SEC+ 601 Practice Test 2
Emily wants to check on the success of her organization's system hardening process. What information gathering process is frequently used to quickly validate whether unneeded services have been disabled? A. A port scan B. A vulnerability scan C. A registry scan D. An Opal review
A. A port scan A quick port scan is often used to check if unnecessary and unwanted services remain accessible. Although a vulnerability scan can be used, a port scan will be faster. A registry scan might be used, but it wouldn't work for Linux systems or other non-Windows devices. Opal is an encryption package for drives.
Joanna wants to implement an access control schema for her organization and needs to identify staff members based on their job title, their location, and whether they are a member of a specific team. What type of access control mechanism should she choose? A. ABAC B. DAC C. MAC D. RBAC
A. ABAC ABAC, or attribute-based access control, is based on attributes of subjects. In this case, each of the items listed is an attribute that can be used to grant permissions or access. Discretionary access control gives resource owners the rights to decide what others can do with their resources. MAC enforces access control at the system or OS level, requiring the administrator to make those choices. RBAC can be either rule- or role-based access control. Here, there are more than roles involved, and no rules were mentioned.
Charles wants to use a lock to secure a high-security area in his organization. He wants to ensure that losing the code to the lock will not result in the lock being easily defeated by someone with that code. What type of lock should he put in place? A. Biometric B. Electronic C. Physical D. Time-based
A. Biometric A biometric lock will require the registered user to be present to unlock it. Electronic and physical locks that rely on codes or combinations can be defeated by someone who knows the code, and time-based locks merely control when the lock can be opened, and then rely on one of the other three types of locking mechanism once time-based enforcement is accomplished.
Jen is conducting a penetration test for a client. The client did not provide her with any details about their systems in advance of the test and Jen is determining this information using reconnaissance techniques. What type of test is Jen performing? A. Black box B. White box C. Gray box D. Blue box
A. Black box Black-box tests are intended to replicate what an attacker would encounter. Testers are not provided with access to or information about an environment, and instead, they must gather information, discover vulnerabilities, and make their way through an infrastructure or systems like an attacker would. White-box tests are performed with full knowledge of the underlying technology, configurations, and settings that make up the target. Gray-box tests are a blend of black-box and white-box testing. Blue-box tests are not a type of penetration test.
What term best describes data that resides on a hard drive attached to a server? A. Data at rest B. Data in motion C. Data in processing D. Data in use
A. Data at rest Data at rest is stored data that resides on hard drives, on tapes, in the cloud, or on other storage media. Data in processing, or data in use, is data that is actively in use by a computer system. Data being sent over a network is data in motion.
Cynthia has defined a boundary around her organization in the MDM tool she uses, and users are unable to access institutional data when their mobile devices are outside of that boundary. What is this technique called? A. Geofencing B. GeoIP C. Geotagging D. Geolocation
A. Geofencing Geofencing places a boundary around a location using geolocation services. Actions are taken based on where a device is in relation to the geofence. A geoIP system attempts to match IP addresses to a geographic location or region. Geotagging marks a specific spot, and geolocation is the ability to locate a device or system.
Jared wants to use an open source intelligence gathering tool to build a list of information like email addresses, domains, systems, and open ports and banners. Which of the following tools is best suited to the job? A. theHarvester B. THC Hydra C. Fierce D. InSpy
A. theHarvester theHarvester is a security tool that is designed to help collect open source intelligence from search engines, including the SHODAN security search engine. THC Hydra is a parallelized login cracker, Fierce is a high-speed domain DNS scanner, and InSpy is a LinkedIn enumeration tool.
Helen is reviewing network traffic in Wireshark and sees the traffic shown here. What should she identify as a likely network event? A. A system dropping its network connection B. A denial-of-service (DoS) attack C. A brute-force attack D. A dictionary attack
B. A denial-of-service (DoS) attack This traffic pattern is most likely to indicate a DoS attack involving a SYN flood. This is not a distributed DoS attack because there is only one system sending the SYN packets, so Helen might choose to investigate the system or block it.
Nadean is a software developer who is preparing a new application for release. She wishes to use code signing for the application file that will be deployed to a customer. What key should she use to sign the application? A. Her organization's public key B. Her organization's private key C. The customer's public key D. The customer's private key
B. Her organization's private key Digital signatures are always created using the private key of the person or organization creating the digital signature. In this case, Nadean should use her organization's private key to sign the application.
In what cloud security model does the cloud service customer bear the most responsibility for implementing security controls? A. SaaS B. IaaS C. PaaS D. FaaS
B. IaaS The cloud service customer bears the most responsibility for implementing security controls in an IaaS environment and the least responsibility in a SaaS environment. This is due to the division of responsibilities under the cloud computing shared responsibility model.
In a cryptographic system, what component is responsible for providing secrecy? A. Message digest B. Key C. Algorithm design D. Algorithm choice
B. Key In a cryptographic algorithm, only the keys provide secrecy. All other elements of the cryptographic system may be kept open for public inspection. Strong cryptographic algorithms depend only on the secrecy of the key and not the secrecy of their mechanism.
Brian would like to reduce the probability of a data breach that affects sensitive personal information. Which one of the following controls is most likely to achieve that objective? A. Limiting the purposes for which data may be used B. Minimizing the amount of data retained and the number of places where it is stored C. Purchasing cyber risk insurance D. Installing a new firewall
B. Minimizing the amount of data retained and the number of places where it is stored This question forces you to choose from several good options, as do many questions on the exam. We can rule out insurance because it does not alter the probability of a risk occurring. The remaining three options all reduce the likelihood, but the best choice is minimizing the amount of data retained and the number of locations where it is stored, since doing so removes that data from exposure to a potential breach.
