Security+ Exam Cram
#101: Which of the following is a true statement regarding role-based access control? A. Access rights are first assigned to users. Roles are then associated with those access rights. B. Access rights are first assigned to roles. User accounts are then associated with those access rights. C. Access rights are first assigned to roles. User accounts are then associated with those roles. D. Access rights are first assigned to users. Roles are then associated with those users.
#101: C. In a role-based access control (RBAC) scenario, access rights are first assigned to roles. Then user accounts are associated with those roles, without the direct assignment of resource access rights. The other choices are all incorrect statements, so Answers A, B, and D are incorrect.
#102: Which of the following statements are correct regarding Shibboleth SSO? (Select two.) A. The identity provider (IdP) authenticates the user. B. The service provider (SP) authenticates the user. C. The identity provider (IdP) performs the SSO process for the protected resource. D. The service provider (SP) performs the SSO process for the protected resource.
#102: A and D. Shibboleth works similarly to other SSO systems, and it supports services outside organizational boundaries. The identity provider (IdP) authenticates the user. The service provider (SP), performs the SSO process for the protected resource.
#103: What type of access control is often used in government systems, where resources and access are granted based on categorical assignments such as classified, secret, or top secret? A. Mandatory access control (MAC) B. Discretionary access control (DAC) C. Attribute-based access control (ABAC) D. Role-based access control (RBAC)
#103: A. This type of access control, called MAC, is often used in government systems. Answer B is incorrect because DAC scenarios allow individual resources to be individually made available or secured against access. Access rights are configured at the discretion of the accounts that have the authority over each resource, including the capability to extend administrative rights through the same mechanism. Answer C is incorrect because ABAC is a logical access control model that the Federal Identity, Credential, and Access Management (FICAM) Roadmap recommends as the preferred access control model for information sharing among diverse organizations. ABAC is based on Extensible Access Control Markup Language (XACML). Answer D is incorrect. In a role-based access control (RBAC) scenario, access rights are first assigned to roles. Then accounts are associated with these roles, without the direct assignment of resource access rights.
#104: Which of the following is a symmetric key-based authentication protocol that uses a key distribution center? A. TACACS+ B. Kerberos C. RADIUS D. HSM
#104: B. Kerberos is a symmetric key authentication protocol that has been around for decades and is an open standard. With Kerberos authentication, a client sends its authentication details not to the target server but to a key distribution center (KDC). Answer A is incorrect. TACACS+ is a protocol that handles authentication, authorization, and accounting (AAA) services. It is similar to RADIUS but uses TCP as a transport method; it uses port 49 as the default port. TACACS+ takes a client/server model approach. Answer C is incorrect. The Remote Authentication Dial-In User Service (RADIUS) remote access control system provides authentication and access control in an enterprise network, using UDP transport, to a central network access server. In turn, this provides credentials for client access to resources in the extended enterprise. Answer D is incorrect because the main focuses of hardware security modules (HSMs) are performance and key storage space. HSMs can also enforce separation of duties for key management by separating database and security administration.
#105: Based on the following permissions for a file, which one of the following statements is not true? rwxr----- A. The owner has read, write, and execute permissions. B. The group has read permissions. C. Those other than the owner or group have no permissions. D. Only the group has both read and write permissions.
#105: D. Based on the permissions shown, Answers A, B, and C are all true statements, while answer D is not. The first three permissions represent the owner, which has read, write, and execute permissions. The second three permissions represent the group, which only has read permissions. The third three permissions indicate that everyone else does not have any permissions.
#106: Your organization has established a hierarchical PKI and deployed several CAs in the process. Which one of the following steps should your organization be sure to take? A. Take the root CA offline. B. Take all subordinate CAs offline. C. Take the root CA online. D. Take all subordinate CAs online with the exception of the intermediates.
#106: A. Best practice is to take the root CA offline to reduce the risk of compromise of the entire PKI; thus, answer C is incorrect. Answer B is incorrect because the subordinate CAs are signed by the root CA and should not be taken offline as they need to manage requests. Although subordinate CAs should be online, Answer D is incorrect as it suggests taking the intermediates offline, which are the same as the subordinates
#107: What type of key goes into key escrow? A. Public B. Shared C. Private D. Session
#107: C. Confidential secret or private keys go into key escrow. Public keys are known and have no need for escrow, so answer A is incorrect. A shared key or session key (for single use) is a key that performs both encryption and decryption and would not be usable if left in key escrow.
#108: Your organization has developed a custom application that requires a check for the validity of digital certificates even when the Internet is not available. Which of the following meets this requirement? A. CRL B. OCSP C. SAN D. CPS
#108: A. CRL provides a mechanism to ensure the validity of digital certificates by using a list that must be updated every two weeks. Answer B is incorrect. While OCSP also checks for certificate validity, it works in real time and requires Internet access. Answer C is incorrect because SAN is a type of certificate that takes advantage of the subject alternate name extension. A CPS is a legal document that a CA creates and publishes, so Answer D is incorrect.
#109: Which of the following types of certificates allows you to digitally sign and encrypt email messages and attachments? A. DER B. PFX C. Self-signed D. S/MIME
#109: D. S/MIME (Secure/Multipurpose Internet Mail Extensions) is a protocol that allows you to encrypt email messages and attachments and digitally sign them. Answers A and B are incorrect because distinguished encoding rules (DER) and personal information exchange (PFX) are certificate formats/extensions. Answer C is incorrect because self-signed certificates are often used for testing purposes or when trust is not a concern.
#110: A security analyst identifies malware that is traced back to the IP address 93.184.216.34. Which one of the following tools might the security analyst use to determine if an active connection to that IP address still resides on the infected system? A. tracert B. ping C. netstat D. nslookup
#110: C. netstat is a command-line utility that displays incoming and outgoing network connections. Answer A is incorrect because tracert would show the path or hops taken from the infected system to the IP address. Answer B is incorrect because ping would show the analyst if the remote IP address is potentially still alive and responding to requests. Answer D is incorrect because this is a tool for querying DNS servers.
#111: Which of the following commands would you use to look for failure or warning errors in /var/log/secure? A. logger "failure or warning" /var/log/secure B. grep 'failure\warning' /var/log/secure C. head -n 15 errors D. cat failure warning
#111: B. grep searches in files, looking for desired data, based on patterns or regular expressions. In this example, grep is looking for either the word failure or the word warning in /var/log/secure. Answer A is incorrect because logger is used to write to the log file, and in this case it would write to the local log file the text contained between the quotes. Answer C is incorrect because head returns the beginning of a file, and this would return the first 15 lines in the file named errors. Answer D is incorrect because this command would concatenate the two files together.
#112: Which of the following utilities would result in the following output? HTTP/1.1 400 Bad Request Date: Thu, 21 May 2020 04:17:05 GMT Server: Apache/2.4.29 (Ubuntu) Content-Length: 319 Connection: close Content-Type: text/html; charset=iso-8859-1 A. Netcat B. ping C. nslookup D. route
#112: A. Netcat can be used to grab website banners, and in this case, the website Netcat acquired on port 80 is running Apache web server 2.4.29 on Ubuntu. Answers B, C, and D are incorrect because ping, nslookup, and route would not return this information
#113: Which of the following is a software tool used to examine hard drives and mobile devices for evidence recovery? A. tcpdump B. Wireshark C. John the Ripper D. Autopsy
#113: D. Autopsy is a forensics software tool used to examine hard drives and mobile devices for evidence recovery. Answer A is incorrect because the tcpdump utility is a command-line packet analyzer tool that captures TCP/IP packets sent and received. Answer B is incorrect because Wireshark is a well-known packet analyzer that is similar to tcpdump but that provides a graphical user interface. Answer C is incorrect because John the Ripper is a password-cracking tool.
#114: Your rapid response team has been alerted about and identified a highly dangerous virus on a couple systems in one of your subnets. What step should your team take next? A. Identification B. Containment C. Recovery D. Eradication
#114: B. The team now knows that the virus has been identified and should seek to contain or isolate the virus to prevent its spread. If the team fails to contain the virus, it needs to take mitigating actions. Answer A is incorrect because the team has already identified the virus. As a result, answers C and D are incorrect. Eradication and then recovery would typically follow containment.
#115: Which of the following stakeholders are typically notified first when a confirmed incident has occurred? (Select two.) A. Press B. CISO C. End users D. Legal
#115: B and D. The exact reporting requirements vary among organizations, but parties that are typically notified include the chief information officer (CIO), chief information security officer (CISO), other internal incident response team members, human resources officers, public affairs personnel, the legal department, and law enforcement officers, when necessary. Answer A is incorrect because the press is not normally notified when an incident occurs. Answer C is incorrect because the end users are not normally notified initially when an incident occurs.
#116: What is the term given to a framework or model outlining the phases of attack to help security personnel defend their systems and respond to attacks? A. Command and control B. Intrusion kill chain C. Cyber-incident response D. CIRT
#116: B. An intrusion kill chain is often used to describe the stages of a cyberattack; it also helps security teams defend their systems and helps incident response teams respond to attacks. Answers A, C, and D are incorrect. Command and control usually represents a stage of an attack in which the attacker tries to gain remote capabilities. Cyber-incident response would certainly respond to incidents but does not represent a framework or model attack phase. Similarly, CIRT is the acronym for cyberincident response team.
#117: Which of the following is a written document that defines how an organization will recover from a disaster and how to restore business with minimal delay? A. Tabletop agreement B. Service-level agreement C. Disaster recovery policy D. Disaster recovery plan
#117: D. A disaster recovery plan is a written document that defines how the organization will recover from a disaster and how to restore business with minimal delay. The document also explains how to evaluate risks; how data backup and restoration procedures work; and the training required for managers, administrators, and users. Answer A is incorrect and invalid. However, in tabletop exercises, the appropriate individuals and teams are brought together for a discussion. In an exercise on a customer data breach, for example, the group members would discuss their individual roles and how they would coordinate. Answer B is incorrect because service-level agreements (SLAs) are contracts with ISPs, utilities, facilities managers, and other suppliers that detail the minimum levels of support that must be provided during a failure or disaster. Answer C is incorrect because a disaster recovery policy details the responsibilities and procedures to follow during disaster recovery events, including how to contact key employees, vendors, customers, and the press.
