PF 1
LDAP LDAP (Lightweight Directory Access Protocol) is a common standard that works across many different operating systems. Microsoft Active Directory provides authentication using Kerberos, but it can also support LDAP. The incorrect answers: A. Local authentication Local authentication would create a username and password database on each individual switch. This would not provide any integration into the Active Directory database. C. Multi-factor authentication Multi-factor authentication can help secure the authentication process, but it would not provide any integration to Active Directory. D. Captive portal A captive portal is commonly used on web-based systems as an authentication method. Captive portal does not describe a method of integrating with other directory services.
A company has installed a new set of switches in their data center. The security team would like to authenticate to the switch using the same credentials as their existing Windows Active Directory network. However, the switches do not support Kerberos as an authentication method. Which of the following would be the BEST option for the security team's authentication requirement? ❍ A. Local authentication ❍ B. LDAP ❍ C. Multi-factor authentication ❍ D. Captive portal
C. Audit and verify the operational status of all accounts, and E. Validate the processes and procedures for all outgoing employees The disabling of an employee account is commonly part of the offboarding process. One way to validate an offboarding policy is to perform an audit of all accounts and compare active accounts with active employees. The incorrect answers: A. Confirm that no unauthorized accounts have administrator access It's always a good idea to periodically audit administrator accounts, but this audit won't provide any validation that all former employee accounts have been disabled. B. Validate the account lockout policy Account lockouts occur when a number of invalid authentication attempts have been made to a valid account. Disabled accounts would not be locked out because they are not currently valid accounts. D. Create a report that shows all authentications for a 24-hour period A list of all authentications would be quite large, and it would not be obvious to see which authentications were made with valid accounts and which authentications were made with former employee accounts. F. Schedule a required password change for all accounts A password change would not prevent access to an account that has not been properly disabled, and it would not provide the security administrator with any additional information about an account that has not been properly disabled.
A company hires a large number of seasonal employees, and those contracts commonly end after the beginning of the calendar year. All system access should be disabled when an employee leaves the company, and the security administrator would like to verify that their systems cannot be accessed by any of the former employee accounts. Which of the following would be the BEST way to provide this verification? (Select TWO) ❍ A. Confirm that no unauthorized accounts have administrator access ❍ B. Validate the account lockout policy ❍ C. Audit and verify the operational status of all accounts ❍ D. Create a report that shows all authentications for a 24-hour period ❍ E. Validate the processes and procedures for all outgoing employees ❍ F. Schedule a required password change for all accounts
A. AES The Advanced Encryption Standard (AES) cipher is used to encrypt traffic over SRTP (Secure Real-time Protocol) VoIP (Voice over IP) communication. The incorrect answers: B. TLS TLS (Transport Layer Security) is commonly used for HTTPS (Hypertext Transfer Protocol Secure) and FTPS (File Transfer Protocol Secure), but it's not used for SRTP traffic. C. Asymmetric encryption Asymmetric encryption isn't suited for real-time or streaming protocols, so it's not used for SRTP traffic. D. SSH SSH (Secure Shell) is useful for encrypted terminal sessions, but it's not used with SRTP. E. IPS An IPS (Intrusion Prevention System) is used to identify network-based attacks. An IPS is not used for implementing security over VOIP protocols.
A company is updating their VoIP handsets and would like to use SRTP for all phone calls. Which of these technologies would MOST commonly be used to implement this feature? ❍ A. AES ❍ B. TLS ❍ C. Asymmetric encryption ❍ D. SSH ❍ E. IPS
C. 4 Each incremental backup will archive all of the files that have changed since the last full or incremental backup. To complete this full restore, the administrator will need the full backup from Monday and the incremental backups from Tuesday, Wednesday, and Thursday.
A file server has a full backup performed each Monday at 1 AM. Incremental backups are performed at 1 AM on Tuesday, Wednesday, Thursday, and Friday. The system administrator needs to perform a full recovery of the file server on Thursday afternoon. How many backup sets would be required to complete the recovery? ❍ A. 2 ❍ B. 3 ❍ C. 4 ❍ D. 1
A. Partition data and D. Temporary file systems Both temporary file system data and partition data are part of the file storage subsystem. The incorrect answers: B. Kernel statistics Kernel statistics are stored in memory. C. ROM data ROM data is a type of memory storage. E. Process table The process table keeps track of system processes, and it stores this information in RAM.