Maria wants to use a secure replacement for FTP and wants to use the tool that will require the least additional work to function through her firewall. Which secure replacement should she choose, and for which reason? A. FTPS, because it provides strong encryption B. SFTP, because it uses the same port as SSH C. FTPS, because it uses the same port as SSH D. SFTP, because it provides strong encryption
B. SFTP, because it uses the same port as SSH SFTP implements file transfers via SSH and only requires a single port to be open. FTPS uses a second port for file transfers, just like FTP. SFTP also allows the use of key-based authentication, making transfers even easier for users. Both SFTP and FTPS provide strong encryption, so this is not a deciding factor.
April is working with an independent auditor to produce an audit report that she will share with her customers under NDA to demonstrate that her organization has appropriate security controls in place and that those controls are operating effectively. What type of audit report should April expect? A. SOC 2 Type 1 B. SOC 2 Type 2 C. SOC 3 Type 1 D. SOC 3 Type 2
B. SOC 2 Type 2 The fact that the auditor will be assessing the effectiveness of the controls means that this is a Type 2 report, not a Type 1 report. The fact that it will be shared only under NDA means that it is a SOC 2 assessment.
Elaine has been asked to choose a physical backup medium to send to an offsite storage facility as part of her organization's disaster recovery planning. What is the least expensive commonly used option for reliable mass storage for backups in this scenario? A. Hard drives B. Tapes C. Flash media D. Optical media
B. Tapes The most common answer for large-scale backups that will be kept in a storage location is to use tapes. Tapes are relatively inexpensive, travel safely, and are available in very high capacities. Hard drives are more fragile; flash media often is not available in the capacities needed, and when it is, its cost does not fit the usage model; and optical media does not offer the capacity that tape does in commonly available systems.
Theresa is concerned about application distributed denial-of-service (DDoS) attacks against her web application. Which of the following options is best suited to helping prevent resource exhaustion due to an application DDoS? A. Use SYN flood prevention techniques. B. Use CAPTCHA scripts. C. Disable API keys. D. Disable WAF.
B. Use CAPTCHA scripts. The only viable option is to use CAPTCHA scripts, which will require users to validate that they are human. SYN floods are not application DDoSs but are network layer DDoS attacks. Although using SYN flood prevention is a good idea, this won't address the specific issue that Theresa wants to tackle. Disabling either API keys or a web application firewall (WAF) would reduce the security of her application and potentially expose it to more application DDoS attacks.
The credit card reader that Susan used at the grocery store had a secondary reader and camera that captured her PIN and her card information. What type of attack is this? A. An MiTM attack B. A card shark attack C. A skimming attack D. A cardlock attack
C. A skimming attack Skimming is the process of stealing credit card information by capturing it during a transaction or while the card is out of the owner's hands. Skimmers may be automated, such as the model described in the question, or manual, such as workers capturing credit card information while they are processing the card. A man-in-the-middle (MiTM) attack redirects traffic to allow an attacker to read and/or modify it before sending it on. Card shark and cardlock attacks were made up for this question.
Carla is creating a new mobile application that will communicate with a backend server. What technology can she use to provide the app with a public key that it should expect from the backend server? A. Certificate stapling B. OCSP C. Certificate pinning D. CRL
C. Certificate pinning Certificate pinning provides a cryptographic communicator with the public key that it should expect from a remote server. Certificate stapling, the Online Certificate Status Protocol (OCSP), and certificate revocation lists (CRLs) are all used to manage the status of current and revoked digital certificates.
A coalition of universities banded together and created a cloud computing environment that is open to all member institutions. The services provided are basic IaaS components. What term best describes this cloud model? A. Public cloud B. Private cloud C. Community cloud D. Hybrid cloud
C. Community cloud Community cloud deployments may offer IaaS, PaaS, and/or SaaS solutions. Their defining characteristic is that access is limited to members of a specific community.
Alaina has configured the switches and routers in her organization to use a private VLAN connected to dedicated management ports on her network devices. What type of management model is she using? A. SAN network management B. Serial console management C. Out-of-band management D. In-band management
C. Out-of-band management Connecting to a device via a distinct administrative interface from a protected network is an example of out-of-band management. An in-band management approach would use the same connectivity that the device normally uses to provide its function. A SAN is a storage area network, and serial connections were (and sometimes still are) used for direct console access to devices, but this question does not describe a serial connection.
Which of the following phrases best describes a man-in-the-browser attack? A. A plug-in virus B. A plug-in worm C. A browser rootkit D. A proxy Trojan
D. A proxy Trojan Man-in-the-browser attacks insert malicious software that intercepts traffic from the browser and modifies it for malicious purposes. This is an example of a proxy Trojan. Although this may be implemented as a plug-in, the important element here is that it is a proxy, rather than a rootkit, worm, or virus.
When Erica runs traceroute in her organization, she sees three hops and then gets no response. What common security practice is stopping her from seeing traceroute data? A. Blocking TCP B. Blocking UDP C. Blocking RDP D. Blocking ICMP
D. Blocking ICMP Many organizations have historically chosen to block ICMP to prevent information gathering and ICMP-based attacks such as the classic Ping of Death attack. traceroute relies on ICMP to gather information, and blocked ICMP responses will result in the scenario that Erica has encountered. traceroute does not rely on TCP or UDP, and RDP is a remote desktop protocol.
During a penetration test, Bonnie discovers in a web server log that the testers attempted to access the following URL: http://www.mycompany.com/sortusers.php?file=C:\uploads\attack.exe What type of attack did they most likely attempt? A. Remote file inclusion B. Persistent XSS C. Reflected XSS D. Local file inclusion
D. Local file inclusion This URL contains the address of a local file passed to a web application as an argument. It is most likely a local file inclusion exploit, attempting to execute a malicious file that the testers previously uploaded to the server.
