Security+ Assessment Exam 2 (DG)
80. What type of encryption does the RADIUS protocol use? A. Symmetric B. Asymmetric C. MD5 D. SHA
A. Remote Authentication Dial-In User Service (RADIUS) uses symmetric encryption. It does not use asymmetric encryption, which uses a public key and a private key. Message Digest 5 (MD5) and Secure Hash Algorithm (SHA) are hashing algorithms.
36. Which of the following is the BEST description of why disabling SSID broadcast is not an effective security measure against attackers? A. The network name is contained in wireless packets in plaintext. B. The passphrase is contained in wireless packets in plaintext. C. The SSID is included in MAC filters. D. The SSID is not used with WPA2.
36. A. The service set identifier (SSID) is the network name and it is included in certain wireless packets in plaintext. Disabling SSID broadcast hides the wireless network from casual users, but not attackers. Passphrases are not sent across the network in plaintext and are unrelated to the SSID. Media access control (MAC) address filters do not include the SSID. Wi-Fi Protected Access II (WPA2) does use the SSID. See Chapter 4.
3. An e-commerce web site does not currently have an account recovery process for customers who have forgotten their passwords. Which of the following choices are the BEST items to include if web site designers add this process? (Select TWO.) A. Create a web-based form that verifies customer identities using another method. B. Set a temporary password that expires upon first use. C. Implement biometric authentication. D. Email the password to the user.
A, B. A web-based form using an identity-proofing method, such as requiring users to enter the name of their first pet, can verify their identity. Setting a password that expires upon first use ensures that the user changes the password. Biometric authentication is not reasonable for an online e-commerce web site. Emailing the password is a possibility, but not without configuring the password to expire upon first use. See Chapter 1.
52. Your organization is considering the purchase of new computers. A security professional stresses that these devices should include TPMs. What benefit does a TPM provide? (Choose all that apply.) A. It uses hardware encryption, which is quicker than software encryption. B. It uses software encryption, which is quicker than hardware encryption. C. It includes an HSM file system. D. It stores RSA keys.
A, D. A Trusted Platform Module (TPM) is a hardware chip that stores RSA encryption keys and uses hardware encryption, which is quicker than software encryption. A TPM does not use software encryption. An HSM is a removable hardware device that uses hardware encryption, but it does not have a file system and TPM does not provide HSM as a benefit. See Chapter 5.
90. An organization is planning to implement an internal PKI for smart cards. Which of the following should the organization do FIRST? A. Install a CA. B. Generate key pairs. C. Generate a certificate. D. Identify a recovery agent.
A. A Public Key Infrastructure (PKI) requires a certification authority (CA), so a CA should be installed first. Smart cards require certificates and would be issued by the CA. After installing the CA, you can generate key pairs to be used with certificates issued by the CA. A recovery agent can be identified, but it isn't required to be done as a first step for a CA. See Chapter 10.
26. Your organization wants to protect its web server from cross-site scripting attacks. Which of the following choices provides the BEST protection? A. WAF B. Network-based firewall C. Host-based firewall D. IDS
A. A web application firewall (WAF) is an Application layer firewall designed specifically to protect web servers. Although both host-based and network-based firewalls provide protection, they aren't necessarily Application layer firewalls, so they do not provide the same level of protection for a web server as a WAF does. An intrusion detection system (IDS) can help detect attacks, but it isn't as good as the WAF when protecting the web server. See Chapter 3.
91. Which of the following is a valid reason to use a wildcard certificate? A. Reduce the administrative burden of managing certificates. B. Support multiple private keys. C. Support multiple public keys. D. Increase the lifetime of the certificate.
A. A wildcard certificate reduces the certificate management burden by using an asterisk (*) in place of child domain names. The certificate still has a single public and private key pair. The wildcard doesn't affect the lifetime of the certificate. See Chapter 10.
5. Your organization issues laptops to mobile users. Administrators configured these laptops with full disk encryption, which requires users to enter a password when they first turn on the computer. After the operating system loads, users are required to log on with a username and password. Which of the following choices BEST describes this? A. Single-factor authentication B. Dual-factor authentication C. Multifactor authentication D. SAML
A. Both passwords are in the something you know factor of authentication, so this process is single-factor authentication. Dual-factor authentication requires the use of two different authentication factors. Multifactor authentication requires two or more factors of authentication. Security Assertion Markup Language (SAML) is an Extensible Markup Language (XML) used for single sign-on (SSO), but this is unrelated to this question. See Chapter 1.
54. Homer installed code designed to enable his account automatically, three days after someone disables it. What did Homer create? A. Backdoor B. Rootkit C. Armored virus D. Ransomware
A. By ensuring that his account is automatically reenabled, Homer has created a backdoor. He is creating this with a logic bomb, but a logic bomb isn't available as a choice in this question. Rootkits include hidden processes, but they do not activate in response to events. An armored virus uses techniques to make it difficult for researchers to reverse engineer it. Ransomware demands payment to release a user's computer or data. See Chapter 6.
99. You are reviewing incident response procedures related to the order of volatility. Which of the following is the LEAST volatile? A. Hard disk drive B. Memory C. RAID-6 cache D. CPU cache
A. Data on a hard disk drive is the least volatile of those listed. All other sources are some type of memory, which will be lost if a system is turned off. This includes data in a redundant array of inexpensive disks 6 (RAID-6) cache, normal memory, and the central processing unit's (CPU's) memory. See Chapter 11.
34. Administrators in your organization are planning to implement a wireless network. Management has mandated that they use a RADIUS server and implement a secure wireless authentication method. Which of the following should they use? A. LEAP B. WPA-PSK C. WPA2-PSK D. AES
A. Enterprise mode implements 802.1x as a Remote Authentication Dial-In User Service (RADIUS) server and Lightweight Extensible Authentication Protocol (LEAP) can secure the authentication channel. LEAP is a Cisco proprietary protocol, but other EAP variations can also be used, such as Protected EAP (PEAP), EAP-Transport Layer Security (EAP-TLS), and EAP Tunneled TLS (EAP-TTLS). Wi-Fi Protected Access (WPA) and WPA2 using a preshared key (PSK) do not use RADIUS. Many security protocols use Advanced Encryption Standard (AES), but AES by itself does not use RADIUS. See Chapter 4.
51. A business owner is preparing to decommission a server that has processed sensitive data. He plans to remove the hard drives and send them to a company that destroys them. However, he wants to be certain that personnel at that company cannot access data on the drives. Which of the following is the BEST option to meet this goal? A. Encrypt the drives using full disk encryption. B. Capture an image of the drives. C. Identify data retention policies. D. Use file-level encryption to protect the data.
A. Full disk encryption is the best option of the available answers. Another option (not listed) is to use disk wiping procedures to erase the data. Capturing an image of the drives won't stop someone from accessing data on the original drives. Retention policies identify how long to keep data, but do not apply here. Depending on how much data is on the drives, file-level encryption can be very tedious and won't necessarily encrypt all of the sensitive data. See Chapter 5.
60. A web developer is adding input validation techniques to a web site application. Which of the following should the developer implement during this process? A. Perform the validation on the server side. B. Perform the validation on the client side. C. Prevent boundary checks. D. Encrypt data with TLS.
