CompTIA Security+ (SY0-601) Study Guide
You are the IT security technician for a water treatment facility that uses PLCs to control water pressure and chemical release valves. You need to prevent unauthorized network access to the PLC network. Which mitigation will be the most effective in preventing unauthorized remote network access? A. Air gapping B. User account MFA C. Network intrusion detection system D. IPsec
A. Air gapping
You are configuring a Windows file server so that files marked as "PII-Finance" are accessible only to full-time users in the Finance department. What type of access control model are you configuring? A. ABAC B. RBAC C. DAC D. MAC
A. Attribute-based Access Control (ABAC) Correct Answer: Attribute-based Access Control (ABAC) allows resource access based on user, device and resource attributes. Incorrect Answers: Role-based Access Control (RBAC) uses roles, which are collections of related permissions, to control resource access. Discretionary Access Control (DAC) allows the data custodian to set permissions in accordance with policies set forth by the data owner. Mandatory Access Control (MAC) labels resources and ties security clearance levels to specific labels to allow resource access.
Which physical security item mitigates the ramming of vehicles into buildings? A. Bollard B. Security guards C. Access control vestibule D. Door locks
A. Bollard Correct Answer: Bollards are concrete or steel pillars embedded deep into the ground near sensitive areas to prevent vehicle ramming. Incorrect Answers: Security guards cannot effectively prevent vehicles from ramming buildings. Access control vestibules (man traps) prevent a second inner door from opening until the first outer door closes and locks. Door locks prevent physical entry to a room but do not mitigate vehicles ramming buildings.
Which block cipher mode uses the ciphertext from the previous block to be fed into the algorithm to encrypt the next block? A. CFB B. ECB C. CBC D. OFB
A. Cipher Feedback Mode (CFB) Correct Answer: With Cipher Feedback Mode (CFB), each previous block's ciphertext is encrypted and fed into the algorithm to encrypt the next block. Incorrect Answers: Electronic Code Book (ECB), given the same plaintext, always results in the same ciphertext and is thus considered insecure. Cipher Block Chaining (CBC) is similar to ECB except that it uses a random Initialization Vector (IV). Output Feedback Mode (OFB) uses a keystream of bits to encrypt data blocks.
Users complain that lately, when connecting to secured web sites, they initially receive authentication and certificate errors. After investigating the issue, host logs show that some user devices are infected with malware that modified entries in the DNS resolver cache. Which attack is most likely to have caused this type of behavior? A. DNS poisoning B. URL hacking C. ARP cache poisoning D. Ransomware
A. DNS poisoning
You are reviewing Web server logs after a Web application security breach. To what type of security control do log reviews relate? A. Detective B. Preventative C. Compensating D. Technical
A. Detective Correct Answer: Reviewing logs allows technicians to detect anomalous activity. Incorrect Answers: Preventative controls take steps to reduce the possibility of threat incidents such as keeping antivirus databases up to date. Compensating controls are used when it is not feasible to implement the preferred control due to cost, time or complexity. Technical controls use technology to safeguard assets, such as a firewall appliance.
Which cryptographic algorithm uses smaller keys but provides just as much crypto strength as other algorithms with larger key spaces? A. ECC B. RSA C. MD5 D. SHA256
A. Elliptic Curve Cryptography (ECC) Correct Answer: Elliptic Curve Cryptography (ECC) uses small keys to achieve strong crypto strength. Incorrect Answers: RSA keys are larger than ECC keys. MD5 and SHA256 do not use keys; they are hashing algorithms.
During a post-incident review, you determine that an attacker executed an ARP poisoning attack. Which mitigations would be most effective in preventing this from occurring in the future? A. Network access control B. Disable all network broadcasts C. Spanning Tree Protocol (STP) D. Static ARP cache entries
A. Network access control and D. Static ARP cache entries
You are a member of a pen testing team embarking on a new pen test engagement. Which type of document are pen testers most likely to be asked to sign? A. NDA B. MOA C. MOU D. ISA
A. Non-Disclosure Agreement (NDA)
Which term describes a specialized computer interface that controls industrial devices such as manufacturing robots and centrifuges? A. PLC B. SLA C. ICS D. HSM
A. Programmable Logic Controller (PLC) Correct Answer: Programmable Logic Controllers (PLCs) are used extensively in manufacturing and various industries such as oil refining, electricity and water treatment. Incorrect Answers: Service Level Agreements (SLAs) guarantee uptime for services such as those offered in the cloud. An Industrial Control System (ICS) refers to a collection of computerized solutions used for industrial process control. A Hardware Security Module (HSM) is a tamper-resistant device used for cryptographic operations and the storage of cryptographic keys.
Your company has determined that incident response to security events must be automated to reduce incident response time. What type of solution should be implemented? A. SOAR B. SIEM C. ICS D. PLC
A. Security Orchestration, Automation, and Response (SOAR) Correct Answer: A Security Orchestration, Automation, and Response (SOAR) solution allows the creation of playbooks that can automate some or all incident response tasks. Incorrect Answers: Security Information and Event Management (SIEM) is a solution that ingests activity data from numerous sources to detect indicators of compromise. An Industrial Control System (ICS) is a collection of computerized solutions used for industry, such as with manufacturing, oil refining, or power plants. A Programmable Logic Controller (PLC) is a network device that connects with industrial components.
You are verifying a digital signature. Which key will be used? A. Sender public key B. Your public key C. Sender private key D. Your private key
A. Sender public key Correct Answer: Sender public key. Verifying digital signatures is done using the sender's public key (the sender's private key creates the digital signature). Incorrect Answers: The listed keys are not used to verify a digital signature.
Which TCP/IP protocol is used for configuring and gathering remote network host statistics? A. SNMP B. DNSSEC C. IPsec D. HTTPS
A. Simple Network Management Protocol (SNMP) Correct Answer: The Simple Network Management Protocol (SNMP) uses a management station that connects to network devices to retrieve statistics and to allow remote configuration. Incorrect Answers: DNS Security (DNSSEC) digitally signs DNS zone records. Clients validate the signature to ensure DNS responses are authentic. IP security (IPsec) is a suite of network security protocols that can be used to encrypt and authenticate network messages. Hyper Text Transfer Protocol Secure (HTTPS) encrypts HTTP network transmissions between clients and servers.
