Security+ Practice Test #7


At Kelly Innovations Corp., during a routine audit, Alex discovered that the database supporting their CRM application was corrupted. He immediately informed Kevin, the senior database administrator. Kevin decided to restore the database from the most recent clean backup, ensuring that the CRM would be functional with minimal data loss. What action is Kevin taking to address the issue?

Application recovery

Which of the following activities is MOST crucial for ensuring that known vulnerabilities in software or hardware are addressed before they can be exploited by attackers?

Applying security updates

When comparing and contrasting different architecture models, which of the following is a key consideration that can be impacted MOST by the chosen architecture?

Availability

A security analyst is performing a security assessment of an application that processes sensitive data. He uses a tool that injects random data into the application's input fields and monitors its behavior. He notices that when he injects a long string of characters into one of the input fields, he gets an error message that indicates a memory address and some hexadecimal values. What type of application-based attack is he potentially able to perform?

Buffer overflow

Which of the following terms refers to the delivery of computing services over the internet, such as servers, storage, databases, networking, software, analytics, and intelligence?

Cloud

Jamario, after consulting with Mary at Dion Training, decided to standardize the software environment across all company workstations. He wanted a consistent and reproducible setup that could easily be deployed on any new workstation. Which of the following is the BEST technique for Jamario to maintain this consistent setup?

Creating a standardized system image.

While monitoring the company's encrypted data transmissions, Jamario noticed that certain data streams, which usually employed robust encryption protocols, were now using older, less-secure encryption standards. He recognized this could make the data more vulnerable to unauthorized decryption. Which of the following BEST captures the type of attack Jamario discovered affecting Kelly Innovations LLC's encrypted transmissions?

Cryptographic Downgrade

Sasha, the head of IT at Kelly Innovations LLC, has already implemented both SPF and DKIM. She now wants to ensure that if emails from her domain fail these checks at the receiver's end, the emails are quarantined and she also gets a report about such occurrences. Which additional protocol should she adopt?

DMARC

Kelly Investments LLC is preparing datasets for a third-party analytics company. They want to ensure that personally identifiable information (PII) of its customers remains confidential, while still keeping the structure of the data intact for analysis. Which of the following techniques would be MOST appropriate for the institution to employ?

Data Masking

After infiltrating the secure servers of Dion Innovations, an organized crime group discreetly transfers massive amounts of proprietary data to an external location for later sale on the dark web. What is this action an example of?

Data exfiltration

Kelly Innovations LLC, a Software as a Service (SaaS) provider, intends to store data pertaining to its European clientele. In accordance with GDPR, there are stipulations regarding the physical locality of data storage. Which of the following terms defines the mandate that data be stored and processed in compliance with the legal provisions of its residing nation?

Data sovereignty

Which of the following BEST describes the primary purpose of establishing rules of engagement when conducting a security assessment for a third-party vendor?

Defining the boundaries and limitations during the assessment.

Dion Training's IT department decided to upgrade a Windows server's OS from Windows Server 2016 to Windows Server 2019. This required a scheduled outage for three hours during off-peak hours, where none of the services running on the server would be available. Which of the following terms BEST describes the state of the system?

Downtime

Which of the following methods BEST ensures the security of data at rest?

Encryption and access control lists (ACLs).

Mary, a network administrator at Dion Training, is discussing with Enrique ways to harden the company's mobile devices. Which technique would be the MOST effective for them to implement first?

Enforce full device encryption.

An organization aims to elevate its security posture through improved system configurations. Which of the following BEST describes how automation supports this initiative?

Enforcing consistent baselines across devices.

Sarah, a cloud engineer, often needs to perform maintenance on cloud resources. To ensure high security, her organization wants to grant her access credentials that last only for the duration of her maintenance task and then automatically expire. Which of the following methods is BEST suited for this scenario?

Ephemeral credentials

Employees at Dion Training Solutions began to complain about extremely slow internet speeds. The network team noticed that a significant amount of bandwidth was being used up by a single IP address streaming high-definition videos non-stop. Which of the following BEST describes the issue faced by Dion Training Solutions?

Excessive resource consumption.

Which set of standards and guidelines is developed by NIST and specifies requirements for cryptographic modules used within federal computer systems in the United States?

FIPS

Which of the following terms refers to a scenario where a potentially harmful or malicious event goes undetected by a system or tool, resulting in no alert or action being taken?

