the other choices are attacks that timestamps and sequence numbers can thwart. A media access control (MAC) flood attack attempts to overload a switch with different MAC addresses. SYN (synchronize) flood attacks disrupt the TCP three-way handshake. Salting isn't an attack, but it does protect against brute force attacks on passwords. Chapter 7
75. Your company hosts an e-commerce site that sells renewable subscriptions for services. Customers can choose to renew their subscription monthly or annually automatically. However, management doesn't want to store customer credit card information on any database or system managed by the company. Which of the following can be used instead? A. Pseudo-anonymization B. Tokenization C. Data minimization D. Anonymization
B is correct. Tokenization is the best choice. It stores a token created by the credit card processor instead of the credit card number, and this token can be used to make charges. Pseudo-anonymization replaces data with artificial identifies, but the process can be reversed. Data anonymization modifies data to protect the privacy of individuals by either removing all Personally Identifiable Information or encrypting it. Data minimization is a principle requiring organizations to limit the data they collect and use. Chapter 11
20. Maggie is a sales representative for a software company. While in a coffee shop, she uses her laptop to connect to the public wi-Fi, check her work emails, and upload details of a recent sale. Which of the following would she use to prevent other devices on the public network from accessing her laptop? Choose the BEST Two Choices: A. TPM B. HSM C. Firewall D. DLP E. VPN
C and E are correct. A firewall and a virtual private network (VPN) would prevent other devices from accessing her laptop. A host-based firewall provides primary protection. The VPN encrypts all of her Internet-based traffic going over the public Wi-Fi. A Trusted Platform Modula (TPM) provides full drive encryption and would protect the data if someone accessed the laptop, but it doesn't prevent access. A hardware security module (HSM) is a removable device that can generate and store RSA keys used with servers. A data loss prevention (DLP) devices helps prevent unauthorized data from leaving a network, but it doesn't prevent access. Chapter 3
18. Your organization has added a hot site as shown in the following graphic. All firewalls should enforce the following requirements: - Use only secure protocols for remote management - block cleartext web traffic Users in the hot site are unable to access websites in the Internet. The following graphic shows the current rules configured in Firewall 3. You're asked to verify the rules are configured correctly. Which rule, if any should be changed in Firewall 3? A. HTTPS Outbound B. HTTP Outbound C. DNS D. Telnet E. SSH F. None. All rules are correct
C is correct. The Domain Name System (DNS) rule should be changed because the source IP address is incorrect. It should be 10.0.3.0/24 instead of 10.0.1.0/24. All other rules are configures correctly. Chapter 3
33.. Management at the Goody New Shoes retail chain decided to allow employees to connect to the Internet network using their personal mobile devices. However, the organization is having problems with these devices, including the following: - Employees do not keep their devices updated. - There is no standardization among the devices. - The organization doesn't have adequate control over the devices. Management still wants to implement a mobile device deployment model to overcome these problems while still allowing employees to use their own devices. Which of the following is the BEST choice? A. BYOD B. COPE C. CYOD D. IaaS
C is correct. A choose your own device (CYOD) mobile device deployment model includes a list of acceptable devices that employees can purchase and connect to the network. IT management can implement a mobile device management (MDM) system to provide standardized management for these devices. The current policy is a bring your own device (BYOD) policy, but because of the lack of standardization, it's difficult for IT departments to adequately manage the devices and ensure they don't introduce vulnerabilities to the network. A corporate-owned personally enabled (COPE) policy indicates the organization owns the devices, not the employees. Infrastructure as a Service (IaaS) is a cloud computing option where the vendor provides access to a computer, but customers must install the operating system and maintain the system. Chapter 5
59. The Ninth National Bank of Springfield is considering an alternate location as part of its continuity of operations plan. It wants to identify a site resiliency solution that provides the shortest recovery time. Which of the following is the BEST choice? A. Cold site B. Warm site C. Hot site D, Snapshot
C is correct. A hot site has the shortest recovery time, but it is also the most expensive. Cold sites have the longest recovery time and are the least expensive. Warm sites have a shorter recovery time than cold sites but a longer recovery time than hot sites. A snapshot backup provides a backup of a disk at the moment in time and is sometimes used in digital forensics. Chapter 9
51. Your IT department includes a subgroup of employees dedicated to cybersecurity testing. Each member of this group has knowledge of known TTPs and how to use them. Additionally, each member of this group had knowledge of security controls that would be implemented to protect network resources. Which of the following BEST describes members of this team? A. Members of the red team B. Member of the blue team C. Members of the purple team D. Members of the white team
C is correct. A purple team is composed of personnel who can perform as either red team members or blue team members. A red team attacks and they often use tactics, techniques, and procedures (TTPs) that attackers have used in actual attacks. A blue team defends, and they would know about various security controls used to protect network resources. The white team wasn't mentioned in the scenario, but they don't perform any testing but instead set the rules and oversee the testing. Chapter 8
69. Your organization is negotiating with an outside vendor to host cloud-based resources. Management wants to ensure the vendor commits to returning the systems to full operation after an outage within a certain time frame. Which of the following is the organization MOST likely negotiating? A. MTTR B. NDA C. SLA D. DLP
C is correct. A service level agreement (SLA) is an agreement between a company and a vendor that stipulates performance expectations, including returning a system to full operation within a specific timeframe. The mean time to repair (MTTR) identifies the average (the arithmetic mean) time it takes to restore a failed system, but it does not provide a guarantee that the vendor will restore the system within the MTTR every time. A non-disclosure agreement (NDA) ensures that individuals do not share proprietary data with others. A data loss prevent (DLP) device typically monitors outgoing traffic to prevent confidential information from getting outside the organization. Chapter 11.