A security incident has occurred on a file server. Which of the following data sources should be gathered to address file storage volatility? (Select TWO) ❍ A. Partition data ❍ B. Kernel statistics ❍ C. ROM data ❍ D. Temporary file systems ❍ E. Process table
B. Backdoor A backdoor would allow an attacker to access a system at any time without any user intervention. If there are inbound traffic flows that cannot be identified, it may be necessary to isolate that computer and examine it for signs of a compromised system. The incorrect answers: A. ARP poisoning ARP (Address Resolution Protocol) poisoning is a local exploit that is often associated with a man-in-the-middle attack. The attacker must be on the same local IP subnet as the victim, so this is not often associated with an external attack. C. Polymorphic virus Polymorphic viruses will modify themselves each time they are downloaded. Although a virus could potentially install a backdoor, a polymorphic virus would not be able to install itself without user intervention. D. Trojan horse A Trojan horse is malware that is hidden inside of a seemingly harmless application. Once the Trojan horse is executed, the malware will be installed onto the victim's computer. Trojan horse malware could possibly install backdoor malware, but the Trojan horse itself would not be the reason for these traffic patterns.
A security manager has created a report that shows intermittent network communication from external IP addresses to certain workstations on the internal network. These traffic patterns occur at random times during the day. Which of the following would be the MOST likely reason for these traffic patterns? ❍ A. ARP poisoning ❍ B. Backdoor ❍ C. Polymorphic virus ❍ D. Trojan horse
D. RC4 RC4 (Rivest Cipher 4) is the only encryption cipher in the list. All of the other algorithms are used for hashing. The incorrect answers: A. MD5 MD5 (Message Digest 5) is a hashing algorithm and does not provide a method of encrypting and decrypting information. B. HMAC HMAC (Hash-based Message Authentication Code) can check for data integrity and authenticity with a hash, but it does not provide encryption or decryption features. C. SHA-2 SHA-2 (Secure Hash Algorithm 2) is a hashing algorithm. SHA-2 does not provide any encryption or decryption functionality.
A service technician would like to protect some private information sent over email. This information should only be viewable by the recipient. Which of these cryptographic algorithms would be the BEST choice? ❍ A. MD5 ❍ B. HMAC ❍ C. SHA-2 ❍ D. RC4
C. Offboarding The offboarding process is a pre-planned set of tasks that occur when someone leaves an organization. This plan documents the process of turning over company computers, how to maintain the user's data after their departure, and the automatic deactivation of any company accounts. The incorrect answers: A. Least privilege Least privilege sets user rights and permissions to the bare minimum, but it does not provide a method of disabling accounts after a user leaves the organization. B. Auditing In this question, an audit was performed that identified the authorization attempts. However, the security practice that originally prevented the login listed in the audit logs was related to the offboarding process. Auditing documents historical activities and does not generally prevent real-time access. D. Location-based policies The authorization attempts in this question did not specify a particular geographical location. The location of the user was not the reason for preventing the authentication.
A systems engineer in the sales department has left the organization for a position with another company. The engineer's accounts were disabled on his last day with the company, but security logs show that attempts were made to access email accounts after the account was disabled. Which of these security practices protected the organization from any unauthorized access? ❍ A. Least privilege ❍ B. Auditing ❍ C. Offboarding ❍ D. Location-based policies
-Hoax
A virus alert appears in your browser from Microsoft with a phone number to call for support.
C. MFD An all-in-one printer that can print, scan, and fax is often categorized as an MFD (Multifunction Device). The incorrect answers: A. IoT Wearable technology and home automation devices are commonly called IoT (Internet of Things) devices. B. RTOS RTOS (Real-time Operating Systems) are commonly used in manufacturing and automobiles. D. SoC Multiple components that run on a single chip are categorized as an SoC (System on a Chip).
An IPS at your company has found a sharp increase in traffic from all-in-one printers. After researching, your security team has found a vulnerability associated with these devices that allows the device to be remotely controlled by a third-party. Which category would BEST describe these devices? ❍ A. IoT ❍ B. RTOS ❍ C. MFD ❍ D. SoC
integrity measurement
An _________________ is designed to check for the secure baseline of firewall settings, patch levels, operating system versions, and any other security components associated with the application. These secure baselines may vary between different application versions.
D. Someone is performing a traceroute to the DMZ server A traceroute maps each hop by slowly incrementing the TTL (Time to Live) value during each request. When the TTL reaches zero, the receiving router drops the packet and sends an ICMP (Internet Control Message Protocol) TTL Exceeded message back to the original station. The incorrect answers: A. Someone is performing a vulnerability scan against your firewall and DMZ server Vulnerability scans are usually very specific requests, and they won't get to their destination if the TTL is zero. The question did not provide any information that would indicate an active vulnerability scan. B. Your users are performing DNS lookups Properly working DNS (Domain Name System) responses would not have a TTL of zero, and nothing in the question indicated information that would commonly be included in a DNS query. C. A remote user is grabbing banners of your firewall and DMZ server Banners can provide useful reconnaissance information about a service, but the TTL of zero and the lack of connection to a specific service would not indicate a banner grabbing session.