When pen testing Wi-Fi networks, why is deauthentication sometimes used? A. To forcibly disconnect Wi-Fi clients to observe authentication. B. To forcibly disconnect Wi-Fi clients to prevent their Wi-Fi connectivity. C. To test RADIUS authentication resiliency. D. To perform offline dictionary attacks.
A. To forcibly disconnect Wi-Fi clients to observe authentication. Correct Answer: To forcibly disconnect Wi-Fi clients to observe authentication. Deauthentication kicks connected devices off the Wi-Fi network in order to observe the reconnection authentication information. Incorrect Answers: The listed explanations do not explain why deauthentication is often used with Wi-Fi pen testing.
You are a Linux sys admin attempting to execute privileged commands in Linux but you keep receiving "Permission denied" messages. What should you do? A. Use the sudo command B. Use the chmod command C. Login as root D. Disable SELinux enforcing mode
A. Use the sudo command Correct Answer: The sudo command prefix allows non-root users to run privileged commands as long as they are granted this permission in the sudoers file. Incorrect Answers: The chmod command is used to set Linux file system permissions. Logging in as root is not recommended because it is such a powerful account. Security Enhanced Linux (SELinux) is not causing permission denied messages in this scenario.
You are configuring SSH public key authentication for a Linux host that will be managed from a Windows computer. Where must the public key be stored? A. User home directory on the Linux server B. User home directory on the Windows host C. Root directory on the Linux server D. Root directory on the Windows host
A. User home directory on the Linux server Correct Answer: User home directory on the Linux server. SSH public keys must be stored on the server in the user home directory in a file called "authorized_keys". Incorrect Answers: None of the listed options specifies the correct location of the SSH public key.
Which of the following constitutes multifactor authentication (MFA)? A. Username + password + device PIN B. Fingerprint scan C. Facial recognition D. Username + password + answer to security question
A. Username + password + device PIN Correct Answer: Username + password + device PIN. MFA uses multiple categories of authentication such as something you know (username, password) along with something you have (a device on which you receive a PIN). Incorrect Answers: The listed items constitute only single factor authentication (SFA) because they use only one authentication category such as something you are (fingerprint scan, facial recognition) or something you know (username, password, answer to security question).
You are using the AWS cloud to host custom code running within a virtual machine. The code requires limited access to resources within a cloud network, or VPC. What should you configure? A. VPC endpoint B. VPC peering C. VPC gateway transit D. VPC Internet gateway
A. VPC endpoint
You need to use the Windows command line to determine if the RDP listener is running. Which command should you use? A. netstat -p tcp -n | find "3389" B. netstat -p tcp -n |find "389" C. netstat -p udp -n | find "3389" D. netstat -p icmp -n | find "3389"
A. netstat -p tcp -n | find "3389" Correct Answer: netstat -p tcp -n | find "3389". Remote Desktop Protocol (RDP) uses TCP port 3389. Incorrect Answers: RDP does not use port 389, nor does it use UDP or ICMP.
You are configuring a public WiFi hotspot. Before providing Internet access to guests, you would like to first read and agree to a terms of use document. Which solution best addresses the scenario? A. Load balance B. Captive portal C. VLAN D. Reverse proxy
B. Captive portal
To which OSI layer do packet filtering firewalls apply? A. 2 B. 3 C. 4 D. 7
B. 3 Correct Answer: Layer 3. Packet filtering firewalls can examine only packet headers. Layer 3 protocol data units (PDUs) are packets. Incorrect Answers: The listed layers do not correctly represent where packet filtering firewalls fit into the OSI model.
What approximate range do Bluetooth Class 2 devices have? A. 10 feet B. 30 feet C. 60 feet D. 150 feet
B. 30 feet Correct Answer: Bluetooth Class 2 devices have a range of approximately 30 feet. Incorrect Answers: The listed ranges are not valid.
A user gains access to a secured Web application using a digitally signed security token in the form of a Web browser cookie. To which security term does this best apply? A. Accounting B. Authorization C. Availability D. Authentication
B. Authorization Correct Answer: Authorization (gaining access to a resource) occurs only after successful authentication. Incorrect Answers: Accounting, also referred to as auditing, is used to track activity in an IT environment. Availability ensures that data or IT systems are available when needed. Authentication proves the identity of a user, device, or software component in an IT environment.
Which type of password attack tries every possible combination of letters, numbers and symbols? A. Dictionary B. Brute-force C. Spraying D. Offline
B. Brute-force Correct Answer: Brute-force attacks use automation tools to try every possible combination of letters, numbers and symbols to crack passwords. Incorrect Answers: Dictionary attacks use dictionary word or phrase files to try them in combination with a username to crack user passwords. Password spraying blasts many accounts with a best-guess common password before trying a new password; this is slower (per-user account basis) than traditional attacks and is less likely to trigger account lockout thresholds. Offline password attacks use an offline copy of passwords for cracking passwords.
Which term describes the result of plaintext that has been fed into an encryption algorithm along with an encryption key? A. Hash B. Ciphertext C. Message digest D. Digital signature
B. Ciphertext Correct Answer: Ciphertext results from feeding plaintext and an encryption key into an encryption algorithm. Incorrect Answers: A hash is a unique representation of data that was fed into a one-way hashing algorithm; no key is used. "Message digest" is synonymous with hash. A digital signature is created with a sender's private key and verified by the recipient with the related public key; it assures the recipient of message authenticity and that the message has not been tampered with.
Which cloud configuration enforces security policies when accessing cloud resources? A. CSP B. CASB C. SLA D. IaaS
B. Cloud Access Security Broker (CASB) Correct Answer: A Cloud Access Security Broker (CASB) sits between users and cloud services to enforce organizational security policies. Incorrect Answers: Cloud Service Providers (CSPs) host cloud services. Service Level Agreements (SLAs) guarantee cloud service uptime. Infrastructure as a Service (IaaS) includes storage, network and virtual machines. IaaS virtual machine software patching is the responsibility of the cloud tenant.
