CompTIA Security+ Certification All-in-One Exam Guide, Sixth Edition, End of Chapter Questions (SY0-601)


Your threat intelligence vendor is sending out urgent messages concerning a new form of memory-resident malware. What is the likely item they are sharing with you? A. Vulnerability database B. Indicator of compromise C. Dark web D. Trusted Automated Exchange of Intelligence Information (TAXII)

B. An indicator of compromise (IoC) provides the details associated with how one can find active malware on a system.

You're reviewing a custom web application and accidentally type a number in a text field. The application returns an error message containing variable names, filenames, and the full path of the application. This is an example of which of the following? A. Resource exhaustion B. Improper error handling C. Generic error message D. Common misconfiguration

B. When an application fails to properly trap an error and generates error messages containing potentially sensitive information, this is known as improper error handling.

What is the purpose of a white team? A. To represent senior management B. To provide judges to score or rule on a test C. To represent parties that are targets in a pen test D. To provide a set of team members with offense and defensive skills (all stars)

B. When an exercise involves scoring and/or a competition perspective, the team of judges is called the white team. If the exercise is such that it requires an outside set of coordinators to manage it, independent of the defending team, they are also called a white team. White team members are there to ensure that the actual exercise stays on track and involves the desired elements of a system.

Several desktops in your organization are displaying a red screen with the message "Your files have been encrypted. Pay 1 bitcoin to recover them." These desktops have most likely been affected by what type of malware? A. Spyware B. Spraying C. Ransomware D. Crypto-malware

C. This is quite clearly ransomware. The malware has encrypted files on the affected systems and is demanding payment for recovery of the files.

When a pen tester uses OSINT to gain information on a system, the type of environment can be changed from ______ to _______. A. closed, open B. unknown, known C. secure, vulnerable D. unknown, partially known

D. OSINT provides information about systems and their addresses and connections, including applications. This takes the status of a system from a completely unknown environment to a partially known environment.

Your senior financial people have been attacked with a piece of malware targeting financial records. Based on talking to one of the executives, you now know this is a spear phishing attack. Which of the following is the most likely vector used? A. Cloud B. Wireless C. Direct access D. Removable media

D. Removable media is commonly linked to social engineering attacks such as spear phishing.

Proper use of separation of duties with respect to privileged users on your systems is a defense against which type of hacker? A. Nation-state actor B. Insider C. Criminal syndicate D. All of the above

D. Separation of duties is designed to provide defenses against malicious insiders. But nation-state actors and criminal organizations have the resources and abilities to hack accounts and gain insider access. There are no external accounts, so once a well-resourced hacker is in, they will have permissions associated with an insider.

Which of the following is/are psychological tools used by social engineers to create false trust with a target? A. Impersonation B. Urgency or scarcity C. Authority D. All of the above

D. Social engineers use a wide range of psychological tricks to fool users into trusting them, including faking authority, impersonation, creating a sense of scarcity or urgency, and claiming familiarity.

When an attacker moves to a new machine and rescans the network to look for machines not previously visible, what is this technique called? A. Lateral movement B. Privilege escalation C. Persistence D. Pivoting

D. The key part of the question is the rescanning. Pivoting involves the rescanning of network connections to find unknown or previously unseen connections.

A colleague asks you for advice on why he can't log in to his Gmail account. Looking at his browser, you see he has typed www.gmal.com in the address bar. The screen looks very similar to the Gmail login screen. Your colleague has just fallen victim to what type of attack? A. Jamming B. Rainbow table C. Whale phishing D. Typosquatting

D. Typosquatting capitalizes on common typing errors, such as gmal instead of gmail. The attacker registers a domain very similar to the real domain and attempts to collect credentials or other sensitive information from unsuspecting users.

OSINT involves which of the following? A. Passive reconnaissance B. Active reconnaissance C. Port scanning D. Persistence

A. OSINT is a passive activity, so passive reconnaissance is the correct answer. All of the other answers involve active measures.

Which team involves members who emulate both attackers and defenders? A. Purple team B. Gold team C. Blue team D. White team

A. Purple teams have both offensive (red) and defensive (blue) personnel to provide a balanced response.

What type of attack involves an attacker putting a layer of code between an original device driver and the operating system? A. Refactoring B. Trojan horse C. Shimming D. Pass the hash

C. Shimming is the process of putting a layer of code between the device driver and the operating system.

You have a helpdesk ticket for a system that is acting strangely. Looking at the system remotely, you see the following in the browser cache: www.micros0ft.com/office. What type of attack are you seeing? A. PowerShell B. Domain hijacking C. URL redirection D. Disassociation

C. This is a URL redirection, as the name Microsoft has a zero in place of the o character.

Databases can use which of the following for security? (Choose all that apply.) A. Tokenization B. Salting C. Code signing D. Secure cookies

A and B. Databases can use tokens to represent unique sensitive data, allowing joins between tables and records without exposing the data. Salting can be used to ensure that hashed values of identical input fields will not reveal the fact that two records share the same data.

Which of the following are associated with endpoint protection? (Choose all that apply.) A. EDR B. TPM C. DLP D. HTTP headers

A and C. Endpoint detection and response (EDR) is the combination of several individual endpoint protection mechanisms into a common management framework. Data loss prevention (DLP) is the checking for sensitive data before exfiltration. Both of these are associated with endpoint security. The Trusted Platform Module (TPM), while involved in many security technologies, does not play a direct role in endpoint protection. Nor do HTTP headers, which are associated with the server serving up the web content.

Financial risks associated with vulnerabilities can include which of the following? (Choose all that apply.) A. Regulatory fines and penalties B. Business reputation loss C. Loss of revenue due to downtime D. Loss of data

A and C. Regulatory fines and penalties as well as lost income because of downtime are direct financial impacts of cybersecurity problems. Business reputation may lead to a loss of customers, but this is not a direct connection. Loss of data may or may not have a financial impact depending upon the data and its connection to revenue.

Which tools are used in IP address investigations? (Choose all that apply.) A. tracert B. theHarvester C. dnsenum D. chmod

A and C. Tracert gives the IP addresses of a communication channel, and dnsenum gets information from a DNS server.

Comprehensive, proscriptive configuration guides for all major operating systems are available from which of the following? (Choose all that apply.) A. Vendors/manufacturers B. NIST C. CIS D. ISO

A and C. Vendors/manufacturers and the Center for Internet Security both offer comprehensive configuration guides for operating systems. Another source is the Department of Defense STIG program. NIST and ISO develop guidance for policies and processes, but not specific configurations for operating systems.

Weak configurations can include which of the following? (Choose all that apply.) A. Open ports B. Lack of vendor support C. Firmware D. Use of unsecure protocols

A and D. Having open ports and using unsecure protocols can both provide openings for attackers to get into a system. Lack of vendor support is a third-party risk, and firmware has a fixed configuration.

Data protection includes all of the following topics except which ones? (Choose all that apply.) A. Honeypots B. Masking C. Tokenization D. DNS sinkholes

A and D. Honeypots and DNS sinkholes are part of deception and disruption activities, not data protection.

Common sources of vulnerability issues for systems include which of the following? (Choose all that apply.) A. Weak patch management B. Data loss C. Identity theft D. Weak configurations

A and D. Improper or weak patch management and weak configurations are defined as common sources for vulnerabilities.

A mantrap is an example of which type of security control? (Choose all that apply.) A. Physical B. Corrective C. Administrative D. Preventative

A and D. It is possible for a specific security control to fall into more than one type. Because a mantrap is a physical barrier that prevents tailgating, it is both a physical control and a preventative control. Corrective controls are used after the event, in an effort to minimize the extent of damage. An administrative control is simply a distractor.

Which of the following are the best reasons for an organization to have a job rotation policy? (Choose all that apply.) A. Since security is often of secondary concern to people in their jobs, rotating individuals through security positions can result in a much wider understanding of the organization's security problems. B. It helps to maintain a high level of employee morale. C. It ensures all important operations can still be accomplished should budget cuts result in the termination of a number of employees. D. It eliminates the need to rely on one individual for security expertise.

A and D. Since security is often of secondary concern to people in their jobs, rotating individuals through security positions can result in a much wider understanding of the organization's security problems. A secondary benefit is that it also eliminates the need to rely on one individual for security expertise. If all security tasks are the domain of one employee, security will suffer if that individual leaves the organization.

A patch management process should include which of the following? (Choose all that apply.) A. Automated management of software assets B. Automated verification of current patch levels C. A specified period by which systems should be patched D. Connection of the patch management process to the change control process

A, B, C, and D. A good patch management process should include automated management of software assets, automated verification of current patch levels, a specified period by which systems should be patched, and connection of the patch management process to the change control process.

Which of the following statements are true when discussing separation of duties? (Choose all that apply.) A. Separation of duties is a principle employed in many organizations to ensure that no single individual has the ability to conduct transactions alone. B. Employing separation of duties means that the level of trust in any one individual is lessened, and the ability for any individual to cause catastrophic damage to the organization is also lessened. C. Separating duties as a security tool is a good practice, but it is possible to go overboard and break up transactions into too many pieces or require too much oversight. D. Separation of duties spreads responsibilities out over an organization so no single individual becomes the indispensable individual with all of the "keys to the kingdom" or unique knowledge about how to make everything work.

A, B, C, and D. All of the statements are true when discussing separation of duties.

Which of the following are critical in cloud security? (Choose all that apply.) A. Firewalls B. Integration and auditing C. Secrets management D. Encryption

A, B, C, and D. All of these play important roles in securing cloud environments.

Which of these tools is used in penetration testing? (Choose all that apply.) A. nmap B. Nessus C. scanless D. theHarvester

A, B, C, and D. All of these tools are used in penetration testing. Nmap finds systems, Nessus scans for vulnerabilities, scanless hides the IP of the machine scanning, and theHarvester collects information on potential targets.

Which of the following are issues that need to be determined as part of setting up a SIEM solution? (Choose all that apply.) A. Sensor placement B. Log files and relevant fields C. Desired alert conditions D. DNS logging

A, B, C, and D. Setting up a SIEM requires many steps, including identification of the data source, alerting conditions, which logs and fields to use, and more.

What is the purpose of deception in an enterprise? (Choose all that apply.) A. To trick attackers into stealing fake data B. To identify misconfigured systems C. To permit easy identification of unauthorized actors D. To provide a place to test new systems without impacting regular operations

A, B, and C. Deception techniques such as honeynets and honeypots can trick attackers into stealing fake data and make them easier to find in the network. These techniques can also help in determining systems that are misconfigured.

As a security professional, what should you do to address weak configurations that pose security risks to your organization? (Choose all that apply.) A. Change default usernames and passwords. B. Remove unnecessary apps. C. Disable unnecessary services. D. Open all ports so that everything can be scanned.

A, B, and C. Every effort should be made to remove unnecessary apps, disable any unnecessary services, and change default account usernames and passwords. Opening all ports is a recipe for disaster. Unnecessary or unused ports should be closed or secured.

Which of the following describe mission-essential functions? (Choose all that apply.) A. Functions that, if they do not occur, would directly affect the mission of the organization B. Functions that, if they are not accomplished properly, would directly affect the mission of the organization C. Functions that are considered essential to the organization D. The routine business functions

A, B, and C. Mission-essential functions are those that, should they not occur or be performed properly, will directly affect the mission of the organization. This is where you spend the majority of your effort: protecting the functions that are essential. It is important to separate mission-essential functions from other business functions.

Which of the following are part of the Cyber Kill Chain? (Choose all that apply.) A. Reconnaissance B. Weaponization C. Anti-forensics D. Installation

A, B, and D. Reconnaissance, weaponization, and installation are steps in the Cyber Kill Chain. Anti-forensics is not; although these actions may occur, they are embedded in other steps.

Direct third-party risks include which of the following? (Choose all that apply.) A. System integration B. Supply chain C. Financial management D. Vendor management

A, B, and D. System integration, supply chain, and vendor management are sources of third-party risk. Financial management is related to impacts, not mainly third-party risks.

Threat hunting involves which of the following? (Choose all that apply.) A. Analysis of adversarial actions B. Interpretation of threats to other companies C. Compliance reporting D. Understanding how data flows in an enterprise

A, B, and D. Threat hunting involves analyzing adversarial actions, interpreting the threats to other companies, and understanding how data flows in an enterprise so adversaries can be caught maneuvering.

To deal with nonpersistence in a system, which of the following items offer risk mitigation? (Choose all that apply.) A. Image backups B. Cloud C. Last known-good configuration D. Revert to a known state

A, C, and D. Image backups capture the nonpersistence of the OS. Also, reverting to a known state and using the last known-good configuration both can resolve nonpersistence issues. Cloud (answer B) is not a direct answer, as by itself, the cloud does not offer persistence to a nonpersistent system. An image backup has everything, so restoring from it can resolve a persistence problem. For the cloud to be involved, it would be as a secondary item (that is, a place to store an image backup), but then it is not actually directly involved.

What kind of device provides tamper protection for encryption keys? A. HSM B. IPSec C. Jump server D. HTML5

A. A hardware security module (HSM) has tamper protections to prevent the encryption keys it manages from being altered.

You are implementing a test lab at your organization for early alpha software development. To prevent any of the development code from inadvertently getting put on production computers, what should you implement? A. Air gap B. Strict firewalls C. Protected distribution D. Patch management

A. A lab environment can be air gapped from the rest of the network to prevent software from being accidentally copied to production machines.

What is a weakness of the DNS protocol? A. Requests and replies are sent in plaintext. B. It doesn't provide billing standardization in cloud infrastructures. C. TCP can be used for large transfers such as zone transfers. D. Its encryption capabilities are slow.

A. A major weakness of the DNS protocol is that requests and replies are sent in plaintext.

What does a privacy impact assessment do? A. It determines the gap between a company's privacy practices and required actions. B. It determines the damage caused by a breach of privacy. C. It determines what companies hold information on a specific person. D. It's a corporate procedure to safeguard PII.

A. A privacy impact assessment (PIA) determines the gap between what a company is doing with PII and what its policies, rules, and regulations state it should be doing.

What is privacy? A. One's ability to control information about oneself B. Being able to keep one's information secret C. Making data-sharing illegal without consumer consent D. Something that is outmoded in the Internet age

A. Although all the possible answers have elements of truth to them, privacy is about controlling one's information, not just hoarding it.

Which of the following is not associated typically with SIEM processes? A. Applications B. Syslog C. Log capture D. Log aggregation

A. Applications may be all over the network and may provide data to a SIEM, but they are not typically part of the SIEM process.

Once an organization's security policies have been established, what is the single most effective method of countering potential social engineering attacks? A. An active security awareness program B. A separate physical access control mechanism for each department in the organization C. Frequent testing of both the organization's physical security procedures and employee telephone practices D. Implementing access control cards and the wearing of security identification badges

A. Because any employee may be the target of a social engineering attack, the best thing you can do to protect your organization from these attacks is to implement an active security awareness program to ensure that all employees are cognizant of the threat and what they can do to address it.

What does chmod do? A. Sets permission on a file B. Initiates a change modification entry in a log file C. Cryptographically hashes a file D. Lists the files in a working directory

A. Chmod is used to set/manage file permissions in a Linux environment.

You think a file is malware. What is the first tool you should invoke? A. Cuckoo B. WinHex C. OpenSSL D. Autopsy

A. Cuckoo is a sandbox program designed to analyze malicious software, separating the software from direct connection to the OS.

Which type of policy sets the direction for the security team to manage who can access what resources in a system? A. Account permissions policy B. Time-based login policies C. Password policies D. Time-of-day restriction policies

A. Developing a policy for account permissions provides guidance to those who are implementing the access control schemes.

Which process allows log files to be enriched with additional data to provide context? A. Log aggregation B. Log collectors C. Log reviews D. Syslog

A. During the process of aggregation, the log entries can be parsed, modified, and have key fields extracted or modified based on lookups or rules.

Where can you find metadata showing where a picture was taken? A. EXIF data B. IPFIX data C. E-mail metadata D. SIP CTL

A. EXIF is the metadata associated with image and video files.

Which of the following are not typically scanned during a vulnerability scan? A. End users B. Network C. Applications D. Web applications

A. End users are not part of a vulnerability scan; they are air gapped from the system and are not part of the elements that are searched for vulnerabilities.

Which of the following is important to ensure privacy release concerns are properly handled when discovered by an incident response team? A. Escalation B. Privacy impact analysis C. Privacy-enhancing technologies D. Public disclosure and notification

A. Escalation is important to ensure that the correct teams respond to a privacy-related incident.

Anti-malware software fails to detect a ransomware attack that is supposed to be within its capabilities of detecting. What is this an example of? A. False negative B. False positive C. Measurement error D. Analysis failure

A. Failing to report on a known reportable event is a false negative.

You have read about a new threat against software that is vulnerable to hacking. The vulnerability is in a Python library, and your firm uses Python for the development of many in-house projects. Where is the best source of information with respect to this threat? A. File/code repositories B. Vulnerability databases C. Open source intelligence D. Indicators of compromise

A. File/code repositories is the correct answer because the code you are concerned about was developed in-house; hence, it will not show up in commercial databases or other sources.

You wish to keep people from using the internal mobile network to play games on their personal phones. What would be the best method of managing this? A. MDM B. Application block list C. Content filter D. Segmentation

A. Forcing users to install an MDM solution before connecting their phone to the internal network resolves many security issues, including access control issues.

Which of the following is used to identify when a device is within a specified distance of a location? A. Geofencing B. Geoproximity C. Geodistance D. Geotagging

A. Geofencing is an electronic distance-based perimeter used to detect specific devices when they cross within a certain geographic area.

IPFIX is used for what? A. Capturing which machines are in communication with each other B. Managing mobile messaging solutions C. Reading syslog files D. DNS logs

A. IPFIX works like NetFlow, identifying which machines are communicating with each other.

What set of algorithms is designed for low-power devices such as the Internet of Things and embedded systems? A. Lightweight B. Hashing C. Stream D. Blockchain

A. Lightweight encryption algorithms are designed for resource-constrained systems.

For organizations that draw a distinction between a BCP and a DRP, which of the following statements is true? A. The BCP details the functions that are most critical and outlines the order in which critical functions should be returned to service to maintain business operations. B. The BCP is a subset of the DRP. C. The DRP outlines the minimum set of business functions required for the organization to continue functioning. D. The DRP is always developed first, and the BCP normally is an attachment to this document.

A. Many organizations, particularly smaller ones, treat the two terms BCP and DRP synonymously, but for organizations that don't, the BCP outlines the business functions necessary for continued operation and may describe the order in which functions will be restored. The DRP outlines all processes and how they can be restored; the BCP acts as a companion document that describes which functions need to be restored and in which order.

Which of the following is a common measure of how long it takes to fix a given failure? A. MTTR B. RTO C. RPO D. MTBF

A. Mean time to repair (MTTR) is a common measure of how long it takes to repair a given failure. Recovery time objective (RTO) describes the target time that is set for the resumption of operations after an incident. Recovery point objective (RPO) represents the maximum time period of acceptable data loss. Mean time between failures (MTBF) is a common measure of reliability of a system and is an expression of the average time between system failures.

Your organization is having issues with a custom web application. The application seems to run fine for a while but starts to lock up or crash after seven to ten days of continuous use. Examining the server, you notice that memory usage seems to climb every day until the server runs out of memory. The application is most likely suffering from which of the following? A. Memory leak B. Overflow leak C. Zero-day exploit D. Pointer dereference

A. Memory leaks are programming errors caused when a computer program does not properly handle memory resources. Over time, while a program runs, if it does not clean up memory resources as they are no longer needed, chunks of dead memory can become scattered across the program's footprint in memory. If a program executes for a long time, these dead memory areas can grow in size and consume resources, causing the system to crash.

Why is memory management important in software development? A. A program can grow and consume other program spaces. B. Memory is expensive. C. Memory can be a speed issue. D. None of the above.

A. Memory management failures can lead to a program growing in size when executing. This can result in either its own failure or the diminishing of memory resources for other programs.

Which of the following describes a major difference between NTFS and FAT32 file systems? A. NTFS supports user-level access differentiation. B. FAT32 supports group-level access differentiation. C. FAT32 natively encrypts files and directories. D. NTFS logs all file access using secure tokens.

A. NTFS supports user-level access differentiation and allows you to assign user permissions to files and folders.

Which of the following is the term for a document used to explain the boundaries of company secret material, information over which control should be exercised to prevent disclosure to unauthorized parties, and to obtain agreement to follow these limits? A. Nondisclosure agreement (NDA) B. Data access agreement (DAA) C. Data disclosure agreement (DDA) D. Data release agreement (DRA)

A. Nondisclosure agreements (NDAs) are standard corporate documents used to explain the boundaries of company secret material, information over which control should be exercised to prevent disclosure to unauthorized parties.

The continual changing of information in a system is referred to as what? A. Nonpersistence B. Snapshots C. Differentials D. Images

A. Nonpersistence refers to system items such as memory and registry elements that are not permanent and can change over time, even while running.

The fact that there are multiple methods of representing an object in a computer system can lead to issues when logical comparisons are needed. What can be used to ensure accuracy of comparison elements? A. Normalization B. Stored procedures C. Third-party libraries D. Third-party software development kits

A. Normalization is the process of reducing items to a canonical form before comparisons to ensure appropriate logical matching.

What does OCSP do? A. It reviews the CRL for the client and provides a status about the certificate being validated. B. It outlines the details of a certificate authority, including how identities are verified, the steps the CA follows to generate certificates, and why the CA can be trusted. C. It provides for a set of values to be attached to the certificate. D. It provides encryption for digital signatures.

A. Online Certificate Status Protocol (OCSP) is an online protocol that will look for a certificate's serial number on CRLs and provide a status message about the certificate to the client.

Which of the following is not a category of security controls? A. People B. Managerial C. Technical D. Operational

A. People is not a defined category of security control. Security controls that function through people's actions are called operational controls.

While port-scanning your network for unauthorized systems, you notice one of your file servers has TCP port 61337 open. When you use Wireshark and examine the packets, you see encrypted traffic, in single packets, going back and forth every five minutes. The external connection is a server outside of your organization. What is this connection? A. Command and control B. Backdoor C. External backup location D. Remote login

A. Periodic traffic that looks like a heartbeat on high ports to an unknown server outside the network is suspicious, and this is what many command-and-control signals look like.

Which phase of the incident response process occurs before an actual incident? A. Preparation B. Identification C. Containment D. Prevention

A. Preparation is the phase of incident response that occurs before a specific incident. Preparation includes all the tasks needed to be organized and ready to respond to an incident. The act of identification is coming to a decision that the information related to the incident is worthy of further investigation by the IR team. Containment is the set of actions taken to constrain the incident to the minimal number of machines. Prevention is not a phase of the incident response process.

What are accounts with greater than "normal" user access called? A. Privileged accounts B. System accounts C. Superuser accounts D. Audit accounts

A. Privileged accounts are any accounts with greater-than-normal user access. Privileged accounts are typically root- or admin-level accounts and represent risk in that they are unlimited in their powers.

What is the best tool to ensure network traffic priorities for video conferencing are maintained? A. QoS B. VLAN C. Network segmentation D. Next-generation firewall

A. Quality of Service (QoS) solutions can manage traffic flows by type to provide guaranteed access and priority for specific traffic flows.

What protocol is used for RADIUS? A. UDP B. NetBIOS C. TCP D. Proprietary

A. RADIUS has been officially assigned UDP port 1812 for RADIUS authentication and port 1813 for RADIUS accounting by the Internet Assigned Numbers Authority (IANA). However, previously, ports 1645 (authentication) and 1646 (accounting) were used unofficially and became the default ports assigned by many RADIUS client/server implementations of the time. The tradition of using 1645 and 1646 for backward compatibility continues to this day. For this reason, many RADIUS server implementations monitor both sets of UDP ports for RADIUS requests. Microsoft RADIUS servers default to 1812 and 1813, but Cisco devices default to the traditional 1645 and 1646 ports.

A common data element needed later in the forensics process is an accurate system time with respect to an accurate external time source. A record time offset is calculated by measuring system time with an external clock such as a Network Time Protocol (NTP) server. Which of the following must be considered relative to obtaining a record time offset? A. The record time offset can be lost if the system is powered down, so it is best collected while the system is still running. B. The internal clock may not be recorded to the same level of accuracy, so conversions may be necessary. C. External clock times may vary as much as 2 to 3 seconds, so it is best to obtain the time from several NTP servers to gain a more accurate reading. D. Recording time to track man-hours is a legal requirement.

A. The record time offset is lost when the system is powered down, because the running clock state (including any drift) disappears with it, so it is best collected while the system is still running. Record the offset together with the reference source and the method used, so that this host's timestamps can later be normalized against evidence gathered from other systems.

You need to move to the cloud a specific customer service module that has a web front end. This application is highly scalable and can be provided on demand. Which cloud deployment model is best for this application? A. SaaS B. PaaS C. IaaS D. None of the above

A. Software as a Service (SaaS) is suitable for delivering highly scalable, on-demand applications without installing endpoint software; the provider runs the application, and customers consume it through the web front end.

To ensure customers entering credentials in your website are valid and not someone with stolen credentials, your team is tasked with designing multifactor authentication. Which of the following would not be a good choice? A. Static code B. Phone call C. Authentication application D. Short Message Service

A. A static code never changes, so once it has been captured (by phishing, shoulder surfing, or malware) it can be replayed indefinitely and adds nothing once the primary credential has been stolen. A phone call, an authenticator application, or an SMS message delivers a code that is time-bound or single-use, so a captured value expires. (SMS is the weakest of the three because of SIM swapping and interception, but it still beats a static code.)
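To make the "static codes can be replayed" point concrete, here is an added example (not from the book or the exam) of the RFC 4226 HOTP and RFC 6238 TOTP algorithms that authenticator applications implement, plus a verifier that refuses to accept the same time step twice. The shared secret is the ASCII test-vector secret from the RFCs; the code assumes a 30-second step and 8-digit codes, and the Verifier type and its window handling are this example's own design.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/binary"
	"fmt"
	"time"
)

// rfcSecret is the ASCII shared secret from the RFC 4226 / RFC 6238 test vectors.
var rfcSecret = []byte("12345678901234567890")

// hotp computes an RFC 4226 HMAC-based one-time password for a counter value.
func hotp(secret []byte, counter uint64, digits int) string {
	msg := make([]byte, 8)
	binary.BigEndian.PutUint64(msg, counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg)
	h := mac.Sum(nil)
	off := h[len(h)-1] & 0x0f // dynamic truncation offset
	code := (uint32(h[off])&0x7f)<<24 | uint32(h[off+1])<<16 |
		uint32(h[off+2])<<8 | uint32(h[off+3])
	mod := uint32(1)
	for i := 0; i < digits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0*d", digits, code%mod)
}

// totp is HOTP with the counter derived from Unix time (RFC 6238).
func totp(secret []byte, unix, step int64, digits int) string {
	return hotp(secret, uint64(unix/step), digits)
}

// Verifier accepts codes within +/- window steps of the current time and
// refuses to accept any step twice, so a captured code cannot be replayed,
// not even inside the tolerance window (RFC 6238 section 5.2).
type Verifier struct {
	secret   []byte
	step     int64
	digits   int
	window   int64
	lastUsed int64 // highest time step accepted so far; -1 means none yet
}

func NewVerifier(secret []byte) *Verifier {
	return &Verifier{secret: secret, step: 30, digits: 8, window: 1, lastUsed: -1}
}

// Check returns true once per valid code; later presentations of the same code fail.
func (v *Verifier) Check(code string, unix int64) bool {
	base := unix / v.step
	for d := -v.window; d <= v.window; d++ {
		c := base + d
		if c <= v.lastUsed {
			continue // this step (or an older one) was already consumed
		}
		if hmac.Equal([]byte(hotp(v.secret, uint64(c), v.digits)), []byte(code)) {
			v.lastUsed = c
			return true
		}
	}
	return false
}

func main() {
	fmt.Println("current code:", totp(rfcSecret, time.Now().Unix(), 30, 8))
	v := NewVerifier(rfcSecret)
	captured := totp(rfcSecret, 59, 30, 8) // "94287082" per RFC 6238
	fmt.Println("first use at t=59: ", v.Check(captured, 59))  // true
	fmt.Println("replay at t=59:    ", v.Check(captured, 59))  // false
	fmt.Println("replay at t=119:   ", v.Check(captured, 119)) // false
	// A static code has no counter at all: every presentation looks like the first.
}
```

Without the lastUsed bookkeeping a code captured at t=59 would still verify at t=89, because the +/-1 step window exists to absorb clock skew; tracking the last accepted step closes that gap while keeping the tolerance.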

You have kiosk-based machines in the lobby and scattered through the facility. They do not require a login for guests to access certain items. What is the best way to protect these machines from users introducing trojans? A. Application allow list B. Application block list C. Data loss prevention D. Configuration settings of the process

A. Strict application allow listing will limit what runs on the system to only those applications authorized.

You need to analyze previously collected packet data on a network, including editing some of the data. Which is the best tool to use? A. tcpreplay B. tcpdump C. netstat D. Wireshark

A. Tcpreplay is the best choice because the question asks for packet editing: the tcpreplay suite includes tcprewrite for rewriting captured packets and tcpreplay for sending them back onto the network. Tcpdump captures packets, netstat shows socket and connection state, and Wireshark is an analysis tool rather than a packet editor.

Which protocol allows the passing of legacy authentication protocols such as PAP, CHAP, and MS-CHAP? A. EAP-TTLS B. EAP-TLS C. SAE D. CCMP

A. EAP-TTLS tunnels the client side of the authentication inside TLS, allowing the use of legacy authentication protocols such as Password Authentication Protocol (PAP), Challenge-Handshake Authentication Protocol (CHAP), MS-CHAP, and MS-CHAPv2 without exposing them on the wire.

What is the Secure Shell (SSH) protocol? A. It is an encrypted remote terminal connection program used for remote connections to a server. B. It provides dynamic network address translation. C. It provides Software as a Service (SaaS). D. It provides snapshots of physical machines at a point in time.

A. SSH is a protocol (and the client and server programs that implement it) that provides an encrypted remote terminal connection to a server; the same encrypted channel also carries file transfer (SCP/SFTP) and port forwarding.

Which of the following elements is not part of the Root of Trust? A. Registry B. UEFI C. TPM PCR D. Digital signatures

A. The Windows Registry is where configuration parameters for the OS and applications are stored. It is not associated with the Root of Trust, as it is not even accessible during the establishment of this trust chain.

You are a security admin for XYZ company. You suspect that company e-mails using the default POP and IMAP e-mail protocols and ports are getting intercepted while in transit. Which of the following ports should you consider using? A. Ports 995 and 993 B. Ports 53 and 22 C. Ports 110 and 143 D. Ports 161 and 16240

A. The default POP3 and IMAP4 ports are 110 and 143, respectively, and traffic on them is cleartext unless the client negotiates STARTTLS. As a security admin, you should move to POP3S on port 995 and IMAPS on port 993, which wrap the session in TLS from the first byte, and disable the cleartext ports once clients have migrated.

What makes a digitally signed message different from an encrypted message? A. The digitally signed message has encryption protections for integrity and nonrepudiation. B. The digitally signed message uses much stronger encryption and is harder to break. C. The encrypted message only uses symmetric encryption. D. There is no difference.

A. A digital signature hashes the message and signs the hash with the sender's private key, so anyone holding the public key can verify integrity, and the sender cannot later deny having signed it (nonrepudiation). Signing does not hide the content: a signed message is still readable in transit unless it is also encrypted.

An intrusion detection system is an example of what control type? A. Detective B. Technical C. Compensating D. Operational

A. The key word in the question is type, making detective the correct answer. If the question asked for the category, the correct answer would be technical.

Where would one look for consensus-developed, secure configuration guidelines for hardening a wide range of technical items? A. CIS B. ISO C. Vendors/manufacturers D. Peers

A. The key word is consensus. CIS has developed a consensus-based set of secure configuration guidelines for hardening a wide range of technical items.

What is the primary purpose of a screened subnet? A. To prevent direct access to secure servers from the Internet B. To provide a place for corporate servers to reside so they can access the Internet C. To create a safe computing environment next to the Internet D. To slow down traffic coming and going to the network

A. The primary purpose of a screened subnet is to provide separation between the untrusted zone of the Internet and the trusted zone of enterprise systems. It does so by preventing direct access to secure servers from the Internet.

What is the primary use of near field communication (NFC)? A. Establishing radio communications over a short proximity B. Communication in sparsely populated areas C. Long-distance connectivity D. Communication in noisy industrial environments

A. The primary use of NFC is to establish radio communications over a short proximity.

Which of the following teams is commonly used for active pen testing? A. Red team B. Black team C. White team D. Green team

A. The red team is a team of offense actors used in penetration testing.

You have been tasked with assisting in the forensic investigation of an incident relating to employee misconduct. The employee's supervisor believes evidence of this misconduct can be found on the employee's assigned workstation. Which of the following choices best describes what should be done? A. Create a timeline of events related to the scope. B. Copy the user profile to reduce the search space. C. Sign in as the user and search through their recent efforts. D. Examine log file entries under the user's profile.

A. The scope defines the boundaries of the investigation, and the timeline shows what a user did within that scope period with respect to items of interest.

A user in your organization is having issues with her laptop. Every time she opens a web browser, she sees different pop-up ads every few minutes. It doesn't seem to matter which websites are being visited— the pop-ups still appear. What type of attack does this sound like? A. A potentially unwanted program (PUP) B. Ransomware C. Worm D. Virus

A. This behavior is often seen in a potentially unwanted program—a type of application that has been bundled with others and is performing tasks that are undesired.

Your network scan is showing a large number of address changes to the MAC tables and lots of ARP and RARP messages. What is happening? A. MAC flooding attack B. Disassociation attack C. Jamming attack D. DNS poisoning

A. This is a MAC flooding attack, an attempt to overflow the switches' MAC (CAM) tables with bogus addresses so that the switch falls back to flooding frames out of every port, letting the attacker sniff traffic it should never see.

Users are reporting that the wireless network on one side of the building is broken. They can connect but can't seem to get to the Internet. While investigating, you notice all of the affected users are connecting to an access point you don't recognize. These users have fallen victim to what type of attack? A. Rogue AP B. WPS C. Bluejacking D. Disassociation

A. This is a rogue AP attack. Attackers set up their own access points in an attempt to get wireless devices to connect to the rogue APs instead of the authorized access points.

You're working with a group testing a new application. You've noticed that when three or more of you click Submit on a specific form at the same time, the application crashes every time. This is most likely an example of which of the following? A. A race condition B. A nondeterministic error C. An undocumented feature D. A DLL injection

A. This is most likely an example of a race condition. A race condition is an error condition that occurs when the output of a function is dependent on the sequence or timing of the inputs. In this case, the application crashes when multiple inputs are submitted at the same time because the application is not receiving the inputs or handling the inputs in the expected order.
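The crash in the question is a symptom; the security-relevant form of the same bug is a check-then-act race that lets concurrent requests pass a validation the application thinks it enforced. The following Go program is an added example, not from the book, of a withdrawal handler with that race beside the mutex-protected version; the Account type, the amounts, and the goroutine-based load generator are all constructed for illustration.

```go
package main

import (
	"fmt"
	"sync"
	"sync/atomic"
)

// Account holds a balance that must never go negative.
type Account struct {
	mu      sync.Mutex
	balance int64
}

// withdrawRacy checks the balance and debits it as two separate steps. Between
// them another request can pass the same check, so simultaneous submissions
// can overdraw the account. (Atomic loads/adds keep this free of data races in
// the memory-model sense; the logic race, check-then-act, is the bug.)
func (a *Account) withdrawRacy(amount int64) bool {
	if atomic.LoadInt64(&a.balance) >= amount { // check
		atomic.AddInt64(&a.balance, -amount) // act, possibly after others acted
		return true
	}
	return false
}

// withdrawSafe performs check and debit inside one critical section.
func (a *Account) withdrawSafe(amount int64) bool {
	a.mu.Lock()
	defer a.mu.Unlock()
	if a.balance >= amount {
		a.balance -= amount
		return true
	}
	return false
}

// runConcurrent releases n withdrawals at the same instant and reports how
// many were approved and the final balance.
func runConcurrent(n int, start, amount int64, safe bool) (approved, final int64) {
	acct := &Account{balance: start}
	release := make(chan struct{})
	var wg sync.WaitGroup
	for i := 0; i < n; i++ {
		wg.Add(1)
		go func() {
			defer wg.Done()
			<-release // all goroutines hit the check at once, widening the window
			var ok bool
			if safe {
				ok = acct.withdrawSafe(amount)
			} else {
				ok = acct.withdrawRacy(amount)
			}
			if ok {
				atomic.AddInt64(&approved, 1)
			}
		}()
	}
	close(release)
	wg.Wait()
	return approved, atomic.LoadInt64(&acct.balance)
}

func main() {
	for i := 0; i < 5; i++ {
		a, f := runConcurrent(20, 100, 30, false)
		fmt.Printf("racy: approved=%d final=%d\n", a, f) // final may be negative
	}
	a, f := runConcurrent(20, 100, 30, true)
	fmt.Printf("safe: approved=%d final=%d\n", a, f) // always approved=3 final=10
}
```

The racy variant's outcome depends on scheduling, which is exactly why the bug in the question only appears when several testers click at once; the safe variant's result is the same on every run. For the web case the "lock" is usually a database transaction or a conditional UPDATE rather than an in-process mutex, but the principle of making the check and the action one atomic step is unchanged.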

Which of the following is a type of social engineering attack in which an attacker attempts to obtain sensitive information from a user by masquerading as a trusted entity in an e-mail? A. Phishing B. Pharming C. Spam D. Vishing

A. This is the definition of phishing, as introduced in the chapter. The key elements are the e-mail delivery and the attacker masquerading as a trusted entity to extract sensitive information. Spam is unsolicited bulk mail that need not impersonate anyone, pharming redirects users to a fraudulent site by tampering with DNS or the hosts file, and vishing is the same lure delivered by voice call.

Which of the following can provide complete traceability to an original transaction without revealing any personal information if disclosed to an outside party? A. Tokenization B. Data sovereignty C. Rights management D. Baseline configuration

A. Tokenization is the use of a random value to take the place of a data element that has traceable meaning. This provides complete traceability to the original transaction, and yet if disclosed to an outside party, it reveals nothing. Data sovereignty relates to a country's specific laws regarding the storage and transmission of personal data. Rights management is the systematic establishment of rules and order to the various rights that users can invoke over digital objects. A baseline configuration is originally created at system creation and is a representation of how the system is supposed to be configured.

You have to implement an OpenID solution. What is the typical relationship with existing systems? A. OpenID is used for authentication, OAuth is used for authorization. B. OpenID is used for authorization, OAuth is used for authentication. C. OpenID is not compatible with OAuth. D. OpenID only works with Kerberos.

A. Typically OpenID is used for authentication, and OAuth is used for authorization; OpenID Connect is the identity layer built on top of OAuth 2.0, so the two are commonly deployed together.

Virtual networking in a cloud environment can include all of the following except? A. VPC endpoint B. Public subnets C. Private subnets D. Network function virtualization

A. VPC endpoints are not part of the virtual network; although they are virtual applications, they are not part of the network per se.

Which of the following items do you as a defender have control over with respect to using threat intelligence to defend your systems? A. Vectors B. Actors C. Threat intelligence sources D. Attributes of actors

A. Vectors is the correct answer because this is the only item you have any direct control over. The other items are real issues, just not ones you have any measure of direct control over.

What is the primary difference between WPA2-Personal and WPA2- Enterprise? A. The use of a pre-shared secret B. The number of concurrent supported users C. Licensing costs on a per-user basis D. The use of SAE for connections

A. WPA2-Personal authenticates every client with the same pre-shared key (PSK), whereas WPA2-Enterprise authenticates each user individually through 802.1X/EAP against a RADIUS server, so there is no shared secret to leak or to rotate when someone leaves.

When a new login request comes from a geographically distant location, for a user with a history of recent local logins, what policy can best help address legitimacy? A. Impossible travel time B. Geolocation C. Network location D. Time-of-day restrictions

A. When a subsequent account access request is received and there is not adequate time for the user to physically move to the new location, it is likely a fraudulent attempt.
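Here is an added example (not from the book) of the impossible-travel check itself: compute the great-circle distance between two logins, divide by the elapsed time, and flag the second login when the implied speed exceeds what any traveller could manage. The login records, coordinates (which a real pipeline would obtain from GeoIP), and the 1000 km/h threshold are constructed for illustration.

```go
package main

import (
	"fmt"
	"math"
	"time"
)

const earthRadiusKm = 6371.0

// Login is one authentication event with a geolocated source address.
type Login struct {
	User     string
	At       time.Time
	Lat, Lon float64 // from GeoIP in a real pipeline; constructed here
}

// haversineKm returns the great-circle distance between two coordinates.
func haversineKm(lat1, lon1, lat2, lon2 float64) float64 {
	toRad := func(d float64) float64 { return d * math.Pi / 180 }
	dLat := toRad(lat2 - lat1)
	dLon := toRad(lon2 - lon1)
	a := math.Sin(dLat/2)*math.Sin(dLat/2) +
		math.Cos(toRad(lat1))*math.Cos(toRad(lat2))*math.Sin(dLon/2)*math.Sin(dLon/2)
	return 2 * earthRadiusKm * math.Asin(math.Sqrt(a))
}

// impliedSpeed returns the km/h needed to travel between two logins. Logins at
// the same instant from different places imply infinite speed; from the same
// place they imply none.
func impliedSpeed(prev, next Login) float64 {
	dist := haversineKm(prev.Lat, prev.Lon, next.Lat, next.Lon)
	hours := next.At.Sub(prev.At).Hours()
	if hours <= 0 {
		if dist < 1 {
			return 0
		}
		return math.Inf(1)
	}
	return dist / hours
}

// impossibleTravel flags the later login when the implied speed exceeds maxKmh.
func impossibleTravel(prev, next Login, maxKmh float64) bool {
	return impliedSpeed(prev, next) > maxKmh
}

// evaluate walks one user's logins in time order and returns the flagged ones.
func evaluate(logins []Login, maxKmh float64) []Login {
	var flagged []Login
	for i := 1; i < len(logins); i++ {
		if impossibleTravel(logins[i-1], logins[i], maxKmh) {
			flagged = append(flagged, logins[i])
		}
	}
	return flagged
}

func main() {
	base := time.Date(2024, 1, 1, 9, 0, 0, 0, time.UTC) // constructed history
	history := []Login{
		{"alice", base, 51.5074, -0.1278},                   // London
		{"alice", base.Add(time.Hour), 40.7128, -74.0060},   // New York, 1 h later
		{"alice", base.Add(3 * time.Hour), 48.8566, 2.3522}, // Paris, 2 h after that
	}
	for _, l := range evaluate(history, 1000) {
		fmt.Printf("flag %s at %s: %.0f km/h implied\n", l.User, l.At.Format(time.RFC3339),
			impliedSpeed(history[0], l))
	}
}
```

Tune the threshold to your population: corporate VPN egress, mobile carrier NAT, and cloud proxies all move a user's apparent location without moving the user, so treat a hit as a step-up-authentication trigger rather than an automatic lockout.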

From the initial step in the forensics process, the most important issue must always be which of the following? A. Preservation of the data B. Chain of custody C. Documenting all actions taken D. Witness preparation

A. While all of these are important, from the initial step in the forensics process, the most important issue must always be preservation of the data.

Which is the most critical element in understanding your current cloud security posture? A. Cloud service agreement B. Networking security controls C. Encryption D. Application security

A. While many things are involved in cloud security, they all start on the foundation of the cloud services agreement, which describes all of the terms of service.

You've spent the last week tweaking a fingerprint-scanning solution for your organization. Despite your best efforts, roughly 1 in 50 attempts will fail, even if the user is using the correct finger and their fingerprint is in the system. Your supervisor says 1 in 50 is "good enough" and tells you to move on to the next project. Your supervisor just defined which of the following for your fingerprint scanning system? A. False rejection rate B. False acceptance rate C. Critical threshold D. Failure acceptance criteria

A. Your supervisor just defined the false rejection rate (FRR) for your system. The FRR is the level of false negatives, or rejections, that are going to be allowed in the system. In this case, your supervisor is willing to accept one false rejection for every 50 attempts.

Which of the following are not U.S. laws associated with cybersecurity? (Choose all that apply.) A. CFAA B. PCI DSS C. GDPR D. Sarbanes Oxley (SOX)

B and C. PCI DSS is a contractual standard imposed by the payment card brands, not a law, and GDPR is an EU regulation, not a U.S. law. The CFAA and SOX are U.S. federal statutes.

Which of the following are security control lists that can be employed in an enterprise? (Choose all that apply.) A. ISO 27001 B. CSA CCM C. CIS top 20 list D. NIST RMF

B and C. The Cloud Security Alliance Cloud Controls Matrix is a list of security controls associated with cloud deployments. The CIS top 20 list is an ordered set of security controls for the enterprise (the current CIS Controls v8 consolidates it to 18 controls). Both ISO 27001 and NIST RMF are procedural documents, not listings of controls.

When you're creating a website, which of the following will provide protection against user attacks against your site? (Choose all that apply.) A. Tokenization B. HTTP headers C. Code signing D. Fuzzing

B and D. Security-related HTTP response headers (for example Content-Security-Policy, Strict-Transport-Security, and X-Content-Type-Options) tell browsers not to perform actions the protocol allows but the site does not want, such as framing the page or sniffing content types. Fuzzing feeds malformed and unexpected input to the application to expose input-validation errors before an attacker does. Tokenization protects stored data and code signing protects the integrity of distributed code; neither stops a user from attacking the site.
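For the headers half of that answer, here is an added example (not from the book) of a Go net/http middleware that sets a baseline of security headers, plus an audit function that lists which of them a response lacks. The header set and values are this example's choices; the CSP in particular is a placeholder that has to be tuned to the origins a real site loads from.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// requiredHeaders is the baseline this example enforces. The CSP value is a
// placeholder: tune it to the origins the site really loads from.
var requiredHeaders = []struct{ Name, Value string }{
	{"Content-Security-Policy", "default-src 'self'; object-src 'none'; frame-ancestors 'none'"},
	{"Strict-Transport-Security", "max-age=31536000; includeSubDomains"},
	{"X-Content-Type-Options", "nosniff"},
	{"X-Frame-Options", "DENY"},
	{"Referrer-Policy", "no-referrer"},
}

// secureHeaders wraps any handler and sets the headers before the body is
// written; headers added after the first Write are silently dropped by net/http.
func secureHeaders(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		for _, h := range requiredHeaders {
			w.Header().Set(h.Name, h.Value)
		}
		next.ServeHTTP(w, r)
	})
}

// missingHeaders audits a response and lists the required headers it lacks.
func missingHeaders(h http.Header) []string {
	var missing []string
	for _, req := range requiredHeaders {
		if h.Get(req.Name) == "" {
			missing = append(missing, req.Name)
		}
	}
	return missing
}

// serve runs one GET through a handler in-process and returns the response.
func serve(h http.Handler, path string) *http.Response {
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, httptest.NewRequest(http.MethodGet, path, nil))
	return rec.Result()
}

func main() {
	app := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Write([]byte("hello"))
	})
	fmt.Println("unwrapped, missing:", missingHeaders(serve(app, "/").Header))
	fmt.Println("wrapped, missing:  ", missingHeaders(serve(secureHeaders(app), "/").Header))
}
```

Two caveats a practitioner will hit: Strict-Transport-Security is only honoured by browsers on responses received over HTTPS, and a handler that writes the body before the middleware runs (or sets headers after writing) loses them, which is why the audit function is worth running in tests rather than trusting the middleware by inspection.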

Which of the following statements are true in regard to a clean desk policy for security? (Choose all that apply.) A. While a clean desk policy makes for a pleasant work environment, it actually has very little impact on security. B. Sensitive information must not be left unsecured in the work area when the worker is not present to act as custodian. C. Even leaving the desk area and going to the bathroom can leave information exposed and subject to compromise. D. A clean desk policy should identify and prohibit things that are not obvious upon first glance, such as passwords on sticky notes under keyboards and mouse pads.

B, C, and D. A clean desk policy can actually have a positive impact on security for the reasons listed.

Guidance for setting up and operating computer systems to a secure level that is understood and documented can be obtained from which of the following? (Choose all that apply.) A. ISO B. CIS C. Government sources D. Vendors/manufacturers

B, C, and D. Benchmarks and secure configuration guides offer guidance for setting up and operating computer systems to a secure level that is understood and documented. There are numerous sources for these guides, but three main sources exist for a large number of these systems. You can get benchmark guides from manufacturers of the software, from the government, and from an independent organization such as the Center for Internet Security (CIS) or the Cloud Security Alliance (CSA). ISO is a standards organization and does not deal with specific implementation details.

Your boss has asked you to set up wireless connectivity at a new company location. However, she is concerned about planning, coverage, and security regarding AP placement. She wants you to ensure coverage and address security concerns. Which of the following should you consider using while setting up this new location? (Select three.) A. RADIUS federation B. Site survey C. Wi-Fi analyzer D. Heat map

B, C, and D. Professional site surveys, Wi-Fi analyzers, and heat maps are used during wireless network installation to plan access point (AP) placement so that coverage and security concerns are both addressed. Answer A is incorrect because RADIUS federation allows users to use their normal credentials across trusted networks; it does not help with placement or coverage.

What is the security benefit of a Faraday cage? A. Prevents attack by EMP B. Prevents accessing a device using a wireless network or cell connection C. Works better than anti-scale fencing D. Prevents stack overflows by EMI

B. A Faraday cage can prevent accessing a device via radio frequency waves, either from a wireless network or cell radio.

A network-based intrusion prevention system (NIPS) relies on what other technology at its core? A. VPN B. IDS C. NAT D. ACL

B. A NIPS relies on the technology of an intrusion detection system (IDS) at its core to detect potential attacks.

Which of the following is a description of a business partnership agreement (BPA)? A. A negotiated agreement between parties detailing the expectations between a customer and a service provider B. A legal agreement between entities establishing the terms, conditions, and expectations of the relationship between the entities C. A specialized agreement between organizations that have interconnected IT systems, the purpose of which is to document the security requirements associated with the interconnection D. A written agreement expressing a set of intended actions between the parties with respect to some common pursuit or goal

B. A business partnership agreement is a legal agreement between entities establishing the terms, conditions, and expectations of the relationship between the entities.

Having an expired certificate is an example of what type of error? A. Mobile device management B. Configuration C. Application whitelisting D. Content filter/URL filter

B. A certificate error is typically caused by a configuration error associated with the certificate.

Which of the following is not PII? A. Customer name B. Customer ID number C. Customer Social Security number or taxpayer identification number D. Customer birth date

B. A customer ID number generated by a firm to track customer records is meaningful only inside the firm and is generally not considered to be personally identifiable information (PII). Note that it is important not to use Social Security numbers for this, for obvious reasons.

What is a disadvantage of infrared (IR) technology? A. It has a high data rate. B. It cannot penetrate solid objects. C. It can penetrate walls. D. It uses a slow encryption technology.

B. A disadvantage of IR technology is that it cannot penetrate solid objects.

What is the primary downside of a private cloud model? A. Restrictive access rules B. Cost C. Scalability D. Lack of vendor support

B. A private cloud model is considerably more expensive, as it is a dedicated resource, negating some of the advantages of outsourcing the infrastructure in the first place.

When an attacker captures network traffic and retransmits it at a later time, what type of attack are they attempting? A. Denial-of-service attack B. Replay attack C. Bluejacking attack D. Man in the middle attack

B. A replay attack occurs when the attacker captures a portion of the communication between two parties and retransmits it at a later time. For example, an attacker might replay the commands and codes used in a financial transaction to cause the transaction to be executed again. Replay attacks are generally aimed at circumventing authentication, such as capturing and reusing an authentication ticket or session token, which is why protocols bind messages to a nonce, counter, or timestamp that the receiver has not seen before.
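The two answers on digital signatures and replay attacks fit one example: a signature proves who sent a message and that it was not altered, but by itself it does not stop the same valid message from being delivered twice, and it does not hide the content. The Go program below is an added example (not from the book) using the standard library's Ed25519: it binds a nonce into the signed bytes, and the receiver rejects both a tampered message and a replayed one. The Message format, the Receiver type, and the sample command strings are this example's own constructions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

var (
	ErrBadSignature = errors.New("signature does not verify")
	ErrReplay       = errors.New("nonce already seen: replay")
)

// Message is signed but not encrypted: Body travels in the clear.
type Message struct {
	Nonce uint64
	Body  string
}

// encode binds the nonce to the body so neither can be swapped on its own.
func encode(m Message) []byte {
	buf := make([]byte, 8, 8+len(m.Body))
	binary.BigEndian.PutUint64(buf, m.Nonce)
	return append(buf, m.Body...)
}

func sign(priv ed25519.PrivateKey, m Message) []byte {
	return ed25519.Sign(priv, encode(m))
}

// Receiver verifies signatures and remembers every nonce it has accepted.
type Receiver struct {
	pub  ed25519.PublicKey
	seen map[uint64]bool
}

func NewReceiver(pub ed25519.PublicKey) *Receiver {
	return &Receiver{pub: pub, seen: map[uint64]bool{}}
}

// Accept checks the signature first, so unauthenticated garbage can never fill
// the seen set, then refuses any nonce it has already processed.
func (r *Receiver) Accept(m Message, sig []byte) error {
	if !ed25519.Verify(r.pub, encode(m), sig) {
		return ErrBadSignature // body or nonce altered, or wrong key
	}
	if r.seen[m.Nonce] {
		return ErrReplay // genuine message, but already executed once
	}
	r.seen[m.Nonce] = true
	return nil
}

// demo runs the three deliveries and returns the receiver's verdict on each.
func demo() (fresh, replay, tampered error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	rx := NewReceiver(pub)
	m := Message{Nonce: 1, Body: "transfer 100 to bob"} // constructed command
	sig := sign(priv, m)
	fresh = rx.Accept(m, sig)  // first delivery: accepted
	replay = rx.Accept(m, sig) // attacker resends the same bytes: rejected
	forged := Message{Nonce: 2, Body: "transfer 100 to mallory"}
	tampered = rx.Accept(forged, sig) // new content under the old signature: rejected
	return fresh, replay, tampered
}

func main() {
	fresh, replay, tampered := demo()
	fmt.Println("fresh:", fresh, "| replay:", replay, "| tampered:", tampered)
	fmt.Printf("bytes on the wire (readable): %q\n",
		encode(Message{Nonce: 1, Body: "transfer 100 to bob"}))
}
```

The seen-nonce map grows without bound; real protocols use a monotonically increasing counter (reject anything not greater than the last accepted value) or a timestamp plus a short-lived cache so the receiver's state stays small.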

Which of the following is a system component whose failure or malfunctioning could result in the failure of the entire system? A. Mean time between failures B. Single point of failure C. Single-loss expectancy D. Likelihood of occurrence

B. A single point of failure is any aspect of a system that, if triggered, could result in the failure of the entire system. Mean time between failures (MTBF) is a common measure of reliability of a system and is an expression of the average time between system failures. Single loss expectancy (SLE) is the expected loss from the occurrence of a risk on an asset. The likelihood of occurrence is the chance that a particular risk will occur.

If you wish to monitor 100 percent of the transmissions from your customer service representatives to the Internet and other internal services, which is the best tool to use? A. SPAN port B. TAP C. Mirror port D. Aggregator switches

B. A test access point (TAP) is required to monitor 100 percent of the transmissions from your customer service representatives to the Internet and other internal services.

Which of the following is a very important aspect to always remember when dealing with security of medical devices? A. They are still relatively new in their usage. B. They can directly affect human life. C. Security is not related to safety. D. They are almost exclusively stand-alone devices, without Internet connectivity.

B. A very important aspect to always remember when dealing with security of medical devices is that they can directly affect human life.

Which of the following is a weakness of cellular technology? A. Multiple vendors in a nationwide network B. Less availability in rural areas C. Multiple cell towers in close proximity in urban areas D. Strong signals in areas of reasonable population

B. A weakness of cellular technology is that it is less available in rural areas.

What type of threat exploits system and application vulnerabilities that are unknown to software developers and even anti-malware manufacturers? A. An on-premises attack B. A zero-day attack C. A cloud-based attack D. A legacy platform attack

B. A zero-day attack exploits system and application vulnerabilities that are unknown to others except the person who found it. The other answer options are not attack types. Vulnerabilities can exist on premises or be cloud based, and legacy platforms is the term used to describe systems that are no longer being marketed or supported.

A user wants to know if the network is down because she is unable to connect to anything. While troubleshooting, you notice the MAC address for her default gateway setting doesn't match the MAC address of your organization's router. What type of attack has been used against this user? A. MAC cloning B. ARP poisoning C. Disassociation D. Rogue access point

B. ARP poisoning is an attack that involves sending spoofed ARP or RARP replies to a victim in an attempt to alter the ARP table on the victim's system. If successful, an ARP poisoning attack replaces one or more MAC addresses in the victim's ARP table with the MAC address the attacker supplies in the spoofed responses, so traffic for the gateway is delivered to the attacker instead.
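The MAC flooding question earlier and this ARP poisoning question describe two layer-2 attacks that a capture of switch-port traffic can reveal. The Go program below is an added example (not from the book) of both checks run over a constructed set of frames: it flags ARP replies that claim the gateway's IP from a MAC other than the known router, and it counts distinct source MACs per switch port to spot a CAM-table overflow attempt. The Frame record, the port names, the gateway address, and the sample capture are all constructed for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// Frame is one observed Ethernet frame, reduced to the fields the checks need.
type Frame struct {
	Port     string // switch port the frame arrived on
	SrcMAC   string // Ethernet source address
	ARPReply bool   // true if the frame carried an ARP reply
	SenderIP string // ARP sender protocol address (ARP frames only)
}

// gatewaySpoofs returns ARP replies that claim the gateway IP from an
// unexpected MAC. Comparison is case-insensitive because tools differ in case.
func gatewaySpoofs(frames []Frame, gatewayIP, gatewayMAC string) []Frame {
	var hits []Frame
	for _, f := range frames {
		if f.ARPReply && f.SenderIP == gatewayIP && !strings.EqualFold(f.SrcMAC, gatewayMAC) {
			hits = append(hits, f)
		}
	}
	return hits
}

// macFloodPorts counts distinct source MACs per port and returns only the
// ports above threshold, which is the signature of a CAM-table overflow.
func macFloodPorts(frames []Frame, threshold int) map[string]int {
	perPort := map[string]map[string]bool{}
	for _, f := range frames {
		if perPort[f.Port] == nil {
			perPort[f.Port] = map[string]bool{}
		}
		perPort[f.Port][strings.ToLower(f.SrcMAC)] = true
	}
	out := map[string]int{}
	for port, macs := range perPort {
		if len(macs) > threshold {
			out[port] = len(macs)
		}
	}
	return out
}

// sampleCapture is constructed data: the real gateway answering, a host on
// another port spoofing the gateway, and a port spewing 300 random source MACs.
func sampleCapture() []Frame {
	frames := []Frame{
		{Port: "Gi1/1", SrcMAC: "aa:bb:cc:00:00:01", ARPReply: true, SenderIP: "10.0.0.1"}, // real router
		{Port: "Gi1/2", SrcMAC: "aa:bb:cc:00:00:02"},
		{Port: "Gi1/5", SrcMAC: "de:ad:be:ef:00:01", ARPReply: true, SenderIP: "10.0.0.1"}, // spoof
	}
	for i := 0; i < 300; i++ {
		frames = append(frames, Frame{
			Port:   "Gi1/7",
			SrcMAC: fmt.Sprintf("02:00:00:%02x:%02x:%02x", (i>>16)&0xff, (i>>8)&0xff, i&0xff),
		})
	}
	return frames
}

func main() {
	frames := sampleCapture()
	for _, f := range gatewaySpoofs(frames, "10.0.0.1", "aa:bb:cc:00:00:01") {
		fmt.Printf("ARP spoof: %s claims gateway 10.0.0.1 on port %s\n", f.SrcMAC, f.Port)
	}
	for port, n := range macFloodPorts(frames, 50) {
		fmt.Printf("MAC flood: %d distinct source MACs on port %s\n", n, port)
	}
}
```

Both signals have benign look-alikes: a replaced router or an HSRP/VRRP virtual MAC changes the gateway's address legitimately, and a port feeding a hypervisor or another switch carries many MACs by design, so confirm a hit against your inventory before acting. On the switch itself, port security (a per-port MAC limit) and dynamic ARP inspection prevent these attacks rather than merely detecting them.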

Your organization is revamping its account management policies and you've been asked to clarify the difference between account disablement and account lockout. Which of the following statements best describes that difference? A. Account disablement removes the user and all their data files; account lockout does not. B. Account lockout typically only affects the ability to log in; account disablement removes all privileges. C. Account lockout is permanent; account disablement is easily reversible. D. Account disablement requires administrative privileges to execute; account lockout can be performed by any user.

B. Account disablement is a step down from removing an account completely. While the account (and associated data files) still exist on the system, the account itself is disabled and has no privileges to access the system. Account lockout typically only affects logon privileges. Performing a temporary account lockout is a common approach to thwarting brute force password-guessing attacks.

Understanding how an attacker operates so that you can develop a defensive posture is done through the use of which of the following? A. Predictive analysis B. TTPs C. Threat maps D. Automated Indicator Sharing

B. Adversary tactics, techniques, and procedures (TTPs) provide details on how an adversary operates.

You have a series of web servers that you wish to harden. Which of the following is the best solution for this case? A. A block list/deny list B. An allow list C. Secure cookies D. Code signing

B. Allow lists are ideally suited for single-purpose servers, as the applications that are to be allowed to execute are known in advance.

When doing incident response for your company, you review the forensics of several virtual servers and you see the attacker on the web server injecting code into uninitialized memory blocks. What attack is the attacker likely attempting? A. Denial-of-service attack on the hypervisor B. VM escape C. Containerization attack D. Crashing the CASB

B. Although hypervisors actively try to prevent it, any flaw in memory handling could allow code placed maliciously in a block to be read or executed by the hypervisor or another guest; breaking out of a guest in this way is a VM escape. The scenario states virtual servers, eliminating answers C and D, and code placed in uninitialized memory would not by itself cause a denial of service, eliminating answer A.

With regard to authentication, an access token falls into which factor category? A. Something you are B. Something you have C. Something you know D. Something you see

B. An access token is a physical object that identifies specific access rights, and in authentication it falls into the "something you have" factor category.

Information that could disclose the identity of a customer is referred to as what? A. Customer identity information (CII) B. Personally identifiable information (PII) C. Privacy protected information (PPI) D. Sensitive customer information (SCI)

B. Any information that can be used to determine identity is referred to collectively as personally identifiable information (PII).

Your security system has identified a specific executable as potentially dangerous. What is the best way to handle the specific item that was identified? A. Segmentation B. Quarantine C. Firewall rule D. Playbook

B. Because the item is an object, quarantine applies. Other methods of isolation belong to networks and systems.

What frequency spectrum does Bluetooth use? A. 1.7 GHz B. 2.4 GHz C. 5 GHz D. 6.4 GHz

B. Bluetooth uses the 2.4-GHz frequency spectrum.

Which of the following is the name often used to describe the process of addressing the questions associated with sources of risk, their impacts, and the steps taken to mitigate them in the enterprise? A. Risk assessment B. Business impact analysis C. Threat assessment D. Penetration test

B. Business impact analysis (BIA) is the name often used to describe a document created by addressing the questions associated with sources of risk and the steps taken to mitigate them in the enterprise. A risk assessment is a method to analyze potential risk based on statistical and mathematical models. A common method is the calculation of the annual loss expectancy (ALE). A threat assessment is a structured analysis of the threats that confront an enterprise. Penetration tests are used by organizations that want a real-world test of their security.

A site survey will reveal all of the following except which one? A. Optimal access point placement B. Captive portal location C. Channel allocations D. Link speeds across the site

B. Captive portals are software-driven locations a user is pointed to, not part of the physical Wi-Fi configuration.

You wish to create an access control scheme that enables the CFO to access financial data from his machine, but not from the machine in the reception area of the lobby. Which access control model is best suited for this? A. Role-based access control B. Conditional access control C. Mandatory access control D. Discretionary access control

B. Conditional access control models allow differing access control schemes based on specific conditions beyond just user account.

What is the term for the set of steps needed to develop a comprehensive plan to enact during a situation where normal operations are interrupted? A. Disaster recovery B. Continuity of operations planning C. Incident response planning D. Restoration of business functions planning

B. Continuity of operations planning is the set of steps needed to develop a comprehensive plan to enact during a situation where normal operations are interrupted. Disaster recovery is the process that an organization uses to recover from events that disrupt normal operations. An incident response plan describes the steps an organization performs in response to any situation determined to be abnormal in the operation of a computer system. Restoration of business functions planning is not a standard term used in recovery planning.

Which type of security control is used after the event, in an effort to minimize the extent of damage? A. Deterrent B. Corrective C. Preventative D. Detective

B. Corrective controls are used after the event, in an effort to minimize the extent of damage. A deterrent control acts to influence the attacker by reducing the likelihood of success. A preventative control is one that prevents specific actions from occurring. A detective control is one that facilitates the detection of a security breach.

A user reports to the help desk that he is getting "cannot resolve address" error messages from his browser. Which port is likely a problem on his firewall? A. 22 B. 53 C. 161 D. 162

B. Domain Name System (DNS) uses UDP port 53 for ordinary queries and TCP port 53 for zone transfers and responses too large for UDP; both should be open on the firewall in this scenario. Secure Shell (SSH) uses TCP port 22 as its default port. SNMP uses UDP port 161 for agent queries and UDP port 162 for traps.

You have deployed a network of Internet-connected sensors across a wide geographic area. These sensors are small, low-power IoT devices, and you need to perform temperature conversions and collect the data into a database. The calculations would be best managed by which architecture? A. Fog computing B. Edge computing C. Thin client D. Decentralized database in the cloud

B. Edge computing on the way to the cloud would be the best fit given the lightweight processing capability of the IoT devices.

Which of the following statements is not true? A. Embedded systems are designed with a single control purpose in mind and typically have no additional functionality. B. Embedded systems are free of risk and security concerns. C. Embedded is the name given to a computer that is included as an integral part of a larger system. D. Embedded systems can be as complex as the dozens of interconnected embedded systems in a modern automobile.

B. Embedded systems are not free of risk or security concerns, as hackers have demonstrated.

Which phase of the incident response process involves removing the problem? A. Identification B. Eradication C. Recovery D. Mitigation

B. Eradication involves removing the problem, and in today's complex system environment, this may mean rebuilding a clean machine. The act of identification is coming to a decision that the information related to the incident is worthy of further investigation by the IR team. The recovery process includes the steps necessary to return the systems and applications to operational status. Mitigation is not a phase in the incident response process.

After a physical security incident, what critical data can security guards commonly provide? A. Employee ID information B. Access logs of who has entered and exited the building C. Alarm codes D. Blueprints showing unmonitored areas of the building

B. Guards commonly have logs of who has entered and exited a building.

What is the purpose of HTTPS? A. To allow enumeration and monitoring of network resources B. To use SSL or TLS to encrypt a channel over which HTTP traffic is transmitted C. To implement Single Sign-On D. To enhance communication protocols

B. HTTPS uses SSL or TLS to encrypt a channel over which HTTP traffic is transmitted.

Your company has had bad press concerning its support (or lack of support) for a local social issue. Which type of hacker would be the most likely threat to attack or deface your website with respect to this issue? A. State actor B. Hacktivist C. Black hat D. Competitor

B. Hacktivists are hackers that are pursuing a mission associated with a cause.

High availability is dependent on which of the following? A. Secrets management B. Dynamic resource allocation C. Container security D. CASB

B. High availability depends on the ability of the cloud to reallocate resources in the event of a failure; this is one of the functions of dynamic resource allocation.

What distinguishes high availability systems? A. The ability to change with respect to usage conditions B. The ability to process, even in times of disruption C. Automated backups and recovery functions D. The use of diversity to mitigate single threats

B. High availability systems continue to process data even when disrupting events occur.

If you need to perform operations such as addition on encrypted elements, what type of encryption scheme would you use? A. Asymmetric B. Homomorphic C. Stream D. Lightweight

B. Homomorphic schemes allow computations on encrypted elements.

Which of the following is not a state of data in the enterprise? A. At rest B. In storage C. In processing D. In transit/motion

B. In storage is not a correct term used in describing the states of data. The correct states are at rest, in transit/motion, and in processing.

What is the term used to describe the steps an organization performs after any situation determined to be abnormal in the operation of a computer system? A. Computer/network penetration incident plan B. Incident response plan C. Backup restoration and reconfiguration D. Cyber event response

B. Incident response plan is the term used to describe the steps an organization performs in response to any situation determined to be abnormal in the operation of a computer system.

Industry-standard frameworks are primarily useful for which of the following purposes? A. Aligning with an audit-based standard B. Aligning IT and security with the enterprise's business strategy C. Providing high-level organization over processes D. Creating diagrams to document system architectures

B. Industry-standard frameworks provide a method to align IT and security with the enterprise's business strategy.

Why is physical security important to protecting data? A. Physical access to data will negate the security advantages of the cloud. B. Information resides on physical assets, linking physical and information security. C. Social engineering can negate any information security controls. D. None of the above.

B. Information resides on physical assets, linking physical security with the security of information.

Which of the following statements is true about HVAC and building automation systems? A. They have not been exploited to any significant degree yet. B. Interconnecting these systems and using Internet-based central control mechanisms increases the risk profile from outside attacks. C. Having a "smart building" that reduces the use of building resources in accordance with the number and distribution of people inside has not increased efficiency or reduced costs. D. The rise of hyper-connectivity has introduced no additional security concerns.

B. Interconnecting HVAC and building automation systems and using Internet-based central control mechanisms to manage them increases the risk profile from outside attacks.

What tool can be used to read system log data in Linux systems? A. Any text editor B. Journalctl C. Web browser D. Protocol analyzer

B. Journalctl can read system logs on Linux systems.

What is the purpose of Lightweight Directory Access Protocol Secure (LDAPS)? A. It leverages encryption protections of SSH to secure FTP transfers. B. It uses an SSL/TLS tunnel to connect LDAP services. C. It digitally signs DNS records. D. It provides both symmetric and asymmetric encryption.

B. LDAPS uses an SSL/TLS tunnel to connect LDAP services.

Your organization needs a system for restricting access to files based on the sensitivity of the information in those files. You might suggest which of the following access control systems? A. Discretionary access control B. Mandatory access control C. Confidential access control D. File-based access control

B. Mandatory access control (MAC) is a system used in environments with different levels of security classifications. Access to objects (like files) is based on the sensitivity of the information contained in those objects and the authorization of the user to access information with that level of sensitivity.

To best understand which machines are talking to each other, which of the following should be used? A. DNS logs B. NetFlow C. Network logs D. SIEM alerts

B. NetFlow data describes which machines are talking to which machines.

To protect software from reverse engineering by attackers, developers can use which of the following? A. Dead code B. Obfuscation C. Binary diversity D. Stored procedures

B. Obfuscation is the technique of hiding properties to prevent examination. Making code hard to decompile and not storing any specific clues in the source code can make reverse engineering a challenge.

You want to get specific information on a specific threat that you have read about in your online newsfeed on your phone. Which of the following is the best source for detailed information? A. Vulnerability database B. Open source intelligence C. Dark web D. Predictive analysis

B. Open source intelligence is the best answer. Because you are looking for threat information, this eliminates vulnerability information as an answer. The dark web may or may not have information, and you would have to find it, and predictive analysis needs the information you seek in order to function.

You are seeing a bunch of PDFs flood people's inboxes with titles such as "New Tax Rates for 2021." What attack vector is most likely in use? A. Python B. Macro C. Man in the middle D. DDoS

B. PDFs have macro capability and can execute a variety of code bases if allowed.

To prevent the loss of a single message due to accidental decryption from affecting other encrypted messages, which of the following properties is needed? A. Stream encryption B. Perfect forward secrecy C. Entropy D. Obfuscation

B. Perfect forward secrecy (PFS) is a property of a public key system in which a key derived from another key is not compromised even if the originating key is compromised in the future.

One of the primary resources in use at your organization is a standard database that many applications tie into. Which cloud deployment model is best for this kind of application? A. SaaS B. PaaS C. IaaS D. None of the above

B. Platform as a Service is suitable for standard resources in use by many other applications.

A PDU provides management of what in an enterprise? A. Redundant backup processing B. Power distribution to servers C. Improved network connection to data storage D. Load balancing

B. Power distribution units provide a centralized means of managing and monitoring the power delivered to servers in a rack.

Data that is labeled "proprietary" typically pertains to what category? A. Information under legal hold B. Information to be safeguarded by business partners because it contains business secrets C. Personal data D. PHI and PII together

B. Proprietary data may be shared with a third party that is not a competitor, but in labeling the data "proprietary," you alert the party you have shared with that the data is not to be shared further.

When a program is installed and needs permissions, what is this called? A. Staging B. Provisioning C. Continuous integration D. Version control

B. Provisioning is the assignment of permissions or authorities to objects.

How can proxy servers improve security? A. They use TLS-based encryption to access all sites. B. They can control which sites and content employees access, lessening the chance of malware exposure. C. They enforce appropriate use of company resources. D. They prevent access to phishing sites.

B. Proxy servers can improve security by limiting the sites and content accessed by employees, thus limiting the potential access to malware.

Which type of evidence is also known as associative or physical evidence and includes tangible objects that prove or disprove a fact? A. Direct evidence B. Real evidence C. Documentary evidence D. Demonstrative evidence

B. Real evidence is also known as associative or physical evidence and includes tangible objects that prove or disprove a fact. Physical evidence links the suspect to the scene of a crime. Direct evidence is oral testimony that proves a specific fact (such as an eyewitness's statement). The knowledge of the facts is obtained through the five senses of the witness, with no inferences or presumptions. Evidence in the form of business records, printouts, manuals, and similar objects, which make up much of the evidence relating to computer crimes, is documentary evidence. Demonstrative evidence is used to aid the jury and can be in the form of a model, experiment, chart, and so on, offered to prove that an event occurred.

Which of the following is the best description of risk? A. The cost associated with a realized risk B. The chance of something not working as planned C. Damage that is the result of unmitigated risk D. The level of concern one places on the well-being of people

B. Risk is the chance of something not working as planned and causing an adverse impact. Impact is the cost associated with a realized risk. Property damage can be the result of unmitigated risk. Safety is when you consider the level of concern one places on the well-being of people.

To secure communications during remote access of a system, one can use which of the following tools? A. OpenSSL B. SSH C. dd D. tcpdump

B. SSH encrypts the communication channel across the path its packets take.

Secure web gateways operate by inspecting at what point in the communication channel? A. Security group membership B. Application layer C. Instance awareness D. API inspection

B. SWGs operate at the application layer, making application layer determinations of suitability.

The policies and procedures employed to connect the IAM systems of the enterprise and the cloud to enable communication with the data are referred to as what? A. API inspection and integration B. Secrets management C. Dynamic resource allocation D. Container security

B. Secrets management is the name used to denote the policies and procedures employed to connect the IAM systems of the enterprise and the cloud to enable communication with the data.

What is the only sure method of ensuring input is valid before use on a server? A. Use of third-party libraries and software development kits B. Server-side validation C. Stored procedures D. Client-side validation

B. Server-side validation is the only sure validation method for inputs to the application.

What is a primary problem with biometrics? A. Technically, biometrics are difficult to implement. B. The human body changes over time. C. Biometrics are easily faked. D. Biometrics can't be loaned or delegated.

B. Some biometric features can change over time, or medical conditions can make them less reliable, thus forcing a re-identification phase to resync a user and their biometric.

Which of the following is important to consider when specifically examining configuration management? A. Data loss prevention B. Standard naming conventions C. Rights management D. Hashing

B. Standard naming conventions improve the communication of critical elements, thus enabling better configuration management activities.

Which category of control is most likely to be automated? A. Corrective B. Technical C. Operational D. Compensating

B. Technical controls are the most likely to be automated, as they are machine based.

Which of the following is the fastest category of control when responding to a known threat? A. Operational B. Technical C. Administrative D. Managerial

B. Technical controls can be automated and can thus be the fastest to respond to an incident.

The X.509 standard applies to which of the following? A. SSL providers B. Digital certificates C. Certificate revocation lists D. Public key infrastructure

B. The X.509 standard is used to define the properties of digital certificates.

A colleague has been urging you to download a new animated screensaver he has been using for several weeks. While he is showing you the program, the cursor on his screen moves on its own and a command prompt window opens and quickly closes. You can't tell what, if anything, was displayed in that command prompt window. Your colleague says, "It's been doing that for a while, but it's no big deal." Based on what you've seen, you suspect the animated screensaver is really what type of malware? A. A worm B. A trojan C. Ransomware D. Spyware

B. The animated screensaver is most likely a trojan. The software appears to do one thing, but contains hidden, additional functionality. Your colleague brought the trojan "inside the walls" when he downloaded and installed the software on his desktop.

Which of the following is a representation of the frequency of an event, measured in a standard year? A. Annual loss expectancy (ALE) B. Annualized rate of occurrence (ARO) C. Single-loss expectancy (SLE) D. Annualized expectancy of occurrence (AEO)

B. The annualized rate of occurrence (ARO) is a representation of the frequency of the event, measured in a standard year. The annual loss expectancy (ALE) is calculated by multiplying the single-loss expectancy (SLE) by the likelihood or number of times the event is expected to occur in a year. The SLE is calculated by multiplying the asset value times the exposure factor. Annualized expectancy of occurrence (AEO) is not a term used in the cybersecurity industry.

What is the term used to describe the process that accounts for all persons who handled or had access to a piece of evidence? A. Secure e-discovery B. Chain of custody C. Evidence accountability process D. Evidence custodianship

B. The chain of custody accounts for all persons who handled or had access to the evidence.

How does a hypervisor enable multiple guest operating systems to run concurrently on a host computer? A. Via a specialized driver package B. By abstracting the hardware from the guest operating system C. By providing specific virtual hardware to each guest OS D. By hiding the underlying Linux operating system

B. The hypervisor abstracts the hardware from the guest operating system to enable multiple guest operating systems to run concurrently on a host computer.

You have been asked to prepare a report on network-based intrusion detection systems that compares the NIDS solutions from two potential vendors your company is considering. One solution is signature based and one is behavior based. Which of the following lists what your report will identify as the key advantage of each? A. Behavioral: low false-negative rate; Signature: ability to detect zero-day attacks B. Behavioral: ability to detect zero-day attacks; Signature: low false-positive rates C. Behavioral: high false-positive rate; Signature: high speed of detection D. Behavioral: low false-positive rate; Signature: high false-positive rate

B. The key advantage of a behavior-based NIDS is its ability to detect zero-day attacks, whereas the key advantage of a signature-based NIDS is low false-positive rates.

What is an example of a human-based screened subnet (DMZ)? A. A visitor's lobby that is separated from a company office by a receptionist B. Hallways between the company lobby and offices C. A server room with a locked door D. The networking cabinets in the facility

B. The lobby is part of the outside environment, so the hallways are the better choice. Server rooms and networking rooms are the more secured spaces.

What is the most important first step in a penetration test? A. OSINT B. Rules of engagement C. Reconnaissance D. Privilege escalation

B. The rules of engagement describe the scope of an engagement and provide important information regarding contacts and permissions. Obtaining these rules is essential before any pen test work begins.

Which cloud deployment model has the fewest security controls? A. Private B. Public C. Hybrid D. Community

B. The shared environment of a public cloud has the least amount of security controls.

What is the most secure means of establishing connectivity to a Wi-Fi access point? A. CCMP B. SAE protocol C. WPA2 D. IEEE 802.1X

B. The use of SAE, part of WPA3, is currently the most secure way to establish a connection via wireless.

A system-focused set of predetermined automation steps is an example of what? A. Isolation B. Runbook C. Playbook D. Firewall rules

B. The wording "system-focused" points to a runbook. A playbook is business process focused.

Users at your organization are complaining about slow systems. Examining several of them, you see that CPU utilization is extremely high and a process called "btmine" is running on each of the affected systems. You also notice each of the affected systems is communicating with an IP address outside your country on UDP port 43232. If you disconnect the network connections on the affected systems, the CPU utilization drops significantly. Based on what you've observed, you suspect these systems are infected with what type of malware? A. Rainbow tables B. Crypto-malware C. Dictionary D. Hybrid attack

B. These systems are most likely infected with crypto-malware and are now part of a botnet that's mining cryptocurrency. The systems are running an unknown/unauthorized process, communicating with an external IP address, and using significant resources. These are all classic signs of crypto-malware.

Your e-commerce site is crashing under an extremely high traffic volume. Looking at the traffic logs, you see tens of thousands of requests for the same URL coming from hundreds of different IP addresses around the world. What type of attack are you facing? A. Domain hijacking B. DDoS C. DNS poisoning D. URL redirection

B. This is a DDoS attack. DDoS (or distributed denial-of-service) attacks attempt to overwhelm their targets with traffic from many different sources. Botnets are quite commonly used to launch DDoS attacks.

A web application you are reviewing has an input field for username and indicates the username should be between 6 and 12 characters. You've discovered that if you input a username that's 150 characters or more in length, the application crashes. What is this an example of? A. Memory leak B. Buffer overflow C. Directory traversal D. Integer overflow

B. This is a fairly classic example of a buffer overflow. The input routine does not validate the provided input to ensure a maximum of 12 characters is received and processed. In this case, the application tries to store all 150 (or more) characters of the username, resulting in areas of memory being overwritten and causing the application to crash.

If a system sends an alert that a user account is being hacked because of too many password failures, but analysis shows that the person's device had cached an old password, triggering the failures, what is this an example of? A. False negative B. False positive C. Measurement error D. Analysis failure

B. This is a false positive, as the report was positive that something had happened, when in fact it had not.

You notice a new custodian in the office, working much earlier than normal, emptying trash cans, and moving slowly past people working. You ask him where the normal guy is, and in very broken English he says, "Out sick," indicating a cough. What is happening? A. Watering hole attack B. Impersonation C. Prepending D. Identity fraud

B. This is a likely impersonation attack, using the cover of the janitor. Because of the unusual circumstances, it would be wise to report to a manager for investigation.

While examining a laptop infected with malware, you notice the malware loads on startup and also loads a file called netutilities.dll each time Microsoft Word is opened. This is an example of which of the following? A. Race condition B. DLL injection C. System infection D. Memory overflow

B. This is an example of DLL injection, which is the process of adding to a program, at runtime, a DLL that has a specific function vulnerability that can be capitalized upon by an attacker.

Your colleague is telling you a story she heard about a way to trick fingerprint scanners using gummy bears. She heard that if you press a gummy bear against an authorized user's finger, you can then use that gummy bear as their fingerprint to fool a fingerprint scanner. If this works, the result is an example of which of the following? A. False negative B. False positive C. Crossover positive D. Crossover negative

B. This is an example of a false positive. A false positive occurs when a biometric is scanned and allows access to someone who is not authorized.

You're sitting at the airport when your friend gets a message on her phone. In the text is a picture of a duck with the word "Pwnd" as the caption. Your friend doesn't know who sent the message. Your friend is a victim of what type of attack? A. Snarfing B. Bluejacking C. Quacking D. Collision

B. This is most likely a bluejacking attack. If a victim's phone has Bluetooth enabled and is in discoverable mode, it may be possible for an attacker to send unwanted texts, images, or audio to the victim's phone.

During a visit to a hosting center where your organization keeps some offsite servers, you see a door with an odd-looking panel next to it. You see people approaching the panel and placing their eyes into a hooded viewer. A few seconds after they've done this, the door unlocks. What type of biometric scanner might this be? A. Voice recognition scanner B. Retinal scanner C. Fingerprint scanner D. Facial recognition scanner

B. This is most likely a retinal scanner. Retinal scanners examine blood vessel patterns in the back of the eye. Retinal scanning must be done at short distances; the user has to be right at the device for it to work.

A user reports "odd" certificate warnings on her web browser this morning whenever she visits Google. Looking at her browser, you see these certificate warnings. Looking at the network traffic, you notice that all HTTP and HTTPS requests from that system are being routed to the same IP regardless of destination. Which of the following attack types are you seeing in this case? A. Evil twin B. Man in the middle C. Disassociation D. MAC cloning

B. This is most likely some type of man in the middle attack. This attack method is usually done by routing all of the victim's traffic to the attacker's host, where the attacker can view it, modify it, or block it. The attacker inserts himself into the middle of his victim's network communications.

Your boss thanks you for pictures you sent from the recent company picnic. You ask him what he is talking about, and he says he got an e-mail from you with pictures from the picnic. Knowing you have not sent him that e-mail, what type of attack do you suspect is happening? A. Phishing B. Spear phishing C. Reconnaissance D. Impersonation

B. This is spear phishing, which is a targeted phishing attack against a specific person.

What is the correct term for tracking issues associated with the upgrading of a component in a subassembly, specifically to a newer software version? A. Vendor risk B. Change control C. Supply chain risk D. Change management

B. Tracking and managing the details of a change is change control. The process is change management.

Account audits are used for all of the following except? A. Testing password strength B. Verification of user training C. Verification of user employment/authorization D. Testing for password policy enforcement

B. User training would not be examined during an account audit. Account audits are focused on the authentication system policies and implementations.

Which of the following is an issue that must be addressed if an organization enforces a mandatory vacation policy? A. Enforcing a mandatory vacation policy in most cases is a costly policy. B. Using mandatory vacations as a tool to detect fraud will require that somebody else also be trained in the functions of the employee who is on vacation. C. Vacations often occur at the most inopportune time for the organization and can affect its ability to complete projects or deliver services. D. Forcing employees to take a vacation if they don't want to often will result in disgruntled employees, which can introduce another security threat.

B. Using mandatory vacation as a tool to detect fraud will require that somebody else also be trained in the functions of the employee who is on vacation. The organization must therefore ensure that they have a second person who is familiar with the vacationing employee's duties.

To test your systems against weak passwords, you as an admin (with proper permissions) test all the accounts using the top 100 commonly used passwords. What is this test an example of? A. Dictionary B. Password spraying C. Rainbow tables D. Online

B. Using preset passwords against all accounts is an example of password spraying.

A user in your organization contacts you to see if there's any update to the "account compromise" that happened last week. When you ask him to explain what he means, the user tells you he received a phone call earlier in the week from your department and was asked to verify his user ID and password. The user says he gave the caller his user ID and password. This user has fallen victim to what specific type of attack? A. Spear phishing B. Vishing C. Phishing D. Replication

B. Vishing is a social engineering attack that uses voice communication technology to obtain the information the attacker is seeking. Most often the attacker will call a victim and pretend to be someone else in an attempt to extract information from the victim.

War flying is a term to describe which of the following? A. Pen testing networks on commercial planes B. The use of aerial platforms to gain access to wireless networks C. Driving around and sampling open Wi-Fi networks D. The use of pen testing techniques against the Defense Department

B. War flying is the use of drones, airplanes, and other flying means of gaining access to wireless networks that are otherwise inaccessible.

Your manager wants you to review the company's internal PKI system's CPS for applicability and verification and to ensure that it meets current needs. What are you most likely to focus on? A. Revocations B. Trust level provided to users C. Key entropy D. How the keys are stored

B. You are most likely to focus on the level of trust provided by the CA to users of the system, as providing trust is the primary purpose of the CA.

When discussing location for storage of backups, which of the following statements are true? (Choose all that apply.) A. The most recent copy should be stored offsite, as it is the one that is most current and is thus the most valuable. B. Offsite storage is generally not necessary, except in cases where the possibility of a break-in at the main facility is high. C. Offsite storage is a good idea so that you don't lose your backup to the same event that caused you to lose your operational data and thus need the backup. D. The most recent copy can be stored locally, as it is the most likely to be needed, while other copies can be kept at other locations.

C and D. Offsite storage is a good idea so that you don't lose your backup to the same event that caused you to lose your operational data and thus need the backup. Additionally, the most recent copy can be stored locally, as it is the most likely to be needed, while other copies can be kept at other locations.

Volatile information locations such as the RAM change constantly, and data collection should occur in the order of volatility or lifetime of the data. Order the following list from most volatile (which should be collected first) to least volatile. A. Routing tables, ARP cache, process tables, kernel statistics B. Memory (RAM) C. CPU, cache, and register contents D. Temporary file system/swap space

C, A, B, and D. The most volatile elements should be examined and collected first and in this order.

Which of the following is a benefit of DNSSEC? A. Scalability B. Lower expenditures from operations capital (OpsCap) expenditures C. Enables origin authentication, authenticated denial of existence, and data integrity D. Availability and confidentiality

C. A major benefit of DNSSEC is that it enables origin authentication, authenticated denial of existence, and data integrity.

The use of a penetration test to determine vulnerabilities is an example of what category of control? A. Operational B. External C. Managerial D. Technical

C. A penetration test is a form of risk assessment and thus is a managerial action, as it advises management of the current risk posture associated with a system.

Which of the following would a capture video not be used to collect? A. Serial number plates B. Cable connections C. System image D. Physical layout and existence of systems

C. A system image is a dump of the physical memory of a computer system and would not be captured in a video. All of the others are static sources of information that a capture video is valuable in recording.

On a web-facing interface, where your employees can gain access to the network, you wish to employ security against brute force attacks. One of the most cost-effective tools is to enforce which of the following? A. Geofencing policy B. Password complexity policy C. Account lockout policy D. Certificates

C. Account lockout is a temporary measure to slow down brute force attempts at cracking a password.

The use of combination locks as a security control procedure to limit physical security risk is an example of what category of control? A. Physical B. Technical C. Operational D. Corrective

C. An operational control is a policy or procedure used to limit security risk. The key word in the question is category.

Who assumes the risk associated with a system or product after it has entered EOL status? A. The original manufacturer B. The vendor C. The organization D. The supply chain manager

C. An organization that continues to use a system or product assumes all of the risk associated with issues uncovered after the product has entered end-of-life (EOL) status. The manufacturer is in fact most often the vendor, and from their standpoint, the product reaches EOL when they stop supporting it. The supply chain manager is a distractor answer choice.

What is the primary limitation of a credentialed scan on a network? A. Speed B. Examining too deeply into individual boxes C. The inability to scale across multiple systems D. Slowing down your network with ancillary traffic

C. Because a credentialed scan requires credentials for each system it is examining, and these credentials will change across a network, this type of scan is less scalable with automation.

You are issued a certificate from a CA, delivered by e-mail, but the file does not have an extension. The e-mail notes that the root CA, the intermediate CAs, and your certificate are all attached in the file. What format is your certificate likely in? A. DER B. CER C. PEM D. PFX

C. Because the file is a text file holding the entire certificate chain, it is most likely in Privacy-Enhanced Mail (PEM) format: PEM is base64 text between BEGIN/END markers, and several certificates can simply be concatenated in one file. DER is a binary encoding that holds a single certificate, and PFX (PKCS#12) is a binary container that normally bundles the private key with the chain.
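The distinction above can be checked in code. The following is an added example, not part of the exam guide: it sniffs PEM versus DER from the first bytes of a file (the file in the question has no extension, so the content is all there is to go on) and splits a PEM bundle into its individual DER objects. The bundle is constructed for this example; its base64 bodies are tiny hand-built ASN.1 SEQUENCE values, not real certificates.

```python
import base64
import re

# Constructed stand-in for the e-mailed file. The base64 bodies are tiny
# hand-built ASN.1 SEQUENCE values (e.g. 30 03 02 01 05), not real certificates,
# so the example runs offline; a real bundle would carry full X.509 structures.
CONSTRUCTED_BUNDLE = """\
-----BEGIN CERTIFICATE-----
MAMCAQU=
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MAMCAQY=
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MAMCAQc=
-----END CERTIFICATE-----
"""

# One PEM block: an armour header, base64 lines, and a matching footer.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.DOTALL
)


def sniff_format(data: bytes) -> str:
    """Tell PEM from DER by the first bytes, since the file has no extension."""
    if data.lstrip().startswith(b"-----BEGIN "):
        return "PEM"          # text armour; several blocks may be concatenated
    if data[:1] == b"\x30":
        return "DER"          # ASN.1 SEQUENCE tag; a DER file holds one object
    return "unknown"


def parse_pem_bundle(text: str) -> list:
    """Split a PEM bundle into (label, DER bytes) pairs, in file order."""
    blocks = []
    for label, body in PEM_BLOCK.findall(text):
        der = base64.b64decode("".join(body.split()), validate=True)
        if der[:1] != b"\x30":
            raise ValueError(f"{label} block does not decode to an ASN.1 SEQUENCE")
        blocks.append((label, der))
    return blocks


def chain_summary(data: bytes) -> dict:
    """Summarise what was delivered: format, number of objects, and their labels."""
    fmt = sniff_format(data)
    if fmt != "PEM":
        return {"format": fmt, "count": 1 if fmt == "DER" else 0, "labels": []}
    blocks = parse_pem_bundle(data.decode("ascii"))
    return {
        "format": fmt,
        "count": len(blocks),
        "labels": sorted({label for label, _ in blocks}),
    }


if __name__ == "__main__":
    print(chain_summary(CONSTRUCTED_BUNDLE.encode("ascii")))
```

In practice the first block in a CA-delivered bundle is usually the end-entity certificate and the root comes last, but order is not guaranteed; a TLS server should be configured to send the chain in leaf-to-root order regardless of how the bundle arrived.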

You are examining the server infrastructure and wish to harden the machines in your server farm. Which is the first task you should perform across all of your servers? A. Apply a block list/deny list. B. Apply an allow list. C. Block open ports and disable unused services. D. Employ disk encryption.

C. Because the server farm may have multiple different types of systems, elements such as allow lists become more complicated, as the results do not scale across different server types. All machines benefit from blocking of unused ports and disabling of unused services.

Covering one's tracks to prevent discovery is also known as what? A. Lateral movement B. OSINT C. Cleanup D. Pivoting

C. Cleanup involves the steps of clearing logs and other evidence to prevent one from being easily discovered.

You have offices in six locations across town and wish to utilize a common backup restore methodology. Which would be the most efficient solution for your small offices? A. SAN B. NAS C. Cloud D. Offline

C. Cloud backup solutions can be ideal for small offices, and with the different offices, centralized administration can be added.

Which of the following best describes what CVE is? A. A place to report errors and vulnerabilities B. A measure of the severity of a vulnerability C. A list of known vulnerabilities D. A list of systems that have vulnerabilities

C. Common Vulnerabilities and Exposures is an enumeration or list of known vulnerabilities.

Your new application has multiple small processes that provide services to the network. You want to make this application run more efficiently by virtualizing it. What is the best approach for virtualization of this application? A. Type II hypervisor B. Linux KVM C. Containerization D. Type I hypervisor

C. Containerization runs small applications on a host OS with virtually no overhead.

In which phase of the incident response process are actions taken to constrain the incident to the minimal number of machines? A. Eradication B. Identification C. Containment D. Recovery

C. Containment is the set of actions taken to constrain the incident to the minimal number of machines. Eradication involves removing the problem, and in today's complex system environment, this may mean rebuilding a clean machine. The act of identification is coming to a decision that the information related to the incident is worthy of further investigation by the IR team. The recovery process includes the steps necessary to return the systems and applications to operational status.

Problems in which phase will specifically stop continuous deployment but not necessarily continuous delivery? A. Continuous integration B. Continuous monitoring C. Continuous validation D. Continuous development

C. Continuous validation is required to ensure error-free software, and errors will stop continuous deployment.

Correlation does what with SIEM data? A. Determines causes B. Provides background contextual information C. Allows rule-based interpretation of data D. All of the above

C. Correlation lets a SIEM apply rules that combine events from different data sources, so detection is based on a pattern of related events (for example, a burst of failed logins followed by a success from the same address) rather than on any single event, which sharpens the specificity of SIEM-based detection.
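A minimal correlation rule of the kind described above, written as an added example rather than code from the exam guide. It parses sshd-style authentication lines (constructed for this example, using RFC 5737 documentation addresses) and raises an alert only when a configurable number of failures for the same source and user inside a time window is followed by a successful login; the individual failures and the lone success are each unremarkable on their own.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sshd-style log lines (RFC 3164 layout, RFC 5737 addresses).
# They are made up for this example, not taken from a real system.
CONSTRUCTED_LOG = """\
Jan 10 10:00:01 bastion sshd[4120]: Failed password for admin from 203.0.113.7 port 51000 ssh2
Jan 10 10:00:04 bastion sshd[4121]: Failed password for admin from 203.0.113.7 port 51001 ssh2
Jan 10 10:00:07 bastion sshd[4122]: Failed password for admin from 203.0.113.7 port 51002 ssh2
Jan 10 10:00:09 bastion cron[900]: (root) CMD (run-parts /etc/cron.hourly)
Jan 10 10:00:11 bastion sshd[4123]: Failed password for admin from 203.0.113.7 port 51003 ssh2
Jan 10 10:00:14 bastion sshd[4124]: Failed password for admin from 203.0.113.7 port 51004 ssh2
Jan 10 10:00:18 bastion sshd[4125]: Failed password for admin from 203.0.113.7 port 51005 ssh2
Jan 10 10:00:22 bastion sshd[4126]: Accepted password for admin from 203.0.113.7 port 51006 ssh2
Jan 10 10:05:30 bastion sshd[4130]: Failed password for jsmith from 198.51.100.4 port 40210 ssh2
Jan 10 10:05:41 bastion sshd[4131]: Accepted password for jsmith from 198.51.100.4 port 40211 ssh2
"""

LOG_RE = re.compile(
    r"^(?P<ts>\w{3} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>[\d.]+)"
)


def parse_events(text: str) -> list:
    """Normalise raw lines into event dicts; non-auth lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue   # not an sshd auth event; a SIEM would hand it to another parser
        events.append({
            "ts": datetime.strptime(m["ts"], "%b %d %H:%M:%S"),
            "host": m["host"], "user": m["user"], "src": m["src"],
            "outcome": m["outcome"],
        })
    events.sort(key=lambda e: e["ts"])
    return events


def correlate(events, threshold=5, window=timedelta(seconds=60)):
    """Rule: >= threshold failures for (src, user) inside `window`, then a success."""
    alerts = []
    recent = defaultdict(deque)        # (src, user) -> timestamps of recent failures
    for e in events:
        key = (e["src"], e["user"])
        q = recent[key]
        while q and e["ts"] - q[0] > window:
            q.popleft()                # age out failures older than the window
        if e["outcome"] == "Failed":
            q.append(e["ts"])
        elif len(q) >= threshold:      # success preceded by a burst of failures
            alerts.append({
                "rule": "brute-force-then-success",
                "src": e["src"], "user": e["user"], "host": e["host"],
                "failures": len(q), "first_failure": q[0], "success": e["ts"],
            })
            q.clear()
    return alerts


def run_demo():
    return correlate(parse_events(CONSTRUCTED_LOG))


if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

The threshold and window are the tuning knobs: too low a threshold fires on users who mistype a password, too high misses slow attacks, which is why real SIEM rules are usually paired with a second source (for example, the source address appearing on a threat feed) rather than counting failures alone.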

Resource policies involve all of the following except? A. Permissions B. IAM C. Cost D. Access

C. Cost is not part of the resource policies. Resource policies describe how the elements of IAM, both in the enterprise and in the cloud, work together to provision resources.

Which can be the most valuable log for finding malware in a system? A. Network B. Web C. DNS D. IPFIX

C. DNS logs record every name a host tries to resolve, including lookups of malware command-and-control (C2) domains, so they can reveal an infected host even when the malware itself evades endpoint tools.

Enterprises can employ ___________ to block malicious command-and-control traffic from malware. A. encryption B. honeyfiles C. DNS sinkholes D. honeynets

C. DNS sinkholes block communications with the command-and-control systems used by malware and botnets: the resolver answers queries for known-malicious names with the address of a dead end under the defender's control, so the malware's traffic is intentionally misrouted, and each sinkholed query also identifies an infected client.
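The resolver logic behind a sinkhole, and the DNS-log analysis the previous question points at, in one added example (not code from the exam guide). The blocklist names, client addresses and sinkhole address are all constructed for the example and are not real indicators; the upstream resolver is stubbed with a lambda so it runs offline. Matching is by domain suffix so that hosts under a blocked zone are caught without catching unrelated names that merely end in the same letters.

```python
from collections import Counter, defaultdict

SINKHOLE_IP = "10.255.255.254"   # assumed: an internal dead-end address with nothing listening
# Constructed C2 names for this example; they are not real threat indicators.
C2_BLOCKLIST = {"evil-c2.example", "beacon.example"}


def normalize(qname: str) -> str:
    return qname.rstrip(".").lower()


def is_blocked(qname: str, blocklist: set) -> bool:
    """Match the name or any parent domain, so s1.evil-c2.example is caught
    but notevil-c2.example (a different domain) is not."""
    labels = normalize(qname).split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))


class Sinkhole:
    def __init__(self, blocklist, upstream, sinkhole_ip=SINKHOLE_IP):
        self.blocklist = blocklist
        self.upstream = upstream          # callable: qname -> real answer
        self.sinkhole_ip = sinkhole_ip
        self.hits = []                    # (client_ip, qname) for every blocked lookup

    def resolve(self, qname, client_ip):
        if is_blocked(qname, self.blocklist):
            self.hits.append((client_ip, normalize(qname)))
            return self.sinkhole_ip       # intentional misrouting to a dead end
        return self.upstream(qname)


def infected_hosts(hits):
    """Turn sinkhole hits into a per-client view: which C2 names, how often."""
    per_client = defaultdict(Counter)
    for client, name in hits:
        per_client[client][name] += 1
    return {client: dict(names) for client, names in per_client.items()}


# Constructed query stream (client IP, queried name); RFC 1918 / RFC 5737 addresses.
CONSTRUCTED_QUERIES = [
    ("10.0.0.5", "www.example.com"),
    ("10.0.0.5", "evil-c2.example"),
    ("10.0.0.5", "s1.evil-c2.example."),
    ("10.0.0.9", "beacon.example"),
    ("10.0.0.7", "notevil-c2.example"),
]


def run_demo():
    sink = Sinkhole(C2_BLOCKLIST, upstream=lambda q: "198.51.100.10")
    answers = [(client, q, sink.resolve(q, client)) for client, q in CONSTRUCTED_QUERIES]
    return answers, infected_hosts(sink.hits)


if __name__ == "__main__":
    answers, hosts = run_demo()
    for row in answers:
        print(row)
    print(hosts)
```

Two operational caveats follow from the code: the sinkhole only sees hosts that use the enterprise resolver, so egress filtering must block direct lookups to outside resolvers and DNS over HTTPS, and the hit list is the artefact worth forwarding to the SIEM, since it is a ready-made list of machines to triage.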

Which of the following is not a privacy-enhancing technology? A. Data minimization B. Data masking C. Data disclosure D. Tokenization

C. Data disclosures are not privacy-enhancing technologies; they are the resultant effect of an attacker getting access to sensitive data on a system.

Which of the following best describes the exporting of stolen data from an enterprise? A. Data loss B. Data breach C. Data exfiltration D. Identity theft

C. Data exfiltration is the exporting of stolen data from an enterprise. Data loss is when an organization actually loses information. Data breaches are the release of data to unauthorized parties. Identity theft is a crime where someone uses information on another party to impersonate them.

Coming into your office, you overhear a conversation between two security guards. One guard is telling the other she caught several people digging through the trash behind the building early this morning. The security guard says the people claimed to be looking for aluminum cans, but only had a bag of papers—no cans. What type of attack has this security guard witnessed? A. Spear phishing B. Pharming C. Dumpster diving D. Rolling refuse

C. Dumpster diving is the process of going through a target's trash in the hopes of finding valuable information such as user lists, directories, organization charts, network maps, passwords, and so on.

What is the role of EAP in wireless connections? A. It is a framework for establishing connectivity. B. It is a framework for passing authentication information. C. It is a framework to secure the authentication process. D. It is an actual encryption method used during authentication.

C. EAP is a framework within which authentication methods (for example, EAP-TLS or PEAP) are carried; it is not itself an encryption method, and how well credentials are protected depends on the EAP method chosen.

Which port does FTPS use? A. 53 B. 83 C. 990 D. 991

C. Implicit FTPS listens on TCP port 990 for the control channel (989 for data). Explicit FTPS instead connects to the normal FTP port 21 and upgrades the session with the AUTH TLS command, so a firewall rule for "FTPS" needs to account for both.

Creating fake network traffic to deceive attackers in segments of the network designed to deceive them is called what? A. DNS sinkhole B. Honeytraffic C. Fake telemetry D. Masking

C. Fake telemetry is the name for fake network traffic in a deception-based environment.

Which of the following impacts is in many ways the final arbiter of all activities because it is how we "keep score"? A. Reputation B. Safety C. Finance D. Life

C. Finance is in many ways the final arbiter of all activities because it is how we keep score. The others are important but are not considered the final arbiter.

Forward secrecy exists for which of the following protocols? A. WPS B. WPA2 C. WPA3 D. All of the above

C. Among these options, forward secrecy is only provided by WPA3, whose SAE handshake negotiates a fresh pairwise master key for every session, so an attacker who records the handshake and later learns the passphrase still cannot decrypt earlier sessions. WPA2-PSK derives session keys directly from the passphrase and the captured four-way handshake, so it has no forward secrecy, and WPS is only a setup mechanism.

Which of the following terms is a privacy regulation? A. CFAA B. SOX C. GDPR D. PCI DSS

C. GDPR is the EU privacy regulation (it replaced the earlier Data Protection Directive) with far-reaching consequences across industries and even country boundaries.

What is the best way to get the plaintext from a hash value? A. Use linear cryptanalysis. B. Use a reverse hash function. C. You cannot get the plaintext out of a hash value. D. Use an ephemeral key.

C. Cryptographic hash functions map input of any length to a fixed-size digest and are designed so that the input cannot be recovered from the digest, which is why they are called "one-way" functions. Note that a digest of a low-entropy input such as a short password can still be matched by guessing candidates and hashing each one, which is why stored password hashes need salting and key stretching.

You are browsing a website when your browser provides you with the following warning message: "There is a problem with this website's security certificate." When you examine the certificate, it indicates that the root CA is not trusted. What most likely happened to cause this error? A. The certificate was revoked. B. The certificate does not have enough bit length for the TLS protocol. C. The server's CSR was not signed by a trusted CA. D. The certificate has expired.

C. In this case, the server's certificate signing request (CSR) was not signed by a CA that is trusted by the endpoint computer, so no third-party trust can be established. This could be an indication of an attack, so the certificate should be manually verified before data is provided to the web server.

Which of the following are specifically used to spread influence, alter perceptions, and sway people toward a position favored by those spreading it? A. Identity fraud, invoice scams, credential harvesting B. Hoaxes, eliciting information, urgency C. Influence campaigns, social media, hybrid warfare D. Authority, intimidation, consensus

C. Influence campaigns are used to alter perceptions and change people's minds on a topic. They are even more powerful when used in conjunction with social media to spread influence through influencer propagation. Nation-states often use hybrid warfare to sway people toward a position favored by those spreading it.

You are planning to move some applications to the cloud, including your organization's accounting application, which is highly customized and does not scale well. Which cloud deployment model is best for this application? A. SaaS B. PaaS C. IaaS D. None of the above

C. Infrastructure as a Service is appropriate for highly customized, poorly scaling solutions that require specific resources to run.

How do you make a short secret, such as a password, become long enough for use? A. Salting B. Key elongation C. Key stretching D. Ephemeral operations

C. Key stretching feeds a weak secret such as a password through a deliberately slow function (for example, PBKDF2, bcrypt, scrypt, or Argon2), usually together with a salt, to produce a key of the needed length while making each guess in a brute-force attack far more expensive.
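Key stretching in practice, as an added example that is not part of the exam guide. It uses PBKDF2-HMAC-SHA256 from the Python standard library (bcrypt, scrypt or Argon2 would be preferable for password storage but need third-party packages): a random per-user salt, an iteration count that sets the cost of each guess, constant-time verification, and a timing helper that shows the cost scaling with iterations. The password and salt values in the main block are constructed for the example.

```python
import hashlib
import hmac
import os
import time


def stretch(password: bytes, salt: bytes, iterations: int, length: int = 32) -> bytes:
    """PBKDF2-HMAC-SHA256: iterate an HMAC `iterations` times to derive `length` bytes."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, iterations, dklen=length)


def make_record(password: str, iterations: int = 600_000) -> dict:
    """Store salt and parameters beside the derived value; the salt is random per user."""
    salt = os.urandom(16)
    return {
        "alg": "pbkdf2-sha256",
        "iterations": iterations,
        "salt": salt.hex(),
        "hash": stretch(password.encode("utf-8"), salt, iterations).hex(),
    }


def verify(password: str, record: dict) -> bool:
    """Re-derive with the stored salt and parameters, then compare in constant time."""
    candidate = stretch(
        password.encode("utf-8"), bytes.fromhex(record["salt"]), record["iterations"]
    )
    return hmac.compare_digest(candidate, bytes.fromhex(record["hash"]))


def cost_seconds(iterations: int, password: bytes = b"correct horse",
                 salt: bytes = b"16-byte-salt-xyz") -> float:
    """Wall-clock cost of one derivation; an attacker pays this for every guess."""
    start = time.perf_counter()
    stretch(password, salt, iterations)
    return time.perf_counter() - start


if __name__ == "__main__":
    # Constructed passphrase for the demo.
    rec = make_record("correct horse battery staple")
    print(verify("correct horse battery staple", rec), verify("wrong", rec))
    print(f"{cost_seconds(1_000):.4f}s for 1,000 iterations, "
          f"{cost_seconds(100_000):.4f}s for 100,000")
```

Because the salt is random per user, an attacker cannot amortise one precomputed table across all accounts; because of the iteration count, each individual guess costs roughly `iterations` HMAC evaluations instead of one. Pick the iteration count so that a login costs on the order of a few hundred milliseconds on your servers and revisit it as hardware gets faster.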

Steganography is commonly accomplished using which method? A. Encryption B. Initialization vectors (IVs) C. LSB encoding D. Entropy substitution

C. LSB, or least significant bit, encoding replaces the lowest-order bit of each pixel (or audio sample) value with one bit of the hidden message, so each value changes by at most one level and the image is not visibly altered.

When you update your browser, you get a warning about a plugin not being compatible with the new version. You do not recognize the plugin, and you aren't sure what it does. Why is it important to understand plugins? What attack vector can be involved in plugins? A. Man in the middle attack B. Domain hijacking attack C. Man in the browser attack D. URL redirection attack

C. Man in the browser attacks are frequently carried out via browser extensions or plugins.

To capture an image of the memory in a running system, one can use which of the following? A. grep B. dumpmem C. memdump D. logger

C. Memdump is a program used to copy what is currently in memory.

You are new to your job, new to the industry, and new to the city. Which of the following sources would be the best to connect with your peers on threat intelligence information? A. Vendors B. Social media C. Local industry groups D. Vulnerability or threat feeds

C. Networking between peers is a useful attribute of local industry groups.

What distinguishes real-time operating systems (RTOSs) from general-purpose operating systems? A. Unlike RTOSs, most general-purpose operating systems handle interrupts within defined time constraints. B. Unlike general-purpose OSs, most RTOSs are capable of multitasking by design. C. Unlike RTOSs, most general-purpose operating systems are multitasking by design. D. Unlike general-purpose OSs, RTOSs are designed to handle multiple threads.

C. One thing that distinguishes real-time operating systems (RTOSs) from general-purpose operating systems is that most general-purpose operating systems are designed for multitasking.

Which of the following is not a PCI DSS control objective? A. Build and maintain a secure network B. Maintain a vulnerability management program C. Establish a CSO position D. Implement strong access control measures

C. PCI DSS control objectives include:
1. Build and maintain a secure network
2. Protect cardholder data
3. Maintain a vulnerability management program
4. Implement strong access control measures
5. Regularly monitor and test networks
6. Maintain an information security policy
Nowhere does it mandate specific corporate positions.

Your firm has 200 desktops in three sites, split among a dozen business departments. Which of the following would be the first that you should ensure is working correctly to reduce risk? A. Application security B. Secure Boot C. Patch management D. Secure cookies

C. Patch management reduces the attack surface on the operating systems and application components. Automating this process is an important early step in the security journey because of the number of items it addresses.

Which of the following statements is true about printers and multifunction devices? A. They rely on the computer to manage the printing and scanning processes. B. Because of their long history and widespread use, security is designed into these products. C. These devices communicate in a bidirectional fashion, accepting print jobs and sending back job status, printer status, and so forth. D. So far, they have not been shown to be hackable or capable of passing malware to the computer.

C. Printers and multifunction devices communicate in a bidirectional fashion, accepting print jobs and sending back job status, printer status, and so forth.

Which of the following statements is not true about system on a chip? A. It provides the full functionality of a computing platform on a single chip. B. It typically has low power consumption and efficient design. C. Programming of SoC systems can occur at several different levels, and thus potential risks are easily mitigated. D. Because SoC represents computing platforms with billions of devices worldwide, it has become a significant force in the marketplace.

C. Programming of SoC systems can occur at several different levels, and thus potential risks are difficult to mitigate.

Why is proper interior and exterior lighting important? A. It can detect people who are where they don't belong. B. It shows who is in a restricted space. C. It allows more people and activities to be observed. D. It is needed for the use of closed-circuit television cameras.

C. Proper lighting allows more people and activities to be observed.

Which of the following is the process of subjectively determining the impact of an event that affects a project, program, or business? A. Likelihood of occurrence B. Functional recovery plan C. Qualitative risk assessment D. Quantitative risk assessment

C. Qualitative risk assessment is the process of subjectively determining the impact of an event that affects a project, program, or business. The likelihood of occurrence is the chance that a particular risk will occur. Functional recovery plans represent the transition from operations under business continuity back to normal operations. Quantitative risk assessment is the process of objectively determining the impact of an event that affects a project, program, or business.

An externally facing web server in your organization keeps crashing. Looking at the server after a reboot, you notice CPU usage is pegged and memory usage is rapidly climbing. The traffic logs show a massive amount of incoming HTTP and HTTPS requests to the server. Which type of attack is this web server experiencing? A. Input validation B. Distributed error handling C. Resource exhaustion D. Race condition

C. Resource exhaustion is the state where a system does not have all of the resources it needs to continue to function. In this case, the server does not have the memory or CPU capacity to handle the massive volume of incoming HTTP/HTTPS requests.

What is the primary purpose of a SOAR solution? A. To collect and aggregate diverse security data B. To analyze data for anomalies and to create alerts C. To produce approved, detailed response plans with respect to given incident response scenarios D. To manage configuration changes on systems

C. SOAR platforms encode approved response procedures as playbooks and runbooks and execute them, automatically or with analyst approval, when specified conditions are met. Collecting and aggregating data and generating alerts are SIEM functions that feed the SOAR.

Which of the following terms is not related to storage security in the cloud? A. Permissions B. High availability C. Segmentation D. Encryption

C. Segmentation is a network issue, separate from storage.

What is the best way to deal with large, complex systems that have very expensive and lengthy process elements in an exercise? A. Tabletops B. Walkthroughs C. Simulations D. Just skip this element.

C. Simulation is a valuable tool to imitate parts of a process that can't be included in an exercise because of cost, time, resources, or other constraints.

You wish to tokenize account credentials so people can carry their passwords with them and not have to remember or type in long passwords. The best solution would involve which of the following? A. Identity providers (IdPs) B. SSH keys C. Smart card D. Password managers

C. Smart cards enable employees to easily carry cryptographic keys.

Which backup strategy focuses on copies of virtual machines? A. Incremental B. Full C. Snapshot D. Differential

C. Snapshots refer to copies of virtual machines. The incremental backup is a variation on a differential backup, with the difference being that instead of copying all files that have changed since the last full backup, the incremental backup backs up only files that have changed since the last full or incremental backup occurred, thus requiring fewer files to be backed up. In a full backup, all files and software are copied onto the storage media. In a differential backup, only the files and software that have changed since the last full backup was completed are backed up.

Given a large quantity of data in the form of a streaming video file, what is the best type of encryption method to protect the content from unauthorized live viewing? A. Symmetric block B. Hashing algorithm C. Stream cipher D. Asymmetric block

C. Stream ciphers work best when the data is in very small chunks to be processed rapidly, such as live streaming video. Block ciphers are better when it comes to large chunks of data.

To remotely log information using a centralized log server, which of the following protocols should be used? A. DNS B. NetFlow C. Syslog D. IPFIX

C. Syslog is the standard protocol for forwarding log messages to a central log server. Note that classic syslog over UDP port 514 is unauthenticated and unencrypted and can silently drop messages, so for security logging prefer syslog over TLS (RFC 5425) or another reliable transport.

What is the purpose of the DNS protocol? A. It provides a function for charging SaaS on a per-use basis. B. It supports the networking infrastructure. C. It translates names into IP addresses. D. It defines tenants in a public cloud.

C. The Domain Name System (DNS) translates names into IP addresses.

Which of the following algorithms uses a secret key with a current timestamp to generate a one-time password? A. Hash-based Message Authentication Code B. Date-Hashed Message Authorization Password C. Time-based One-Time Password D. Single sign-on

C. The Time-based One-Time Password (TOTP) algorithm is a variant of the HMAC-based One-Time Password (HOTP) algorithm in which the moving factor is the current time, divided into fixed steps (typically 30 seconds), rather than a counter; the shared secret is combined with that time value to generate the code. Note that timestamp is the key clue in the question.

While depositing cash from a charity fundraiser at a local bank, you notice bank employees are holding up cards next to a panel near a door. A light on the panel turns green and the employees are able to open the door. The light on the panel is normally red. What type of electronic door control is this bank using? A. Iris scanner B. Hardware token C. Proximity card D. Symmetric key token

C. The bank employees are using proximity cards, which are contactless access cards that provide information to the electronic door control system. Proximity cards just need to be close enough to the scanner to work—they do not need to actually touch the scanner.

You are preparing an e-mail to send to a colleague at work, and because the message information is sensitive, you decide you should encrypt it. When you attempt to apply the certificate that you have for the colleague, the encryption fails. The certificate was listed as still valid for another year, and the certificate authority is still trusted and working. What happened to this user's key? A. It was using the wrong algorithm. B. You are querying the incorrect certificate authority. C. It was revoked. D. The third-party trust model failed.

C. The certificate has most likely been revoked: the certificate authority has marked it invalid before its expiration date, which the mail client discovers through a CRL or OCSP check, so the key can no longer be used even though the validity dates look fine.

When you're designing and tweaking biometric systems, the point where both the accept and reject error rates are equal is known as which of the following? A. Crossover acceptance rate B. Accept-reject overlap rate C. Crossover error rate D. Overlap acceptance rate

C. The crossover error rate (CER) is the rate where both accept and reject error rates are equal. This is the desired state for the most efficient operation of a biometric system, and it can be managed by manipulating the threshold value used for matching.
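How the crossover error rate is found by sweeping the matching threshold, as an added example that is not part of the exam guide. The genuine and impostor match scores are constructed for the example (a real evaluation would use thousands of attempts per class). The sweep computes FAR and FRR at every candidate threshold, reports the threshold where they meet, and also shows the cost of tuning away from that point, such as the FRR you pay for demanding a zero FAR.

```python
# Constructed match scores in [0, 1] from a hypothetical biometric matcher;
# a higher score means "more like the enrolled user".
GENUINE_SCORES = [0.60, 0.70, 0.75, 0.80, 0.85, 0.90, 0.95, 0.98]
IMPOSTOR_SCORES = [0.10, 0.20, 0.30, 0.40, 0.50, 0.65, 0.72, 0.77]


def error_rates(genuine, impostor, threshold):
    """FRR: genuine attempts rejected; FAR: impostor attempts accepted, at `threshold`."""
    frr = sum(s < threshold for s in genuine) / len(genuine)
    far = sum(s >= threshold for s in impostor) / len(impostor)
    return far, frr


def sweep(genuine, impostor):
    """Evaluate every candidate threshold (each observed score) in ascending order."""
    candidates = sorted(set(genuine) | set(impostor))
    return [(t, *error_rates(genuine, impostor, t)) for t in candidates]


def crossover(genuine, impostor):
    """Threshold where FAR and FRR are closest; the CER is their value there."""
    t, far, frr = min(sweep(genuine, impostor), key=lambda row: abs(row[1] - row[2]))
    return {"threshold": t, "far": far, "frr": frr, "cer": (far + frr) / 2}


def tune_for(genuine, impostor, max_far):
    """Lowest threshold that meets a FAR ceiling, showing the FRR cost of tightening."""
    for t, far, frr in sweep(genuine, impostor):
        if far <= max_far:
            return {"threshold": t, "far": far, "frr": frr}
    return None


if __name__ == "__main__":
    for t, far, frr in sweep(GENUINE_SCORES, IMPOSTOR_SCORES):
        print(f"threshold={t:.2f}  FAR={far:.3f}  FRR={frr:.3f}")
    print("crossover:", crossover(GENUINE_SCORES, IMPOSTOR_SCORES))
    print("FAR <= 0:", tune_for(GENUINE_SCORES, IMPOSTOR_SCORES, 0.0))
```

The CER is a single-number comparison between systems, not necessarily the operating point you deploy: a door into a data centre is tuned well above the crossover (low FAR, higher FRR), while a convenience unlock on a phone may sit below it.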

Which of the following is a security policy enforcement point placed between cloud service consumers and cloud service providers to manage enterprise security policies as cloud-based resources are accessed? A. SWG B. VPC endpoint C. CASB D. Resource policies

C. The definition of a cloud access security broker (CASB) is a security policy enforcement point that is placed between cloud service consumers and cloud service providers to manage enterprise security policies as cloud-based resources are accessed.

What is the main security concern with Universal Serial Bus (USB) technology? A. It connects to cell phones for easy charging. B. It uses proprietary encryption. C. It automounts and acts like a hard drive attached to the computer. D. It uses older encryption technology.

C. The main security concern with USB technology is that it automounts and acts like a hard drive attached to the computer.

What is the term for notifying customers of your privacy policy and its effect on their information? A. Impact assessment B. Public notification of disclosure C. Privacy notice D. Terms of agreement

C. The privacy notice is the vehicle used to notify customers of the effects of a firm's privacy policy on their (the customers') data.

What is the purpose of geofencing? A. It can be used to remotely wipe a lost device. B. It makes securing the mobile device simpler. C. It enables devices to be recognized by location and have actions taken. D. It can enforce device locking with a strong password.

C. The purpose of geofencing is to enable devices to be recognized by location and have actions taken.

Which of the following statements is true about smart devices and the Internet of Things (IoT)? A. The use of a Linux-type kernel as the core engine makes programming more complex. B. Mass production introduces significant security risks. C. The scaling of the software development over large numbers of units makes costs scalable, and functionality is paramount. D. Security or anything that might impact new expanded functionality is considered early and gets the focus and resources necessary.

C. The scaling of the software development over large numbers of units makes costs scalable, and functionality is paramount in smart devices and IoT.

Two major elements play a role in determining the level of response to an incident. Information criticality is the primary determinant. What is the other? A. Information sensitivity or the classification of the data B. The value of any data lost in the incident C. How the incident potentially affects the organization's operations D. Whether the organization wishes to pursue a legal settlement against the attacker(s)

C. The second factor involves a business decision on how an incident plays into current business operations. A series of breaches, whether minor or not, indicates a pattern that can have public relations and regulatory issues.

Which of the following statements is true regarding the risk of next-generation vehicles? A. There are minimal risks when next-generation automobiles share information. B. Passing traffic and other information between vehicles does not increase security risks. C. The sharing of navigation and other inputs between vehicles presents a potential security issue. D. Time-to-market and cost minimization have minimal impact on potential risks being exploited.

C. The sharing of navigation and other inputs presents a potential security issue for next-generation vehicles. False information, when shared, can cause problems.

Which of the following terms is used to describe the target time that is set for the resumption of operations after an incident? A. RPO B. MTBF C. RTO D. MTTR

C. The term recovery time objective (RTO) is used to describe the target time that is set for the resumption of operations after an incident. Recovery point objective (RPO) represents the maximum time period of acceptable data loss. Mean time between failures (MTBF) is a common measure of reliability of a system and is an expression of the average time between system failures. Mean time to repair (MTTR) is a common measure of how long it takes to repair a given failure.

Which of the following are the three modes supported by Bluetooth 4.0? A. Classic, Low Speed, High Energy B. Enhanced Data Rate, Backward Compatible, High Energy C. Classic, High Speed, Low Energy D. Synchronous, High Speed, Low Energy

C. The three modes supported by Bluetooth 4.0 are Classic, High Speed, and Low Energy.

You are asked by the senior system administrator to refresh the SSL certificates on the web servers. The process is to generate a certificate signing request (CSR), send it to a third party to be signed, and then apply the return information to the CSR. What is this an example of? A. Pinning B. Borrowed authority C. Third-party trust model D. Stapling

C. This is an example of the third-party trust model. Although you generate the key pair on the local server, the public key (carried in the CSR) is signed by a third-party CA so that clients that trust the CA will trust your certificate; the private key never leaves the server.

While port-scanning your network for unauthorized systems, you notice one of your file servers has TCP port 31337 open. When you connect to the port with the security tool netcat, you see a prompt that reads, "Enter password for access:". Your server may be infected with what type of malware? A. PUP B. Fileless virus C. Backdoor D. Man in the middle attack

C. This prompt most likely belongs to a backdoor, an alternate way of accessing the system. The TCP service is listening for incoming connections and prompts for a password when connections are established. Providing the correct password would grant command-line access to the system. Before taking the server offline, identify the process that owns the listener (for example, with ss -ltnp on Linux or netstat -ano on Windows) so the binary and its persistence mechanism can be captured for analysis.

A friend of yours who works in the IT department of a bank tells you that tellers are allowed to log in to their terminals only from 9 A.M. to 5 P.M., Monday through Saturday. What is this restriction an example of? A. User auditing B. Least privilege C. Time-of-day restrictions D. Account verification

C. Time-of-day restrictions are often used to limit the hours during which a user is allowed to log in to or access a system. This helps prevent unauthorized access outside that user's normal working hours.

Which of these accounts represents the greater risk due to outside hacker infiltration? A. User accounts B. Temporary accounts C. Service accounts D. Third-party accounts

C. Service accounts, like other non-human accounts such as those used by devices, carry a higher risk of abuse by outside attackers because their passwords are rarely rotated, they are often over-privileged, and no person notices when they are used at unusual times or from unusual places.

To have easily available quick backup of critical user documents, which of the following is recommended for backing these items up? A. Differential B. Snapshot C. Copy D. NAS

C. User-managed copies on external media of critical documents can make it very easy for the end user to manage recovery in a quick manner.

To manage various releases of software over time, the organization uses which of the following? A. Staging environment B. Provisioning and deprovisioning steps C. Version control D. Continuous integration

C. Version control comprises the processes and procedures employed to manage different releases of software over time.

A judge has issued an order for all e-mail to be preserved and that order is in effect. Which of the following statements is correct? A. You can delete old e-mail after the standard retention period. B. You should have the legal department determine which records must be saved. C. You should continue archiving all e-mail. D. You can delete the e-mail after making a copy to save for e-discovery.

C. You should continue archiving all e-mail. You must continue to comply with the court order. Letting legal make determinations when the order specifies "all e-mail" is a mistake. Making copies of the e-mail is only legitimate if you make forensically sound copies, not just backups.

Your organization has grown too large to support assigning permissions to users individually. Within your organization, you have large groups of users who perform the same duties and need the same type and level of access to the same files. Rather than assigning individual permissions, your organization may wish to consider using which of the following access control methods? A. Group-based access control B. Shift-based access control C. Role-based access control D. File-based access control

C. Your organization could consider role-based access control. In role-based access control, instead of each user being assigned specific access permissions for the objects associated with the computer system or network, each user is assigned a set of roles that he or she may perform. The roles are in turn assigned the access permissions necessary to perform the tasks associated with the roles. Users will thus be granted permissions to objects in terms of the specific duties they must perform, not according to a security classification associated with individual objects.
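The role model just described, reduced to code as an added example (not from the exam guide). Roles carry permissions, users carry roles, and a small role hierarchy lets a supervisor inherit everything a teller can do; the authorization check is deny-by-default, so an unknown user or a permission no role grants is refused. The roles, users and permission names are constructed for the example.

```python
ROLE_PERMISSIONS = {
    "teller":     {"account:read", "transaction:create"},
    "supervisor": {"transaction:approve"},           # plus everything a teller can do
    "auditor":    {"account:read", "audit-log:read"},
}
ROLE_PARENTS = {"supervisor": {"teller"}}            # hierarchy: supervisor inherits teller
USER_ROLES = {"alice": {"teller"}, "bob": {"supervisor"}, "carol": {"auditor"}}


def expand_roles(roles):
    """Follow the hierarchy transitively, with a visited set so a cycle cannot loop."""
    seen, stack = set(), list(roles)
    while stack:
        role = stack.pop()
        if role in seen:
            continue
        seen.add(role)
        stack.extend(ROLE_PARENTS.get(role, ()))
    return seen


def permissions_for(user):
    """Union of the permissions of every role the user holds, directly or by inheritance."""
    perms = set()
    for role in expand_roles(USER_ROLES.get(user, set())):
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms


def is_allowed(user, permission):
    """Deny by default: unknown users and ungranted permissions both return False."""
    return permission in permissions_for(user)


def users_with_permission(permission):
    """Answers the audit question 'who can do X?' without reading per-object ACLs."""
    return sorted(u for u in USER_ROLES if is_allowed(u, permission))


if __name__ == "__main__":
    for user in USER_ROLES:
        print(user, sorted(permissions_for(user)))
    print("can approve:", users_with_permission("transaction:approve"))
```

The practical benefit is visible in `users_with_permission`: when someone changes job, you change one role assignment rather than hunting through permissions on every file, and the answer to "who can approve transactions?" is a one-line query instead of an audit project.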

You are setting up a Wi-Fi hotspot for guest visitors. What is the best method of establishing connections? A. Open access B. A posted password visually available on site C. Use of a PSK solution D. Captive portal

D. A captive portal is a method of having users log on to your system. These are common in coffee shops, airports, hotels, and stores.

A certificate authority consists of which of the following? A. Hardware and software B. Policies and procedures C. People who manage certificates D. All of the above

D. A certificate authority (CA) is the hardware and software that manage the actual certificate bits, the policies and procedures that determine when certificates are properly issued, and the people who make and monitor the policies for compliance.

Your organization has experienced multiple incidents of graffiti tagging and people loitering in the parking lot despite the chain-link fence surrounding it. What is the best solution to the issue? A. "No Trespassing" signage B. More guard stations C. Additional external lighting D. Changing the chain-link fencing to anti-scale fencing

D. A change from chain-link fencing to anti-scale fencing to prevent intruders from climbing the fence is the best solution.

Which of the following represents a method of transferring risk to a third party? A. Applying controls that reduce risk impact B. Creating a record of information about identified risks C. Developing and forwarding the results of a risk matrix/heat map D. Purchasing cybersecurity insurance

D. A common method of transferring risk is to purchase cybersecurity insurance. Insurance allows risk to be transferred to a third party that manages specific types of risk for multiple parties, thus reducing the individual costs. Applying controls that reduce risk impact describes risk mitigation. A risk register is "a record of information about identified risks," as defined by the reference document ISO Guide 73:2009 Risk Management—Vocabulary. A risk matrix/heat map is used to visually display the results of a qualitative risk analysis.

Which type of security control is used to meet a requirement when the requirement cannot be directly met? A. Preventative B. Physical C. Deterrent D. Compensating

D. A compensating control is one that is used to meet a requirement when the requirement cannot be directly met. For example, a legacy system that cannot be patched to satisfy a patching requirement can instead be isolated on its own network segment with additional monitoring; the segmentation and monitoring compensate for the unmet requirement. (Fire suppression, which limits rather than prevents fire damage, is an example of a corrective control and is not one of the options here.) A preventative control is one that prevents specific actions from occurring. A physical control is one that prevents specific physical actions from occurring, such as a mantrap preventing tailgating. A deterrent control acts to discourage an attacker by reducing the perceived likelihood of success.

Which of the following performs a function similar to the familiar parity bits, checksum, or cyclic redundancy check? A. Record offset B. Cryptographic algorithm C. Authentication code D. Hashing algorithm

D. A hashing algorithm performs a function similar to the familiar parity bits, checksum, or cyclic redundancy check (CRC). It applies mathematical operations to a data stream (or file) to calculate some number that is unique based on the information contained in the data stream (or file).
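The practical difference between the two families is what they defend against: a CRC catches accidental corruption, while a cryptographic hash also resists an adversary who chooses the input. The following added example (not code from the exam guide) makes that concrete: both functions detect a flipped bit, but a birthday search over random messages finds a CRC-32 collision in well under a second and finds no SHA-256 collision. The sample message and the seeded random inputs are constructed for the demonstration.

```python
"""Added example (not from the exam guide): why a CRC is an integrity check
but not a cryptographic hash. Both detect accidental corruption; only the
hash resists an adversary who can choose the input."""
import hashlib
import random
import zlib


def crc32_hex(data: bytes) -> str:
    """CRC-32 of the data as 8 hex characters (32-bit checksum)."""
    return format(zlib.crc32(data) & 0xFFFFFFFF, "08x")


def sha256_hex(data: bytes) -> str:
    """SHA-256 of the data as 64 hex characters (256-bit digest)."""
    return hashlib.sha256(data).hexdigest()


def detects_bit_flip(digest, data: bytes) -> bool:
    """Both functions catch a single flipped bit: the output value changes."""
    flipped = bytes([data[0] ^ 0x01]) + data[1:]
    return digest(data) != digest(flipped)


def find_collision(digest, tries: int = 400_000, seed: int = 1):
    """Birthday search: draw random 8-byte messages and look for two
    distinct messages with the same digest. A 32-bit CRC needs only about
    2**16 samples on average; a 256-bit hash is far out of reach."""
    rng = random.Random(seed)  # seeded so the run is reproducible
    seen = {}
    for _ in range(tries):
        msg = rng.getrandbits(64).to_bytes(8, "big")
        value = digest(msg)
        if value in seen and seen[value] != msg:
            return seen[value], msg
        seen[value] = msg
    return None


if __name__ == "__main__":
    sample = b"GET /index.html HTTP/1.1"  # constructed input
    print("crc32 ", crc32_hex(sample))
    print("sha256", sha256_hex(sample))
    print("CRC-32 collision found:", find_collision(crc32_hex))
    print("SHA-256 collision found:", find_collision(sha256_hex, tries=100_000))
```

The CRC collision is the point: anyone who can choose or pad a file can make its CRC match a value of their choosing, which is why file integrity monitoring and software signing use SHA-2 family hashes rather than checksums.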

A system that is ready for immediate use in the event of an outage is called what? A. Standby system B. Disaster recovery site C. Backup site D. Hot site

D. A hot site is one that is ready for immediate use in the event of a failure. All of the other options are names created using distractor words.

Which of the following is used to essentially set the requisite level of performance of a given contractual service? A. Memorandum of understanding (MOU) B. Nondisclosure agreement (NDA) C. Memorandum of agreement (MOA) D. Service level agreement (SLA)

D. A service level agreement (SLA) essentially sets the requisite level of performance for a given contractual service.

Which of the following poses a significant potential risk of unmanned aerial vehicles? A. They have sophisticated autopilot functions. B. They have cameras, sensors, and payloads. C. Some models have a low price. D. Because they are pilotless, their remote-control systems may be networked and therefore vulnerable to potential risks.

D. A significant potential risk of unmanned aerial vehicles is that, because they are pilotless, their remote-control systems may be networked and therefore vulnerable to potential risks.

Which of the following statements is true about redundancy? A. It prevents failures. B. It is complicated and expensive to do. C. It applies only to hardware. D. It can be done across many systems.

D. A wide range of options are associated with creating redundant systems—some as simple as configuration elements and system choices.

Alarms are effective only if which of the following is true? A. They alert on abnormal conditions. B. Every entrance is monitored with a sensor. C. They are not tied to the information systems. D. They are tuned to provide accurate and useful alerts.

D. Alarms are effective only if they are tuned to provide accurate and useful alerting information.

Which of the following statements concerning elasticity and scalability are true? A. Scalability requires elasticity. B. Elasticity involves enabling software to use more processors to do more work. C. Elasticity means being prepared to take advantage of scalability. D. All of the above.

D. All of the above is the correct answer. Scalability requires elasticity to scale, elasticity involves enabling software to use more processors to do more work, and elasticity means developing software that is prepared to take advantage of scalability.

Which of the following are characteristics of remote-access trojans? A. They can be deployed through malware such as worms. B. They allow attackers to connect to the system remotely. C. They give attackers the ability to modify files and change settings. D. All of the above

D. All of these are characteristics of remote-access trojans (RATs). RATs are often deployed through other malware, allow remote access to the affected system, and give the attacker the ability to manipulate and modify the affected system.

Which statement is false regarding cryptographic practices and weak encryption? A. Developing your own cryptographic algorithm is considered an insecure practice. B. Cryptographic algorithms become trusted only after years of scrutiny and repelling attacks. C. The ability to use ever-faster hardware has enabled attackers to defeat some cryptographic methods. D. Because TLS is deprecated, SSL should be used instead.

D. All versions of SSL are now considered deprecated and should not be used. Everyone should switch their systems to TLS-based solutions. All other statements are true.

What is one of the challenges of NetFlow data? A. Proprietary format B. Excess data fields C. Record size D. Removing duplicate records along a path

D. Although NetFlow originated as a Cisco proprietary standard, its format is published (and IPFIX, the IETF standard, is derived from NetFlow version 9). Records are small, but the same flow is reported by every NetFlow-enabled device along a packet's path, so a collector can receive several records for one conversation. Removing those duplicate records in a distributed system can be a challenge.
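What that de-duplication looks like in practice, as an added example that is not from the exam guide: the records below are constructed NetFlow-style summaries in which one client-to-server conversation is exported by two routers on its path (the exporter names are made up), and a later conversation reuses the same five-tuple. The collector keys records on the five-tuple plus a coarse start-time bucket, keeps the fullest observation, and records which exporters saw the flow.

```python
"""Added example (not from the exam guide): de-duplicating flow records that
several exporters along one path report for the same conversation.
The records and device names below are constructed."""
from collections import OrderedDict

# Constructed NetFlow-style records: the same client->server conversation
# is exported by two routers on its path; the DNS flow by only one.
FLOWS = [
    {"exporter": "edge-rtr1", "src": "10.1.5.23", "dst": "203.0.113.10",
     "sport": 51522, "dport": 443, "proto": 6, "start": 1_700_000_000, "bytes": 48_210, "pkts": 61},
    {"exporter": "core-rtr1", "src": "10.1.5.23", "dst": "203.0.113.10",
     "sport": 51522, "dport": 443, "proto": 6, "start": 1_700_000_000, "bytes": 48_210, "pkts": 61},
    {"exporter": "core-rtr1", "src": "10.1.5.23", "dst": "10.1.0.53",
     "sport": 40033, "dport": 53, "proto": 17, "start": 1_700_000_001, "bytes": 140, "pkts": 2},
    # Same 5-tuple seen 15 minutes later: a new conversation, not a duplicate.
    {"exporter": "edge-rtr1", "src": "10.1.5.23", "dst": "203.0.113.10",
     "sport": 51522, "dport": 443, "proto": 6, "start": 1_700_000_900, "bytes": 1_024, "pkts": 4},
]


def flow_key(rec, window=30):
    """5-tuple plus a coarse start-time bucket. Exporters' clocks and flow
    timers differ slightly, so start times are bucketed, not matched exactly."""
    return (rec["src"], rec["dst"], rec["sport"], rec["dport"], rec["proto"],
            rec["start"] // window)


def dedupe(records, window=30):
    """Keep one record per conversation. When several exporters report it,
    keep the largest byte count (the fullest observation) and remember
    which exporters saw it, which is useful later for path analysis."""
    merged = OrderedDict()
    for rec in records:
        key = flow_key(rec, window)
        if key not in merged:
            merged[key] = dict(rec, exporters=[rec["exporter"]])
            continue
        kept = merged[key]
        kept["exporters"].append(rec["exporter"])
        if rec["bytes"] > kept["bytes"]:
            kept["bytes"], kept["pkts"] = rec["bytes"], rec["pkts"]
    return list(merged.values())


def total_bytes(records):
    return sum(r["bytes"] for r in records)


if __name__ == "__main__":
    unique = dedupe(FLOWS)
    print(f"{len(FLOWS)} raw records -> {len(unique)} unique flows")
    print("bytes raw vs deduped:", total_bytes(FLOWS), total_bytes(unique))
    for f in unique:
        print(f["src"], f["dst"], f["dport"], f["bytes"], f["exporters"])
```

Without the de-duplication step the same 48 KB transfer would be counted twice in any volume-based alert, so a "large data transfer" detection tuned on raw records would fire at half the real threshold.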

What is the name given to a policy that outlines what an organization considers to be the appropriate use of its resources, such as computer systems, e-mail, Internet, and networks? A. Resource usage policy (RUP) B. Acceptable use of resources policy (AURP) C. Organizational use policy (OUP) D. Acceptable use policy (AUP)

D. An acceptable use policy (AUP) outlines what the organization considers to be the appropriate use of its resources, such as computer systems, e-mail, Internet, and networks.

Your organization is considering using a new ticket identifier with your current help desk system. The new identifier would be a 16-digit integer created by combining the date, time, and operator ID. Unfortunately, when you've tried using the new identifier in the "ticket number" field on your current system, the application crashes every time. The old method of using a five-digit integer works just fine. This is most likely an example of which of the following? A. Common misconfiguration B. Zero-day vulnerability C. Memory leak D. Integer overflow

D. An integer overflow is a programming error condition that occurs when a program attempts to store a numeric value, an integer, in a variable that is too small to hold it. In this case, the 16-digit integer is too large for the field, which is working just fine with the five-digit integer.
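The check a practitioner wants is a range check before the value reaches the fixed-width field. The following added example (not from the exam guide) assumes the ticket-number column is a signed 32-bit integer and uses a constructed 16-digit identifier: an unchecked C-style assignment silently wraps the value, while a validating parser and a fixed-width pack both reject it.

```python
"""Added example (not from the exam guide): a ticket-number field declared
as a 32-bit signed integer silently wraps a 16-digit value, while a
range-checked parser rejects it. The field width and sample values are
assumptions for the demonstration."""
import ctypes
import struct

INT32_MIN, INT32_MAX = -(2 ** 31), 2 ** 31 - 1


def store_unchecked(value: int) -> int:
    """What a C-style int assignment does: the value is truncated to its
    low 32 bits and reinterpreted as signed, with no error raised."""
    return ctypes.c_int32(value).value


def parse_ticket_number(text: str) -> int:
    """Validate before storing: all digits and within the field's range.
    Raises ValueError instead of letting the value wrap."""
    if not text.isdigit():
        raise ValueError(f"ticket number must be numeric: {text!r}")
    value = int(text)
    if not INT32_MIN <= value <= INT32_MAX:
        raise ValueError(f"ticket number {value} exceeds 32-bit field")
    return value


def fits_field(value: int) -> bool:
    """A second guard: struct.pack with a fixed-width format raises
    struct.error rather than truncating."""
    try:
        struct.pack("<i", value)
        return True
    except struct.error:
        return False


if __name__ == "__main__":
    old_id = "12345"               # five-digit ticket number
    new_id = "2024010112300001"    # date + time + operator ID, 16 digits (constructed)
    print("old id stored as:", parse_ticket_number(old_id))
    print("new id, unchecked store wraps to:", store_unchecked(int(new_id)))
    print("new id fits 32-bit field:", fits_field(int(new_id)))
    try:
        parse_ticket_number(new_id)
    except ValueError as err:
        print("rejected:", err)
```

A crash is the benign outcome; the same truncation feeding a length or index calculation is how integer overflows turn into memory-safety bugs, so the range check belongs at the trust boundary, not after the value has been used.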

You desire to prove a vulnerability can be a problem. The best method would be to use a(n) _____________ scan? A. credentialed B. non-intrusive C. non-credentialed D. intrusive

D. An intrusive scan attempts to exercise a vulnerability. This presents risk in that it might upset the system, but if it works, it is clear proof of the risk associated with a vulnerability.

Which of the following is not a common form of hardware token? A. Proximity card B. Common access card C. USB token D. Iris scan

D. An iris scan would be considered a biometric technique and is not a hardware token. A hardware token is a physical item the user must be in possession of to access their account or certain resources.

Your company has merged with another company, and it uses a different release of accounting software than your company does. How could you provision user machines in accounting so they will not inadvertently run the incorrect version? A. Application allowlisting B. Isolation C. Configurations associated with the application D. Application block listing

D. Application block listing the application by version number will prevent specific versions from being executed on selected machines.

A disgruntled administrator is fired for negligence at your organization. Thirty days later, your organization's internal file server and backup server crash at exactly the same time. Examining the servers, you determine that critical operating system files were deleted from both systems. If the disgruntled administrator was responsible for administering those servers during her employment, this is most likely an example of what kind of malware? A. Crypto-malware B. Trojan C. Worm D. Logic bomb

D. Because both servers crashed at exactly the same time, this is most likely a logic bomb. A logic bomb is a piece of code that sits dormant for a period of time until some event or date invokes its malicious payload—in this case, 30 days after the disgruntled employee was fired.

Which of the following is a formal approach to identifying system or network weaknesses and is open to the public? A. Active reconnaissance B. Passive reconnaissance C. OSINT D. Bug bounty

D. Bug bounty programs can open up vulnerability discovery to the public with a set of rules that manages the disclosure process and the engaging of the systems.

Which of the following is a requirement for a CRL? A. It must have the e-mail addresses of all the certificate owners. B. It must contain a list of all expired certificates. C. It must contain information about all the subdomains covered by the CA. D. It must be posted to a public directory.

D. Certificate revocation lists (CRLs) must be posted to a public directory so that all users of the system can query it.

There is no direct way to detect and respond to a specific threat. What is the best control type to employ for this case? A. Technical B. Corrective C. Preventative D. Compensating

D. Compensating controls are used when there is no direct way to address a risk.

All of the wireless users on the third floor of your building are reporting issues with the network. Every 15 minutes, their devices disconnect from the network. Within a minute or so they are able to reconnect. What type of attack is most likely underway in this situation? A. Evil twin B. Jamming C. Domain hijacking D. Disassociation

D. Disassociation attacks against a wireless system are attacks designed to disassociate a host from the wireless access point and from the wireless network. If the attacker has a list of MAC addresses for the wireless devices, they can spoof de-authentication frames, causing the wireless devices to disconnect from the network.
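The detection side of this attack is a rate check on management frames: a legitimate client leaving a network sends one deauthentication or disassociation frame, whereas a flood sends many to many clients in a short window. The following added example (not from the exam guide) runs that check over a constructed log of frame summaries; the BSSIDs, client addresses and timestamps are made up, and the thresholds are assumptions to tune per site.

```python
"""Added example (not from the exam guide): flagging a deauthentication /
disassociation flood from a log of 802.11 management frames. The frame
log below is constructed; real data would come from a wireless IDS or a
monitor-mode capture."""
from collections import defaultdict

# Constructed frame summaries: (timestamp_s, subtype, bssid, destination).
FRAMES = [
    (0.0, "beacon", "aa:bb:cc:00:00:01", "broadcast"),
    (0.1, "deauth", "aa:bb:cc:00:00:01", "11:22:33:44:55:01"),
    (0.2, "deauth", "aa:bb:cc:00:00:01", "11:22:33:44:55:02"),
    (0.2, "deauth", "aa:bb:cc:00:00:01", "11:22:33:44:55:03"),
    (0.3, "disassoc", "aa:bb:cc:00:00:01", "11:22:33:44:55:01"),
    (0.4, "deauth", "aa:bb:cc:00:00:01", "11:22:33:44:55:02"),
    (0.5, "deauth", "aa:bb:cc:00:00:01", "11:22:33:44:55:04"),
    (0.6, "deauth", "aa:bb:cc:00:00:01", "11:22:33:44:55:05"),
    (0.7, "deauth", "aa:bb:cc:00:00:01", "11:22:33:44:55:06"),
    (3.0, "beacon", "aa:bb:cc:00:00:02", "broadcast"),
    (45.0, "deauth", "aa:bb:cc:00:00:02", "11:22:33:44:55:09"),  # a single normal deauth
]

KICK_SUBTYPES = {"deauth", "disassoc"}


def detect_deauth_flood(frames, window=2.0, threshold=5):
    """Sliding window per BSSID: report the busiest window in which at least
    `threshold` deauth/disassoc frames were seen within `window` seconds.
    Returns a list of (bssid, window_start, frame_count, distinct_targets)."""
    by_bssid = defaultdict(list)
    for ts, subtype, bssid, dst in frames:
        if subtype in KICK_SUBTYPES:
            by_bssid[bssid].append((ts, dst))

    alerts = []
    for bssid, events in by_bssid.items():
        events.sort()
        best, start = None, 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1            # slide the window forward
            count = end - start + 1
            if count >= threshold and (best is None or count > best[1]):
                targets = {dst for _, dst in events[start:end + 1]}
                best = (events[start][0], count, len(targets))
        if best:
            alerts.append((bssid, *best))
    return alerts


if __name__ == "__main__":
    for bssid, t0, count, targets in detect_deauth_flood(FRAMES):
        print(f"ALERT {bssid}: {count} deauth/disassoc frames to {targets} clients "
              f"within window starting t={t0}s")
```

The distinct-target count is what separates a flood from a single noisy client: many frames aimed at many stations from one BSSID is the signature of spoofed de-authentication. Protected Management Frames (802.11w, mandatory in WPA3) are the preventive control; this check is the detective one for networks that cannot yet require them.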

Which code analysis method is performed while the software is executed, either on a target system or an emulated system? A. Static analysis B. Runtime analysis C. Sandbox analysis D. Dynamic analysis

D. Dynamic analysis is performed while the software is executed, either on a target system or an emulated system. Static analysis is when the code is examined without being executed. Sandboxing refers to the execution of computer code in an environment designed to isolate the code from direct contact with the target system. Runtime analysis is descriptive of the type of analysis but is not the term used in the industry.

You are using EAP-TTLS, which includes what unique aspect? A. It cannot be used in WPA3. B. It requires client-side certificates. C. It cannot be used with CHAP. D. It is easier to set up than other EAP schemes.

D. EAP-TTLS is easier to set up than other EAP methods because it can operate without client-side certificates: only the server needs a certificate, and the client authenticates inside the TLS tunnel with an inner method such as a password-based scheme (CHAP or MS-CHAPv2, for example).

Which of the following is not a limitation associated with cryptographic solutions? A. Speed B. Computational overhead C. Longevity D. Entropy

D. Entropy is a measure of randomness, not a limitation of a cryptographic solution.

Your database server is returning a large dataset to an online user, saturating the network. The normal return of records would be a couple at most. This is an example of what form of attack? A. Memory leak B. LDAP injection C. Man in the middle D. SQL injection

D. Excessive records being returned from a SQL query is a sign of SQL injection.
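The symptom in the question, a whole table returned where one row was expected, is reproduced below in an added example that is not from the exam guide: a lookup that builds its query by string concatenation, beside the parameterized version that treats the same input as data. The in-memory SQLite table, its rows and the payload are constructed.

```python
"""Added example (not from the exam guide): a string-built query returns
every row when fed a tautology payload; the parameterized query does not.
Uses an in-memory SQLite database with constructed rows."""
import sqlite3


def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE customers (id INTEGER, email TEXT, card_last4 TEXT)")
    con.executemany("INSERT INTO customers VALUES (?, ?, ?)", [
        (1, "ann@example.com", "1234"),
        (2, "bob@example.com", "5678"),
        (3, "cy@example.com", "9012"),
    ])
    return con


def lookup_vulnerable(con, email):
    """The bug: user input is spliced into the SQL text, so a quote in the
    input ends the string literal and the rest is parsed as SQL."""
    sql = "SELECT id, email, card_last4 FROM customers WHERE email = '" + email + "'"
    return con.execute(sql).fetchall()


def lookup_safe(con, email):
    """Parameterized: the driver sends the input as a bound value, so it
    can never change the structure of the statement."""
    sql = "SELECT id, email, card_last4 FROM customers WHERE email = ?"
    return con.execute(sql, (email,)).fetchall()


NORMAL_INPUT = "ann@example.com"
INJECTED_INPUT = "x' OR '1'='1"   # classic tautology payload (constructed)

if __name__ == "__main__":
    con = make_db()
    print("vulnerable, normal input :", len(lookup_vulnerable(con, NORMAL_INPUT)), "row(s)")
    print("vulnerable, injected     :", len(lookup_vulnerable(con, INJECTED_INPUT)), "row(s)")
    print("safe, injected           :", len(lookup_safe(con, INJECTED_INPUT)), "row(s)")
```

On the monitoring side, a query that normally returns one or two rows suddenly returning the full table is exactly the anomaly a database activity monitor or the application's own row-count logging should alert on.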

You have been directed by upper management to block employees from accessing Facebook from the corporate machines. Which would be the easiest way to exercise this control? A. Application allow list B. Application block list C. DLP D. Content filtering

D. Facebook is reached through a browser, so the easiest control is content (URL) filtering on the proxy or firewall, which blocks the site for every browser on every machine. Application allow and block lists govern which executables may run on a host, not which websites a permitted browser may reach, and DLP addresses data leaving the organization rather than site access.

Fuzz testing works best in which of the following testing environments? A. Known environment testing B. Partially known environment testing C. Unknown environment testing D. Fuzz testing works equally well in all of the above.

D. Fuzz testing works well in known environment, unknown environment, and partially known environment testing, as it can be performed without knowledge of the specifics of the application under test.

To search through a system to find files containing a phrase, what would the best tool be? A. curl B. logger C. chmod D. grep

D. Grep is the pattern-matching tool that can be used to match patterns and search for matches.

Which of these is not associated with syslog files? A. Journalctl B. NXLog C. SIP CTL D. IPFIX

D. IPFIX (IP Flow Information Export) is the IETF standard for exporting network flow records, derived from NetFlow version 9; it carries flow data, not syslog messages. journalctl reads the systemd journal, and NXLog collects and forwards syslog and other log sources.

Which ISO standard covers risk management activities? A. ISO 27001 B. ISO 27701 C. ISO 27002 D. ISO 31000

D. ISO 31000 covers risk management processes and procedures.

Which backup strategy includes only the files and software that have changed since the last full backup? A. Incremental B. Full C. Snapshot D. Differential

D. In a differential backup, only the files and software that have changed since the last full backup was completed are backed up. The incremental backup is a variation on a differential backup, with the difference being that instead of copying all files that have changed since the last full backup, the incremental backup backs up only files that have changed since the last full or incremental backup occurred, thus requiring fewer files to be backed up. In a full backup, all files and software are copied onto the storage media. Snapshots are point-in-time copies of a system's state, typically of a virtual machine or a storage volume.
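The trade-off between the two strategies shows up in what each daily run copies and in how many backup sets a restore must read. The following added example (not from the exam guide) walks a constructed week of file changes through full, differential and incremental selection; the file names and change days are made up.

```python
"""Added example (not from the exam guide): which files each strategy
copies on each day, given constructed modification history, and which
backup sets a restore must read. Day 0 is the weekly full backup."""

# Constructed change history: file -> set of days on which it was modified.
CHANGES = {
    "payroll.db":  {1, 2, 4},
    "web.conf":    {1},
    "report.xlsx": {3, 5},
    "kernel.img":  set(),        # never changes after the full backup
}
FILES = sorted(CHANGES)


def files_changed_since(day, since):
    """Files modified after day `since`, up to and including `day`."""
    return sorted(f for f, days in CHANGES.items() if any(since < d <= day for d in days))


def plan_backups(strategy, days=6):
    """Return {day: [files copied]} for 'full', 'differential' or 'incremental'."""
    plan = {0: FILES}                  # day 0: full backup of everything
    last_full, last_any = 0, 0
    for day in range(1, days + 1):
        if strategy == "full":
            plan[day] = FILES
        elif strategy == "differential":
            plan[day] = files_changed_since(day, last_full)   # since the last FULL
        elif strategy == "incremental":
            plan[day] = files_changed_since(day, last_any)    # since the last backup of any kind
        else:
            raise ValueError(strategy)
        last_any = day
    return plan


def restore_sets(strategy, day):
    """Backup runs that must be read, in order, to restore to the end of `day`."""
    if strategy == "full":
        return [day]
    if strategy == "differential":
        return [0, day]                    # last full plus the latest differential
    return list(range(0, day + 1))         # last full plus every incremental since


if __name__ == "__main__":
    for strategy in ("full", "differential", "incremental"):
        plan = plan_backups(strategy)
        sizes = {d: len(v) for d, v in plan.items()}
        print(f"{strategy:12} files per day {sizes}  restore day 6 reads {restore_sets(strategy, 6)}")
```

Differential runs grow through the week but a restore needs two sets; incremental runs stay small but a restore needs every set since the full, so the loss of any one incremental set breaks the chain. That dependency is why the restore procedure, not just the backup job, has to be tested.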

Which of the following is not part of SIEM processes? A. Data collection B. Event correlation C. Alerting/reporting D. Incident investigation

D. Incident investigations occur after and as a result of SIEM processes but are not typically part of them.

Why is it important to establish policies governing remote wiping of mobile devices? A. Mobile devices typically do not mix personal and business data. B. Mobile devices are more easily secured. C. Thieves cannot decrypt mobile devices. D. They are more susceptible to loss than other devices.

D. It is important to establish policies governing the remote wiping of mobile devices because they are more susceptible to loss than other devices.

A ticket-granting server is an important element in which of the following authentication models? A. 802.1X B. RADIUS C. TACACS+ D. Kerberos

D. Kerberos uses ticket-granting servers to manage the issuance of tickets granting various permissions on the system.

You need to design an authentication system where users who have never connected to the system can be identified and authenticated in a single process. Which is the best solution? A. RADIUS B. Password vault-based authentication C. TPM-based authentication D. Knowledge-based authentication

D. Knowledge-based authentication schemes allow the authentication of users who have not previously established their identity via a combined identification and authentication methodology.

What is masking? A. The use of stand-in data to replace real-time data B. The marking of regions where data is not allowed by policy C. The use of backups to preserve data during disruptive events D. Redacting portions of data using a covering symbol such as * or x

D. Masking is the marking over of portions of information to prevent disclosure (for example, using x's for all but the last four numbers of a credit card).

You need to use cryptographic keys between several devices. Which of the following can manage this task? A. MAM solutions B. Firmware OTA updates C. USB OTG D. MicroSD HSM

D. MicroSD HSM facilitates HSM functionality via a MicroSD connection. It can be connected via an adapter to any USB device.

What technology can check the client's health before allowing access to the network? A. DLP B. Reverse proxy C. NIDS/NIPS D. NAC

D. NAC, or network access control, is a technology that can enforce the security health of a client machine before allowing it access to the network.

Why is pinning more important on mobile devices? A. It uses elliptic curve cryptography. B. It uses less power for pinned certificate requests. C. It reduces network bandwidth usage by combining multiple CA requests into one. D. It allows caching of a known good certificate when roaming to low-trust networks.

D. Certificate pinning ties the application to a known good certificate (or its public key) so that a different certificate presented by an interposing device is rejected even if a trusted CA signed it. Pinning is important on mobile devices because they are much more likely to be used on various networks, many of which have much lower trust than their home network.

To coordinate team activities during an incident response event, what is the best way to communicate approved instructions? A. Runbook B. MDM solution C. Quarantine rule D. Playbook

D. Playbooks document the approved, business-focused steps and communications a team follows during an incident, as opposed to runbooks, which cover the technical, machine-level procedures.

To automate system administration across an enterprise Windows network, including using Windows objects, the best choice would be which of the following? A. Bash scripting B. Python C. Wireshark D. PowerShell

D. PowerShell is the best tool to use in this case. The key is the inclusion of Windows objects.

Data that is labeled "private" typically pertains to what category? A. Proprietary data B. Confidential information C. Legal data D. Personal information

D. Private data frequently refers to personal data.

Which of the following is an open standard that uses security tokens and assertions and allows you to access multiple websites with one set of credentials? A. PAP B. CHAP C. SSO D. SAML

D. SAML is an XML-based open standard that uses security tokens and assertions to pass information about a "principal" (typically an end user) between a SAML authority (an "identity provider" or IdP) and the service provider (SP). In simpler terms, by allowing identity providers to pass on credentials to service providers, SAML allows you to log in to many different websites using one set of credentials.

Which of the following properly defines supervisory control and data acquisition (SCADA)? A. A scaled-down version of Linux designed for use in an embedded system B. The standard used for communicating between intelligent car systems C. The risk created by connecting control systems in buildings D. A system designed to control automated systems in cyber-physical environments

D. SCADA is a system designed to control automated systems in cyber-physical environments.

Which reports are done over a period of time to verify operational efficiency and effectiveness of controls? A. SOC Type I B. PCI DSS audit report C. CSA CCM D. SOC Type II

D. SOC Type II reports are done over a period of time to verify operational efficiency and effectiveness of controls. SOC Type I reports, on the other hand, evaluate whether proper controls are in place at a specific point in time.

What structure is used to manage users in cloud environments? A. Permissions B. Incident awareness C. Dynamic resource allocations D. Security groups

D. Security groups are used to manage users in the cloud environment.

Which of the following represents the greatest risk when used? A. Service accounts B. User accounts C. Guest accounts D. Shared accounts

D. Shared accounts are the greatest risk because actions taken with them cannot be attributed to an individual, which defeats accountability and auditing.

To develop secure software that prevents attackers from directly injecting attacks into computer memory and manipulating the application's process, one should employ which method? A. Elasticity B. Dead code C. Normalization D. Software diversity

D. Software diversity in the form of diverse binaries will prevent direct memory attacks against known software structures.

Which of the following is not a term used in multifactor authentication? A. Someone you know B. Somewhere you are C. Something you have D. Something you see

D. Something you see is neither a factor (something you know, something you have, or something you are) nor an attribute (somewhere you are, something you can do, something you exhibit, or someone you know).

Which standard of evidence states the evidence must be convincing or measure up without question? A. Direct evidence B. Competent evidence C. Relevant evidence D. Sufficient evidence

D. Sufficient evidence states the evidence must be convincing or measure up without question. Direct evidence is oral testimony that proves a specific fact (such as an eyewitness's statement). The knowledge of the facts is obtained through the five senses of the witness, with no inferences or presumptions. Competent evidence states the evidence must be legally qualified and reliable. Relevant evidence states the evidence must be material to the case or have a bearing on the matter at hand.

If end-to-end encryption is used, which of the following technologies facilitates security monitoring of encrypted communication channels? A. Fake telemetry B. Tokenization C. Hashing D. TLS inspections

D. TLS inspection systems terminate the client's TLS session at the inspection device and open a second session to the server, so the device sees the plaintext and can monitor it. Clients must trust the inspection device's CA certificate for this to work, and the traffic is no longer truly end-to-end encrypted across that point, so the device itself becomes a high-value target.

While waiting in the lobby of your building for a guest, you notice a man in a red shirt standing close to a locked door with a large box in his hands. He waits for someone else to come along and open the locked door and then proceeds to follow her inside. What type of social engineering attack have you just witnessed? A. Impersonation B. Phishing C. Boxing D. Tailgating

D. Tailgating (or piggybacking) is the simple tactic of following closely behind a person who has just used their own access card, key, or PIN to gain physical access to a room or building. The large box clearly impedes the person in the red shirt's ability to open the door, so they let someone else do it for them and follow them in.

What should you do to protect your IP-based CCTV system from a DDoS attack? A. Reconfigure your firewalls. B. Connect it to an intrusion detection system. C. Require multifactor authentication to access the CCTV system. D. Place all CCTV components on a separate network.

D. The CCTV system should be on a completely separate network, air gapped if possible, with only security personnel having access.

A user reports to the help desk that he is getting "cannot resolve address" error messages from his browser. Which port is likely a problem on his firewall? A. 22 B. 553 C. 440 D. 53

D. The Domain Name System (DNS) uses TCP and UDP port 53 for standard queries and responses.

Your business application server sends data to partners using encrypted (signed) messages. You hear from one of the partners that their messages have ceased coming. What should you investigate? A. Application whitelist B. Application blacklist C. The playbook for the system D. Configuration settings of the process

D. Check the configuration settings of the signing process. The signing certificate has most likely expired, been revoked, or been removed from the sending account, so the certificate authority no longer marks it valid and the signed messages stop being produced or accepted. This is a configuration error, not an allow list or block list issue.

Who is responsible for determining what data is needed by the enterprise? A. Data steward B. Data privacy officer C. Data custodian D. Data owner

D. The data owner determines the business need. The privacy officer ensures that laws and regulations are followed, and the custodian/steward maintains the data.

Which of the following is not a packet capture/analysis tool? A. Wireshark B. tcpreplay C. tcpdump D. dd

D. The dd utility copies raw blocks from disks and files (for example, to make a forensic disk image); it does not capture packets on a network. Wireshark and tcpdump capture and analyze packets, and tcpreplay replays captured packets.

Password policies are needed for all of the following except? A. Password complexity B. Password history C. Password reuse D. Password language

D. The language used in the creation of passwords is not an issue, especially given that most passwords are ideally strings of random characters.

What is the purpose of the Simple Network Management Protocol version 3 (SNMPv3)? A. It provides asymmetric encryption values. B. It achieves specific communication goals. C. It provides a common language for developers. D. It is used to securely manage devices on IP-based networks.

D. The purpose of SNMPv3 is to securely manage devices on IP-based networks.

What is the purpose of the Secure/Multipurpose Internet Mail Extensions (S/MIME) protocol? A. It is used in audio encryption. B. It optimizes the use of ports 80 and 443. C. It encrypts HTTP traffic. D. It provides cryptographic protections to e-mails.

D. The purpose of the S/MIME protocol is to provide cryptographic protections to e-mail and attachments.

What does a salt provide? A. It tells the algorithm how many digits of primes to use. B. It primes the algorithm by giving it initial noncritical data. C. It adds additional rounds to the cipher. D. It provides additional entropy.

D. A salt adds additional entropy, or randomness, to the input of a password hash or key derivation, so that equal inputs such as identical passwords on different accounts produce different outputs and a precomputed table cannot be reused across accounts.
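The separation a salt provides is easiest to see with two accounts that share a password. The following added example (not from the exam guide) hashes the same password for two users with plain SHA-256 and with PBKDF2-HMAC-SHA256 from the standard library, each account getting its own random salt; the passwords and iteration count are constructed and assumed for the demonstration.

```python
"""Added example (not from the exam guide): two users with the same
password get the same digest without a salt and unrelated digests with
one, using PBKDF2-HMAC-SHA256 from hashlib. Passwords are constructed."""
import hashlib
import hmac
import os

ITERATIONS = 600_000   # work factor (assumed); raise it as hardware gets faster


def hash_unsalted(password: str) -> str:
    """Plain SHA-256: identical passwords give identical hashes, and one
    precomputed table attacks every account at once."""
    return hashlib.sha256(password.encode()).hexdigest()


def hash_salted(password: str, salt: bytes) -> str:
    """PBKDF2 with a per-account random salt: identical passwords give
    unrelated digests, and each account must be attacked separately."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS).hex()


def new_record(password: str) -> dict:
    """What gets stored: the salt (not secret) next to the derived hash."""
    salt = os.urandom(16)                 # 128-bit random salt
    return {"salt": salt, "hash": hash_salted(password, salt)}


def verify(record: dict, attempt: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    return hmac.compare_digest(record["hash"], hash_salted(attempt, record["salt"]))


if __name__ == "__main__":
    password = "Winter2024!"              # constructed; both users chose it
    alice, bob = new_record(password), new_record(password)
    print("unsalted hashes equal:", hash_unsalted(password) == hash_unsalted(password))
    print("salted hashes equal  :", alice["hash"] == bob["hash"])
    print("alice salt, hash     :", alice["salt"].hex(), alice["hash"][:16] + "...")
    print("verify good / bad    :", verify(alice, password), verify(alice, "winter2024!"))
```

The salt is stored in the clear beside the hash; its job is uniqueness, not secrecy. The iteration count (or a memory-hard function such as scrypt or Argon2) is what slows a guessing attack against any one account.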

Which of the following environments is used to test compatibility against multiple target environments? A. Production B. Test C. Quality assurance D. Staging

D. The staging environment can be used to manage software releases against different targets to ensure compatibility.

You have a database full of very sensitive data. Salespeople need to access some of this sensitive data when onsite with a customer. The best method to prevent leakage of critical data during these access sessions would be to employ which of the following? A. Salting B. Hashing C. Block list D. Tokenization

D. The use of tokens to join records while hiding sensitive fields is common practice for views on database tables.
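The masking answer above (replacing all but the last four digits) and this tokenization answer fit together in one design, shown below as an added example that is not from the exam guide: the real card number lives only in a vault table, every other table carries a random token in its place, records are joined on that token, and the view the sales team queries exposes only the token and the masked number. The schema, rows and card numbers are constructed.

```python
"""Added example (not from the exam guide), covering both the masking and
the tokenization answers: the sensitive column is replaced by a random
token, the token-to-value map lives in a separate vault table, and the
view the sales team queries exposes only tokens and masked values.
Schema, rows and card numbers are constructed."""
import secrets
import sqlite3


def mask_card(number: str, keep: int = 4, symbol: str = "x") -> str:
    """Redact all but the last `keep` characters: 4111111111111111 -> xxxxxxxxxxxx1111."""
    return symbol * (len(number) - keep) + number[-keep:]


def tokenize(con, value: str) -> str:
    """Return the existing token for `value` or mint a new random one.
    The token is random, so it reveals nothing about the value it stands for."""
    row = con.execute("SELECT token FROM vault WHERE value = ?", (value,)).fetchone()
    if row:
        return row[0]
    token = "tok_" + secrets.token_hex(8)
    con.execute("INSERT INTO vault (token, value) VALUES (?, ?)", (token, value))
    return token


def detokenize(con, token: str) -> str:
    """Only the payment process, never the sales view, is granted this lookup."""
    return con.execute("SELECT value FROM vault WHERE token = ?", (token,)).fetchone()[0]


def build_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE vault (token TEXT PRIMARY KEY, value TEXT UNIQUE)")
    con.execute("CREATE TABLE customers (id INTEGER, name TEXT, card_token TEXT, card_masked TEXT)")
    con.execute("CREATE TABLE orders (order_id INTEGER, card_token TEXT, amount REAL)")
    for cid, name, card in [(1, "Ann", "4111111111111111"), (2, "Bob", "5500000000000004")]:
        con.execute("INSERT INTO customers VALUES (?, ?, ?, ?)",
                    (cid, name, tokenize(con, card), mask_card(card)))
    for order_id, card, amount in [(101, "4111111111111111", 250.0),
                                   (102, "5500000000000004", 80.0),
                                   (103, "4111111111111111", 20.0)]:
        con.execute("INSERT INTO orders VALUES (?, ?, ?)", (order_id, tokenize(con, card), amount))
    # The view the sales team is granted: records join on the token and
    # only the masked number ever leaves the database.
    con.execute("""CREATE VIEW sales_view AS
        SELECT c.name, c.card_token, c.card_masked, SUM(o.amount) AS spent
        FROM customers c JOIN orders o ON o.card_token = c.card_token
        GROUP BY c.id""")
    return con


def sales_rows(con):
    return con.execute("SELECT name, card_masked, spent FROM sales_view ORDER BY name").fetchall()


def view_leaks_pan(con) -> bool:
    """Control check: no cell of the sales view may contain a full card number."""
    pans = {v for (v,) in con.execute("SELECT value FROM vault")}
    return any(str(cell) in pans for row in con.execute("SELECT * FROM sales_view") for cell in row)


if __name__ == "__main__":
    con = build_db()
    for row in sales_rows(con):
        print(row)
    print("sales view leaks a card number:", view_leaks_pan(con))
```

The vault is the only place the real value exists, so its access controls and its backups define the blast radius of a leak; everything the field staff can query is safe to lose because a token cannot be reversed without the vault.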

You use a "golden disk" to provision new machines from your vendors. As part of the incident response, you have discovered that the source of the malware you are seeing comes from this golden disk. This is an example of what vector? A. Insider B. Direct access C. Removeable media D. Supply chain

D. This is a supply chain vector. Although the work was done in-house, the supply chain stretches from each part to the functioning system, and you added the final software to create the functioning system, so your own team is part of the supply chain.

A piece of malware is infecting the desktops in your organization. Every hour, more systems are infected. The infections are happening in different departments and in cases where the users don't share any files, programs, or even e-mails. What type of malware can cause this type of infection? A. Virus B. Trojan C. RAT D. Worm

D. This is most likely a worm attack. Attacks that move across the network, seemingly without user intervention, are commonly worms.

You need to manage a whole host of different endpoints in the enterprise, including mobile devices, iPads, printers, PCs and phones. Which of the following is the most comprehensive solution? A. COPE-based solutions B. MAM solutions C. MDM solutions D. UEM solutions

D. UEM (unified endpoint management) solutions can address a wider range of devices in a more comprehensive manner than MDM and MAM solutions.

Why is VM sprawl an issue? A. VM sprawl uses too many resources on parallel functions. B. The more virtual machines in use, the harder it is to migrate a VM to a live server. C. Virtual machines are so easy to create, you end up with hundreds of small servers only performing a single function. D. When servers are no longer physical, it can be difficult to locate a specific machine.

D. VM sprawl is an issue because when virtual machines proliferate, they can be easily moved and potentially easily copied to random locations. This can make finding a specific machine difficult without a carefully constructed and consistently managed organizational structure.

Which of the following is not part of the Diamond Model of Intrusion Analysis? A. Victim B. Infrastructure C. Adversary D. Vulnerability

D. Vulnerability is not a formal node of the Diamond Model for Intrusion Analysis. The fourth node is capability.

The use of an eight-digit PIN to set up a wireless connection is part of which of the following? A. WPA B. SAE C. WPA3 D. WPS

D. Wi-Fi Protected Setup (WPS) uses an eight-digit PIN to establish a connection between devices.
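Why that eight-digit PIN is weaker than it looks: the eighth digit is a checksum of the first seven, and the WPS registrar confirms the first half of the PIN separately before the second half is checked, so an attacker guesses the halves one after the other. The following added example (not from the exam guide) implements the checksum rule from the WPS specification and works out the resulting search space; the sample PIN is a constructed one.

```python
"""Added example (not from the exam guide): the WPS PIN check digit and
the size of the search space an online brute-force attack actually faces.
The checksum rule is the one defined by the WPS specification."""


def wps_checksum(first7: str) -> int:
    """Weighted digit sum over the first seven digits: positions 1, 3, 5, 7
    weigh 3 and positions 2, 4, 6 weigh 1; the check digit makes the total
    a multiple of 10."""
    accum = sum((3 if i % 2 == 0 else 1) * int(d) for i, d in enumerate(first7))
    return (10 - accum % 10) % 10


def is_valid_pin(pin: str) -> bool:
    """True when the PIN is eight digits and its last digit is the checksum."""
    return len(pin) == 8 and pin.isdigit() and int(pin[7]) == wps_checksum(pin[:7])


def search_space() -> dict:
    """Worst-case number of guesses:
    naive          - all eight digits free: 10**8
    with_checksum  - the eighth digit is determined by the other seven: 10**7
    split_halves   - the registrar acknowledges the first four digits on their
                     own, so guess them (10**4), then the second half, whose
                     last digit is the checksum (10**3)."""
    return {"naive": 10 ** 8, "with_checksum": 10 ** 7, "split_halves": 10 ** 4 + 10 ** 3}


def count_valid_pins_with_prefix(prefix4: str) -> int:
    """Once the first half is confirmed, enumerate how many PINs remain."""
    return sum(1 for n in range(10 ** 4) if is_valid_pin(prefix4 + f"{n:04d}"))


if __name__ == "__main__":
    sample = "12345670"                            # constructed PIN
    print(sample, "valid:", is_valid_pin(sample))
    print("checksum for 1234567 is", wps_checksum("1234567"))
    print("guesses:", search_space())
    print("PINs left after first half confirmed:", count_valid_pins_with_prefix("1234"))
```

Eleven thousand online attempts is hours of work against an access point that does not rate-limit PIN attempts, which is why the standard advice is to disable WPS PIN entry on the access point rather than rely on the PIN's apparent length.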