#118: What is the term for tying individual events together to provide meaningful alerts? A. Event correlation B. Alert respondence C. Event mutuality D. Alert aggregation
#118: A. Event correlation, often performed by security tools such as a SIEM system, provides the ability to tie together individual log entries from across systems into meaningful and actionable alerts. Answers B, C, and D are incorrect.
#119: You have been tasked with setting up a remote logging facility to send logs from various applications and network devices. Which of the following is the best choice? A. sFlow B. journalctl C. Syslog D. NetFlow
#119: C. A syslog server can listen for clients, thus acting as a remote logging facility. Answer B is incorrect as journalctl is only used to query journald. journald is a logging service, but it is not capable of logging to remote locations. Answers A and D are incorrect because these are both related to monitoring network flow packets.
#120: Which of the following provides information about other data? A. nxlog B. SNMP C. syslog-ng D. Metadata
#120: D. Metadata is data that provides information about other data. Metadata is useful in regard to investigations, and practically everything digital contains metadata, including files and email. Answer A is incorrect because nxlog is used for centralized logging across various platforms and supports a myriad of different log types and formats. Answer B is incorrect because Simple Network Management Protocol (SNMP) is an application layer protocol whose purpose is to collect statistics from TCP/IP devices. Answer C is incorrect because syslog-ng is a log management solution that helps improve the performance of a SIEM system.
#121: Your administrators remotely access web servers in the DMZ only from the internal network over SSH. However, these servers have come under attack via SSH from the IP address 93.184.216.34. Which of the following should you do to stop this attack? A. Configure a rule to block outbound SSH requests to 93.184.216.34 B. Shut down the SSH service on all web servers C. Add a rule to block inbound requests on port 22 D. Add a rule to block port 21 inbound requests from 93.184.216.34
#121: C. Because your administrators access the servers from the internal network, you don't need to worry about preventing valid access on SSH port 22 from the outside. As a result, you should just close all inbound requests. Answer B wouldn't allow the administrators to access the systems even internally. The port for SSH is 22 and not port 21, which is FTP. Answers A, B, and D are incorrect.
#122: Your organization was recently the victim of a large-scale phishing attack. Your manager has tasked you with automating response to quickly notify users and, if feasible, automatically block outbound requests to the attacker's web page. Which of the following will accomplish this goal? A. Email the users to warn them of the phishing attack B. Update URL filters to block the site the phishing attack points to C. Email the users to warn them of the phishing attack and send an email to the security administrator to have him configure a URL filter to block the site that the phishing attack points to D. Implement SOAR or workflows to trigger emails to users and to use threat intelligence to automatically configure URL filters to block the attacker's site
#122: D. A SOAR platform provides orchestration and automation across systems and would accomplish the goal of automatically providing these functions when tied in with the other systems. Answers A and B are only partial solutions, and answer C doesn't achieve the goal of automation.
#123: Which of the following are benefits of application allow lists? (Select two.) A. Prevents users and attackers from executing unauthorized applications B. Allows end users to freely use any application that has not been explicitly denied C. Allows organizations to maintain strict control over applications employees can use D. Blocks specific applications from being executed
#123: A and C. An 'application allow' list describes what applications can be launched. It thus prevents the execution of unauthorized applications, which are all applications that are not explicitly allowed. Answers B and D describe the explicit block as a result of block/deny list and are incorrect answer choices.
#124: Organize the following items from the most volatile to the least volatile: removable media, main memory, hard drive, and cache. A. Removable media, main memory, hard drive, cache B. Main memory, hard drive, main memory, cache C. Cache, main memory, hard drive, removable media D. Cache, hard drive, main memory, removable media
#124: C. The correct order, from most volatile to least volatile, is cache, main memory, hard drive, removable media. Keep in mind that a hard drive is considered secondary memory.
#125: What are the five properties required for evidence to be useful? A. Objectionable, authentic, closed, mendacious, and genuine B. Didactic, authentic, complete, reliable, and believable C. Admissible, spurious, contrived, untried, and questionable D. Admissible, authentic, complete, reliable, and believable
#125: D. For evidence to be useful, it must have five properties: admissible, authentic, complete, reliable, and believable.
#126: Evidence from a recent breach consists of marked tags that indicate who was in possession of evidence on a given date and time. Which of the following does this represent? A. Chain of custody B. Time offset C. Data acquisition D. Order of volatility
#126: A. The chain of custody provides a clear record of the path evidence takes from acquisition to disposal. Answer B is incorrect because time offset is recorded against a verified time standard. Answer C is incorrect because data acquisition is specific to gathering data or copying data to an image or other media. Answer D is incorrect because the order of volatility has to do with first capturing the data that is most volatile.
#127: Which of the following are functional control types? (Select three.) A. Deterrent B. Preventive C. Compensating D. Detective
#127: A, B, and D. Functional controls can be deterrent, preventive, detective, and corrective controls. Compensating controls are alternative controls put in place to reduce the risk of an existing or potential control weakness. Thus, answer C is incorrect.
#128: A recent audit revealed that most of the organization is not properly handling sensitive data correctly. To address this shortcoming, your organization is implementing computer security awareness training. What type of control is this? A. Logical B. Administrative C. Detective D. Physical
#128: B. This is an example of a managerial or administrative control. Answers A, C, and D are incorrect. While technical controls such as data classification systems and DLP can help address this situation, security awareness training is not of a technical or logical nature. Awareness training can serve a functional use (for example, deterrent, preventive, detective, or corrective), but given the situation, this was not a detective functional control.
#129: Which of the following are the most compelling reasons that secure configuration baselines have been established? (Select three.) A. Industry representatives B. Organizational requests C. Government mandates D. Regulatory bodies
#129: A, C, and D. Security baselines are often established by government mandates, regulatory bodies, or industry representatives. For example, think of the PCI DSS requirements established by the credit card industry for businesses that collect and transact using credit information. Answer B is incorrect because organizational requests are merely requests, and security baselines are often established to comply with some type of regulation or standard.
#130: Your organization is looking to move the internally developed and managed HR system to a SaaS vendor. Which of the following should you request from the vendor? A. SOX report B. COBIT C. SOC 2 report D. Benchmark guides
#130: C. A SOC 2 report provides evidence to a third-party attestation around the service provider's security controls. Answer A is incorrect because SOX is a regulatory standard governing financial accounting. Answer B is incorrect because COBIT provides a set of best practices for IT management. Answer D is incorrect because benchmark guides are usually available to anyone and only serve as guides, though they still need to be followed.
#131: Say that you work for a cloud service provider. Prior to signing off on a purchase order for a new security cloud service, a prospective customer wants to understand the nature of what you are providing and what levels of service in regard to performance and uptime your service offers. What should you provide the prospective customer? A. ISA B. MOU C. BPA D. SLA
#131: D. A service-level agreement (SLA) is a contract between a service provider and a customer that specifies the nature of the service to be provided and the level of service that the provider will offer to the customer. An SLA often contains technical and performance parameters, such as response time and uptime, but it generally does not include security measures. Answers A, B, and C are also types of interoperability agreements, but they are not applicable in this case.
#132: Which of the following legally binding controls should you consider in order to protect sensitive information from being improperly disclosed by a third-party vendor you are hiring for consulting work in the organization? A. DLP B. SOP C. Separation of duties D. NDA
#132: D. A nondisclosure agreement (NDA) is a legally binding document that organizations might require of both their own employees and anyone else who comes into contact with confidential information, including vendors, consultants, and contractors. The purpose of an NDA is to protect an organization's intellectual property and trade secrets. While data loss prevention (DLP) can help protect an organization's data from being improperly disclosed, DLP is a program related to technical controls rather than a legally binding contract. Thus, answer A is incorrect. Answer B is incorrect as standard operating procedures (SOP) specify step-step-instructions for a task. Answer C is incorrect as this would help protect all areas of control being assigned to a single person.
#133: Your organization currently runs an operating system for which software developed after the end of last month may no longer work or even be installable. Which of the following best describes this milestone for the operating system? A. ISA B. EOL C. NDA D. MOU
#133: B. End of life (EOL) marks the end of a product's life cycle that began with the product first being generally available. While security patches may still be offered, the vendor does not provide for new features or continued compatibility. Answer A is incorrect because an ISA is an agreement between organizations that have connected or shared IT systems. Answer C is incorrect because an NDA is a legally binding document that organizations might require of both their own employees and anyone else who comes into contact with confidential information. Answer D is incorrect because an MOU is a document that outlines the terms and details of an agreement between parties, including each party's requirements and responsibilities.
#134: Which of the following is the monetary loss that can be expected for an asset from risk over a year? A. ALE B. SLE C. ARO D. BIA
#134: A. The annual loss expectancy (ALE) is the expected monetary loss that can be expected for an asset from risk over a one-year period. It is calculated by multiplying the single loss expectancy by the annual rate of occurrence (SLE × ARO). Therefore, answers B and C are incorrect. Answer D is incorrect because this is a business impact analysis, which is the process for determining potential impacts resulting from the interruption of business processes.
#135: Your manager needs to know, for budgetary purposes, the average life span for each of the firewall appliances. Which of the following should you provide? A. MTBF B. RPO C. RTO D. MTTF
#135: D. The mean time to failure is the length of time a device or product is expected to last in operation. It represents how long a product can reasonably be expected to perform, based on specific testing. Answer A is incorrect because the mean time between failures (MTBF) is the average amount of time that passes between hardware component failures, excluding time spent repairing components or waiting for repairs. Answers B and C are incorrect because RPO and RTO are used for risk mitigation planning. The recovery point objective (RPO) specifies the allowable data loss. The recovery time objective (RTO) is the amount of time within which a process must be restored after a disaster to meet business continuity requirements.
#136: An organization is increasingly subject to compliance regulations and is making strong efforts to comply with them but is still concerned about issues that might occur. Management decides to buy insurance to help cover the costs of a potential breach. Which of the following risk response techniques is the organization using? A. Avoidance B. Transference C. Acceptance D. Mitigation
#136: B. Insurance is a classic example of transferring risk. Answers A, C, and D are incorrect because although these are all methods of transferring risk, none of them transfers the risk from one organization to another.