A. Input validation should be performed on the server side. Client-side validation can be combined with server-side validation, but it can be bypassed so it should not be used alone. Boundary or limit checks are an important part of input validation. Input validation does not require encryption of data with Transport Layer Security (TLS) or any other encryption protocol. See Chapter 7.
77. You need to modify the network infrastructure to increase availability of web-based applications for Internet clients. Which of the following choices provides the BEST solution? A. Load balancing B. Proxy server C. UTM D. Content inspection
A. Load-balancing solutions increase the availability of web-based solutions by spreading the load among multiple servers. A proxy server is used by internal clients to access Internet resources and does not increase availability of a web server. A unified threat management (UTM) system protects internal resources from attacks, but does not directly increase the availability of web-based applications. Content inspection is one of the features of a UTM, and it protects internal clients but does not directly increase the availability of web-based applications. See Chapter 9.
45. Your company has recently standardized servers using imaging technologies. However, a recent security audit verified that some servers were immune to known OS vulnerabilities, whereas other systems were not immune to the same vulnerabilities. Which of the following would reduce these vulnerabilities? A. Patch management B. Sandboxing C. Snapshots D. Baselines
A. Patch management procedures ensure operating systems (OS) are kept up to date with current patches. Patches ensure systems are immune to known vulnerabilities, but none of the other answers protects systems from these known vulnerabilities. Sandboxing isolates systems for testing. Snapshots record the state of a virtual machine at a moment in time. Baselines identify the starting point for systems. See Chapter 5.
70. Your organization develops web application software, which it sells to other companies for commercial use. To ensure the software is secure, your organization uses a peer assessment to help identify potential security issues related to the software. Which of the following is the BEST term for this process? A. Code review B. Change management C. Routine audit D. Rights and permissions review
A. Peers, such as other developers, perform code reviews going line-by-line through the software code looking for vulnerabilities, such as buffer overflows and race conditions. Change management helps prevent unintended outages from configuration changes. Routine audits review processes and procedures, but not software code. A user rights and permissions review ensures users have appropriate privileges. See Chapter 8.
18. The Retirement Castle uses groups for ease of administration and management. They recently hired Jasper as their new accountant. Jasper needs access to all the files and folders used by the Accounting department. What should the administrator do to give Jasper appropriate access? A. Create an account for Jasper and add the account to the Accounting group. B. Give Jasper the password for the Guest account. C. Create an account for Jasper and use rule-based access control for accounting. D. Create an account for Jasper and add the account to the Administrators group.
A. The administrator should create an account for Jasper and add it to the Accounting group. Because the organization uses groups, it makes sense that they have an Accounting group. The Guest account should be disabled to prevent the use of generic accounts. This scenario describes role-based access control, not rule-based access control. Jasper does not require administrator privileges, so his account should not be added to the Administrators group. See Chapter 2.
37. You are reviewing logs from a wireless survey within your organization's network due to a suspected attack and you notice the following entries: MAC SSID Encryption Power 12:AB:34:CD:56:EF GetCertifiedGetAhead WPA2 47 12:AB:34:CD:56:EF GetCertifiedGetAhead WPA2 62 56:CD:34:EF:12:AB GetCertifiedGetAhead WPA2 20 12:AB:34:CD:56:EF GetCertifiedGetAhead WPA2 57 12:AB:34:CD:56:EF GetCertifiedGetAhead WPA2 49 Of the following choices, what is the MOST likely explanation of these entries? A. An evil twin is in place. B. Power of the AP needs to be adjusted. C. A rogue AP is in place. D. The AP is being pharmed.
A. The logs indicate an evil twin is in place. An evil twin is a rogue wireless access point with the same service set identifier (SSID) as a live wireless access point. The SSID is GetCertifiedGetAhead and most of the entries are from an access point (AP) with a media access control (MAC) address of 12:AB:34:CD:56:EF. However one entry shows a MAC of 56:CD:34:EF:12:AB, indicating an evil twin with the same name as the legitimate AP. Power can be adjusted if necessary to reduce the visibility of the AP, but there isn't any indication this is needed. The power of the evil twin is lower, indicating it is in a different location farther away. A rogue AP is an unauthorized AP and although the evil twin is unauthorized, it is more correct to identify this as an evil twin because that is more specific. Generically, a rogue AP has a different SSID. A pharming attack redirects a web site's traffic to another web site, but this isn't indicated in this question at all. See Chapter 4.
98. Your organization wants to prevent damage from malware. Which stage of the common incident response procedures is the BEST stage to address this? A. Preparation B. Identification C. Mitigation D. Lessons learned
A. The preparation stage is the first phase of common incident response procedures, and attempts to prevent incidents and plan methods to respond to incidents. Incident identification occurs after a potential incident occurs and verifies it is an incident. You attempt to reduce or remove the effects of an incident during the mitigation stage. Lessons learned occurs later and involves analysis to identify steps that will prevent a future occurrence. See Chapter 11.
65. A penetration tester is tasked with gaining information on one of your internal servers and he enters the following command: telnet server1 80. What is the purpose of this command? A. Identify if server1 is running a service using port 80 and is reachable. B. Launch an attack on server1 sending 80 separate packets in a short period of time. C. Use Telnet to remotely administer server1. D. Use Telnet to start an RDP session.
A. This command sends a query to server1 over port 80 and if the server is running a service on port 80, it will connect. This is a common beginning command for a banner grabbing attempt. It does not send 80 separate packets. If 80 was omitted, Telnet would attempt to connect using its default port of 23 and attempt to create a Telnet session. Remote Desktop Protocol (RDP) uses port 3389 and is not relevant in this scenario. See Chapter 8.
95. An organizational policy specifies that duties of application developers and administrators must be separated. What is the MOST likely result of implementing this policy? A. One group develops program code and the other group deploys the code. B. One group develops program code and the other group modifies the code. C. One group deploys program code and the other group administers databases. D. One group develops databases and the other group modifies databases.
A. This describes a separation of duties policy where the application developers create and modify the code, and the administrators deploy the code to live production systems, but neither group can perform both functions. Developers would typically develop the original code, and modify it when necessary. This scenario does not mention databases. See Chapter 11.
32. Security personnel recently noticed a successful exploit against an application used by many employees at their company. They notified the company that sold them the software and asked for a patch. However, they discovered that a patch wasn't available. What BEST describes this scenario? A. Zero-day B. Buffer overflow C. LSO D. SQL injection
A. This scenario describes a zero-day exploit on the software application. A zero-day exploit is one that is unknown to the vendor, or the vendor knows about, but hasn't yet released a patch or update to mitigate the threat. The other answers are specific types of attacks, but the scenario isn't specific enough to identify the type of exploit. A buffer overflow attack occurs when an attacker attempts to write more data into an application's memory than it can handle, or to bypass the application's structured exception handling (SEH). Adobe Flash content within web pages uses locally shared objects (LSOs), similar to how regular web pages use cookies, and attackers can modify both cookies and LSOs in different types of attacks. A Structured Query Language (SQL) injection attack attempts to inject SQL code into an application to access a database. See Chapter 4.