An intrusion detection alarm notifies you of suspicious activity on a specific user workstation. You immediately disable the network switch port where the workstation is connected. Which term most accurately describes the action taken? A. Recovery B. Containment C. Prevention D. Detection
B. Containment
You need to ensure that DNS client query responses are authentic and have not been tampered with. What should you configure? A. IPsec B. DNSSEC C. PKI D. HTTPS
B. DNS Security (DNSSEC) Correct Answer: DNS Security (DNSSEC) digitally signs DNS zone records. Clients validate the signature to ensure DNS responses are authentic. Incorrect Answers: IP security (IPsec) is a suite of network security protocols that can be used to encrypt and authenticate network messages. Public Key Infrastructure (PKI) is a hierarchy of digital security certificates. Hyper Text Transfer Protocol Secure (HTTPS) encrypts HTTP network transmissions between clients and servers.
Which server room consideration focuses on pulling warm equipment exhaust air away from equipment? A. Cold aisles B. Hot aisles C. Air conditioning D. Blanking panels
B. Hot aisles Correct Answer: Hot aisles are designed to pull warm exhaust air away from equipment. Incorrect Answers: The listed items are not focused on removing warm exhaust air from server rooms.
You are building a Web application that will allow users to sign in with their Google account. Which term best describes this scenario? A. Multifactor authentication B. Identity federation C. SAML D. LDAP
B. Identity federation Correct Answer: Identity federation uses a central trusted Identity Provider (IdP) to allow access to resources such as Web sites. Incorrect Answers: Multifactor authentication (MFA) combines authentication categories such as a username (something you know) with a private key (something you have). Security Assertion Markup Language (SAML) is an authentication scheme whereby an identity provider issues digitally signed security tokens which are then used to gain resource access. The Lightweight Directory Access Protocol (LDAP) is a protocol used to access a central network directory.
Where do XSS attacks execute? A. On the Web server B. In the client Web browser C. In the client operating system D. On the Web server operating system
B. In the client Web browser Correct Answer: In the client Web browser. A Cross-site Scripting (XSS) attack occurs when a victim views a Web page where a malicious user has injected malicious code, normally written in JavaScript, that executes in the victim Web browser. Incorrect Answers: The listed locations do not correctly identify where XSS attacks execute.
With which cloud service model is the cloud tenant responsible for patching virtual machines? A. SaaS B. IaaS C. SECaaS D. PaaS
B. Infrastructure as a Service (IaaS) Correct Answer: Infrastructure as a Service (IaaS) includes storage, network and virtual machines. IaaS virtual machine software patching is the responsibility of the cloud tenant. Incorrect Answers: Software as a Service (SaaS) refers to end-user productivity software running in the cloud, Security as a Service (SECaaS) refers to cloud security services, and Platform as a Service (PaaS) refers to database and software development platforms; none of these places the responsibility of virtual machine patching on the cloud tenant.
Your company is hiring new employees that may come into contact with sensitive data during the course of their jobs. Which type of document is normally signed by employees during the user on-boarding process to ensure that they will not disclose sensitive data? A. ISA B. NDA C. MOU D. MOA
B. Non-disclosure Agreement (NDA) Correct Answer: A Non-disclosure Agreement (NDA) is used to ensure that any sensitive data will not be disclosed to unauthorized parties. Incorrect Answers: An Interconnection Security Agreement (ISA) defines how to secure communications when linking organizations, sites, or government agencies together. A Memorandum of Understanding (MOU) defines general terms of agreement between two parties, where a Memorandum of Agreement (MOA) defines granular contractual details between two parties.
Which type of risk assessment is based on subjective opinions regarding threat likelihood and threat impact severity? A. Risk heat map B. Qualitative C. Risk register D. Quantitative
B. Qualitative Correct Answer: A qualitative risk assessment organizes risks by a severity or threat rating which may differ from one organization to another. Incorrect Answers: A risk heat map plots risks on a grid using colors to represent severities; red is high, green low. A risk register is a centralized list of risks that includes details such as a risk priority value, risk severity rating, mitigating controls, responsible person, etc. Quantitative risk assessments use numbers to calculate the impact realized threats can have on assets.
You are configuring the disks in a server so that in the event of a single disk loss, a second disk will already have all of the data. Which RAID level should you configure? A. RAID 0 B. RAID 1 C. RAID 5 D. RAID 6
B. RAID 1 Correct Answer: RAID level 1 (disk mirroring) writes each file to all disks in the mirrored array. Incorrect Answers: RAID 0 (disk striping) writes data across an array of disks to improve performance. RAID 5 (disk striping with distributed parity) writes data across an array of disks but also writes parity (error recovery information) across the disks in the array, providing better performance and resiliency against a single failed disk. RAID 6 uses at least 4 disks for striping and stores 2 parity stripes on each disk in the array; this allows for a tolerance of 2 disk failures.
What type of authentication server is used with IEEE 802.1x network access control? A. LDAP B. RADIUS C. Identity federation D. Active Directory
B. Remote Authentication Dial-In User Service (RADIUS) Correct Answer: Remote Authentication Dial-In User Service (RADIUS) servers are centralized authentication servers that receive authentication requests from RADIUS clients such as network switches and Wi-Fi routers. Incorrect Answers: The Lightweight Directory Access Protocol (LDAP) is a protocol used to access a central network directory. Identity federation uses a central trusted Identity Provider (IdP) to allow access to resources such as Web sites. Active Directory is a Microsoft Windows Server role that uses a replicated database containing user, computer and application configuration.
After analysing the risk associated with working with an external organization to fulfil a government contract, you decide to enter into a contractual agreement after applying security settings to the external organization. What type of risk treatment is this? A. Risk acceptance B. Risk mitigation C. Risk transfer D. Risk avoidance
B. Risk mitigation Correct Answer: Mitigating risk means putting security controls in place to eliminate or reduce the impact of realized threats. Incorrect Answers: Risk acceptance occurs when the potential benefit of engaging in an activity outweighs the risks and no changes are made to mitigate risk. Risk transfer shifts some or all risk responsibility to a third party, as is the case with cybersecurity attack insurance. With risk avoidance, the risk is not undertaken due to potential benefits not outweighing the risks.
