Chapter 3 Test
130. What is the ideal humidity range for a server room? A. 70% to 80% B. 40% to 60% C. Below 30% D. Above 70%
B. Forty percent to 60 percent is considered ideal humidity. High humidity can cause corrosion, and low humidity can cause electrostatic discharge. Options A, C, and D are all incorrect. These are not the proper humidity values.
94. Greg is a programmer with a small company. He is responsible for the web application. He has become aware that one of the modules his web application uses may have a security flaw allowing an attacker to circumvent authentication. There is an update available for this module that fixes the flaw. What is the best approach for him to take to mitigate this threat? A. Submit an RFC. B. Immediately apply the update. C. Place the update on a test server, then if it works apply it to the production server. D. Document the issue.
A. All software changes must go through proper change management. That includes a request for change (RFC) that is evaluated before the update is applied. Option B is incorrect. Greg cannot know what effect the change might have on other parts of the system; an untested fix could introduce new problems. Option C is incorrect. This is better than option B but still bypasses change control procedures. Option D is incorrect. Simply documenting the issue does nothing to correct it.
27. An IV attack is usually associated with which of the following wireless protocols? A. WEP B. WAP C. WPA D. WPA2
A. An IV attack is usually associated with the WEP wireless protocol. WEP encrypts each frame with the RC4 stream cipher, keyed by a 24-bit initialization vector (sent in the clear) concatenated with the shared key. Because the IV space is so small, IVs repeat on a busy network, and a repeated IV means a repeated RC4 keystream: XORing two such frames yields the XOR of their plaintexts, and known plaintext in one frame recovers the other. Certain weak IVs also leak key bytes (the FMS attack). An IV should be used once and never repeated under the same key. Option B is incorrect. WAP here refers to a wireless access point, a device rather than an encryption protocol. Option C is incorrect. WPA's TKIP still uses RC4, but with a 48-bit per-packet sequence counter and per-packet key mixing, so the keystream reuse that WEP suffers from is not practical. Option D is incorrect. WPA2 uses AES in CCMP mode (counter mode with CBC-MAC), which takes a 48-bit packet number as its nonce rather than a WEP-style IV.
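The keystream-reuse problem described above, as an added worked example (not code from the book): it implements RC4 and the WEP-style per-frame key (IV || shared key), encrypts two constructed frames under the same IV, and recovers the second plaintext from the first without knowing the shared key. The key, IV, and frame contents are all constructed for the demonstration.

```python
"""Added example (not from the book): IV reuse against a WEP-style RC4 stream.

Implements RC4 and the WEP per-frame key (24-bit IV || shared key) and shows
that two frames encrypted under the same IV share a keystream, so knowing
one plaintext reveals the other. Keys and frame contents are constructed."""
import math


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Return `length` bytes of RC4 keystream for `key` (KSA then PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):                    # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings, truncated to the shorter one."""
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(shared_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """WEP-style frame body: the 3-byte IV is sent in the clear, followed by
    plaintext XOR RC4(IV || shared_key). (Real WEP also appends a CRC-32 ICV.)"""
    if len(iv) != 3:
        raise ValueError("WEP uses a 24-bit IV")
    return iv + xor(rc4_keystream(iv + shared_key, len(plaintext)), plaintext)


def recover_with_reused_iv(frame_known: bytes, known_plaintext: bytes,
                           frame_target: bytes) -> bytes:
    """Attacker's view: one frame with known plaintext plus a second frame that
    reused the same IV. keystream = C1 ^ P1, then P2 = C2 ^ keystream.
    No knowledge of the shared key is needed."""
    iv1, c1 = frame_known[:3], frame_known[3:]
    iv2, c2 = frame_target[:3], frame_target[3:]
    if iv1 != iv2:
        raise ValueError("IVs differ, so the keystreams are not shared")
    keystream = xor(c1, known_plaintext)
    return xor(c2, keystream)


def expected_frames_until_iv_repeat(iv_bits: int = 24) -> float:
    """Birthday-bound estimate of frames sent before some random IV repeats:
    roughly sqrt(pi/2 * 2**iv_bits), about 5,000 for WEP's 24-bit IV."""
    return math.sqrt(math.pi / 2 * (1 << iv_bits))


def demo() -> bytes:
    shared_key = bytes.fromhex("0123456789abcdef1122")  # constructed 104-bit key
    iv = b"\x10\x20\x30"                                  # the same IV, used twice
    known = b"GET /index.html HTTP/1.1\r\n"               # constructed, assumed known
    secret = b"POST /login pw=hunter2"                    # constructed target
    frame1 = wep_encrypt(shared_key, iv, known)
    frame2 = wep_encrypt(shared_key, iv, secret)
    return recover_with_reused_iv(frame1, known, frame2)


if __name__ == "__main__":
    print(demo())
    print(f"~{expected_frames_until_iv_repeat():.0f} frames until a random 24-bit IV repeats")
```

The birthday estimate is the reason the 24-bit IV is fatal in practice: a few thousand frames are enough to expect a collision even with random IVs, and many WEP cards simply counted up from zero after reset.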
78. Sophia wants to test her company's web application to see if it is handling input validation and data validation properly. Which testing method would be most effective for this? A. Static code analysis B. Fuzzing C. Baselining D. Version control
B. Fuzzing is a technique whereby the tester feeds malformed, random, or otherwise unexpected values into the application's inputs and observes how it handles them (crashes, hangs, error messages that leak internals). Option A is incorrect. Static code analysis examines source code without running it; it can flag suspicious patterns but does not exercise the running application's input handling. Option C is incorrect. Baselining is the process of establishing security standards. Option D is incorrect. Version control simply tracks changes in the code; it does not test the code.
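A minimal mutation fuzzer, as an added example (not code from the book), to show what the technique looks like in practice. The parser `parse_record` is a constructed toy format with a deliberate input-validation bug; the fuzzer mutates a valid seed record and reports every input that makes the parser fail in a way its own validation did not anticipate.

```python
"""Added example (not from the book): a minimal mutation fuzzer driving a parser.

`parse_record` is a constructed toy format with an intentional validation bug.
The fuzzer mutates a valid seed and collects inputs that crash the parser,
i.e. raise anything other than the ValueError it uses for expected rejects."""
import random


def parse_record(data: bytes) -> bytes:
    """Toy record format: [len][payload...][checksum].
    Intentional bug for the demo: trusts the length byte without checking
    that the input actually holds that many bytes."""
    if not data:
        raise ValueError("empty record")
    n = data[0]
    payload = data[1:1 + n]
    checksum = data[1 + n]           # IndexError when n exceeds the input length
    if sum(payload) & 0xFF != checksum:
        raise ValueError("bad checksum")
    return payload


def mutate(rng: random.Random, data: bytes) -> bytes:
    """Apply one random mutation: overwrite a byte, insert a byte, or delete one."""
    buf = bytearray(data)
    op = rng.randrange(3)
    if op == 0 and buf:
        buf[rng.randrange(len(buf))] = rng.randrange(256)
    elif op == 1:
        buf.insert(rng.randrange(len(buf) + 1), rng.randrange(256))
    elif buf:
        del buf[rng.randrange(len(buf))]
    return bytes(buf)


def fuzz(target, seed: bytes, iterations: int = 1000, rng_seed: int = 1) -> list:
    """Run `iterations` mutated inputs through `target`; return one sample
    input per distinct crash type as sorted (exception name, input) pairs."""
    rng = random.Random(rng_seed)    # fixed seed so a run is reproducible
    crashes = {}
    for _ in range(iterations):
        candidate = mutate(rng, seed)
        try:
            target(candidate)
        except ValueError:
            continue                 # the parser's own validation; not a bug
        except Exception as exc:     # anything else is a crash worth triaging
            crashes.setdefault(type(exc).__name__, candidate)
    return sorted(crashes.items())


def make_seed() -> bytes:
    """A valid record (constructed) for the fuzzer to start from."""
    payload = b"abc"
    return bytes([len(payload)]) + payload + bytes([sum(payload) & 0xFF])


if __name__ == "__main__":
    for name, sample in fuzz(parse_record, make_seed()):
        print(f"{name}: {sample.hex()}")
```

A real fuzzer (AFL, libFuzzer) adds coverage feedback so mutations that reach new code paths are kept as new seeds; the loop above is the core idea without that guidance, and it already finds the length-check bug within a few iterations.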
57. A list of applications approved for use on your network would be known as which of the following? A. Blacklist B. Red list C. Whitelist D. Orange list
C. "Whitelists" (now often called allow lists) are lists of items that are permitted, as opposed to a blacklist (deny list) of things that are prohibited. Option A is incorrect. Blacklists are lists of blocked items (applications or websites). Options B and D are incorrect. These are not terms used in the industry.
118. Jeff is the security administrator for an e-commerce site. He is concerned about DoS attacks. Which of the following would be the most effective in addressing this? A. DDoS mitigator B. WAF with SPI C. NIPS D. Increased available bandwidth
A. A DDoS mitigator is a tool or service designed specifically to respond to distributed denial-of-service attacks. Such tools can both inhibit the attacking traffic and temporarily increase bandwidth to prevent legitimate users from being adversely affected by the attack. Option B is incorrect. Certainly, a web application firewall with stateful packet inspection would help, but it is not the most effective means of addressing this threat. Option C is incorrect. A network intrusion prevention system would be a good idea and would mitigate this threat. However, it is not the most effective means of mitigating this threat. Option D is incorrect. This would probably not help in a DDoS with attacks coming from multiple sources.
147. What is the primary security issue presented by monitors? A. Unauthorized users may see confidential data. B. Data can be detected from electromagnetic emanations. C. Poor authentication D. Screen burn
A. A monitor displays data, and others may be able to see that data. For example, traveling employees with laptops may inadvertently disclose data on their screens to people sitting nearby (shoulder surfing). For this reason, privacy screen filters are recommended for laptops. Option B is incorrect. Recovering screen contents from electromagnetic emanations (van Eck phreaking, the concern addressed by TEMPEST standards) has been demonstrated, but it requires specialized equipment and proximity, and it is not the primary everyday concern. Option C is incorrect. Although the monitor displays login screens, it is not where the actual authentication processing occurs. Option D is incorrect. Old CRT monitors were very susceptible to screen burn. It is very unlikely on modern monitors, and in any case it is not a security concern.
134. Fred is responsible for physical security in his company. He wants to find a good way to protect the USB thumb drives that have BitLocker keys stored on them. Which of the following would be the best solution for this situation? A. Store the drives in a secure cabinet. B. Encrypt the thumb drives. C. Don't store BitLocker keys on these drives. D. Lock the thumb drives in desk drawers.
A. A secure cabinet is tamper resistant and provides a good place to store anything you need to protect physically. Option B is incorrect. Encrypting the thumb drives means the key that protects them must itself be stored somewhere, which just moves the problem. Option C is incorrect. Storing BitLocker recovery keys on removable media is accepted practice, provided that the media is safeguarded. Option D is incorrect. Desk drawers are not secure and can easily be broken into.
145. What is the primary reason a company would consider implementing Agile programming? A. To speed up development time B. To improve development documentation C. To focus more on design D. To focus more on testing
A. Agile programming was developed specifically to speed up development time. Although it is not appropriate for all projects, it has become quite popular. Option B is incorrect. Usually the opposite occurs, and Agile programming leads to less documentation. Option C is incorrect. You could argue that if done properly, the many cycles of Agile programming, each with repeated design, lead to more focus on design. But this is not always the case, and it is not the reason companies consider Agile. Option D is incorrect. You could argue that if done properly, the many cycles of Agile programming, each with repeated testing, lead to more focus on testing. But this is not always the case, and it is not the reason companies consider Agile.
53. Which of the following terms refers to the process of establishing a standard for security? A. Baselining B. Security evaluation C. Hardening D. Normalization
A. Baselining is the process of establishing a standard for security. A change from the original baseline value is referred to as baseline deviation. Option B is incorrect. Security evaluations or audits check security but don't establish security standards. Option C is incorrect. Hardening is the process of securing a given system, but it does not establish security standards. Option D is incorrect. Normalization is the process of removing redundant entries from a database.
109. Jane is concerned about servers in her datacenter. She is particularly worried about EMI. What damage might EMI most likely cause to servers? A. Damage to chips (CPU or RAM) B. Temperature control issues C. Malware infections D. The staff could be locked out of the servers.
A. Electromagnetic interference can damage circuitry, including the RAM or CPU chips. At a minimum, it can corrupt data in memory or on drives. Options B, C, and D are incorrect. These do not describe the effects of electromagnetic interference.
116. Abigail is responsible for setting up an NIPS on her network. The NIPS is located in one particular network segment. She is looking for a passive method to get a copy of all traffic to the NIPS network segment so that it can analyze the traffic. Which of the following would be her best choice? A. Using a network tap B. Using port mirroring C. Setting the NIPS on a VLAN that is connected to all other segments D. Setting up an NIPS on each segment
A. Network taps are analogous to phone taps. They are completely passive methods of getting network traffic to a central location. Option B is incorrect. Port mirroring would get all the traffic to the NIPS but is not completely passive. It requires the use of resources on switches to route a copy of the traffic. Incorrect switch configurations can cause looping. Configuring loop detection can prevent looped ports. Option C is incorrect. It is not clear that this answer would even work. Option D is incorrect. This is not the assignment. Setting up an NIPS on each segment would also dramatically increase administrative efforts.
110. You are concerned about VM escape attacks. Which of the following would provide the most protection against this? A. Completely isolate the VM from the host. B. Install a host-based antivirus on both the VM and the host. C. Implement FDE on both the VM and the host. D. Use a TPM on the host.
A. VM escape attacks find some way to move from the guest VM to the hypervisor and then to the host (or to other guests). The most effective protection is to isolate the VM from the host as completely as possible: minimize shared folders, device pass-through, and guest-to-host integration features, and keep the hypervisor patched. Option B is incorrect. Antivirus is always a good idea and may stop some malware-based VM escape attempts, but isolating the VM is more effective. Option C is incorrect. Full disk encryption has no effect, since the disk is decrypted while the system is running. Option D is incorrect. A trusted platform module stores cryptographic keys and platform measurements; it does not stop an escape from a guest.
44. Which cloud service model gives the consumer the ability to use applications provided by the cloud provider over the Internet? A. SaaS B. PaaS C. IaaS D. CaaS
A. With the Software as a Service (SaaS) model, the consumer uses applications provided by the cloud provider over the Internet; the software is licensed on a subscription basis. Option B is incorrect. Platform as a Service provides a managed platform (operating system, runtime, and supporting services) on which customers deploy their own applications. Option C is incorrect. Infrastructure as a Service provides virtualized compute, storage, and networking. Option D is incorrect. CaaS is not one of the three standard NIST service models (the term is sometimes used for container services), and it does not describe delivering end-user applications.
112. Dennis is trying to set up a system to analyze the integrity of applications on his network. He wants to make sure that the applications have not been tampered with or Trojaned. What would be most useful in accomplishing this goal? A. Implement NIPS. B. Use cryptographic hashes. C. Sandbox the applications in question. D. Implement NIDS.
B. Cryptographic hashes are used for integrity checking of files, network packets, and many other things. Storing a cryptographic hash of the known-good application and comparing the hash of the application on the network against it will confirm (or refute) whether the application has been altered in any way. The reference hashes must themselves be protected (stored read-only or out of band, or replaced by digital signatures); otherwise an attacker who Trojans the application can simply update the stored hash to match. Options A and D are both incorrect. Network intrusion detection or network intrusion prevention systems are useful, but they won't detect that an application has been altered. Option C is incorrect. Sandboxing is used to isolate an application, but it won't detect whether it has been tampered with.
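The hash comparison described above, as an added example (not code from the book): it builds a SHA-256 manifest of an application's files, then verifies a later state of those files against the manifest and reports modified, missing, and unexpected files. The application tree and the tampering are constructed in a temporary directory.

```python
"""Added example (not from the book): file-integrity checking with SHA-256.

Builds a manifest (relative path -> digest) for a directory tree, then
verifies the tree later and reports what changed. The sample tree and the
simulated tampering are constructed inside a temporary directory."""
import hashlib
import os
import tempfile


def sha256_file(path: str, chunk: int = 1 << 16) -> str:
    """Stream the file through SHA-256 so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root: str) -> dict:
    """Map relative path -> SHA-256 hex digest for every file under root."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root)] = sha256_file(full)
    return manifest


def verify(root: str, manifest: dict) -> dict:
    """Compare the current tree with the manifest. Any difference means the
    application was altered: tampering, a Trojaned binary, or a legitimate
    update for which the manifest was not refreshed."""
    current = build_manifest(root)
    return {
        "modified": sorted(p for p in manifest if p in current and current[p] != manifest[p]),
        "missing": sorted(p for p in manifest if p not in current),
        "unexpected": sorted(p for p in current if p not in manifest),
    }


def demo() -> dict:
    with tempfile.TemporaryDirectory() as root:
        # constructed sample application tree
        os.makedirs(os.path.join(root, "lib"))
        with open(os.path.join(root, "app.bin"), "wb") as f:
            f.write(b"\x7fELF original application")
        with open(os.path.join(root, "lib", "helper.so"), "wb") as f:
            f.write(b"helper library")
        manifest = build_manifest(root)   # taken while the tree is known good
        # simulate a Trojaned binary, a deleted library, and a dropped-in file
        with open(os.path.join(root, "app.bin"), "wb") as f:
            f.write(b"\x7fELF original application + backdoor")
        os.remove(os.path.join(root, "lib", "helper.so"))
        with open(os.path.join(root, "lib", "evil.so"), "wb") as f:
            f.write(b"not in manifest")
        return verify(root, manifest)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

In production the manifest is stored somewhere the monitored host cannot write to (or is signed), and the check runs from a trusted system, since a compromised host can rewrite both the binary and a locally stored manifest.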
124. Gerard is responsible for physical security at his company. He is considering using cameras that would detect a burglar entering the building at night. Which of the following would be most useful in accomplishing this goal? A. Motion-sensing camera B. Infrared-sensing camera C. Sound-activated camera D. HD camera
B. Infrared cameras can still detect at night. A burglar is likely to be in the building when it is dark, so infrared detection is important. Options A and C are both incorrect. It does not matter how the camera is activated (motion or sound); if the area is dark, the camera will not record adequate imagery. Option D is incorrect. High definition is a good choice if the area is well lit.
117. Janice is explaining how IPSec works to a new network administrator. She is trying to explain the role of IKE. Which of the following most closely matches the role of IKE in IPSec? A. It encrypts the packet. B. It establishes the SAs. C. It authenticates the packet. D. It establishes the tunnel.
B. Internet Key Exchange (IKE) authenticates the two peers and negotiates the security associations (SAs) on each end of the tunnel. The security associations hold all the settings for the tunnel (cryptographic algorithms, hashes, keys, lifetimes, and so on). Options A and C are incorrect. IKE does not encrypt or authenticate the data packets; ESP and AH do that, using the keys IKE negotiated. Option D is incorrect. One might argue that by establishing the security associations, IKE establishes the tunnel, but option B is the more precise answer.
148. Clark is responsible for mobile device security in his company. Which of the following is the most important security measure for him to implement? A. Encrypted drives B. Patch management C. Remote wiping D. Geotagging
B. Just like desktops, laptops, and servers, patch management is a fundamental security issue and must be addressed. Many malware outbreaks and other breaches can be prevented by simply having good patch management. Options A, C, and D are all incorrect. Each of these is a good idea and should at least be considered. However, they apply only to specific security issues, primarily how to handle lost or stolen mobile devices. Patch management affects all mobile devices, even if the device is never lost or stolen, and is thus more important.
99. Your development team primarily uses Windows, but they need to develop a specific solution that will run on Linux. What is the best solution to getting your programmers access to Linux systems for development and testing? A. Set their machines to dual-boot Windows and Linux. B. PaaS C. Set up a few Linux machines for them to work with as needed. D. IaaS
B. Platform as a Service is a good solution to this problem. With PaaS, the programmers get a provider-managed Linux platform to develop and test on, without building or maintaining the systems themselves. Options A and C are both incorrect. Although these would work, they are less efficient than using PaaS. Option D is incorrect. Infrastructure as a Service provides virtualized compute, storage, and networking that you must then build up and manage; in this scenario, you only need an operating system platform.
126. You are working for a large company. You are trying to find a solution that will provide controlled physical access to the building and record every employee who enters the building. Which of the following would be the best for you to implement? A. A security guard with a sign-in sheet B. Smart card access C. A camera by the entrance D. A sign-in sheet by the front door
B. Smartcards can be used to allow entrance into a building. The smartcard also identifies the user, so the system can log who enters the building. Option A is incorrect. A security guard with a sign-in sheet would function, but there are many ways to subvert a sign-in sheet, and a guard can be distracted or become inattentive. This makes smartcard access a better solution. Option C is incorrect. A camera would record who enters but would not control access; a nonemployee could still enter the building. Option D is incorrect. An uncontrolled, unsupervised sign-in sheet would not be secure.
71. Which of the following is the most important benefit from implementing SDN? A. It will stop malware. B. It provides scalability. C. It will detect intrusions. D. It will prevent session hijacking.
B. Software-defined networking makes the network very scalable. It is relatively easy to add on new resources or remove unneeded resources. Options A, C, and D are all incorrect. SDN does not accomplish these goals.
101. Hanz is responsible for the e-commerce servers at his company. He is concerned about how they will respond to a DoS attack. Which software testing methodology would be most helpful in determining this? A. Regression testing B. Stress testing C. Integration testing D. Fuzz testing
B. Stress testing is designed to test an application under workloads that are larger than normal. Although this may not be adequate to test for DoS response, it is the most relevant software test. Option A is incorrect. Regression testing is done after a change to ensure the change did not cause any other issues. Option C is incorrect. Integration testing is done to see whether two or more components function together. Option D is incorrect. Fuzz testing is testing an application by entering nonstandard/unexpected values.
143. Ryan is concerned about the security of his company's web application. Since the application processes confidential data, he is most concerned about data exposure. Which of the following would be the most important for him to implement? A. WAF B. TLS C. NIPS D. NIDS
B. The correct answer is to encrypt all the web traffic to this application using Transport Layer Security (TLS). This is one of the most fundamental security steps to take with any website. Option A is incorrect. A web application firewall is probably a good idea, but it is not the most important thing for Ryan to implement. Options C and D are incorrect. Either a network intrusion detection system or a network intrusion prevention system may be a good idea, but those should be considered after TLS is configured.
104. Helga works for a bank and is responsible for secure communications with the online banking application. The application uses TLS to secure all customer communications. She has noticed that since migrating to larger encryption keys, the server's performance has declined. What would be the best way to address this issue? A. Implement a VPN concentrator. B. Implement an SSL accelerator. C. Return to smaller encryption keys. D. Upgrade all servers.
B. The correct answer is to use an SSL accelerator. SSL accelerators offload the processor-intensive public-key operations of the Transport Layer Security (TLS) and Secure Sockets Layer (SSL) handshake to dedicated hardware. Option A is incorrect. A VPN concentrator is a hardware device used to create remote access VPNs. The concentrator creates encrypted tunnel sessions between hosts, and many use two-factor authentication for additional security. Option C is incorrect. Returning to smaller encryption keys would have a deleterious effect on security. Option D is incorrect. This may or may not correct the problem, but it would entail significantly greater cost and difficulty than implementing an SSL accelerator.
137. Mike is a network administrator for an e-commerce company. There have been several updates to the operating system, the web server software, and the web application, all within the last 24 hours. It appears that one of these updates has caused a significant security problem. What would be the best approach for Mike to take to correct this problem? A. Remove the updates one at a time to see which corrects the problem. B. Roll the server back to the last known good state. C. Investigate and find out which update caused the problem, and remove only that update. D. Investigate and find out which update caused the problem, and find a patch for that issue.
B. There is now a serious security issue on the web server. The primary concern must be to correct this. Rolling back to the last known good state will immediately correct the problem; then Mike can investigate to find the cause. Option A is incorrect. This would be too slow, and in the interim the flaw would be on the live website. Options C and D are both incorrect. These would be the slowest solutions and thus leave the security flaw in place for an unacceptable amount of time.
125. Tim is implementing a Faraday cage around his server room. What is the primary purpose of a Faraday cage? A. Regulate temperature B. Regulate current C. Block intrusions D. Block EMI
D. A Faraday cage is a metal wire mesh designed to block electromagnetic interference. Options A, B, and C are all incorrect. These are not functions of a Faraday cage.
120. Liam is responsible for monitoring security events in his company. He wants to see how diverse events may connect. He is interested in identifying different indicators of compromise that may point to the same breach. Which of the following would be most helpful for him to implement? A. NIDS B. SIEM C. Correlation engine D. Aggregation switch
C. A correlation engine is software that takes in events from many sources and seeks out relationships among them, for example several different indicators on the same host within a short window. In some cases, this is done with advanced analytic algorithms, including fuzzy logic. Option A is incorrect. A network intrusion detection system would be helpful but will not (by itself) correlate events. Option B is incorrect. A security information and event management (SIEM) system aggregates and stores log information; correlation is the job of the correlation engine, which may be a component of a SIEM, and that component is what the question asks for. Option D is incorrect. An aggregation switch simply combines bandwidth.
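A small correlation engine run over constructed log lines, as an added example (not code from the book). Each rule turns a log line into an indicator of compromise; the engine groups indicators that share a host inside a time window and raises an incident when the group holds several distinct indicator types, which is how the diverse events Liam is interested in get tied to one breach. The log lines, hostnames, and the threat-intel IP list are all constructed.

```python
"""Added example (not from the book): a small correlation engine over constructed logs.

Each rule maps a log line to an indicator of compromise; the engine groups
indicators per host within a sliding time window and flags hosts where
several distinct indicator types coincide."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample logs in a simplified syslog-like format.
SAMPLE_LOGS = """\
2024-03-01T10:00:01 host=ws-17 sshd: Failed password for admin from 203.0.113.9
2024-03-01T10:00:03 host=ws-17 sshd: Failed password for admin from 203.0.113.9
2024-03-01T10:00:05 host=ws-17 sshd: Failed password for admin from 203.0.113.9
2024-03-01T10:00:09 host=ws-17 sshd: Accepted password for admin from 203.0.113.9
2024-03-01T10:02:30 host=ws-17 useradd: new user: name=svc_backup uid=0
2024-03-01T10:03:10 host=ws-17 fw: outbound 10.0.0.17 -> 198.51.100.77:4444 ALLOW
2024-03-01T11:15:00 host=ws-22 sshd: Failed password for bob from 10.0.0.5
2024-03-01T12:40:00 host=ws-22 fw: outbound 10.0.0.22 -> 93.184.216.34:443 ALLOW
"""

BAD_IPS = {"198.51.100.77"}          # constructed threat-intel list
LINE_RE = re.compile(r"^(\S+) host=(\S+) (.*)$")
RULES = [                            # (indicator name, pattern over the message)
    ("auth_failure", re.compile(r"sshd: Failed password")),
    ("auth_success", re.compile(r"sshd: Accepted password")),
    ("uid0_account_created", re.compile(r"useradd: .*\buid=0\b")),
    ("connection_to_known_bad_ip", re.compile(r"outbound \S+ -> (\d+\.\d+\.\d+\.\d+):")),
]


def extract_indicators(log_text: str):
    """Yield (timestamp, host, indicator) for every rule a line matches."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                 # unparseable line; a real engine would count these
        ts, host, msg = datetime.fromisoformat(m.group(1)), m.group(2), m.group(3)
        for name, pattern in RULES:
            hit = pattern.search(msg)
            if not hit:
                continue
            if name == "connection_to_known_bad_ip" and hit.group(1) not in BAD_IPS:
                continue             # outbound traffic is only an indicator if the peer is bad
            yield ts, host, name


def correlate(log_text: str, window: timedelta = timedelta(minutes=10),
              min_types: int = 3) -> dict:
    """Return {host: sorted indicator types} for hosts where at least
    `min_types` distinct indicators occur within one `window`."""
    by_host = defaultdict(list)
    for ts, host, name in extract_indicators(log_text):
        by_host[host].append((ts, name))
    incidents = {}
    for host, events in by_host.items():
        events.sort()
        for i, (start, _) in enumerate(events):   # slide the window over each start
            names = {n for t, n in events[i:] if t - start <= window}
            if len(names) >= min_types:
                incidents[host] = sorted(names)
                break
    return incidents


if __name__ == "__main__":
    for host, indicators in correlate(SAMPLE_LOGS).items():
        print(f"{host}: {', '.join(indicators)}")
```

Here ws-17 shows four different indicator types within three minutes (brute-force then success, a new UID 0 account, and a connection to a known-bad address) and is flagged, while ws-22's single failed login is noise on its own. The entity being correlated on (host, user, source IP) and the window are the tuning knobs that decide how many such chains a real engine surfaces.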
114. Tom is responsible for VPN connections in his company. His company uses IPSec for VPNs. What is the primary purpose of AH in IPSec? A. Encrypt the entire packet. B. Encrypt just the header. C. Authenticate the entire packet. D. Authenticate just the header.
C. Authentication headers provide complete packet integrity, authenticating the packet and the header. Options A and B are incorrect. Authentication headers do not provide any encryption at all. Option D is incorrect. Authentication headers authenticate the entire packet, not just the header.
127. David is responsible for cryptographic keys in his company. What is the best way to deauthorize a public key? A. Send out a network alert. B. Delete the digital certificate. C. Publish that certificate in the CRL. D. Notify the RA.
C. Certificate revocation lists are designed specifically for revoking certificates. Since public keys are distributed via certificates, publishing the certificate in the CRL (so relying parties see it as revoked, via the CRL or an OCSP responder built from it) is the most effective way to deauthorize a public key. Option A is incorrect. Simply notifying users that a key/certificate is no longer valid is not effective. Option B is incorrect. Deleting a certificate is not always possible and ignores the copies of that certificate held elsewhere. Option D is incorrect. The registration authority verifies the identity of certificate requesters; it does not publish revocations.
129. Carole is concerned about security for her server room. She wants the most secure lock she can find for the server room door. Which of the following would be the best choice for her? A. Combination lock B. Key-in-knob C. Deadbolt D. Padlock
C. Of the locks listed here, deadbolts are the most secure. The locking bolt goes into the door frame, making it more secure. Option A is incorrect. Whether a lock uses a key or combination does not change how secure it is. Option B is incorrect. Key-in-knob is a very common, and fairly insecure, solution. Option D is incorrect. Padlocks can be cut off with common bolt cutters.
102. You are the CIO for a small company. The company wants to use cloud storage for some of its data, but cost is a major concern. Which of the following cloud deployment models would be best? A. Community cloud B. Private cloud C. Public cloud D. Hybrid cloud
C. The correct answer is a public cloud. Public clouds are usually less expensive. The cloud provider has a number of customers and costs are dispersed. Even individuals can afford to use cloud storage with services like iCloud and Amazon Cloud. Option A is incorrect. A community cloud is usually private for a small group of partners. Each of the partners must share a greater part of the expense than they would with a public cloud. But they retain more control over the cloud than they would with a public cloud. Option B is incorrect. Private clouds are the most expensive. The company must completely develop and maintain the cloud resources. Option D is incorrect. A hybrid deployment model is a good compromise for many situations, but it will be more expensive than a public cloud.
144. Arjun has just taken over web application security for a small company. He notices that some values are temporarily stored in hidden fields on one of the web pages. What is this called and how would it be best characterized? A. This is obfuscation, a weak security measure. B. This is data hiding, a weak security measure. C. This is obfuscation, a possible security flaw. D. This is data hiding, a possible security flaw.
C. This is commonly called obfuscation: the values are out of sight in the rendered page, but hidden fields are sent to the client and can be viewed and altered by anyone who opens the page source or intercepts the request. Many years ago (i.e., late 1990s) it was thought of as a weak security measure. Today it can only be thought of as a possible security flaw and should not be used; anything in a hidden field must be treated as untrusted input. Options A, B, and D are all incorrect. These are not accurate descriptions of what is being done in this scenario.
138. Which device would most likely process the following rules?
PERMIT IP ANY EQ 443
DENY IP ANY ANY
A. NIPS B. HIPS C. Content filter D. Firewall
D. A firewall (or a router access control list) processes rules of this form in order: each packet is compared against the rules from the top down, the first matching rule decides, and a final DENY IP ANY ANY catches everything not explicitly permitted. The first rule permits traffic on port 443 (HTTPS); the second denies all other traffic. Options A, B, and C are incorrect. The rules shown are clearly firewall rules.
108. Farès is responsible for security at his company. He has had bollards installed around the front of the building. What is Farès trying to accomplish? A. Gated access for people entering the building B. Video monitoring around the building C. Protecting against EMI D. Preventing a vehicle from being driven into the building
D. Bollards are large barriers that are often made of strong substances like concrete. They are effective in preventing a vehicle from being driven into a building. Options A, B, and C are incorrect. These do not describe the purpose of a bollard.
135. Juanita is responsible for servers in her company. She is looking for a fault-tolerant solution that can handle two drives failing. Which of the following should she select? A. RAID 1+0 B. RAID 3 C. RAID 5 D. RAID 6
D. RAID 6, disk striping with dual parity, uses a minimum of four disks with two independent sets of distributed parity. RAID 6 can handle any two disks failing. Option A is incorrect. RAID 1+0 is disk striping with mirroring; it survives two failures only if they fall in different mirrored pairs, so it does not guarantee tolerance of any two drives failing. Option B is incorrect. RAID 3, disk striping with dedicated parity, can only handle one disk failing. Option C is incorrect. RAID 5, disk striping with distributed parity, can only handle one disk failing.
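The reason RAID 6 survives any two failures is that its two parity blocks are independent equations, so two unknowns can be solved for. As an added example (not code from the book), the following computes the two parities for one stripe of constructed data (P as plain XOR, Q as a Reed-Solomon syndrome over GF(2^8), the scheme the Linux md RAID 6 implementation uses) and reconstructs the stripe after every possible loss of one or two blocks.

```python
"""Added example (not from the book): the parity math behind RAID 6.

For one stripe of constructed data it computes P (XOR parity) and Q (a
Reed-Solomon syndrome over GF(2^8)), then reconstructs the stripe after any
one or two of its blocks, data or parity, are lost."""
from itertools import combinations


def gf_mul(a: int, b: int) -> int:
    """Multiply in GF(2^8) modulo x^8 + x^4 + x^3 + x^2 + 1 (0x11d)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= 0x11d
        b >>= 1
    return r


def gf_pow(a: int, n: int) -> int:
    r = 1
    while n:
        if n & 1:
            r = gf_mul(r, a)
        a = gf_mul(a, a)
        n >>= 1
    return r


def gf_inv(a: int) -> int:
    """Multiplicative inverse: a^254 in GF(2^8)."""
    return gf_pow(a, 254)


def compute_parity(data):
    """data: equal-length blocks, one per data drive.
    P = XOR of blocks; Q = XOR of g^i * block_i with generator g = 2."""
    length = len(data[0])
    p, q = bytearray(length), bytearray(length)
    for i, block in enumerate(data):
        g = gf_pow(2, i)
        for k in range(length):
            p[k] ^= block[k]
            q[k] ^= gf_mul(g, block[k])
    return bytes(p), bytes(q)


def reconstruct(stripe, n_data):
    """stripe: n_data data blocks followed by P and Q; lost blocks are None.
    Returns the full stripe, restoring up to two lost blocks."""
    blocks = list(stripe)
    lost = [i for i, b in enumerate(blocks) if b is None]
    if len(lost) > 2:
        raise ValueError("RAID 6 tolerates at most two failures per stripe")
    P, Q = n_data, n_data + 1
    data_lost = [i for i in lost if i < n_data]
    length = len(next(b for b in blocks if b is not None))
    # Syndromes: P and Q with every surviving data block removed. What remains
    # is d_i (^ d_j) in `a` and g^i*d_i (^ g^j*d_j) in `b`.
    a = bytearray(blocks[P]) if P not in lost else None
    b = bytearray(blocks[Q]) if Q not in lost else None
    for m in range(n_data):
        if m in data_lost:
            continue
        for k in range(length):
            if a is not None:
                a[k] ^= blocks[m][k]
            if b is not None:
                b[k] ^= gf_mul(gf_pow(2, m), blocks[m][k])
    if len(data_lost) == 1:
        i = data_lost[0]
        if a is not None:                        # P survived: d_i = a
            blocks[i] = bytes(a)
        else:                                    # P lost too: d_i = b / g^i
            inv = gf_inv(gf_pow(2, i))
            blocks[i] = bytes(gf_mul(v, inv) for v in b)
    elif len(data_lost) == 2:                    # two data drives: both parities present
        i, j = data_lost
        gi, gj = gf_pow(2, i), gf_pow(2, j)
        inv = gf_inv(gi ^ gj)                    # solve d_i = (b ^ g^j*a) / (g^i ^ g^j)
        di = bytes(gf_mul(b[k] ^ gf_mul(gj, a[k]), inv) for k in range(length))
        blocks[i] = di
        blocks[j] = bytes(a[k] ^ di[k] for k in range(length))
    p, q = compute_parity(blocks[:n_data])       # refresh any lost parity block
    if P in lost:
        blocks[P] = p
    if Q in lost:
        blocks[Q] = q
    return blocks


def demo() -> bool:
    """Lose every possible one or two blocks of a 4+2 stripe and check that
    reconstruction returns the original stripe each time."""
    data = [b"ALPHA-01", b"bravo_02", b"Charlie3", bytes(range(8))]  # constructed
    p, q = compute_parity(data)
    stripe = data + [p, q]
    for count in (1, 2):
        for lost in combinations(range(len(stripe)), count):
            damaged = [None if i in lost else blk for i, blk in enumerate(stripe)]
            if reconstruct(damaged, len(data)) != stripe:
                return False
    return True


if __name__ == "__main__":
    print("RAID 6 reconstruction OK:", demo())
```

With only P (RAID 5) the two-data-drive case has one equation and two unknowns and cannot be solved; Q supplies the second, independent equation, which is the whole difference between the two levels.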
150. You are the CISO for a mid-sized health care company. Which of the following is the most important for you to implement? A. Industry best practices B. Contractual requirements C. Strong security policies D. Regulatory requirements
D. Regulatory requirements are enforced by law. You must implement these; therefore, they are the most important. Options A, B, and C are incorrect. Each is very important, and you should implement all three. But they are less important than regulatory requirements.
103. Alisha is monitoring security for a mid-sized financial institution. Under her predecessor there were multiple high-profile breaches. Management is very concerned about detecting any security issues or breach of policy as soon as possible. Which of the following would be the best solution for this? A. Monthly audits B. NIPS C. NIDS D. Continuous monitoring
D. The correct answer is continuous monitoring. There are technologies that perform continuous monitoring of a network. These systems can identify any issue as it is occurring, or very soon thereafter. Option A is incorrect. Monthly audits won't give notice of an issue until they are conducted, as much as a month after the issue. Options B and C are incorrect. A network intrusion detection system or network intrusion prevention system could certainly be part of the solution. But such systems would only detect breaches, not policy violations, login issues, and so forth.
136. You are a network administrator for a mid-sized company. You need all workstations to have the same configuration. What would be the best way for you to accomplish this? A. Push out a configuration file. B. Implement a policy requiring all workstations to be configured the same way. C. Ensure all computers have the same version of the operating system and the same applications installed. D. Use a master image that is properly configured and image all workstations from that.
D. The correct answer is to use a master image that is properly configured and to create all workstations from that image. This is a standard way large corporations configure systems. Option A is incorrect. Many things cannot be configured by a single configuration file, so this option simply would not work. Option B is incorrect. Policies are always a good idea, but this would not ensure that all systems are properly configured. Option C is incorrect. The operating system and applications are only a part of configuration. This solution would not fully configure the workstations.
139. Ixxia is responsible for security at a mid-sized company. She wants to prevent users on her network from visiting job-hunting sites while at work. Which of the following would be the best device to accomplish this goal? A. Proxy server B. NAT C. Firewall D. NIPS
A. A web proxy can be used to block certain websites. It is common practice for network administrators to block either individual sites or general classes of sites (like job-hunting sites). Option B is incorrect. Network address translation is used to translate the private IP addresses of internal computers to public IP addresses. Option C is incorrect. A traditional packet-filtering firewall can block traffic on a given port or protocol, but it is generally not the tool for blocking specific websites by name or category. Option D is incorrect. Network intrusion prevention systems identify and block attacks. They cannot prevent users from visiting specific websites.
131. Molly is implementing biometrics in her company. Which of the following should be her biggest concern? A. FAR B. FRR C. CER D. EER
A. The false acceptance rate is the rate at which the system incorrectly admits someone it should not. This is clearly the most significant concern. Option B is incorrect. Any error is a concern, but the false rejection rate (legitimate users turned away) is less troublesome than the false acceptance rate. Option C is incorrect. The crossover error rate is the point where FAR and FRR are equal; it is a figure of merit used to compare and tune biometric systems, not a failure mode in itself. Option D is incorrect. The equal error rate is another name for the crossover error rate.
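How FAR, FRR, and the crossover rate relate, as an added worked example (not code from the book). The matcher scores for genuine users and impostors are constructed; the code sweeps the accept threshold, computes FAR and FRR at each setting, finds the crossover, and shows what driving FAR to zero (Molly's concern) costs in false rejections.

```python
"""Added example (not from the book): FAR, FRR and the crossover error rate
computed from constructed matcher scores (higher = closer match)."""

GENUINE = [0.92, 0.88, 0.85, 0.81, 0.79, 0.77, 0.74, 0.70, 0.66, 0.60]   # legitimate users
IMPOSTOR = [0.71, 0.65, 0.62, 0.58, 0.55, 0.50, 0.47, 0.41, 0.35, 0.30]  # attackers


def far(threshold: float, impostor=IMPOSTOR) -> float:
    """False acceptance rate: impostors scoring at or above the threshold."""
    return sum(s >= threshold for s in impostor) / len(impostor)


def frr(threshold: float, genuine=GENUINE) -> float:
    """False rejection rate: legitimate users scoring below the threshold."""
    return sum(s < threshold for s in genuine) / len(genuine)


def sweep(steps: int = 100):
    """Yield (threshold, FAR, FRR) for thresholds 0.00, 0.01, ..., 1.00."""
    for i in range(steps + 1):
        t = i / steps
        yield t, far(t), frr(t)


def crossover():
    """Threshold where FAR and FRR are closest (equal here): the CER/EER.
    Returns (threshold, FAR, FRR)."""
    return min(sweep(), key=lambda row: abs(row[1] - row[2]))


def threshold_for_max_far(max_far: float):
    """The loosest threshold whose FAR stays at or below max_far, with the
    FRR that choice costs. Returns (threshold, FAR, FRR)."""
    for t, a, r in sweep():
        if a <= max_far:
            return t, a, r
    return 1.0, 0.0, 1.0


if __name__ == "__main__":
    t, a, r = crossover()
    print(f"CER at threshold {t:.2f}: FAR={a:.2f} FRR={r:.2f}")
    t, a, r = threshold_for_max_far(0.0)
    print(f"Zero FAR needs threshold {t:.2f}, costing FRR={r:.2f}")
```

Raising the threshold lowers FAR and raises FRR at the same time; the CER is simply where the two curves meet, which is why it is used to compare systems rather than being a problem to eliminate.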
142. Darrel is looking for a cloud solution for his company. One of the requirements is that the IT staff can make the transition with as little change to the existing infrastructure as possible. Which of the following would be his best choice? A. Off-premises cloud B. On-premises cloud C. Hybrid solution D. Use only a community cloud
A. Off-premises clouds are generally less expensive and require fewer changes to the existing infrastructure. That is true for public, private, or community clouds. Option B is incorrect. An on-premises cloud is the most expensive option and has a large impact on the existing IT infrastructure. Few companies opt for this approach. Option C is incorrect. A hybrid solution is better than on-premises but not as good as off-premises for this requirement. Option D is incorrect. It need not be a community cloud. An off-premises public cloud or even a private cloud would fulfill the requirements.
149. Which of the following security measures is most effective against phishing attacks? A. User training B. NIPS C. Spam filters D. Content filter
A. Phishing depends on deceiving the user. The only true protection against that is proper user training. Some technologies reduce the chance of phishing emails getting through, but none can stop all of them, so user training is the best protection. Option B is incorrect. Network intrusion prevention systems are usually not effective against phishing emails. Options C and D are incorrect. Both of these should block at least some phishing emails, but no filter can block all of them; therefore, user training is the most important security measure against phishing.
121. Emily manages the IDS/IPS for her network. She has an NIPS installed and properly configured. It is not detecting obvious attacks on one specific network segment. She has verified that the NIPS is properly configured and working properly. What would be the most efficient way for her to address this? A. Implement port mirroring for that segment. B. Install an NIPS on that segment. C. Upgrade to a more effective NIPS. D. Isolate that segment on its own VLAN.
A. The NIPS is not seeing the traffic on that network segment. By implementing port mirroring, the traffic from that segment can be copied to the segment where the NIPS is installed. Option B is incorrect. This would work but is not the most efficient approach. Option C is incorrect. Nothing in this scenario suggests that the NIPS is inadequate. It just is not seeing all the traffic. Option D is incorrect. This would isolate that network segment but would still not allow the NIPS to analyze the traffic from that segment.
133. Donald is responsible for networking for a defense contractor. He is concerned that emanations from UTP cable could reveal classified information. Which of the following would be his most effective way to address this? A. Migrate to CAT 7 cable. B. Implement protected cabling. C. Place all cable in a Faraday cage. D. Don't send any classified information over the cable.
B. Protected cabling will secure the cable and prevent anyone from eavesdropping. These systems, also called protected distribution systems, use a variety of safeguards so that classified information can be sent unencrypted. Option A is incorrect. Cat 7 will improve bandwidth, not security. Option C is incorrect. This is not even a practical solution. To place a Faraday cage around all cable would require extensive rework of the building(s). Option D is incorrect. That is not a viable option. The scenario indicates that Donald needs to send classified data.
106. Which of the following is the best description for VM sprawl? A. When VMs on your network outnumber physical machines B. When there are more VMs than IT can effectively manage C. When a VM on a computer begins to consume too many resources D. When VMs are spread across a wide area network
B. VM sprawl refers to a situation in which the network has more virtual machines than the IT staff can effectively manage. Options A, C, and D are incorrect. These descriptions have nothing to do with the term VM sprawl.
122. You have been instructed to find a VPN solution for your company. Your company uses TACACS+ for remote access. Which of the following would be the best VPN solution for your company? A. PPTP B. RADIUS C. L2TP D. CHAP
C. Layer 2 Tunneling Protocol is a VPN tunneling protocol that supports a wide range of remote access methods, including TACACS+ for authentication. L2TP also supports a range of transport networks, including ATM and X.25. Note that L2TP provides no encryption of its own; in practice it is deployed as L2TP/IPsec, with IPsec protecting the tunnel. Option A is incorrect. Point-to-Point Tunneling Protocol is an older VPN protocol, now considered insecure, and it won't support TACACS+. Option B is incorrect. Remote Authentication Dial-In User Service is an AAA (authentication, authorization, and accounting) protocol like TACACS+, not a VPN protocol. Option D is incorrect. Challenge Handshake Authentication Protocol is an authentication protocol, not a VPN protocol.
105. What is the primary advantage of allowing only signed code to be installed on computers? A. It guarantees that malware will not be installed. B. It improves patch management. C. It verifies who created the software. D. It executes faster on computers with a TPM.
C. Only using code that is digitally signed verifies the creator of the software. For example, if a printer/MFD driver is digitally signed, this gives you confidence that it really is a printer driver from the vendor it purports to be from, and not malware masquerading as a printer driver. Option A is incorrect. Signed software gives you a high degree of confidence that it is not malware but does not provide a guarantee. For example, the Flame malware was signed with a certificate fraudulently obtained from Microsoft (via an MD5 collision against the Terminal Server Licensing certificate authority), and Stuxnet's drivers were signed with code-signing keys stolen from legitimate hardware vendors. A signature proves who held the signing key, not that the key was used honestly. Option B is incorrect. Digital signing of software has no effect on patch management. Option D is incorrect. Verifying a signature adds a small cost at load time; a TPM does not make signed code run faster.
132. Daniel is responsible for physical security in his company. All external doors have electronic smart card access. In an emergency such as a power failure, how should the doors fail? A. Fail secure B. Fail closed C. Fail open D. Fail locked
C. Electronic door locks on exits must fail open, also called fail safe, on loss of power. The safety of employees takes precedence over the safety of property: if the lock does not fail open, employees could be trapped in the building. Options A, B, and D are incorrect. Fail secure is the usual term, and fail closed and fail locked mean the same thing: the door stays locked when power is lost. This puts lives in danger. In the case of fire, power will fail, and the doors would then fail locked, trapping people in the building. In practice, a fail-secure lock is acceptable only where a separate mechanical release (such as a panic bar) still guarantees free egress, and fire code, not the security team, has the final say.
111. Teresa is the network administrator for a small company. The company is interested in a robust and modern network defense strategy but lacks the staff to support it. What would be the best solution for Teresa to use? A. Implement SDN. B. Use automated security. C. Use Security as a Service. D. Implement only as much security controls as they can support.
C. Security as a Service uses an outside company to handle security tasks. Some or even all security tasks can be outsourced, including IDS/IPS management, SIEM integration, and other security controls. Option A is incorrect. Software-defined networking would make managing security somewhat easier but would itself be difficult to implement. Option B is incorrect. Automating as much security activity as is practical would help alleviate the problem but would not be as effective as Security as a Service. Option D is incorrect. This would mean intentionally not implementing some security controls.
113. George is a network administrator at a power plant. He notices that several turbines had unusual ramp-ups in cycles last week. After investigating, he finds that an executable was uploaded to the system control console and caused this. Which of the following would be most effective in preventing this from affecting the SCADA system in the future? A. Implement SDN. B. Improve patch management. C. Place the SCADA system on a separate VLAN. D. Implement encrypted data transmissions.
C. Separating the SCADA system from the main network makes it less likely that the SCADA system can be affected from the main network. This includes malware as well as human action. Segmentation alone is not a complete fix (the control console should also be locked down so that arbitrary executables cannot be uploaded to it), but of the options given it has the broadest effect. Option A is incorrect. Software-defined networking would make isolating the SCADA system easier but would not actually isolate it. Option B is incorrect. Patch management is always important, but in this case it would not have prevented the issue. Option D is incorrect. Encrypted data transmissions, such as TLS, would have no effect on this situation.
107. Which of the following is the best description of a stored procedure? A. Code that is in a DLL, rather than the executable B. Server-side code that is called from a client C. SQL statements compiled on the database server as a single procedure that can be called D. Procedures that are kept on a separate server from the calling application, such as in middleware
C. Stored procedures are commonly used in many database management systems to contain SQL statements. The database administrator, or someone designated by the DBA, creates the SQL statements the business needs, and programmers then simply call the stored procedures. From a security standpoint, calling parameterized stored procedures keeps SQL out of the application code and reduces the SQL injection surface, provided the procedures themselves do not build dynamic SQL from their arguments. Option A is incorrect. Stored procedures are not related to dynamic-link libraries. Option B is incorrect. This is close but inaccurate, because stored procedures can also be called by other stored procedures on the server. Option D is incorrect. Stored procedures are not related to middleware.
128. Thomas is trying to select the right fire extinguisher for his company's server room. Which of the following would be his best choice? A. Type A B. Type B C. Type C D. Type D
C. Type C (Class C) fire extinguishers are rated for electrical fires, including computer equipment fires. Option A is incorrect. Type A fire extinguishers are for ordinary combustibles such as paper and wood. Option B is incorrect. Type B fire extinguishers are for flammable-liquid fires such as gasoline. Option D is incorrect. Type D fire extinguishers are for combustible-metal fires (magnesium, sodium, titanium), not for electrical equipment.
123. Jacob is the CIO for a mid-sized company. His company has very good security policies and procedures. The company has outsourced its web application development to a wellknown web programming company. Which of the following should be the most important security issue for Jacob to address? A. The web application vendor's hiring practices B. The financial stability of the web application vendor C. Security practices of the web application vendor D. Having an escrow for the source code
C. Whenever any part of your business process is outsourced, you need to ensure that the vendor meets or exceeds all of your security policies and procedures. A supply chain security assessment is a critical issue. Options A, B, and D are all incorrect. Each of these is something that needs to be addressed, but the most important issue is assessing the vendor's security practices as part of supply chain security.
141. When you are concerned about application security, what is the most important issue in memory management? A. Never allocate a variable any larger than is needed. B. Always check bounds on arrays. C. Always declare a variable where you need it (i.e., at function or file level if possible). D. Make sure you release any memory you allocate.
D. Failure to release memory you have allocated is a memory leak. A leaking process consumes more memory over time until it, or the host, fails, so a leak that an attacker can trigger on demand is a denial-of-service vulnerability. If you are using a language like C or C++ that lets you allocate memory directly, make certain you deallocate that memory as soon as you are finished using it, on every code path, including error paths, which is where most leaks hide. Options A and C are incorrect. Both of these are good programming practices, but failing to follow them just leads to wasteful use of memory; it does not in itself create a security problem. Option B is incorrect. Bounds checking is essential to prevent buffer overflows, but it is a memory-safety and input-validation issue, not a memory-management issue in the sense the question asks about.
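As an added example (not from the original answer key), here is the leak pattern the answer warns about, an error path that returns without freeing, next to the corrected version. A small counting wrapper around malloc/free makes the leak observable without external tools; the "name:value" record format, the 32-byte field limit, and the function names are hypothetical:

```c
/* Added example, not from the original answer key: the leak the answer
 * describes (an error path that returns without freeing) beside the fixed
 * version. A counting wrapper around malloc/free makes the leak visible
 * without external tools. Record format "name:value" is hypothetical. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define FIELD_MAX 32               /* buffer size for each field */

static int live_blocks = 0;        /* allocated and not yet freed */

static void *tracked_malloc(size_t n) {
    void *p = malloc(n);
    if (p != NULL) live_blocks++;
    return p;
}

static void tracked_free(void *p) {
    if (p != NULL) { live_blocks--; free(p); }
}

int outstanding_blocks(void) { return live_blocks; }

/* LEAKY: two early returns skip the free() calls. A long-running service fed
 * malformed records leaks 64 bytes per record until it runs out of memory,
 * which is how a parsing bug becomes a denial of service. */
int parse_record_leaky(const char *rec) {
    char *name = tracked_malloc(FIELD_MAX);
    char *value = tracked_malloc(FIELD_MAX);
    const char *sep;
    size_t nlen, vlen;

    if (name == NULL || value == NULL) {
        tracked_free(name);
        tracked_free(value);
        return -1;
    }
    sep = strchr(rec, ':');
    if (sep == NULL) return -1;                               /* BUG: both buffers leaked */
    nlen = (size_t)(sep - rec);
    vlen = strlen(sep + 1);
    if (nlen >= FIELD_MAX || vlen >= FIELD_MAX) return -1;   /* BUG: leaked again */
    memcpy(name, rec, nlen);
    name[nlen] = '\0';
    memcpy(value, sep + 1, vlen + 1);
    printf("parsed %s = %s\n", name, value);
    tracked_free(value);
    tracked_free(name);
    return 0;
}

/* FIXED: one exit path that releases everything, whatever happened above.
 * The bounds check before memcpy is the buffer-overflow guard from option B;
 * the cleanup label is the memory-management discipline from option D. */
int parse_record_fixed(const char *rec) {
    int rc = -1;
    char *name = tracked_malloc(FIELD_MAX);
    char *value = tracked_malloc(FIELD_MAX);
    const char *sep;
    size_t nlen, vlen;

    if (name == NULL || value == NULL) goto cleanup;
    sep = strchr(rec, ':');
    if (sep == NULL) goto cleanup;
    nlen = (size_t)(sep - rec);
    vlen = strlen(sep + 1);
    if (nlen >= FIELD_MAX || vlen >= FIELD_MAX) goto cleanup;
    memcpy(name, rec, nlen);
    name[nlen] = '\0';
    memcpy(value, sep + 1, vlen + 1);
    printf("parsed %s = %s\n", name, value);
    rc = 0;
cleanup:
    tracked_free(value);   /* safe on NULL, so every path can come here */
    tracked_free(name);
    return rc;
}

int main(void) {
    parse_record_leaky("user:alice");
    parse_record_leaky("no-separator");
    printf("after leaky parser: %d block(s) still allocated\n", outstanding_blocks());
    parse_record_fixed("no-separator");
    parse_record_fixed("user:bob");
    printf("after fixed parser: still %d (fixed version leaked nothing)\n", outstanding_blocks());
    return 0;
}
```

The happy path of the leaky version is fine; it is the malformed input, exactly what an attacker sends, that leaks. The single-exit cleanup pattern is the usual C idiom for making that impossible, and tools such as Valgrind or AddressSanitizer (compile with -fsanitize=address) will report the same leak in real code.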
119. Doug is a network administrator for a small company. The company has recently implemented an e-commerce server. This has placed a strain on network bandwidth. What would be the most cost-effective means for him to address this issue? A. Isolate the new server on a separate network segment. B. Upgrade the network to CAT 7. C. Move to fiber optic. D. Implement aggregation switches.
D. Link aggregation switches allow you to combine the bandwidth of multiple links into one connection. This would allow Doug to improve bandwidth to the e-commerce server. Option A is incorrect. This would reduce the impact on the rest of the network but would not address the bandwidth needs of the e-commerce server. Options B and C are both incorrect. Each of these would most likely address the problem, but neither is cost effective.
140. You are responsible for an e-commerce site. The site is hosted in a cluster. Which of the following techniques would be best in assuring availability? A. A VPN concentrator B. Aggregate switching C. An SSL accelerator D. Load balancing
D. Load balancing the cluster will prevent any single server from being overloaded, and if a given server is offline, other servers can take on its workload. Option A is incorrect. A VPN concentrator, as the name suggests, terminates many VPN tunnels in one device; it does not distribute load. Option B is incorrect. Aggregate switching can shunt more bandwidth to the servers but won't mitigate the threat of one or more servers being offline. Option C is incorrect. SSL accelerators are a method of offloading processor-intensive public-key encryption for Transport Layer Security (TLS) and Secure Sockets Layer (SSL) to a hardware accelerator.
146. When you're implementing security cameras in your company, which of the following is the most important concern? A. High-definition video B. Large storage capacity C. How large an area the camera can cover D. Security of the camera and video storage
D. The most important issue is that the camera itself is tamper-proof and that the stored video is protected from tampering and unauthorized access. Networked security cameras are IoT devices and have been a frequent target of compromise, so they should be patched, have default credentials changed, and sit on a segregated network. Options A, B, and C are all incorrect. These are important considerations, and you should consider all three of them. But the most important issue is the security of the camera and the video storage.
115. Mia is a network administrator for a bank. She is responsible for secure communications with her company's customer website. Which of the following would be the best for her to implement? A. SSL B. PPTP C. IPSec D. TLS
D. Transport Layer Security provides a reliable method of encrypting web traffic. It supports mutual authentication and is considered secure. Option A is incorrect. Although SSL can encrypt web traffic, TLS was created in 1999 as its successor, and SSL 2.0 and 3.0 are formally deprecated and should be disabled on the server. Although many network administrators still use the term SSL, in most cases today what you are using is actually TLS, not the outdated SSL. Options B and C are incorrect. These are protocols for establishing a VPN, not for encrypting web traffic.
79. Omar is using the waterfall method for software development in his company. Which of the following is the proper sequence for the waterfall method? A. Requirements, design, implementation, testing, deployment, maintenance B. Planning, designing, coding, testing, deployment C. Requirements, planning, designing, coding, testing, deployment D. Design, coding, testing, deployment, maintenance
A. The waterfall method has the steps of requirements gathering, design, implementation (also called coding), testing (also called verification), deployment, and maintenance. Options B, C, and D are all incorrect. These are not the proper steps for the waterfall method.
46. Which type of hypervisor implementation is known as "bare metal"? A. Type I B. Type II C. Type III D. Type IV
A. Type I hypervisor implementations are known as "bare metal." Option B is incorrect. Type II hypervisors have to be installed on an underlying operating system. Options C and D are incorrect. These are not valid hypervisor types.
64. Mary is responsible for virtualization management in her company. She is concerned about VM escape. Which of the following methods would be the most effective in mitigating this risk? A. Only share resources between the VM and host if absolutely necessary. B. Keep the VM patched. C. Use a firewall on the VM. D. Use host-based antimalware on the VM.
A. VM escape is a situation wherein an attacker is able to go through the VM to interact directly with the hypervisor, and potentially the host operating system. The best way to prevent this is to limit the ability of the host and the VM to share resources. If possible, they should not share any resources. Option B is incorrect. This is one method that might mitigate the situation, but it is not the most effective. Options C and D are incorrect. Both of these are good security practices but would have minimal effect on mitigating VM escape.
23. Which of the following would prevent a user from installing a program on a companyowned mobile device? A. Whitelisting B. Blacklisting C. ACL D. HIDS
A. Whitelists are lists of approved software. Only if software appears on the whitelist can it be installed. Option B is incorrect. Blacklisting blocks specific applications, but it cannot account for every possible malicious application. Option C is incorrect. Access control lists determine who can access a resource. Option D is incorrect. A host intrusion detection system (HIDS) does not prevent software from being installed.
54. You are trying to increase security at your company. You're currently creating an outline of all the aspects of security that will need to be examined and acted on. Which of the following terms describes the process of improving security in a trusted OS? A. FDE B. Hardening C. SED D. Baselining
B. Hardening is the process of improving the security of an operating system or application. One of the primary methods of hardening a trusted OS is to eliminate unneeded services and protocols. This is also known as creating a secure baseline that allows the OS to run safely and securely. Option A is incorrect. FDE is full disk encryption. Option C is incorrect. SED is self-encrypting drive. Option D is incorrect. Baselining is the process of establishing security standards.
12. Mohaned is concerned about malware infecting machines on his network. One of his concerns is that malware would be able to access sensitive system functionality that requires administrative access. What technique would best address this issue? A. Implementing host-based antimalware B. Using a nonadministrative account for normal activities C. Implementing FDE D. Making certain the operating systems are patched
B. If a system is infected with malware, the malware will operate with the privileges of the current user. If you use nonadministrative accounts, with least privilege, then the malware won't be able to access administrative functionality without a separate privilege-escalation exploit. Options A, C, and D are all incorrect. These are all good security measures, but they won't address the issue of malware accessing administrative functionality.
83. John is examining the logs for his company's web applications. He discovers what he believes is a breach. After further investigation, it appears as if the attacker executed code from one of the libraries the application uses, code that is no longer even used by the application. What best describes this attack? A. Buffer overflow B. Code reuse attack C. DoS attack D. Session hijacking
B. In a code reuse attack, the attacker executes code that is meant for some other purposes. In many cases this can be old code that is no longer even used (dead code), even if that code is in a third-party library. Option A is incorrect. A buffer overflow occurs when too much data is sent to a buffer. For example, say a buffer is designed to hold 10 bytes, and it is sent 100 bytes. Option C is incorrect. A denial-of-service attack is meant to make a service unavailable to legitimate users. Option D is incorrect. Session hijacking involves taking over an existing authenticated session.
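As an added example (not from the original answer key), the following C program shows how "dead" code that is still linked into a binary becomes reachable: the legacy handler is never called by the current application, but it still sits in the dispatch table, and an overly permissive opcode check lets a request reach it. The request format, opcodes, and handler names are hypothetical:

```c
/* Added example, not from the original answer key: how "dead" code that is
 * still linked into a binary becomes reachable through a request. The
 * protocol, opcodes and handler names are hypothetical. */
#include <stdio.h>
#include <string.h>

typedef int (*handler_fn)(void);

static int op_status(void) { return 1; }
static int op_list(void)   { return 2; }
static int op_logout(void) { return 3; }

/* Left over from an old release. Nothing in the current application calls
 * it, but it is still compiled in and still sits in the dispatch table. */
static int legacy_debug_dump(void) {
    /* in the real thing this would print internal state, credentials, etc. */
    return 99;
}

static const handler_fn HANDLERS[] = { op_status, op_list, op_logout, legacy_debug_dump };
#define N_HANDLERS     (sizeof HANDLERS / sizeof HANDLERS[0])
#define N_CURRENT_OPS  3   /* opcodes 0..2 are the documented, in-use operations */

/* Vulnerable: any opcode that fits in the table is honoured, so a client
 * that sends opcode 3 runs the legacy handler the application never uses. */
int dispatch_vulnerable(unsigned opcode) {
    if (opcode >= N_HANDLERS) return -1;
    return HANDLERS[opcode]();
}

/* Hardened: allow-list only the operations the current release uses. The
 * complete fix is to delete legacy_debug_dump() so it is not in the binary. */
int dispatch_hardened(unsigned opcode) {
    if (opcode >= N_CURRENT_OPS) return -1;
    return HANDLERS[opcode]();
}

/* Parse a request line of the form "OP <n>" (constructed format) and
 * dispatch it. Returns the handler's result, or -1 for a rejected request. */
int handle_request(const char *line, int hardened) {
    unsigned opcode;
    if (sscanf(line, "OP %u", &opcode) != 1) return -1;
    return hardened ? dispatch_hardened(opcode) : dispatch_vulnerable(opcode);
}

int main(void) {
    const char *requests[] = { "OP 0", "OP 2", "OP 3", "OP 7", "GET /" };
    for (size_t i = 0; i < sizeof requests / sizeof requests[0]; i++)
        printf("%-6s vulnerable=%3d hardened=%3d\n", requests[i],
               handle_request(requests[i], 0), handle_request(requests[i], 1));
    return 0;
}
```

The same thing happens with unused exports of a third-party library: the application never calls them, but they are mapped into the process and anything that can influence control flow (an unchecked index, a corrupted function pointer, a return address) can reach them. Removing dead code from the build, not merely not calling it, is what actually shrinks the attack surface.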
43. Which cloud service model provides the consumer with the infrastructure to create applications and host them? A. SaaS B. PaaS C. IaaS D. CaaS
B. In the Platform as a Service (PaaS) model, the consumer has access to the infrastructure to create applications and host them. Option A is incorrect. Software as a Service simply supplies a particular application. Option C is incorrect. Infrastructure as a Service provides the entire network infrastructure. Option D is incorrect. CaaS is not one of the three standard cloud service models (SaaS, PaaS, IaaS); the acronym is used loosely for various offerings, such as Containers as a Service.
89. Erik is responsible for the security of a SCADA system. Availability is a critical issue. Which of the following is most important to implement? A. SIEM B. IPS C. Automated patch control D. Honeypot
B. Intrusion prevention systems are critical for a system that needs high availability. Depending on the nature of the system, it may require an HIPS, NIPS, or both. Note that an inline IPS is itself a single point of failure: in an availability-critical SCADA environment it must be deployed with a fail-open bypass and tuned so that it does not block legitimate control traffic. Option A is incorrect. Security information and event management consolidates logs. Although this can be a valuable security feature, it is not the most important in this situation. Option C is incorrect. Automated patch control is usually a good idea; however, it is not the most important in this situation. Option D is incorrect. Honeypots can be a valuable security control, but they are far less important than IPS or patch control.
49. Jarod is concerned about EMI affecting a key escrow server. Which method would be most effective in mitigating this risk? A. VLAN B. SDN C. Trusted platform module D. Faraday cage
D. A Faraday cage, named after the famous physicist Michael Faraday, involves placing wire mesh around an area or device to block electromagnetic signals. Option A is incorrect. A VLAN can segment a network but won't block EMI. Option B is incorrect. Software-defined networking virtualizes a network but does not protect against EMI. Option C is incorrect. A trusted platform module is used for cryptographic applications.
70. Gerald is concerned about unauthorized people entering the company's building. Which of the following would be most effective in preventing this? A. Alarm systems B. Fencing C. Cameras D. Security guards
D. A security guard is the most effective way to prevent unauthorized access to a building. Options A, B, and C are all incorrect. These are all good physical security measures, but they are not the most effective ways to prevent entry into a building.
59. Elizabeth has implemented agile development for her company. What is the primary difference between agile development and the waterfall method? A. Agile has fewer phases. B. Waterfall has fewer phases. C. Agile is more secure. D. Agile repeats phases.
D. Agile development works in cycles, each cycle producing specific deliverables. This means that phases like design and development are repeated. Options A and B are incorrect. The issue is not how many phases; it is the fact that in waterfall when a phase is finished, there is no returning to that phase. Option C is incorrect. Neither method is inherently more secure.
40. Which of the following 802.11 standards is supported in WPA2, but not in WEP or WPA? A. 802.11a B. 802.11b C. 802.11i D. 802.11n
C. WPA2 fully implements the 802.11i security standard; WPA implemented only a subset of a draft of it, and WEP predates it. Options A, B, and D are incorrect. Those standards concern physical-layer throughput and frequency, not security.
74. Mia has to deploy and support a legacy application. The configuration for this application and the OS it runs on are very specific and cannot be changed. What is the best approach for her to deploy this? A. Use an immutable server. B. Use a VM. C. Set permissions on the application so it cannot be changed. D. Place the application on a separate VLAN.
A. An immutable server's configuration cannot be changed. Option B is incorrect. A virtual machine won't stop the application or the OS from being altered. Option C is incorrect. This won't prevent the OS from being altered. Option D is incorrect. Segregating the application on a separate VLAN won't address the issues.
97. Tom works as a software development manager for a large company. He is trying to explain to management the difference between compiled code and runtime code. What is the biggest advantage of compiled code? A. Better performance B. Platform independence C. More secure D. Faster development time
A. Compiled code generally runs faster, because it is translated to native machine code ahead of time, whereas runtime code, such as Java bytecode, is interpreted or just-in-time compiled while the program runs. Option B is incorrect. In fact, the opposite is true. Runtime code can be platform independent, as with Java. Compiled code is compiled for a specific operating system and processor architecture. Option C is incorrect. Security is not directly related to whether the code is compiled or runtime. This issue has minimal impact on security. Option D is incorrect. Development time is not impacted by whether the code will be compiled or runtime code.
18. Which design concept limits access to systems from outside users while protecting users and systems inside the LAN? A. DMZ B. VLAN C. Router D. Guest network
A. A DMZ provides limited access to public facing servers, for outside users, but blocks outside users from accessing systems inside the LAN. It is a common practice to place web servers in the DMZ. Option B is incorrect. A VLAN is most often used to segment the internal network. Option C is incorrect. Routers direct traffic based on IP address. Option D is incorrect. A guest network allows internal users who are not employees to get access to the Internet.
14. Juanita is implementing virtualized systems in her network. She is using Type I hypervisors. What operating system should be on the machines for her to install the hypervisor? A. None B. Windows C. Any operating system D. Windows or Linux
A. A Type I hypervisor is also known as a bare-metal hypervisor. It installs directly onto hardware and does not require an operating system to be installed first. Options B, C, and D are all incorrect. Type I hypervisors do not require a preinstalled operating system.
11. Terrance is responsible for secure communications on his company's network. The company has a number of traveling salespeople who need to connect to network resources. What technology would be most helpful in addressing this need? A. VPN concentrator B. SSL accelerator C. DMZ D. Guest network
A. A VPN concentrator is a hardware device used to create remote access VPNs. The concentrator creates encrypted tunnel sessions between hosts, and many use two-factor authentication for additional security. Option B is incorrect. SSL accelerators are a method of offloading processor-intensive public-key encryption for Transport Layer Security (TLS) and Secure Sockets Layer (SSL) to a hardware accelerator. Option C is incorrect. A demilitarized zone is a place to locate public-facing servers. Option D is incorrect. Guest networks provide nonemployees with Internet access.
100. Daniel works for a mid-sized financial institution. The company has recently moved some of its data to a cloud solution. Daniel is concerned that the cloud provider may not support the same security policies as the company's internal network. What is the best way to mitigate this concern? A. Implement a cloud access security broker. B. Perform integration testing. C. Establish cloud security policies. D. Implement Security as a Service.
A. A cloud access security broker (CASB) is a software tool or service that sits between an organization's on-premises network and a cloud provider's infrastructure. A CASB acts as a gatekeeper, allowing the organization to extend the reach of their security policies into the cloud. Option B is incorrect. Integration testing is used to test two or more components to ensure they integrate. Option C is incorrect. Although security policies are a good idea, just having policies in your company won't affect the cloud solution. Option D is incorrect. Security as a Service is a process of outsourcing certain security functions.
9. You are the network administrator for a large company. Your company frequently has nonemployees in the company such as clients and vendors. You have been directed to provide these nonemployees with access to the Internet. Which of the following is the best way to implement this? A. Establish a guest network. B. Allow nonemployees to connect only to the DMZ. C. Allow nonemployees to connect only to the intranet. D. Establish limited accounts on your network for nonemployees to use.
A. A guest network is separate from your production network; therefore, even if there is some breach of that network, it won't affect your production network. It is a common security practice to establish a guest network so that guests can access the Internet, without providing them with access to the corporate network resources. Option B is incorrect. A DMZ is used to locate public-facing servers such as web servers. Option C is incorrect. An intranet consists of internal web-based resources for employees. Option D is incorrect. This would provide nonemployees with access to the corporate network.
36. Gerard is responsible for secure communications with his company's e-commerce server. All communications with the server use TLS. What is the most secure option for Gerard to store the private key on the e-commerce server? A. HSM B. FDE C. SED D. SDN
A. A hardware security module (HSM) is the most secure way to store the private key for the e-commerce server. An HSM is a physical device that safeguards and manages digital keys; the private key never leaves it, and the TLS handshake's private-key operation is performed inside the module. Option B is incorrect. Full disk encryption protects data at rest, but once the server is running the disk is unlocked and the key file is readable by anyone who compromises the host. Option C is incorrect. A self-encrypting drive (SED) is just an automatic form of full disk encryption, with the same limitation. Option D is incorrect. Software-defined networking won't address the issues in this scenario.
39. Denish is concerned about the security of embedded devices in his company. He is most concerned about the operating system security for such devices. Which of the following would be the best option for mitigating this threat? A. RTOS B. SCADA C. FDE D. TPM
A. A real-time operating system (RTOS) is a small, deterministic operating system designed for embedded devices. Its minimal footprint and limited set of services give it a much smaller attack surface than a general-purpose operating system, which is why it is the best of the listed options for addressing operating system security on embedded devices. Option B is incorrect. Although SCADA systems can sometimes be embedded systems, this won't address the security concerns. Option C is incorrect. Full drive encryption won't address issues with the security of the operating system. Option D is incorrect. A trusted platform module can be very useful for cryptographic applications, but it will not address the security of the operating system.
25. Upper management has decreed that a firewall must be put in place immediately, before your site suffers an attack similar to one that struck a sister company. Responding to this order, your boss instructs you to implement a packet filter by the end of the week. A packet filter performs which function? A. Prevents unauthorized packets from entering the network B. Allows all packets to leave the network C. Allows all packets to enter the network D. Eliminates collisions in the network
A. Packet filters prevent unauthorized packets from entering or leaving a network. A packet filter is a type of firewall that permits or blocks traffic based on packet header fields, typically source and destination address, protocol, and port, evaluated against an ordered list of rules. Options B and C are incorrect. A packet filter allows some packets to enter and blocks others. The same goes for exiting packets: some are allowed and others are blocked, based on the rules implemented in the firewall, with anything not explicitly permitted normally denied by default. Option D is incorrect. Packet filtering does nothing to eliminate collisions in the network.
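As an added example (not from the original answer key), this C program models the decision logic of a stateless packet filter as the answer describes it: rules are evaluated top-down, the first match wins, inbound and outbound traffic are filtered separately, and anything no rule permits is dropped. The rule set, the packet fields, and the function names are constructed for the illustration:

```c
/* Added example, not from the original answer key: the decision logic of a
 * stateless packet filter. Rules are evaluated top-down, first match wins,
 * inbound and outbound are filtered separately, and anything no rule
 * permits is dropped. The rule set is constructed for the illustration. */
#include <stdio.h>

enum direction { INBOUND, OUTBOUND };
enum action    { DENY = 0, ALLOW = 1 };
enum { PROTO_ANY = 0, PROTO_TCP = 6, PROTO_UDP = 17 };   /* IP protocol numbers */
#define PORT_ANY 0

struct rule   { enum direction dir; int proto; unsigned dst_port; enum action act; };
struct packet { enum direction dir; int proto; unsigned dst_port; };

/* Policy for a host that serves HTTPS, accepts admin SSH and needs DNS out.
 * The explicit deny for telnet is redundant with the default deny but is
 * placed first so it wins regardless of any permissive rule added later. */
static const struct rule RULES[] = {
    { INBOUND,  PROTO_TCP, 23,  DENY  },   /* telnet: never */
    { INBOUND,  PROTO_TCP, 443, ALLOW },   /* public web service */
    { INBOUND,  PROTO_TCP, 22,  ALLOW },   /* admin SSH (restrict by source in a real rule set) */
    { OUTBOUND, PROTO_UDP, 53,  ALLOW },   /* DNS lookups */
    { OUTBOUND, PROTO_TCP, 443, ALLOW },   /* outbound HTTPS, e.g. package updates */
};
#define N_RULES (sizeof RULES / sizeof RULES[0])

static int rule_matches(const struct rule *r, const struct packet *p) {
    return r->dir == p->dir
        && (r->proto == PROTO_ANY || r->proto == p->proto)
        && (r->dst_port == PORT_ANY || r->dst_port == p->dst_port);
}

/* Returns ALLOW or DENY; *matched receives the index of the deciding rule,
 * or -1 when the implicit default deny decided. */
enum action filter_packet(const struct packet *p, int *matched) {
    for (size_t i = 0; i < N_RULES; i++) {
        if (rule_matches(&RULES[i], p)) {
            if (matched) *matched = (int)i;
            return RULES[i].act;
        }
    }
    if (matched) *matched = -1;
    return DENY;          /* no rule permitted it: drop */
}

/* Convenience wrapper: decide on a packet given as three fields. */
int decide(enum direction dir, int proto, unsigned dst_port) {
    struct packet p = { dir, proto, dst_port };
    return filter_packet(&p, NULL);
}

int main(void) {
    const struct packet samples[] = {
        { INBOUND,  PROTO_TCP, 443  },
        { INBOUND,  PROTO_TCP, 23   },
        { INBOUND,  PROTO_TCP, 3389 },
        { OUTBOUND, PROTO_UDP, 53   },
        { OUTBOUND, PROTO_TCP, 25   },
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int rule;
        enum action a = filter_packet(&samples[i], &rule);
        printf("%s proto %2d port %4u -> %s (rule %d)\n",
               samples[i].dir == INBOUND ? "in " : "out", samples[i].proto,
               samples[i].dst_port, a == ALLOW ? "ALLOW" : "DENY ", rule);
    }
    return 0;
}
```

Two points carry over to real firewalls: rule order matters, because the first match decides, and the implicit default deny at the end is what turns a list of permits into a security boundary. A filter whose last rule is "allow any" protects nothing, however long the list above it is.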
10. Juan is a network administrator for an insurance company. His company has a number of traveling salespeople. He is concerned about confidential data on their laptops. What is the best way for him to address this? A. FDE B. TPM C. SDN D. DMZ
A. Full disk encryption fully encrypts the hard drive on a computer. This is an effective method for ensuring the security of data on a computer. Option B is incorrect. Trusted platform modules are crypto-processors and won't affect this problem. Option C is incorrect. Software-defined networking is virtualized networking and won't affect this problem. Option D is incorrect. Demilitarized zones are used to segment a network and won't affect this problem.
21. You have instructed all administrators to disable all nonessential ports on servers at their sites. Why are nonessential protocols a security issue that you should be concerned about? A. Nonessential ports provide additional areas of attack. B. Nonessential ports can't be secured. C. Nonessential ports are less secure. D. Nonessential ports require more administrative effort to secure.
A. Nonessential protocols provide additional areas for attack. Every protocol has weaknesses, and every listening port is a possible avenue of attack, so anything not needed should be disabled: this is the principle of least functionality, the service-level counterpart of least privilege. Option B is incorrect. Any port can be secured; doing so is an example of applying a security control. Option C is incorrect. It is not the case that specific ports are less secure, but every open port provides a possible point of entry into a system. Option D is incorrect. Securing a nonessential port takes no more effort than securing an essential one; the difference is that the nonessential one can simply be closed.
62. Mary is concerned about application security for her company's application development. Which of the following is the most important step for addressing application security? A. Proper error handling B. Regular data backups C. Encrypted data transmission D. Strong authentication
A. Proper error handling is the most fundamental item to address in application development. Robust and thorough error handling will mitigate many security risks. Options B, C, and D are all incorrect. Each of these is a good security measure but not the most important step for Mary to take.
55. Which level of RAID is a "stripe of mirrors"? A. RAID 1+0 B. RAID 6 C. RAID 0 D. RAID 1
A. RAID 1+0 is a mirrored data set (RAID 1), which is then striped (RAID 0): a "stripe of mirrors." Option B is incorrect. RAID 6 is disk striping with dual parity (distributed). Option C is incorrect. RAID 0 is just striping. Option D is incorrect. RAID 1 is just mirroring.
91. Vincent works for a company that manufactures portable medical devices, such as insulin pumps. He is concerned about ensuring these devices are secure. Which of the following is the most important step for him to take? A. Ensure all communications with the device are encrypted. B. Ensure the devices have FDE. C. Ensure the devices have individual antimalware. D. Ensure the devices have been fuzz tested.
A. Such systems need to have all communications encrypted. As of the current date, breaches of portable network devices have all involved unencrypted communications. Option B is incorrect. Full disk encryption may or may not even be appropriate for such devices. Many don't have a disk to encrypt. Option C is incorrect. It may not be possible to install anti-malware on many such devices. Option D is incorrect. Fuzz testing is used for applications.
1. Caroline has been asked to find a standard to guide her company's choices in implementing information security management systems. She is looking for a standard that is international. Which of the following would be the best choice for her? A. ISO 27002 B. ISO 27017 C. NIST 800-12 D. NIST 800-14
A. The correct answer is ISO 27002. ISO 27002 is an international standard for implementing and maintaining information security systems. Option B is incorrect. ISO 27017 is an international standard for cloud security. Option C is incorrect. NIST 800-12 is a general security standard and it is a U.S. standard, not an international one. Option D is incorrect. NIST 800-14 is a standard for policy development, and it is a U.S. standard, not an international one.
31. You have been asked to implement security for SCADA systems in your company. Which of the following standards will be most helpful to you? A. NIST 800-82 B. PCI-DSS C. NIST 800-30 D. ISO 27002
A. The correct answer is NIST 800-82. Special Publication 800-82, Revision 2, "Guide to Industrial Control System (ICS) Security," is specific to industrial control systems. Industrial systems include SCADA (Supervisory Control And Data Acquisition) and PLCs (programmable logic controllers). Option B is incorrect. PCI-DSS is a standard for credit card security. Option C is incorrect. NIST 800-30 is the U.S. standard for conducting risk assessments. Option D is incorrect. This standard recommends best practices for initiating, implementing, and maintaining information security management systems (ISMSs).
2. You are responsible for network security at an e-commerce company. You want to ensure that you are using best practices for the e-commerce website your company hosts. What standard would be the best for you to review? A. OWASP B. NERC C. NIST D. ISA/IEC
A. The correct answer is the Open Web Application Security Project. It is the de facto standard for web application security. Option B is incorrect. The North American Electric Reliability Corporation is concerned with electrical power plant security. Option C is incorrect. The National Institute of Standards and Technology does not, as of this writing, publish web application standards. Option D is incorrect. ISA/IEC standards are for securing industrial automation and control systems (IACSs).
41. Teresa is responsible for WiFi security in her company. Which wireless security protocol uses TKIP? A. WPA B. CCMP C. WEP D. WPA2
A. The encryption technology associated with WPA is TKIP. Option B is incorrect. CCMP is the technology used in WPA2. It combines AES in cipher block chaining mode with a message authentication code. Option C is incorrect. WEP uses RC4. Option D is incorrect. WPA2 uses CCMP.
81. Edward is responsible for web application security at a large insurance company. One of the applications that he is particularly concerned about is used by insurance adjusters in the field. He wants to have strong authentication methods to mitigate misuse of the application. What would be his best choice? A. Authenticate the client with a digital certificate. B. Implement a very strong password policy. C. Secure application communication with TLS. D. Implement a web application firewall (WAF).
A. The correct answer is to assign digital certificates to the authorized users and to use these to authenticate them when logging in. This is an effective way to ensure that only authorized users can access the application. Options B, C, and D are all incorrect. These are each good security measures but not the best way to authenticate the client and prevent unauthorized access to the application.
51. Mark is responsible for cybersecurity at a small college. There are many computer labs that are open for students to use. These labs are monitored only by a student worker, who may or may not be very attentive. Mark is concerned about the theft of computers. Which of the following would be the best way for him to mitigate this threat? A. Cable locks B. FDE on the lab computers C. Strong passwords on the lab computers D. Having a lab sign-in sheet
A. The correct answer is to attach cable locks to the computers that lock them to the table. This makes it more difficult for someone to steal a computer. Option B is incorrect. Full disk encryption won't stop someone from stealing the computer. Option C is incorrect. Strong passwords won't stop someone from stealing a computer. Option D is incorrect. A sign-in sheet is a good idea and may deter some thefts. But it is not the best approach to stopping theft.
17. You are concerned about peripheral devices being exploited by an attacker. Which of the following is the first step you should take to mitigate this threat? A. Disable WiFi for any peripheral that does not absolutely need it. B. Enable BIOS protection for peripheral devices. C. Use strong encryption on all peripheral devices. D. Configure antivirus on all peripherals.
A. The correct answer is to disable WiFi if it is not absolutely needed. Many peripheral devices are WiFi enabled. If you don't require this functionality, then disabling it is a very basic and essential security measure you can take. For example, WiFi-enabled MicroSD cards are vulnerable to attacks. Option B is incorrect. Very few peripheral devices will even have a BIOS. Option C is incorrect. Encryption may be warranted for some specific peripherals, but many don't have storage that can be encrypted, and this would not be the first step one takes. Option D is incorrect. Many peripherals don't have a hard drive to install antivirus on.
67. You are responsible for server room security for your company. You are concerned about physical theft of the computers. Which of the following would be best able to detect theft or attempted theft? A. Motion sensor-activated cameras B. Smart card access to the server rooms C. Strong deadbolt locks for the server rooms D. Logging everyone who enters the server room
A. The correct answer is to have a motion-activated camera that records everyone who enters the server room. Options B, C, and D are all incorrect. These are all good security measures but won't detect theft.
65. You work at a large company. You are concerned about ensuring that all workstations have a common configuration, no rogue software is installed, and all patches are kept up to date. Which of the following would be the most effective for accomplishing this? A. Use VDE. B. Implement strong policies. C. Use an image for all workstations. D. Implement strong patch management.
A. The correct answer is to implement a virtual desktop environment. If all the desktops are virtualized, then from a single central location you can manage patches, configuration, and software installation. This single implementation will solve all the issues mentioned in the question. Option B is incorrect. Strong policies are a good idea but are often difficult to enforce. Option C is incorrect. Imaging workstations affects only their original configuration. It won't keep them patched or prevent rogue software from being installed. Option D is incorrect. Strong patch management will address only one of the three concerns.
86. Victor is a network administrator for a medium-sized company. He wants to be able to access servers remotely so that he can perform small administrative tasks from remote locations. Which of the following would be the best protocol for him to use? A. SSH B. Telnet C. RSH D. SNMP
A. The correct answer is to use Secure Shell. This protocol is encrypted. SSH also authenticates the user with public key cryptography. Option B is incorrect. Telnet is insecure. It does not encrypt data. Option C is incorrect. Remote Shell sends at least some data unencrypted and is thus insecure. Option D is incorrect. Simple Network Management Protocol is used to manage a network and is not used for remote communications.
72. Mark is an administrator for a health care company. He has to support an older, legacy application. He is concerned that this legacy application might have vulnerabilities that would affect the rest of the network. What is the most efficient way to mitigate this? A. Use an application container. B. Implement SDN. C. Run the application on a separate VLAN. D. Insist on an updated version of the application.
A. The correct answer is to use an application container to isolate that application from the host operating system. Application containers provide a virtualized environment in which to run an application. Option B is incorrect. Moving to software-defined networking is a very involved process and does not provide an efficient solution. Option C is incorrect. Not only will this not separate the application from the host operating system; it might not solve the problem. Option D is incorrect. This is not an option in this question. Mark must support the legacy application.
5. Gabriel is setting up a new e-commerce server. He is concerned about security issues. Which of the following would be the best location to place an e-commerce server? A. DMZ B. Intranet C. Guest network D. Extranet
A. The demilitarized zone (DMZ) is a zone between an outer firewall and an inner firewall. It is specifically designed as a place to locate public-facing servers. The outer firewall is more permissive, thus allowing public access to the servers in the DMZ. However, the inner firewall is more secure, thus preventing outside access to the corporate network. Option B is incorrect. An intranet is for internal web pages. Option C is incorrect. Guest networks provide network access, often wireless, to guests. This is not an appropriate place for any server. Option D is incorrect. An extranet is a scenario wherein external partners are allowed access to limited portions of the company network.
24. You're designing a new network infrastructure so that your company can allow unauthenticated users connecting from the Internet to access certain areas. Your goal is to protect the internal network while providing access to those areas. You decide to put the web server on a separate subnet open to public contact. What is this subnet called? A. Guest network B. DMZ C. Intranet D. VLAN
B. A demilitarized zone (DMZ) is a separate subnet coming off a separate router interface. Public traffic may be allowed to pass from the external public interface to the DMZ, but it won't be allowed to pass to the interface that connects to the internal private network. Option A is incorrect. A guest network provides visitors with internet access. Option C is incorrect. An intranet consists of internal web resources. Frequently companies put up web pages that are accessible only from within the network for items like human resources notifications, requesting vacation, and so forth. Option D is incorrect. A VLAN is used to segment your internal network.
33. John is installing an HVAC system in his datacenter. What will this HVAC have the most impact on? A. Confidentiality B. Availability C. Fire suppression D. Monitoring access to the datacenter
B. A heating, ventilation, and air conditioning system will affect availability. By maintaining temperature and humidity, the servers in the datacenter are less likely to crash and thus be more available. Option A is incorrect. HVACs have no effect on data confidentiality. Option C is incorrect. HVACs are not fire suppression systems. Option D is incorrect. HVACs are not monitoring systems.
16. You are responsible for setting up a kiosk computer that will be in your company's lobby. It will be accessible for visitors to locate employee offices, obtain the guest WiFi password, and retrieve general public company information. What is the most important thing to consider when configuring this system? A. Using a strong administrator password B. Limiting functionality to only what is needed C. Using good antivirus protection D. Implementing a host-based firewall
B. A kiosk computer must be limited to only those functions that are required. It is important to remove or disable any unnecessary functions, and to have the system logged in with the least privileges necessary for the kiosk functionality. Option A is incorrect. Although this is always a good idea, it is not the most important issue for a kiosk computer. Option C is incorrect. Yes, antivirus is important. However, if this machine is locked down so that it only performs the specified functions, it is unlikely to get a virus. Option D is incorrect. A host-based firewall is not even absolutely necessary in this scenario, and it is certainly less important than limiting the computer's functionality.
22. Which type of firewall examines the content and context of each packet it encounters? A. Packet filtering firewall B. Stateful packet filtering firewall C. Application layer firewall D. Gateway firewall
B. A stateful inspection firewall examines the content and context of each packet it encounters. This means that an SPI firewall understands the preceding packets that came from the same IP address. This makes certain attacks, like a SYN flood, almost impossible. Option A is incorrect. Packet filtering firewalls examine each packet, but not the context. Option C is incorrect. Application layer firewalls can use SPI or simple packet filtering, but their primary role is to examine application-specific issues. A classic example is a web application firewall. Option D is incorrect. A gateway firewall is simply a firewall at the network gateway. This does not tell us whether it is packet filtering or SPI.
8. Mary is the CISO for a mid-sized company. She is attempting to mitigate the danger of computer viruses. Which administrative control can she implement to help achieve this goal? A. Implement host-based antimalware. B. Implement policies regarding email attachments and file downloads. C. Implement network-based antimalware. D. Block portable storage devices from being connected to computers.
B. Administrative controls are policies and processes designed to mitigate some threat. The use of policies that govern the opening of email attachments and the downloading of files is an administrative control for malware. Options A, C, and D are incorrect. Each of these is a good step to take, but they are all technical controls, not administrative ones.
6. Enrique is concerned about backup data being infected by malware. The company backs up key servers to digital storage on a backup server. Which of the following would be most effective in preventing the backup data from being infected by malware? A. Place the backup server on a separate VLAN. B. Air-gap the backup server. C. Place the backup server on a different network segment. D. Use a honeynet.
B. Air gapping refers to the server not being on a network. This means literally that there is "air" between the server and the network. This prevents malware from infecting the backup server. Options A and C are incorrect. A separate VLAN or physical network segment can enhance security but is not as effective as air gapping. Option D is incorrect. A honeynet is a good security measure, but it won't provide the best protection against malware.
93. Ariel is responsible for software development in her company. She is concerned that the software development team integrate well with the network system. She wants to ensure that software development processes are aligned with the security needs of the entire network. Which of the following would be most important for her to implement? A. Integration testing B. Secure DevOps C. Clear policies D. Employee training
B. DevOps is a compound term: software DEVelopment and information technology OPerationS. The term refers to collaboration between software developers and IT professionals to align software development with infrastructure issues. Option A is incorrect. Integration testing refers to testing two or more components. Options C and D are both incorrect. Although clear policies and employee training are usually a good idea, they won't be the best way to address Ariel's concerns.
45. Which feature of cloud computing involves dynamically provisioning (or deprovisioning) resources as needed? A. Multitenancy B. Elasticity C. CMDB D. Sandboxing
B. Elasticity is a feature of cloud computing that involves dynamically provisioning (or deprovisioning) resources as needed. Option A is incorrect. Multitenancy refers to the ability to host multiple different virtualized environments. Option C is incorrect. A configuration management database is used to store configuration information. Option D is incorrect. Sandboxing refers to the ability to isolate an environment.
29. John is responsible for security in his company. He is implementing a kernel integrity subsystem for key servers. What is the primary benefit of this action? A. To detect malware B. To detect whether files have been altered C. To detect rogue programs being installed D. To detect changes to user accounts
B. Kernel integrity subsystems are a form of integrity measurement used to detect whether files have been accidentally or maliciously altered, both remotely and locally; to appraise a file's measurement against a "good" value stored as an extended attribute; and to enforce local file integrity. These goals are complementary to Mandatory Access Control (MAC) protections provided by Linux Security Modules. Option A is incorrect. Antivirus software is used to detect malware. Option C is incorrect. Kernel integrity subsystems cannot detect what programs have been installed. Option D is incorrect. Kernel integrity systems don't detect changes to user accounts.
34. Maria is a security engineer with a manufacturing company. During a recent investigation, she discovered that an engineer's compromised workstation was being used to connect to SCADA systems while the engineer was not logged in. The engineer is responsible for administering the SCADA systems and cannot be blocked from connecting to them. What should Maria do to mitigate this threat? A. Install host-based antivirus software on the engineer's system. B. Implement account usage auditing on the SCADA system. C. Implement an NIPS on the SCADA system. D. Use FDE on the engineer's system.
B. Maria should implement ongoing auditing of the account usage on the SCADA system. This will provide a warning that someone's account is being used when they are not actually using it. Option A is incorrect. Host-based antivirus is almost never a bad idea. But this scenario did not indicate that the compromise was due to malware, so anti-malware may not address the threat. Option C is incorrect. Since the engineer has access to the SCADA system, a NIPS is unlikely to block him from accessing the system. Option D is incorrect. Full disk encryption will not mitigate this threat.
19. Which of the following is the equivalent of a VLAN from a physical security perspective? A. Perimeter security B. Partitioning C. Security zones D. Firewall
B. Physically partitioning your network is the physical equivalent of a VLAN. A VLAN is designed to emulate physical partitioning. Option A is incorrect. Perimeter security does not segment the network. Option C is incorrect. Security zones are useful, but don't, by themselves, segment a network. Often a network is segmented, using physical partitions or VLANs, to create security zones. Option D is incorrect. A firewall is meant to block certain traffic, not to segment the network.
68. Teresa has deployed session tokens on her network. These would be most effective against which of the following attacks? A. DDoS B. Replay C. SYN flood D. Malware
B. Session tokens are used to authenticate sessions. These can be effective against replay attacks and session hijacking. Options A, C, and D are all incorrect. Session tokens will not be effective in mitigating these attacks.
87. Mark is responsible for a server that runs sensitive software for a major research facility. He is very concerned that only authorized software execute on this server. He is also concerned about malware masquerading as legitimate, authorized software. What technique would best address this concern? A. Secure boot B. Software attestation C. Sandboxing D. TPM
B. Software attestation is often done with digital certificates and digital signing. The software proves that it is the legitimate program before being allowed to execute. Option A is incorrect. Secure boot involves the system booting into a trusted configuration. Option C is incorrect. Sandboxing is used to isolate an application. Option D is incorrect. Trusted platform module is a cryptoprocessor, often used for key management.
90. You are concerned about the security of new devices your company has implemented. Some of these devices use SoC technology. What would be the best security measure you could take for these? A. Using a TPM B. Ensuring each has its own cryptographic key C. Using SED D. Using BIOS protection
B. System on a Chip devices are complete self-contained systems on a single chip. Therefore, having their own unique cryptographic keys is the best way to implement authentication and security. Option A is incorrect. A system on a chip is self-contained, so a TPM would not be an appropriate solution. Option C is incorrect. A self-encrypting drive is not relevant to system on a chip, since that system does not have a "drive." Option D is incorrect. Many SoC technologies don't use a BIOS.
50. John is responsible for physical security at his company. He is particularly concerned about an attacker driving a vehicle into the building. Which of the following would provide the best protection against this threat? A. A gate B. Bollards C. A security guard on duty D. Security cameras
B. The correct answer is bollards. These are large objects, often made of concrete or similar material, designed specifically to prevent a vehicle getting past them. Option A is incorrect. Most gates can be breached with a vehicle. Option C is incorrect. A security guard is a good idea, but he or she would not be able to stop a vehicle from ramming the building. Option D is incorrect. Security cameras will provide evidence of a crime that was committed, but won't prevent the crime.
75. To mitigate the impact of a software vendor going out of business, a company that uses vendor software should require which one of the following? A. A detailed credit investigation prior to acquisition B. A third-party source-code escrow C. Substantial penalties for breach of contract D. Standby contracts with other vendors
B. The correct answer is to have the source code for the application stored with a third-party source code escrow. Should the vendor go out of business, or otherwise be unable to continue to support the application, the source code escrow will supply you with the source code, which you can then maintain yourself (or hire a new company to maintain). Option A is incorrect. Detailed credit checks of vendors are a good idea, but are no guarantee against the vendor failing. Option C is incorrect. If the vendor goes out of business, contractual penalties will be ineffective. Option D is incorrect. Even if another vendor is willing to be a backup for you, they cannot effectively support the application without the source code.
52. Joanne is responsible for security at a power plant. The facility is very sensitive and security is extremely important. She wants to incorporate two-factor authentication with physical security. What would be the best way to accomplish this? A. Smart cards B. A mantrap with a smart card at one door and a PIN keypad at the other door C. A mantrap with video surveillance D. A fence with smart card gate access
B. The correct answer is to incorporate two-factor authentication with a mantrap. By having a smart card at one door (type II authentication) and a PIN (type I authentication) at the other door, Joanne will combine strong two-factor authentication with physical security. Option A is incorrect. Smart cards by themselves are single-factor authentication. Option C is incorrect. Video surveillance, though often a good idea, won't help with two-factor authentication. Option D is incorrect. Again, the smart card by itself is single-factor authentication.
84. Emiliano is a network administrator and is concerned about the security of peripheral devices. Which of the following would be a basic step he could take to improve security for those devices? A. Implement FDE. B. Turn off remote access (SSH, telnet, etc.) if not needed. C. Utilize fuzz testing for all peripherals. D. Implement digital certificates for all peripherals.
B. The correct answer is to turn off any remote access to such devices that is not absolutely needed. Many peripheral devices come with SSH, telnet, or similar services. If you are not using them, turn them off. Option A is incorrect. Full disk encryption may improve security for some peripherals, but many peripherals don't have a disk to encrypt. Option C is incorrect. Fuzz testing is for applications. Option D is incorrect. Not all devices are even capable of having a digital certificate assigned to them.
37. You are the security officer for a large company. You have discovered malware on one of the workstations. You are concerned that the malware might have multiple functions and might have caused more security issues with the computer than you can currently detect. What is the best way to test this malware? A. Leave the malware on that workstation until it is tested. B. Place the malware in a sandbox environment for testing. C. It is not important to test it; just remove it from the machine. D. Place the malware on a honeypot for testing.
B. The correct answer is to use a sandboxed environment to test the malware and determine its complete functionality. A sandboxed system could be an isolated virtual machine or an actual physical machine that is entirely isolated from the network. Option A is incorrect. Leaving the malware on a production system is never the correct approach. Option C is incorrect. You should test the malware to determine exactly what damage it causes. Option D is incorrect. A honeypot is used for trapping attackers, not for testing malware.
35. Lucy works as a network administrator for a large company. She needs to administer several servers. Her objective is to make it easy to administer and secure these servers, as well as making the installation of new servers more streamlined. Which of the following best addresses these issues? A. Setting up a cluster B. Virtualizing the servers C. Putting the servers on a VLAN D. Putting the servers on a separate subnet
B. The correct answer is virtualization. By virtualizing the servers Lucy can administer them all in a single location, and it is very easy to set up a new virtual server, should it be needed. Option A is incorrect. A cluster won't make installing a new server any more streamlined. Options C and D are incorrect. Segmenting the servers, such as with a VLAN or subnet, won't address the issues presented in this question.
13. John works for an insurance company. His company uses a number of operating systems, including Windows and Linux. In this mixed environment, what determines the network operating system? A. The OS of the DNS server B. The OS of the domain controller C. The OS of the majority of servers D. The OS of the majority of client computers
B. The network operating system is determined by the operating system running on a domain controller. A network could be mostly Windows, but as long as the domain controller is Unix, the network operating system is Unix. Options A, C, and D are all incorrect. These items do not determine the network operating system.
3. Cheryl is responsible for cybersecurity at a mid-sized insurance company. She has decided to utilize a different vendor for network antimalware than she uses for host antimalware. Is this a recommended action, and why or why not? A. This is not recommended; you should use a single vendor for a particular security control. B. This is recommended; this is described as vendor diversity. C. This is not recommended; this is described as vendor forking. D. It is neutral. This does not improve or detract from security.
B. Vendor diversity gives two security benefits. The first is that there is not a single point of failure should one vendor cease operations. The second benefit is that each vendor has a specific methodology and algorithms used for detecting malware. If you use the same vendor at all points where you need malware detection, any flaw or weakness in that vendor's methodology will persist across the network. Option A is incorrect. Using a single vendor means that any weakness in that vendor's methodology permeates the entire network. Option C is incorrect. Vendor forking is not a term in the industry. Option D is incorrect. This is not a neutral act. Vendor diversity improves security.
32. Joanne works for a large insurance company. Some employees have wearable technology, such as smart watches. What is the most significant security concern from such devices? A. These devices can distract employees. B. These devices can be used to carry data in and out of the company. C. These devices may not have encrypted drives. D. These devices may not have strong passwords.
B. Wearable devices have storage and thus can be used to bring in files to a network, or to exfiltrate data from the network. Option A is incorrect. Distractions are not a security concern, though they may be a management issue. Options C and D are incorrect. Although either of these might be appropriate security concerns to mitigate, they are not the most significant concern.
63. Farès is responsible for managing the many virtual machines on his company's networks. Over the past two years, the company has increased the number of virtual machines significantly. Farès is no longer able to effectively manage the large number of machines. What is the term for this situation? A. VM overload B. VM sprawl C. VM spread D. VM zombies
B. When virtualization reaches the point that IT can no longer effectively manage it, the condition is known as VM sprawl. Options A and C are incorrect. These are not the terms used in industry. Option D is incorrect. VM zombie is a term for a virtual machine that is running and consuming resources but no longer has a purpose.
98. Your company is interested in keeping data in the cloud. Management feels that public clouds are not secure but is concerned about the cost of a private cloud. What is the solution you would recommend? A. Tell them there are no risks with public clouds. B. Tell them they will have to find a way to budget for a private cloud. C. Suggest that they consider a community cloud. D. Recommend against a cloud solution at this time.
C. A community cloud presents a compromise solution. Community clouds are semiprivate. They are not accessible to the general public but only to a small community of specific entities. Option A is incorrect. This would not be true. Option B is incorrect. The cost of a private cloud is beyond many small companies. Option D is incorrect. This is not a good answer. It ignores the company's desire to find a cloud solution.
47. Mohaned is a security analyst and has just removed malware from a virtual server. What feature of virtualization would he use to return the virtual server to a last known good state? A. Sandboxing B. Hypervisor C. Snapshot D. Elasticity
C. A snapshot is an image of the virtual machine at some point in time. It is standard practice to periodically take a snapshot of a virtual system so that you can return that system to a last known good state. Option A is incorrect. Sandboxing is the process of isolating a system. Option B is incorrect. The hypervisor is the mechanism whereby the virtual environment interacts with the hardware. Option D is incorrect. Elasticity is the ability for the system to scale.
28. Suzan is responsible for application development in her company. She wants to have all web applications tested prior to being deployed live. She wants to use a test system that is identical to the live server. What is this called? A. Production server B. Development server C. Test server D. Predeployment server
C. A test server should be identical to the production server. This can be used for functional testing as well as security testing, prior to deploying the application. Option A is incorrect. The production server is the live server. Option B is incorrect. A development server would be one the programmers use during development of a web application. Option D is incorrect. Predeployment server is not a term used in the industry.
30. You are responsible for BIOS security in your company. Which of the following is the most fundamental BIOS integrity technique? A. Verifying the BIOS version B. Using a TPM C. Managing BIOS passwords D. Backing up the BIOS
C. BIOS password management is the most basic security measure for the BIOS. Without this fundamental step, any other steps will be far less effective. Options A and B are incorrect. NIST 800-155 does list both of these as BIOS integrity measures, but they are not the most fundamental measures—passwords are. Option D is incorrect. Backing up the BIOS is not a common security measure, and it certainly would not be the most fundamental step.
42. Juan is responsible for wireless security in his company. He has decided to disable the SSID broadcast on the single AP the company uses. What will the effect be on client machines? A. They will no longer be able to use wireless networking. B. They will no longer see the SSID as a preferred network when they are connected. C. They will no longer see the SSID as an available network. D. They will be required to make the SSID part of their HomeGroup.
C. Disabling the SSID broadcast keeps it from being seen in the list of available networks, but it is still possible to connect to it and use the wireless network. Options A, B, and D are all incorrect. These are not accurate descriptions of what happens when you disable SSID broadcast.
69. Hector is using infrared cameras to verify that servers in his datacenter are being properly racked. Which of the following datacenter elements is he concerned about? A. EMI blocking B. Humidity control C. Hot and cold aisles D. HVAC
C. Hot aisle/cold aisle is a layout design for server racks and other computing equipment in a data center. The goal of a hot aisle/cold aisle configuration is to conserve energy and lower cooling costs by managing airflow. An infrared camera will detect heat levels on the aisles. Options A, B, and D are all incorrect. Although these are issues to be concerned about in a data center, the infrared camera is not an appropriate way to monitor them.
15. You are responsible for security at your company. You want to improve cloud security by following the guidelines of an established international standard. What standard would be most helpful? A. NIST 800-14 B. NIST 800-53 C. ISO 27017 D. ISO 27002
C. ISO 27017 is an international standard for cloud security. Option A is incorrect. NIST 800-14 describes common security principles that should be addressed within security policies. Option B is incorrect. NIST 800-53 organizes security measures into families of controls, such as risk assessment, access control, incident response, and others. Option D is incorrect. ISO 27002 recommends best practices for initiating, implementing, and maintaining information security management systems (ISMSs).
95. You are using a sophisticated system that models various attacks on your networks. You intend for this system to help your team realize weak areas and improve response to incidents. What is the most important step to take before relying on data from this system? A. Get approval from a CAB. B. Thoroughly review the systems documentation. C. Verify the models being used. D. Perform integration testing on the system.
C. Model verification must be completed before you can rely on the models used. It is important to verify that all aspects of a simulation model are accurate. If the model has any inaccurate data or settings, then the results will not be accurate. Option A is incorrect. Change approval boards (CABs) are part of the change control process. Option B is incorrect. Although it is always a good idea to thoroughly read the documentation, this is not the most critical issue in this scenario. Option D is incorrect. Integration testing involves testing two or more components to ensure they function together.
66. Juan is responsible for the physical security of the company server room. He has been asked to recommend a type of fire suppression system for the server room. Which of the following would be the best choice? A. Wet pipe B. Deluge C. Pre-action D. Halon
C. Pre-action fire suppression is ideal for computers. The pipes have no water in them during normal operations. When the temperature rises to a certain level, water fills the pipes. Then if the temperature continues to rise, the fire suppression system activates. This provides time to stop the fire before the servers are soaked with water. Option A is incorrect. Wet pipes have water in them at all times. If a pipe freezes and/or bursts, then the servers will be damaged. Option B is incorrect. Deluge fire suppression, as the name suggests, uses a very large amount of water. This is not appropriate for computers. Option D is incorrect. Halon is now banned.
76. Abigail is responsible for datacenters in a large, multinational company. She has to support multiple datacenters in diverse geographic regions. What would be the most effective way for her to manage these centers consistently across the enterprise? A. Hire datacenter managers for each center. B. Implement enterprise-wide SDN. C. Implement Infrastructure as Code (IaC). D. Automate provisioning and deprovisioning.
C. The correct answer is to implement IaC. Infrastructure as Code (IaC) is the process of managing and provisioning computer datacenters through machine-readable definition files, rather than physical hardware configuration or interactive configuration tools. Whether the data center(s) use physical machines or virtual machines, this is an effective way to manage the data centers. Option A is incorrect. Although data center managers may be needed, that won't necessarily provide consistent management across the enterprise. Option B is incorrect. Software-defined networking will not fix this problem. Option D is incorrect. The issue is not just provisioning; it is management.
58. Hans is a security administrator for a large company. Users on his network visit a wide range of websites. He is concerned they might get malware from one of these many websites. Which of the following would be his best approach to mitigate this threat? A. Implement host-based antivirus. B. Blacklist known infected sites. C. Set browsers to allow only signed components. D. Set browsers to block all active content (ActiveX, JavaScript, etc.).
C. The correct answer is to only allow signed components to be loaded in the browser. Code signing verifies the originator of the component (such as an ActiveX component) and thus makes malware far less likely. Option A is incorrect. Although host-based anti-malware is a good idea, it is not the best remedy for this specific threat. Option B is incorrect. Blacklists cannot cover all sites that are infected, just the sites you know about. And given that users on Hans's network visit a lot of websites, blacklisting is likely to be ineffective. Option D is incorrect. If you block all active content, many websites will be completely unusable.
85. Ixxia is a software development team manager. She is concerned about memory leaks in code. What type of testing is most likely to find memory leaks? A. Fuzzing B. Stress testing C. Static code analysis D. Normalization
C. The correct answer is to use static code analysis. Memory leaks are usually caused by failure to deallocate memory that has been allocated. A static code analyzer can check to see if all memory allocation commands (malloc, alloc, etc.) have a matching deallocation command. Option A is incorrect. Fuzzing involves entering data that is outside expected values to see how the application handles it. Option B is incorrect. Stress testing involves testing how a system handles extreme workloads. Option D is incorrect. Normalization is a technique for deduplicating a database.
7. Janelle is the security administrator for a small company. She is trying to improve security throughout the network. Which of the following steps should she take first? A. Implement antimalware on all computers. B. Implement acceptable use policies. C. Turn off unneeded services on all computers. D. Turn on host-based firewalls on all computers.
C. The first step in security is hardening the operating system, and one of the most elementary aspects of that is turning off unneeded services. This is true regardless of the operating system. Options A, B, and D are incorrect. Each of these is a good security measure and should be implemented. However, none of these are as fundamental as turning off unneeded services and therefore would not be done first.
77. Olivia is responsible for web application security for her company's e-commerce server. She is particularly concerned about XSS and SQL injection. Which technique would be most effective in mitigating these attacks? A. Proper error handling B. The use of stored procedures C. Proper input validation D. Code signing
C. These particular web application attacks are best mitigated with proper input validation. Any user input should be checked for indicators of XSS or SQL injection. Option A is incorrect. Error handling is always important, but it won't mitigate these particular issues. Option B is incorrect. Stored procedures can be a good way of ensuring SQL commands are standardized, but that won't prevent these attacks. Option D is incorrect. Code signing is used for code that is downloaded from a web application to the client computer. It is used to protect the client, not the web application.
26. You're outlining your plans for implementing a wireless network to upper management. Which protocol was designed to provide security for a wireless network and is considered equivalent to the security of a wired network? A. WAP B. WPA C. WPA2 D. WEP
C. Wi-Fi Protected Access 2 (WPA2) was intended to provide security that's equivalent to that on a wired network, and it implements elements of the 802.11i standard. Option A is incorrect. A WAP is a wireless access point. Option B is incorrect. WPA is not as secure as WPA2. Option D is incorrect. WEP is the oldest, and least secure, wireless security protocol.
38. Web developers in your company currently have direct access to the production server and can deploy code directly to it. This can lead to insecure code, or simply code flaws, being deployed to the live system. What would be the best change you could make to mitigate this risk? A. Implement sandboxing. B. Implement virtualized servers. C. Implement a staging server. D. Implement deployment policies.
C. You should implement a staging server so that code can be deployed to an intermediate staging environment. This will allow testing of security features, as well as checking to see that the code integrates with the entire system. Using third-party libraries and SDKs can help reduce errors and vulnerabilities in the code. Option A is incorrect. Sandboxing is used to isolate a particular environment. Option B is incorrect. Virtualization will not mitigate this risk. Even if the production server is virtualized, the risks are the same. Option D is incorrect. Deployment policies are a good idea, but they are not the most effective way to mitigate this particular risk.
96. Your company has an accounting application that was developed in-house. It has been in place for 36 months, and functioning very well, with very few issues. You have just made a minor change to the tax calculation based on a change in tax law. What should be your next step? A. Deploy the change. B. Get CAB approval for the change. C. Perform stress testing. D. Perform regression testing.
D. Any change to a system requires regression testing. Regression testing ensures that the change made does not cause any new issues. Option A is incorrect. Full disk encryption may or may not even be appropriate for such devices. Many don't have a disk to encrypt. Option B is incorrect. You should have received approval from the change approval board prior to making the change. Option C is incorrect. Stress testing is designed to see what loads the system can handle.
80. Lilly is responsible for security on web applications for her company. She is checking to see that all applications have robust input validation. What is the best way to implement validation? A. Server-side validation B. Client-side validation C. Validate in transit D. Client-side and server-side validation
D. Both client-side and server-side validation are important, so both should be used for a complete validation solution. Options A and B are both incorrect since they are both incomplete. Option C is incorrect. This is not a validation method.
4. Maria is a security administrator for a large bank. She is concerned about malware, particularly spyware that could compromise customer data. Which of the following would be the best approach for her to mitigate the threat of spyware? A. Computer usage policies, network antimalware, and host antimalware B. Host antimalware and network antimalware C. Host and network antimalware, computer usage policies, and website whitelisting D. Host and network antimalware, computer usage policies, and employee training
D. Control diversity means utilizing different controls to mitigate the same threat. For malware, the use of technical controls, such as anti-malware, is critical. But it is also important to have administrative controls, such as good policies, and to ensure employees are properly trained. Option A is incorrect. This approach ignores training employees. Policies are only useful if employees are properly trained. Option B is incorrect. This approach uses only one type of control: technical controls. Option C is incorrect. This approach ignores training employees. Policies are useful only if employees are properly trained. Furthermore, website whitelisting can be beneficial but leaves many websites unchecked, each of which could be hosting malware.
20. In an attempt to observe hacker techniques, a security administrator configures a nonproduction network to be used as a target so that he can covertly monitor network attacks. What is this type of network called? A. Active detection B. False subnet C. IDS D. Honeynet
D. Honeypots are designed to attract a hacker by appearing to be security holes that are ripe and ready for exploitation. A honeynet is a network honeypot. This security technique is used to observe hackers in action while not exposing vital network resources. Option A is incorrect. Active detection is not a term used in the industry. Option B is incorrect. False subnet is not a term used in the industry. Option C is incorrect. An intrusion detection system is used to detect activity that could indicate an intrusion or attack.
56. Isabella is responsible for database management and security. She is attempting to remove redundancy in the database. What is this process called? A. Integrity checking B. Deprovisioning C. Baselining D. Normalization
D. Normalization is the process of removing duplication or redundant data from a database. There are typically four levels of normalization ranging from 1N at the lowest (i.e., the most duplication) to 4N at the highest (i.e., the least duplication). Option A is incorrect. Although database integrity is important, that is not what is described in the question. Furthermore, integrity checking usually refers to checking the integrity of files. Option B is incorrect. Deprovisioning is a virtualization term for removing a virtual system (server, workstation, etc.) and reclaiming those resources. Option C is incorrect. Baselining involves setting security standards.
48. Lisa is concerned about fault tolerance for her database server. She wants to ensure that if any single drive fails, it can be recovered. What RAID level would support this goal while using distributed parity bits? A. RAID 0 B. RAID 1 C. RAID 3 D. RAID 5
D. RAID level 5 is disk striping with distributed parity. It can withstand the loss of any single disk. Option A is incorrect. RAID 0 is disk striping; it does not provide any fault tolerance. Option B is incorrect. RAID 1 is mirroring. It does protect against the loss of a single disk but not with distributed parity. Option C is incorrect. RAID 3 is disk striping with dedicated parity. This means a dedicated drive containing all the parity bits.
60. John is using the waterfall method for application development. At which phase should he implement security measures? A. Requirements B. Design C. Implementation D. All
D. Security should be addressed at every stage of development. This means requirements, design, implementation, verification/testing, and maintenance. Options A, B, and C are incorrect. These are all only partially correct.
61. You are responsible for database security at your company. You are concerned that programmers might pass badly written SQL commands to the database, or that an attacker might exploit badly written SQL in applications. What is the best way to mitigate this threat? A. Programmer training B. Programming policies C. Agile programming D. Stored procedures
D. Stored procedures are the best way to have standardized SQL. Rather than programmers writing their own SQL commands, they simply call the stored procedures that the database administrator creates. Options A and B are both incorrect. Although these are good ideas, they are not as effective as stored procedures in addressing concerns about bad SQL commands. Option C is incorrect. Agile programming is a method for developing applications rapidly and won't determine how SQL commands are created.
82. Sarah is the CIO for a small company. The company uses several custom applications that have complicated interactions with the host operating system. She is concerned about ensuring that systems on her network are all properly patched. What is the best approach in her environment? A. Implement automatic patching. B. Implement a policy that has individual users patch their systems. C. Delegate patch management to managers of departments so they can find the best patch management for their departments. D. Immediately deploy patches to a test environment, then as soon as testing is complete have a staged rollout to the network.
D. The correct answer is to first test patches. It is always possible that a patch might cause issues for one or more current applications. This is particularly a concern with applications that have a lot of interaction with the host operating system. An operating system patch can prevent the application from executing properly. But as soon as the patches are tested, a phased rollout to the company should begin. Option A is incorrect. Automatic patching is not recommended in corporate environments because a patch could possibly interfere with one or more applications. Option B is incorrect. This is a very bad idea and will lead to inconsistent patching and the application of untested patches. Option C is incorrect. This is only slightly better than having end users handle their own patching.
73. Lars is auditing the physical security of a company. The company uses chain-link fences on its perimeter. The fence is over pavement, not soft ground. How close to the ground should the bottom of the fence be? A. Touching the ground B. Within 4 inches C. There is no standard for this. D. Within 2 inches
D. The fence should reach within 2 inches of hard surfaces like pavement or concrete. For soft dirt it should actually go into the ground. Options A and B are incorrect. These are not the correct measurements. Option C is incorrect. Per the standard, chain-link fence should reach within 2 inches of hard surfaces like pavement or concrete. For soft dirt, it should actually go into the ground.
92. Emile is concerned about securing the computer systems in vehicles. Which of the following vehicle types has significant cybersecurity vulnerabilities? A. UAV B. Automobiles C. Airplanes D. All of the above
D. The more vehicles utilize computers and have network communication capabilities, the more they will be vulnerable to cyberattacks. Options A, B, and C are all incorrect. These are incomplete.
88. Hannah is a programmer with a large software company. She is interested in ensuring that the module she just created will work well with a module created by another programmer. What type of testing is this? A. Unit testing B. Regression testing C. Stress testing D. Integration testing
D. When two or more components are tested together, this is referred to as integration testing. Option A is incorrect. Unit testing is testing a single unit of code. Option B is incorrect. Regression testing is testing a system after a change to ensure that the change did not cause any other problems. Option C is incorrect. Stress testing involves subjecting a system to extensive loads to determine if it can handle them.