#137: Which of the following equations best represents the proper assessment of exposure to danger? A. Risk = Threat × Vulnerability × Impact B. Impact = Risk × Threat × Vulnerability C. Vulnerability = Threat × Risk × Impact D. Threat = Risk × Impact × Vulnerability
#137: A. Risk is a function of threats, vulnerabilities, and potential impact. Assessing the level of risk is often portrayed through the simple equation Risk = Threat × Vulnerability × Impact. Answers B, C, and D are incorrect because threat, vulnerability, and impact are considered together to provide an appropriate measure of risk.
#138: Your organization uses the private and public labels to classify data, as the internal security policy details how data should be protected based on the classification label. The decision was made to add an additional "proprietary" label. Which is the most likely reason this was done? A. To create more searchable data B. To provide better data classification C. To clarify data that should not be shared outside the organization D. To reduce costs
#138: B. This additional level of classification will help differentiate how data should be protected. While it could help make data more searchable, the question indicates that it's related to the policy for how data should be protected. Thus, answer A is incorrect. Answer C is incorrect because proprietary data may still be shared outside the organization. Answer D is also incorrect because there may arguably be an indirect cost reduction as a result, but this is not the most appropriate choice, given the question.
#139: Which one of the following is responsible for implementing the data classification and security controls? A. Data owner B. Data custodian C. Data privacy officer D. Data controller
#139: B. The data custodian is responsible for implementing the data classification and security controls, given the classification determined by the data owner. The data custodian is also known as the data steward. Answers A, C, and D are incorrect. The owner is responsible for determining the classification level of the data. The data privacy officer (DPO) is responsible for legal compliance with regulations. The controller is the manager of personal data according to General Data Protection Regulation (GDPR).
#140: Which data classification type contains data that would have a severe impact to the organization were it exposed, that should not be broadly shared internally or externally, and that should be tightly controlled? A. Public B. Proprietary C. Confidential D. Sensitive
#140: D. Data that is classified as sensitive would have a severe impact to an organization if it were exposed. It typically should not be broadly shared internally or externally. Access to sensitive data should be limited and tightly controlled. Answer A is incorrect. Public data is non-sensitive data that has the least, if any, negative impact on the organization. Answer B is incorrect. Proprietary data often includes information that is exchanged with prospective customers and business partners. Answer C is incorrect. Confidential data might cause damage to the organization if it were exposed. It might be widely distributed within an organization but is typically reserved for employees only and should not be shared outside.
#34. A ______ team is ______, and a ______ team is ______. A. blue, offensive, red, defensive B. red, offensive, blue, defensive C. red, offensive, white, defensive D. white offensive, blue defensive
#34: B. In teaming exercises, red teams are offensive, and blue teams are defensive. Answer A is incorrect. Answers C and D are also incorrect, as white teams are neutral.
#69. Which one of the following ports would block outgoing email? A. 25 B. 110 C. 443 D. 22
#69: A. Port 25 would block outgoing email. This is the unsecured port for SMTP, which sends mail. Answer B is incorrect as this is the port for POP3, which is used to retrieve email. Answer C is incorrect, as this is the port for secure web access over HTTPS. Answer D is incorrect, as this is the port used for SSH and SFTP.
#100: Which of the following use SAML? (Select two.) A. Secure token B. OpenID C. OAuth D. LDAP
#100: B and C. OpenID and OAuth are both federated services that use SAML technology. These technologies do use secure tokens for authentication, but secure tokens don't necessarily use SAML, so Answer A is incorrect. Answer D is incorrect as this is a directory service that does not specifically use SAML.
#10. Which of the following attacks often occurs when security configurations are not updated? A. Birthday B. Downgrade C. Spraying D. Skimming
#10: B. A downgrade attack may occur when security configurations are not being updated. Often this stems from the desire to maintain backward compatibility. Answer A is incorrect because a birthday attack is a cryptographic method of attack against a secure hash. It is based on what is known as the birthday paradox. Answer C is incorrect. Password spraying is an attack that attempts to access a large number of user accounts with a very small number of commonly used passwords. Answer D is incorrect because skimming involves copying data from a card (ATM or other) by using a specialized terminal. The card can subsequently be cloned, by encoding a blank card with the stolen data.
#12. Which of the following attacks can be related to the length of a variable in an input not being properly checked and contained by an application? A. Input validation B. Shimming C. Buffer overflow D. Privilege escalation
#12: C. A buffer overflow may result from the length of a variable in an input not properly being checked and contained by an application. Answer B is incorrect. Shimming is a device driver manipulation technique. Answer D is incorrect as privilege escalation occurs when an attacker is able to gain elevated access to areas that otherwise should be restricted. Answer A is incorrect. Input validation is a solution to prevent a buffer overflow by ensuring that input variables are properly formatted.
#39. Which of the following should be part of the configuration management process? (Select three.) A. HSM B. Diagrams C. Standard naming conventions D. IP schema
#39: B, C, and D. Diagrams, standard naming conventions, IP schema, and baseline configurations should all be part of the configuration management process. Answer A is incorrect as a hardware security module is a device used to protect and manage the keys required as part of an encryption or ecryption operation.
#55. Which one of the following best describes an outcome of vendor diversity? A. Lack of innovation B. Rigidity C. Resiliency D. Greater risk
#55: C. Vendor diversity provides an organization with resiliency. Answers A, B, and D are associated with a lack of vendor diversity and not with having a diverse set of vendors to rely on.
#83: Your users are all connected to a wireless access point using WPA2-PSK. Your manager wants you to confirm what cryptographic standard is being used. Which of the following is most likely? A. AES B. DES C. MD5 D. WEP
#83: A. The correct answer is AES. WPA2 introduced the use of Advanced Encryption Standard (AES) for encryption. Answer B is incorrect as DES is a deprecated algorithm. Answer C is incorrect as MD5 is a hashing algorithm. Answer D is incorrect as WEP is the original wireless encryption mechanism but is rarely used today due various security issues.
#88: As more users are using mobile devices for work, you have been tasked with supporting the compliance team by ensuring that policies can be enforced. You also need remote management capabilities of the devices. Which of the following solutions should you consider? A. GPS B. MDM C. OTP D. PIN
#88: B. A mobile device management (MDM) solution helps with management of mobile devices, including remote management capabilities as well as policy enforcement. Answer A is incorrect because GPS relies on satellite technology to provide location services. Answers C and D are both incorrect but are important to ensuring authentication to the device and applications: OTP is a one-time password, usually for applications, and a PIN provides a means to authenticate into the device.
#97: What is the term for disabling, deactivating, or deleting a user identity from the environment based on company policy when the user leaves the company? A. Least privilege B. IdP C. Onboarding D. Offboarding
#97: D. Offboarding means that identities of users who no longer require access to the environment are disabled or deactivated and then deleted from the environment, based on organizational policy. Onboarding is the opposite process, so answer C is incorrect. Answer A is incorrect because least privilege is an access control practice in which a logon is provided only the minimum access to the resources required to perform its tasks. Answer B is incorrect because the organization creating and managing identity, known as the identity provider (IdP), is responsible for authenticating the identity.
#11. An attacker exploited an interactive process in a recently developed and deployed application and was able to gain access to areas of the application from which users are otherwise restricted. Which of the following best describes what occurred? A. Driver manipulation B. Directory traversal C. Buffer overflow D. Privilege escalation
#11: D. Privilege escalation occurs when an attacker is able to gain elevated access to areas that otherwise should be restricted. Although a buffer overflow may lead to privilege escalation, it's not clear from the question that this is the best description, and so answer C is incorrect. Answer A is incorrect. Driver manipulation is done to improve performance, compatibility, or security of device drivers, and it is sometimes used by attackers with malicious intent. Answer B is incorrect. Directory traversal provides a user or an attacker the ability to list and navigate a web server or an operating system's filesystem.
#13. A security analyst discovered on the dark web a text file containing a list of usernames along with many other attributes belonging to the organization. A review of the web server access logs reveals the following requests: https://example.com/loadImage?filename=../../scripts https://example.com/loadImage?filename=.//.//.//etc/shadow https://example.com/loadImage?filename=../../../etc/passwd What type of attack occurred? A. Cross-site scripting B. Refactoring C. Race condition D. Directory traversal
#13: D. Directory traversal can expose system directories and files. The logs reveal someone making requests to try to access system files from the web server's base directory. Answer A is incorrect because cross-site scripting is a code injection technique that uses client-side scripts. Answer B is incorrect because refactoring is a driver manipulation technique. Answer C is incorrect. A race condition relates to the way a program executes sequences of code.
#14. Which of the following can a race condition result in? (Select three.) A. Extensively Marked-Up Language B. System crash C. Unauthorized access D. Privilege escalation
#14: B, C, and D. A race condition exploits a small window of time in which one action impacts another. These out-of-sequence actions can result in a system crash, loss of data, unauthorized access, and privilege escalation. Answer A is incorrect and invalid because the proper term is Extensible Markup Language (XML), which is a text-based markup language that is both machine and human readable.
#15. An attacker removes the encryption between a client and a website server and then establishes a secure connection between himself and the server. What is this technique called? A. Replay B. Integer overflow C. SSL stripping D. Cross-site request forgery
#15: C. With Secure Sockets Layer (SSL) stripping, an attacker strips or removes the encryption between the client and the website. Acting as a proxy or middleman, the attacker establishes a secure connection between himself and the server. Answer A is incorrect because in a replay attack, packets are captured by using sniffers. After the pertinent information is extracted, the packets are placed back on the network. Answer B is incorrect. An integer overflow is specific to whole numbers, known as integers. For example, 12 is an integer, but 12.1 is not. When programs do not carefully account for integer overflows, undesirable behaviors and consequences can occur. Answer D is incorrect. A cross-site request forgery (CSRF) causes end users to execute an unwanted action on sites they are already logged in to. The attacker prepares a specially crafted URL that is client-side-initiated from the web browser
#16. The sales team reports that when it was traveling recently, team members received unsolicited photos to their mobile devices at the airport. Which of the following occurred? A. Bluesnarfing B. Bluejacking C. On-path attack D. Deauthentication
#16: B. Bluejacking involves the receipt of unsolicited photos or messages on a Bluetooth-enabled device from a nearby device. Bluesnarfing is also a Bluetooth attack, but it involves unauthorized pairing and access to the device, so answer A is incorrect. Answer C is incorrect. An on-path attack occurs when an attacker intercepts traffic between two parties. Answer D is incorrect as deauthentication refers to a frame being received when access points are disconnected.