21. Your organization wants to combine some of the security controls used to control incoming and outgoing network traffic. At a minimum, the solution should include stateless inspection, malware inspection, and a content filter. Which of the following BEST meets this goal? A. VLAN B. NAT C. UTM D. DNSSEC E. WAF
C is correct. A unified threat management (UTM) device is an advanced firewall and combines multiple security controls into a single device such as a stateless inspection, malware inspection, and a content filter. None of the other answers include these components. You can configure a virtual local area network (VLAN) on a switch to provide network segmentation. Network Address Translation (NAT) translates public IP addresses to private IP addresses and private addresses back to public IP Addresses. Domain Name System Security Extensions (DNSSEC) is a suite of extensions for DNS that provides validation for DNS responses. A web application firewall (WAF) protects a web server from Internet-based attacks. Chapter 3
61. Your organization is planning to expand its cloud-based services offered to the public. In preparation, they expanded the data center. It currently has one row of racks for servers, but they plan to add at least one more row of racks for servers. Engineers calculated the power and HVAC requirements and said the best way to reduce utility costs is by ensuring the two server rows are facing in the opposite direction. What is the primary reason for this configuration? A. To provide fire suppression B. To reduce power consumption from the servers C. To create hot and cold aisles D. To create an air gap
C is correct. Hot and cold aisles have server rows facing the opposite direction and provide more efficient cooling systems within a data center. This results in reduced costs for the heating, ventilation, and air conditioning (HVAC) system and subsequently reduces power consumption to keep the data center cool. This does not reduce the poser consumption of the servers. Hot and cold aisles do not provide fire suppression. An air gap ensures systems are not connected to the same network, but the scenario indicates the servers will be connected for the cloud-based servers. Chapter 9
34. During a vulnerability scan, you discover some new systems in the network. After investigating this, you verify that these systems aren't authorized because someone installed them without going through a standard approval process. What does this describe? A. Hacktivist B. Script kiddie C. Shadow IT D. Authorized hacker
C is correct. Shadow IT refers to any systems or applications installed on a network without authorization or approval. Employees often add them to bypass security controls. A hacktivist launches an attack as part of an activist movement or to further a cause. A script kiddie is an attacker who uses existing computer scripts or code to launch attacks and typically has limited technical skills. An authorized hacker (sometimes referred to as a white hat attacker) is a security professional working within the law to protect an organization from attackers. Chapter 6
73. Security administrators have isolated a Linux server after a successful attack. A forensic analyst is tasked with creating an image of the hard drive of this system for analysis. Which of the following will the analyst MOST likely use to create the image? A. tcpreplay B. chmod C. dd D. Cuckoo
C is correct. The dd command is available on Linux systems, and it is used to copy disks and files for analysis. As an example, the dd if=/dev/sda2 of=sd2disk.img command creates an image of a disk without modifying the original disk. None of the other choices creates an image of a drive. Tcpreplay is a suite of utilities used to edit packet captures and resend them, and it includes the tcpreplay command. The chmod (short for change mode) command is used to change permissions on Linux systems. Cuckoo is an open source malware analysis system. It analyzes malware within a sandbox environment. Chapter 11
16. Lisa uses term-16a Linux system to regularly connect to a remote server named gcga with a secure SSH connection. However, the SSH account has a complex password, and she wants to avoid using it without sacrificing security. Which of the following commands would she use as a FIRST step when creating a password-less login with the remote system? A. ssh-copy-id -i ~.ssh/id_rsa.pub lisa@gcga B. chmod 644 ~/.ssh/id_rsa C. ssh-keygen -t rsa D. ssh root@gcga
C is correct. The first step would be to enter ssh-keygen -t rsa at the terminal. This creates an RSA-based key pair (a private key and a public key). The public key's location and the name is ~.ssh/id_rsa.pub, and the private key's location and the name is ~/.ssh/id_rsa. The second step is to copy the public key to the remote server using the command ssh-copy-id -i ~.ssh/id_ rsa.pub lisa@gcga. The private key should always stay private, but the chmod 644 command makes it readable by everyone, so it shouldn't be used. The ssh command connects to the remote server using Secure Shell (SSH). If the key pair is in place, it would use the key pair for authentication and not require the complex password. The ssh-keygen command is a utility within the OpenSSH suite of tools Chapter 3
