Cybersecurity questions (Cert Mike)
Frank would like to set his organization's password length requirements to align with industry best practices. What should he set as the maximum password length? A. No maximum B. 8 characters C. 16 characters D. 255 characters
Correct Answer: A The best source for guidance on passwords and other authentication techniques is NIST Special Publication 800-63B: Digital Identity Guidelines. NIST states that users should not be subjected to arbitrary maximum password length requirements: verifiers are expected to accept passwords of at least 64 characters, and users should be allowed to choose passwords as lengthy as they would like. The only practical reason for any upper bound at all is to keep the cost of hashing an enormous submitted password from becoming a denial-of-service vector, and such a bound belongs well above 64 characters, not at 8 or 16.
What metric would a SOC use to measure the amount of time that elapses between a security incident occurring and the SOC identifying the incident? A. MTTD B. MTTR C. MTBF D. MITRE
Correct Answer: A The mean time to repair (MTTR) and mean time between failures (MTBF) are availability and business continuity metrics, so neither is the correct answer. The mean time to detection (MTTD) is the typical time that elapses between an incident occurring and the SOC identifying it, so this is the correct answer. MITRE is a not-for-profit that operates federally funded research centers and maintains the ATT&CK framework; it is not a metric.
Helen learned that there is a process isolation vulnerability in the hypervisor platform used by her organization. What is the most direct risk that this vulnerability poses? A. Privilege Escalation B. Denial of Service C. VM Sprawl D. VM Escape
Correct Answer: D The hypervisor is the component of a virtualization platform responsible for managing resources and isolating virtual machines from each other. A failure to properly perform isolation can result in a VM escape attack, where one virtual machine is able to access the resources assigned to other virtual machines, compromising the security of the entire platform. VM sprawl occurs when an organization has too many unused virtual machines and loses track of them. It is possible that a successful VM escape attack could lead to a denial of service or privilege escalation attack, but the question is asking us to identify the most direct risk, so I'm going to stick with VM escape here.
Which one of the following groups is not normally part of an organization's cybersecurity incident response team? A. Technical Subject Matter Experts B. Cybersecurity Experts C. Management D. Law Enforcement
Correct Answer: D The incident response team normally includes a wide range of internal experts, including those from cybersecurity and other technical disciplines, this also includes management representation. The team however, would not normally include outside organizations, such as representatives of law enforcement, although it may interact with those groups through a liaison function.
Wanda would like to implement an operational security control that increases the likelihood that internal fraud will be detected. Which one of the following controls would best meet her objective? A. Two-Person Control B. Least Privilege C. Separation of Duties D. Job Rotation
Correct Answer: D Two-person control, least privilege, and separation of duties are all designed to deter and prevent fraud from occurring in the first place, so none of them meets Wanda's objective. Of the controls listed, only job rotation serves to detect fraud that has already taken place, because the person rotating into a role sees what the previous occupant was doing. So, this is the correct answer.
Which one of the following sources of evidence contains the least volatile information? A. Memory contents B. Files stored on disk C. ARP tables D. Archival media
Correct Answer: D Volatile information is information that is likely to be altered or lost as time passes. Archival media is designed for long-term storage and is the least volatile data source listed here. ARP tables in a router and the contents of system memory may change frequently and are the most volatile. Files stored on disk fall in between these two extremes.
Bob is performing regular backups of a system and is asked by his boss to create an emergency backup. Which one of the following backup types will consume the most disk space? A. Full backup B. Incremental backup C. Differential backup D. Transaction log backup
Correct Answer: A Full backups always include all data stored on the media being backed up and, therefore, are always at least as large as any other backup type. This system is being regularly backed up, so an incremental backup (changes since the last backup of any type), a differential backup (changes since the last full backup), or a transaction log backup will each be smaller than a full backup. A differential backup grows with every day since the last full, but it can never exceed the full.
What software security technique can be added to a Secure DevOps approach to automate the evaluation of how software will respond to mutated input? A. Fuzz testing B. Penetration testing C. Vulnerability scanning D. Decompilation
Correct Answer: A Fuzz testing specifically evaluates how an application responds to mutated or randomly generated input, and fuzzers run unattended, which makes them a natural fit for a CI pipeline. Penetration testing is a largely manual, not automated, process. Vulnerability scanning may be automated but does not necessarily involve mutated input. Decompilation attempts to reverse engineer code.
Which one of the following categories of account should normally exist on a secured server? A. Service account B. Shared account C. Generic account D. Guest account
Correct Answer: A Generic, shared, and guest accounts should not be used on secure servers due to their lack of accountability to an individual user. Service accounts normally exist on all servers and are required for routine operation of services. They should still be locked down: non-interactive (no console or remote logon rights), holding only the privileges the service needs, and with credentials that are rotated, so that a compromised service does not become a general-purpose account.
ROT 13 is an example of what type of cipher? A. Hashing B. Transposition C. Substitution D. Cryptographically strong
Correct Answer: C The ROT13 cipher exchanges each letter of a message for the letter that is 13 places ahead of it in the alphabet, wrapping around at Z. This is a substitution operation: letters are replaced, but they stay in their original positions. Because 13 is half the alphabet, applying ROT13 twice restores the plaintext. Transposition ciphers rearrange the letters in a message without changing them, which is not occurring here. ROT13 is quite weak and would never be considered cryptographically strong. It also does not perform hashing of messages into message digests.
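As an added example (not part of the original quiz), the following Python puts ROT13 beside a toy columnar transposition so the distinction in the answer is visible in code: under substitution every plaintext letter maps to one fixed ciphertext letter at the same position, while under transposition the letter frequencies are untouched and only the positions move. The transposition cipher and its width parameter are assumptions chosen for contrast.

```python
import string
from collections import Counter

# ROT13 is a Caesar shift of 13 over the 26-letter alphabet. A translation
# table maps every letter to the letter 13 places ahead (wrapping around);
# non-letters pass through unchanged.
_UP, _LOW = string.ascii_uppercase, string.ascii_lowercase
_ROT13_TABLE = str.maketrans(_UP + _LOW, _UP[13:] + _UP[:13] + _LOW[13:] + _LOW[:13])


def rot13(text: str) -> str:
    """Substitution: each letter is replaced, its position is kept.
    Because 13 + 13 = 26, rot13(rot13(x)) == x."""
    return text.translate(_ROT13_TABLE)


def columnar_transposition(text: str, width: int) -> str:
    """Toy transposition cipher (assumed here for contrast): write the letters
    in rows of `width`, read them out column by column. Letters move, none changes."""
    letters = [c for c in text if c.isalpha()]
    rows = [letters[i:i + width] for i in range(0, len(letters), width)]
    return "".join(row[col] for col in range(width) for row in rows if col < len(row))


def letter_counts(text: str) -> Counter:
    """Letter frequencies, ignoring case and non-letters. A transposition
    leaves these identical to the plaintext's, which is how analysts spot one."""
    return Counter(c.upper() for c in text if c.isalpha())


def is_substitution_of(plaintext: str, ciphertext: str) -> bool:
    """True if every plaintext letter maps to one consistent ciphertext letter
    at the same position (the fingerprint of a monoalphabetic substitution)."""
    if len(plaintext) != len(ciphertext):
        return False
    mapping = {}
    for p, c in zip(plaintext, ciphertext):
        if mapping.setdefault(p, c) != c:
            return False
    return True


if __name__ == "__main__":
    msg = "ATTACKATDAWN"
    print(rot13(msg), is_substitution_of(msg, rot13(msg)))
    ct = columnar_transposition(msg, 4)
    print(ct, is_substitution_of(msg, ct), letter_counts(ct) == letter_counts(msg))
```

The positional check is a necessary, not sufficient, test for a substitution, but it is enough to separate the two families on any message with a repeated letter.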
What term is used to describe a network of decoy systems used to attract and study the activity of intruders? A. Honeynet B. Honeypot C. Darknet D. Darkpot
Correct Answer: A Honeynets are networks of decoy systems designed to attract intruders so that security analysts may study their activity. Honeypots are single systems designed for the same purpose. Darknets are unused portions of IP address space designed to detect scanning activity when a scanner attempts to access those unused addresses. Darkpots are what occur when I attempt to cook and leave a pot unattended on the stove for too long.
Paula is configuring her organization's firewall to support the secure remote retrieval of email using the IMAPS protocol. What port should she allow? A. TCP Port 993 B. TCP Port 143 C. UDP Port 993 D. UDP Port 143
Correct Answer: A IMAP is a connection-oriented protocol that uses TCP. UDP is not used with IMAPS or IMAP, so we can eliminate both of those UDP options. TCP port 143 is used by the unencrypted version of the IMAP protocol, so we can rule that out as well. The secure version of IMAP, IMAPS, uses TCP port 993, so that's our correct answer. One caveat: a server can also upgrade a plaintext port 143 session with STARTTLS, so if Paula allows 143 for any reason she should confirm the server refuses to authenticate before the upgrade; the dedicated IMAPS port avoids that question entirely.
Noah is a cybersecurity analyst for a mid-sized business. He is working with the user of a machine that is exhibiting suspicious behavior. The anomalous activity began immediately after the user downloaded and installed software from the Internet and Noah suspects that it contained malware hidden inside of its advertised functionality. What term best describes the malware in this situation? A. Trojan horse B. Virus C. Worm D. Logic bomb
Correct Answer: A From the description provided, we have sufficient information to identify this as a Trojan horse. Trojans are a type of malware that disguise themselves as a benign application, such as a game, but then carry a malicious payload.
Carla is the firewall administrator for a large university. She has recently seen a flurry of activity from student networks sending spam print jobs to printers located in administrative offices. She would like to block printer traffic between network segments using the standard HP JetDirect port. What port should she block? A. TCP port 9100 B. UDP port 9100 C. TCP port 8080 D. UDP port 8080
Correct Answer: A HP JetDirect printer traffic uses TCP port 9100 (raw, or "AppSocket", printing) to transfer data from clients to printers. Note that blocking 9100 alone may not stop every print job: printers commonly also accept LPD on TCP port 515 and IPP on TCP port 631, so Carla should block those between the same segments if the printers have them enabled.
Brandy is using a computer at a hotel business center and she is concerned that the operating system on the device may be compromised. What is the best way for her to use this computer in a secure fashion? A. Use live boot media B. Run a malware scan C. Connect to a VPN D. Only access secure websites
Correct Answer: A If Brandy's major concern is a compromised operating system, she can bypass the operating system on the device by booting it from live boot media and running her own operating system on the hardware. Running a malware scan may provide her with some information but may not detect all compromises, and Brandy likely does not have the necessary permissions to correct any issues. Using a VPN or accessing secure sites would not protect her against a compromised operating system, as the operating system would be able to view the contents of her communication prior to encryption. This answer assumes the device will boot from external media (a business center may lock the boot order in firmware) and that the compromise is confined to the installed operating system; a compromised BIOS/UEFI or a hardware keylogger would defeat live media too.
In which one of the following attacks against Bluetooth technology is the attacker able to steal information from the device? A. Bluesnarfing B. Bluejacking C. Blueballing D. Bluefeeding
Correct Answer: A In a bluesnarfing attack, the attacker establishes a Bluetooth connection to a target device and then retrieves information from that device. Bluejacking attacks only allow the attacker to display a message on the device. Blueballing attacks allow an attacker to break an existing Bluetooth connection between two devices. Bluefeeding attacks do not exist.
Kelly detected an attack on her network where the attacker used aircrack-ng to create a wireless network bearing her company's SSID. The attacker then boosted the power of that access point so that it was the strongest signal in an executive office area, prompting executive devices to connect to it. What type of attack took place? A. Evil twin B. Jamming C. Bluesnarfing D. WPS
Correct Answer: A In this attack, the perpetrator created a false wireless network, otherwise known as an evil twin. Although the attacker boosted the power of the signal to make the evil twin signal stronger than other signals, there is no indication of attempts to jam signals from legitimate access points. There is no indication in the scenario that Bluetooth or WPS technology was involved.
Katie is conducting testing of a new application and recently completed unit testing. She would now like to run a series of tests designed to confirm that the tested units will work together properly. What type of software testing should Katie run next? A. Integration testing B. Functional testing C. Design testing D. Acceptance testing
Correct Answer: A Integration testing occurs after unit testing and is designed to confirm that units of code will work together properly. Functional testing takes place upon the conclusion of requirements development, while design testing occurs after the design is complete. Both functional and design testing should be completed before, not after, unit testing. Acceptance testing occurs as the next step after successful integration testing.
Which one of the following device types is most susceptible to a pass-the-hash attack? A. Windows server B. Network firewall C. VPN concentrator D. Hardware security module
Correct Answer: A Pass-the-hash attacks abuse a design property of the NTLM authentication protocol used by Windows: the NT hash of a password is itself sufficient to complete the challenge-response exchange, so an attacker who captures the hash never needs to crack it. Any service that accepts NTLM authentication can be targeted, including non-Windows implementations such as Samba, but in practice the targets are Windows servers and workstations. Firewalls, VPN concentrators, and hardware security modules do not normally authenticate users with NTLM, so they are not the most susceptible devices.
Connor would like to implement a multifactor authentication system for physical access to his data center. He is currently using a fingerprint scan. Which one of the following would be the best second authentication technique to use in combination with the fingerprint scan? A. ID card B. Retinal scan C. Security questions D. Voiceprint analysis
Correct Answer: A Retinal scans and voiceprint analysis are both examples of biometric controls and, when used in combination with a fingerprint scan, would not constitute multifactor authentication. Security questions are a knowledge-based factor but would be difficult to implement for physical access and are generally not a very secure authentication technique due to the ease of a third party discovering correct answers in many cases. ID cards are a "something you have" factor and would be an ideal pairing for the fingerprint scan.
Melanie is the system administrator for a database containing sensitive information. She is responsible for implementing security controls to protect the contents of the database. Which term best describes her role? A. Data custodian B. Data owner C. Data user D. Data steward
Correct Answer: A System administrators are examples of data custodians: individuals charged with the day-to-day safekeeping of information (backups, access controls, patching) under the guidance of the data owner. Data owners are usually senior business leaders who set the classification and access policy for the data; data stewards manage data quality and handling rules on the owner's behalf; data users consume the data in the course of their work.
Which one of the following categories of information is explicitly governed by HIPAA's security and privacy rules? A. PHI B. PCI C. PII D. PDI
Correct Answer: A The Health Insurance Portability and Accountability Act (HIPAA) contains security and privacy provisions covering protected health information (PHI). It does not apply to more general personally identifiable information (PII) or payment card information (PCI). PDI is not a common category of information.
Dawn is conducting the reconnaissance phase of a penetration test and would like to identify the registered owner of a domain name. Which one of the following tools would be most likely to provide her with this information? A. Whois B. Nslookup C. Dig D. Ping
Correct Answer: A Whois queries provide information about the registered owners of domain names and are a useful open source intelligence tool. The nslookup and dig commands perform standard DNS queries and can determine the IP addresses associated with domain names but do not normally reveal registration information. The ping command is used to test network connectivity. A practical caveat: since 2018 many registrars redact registrant details or front them with a privacy service, so whois frequently returns the registrar and an anonymized contact rather than the actual owner.
Which one of the following security principles does NOT describe a standard best practice in cybersecurity? A. Security through obscurity B. Least privilege C. Separation of duties D. Defense in depth
Correct Answer: A Security through obscurity is the idea that a control can depend on keeping the details of its inner workings secret. It is not a sound basis for security: by Kerckhoffs's principle, a system should remain secure even when everything about it except the key is public, because implementation details leak and get reverse engineered. Obscurity may add a little friction on top of real controls, but security professionals should not rely on controls whose security depends on it. The principles of least privilege, separation of duties, and defense in depth are all sound security practices.
Which one of the following activities would not typically be a component of an employee onboarding process? A. Deprovisioning accounts B. Computer issuance C. Credential generation D. Security training
Correct Answer: A During an employee onboarding process, the organization typically conducts a number of start-up activities for the new employee. These commonly include issuing a computer, generating account credentials, and conducting initial security training. Deprovisioning is the removal of user access and accounts and would occur during the offboarding process.
Greg is operating a web application that processes credit cards and determines that it is subject to a SQL injection vulnerability. He is unable to fix the vulnerability immediately because developers must create a patch that will take several weeks. The application is business critical and must remain running in the meantime. Which one of the following would serve as the best compensating control? A. Web Application Firewall B. Data Loss Prevention System C. Intrusion Detection System D. Privileged Access Management System
Correct Answer: A A web application firewall would be able to identify inbound requests containing attempted injection attacks and stop them from reaching the web server. It is the best compensating control in this situation. A data loss prevention system may notice exfiltration of sensitive data and block it, but this would only trigger after a successful attack, so it is not as good an option as a web application firewall. An intrusion detection system would simply report the attack, not stop it, and a privileged access management system would not help in this situation. The WAF is a temporary compensating control, not a fix: WAF rules can be bypassed with encoding and payload variations, so the parameterized-query fix must still ship, and Greg should test the WAF's injection rules against the vulnerable parameter in the meantime.
Fran is investigating an attack that took place against a website operated by her organization. When she looked at the authentication log entries, she saw that the attacker attempted to log into thousands of different accounts using a series of common passwords before eventually finding a combination that worked. What term best describes this attack? A. Credential stuffing B. Brute force C. Password spraying D. Rainbow table
Correct Answer: C Answering this question requires recognizing that each option is a password attack and knowing how each one works. Two options can be eliminated quickly. This is not a brute force attack: a brute force attack tries every possible password (or a large dictionary) against an account, whereas here a short list of common passwords is tried against thousands of accounts. It is not a rainbow table attack either: that attack requires a file of password hashes, which the attacker does not have here. That leaves password spraying and credential stuffing, which are easy to confuse. Credential stuffing takes username and password pairs that were compromised on other sites and replays them against the target site, betting that people reuse passwords. Password spraying tries a few commonly chosen passwords against many accounts, which sidesteps lockout thresholds that count failures per account. The scenario describes password spraying, so C is the correct answer. In the logs, spraying shows up as many different accounts each with one or two failures from the same source in a short window, while brute force shows up as many failures against a single account.
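The log pattern described above, as an added example that is not part of the original quiz: a small detector that parses authentication events and labels each source as password spraying (many accounts, few failures each) or brute force (one account, many failures). The log line format, the thresholds, and the sample events are all constructed for this example; the source addresses come from the documentation ranges and do not refer to real hosts.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log format (constructed for this example): one authentication event per line.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})Z "
    r"src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


def build_sample_log() -> str:
    """Constructed sample data, not a real log: one spray, one brute force,
    and one ordinary user who mistypes a password once."""
    t0 = datetime(2024, 3, 1, 10, 0, 0)

    def stamp(delta):
        return (t0 + delta).isoformat() + "Z"

    lines = []
    # Password spray from 203.0.113.5: one guess against each of 40 accounts,
    # then the same guess works on the 41st (the log never records the password).
    for i in range(40):
        lines.append(f"{stamp(timedelta(seconds=i))} src=203.0.113.5 user=user{i:02d} result=FAIL")
    lines.append(f"{stamp(timedelta(seconds=40))} src=203.0.113.5 user=user40 result=OK")
    # Brute force from 198.51.100.7: many guesses against a single account.
    for i in range(30):
        lines.append(f"{stamp(timedelta(seconds=i))} src=198.51.100.7 user=root result=FAIL")
    # Normal use from 192.0.2.10: one typo, then success.
    lines.append(f"{stamp(timedelta(minutes=1))} src=192.0.2.10 user=alice result=FAIL")
    lines.append(f"{stamp(timedelta(minutes=1, seconds=5))} src=192.0.2.10 user=alice result=OK")
    return "\n".join(lines)


def parse_log(text: str) -> list:
    """Parse lines into dicts; malformed lines are skipped, not fatal."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.fromisoformat(rec["ts"])
        records.append(rec)
    return records


def classify_sources(records, window=timedelta(minutes=15), min_failures=20, spray_ratio=0.8) -> dict:
    """Label each source IP that produced `min_failures` or more failed logins
    inside `window`. Thresholds are assumptions to tune for your environment."""
    by_src = defaultdict(list)
    for rec in records:
        by_src[rec["src"]].append(rec)
    verdicts = {}
    for src, recs in by_src.items():
        failures = sorted((r for r in recs if r["result"] == "FAIL"), key=lambda r: r["ts"])
        if len(failures) < min_failures:
            continue
        if failures[-1]["ts"] - failures[0]["ts"] > window:
            continue
        distinct_users = len({r["user"] for r in failures})
        if distinct_users / len(failures) >= spray_ratio:
            verdicts[src] = "password_spraying"   # few failures per account, many accounts
        elif distinct_users <= 2:
            verdicts[src] = "brute_force"         # many failures, one account
        else:
            verdicts[src] = "suspicious"
    return verdicts


def accounts_logged_in_from(records, flagged_sources) -> list:
    """Accounts that authenticated successfully from a flagged source:
    treat these as compromised and reset them first."""
    return sorted({r["user"] for r in records if r["src"] in flagged_sources and r["result"] == "OK"})


if __name__ == "__main__":
    recs = parse_log(build_sample_log())
    verdicts = classify_sources(recs)
    print(verdicts)
    print("compromised:", accounts_logged_in_from(recs, verdicts))
```

Real sprays are usually slower (one guess per account per lockout window) and spread across many source addresses, so a production detector should also aggregate by password-guess round across the whole estate, not only per source, and should alert on any success that follows a flagged burst.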
You experienced a power outage that disrupted access to your data center. What type of security concern occurred? A. Availability B. Confidentiality C. Non-Repudiation D. Integrity
Correct Answer: A Availability concerns occur when legitimate users are unable to gain access to systems or information. The major types of availability disruptions are denial of service, power outages, hardware failures, destruction, and service outages. Confidentiality concerns occur when unauthorized individuals may be able to gain access to sensitive information, which makes it an incorrect answer here. Integrity concerns occur when there is the potential for unauthorized modification of information; the major types of integrity attacks include man-in-the-middle attacks, replay attacks, impersonation, and unauthorized information alteration, so this is another incorrect answer. Nonrepudiation is a security goal that prevents someone from claiming that they did not send a message or engage in an activity, and it is commonly implemented using digital signatures. So that is another incorrect answer.
Which one of the following statements about the Blowfish algorithm is incorrect? A. The algorithm is covered by a patent. B. The algorithm uses a 64-bit block size. C. The algorithm allows the use of any length key between 32 and 448 bits. D. The developer of the algorithm does not recommend it for use today.
Correct Answer: A Bruce Schneier designed the Blowfish algorithm as an unpatented, license-free alternative to the patented encryption algorithms of its day. The algorithm does use a 64-bit block size and variable-length keys between 32 and 448 bits. Schneier does not recommend that people use Blowfish today, recommending Twofish instead; the 64-bit block size is the practical reason, since block ciphers with small blocks become unsafe once large volumes of data are encrypted under one key.
Fred would like to implement a new security platform that can coordinate access policies across the many cloud providers used by his organization. What technology would best meet his needs? A. CASB B. SIEM C. NGEP D. NGFW
Correct Answer: A Cloud access security brokers (CASB) are designed to coordinate security policy enforcement across the cloud providers used by an organization. This is the correct answer. Security information and event management (SIEM) solutions are designed to monitor and correlate activity across security devices. So, this is not the correct answer. Next-generation endpoint protection (NGEP) and next generation firewall (NGFW) technologies are an important part of evolving cybersecurity programs but they do not directly interact with cloud providers. So these are not the correct answers.
Rob's organization uses a variety of different cloud vendors. He is looking for a security solution that would allow him to enforce security policies consistently across those different vendors. Which one of the following technologies would best meet his needs? A. CASB B. SIEM C. VDI D. SOAR
Correct Answer: A Cloud access security brokers (CASB) are designed to enforce security policies across cloud services. Security information and event management (SIEM) and security orchestration, automation, and response (SOAR) platforms are designed to aggregate, analyze, and react to security events. Virtual desktop infrastructure (VDI) offers desktop computing to end users in a virtualized manner.
Roger's company did not have a strong disaster recovery plan and suffered a catastrophic data center outage. With no plan in place, what option likely allows them the quickest recovery at their primary site? A. Mobile site B. Hot site C. Warm site D. Cold site
Correct Answer: A Cold sites have only basic infrastructure available and require the longest period of time to activate operations. They are also the cheapest option. Warm sites add hardware, and possibly software, to the mix but do not have a current copy of the data running. They require hours to days to activate. Hot sites are up and running at all times and can assume operations at a moment's notice. They are the most expensive option. Mobile sites are transportable on trailers and are a good choice for a last-minute recovery plan. They would work well in this scenario because Roger could bring a mobile site to their primary facility and use it to recover operations during the restoration effort at the primary site.
What type of scan can best help identify cases of system sprawl in an organization? A. Discovery scan B. Web application scan C. Detailed scan D. Database scan
Correct Answer: A Discovery scans are designed to identify systems on the network and can be used to detect undocumented assets that are the result of system sprawl.
Kevin would like to restrict users from accessing a list of prohibited websites while connected to his network. Which one of the following controls would best achieve his objective? A. URL Filter B. IP Address Block C. DLP Solution D. IPS Solution
Correct Answer: A IP-based restrictions are unreliable because sites may change IP addresses, use multiple IP addresses, or sit behind shared CDN addresses, making it difficult to maintain a current block list without also blocking unrelated sites. Data loss prevention (DLP) systems are aimed at stopping sensitive data from leaving, not at restricting which sites users may visit. The best way to restrict website traffic is through the use of URL and content filtering. It is possible to use an intrusion prevention system (IPS) to filter web traffic, but this is not as simple and reliable as a dedicated URL/content filtering solution.
What protocol is normally used for communication between an authenticator and authentication server on a network using 802.1x authentication? A. RADIUS B. TACACS C. TACACS+ D. XTACACS
Correct Answer: A In 802.1X authentication, the end user's system contains a component called the supplicant that initiates the authentication process. The supplicant connects to the authenticator, normally a network switch or wireless access point, which then reaches out to an authentication server to confirm the user's identity. The communication between the authenticator and authentication server normally uses RADIUS, which carries the EAP messages exchanged with the supplicant. TACACS+ (and the older TACACS and XTACACS) are used mainly for administrative access to network devices rather than for 802.1X port authentication.
Which one of the following types of access is necessary to engage in a pass-the-hash attack? A. Access to a domain workstation B. Access to a domain controller C. Access to a network segment D. Access to a public website
Correct Answer: A In a pass-the-hash attack, the attacker must obtain hashed Windows account credentials. This is possible by gaining access to a Windows workstation where the target user logs into his or her domain account. Access to a domain controller is not necessary. Access to a network segment or public website is not sufficient because hashed passwords are not generally found in those locations in usable form. In practice, reading another user's hash from the workstation's LSASS process or the local SAM requires local administrator (or SYSTEM) rights on that workstation, so the attacker must first compromise the workstation, not merely reach it over the network.
Ron is concerned about the potential of attackers exploiting issues in the operating system supporting a virtualization hypervisor to gain access to information stored by guest operating systems. What type of hypervisor can he use to minimize this risk? A. Type 1 hypervisor B. Type 2 hypervisor C. Type 3 hypervisor D. Type 4 hypervisor
Correct Answer: A In a type 1 hypervisor, the hypervisor runs directly on the system hardware, eliminating the need for an underlying operating system and reducing the environment's attack surface. Type 2 hypervisors require the use of a host operating system. Type 3 and 4 hypervisors do not exist.
Jake would like to find a security solution that protects users from malicious content hosted on websites that they visit and allows him to perform content filtering according to his company's policy. Which one of the following solutions would best meet his needs? A. SWG B. NGFW C. CASB D. IPS
Correct Answer: A It is possible that an intrusion prevention system (IPS) or next generation firewall (NGFW) could provide this functionality. However, a secure web gateway (SWG) is purpose-built for filtering user web traffic and, therefore, would be the best solution in this scenario. Cloud access security brokers (CASB) do not perform web content filtering.
Darcy is concerned about an attacker launching a MAC flooding attack on her network. Which one of the following controls would best protect against MAC flooding attacks? A. Port Security B. Port Tapping C. Protocol Validation D. Input Validation
Correct Answer: A MAC flooding occurs when a single device sends frames with many different forged source MAC addresses to a switch, filling its MAC address (CAM) table. Once the table is full the switch cannot learn new addresses, and it falls back to flooding frames for unknown destinations out of every port, so the attacker's port receives traffic meant for other hosts, potentially causing a breach of sensitive information. Input validation is a control used to protect applications from user input, so that's not relevant here. Port tapping is used to gain access to network traffic being sent through a switch, so we don't need that either. And protocol validation is used to verify the contents of network traffic, so it's also not the correct answer. MAC flooding can be prevented through the use of port security mechanisms, which limit the number of MAC addresses allowed from a single network port and shut down or restrict the port when that limit is exceeded.
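To make the mechanism concrete, here is an added simulation (not part of the original quiz) of a learning switch with a bounded, aging MAC table. Without port security, a flood of forged source addresses pushes the victim's entry out of the table and the next frame for the victim is flooded to the attacker's port; with a per-port MAC limit, the second forged address err-disables the attacker's port. The table size, aging rule, port names, and MAC addresses are assumptions chosen for the example.

```python
VICTIM = "aa:aa:aa:aa:aa:01"
SERVER = "aa:aa:aa:aa:aa:02"
BROADCAST = "ff:ff:ff:ff:ff:ff"


class Switch:
    """Minimal learning switch. The MAC address (CAM) table holds at most
    `cam_size` entries and ages them out after `age_limit` frames. When the
    switch does not know a destination it floods the frame out of every
    other port, which is exactly what a MAC flooding attacker relies on."""

    def __init__(self, ports, cam_size=64, age_limit=200, port_security_max=None):
        self.ports = list(ports)
        self.cam_size = cam_size
        self.age_limit = age_limit
        self.max_per_port = port_security_max    # None: port security off
        self.cam = {}                             # mac -> (port, last_seen)
        self.allowed = {p: set() for p in ports}  # MACs learned per port (port security)
        self.err_disabled = set()                 # ports shut down after a violation
        self.clock = 0                            # one tick per accepted frame
        self.flooded = 0

    def _expire(self):
        stale = [m for m, (_, seen) in self.cam.items() if self.clock - seen > self.age_limit]
        for m in stale:
            del self.cam[m]

    def _learn(self, mac, port):
        if self.max_per_port is not None and mac not in self.allowed[port]:
            if len(self.allowed[port]) >= self.max_per_port:
                self.err_disabled.add(port)       # violation mode "shutdown"
                return False
            self.allowed[port].add(mac)
        if mac in self.cam or len(self.cam) < self.cam_size:
            self.cam[mac] = (port, self.clock)    # a full table simply cannot learn
        return True

    def forward(self, src, dst, in_port):
        """Process one frame; returns the egress ports it is sent out of."""
        if in_port in self.err_disabled:
            return []
        self.clock += 1
        self._expire()
        if not self._learn(src, in_port):
            return []
        entry = self.cam.get(dst)
        if entry is None or entry[0] == in_port:
            self.flooded += 1
            return [p for p in self.ports if p != in_port]
        return [entry[0]]


def run_attack(port_security_max=None) -> dict:
    """Victim on Gi1/1, server on Gi1/2, attacker on Gi1/3 sending 1000 frames
    with forged source addresses. Reports whether the attacker's port ends up
    receiving a unicast frame that the server sends to the victim."""
    sw = Switch(["Gi1/1", "Gi1/2", "Gi1/3"], port_security_max=port_security_max)
    sw.forward(VICTIM, BROADCAST, "Gi1/1")       # victim announces itself
    sw.forward(SERVER, VICTIM, "Gi1/2")          # server replies (unicast)
    for i in range(1000):
        forged = f"02:00:00:00:{i >> 8:02x}:{i & 0xff:02x}"
        sw.forward(forged, SERVER, "Gi1/3")
    egress = sw.forward(SERVER, VICTIM, "Gi1/2")  # legitimate traffic afterwards
    return {
        "attacker_port_receives_it": "Gi1/3" in egress,
        "attacker_port_shut_down": "Gi1/3" in sw.err_disabled,
        "frames_flooded": sw.flooded,
    }


if __name__ == "__main__":
    print("no port security:", run_attack())
    print("port security, max 1 MAC:", run_attack(port_security_max=1))
```

Real switches offer protect, restrict, and shutdown violation modes; the simulation implements shutdown only. The model also shows why a flood must be sustained: the attacker's advantage lasts only while legitimate entries stay aged out of the table.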
Tom is a forensic analyst conducting a security investigation at his company after the firm experienced a data breach. He is planning to speak with some employees to gather evidence and suspects they may have been complicit in the breach. Which one of the following statements is incorrect about these conversations? A. Tom may not speak with employees without first advising them of their rights because he suspects they were involved in a security incident B. Interviews should be friendly and non-aggressive C. Tom may ask employees difficult questions during the interview D. Tom should consult Human Resources before speaking with employee who may have been involved in the incident
Correct Answer: A One of the keys to answering this question is understanding the difference between interviews and interrogations. In an interview, Tom may ask difficult questions, but should do so in a non-confrontational manner. If Tom gets more aggressive, he crosses the line from interview to interrogation. Tom should always consult with Human Resources before involving employees in an investigation, but he does not need to advise employees of their rights because he is not a law enforcement officer. So, that is the correct answer to this question.
What is the primary feature that distinguishes a smart card from other types of access card? A. Presence of an integrated circuit B. Presence of a magnetic stripe C. Requirement to enter a PIN or password D. Compatibility with biometric authentication
Correct Answer: A Smart cards contain an integrated circuit that interactively authenticates with the reader. They do not necessarily contain a magnetic stripe. There is no requirement that a smart card be combined with a PIN/passcode or biometric authentication, although this is often done to achieve multifactor authentication.
Rob is tracking down the unauthorized exfiltration of sensitive information from his organization and found suspicious emails sent by an employee to a Gmail address. The emails seem to only contain photos, but Rob suspects that the photos contain sensitive information. What technique might the employee have used to embed sensitive information within a photograph? A. Steganography B. Cartography C. Psychology D. Cryptography
Correct Answer: A Steganography is a set of techniques used to hide information within other files, in plain sight. The most common application of steganography is hiding information within images.
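As an added example that is not part of the original quiz, the following Python implements the simplest image steganography technique, least-significant-bit (LSB) embedding: each byte of the hidden message is spread across the low bits of eight carrier bytes, so no carrier value changes by more than 1. The carrier here is a constructed buffer of pseudo-random bytes standing in for raw pixel samples, and the payload text is made up; a real tool would read and write an actual image format around the same embedding step.

```python
import random
import struct

# Constructed carrier: 4096 pseudo-random bytes standing in for the raw
# channel samples of a bitmap. Fixed seed so the example is reproducible.
SAMPLE_CARRIER = bytes(random.Random(1).randrange(256) for _ in range(4096))
SAMPLE_PAYLOAD = b"Q3 forecast: internal only"   # made-up secret
HEADER_BITS = 32                                  # 4-byte big-endian length prefix


def embed_lsb(carrier: bytes, payload: bytes) -> bytes:
    """Hide `payload` in the least significant bit of successive carrier bytes.
    A length prefix tells the extractor where the message ends."""
    data = struct.pack(">I", len(payload)) + payload
    needed = len(data) * 8
    if needed > len(carrier):
        raise ValueError(f"carrier too small: need {needed} bytes, have {len(carrier)}")
    out = bytearray(carrier)
    pos = 0
    for byte in data:
        for shift in range(7, -1, -1):            # most significant bit first
            out[pos] = (out[pos] & 0xFE) | ((byte >> shift) & 1)
            pos += 1
    return bytes(out)


def _read_bytes(stego: bytes, start: int, count: int) -> bytes:
    """Reassemble `count` bytes from the LSBs beginning at carrier byte `start`."""
    result = bytearray()
    for b in range(count):
        value = 0
        for k in range(8):
            value = (value << 1) | (stego[start + b * 8 + k] & 1)
        result.append(value)
    return bytes(result)


def extract_lsb(stego: bytes) -> bytes:
    """Recover the payload, refusing to read past the end when the header is
    nonsense (which is what happens on a file that carries no hidden data)."""
    if len(stego) < HEADER_BITS:
        raise ValueError("too short to hold a header")
    (length,) = struct.unpack(">I", _read_bytes(stego, 0, 4))
    if HEADER_BITS + length * 8 > len(stego):
        raise ValueError(f"header claims {length} bytes; carrier cannot hold them")
    return _read_bytes(stego, HEADER_BITS, length)


def max_sample_delta(a: bytes, b: bytes) -> int:
    """Largest per-byte change between two carriers of equal length."""
    return max(abs(x - y) for x, y in zip(a, b))


if __name__ == "__main__":
    stego = embed_lsb(SAMPLE_CARRIER, SAMPLE_PAYLOAD)
    print(extract_lsb(stego), max_sample_delta(SAMPLE_CARRIER, stego))
```

The per-sample change of at most 1 is why an image carrying a payload like this looks identical to the original and passes a visual review; detecting it requires statistical tests on the LSB plane or comparison against a known-clean copy, which is what makes image-based exfiltration hard for DLP tools to catch.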
Under GDPR, which individual bears responsibility for ensuring that the company understands its privacy responsibilities and serves as the primary liaison to the supervising authority? A. Chief executive officer B. Data protection officer C. Chief information officer D. Chief information security officer
Correct Answer: B The data protection officer (DPO) is a formal designation under GDPR and the individual designated as DPO bears significant responsibilities for GDPR compliance.
Which one of the following statements about IPsec protocols is correct? A. AH supports authentication and integrity. ESP supports confidentiality, authentication, and integrity. B. AH supports authentication, integrity and confidentiality. ESP supports confidentiality and integrity. C. AH supports authentication and confidentiality. ESP supports integrity and authentication. D. AH supports authentication, integrity and confidentiality. ESP supports confidentiality and authentication.
Correct Answer: A The Authentication Header (AH) protocol provides only authentication and integrity for IPsec traffic; it encrypts nothing. The Encapsulating Security Payload (ESP) protocol provides confidentiality, integrity, and authentication. Two practical caveats: ESP can be configured with null encryption, in which case it provides only integrity and authentication, and AH's integrity check covers fields of the outer IP header, which is why AH does not work across NAT while ESP (with NAT traversal) does.
Which one of the following frameworks provides a mapping of cloud-specific security controls to security standards, best practices, and regulations? A. CCM B. CSF C. ISO 27001 D. ISO 31000
Correct Answer: A The Cloud Security Alliance's (CSA) Cloud Controls Matrix (CCM) provides a mapping of cloud-specific security controls to security standards, best practices, and regulations. So, this is the correct answer. The NIST Cybersecurity Framework (CSF) and ISO 27001 are broad security frameworks that are not cloud-specific. So, these aren't the correct answer. ISO 31000 is a risk management framework. So, this is also incorrect.
What federal law requires the use of vulnerability scanning on information systems operated by federal government agencies? A. FISMA B. HIPAA C. GLBA D. FERPA
Correct Answer: A The Health Insurance Portability and Accountability Act (HIPAA) applies only to organizations handling protected health information, so it would not apply to all government agencies. The Gramm-Leach-Bliley Act (GLBA) applies to financial institutions, so it also wouldn't apply to government agencies. Similarly, the Family Educational Rights and Privacy Act (FERPA) applies to educational institutions, not government agencies. The Federal Information Security Management Act (FISMA) of 2002, updated by the Federal Information Security Modernization Act of 2014, requires that federal agencies implement vulnerability management programs for federal information systems, so that's our correct answer.
What does the PGP algorithm use to facilitate the trusted exchange of public keys between users? A. Web of trust B. Certificate authorities C. Central key management server D. Bittorrent
Correct Answer: A The PGP package uses a concept known as the web of trust to provide assurances that keys are accurate. This decentralized model requires having keys vouched for by trusted individuals within the network and eschews a centralized approach.
Which metric from a CVSS 3 rating describes the conditions beyond the attacker's control that must exist in order to exploit the vulnerability? A. AC B. PR C. UI D. AV
Correct Answer: A The Privileges Required (PR) metric describes the level of privileges an attacker must possess before successfully exploiting the vulnerability. So, this is not the answer we are looking for. The Attack Complexity (AC) metric describes the conditions beyond the attacker's control that must exist in order to exploit the vulnerability. So, this is the correct answer. The User Interaction (UI) metric captures the requirement for a human user, other than the attacker, to participate in the successful compromise of the vulnerable component. That is not what we are looking for here. The Attack Vector (AV) metric describes the context by which vulnerability exploitation is possible. So, that is not the correct answer here either.
Carolyn is working with her team to develop her organization's disaster recovery plan. What stage of the planning process provides the information necessary to prioritize recovery efforts by service? A. Business Impact Assessment B. Design C. Implementation D. Preparation
Correct Answer: A The business impact assessment (BIA) stage of the disaster recovery planning process assesses services used by the organization and prioritizes their recovery based upon their potential impact on the business. The rest of the options are incorrect.
Roland recently wrote code that implements a new feature demanded by end users of an application he manages. He would like users to examine the feature and determine whether it meets their needs. What environment is most appropriate for this activity? A. Test B. Development C. Staging D. Production
Correct Answer: A The process described, where users evaluate features to determine whether they meet business requirements, is known as user acceptance testing (UAT) and it should take place in the test environment. So, that is the correct answer. Roland would have created the new feature in a development environment. After the code passes testing, it will move on to staging and then finally into production.
Ed is working with functional units in his organization to document the maximum amount of time that they could be without a critical IT service during a disaster. What metric should he use to document this requirement? A. RTO B. RPO C. MTTR D. MTBF
Correct Answer: A The recovery time objective (RTO) is the amount of time that the business can tolerate an outage during a disaster, making it our correct answer. The recovery point objective (RPO) is the amount of tolerable data loss, which is not what we are looking for here. The mean time to repair (MTTR) is the amount of time required to repair a damaged system, while the mean time between failures (MTBF) describes the frequency of failures, neither of which are correct answers.
Harold is examining the web server logs after detecting unusual activity on the system. He finds the log excerpt shown below. What type of attack did someone attempt against this system based upon the data shown in these logs? A. SQL injection B. Cross-site scripting C. Domain hijacking D. Directory traversal
Correct Answer: A The third log entry shows clear signs of a SQL injection attack. Notice that the parameters passed to the web page include an appended SQL command: UNION SELECT 1,2,3,4,5. This is designed to retrieve the first five columns from the database table and will likely succeed if the web application is not performing proper input validation.
What standard is used to define the format of a digital certificate? A. 802.1x B. X.509 C. RFC 1918 D. RFC 783
Correct Answer: B The digital certificate format is set out in the X.509 standard. RFC 1918 contains the standard for private IP addressing, while RFC 783 defines the TCP standard. IEEE 802.1x is a standard for wireless authentication.
Naomi is installing a new endpoint detection and response (EDR) solution for her organization. What category of control is she installing? A. Technical B. Operational C. Managerial D. Detective
Correct Answer: A There are three categories of security control: technical, operational, and managerial. Technical controls enforce confidentiality, integrity, and availability in the digital space. Naomi is installing an EDR system that uses technology to detect and respond to security incidents. Therefore, the EDR system is best described as a technical control. Operational controls include the processes that we put in place to manage technology in a secure manner. So this is not the correct answer. Managerial controls are procedural mechanisms that focus on the mechanics of the risk management process. So this is not the correct answer either. Security controls also come in types, such as preventive, detective, corrective, deterrent, physical, and compensating controls. We are looking for control categories, not control types. So detective is another incorrect answer.
Which one of the following fields would NOT be found in a NetFlow record? A. Payload B. Source Address C. Destination Address D. Timestamp
Correct Answer: A Think of NetFlow as similar to a telephone bill. You get a record of communications, but not the actual communications themselves. So, source address, destination address, and timestamp are included in those records and are not the correct answer to this question, where we're looking for something that is NOT included in NetFlow logs. NetFlow records only contain summary information about network connections. They do not contain the actual content, or payload, from the connection. So, payload is the correct answer here.
A contractor for the German company Siemens recently pled guilty to an attack where he altered software he sold to Siemens so that it would periodically break, requiring the company to hire him to fix it. What term best describes this type of attack? A. Logic Bomb B. RAT C. Worm D. Trojan Horse
Correct Answer: A This is an example of a logic bomb, a piece of malicious software that is configured to trigger its payload when some future conditions are met. In this case, the attacker programmed the software to wait until a certain time and then disable itself. A remote access trojan, or RAT, is malware that allows the attacker to access the infected system. There's no discussion of that happening in this situation. In fact, there's no indication that any malware was used in the attack, which tells us that the attack wasn't a regular Trojan horse or a worm either.
Shortly after Trish's organization fired a software developer, code on a server activated that determined the developer was no longer employed and deleted the source code from her projects. What type of attack did Trish's organization experience? A. Logic bomb B. Worm C. RAT D. Trojan horse
Correct Answer: A This is an example of a logic bomb, code that remains dormant until certain logical conditions are met and then releases its payload. In this case, the logic bomb was configured to release if the developer was no longer employed by the organization.
Alex is reviewing alerts generated by his organization's SIEM and determines that the SIEM is generating too many false positive alerts. What parameter can he alter to reduce the number of false positives? A. Reduce the SIEM sensitivity B. Increase the SIEM sensitivity C. Reduce the SIEM capacity D. Increase the SIEM capacity
Correct Answer: A To alter the false positive rate, Alex should adjust the SIEM sensitivity. Increasing the sensitivity of the SIEM reduces the threshold for an alert and would increase the number of false positives. Decreasing the sensitivity of the SIEM would increase the threshold for an alert and decrease the number of false positives. Adjusting the SIEM capacity would adjust the amount of information that it can process and store, rather than changing the false positive rate.
Tom would like to deploy NAC technology that is capable of constantly monitoring the configuration of endpoint machines and quarantining machines that fail to meet a security baseline. Which technology would be most appropriate for Tom to deploy? A. Agent-based NAC B. Agentless NAC C. Captive portal D. Dissolvable NAC
Correct Answer: A Tom should deploy an agent-based NAC solution or, more specifically, a permanent agent. This technology leaves software running on the endpoint that may remain in constant contact with the NAC solution. Agentless NAC, captive portal solutions, and dissolvable agents do not maintain a constant presence on the system and would not meet Tom's requirements.
Peter is analyzing network flow logs and finds that a server in his organization is sending a large amount of traffic to a single destination. Upon further investigation, he sees that the server is receiving very small repeated requests from the same source on UDP port 53 and sends very large responses. What type of attack should Peter suspect? A. DNS Amplification B. DNS Spoofing C. ARP Spoofing D. ARP Amplification
Correct Answer: A UDP port 53 is used by the Domain Name Service (DNS), so we can immediately eliminate the two answers that are about ARP-based attacks. The attack described in this scenario is indicative of an amplification attack, where the DNS requests are spoofed with a false source address belonging to the attack victim. This causes the DNS server to flood the victim with traffic. While this attack does use IP spoofing to insert a false source address, it is not a DNS spoofing attack because no DNS information is tampered with during the attack.
Randy wishes to segment his organization's network to enforce isolation between different classes of users. Users are scattered around the building and Randy must support each of these network segments anywhere within the facility. Which one of the following technologies will best meet Randy's needs? A. VLANs B. Physical segmentation C. VPNs D. WAFs
Correct Answer: A Virtual LANs (VLANs) provide the segmentation Randy desires at the logical level, allowing them to appear anywhere in the building. Physical segmentation is likely too costly and inflexible for these requirements. Virtual private networks (VPNs) are unwieldy and unnecessary in a fixed office environment. Web application firewalls (WAFs) do not provide the required segmentation functionality.
Julian is auditing the protocols in use on a Linux server and finds that it supports SSH, FTPS, LDAP, and RDP. Which one of these protocols does not use encryption when used in its default configuration? A. LDAP B. RDP C. FTPS D. SSH
Correct Answer: A What we need to do here is eliminate the answer choices that we know are encrypted protocols. SSH, the secure shell, allows administrative connections to servers over an encrypted channel, so that's not correct. FTPS is a secure version of the file transfer protocol and it is also encrypted. The remote desktop protocol, used by Windows systems, is also a secure protocol, so we can eliminate that answer choice. We're left with the lightweight directory access protocol, LDAP. LDAP is unencrypted by default, while the LDAPS protocol provides a secure, encrypted alternative. So the correct answer here is the unencrypted LDAP protocol.
Tammy is running a set of three load balanced web servers for her domain. The first server is the primary server and handles requests until it reaches capacity, then new requests are assigned to the second server. The third server remains idle unless the other two servers are fully utilized. What IP address should Tammy use for the DNS entry for the domain? A. Virtual IP B. First server's IP C. Second server's IP D. Third server's IP
Correct Answer: A When registering DNS entries for a load balanced service, administrators should assign the entry to a virtual IP address that maps to the public interface of the load balancer.
Which one of the following regulations provides strict, detailed procedures for the use of compensating controls? A. PCI DSS B. HIPAA C. GLBA D. FERPA
Correct Answer: A While compensating controls may be used for any control requirement, PCI DSS includes very detailed procedures for documenting and approving acceptable compensating controls in credit card processing environments. The remaining answers are incorrect.
Jake is helping his organization move out of an office complex they are leaving and has a large quantity of sensitive paper records to dispose of. Which one of the following destruction methods would not be appropriate to sufficiently destroy the information? A. Degaussing B. Burning C. Pulping D. Shredding
Correct Answer: A Burning, shredding, and pulping are all acceptable ways to destroy paper records. Degaussing is a magnetic destruction technique that is only appropriate for digital records.
Ryan is considering the deployment of an impossible travel time policy in his organization's SIEM. What technology must be in place to allow him to implement this policy? A. Geotagging B. Lockout C. Disablement D. Time of Day Restrictions
Correct Answer: A Impossible travel time policies seek to prevent logins from two different geographic locations when it would not have been physically possible for the user to travel between those locations in the time interval between the logins. This is only possible if logins are geotagged with their geographic location.
Beth is using the Cyber Kill Chain approach to analyzing the actions of an intruder on her network. She finds evidence that the most recent activity of the attacker was to successfully use a buffer overflow attack to gain control of a system. What stage is the attacker in? A. Attacker in exploitation B. Weaponization C. Command and Control D. Installation
Correct Answer: A The stages of the Cyber Kill Chain are reconnaissance, weaponization, delivery, exploitation, installation, command-and-control, and actions on objectives. The exploitation stage is where the attacker exploits a vulnerability to execute code on the victim's system. That is the stage where a buffer overflow attack gains control of a system.
Tonya is developing a web application and is embedding a session ID in the application that is exchanged with each network communication. What type of attack is Tonya most likely trying to prevent? A. Replay B. Man-in-the-middle C. Buffer overflow D. SQL injection
Correct Answer: A Session tokens, or session IDs, are used to prevent an eavesdropper from stealing authentication credentials and reusing them in a different session, in what is known as a replay attack. The use of session IDs would not prevent an attacker from carrying out an application layer attack, such as a buffer overflow or injection. It also would not be effective against a man-in-the-middle attack, as the attacker could simply establish a secure session with the server and would, therefore, have access to the session ID.
Tonya is analyzing host firewall logs in an effort to diagnose a service that is not responding to user requests. She finds entries in the host firewall logs indicating that the traffic was allowed. What is the most likely cause of the service not responding? A. Application failure B. Host firewall misconfiguration C. Network IPS misconfiguration D. Network firewall misconfiguration
Correct Answer: A The fact that the packets are reaching the host rules out a network firewall or IPS issue. The fact that the logs indicate that the traffic was allowed rules out a host firewall issue. Therefore, the most likely remaining cause is an issue with the application.
Which one of the following security controls is most effective against zero-day attacks? A. Application control B. Signature-based antivirus C. Vulnerability scans D. Intrusion prevention systems
Correct Answer: A Zero-day attacks are attacks that are not previously known to the security community. Therefore, signature-based controls, such as vulnerability scans, antivirus software, and intrusion prevention systems, are not effective against these attacks. Application control software may use whitelisting to limit software running on a system to a list of known good applications. This technique may prevent zero-day malware from running on the protected system.
Carla is concerned about the exfiltration of sensitive information from her corporate network by employees. Which one of the following controls would be least effective at meeting this requirement? A. Encrypting data in transit B. Blocking the use of personal email accounts C. Implementing data loss prevention systems D. Building least privilege access controls
Correct Answer: A Carla should implement least privilege access controls to limit the amount of information available to any individual user. She can also use a data loss prevention (DLP) system to detect the exfiltration of sensitive information. Blocking the use of personal email accounts limits a common method for exfiltrating sensitive information. Adding encryption in transit is not likely to reduce the risk of internal theft, as employees may still access stored sensitive information.
Morgan is a web developer responsible for implementing an authentication system. She knows that she should store hashed versions of passwords rather than the passwords themselves but chooses to use unsalted passwords. What type of attack does this make the application more susceptible to? A. Rainbow table B. Online brute force attack C. Offline brute force attack D. Collision
Correct Answer: A In a rainbow table attack, the attacker computes the hash values of common passwords and then searches the password file for those values. Adding a random salt to the password eliminates the performance benefit of this attack. Brute force attacks (online or offline) would not be more or less effective either way. The use of salting does not decrease the likelihood of a collision.
What technology does the PEAP protocol combine with EAP to provide secure communication of authentication credentials? A. SSL B. LEAP C. TLS D. IDEA
Correct Answer: C The Protected Extensible Authentication Protocol (PEAP) runs the standard EAP protocol within a TLS session to provide secure communications.
Carla noticed unusual spikes in network activity and, upon further investigation, determined that there are an unusually high number of outbound DNS query responses. She also noticed that the query responses are significantly larger than the queries themselves. What type of attack should Carla suspect? A. Amplification B. Cross-site scripting C. DNS poisoning D. Pass the hash
Correct Answer: A The fact that the traffic is exceeding normal baselines and that the responses are much larger than the queries indicates that a DNS amplification attack may be underway. In this type of attack, the attacker sends spoofed DNS queries asking for large amounts of information. The source address on those queries is the IP address of the target system, which then becomes overwhelmed by the response packets.
Ralph comes across a legacy infrastructure that uses telnet to create an administrative connection between a client and server. Even though this connection takes place over a private network link, Ralph would like to replace telnet with a secure protocol to prevent eavesdropping. What protocol would be the easiest drop-in replacement for telnet? A. SSH B. FTPS C. TLS D. SSL
Correct Answer: A The secure shell (SSH) functions in a manner that is functionally equivalent to telnet but adds encryption and other security features. SSL and TLS may be used to encrypt communications but they do not provide the connection features of SSH on their own. The file transfer protocol - secure (FTPS) is used for transferring files and does not allow interactive administrative sessions similar to the ones provided by telnet.
Vince is investigating the compromise of a user's account credentials. The user reports that, in addition to her corporate account, the passwords to many of her online banking and bill payment accounts were also compromised. Vince examines her computer and determines that there is an unusual piece of hardware connected between the keyboard and the computer. What type of attack has most likely taken place? A. Spyware B. Keylogger C. Bot D. Adware
Correct Answer: B While any type of malware could be responsible for the symptoms described by the user, the compelling piece of evidence in this scenario is that Vince discovered an unusual hardware device attached to the keyboard. This is most likely a keylogger.
Which one of the following tools would be most helpful in detecting missing operating system patches? A. Network vulnerability scanner B. Configuration management tool C. Port scanner D. Documentation review
Correct Answer: B All of these tools may be useful in detecting missing patches. However, the most useful tool is a configuration management system. These tools have the ability to directly query the operating system to obtain real-time information on their patch level.
Roger recently deployed an IDS on his organization's network and tuned it to reduce the false positive rate. Which one of the following categories best describes this control? A. Preventive B. Detective C. Corrective D. Compensating
Correct Answer: B An intrusion detection system (IDS) has the ability to identify suspicious network traffic but cannot take any preventive action to block the traffic. Therefore, it is best classified as a detective control.
Gail is a software developer who recently completed the coding of a new module that will be incorporated into one of her organization's products. Now that her work is complete, she is ready to request that the code be moved to the next environment. Where should the code go next? A. Staging environment B. Test environment C. Production environment D. Development environment
Correct Answer: B Development environments are designed for active use by developers who are creating new code. These environments are the only location where code should be modified. Once code is ready for testing, it is released from the development environment into a test environment for software testing. After the completion of user acceptance testing, the code is moved from the test environment into a staging environment where it is prepared for final deployment into the production environment. Developers should never have permission to move code themselves but should only be able to move code between environments through the use of a managed change control system.
Bob is performing regular backups of a system and is asked by his boss to create an emergency backup. Which one of the following backup types will consume the most disk space? A. Differential backup B. Full backup C. Incremental backup D. Transaction log backup
Correct Answer: B Full backups always include all data stored on the backed up media and, therefore, are always at least as large as any other backup type. This system is being regularly backed up, so other backup types will be smaller than a full backup.
Beth used the sign-in with Facebook feature to access a website hosted by The Washington Post. This feature uses SAML-based authentication. In this scenario, what is the role played by The Washington Post? A. Certificate authority B. Service provider C. Identity provider D. User agent
Correct Answer: B In SAML authentication, the user agent is the web browser, application, or other technology used by the end user. The service provider is the service that the user would like to access. The identity provider is the organization providing the authentication mechanism. The certificate authority issues digital certificates required to secure the connections.
Which one of the following terms best describes the level of firewall protection that is typically found in router access control lists? A. Proxying B. Stateless C. Stateful D. Next generation
Correct Answer: B Router access control lists are only capable of performing stateless filtering, which does not take connection status into account. Other firewall technologies, including stateful inspection firewalls, next generation firewalls, and proxy firewalls, all track connection state and typically require dedicated firewall hardware.
Wendy is deploying mobile devices to field workers who must travel in rural areas and require constant data service availability. Which one of the following technologies can provide that access? A. Cellular B. SATCOM C. WiFi D. Bluetooth
Correct Answer: B Satellite communications (SATCOM) have the widest availability, as they may be used from any region of the world with satellite coverage. For large satellite networks, this covers the entire planet. Cellular signals do travel long distances but may not have constant availability in rural areas. WiFi and Bluetooth are only useful over short distances and would not be appropriate for this scenario.
Greg is working with remote users to troubleshoot issues that they are experiencing with VPN connections when traveling to customer sites. He believes that customer firewalls are interfering with the VPN connection and is considering altering the VPN configuration to prevent this issue. What type of VPN connection is least susceptible to this problem? A. IPsec B. TLS C. Split tunnel D. Full tunnel
Correct Answer: B TLS VPNs typically use port 443, the same port used for HTTPS web traffic. This port is commonly allowed full outbound access through firewalls. IPsec VPNs use UDP port 500 as well as IP protocols 50 and 51. It is much more likely that this traffic will be blocked at a firewall. It is irrelevant whether Greg uses a split tunnel or full tunnel policy in this case, as the policy will not help establish the connection through the firewall, it will only control what traffic is routed through the VPN connection once it is established.
Henry would like to capture network packets from the command line. What command would best meet his needs? A. dd B. tcpdump C. FTK D. Wireshark
Correct Answer: B Tcpdump is a command-line packet capture utility. Wireshark is also a packet capture utility but it is designed for interactive use through a GUI. FTK and dd are forensic utilities used to capture disk images, not network packets.
Which one of the following security controls would be MOST effective in combatting buffer overflow attacks? A. IDS B. ASLR C. VPN D. DLP
Correct Answer: B Address space layout randomization (ASLR) is a security technique that randomizes the location of objects in memory, making a buffer overflow attack less likely to succeed. Virtual private networks (VPN) provide transport encryption and data loss prevention (DLP) systems provide protection against data exfiltration. Neither would be effective against buffer overflow attacks. Intrusion detection systems (IDS) may identify a buffer overflow attack but would not prevent it from succeeding.
Which one of the following statements does NOT accurately describe an advanced persistent threat (APT) attacker? A. They focus on specific high-value targets. B. They typically work alone to reduce the likelihood of discovery. C. They often exploit previously undisclosed vulnerabilities. D. They commonly have access to significant financial resources.
Correct Answer: B Advanced Persistent Threats (APTs) are advanced attackers who have access to significant financial and technical resources. These attackers are typically sponsored by government/military agencies or large organized crime rings. They conduct research to identify previously unknown vulnerabilities and exploit those vulnerabilities to gain access to systems in an undetected manner. APTs are called "persistent" because they typically select a single high-value target and then attack that target with intense focus. APT attackers do not generally work alone, but rather work in highly organized teams.
Ricky is concerned about the security of his organization's domain name records and would like to adopt a technology that ensures their authenticity by adding digital signatures. What technology should he use? A. DNSSIGN B. DNSSEC C. CERTDNS D. DNS2
Correct Answer: B DNSSIGN, CERTDNS, and DNS2 are not valid terms. So, they are not the correct answer. DNSSEC focuses on ensuring that DNS information has not been modified or replaced with malicious data. The Domain Name System Security Extensions (DNSSEC) add digital signatures to traditional DNS records so that the user can verify the authenticity of each record.
Tina is deploying a NAC solution for a university network and she wishes to perform host health checking. The network has many unmanaged student machines and students do not want to have software installed on their systems that remains behind after they leave the network. Which one of the following approaches would be best for Tina to use? A. Captive portal B. Dissolvable NAC C. Permanent NAC D. Active Directory NAC
Correct Answer: B Dissolvable NAC uses a temporary agent that is removed immediately after the health check completes. This would be the best solution for Tina to deploy. A captive portal solution does not necessarily have the ability to perform health checking unless it is combined with a dissolvable agent. Permanent NAC would install software that remains on the student computers. Active Directory NAC would not be appropriate because the systems are unmanaged and, therefore, not accessible through AD.
Dylan and Liam are using symmetric cryptography to communicate with each other. They have a shared secret key that no other person knows. What goal of cryptography is impossible for them to achieve? A. Confidentiality B. Non-Repudiation C. Integrity D. Authentication
Correct Answer: B Dylan and Liam can easily achieve confidentiality and integrity by using the key to encrypt and decrypt messages, which is not what we are looking for here. They can also achieve authentication because they know that if a message decrypts with the key, it must have been encrypted by the only other person with knowledge of the key. They cannot, however, achieve non-repudiation because they have no way to prove to a third party that a message came from the other party and wasn't forged by themselves.
Paul is helping to develop the security controls for a new high security facility. The requirements specify that some equipment must be housed in a Faraday cage. What is the primary purpose of this control? A. Block physical access to equipment B. Block electromagnetic radiation C. Prevent tailgating attacks D. Prevent theft of equipment
Correct Answer: B Faraday cages are enclosures designed to prevent electromagnetic radiation from entering or leaving an area. They are used to shield very sensitive equipment and to prevent electromagnetic signals that might be intercepted from leaving a facility.
Which one of the following technologies can be used to mitigate the effects of a denial of service attack on a local area network? A. Split horizon B. Flood guard C. Loop prevention D. Hold-down timers
Correct Answer: B Flood guard prevents a single device from flooding the network with traffic, which may cause a denial of service. Loop prevention, hold-down timers, and split horizon routing are all used to detect and correct routing loops.
Domer Industries is conducting a risk analysis of the risk of an earthquake damaging their data center. The data center is valued at $10 million and seismologists expect that a serious earthquake will damage 75% of the facility once every 50 years. In this scenario, what is the annualized loss expectancy? A. $7,500,000 B. $150,000 C. $5,625,000 D. $10,000,000
Correct Answer: B In this scenario, the annualized rate of occurrence (ARO) is once every 50 years, or a 0.02 ARO on an annual basis. The asset value (AV) is $10,000,000 and the exposure factor (EF) is 75%, resulting in a single loss expectancy (SLE) of $7,500,000. The annualized loss expectancy (ALE) is computed by multiplying the SLE by the ARO to get $150,000.
Brynn is concerned about the risks associated with web application attacks and wishes to perform input validation. What is the best place to perform this task? A. In the user's browser via HTML B. On the web server C. In the user's browser via JavaScript D. On the database server
Correct Answer: B Input validation should always be performed on the web server. Database servers do not see the full input provided by the user and are not well-situated to perform input validation. Input validation should never be performed at the web browser because a malicious user can disable that validation code.
In order to improve the security of his network, Tony is placing systems onto small subnets that are designed for systems that share a common purpose. What term best describes this technique? A. Isolation B. Segmentation C. Refactoring D. Shimming
Correct Answer: B Isolation disconnects a system from all other networked devices. So, that is not what we are looking for in this scenario. Refactoring and shimming are terms related to device drivers and not network structure. So, those two are incorrect as well. Segmentation is a term used to describe placing systems onto specialized subnets, rather than having them all on a larger network, making it our correct answer.
Matt is ranking systems in his organization in order of priority for disaster recovery. Which one of the following systems should have the highest impact rating? A. Routing and switching B. Fire suppression C. Enterprise resource planning D. Customer relationship management
Correct Answer: B Life safety systems should always have a higher impact rating than other systems. Therefore, Matt should prioritize the fire suppression system over other restoration efforts.
What do most physical security professionals consider the minimum fence height to slow down a determined intruder? A. 4 feet B. 8 feet C. 6 feet D. 12 feet
Correct Answer: B Most security professionals consider eight feet to be the minimum height for a fence protecting critical assets. It is trivial for an intruder to climb a fence of six feet or less. A fence that stands twelve feet high is likely unnecessary and aesthetically unpleasant. For added security, organizations may add barbed wire to the top of the fence.
Ken would like to configure his organization's password security policy to be in line with current NIST guidelines. What is the minimum password length that Ken should require to be consistent with those guidelines? A. 6 characters B. 8 characters C. 12 characters D. No minimum
Correct Answer: B NIST's digital identity security guidelines suggest that organizations set a minimum password length of 8 characters for passwords that are memorized by the user. (NIST SP 800-63B)
What IPSec mode is most commonly used to create site-to-site VPNs between locations? A. Internet key exchange mode B. Tunnel mode C. Transport mode D. Security association mode
Correct Answer: B Organizations deploying IPsec for site-to-site VPNs typically use tunnel mode to connect two VPN concentrators to each other and then route traffic through that tunnel in a manner that is transparent to the communicating devices. Transport mode is more commonly used for remote access VPNs. Internet key exchange (IKE) and security associations (SAs) are not modes of IPSec VPN operation.
Samantha is the administrator of her organization's mobile devices and wants to ensure that users have current versions of operating system firmware. Which one of the following approaches will best meet this need? A. Administrator installation B. OTA upgrades C. User installation D. Sideloading
Correct Answer: B Over-the-air (OTA) upgrades occur automatically and without user or administrator intervention, making them the best way to ensure that devices remain current. If Samantha wants to control when these updates occur, she can manage OTA updates through her mobile device management (MDM) platform. Manual installation or sideloading by users or administrators is not likely to keep devices consistently updated.
Jena would like to configure her organization's switches so that they do not allow systems connected to a switch to spoof MAC addresses. Which one of the following features would be helpful in this configuration? A. Loop protection B. Port security C. Flood guard D. Traffic encryption
Correct Answer: B Port security restricts the number of unique MAC addresses that may originate from a single switch port. It is commonly used to prevent someone from unplugging an authorized device from the network and connecting an unauthorized device but may also be used to prevent existing devices from spoofing MAC addresses of other devices.
Veronica is developing a web application that must interact with the database. She would like to safeguard it against SQL injection attacks. Which one of the following controls would best achieve her goal? A. Inline Queries B. Stored Procedures C. Normalizing her database structure D. Performing data wrangling
Correct Answer: B Stored procedures are a form of parameterized query where the query template is stored on the database server, safe from modification, making it our correct answer here. Users may only provide parameters to that query, which are executed in a manner that prevents SQL injection attacks.
What is the purpose of STIX? A. To provide a set of services to enable sharing of threat intelligence B. To represent threat information in a standardized manner C. Offer a standardized schema for the specification and communication of system and network events D. Provide an API for security platform integration
Correct Answer: B TAXII provides a set of services to enable sharing of threat intelligence. So that is not the correct answer. STIX is a collaborative effort to develop a standardized, structured language to represent cyber threat information. The STIX framework intends to convey the full range of potential cyber threat data elements and strives to be as expressive, flexible, extensible, automatable, and human-readable as possible. This is the correct answer. CEE, or the common event expression, offers a standardized schema for the specification and communication of system and network events. So, this is not the correct answer. And STIX does not provide an API for security platform integration. So that is not the correct answer either.
What static code analysis technique seeks to identify the variables in a program that may contain user input? A. Lexical analysis B. Taint analysis C. Control flow analysis D. Signature detection
Correct Answer: B Taint analysis traces variables that may contain user input and ensures that they are sanitized before being used by a potentially vulnerable function. Lexical analysis converts source code into a tokenized form. Control flow analysis traces the execution path of code. Signature detection looks for known patterns of malicious activity.
Ryan is building out a cloud web architecture and wishes to provide the maximum possible degree of fault tolerance while still working with a single IaaS vendor. Which one of the following solutions would best meet his needs? A. Creating redundant web servers across multiple vendors B. Creating redundant web servers in different regions C. Creating redundant web servers in different availability zones D. Creating redundant web servers in the same availability zone
Correct Answer: B The most fault-tolerant solution would involve multiple vendors, but Ryan specified that he wanted to work with a single vendor, so this is not an acceptable solution. Therefore, Ryan should strive for the solution that has the greatest geographic and logical redundancy within his vendor's environment. The best solution would be to use redundant servers in multiple regions. Availability zones are subsets of regions and provide less redundancy, not meeting Ryan's architecture needs. Operating servers in the same availability zone would create multiple single points of failure, making it another incorrect answer.
Which one of the following keying options creates the most secure implementation of the 3DES encryption algorithm? A. K1=K2, K2 is not equal to K3 B. K1, K2, and K3 are independent C. K2=K3, K1 is not equal to K3 D. K1=K2=K3
Correct Answer: B The most secure implementation of 3DES uses three independent keys. This approach creates a key with 168 (56x3) independent bits. When all three keys are the same, the key length is only 56 bits. When only two keys are independent, the key length is 112 bits.
Jodie is helping her organization move services into a new cloud-based service. This includes transferring PII about her company's customers. She is concerned about the regulatory impact of that move. What country/countries may have jurisdiction over customer PII used in the new cloud service? A. The countries where Jodie's company is headquartered and the customer resides B. The countries where the data is stored, Jodie's company is headquartered and the customer resides C. The country where the customer resides D. The country where Jodie's company is headquartered
Correct Answer: B The use of cloud services is complicated from a regulatory perspective. It is possible that each of the countries involved has some jurisdiction over the data. These include the country where the cloud provider has its data centers, the country where the customer resides, and the home country of Jodie's company.
Bernard is considering using a new cloud service where the vendor offers a managed environment for the execution of customer-supplied code. What term best describes this service? A. IaaS B. PaaS C. SaaS D. XaaS
Correct Answer: B This environment, where customers supply code and vendors supply managed infrastructure, is known as platform as a service (PaaS) computing. In infrastructure as a service (IaaS) computing, the vendor offers access to the basic building blocks of a computing infrastructure, such as servers, storage, and networking and the customer assembles those building blocks to create their own solutions. In the software as a service (SaaS) model, the vendor provides a fully functional application to the customer. Anything as a service (XaaS) is a term describing the fact that virtually any computing service may be delivered in a cloud model and it is not a good description of this specific scenario.
Vickie recently gathered digital evidence and would like to be able to provide future users of that evidence with the ability to verify non-repudiation. How can she provide this? A. Generate a hash value from the evidence B. Digitally sign the evidence C. Encrypt the evidence D. Generate a checksum from the evidence
Correct Answer: B Using a hash value or checksum can verify that the evidence was not altered, but does not provide non-repudiation. Encrypting the evidence protects it from unauthorized disclosure and also verifies integrity, but it does not provide non-repudiation. Vickie can provide non-repudiation by digitally signing the evidence with her private key.
Devin manages a shared computing environment for multiple customers and is worried about one of his customers accessing virtual machines owned by other customers. He would like to protect against these virtual machine escape attacks. What is the best control that he can implement? A. Network firewall B. Hypervisor patching C. Port security D. Input validation
Correct Answer: B Virtual machine (VM) escape attacks target vulnerabilities in the hypervisor supporting a virtualized environment. The strongest control to protect hypervisors against these attacks is to keep them patched. Network firewalls and port security are network security controls that occur outside of the virtualized environment and would not be effective in this case. Input validation is an application security control.
Charlie received an alert from file integrity monitoring software running on a server in his organization. Which one of the following is NOT a likely reason for this alert? A. Operating system update B. CPU failure C. Application update D. Security incident
Correct Answer: B Operating system updates and application updates frequently trigger file integrity alerts, as do system compromises. A CPU failure would result in a system crash, rather than a file integrity alert.
Why should administrators only allow employees to download digitally signed applications to mobile devices? A. Digitally signed applications are free of malware B. Digitally signed applications are certified to function properly C. Digitally signed applications come from trusted sources D. Digitally signed applications are guaranteed by Apple
Correct Answer: C Digital signatures validate that the application came from the entity that signed the application. Security professionals should not draw any other conclusions from the fact that an application is digitally signed.
Rudy is configuring a router that sits at the connection between his organization's network and the Internet. He is concerned about spoofed packets and would like to configure the router to perform anti-spoofing filtering. Which one of the following source IP addresses should be blocked at the router for inbound traffic? A. 12.168.1.100 B. 278.168.1.100 C. 192.168.1.100 D. 129.168.1.100
Correct Answer: C 12.168.1.100 and 129.168.1.100 are valid public IP addresses and should be permitted as inbound source addresses. 278.168.1.100 is not a valid IP address because the first octet is greater than 255. It does not need to be blocked because it cannot appear as a source address. This leaves 192.168.1.100. This address is a private address and should never be seen as a source address on packets crossing an external network connection.
Kevin runs a vulnerability scan on a system on his network and identifies a SQL injection vulnerability. Which one of the following security controls is likely not present on the network? A. DLP B. TLS C. WAF D. IDS
Correct Answer: C A web application firewall (WAF), if present, would likely block SQL injection attack attempts, making SQL injection vulnerabilities invisible to a vulnerability scanner. A data loss prevention system (DLP) does not protect against web application vulnerabilities, such as SQL injection. An intrusion detection system (IDS) might identify a SQL injection exploit attempt but it is not able to block the attack. Transport layer security (TLS) encrypts web content but encryption would not prevent an attacker from engaging in SQL injection attacks.
Ray is configuring a highly secure web application that is being used by a limited number of users. He would like to apply a client-side control that informs the client browser exactly what certificate to expect from the server. Which one of the following controls meets his requirement? A. Certificate chaining B. Certificate stapling C. Certificate pinning D. Certificate folding
Correct Answer: C Certificate pinning is a control that provides the client browser with instructions about the certificate(s) that it may accept from a specific web server. Certificates not matching the pinned certificate are rejected.
Eddie is concerned about the security of cryptographic keys that his organization uses with a cloud service provider. What mechanism can he use to best safeguard those keys from access by unauthorized individuals? A. CASB B. DLP C. HSM D. IPS
Correct Answer: C Cloud access security brokers (CASB) are used to consistently apply security policies across cloud services and don't protect encryption keys, making it an incorrect answer. Hardware security modules (HSMs) are specifically designed to safeguard encryption keys, avoiding the need for a human being to directly interact with the key, making it our correct answer here. Some cloud providers offer cloud-based HSM services to their customers as an advanced security offering. Data loss prevention (DLP) systems block the exfiltration of sensitive information and, again, don't protect encryption keys. Neither do intrusion prevention systems (IPSs), which detect and block security threats.
Rob is conducting a penetration test against a wireless network and would like to gather network traffic containing successful authentication attempts but the network is not heavily trafficked and he wants to speed up the information gathering process. What technique can he use? A. Brute force B. Rainbow table C. Disassociation D. Replay
Correct Answer: C Disassociation attacks intentionally disconnect a wireless user from their access point to force a reauthentication that the attacker may collect with a wireless eavesdropping tool. Brute force attacks, rainbow table attacks and replay attacks do not gather network traffic and, therefore, would not be useful in this scenario.
Barry was reviewing his organization's perimeter firewall ruleset and determined that it contains rules that allow unnecessary access. What type of control flaw has Barry discovered? A. Corrective B. Detective C. Preventive D. Deterrent
Correct Answer: C Firewalls serve to block attempted access to the organization's networks and systems. Therefore, they are best described as preventive controls. The purpose of a detective control is to identify attacks that are currently taking place or have taken place in the past. The purpose of a deterrent control is to discourage an attacker from attempting to undermine security. The purpose of a corrective control is to help the organization recover after a security incident.
Flo is the administrator for a server that is using RAID 5 with a six-disk array. In this approach, what is the maximum number of disks that may fail without the permanent loss of data? A. 2 B. 4 C. 1 D. 3
Correct Answer: C In a RAID 5 array, all of the disks contain data except for the parity disk. Therefore, regardless of the number of disks in the array, only a single disk may fail before data is permanently lost.
In which one of the following types of penetration test does the attacker not have any access to any information about the target environment prior to beginning the attack? A. White box B. Red box C. Black box D. Grey box
Correct Answer: C In a black box attack, the attacker does not have access to any information about the target environment before beginning the attack. In a grey box attack, the attacker has limited information. In a white box attack, the attacker has full knowledge of the target environment before beginning the attack.
Which one of the following assertions can NOT be made by validating the card authentication certificate on a US government PIV card? A. The card is not expired. B. The card has not been revoked. C. The holder of the credential is the same individual the card was issued to. D. The card was issued by an authorized entity.
Correct Answer: C PIVs contain four digital certificates. The card authentication certificate is used to verify that the PIV credential was issued by an authorized entity, has not expired, and has not been revoked. The PIV authentication certificate is used to verify that the PIV credential was issued by an authorized entity, has not expired, has not been revoked, and that the holder of the credential (you) is the same individual it was issued to. The digital signature certificate allows the user to digitally sign a document or email, providing both integrity and non-repudiation. The encryption certificate allows the user to digitally encrypt documents or email.
Which one of the following firewall types is capable of monitoring connection status by tracking the stages of the TCP handshake and then using that information when deciding whether to allow future packets that are part of an active connection? A. Router ACL B. Packet filter C. Stateful inspection D. Stateless firewall
Correct Answer: C Stateful inspection firewalls monitor connection status by tracking the TCP handshake. They maintain a table of active connections and automatically allow traffic that is part of an established connection without requiring the reevaluation of the ruleset for each packet. The other firewall types listed are more primitive and do not track connection status. They simply reevaluate every packet that they receive.
After implementing a SIEM solution, Amanda discovers that the timestamps on log entries are not synchronized. What protocol can Amanda deploy in her organization to ensure clock synchronization? A. DNS B. DHCP C. NTP D. BGP
Correct Answer: C The Network Time Protocol (NTP) performs clock synchronization across devices. The Domain Name Service (DNS) performs translations between domain names and IP addresses. The Dynamic Host Configuration Protocol (DHCP) provides IP addresses to systems. The Border Gateway Protocol (BGP) is used to configure network routing.
Bruce would like to implement an authentication mechanism that requires that users connecting via mobile devices use a second authentication factor when they are connecting from an unfamiliar IP address. What term best describes this technique? A. Rule-based authentication B. Device-based authentication C. Context-based authentication D. Role-based authentication
Correct Answer: C The use of different authentication requirements depending upon the circumstances of the user's request is known as context-based authentication. In this scenario, authentication requirements are changing based upon the user's IP address, making it an example of context-based authentication.
In what type of attack does the attacker place malicious content on a website that is frequented by individuals in the target organization, in the hopes that one of those individuals will visit the site with a vulnerable system and become compromised? A. Man-in-the-middle attack B. Man-in-the-browser attack C. Watering hole attack D. DDoS attack
Correct Answer: C Watering hole attacks take advantage of the fact that many people are predictable in their web surfing patterns. They place malicious content at a site likely to attract the target audience (the watering hole) and then wait for a compromise to occur.
What common clause in software is used specifically for error handling? A. For loop B. Do...while C. Try...catch D. If...then
Correct Answer: C While it is possible to perform error handling with a variety of constructs, the most appropriate tool is the use of the try...catch construct. In this approach, developers include the code that might generate an error in the try clause and then provide error handling code in the catch clause.
Harry believes that an employee of his organization launched a privilege escalation attack to gain root access on one of the organization's database servers. The employee does have an authorized user account on the server. What log file would be most likely to contain relevant information? A. Database Application Log B. Firewall Log C. Operating System Log D. IDS Log
Correct Answer: C A privilege escalation attack takes place against the operating system and information relevant to this attack is most likely found in the operating system logs. It is unlikely that the database application itself would be involved, so that application's logs would not likely contain relevant information. The user has authorized access to the system, so the firewall and IDS logs would simply show that authorized access taking place.
Brenda recently participated in an incident response training program where members of the team met in a conference room to discuss their roles in an incident using the context of a simulated emergency situation. What term best describes this event? A. Partial Activation B. Walkthrough C. Tabletop D. Full Activation
Correct Answer: C Activations, whether full or partial, only occur in response to an actual incident. So, that is not the correct answer. Walkthroughs are instructional sessions designed to familiarize team members with their roles and are not structured around a scenario. So, that is not the correct answer either. Tabletop exercises are informal sessions that gather team members to discuss how they would respond in a given scenario, making tabletop the correct answer.
When designing a security awareness program for employees, which one of the following groups would generally receive the most technical security training? A. Users B. Data owners C. System administrators D. Executives
Correct Answer: C All employees should receive security awareness training that is tailored to their role in the organization. System administrators are the most technical employees mentioned here, so they should receive the most technical training.
Which one of the following attacks is a critical threat that applies specifically to NTLM authentication? A. Rainbow table B. Man-in-the-middle C. Pass-the-hash D. Brute force
Correct Answer: C All of these attacks are authentication attacks. Brute force and rainbow table attacks are generic attacks that may be used against any authentication system that stores hashed passwords. Man-in-the-middle attacks are generally used against web applications. Pass-the-hash attacks are specifically effective against NTLM authentication.
Carmen recently collected evidence from a variety of sources and is concerned that the clocks on the systems generating the evidence may not be synchronized. What would be her best course of action? A. Modify the system clocks B. Configure the systems to use an NTP server C. Record the time offsets for each device D. Modify the time stamps in the evidence to match real time
Correct Answer: C At this point, Carmen has already collected the evidence, so changing the system clocks (manually or through NTP) would have no effect. Carmen should never modify evidence that has already been collected, so her best course of action is to record the time offsets and make the adjustments in her analysis.
Bijan is configuring an automated data transfer between two servers and is choosing an authentication technique for one server to connect to the other. What approach would be best-suited for this scenario? A. Biometric Authentication B. Smart Card Authentication C. SSH Key D. Hard Coded Password
Correct Answer: C Biometrics and smart cards require the administrator to intervene by either submitting to a biometric scan or manipulating a smart card. This question asks about automated transfers, so those techniques are not appropriate. The use of an SSH key can automate the connection between these two systems without requiring human intervention, making it the correct answer. Passwords should not be hard-coded in applications, to prevent their theft. So they're not appropriate here either.
Which one of the following approaches attaches an OCSP validation message to the digital certificate sent to users by a website? A. Certificate Chaining B. Certificate Pinning C. Certificate Stapling D. Certificate Attachment
Correct Answer: C Certificate chaining is used to delegate authority to subordinate certificate authorities. So, that is not the correct answer. Certificate pinning is a technique used to prevent changes in the valid certificate for a domain, which is another incorrect answer. Certificate stapling attaches an OCSP validation to the digital certificate, making it our correct answer. Certificate stapling also saves the client and server the time of repeatedly querying the OCSP server for certificate validity. That last choice, certificate attachment, is just a made-up term and it's not a valid technique.
Which one of the following would not be considered an OSINT tool? A. WHOIS lookups B. Google searches C. Website perusal D. Vulnerability scans
Correct Answer: D Open source intelligence (OSINT) includes the use of any publicly available information. This would include domain registration records found in WHOIS entries, the contents of public websites, and the use of Google searches. Vulnerability scans are an active reconnaissance technique and would not be considered OSINT.
Alison is preparing to testify in court about the results of a forensic investigation conducted after a security breach. As an expert witness, she will be sharing her interpretation of the evidence collected by others. What type of evidence will Alison be giving? A. Hearsay B. Documentary C. Testimonial D. Tangible
Correct Answer: C Expert witness evidence is best described as testimonial evidence, where a witness is making statements about their own observations and experience. The scenario does not specify that Alison will be introducing any documents or tangible objects herself. Hearsay would only apply if Alison makes statements about what other people said to her, which is also not described in the scenario.
Carla's firm is preparing to deploy a large network of Internet of Things sensors. Which one of the following is the least common security concern with IoT deployments? A. Patches to embedded operating systems B. Network segmentation C. Multifactor authentication D. Data encryption
Correct Answer: C IoT deployments do not typically require multifactor authentication. They do, however, call for maintenance of the embedded operating systems, network segmentation, and the encryption of sensitive information.
Helen is concerned about eavesdropping on a network that she manages. If a user on the network accesses only HTTPS sites, what information would an eavesdropper be able to determine about the sites that the user visits? A. IP addresses, site domains, and site content B. IP addresses and site domains C. IP addresses only D. An eavesdropper would not be able to gather any of this information
Correct Answer: C HTTPS traffic is protected by Transport Layer Security (TLS). An eavesdropper would not be able to see any information from inside the connection, such as the site domain or content. So these are not the correct answers. However, an eavesdropper would be able to determine the IP addresses of sites visited by the user, making IP addresses the correct answer.
Jessica believes that a server in her organization was compromised by an attacker. Which one of the following endpoint security platforms would provide the most visibility into activity on that device? A. HIPS B. Microsoft Configuration Manager C. EDR D. MDM
Correct Answer: C If the organization uses host intrusion prevention systems (HIPS) or Microsoft Configuration Manager, those technologies may provide useful information during the investigation but they do not provide the comprehensive tracking found in an EDR platform. Endpoint detection and response (EDR) platforms are designed specifically to track all activity that occurs on a device for use in forensic analysis and security operations, making it our correct answer. A server would generally not be regulated by a mobile device management (MDM) solution.
Harold is investigating a security incident where the victim was visiting a message board and viewed a message containing malicious code. He had another tab open in his browser that was logged into a popular shopping website. The malicious code on the message board made a purchase on the shopping website without his knowledge and shipped the merchandise to an overseas address. What type of attack likely took place? A. Server-side request forgery B. Cross-site scripting C. Cross-site request forgery D. Phishing
Correct Answer: C In this case, the attack depended upon the fact that the victim was already logged into the shopping website. The attacker knew that some portion of the visitors to the message board would be logged into that site and took advantage of that trust relationship to send commands through the user's browser to the shopping site. That's an example of a cross-site request forgery attack. Cross-site scripting attacks work in a similar manner but they do not leverage those trust relationships. Server-side request forgery attacks target the web server itself rather than the end user. Phishing attacks attempt to trick the user into sharing sensitive information, but this attack took place without the victim's knowledge.
Tom would like to amend his organization's exit interview process to protect against former employees leaking sensitive information. Which one of the following approaches would best meet his needs? A. Asking employees to sign an NDA before departure B. Threatening employees with legal action if they violate the NDA C. Reminding employees of the NDA that they signed upon employment D. No action is appropriate
Correct Answer: C It is not appropriate to ask a former employee to sign an NDA, as they have no obligation or incentive to do so. So this is not the correct answer. Threatening an employee would likely be counterproductive. So this is not the correct answer. Tom should remind employees of their obligations under their existing NDA.
Which one of the following statements about block and stream ciphers is correct? A. Stream ciphers commonly use Feistel networks. B. Block ciphers are faster than equivalent stream ciphers. C. Most modern ciphers are block ciphers. D. Block ciphers encrypt one byte at a time.
Correct Answer: C It is true that block ciphers make up the vast majority of modern encryption algorithms. Stream ciphers are faster, not slower, than block ciphers. Block ciphers may make use of Feistel networks, while stream ciphers cannot. Block ciphers work on chunks of data, rather than a single byte at a time.
Jan is working as a team member during a cybersecurity exercise. As part of her work, she is researching and testing different tactics that her team might use to gain access to target systems. What team is Jan most likely a member of? A. Blue team B. Purple team C. Red team D. White team
Correct Answer: C Jan is helping her team research tactics to attack systems, which is an example of an offensive operation. During a cybersecurity exercise, the red team is responsible for conducting offensive operations, while the blue team conducts defensive operations. The white team consists of the officials who moderate the exercise and arbitrate rules disputes. Purple teaming occurs after the exercise when the red and blue teams come together to discuss tactics and lessons learned.
Maureen is implementing TLS encryption to protect transactions run against her company's web services infrastructure. Which one of the following cipher suites would not be an appropriate choice? A. AES256-CCM B. ECDHE-RSA-AES256-SHA384 C. ADH-RC4-MD5 D. DH-RSA-AES256-GCM-SHA384
Correct Answer: C The key to this question is focusing on the encryption algorithms used by each option. Three of the four options use AES 256-bit encryption, which provides strong cryptography. One uses RC4 encryption, which is a weak implementation of cryptography and should be avoided.
Tonya is configuring vulnerability scans for a system that is subject to the PCI DSS compliance standard. What is the minimum frequency with which she must conduct scans? A. Daily B. Weekly C. Monthly D. Quarterly
Correct Answer: D PCI DSS requires that organizations conduct vulnerability scans on at least a quarterly basis, although many organizations choose to conduct scans on a much more frequent basis.
Under GDPR, which one of the following statements about Data Protection Officers (DPOs) is incorrect? A. DPOs must be appointed based upon professional qualities and expert knowledge B. Regulatory bodies must be informed of the name and contact information for the DPO C. DPOs must be employees of the organization D. Organizations may not provide instructions to the DPO on performing their tasks under GDPR Article 39
Correct Answer: C Let's walk through these and eliminate the statements that we know are correct about the GDPR. First, it is true that data protection officers, or DPOs, must be appointed based upon their professional expertise. DPOs must be well-qualified for their positions. So we can eliminate that answer. And once an organization appoints a DPO, they must notify regulators of the appointment and provide contact information so that the regulators may contact the DPO. Finally, organizations must provide the DPO with autonomy to perform their work under GDPR Article 39, so we'll eliminate that answer. Organizations are allowed to designate a contractor or service provider as an external DPO, if they wish to do so, so that makes the statement that DPOs must be employees of the organization the incorrect statement and our correct answer.
Fred created a set of IP restrictions on his Cisco router using Cisco's extended access control list (ACL) functionality. What type of access control model is Fred enforcing? A. Role-based access control B. Discretionary access control C. Rule-based access control D. Attribute-based access control
Correct Answer: C Network access control lists are examples of rule-based access control because the router will make decisions based upon the rules that Fred provides. The router does not know the identity of the user, so it cannot perform role-based or attribute-based access control. Users have no authority to delegate access control decisions, so this is not an example of discretionary access control.
Katie is reviewing the security of a web server used by her organization. She discovers each of the items listed below. Which one of these items poses the greatest security risk and should be prioritized for remediation? A. The server uses TLS 1.2. B. The server supports access on port 80. C. The server runs Apache and MySQL. D. The server supports access on port 443.
Correct Answer: C One of the basic server security principles is that each server should support only one primary function. Best practice dictates separating the web server (Apache) from the database server (MySQL). It is normal and standard for a web server to support both unencrypted access on port 80 and encrypted access on port 443. TLS 1.2 is a modern version of the protocol and is secure and acceptable for use.
Frank is reviewing the security of a customer environment and finds that they are using the Password Authentication Protocol on their network. What finding should Frank bring to the customer's attention? A. PAP is not compatible with non-Windows operating systems B. PAP is commonly configured by attackers and this may be a sign that the network is compromised C. PAP is an insecure protocol D. No finding is necessary, as PAP is a commonly used secure protocol
Correct Answer: C The statements that PAP is not compatible with non-Windows operating systems and that PAP is commonly configured by attackers, signaling a compromised network, are both incorrect answers in this scenario. PAP does not provide any encryption capability and is, therefore, not considered a secure protocol. Frank should recommend that his customer replace PAP with a secure alternative. This is the correct answer.
Which one of the following authentication mechanisms is most susceptible to pass-the-hash attacks? A. Kerberos B. SAML C. NTLM D. Shibboleth
Correct Answer: C Pass-the-hash attacks do not affect the Kerberos authentication system and they are also not likely found in the technologies supporting federation, such as the Security Assertion Markup Language (SAML) or Shibboleth. The NT LAN Manager (NTLM) authentication system used in some Windows-based networks is particularly susceptible to pass-the-hash attacks, so that's our correct answer.
Norma has held several positions in her company and is still able to carry out system actions that were granted to her based upon her previous roles. She no longer has a job-based requirement to perform those activities. What term describes what has happened here? A. Least privilege B. Privileged account C. Privilege creep D. Privilege migration
Correct Answer: C Privilege creep is the term used to describe the situation where a user moves through various job roles and accumulates permissions over time without having unnecessary permissions revoked. Privilege creep is a violation of the principle of least privilege.
Susan is looking for a security solution that is capable of reacting automatically to security information and performing a variety of tasks across other security solutions. Which one of the following technologies would best meet her needs? A. CASB B. SIEM C. SOAR D. IPS
Correct Answer: C Security orchestration, automation, and response (SOAR) platforms are specifically designed to react to security information and perform workflows across a variety of other systems, which would make it the best choice. Security information and event management (SIEM) platforms are capable of doing this to some degree, but they are not as well suited to the task as SOAR platforms, so while SIEM might be a good answer, it's not the best possible answer. When you take a security certification exam, it's very important to remember that questions may have one or more possible answers. You always want to choose the best of those choices. That's why it's very important to read the entire question carefully! Cloud access security brokers (CASB) and intrusion prevention systems (IPS) are not designed for correlating and responding to security information. CASB systems enforce security policies across cloud environments while an IPS is designed to detect and block intrusions.
In the eDiscovery reference model, what phase includes an attorney analysis of material to determine what is relevant to the case? A. Processing B. Identification C. Review D. Production
Correct Answer: C The eDiscovery Reference Model uses nine stages to describe the discovery process. During stage 5, processing, data is processed to remove irrelevant information and is prepared for review and analysis. So, this isn't the correct answer. During stage 2, identification, stored information is identified in order to know what you have and where it is. So, this isn't the correct answer either. During stage 6, review, attorney review of collected material takes place to ensure that it only contains what it is supposed to, and that information that should not be shared is not included. This is done after identification, collection, and processing, but prior to production, and is the correct answer. During stage 8, production, data is produced to provide the information to third parties or those involved in legal proceedings. So, this is another incorrect answer.
Which one of the following cryptographic algorithms does not depend upon the prime factorization problem? A. RSA B. GPG C. ECC D. PGP
Correct Answer: C The prime factorization problem forms the basis for most public key cryptographic algorithms, including RSA, PGP, and GPG. So, that eliminates all three of those - RSA, PGP, and GPG - as the answer. The elliptic curve cryptosystem (ECC) does not depend upon the prime factorization problem. The security of ECC depends upon the difficulty of finding the discrete logarithm of a random elliptic curve element with respect to a publicly known base point. That makes it our correct answer!
In a recent social engineering attack, the attacker found an employee of the target company at his gym and struck up a friendship there for several months before trying to slowly extract sensitive corporate information from the employee. What principle of social engineering is the attacker trying to exploit? A. Urgency B. Authority C. Familiarity D. Consensus
Correct Answer: C This is a clear example of familiarity and liking. The attacker built up a relationship over time with the employee until they had a strong bond. He then leveraged that relationship to slowly extract information from the target.
Tina is an independent security researcher who tests the security of systems of large corporations. She is working with a large automotive supplier to test the security of their systems. What term best describes Tina's work on this engagement? A. Black hat B. Blue hat C. White hat D. Grey hat
Correct Answer: C Tina is working under an authorized contract, so her work is clearly that of a white hat hacker. White hats do not need to be employees of the company being tested; they merely must be authorized to do their work. If Tina was working without permission, but intended to report results only to the target company, her work would be considered grey hat. If she had malicious intent, she would be a black hat hacker. Blue hat is not a term commonly used to categorize attackers.
Barry is configuring 802.1x authentication for his wireless network. In a typical wireless authentication scenario, what device would act as the 802.1x client? A. Mobile devices connecting to the network B. Router C. Wireless access point D. Back-end authentication server
Correct Answer: C In an 802.1x wireless network, the wireless access point or wireless controller typically serves as the 802.1x client, sending authentication requests to a back-end authentication server.
Vincent is tasked with establishing a disaster recovery site but is charged with providing bare-bones functionality at minimal cost. Which option should he consider? A. Warm site B. Hot site C. Cold site D. Mobile site
Correct Answer: C Cold sites have only basic infrastructure available and require the longest period of time to activate operations. They are also the cheapest option. Warm sites add hardware, and possibly software, to the mix but do not have a current copy of the data running. They require hours to activate. Hot sites are up and running at all times and can assume operations at a moment's notice. They are the most expensive option. Mobile sites are transportable on trailers and are a good choice for a last-minute recovery plan.
After an incident responder identifies that a security incident is in progress, what is the next step in the incident response process? A. Preparation B. Recovery C. Eradication D. Containment
Correct Answer: D After identifying an incident, the team should next move into the containment phase where they seek to limit the damage caused by the incident. Containment occurs prior to the eradication and recovery phases. The preparation phase occurs before incident identification.
Carl is selecting a computing environment for a machine learning workload. The nature of the workload is that it uses resources intensely for several hours each evening and does not need resources at other times during the day. What computing model would be most cost-effective for this type of workload? A. On-premises computing B. Remote data center C. Colocation facility D. Cloud computing
Correct Answer: D Cloud computing environments provide on-demand computing and allow users to pay for resources on an as-needed basis. In that model, Carl can power down servers that are not needed and reduce his costs. Other computing models have high fixed costs that would not be as cost-effective for this type of bursty workload.
Donna was recently approached by the manager of a former employee who was seeking access to that employee's email account. She believes there is a valid business need for the access but is unsure how to obtain approval. What type of control would assist Donna and others in her organization in making these decisions? A. Service level agreement B. Data classification policy C. Data handling guidelines D. Standard operating procedure
Correct Answer: D Donna's organization should consider implementing a standard operating procedure (SOP) for data access requests. This procedure could spell out the appropriate approval process for granting access to data stored in another user's account. A guideline is not mandatory and would not be appropriate in this case. A data classification policy would generally not cover access request procedures, nor would a service level agreement.
Gayle is logging onto a website managed by a third party vendor using credentials provided by her employer. The authentication system uses SAML-based authentication. In this scenario, who is the identity provider? A. The vendor B. Gayle's web browser C. The certificate authority D. Gayle's employer
Correct Answer: D In SAML authentication, the user agent is the web browser, application, or other technology used by the end user. The service provider is the service that the user would like to access. The identity provider is the organization providing the authentication mechanism. The certificate authority issues digital certificates required to secure the connections.
Corwin is beginning a penetration test and is reviewing the technical documentation provided by management that explains how the systems are designed and laid out. What type of test is Corwin most likely performing? A. Grey Box B. Black Box C. Red Box D. White Box
Correct Answer: D In a black box attack, the attacker does not have access to any information about the target environment before beginning the attack. In a grey box attack, the attacker has limited information. In a white box attack, the attacker has full knowledge of the target environment before beginning the attack.
In a data center using the hot aisle/cold aisle approach, where should air conditioner vents be positioned to distribute cold air? A. At the back of racks B. At the front and back of racks C. Above racks D. At the front of racks
Correct Answer: D In a hot aisle/cold aisle layout, cold air should be distributed at floor level in the front of racks (cold aisle) so that it is pulled into the front of equipment and vented out the back into the hot aisle.
Bill is securing a set of terminals used to access a highly sensitive web application. He would like to protect against a man-in-the-browser attack. Which one of the following actions would be most effective in meeting Bill's goal? A. Requiring multifactor authentication B. Requiring TLS encryption C. Disabling certificate pinning D. Disabling browser extensions
Correct Answer: D In a man-in-the-browser attack, the attacker manages to gain a foothold inside the user's browser, normally by exploiting a browser extension. This gives him or her access to all information accessed with the browser, regardless of whether the site uses strong authentication or transport encryption (such as TLS). Certificate pinning is a technique used to protect against inauthentic digital certificates and would not protect against a man-in-the-browser attack.
Christina is building a new capability for her organization's data centers that allows the automatic shifting of workloads to Amazon Web Services when the organization's own resources are overwhelmed. What type of environment is Christina building? A. Community cloud B. Private cloud C. Public cloud D. Hybrid cloud
Correct Answer: D In a public cloud environment, providers offer services on the same shared computing platform to all customers. Customers do not necessarily have any relationship to, or knowledge of, each other. In a private cloud environment, an organization builds its own computing environment. In a hybrid cloud environment, an organization combines elements of public and private cloud computing. In a community cloud environment, a group of related organizations builds a shared cloud environment that is not open for general public use.
Peter is conducting a penetration test of his own organization. He completed his reconnaissance work and is now attempting to gain access to a system with Internet exposure. What phase of the test is Peter in? A. Pivot B. Privilege escalation C. Persistence D. Initial exploitation
Correct Answer: D In this scenario, Peter has already completed his reconnaissance but has not yet gained access to any systems on the target network. Therefore, he is still in the initial exploitation phase of the penetration test.
Harold is designing an access control system that will require the concurrence of two system administrators to gain emergency access to a root password. What security principle is he most directly enforcing? A. Least privilege B. Separation of duties C. Security through obscurity D. Two-person control.
Correct Answer: D Systems that require two individuals to concur before performing a single action follow the principle of two-person control. There is no indication in the question that the control also enforces separation of duties or least privilege. There is also no indication that the mechanism relies upon the dangerous practice of security through obscurity.
Which one of the following key lengths is not supported by the AES encryption algorithm? A. 128 bits B. 192 bits C. 256 bits D. 512 bits
Correct Answer: D The Advanced Encryption Standard (AES) supports key sizes of 128, 192, and 256 bits. It does not support 512-bit keys.
Donna is looking for a secure way to transfer files between systems. The systems in question are already configured for SSH connections. What file transfer method could she use that would leverage the SSH protocol? A. FTPS B. Dropbox C. HTTPS D. SFTP
Correct Answer: D The Secure File Transfer Protocol (SFTP) provides a file transfer capability through a Secure Shell (SSH) connection. The File Transfer Protocol Secure (FTPS) also provides secure file transfers, but does so through a modified version of the FTP protocol and does not use SSH. Dropbox is a proprietary file sharing service that does not use SSH. The HyperText Transfer Protocol Secure (HTTPS) is a secure web protocol that may be used for file transfers but does not leverage SSH.
Ed is selecting a load balancing algorithm for use in his organization's web environment. There are substantial differences between the performance characteristics of the servers in the web farm and there are also significant differences in the lengths of user connections. Which load balancing algorithm would produce the best results for Ed? A. Least Connections B. Round Robin C. Weighted Round Robin D. Weighted Least Connections
Correct Answer: D The fact that the servers have different performance characteristics indicates that Ed should choose a weighted algorithm that allows him to specify that some servers should handle more load than others. The fact that users have sessions of differing length indicates that he should use a least connections approach that tracks the number of active sessions instead of a round robin approach that simply balances the number of assignments made. Therefore, Ed should choose the Weighted Least Connections algorithm.
Ben would like to identify all of the active network connections and services listening for connections on a Linux system that he is analyzing. What command-line utility can he use to meet this need? A. tcpdump B. pstools C. netcat D. netstat
Correct Answer: D The netstat command lists all of the active network connections on a system as well as the status of ports that are listening for requests. The tcpdump command captures network traffic and would see active network connections but does not identify ports that are listening without an active connection. The pstools command is used to find information about processes running on a system but does not provide network port or version information. The netcat command is used to send information via a network pipe.
Tim is choosing a card-based control system for physical access to his facility. His primary concern is the speed of authentication. Which type of card would be most appropriate for this situation? A. Photo ID card B. Magnetic stripe card C. Smart card D. Proximity card
Correct Answer: D The proximity card provides the fastest scanning time, as the user simply needs to hold it near the reader. Smart cards and magnetic stripe cards require more time-consuming interaction with the reader. Photo ID cards require scrutiny by a human guard.
Greg recently detected a system on his network that occasionally begins sending streams of TCP SYN packets to port 80 at a single IP address for several hours and then stops. It later resumes, but directs the packets at a different address. What type of attack is taking place? A. Port scanning B. IP scanning C. SQL injection D. DDoS
Correct Answer: D This is a clear example of a distributed denial of service (DDoS) attack. The system is flooding the target with connection requests, hoping to overwhelm it. The port and IP address are not changing, so this is not indicative of a scanning attack. There is no indication that the connection is completed, so it cannot be a SQL injection attack.
Tim's organization is planning the future of their data center infrastructure and has decided that they would like to move to a cloud service model. They have already embraced virtualization but would like to gain the management benefits of a cloud offering. They are working with a service provider who will provision hardware for their exclusive use. That equipment will reside in a data center that serves many customers. What type of cloud deployment model is Tim's organization considering? A. Public B. Hybrid C. Community D. Private
Correct Answer: D This is an example of a private cloud deployment, where the service provider is dedicating hardware to this specific customer. Private clouds may operate in data centers that are dedicated to that single customer or, as in this case, they may operate in shared data centers. The difference is that each customer's equipment is segregated and customers do not share hardware. That shared hardware approach is the hallmark of public and community cloud models. Hybrid cloud models mix elements of public and private clouds. There is no indication that Tim's organization intends to do this.
Carl is a help desk technician and received a call from an executive who received a suspicious email message. The content of the email appears below. What type of attack most likely took place? A. Whaling B. Spear phishing C. Vishing D. Phishing
Correct Answer: D This is most likely a straightforward phishing attack. The message is generic and not targeted at a specific user, as you would find in a spear phishing attack. Although the user is an executive, there is no indication that the message was specifically sent to this user because of his status as an executive, so it is not likely a whaling attack. The attack was sent over email, not the telephone, so it is not an example of vishing.
Gavin is managing the access control system for his organization. Users often change jobs and he would like to select an approach that will make it easy to reassign permissions when users move around the organization. Which access control model is best suited for his needs? A. ABAC B. DAC C. MAC D. RBAC
Correct Answer: D This situation calls for role-based access control, where authorizations are assigned based upon a user's role in the organization. This approach would allow Gavin to simply change a user's role when they switch jobs and then the permissions would automatically update based upon the user's new role.
Dylan is creating a cloud architecture that requires connections between systems in two different private VPCs. What would be the best way for Dylan to enable this access? A. VPN Connection B. Internet Gateway C. Public IP Address D. VPC Endpoint
Correct Answer: D A VPN connection seamlessly links endpoints on different networks, but is not the best answer in this case. An internet gateway connects an endpoint out to the Internet and is not the best choice for this situation. A public address is used to identify a host on the Internet, making it another incorrect answer. These three incorrect answers would allow the access but would require crossing public networks, reducing security and adding inefficiency. The easiest and most secure way for Dylan to enable this access is through the use of a VPC endpoint that allows direct connections between the VPCs without leaving the cloud provider's secure network.
As you increase the length of a key by a single bit, how much more resilient does that key become against a brute force attack? A. Four times stronger B. Ten times stronger C. One percent stronger D. Twice as strong
Correct Answer: D Adding a single bit to a cryptographic key doubles the number of possible keys, making the new key length twice as strong as the previous key length.
Alan is conducting a penetration test and gains access to an application server. During his attack, he creates a new administrative account on the server that he can use to access the system through its standard user interface. What testing goal is Alan hoping to achieve with this action? A. Pivoting B. Cleanup C. Lateral Movement D. Persistence
Correct Answer: D Alan is providing himself with a way to access the system at a later date through alternative channels. This is an example of persistence, allowing his access to the system to remain intact even if the original vulnerability he exploited is later patched. Pivoting and lateral movement are techniques where the attacker gains access to one system and then uses that access to gain access to other systems. That's not what's happening here. Finally, cleanup occurs when the attacker removes traces of their presence from the network. That hasn't yet happened in this scenario.
Dan recently received a digitally signed message and when he attempted to verify the digital signature received an error that the hash values did not match. What can Dan conclude from this error? A. The message was altered by a malicious individual after being sent. B. The message was accidentally corrupted in transit. C. There was an error creating the digital signature. D. Dan can't draw one of these specific conclusions.
Correct Answer: D Any one of these scenarios is a plausible reason that the digital signature would not verify. Dan cannot draw a specific conclusion other than that the message he received is not the message that was sent by the originator.
Renee is configuring her vulnerability management solution to perform credentialed scans of servers on her network. What type of account should she provide to the scanner? A. Domain Administrator B. Local Administrator C. Root Account D. Read Only Account
Correct Answer: D Credentialed scans only require read-only access to target servers. Renee should follow the principle of least privilege and limit the access available to the scanner by using a read-only account. Using a domain administrator account would provide far more privileges than necessary, allowing the scanner to potentially disrupt almost any device on the network. Using a local administrator account would have similar issues, but the problems caused by the scanner would be limited to the local system. The root account is just another name for the local administrator account.
What is the purpose of a DNS amplification attack? A. Host redirection B. Record poisoning C. Man-in-the-middle D. Resource exhaustion
Correct Answer: D DNS amplification is a denial of service technique that sends small queries with spoofed source addresses to DNS servers, generating much larger, amplified, responses back to the spoofed address. The purpose is to consume all of the bandwidth available to the target system, resulting in a resource exhaustion denial of service attack.
Julie is beginning a penetration test against a client and would like to begin with passive reconnaissance. Which one of the following tools may be used for passive reconnaissance? A. Nessus B. Metasploit C. Nmap D. Aircrack-ng
Correct Answer: D Nmap, Nessus, and Metasploit are all active reconnaissance tools that interact with their target environments. Aircrack-ng may be used to passively gather information about a wireless network and crack a pre-shared key.
What cryptographic technology enables anonymity in the Tor network? A. Elliptic Curve Cryptography B. Quantum Cryptography C. Key Stretching D. Perfect Forward Secrecy
Correct Answer: D Elliptic curve cryptography has several uses including public key encryption, digital signatures, and secure protocols, but it is not the right answer. Quantum cryptography also has several uses including key exchange and secure communications, but it is not the right answer either. Key stretching is used to strengthen encryption keys and passwords. So, that is not the correct answer here. The Tor network depends upon perfect forward secrecy to enable true anonymity. In this approach, each link in the Tor chain only knows the identity of the immediately adjacent links in the chain.
Gina is reviewing the configuration of an Apache Ubuntu web server environment and would like to review appropriate security configuration guides. Which one of the following guides would be least relevant to her situation? A. Apache web server configuration guide B. Web application firewall configuration guide C. Firewall configuration guide D. Windows operating system configuration guide
Correct Answer: D Gina should consult the configuration guides for all devices, operating systems, and applications associated with the web server or involved in handling traffic directed to the web server. This would include the Apache web server itself, the firewall, and the web application firewall. A Windows configuration guide would not be useful because the web server is running Ubuntu Linux.
Thomas is considering using guard dogs to patrol the fenced perimeter of his organization's data processing facility. What category best describes this control? A. Compensating B. Preventive C. Corrective D. Deterrent
Correct Answer: D Guard dogs may be described as either a deterrent or preventive control, depending upon the context. They do serve in a preventive role because they have the ability to corner a potential intruder. However, this is not their primary role. Their main function is to serve as a deterrent to intrusion attempts through their menacing appearance. When taking the exam, remember that you may face questions like this asking you to choose the BEST answer from among several correct possibilities.
Which one of the following industry standards describes a standard approach for setting up an information security management system? A. CIS B. ISO 27002 C. OWASP D. ISO 27001
Correct Answer: D ISO 27001 describes a standard approach for setting up an information security management system, making it our correct answer here. ISO 27002 goes into more detail on the specifics of information security controls, which is not what we are looking for. The Center for Internet Security (CIS) produces a set of configuration benchmarks used to securely configure operating systems, applications, and devices, which is an incorrect answer. The Open Web Application Security Project (OWASP) provides advice and tools focused on web application security, another incorrect answer here.
Which ISO standard contains specific guidance on the privacy of personally identifiable information? A. ISO 27001 B. ISO 27002 C. ISO 31000 D. ISO 27701
Correct Answer: D ISO standard 27701 contains guidance on enhancing an information security management system to establish privacy standards for personally identifiable information. ISO 27001 and 27002 cover the standards and best practices for implementing an information security management system. The ISO 31000 family of standards covers the design and implementation of a risk management program.
Molly's organization has a shared account that they use to provide access to vendors. What is the primary security objective that is sacrificed using this model, assuming that the password is not shared with unauthorized individuals? A. Integrity B. Confidentiality C. Least privilege D. Accountability
Correct Answer: D If the password remains known only to authorized individuals, this does not violate the principles of confidentiality or integrity. There is no indication from the scenario that the account has excess privileges, so least privilege is not violated. However, the use of a shared account prevents security staff from determining which individual performed an action, violating the principle of accountability.
Which one of the following mobile device deployment models allows employees to select the device they would like to use from a list of approved corporate-owned models? A. COPE B. BYOD C. Corporate-owned D. CYOD
Correct Answer: D In a choose-your-own-device (CYOD) model, the employee is permitted to choose from a selection of approved devices. The company owns the device. In a bring-your-own-device (BYOD) model, the employee owns the device. In corporate-owned, personally-enabled (COPE) and corporate-owned models, the company owns the device but the employee does not necessarily have the ability to choose the device.
Pete is investigating a domain hijacking attack against his company that successfully redirected web traffic to a third party website. Which one of the following techniques is the most effective way to carry out a domain hijacking attack? A. Network eavesdropping B. DNS poisoning C. ARP poisoning D. Social engineering
Correct Answer: D In a domain hijacking attack, the attacker changes the registration of a domain with the registrar. DNS and ARP poisoning attacks may redirect web traffic, but they would do so by providing bogus address information, not by hijacking the domain. Network eavesdropping could theoretically be used to steal credentials used to alter information with a registrar, but this is unlikely. The most likely source of a domain hijacking attack is using social engineering with the registrar to gain access to the account used to manage registration information.
Christina is building a new capability for her organization's data centers that allows the automatic shifting of workloads to Amazon Web Services when the organization's own resources are overwhelmed. What type of environment is Christina building? A. Public cloud B. Private cloud C. Community cloud D. Hybrid cloud
Correct Answer: D In a public cloud environment, providers offer services on the same shared computing platform to all customers. Customers do not necessarily have any relationship to, or knowledge of, each other. In a private cloud environment, an organization builds its own computing environment. In a hybrid cloud environment, an organization combines elements of public and private cloud computing. In a community cloud environment, a group of related organizations builds a shared cloud environment that is not open for general public use.
Ryan is experiencing interference on his WiFi network. Which one of the following options is not an effective solution to the problem? A. Relocate access points B. Relocate wireless clients C. Change wireless channels D. Increase bandwidth
Correct Answer: D Moving the access point or the client may resolve the interference, as might changing the wireless channel/band in use. Increasing bandwidth will only provide more capacity. Additional capacity will not resolve interference.
Maliah is responding to a security incident where a call center representative was tricked into disclosing his password. The representative went to visit a company website and was redirected to an illegitimate site that looked like the corporate site, but stole his password. What term best describes this attack? A. Phishing B. Watering Hole C. Whaling D. Pharming
Correct Answer: D Phishing is a broad term used to describe obtaining user credentials and sensitive data fraudulently, usually through unsolicited email. In this case, the victim was redirected to an illegitimate website, so that wasn't a phishing attack. A watering hole attack is designed around a website that a particular group visits often. For example, it might place malicious code on a message board visited by employees of a company. Watering hole attacks don't redirect users, so that's not the correct answer either. Whaling is a type of phishing aimed at high-profile employees. We've already ruled out phishing attacks, so this is another incorrect answer. This scenario is an example of a pharming attack, where the victim was redirected to an illegitimate site and had their credentials stolen.
Which one of the following technologies is not commonly used in embedded systems? A. FPGA B. Raspberry Pi C. Arduino D. SELinux
Correct Answer: D Raspberry Pis, Arduinos, and field-programmable gate arrays (FPGA) are all hardware platforms that are easily reconfigurable for use in embedded systems. So, these are not the correct answers. Security Enhanced Linux (SELinux) is a security-focused version of the Linux operating system. It is not commonly used in embedded systems because it has significant overhead and complexity. This is the correct answer.
Which one of the following authentication mechanisms is generally not used in smartphone devices? A. Facial recognition B. Passcode C. Fingerprint scanning D. Retinal scanning
Correct Answer: D Retinal scanning is a slow, intrusive technique that requires specialized hardware and cannot be performed with a standard smartphone. Smartphones do commonly use passcodes, fingerprint scanning and facial recognition for authentication.
Which one of the following security vulnerabilities is NOT a common result of improper input handling? A. SQL injection B. Cross-site scripting C. Buffer overflow D. Distributed denial of service
Correct Answer: D SQL injection, cross-site scripting, and buffer overflow attacks all occur when applications do not properly screen user-provided input for potentially malicious content. Distributed denial of service attacks use botnets of compromised systems to conduct a brute force resource exhaustion attack against a common target.
Gary is configuring a wireless access point that supports the WPS service. What risk exists in all implementations of WPS that he should consider? A. Weak encryption B. Offline brute force attack C. Impossible to disable WPS D. Physical access to the device
Correct Answer: D Several vulnerabilities exist in different implementations of WPS. Some allow an offline brute force attack known as Pixie Dust. Others may make it impossible for device administrators to disable WPS. Others may use weak encryption. The risk that applies to all WPS devices is the risk of physical access. If an attacker gains physical access to the device, he or she can join the network.
Which one of the following security controls provides the best defense against tailgating? A. Air Gaps B. Biometrics C. Turnstiles D. Access Control Vestibule
Correct Answer: D Tailgating attacks occur when an unauthorized individual slips into a facility behind an authorized user who opens the door. Air gaps are not sufficient on their own as someone can easily catch up with an authorized person as the door is opened. So this is not the correct answer. With biometrics, once one person has authenticated, another person can still slip in following the authorized person. So this is not the correct answer. Turnstiles may help with tailgating attacks, but an attacker could jump over the turnstile, making it not as effective. So this is not the best answer option either. Access control vestibules are isolation areas where one person completes the authentication process and accesses the facility before a second person can enter the vestibule. This is the correct answer.
Patrick is investigating a security incident. He believes that the incident is originating from a single system on the Internet and targeting multiple systems on his network. What control could he put in place to stop the incident as quickly as possible? A. Host firewall rule B. Operating system update C. DDoS Mitigation D. Network Firewall Rule
Correct Answer: D The attack in question could be most quickly stopped with a network firewall rule blocking all traffic from the origin system. Host firewall rules would also address the issue but would be more time-consuming to create on every system. An operating system update would not stop attack traffic, making it another incorrect answer. There is also no indication that a DDoS attack is underway, so a DDoS mitigation service would not be helpful.
Chris is investigating a security incident at his organization where an attacker entered the building wearing a company uniform and demanded that the receptionist provide him access to a network closet. He told the receptionist that he needed to access the closet immediately to prevent a major network disaster. Which one of the following principles of social engineering did the attacker NOT exploit? A. Intimidation B. Urgency C. Authority D. Consensus
Correct Answer: D The attacker entered the building wearing a uniform, which is a sign of authority. He threatened the receptionist (intimidation) with an impending network outage (urgency). There is no indication that he tried to build consensus.
Jessica is creating a virtual private cloud (VPC) with a private subnet in her IaaS environment. Which one of the following IP address ranges would not be appropriate for this subnet? A. 172.16.0.0/16 B. 10.16.0.0/16 C. 192.168.0.0/16 D. 181.10.0.0/16
Correct Answer: D The following address ranges are available for use on private networks and subnets: 10.0.0.0-10.255.255.255, 172.16.0.0-172.31.255.255, and 192.168.0.0-192.168.255.255. Three of the subnets presented in this question fall into these ranges while the fourth, 181.10.0.0/16 does not. That subnet is a public address range assigned to a particular user and should not be used on a private subnet.
Paula is reviewing her organization's account management lifecycle. She is paying particular attention to the timeliness of account management activities and would like to prioritize areas that have the greatest risk. Which one of the following activities should be her highest priority? A. Access modifications B. Onboarding C. Access reviews D. Offboarding
Correct Answer: D The offboarding process is the area of greatest risk to the organization because failure to execute deprovisioning activities in a prompt manner may mean that employees who have left the organization retain access to sensitive information or systems.
Brenda is assisting a user who is traveling on business and is unable to access a critical system. Brenda is able to access the system herself and the user was able to access it last week from the office. The user connected to the VPN and is still having the same issue. What type of access restriction is most likely in place? A. Time-based restriction B. Role-based restriction C. Content-based restriction D. Location-based restriction
Correct Answer: D The only factor that changed is the user's location, making a location-based restriction the most likely culprit. This type of restriction can apply even when a user connects to a VPN. We know that it is not a content-based restriction or role-based restriction because the user was able to access the same system when in the office. We also can surmise that it is not likely a time-based restriction because Brenda is able to access the system at the same time.
What is the primary risk associated with using motion detectors to automatically unlock a data center door when a person is attempting to exit? A. The motion detector may not sense some employees based upon their physical characteristics. B. The motion detector may not work during a power failure. C. An employee may exit the facility with unauthorized materials. D. An intruder may attempt to trigger the motion detector from the outside to gain entry.
Correct Answer: D The primary risk associated with automated exit motion detectors is that an intruder outside the facility may be able to gain access by triggering the motion detector. For example, if it is possible to slide a piece of paper under the door, it may be possible to forcefully push the paper through so it flies up in the air and triggers the detector.
Vivian is investigating a website outage that brought down her company's ecommerce platform for several hours. During her investigation, she noticed that the logs are full of millions of connection attempts from systems around the world, but those attempts were never completed. What type of attack likely took place? A. DoS B. Cross-site request forgery C. Cross-site scripting D. DDoS
Correct Answer: D This is a clear example of a distributed denial of service (DDoS) attack. The half-open connections indicate the use of a denial of service attack. The fact that the requests came from all over the world makes it clear that it is more than a standard denial of service attack. There is no indication that there was a web application flaw, such as cross-site request forgery or cross-site scripting.
Roland's company requires that supervisors approve payment requests entered by accounting clerks when the total amount of the payment is over $10,000. What type of control is this? A. Least privilege B. Separation of duties C. Job rotation D. Two-person control
Correct Answer: D Two-person control requires the concurrence of two individuals for sensitive actions. That is the scenario described here. Separation of duties says that an individual should not have both permissions necessary to perform a sensitive action. This is a closely related, but distinct principle. There is no evidence given that supervisors do not have the ability to create payments, so separation of duties is not in play here.
Bill suspects that an attacker is exploiting a zero-day vulnerability against his organization. Which one of the following attacker types is most likely to engage in this type of activity? A. Hacktivist B. White hat C. Script kiddie D. APT
Correct Answer: D While it is possible that any type of attacker might engage in a zero-day attack, it is most likely to find these vulnerabilities exploited by an advanced persistent threat (APT). APT attackers are more likely to have the technical resources to discover and use zero-day vulnerabilities.
During a web application security review, Crystal discovered that one of her organization's applications is vulnerable to SQL injection attacks. Where would be the best place for Crystal to address the root cause issue? A. Database server configuration B. Web application firewall C. Web server configuration D. Application code
Correct Answer: D While it may be possible to mitigate this issue by adjusting settings on any of the devices mentioned here, the root cause of a SQL injection vulnerability is faulty input validation in the application's source code. This root cause may only be addressed by modifying the application code.
When operating in a cloud environment, what cloud deployment model provides security teams with the greatest access to forensic information? A. FaaS B. SaaS C. PaaS D. IaaS
Correct Answer: D With Function as a Service (FaaS), you may not be able to access the computing system the function is operating on, so that is not the best answer. With Software as a Service (SaaS), again, you may only have access to the application, so that is another incorrect answer. With Platform as a Service (PaaS), you have additional access to the coding environment, but that is not what we are looking for. Finally, Infrastructure as a Service (IaaS) environments provide analysts with access to the operating system, allowing deeper forensic analysis than other cloud platforms that operate higher in the stack.
Alan is assessing the results of a penetration test and discovered that the attackers managed to install a back door on one of his systems. What activity were the attackers most likely engaged in when they installed the back door? A. Pivoting B. Privilege Escalation C. Lateral Movement D. Persistence
Correct Answer: D Back doors are an example of a persistence technique. They are designed to allow the attacker to regain access to the system even after the original flaw they exploited is patched. Pivoting and lateral movement techniques are used to switch targets after gaining initial access to an environment. Privilege escalation techniques are used to gain administrative privileges after obtaining access to a standard user account.
Andy is developing requirements for a disaster recovery site and needs the ability to recover operations as quickly as possible. Which one of the following recovery site options provides the quickest activation time? A. Warm site B. Mobile site C. Cold site D. Hot site
Correct Answer: D Cold sites have only basic infrastructure available and require the longest period of time to activate operations. They are also the cheapest option. Warm sites add hardware, and possibly software, to the mix but do not have a current copy of the data running. They require hours to activate. Hot sites are up and running at all times and can assume operations at a moment's notice. They are the most expensive option. Mobile sites are transportable on trailers and are a good choice for a last-minute recovery plan.