#17. Which of the following is an attack that affects data availability? A. Rogue AP B. MAC address C. On-path attack D. DDoS attack
#17: D. A distributed denial-of-service (DDoS) attack is an attack from multiple infected systems that seeks to disrupt the victim, often affecting the ability of the system to respond and making the services and data unavailable. Answers A and C are incorrect, as a rogue access point and an on-path attack would still provide for availability but would compromise confidentiality. Answer B is incorrect as a MAC address is not an attack but a factory-assigned address for a network interface.
#51. The business units you represent are complaining that there are too many applications for which they need to remember unique complex passwords. This is leading many to write down their passwords. Which of the following should you implement? A. TOTP B. HOTP C. MFA D. SSO
#51: D. SSO refers to single sign-on capabilities. With SSO, a user can log in to multiple applications during a session after authenticating only once. Answers A, B, and C are incorrect. These all refer to multifactor authentication and the use of one-time passwords.
#52. Which of the following measures the likelihood that an access system will wrongly accept an access attempt and allow access to an unauthorized user? A. FRR B. FAR C. CER D. CAC
#52: B. The false acceptance rate (FAR) measures the likelihood that an access system will wrongly accept an access attempt (in other words, allow access to an unauthorized user). Answer A is incorrect because the false rejection rate (FRR) is the percentage of identification instances in which false rejection occurs. Answer C is incorrect. The crossover error rate (CER) is the percentage of times the FAR and FRR are equal. Answer D is incorrect because a Common Access Card (CAC) is a smart card used in military, reserve officer, and military contractor identity authentication systems.
#53. Which of the following RAID configurations can be configured with only two drives? (Select all that apply.) A. Raid 0 B. Raid 1 C. Raid 3 D. Raid 5
#53: A and B. RAID 0 and RAID 1 both have a two-drive minimum. The other two choices, C and D, are incorrect as RAID 3 and RAID 5 have a three-drive minimum.
#54. A weekly full backup is performed on a system every Sunday at 1 a.m., and differential backups are performed daily at 1 a.m. If the system is restored on Wednesday at 3 p.m., how many of the individual backups are required to completely restore the system? A. 1 B. 2 C. 3 D. 4
#54: B. A differential backup will require two tapes to completely restore the system: the full tape backup from Sunday and the differential tape backup from Wednesday. Answer A is incorrect. If you use only the tape from Sunday, you will still be missing the data between that tape and the differential tape from Wednesday.
#64. Which of the following is a type of barricade used to prevent unauthorized vehicles from entering an area? A. Screened subnet B. Faraday cage C. SIPRNET D. Bollard
#64: D. A barricade used in many environments is a bollard, a short post that prevents vehicles from entering an area. Answer A is incorrect because a screened subnet is an isolated network that sits between the public Internet and a private internal network. Answer B is incorrect because a Faraday cage is a well-grounded metal box of conductive material used to protect electronic equipment from eavesdropping. Answer C is incorrect because Secure Internet Protocol Router Network (SIPRNET) is a private government-run network used for exchanging sensitive information in a secure manner.
#65. Which of the following attacks would be rendered ineffective by the use of salting? A. Hash B. Brute force C. Dictionary D. Rainbow table
#65: D. A rainbow table attack can be rendered ineffective by salting, which defends against precomputed hash values. Dictionary and brute-force attacks don't necessarily rely on precomputed hash values. Thus, answers B and C are incorrect. Answer A is incorrect because a hash is not a type of attack but instead describes a function.
#76. Which of the following is a white-box testing process for detecting bugs in the early stages of program development? A. Dynamic analysis B. Static analysis C. Fuzzing D. Sandboxing
#76: B. Static analysis is a white-box software testing process for detecting bugs. Static analysis is a thorough approach to bug detection in the early stages of program development. Answers A and C are incorrect because dynamic analysis is done while a program is in operation. Dynamic analysis uses a technique called fuzzing, which is a black-box software-testing process in which semi-random data is injected into a program or protocol stack to detect bugs. Answer D is incorrect. Sandboxing allows programs and processes to be run in an isolated environment in order to limit access to files and the host system.
#77. Your company will have a new branch office. You need to seamlessly provide branch office users access to the corporate network resources as if they were at the corporate offices. Which of the following would best enable you to accomplish this goal? A. VLANs B. Site-to-site VPN C. Spanning Tree Protocol D. Screened subnet
#77: B. Besides being configured to secure traffic between a remote user and the corporate network, a VPN can be configured as a site-to-site VPN. Answer A is incorrect, as VLANs are logical separations of a physical network. Answer C is incorrect. Spanning Tree Protocol is a link-management protocol that provides path redundancy. Answer D is incorrect. A screened subnet is a subnetwork where an organization places externally facing servers.
#78: You are consulting for an organization that has only ever required outbound Internet access. The organization now needs to deploy a web server for its customers (and it will maintain the web server) but is concerned about inbound access to the organization network. Which one of the following should you recommend? A. VLAN B. VPN C. Load balancer D. Screened subnet
#78: D. A screened subnet is the best choice as it would allow the organization to expose a web server to the public yet have it isolated from the internal network via a logical subnetwork. Answers A and B are incorrect. VLANs are logical separations of a physical network. A VPN would provide for secure remote access into internal resources for the employees. Answer C is incorrect. While a load balancer can be used to manage the traffic to the organization's website and may be something the organization wants to consider, it does not meet the need to prevent inbound access to the network.
#87: Which of the following enables the use of location services for applications on mobile devices? A. BYOD B. GPS C. MMS D. OTA
#87: B. GPS services built into mobile devices provide a number of useful services related to the location of the device. Answer A is incorrect because bring your own device (BYOD) is a model for allowing users to use their own devices in the workplace. Answer C is incorrect because MMS is used to send multimedia via text. Answer D is incorrect because OTA is a mechanism for updating software over the air.
#89: Which of the following are deployment strategies for mobile devices? (Select three.) A. BYOD B. CYOD C. COPE D. BYOB
#89: A, B, and C are correct. BYOD, COPE, and CYOD are all deployment strategies for mobile devices in organizations. Answer D is not a mobile device deployment strategy, and thus it is incorrect.
#8. Which of the following are unique characteristics of a rainbow table attack but not of a brute-force attack? (Select two.) A. This attack doesn't require the hashed passwords. B. This attack involves precomputed hash values. C. This attack must be conducted online. D. This attack circumvents account lockout restrictions.
#8: B and D. A rainbow table is a large set of precomputed hash values used to reverse cryptographic hash functions, and such an attack may be performed offline. Answer A is incorrect, as the attack needs the hashed password values in order to do a lookup or search. Answer C is incorrect as rainbow table attacks may be performed offline.
#90: What device security methods can be implemented to protect business content from security risks associated with personal usage? (Select two.) A. Jailbreaking B. Storage segmentation C. Containerization D. Rooting
#90: B and C are correct. Storage segmentation and containerization separate personal and business content on a device. They are necessary when an organization has a BYOD policy. These approaches are used in conjunction with MAM as a way to apply policies to mobile devices. Answers A and D are incorrect; illegally gaining administrative privileges on Apple iOS is called jailbreaking and on Android devices is called rooting.
#91: What feature enables users to secure sensitive information on a mobile device's removable flash memory storage card? A. FDE B. UEM C. OTA updates D. VDI
#91: A. Full device encryption (FDE) enables users to secure sensitive information on a mobile device's removable flash memory storage card. Answer B is incorrect because unified endpoint management (UEM) is a newer security approach that focuses on managing and securing all devices, including desktops, laptops, tablets, and smartphones, from a single location. Answer C is incorrect because mobile devices have the capability to receive and install over-the-air (OTA) systems and application updates that are pushed over Wi-Fi to devices. Answer D is incorrect because virtual desktop infrastructure (VDI) is the process by which an organization hosts virtual desktops on a centralized server.
#92: A user does not have an identity-based policy and requires access to a storage resource but is denied access. Which of the following do you need to do in order to allow him access? A. Assign an identity-based policy to the user to allow access B. Assign an override for any deny attribute in the identity-based policy C. Remove the deny from the resource-based policy D. Change the deny to an allow permission on the resource-based policy
#92: D. An explicit deny prevents access and overrides any allow statement. The deny needs to be removed. Because the user doesn't have an identity-based policy, the allow permission on the resource also needs to be granted. Answer A is incorrect because the explicit deny still overrides the allow. Answer B is incorrect, as explicit denies take precedent and there is no such option for an override attribute. Answer C is incorrect, as by default without any policies assigned, the user does not have access.
#93: You need to block SSH inbound traffic on a virtual instance. Which of the following would accomplish this goal? A. Assign an explicit inbound block rule for port 22 on the security group. B. Assign a resource-based policy on the instance to block port 22. C. Remove the inbound allow rule from the security group for port 22. D. Remove the resource-based policy on the instance allowing port 22.
#93: C. Remove the inbound rule that allows port 22 from the security group. This rule is enabled by default. Security groups do not block traffic. They only allow specific traffic, so answer A is incorrect. Finally, resource-based policies do not pertain to network traffic, so answers B and D are incorrect.
#94: Which of the following allows a VPC to be connected with other services without the need for additional technologies such as a VPN connection or an Internet gateway? A. CASB B. SWG C. VPC endpoint D. DevSecOps
#94: C. A virtual private cloud (VPC) endpoint allows a VPC to be connected with other services without the need for additional technologies such as a VPN connection or an Internet gateway. Resources in the VPC must make any requests, as the connected services are not able to initiate requests via the VPC endpoint. Answers A and B are incorrect because cloud access security brokers (CASBs) along with next-generation secure-web gateways (SWGs) provide the capability to deliver static and dynamic access to the management plane of IaaS providers, just as they do any SaaS app. Answer D is incorrect because DevSecOps involves automated and continuous process management for continual integration and delivery of secure applications.
#95: Your corporate policies require the use of passphrases rather than passwords. Which of the following technical controls could be put in place to best promote the use of passphrases? (Select two.) A. Lockout B. Length C. History D. Complexity
#95: B and D. Length would ensure longer choices, and complexity would ensure the use of special characters and mixed case. Answer A is incorrect as a lockout would lock the user out after a specified number of incorrect attempts. Answer C is incorrect as history would enforce the allowed number of times a new password must be used before an old password can be reused.