An analyst is examining the traffic logs to a server in the DMZ. The analyst has identified a number of sessions from a single IP address that appear to be received with a TTL equal to zero. One of the sessions has a destination of the Internet firewall, and a session immediately after has a destination of your DMZ server. Which of the following BEST describes this log information? ❍ A. Someone is performing a vulnerability scan against your firewall and DMZ server ❍ B. Your users are performing DNS lookups ❍ C. A remote user is grabbing banners of your firewall and DMZ server ❍ D. Someone is performing a traceroute to the DMZ server
A. Compensating A compensating security control doesn't prevent an attack, but it does restore from an attack using other means. In this example, the UPS does not stop a power outage, but it does provide alternative power if an outage occurs. The incorrect answers: B. Preventive A preventive control physically limits access to a device or area. C. Administrative An administrative control sets a policy that is designed to control how people act. D. Detective A detective control may not prevent access, but it can identify and record any intrusion attempts.
An organization is installing a UPS for their new data center. Which of the following would BEST describe this type of control? ❍ A. Compensating ❍ B. Preventive ❍ C. Administrative ❍ D. Detective
D. Data custodian The data custodian manages access rights and sets security controls to the data. The incorrect answers: A. Data steward The data steward is responsible for data accuracy, privacy, and adding sensitivity labels to the data. B. Data owner The data owner is usually a higher-level executive who makes business decisions regarding the data. C. Privacy officer A privacy officer sets privacy policies and implements privacy processes and procedures.
An organization maintains a large database of customer information for sales tracking and customer support. Which person in the organization would be responsible for managing the access rights to this data? ❍ A. Data steward ❍ B. Data owner ❍ C. Privacy officer ❍ D. Data custodian
-SRTP
Best secure protocol: Talk with customers on scheduled conference calls.
PEAP (Protected Extensible Authentication Protocol)
EAP-MSCHAPv2 (EAP - Microsoft Challenge Handshake Authentication Protocol v2) is a common implementation of ___________.
using multiple authentication types within a TLS tunnel.
EAP-TLS does not provide a mechanism for ______________________________________
the use of any authentication while maintaining confidentiality with TLS.
EAP-TTLS (Extensible Authentication Protocol - Tunneled Transport Layer Security) allows the use of multiple authentication protocols transported inside of an encrypted TLS (Transport Layer Security) tunnel. This allows ____________________________________
D. CPU registers, memory, temporary files, remote monitoring data The most volatile data disappears quickly, so data such as the CPU registers and information in memory will be lost before temporary files and remote monitoring data are no longer available.
Jack is a member of the incident response team at his company. Jack has been asked to respond to a potential security breach of the company's databases, and he needs to gather the most volatile data before powering down the database servers. In which order should Jack collect this information? ❍ A. CPU registers, temporary files, memory, remote monitoring data ❍ B. Memory, CPU registers, remote monitoring data, temporary files ❍ C. Memory, CPU registers, temporary files, remote monitoring data ❍ D. CPU registers, memory, temporary files, remote monitoring data
D. False negative A false negative is a result that fails to detect an issue when one actually exists. The incorrect answers: A. Exploit An exploit is an attack against a vulnerability. Vulnerability scans do not commonly attempt to exploit the vulnerabilities that they identify. B. False positive A false positive is when an issue is identified but it doesn't actually exist. C. Zero-day attack A zero-day attack focuses on previously unknown vulnerabilities. In this example, the vulnerability scan isn't an attack, and the vulnerabilities are already known and patches are available.
Jack, a security engineer, runs a monthly vulnerability scan and creates a report with the results. The latest report doesn't list any vulnerabilities for Windows servers, but a significant vulnerability was announced last week and none of the servers are patched yet. The vulnerability scanner is running the latest set of signatures. Which of the following best describes this result? ❍ A. Exploit ❍ B. False positive ❍ C. Zero-day attack ❍ D. False negative
D. Reimage the computer Completely wiping the drive with a new image is an effective way to completely remove any malware from a computer. Incorrect answers: A. Run a virus scan A virus scan may identify and attempt to remove the malware, but there's no guarantee that the anti-virus software can completely remove all of the malware. To guarantee removal, you must delete everything and reload or reimage from scratch. B. Degauss the hard drive Degaussing the hard drive will remove everything on the drive, but it will also erase any ROM or flash memory components on the drive. If the goal is to completely destroy the drive, then degaussing would be a good choice. C. Format the system partition Malware can embed itself in other parts of the operating system, such as the boot partition or boot record. To completely remove the malware, you must wipe the entire drive and not just a single partition.