You are planning the configuration of HTTPS for a Web site. Which items should be acquired/configured? A. Client PKI certificates B. Server PKI certificate C. Enable security protocols that precede SSL v3.0 D. Enable security protocols that precede TLS v1.0
B. Server PKI certificate Correct Answer: Server PKI certificate. HTTPS Web sites require a server PKI certificate to secure communications and normally use TCP port 443. Incorrect Answers: Client PKI certificates are not required to enable an HTTPS Web application. TLS v1.2 should be configured on clients and servers as the network security protocol used for HTTPS; SSL v3.0 and TLS v1.0 are deprecated and should not be used.
Which type of phishing attack occurs over SMS text messaging? A. Vishing B. Smishing C. Spear-phishing D. Whaling
B. Smishing Correct Answer: Smishing occurs when social engineering phishing attacks take place over SMS text. Incorrect Answers: Vishing occurs when social engineering attacks take place using phone calls. Spear phishing is a form of phishing that is targeted to a subset of potential victims. Whaling relates to targeted phishing scams, such as to a company CEO.
Which type of hypervisor runs within an existing operating system? A. Type 1 B. Type 2 C. Type A D. Type B
B. Type 2 Correct Answer: Type 2 hypervisors run as an app within an existing operating system. Incorrect Answers: Type 1 hypervisors are a specialized operating system designed to host multiple virtual machine guests. Type A and B are not valid hypervisor types.
Which Wi-Fi standard pairs devices together using a PIN? A. WPA B. WPS C. WEP D. TKIP
B. Wi-Fi Protected Setup (WPS) Correct Answer: Wi-Fi Protected Setup (WPS) pairs Wi-Fi devices using a PIN. Incorrect Answers: The listed Wi-Fi standards do not pair Wi-Fi devices using a PIN.
You need to test DNS name resolution on a Windows client device. Which command should you use? A. dig B. nslookup C. tracert D. icacls
B. nslookup Correct Answer: The name server lookup (nslookup) command is used to test and troubleshoot DNS name resolution. Incorrect Answers: While the dig command can also be used to test and troubleshoot DNS name resolution, this command is not native to Windows as it is with Linux. The tracert command shows the hops (routers) that traffic traverses to reach an ultimate network target. The icacls command is used to set Windows NTFS file system permissions.
What is the proposed maximum speed of a 5G network? A. 1 Gbps B. 3 Gbps C. 10 Gbps D. 50 Gbps
C. 10 Gbps Correct Answer: The maximum proposed speed for 5G is 10 Gbps. Incorrect Answers: The listed transmission rates are incorrect.
TCP port numbers apply to which layer of the OSI model? A. 2 B. 3 C. 4 D. 7
C. 4 Correct Answer: Port numbers apply to the OSI model transport layer (layer 4). Incorrect Answers: The listed OSI layers are not related to port numbers.
What is the approximate signal range for 4G cell towers? A. 1 mile B. 3 miles C. 6 miles D. 20 miles
C. 6 miles Correct Answer: 4G cell towers have an approximate range of 6 miles. Incorrect Answers: The listed distances are incorrect.
You are configuring automatic malware scanner updates for network hosts. Which attacks will not be mitigated by malware scanning? A. Software key logger B. Ransomware C. ARP cache poisoning D. Hardware key logger
C. ARP cache poisoning and D. Hardware key logger
Your company has numerous public-facing Web sites that use the same DNS domain suffix. You need to use PKI to secure each Web site. Which solution involves the least amount of administrative effort? A. Generate self-signed certificates for each Web site B. Acquire public certificates for each Web site C. Acquire a wildcard certificate D. Acquire an extended validation certificate
C. Acquire a wildcard certificate Correct Answer: Wildcard certificates allow a single certificate tied to a DNS domain to be used by hosts within subdomains. Incorrect Answers: Using self-signed or public certificates for each Web site requires more effort than using a wildcard certificate. Extended validation certificates require the certificate issuer to perform extra due diligence in ensuring that the certificate request is legitimate.
Your company runs sensitive medical research equipment and servers on a network named RNET-A. You need to ensure external network access to RNET-A is not possible. Which technique should you use? A. VLANs B. Layer 4 firewall C. Air-gapping D. Reverse proxy
C. Air-gapping Correct Answer: Air-gapping ensures that there is not a physical wired or wireless connection to a sensitive network. Incorrect Answers: The listed items can be used for optimizing network throughput (VLAN) and limiting network access (Layer 4 firewall, reverse proxy), but these options do not ensure external network access to RNET-A is impossible.
Which type of security problem stems from improper memory handling? A. Race condition B. Driver shimming C. Buffer overflow D. Driver refactoring
C. Buffer overflow Correct Answer: Common buffer overflow problems occur when too much data is provided to a memory variable due to a lack of input validation by the programmer. Incorrect Answers: Driver shimming is normally used to allow legacy software to run; it intercepts API calls. A race condition is a multi-threaded code runtime phenomenon whereby one code action may occur before a security control or programmatic result from another thread is in effect. Driver refactoring restructures internal code while maintaining external behaviour.
What type of attack hijacks authenticated sessions between a client and a server? A. Cross-site scripting B. Denial of service C. Cross-site request forgery D. Distributed denial of service
C. Cross-site request forgery (CSRF) Correct Answer: A Cross-site Request Forgery (CSRF) attack occurs when the attacker takes over an existing authenticated user session and issues commands to the server that appear to originate from the authenticated user. Incorrect Answers: An XSS attack is when a victim views a Web page where a malicious user has injected malicious code, normally written in JavaScript, that executes in the victim Web browser. A DoS attack renders a service unreachable by legitimate users, often by flooding the network with useless traffic. A DDoS is similar to a DoS attack but instead uses multiple hosts to attack.
What is the most prevalent risk related to NOT shredding paper documents? A. Impersonation B. Shoulder surfing C. Dumpster diving D. Tailgating
C. Dumpster diving Correct Answer: Dumpster diving involves malicious actors going through garbage seeking documents that could contain some kind of sensitive information. Incorrect Answers: Impersonation is more related to social engineering than it is with not shredding paper documents. Shoulder surfing occurs when malicious actors can watch unsuspecting victims using computing devices to learn of passwords or to see sensitive information on their screens. Tailgating occurs when malicious actors follow legitimate users into a secured facility before a locked door closes.