#96: Your account policies require employees to change their passwords every 30 days. The employees, however, continue to create passwords that are susceptible to dictionary attacks, and they are just alternating between two passwords with each change. Which of the following policies would be the best choices for fixing this? (Select two.) A. Lockout B. Length C. History D. Complexity
#96: C and D. A history policy determines the number of times a user must create new passwords before being able to reuse a previous one, so it prevents a user from alternating between two passwords. For example, a history setting of 30 would mean the user could not reuse the same password until the 31st password change. Complexity would help prevent password cracking. Answers A and B are incorrect. While length seems viable, complexity is a better choice, given the dictionary attacks. Lockout is related to requiring an account reset (based on too many invalid passwords, for example).
#98: Every photo taken with a smartphone at an investigation firm includes data on the geographic coordinates where the photograph was taken. What term describes this action? A. Geofencing B. Geosynchronous C. GPO D. Geotagging
#98: D. Geotagging adds an identifying tag to something based on location. For example, every photo taken with a smartphone is tagged with the geographic coordinates of where the photograph was taken. Geolocation can be used in account policy decision making, much like the network location of an IP address. Answer A is incorrect because geofencing is used to trigger some type of action when the user exits or enters a geographic boundary. Answer B is incorrect because the term geosynchronous describes a satellite that follows the pattern of the earth's orbit. Answer C is incorrect because Active Directory (AD) domains use group policy objects (GPOs) to store a wide variety of configuration information, including password policy settings.
#18. Before leaving for the day, one of the security administrators sends an email to the director of security, informing him that an evil twin had been found and removed from the network. The director forwards the email to you and asks what this means. Which of the following is the best reply? A. A rogue wireless access point was found connected to the network. B. A user's laptop was discovered to have had a spoofed MAC address. C. Two identical antennas were lying in the hallway. D. A network sniffer had been downloaded but not yet installed to a user's laptop.
#18: A. An evil twin is a rogue wireless access point and is the most accurate choice here. Answers B and C are both incorrect answers. Answer D is also incorrect. However, an attacker can use a network sniffer in conjunction with a rogue wireless access point. In addition, a wireless network sniffer can be used to help locate rogue access points.
#19. Which specific type of attack occurs when a perpetrator redirects traffic by changing the IP record for a specific domain in order to be able to send legitimate traffic anywhere he chooses? A. DNS poisoning B. Domain hijacking C. On-path browser attack D. Port stealing
#19: A. Domain Name System (DNS) poisoning enables a perpetrator to redirect traffic by changing the IP record for a specific domain, thus permitting attackers to send legitimate traffic anywhere they choose. DNS poisoning sends a requestor to a different website and also caches this information for a short period, distributing the attack's effect to the server users. Answer B is incorrect. Domain hijacking, the act of changing domain name registration, occurs when an entire domain is taken over without the original owner's knowledge or consent. Answer C is incorrect. An on-path browser attack is a Trojan that infects web browser components such as browser plug-ins and other browser helper objects. Answer D is incorrect because port stealing is an on-path attack that exploits the binding between a port and a MAC address.
#1. Many employees fell for a phishing email that appeared to be from a department head and demanded that employees click on a link and complete an online survey by the end of the day. Which one of the following principles of influence did these employees succumb to? A. Authority B. Scarcity C. Whaling D. Social proof
#1: A. Employees likely felt obligated to quickly comply based on the perceived authority of the email. Often such an email would attempt to replicate the status of the department head by using the appropriate formatting and signature line. Answer C is incorrect. Whaling is a specific phishing attack against an important specific target. Answers B and D describe other principles of influence but are incorrect. Scarcity relies on a sense of urgency due to limited availability. Social proof involves consensus around the trust of like-minded people.
#20. How would you mitigate ARP poisoning on a small network? A. Implement whitelisting B. Validate the input of URLs passed C. Use a three-way handshake D. Use static mappings for IP addresses
#20: D. To mitigate Address Resolution Protocol (ARP) poisoning on a small network, you can use static or script-based mappings for IP addresses and ARP tables. Answers A and B are incorrect because validating the input of URLs passed and using whitelists applies to mitigating URL redirection in the context of this chapter. Answer C is incorrect and applies to a SYN flood attack, which takes advantage of the TCP threeway handshake.
#21. How do relationship and capability pertain to understanding specific threat actors? A. They indicate the likelihood of vulnerabilities being discovered. B. They are characteristics associated with building a threat profile. C. They describe attributes that apply equally to all threats. D. They are the two most important attributes when analyzing threat actors.
#21: B. Relationship and capability are characteristics that can be attributed to threat actors. Other common attributes are motive and intent. Answer A is incorrect because these do not pertain to the discovery of vulnerabilities. Answer C is incorrect because attributes vary, depending on the specific threat actor. Answer D is incorrect because threat actors and overall risk are unique to each organization.
#22. With which of the following is a "low and slow" attack most associated? A. APT B. Ransomware C. OSINT D. Script kiddies
#22: A. An advanced persistent threat (APT) is a "low and slow" style of attack executed to infiltrate a network and remain inside while going undetected. Answer B is incorrect because ransomware is obvious and sends a clear message to the end user in an attempt to extort compensation from the victim. Answer C is incorrect. OSINT stands for open-source intelligence, which is the term given to information available for collection from publicly available sources. Answer D is incorrect because script kiddies, unlike APTs, are usually not sophisticated in their methods and are usually easily detected.
#23. Which one of the following best describes an ISAC? A. A private information security database for attack countermeasures B. A standardized language for the exchange of cybersecurity threat indicators C. A center or group that promotes threat information sharing within a specific sector D. A specification for machine-to-machine communications to share security information
#23: C. Information Sharing and Analysis Centers (ISACs) promote industry specific sharing of threat intelligence. Answer A is incorrect. Answer B is also incorrect as it describes Structured Threat Information eXpression (STIX). Answer D is incorrect as this describes Trusted Automated eXchange of Indicator Information (TAXII).
#24. Which threat actor is considered the most sophisticated and has the most resources? A. Unauthorized hacker B. Authorized hacker C. Semi-authorized hacker D. State actor
#24: D. A state actor is arguably the most sophisticated threat actor with the most resources. Answers A, B, and C are incorrect. Unauthorized hacker (black hat) describes malicious hackers who may be involved with criminal activities and have a wide range of skill. An authorized hacker (white hat), also known as an ethical hacker, uses his or her powers for good. A semi-authorized hacker (gray hat) falls somewhere in the middle of unauthorized and authorized hackers; they don't typically have malicious intent but often run afoul of ethical standards and principles.
#42. Which of the following are core services provided by cloud computing? (Select three.) A. Self-service capability B. Elasticity C. Pay as you go D. Perpetual licensing
#42: A, B, and C. Cloud computing delivers the following key services: self-service capability, elasticity, automated management, scalability, and a pay-as-you-go model. Perpetual licensing is a payment and licensing method for on-premises hardware and software, and so answer D is incorrect.
#25. You are analyzing pieces of forensic data found in log entries to identify malicious activities. Which of the following is a collection of evidence or components that points to a security breach or event? A. Indicators of compromise B. Automatic indicator sharing C. Requests for comments D. Adversary tactics, techniques, and procedures
#25: A. The best answer here is indicators of compromise (IOC), which provide evidence or components that point to a security breach or event. IOCs can include items such as malware signatures, IP addresses, domain names, and file hash values. Answer B is incorrect. Automated indicator sharing (AIS) is an initiative from the U.S. DHS that enables the exchange of cybersecurity threat indicators. Answer C is incorrect. A request for comments (RFC) is a type of document that describes behaviors, methods, research, or innovations that have to do with technologies and the working of the Internet and systems connected to the Internet. Answer D in incorrect. Adversary tactics, techniques, and procedures (TTP) provide attack methods and activities associated with specific threat actors.
#26. Your company provides outsourced information security services and has a static web presence as most business is conducted over the phone and in person. Your website was hacked due to a vulnerability in the Apache web server. The attacker ended up modifying your home page with a message disparaging the company. Which one of the following impacts to the organization is most likely? A. Data loss B. Financial loss C. Reputation loss D. Data exfiltration
#26: C. Often an attack on a vulnerability has multiple consequences. The best choice in this case is that an impact on the reputation of the company is the most likely consequence—particularly given that the company doesn't conduct business online, and the company that was hacked is a security company. Answers A, B, and D are incorrect.
#27. Which of the following threats is unknown to others and does not yet have a patch available? A. Unsecured root accounts B. Weak encryption C. Unsecure protocols D. Zero-day attack
#27: D. A zero-day attack is an attack that tries to exploit computer application vulnerabilities that are unknown to others—even the software developer—and so there is not yet a patch available for them. Effective security policies, training, and mitigation are the most effective ways to deal with zero-day vulnerabilities. Although they all represent weak or improper configurations, answers choices A, B, and C are incorrect.
#28. Which of the following will go a long way toward ensuring that expectations and requirements around data security and potential vulnerabilities are understood and addressed with third parties? (Select three.) A. Governance B. Policies C. Due diligence D. DoS
#28: A, B, and C. Maintaining proper governance is key when dealing with areas that are often out of sight, such as the supply chain, outsourced code development, and data storage. Governance, policies, and due diligence will go a long way toward ensuring that expectations and requirements around data security and potential vulnerabilities are understood and addressed with third parties. Answer D is incorrect. A denial-of service (DoS) attack against an unneeded web service is an example of how a nonessential service can potentially cause problems for an otherwise functional system.
#29. After conducting a vulnerability assessment, which of the following is the best action to perform? A. Disable all vulnerable systems until mitigating controls can be implemented. B. Contact the network team to shut down all identified open ports. C. Immediately conduct a penetration test against identified vulnerabilities. D. Organize and document the results based on severity.
#29: D. After an assessment, the results should be organized based on the severity of risk to the organization. Answer A is incorrect because it is generally an extreme response, except in rare situations. Answer B is incorrect because many open ports are required for a network to function. Answer C is incorrect because, although a penetration test often does follow a vulnerability scan, it is not an immediate necessity and certainly is not required for all identified vulnerabilities.