65. Your SIEM system sent an alert related to multiple failed logins. Reviewing the logs, you notice login failures for about 100 different accounts. The logs then show the same accounts indicate login failures starting about three hours after the first login failure. Which of the following BEST describes this activity? A. A brute force attack B. A dictionary attack C. A spraying attack D. An account lockout attack
C is correct. This describes a spraying attack. The security information and event management (SIEM) logs would show that the attack loops through a long list of accounts, guessing one password for one account at a time. A brute force attack attempts to guess all possible character combinations for a password, and a dictionary attack uses a dictionary of words trying to discover the correct password. However, neither a brute force attack nor a dictionary attack loops through a list of user accounts. A spraying attack attempts to bypass an account lockout policy. An account lockout attack isn't relevant in this scenario. Chapter 10
37. Some network appliances monitoring incoming data have recently started sending alerts on potentially malicious files. You discover that these are PE32 files with the tar.gz extension, and they are being downloaded to several user systems. After investigating further, you discover these users previously opened an email with an infected MHT file. Which of the following answers BEST describes this scenario? A. The systems have joined a botnet. B. Users installed ransomware. C. Users installed a RAT, and it is downloading additional tools. D. Shadow IT is running in the network.
C is correct. This indicates that users installed a remote access Trojan (RAT) when they opened the email containing the malicious MHT file. An MHT file (or MHTML) is a webpage archive, and it will store HTML, CSS, images, JavaScript, and anything else in the webpage. After installing the RAT, attackers later began downloading Portable Executable (PE32) files to the compromised systems. While the systems may have joined a botnet, the scenario doesn't indicate that they are part of a botnet. Ransomware would indicate that it has controlled the user's computer or data, but this isn't indicated in this scenario. Show information technology (IT) refers to any unauthorized systems or applications within an organization. Chapter 6
9. The chief information officer (CIO) at your organization suspects someone is entering the data center after normal working hours and stealing sensitive data. Which of the following actions can prevent this? A. Upgrade the CCTV system. B. Require smart cards to enter the data center. C. Implement time-based logins. D. Enable advanced auditing.
C is correct. Time-based logins (time-of-day restrictions) would prevent this. They would prevent anyone from logging in after normal working hours and accessing sensitive data. All of the other answers can detect suspicious behavior, but they wouldn't prevent the users from logging in after normal working hours and stealing the data. (Chapter 2)
12. IT administrators created a VPN for employees to use while working from home. The VPN is configured to provide AAA services. Which of the following would be presented to the AAA system for identification? A. Password B. Permissions C. Username identification D. Tunneling certificate E. Hardware token
C is correct. Users would typically enter a username as identification for an authentication, authorization, and accounting (AAA) system. Users would provide a password as proof that the claimed identity (the username) is theirs. The password provides authentication. Users are assigned permissions based on their proven identity, but the permissions do not provide authentication. The virtual private network (VPN) would encrypt traffic sent via the VPN tunnel, and this traffic may be encrypted with the use of a certificate. However, this is not called a tunneling certificate, and the certificate used for encryption does not provide identification. A hardware token is often used as an additional method of authentication, but it does not provide identification. Chapter 2
42. You're reviewing the logs for a web server and see several suspicious entries. You suspect that an attacker is attempting to write more data into a web application's memory than it can handle. What does this describe? A. Pinter/object dereference B. Race condition exploit C. DLL injection attack D. Buffer overflow attack
D is correct. A buffer overflow attack attempts to write more data into an application's memory than it can handle. A pointer or object dereference is a programming error that can corrupt memory, but programmers, not attackers, cause it. A race condition is a programming conflict when two or more applications or application models attempt to access or modify a resource at the same time. A dynamic link library (DLL) injection attack injects DLL into memory and causes it to run. Chapter 7
67. Lisa and Bart need to exchange emails over the Internet using an unsecured channel. These emails need to provide non-repudiation. They decide to use certificates on each of their computers. What would they use to sign their certificates? A. CRL B. OCSP C. CSR D. CA E. DSA