One of the computers in the shipping department is showing signs of a malware infection. Which of the following would be the BEST next step to completely remove the malware? ❍ A. Run a virus scan ❍ B. Degauss the hard drive ❍ C. Format the system partition ❍ D. Reimage the computer
-EAP within a TLS tunnel
PEAP (Protected Extensible Authentication Protocol) encapsulates _________________, but does not provide a method of encapsulating other authentication methods
A. One-way trust A one-way trust would allow the manufacturing company to trust the transportation company, but there would not be a trust in the other direction. The incorrect answers: B. Mobile device location services Mobile device location services would use a GPS (Global Positioning System) coordinate to authenticate a user. This example did not require the location of the users as part of the authentication method. C. Smartphone software tokens Software tokens are inexpensive authentication factors, but they would not provide the trust requirement described in this question. D. Two-factor authentication Two-factor authentication may be part of the authentication factor for the transportation network, but it does not provide any additional trust or access to the manufacturing network.
Rodney is a security administrator for a large manufacturing company. His company has just acquired a transportation company, and Rodney has connected the two networks together with an IPsec VPN. Rodney needs to allow access to the manufacturing company network for anyone who authenticates to the transportation company network. Which of these authentication methods BEST meets Rodney's requirements? ❍ A. One-way trust ❍ B. Mobile device location services ❍ C. Smartphone software tokens ❍ D. Two-factor authentication
-SNMPv3
Secure version for SNMP?
D. Different tables are required for different hashing methods, and E. A rainbow table won't be useful if the passwords are salted A rainbow table is built prior to an attack to match a specific password hashing technique. If a different hashing technique is used, a completely different rainbow table must be built. The use of a salt will modify the expected results of a hash. Since a salted hash will not be predictable, the rainbow table can't be built for these hashes. The incorrect answers: A. The rainbow table is built in real-time during the attack One of the benefits of a rainbow table is that the table is built before an attack begins. This provides a significant speed increase at attack time. B. Rainbow tables are the most effective online attack type Rainbow tables are almost exclusively used as an offline attack type. The most common use of a rainbow table is for the attacker to obtain a list of password hashes from a system and then use the rainbow tables while offline. C. Rainbow tables require significant CPU cycles at attack time Rainbow tables are built prior to an attack, so most of the CPU (Central Processing Unit) calculations and time is spent building the tables before an attack begins.
Which of the following is true of a rainbow table? (Select TWO) ❍ A. The rainbow table is built in real-time during the attack ❍ B. Rainbow tables are the most effective online attack type ❍ C. Rainbow tables require significant CPU cycles at attack time ❍ D. Different tables are required for different hashing methods ❍ E. A rainbow table won't be useful if the passwords are salted
C. Penetration test A penetration test is used to determine if a system or application can be exploited. This process actively attempts to break into a system as part of the testing. The incorrect answers: A. Vulnerability scan A vulnerability scan queries a device to determine if a vulnerability may exist. A vulnerability scan does not attempt to exploit a vulnerability. B. Active reconnaissance Active reconnaissance is one technique commonly used when gathering information about services on the network. An active reconnaissance does not attempt to exploit a vulnerability. D. Port scan A port scan is a type of active reconnaissance that's used to determine what services may be active on a particular device. Port scans will not exploit a vulnerability.
Which of the following would attempt to exploit a vulnerability associated with a specific application? ❍ A. Vulnerability scan ❍ B. Active reconnaissance ❍ C. Penetration test ❍ D. Port scan
B. A list of applications in use E. Verification of encrypted data transfers A CASB (Cloud Access Security Broker) can be used to apply security policies to cloud-based implementations. Two common functions of a CASB are visibility into application use and data security policy use. Other common CASB functions are the verification of compliance with formal standards and the monitoring and identification of threats. The incorrect answers: A. List of all internal Windows devices that have not installed the latest security patches A CASB focuses on policies associated with cloud-based services and not internal devices. C. Centralized log storage facility Using Syslog to centralize log storage is most commonly associated with a SIEM (Security Information and Event Manager). D. List of network outages for the previous month A network availability report would be outside the scope of a CASB. F. VPN connectivity for remote users VPN concentrators are commonly used to provide security connectivity for remote users.