#2. At your place of employment, you are rushing to the door with your arms full of bags. As you approach, the woman before you scans her badge to gain entrance while holding the door for you, but she asks to see your badge first. What has she just prevented? A. Phishing B. Whaling C. Tailgating D. Intimidation principle
#2: C. Tailgating involves piggybacking, or following closely behind someone who has authorized physical access. Answers A and B are incorrect as they describe attempts to acquire sensitive information. Answer D is one of the principles of influence and is incorrect.
#30. Your team is tasked with conducting a vulnerability assessment and reports back with a high number of false positives. Which of the following might you recommend to reduce the number of false positives? A. Have the team run a vulnerability scan using non-credentialed access. B. Have the team run a vulnerability scan using credentialed access. C. Have the team run a port scan across all common ports. D. Have the team run a port scan across all ports.
#30: B. Non-credentialed vulnerability scans result in a greater number of false positives. This type of scan provides an outsider point of view, and although it might indicate what an outsider is more likely to see, it does not show as effectively the full extent of vulnerabilities. A credentialed vulnerability scan provides access to systems that might otherwise not be accessible, making it possible to further determine legitimate vulnerabilities. As a result, answer A is incorrect. Answers C and D are incorrect because vulnerability scans initially do scan specified ports as part of the process.
#31. SOAR combines functions from which of the following? (Select three.) A. Security orchestration and automation B. Incident response platforms C. Threat intelligence platforms D. Penetration tests
#31: A, B, and C. Security orchestration, automation, and response (SOAR) combines functions from security orchestration and automation, incident response platforms, and threat intelligence platforms either as a complete solution or as an integrated solution. Penetration tests are not part of the SOAR platform, so answer D is incorrect.
#50. Which of the following is an example of two-factor authentication? A. Website requiring username and password B. ATM requiring credit card and PIN C. Website requiring a one-time token code to log in D. ATM requiring facial recognition
#50: B. A credit card is something you have, and the PIN is something you know. Answer A is incorrect as the username and password are both something you know (and the username is really just something to identify you). Answer C is incorrect, as this is just a single factor. (However, a one-time token code is commonly used as a second factor when used with a password, for example.) Answer D, like answer C, is just a single factor and is incorrect.
#32. Which of the following studies human emotions in data to detect patterns such as negative, positive, or neutral opinions or attitudes? A. False positive B. False negative C. Sentiment analysis D. Log aggregation
#32: C. Sentiment analysis studies human emotions present within data, such as negative, neutral, or positive opinions or attitudes. The data can be tracked and analyzed to look for patterns that rely on human sentiment. Answers A and B are incorrect because a false positive occurs when a security scanner detects or flags a vulnerability when one does not exist and a false negative says you don't have a vulnerability when in fact you do. Answer D is incorrect. Log aggregation is the process by which SIEM systems combine similar events to reduce event volume. SIEM systems aggregate data from many network sources and consolidate the data so that crucial events are not missed.
#33. You are conducting a penetration test on a software application for a client. The development team has provided you with complete details around the source code and development process. What type of test will you likely be conducting? A. Black box B. Vulnerability C. White box D. Answers A and B
#33: C. White box testing (known environment) is transparent. Because you are provided with source code, you have more knowledge about the system before you begin your penetration testing. Answer A is incorrect because black box testing (unknown environment) assumes no prior knowledge. Answer B is incorrect because this refers to a weakness. Therefore, answer D is also incorrect.
#35. Place the following steps in the correct order for the attack phase: a. Persistence, b. Cleanup, c. Lateral movement, d. Privilege escalation, e. Initial exploitation. A. a, b, c, d, e B. e, d, c, a, b C. e, a, c, d, b D. a, e, d, b, c
#35: B. The steps during the attack phase of a penetration test are 1. Initial exploration, 2. Privilege escalation, 3. Pivoting and lateral movement, 4. Persistence and 5. Cleanup.
#36. Which of the following is part of a passive reconnaissance process and is used to gather as much information about a target as possible in order to penetrate it? A. Footprinting B. War driving C. War flying D. Bug bounty
#36: A. Footprinting is part of a reconnaissance process. This process is used to gather as much information about a target as possible in order to penetrate it. This is similar to a burglar first staking out a neighborhood to find unoccupied homes or surveilling a specific home to understand when the residents come and go. Answer B is incorrect. War driving is the act of searching for wireless networks using a portable computer or other mobile device from a moving vehicle on the ground. Answer C is incorrect. War flying is the act of searching for wireless networks by using a portable computer or other mobile device from an aircraft, such as a drone or other unmanned aerial vehicles. Answer D is incorrect because a bug bounty is a form of penetration testing; it is a formalized program to identify bugs that lead to a vulnerability or an exploit.
#37. You are responsible for a critical business system. In case of disaster, this system needs to be operational within a minimal period of time at another site, regardless of cost. Which of the following recovery sites is most appropriate in this scenario? A. Hot site B. Warm site C. Cold site D. Resilient site
#37: A. A hot site is a location that is already running and available 7 days a week, 24 hours a day. Such a site allows a company to continue normal business operations usually within a minimal period after the loss of a facility. Answer B is incorrect as a warm site is a scaled-down version of a hot site. Answer C is incorrect as a cold site would be the cheapest and the weakest in terms of resiliency after a disaster. Answer D is incorrect. While all sites represent site resiliency, only a hot site provides the most resiliency.
#38. You decided to implement TLS encryption between two servers to protect the data being transferred between them. Which of the following states of data best represents what you are putting in place? A. Data at rest B. Data in transit C. Data in processing D. Data in use
#38: B. Data in transit (or motion) represents data moving across a network or from one system to another, and it is what transport layer encryption protocols like TLS protect. Answers A and C are both incorrect. Data at rest represents data in its stored or resting state, which is typically on some type of persistent storage, such as a hard drive or tape. Data in processing represents data being processed in memory or cache. Answer D is also incorrect as this is often associated with data in processing, particularly as it pertains to DLP systems.
#3. Which of the following is an effective way to get information in crowded places such as airports, conventions, or supermarkets? A. Vishing B. Shoulder surfing C. Typo squatting D. Phishing
#3: B. Shoulder surfing involves using direct observation techniques. It gets its name from the tactic of looking over someone's shoulder to obtain information. Answer A is incorrect because vishing involves using a phone to obtain information. Answer C is incorrect because typo squatting relies on typographic errors users make on the Internet. Answer D is incorrect because phishing is an attempt to acquire sensitive information by masquerading as a trustworthy entity via an electronic communication, usually an email.
#40. Which of the following helps an organization extend on-premises security solutions to the cloud? A. CASB B. Honeynet C. Honeyfile D. DNS sinkhole
#40: A. A cloud access security broker (CASB) helps an organization extend on premises security solutions to the cloud. It is a solution that acts as an intermediary between users and cloud service providers (CSPs). Answers B, C, and D are incorrect as they are all deception technologies.
#41. As part of its digital transformation strategy, your company no longer wants to be responsible for hosting the email system on premises or even in the cloud. Which of the following service models might you recommend? A. IaaS B. PaaS C. SaaS D. Either IaaS or PaaS
#41: C. SaaS delivers a licensed application to customers over the Internet for use as a service on demand. An example would be email like that provided by Google or Microsoft in the cloud. Answer A is incorrect. IaaS delivers computer infrastructure in a hosted service model over the Internet. IaaS would be appropriate for an organization that wants to manage its own mail server in the cloud, for example. Answer B is incorrect. PaaS delivers a computing platform—such as an operating system with associated services—over the Internet without downloads or installation. Neither IaaS nor PaaS would be appropriate, and so answer D is incorrect.
#75. Which of the following correctly matches each protocol to its default port? A. SSH-22; SMTP-25; DNS-53; HTTP-80; LDAPS-389 B. SSH-21; SMTP-22; DNS-35; HTTP-110; LDAPS-636 C. SSH-22; SMTP-25; DNS-53; HTTP-80; LDAPS-636 D. SSH-22; SMTP-23; DNS-35; HTTP-69; LDAPS-389
#75: C. Answer C maps the protocols with their correct default ports.
#43. You have been asked to provide a virtualized environment. Which of the following makes it possible for many instances of an operating system to be run on the same machine? A. API B. Virtual machine C. Hypervisor D. Container
#43: C. An important component of virtualization is the hypervisor. A hypervisor is a software- or hardware-layer program that permits the use of many instances of an operating system or instances of different operating systems on the same machine, independent of each other. Answer A is incorrect. An API is a set of functions that provides services across an application or operating system. Answer B is incorrect. A virtual machine is a hosted virtual system part of the hypervisor. Answer D is incorrect. Containers only contain the core applications and libraries required to run and talk directly to the host operating system on which they are placed.
#44. Your company is expanding, and your boss asks for your recommendation regarding assistance with security management of the network perimeter, day-to-day monitoring, and penetration testing and vulnerability assessments. What should you propose? A. Virtual sprawl avoidance B. A transit gateway C. A thin client D. An MSSP
#44: D. Today, many businesses are looking to managed security service providers (MSSP) for their security needs. The services vary but include management of the network perimeter, day-to-day monitoring, and penetration testing and vulnerability assessment. Answer A is incorrect because VM sprawl happens when the number of virtual machines in a network grows to a point that is no longer manageable. Answer B is incorrect. A transit gateway acts as a hub, providing a single connection point from the on-premises environment to the many virtual cloud networks provided by the CSP. Answer C is incorrect. When using thin clients or virtual desktops, user desktop environments are stored remotely on a server. This facilitates configurations that can be created, deleted, copied, archived, and downloaded over a network or that can be remotely hosted very quickly.
#45. Your team wants to use automation in the development process to help identify vulnerabilities that have been incorrectly identified before now. Which of the following best describes this type of mistaken identification? A. Identity theft B. False positive C. False negative D. Identity provider
#45: B. A false positive is a result that incorrectly indicates that a particular condition, such as a vulnerability, is present. Answer C is incorrect as a false negative is not identified but is missed. Answers A and D are incorrect and refer to the use of someone else's identity and a system that manages identity information, respectively.