D is correct. A certificate authority (CA) manages certificates and would sign certificates issued to users. Note that non-repudiation would be provided with digital signatures and each user would need a certificate assigned to them that they would use to create the digital signatures. A certificate revocation list (CRL) is a list of revoked certificates. Online Certificate Status Protocol (OCSP) is an alternative to a CRL and provides a real-time response indicating the validity of a certificate. The certificate signing request (CSR) is used to request a certificate. A Digital Signature Algorithm (DSA) is used to create a digital signature. They would use digital signatures to sign their emails, and they need a certificate to create a digital signature, but they can't sign their certificates with a digital signature. Chapter 10
27. Network administrators are considering adding an HSM to a server in your network. What functions will this add to the server? A. Provide full drive encryption B. Reduce the risk of employees emailing confidential information outside the organization C. Provide webmail to clients D. Generate and store keys used with servers
D is correct. A hardware security module (HSM) is a removable device that can generate and store RSA keys used with servers. The keys can be used to encrypt data sent to and from the server, but they wouldn't be used for full drive encryption. A Trusted Platform Module (TPM) provides full drive encryption an is included in many laptops. A data loss prevention (DLP) device is a device that can reduce the risk of employees emailing confidential information outside the organization. Software as a service (SaaS) provides software or applications, such as webmail, via the cloud. Chapter 5
22. Administrators are deploying a new Linux server in the screened subnet. After it is installed, they want to manage it from their desktop computers located within the organization's private network. Which of the following would be the BEST choice to meet this need? A. Forward proxy server B. Reverse proxy server C. Web application firewall D. Jump server
D is correct. A jump server is a server placed between different security zones, such as an internal network and a screened subnet (aka a demilitarized zone or DMZ) and is used to manage devices in the other security zone. In this scenario, administrators could connect to the jump server with Secure Shell (SSH) and then connect to the Linux server using SSH forwarding on the jump server. A forward proxy server (often called a proxy server) is used by internal clients to access Internet resources., not resources in the screened subnet. Reverse proxy servers accept traffic from the Internet, not the internal network, and forward the traffic to one or more internal web servers. A web application firewall (WAF) protects a web server from Internet-based attacks but isn't used to control traffic between an internal network and the screened subnet. Chapter 3
54. You need to identify and mitigate potential single points of failure in your organization's security operations. Which of the following policies would help you? A. A disaster recovery plan B. A business impact analysis C. Annualized loss expectancy D. Separation of duties
D is correct. A separation of duties policy is the best answer. In this context, if only one person can perform tasks within the organization's security operations, that person becomes a single point of failure. None of the other answers address a single point of failure. A disaster recovery plan (DRP) identifies how to recover critical systems and data after a disaster. A business impact analysis (BIA) helps an organization identify critical systems and components. An annualized loss expectancy (ALE) identifies the expected annual loss from a known risk. Chapter 9
15. Your organization is implementing an SDN. Management wants to use an access control scheme that controls access based on attributes. Which of the following is the BEST solution? A. DAC B. MAC C. Role-BAC D. ABAC
D is correct. A software-defined network (SDN) typically uses an attribute-based access control (ABAC) scheme. The ABAC scheme is based on attributes that identify subjects and objects within a policy. A discretionary access control (DAC) scheme has an owner, and the owner established access for the objects. A mandatory access control (MAC) scheme uses labels assigned to subjects and objects. A role-based access control (Role-BAC) scheme uses roles or groups to assign rights and permissions. Chapter 2
8. You are comparing different types of authentication. Of the following choices, which one uses multifactor authentication? A. A system that requires users to enter a username and password B. A system that checks an employee's fingerprint and does a vein scan C. A cipher door lock that requires employees to enter a code to open the door D. A system that requires used to have a smart card and a PIN
D is correct. A system that requires users to have a smart card and a personal identification number (PIN) used multifactor authentication or two-factor authentication. The card is in the something you have factor, and the PIN is in the something you know factor. A username provides identification, and a password is in the something you know factor, providing single-factor authentication. Fingerprints and vein scans are both in the something you are factor, providing single-factor authentication. A code for a cipher door lock is in the something you know factor, providing single-factor authentication. (Chapter 2)