Brian discovers a printed roster of employees that contains the information shown here. What type of data protection has most likely been applied to this report? A. Tokenization B. Hashing C. Encryption D. Masking
D. Masking In this report, the first five digits of the Social Security number have been replaced with X's. This is clearly an example of data masking.
What scripting language is most commonly associated with attacks involving malicious code embedded in Microsoft Office documents? A. PowerShell B. Python C. Bash D. VBA
D. VBA VBA, or Visual Basic for Applications, is most commonly associated with Microsoft Office scripting attacks. PowerShell is more commonly used for command-line scripts and attacks on Windows systems. Python and Bash are commonly used on Linux systems for similar purposes.
Tony finds the digital certificate files shown here in a repository. Which one is most likely to contain a certificate in ASCII format? A. certificate.der B. certificate.p12 C. certificate.pfx D. certificate.pem
D. certificate.pem Certificates in DER, CER, PFX, and P12 files are usually in binary format. Certificates in PEM and P7B files are usually in ASCII format. Certificates in CRT files may be either ASCII or binary.
Tarin ran a port scan on a web server hosting her organization's public website and discovered that it is exposing ports 22, 80, and 443 to the world. Which one of these ports poses the greatest security risk? A. 22 B. 80 C. 443 D. None of these ports pose a significant risk.
A. 22 Port 22 is used by the Secure Shell (SSH) protocol and should generally never be exposed to public access because it enables brute-force SSH attacks. Ports 80 and 443 are commonly exposed on web servers to provide public web access using HTTP and HTTPS, respectively. Although organizations generally now prefer the use of HTTPS, port 80 remains open for the purposes of redirecting connections to port 443.
What security control can be used to clearly communicate to users the level of protection required for different data types? A. Classification policies B. Retention standards C. Lifecycle practices D. Compensating controls
A. Classification policies Classification policies create different categories of data used within an organization and then specify the level of security control required for each classification level. Using classifications helps users understand the type of protection necessary for each data type they encounter.
Abby's organization was recently the victim of an attack in which malicious actors implemented a man-in-the-middle attack that captured credentials and then attempted to use those credentials across many different sites and platforms. What type of attack is this? A. Credential harvesting B. A watering hole attack C. Whaling D. Pretexting
A. Credential harvesting Credential harvesting attacks can use many different techniques to acquire credentials. The important element that makes it credential harvesting is the intent to use those credentials elsewhere, typically by trying them on a variety of sites to see if account owners have reused usernames and passwords, or just passwords. A watering hole attack focuses on redirecting a commonly used website to a malicious site. Whaling is phishing targeting specific important users, and pretexting is a social engineering technique that provides an excuse for why a person is conducting an activity or needs specific access.
Kevin is attempting to determine whether he can destroy a cache of old records that he discovered. What type of policy would most directly answer his question? A. Data retention B. Data ownership C. Data classification D. Data minimization
A. Data retention The most relevant policy here is the organization's data retention policy, which should outline the standards for keeping records before destruction or disposal.
Jill is reviewing the security controls that her organization uses to protect a sensitive network segment. She determines that the network is lacking adequate IDS capability. What type of control deficiency has Jill identified? A. Detective B. Corrective C. Preventive D. Deterrent
A. Detective An intrusion detection system (IDS) identifies potential intrusions that may be taking place on a network and is, therefore, an example of a detective control. An intrusion prevention system (IPS), on the other hand, might actually block the attack and would be an example of a preventive control.
Ursula wants to allow users to connect to her small organization's wireless network who do not have organizational credentials, but she wants to allow them to use encryption while on the network. Which of the following options is best suited to her needs? A. PSK B. Enterprise authentication C. An open network D. Captive portal authentication
A. PSK Ursula can use a preshared key, or PSK. Many small organizations simply put up a sign with the key, allowing encryption without requiring authentication via WPA Enterprise. Captive portals are used when some minimal amount of information needs to be captured before connection but are otherwise an open network in most cases.
Which one of the following penetration testing techniques does not involve expanding the scope of a compromise to additional systems? A. Privilege escalation B. Pivoting C. Maneuver D. Lateral movement
A. Privilege escalation Pivoting, maneuver, and lateral movement are all similar terms that involve moving from one compromised system to compromise other systems on the same network. Privilege escalation is a technique used to expand the access an attacker has to an already compromised system.
Eve is investigating a security incident where the user of a web application submitted an internal URL to the application and tricked the web server into retrieving sensitive data from that URL and displaying it as output. What term best describes this attack? A. SSRF B. CSRF C. XSS D. Command injection
A. SSRF Server-side request forgery (SSRF) attacks trick a server into visiting a URL based on user-supplied input. SSRF attacks are possible when a web application accepts URLs from a user as input and then retrieves information from that URL. If the server has access to nonpublic URLs, an SSRF attack can unintentionally disclose that information to an attacker.
Which one of the following terms best describes the ability of a system to incorporate added capacity as demand increases? A. Scalability B. Version control C. Provisioning D. Deprovisioning
A. Scalability Scalability says that applications should be designed so that computing resources they require may be incrementally added to support increasing demand.
Angela wants to implement an SSL/TLS inspection capability. What will occur when she enables it? A. TLS traffic will be intercepted, decrypted, inspected, then reencrypted and sent on to its destination. B. TLS traffic will be checked for insecure encryption options. C. TLS traffic will be hashed and validated against the original traffic that was sent. D. Intact TLS traffic will be inspected for malicious traffic.
