CompTIA Security+
What protocol may be used to secure passwords in transit to a web application?
TLS
What data obfuscation technique is intended to be reversible?
Tokenization
Bob is planning to use a cryptographic cipher that rearranges the characters in a message. What type of cypher is Bob planning to use?
Transposition cipher
It is difficult to develop defenses against APT attackers True or False
True
It is generally a bad practice to run software after the vendor's end-of-life True or False
True
Privelege escalation attacks require a normal user account to execute True or False
True
The main purpose of a code repository is to store the source files used in software development in a centralized location that allows for secure storage. True or False
True
What Java clause is critical for error handling
Try...Catch
The attacker called a help desk employee and persuaded her that she was a project manager on a tight deadline and locked out of her account. The help desk technician provided the attacker with access to the account. What social engineering principle was used?
Urgency
What phase of the capability maturity model introduces the reuse of code across projects?
(Quantitatively) Managed
Which one of the following is not a possible hash length from the SHA-2 function? a. 224 bits b. 128 bits c. 384 bits d. 512 bits
128 bits
How many keys should be used with 3DES to achieve the greatest level of security?
3
What CVSS value is the threshold at which PCI DSS requires remediation to achieve a passing scan?
4
What length encryption key does the Data Encryption Standard use?
56 bits
What type of phishing attack focuses specifically on senior executives of a targeted organization?
Whaling
What is the name of the application control technology built-in to Microsoft Windows?
AppLocker
What approach to threat identification begins with a listing of all resources owned by the organization?
Asset-focused
What is the basic principle underlying threat hunting activities?
Assumption of Compromise
What algorithm uses Blowfish cipher along with a salt to strengthen cryptographic keys?
Bcrypt
In a _____ penetration test, the attacker has no prior knowledge of the environment.
Black box
What input validation approach works to exclude prohibited input?
Blacklisting
Alice would like to send a message to Bob using RSA encryption. What key should she use to encrypt the message?
Bob's public key
What type of attack seeks to write data to areas of memory reserved for other purposes?
Buffer overflow
As Dave works with his colleagues in other IT disciplines, he notices that they use different names to refer to the same products and vendors. Which SCAP component would best assist him in reconciling these differences?
CPE (Common Platform Enumeration)
What technology can you use to tell clients that a certificate is unlikely to change over time?
Certificate pinning
In the early 1990s, the NSA attempted to introduce key escrow using what failed technology?
Clipper chip
CCE
Common Configuration Enumeration
CPE
Common Platform Enumeration
CVE
Common Vulnerabilities and Exposures
CVSS
Common Vulnerability Scoring System
The reuse of passwords across multiple sites makes an individual susceptible to ______ attacks?
Credential stuffing
Alan is analyzing his web server logs and sees several strange entries that contain strings similar to "../../" in URL requests. What type of attack was attempted against his server?
Directory traversal
What attack technique wraps malicious code around a legitimate driver?
Driver shimming
Which one of the following encryption approaches is most susceptible to a quantum computing attack? a. quantum cryptography b. RSA cryptography c. AES cryptography d. Elliptic Curve Cryptography
Elliptic Curve Cryptography
What operation uses a cryptographic key to convert plaintext into ciphertext?
Encryption
What type of digital certificate offers the highest possible level of trust?
Extended Validation (EV)
XCCDF
Extensible Configuration Checklist Description Format
Companies should always manage bug bounty programs internally. True or False
False
Database normalization should always be used to improve database security True or False
False
Removing names and identification numbers is usually all that is necessary to deidentify a dataset True or False
False
The DevOps model prioritizes development efforts over operational tasks. True or False
False
Static code testing software executes code to verify that it is functioning properly. True or False
False *Static code testing software does NOT execute code, only analyzes it
The analysis of adversary TTP includes tools, techniques, and policies. True or False
False Correct definition of TTP includes tools, techniques and *procedures
Jason recently investigated a vulnerability discovered during a scan and, after exhaustive research, determined that the vulnerability did not exist. What type of error occurred?
False Positive
What type of attacker is primarily concerned with advancing an ideological agenda?
Hacktivist
What is a common command and control mechanism for botnets?
IRC (Internet Relay Chat)
What type of organization facilitates cybersecurity information sharing among industry-specific communities?
ISAC
What is the most effective defense against cross-site scripting attacks?
Input validation
What action can users take to overcome security flaws in RC4?
It is not possible to use RC4 securely.
______ consist of shared code objects that perform related functions.
Libraries
What type of malware delivers its payload only after certain conditions are met?
Logic bomb
Maloof would like to digitally sign a message that he is sending to Clementine. What key does he use the create the digital signature?
Maloof's private key
What type of fuzz testing captures real software input and modifies it?
Mutation Fuzzing
Alice would like to be able to prove to Charlie that a message she received actually came from Bob. What cryptographic goal is Alice trying to enforce?
Non-repudiation
Harold works for a certificate authority and wants to ensure that his organization is able to revoke digital certificates that it creates. What is the most effective method of revoking digital certificates?
Online Certificate Status Protocol
OVAL
Open Vulnerability and Assessment Language
What is the first step of a Fagan inspection?