#46. Your organization's compute needs are relatively the same throughout the year except for the two months leading up to a holiday. The board of directors is interested in how the organization can handle this additional capacity for this time period without incurring unnecessary costs the rest of the year. Which of the following best describes the board's request? A. Elasticity B. Scripting C. Continuous integration D. Scalability
#46: A. Elasticity is the capacity to dynamically expand or reduce infrastructure resources by adjusting workloads to maximize resources. Answer B is incorrect as this is not the most specific answer. Scripting refers to automation, which elastic capabilities are likely to require. Answer C is incorrect. Continuous integration refers to the development process of continuous monitoring and merging. Answer D, while closely related to elasticity is incorrect, as scalability refers to the ability to expand the amount of production from the current infrastructure without negatively impacting performance.
#47. Your organization has been moving new applications from the testing environment directly to production, but lately there have been many issues. You have been asked to help mitigate these issues. Which of the following are the most appropriate? (Select two.) A. Move the code to both production environments to troubleshoot on one in case the other fails. B. Set up a parallel production environment. C. Set up a staging environment to closely match the production environment. D. Move the code to staging prior to moving it to production.
#47: C and D. A staging environment is often implemented to reduce the risk of introducing issues upon deployment into the production environment. The code will be moved to production after being moved to staging. Answers A and B are incorrect. This would not be done in the application development process and is more akin to providing for redundancy.
#48. Your organization's development team wants to protect trade secrets and intellectual property. What should the team implement during the software development process to prevent software from being reverse engineered? A. Normalization B. Stored procedures C. Obfuscation and camouflage D. Automation and scripting
#48: C. Obfuscation, camouflage, and encryption are all often used in the software development process to prevent software from being reverse engineered. These practices protect the trade secrets and intellectual property of an organization. Answer A is incorrect. Normalization is the conversion of data to its anticipated, or "normal," value. Answer B is incorrect because stored procedures are combinations of precompiled SQL statements, stored in a database, that execute some task. Answer D is incorrect because automation and scripting greatly increase an organization's capability to detect and respond to threats. They combine machine learning with automation to respond to threats and maintain critical operations.
#49. Which one of the following is provided to an AAA system for identification? A. Passcode B. Username C. Password D. One-time token code
#49: B. A username is the most common factor used for identification. Answers A, C, and D are all incorrect as they represent forms of authentication and not identification.
#4. An attacker wishes to infect a website that employees at your company often visit in order to infect them with malware. What type of computer attack strategy is the attacker setting up? A. Zero-day B. Credential harvesting C. Identity fraud D. Watering hole attack
#4: D. In a watering hole attack, the attacker attacks a site that the target frequently visits. The goal is often to compromise the larger environment—for example, the company the target works for. Answer A is incorrect. A zero-day attack is a cyberattack targeting a software vulnerability that is unknown to the software vendor or to antivirus vendors. Answer B is incorrect. Credential harvesting is a common purpose of phishing campaigns to capture usernames and passwords. Answer C is incorrect. Identity fraud is the use of a person's personal information, without authorization, to deceive or commit a crime.
#56. Which solution gives you enough time to safely power down equipment until power is fully restored? A. NIC teaming B. Load balancer C. PDU D. UPS
#56: D. An uninterruptible power supply (UPS) gives you enough time to safely power down equipment until power is fully restored. UPSs are used to protect electronic equipment and provide immediate emergency power in case of failure. Answer A is incorrect because NIC teaming allows a NIC to be grouped with multiple physical NICs to form a logical network device known as a bond. This provides for fault tolerance and load balancing. B is incorrect because network load balancers are reverse proxy servers configured in a cluster to provide scalability and high availability. Answer C is incorrect because a power distribution unit (PDU) is like a power strip that distributes power to the critical equipment. Many PDUs have advanced functions to improve power quality and provide load balancing as well as remote monitoring.
#57. Which of the following are the most important constraints that need to be considered when implementing cryptography, particularly for embedded devices? (Select three.) A. Security B. Time C. Performance D. Power
#57: A, C, and D. With smaller and lower-power devices, trade-offs and resource constraints need to be considered when implementing cryptography. These constraints include, for example, security, performance, and power. As a result, answer B is incorrect.
#58. Which of the following are associated with critical infrastructure systems where segmentation from public networks should be strongly considered? (Select two.) A. SCADA B. IoT C. ICS D. NIST
#58: A and C. Supervisory control and data acquisition (SCADA) systems and industrial control systems (ICSs) include critical infrastructure systems such as networks related to manufacturing, logistics and transportation, energy and utilities, telecommunication services, agriculture, and food production. Answer B is incorrect. Internet of Things (IoT) devices are connected to public networks. This does not necessarily mean they aren't important, however, and IoT devices should be secured properly. Answer D is incorrect. The National Institute of Standards and Technology (NIST) publishes various papers, including guidance for protecting critical infrastructure
#59. Your organization manufactures SoC technology. You have been tasked with ensuring secure design for these systems on chip. Which of the following suggestions are most appropriate? (Select two.) A. Sensitive data should not be stored in the register after processing. B. The device should be shielded from electromagnetic interference at the minimum level. C. A separate security verification tool should be used to store sensitive data. D. A separate security verification tool should be used to check the design.
#59: A and D. System on chip (SoC) design should ensure that the device is shielded from electromagnetic interference (EMI) at the maximum level (not a minimum level); sensitive data should not be stored in the register or cache after processing; and a separate security verification tool should be used to check the design.
#5. Which of the following is the best defense against social engineering? A. Cross-site Scripting B. Intimidation C. Awareness and education D. Influence campaign
#5: C. It is important to understand that the best defense against social engineering is ongoing user awareness and education. Cross-site Scripting (XSS) is a clientside code injection attack, so answer A is incorrect. Answer B is incorrect because a social engineer may use the principle of intimidation to play on one's fear of getting in trouble or getting fired. Answer D is incorrect. An influence campaign involves coordinated actions that seek to affect the development, actions, and behavior of the targeted population.
#60. Which of the following is a small operating system used in embedded systems and IoT applications that allow applications to run with precise timing and high reliability? A. RTOS B. FPGA C. NERC D. UAV
#60: A. A real-time operating system (RTOS) is a small operating system used in embedded systems and IoT applications that allows applications to run with precise timing and high reliability. Answer B is incorrect because a field-programmable gate array (FPGA) is an integrated circuit that can be programmed or modified in the field. Answer C is incorrect because North American Electric Reliability Corporation (NERC) develops reliability standards that are overseen by the Federal Energy Regulatory Commission (FERC). Answer D is incorrect because a UAV is an unmanned aerial vehicle, such as a drone.
#61. The aerospace company you work for is developing a highly secret new component. The computers to develop the component need to be isolated to prevent connections to the outside world. Which of the following should you put in place to provide the most secure setup? A. Firewall B. Air gap C. Hot and cold aisles D. Pulverized network
#61: B. An air-gapped network provides the most secure setup. The computers inside the air gap may be interconnected but have no external access. Answer A is incorrect because a firewall may be required to be connected to the outside; although it could possibly secure the network, this setup would not provide the security of a completely closed network. Answer C is incorrect because hot and cold aisles are for data center HVAC. Answer D is incorrect because pulverizing is related to the secure destruction of materials.
#62. Your training director has an unsupervised room that he wants to use as a training lab for the next few months. The lab will hold 20 laptops and confidential training manuals. Which the following controls are most appropriate in this situation? (Select two.) A. Cable locks B. Locking cabinets C. Mantrap D. Biometric reader
#62: A and B. The unsupervised training lab will benefit from cable locks and locking cabinets. The laptops can be secured to prevent theft. The locking cabinets can potentially be used to store the laptops and can also be used to protect the confidential documents. Answer C is incorrect. A mantrap is a holding area between two doors. Answer D is incorrect. Because this is an unsupervised lab where many people may have open access, the focus should be on protecting equipment and material from being taken. Biometric readers do not prevent this.
#63. Employees in your data center have notified you that they are receiving minor electrical shocks when they touch the metal enclosures and are worried about handling equipment such as servers and hard drives. Which of the following should you consider doing? A. Decrease the humidity B. Increase the humidity C. Increase the temperature D. Decrease the temperature
#63: B. Humidity is a measure of moisture content in the air. A low level of humidity can subject components to electrostatic discharge (ESD), which can cause damage; at extremely low humidity levels, components might be affected by the air itself. Answer A is incorrect given the circumstance, although a high level of humidity can cause components to rust and degrade electrical resistance or thermal conductivity. Adjusting the temperature is incorrect, so both C and D are incorrect.
#66. You are exchanging secure emails with another user. You use a key to encrypt your outbound email, but then you are unable to decrypt the email you receive in return by using the same key you used to encrypt the outbound email. Which best explains what's happening? A. Email clients do not support cryptography. B. Asymmetric cryptography is being used. C. You are using a stream cipher. D. You are using a block cipher.
#66: B. In asymmetric cryptography, key pairs are used: one key to encrypt and the other to decrypt. The email you received would have been encrypted with your public key, and you would need to decrypt the email with your private key. This private key would not have been the key used to encrypt the original outgoing email. You would have used the recipient's public key for that. Answers A, C, and D are incorrect because you were able to originally encrypt an email outbound. Further, most email clients do support cryptography, and stream and block ciphers are methods for encrypting plaintext in symmetric algorithms.
#67. Which of the following is true regarding block and stream ciphers? (Select three.) A. Block ciphers are more complex than and not as fast as stream ciphers. B. Stream ciphers, unlike block ciphers, require padding. C. Block ciphers have higher diffusion than stream ciphers. D. Stream ciphers perform encryption bit by bit.
#67: A, C, and D. Stream ciphers do not require padding because each bit is processed and is the smallest unit; thus answer B is incorrect. All the other choices are true statements comparing block ciphers and stream ciphers.
#68. Which statement is false? A. Symmetric key algorithms use the same private key to encrypt and decrypt. B. Symmetric key algorithms are often referred to as public key algorithms. C. ECC is an example of an asymmetric public key cryptosystem. D. Symmetric key algorithms are typically faster than asymmetric systems.
#68: B. Symmetric key algorithms are often referred to as secret key algorithms, private key algorithms, and shared secret algorithms. Asymmetric algorithms are often referred to as public key algorithms because they use the public key as the focal point for the algorithm. Answers A, C, and D are all true statements and are therefore incorrect answer choices.