A. TLS traffic will be intercepted, decrypted, inspected, then reencrypted and sent on to its destination. SSL and TLS inspection systems rely on the ability to intercept and decrypt encrypted communications. This can cause concern among users who know that otherwise secure communications can be accessed, and it may lead to some security warnings, depending on the implementation. It is not a protocol analysis tool, nor does it hash and validate traffic or inspect intact TLS traffic.
Tom wants to duplicate all traffic passing through a network connection but does not want to add any additional load to the switch that it is passing through. What component should he add to accomplish this? A. Use a tap. B. Enable port spanning. C. Enable port mirroring. D. Use a tap while enabling port spanning.
A. Use a tap. A tap is a device that independently sends a copy of network traffic to another path or location. Both active and passive taps exist, and they offer the advantage of not requiring the switch or router to process the traffic. Span ports can result in problems ranging from dropped packets to changing how frames interact due to load on the device and timing, depending on the scope of the span.
Which one of the following techniques would allow an attacker to gain access to a target's network with the lowest investment and lowest probability of detection? A. War driving B. Direct physical access C. War flying D. Social engineering
A. War driving War driving takes place using a vehicle on streets and parking facilities adjacent to the target's facilities and is likely to avoid detection. War flying uses drones or UAVs for the same purpose and requires a significant investment in technology. Direct physical access and social engineering may be successful but have a higher likelihood of detection.
Which one of the following threat vectors can an attacker exploit with the least dependence on intentional or inadvertent cooperation by another person? A. Wireless B. Removable media C. Email D. Supply chain
A. Wireless Wireless network attacks can take place remotely, as long as the attacker is within radio range of the organization's facilities. No cooperation from other individuals is necessary. Email and removable media attacks require a victim who must act upon an email message or use infected removable media. Supply chain attacks are complex and typically require the cooperation of a vendor, delivery contractor, or other insider.
Kirk wants to learn more about attacker techniques, and to do so he sets up a system that appears to be vulnerable to attacks he is curious about. He carefully instruments the system and captures all attacker data and actions. What type of system has Kirk set up? A. A beartrap B. A honeypot C. A darknet D. A tarpit
B. A honeypot Kirk has set up a honeypot, an intentionally vulnerable and instrumented system designed to allow defenders to analyze attacker tools and techniques. A darknet is unused network space that is instrumented to allow the observation of network probes and attacks, particularly those that target network space by iterating through IP address ranges. Tarpits are systems that are designed to slow attackers down, such as those that respond to vulnerability scans very slowly with a service on every port. A beartrap is not a security term.
Which one of the following is the best example of a fog computing environment? A. A camera that performs motion detection on board and only sends motion footage back to the cloud B. A network of oil field sensors that send data to a local IoT gateway for preprocessing C. A satellite that streams live weather data back to a cloud datacenter for processing D. A vehicle that contains onboard computers that interact with the GPS system for navigation
B. A network of oil field sensors that send data to a local IoT gateway for preprocessing The oil field sensor example is the best example of fog computing because the remote sensors are sending data to a local gateway for preprocessing. The camera that performs preprocessing itself is a better example of edge computing. The satellite is a standard cloud client-server computing model, and the vehicle is not using the cloud at all.
When Lucca wants to test a potentially malicious file, he uploads it to a third-party website. That website places the software in a secured testing environment and documents what it does, and then uses antimalware tools to try to identify it. What is that type of secure testing environment called? A. A software jail B. A sandbox C. A litterbox D. A root dungeon
B. A sandbox Running software in an isolated, instrumented, and protected sandbox is a useful technique when testing unknown, potentially malicious software. Sandboxing techniques are used by many malware analysis tools and companies to allow them to determine what a new malicious application does. The remaining options are made up.
Lucca notices that one of his coworkers has been watching his boss as he types in his password. Later, Lucca sees that coworker log in as their boss. What type of attack did Lucca witness? A. A phishing attack B. A shoulder surfing attack C. Eliciting D. Credential harvesting
B. A shoulder surfing attack Shoulder surfing attacks can be as simple as watching someone else type in their password. In general, the term describes watching someone use their passwords, other credentials, or access, and then using that information to gain illicit access. Phishing attacks are meant to gather credentials and other personal information but are typically conducted via email or similar means; it is not as specific a term as shoulder surfing. Eliciting is a social engineering technique that focuses on getting a target to volunteer information by leading them to a conversational topic. Credential harvesting is the capture of volumes of credentials with the intent of reusing them on other sites and services.
Patrick is a security analyst with a government agency who believes that his organization was targeted by a sophisticated foreign government attack that used a zero-day exploit. What term best describes this threat actor? A. Hacktivist B. APT C. Criminal syndicate D. Insider
B. APT This attack was waged by a foreign government using a sophisticated zero-day attack. The group waging this attack clearly qualifies as an advanced persistent threat (APT).
Job title, job location, age, and home zip code are all examples of what component of identities? A. Tokens B. Attributes C. Credentials D. Settings
B. Attributes Attributes are used to describe and provide more information about identities. Job title, location, age, and home zip code are all examples of attributes that may be used in an identity management system to enable needed functionality such as geofencing, time-based logins, or impossible travel/risky login detection.
Matt wants to use a freely available, open source forensics tool. Which of the following tools will provide him with timelining and other advanced forensic capabilities? A. FTK B. Autopsy C. Encase D. Windump
B. Autopsy Although FTK and Encase are popular commercial tools, Autopsy is the only open source forensics suite listed. It provides a broad range of forensics capabilities and is freely available, making it a popular solution for companies that need forensics software or for individuals learning the trade.