False negative

Upon returning from vacation, Vanessa noticed that her workstation seemed slower than usual. Not only were applications lagging, but there were also instances when scripts would momentarily appear and vanish from her screen. Concerned, she ran her antivirus software, but it didn't detect any malicious files. Puzzled, she decided to consult her company's cybersecurity team. They initiated a deep dive and found that the system was running a series of unusual command line tasks, and there was evidence of unauthorized WMI queries. They also observed that some of the tasks appeared to be initiated by a host process, yet no associated files were detected on the disk. Which of the following types of malware is MOST likely responsible for the oddities on Vanessa's workstation?

Fileless Malware

Which of the following legislation focuses on ensuring the privacy and security of patient health information in the US?

HIPAA

To improve security on consumer passwords, Alpha Omega Funerals purchased software that will use an algorithm to create a new string of a specific length. The process is completed once. This will prevent the passwords from being transferred in plaintext. What is this method known as?

Hashing

Dion Training, an international streaming service, wants to ensure its content is only accessible in countries where it has distribution rights. To ensure compliance with content licensing agreements, which of the following methods would be the BEST solution?

IP geolocation filtering

Dion Training Solutions wants to implement a security system that can inspect incoming traffic in real-time, detect malicious activities, and then take action to block those activities immediately. Which of the following would be the MOST appropriate solution?

IPS

To ensure compliance with international data protection laws and safeguard clients' confidential legal details, which of the following strategies would be BEST for a multinational law firm to adopt?

Implementations of GDPR-compliant data handling practices.

At Dion Training Solutions, Susan, the network administrator, wants a solution that examines webpage addresses in real-time to ensure employees are only accessing safe websites. Which of the following would be the MOST effective method to achieve this?

Implementing URL scanning.

What key principle underpins the European Union's General Data Protection Regulation (GDPR) concerning personal data collection and processing?

Informed consent

Reed, a disgruntled employee at Dion Training, began copying sensitive company data onto a flash drive, planning to sell it to a competitor after feeling overlooked for a promotion. Which of the following terms BEST describes Reed's actions?

Insider Threat

At NovoTech, employees often use the same password for their email, CRM, and intranet platforms. The typical password format they use is "PlatformName123!" (e.g., "Email123!", "CRM123!"). Recognizing the security risk, what should NovoTech's cybersecurity lead recommend to address the issue of password reuse effectively?

Introduce unique password requirements for each platform.

Which mitigation technique ensures that different network components are separated to prevent potential breaches from spreading?

Isolation

Carlos, a new security consultant at Dion Training Solutions, is tasked with identifying potential security vulnerabilities in the company's data center. He requests the latest server architecture diagram but receives one that's over a year old. Why is using this diagram potentially problematic for Carlos's task?

It might not reflect the current architecture, leading to overlooked vulnerabilities.

John is an IT administrator at Dion Training Solutions. Due to the dynamic nature of his job, he often requires access to various servers and systems on an as-needed basis. The organization wants to ensure that John is granted access only when required and for a short duration. Which security approach would be MOST suitable for John's role?

Just-in-time permissions

You are a network engineer for a large hospital that has a complex network infrastructure that supports various devices and applications. You want to use a mitigation technique that can help you apply the minimum level of access or privileges required for users or processes to perform their tasks, such as doctors, nurses, patients, etc. Which of the following mitigation techniques can help you achieve this goal?

Least privilege

Which of the following is a disadvantage of agentless posture assessment in Network Access Control (NAC) solutions?

Less detailed information about the client is available.

Dion Training Solutions is experiencing high volumes of web traffic, leading to delays and downtimes on their main website. They want a solution that distributes incoming web requests across multiple servers to ensure uptime and responsiveness. Which of the following would BEST address this concern?

Load balancer

Globex Corporation is looking to enter into a long-term business relationship with a vendor to provide IT services. They want to establish the general terms and conditions that will apply to future agreements with the vendor. Which type of agreement do they want to set up?

MSA

Which term is defined as the average operational period between the occurrence of two consecutive failures in a system or component?

MTBF

You receive an email from your bank asking you to verify your account details by clicking on a link. The email looks legitimate, but you are suspicious. What kind of threat vector was used for this attack?

Message-based

Which of the following is the MOST effective method to defend against unauthorized access to the memory of a physical server through VM escaping?

Monitoring and promptly patching hypervisor software.

Dion Training Solutions is deploying a new security system to monitor and detect malicious activities in real-time on their network. They want a device that can analyze network traffic without interfering or disrupting the flow. Which of the following would best meet this requirement?

Network appliance sensor

Which of the following terms refers to an organization that maintains a balanced approach towards risk, willing to engage in risks that are aligned with strategic objectives and are within their capacity to manage?

Neutral risk appetite

What kind of data typically requires processing by machines and specialized software?