43. A company is implementing a feature that allows multiple servers to operate on a single physical server. What is this? A. Virtualization B. IaaS C. Cloud computing D. DLP
A. Virtualization allows multiple virtual servers to exist on a single physical server. Infrastructure as a Service (IAAS) is a cloud computing option where the vendor provides access to a computer, but customers manage it. Cloud computing refers to accessing computing resources via a different location than your local computer. Data loss prevention (DLP) techniques examine and inspect data looking for unauthorized data transmissions. See Chapter 5.
33. What type of encryption is used with WPA2 CCMP? A. AES B. TKIP C. RC4 D. SSL
A. Wi-Fi Protected Access II (WPA2) with Counter Mode Cipher Block Chaining Message Authentication Code Protocol (CCMP) uses Advanced Encryption Standard (AES). Temporal Key Integrity Protocol (TKIP) and Secure Sockets Layer (SSL) both use Rivest Cipher 4 (RC4), but not AES. See Chapter 4.
56. Your organization has been receiving a significant amount of spam with links to malicious web sites. You want to stop the spam. Of the following choices, what provides the BEST solution? A. Add the domain to a block list B. Use a URL filter C. Use a MAC filter D. Add antivirus software
A. You can block emails from a specific domain sending spam by adding the domain to a block list. While the question doesn't indicate that the spam is coming from a single domain, this is still the best answer of the given choices. A URL filter blocks outgoing traffic and can be used to block the links to the malicious web sites in this scenario, but it doesn't stop the email. Switches use MAC filters to restrict access within a network. Antivirus software does not block spam. See Chapter 6.
55. Your local library is planning to purchase new computers that patrons can use for Internet research. Which of the following are the BEST choices to protect these computers? (Choose TWO.) A. Mantrap B. Anti-malware software C. Cable locks D. Pop-up blockers E. Disk encryption
B, C. Anti-malware software and cable locks are the best choices to protect these computers. Anti-malware software protects the systems from viruses and other malware. The cable locks deter theft of the computers. A mantrap prevents tailgating, but this is unrelated to this question. Pop-up blockers are useful, but they are often included with anti-malware software, so anti-malware software is most important. Disk encryption is useful if the computers have confidential information, but it wouldn't be appropriate to put confidential information on a public computer. See Chapters 2 and 6.
87.Which two protocols provide strong security for the Internet with the use of certificates? (Choose TWO.) A. SSH B. SSL C. SCP D. TLS E. SFTP
B, D. Secure Sockets Layer (SSL) and Transport Layer Security (TLS) secure Internet traffic with the use of certificates. Secure Shell (SSH) encrypts traffic such as Secure Copy (SCP), Secure File Transfer Protocol (SFTP), and Telnet but none of these use certificates. See Chapter 10.
78. A security analyst is creating a document that includes the expected monetary loss from a major outage. She is calculating the potential lost sales, fines, and impact on the organization's customers. Which of the following documents is she MOST likely creating? A. BCP B. BIA C. DRP D. RPO
B. A business impact analysis (BIA) includes information on potential monetary losses and is the most likely document of those listed that would include this information. A business continuity plan (BCP) includes a BIA, but the BIA is more likely to include this information than the BCP is. A disaster recovery plan (DRP) includes methods used to recover from an outage. The recovery point objective (RPO) refers to the amount of data you can afford to lose but does not include monetary losses. See Chapter 9.
100. Security personnel confiscated a user's workstation after a security incident. Administrators removed the hard drive for forensic analysis, but left it unattended for several hours before capturing an image. What could prevent the company from taking the employee to court over this incident? A. Witnesses were not identified. B. A chain of custody was not maintained. C. An order of volatility was not maintained. D. A hard drive analysis was not complete.
B. A chain of custody was not maintained because the hard drive was left unattended for several hours before capturing an image. Witnesses were not mentioned, but are not needed if the chain of custody was maintained. The order of volatility does not apply here, but the hard drive is not volatile. Analysis would occur after capturing an image, but there isn't any indication it wasn't done or wasn't complete. See Chapter 11.
71. Your organization plans to deploy new systems within the network within the next six months. What should your organization implement to ensure these systems are developed properly? A. Code review B. Design review C. Baseline review D. Attack surface review
B. A design review ensures that systems and software are developed properly. A code review is appropriate if the organization is developing its own software for these new systems, but the scenario doesn't indicate this. A baseline review identifies changes from the initial baseline configuration, but couldn't be done for systems that aren't deployed yet. Identifying the attack surface, including the required protocols and services, would likely be part of the design review, but the design review does much more. See Chapter 8.
57. Attackers have launched an attack using multiple systems against a single target. What type of attack is this? A. DoS B. DDoS C. SYN flood D. Buffer overflow
B. A distributed denial-of-service (DDoS) attack includes attacks from multiple systems with the goal of depleting the target's resources. A DoS attack comes from a single system and a SYN flood is an example of a DoS attack. A buffer overflow is a type of DoS attack that attempts to write data into an application's memory. See Chapter 7.
75. You are troubleshooting issues between two servers on your network and need to analyze the network traffic. Of the following choices, what is the BEST tool to capture and analyze this traffic? A. Switch B. Protocol analyzer C. Firewall D. NIDS
B. A protocol analyzer (also called a sniffer) is the best choice to capture and analyze network traffic. Although the traffic probably goes through a switch, the switch doesn't capture the traffic in such a way that you can analyze it. It's unlikely that the traffic is going through a firewall between two internal servers and even if it did, the best you could get is data from the firewall log, but this wouldn't provide the same level of detail as a capture from the sniffer. A network intrusion detection system (NIDS) detects traffic, but it isn't the best tool to capture and analyze it. See Chapter 8.
74. A security administrator needs to inspect protocol headers of traffic sent across the network. What tool is the BEST choice for this task? A. Web security gateway B. Protocol analyzer C. Honeypot D. Vulnerability assessment
B. A protocol analyzer (or sniffer) can capture traffic allowing an administrator to inspect the protocol headers. A web security gateway is a type of security appliance that protects against multiple threats, but doesn't necessarily capture traffic for inspection. A honeypot contains fake data designed to entice attackers. A vulnerability assessment identifies a system or network's security posture and it might include using a protocol analyzer, but does much more. See Chapter 8.
27. Management recently learned that several employees are using the company network to visit gambling and gaming web sites. They want to implement a security control to prevent this in the future. Which of the following choices would meet this need? A. WAF B. UTM C. DMZ D. NIDS
B. A unified threat management (UTM) device typically includes a URL filter and can block access to web sites, just as a proxy server can block access to web sites. A web application firewall (WAF) protects a web server from incoming attacks. A demilitarized zone (DMZ) is a buffered zone between protected and unprotected networks, but it does not include URL filters. A network-based intrusion detection system (NIDS) can detect attacks, but doesn't include outgoing URL filters. See Chapter 3.
39. Management within your organization wants some users to be able to access internal network resources from remote locations. Which of the following is the BEST choice to meet this need? A. WAF B. VPN C. IDS D. IPS
B. A virtual private network (VPN) provides access to a private network over a public network such as the Internet via remote locations and is the best choice. A web application firewall (WAF) provides protection for a web application or a web server. Intrusion detection systems (IDSs) and intrusion prevention systems (IPSs) protect networks, but do not control remote access. See Chapter 4.