What device deployment model is least likely to support an agent-based NAC solution? A. Corporate-owned B. Bring your own device (BYOD) C. Corporate-owned, personally enabled D. Choose your own device
B. Bring your own device (BYOD) BYOD environments are less likely to find general acceptance of agent-based NAC solutions since they require the installation of an agent that can be obtrusive. That means that agentless NAC solutions are more common when security needs must still be met without an agent being installed.
Christopher received a message from Renee that was encrypted using an asymmetric encryption algorithm. What key should he use to decrypt the message? A. Christopher's public key B. Christopher's private key C. Renee's public key D. Renee's private key
B. Christopher's private key In an asymmetric encryption algorithm, the recipient of a message uses their own private key to decrypt messages that they receive.
Carl's organization is subject to PCI DSS. He determines that he will be unable to meet one of the PCI DSS objectives due to technical limitations and has obtained permission from his merchant bank to implement an alternative mechanism in place of the PCI DSS requirement. What type of control is Carl implementing? A. Preventive B. Compensating C. Detective D. Corrective
B. Compensating The scenario does not tell us whether the control is preventive, detective, or corrective. We do know, however, that it is being used in place of another control requirement that Carl's organization is unable to meet and is, therefore, a compensating control.
Hank has purchased servers that have dual power supplies. How should he connect the power supplies to ensure that systems stay online? A. Connect both power supplies to the same UPS or power distribution system. B. Connect the power supplies to different UPS or power distribution systems. C. Leave one power supply disconnected so that it can be enabled in case of an issue. D. Leave one power supply disconnected to avoid providing too much power to the system.
B. Connect the power supplies to different UPS or power distribution systems. A dual power supply system is typically connected to two different power infrastructures to ensure that, if one side fails, the server or system will remain online. This is part of designing and building a fully redundant power infrastructure.
What two factors are weighted most heavily when determining the severity of a risk? A. Likelihood and probability B. Likelihood and impact C. Magnitude and impact D. Impact and control
B. Likelihood and impact The two factors that determine the severity of a risk are its probability and magnitude. Impact is a synonym for magnitude. Likelihood is a synonym for probability. Controls are a risk mitigation technique that might be applied to reduce the magnitude and/or probability after determining the severity of a risk.
Tonya would like to use the cloud reference architecture to help her understand the interactions between different organizations and services in her cloud deployment. What document can best assist her with this task? A. CSA CCM B. NIST SP 500-292 C. PCI DSS D. ISO 27001
B. NIST SP 500-292 NIST SP 500-292 is a reference model for cloud computing and operates at a high level. The Cloud Security Alliance (CSA) Cloud Controls Matrix (CCM) is a reference document designed to help organizations understand the appropriate use of cloud security controls and map those controls to various regulatory standards. ISO 27001 is a general standard for cybersecurity, and PCI DSS is a regulatory requirement for organizations involved in processing credit card transactions.
After accounts belonging to users from her organization were breached on third-party sites, Sally begins to see attempts against services she is responsible for using the usernames and passwords from that breach. She receives notices from other sites that the same usernames and passwords are being tried there too. What type of attack is occurring? A. A dictionary attack B. Password spraying C. A known plain-text attack D. An offline password crack
B. Password spraying Password spraying attacks use known passwords to attempt to log in as the same user on other services and sites. A dictionary attack uses a list of likely passwords, as well as likely variants, to try to log in to one or more accounts. A known plain-text attack uses plain text to try to crack a cryptographic cipher to recover other encrypted data. An offline password attack is conducted against a stolen password file to try to crack the passwords, not against online services and sites.
Kayla is conducting threat research and would like to keep up-to-date on new security vulnerabilities. Which one of the following information sources is most likely to provide her with this information? A. Academic journal B. Vendor website C. Local industry group D. RFC documents
B. Vendor website Vendor websites commonly contain security bulletins with the most recent vulnerability information. Academic journals have long publishing cycles and rarely contain information about recent threats. Local industry groups are not a reliable source of timely information about vulnerabilities. RFC documents contain technical specifications and generally do not list recent vulnerabilities.
As part of her organization's response and recovery controls, Charleen has implemented a remote site that has all the systems needed to operate her company's IT infrastructure. In the event of a major outage or issue, she would need to bring copies of data to the site. What type of disaster recovery site has she set up? A. Cold site B. Warm site C. Hot site D. Availability zone
B. Warm site A warm site has all the hardware and networking needed to run essential operations, but it does not have the data ready to go. A hot site has everything you need, and you may have to bring just the last data update. A cold site is essentially just space to bring in equipment, networking, and data. Availability zones are a cloud computing concept used by Amazon.
Henry wants to review the first few lines of a file to see header information. How many lines at the start of a file will the head command display by default? A. 1 B. 5 C. 10 D. 100
C. 10 The head and tail commands are used to see the start and end of a file, respectively. They both display 10 lines by default, although you can use command-line flags to change how much they display.
Nathaniel is scanning for SSH servers on his network. What port and protocol should he scan for to find them? A. 22/UDP B. 443/UDP C. 22/TCP D. 443/TCP
C. 22/TCP The default SSH port is 22 via TCP. Although some administrators move SSH to a nonstandard port, most invest time in protecting the SSH server and accounts instead.
Erica provides laptops and mobile devices for her organization's traveling staff members. She has read a number of articles about data being stolen through the use of malicious charging cables or chargers. What type of solution can she give her organization's traveling staff to prevent this attack? A. A USB IPS B. A USB proxy C. A USB data blocker D. A USB IDS
C. A USB data blocker USB data blockers can simply block signals to and from the data pins on a USB port or adapter, or they can use a chip to remove USB commands from the connection. The other devices listed here were made up for the question.