Planning
Matt would like to limit the tests performed by his vulnerability scanner to only those that affect operating systems installed in his environment. Which setting should he modify?
Plug-ins
What language is commonly used to automate the execution of system administration tasks on Windows systems?
PowerShell
What type of AI technique is most commonly associated with optimization?
Prescriptive Analytics
In what technique do attackers pose as their victim to elicit information from third parties?
Pretexting
Dan is engaging in a password cracking attack where he uses precomputed hash values. What type of attack is Dan waging?
Rainbow table
CryptoLocker is an example of what type of malware?
Ransomware
What component of a change management program includes final testing that the software functions properly?
Release management
What security technology best assists with the automation of security workflows?
SOAR
Which of the following is a standardized language used to communicate security information between systems and organizations? a. ISAC b. OVAL c. STIX d. CVSS
STIX
In what type of social engineering attack does the attacker physically observe the victim's activity?
Shoulder Surfing
What type of website does the attacker use when waging a watering hole attack?
Site trusted by the end user
What device is often used in card cloning attacks?
Skimmer
What software development methodology uses four stages in an iterative process?
Spiral
Jasmine comes across a file sent out of her organization that she suspects contains proprietary trade secrets but appears to be an innocuous image. What technique might the sender have used to hide information in the image?
Steganography
In a cybersecurity exercise, what team is responsible for serving as moderators?
White Team
Where do fileless viruses often store themselves to maintain persistence?
Windows Registry
What standard governs the structure and content of digital certificates?
X.509
Which one of the following metrics does not contribute to the Exploitability score for a vulnerability in CVSS? a. Confidentiality b. User Interaction c. Attack Vector d. Attack Complexity
a. Confidentiality Reason: Confidentiality shows IMPACT not EXPLOITABILITY
Which one of the following is an example of an in-band approach to key exchange? a. Diffie-Hellman b. U.S. mail c. Physical meeting d. Phone call
a. Diffie-Hellman
Which one of the following is not an effective defense against XSRF attacks? a. Network segmentation b. User education c. Preventing the use of HTTP GET requests d. Automatic logouts
a. Network segmentation
Renee is creating a prioritized list of scanning targets. Which one of the following is the least important criteria for her prioritization? a. Operating System b. Targets c. Type of Scan d. None of these are low priority
a. Operating System
Which one of these file extensions is always associated with certificates stored in binary form? a. PFX b. PEM c. P7B d. CRT
a. PFX
Randy is developing a vulnerability management program. Which one of the following is not a common source of requirements for such a program? a. Sales team requests b. Legal requirements c. Security objectives d. Corporate policy
a. Sales team requests
Which one of the following is NOT critical to the security of one time pad operations? a. using AES in conjunction with the one-time pad b. choosing the key at random c. securely exchanging the pads d. only using the pad one time
a. using AES in conjunction with the one-time pad
Which one of the following is not a standard application hardening technique? a. Apply security patching b. Conduct cross-site scripting c. Validate user input d. Encrypt sensitive information
b. Conduct cross-site scripting
Helen has vulnerability scanners located at several points on her network. Which one of the following scanners is likely to provide the most complete picture of the vulnerabilities present on a public web server? a. Public Scanner b. DMZ Scanner c. Rough Scanner d. BNC Scanner
b. DMZ Scanner
Which one of the following issues is not generally associated with the use of default configurations? a. extraneous services running b. SQL injection flaws c. open ports d. vendor-assigned passwords
b. SQL injection flaws
Which one of the following is not a barrier to using the web of trust (WoT) approach? a. Technical knowledge required of users b. Use of weak cryptography c. Decentralized approach d. High barrier to entry
b. Use of weak cryptography
What basic cryptographic functions does the AES algorithm use to encrypt plaintext?
both substitution and transposition
Which of the following is an example of an open-source intelligence resource? a. social media b. vulnerability databases c. all of these answers d. security websites
c. all of these answers
Which one of the following controls is not particularly effective against insider threats? a. least privilege b. background checks c. firewalls d. separation of duties
c. firewalls
Data breaches violate which principle of cybersecurity?
confidentiality
What type of object must a hacker typically access in order to engage in a session hijacking attack?
cookie
Which one of the following technologies is an example of a parameterized query? a. Output encoding b. Masked identifier c. Hashed identifier d. Stored procedure
d. Stored Procedure
Which of the following is a race condition attack? a. SQLi b. XSRF c. XSS d. TOC/TOU
d. TOC/TOU
Developers wishing to sign their code must have a ______
digital certificate
When you communicate over the Tor network, which of the following entities do you communicate with directly? a. entry node b. delivery node c. destination server d. Network node
entry node
What is the simplest way to take an existing cipher and make it stronger?
increase the length of the encryption key
What condition occurs when a software package fails to release memory that it reserved for use?
memory leak
The difficulty of solving what mathematical problem provides the security underlying the Diffie-Hellman Algorithm?
prime factorization
What key is actually used to encrypt the contents of a message when using PGP?
randomly generated key
If Alice wants to send a message to Bob using symmetry cryptography, what key does she use to encrypt the message?
shared secret key
What type of malware can spread without user interaction?
worm