38. Mobile users in your network report that they frequently lose connectivity with the wireless network on some days, but on other days they don't have any problems. Which of the following types of attacks could cause this? A. IV B. Wireless jamming C. Replay D. WPA cracking
B. A wireless jamming attack is a type of denial-of-service (DoS) attack that can cause wireless devices to lose their association with access points and disconnect them from the network. None of the other attacks are DoS attacks. An initialization vector (IV) is a specific type of attack on Wired Equivalent Privacy (WEP) to crack the key. A replay attack captures traffic with the goal of replaying it later to impersonate one of the parties in the original transmission. Wi-Fi Protected Access (WPA) cracking attacks attempt to discover the passphrase. See Chapter 4.
41. Lisa has scanned all the user computers in the organization as part of a security audit. She is creating an inventory of these systems, including a list of applications running on each computer and the application versions. What is she MOST likely trying to identify? A. System architecture B. Application baseline C. Code vulnerabilities D. Attack surface
B. Administrators create a list of applications installed on systems as part of an application baseline (also called a host software baseline). An architecture review typically looks at the network architecture, not individual systems. A code review looks for vulnerabilities within code, but applications are compiled so the code is not easily available for review. The attack surface looks at much more than just applications and includes protocols and services. See Chapter 5.
10. Your organization wants to reduce the amount of money it is losing due to thefts. Which of the following is the BEST example of an equipment theft deterrent? A. Remote wiping B. Cable locks C. Strong passwords D. Disk encryption
B. Cable locks are effective equipment theft deterrents for laptops and other systems. Remote wiping can erase data on stolen systems, but it doesn't deter thefts. Strong passwords help prevent someone from accessing a stolen device, but it doesn't deter thefts. Disk encryption can protect the data after a device is stolen, but it doesn't deter theft. See Chapter 2.
88. Lenny and Carl work in an organization that includes a PKI. Carl needs to send a digitally signed file to Lenny. What does Carl use in this process? A. Carl's public key B. Carl's private key C. Lenny's public key D. Lenny's private key
B. Carl uses his private key to digitally sign the file. Lenny uses Carl's public key to decrypt the digital signature. Lenny's keys are not used in this scenario. See Chapter 10.
22. While analyzing a firewall log, you notice traffic going out of your network on UDP port 53. What does this indicate? A. Connection with a botnet B. DNS traffic C. SMTP traffic D. SFTP traffic
B. Domain Name System (DNS) traffic uses UDP port 53 by default to resolve host names to IP addresses. It is not malicious traffic connecting to a botnet. Simple Mail Transfer Protocol (SMTP) uses port 25. Secure File Transfer Protocol (SFTP) uses port 22. See Chapter 3.
62. During a penetration test, a tester injected extra input into an application causing the application to crash. What does this describe? A. SQL injection B. Fuzzing C. Transitive access D. XSRF
B. Fuzzing or fuzz testing sends extra input to an application to test it. Ideally, the application can handle the extra input, but it is possible that fuzz testing causes an application to crash. Other answers do not cause the application to crash. A SQL injection attack sends specific SQL code to access or modify data in a database. A cross-site request forgery (XSRF) attack uses HTML or JavaScript code to take actions on behalf of a user. See Chapter 7.
16. You configure access control for users in your organization. Some departments have a high employee turnover, so you want to simplify account administration. Which of the following is the BEST choice? A. User-assigned privileges B. Group-based privileges C. Domain-assigned privileges D. Network-assigned privileges
B. Group-based privileges is a form of role-based access control and it simplifies administration. Instead of assigning permissions to new employees individually, you can just add new employee user accounts into the appropriate groups to grant them the rights and permissions they need for the job. User-assigned privileges require you to manage privileges for each user separately, and it increases the account administration burden. Domain-assigned and network-assigned privileges are not valid administration practices. See Chapter 2.
24. An organization recently updated its security policy. A new requirement dictates a need to increase protection from rogue devices plugging into physical ports. Which of the following choices provides the BEST protection? A. Disable unused ports B. Implement 802.1x C. Enable MAC limiting D. Enable MAC filtering
B. IEEE 802.1x is a port-based authentication protocol and it requires systems to authenticate before they are granted access to the network. If an attacker plugged a rogue device into a physical port, the 802.1x server would block it from accessing the network. Disabling unused ports is a good practice, but it doesn't prevent an attacker from unplugging a system from a used port and plugging the rogue device into the port. While MAC limiting and filtering will provide some protection against rogue devices, an 802.1x server provides much stronger protection. See Chapter 3.
66. A recent vulnerability assessment identified several issues related to an organization's security posture. Which of the following issues is MOST likely to affect the organization on a day-to-day basis? A. Natural disasters B. Lack of antivirus software C. Lack of protection for data at rest D. Lack of protection for data in transit
B. Malware is a constant threat and without antivirus software, systems are sure to become infected in a short period of time. Natural disasters are a risk, but not on a day-to-day basis. Encryption protects data at rest and data in transit, but a lack of encryption isn't likely to affect the organization on a day-to-day basis. See Chapter 8.
23. A team of users in your organization needs a dedicated subnet. For security reasons, other users should not be able to connect to this subnet. Which of the following choices is the BEST solution? A. Restrict traffic based on port numbers. B. Restrict traffic based on physical addresses. C. Implement DNS on the network. D. Enable SNMP.
B. Of the given choices, the best answer is to restrict traffic based on physical addresses. This is also known as media access control (MAC) address filtering and is configured on a switch. Port numbers are related to protocols, so it wouldn't be feasible to restrict traffic for this group based on protocols. Domain Name System (DNS) provides name resolution, but it doesn't restrict traffic. Simple Network Management Protocol version 3 (SNMPv3) monitors and manages network devices. See Chapter 3.
49. Management wants to implement a system that will provide automatic notification when personnel remove devices from the building. Which of the following security controls will meet this requirement? A. Video monitoring B. RFID C. Geo-tagging D. Account lockout
B. Radio-frequency identification (RFID) provides automated inventory control and can detect movement of devices. Video monitoring might detect removal of devices, but it does not include automatic notification. Geo-tagging provides geographic location for pictures posted to social media sites. Account lockout controls lock accounts when the incorrect password is entered too many times. See Chapter 5.
94. An organization is implementing a data policy and wants to designate a recovery agent. Which of the following indicates what a recovery agent can do? A. A recovery agent can retrieve a user's public key. B. A recovery agent can decrypt data if users lose their private key. C. A recovery agent can encrypt data if users lose their private key. D. A recovery agent can restore a system from backups.
B. Recovery agents can decrypt data and messages if users lose their private key. Public keys are publicly available, so recovery agents aren't needed to retrieve them. A recovery agent wouldn't encrypt a user's data. Although backups are important, this isn't the role of a recovery agent. See Chapter 10.
82. An organization is implementing a PKI and plans on using public and private keys. Which of the following can be used to create strong key pairs? A. MD5 B. RSA C. AES D. HMAC
B. Rivest, Shamir, Adleman (RSA) is used to create key pairs. Message Digest 5 (MD5) and Hash-based Message Authentication Code (HMAC) are hashing algorithms. Advanced Encryption Standard (AES) is a symmetric encryption algorithm. See Chapter 10.