Which Wi-Fi EAP configuration uses both client and server PKI certificates? A. EAP-FAST B. EAP-TTLS C. EAP-TLS D. Protected EAP
C. EAP-TLS Correct Answer: EAP-TLS can use client and server PKI certificates for mutual authentication. Incorrect Answers: The listed EAP configurations do not require both client and server PKI certificates.
A malicious attacker at a cafe enables her phone as a WiFi hotspot using a name very similar to the cafe hotspot in order to capture customer wireless traffic. What type of wireless attack is this? A. ARP poisoning B. Deauthentication C. Evil twin D. Disassociation
C. Evil twin
Which technique adds location metadata to social media posts and pictures? A. Geofencing B. Global positioning system C. Geotagging D. Triangulation
C. Geotagging Correct Answer: Geotagging uses GPS coordinates or IP address block information to add detailed location information to social media posts and pictures. Incorrect Answers: Geofencing is used to allow app access within a specific location. The Global Positioning System (GPS) uses satellites to pinpoint the location of objects on the Earth's surface. Triangulation is a technique used to determine the distances and relative positions of points spread over a geographical region.
You are developing a Web application that uses cookies. You want to prevent client JavaScript access to cookies. Which HTTP response header attribute flag should you set? A. Samesite B. Secure C. HTTPOnly D. Domain
C. HTTPOnly Correct Answer: The HTTPOnly flag ensures that client JavaScript cannot access the cookie, which can help mitigate cross-site scripting (XSS) attacks. Incorrect Answers: The Samesite attribute helps mitigate cross-site request forgery (CSRF) attacks. The Secure attribute requires HTTPS connectivity. The Domain attribute controls the target host to which the cookie will be sent.
At a press conference, a government official announces a new government policy related to a controversial social issue. Attackers from around the world whose views differ from the government render government websites unreachable due to a DDoS attack. What type of threat actor is characterized in this scenario? A. Script Kiddie B. State-sponsored C. Hacktivist D. Criminal syndicate
C. Hacktivist
Which type of planning is designed to deal with security events as they occur? A. Disaster recovery plan B. Business continuity plan C. Incident response plan D. Backup plan
C. Incident Response Plan (IRP) Correct Answer: An Incident Response Plan (IRP) is a plan created to deal with incidents as they occur such as enabling incident containment and ultimately eradication. Incorrect Answers: A Disaster Recovery Plan (DRP) is specific to a business process, IT system, or data, and it focuses on recovering from a security incident as quickly as possible. A Business Continuity Plan (BCP) is a document specifying general terms organizations will take to ensure continued business operations. A backup plan is not a standard accepted term in this context.
Which type of device records everything a user types? A. Common Access Card B. Ransomware C. Keylogger D. Hardware security module
C. Keylogger Correct Answer: Keyloggers come in the form of hardware and software. User keystrokes are captured and can later be viewed by malicious actors. Incorrect Answers: A Common Access Card (CAC) is a single card used to authenticate to many systems such as buildings, floors in a building, as well as computer systems. Ransomware is malware that encrypts user data files and demands a ransom payment in exchange for a decryption key. A Hardware Security Module (HSM) is a tamper-proof device used for cryptographic operations and the secure storage of cryptographic keys.
What is the general premise of ARP cache poisoning? A. Network devices modify their DNS cache to use the attacker MAC address for the default gateway. B. Network devices modify their ARP cache to use the attacker IP address for the default gateway. C. Network devices modify their ARP cache to use the attacker MAC address for the default gateway. D. Network devices modify their DNS cache to use the attacker IP address for the default gateway.
C. Network devices modify their ARP cache to use the attacker MAC address for the default gateway Correct Answer: Network devices modify their ARP cache to use the attacker MAC address for the default gateway. ARP cache poisoning forces client traffic destined for a router (default gateway) first through an attacker machine. Incorrect Answers: The listed items do not properly describe ARP cache poisoning.
You need a network security solution that can not only detect, but also stop current suspicious activity. What should you implement? A. Layer 4 firewall B. Reverse proxy server C. Network intrusion prevention system D. Network intrusion detection system
C. Network intrusion prevention system Correct Answer: A network intrusion prevention system can not only detect but also be configured to stop suspicious activity. Incorrect Answers: Layer 4 firewalls are packet filtering firewalls which do not detect or prevent suspicious activity. Reverse proxy servers map public IP addresses and ports to internal servers to protect their true identities. Intrusion detection systems only detect and report, log, or notify of suspicious activity.
Which authentication mechanism generates a code for use only once? A. Multifactor authentication B. Single factor authentication C. One-time password D. Digital signature
C. One-time password Correct Answer: One-time passwords (OTPs) enhance user sign-in security since the code is supplied through a separate mechanism than the login mechanism (out of band), and the code can only be used once. Incorrect Answers: Multifactor authentication (MFA) combines authentication categories such as a username (something you know) with a private key (something you have), whereas single-factor authentication uses only one category. Digital signatures are used to prove the authenticity of received network messages.
Which file extension is normally used for Microsoft PowerShell scripts? A. BAT B. PY C. PS1 D. SH
C. PS1 Correct Answer: PS1. Microsoft PowerShell scripts normally use a .PS1 file extension. Incorrect Answers: Batch files use a .BAT extension, Python scripts use a .PY extension and shell scripts often use the .SH file extension.
While reviewing server audit logs, you notice numerous failed login attempts for hundreds of user accounts. Some accounts have multiple failed login attempts separated by more than 10 minutes. What type of attack most likely took place? A. Distributed Denial of Service (DDoS) B. Privilege escalation C. Password spraying D. Dictionary
C. Password spraying
You have determined that your department can withstand the loss of no more than 3 hours of data, so you have adjusted your backups to occur once every three hours. To which term does this scenario best apply? A. SLA B. HSM C. RPO D. RTO
C. Recovery Point Objective (RPO) Correct Answer: The Recovery Point Objective (RPO) specifies, in time, the maximum tolerable amount of data loss due to a negative occurrence. Incorrect Answers: The Service Level Agreement (SLA) is a document detailing guaranteed service uptime. A Hardware Security Module (HSM) is a tamper-resistant device used for cryptographic operations. The Recovery Time Objective (RTO) specifies, in time, the maximum amount of tolerable downtime for a business process or IT system.
