Security + Implementation
Which one of the following ports would block outgoing email? 25 110 443 22
25. SMTP (TCP 25) is the protocol used to send mail between servers, so blocking it blocks outgoing email. POP3 (110) only retrieves mail, 443 is HTTPS and 22 is SSH. Note that mail clients commonly submit outbound mail on 587 (submission) or 465 (SMTPS), so a real outbound-email block covers those ports as well.
You need to implement a tool that can be configured to detect abnormal activity for a cloud-based virtual network. The solution must be configured to send alert notifications to administrators. What should you deploy? A. NIDS B. HSM C. HIDS D. TPM
A. NIDS --------- A. A network-based intrusion detection system (NIDS) is not specific to a host; it analyzes traffic from many sources (in a cloud virtual network, typically mirrored traffic or flow records) to detect potentially malicious activity and can notify administrators. B, C, and D are incorrect. A hardware security module (HSM) is a dedicated tamper-resistant device designed to securely store and manage cryptographic keys. A HIDS monitors a single host and can detect and report/alert/log host-specific suspicious activity, but it does not watch the network as a whole. The Trusted Platform Module (TPM) is a dedicated chip (or firmware implementation) within a computing device that measures boot integrity and stores cryptographic keys used to encrypt storage devices. TPM is part of an overall computing security strategy and is often referred to as part of the "hardware root of trust."
Your software development team is creating a custom app that will accept customer payments. The app calls upon existing third-party APIs, where those APIs result in a unique value generated from user payment methods and that unique value is sent over the network to complete payment transactions. Which technique is taking place when payments occur using this custom app? A. Tokenization B. Salting C. Encryption D. Hashing
A. Tokenization ---------- A. Tokenization is a security technique that uses a trusted centralized service to create a surrogate value (a "token") for sensitive data such as a credit card number. The token can then be used to authorize resource access or payments without the original sensitive data ever being sent; only the tokenization service can map the token back. B, C, and D are incorrect. Salting adds random data to plain text before it is fed into a one-way hash function, so that identical inputs produce different hashes and precomputed tables are useless. Linux user passwords stored in the /etc/shadow file are represented as a hash generated from the salted password string. Encryption uses one or more keys to render plain text into cipher text, providing confidentiality for data at rest or in transit: only the possessor of the correct decryption key can convert the cipher text back into plain text. Hashing feeds data into a one-way algorithm that produces a fixed-length digest which cannot practically be reversed. An example is generating file hashes periodically to see whether files have been corrupted or tampered with: if the current hash differs from the previous one, the data has changed.
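To make the four techniques concrete, here is an added example (not part of the original question set) using Python's standard library: a salted PBKDF2 password hash with constant-time verification in the /etc/shadow style, an unsalted hash of a card number to show why hashing a PAN is not tokenization, and a toy in-memory TokenVault standing in for the trusted tokenization service. The vault, the tok_ token format and the test card number are assumptions for illustration.

```python
import hashlib
import hmac
import os
import secrets
from typing import Dict, Optional, Tuple

# Work factor for PBKDF2-HMAC-SHA256. Lower it only for tests, never in production.
PBKDF2_ITERATIONS = 600_000


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = PBKDF2_ITERATIONS) -> Tuple[bytes, bytes]:
    """Salted one-way hash (the /etc/shadow model). Returns (salt, digest).

    A fresh 16-byte random salt is drawn when none is supplied, so two users with
    the same password get different digests and precomputed tables are useless.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes,
                    iterations: int = PBKDF2_ITERATIONS) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, candidate = hash_password(password, salt, iterations)
    return hmac.compare_digest(candidate, digest)


def hash_pan(pan: str) -> str:
    """An UNSALTED hash of a card number: deterministic and brute-forceable, because
    the space of valid PANs is small. Shown only to contrast with tokenization."""
    return hashlib.sha256(pan.encode("ascii")).hexdigest()


class TokenVault:
    """Hypothetical in-memory stand-in for a trusted tokenization service.

    The token is random, so nothing about the PAN can be recovered from it; only
    the vault (the 'trusted centralized service' in the text) can map it back.
    """

    def __init__(self) -> None:
        self._token_to_pan: Dict[str, str] = {}
        self._pan_to_token: Dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        # Same PAN -> same token, so recurring payments keep working.
        if pan in self._pan_to_token:
            return self._pan_to_token[pan]
        # Keep the last four digits for receipts; everything else is random.
        token = "tok_" + secrets.token_hex(8) + "_" + pan[-4:]
        self._token_to_pan[token] = pan
        self._pan_to_token[pan] = token
        return token

    def detokenize(self, token: str) -> str:
        """Only the payment processor, which holds the vault, should ever call this."""
        return self._token_to_pan[token]


if __name__ == "__main__":
    salt, digest = hash_password("correct horse battery staple")
    print("password ok:", verify_password("correct horse battery staple", salt, digest))
    vault = TokenVault()
    token = vault.tokenize("4111111111111111")  # constructed test PAN
    print("token sent over the network:", token)
    print("same PAN hashes identically everywhere:",
          hash_pan("4111111111111111") == hash_pan("4111111111111111"))
```

The contrast worth noticing: the password digest is useful precisely because it can be recomputed from the input, while the token is useful precisely because it cannot be.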
Your users are all connected to a wireless access point using WPA2-PSK. Your manager wants you to confirm what cryptographic standard is being used. Which of the following is most likely? AES DES MD5 WEP
AES
What two primary security services does the asymmetric key standard defining IPsec provide? DNSSEC and S/MIME SRTP and LDAPS SMTP and SNMPv3 AH and ESP
AH and ESP. The Authentication Header (AH) protocol provides integrity and origin authentication for the whole packet but no confidentiality. Encapsulating Security Payload (ESP) provides confidentiality (encryption) and can also provide integrity and authentication, which is why ESP alone is the usual deployment. IPsec itself is not an asymmetric key standard: IKE uses asymmetric techniques to negotiate the symmetric keys that AH and ESP then use.
Which of the following is a true statement regarding role-based access control? Access rights are first assigned to users. Roles are then associated with those access rights. Access rights are first assigned to roles. User accounts are then associated with those access rights. Access rights are first assigned to roles. User accounts are then associated with those roles. Access rights are first assigned to users. Roles are then associated with those users.
Access rights are first assigned to roles. User accounts are then associated with those roles.
You are implementing server load balancing. In which configuration is the passive server promoted to active if the active server fails? Active/active Round-robin Weighted round-robin Active/passive
Active/passive
Which security issue is being addressed? credit card data (Hashed) A. Data confidentiality B. Data integrity C. Data availability D. Data classification
B. Data integrity ------- B. Hashing provides data integrity. A, C, and D are incorrect. Encryption provides data confidentiality, which prevents unauthorized access to read encrypted data without possessing the correct decryption key. Data availability can be achieved with data backups and server clustering as well as load balancing. Data classification is used to assign sensitivity labels to data, which is in turn commonly used by data loss prevention (DLP) systems to prevent sensitive data leakage outside of an organization.
Which of the following are deployment strategies for mobile devices? (Select three.) BYOD CYOD COPE BYOB
BYOD CYOD COPE
You are traveling on a bus with a colleague, and you both have your laptops. You need to share files with each other during the trip with a minimum of inconvenience and minimal cost. The bus does not offer Wi-Fi connectivity. What should you do? A. Copy the files to external USB storage media. B. Copy the files to a MicroSD HSM. C. Enable Wi-Fi Direct. D. Enable satellite Internet connectivity.
C. Enable Wi-Fi Direct. --------- C. Laptops and mobile devices can be linked directly over Wi-Fi Direct to transfer files, with no access point or Internet connection needed. A, B, and D are incorrect. Passing a USB drive back and forth works but is less convenient than a direct wireless link; satellite Internet is neither cheap nor quick to set up; and a MicroSD hardware security module (HSM) provides cryptographic key storage and authentication functions for a mobile device, not file transfer.
You are configuring a security appliance with the following rule: alert tcp any any -> $CORP_NET 23 (msg:"Telnet connection attempt";sid:1000002; rev:1;) Which type of device are you configuring? A. Packet filtering firewall B. Proxy server C. IDS D. HSM
C. IDS ------- C. An intrusion detection system (IDS) analyzes network or host traffic for potentially malicious activity and writes alerts to a log or notifies administrators; it does not block. The rule shown is in Snort/Suricata syntax: the action is alert, the protocol is tcp, the source is any address on any port, the destination is the $CORP_NET variable on port 23 (the default Telnet port), and the options set the alert message, a rule ID (sid) and a revision. Any TCP packet from anywhere to port 23 on the corporate network generates the alert. As written it fires on every packet of a Telnet session, not only the initial connection; a production rule would normally add a flags:S (SYN) option so it fires once per connection attempt. A, B, and D are incorrect. A packet filtering firewall allows or blocks traffic based on details such as source and destination IP addresses, protocol types, or port numbers. A proxy server (also called a forward proxy) sits between an internal network and the Internet; it accepts user requests for Internet content, fetches the content, and serves it back to the requesting internal client, and can cache content for quicker subsequent requests. A hardware security module (HSM) is a dedicated tamper-resistant device designed to securely store and manage cryptographic keys.
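An added example, not from the original material: a small Python parser for the one-line rule syntax used in the question, plus a matcher that runs it against constructed 5-tuples. The $CORP_NET binding (10.0.0.0/8), the Rule and Packet types and the sample addresses are assumptions; a real sensor also handles escaped semicolons, multi-line rules, port ranges and negation, which this toy does not.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, Optional

# The rule from the question, verbatim.
RULE_TEXT = ('alert tcp any any -> $CORP_NET 23 '
             '(msg:"Telnet connection attempt";sid:1000002; rev:1;)')

# Variable bindings a sensor holds in its configuration. The CIDR is assumed here.
RULE_VARS = {"$CORP_NET": "10.0.0.0/8"}

HEADER_RE = re.compile(
    r'^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+'
    r'(?P<direction>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<body>.*)\)\s*$'
)


@dataclass
class Rule:
    action: str
    proto: str
    src: str
    sport: str
    direction: str
    dst: str
    dport: str
    options: Dict[str, str]


@dataclass
class Packet:
    """Constructed stand-in for the 5-tuple a sensor extracts from a packet."""
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


def parse_rule(text: str) -> Rule:
    """Split a single-line rule into its header fields and an option map.

    Toy parser: it does not handle escaped semicolons inside option values or
    multi-line rules, which a real sensor must.
    """
    m = HEADER_RE.match(text)
    if not m:
        raise ValueError("not a rule: " + text)
    options: Dict[str, str] = {}
    for part in m.group("body").split(";"):
        part = part.strip()
        if part:
            key, _, value = part.partition(":")
            options[key.strip()] = value.strip().strip('"')
    return Rule(m["action"], m["proto"], m["src"], m["sport"],
                m["direction"], m["dst"], m["dport"], options)


def _addr_matches(pattern: str, addr: str) -> bool:
    pattern = RULE_VARS.get(pattern, pattern)   # expand $VARS
    if pattern == "any":
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(pattern, strict=False)


def _port_matches(pattern: str, port: int) -> bool:
    return pattern == "any" or int(pattern) == port


def evaluate(rule: Rule, pkt: Packet) -> Optional[str]:
    """Return the alert line a sensor would emit for pkt, or None if the rule does not fire."""
    if rule.proto != pkt.proto:
        return None
    forward = (_addr_matches(rule.src, pkt.src) and _port_matches(rule.sport, pkt.sport)
               and _addr_matches(rule.dst, pkt.dst) and _port_matches(rule.dport, pkt.dport))
    # '<>' rules match in both directions; '->' rules only match source -> destination.
    reverse = rule.direction == "<>" and (
        _addr_matches(rule.dst, pkt.src) and _port_matches(rule.dport, pkt.sport)
        and _addr_matches(rule.src, pkt.dst) and _port_matches(rule.sport, pkt.dport))
    if forward or reverse:
        return "[{}:{}] {}".format(rule.options.get("sid"), rule.options.get("rev"),
                                   rule.options.get("msg"))
    return None


if __name__ == "__main__":
    rule = parse_rule(RULE_TEXT)
    samples = [  # constructed traffic
        Packet("tcp", "203.0.113.5", 51000, "10.1.2.3", 23),    # inbound Telnet: fires
        Packet("tcp", "203.0.113.5", 51001, "10.1.2.3", 22),    # inbound SSH: silent
        Packet("tcp", "10.1.2.3", 51002, "198.51.100.7", 23),   # outbound Telnet: silent
    ]
    for pkt in samples:
        print(pkt, "->", evaluate(rule, pkt))
```

The third sample is the one people get wrong: the rule's direction operator means an internal host telnetting out to the Internet does not match, because the destination is not in $CORP_NET.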
You no longer require data stored on a self-encrypting drive (SED). What is the quickest way to wipe the drive so that it can be reused, while ensuring data artifacts are not recoverable? A. Overwrite all disk sectors with random data. B. Overwrite all disk sectors with 0's. C. Remove and destroy SED cryptographic keys. D. Attach the SED in a different computer.
C. Remove and destroy SED cryptographic keys. ----- C. A self-encrypting drive always stores data as cipher text under a key held inside the drive; destroying that key (a cryptographic erase, typically via the drive's secure erase command) leaves only unreadable cipher text and completes in seconds. A, B, and D are incorrect. Overwriting every sector takes far longer than destroying the key and, on drives that remap sectors (SSDs especially), may miss retired blocks. Placing the SED in a different computer neither destroys the key nor overwrites the data.
Which abilities are unique to end-point detection and response solutions in comparison to host-based packet filtering firewalls? (Choose two.) A. Block incoming traffic initiated from outside the machine B. Allow incoming response traffic initiated from the machine C. Stop attacks in progress D. Detect threats
C. Stop attacks in progress D. Detect threats ----------- C and D. Endpoint detection and response (EDR) detects threats from endpoint telemetry, and the "response" part refers to stopping an attack in progress after detection, for example by killing processes or isolating the host. A and B are incorrect. Blocking unsolicited inbound traffic while allowing replies to connections the machine opened is ordinary stateful host firewall behaviour, so it is not unique to EDR.
Your organization has developed a custom application that requires a check for the validity of digital certificates even when the Internet is not available. Which of the following meets this requirement? CRL OCSP SAN CPS
CRL ----------------------------------- A certificate revocation list (CRL) is a CA-signed list of the serial numbers of certificates the CA has revoked, with the revocation date and reason for each. Because the CRL is published on a schedule, the application can download it in advance and cache it, so validity checks keep working while the Internet is unavailable (until the cached list's next-update time passes). The Online Certificate Status Protocol (OCSP) needs a live responder at check time, a subject alternative name (SAN) is a certificate extension listing additional identities, and a certification practice statement (CPS) is the CA's policy document.
A user does not have an identity-based policy and requires access to a storage resource but is denied access. Which of the following do you need to do in order to allow him access? Assign an identity-based policy to the user to allow access Assign an override for any deny attribute in the identity-based policy Remove the deny from the resource-based policy Change the deny to an allow permission on the resource-based policy
Change the deny to an allow permission on the resource-based policy. An explicit deny in any applicable policy overrides every allow, so attaching an identity-based allow would still leave the user denied. Because he has no identity-based policy, merely removing the deny leaves no allow anywhere and the request falls to the implicit default deny. Changing the resource policy's deny to an allow is the one change that grants access.
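An added example (not from the original) that models the deny-overrides evaluation behind this answer in Python. The policy dicts, the user:alice principal, the storage:GetObject action and the bucket:reports/* resource are constructed and hypothetical; the evaluator is a simplified model of how cloud IAM systems combine identity-based and resource-based policies, not any vendor's exact algorithm.

```python
from fnmatch import fnmatchcase
from typing import Dict, Iterable, List, Sequence, Union

Statement = Dict[str, Union[str, List[str]]]

# Constructed sample policies; principal, action and resource names are hypothetical.
IDENTITY_POLICY: List[Statement] = []   # the user has no identity-based policy at all

RESOURCE_POLICY: List[Statement] = [
    {"Effect": "Deny", "Principal": "user:alice",
     "Action": "storage:GetObject", "Resource": "bucket:reports/*"},
]

REQUEST = ("user:alice", "storage:GetObject", "bucket:reports/q1.csv")


def _matches(pattern: Union[str, List[str]], value: str) -> bool:
    patterns = pattern if isinstance(pattern, list) else [pattern]
    return any(fnmatchcase(value, p) for p in patterns)


def _applies(stmt: Statement, principal: str, action: str, resource: str) -> bool:
    # Identity-based statements carry no Principal; they apply to the attached user.
    return (_matches(stmt.get("Principal", "*"), principal)
            and _matches(stmt["Action"], action)
            and _matches(stmt["Resource"], resource))


def evaluate(policies: Iterable[Statement], principal: str, action: str, resource: str) -> str:
    """Simplified deny-overrides evaluation: an explicit Deny in any applicable statement
    wins; otherwise an applicable Allow grants; otherwise the request is implicitly denied."""
    allowed = False
    for stmt in policies:
        if not _applies(stmt, principal, action, resource):
            continue
        if stmt["Effect"] == "Deny":
            return "explicit deny"
        if stmt["Effect"] == "Allow":
            allowed = True
    return "allow" if allowed else "implicit deny"


def decide(identity_policy: Sequence[Statement], resource_policy: Sequence[Statement],
           principal: str, action: str, resource: str) -> str:
    """Identity-based and resource-based statements are evaluated together."""
    return evaluate(list(identity_policy) + list(resource_policy), principal, action, resource)


def with_deny_removed(policy: Sequence[Statement]) -> List[Statement]:
    return [dict(s) for s in policy if s["Effect"] != "Deny"]


def with_deny_changed_to_allow(policy: Sequence[Statement]) -> List[Statement]:
    return [dict(s, Effect="Allow") if s["Effect"] == "Deny" else dict(s) for s in policy]


if __name__ == "__main__":
    identity_allow = [{"Effect": "Allow", "Action": "storage:*", "Resource": "*"}]
    print("as given:          ", decide(IDENTITY_POLICY, RESOURCE_POLICY, *REQUEST))
    print("add identity allow:", decide(identity_allow, RESOURCE_POLICY, *REQUEST))
    print("remove the deny:   ", decide(IDENTITY_POLICY, with_deny_removed(RESOURCE_POLICY), *REQUEST))
    print("deny -> allow:     ", decide(IDENTITY_POLICY, with_deny_changed_to_allow(RESOURCE_POLICY), *REQUEST))
```

Running the four scenarios reproduces the elimination in the answer: the identity allow is overridden, removing the deny still ends in the implicit deny, and only the changed statement yields "allow".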
In which device provisioning strategy does an organization pay for and provide a mobile device to employees while allowing employees personal use of the device? A. BYOD B. CYOD C. VDI D. COPE
D. COPE (company pays) ---------- D. In the corporate owned personally enabled (COPE) mobile device provisioning strategy, the organization provides mobile devices to employees for both personal and business use. The organization will often pay partial or full monthly costs related to the mobile device, and in some jurisdictions this is considered an income tax benefit to the employee. A, B, and C are incorrect. Bring your own device (BYOD) is a corporate mobile device strategy that enables employees to use their own personal mobile devices for business use. BYOD organizations will often pay a portion of the monthly cost of the device usage. With choose your own device (CYOD), employees are provided a selection of mobile devices that they can choose from for business use. Virtual Desktop Infrastructure (VDI) provides remote desktop and apps access from any type of device, even using only a web browser.
You work in the IT department at a military base. The IT department has secured issued smartphones to require that users must provide not only user credentials to sign in, but they must also be present at the base. Which term best describes this scenario? A. Single sign-on B. Multifactor authentication C. Identity federation D. Context-aware authentication
D. Context-aware authentication ---------- D. Context-aware authentication uses not only standard identification mechanisms such as usernames and passwords, but it also uses factors such as device location, type of configuration, time of day, and so on. A, B, and C are incorrect. Single sign on (SSO) is an authentication configuration that enables users to sign in once and access multiple resources without having to re-enter authentication credentials. Multifactor authentication (MFA) uses multiple authentication categories together, such as something you know (username and password), something you are (fingerprint), and something you have (smartcard, key fob, unique authentication PIN derived from alternative device). Identity federation is an authentication configuration that links identity stores across administrative boundaries, such as between organizations. As an example, users in organization B may require access to resources in organization A. With identity federation, resources in organization A may be configured to "trust" successful authentication tokens from organization B. This means organization B user identities do not have to be duplicated in organization A to enable access to resources in organization A by organization B user accounts.
After sensitive data is leaked from within your organization, you decide to implement security solutions on all desktop computers that will ensure that sensitive documents are shared only with authorized parties. Desktop computers must also be protected from malicious code and must block network traffic not initiated by the desktop itself. Which of the following solutions will best address these concerns? A. Opal-compliant self-encrypting drive full-disk encryption, DLP, firewall B. DLP, full disk backup, firewall C. Anti-malware, disk encryption using TPM, firewall D. DLP, anti-malware, firewall
D. DLP, anti-malware, firewall ----------- D. Data loss prevention (DLP) software solutions can reduce the potential of intentional and unintentional sensitive data leaks, such as preventing the forwarding of confidential data to e-mail addresses outside the organization. Anti-malware, if kept up-to-date, can help protect devices from malicious code. A desktop computer with a host-based firewall configured can allow or block network traffic to or from that computer. Next-generation firewalls take this a step further by inspecting all details in the transmissions. A, B, and C are incorrect. The listed items, such as a self-encrypting drive (SED) that uses the Opal security specification, do not address the malicious code or sensitive data leak concerns. Answers not addressing the prevention of data leakage, malware mitigation, or network traffic control through a firewall are incorrect.
You have been tasked with deploying a security solution that will monitor activity related to a specific application server. The solution must be able to detect suspicious activity and take steps to prevent the activity from continuing. What should you deploy? A. NIDS B. NIPS C. HIDS D. HIPS
D. HIPS ------- D. A host-based intrusion prevention system (HIPS) runs on a specific host such as an application server. A HIPS can be configured to detect anomalous behavior related to that host and is not limited to reporting/alerting/logging the activity; it can also take action to stop it, such as blocking specific types of network traffic from specific hosts or terminating a process. A, B, and C are incorrect. A network-based intrusion detection system (NIDS) is not specific to a host but instead analyzes network traffic from many sources to detect potentially malicious activity. A network-based intrusion prevention system (NIPS) has the additional capability of stopping a potential attack, such as by blocking or limiting the type and amount of network traffic from hosts, but it watches the network rather than one application server. A host-based intrusion detection system (HIDS) can detect and report/alert/log host-specific suspicious activity but does not take steps to stop or prevent it.
You have been tasked with disabling the SMS text messaging multimedia message service (MMS) on user smartphones. Which type of SMS texting risk is directly mitigated with this configuration? A. Injection attack B. Identity theft C. Ransomware triggered from an e-mail message file attachment D. Malicious code embedded in video files
D. Malicious code embedded in video files ---------- D. When MMS is enabled, malicious code embedded in media files (images, audio, video) can be delivered to the phone in a message and processed by the handset's media parsers. Disabling MMS removes that delivery path. Rich Communication Services (RCS) is a separate, newer messaging protocol, not another name for MMS.
Your organization manages valuable pharmaceutical research data. Company security policies require Android mobile device users to use cryptographic keys to protect sensitive data. The keys cannot be stored on the device itself. What type of accompanying hardware should be used for securely storing cryptographic keys? A. Next-generation firewall B. USB On-The-Go C. Secondary SIM card D. MicroSD HSM
D. MicroSD HSM ------------- D. A MicroSD hardware security module (HSM) is a removable tamper-resistant card that generates and stores keys and performs cryptographic operations on the card itself, so the keys never reside on the device's own storage. A, B, and C are incorrect. A next-generation firewall is a network device, not key storage. USB On-The-Go (OTG) lets a smartphone act as a USB host so that, through an OTG adapter, it can read ordinary USB storage; that storage is not tamper-resistant key storage. A SIM card authenticates the subscriber to the carrier and is not a general-purpose key store for applications.
A member of your team made changes to the configuration of the wireless network. Existing devices are still able to connect to the network, but you are unable to find the network to connect to when trying to deploy a new laptop. What change did the team member most likely make? Disabled MAC filtering Disabled SSID broadcasting Enabled MAC filtering Enabled SSID broadcasting
Disabled SSID broadcasting. Existing clients already know the network name and keep connecting; a new device does not see it in the scan list and must have the SSID entered manually. Hiding the SSID is not a security control: the name still appears in probe and association frames and is trivially recovered with a wireless sniffer.
As you are deploying wireless authentication protocols, a request comes up to eliminate the need for client certificates. Which of the following requires a client certificate? EAP-TLS PEAP EAP-TTLS EAP-FAST
EAP-TLS. EAP-TLS performs mutual TLS authentication, so every client needs its own certificate. PEAP, EAP-TTLS and EAP-FAST authenticate the server with a certificate (or, for EAP-FAST, a protected access credential) and then carry client credentials such as a password inside the protected tunnel, so no client certificate is required.
What feature enables users to secure sensitive information on a mobile device's removable flash memory storage card? FDE UEM OTA updates VDI
FDE. Full disk encryption (FDE) applied to the removable storage card protects its contents if the card is taken out of the device.
Which of the following enables the use of location services for applications on mobile devices? BYOD GPS MMS OTA
GPS
Every photo taken with a smartphone at an investigation firm includes data on the geographic coordinates where the photograph was taken. What term describes this action? Geofencing Geosynchronous GPO Geotagging
Geotagging
You want your users' valid authentication information to be shared across trusted entities so the users can seamlessly roam across different wireless networks without having to reauthenticate. Which of the following can allow this? RADIUS federation WPA3 CCMP Captive portal
RADIUS federation
Your organization is conducting a wireless site survey for proper AP placement. Which of the following provides a visual method for understanding the coverage and signal strength and may help with this process? MAC filtering Yagi MU-MIMO Heat map
Heat map
Your account policies require employees to change their passwords every 30 days. The employees, however, continue to create passwords that are susceptible to dictionary attacks, and they are just alternating between two passwords with each change. Which of the following policies would be the best choices for fixing this? (Select two.) Lockout Length History Complexity
History Complexity
You are a security administrator and learn that a user has been emailing files containing credit card number data from the corporate domain to his personal email account. This data is typically required to go to a third-party business partner. Which of the following solutions could you implement to prevent these emails or attachments from being sent to personal email accounts? Implement a DLP solution to prevent employees from emailing sensitive data. Implement a mail solution that requires TLS connections to encrypt the emails. Implement a mail solution that employs encryption and that will prevent email from being sent externally. Implement a DLP solution to prevent sensitive data from being emailed to non-business accounts.
Implement a DLP solution to prevent sensitive data from being emailed to non-business accounts.
Which of the following is a symmetric key-based authentication protocol that uses a key distribution center? TACACS+ Kerberos RADIUS HSM
Kerberos. Kerberos uses symmetric keys and a key distribution center (KDC) that issues tickets. TACACS+ and RADIUS are AAA protocols for network access, and an HSM is a key-storage device, not an authentication protocol.
Your corporate policies require the use of passphrases rather than passwords. Which of the following technical controls could be put in place to best promote the use of passphrases? (Select two.) Lockout Length History Complexity
Length Complexity
Your company requires a switch feature that makes additional checks in Layer 2 networks to prevent STP issues. Which of the following safeguards should be implemented? Loop Guard Flood protections Implicit deny Port security
Loop Guard
As more users are using mobile devices for work, you have been tasked with supporting the compliance team by ensuring that policies can be enforced. You also need remote management capabilities of the devices. Which of the following solutions should you consider? GPS MDM OTP PIN
MDM
What type of access control is often used in government systems, where resources and access are granted based on categorical assignments such as classified, secret, or top secret? Mandatory access control (MAC) Discretionary access control (DAC) Attribute-based access control (ABAC) Role-based access control (RBAC)
Mandatory access control (MAC)
Ramone, a user in your organization, is a member of the accounting group, which has full access permission to a folder named Private Information Assigned. Ramone also belongs to the sales group, which has deny access permission assigned to the same private information folder. What can Ramone do to the private information folder? Nothing Everything Save files to the folder Save files to the folder and delete files in the folder
Nothing. An explicit deny takes precedence over any allow, so the deny assigned to the sales group overrides the full access the accounting group grants, and Ramone has no access to the folder.
What is the term for disabling, deactivating, or deleting a user identity from the environment based on company policy when the user leaves the company? Least privilege IdP Onboarding Offboarding
Offboarding
Based on the following permissions for a file, which one of the following statements is not true? rwxr----- The owner has read, write, and execute permissions. The group has read permissions. Those other than the owner or group have no permissions. Only the group has both read and write permissions.
Only the group has both read and write permissions.
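An added example (not from the original) in Python that parses a mode string like the one above into per-class permissions and octal, and answers "can this user do X" the way the kernel does: owner class first, then group, then other, whichever applies first. The functions are hypothetical illustrations; the owner-before-group rule is the part worth noticing, since an owner who is also in the group gets only the owner bits.

```python
from typing import Dict, Set

CLASSES = ("owner", "group", "other")


def parse_mode(mode: str) -> Dict[str, Set[str]]:
    """Turn a 9-character mode string such as 'rwxr-----' into per-class permission sets."""
    if len(mode) != 9:
        raise ValueError("expected 9 characters, got %r" % mode)
    perms: Dict[str, Set[str]] = {}
    for i, cls in enumerate(CLASSES):
        triple = mode[i * 3:i * 3 + 3]
        perms[cls] = {ch for ch in triple if ch != "-"}
    return perms


def to_octal(mode: str) -> str:
    """'rwxr-----' -> '740' (read=4, write=2, execute=1 per class)."""
    perms = parse_mode(mode)
    digits = ""
    for cls in CLASSES:
        bits = perms[cls]
        digits += str((4 if "r" in bits else 0) + (2 if "w" in bits else 0) + (1 if "x" in bits else 0))
    return digits


def effective_class(is_owner: bool, in_group: bool) -> str:
    """The kernel consults exactly one class: owner if you own the file, else group
    if you are in the file's group, else other. It never falls through to a later class."""
    if is_owner:
        return "owner"
    if in_group:
        return "group"
    return "other"


def can(mode: str, op: str, *, is_owner: bool, in_group: bool) -> bool:
    """Whether a user with the given relationship to the file may perform op ('r', 'w' or 'x')."""
    return op in parse_mode(mode)[effective_class(is_owner, in_group)]


if __name__ == "__main__":
    print("rwxr----- as octal:", to_octal("rwxr-----"))
    print("group member can write:", can("rwxr-----", "w", is_owner=False, in_group=True))
    # Edge case: owner who is also in the group gets the owner bits only.
    print("owner (also in group) can write r--rwx---:",
          can("r--rwx---", "w", is_owner=True, in_group=True))
```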
Which of the following use SAML? (Select two.) Secure token OpenID OAuth LDAP
OpenID OAuth -------- Security Assertion Markup Language (SAML) is an XML standard that allows secure web domains to exchange user authentication and authorization data. This allows a user's login credentials to be stored with a single identity provider instead of being stored on each web service provider's server.
What type of key goes into key escrow? Public Shared Private Session
Private
Which of the following types of certificates allows you to digitally sign and encrypt email messages and attachments? DER PFX Self-signed S/MIME
S/MIME --------------- Secure/Multipurpose Internet Mail Extensions (S/MIME) is a protocol for securing email messages. MIME is the standard for how an electronic message is organized, and S/MIME describes how encryption information and a digital certificate are included as part of the message, so users can send messages that are both encrypted and digitally signed. An S/MIME certificate is one issued for that purpose. PFX (Personal Information Exchange, the PKCS #12 container format) bundles a certificate with its private key for moving them between systems; DER is a binary certificate encoding; and a self-signed certificate is one signed with its own key rather than by a CA. None of those three is a certificate type for email protection.
Which of the following protocols use SSH? (Select two.) SCP FTPS SFTP SSL
SCP SFTP -------- SCP (secure copy protocol) copies files between hosts over an SSH connection, and SFTP (SSH File Transfer Protocol) is a file-transfer subsystem of SSH. FTPS is FTP secured with TLS, and SSL is itself a transport security protocol, so neither uses SSH.
Which of the following correctly matches each protocol to its default port? SSH:22; SMTP:25; DNS:53; HTTP:80; LDAPS:389 SSH:21; SMTP:22; DNS:35; HTTP:110; LDAPS:636 SSH:22; SMTP:25; DNS:53; HTTP:80; LDAPS:636 SSH:22; SMTP:23; DNS:35; HTTP:69; LDAPS:389
SSH:22; SMTP:25; DNS:53; HTTP:80; LDAPS:636
You are consulting for an organization that has only ever required outbound Internet access. The organization now needs to deploy a web server for its customers (and it will maintain the web server) but is concerned about inbound access to the organization network. Which one of the following should you recommend? VLAN VPN Load balancer Screened subnet
Screened subnet
Your company will have a new branch office. You need to seamlessly provide branch office users access to the corporate network resources as if they were at the corporate offices. Which of the following would best enable you to accomplish this goal? VLANs Site-to-site VPN Spanning Tree Protocol Screened subnet
Site-to-site VPN
Which of the following is a white-box testing process for detecting bugs in the early stages of program development? Dynamic analysis Static analysis Fuzzing Sandboxing
Static analysis ---------------- Static analysis examines source code or binaries without running them, so it can be applied as soon as code is written (a white-box technique, since the analyst has the code) and catches bugs such as unchecked inputs or insecure API use before testing begins. Dynamic analysis observes the program while it executes; fuzzing is dynamic testing that feeds malformed or random inputs to find crashes and unhandled cases; and sandboxing isolates a running program so that its effects are contained. None of those three can be applied before there is something to run.
What device security methods can be implemented to protect business content from security risks associated with personal usage? (Select two.) Jailbreaking Storage segmentation Containerization Rooting
Storage segmentation Containerization
Your organization has established a hierarchical PKI and deployed several CAs in the process. Which one of the following steps should your organization be sure to take? Take the root CA offline. Take all subordinate CAs offline. Take the root CA online. Take all subordinate CAs online with the exception of the intermediates.
Take the root CA offline. The root's private key anchors trust for the whole hierarchy and cannot be revoked, so it is kept powered off and disconnected, used only to sign subordinate CA certificates and its CRL; the online subordinate (intermediate) CAs do the day-to-day issuing.
Which of the following statements are correct regarding Shibboleth SSO? (Select two.) The identity provider (IdP) authenticates the user. The service provider (SP) authenticates the user. The identity provider (IdP) performs the SSO process for the protected resource. The service provider (SP) performs the SSO process for the protected resource.
The identity provider (IdP) authenticates the user. The service provider (SP) performs the SSO process for the protected resource.
Your developers made certain that any input to a search function they developed would result in commas, quotes, and other certain special characters being stripped out. Which of the following is likely their reasoning? They are paranoid, and they should allow the original input term to process as is. They want to prevent SQL injection by validating the input. They want to prevent privilege escalation by providing proper exception handling. They are lazy and didn't want to have to refactor their search algorithm.
They want to prevent SQL injection by validating the input. Stripping quotes, commas and similar characters is a blocklist filter: it breaks legitimate input (a name like O'Brien) and does not help where no quote is needed to break out of the query, such as a numeric comparison. Parameterized queries, which pass the search term as data rather than as part of the SQL text, are the dependable control, with input validation as a second layer.
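An added example, not from the original question, contrasting the approaches in Python with the standard sqlite3 module: a vulnerable search that splices the term into SQL, the same search with special characters stripped, the parameterized version, and a numeric lookup where stripping quotes does not help. The products table, its rows and the payload strings are constructed for the demonstration.

```python
import sqlite3
from typing import List


def seed() -> sqlite3.Connection:
    """Constructed catalogue: two public products and one row the search must never expose."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, internal INTEGER)")
    conn.executemany("INSERT INTO products (name, internal) VALUES (?, ?)",
                     [("widget", 0), ("gadget", 0), ("roadmap-2025", 1)])
    return conn


def search_vulnerable(conn: sqlite3.Connection, term: str) -> List[str]:
    """'Before' version: the search term is spliced into the SQL text."""
    sql = "SELECT name FROM products WHERE internal = 0 AND name LIKE '%{}%'".format(term)
    return sorted(row[0] for row in conn.execute(sql))


def strip_specials(term: str) -> str:
    """The approach the developers in the question took: drop characters with SQL meaning."""
    return "".join(ch for ch in term if ch not in "',\";-()")


def search_parameterized(conn: sqlite3.Connection, term: str) -> List[str]:
    """The robust control: the term travels as a bound parameter, never as SQL text,
    so quotes and comment markers in it are just characters to match."""
    sql = "SELECT name FROM products WHERE internal = 0 AND name LIKE ?"
    return sorted(row[0] for row in conn.execute(sql, ("%{}%".format(term),)))


def lookup_by_id_stripped(conn: sqlite3.Connection, raw_id: str) -> List[str]:
    """Stripping quotes does nothing for a numeric context: no quote is needed to break out."""
    sql = "SELECT name FROM products WHERE id = {}".format(strip_specials(raw_id))
    return sorted(row[0] for row in conn.execute(sql))


def lookup_by_id_safe(conn: sqlite3.Connection, raw_id: str) -> List[str]:
    """Allow-list validation (must be an integer) plus a bound parameter."""
    if not raw_id.isdigit():
        return []
    sql = "SELECT name FROM products WHERE id = ?"
    return sorted(row[0] for row in conn.execute(sql, (int(raw_id),)))


if __name__ == "__main__":
    conn = seed()
    payload = "' OR 1=1 --"        # constructed injection string
    print("vulnerable:     ", search_vulnerable(conn, payload))
    print("stripped:       ", search_vulnerable(conn, strip_specials(payload)))
    print("parameterized:  ", search_parameterized(conn, payload))
    print("numeric, strip: ", lookup_by_id_stripped(conn, "1 OR 1=1"))
    print("numeric, safe:  ", lookup_by_id_safe(conn, "1 OR 1=1"))
```

The payload turns the first query into `... AND name LIKE '%' OR 1=1 --%'`, and the trailing `--` comments out the rest, so the internal row leaks. Stripping defeats that particular string, but the numeric lookup shows the same filter failing where no quote is involved; only the bound parameter holds up in both cases.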
Why do vendors provide MD5 values for their software patches? To provide the necessary key for patch activation To allow the downloader to verify the authenticity of the site providing the patch To ensure that auto-updates are enabled for subsequent patch releases To allow the recipient to verify the integrity of the patch prior to installation
To allow the recipient to verify the integrity of the patch prior to installation. Recomputing the digest locally and comparing it with the published value shows whether the download was corrupted or altered in transit. Two caveats: a digest posted on the same site as the download proves nothing about the site's authenticity (a digitally signed package does), and MD5 is collision-broken, so vendors should publish SHA-256 values instead.
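This question and the earlier one on hashing for data integrity share one added example (not from the original material) in Python: a streaming file digest, a constant-time comparison against a published value, and a run that shows the check passing on a constructed file and failing after a one-byte change. File names, contents and the "published" digest are constructed here; SHA-256 is the default for the reason given above, with MD5 kept selectable for legacy vendor listings.

```python
import hashlib
import hmac
import tempfile
from pathlib import Path
from typing import Dict


def bytes_digest(data: bytes, algorithm: str = "sha256") -> str:
    """Hex digest of an in-memory byte string (handy for checking known test vectors)."""
    return hashlib.new(algorithm, data).hexdigest()


def file_digest(path: Path, algorithm: str = "sha256", chunk_size: int = 1 << 16) -> str:
    """Stream the file so a multi-gigabyte patch does not have to fit in memory."""
    h = hashlib.new(algorithm)
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_download(path: Path, published: str, algorithm: str = "sha256") -> bool:
    """Compare the computed digest with the vendor-published one in constant time.
    Tolerates upper-case hex and surrounding whitespace as copied from a web page."""
    return hmac.compare_digest(file_digest(path, algorithm), published.strip().lower())


def demo() -> Dict[str, bool]:
    """Constructed end-to-end run: a fake patch file, its 'published' digest, then a one-byte change."""
    with tempfile.TemporaryDirectory() as tmp:
        patch = Path(tmp) / "vendor-patch-1.2.3.bin"
        patch.write_bytes(b"constructed patch payload, build 1.2.3\n")
        published = file_digest(patch)          # what the vendor would post beside the download
        intact = verify_download(patch, published)
        patch.write_bytes(b"constructed patch payload, build 1.2.4\n")   # tamper with one byte
        tampered = verify_download(patch, published)
    return {"intact_verifies": intact, "tampered_verifies": tampered}


if __name__ == "__main__":
    print(demo())
```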
Your network IDS is reporting a high number of false positives. What does this mean? Typical or expected behavior is being identified as irregular or malicious. Alerts that should have been generated are not occurring. The activity is being categorized into one of the following types: benign, suspicious, or unknown. The IDS is preventing intrusions instead of detecting them.
Typical or expected behavior is being identified as irregular or malicious.
Which of the following allows a VPC to be connected with other services without the need for additional technologies such as a VPN connection or an Internet gateway? CASB SWG VPC endpoint DevSecOps
VPC endpoint. A virtual private cloud (VPC) endpoint gives resources inside the VPC a private path to a supported cloud service over the provider's own network, so no Internet gateway, NAT or VPN is needed and the traffic never traverses the public Internet. A cloud access security broker (CASB) and a secure web gateway (SWG) are policy-enforcement proxies, and DevSecOps is a development practice, not a connectivity feature.