31. Your organization plans to implement desktops via the cloud. Each desktop will include an operating system and a core group of applications needed by employees, and the cloud provider will manage the desktops. Employees with Internet access will be able to access these desktops from anywhere and almost any device. Which of the following BEST identifies this service? A. IaaS B. CASB C. SaaS D. XaaS
D is correct. Anything as a Service (XaaS) refers to cloud services beyond IaaS, PaaS, and SaaS. It would include desktops as a service. Infrastructure as a Service (IaaS) is a cloud computing option where the vendor provides access to a computer. Still, customers must install the operating system and maintain the system. A cloud access security broker (CASB) is a software tool used to provide additional security for cloud resources, but it provides the underlying cloud services. Software as a Service (SaaS) provides access to specific applications, such as an email application, but not entire desktops. Chapter 5
62. As a security administrator, you receive an antivirus alert from a server in your network indicating one of the files has a hash of known malware. The file was pushed to the server from the organization's patch management system and is scheduled to be applied to the server early the next morning. The antivirus software indicates that the file and hash of the malware are: - File: gcga_upgrade.exe - Hash: 518b571e26035d95e5e9232b4affbd84 Checking the logs of the patch management system, you see: Status - Pushed | Update name - gcga_upgrade.exe Hash - 518b571e26035d95e5e9232b4affbd84 Which of the following indicates what MOST likely occurred? A. The file was infected after it was pushed out to the server. B. The file was embedded with crypto-malware before it was pushed to the server. C. The file was listed in the patch management system's blacklist. D. The file was infected when the patch management system downloaded it.
D is correct. Of the given choices, the file was most likely infected when the patch management system downloaded it. This is because the name and hash of the file is the same on the server as it is on the patch management system. If it were infected after it was pushed out to the server, it would have a different hash. The scenario doesn't indicate what type of infection the malware has, so it isn't possible to tell if it is crypto-malware or another type of malware. A blacklist blocks files so if the file were listed in the patch management system's blacklist, the patch management system wouldn't push it out to systems. Chapter 10
19. Bart incorrectly wired a switch in your organization's network. It effectively disabled the switch as though it was a victim of a denial-of-service attack. Which of the following should be done to prevent this situation in the future? A. Install an IDS. B. Only use Layer 2 switches. C. Install SNMPv3 on the switches. D. Implement STP or RSTP.
D is correct. Spanning Tree Protocol (STP) and Rapid STP (RSTP) both prevent switching loop problems. It's rare for a wiring error to take down a switch. However, if two ports on a switch are connected to each other, it creates a switching loop and effectively disables the switch. An intrusion detection system (IDS) will not prevent a switching loop. Layer 2 switches are susceptible to this problem. Administrators use Simple Network Management Protocol version 3 (SNMPv3) to manage and monitor devices, but it doesn't prevent switching loops. Chapter 3
47. Maggie is performing a risk assessment for an organization. She identifies the loss for the previous year due to a specific risk as $5,000. What does this represent? A. SLE B. ARO C. MTBF D. ALE
D is correct. The annual loss expectancy (ALE) identifies the expected loss for a given year based on a specific risk and existing security controls. The single loss expectancy (SLE) identifies the cost of any single loss. The annual rate of occurrence (ARO) identifies how many times a loss is expected to occur in a year. Multiplying SLE x ARO identifies the ALE. Note that the scenario refers to a specific risk, but it doesn't indicate how many times the loss occurred. This could have been five incidents (ARO of 5) incurring losses of $1,000 for each incident (SLE), resulting in an ALE of $5,000. The mean time between failures (MTBF) provides a measure of a system's reliability and is usually represented in hours Chapter 8
4. You suspect that a Linux computer is establishing connections with a remote server on the Internet without any user interaction. You want to verify this by viewing a summary of protocol statistics on a Linux system. Which of the following commands would you use? A. dig B. nslookup C. ifconfig D. netstat
D is correct. The netstat -s command will display a summary of protocol statistics on a Linux system. You can use the dig (domain information groper) command on Linux systems to query Domain Name System (DNS) Servers and verify if you can resolve names to OIP addresses. The nslookup (name server lookup) command can also be used to query DNS servers. The ifconfig command is used to display information and configure network interfaces on Linux systems. (Chapter 1)