Which load balancing algorithm sends each client app request to the next backend virtual machine? A. Weighted B. Active/passive C. Round robin D. Least connections
C. Round robin Correct Answer: Round robin load balancing sends each client app request to the next backend server. Incorrect Answers: Weighted load balancing uses a configured relative weight value for each backend server to determine how much traffic each server gets. Active/passive is a load balancing redundancy configuration where a standby server is not active until the active server fails. Least connections sends client app requests to the backend server that is currently the least busy.
Which type of malicious actor is characterized by lacking sophisticated technical skills and using cracking tools created by others? A. Hacktivist B. State-sponsored C. Script kiddie D. Criminal syndicate
C. Script kiddie Correct Answer: Script kiddies have basic IT knowledge and the ability to read tutorials to learn how to execute attacks. Incorrect Answers: Hacktivists are motivated by a belief or ideology and execute attacks in an attempt to bring about social change. State-sponsored actors are funded by one or more nations, often for the purposes of protecting national interests. Criminal syndicate actors are organized crime groups that use technology to ply their nefarious trade.
Which term describes an end user device attempting to connect to an IEEE 802.1x Wi-Fi network configured with network authentication? A. RADIUS client B. Applicant C. Supplicant D. RADIUS requester
C. Supplicant Correct Answer: RADIUS supplicants (client devices) initiate authentication requests. Incorrect Answers: RADIUS clients are network edge devices such as Wi-Fi routers or network switches that forward RADIUS supplicant authentication requests to a RADIUS server. Applicant is not a valid term in this context. RADIUS requester is not a valid term in this context.
Which type of encryption uses a single key for encryption and decryption? A. Asymmetric B. RSA C. Symmetric D. SHA256
C. Symmetric Correct Answer: Symmetric encryption uses a single "secret" key for encrypting and decrypting. Incorrect Answers: Asymmetric keys (public and private keys) are used for security in the form of encryption, digital signatures and so on; the recipient public key is used to encrypt and the related private key is used to decrypt. RSA is a public and private key pair cryptosystem. SHA256 is a hashing algorithm.
You are decrypting a message sent over the network. Which key will be used for decryption? A. Your public key B. Sender public key C. Your private key D. Sender private key
C. Your private key Correct Answer: Your private key. Recipient private keys decrypt network messages (the recipient's related public key encrypts network messages). Incorrect Answers: The listed keys are not used for decryption.
Which smart home wireless networking protocol does not use TCP/IP? A. ICS B. PLC C. Zigbee D. IoT
C. Zigbee Correct Answer: Zigbee is designed to make connecting smart home devices together simple and convenient, and it does not use TCP/IP. Incorrect Answers: An Industrial Control System (ICS) refers to a collection of computerized solutions used for industrial process control. Programmable Logic Controllers (PLCs) are used extensively in manufacturing and various industries such as oil refining, electricity and water treatment. Internet of Things (IoT) refers to devices that connect to and send and receive data over the Internet.
You are setting file system permissions for a Linux script named "script1.sh." You need to ensure that anybody can execute the script. Which command should you use? A. chmod 777 script1.sh B. chmod 074 script1.sh C. chmod o+rx script1.sh D. chmod u+rw script1.sh
C. chmod o+rx script1.sh Correct Answer: chmod o+rx script1.sh. The change mode (chmod) command sets file system permissions. Use the 'o' mnemonic to set 'other' permissions, in this case, read and execute. Incorrect Answers: The other listed commands do not set read and execute permissions for 'other'.
You need to start a Docker container named "cust-dev-lamp1." The container image has a small HTTP Web server stack configured for TCP port 443, but you want connectivity to occur using TCP port 4443. Which Docker command should you use? A. sudo docker init -d -p 4443:443 cust-dev-lamp1 B. sudo docker run -d -p 443:4443 cust-dev-lamp1 C. sudo docker run -d -p 4443:443 cust-dev-lamp1 D. sudo docker init -d -p 443:4443 cust-dev-lamp1
C. sudo docker run -d -p 4443:443 cust-dev-lamp1 Correct Answer: sudo docker run -d -p 4443:443 cust-dev-lamp1. The first port number is the local Docker host port number, the second port number after the colon is the configured listening port number within the application container. Incorrect Answers: The listed syntax options are incorrect.
You are performing a Wi-Fi site survey due to complaints about slow wireless network connectivity. Which reading indicates a strong signal that will provide the best wireless network speeds? A. -120 dBm B. -80 dBm C. -50 dBm D. -30 dBm
D. -30 dBm Correct Answer: A -30 dBm wireless signal strength is considered excellent. Incorrect Answers: The listed wireless signal strengths are sub-standard.
Why is it important to install blanking panels on equipment rack spaces that do not contain equipment? A. Rack security is enhanced B. Inventory gathering is made easier C. Visual equipment inspection is made easier D. Air flow is improved
D. Air flow is improved Correct Answer: Air flow is improved by installing blanking panels in racks where there is no equipment. Incorrect Answers: The listed items are not valid reasons for installing blanking panels.
When gathering digital evidence, what is the correct order of volatility that dictates the order in which evidence should be acquired? A. Hard disk, USB thumb drive, RAM, CPU registers B. Hard disk, USB thumb drive, RAM, temporary files C. CPU registers, hard disk, RAM, temporary files D. CPU registers, RAM, temporary files, hard disk
D. CPU registers, RAM, temporary files, hard disk Correct Answer: CPU registers, RAM, temporary files, hard disk. The most volatile, or fragile types of evidence should be gathered first, such as CPU registers followed by RAM contents since they depend on power. Temporary files might persist without power, and files on hard disks are non-volatile; they persist even when the machine is not turned on.
When connecting to a public Wi-Fi hotspot you are presented with a Web page where you must agree to the terms of use before gaining Internet access. What is this? A. Reverse proxy server B. Port address translation C. RADIUS authentication D. Captive portal
D. Captive portal Correct Answer: Captive portals present a Web page when users connect to a Wi-Fi network; sometimes a user account is required (often users must agree to the terms of use before connecting to the Internet). Incorrect Answers: The listed security configurations would not result in a Web page being presented when connecting to a public Wi-Fi hotspot.