Non-human readable

Which of the following terms refers to a comprehensive evaluation of risks within an organization that occurs at a specific moment, often to assess the impact of a new system implementation or gain an independent view of operational maturity?

One-time

Dion Training is researching cryptographic solutions that distribute transactional data across a peer-to-peer network, ensuring that no single entity controls the entire transaction history. What solution emphasizes this peer-to-peer distribution?

Open public ledger

Which of the following statements BEST explains the importance and security implications of ownership concerning hardware, software, and data asset management?

Ownership establishes accountability, reducing insider threat risks.

Which standard mandates specific security requirements for organizations that handle branded credit cards from the major card issuers, aiming to protect cardholder data?

PCI DSS

Dion Solutions, an e-commerce platform, has decided to overhaul its user authentication system. Instead of relying on traditional passwords, they want to provide users with an option where their online account credentials are proven only when they unlock their biometric-enabled laptops, all underpinned by public key cryptography. By doing this, users won't need to remember or enter passwords for their accounts. Which of the following BEST describes this authentication solution?

Passkey

Kelly Innovations LLC is launching a new mobile banking application. Their security team wants to leverage a more robust authentication mechanism that doesn't require users to remember complex passwords. Instead, when a user tries to sign in, they would just unlock their phone to prove their identity, with no need for entering a password on the application. This is achieved using a mechanism based on public key cryptography. Which of the following MOST describes this authentication solution?

Passkey

Which of the following terms refers to the ability to obtain and apply security updates or fixes for software or systems?

Patch availability

Which of the following BEST describes data that is considered sensitive under the EU's General Data Protection Regulations (GDPR)?

Personal data that includes religious beliefs and political opinions.

What is the main reason for implementing multi-cloud systems in security architecture?

Platform diversity

Which sensor type is designed to measure the force or load applied on it, often used to detect presence or absence of objects?

Pressure

Jason receives an email at his Kelly Innovations LLC account. The email seems to be from Reed, a coworker, and states that Reed urgently needs to see the invoice for a recent project. However, Reed specifies he needs it within the next 10 minutes as he is in a meeting with Sasha and top executives. Jason quickly sends over the invoice without double-checking with Reed. Which type of attack best describes this situation?

Pretexting

Which of the following techniques involves an attacker creating a scenario in order to deceive someone into providing sensitive information?

Pretexting

To enhance the privacy of its users, Kelly Innovations LLC is considering a system that can act as an intermediary for internet requests, hiding the origin of the request from the destination server. Which solution would BEST fit this purpose?

Proxy Server

Recently, the IT team at Dion Training Solutions noticed multiple instances of security mishaps by the employees. There were incidents involving weak passwords, improper data storage, and unreported phishing attempts. Management was concerned about these repeated mistakes and sought a method to educate and guide their employees about maintaining cybersecurity best practices. Which of the following solutions would BEST assist the organization in preventing future security incidents?

Publishing security policies, best practices, and training materials.

Which of the following cryptographic methods involves two distinct keys - one private and one public - ensuring that a message encrypted with one key can only be decrypted by its counterpart?

RSA

After resolving reported SQL injection vulnerabilities in their database, Dion Training wishes to confirm that these specific weaknesses have indeed been patched. Which action is MOST appropriate for this purpose?

Re-executing vulnerability scans on affected database endpoints.

Alexis, a network security specialist at DeltaCorp, was alerted to an unusual activity on the company's server. She discovered that software, appearing to be a legitimate control program, was installed without the IT department's knowledge. This software was covertly allowing an external entity to upload files, change configurations, and even execute commands, all without raising any immediate alarms. Which type of malware is MOST likely responsible for the activities on DeltaCorp's server?

Remote Access Trojan (RAT)

A company's single-factor authentication system has failed. Which of the following would be an example of a compensating control that the company could implement to maintain security?

Requiring multi-factor authentication if single-factor authentication fails.

During e-discovery, which activity is a key focus?

Reviewing electronic files to extract relevant documents for a legal case.

A pharmaceutical company decides that while it will invest heavily in research and development for cutting-edge treatments, it will not pursue medical devices due to the different regulatory environment and company expertise. This decision is an example of:

Risk appetite

Which element of the risk management process involves identifying the individuals or departments responsible for managing and mitigating specific risks?

Risk owners

At Dion Training, the risk management team has completed a comprehensive risk assessment and identified potential risks across various departments. To ensure proactive risk management and response, they want to establish a system for continuously monitoring and tracking these identified risks. Which element of the risk management process should the risk management team implement to monitor and track the identified risks over time?

Risk register

At Dion Defenders, the risk management team has completed the risk assessment process and identified various risks to the company's information systems. They are now preparing to communicate the risk-related information to relevant stakeholders and management for informed decision-making. What part of the risk assessment process are they undertaking?