Catherine wants to deploy a split tunnel VPN. What is the key difference between a split tunnel and a full tunnel VPN? A. A full tunnel VPN is given more network bandwidth than a split tunnel VPN. B. A split tunnel only sends traffic intended for the VPN client through the tunnel. C. A split tunnel only sends traffic intended for the remote network through the tunnel. D. A full tunnel VPN makes the system appear as if it is on the local network.
C. A split tunnel only sends traffic intended for the remote network through the tunnel. A split tunnel VPN sends traffic intended for the remote VPN network through the tunnel, and responses back to the client. It does not force all traffic meant to go to the VPN client through the tunnel—in fact, traffic from systems that are not part of the remote VPN network continues to bypass the VPN tunnel. A full tunnel VPN makes the system appear as if it is on the remote network, although some VPN systems may actually prevent local network access while the VPN is turned on. Finally, bandwidth is not determined by the type of tunnel.
Adam wants to deploy one-time passwords to his staff, and he wants to be able to support many different sites while also providing the ability to enroll users using his MDM system. What tool should he select? A. Hardware tokens B. Static codes C. An authentication application D. Phone-based push authentication
C. An authentication application Adam should select an authentication application. Tools like Google Authenticator, Duo, and Microsoft Authenticator all provide the capabilities that he is looking for. Some hardware tokens can handle multiple sites but are not manageable via MDM. Static codes are just that—printed-out codes. Phone-based push authentication could support multiple sites but is far less secure and, again, is not managed via MDM.
Robin is planning to conduct a risk assessment in her organization. She is concerned that it will be difficult to perform the assessment because she needs to include information about both tangible and intangible assets. What would be the most effective risk assessment strategy for her to use? A. Quantitative risk assessment B. Qualitative risk assessment C. Combination of quantitative and qualitative risk assessment D. Neither quantitative nor qualitative risk assessment
C. Combination of quantitative and qualitative risk assessment Robin would achieve the best results by combining elements of quantitative and qualitative risk assessment. Quantitative risk assessment excels at analyzing tangible, financial risks, whereas qualitative risk assessment is good for intangible risks. Combining the two techniques provides a well-rounded risk picture.
What type of attack depends on the fact that users are often logged in to many websites simultaneously in the same browser? A. Server-side request forgery B. Cross-site scripting C. Cross-site request forgery (XSRF) D. File inclusion
C. Cross-site request forgery (XSRF) XSRF attacks work by making the reasonable assumption that users are often logged into many different websites at the same time. Attackers then embed code in one website that sends a command to a second website.
Ron receives an emergency alert that computers throughout his organization have begun to display a message demanding that a ransom be paid in Bitcoin to allow restoration of access to important business documents and other files. What type of malware often uses this type of behavior? A. Worms B. Viruses C. Crypto malware D. Spyware
C. Crypto malware Crypto malware frequently demands a ransom paid in Bitcoin to unlock files. Although paying does often result in the files being restored, this is a dangerous option and does not guarantee results. Secure, independent backups are the best insurance against cryptographic malware taking your business out of operation. Worms spread themselves, but the actions they take vary from worm to worm, as do the actions taken by viruses. Spyware gathers information about user browsing habits but does not demand a ransom.
Renee is responding to a cybersecurity incident at her organization in which the attackers used a botnet to disrupt access to the organization's website, preventing legitimate customers from placing orders. What type of attack took place? A. Destruction B. Alteration C. Denial D. Integrity
C. Denial This is an example of a denial-of-service attack that disrupted the availability of the website for legitimate users.
Bart runs a backup service for his organization, and every day he backs up the changes since the last backup operation he performed. What type of backup is he performing? A. Differential B. Full C. Incremental D. Partial
C. Incremental Bart is conducting an incremental backup. Differential backups back up all data that has changed since the last full backup. Incremental backups back up the changes since the last full or incremental backup. Full backups back up all data, and partial backups are not a defined technical term.
Which one of the following statements about inline CASB is incorrect? A. Inline CASB solutions often use software agents on endpoints. B. Inline CASB solutions intercept requests from users to cloud providers. C. Inline CASB solutions can monitor activity but cannot actively enforce policy. D. Inline CASB solutions may require network reconfiguration.
C. Inline CASB solutions can monitor activity but cannot actively enforce policy. Inline CASB solutions require either network reconfiguration or the use of a software agent. They intercept requests from users to cloud providers and, by doing so, are able to both monitor activity and enforce policy.
Dana needs to deploy and manage applications on mobile devices for her organization and knows that a broad variety of tools support this. Which of the following is not a common tool for this purpose? A. MDM B. MAM C. MARS D. UEM
C. MARS Mobile device management (MDM), mobile application management (MAM), and universal endpoint management (UEM) tools are all commonly used to manage applications on mobile devices. Although MARS isn't a common acronym, Cisco's MARS product is a monitoring and analysis tool used to manage network devices, not mobile devices.
Chris is concerned about the possibility that former employees will disclose sensitive personal information about customers to unauthorized individuals. What is the best mechanism that Chris can use to manage this risk? A. AUP B. Privacy policy C. NDA D. Data ownership policy
C. NDA All of the mechanisms listed here may be used to protect private information. However, acceptable use policies, privacy policies, and data ownership policies are internal policies that would not be binding on former employees. To manage this risk, Chris's organization should have all employees sign nondisclosure agreements (NDAs) that remain binding after the end of the employment relationship.
Colleen's organization recently suffered a security breach in which the attacker was able to destroy a system that processes customer orders. Colleen is concerned that the breach is slowing down the delivery of those orders. What type of risk concerns Colleen the most? A. Strategic B. Financial C. Operational D. Reputational
C. Operational A breach that disrupts customer order processing may cause many different impacts on the organization, including operational, financial, and reputational risk. However, in this scenario, Colleen's primary concern is the disruption to the business, making this an operational risk.