Which of the following would be commonly provided by a CASB? (Select TWO) ❍ A. List of all internal Windows devices that have not installed the latest security patches ❍ B. List of applications in use ❍ C. Centralized log storage facility ❍ D. List of network outages for the previous month ❍ E. Verification of encrypted data transfers ❍ F. VPN connectivity for remote users
A. HTTPS and C. FTPS TLS (Transport Layer Security) is a cryptographic protocol used to encrypt network communication. HTTPS is the Hypertext Transfer Protocol over TLS, and FTPS is the File Transfer Protocol over TLS. An earlier version of TLS is SSL (Secure Sockets Layer). Although we don't commonly see SSL in use any longer, you may see TLS communication colloquially referenced as SSL. The incorrect answers: B. SSH SSH (Secure Shell) can use symmetric or asymmetric encryption, but those ciphers are not associated with TLS. D. SNMPv2 SNMPv2 (Simple Network Management Protocol version 2) does not implement TLS, or any encryption, within the network communication. E. DNSSEC DNSSEC (DNS security extensions) do not provide any confidentiality of data. F. SRTP SRTP (Secure Real-time Transport Protocol) is a VoIP (Voice over IP) protocol used for encrypting conversations. SRTP protocol commonly uses AES (Advanced Encryption Standard) for confidentiality.
Which of these protocols use TLS to provide secure communication? (Select TWO) ❍ A. HTTPS ❍ B. SSH ❍ C. FTPS ❍ D. SNMPv2 ❍ E. DNSSEC ❍ F. SRTP
C. Password The authentication portion of the AAA framework is used to prove that you are who you say you are. This would include passwords and other authentication factors. The incorrect answers: A. Username A username is part of the identification phase of the AAA framework. You make a claim during the identification process and then provide authentication with a password or other authentication factor. B. Login time The accounting phase of the AAA framework stores information such as login timestamps, data transferred, and logout timestamps. D. Access to the /home directory The authorization phase of the AAA framework provides appropriate access to resources based on the identification and authorization of a user.
Which of these would be commonly used during the authentication phase of the AAA framework? ❍ A. Username ❍ B. Login time ❍ C. Password ❍ D. Access to the /home directory
B. Prevents replay attacks during authentication A nonce adds additional randomization to a cryptographic function. This means that an authentication hash sent across the network will be different for each authentication request. The incorrect answers: A. Information encrypted with a public key is decrypted with a private key The use of public and private keys in asymmetric cryptography can be used to provide confidentiality. A nonce is not necessary to provide this functionality. C. Information is hidden inside of an image Steganography is the process of concealing information within an image. D. The sender of an email can be verified Digital signatures are commonly used to ensure the integrity of the transmitted data and confirm that the author of the message is genuine (non-repudiation).
Which of these would best describe the use of a nonce? ❍ A. Information encrypted with a public key is decrypted with a private key ❍ B. Prevents replay attacks during authentication ❍ C. Information is hidden inside of an image ❍ D. The sender of an email can be verified
B. Passive reconnaissance Passive reconnaissance focuses on learning as much information from open sources such as social media, corporate websites, and business organizations. The incorrect answers: A. Backdoor testing Some active reconnaissance tests will directly query systems to see if a backdoor has been installed. C. OS fingerprinting To fingerprint an operating system, you must actively query and receive responses across the network. D. Grey box penetration testing A grey box penetration test is a focused approach that usually provides detailed information about specific systems or applications.
You've hired a third-party to gather information about your company's servers and data. The third-party will not have direct access to your internal network but can gather information from any other source. Which of the following would best describe this approach? ❍ A. Backdoor testing ❍ B. Passive reconnaissance ❍ C. OS fingerprinting ❍ D. Grey box penetration testing
C. The version of web server software in use A scanner like Nmap can query services and determine version numbers without any special rights or permissions, which makes it well suited for non-credentialed scans. The incorrect answers: A. A summary of all files with invalid group assignments Viewing file permissions and rights requires authentication to the operating system, so you would not expect to see this information if the scan did not have credentials. B. A list of all unpatched operating system files Viewing detailed information about the operating system files requires authentication to the OS, and an uncredentialed scan does not have those permissions. D. A list of local user accounts Local user accounts are usually protected by the operating system, so you would need to have credentials to view this information.
Your security team has been provided with an uncredentialed vulnerability scan report created by a third-party. Which of the following would you expect to see on this report? ❍ A. A summary of all files with invalid group assignments ❍ B. A list of all unpatched operating system files ❍ C. The version of web server software in use ❍ D. A list of local user accounts