97. Which of the following is a type of media that allows the mass distribution of personal comments to specific groups of people? A. P2P B. Social media C. Media devices D. News media
B. Social media is a type of media that allows the mass distribution of personal comments to specific groups of people and it is a potential risk to organizations due to possible data leakage. Peer-to-peer (P2P) sites allow users to share data, but it is also a source of data leakage. Media devices such as MP3 players don't support sharing comments among specific groups of users. The news media reports on news stories. See Chapter 11.
84. A user wants to hide confidential data within a .jpg file. Which of the following is the BEST choice to meet this need? A. ECC B. Steganography C. CRL D. File-level encryption
B. Steganography allows users to hide data within the white space of other files, including .jpg files. None of the other choices hides data within another file. Elliptic curve cryptography (ECC) is often used with mobile devices for encryption because it has minimal overhead. A certificate revocation list (CRL) identifies revoked certificates. File-level encryption encrypts a file, such as a master password list, but does not hide data within another file. See Chapter 10.
58. Security administrators are reviewing security controls and their usefulness. Which of the following attacks will account lockout controls prevent? (Choose TWO.) A. DNS poisoning B. Replay C. Brute force D. Buffer overflow E. Dictionary
C, E. Brute force and dictionary attacks attempt to guess passwords, but an account lockout control locks an account after the wrong password is guessed too many times. The other attacks are not password attacks, so they aren't mitigated using account lockout controls. Domain name system (DNS) poisoning attempts to redirect web browsers to malicious URLs. Replay attacks attempt to capture packets to impersonate one of the parties in an online session. Buffer overflow attacks attempt to overwhelm online applications with unexpected code or data. See Chapter 7.
13. You have discovered that some users have been using the same passwords for months, even though the password policy requires users to change their password every 30 days. You want to ensure that users cannot reuse the same password. Which settings should you configure? (Select TWO.) A. Maximum password age B. Password length C. Password history D. Password complexity E. Minimum password age
C, E. The password history setting records previously used passwords (such as the last 24 passwords) to prevent users from reusing the same passwords. Using password history setting combined with the minimum password age setting prevents users from changing their password repeatedly to get back to their original password. The maximum password age setting ensures users change their passwords regularly, but this is already set to 30 days in the scenario. Password length requires a minimum number of characters in a password. Password complexity requires a mix of uppercase and lowercase letters, numbers, and special characters. See Chapter 2.
93. You need to request a certificate for a web server. Which of the following would you MOST likely use? A. CA B. CRL C. CSR D. OCSP
C. A certificate signing request (CSR) uses a specific format to request a certificate. You submit the CSR to a Certificate Authority (CA), but the request needs to be in the CSR format. A certificate revocation list (CRL) is a list of revoked certificates. The Online Certificate Status Protocol (OCSP) is an alternate method of validating certificates and indicates if a certificate is good, revoked, or unknown. See Chapter 10.
96. Application developers in your organization currently update applications on live production servers when needed. However, they do not follow any predefined procedures before applying the updates. What should the organization implement to prevent any risk associated with this process? A. Risk assessment B. Tabletop exercises C. Change management D. Incident management
C. A change management process ensures that changes are approved before being implemented and would prevent risks associated with unintended outages. A risk assessment identifies risks at a given point in time. Tabletop exercises test business continuity and disaster recovery plans. Incident management is only related to security incidents. See Chapter 11.
2. You are the security administrator in your organization. You want to ensure that a file maintains integrity. Which of the following choices is the BEST choice to meet your goal? A. Steganography B. Encryption C. Hash D. AES
C. A hash provides integrity for files, emails, and other types of data. Steganography provides confidentiality by hiding data within other data and encryption provides confidentiality by ciphering the data. Advanced Encryption Standard (AES) is an encryption protocol. See Chapter 1.
31. Attackers frequently attack your organization, and administrators want to learn more about zero-day attacks on the network. What can they use? A. Anomaly-based HIDS B. Signature-based HIDS C. Honeypot D. Signature-based NIDS
C. A honeypot is a server designed to look valuable to an attacker and can help administrators learn about zero-day exploits, or previously unknown attacks. A host-based intrusion detection system (HIDS) protects host systems, but isn't helpful against network attacks. Signature-based tools would not have a signature for zero-day attack because the attack method is unknown by definition. See Chapter 4.
76. Which of the following is the lowest cost solution for fault tolerance? A. Load balancing B. Clustering C. RAID D. Cold site
C. A redundant array of inexpensive disks (RAID) subsystem is a relatively low-cost solution for fault tolerance for disks. RAID also increases data availability. Load balancing and failover clustering add in additional servers, which is significantly more expensive than RAID. A cold site is a completely separate location, which can be expensive, but a cold site does not provide fault tolerance. See Chapter 9.
48. Homer wants to ensure that other people cannot view data on his mobile device if he leaves it unattended. What should he implement? A. Encryption B. Cable lock C. Screen lock D. Remote wiping
C. A screen lock locks a device until the proper passcode is entered and prevents access to mobile devices when they are left unattended. Encryption protects data, especially if the device is lost or stolen. A cable lock is used with laptops to prevent them from being stolen. Remote wiping can erase data on a lost or stolen device. See Chapter 5.
44. A software vendor recently developed a patch for one of its applications. Before releasing the patch to customers, the vendor needs to test it in different environments. Which of the following solutions provides the BEST method to test the patch in different environments? A. Baseline image B. BYOD C. Virtualized sandbox D. Change management
C. A virtualized sandbox provides a simple method of testing patches and would be used with snapshots so that the virtual machine (VM) can easily be reverted to the original state. A baseline image is a starting point of a single environment. Bring your own device (BYOD) refers to allowing employee-owned mobile devices in a network, and is not related to this question. Change management practices ensure changes are not applied until they are approved and documented. See Chapter 5.
69. Which of the following tools is the LEAST invasive and can verify if security controls are in place? A. Pentest B. Protocol analyzer C. Vulnerability scan D. Host enumeration
C. A vulnerability scan can verify if security controls are in place, and it does not try to exploit these controls using any invasive methods. A pentest (or penetration test) can verify if security controls are in place, but it is invasive and can potentially compromise a system. A protocol analyzer is not invasive, but it cannot determine if security controls are in place. Host enumeration identifies hosts on a network, but does not check for security controls. See Chapter 8.
63. A security expert is attempting to identify the number of failures a web server has in a year. Which of the following is the expert MOST likely identifying? A. SLE B. MTTR C. ALE D. MTTF
C. Annualized loss expectancy (ALE) is part of a quantitative risk assessment and is the most likely answer of those given. It is calculated by multiplying the single loss expectancy times the annualized rate of occurrence (ARO). Mean time to recover (MTTR) and mean time to failure (MTTF) do not identify the number of failures in a year. See Chapter 8.