While comparing previous and current network traffic patterns, you notice numerous new DNS client queries for TXT records. What might this indicate? A. Client devices are performing normal forward lookup DNS queries for Web sites B. Client devices are performing normal reverse lookup DNS queries for IP addresses C. Client devices are infected and are attempting to remove the infection D. Client devices are infected and are attempting to discover a command and control server
D. Client devices are infected and are attempting to discover a command and control server Correct Answer: Client devices are infected and are attempting to discover a command and control server. Client devices normally query IPv4 A records or IPv6 AAAA records to resolve FQDNs to IP addresses. Clients querying DNS TXT records is abnormal. Incorrect Answers: The listed reasons are invalid in this scenario.
Which term is the most closely related to social engineering? A. Firewall B. Ransomware C. Password D. Deception
D. Deception Correct Answer: Deception. Attackers use social engineering to trick (deceive) unsuspecting victims into somehow divulging sensitive information over the phone, via SMS text messages, through email with infected links or attachments, and so on. Incorrect Answers: While the listed terms can be related to social engineering in some cases, they are not as closely associated with it as the word "deception".
Which Wi-Fi term is synonymous with the WLAN name? A. BSSID B. WPA C. TKIP D. ESSID
D. Extended Service Set Identifier (ESSID) Correct Answer: The Extended Service Set Identifier (ESSID) is synonymous with the wireless network name. Incorrect Answers: The Basic Service Set Identifier (BSSID) represents the Wi-Fi access point MAC address. Wi-Fi Protected Access (WPA) is a deprecated Wi-Fi network security protocol. Temporal Key Integrity Protocol (TKIP) was introduced with WPA to address WEP security issues related to unchanging keys.
You need to force user authentication and time-based restrictions for internal client devices connecting out to the Internet. You also need to ensure client device IP addresses are not exposed to the Internet. What should you implement? A. Reverse proxy server B. Port address translation C. Network address translation D. Forward proxy server
D. Forward proxy server Correct Answer: Forward proxy servers fetch content on behalf of internal client devices, and they can require authentication and enforce time of day restrictions. Incorrect Answers: Reverse proxy servers map public IP addresses and port numbers to internal servers. Port Address Translation (PAT) allows many internal clients to get to the Internet using a single public IP address. Network Address Translation (NAT) is similar to a reverse proxy server except it cannot force user authentication or time of day restrictions; it applies to OSI layer 4 (Transport), not layer 7 (Application).
Which language is commonly used by attackers for XSS attacks? A. PowerShell B. Python C. Perl D. JavaScript
D. JavaScript Correct Answer: JavaScript. A Cross-site Scripting (XSS) attack occurs when a victim views a Web page where a malicious user has injected malicious code, normally written in JavaScript, that executes in the victim Web browser. Incorrect Answers: The listed languages are not commonly used for XSS attacks.
You are ordering laptops for sales executives that travel for work. The laptops will run the Windows 10 Enterprise operating system. You need to ensure that protection of data at rest is enabled for internal laptop disks. The encryption must be tied to the specific laptop. What should you do? A. Order laptops with HSM chips and configure BitLocker disk encryption B. Order laptops with HSM chips and configure EFS encryption C. Order laptops with TPM chips and configure EFS encryption D. Order laptops with TPM chips and configure BitLocker disk encryption
D. Order laptops with TPM chips and configure BitLocker disk encryption Correct Answer: Order laptops with TPM chips and configure BitLocker disk encryption. A Trusted Platform Module (TPM) chip in a computer is used to secure the integrity of the machine boot process and to store disk volume encryption keys. Incorrect Answers: A Hardware Security Module (HSM) is not a chip installed within a computer; it is a tamper-resistant device used for cryptographic operations and the storage of encryption keys. Encrypting File System (EFS) file encryption is tied to the user account, not tied to the machine.
Which type of cloud is owned and used by a single organization? A. Public B. Hybrid C. Community D. Private
D. Private Correct Answer: Private clouds are owned and used by a single organization. Incorrect Answers: Public clouds are accessible by anybody over the Internet. Hybrid clouds combine Public and Private clouds. Community clouds serve the specific cloud computing needs of a group of tenants, such as for government cloud usage.
Which technique is used to enhance the security of password hashes? A. Password length B. Key pinning C. Multifactor authentication D. Salting
D. Salting Correct Answer: Salting adds random data to passwords before they are hashed thus making them much more difficult to crack. Incorrect Answers: The listed items do not enhance the security of password hashes. The password length does not affect the password hash; the hash is always a fixed length. Key pinning is an older technique that associates a certificate stored on a client device with a Web site. Multifactor authentication (MFA) uses multiple factors for authentication, such as a username (something you know) and a private key (something you have).
After several data breaches involving stolen laptops and stolen removable media you are asked to implement a solution to mitigate the issue. The solution must protect data at rest with a minimum of user inconvenience. What solution best addresses the scenario? A. Encrypting File System (EFS) B. Hardware Security Module (HSM) C. Trusted Platform Module (TPM) D. Self-encrypting drive (SED)
D. Self-encrypting drive (SED)
Which term describes installing a smart phone app directly, without going through an app store? A. Geotagging B. Geofencing C. Registering D. Sideloading
D. Sideloading Correct Answer: Sideloading refers to installing mobile device apps directly from installation files, without using an app store. Incorrect Answers: Geotagging adds geographic metadata (such as GPS coordinates) to files, such as photos taken with a smart phone. Geofencing uses geographical location to control app access. Registering refers to linking a mobile device to a centralized Mobile Device Management (MDM) system.
Which term refers to hiding files within other files? A. Digital signature B. Hashing C. Encrypting D. Steganography
D. Steganography Correct Answer: Steganography is a technique used to hide files within other files; it is a form of obfuscation. Incorrect Answers: Digital signatures are created with the sender's private key and are used by the message recipient to ensure the message is authentic and has not been tampered with. Hashing feeds data into a one-way algorithm which results in a fixed-length unique value called a "hash". Encryption is used to scramble data; the correct decryption key is needed to reverse the process, thus revealing the original data.