Risk reporting

Good Sense Incense, a spice producer, has hired a penetration tester. Before the testing begins, the two companies agree on the overall project to be completed, the deliverables, timelines, and costs, and sign a formal document with the details included. What is the document they have signed?

SOW

Which of the following BEST emphasizes the critical role of sanitization in ensuring secure hardware, software, and data asset management?

Sanitization erases all data from a storage device, rendering it unrecoverable.

Elaborate You, a fashion design studio, is reviewing their security systems. Stanley, an IT manager, has explained the PKI system to his boss. Their boss is alarmed by the idea of public keys and wants to purchase a storage device to save symmetric and asymmetric keys. Stanley has explained that the Apple-based devices the company uses have a storage system like this on a chip embedded in the devices. What is the name of the device that Stanley is referring to?

Secure Enclave

Which of the following provides a human presence, often at entry points, to monitor, deter, and respond to potential security incidents?

Security guard

Which of the following mobile device vulnerabilities is created by installing applications from sources other than the official app store?

Side loading

Enrique is making a detailed list of every application installed on Dion Training's server. Which of the following tasks BEST describes Enrique's task?

Software enumerations

You were recently hired by a large software company that specializes in developing mobile applications. After receiving your username and password, the company requires you to use a smart card that uses radio frequency identification (RFID) to gain access to the company's development environment. Which type of multi-factor authentication (MFA) factor does the card represent?

Something you have

On completion of orientation, Reed, HR Manager at Kelly Innovations, LLC, gives Susan a company laptop. Who is primarily responsible for the laptop's security?

Susan

Which of the following statements BEST explains the importance of a tabletop exercise in the incident response process?

Tabletop exercises are interactive discussions and role-playing exercises used to test and improve incident response plans and team coordination.

Dwayne has told his friends to always turn off geolocation on their devices. What BEST explains why he would suggest his friends turn off geolocation data in applications?

The data can be used to track a person's movements.

You are a security analyst tasked with investigating a suspected security breach involving leaked corporate documents. You decide to examine the metadata associated with these documents. Which of the following pieces of information would be MOST valuable in these metadata logs to investigate the incident?

The timestamps of the documents.

Dion Training wants to increase the trustworthiness of its website for its clients. They are seeking a certificate that is signed and verified by a recognized external authority. What type of certificate should they pursue?

Third-party certificate

Which of the following certificates is issued by a recognized external authority and inherently carries more trust for users and systems unfamiliar with the certificate's originator?

Third-party certificate

Which of the following statements is NOT true regarding the role of Ticket Creation in the context of automation for secure operations?

Ticket creation fosters more security team cohesion and makes collaboration within the team more effective.

Which of the following is a type of race condition that occurs when a process performs an action on a resource without verifying that it is still in the same state or value as when it was last checked?

Time-of-use (TOU)

In the context of penetration testing, what is the purpose of passive reconnaissance?

To gather information without directly engaging the target.

What is the primary purpose of a NDA in the vendor relationship?

To protect sensitive information and maintain confidentiality.

Which of the following is a type of human vector attack that involves creating a fake website address or domain name that resembles a legitimate one, but with slight spelling or punctuation differences?

Typosquatting

Rock Crest Ventures is in the process of choosing vendors for a major project. They are committed to conducting business with suppliers who uphold ethical and legal standards in their operations. The company wants to ensure that the selected vendors align with their values and meet the necessary criteria. What process will help ensure the chosen company's values match Rock Crest's values from the beginning of their partnership?

Vendor selection

Which of the following is a primary concern when obtaining new hardware, software, and data assets?

Verifying products' security compliance.

Which of the following is a type of message-based attack that involves sending fraudulent voice calls to trick recipients into revealing sensitive information or performing certain actions?

Vishing

Which option BEST explains the importance of having vulnerability scanners?

Vulnerability scanners are critical in detecting and assessing security weaknesses in applications and systems.

A History professor visits the American Historical Society nearly every day to check the discussion boards and information about conferences. One day, he sees a link to a conference he's never heard of. He clicks the link and it takes him to a site that doesn't seem legitimate. He clicks on the back button. The next day, he gets a call from the IT department asking why he has begun logging into the university's system at 3:00 am. What type of attack has the professor most likely fallen victim to?

Watering hole

You are visiting a website that is related to your hobby and you see an article that interests you. You click on the article and it takes you to another website that asks you to install a browser extension to view the content. However, the browser extension is actually malware that steals your browsing history and personal information. What type of attack is this an example of?

Watering hole