6. Users at your organization currently use a combination of smart cards and passwords, but an updated security policy requires multifactor security using three different factors. Which of the following can you add to meet the new requirement? A. Four-digit PIN B. Hardware tokens C. Fingerprint readers D. USB tokens
C. Fingerprint readers would add biometrics from the something you are factor of authentication as a third factor of authentication. The current system includes methods in the something you have factor (smart cards) and in the something you know factor (passwords), so any solution requires a method that isn't using one of these two factors. A PIN is in the something you know factor. Hardware tokens and USB tokens are in the something you have factor. See Chapter 1.
47. Your organization has issued mobile devices to several key personnel. These devices store sensitive information. What can administrators implement to prevent data loss from these devices if they are stolen? A. Inventory control B. GPS tracking C. Full device encryption D. Geo-tagging
C. Full device encryption helps prevent data loss in the event of theft of a mobile device storing sensitive information. Other security controls (not listed as answers in this question) that help prevent loss of data in this situation are a screen lock, account lockout, and remote wipe capabilities. Inventory control methods help ensure devices aren't lost or stolen. Global positioning system (GPS) tracking helps locate the device. Geo-tagging includes geographical information with pictures posted to social media sites. See Chapter 5.
21. Which of the following provides the largest address space? A. IPv4 B. IPv5 C. IPv6 D. IPv7
C. Internet Protocol version 6 provides the largest address space using 128 bits to define an IP address. IPv4 uses 32 bits. IPv5 uses 64 bits but was never adopted. IPv7 has not been defined. See Chapter 3.
8. You are modifying a configuration file used to authenticate Unix accounts against an external server. The file includes phrases such as DC=Server1 and DC=Com. Which authentication service is the external server using? A. Diameter B. RADIUS C. LDAP D. SAML
C. Lightweight Directory Access Protocol (LDAP) uses X.500-based phrases to identify components such as the domain component (DC). Diameter is an alternative to Remote Authentication Dial-In User Service (RADIUS), but neither of these use X.500-based phrases. Security Assertion Markup Language (SAML) is an Extensible Markup Language (XML) used for web-based single sign-on (SSO) solutions. See Chapter 1.
9. Which of the following choices is an AAA protocol that uses shared secrets as a method of security? A. Kerberos B. SAML C. RADIUS D. MD5
C. Remote Authentication Dial-In User Service (RADIUS) is an authentication, authorization, and accounting (AAA) protocol that uses shared secrets (or passwords) for security. Kerberos uses tickets. SAML provides SSO for web-based applications, but it is not an AAA protocol. MD5 is a hashing protocol, not an AAA protocol. See Chapter 1.
46. Someone stole an executive's smartphone, and the phone includes sensitive data. What should you do to prevent the thief from reading the data? A. Password-protect the phone. B. Encrypt the data on the phone. C. Use remote wipe. D. Track the location of the phone.
C. Remote wipe capabilities can send a remote wipe signal to the phone to delete all the data on the phone, including any cached data. The phone is lost, so it's too late to password-protect or encrypt the data now if these steps weren't completed previously. Although tracking the phone might be useful, it doesn't prevent the thief from reading the data. See Chapter 5.
14. A company recently hired you as a security administrator. You notice that some former accounts used by temporary employees are currently enabled. Which of the following choices is the BEST response? A. Disable all the temporary accounts. B. Disable the temporary accounts you've noticed are enabled. C. Craft a script to identify inactive accounts based on the last time they logged on. D. Set account expiration dates for all accounts when creating them.
C. Running a last logon script allows you to identify inactive accounts, such as accounts that haven't been logged on to in the last 30 days. It's appropriate to disable unused accounts, but it isn't necessarily appropriate to disable all temporary accounts, because some might still be in use. If you disable the accounts you notice, you might disable accounts that some employees are still using, and you might miss some accounts that should be disabled. Setting expiration dates for newly created accounts is a good step, but it doesn't address previously created accounts. See Chapter 2.
11. A manager recently observed an unauthorized person in a secure area, which is protected with a cipher lock door access system. After investigation, he discovered that an authorized employee gave this person the cipher lock code. Which of the following is the BEST response to this issue at the minimum cost? A. Implement a physical security control. B. Install tailgates C. Provide security awareness training. D. Place a guard at the entrance.
C. Security awareness training is often the best response to violations of security policies. If individuals do not abide by the policies after training, management can take disciplinary action. The cipher lock is a physical security control, but it is not effective due to employees bypassing it. Tailgating occurs when one user follows closely behind another user without using credentials and mantraps prevent tailgating, but tailgates are on the back of trucks. Guards can prevent this issue by only allowing authorized personnel in based on facial recognition or identification badges, but at a much higher cost. See Chapter 2 and 11.
50. Your organization was recently attacked, resulting in a data breach, and attackers captured customer data. Management wants to take steps to better protect customer data. Which of the following will BEST support this goal? A. Succession planning and data recovery procedures B. Fault tolerance and redundancy C. Stronger access controls and encryption D. Hashing and digital signatures
C. Strong access controls and encryption are two primary methods of protecting the confidentiality of any data, including customer data. Succession planning and data recovery procedures are part of business continuity. Fault tolerance and redundancy increase the availability of data. Hashing and digital signatures provide integrity. See Chapter 5.
64. You are trying to add additional security controls for a database server that includes customer records and need to justify the cost of $1,000 for these controls. The database includes 2,500 records. Estimates indicate a cost of $300 for each record if an attacker successfully gains access to them. Research indicates that there is a 10 percent possibility of a data breach in the next year. What is the ALE? A. $300 B. $37,500 C. $75,000 D. $750,000
C. The annual loss expectancy (ALE) is $75,000. The single loss expectancy (SLE) is $750,000 ($300 per record × 2,500 records). The annual rate of occurrence (ARO) is 10 percent or .10. You calculate the ALE as SLE × ARO ($750,000 x .10). One single record is $300, but if an attacker can gain access to the database, the attacker can access all 2,500 records. If the ARO was .05, the ALE would be $37,500. See Chapter 8.
86. Personnel within your company are assisting an external auditor perform a security audit. They frequently send documents to the auditor via email and some of these documents contain confidential information. Management wants to implement a solution to reduce the possibility of unintentionally exposing this data. Which of the following is the BEST choice? A. Hash all outbound email containing confidential information. B. Use digital signatures on all outbound email containing confidential information. C. Encrypt all outbound email containing confidential information. D. Implement DLP to scan all outbound email.
C. The best method of preventing unintentional exposure of confidential information is encryption, so encrypting all outbound emails containing confidential information is the best choice. Hashing the emails doesn't protect the confidentiality of the information. Digital signatures provide proof of who sent an email, but don't protect confidentiality. Data loss prevention (DLP) techniques can detect when employees send out some types of data, but block the transmission and would prevent the auditors from getting the data they need. See Chapter 10.
15. An organization supports remote access, allowing users to work from home. However, management wants to ensure that personnel cannot log on to work systems from home during weekends and holidays. Which of the following BEST supports this goal? A. Least privilege B. Need to know C. Time-of-day restrictions D. Mandatory access control
C. Time-of-day restrictions prevent users from logging on during certain times. Least privilege and need to know restrict access to only what the user needs, and these concepts are not associated with time. Mandatory access control uses labels and can restrict access based on need to know, but it is not associated with time. See Chapter 2.