Which mitigation can prevent network switching loops? A. Disable link auto negotiation B. MAC filtering C. Intrusion detection sensor D. Spanning Tree Protocol
D. The Spanning Tree Protocol (STP) Correct Answer: The Spanning Tree Protocol (STP) is a network switch configuration option that can prevent network switching loops. Incorrect Answers: The listed mitigations are not designed to prevent network switching loops.
You have created a Python script named "remove_temp.py." When you attempt to run the script at the Linux command line, it does not execute at all. What is the most probable reason? A. You must be logged in as root to execute Python scripts. B. The chgrp command was not used to set the script owning group. C. The script does not include the #!/user/bin/bash python directive. D. The script does not include the #!/usr/bin/env python directive.
D. The script does not include the #!/usr/bin/env python directive. Correct Answer: To run a Python script, either specify the script name after the python command, or specify python as the script engine using the #!/usr/bin/env python directive. Incorrect Answers: The listed items are less probable reasons for the Python script failing, and the script should not refer to /usr/bin/bash; instead it should refer to the Python binary.
You need to subscribe to a threat intelligence feed using your Unified Threat Management (UTM) solution. Which standard protocol is used by UTM tools to exchange threat intelligence information? A. STIX B. HSM C. PKI D. TAXII
D. Trusted Automated Exchange of Intelligence (TAXII) Correct Answer: Trusted Automated Exchange of Intelligence (TAXII) is a standard that defines how threat intelligence information is relayed from sources to subscribers. Incorrect Answers: Structured Threat Information Expression (STIX) defines a standard format used to express threat intelligence data. A Hardware Security Module (HSM) is a cryptographic tamper-proof appliance used to carry out cryptographic operations, as well as to securely store encryption keys. A Public Key Infrastructure (PKI) is a hierarchy of digital security certificates.
Your hotel provides free Wi-Fi to guests. The Wi-Fi network is secured. You would like to provide a simple convenient way for guests to immediately connect to the Wi-Fi network using their smartphones. What should you do? A. Send automated emails to registered guests with Wi-Fi connection information. B. Provide guests with a printout of Wi-Fi connection information. C. Use RFID tags that contain Wi-Fi connection information. D. Use NFC tags that contain Wi-Fi connection information.
D. Use NFC tags that contain Wi-Fi connection information. Correct Answer: Use NFC tags that contain Wi-Fi connection information. With a smartphone app, you can write data to a physical NFC tag that can be purchased inexpensively. Users with NFC-enabled smartphones can retrieve NFC tag information such as Wi-Fi connection details. Incorrect Answers: The listed options are not as convenient as using NFC tags.
Which of the following Wi-Fi configurations is considered to be the weakest? A. WPA3 B. RADIUS authentication C. Disable DHCP D. WEP
D. Wired Equivalent Privacy (WEP) Correct Answer: Wired Equivalent Privacy (WEP) is a deprecated insecure wireless security protocol and should not be used. Incorrect Answers: Wi-Fi Protected Access 3 (WPA3) is a current wireless network security protocol. Remote Access Dial-in User Service (RADIUS) authentication uses a central authentication server to service authentication requests from RADIUS clients. Disabling DHCP is a hardening technique because it makes it more difficult for attackers to get on an IP network.
Which type of security flaw is not known by the vendor? A. Firmware B. Denial of service C. Application D. Zero-day
D. Zero-day Correct Answer: Zero-days are security flaws not yet known by vendors. Incorrect Answers: The listed flaw types do not reflect security problems unknown to the vendor.
You are logged into a Linux host and need to view its IP address. Which command should you use? A. dig B. nslookup C. ipconfig D. ifconfig
D. ifconfig Correct Answer: The ifconfig command shows Linux network interfaces and IP address information. Incorrect Answers: The dig command in Linux can be used to test and troubleshoot DNS name resolution. The name server lookup (nslookup) command is used to test and troubleshoot DNS name resolution in both Windows and Linux. The ipconfig command is used to view network interface and IP address information in Windows.
Which Linux command can be used to create an SSH public and private key pair? A. md5sum B. sha256sum C. ssh D. ssh-keygen
D. ssh-keygen Correct Answer: The ssh-keygen command creates an SSH public and private key pair. Incorrect Answers: The listed commands do not create key pairs. md5sum and sha256sum are used to generate file hashes. The ssh command allows remote management of any device with an SSH daemon over an encrypted connection.
How is an asset's Single Loss Expectancy (SLE) derived?
Multiply the Asset Value (AV) by the Exposure Factor (EF) Correct Answer: Multiply the Asset Value (AV) by the Exposure Factor (EF). The SLE reflects the cost associated with an asset being unavailable, such as a server going down for a period of time. The Single Loss Expectancy (SLE) is calculated by multiplying the Asset Value (AV) by the Exposure Factor (EF), where the EF is a percentage expressing how much of an asset's value is lost due to a negative event. Incorrect Answers: The listed options do not reflect the values used to calculate the SLE.
How is the Annual Loss Expectancy (ALE) calculated?
Multiply the Single Loss Expectancy (SLE) by the Annual Rate of Occurrence (ARO) Correct Answer: Multiply the Single Loss Expectancy (SLE) by the Annual Rate of Occurrence (ARO). The Annual Loss Expectancy (ALE) represents a cost related to the downtime of an asset over a one-year period. It is calculated by multiplying the Single Loss Expectancy (SLE) by the Annual Rate of Occurrence (ARO). Incorrect Answers: The listed options do not reflect the values used to calculate the ALE.
You have deployed a new on-premises Linux virtual machine. Organizational security policies require SSH public key authentication as opposed to username and password authentication for Linux hosts. What is the correct order of commands to enable SSH public key authentication? Drag the steps on the left and place them in the correct sequence on the right. a) ssh-copy-id -i ~/.ssh/pub.key user@host b) ssh-keygen c) ssh -p 22 user@host d) ssh -i ~/.ssh/priv.key user@host
b) ssh-keygen a) ssh-copy-id -i ~/.ssh/pub.key user@host d) ssh -i ~/.ssh/priv.key user@host