#6. A user in finance opens a help desk ticket identifying many problems with her desktop computer, including sluggish performance and unfamiliar pop-ups. The issues started after she opened an invoice from a vendor. The user subsequently agreed to several security warnings. Which of the following is the user's device most likely infected with? A. Ransomware B. Spyware C. Backdoor D. Adware
#6: C. Because the user opened an attachment that masqueraded as something legitimate and required agreement to various security prompts, it is most likely a backdoor installed on the system. Answer A is incorrect because with ransomware, the attacker would be asking for a ransom payment. While both spyware and adware may cause problems with performance, they would not likely prompt the user with security dialogs. Thus, answers B and D are incorrect.
#70. Which of the following protocols use SSH? (Select two.) A. SCP B. FTPS C. SFTP D. SSL
#70: A and C. Both SCP and SFTP use SSH. Do not get confused here. SSH FTP (SFTP) uses SSH, whereas FTP Secure (FTPS) uses SSL. SSL does not use SSH either. Therefore, answers B and D are incorrect.
#71. What two primary security services does the asymmetric key standard defining IPsec provide? A. DNSSEC and S/MIME B. SRTP and LDAPS C. SMTP and SNMPv3 D. AH and ESP
#71: D. The asymmetric key standard defining IPsec provides two primary security services: Authentication Header (AH), which provides authentication of the data's sender, along with integrity and nonrepudiation, and Encapsulating Security Payload (ESP), which supports authentication of the data's sender and encryption of the data being transferred, along with confidentiality and integrity protection. Answers A, B, and C are incorrect because DNSSEC was developed to strengthen DNS through the use of digital signatures and public key cryptography. S/MIME is a widely accepted technology for sending digitally signed messages. SRTP is used to secure VoIP or video network communications. LDAPS protects the authentication session when an application authenticates with Active Directory. SMTP, over port 25, is used for sending email. SNMPv3 is used to collect statistics from TCP/IP devices.
#72. Why do vendors provide MD5 values for their software patches? A. To provide the necessary key for patch activation B. To allow the downloader to verify the authenticity of the site providing the patch C. To ensure that auto-updates are enabled for subsequent patch releases D. To allow the recipient to verify the integrity of the patch prior to installation
#72: D. MD5 is a hashing value used to verify integrity. Software developers provide these hash values so users can verify that nothing has changed. Answers A and B are incorrect. MD5 is for integrity checking, not authentication, and some patches may be downloaded from sites other than the original author's site. Answer C is incorrect.
#73. Your developers made certain that any input to a search function they developed would result in commas, quotes, and other certain special characters being stripped out. Which of the following is likely their reasoning? A. They are paranoid, and they should allow the original input term to process as is. B. They want to prevent SQL injection by validating the input. C. They want to prevent privilege escalation by providing proper exception handling. D. They are lazy and didn't want to have to refactor their search algorithm.
#73: B. The developers are following a best practice of input validation by preventing various types of negative impacts, such as SQL injection. Answers A, C, and D are all incorrect and are not directly related to the issue described here.
#74. You are a security administrator and learn that a user has been emailing files containing credit card number data from the corporate domain to his personal email account. This data is typically required to go to a third-party business partner. Which of the following solutions could you implement to prevent these emails or attachments from being sent to personal email accounts? A. Implement a DLP solution to prevent employees from emailing sensitive data. B. Implement a mail solution that requires TLS connections to encrypt the emails. C. Implement a mail solution that employs encryption and that will prevent email from being sent externally. D. Implement a DLP solution to prevent sensitive data from being emailed to non-business accounts.
#74: D. Implementing a DLP solution to prevent sensitive data from being emailed to non-business accounts is the best choice. Answer A is incorrect as this solution isn't necessarily needed to halt all email. Answer B is incorrect as transport encryption will still allow personal email accounts to receive the sensitive data. Answer C is incorrect because encryption will still allow the email to be sent externally.
#79: Your Company requires a switch feature that makes additional checks in Layer 2 networks to prevent STP issues. Which of the following safeguards should be implemented? A. Loop Guard B. Flood protections C. Implicit deny D. Port security
#79: A. The Loop Guard feature makes additional checks in Layer 2 switched networks to prevent loops. Answer B is incorrect because flood protection is a firewall feature to control network activity associated with DoS attacks. Answer C is incorrect because implicit deny is an access control practice in which resource availability is restricted to only logons that are explicitly granted access. Answer D is incorrect because port security is a Layer 2 traffic control feature on Cisco Catalyst switches. It enables individual switch ports to be configured to allow only a specified number of source MAC addresses to come in through the port.
#7. A user has reported consistent activity delays with his PC when using a specific web browser. A quick investigation reveals abnormally high CPU usage. Which of the following types of malware is most likely affecting the user's PC? A. Crypto-malware B. Worm C. Macro virus D. Keylogger
#7: A. Crypto-malware is most likely. While crypto-malware may have worm-like capabilities, such malware is known for heavy CPU use, and, because this particular issue happens when using the web browser, the problem is likely to be a cryptojacking variant. The other choices may result in anomalous CPU behavior, but that is not as likely as it would be with crypto-malware. Further, a macro virus would involve the use of office software. Thus, answers B, C, and D are incorrect.
#80: You are implementing server load balancing. In which configuration is the passive server promoted to active if the active server fails? A. Active/active B. Round-robin C. Weighted round-robin D. Active/passive
#80: D. In an active/passive configuration, all traffic is sent to the active server. The passive server is promoted to active if the active server fails or is taken down for maintenance. Answer A is incorrect. In an active/active configuration, two or more servers work together to distribute the load to network servers. Answers B and C are incorrect because in a round-robin load-balancing strategy traffic is sent in a sequential, circular pattern to each node of a load balancer, and in a weighted round-robin strategy traffic is sent in a circular pattern to each node of a load balancer, based on the assigned weight number.
#81: Your network IDS is reporting a high number of false positives. What does this mean? A. Typical or expected behavior is being identified as irregular or malicious. B. Alerts that should have been generated are not occurring. C. The activity is being categorized into one of the following types: benign, suspicious, or unknown. D. The IDS is preventing intrusions instead of detecting them.
#81: A. A false positive occurs when a typical or expected behavior is identified as irregular or malicious. Answer B is incorrect. A false negative occurs when an alert that should have been generated did not occur. Answer C is incorrect because this describes heuristic intrusion detection rules, which tend to categorize activity into one of the following types: benign, suspicious, or unknown. Answer D is incorrect. In fact, the opposite is true: An intrusion detection system (IDS) detects intrusions and sends alerts, whereas an intrusion prevention system (IPS) detects and prevents intrusions.
#82: A member of your team made changes to the configuration of the wireless network. Existing devices are still able to connect to the network, but you are unable to find the network to connect to when trying to deploy a new laptop. What change did the team member most likely make? A. Disabled MAC filtering B. Disabled SSID broadcasting C. Enabled MAC filtering D. Enabled SSID broadcasting
#82: B. The team member most likely disabled SSID broadcasting, as the network name can no longer be seen from the wireless clients. The network is still there, and existing clients can still connect as they have already been configured; however, the name of the network doesn't show. As a result, answer D is incorrect. Answers A and C are incorrect. MAC filtering would specifically deny the clients specified from joining, but they would still see the network name if SSID broadcasting were enabled.
#84: As you are deploying wireless authentication protocols, a request comes up to eliminate the need for client certificates. Which of the following requires a client certificate? A. EAP-TLS B. PEAP C. EAP-TTLS D. EAP-FAST
#84: A. EAP-TLS requires a client certificate and provides the strongest security of the protocols listed here. PEAP, EAP-TTLS, and EAP-FAST do not require client certificates, so Answers B, C, and D are incorrect.
#85: Your organization is conducting a wireless site survey for proper AP placement. Which of the following provides a visual method for understanding the coverage and signal strength and may help with this process? A. MAC filtering B. Yagi C. MU-MIMO D. Heat map
#85: D. Site surveys use Wi-Fi and other wireless analyzers to understand and map out the wireless infrastructure. One output is a wireless heat map, which provides a visual method for understanding coverage and signal strength. Answer A is incorrect because MAC filtering is a security access control method in which the MAC address is used to determine access to the network. Answers B and C are incorrect because a Yagi antenna is an example of a directional antenna, and multiuser multiple-input, multiple output (MU-MIMO) antennas take advantage of multipath signal reflections.
#86: You want your users' valid authentication information to be shared across trusted entities so the users can seamlessly roam across different wireless networks without having to reauthenticate. Which of the following can allow this? A. RADIUS federation B. WPA3 C. CCMP D. Captive portal
#86: A. RADIUS federation allows a user's valid authentication to be shared across trusted entities. This enables users to seamlessly roam across different wireless networks without having to reauthenticate with the unique credentials of another entity. Answer B is incorrect because WPA3 is the latest Wi-Fi specification and offers greater wireless security for Wi-Fi-certified WPA3 devices. Answer C is incorrect. Counter Mode Cipher Block Chaining Message Authentication Code Protocol (CCMP) is based on the AES encryption algorithm and provides significant security improvements over TKIP. Answer D is incorrect because captive portals are common in public places such as airports and coffee shops. The user simply clicks Accept, views an advertisement, provides an email address, or performs some other required action. The network then grants access to the user and no longer holds the user captive to the portal.
#99: Ramone, a user in your organization, is a member of the accounting group, which has full access permission to a folder named Private Information Assigned. Ramone also belongs to the sales group, which has deny access permission assigned to the same private information folder. What can Ramone do to the private information folder? A. Nothing B. Everything C. Save files to the folder D. Save files to the folder and delete files in the folder
#99: A. No matter what OS you are working with, if you give a user full access in one group and deny access in another group, the result is deny access. However, group permissions are cumulative. Therefore, if a user belongs to two groups, and one has more liberal access, the user will have the more liberal access, except where the deny access permission is involved. If a user has difficulty accessing information after he or she has been added to a new group, the first item to check for is conflicting permissions. Therefore, answers B, C, and D are incorrect.
#9. Which of the following allow machines to solve problems and do analysis without specifically being programmed? (Select two.) A. RATs B. PUPs C. AI D. ML
#9: C and D. Artificial intelligence (AI) involves applying various techniques to solve a variety of problems and challenges, and machine learning (ML) is one of the key techniques used in AI. Answer A is incorrect because remote access Trojans (RATs) installed on a system allow a remote attacker to take control of the targeted system. Answer B is incorrect. PUPs (potentially unwanted programs) include spyware and adware that are often downloaded with a program the user wants.