85. You need to ensure data sent over an IP-based network remains confidential. Which of the following provides the BEST solution? A. Stream ciphers B. Block ciphers C. Transport encryption D. Hashing
C. Transport encryption techniques such as Internet Protocol security (IPsec) provide confidentiality. Both stream ciphers and block ciphers can be used by different transport encryption protocols. Hashing provides integrity, but encryption is needed to provide confidentiality. See Chapters 3, 4, and 10.
4. Your organization is planning to implement stronger authentication for remote access users. An updated security policy mandates the use of token-based authentication with a password that changes every 30 seconds. Which of the following choices BEST meets this requirement? A. CHAP B. Smart card C. HOTP D. TOTP
D. A Time-based One-Time Password (TOTP) creates passwords that expire after 30 seconds. An HMAC-based One Time Password (HOTP) creates passwords that do not expire. Challenge Handshake Authentication Protocol uses a nonce (a number used once), but a nonce does not expire after 30 seconds. See Chapter 1.
72. You need to periodically check the configuration of a server and identify any changes. What are you performing? A. Code review B. Design review C. Attack surface review D. Baseline review
D. A baseline review identifies changes from the original deployed configuration. The original configuration is also known as the baseline. A code review checks internally developed software for vulnerabilities. A design review verifies the design of software or applications to ensure they are developed properly. Determining the attack surface is an assessment technique, but it does not identify changes. See Chapter 8.
73. Your organization hired an external security expert to test a web application. The security expert is not given any access to the application interfaces, code, or data. What type of test will the security expert perform? A. Black hat B. White box C. Gray box D. Black box
D. A block box tester doesn't have access to any data prior to a test and this includes application interfaces, code, and data. White box testers would be given full access to the application interfaces, code, and data, and gray box testers would be given some access. Black hat refers to a malicious attacker. See Chapter 8.
79. Your organization is updating its business continuity documents. You're asked to review the communications plans for possible updates. Which of the following should you ensure is included in the communications plan? A. A list of systems to recover in hierarchical order B. Incident response procedures C. List of critical systems and components D. Methods used to respond to media requests, including templates
D. A communications plan will include methods used to respond to media requests, including basic templates. Although not available as a possible answer, it would also include methods used to communicate with response team members, employees, suppliers, and customers. None of the other answers are part of a communications plan. A DRP includes a list of systems to recover in hierarchical order. An incident response plan identifies incident response procedures. A BIA identifies critical systems and components. See Chapter 9.
53. What functions does an HSM include? A. Reduces the risk of employees emailing confidential information outside the organization B. Provides webmail to clients C. Provides full drive encryption D. Generates and stores keys used with servers
D. A hardware security module (HSM) is a removable device that can generate and store RSA keys used with servers for data encryption. A data loss prevention (DLP) device is a device that can reduce the risk of employees emailing confidential information outside the organization. Software as a Service (SaaS) provides software or applications, such as webmail, via the cloud. A Trusted Platform Module (TPM) provides full drive encryption and is included in many laptops. See Chapter 5.
67. Which of the following tools would a security administrator use to identify misconfigured systems within a network? A. Pentest B. Virus scan C. Load test D. Vulnerability scan
D. A vulnerability scan checks systems for potential vulnerabilities, including vulnerabilities related to misconfiguration. Although a penetration test (pentest) can identify misconfigured systems, it also attempts to exploit vulnerabilities on these systems, so it isn't appropriate if you only want to identify the systems. A virus scan identifies malware and a load test determines if a system can handle a load, but neither of these identifies misconfigured systems. See Chapter 8.
68. A security expert is running tests to identify the security posture of a network. However, these tests are not exploiting any weaknesses. Which of the following types of test is the security expert performing? A. Penetration test B. Virus scan C. Port scan D. Vulnerability scan
D. A vulnerability scan identifies the security posture of a network but it does not actually exploit any weaknesses. In contrast, a penetration test attempts to exploit weaknesses. A virus scan searches a system for malware and a port scan identifies open ports, but neither identifies the security posture of an entire network. See Chapter 8.
25. What would administrators typically place at the end of an ACL of a firewall? A. Allow all all B. Timestamp C. Password D. Implicit deny
D. Administrators would place an implicit deny rule at the end of an access control list (ACL) to deny all traffic that hasn't been explicitly allowed. Many firewalls place this rule at the end by default. An allow all all rule explicitly allows all traffic and defeats the purpose of a firewall. Timestamps aren't needed in an ACL. ACLs are in cleartext so should not include passwords. See Chapter 3.
29. Which of the following BEST describes a false negative? A. An IDS falsely indicates a buffer overflow attack occurred. B. Antivirus software reports that a valid application is malware. C. A locked door opens after a power failure. D. An IDS does not detect a buffer overflow attack.
D. An intrusion detection system (IDS) should detect a buffer overflow attack and report it, but if it does not, it is a false negative. If the IDS falsely indicates an attack occurred, it is a false positive. If antivirus software indicates a valid application is malware, it is a false positive. A locked door that opens after a power failure is designed to fail-open. See Chapter 4.
40. You suspect that an executable file on a web server is malicious and includes a zero-day exploit. Which of the following steps can you take to verify your suspicious? A. Perform a code review. B. Perform an architecture review. C. Perform a design review. D. Perform an operating system baseline comparison.
D. An operating system baseline comparison is the best choice of the available answers. It can verify if the file is in the baseline, or was added after the server was deployed. A code review is possible if you have access to the original code, but this isn't easily possible with an executable file. Code reviews look at the code before it is released and architecture reviews look at architecture designs, but neither of these identifies malicious files after a web server has been deployed. See Chapter 5.
83. Your organization is investigating possible methods of sharing encryption keys over a public network. Which of the following is the BEST choice? A. CRL B. PBKDF2 C. Hashing D. ECDHE
D. Elliptic Curve Diffie-Hellman Ephemeral (ECDHE) allows entities to negotiate encryption keys securely over a public network. Password-Based Key Derivation Function 2 (PBKDF2) is a key stretching technique designed to make password cracking more difficult. A certificate revocation list (CRL) identifies revoked certificates and is unrelated to sharing encryption keys. Hashing methods do not support sharing encryption keys over a public network. See Chapter 10.
30. Company management suspects an employee is stealing critical project information and selling it to a competitor. They'd like to identify who is doing this, without compromising any live data. What is the BEST option to meet this goal? A. Install antivirus software on all user systems. B. Implement an IPS. C. Implement an IDS. D. Add fabricated project data on a honeypot.
D. Fabricated data on a honeypot could lure the malicious insider and entice him to access it. Antivirus software blocks malware. An intrusion prevention system (IPS) and an intrusion detection system (IDS) each detect attacks, but won't detect someone accessing data on a server. See Chapter 4.
92. Homer works as a contractor at a company on a one-year renewing contract. After renewing his contract, the company issues him a new smart card. However, he is now having problems digitally signing email or opening encrypted email. What is the MOST likely solution? A. Copy the original certificate to the new smart card. B. Copy his original private key to the new smart card. C. Copy his original public key to the new smart card. D. Publish the certificate in his new smart card.
D. He should publish the certificate in his new smart card in a global address list within the domain. It is not possible for users to copy a certificate, a public key, or a private key to a smart card. See Chapter 10.