Norm is conducting a penetration test and has gained access to an organization's database server. He then creates a user account for himself on that system in the hope that he can use this account to access the system at a later date, even if the original exploit that he used is patched. What term best describes Norm's activity? A. Lateral movement B. Pivoting C. Persistence D. Maneuver
C. Persistence Persistence includes any technique used to maintain access to a system, even after the attack is discovered. Norm is creating this user account for this purpose, so his activity is best described as persistence.
Sarah's security team has recommended that she place the offsite storage facility for her organization's backups at least 90 miles away from the primary office location. What is the primary driver of this recommendation? A. Placing the offsite storage facility 90 miles away prevents theft by making the backups hard to get to for local thieves. B. Ninety miles away is the minimum distance to prevent latency issues for backups. C. Placing the offsite storage facility 90 miles away means a single disaster won't destroy both the main facility and the backups. D. Placing the offsite storage facility 90 miles away ensures that different local jurisdiction laws will apply, making it harder for a single legal case to involve the primary data and the backups.
C. Placing the offsite storage facility 90 miles away means a single disaster won't destroy both the main facility and the backups. Geographic diversity is an important concept for redundant sites and backup locations. Although the minimum distance considered safe varies based on the guidelines you choose to follow, a distance like this is intended to ensure that a single disaster cannot destroy both the primary datacenter or storage location and the backups. Although the remainder of the answers may sound reasonable, they are not actual reasons for this type of geographic dispersion.
Rick has been asked to secure a legacy SCADA environment that his organization uses to manage power generation facilities. What recommendation is best suited to a legacy environment that uses a combination of proprietary and open protocols and systems? A. Require regular patching and enable local firewalls on all devices to build a zero-trust environment. B. Deploy a HIPS for each device to protect each system from both known and behavioral threats. C. Put the SCADA system on an isolated network and strictly control ingress and egress. D. None of the above.
C. Put the SCADA system on an isolated network and strictly control ingress and egress. Aging infrastructure that is tightly coupled to critical systems like a power generation facility is a common issue that enterprise security practitioners encounter in many industries. Placing devices that cannot otherwise be secured onto an isolated network and ensuring that only trusted and inspected access is allowed is a common solution. Since aging devices are often out of support, cannot be patched, and do not have support for firewalls or HIPS, those solutions are often unable to be implemented, particularly for the embedded and specialized devices found in SCADA and industrial control systems (ICS) environments.
Which of the following is the most volatile according to the order of volatility for forensics practitioners? A. Backups B. Disk drives C. RAM D. Virtual memory
C. RAM RAM, CPU cache, and CPU state (registers) are considered the most volatile for forensics purposes. Virtual memory, disk drives, and backups follow.
Gary discovers that his organization is storing some old files in a cloud service that are exposed to the world. He deletes those files. What type of risk management strategy is this? A. Risk mitigation B. Risk acceptance C. Risk avoidance D. Risk transference
C. Risk avoidance Gary is changing business practices to eliminate the risk entirely. This is, therefore, an example of risk avoidance.
Chris is designing a data loss prevention implementation for his organization. His primary goal is to protect a set of product plans that reside in a small data repository. New files are added to this repository on a periodic basis, and all of the files in the repository require protection. What technology would best meet Chris's needs? A. Pattern recognition B. Host-based C. Watermarking D. Network-based
C. Watermarking Chris could use either host-based or network-based DLP to meet his needs. The key technology in this scenario is the use of watermarking as the identification technique for sensitive data. Chris can tag all the documents in the secure repository with digital watermarks to flag them to the DLP system. Pattern recognition would not be a useful tool in this case because new documents are regularly added to the repository.
Jim wants to equip his mobile phone with the ability to create, store, and manage certificates. What hardware device is purpose-built for this use? A. A hashing store B. An OTP C. A MicroSD HSM D. A USB blocker
D. A USB blocker Hardware security modules (HSMs) come in many forms, ranging from rack-mounted servers and appliances to USB-based HSMs. MicroSD HSMs are designed to allow mobile devices equipped with the proper application to interact with the HSM, providing a way to create, manage, and store certificates using a mobile device with hardware-based assurance. A USB blocker blocks data from being sent via USB cables to prevent data theft. Neither a hashing store nor a one-time password (OTP) is a hardware device.
Joanna has discovered that one of her staff has connected an access point in their office to allow them to have wireless access to the network because her organization only uses a wired network in secure areas. What type of attack is this? A. A fake AP B. An evil twin C. An access clone D. A rogue AP
D. A rogue AP Rogue access points are access points connected to a network that are not supposed to be there. Evil twins are access points set up with the same SSID so that they appear to be a legitimate access point. Once unsuspecting users connect to them, attackers can monitor or modify their traffic. Both fake APs and access clones were made up for this question.
Gwen is working on the implementation of a new feature in an application used by her organization. She is writing code to improve the user interface. What environment should Gwen be working in? A. Test B. Staging C. Production D. Development
D. Development Developers working on active changes to code should always work in the development environment. The test environment is where the software or systems can be tested without impacting the production environment. The staging environment is a transition environment for code that has successfully cleared testing and is waiting to be deployed into production. The production environment is the live system. Software, patches, and other changes that have been tested and approved move to production.
Greg is reviewing a list of the security concerns commonly associated with an IPv6 rollout. Which of the following is not a common concern with IPv6 networks? A. Scanning sequential IP addresses is no longer viable for many networks. B. Blocking ICMP can cause significant problems. C. Devices may have more than one IP stack and interface. D. Device identification via MAC address is difficult.