1. Lisa hid several plaintext documents within an image file. Which security goal is she pursuing? A. Encryption B. Integrity C. Steganography D. Confidentiality
D. Hiding files in another file is one way to achieve the security goal of confidentiality. In this scenario, Lisa is using steganography as the method by hiding files within a file. Encryption is the best way to achieve confidentiality, but simply hiding files within a file doesn't encrypt the data. Hashing methods and digital signatures provide integrity. See Chapters 1 and 10.
7. A network includes a ticket-granting ticket server used for authentication. What authentication service does this network use? A. TACACS+ B. SAML C. LDAP D. Kerberos
D. Kerberos uses a ticket-granting ticket server, which creates tickets for authentication. Terminal Access Controller Access-Control System Plus (TACACS+) is an authentication service created by Cisco. Security Assertion Markup Language (SAML) is an Extensible Markup Language (XML) used for single sign-on (SSO) solutions. Lightweight Directory Access Protocol (LDAP) is an X.500-based authentication service that can be secured with Transport Layer Security (TLS). See Chapter 1.
35. Which of the following wireless security mechanisms is subject to a spoofing attack? A. WEP B. IV C. WPA2 Enterprise D. MAC address filtering
D. Media access control (MAC) address filtering is vulnerable to spoofing attacks because attackers can easily change MAC addresses on network interface cards (NICs). Wired Equivalent Privacy (WEP) can be cracked using an initialization vector (IV) attack, but not by spoofing. WPA2 Enterprise requires users to enter credentials, so it isn't susceptible to a spoofing attack. See Chapter 4.
89. Bart recently sent out confidential data via email to potential competitors. Management suspects he did so accidentally, but Bart denied sending the data. Management wants to implement a method that would prevent Bart from denying accountability in the future. What are they trying to enforce? A. Confidentiality B. Encryption C. Access control D. Non-repudiation
D. Non-repudiation methods such as digital signatures prevent users from denying they took an action. Encryption methods protect confidentiality. Access control methods protect access to data. See Chapters 1 and 10.
61. An attacker is attempting to write more data into a web application's memory than it can handle. What type of attack is this? A. XSRF B. LDAP injection C. Fuzzing D. Buffer overflow
D. One type of buffer overflow attack attempts to write more data into an application's memory than it can handle. A cross-site request forgery (XSRF) attack attempts to launch attacks with HTML code. Lightweight Directory Application Protocol (LDAP) injection attacks attempt to query directory service databases such as Microsoft Active Directory. Fuzzing inputs random data into an application during testing. See Chapter 7.
81. Your organization is planning to implement videoconferencing, but it wants to protect the confidentiality of the streaming video. Which of the following would BEST meet this need? A. PBKDF2 B. DES C. MD5 D. RC4
D. Rivest Cipher 4 (RC4) is a symmetric encryption stream cipher, and a stream cipher is often the best choice for encrypting data of an unknown size, such as streaming video. Encryption is the best way to ensure the confidentiality of data. Password-Based Key Derivation Function 2 (PBKDF2) is a key stretching technique designed to protect passwords against brute force attempts and is not used for streaming data. Data Encryption Standard (DES) is an older block cipher that is not secure. Message Digest 5 (MD5) is a hashing algorithm used for integrity. See Chapter 10.
28. Which of the following protocols operates on Layer 7 of the OSI model? A. IPv6 B. TCP C. ARP D. SCP
D. Secure Copy (SCP) operates on Layer 7 of the OSI model. IPv6 operates on Layer 3. TCP operates on Layer 4. Address Resolution Protocol (ARP) operates on Layer 3. See Chapter 3.
19. Your organization recently updated its security policy and indicated that Telnet should not be used within the network. Which of the following should be used instead of Telnet? A. SCP B. SFTP C. SSL D. SSH
D. Secure Shell (SSH) is a good alternative to Telnet. SSH encrypts transmissions, whereas Telnet transmits data in cleartext. Secure Copy (SCP) and Secure File Transfer Protocol (SFTP) use SSH to encrypt files sent over the network. See Chapter 3.
20. One of your web servers was recently attacked and you have been tasked with reviewing firewall logs to see if you can determine how an attacker accessed the system remotely. You identified the following port numbers in log entries: 21, 22, 25, 53, 80, 110, 443, and 3389. Which of the following protocols did the attacker MOST likely use? A. Telnet B. HTTPS C. DNS D. RDP
D. The attacker most likely used Remote Desktop Protocol (RDP) over port 3389. Telnet can connect to systems remotely, but it uses port 23 and that isn't one of the listed ports. HTTPS uses port 443 for secure HTTP sessions. DNS uses port 53 for name resolution queries and zone transfers. See Chapter 3.
12. Management recently rewrote the organization's security policy to strengthen passwords created by users. It now states that passwords should support special characters. Which of the following choices is the BEST setting to help the organization achieve this goal? A. History B. Maximum age C. Minimum length D. Complexity
D. The complexity setting is the best answer because it includes using multiple character types, such as special characters, numbers, and uppercase and lowercase letters. The history setting remembers previous passwords and prevents users from reusing them. The maximum age setting forces users to change their password after a set number of days has passed. The minimum length setting forces users to create passwords with a minimum number of characters, such as eight. See Chapter 2.
59. A web developer wants to reduce the chances of an attacker successfully launching XSRF attacks against a web site application. Which of the following provides the BEST protection? A. Client-side input validation B. Web proxy C. Antivirus software D. Server-side input validation
D. Validating and filtering input using server-side input validation can restrict the use of special characters needed in cross-site request forgery (XSRF) attacks. Both server-side and client-side input validation is useful, but client-side input validation can be bypassed, so it should not be used alone. A web proxy can filter URLs, but it cannot validate data. Additionally, web proxies can be used to bypass client-side input validation techniques. Antivirus software cannot detect XSRF attacks. See Chapter 7.
42. An updated security policy identifies authorized applications for company-issued mobile devices. Which of the following would prevent users from installing other applications on these devices? A. Geo-tagging B. Authentication C. ACLs D. Whitelisting
D. Whitelisting identifies authorized software and prevents users from installing or running any other software. Geo-tagging adds location information to media such as photographs, but the scenario only refers to applications. Authentication allows users to prove their identity, such as with a username and password, but isn't relevant in this question. Access control lists (ACLs) are used with routers, firewalls, and files, but do not restrict installation of applications. See Chapter 5.
17. You are configuring a file server used to share files and folders among employees within your organization. However, employees should not be able to access all folders on this server. Which of the following choices is the BEST method to manage security for these folders? A. Assign permissions to each user as needed. B. Wait for users to request permission and then assign the appropriate permissions. C. Delegate authority to assign these permissions. D. Use security groups with appropriate permissions.
D. You can create security groups, place users into these groups, and grant access to the folders by assigning appropriate permissions to the security groups. For example, the security groups might be Sales, Marketing, and HR, and you place users into the appropriate group based on their job. This is an example of using group-based privileges. Waiting for users to ask, and then assigning permissions to users individually has a high administrative overhead. Although delegating authority to assign permissions might work, it doesn't provide the same level of security as centrally managed groups, and without groups, it will still have a high administrative overhead for someone. See Chapter 2.