D. Device identification via MAC address is difficult. IPv6 can actually make device identification via MAC address easier since IP addresses are configured based on MAC address if systems are using stateless address autoconfiguration. Since IPv6 networks can be very large, sequential scanning to discover hosts is unlikely to be a viable idea. Instead, scanning known hosts is the preferred solution. The habitual blocking of ICMP in IPv4 networks can cause problems in IPv6 networks, requiring security policy changes, and in many cases systems use both IPv4 and IPv6 network stacks, leading to multiple interfaces and addresses being potential targets. Since many organizations are not set up for IPv6 firewalling or security monitoring, this can lead to entire networks that can bypass current security protections.
What is the primary difference between HIDSs and HIPSs? A. HIDSs can only be installed on servers. B. HIDSs can stop attacks and HIPSs only log them. C. HIPSs can only be installed on servers. D. HIDSs only log attacks and HIPSs can stop them.
D. HIDSs only log attacks and HIPSs can stop them. The primary difference between a host intrusion detection system and a host intrusion prevention system is that a host-based intrusion prevention system (HIPS) can stop attacks by dropping or modifying traffic whereas a host-based intrusion detection system (HIDS) will only log and alert on attacks.
Veronica would like to use a service from her cloud provider that will manage the encryption keys used in her environment. What technology would best meet this goal? A. TPM B. PKI C. GPG D. HSM
D. HSM Hardware security modules (HSMs) are special-purpose computing devices that manage encryption keys and also perform cryptographic operations in a highly efficient manner. Trusted Platform Modules (TPMs) do manage encryption keys, but they are specific to a device and are not available in the cloud.
Ben would like to join a group of security professionals in his industry who share information about current threats. What would be the best type of group to join? A. ISSA chapter B. Private social media group C. Law enforcement agency D. ISAC
D. ISAC Information sharing and analysis centers (ISACs) are groups organized specifically for the purpose of sharing information about security threats. Although the other sources listed here may be able to provide Ben with threat information, an ISAC is likely to have the highest quality information relevant to his industry.
Greg's desktop system stores hashes of the system's firmware, bootloader, drivers, and other components that are loaded at boot in the TPM, and then boots. The OS then uses a remote attestation client to send that information to a server. What type of boot process is he using? A. BIOS boot B. UEFI hashing C. Secure boot D. Measured boot
D. Measured boot This is a UEFI measured boot process. Secure boot validates hashes against known good hashes for those boot elements. BIOS does not support either of these processes. UEFI hashing was made up for this question.
Paul is concerned that network devices in his organization may have exposed management interfaces. Which one of the following tests is most likely to discover this vulnerability? A. Web application scan B. Dynamic application test C. Static application test D. Network vulnerability scan
D. Network vulnerability scan Exposed management interfaces are a standard test conducted during network vulnerability scans. Application testing of any kind is unlikely to discover this type of vulnerability.
Jen's firm is planning to open a new retail store that will accept credit cards. What regulation must the firm comply with as a result of this processing? A. FERPA B. HIPAA C. GLBA D. PCI DSS
D. PCI DSS The Payment Card Industry Data Security Standard (PCI DSS) is an industry regulatory framework that specifies the cybersecurity requirements for organizations involved in credit card transactions.
Marek finds the following code on a Linux workstation that he is reviewing. What language is it, and what does it do?

import socket

my_socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
rhost = ("10.11.24.8", 22)
# connect_ex returns 0 on success instead of raising an exception
result_detail = my_socket.connect_ex(rhost)
if result_detail == 0:
    print("Open")
else:
    print("Closed")
my_socket.close()

A. Python; checks for API accessibility B. Bash; checks if FTP is accessible C. Bash; checks for API accessibility D. Python; checks if SSH is accessible
D. Python; checks if SSH is accessible This simple Python code defines a socket, defines a remote host and port, and then checks to see if it can open a TCP connection. Since the port is 22, we can assume this is checking for SSH. Bash doesn't directly support sockets the same way that Python does, and this code should clearly look like Python code instead of Bash code, allowing you to rule out the potential of this being a Bash script.
Jan is concerned that attackers might use a rainbow table attack against her organization's stored passwords. What is the most effective defense against this type of attack? A. Pinning B. Key escrow C. Input validation D. Salting
D. Salting Rainbow table attacks attempt to reverse hashed password values by precomputing the hashes of common passwords. The attacker takes a list of common passwords and runs them through the hash function to generate the rainbow table. They then search through lists of hashed values, looking for matches to the rainbow table. The most common approach to preventing these attacks is salting, which adds a randomly generated value to each password prior to hashing.
Frank's organization recently suffered an attack in which a senior system administrator executed some malicious commands and then deleted the log files that recorded his activity. Which one of the following controls would best mitigate the risk of this activity recurring in the future? A. Two-person control B. Job rotation C. Security awareness D. Separation of duties
D. Separation of duties Separation of duties is the most effective way to mitigate this risk. Administrators who have access to perform privileged activities on systems should not also have the ability to alter log files. Two-person control could work but would be very cumbersome. Job rotation and security awareness would not address this risk.
Which one of the following statements is not true about zero-day attacks? A. They may be found in software or hardware. B. They have a limited window of use. C. They are generally unpatchable. D. They are often widely publicized.
D. They are often widely publicized. Zero-day attacks are generally known only to a small group of researchers who discover the vulnerabilities. They are not known to the general public and would likely be patched by the vendor if they became widely known. Zero-day vulnerabilities may exist in any technology component: software or hardware. They are only effective during the limited window of opportunity when they remain unpatchable before the vendor issues a fix.