Greatest ISM 324 Study Guide Ever*
Lisa needs to calculate the total ALE for a group of servers used in the network. During the past two years, five of the servers failed. The hardware cost to replace each server is $3,500, and the downtime has resulted in $2,500 of additional losses per failure. What is the ALE?
$15,000
You need to calculate the ALE for a server. The value of the server is $3,000, but it has crashed 10 times in the past year. Each time it crashed, it resulted in a 10 percent loss. What is the ALE?
$3,000
You are trying to add additional security controls for a database server that includes customer records and need to justify the cost of $1,000 for these controls. The database includes 2,500 records. Estimates indicate a cost of $300 for each record if an attacker successfully gains access to them. Research indicates that there is a 10 percent possibility of a data breach in the next year. What is the ALE?
$75,000 (SLE = 2,500 records × $300 = $750,000; ARO = 0.1; ALE = SLE × ARO)
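Worked calculation for the three ALE questions above, as an added example that is not part of the study guide. It factors each answer into SLE (asset value × exposure factor, plus any fixed per-incident loss the question states separately) and ARO (incidents per year), then applies ALE = SLE × ARO and checks whether a control is worth its yearly cost. The figures are the ones in the questions; the function and scenario names are this example's own.

```python
def single_loss_expectancy(asset_value, exposure_factor=1.0, extra_loss=0.0):
    """SLE: loss from one incident = asset value x exposure factor, plus any fixed
    per-incident cost (e.g. downtime) that the question states separately."""
    return asset_value * exposure_factor + extra_loss


def annualized_rate_of_occurrence(incidents, years=1.0):
    """ARO: incidents per year. May be fractional (five failures over two years = 2.5)
    or below 1 (a 10 percent chance next year = 0.1)."""
    return incidents / years


def annualized_loss_expectancy(sle, aro):
    """ALE = SLE x ARO."""
    return sle * aro


def control_is_justified(annual_control_cost, ale_without, ale_with=0.0):
    """A control pays for itself when its yearly cost is no more than the ALE it removes."""
    return annual_control_cost <= ale_without - ale_with


def scenario_failed_servers():
    """Five failures in two years; $3,500 hardware + $2,500 downtime per failure."""
    sle = single_loss_expectancy(3500, extra_loss=2500)        # $6,000
    aro = annualized_rate_of_occurrence(5, years=2)            # 2.5 per year
    return annualized_loss_expectancy(sle, aro)                # $15,000


def scenario_crashing_server():
    """$3,000 server, ten crashes a year, each costing 10 percent of its value."""
    sle = single_loss_expectancy(3000, exposure_factor=0.10)   # $300
    aro = annualized_rate_of_occurrence(10)                    # 10 per year
    return annualized_loss_expectancy(sle, aro)                # $3,000


def scenario_customer_database():
    """2,500 records at $300 each if breached; 10 percent chance of a breach next year."""
    sle = single_loss_expectancy(2500 * 300)                   # $750,000
    aro = annualized_rate_of_occurrence(0.10)                  # 0.1 per year
    return annualized_loss_expectancy(sle, aro)                # $75,000


if __name__ == "__main__":
    for name, fn in [("failed servers", scenario_failed_servers),
                     ("crashing server", scenario_crashing_server),
                     ("customer database", scenario_customer_database)]:
        print(f"{name}: ALE = ${fn():,.0f}")
    # The $1,000 controls in the third question are cheap next to a $75,000 ALE.
    print("database controls justified:",
          control_is_justified(1000, scenario_customer_database()))
```

The third scenario is the one most often miscalculated: the $300 is a per-record cost, so it must be multiplied by the record count before the 10 percent annual probability is applied.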
(36) An attacker is trying to break into your wireless network. Of the following choices, what security controls can the attacker easily bypass with a protocol analyzer? (Choose all that apply) WPA2-PSK MAC filtering WPA2 with CCMP Disabled SSID broadcast
...
(5) Users in your organization can use a self-service password reset system. What does this provide? Password policy enforcement Password deletion Account expiration reset Password recovery
...
You need to enable the use of NetBIOS through a firewall. Which port should you open?
137 through 139
Of the following choices, what ports are used by NetBIOS? (Choose two.)
137, 139
(24) Your organization hosts a Microsoft SQL Server database in the internal network. You want to ensure that the firewall blocks access to this database from the Internet. What port should you block? 22 23 443 1433
1433
Which of the following IP addresses are on the same subnet? (Choose all that apply)
192.168.1.165 255.255.255.192 and 192.168.1.189 255.255.255.192 (both fall in 192.168.1.128/26, the range 192.168.1.128 to 192.168.1.191)
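The subnet check behind the question above, as an added example (not from the study guide): AND each address with its mask and compare the resulting network addresses. The candidate list is constructed for the example; it contains the two addresses from the question plus a few that sit just outside their /26.

```python
import ipaddress


def network_address(address, mask):
    """Bitwise AND of the address with its mask: the subnet's network address."""
    a = int(ipaddress.IPv4Address(address))
    m = int(ipaddress.IPv4Address(mask))
    return str(ipaddress.IPv4Address(a & m))


def same_subnet(addr_a, mask_a, addr_b, mask_b):
    """Two hosts share a subnet only if their masks agree and AND-ing each address
    with the mask yields the same network address."""
    if mask_a != mask_b:
        return False
    return network_address(addr_a, mask_a) == network_address(addr_b, mask_b)


def group_by_subnet(hosts):
    """Group (address, mask) pairs by the subnet they fall in.
    Returns {'network/prefix': [addresses...]} in first-seen order."""
    groups = {}
    for address, mask in hosts:
        net = ipaddress.ip_interface(f"{address}/{mask}").network
        groups.setdefault(str(net), []).append(address)
    return groups


# Constructed candidate list: the two addresses from the question, two that fall
# just outside their /26 (192.168.1.128-191), and one with a wider mask.
CANDIDATES = [
    ("192.168.1.165", "255.255.255.192"),
    ("192.168.1.189", "255.255.255.192"),
    ("192.168.1.193", "255.255.255.192"),  # next block, .192-.255
    ("192.168.1.100", "255.255.255.192"),  # previous block, .64-.127
    ("192.168.1.165", "255.255.255.0"),    # same host, /24 mask: a different subnet
]

if __name__ == "__main__":
    for net, members in group_by_subnet(CANDIDATES).items():
        print(net, members)
```

With a /26 mask the last octet is split into four blocks of 64 (.0, .64, .128, .192); .165 and .189 both AND to .128, while .193 ANDs to .192 and is on a different subnet despite being only four addresses away.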
What is the default port for SSH?
22
What port does SFTP use?
22
You need to manage a remote server. Which of the following ports should you open on the firewall between your system and the remote server?
22 and 3389
(23) What port does Telnet use? 22 23 443 500
23
What port does SMTP use?
25
(26) An audit of the firewall logs shows that attackers are attempting to remotely log in to systems using remote desktop protocols. The security administrator decides to block the port to prevent this activity. What port should the administrator close? 20 22 389 3389
3389
36. Which of the following is the BEST description of why disabling SSID broadcast is not an effective security measure against attackers? A. The network name is contained in wireless packets in plaintext. B. The passphrase is contained in wireless packets in plaintext. C. The SSID is included in MAC filters. D. The SSID is not used with WPA2.
36. A. The service set identifier (SSID) is the network name and it is included in certain wireless packets in plaintext. Disabling SSID broadcast hides the wireless network from casual users, but not attackers. Passphrases are not sent across the network in plaintext and are unrelated to the SSID. Media access control (MAC) address filters do not include the SSID. Wi-Fi Protected Access II (WPA2) does use the SSID. See Chapter 4.
A supply company has several legacy systems connected together within a warehouse. An external security audit discovered the company is using DES and mandated the company upgrade DES to meet minimum security requirements. The company plans to replace the legacy systems next year, but needs to meet requirements from the audit. What is MOST likely to be the simplest upgrade for these systems?
3DES
Which of the following is an encryption algorithm that uses multiple keys and encrypts data multiple times?
3DES
Which of the following formulas represent the complexity of a password policy that requires users to use only upper and lower case letters with a length of eight characters?
52^8
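Keyspace arithmetic behind the 52^8 answer, as an added example that is not part of the study guide. It goes beyond the question: besides the simple "any character from the allowed classes" count, it uses inclusion-exclusion to count passwords that must contain every chosen class, and from that the "at least three of four classes" style of policy. Class sizes for upper, lower and digits are fixed; the 32-symbol count is an assumption, since policies differ on which symbols they allow.

```python
import math
from itertools import combinations

# Character-class sizes. Upper/lower/digit are fixed; 32 printable ASCII symbols
# is an assumption (policies differ on which symbols they accept).
CLASS_SIZES = {"upper": 26, "lower": 26, "digit": 10, "symbol": 32}


def keyspace_from_classes(classes, length):
    """Passwords of `length` characters drawn freely from the union of `classes`.
    Upper + lower at length 8 is the 52**8 in the question."""
    alphabet = sum(CLASS_SIZES[c] for c in classes)
    return alphabet ** length


def keyspace_using_every_class(classes, length):
    """Passwords of `length` that contain at least one character from EACH class.
    Inclusion-exclusion: start from all strings over the union, subtract those that
    skip one class, add back those that skip two, and so on."""
    classes = list(classes)
    total = 0
    for k in range(len(classes) + 1):
        for omitted in combinations(classes, k):
            alphabet = sum(CLASS_SIZES[c] for c in classes if c not in omitted)
            total += (-1) ** k * alphabet ** length
    return total


def keyspace_at_least(classes, min_classes, length):
    """Passwords of `length` that use at least `min_classes` of the given classes
    (e.g. a 'three of four' policy). Each exact set of classes used is counted once,
    so the sets are disjoint and can simply be added."""
    classes = list(classes)
    total = 0
    for r in range(min_classes, len(classes) + 1):
        for chosen in combinations(classes, r):
            total += keyspace_using_every_class(chosen, length)
    return total


def entropy_bits(keyspace):
    """Size of a keyspace expressed as bits, the usual way to compare policies."""
    return math.log2(keyspace)


if __name__ == "__main__":
    upper_lower = keyspace_from_classes(["upper", "lower"], 8)
    three_of_four = keyspace_at_least(CLASS_SIZES, 3, 8)
    print("upper+lower, 8 chars:", upper_lower, f"({entropy_bits(upper_lower):.1f} bits)")
    print("3 of 4 classes, 8 chars:", three_of_four, f"({entropy_bits(three_of_four):.1f} bits)")
```

The complexity rule actually shrinks the keyspace relative to "any of the 94 characters", because it excludes strings that happen to use fewer classes; what it buys is protection against the weakest choices, not a larger space.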
What ports do HTTP and HTTPS use?
80 and 443
D
A CA is compromised and attacks start distributing maliciously signed software updates. Which of the following can be used to warn users about the malicious activity? A. Key escrow B. Private key verification C. Public key verification D. Certificate revocation list
D
A CRL is comprised of: A. Malicious IP addresses. B. Trusted CA's. C. Untrusted private keys. D. Public keys.
An IDS alerts on increased traffic. Upon investigation, you realize it is due to a spike in network traffic from several sources. Assuming this is malicious, what is MOST likely explanation?
A DDoS attack
C
A PC technician has installed a new network printer that was preconfigured with the correct static IP address, subnet mask, and default gateway. The printer was installed with a new cable and appears to have link activity, but the printer will not respond to any network communication attempts. Which of the following is MOST likely the cause of the problem? A. Damaged cable B. Duplex mismatch C. Incorrect VLAN assignment D. Speed mismatch
Looking at logs for an online web application, you see that someone has entered the following phrase into several queries: ' or '1'='1' -- What is MOST likely the explanation for this?
A SQL injection attack
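The injection above, shown end to end as an added example that is not part of the study guide: a login query built by string concatenation against a small in-memory SQLite table, the same query with bound parameters, and a small pattern check of the kind a log reviewer would run. The user table, its credentials and the pattern list are constructed for the example.

```python
import re
import sqlite3


def make_database():
    """Constructed in-memory user table; the accounts and passwords are made up."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    return conn


def login_vulnerable(conn, username, password):
    """Builds the statement by concatenation, so quotes in the input become SQL."""
    sql = ("SELECT username FROM users WHERE username = '" + username +
           "' AND password = '" + password + "'")
    return [row[0] for row in conn.execute(sql)]


def login_parameterized(conn, username, password):
    """Same query with bound parameters: the input is data and can never close the
    string or add a condition."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (username, password))]


# The tautology from the question: closes the string, ORs in a condition that is
# always true, then comments out the password check.
PAYLOAD = "' or '1'='1' --"

# Log triage: a quote followed by OR/AND and a comparison, a trailing SQL comment,
# or a stacked DROP. Deliberately narrow; a WAF uses far more patterns.
SQLI_PATTERN = re.compile(r"'\s*(or|and)\s*'?\w*'?\s*=|--\s*$|;\s*drop\s", re.IGNORECASE)


def looks_like_sqli(value):
    return bool(SQLI_PATTERN.search(value))


def run_demo():
    """Returns (rows from the vulnerable login, rows from the safe login with the
    payload, rows from the safe login with real credentials)."""
    db = make_database()
    return (sorted(login_vulnerable(db, PAYLOAD, "anything")),
            login_parameterized(db, PAYLOAD, "anything"),
            login_parameterized(db, "alice", "s3cret"))


if __name__ == "__main__":
    vulnerable, safe, legit = run_demo()
    print("vulnerable login returns:", vulnerable)   # every user, password ignored
    print("parameterized login returns:", safe)      # nothing
    print("legitimate login returns:", legit)
    print("payload flagged in logs:", looks_like_sqli(PAYLOAD))
```

The concatenated statement becomes `... WHERE username = '' or '1'='1' --' AND password = 'anything'`; everything after `--` is a comment, so the password clause never runs and every row matches.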
C
A SQL server needs several terabytes of disk space available to do an uncompressed backup of a database. Which of the following devices would be the MOST cost efficient to use for this backup? A. iSCSI SAN B. FCoE SAN C. NAS D. USB flash drive
What can you use to logically separate computers in two different departments within a company?
A VLAN
A
A VLAN with a gateway offers no security without the addition of A. An ACL. B. 802.1w. C. A RADIUS server. D. 802.1d.
Checking the logs of a web server, you see the following entry: 198.252.69.129 - - [1/Sep/2013:05:20] "GET /index.php?username=ZZZZZZZZZZZZZZZBBBBBBBBCCCCCCC HTTP/1.1" "http://gcgapremium.com/security/" "Chrome31" What is the BEST choice to explain this entry?
A buffer overflow attack
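Detection logic for the log entry above, as an added example that is not part of the study guide. It parses lines in the simplified access-log layout the question uses (client IP, timestamp, request line, referer, user agent), pulls each query parameter out of the request path, and flags values that are either very long or dominated by one repeated character, the signature of the padding in an overflow attempt. The sample lines are constructed; the first echoes the question's entry with a longer padding value, and the length thresholds are assumptions to be tuned per application.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Simplified access-log layout used in the question (constructed, status/size omitted):
# client-ip - - [timestamp] "METHOD path PROTO" "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) - - \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>HTTP/[\d.]+)"'
)


def parse_request(line):
    """Return the request fields of one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def longest_run(value):
    """Length of the longest run of a single repeated character ('aabbbc' -> 3)."""
    return max((len(m.group(0)) for m in re.finditer(r"(.)\1*", value)), default=0)


def flag_overflow_candidates(lines, max_len=64, max_run=16):
    """Yield (client ip, parameter, value length, longest run) for every query
    parameter that is oversized or padded with one repeated character.
    The thresholds are assumptions; tune them to the application's real field sizes."""
    findings = []
    for line in lines:
        req = parse_request(line)
        if req is None:
            continue
        query = urlsplit(req["path"]).query
        for name, value in parse_qsl(query, keep_blank_values=True):
            run = longest_run(value)
            if len(value) > max_len or run > max_run:
                findings.append((req["ip"], name, len(value), run))
    return findings


# Constructed sample log. Line 1 mirrors the question's entry with 80 characters of
# padding; the others are ordinary requests.
PADDED = "Z" * 40 + "B" * 20 + "C" * 20
SAMPLE_LOG = [
    f'198.252.69.129 - - [1/Sep/2013:05:20] "GET /index.php?username={PADDED} HTTP/1.1" '
    '"http://gcgapremium.com/security/" "Chrome31"',
    '10.0.0.7 - - [1/Sep/2013:05:21] "GET /index.php?username=lisa&page=2 HTTP/1.1" "-" "Firefox"',
    '10.0.0.9 - - [1/Sep/2013:05:22] "POST /login.php HTTP/1.1" "-" "Chrome31"',
    'not a log line',
]

if __name__ == "__main__":
    for ip, param, length, run in flag_overflow_candidates(SAMPLE_LOG):
        print(f"{ip}: parameter '{param}' length={length} longest_run={run}")
```

A normal username is short and has no long runs, so the second line passes; the first is flagged on both counts. A value like this is an input-validation failure whether or not the target was actually overflowed, so the finding is worth a look even when the response was a 200.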
Which of the following best describes the purpose of LDAP?
A central point of user management
D
A certificate authority takes which of the following actions in PKI? A. Signs and verifies all infrastructure messages B. Issues and signs all private keys C. Publishes key escrow lists to CRLs D. Issues and signs all root certificates
B
A certificate used on an ecommerce web server is about to expire. Which of the following will occur if the certificate is allowed to expire? A. The certificate will be added to the Certificate Revocation List (CRL). B. Clients will be notified that the certificate is invalid. C. The ecommerce site will not function until the certificate is renewed. D. The ecommerce site will no longer use encryption.
Security personnel confiscated a user's workstation after a security incident. Administrators removed the hard drive for forensic analysis, but left it unattended for several hours before capturing an image. What could prevent the company from taking the employee to court over this incident?
A chain of custody was not maintained.
B
A company has a new offering to provide access to their product from a central location rather than clients internally hosting the product on the client network. The product contains sensitive corporate information that should not be accessible from one client to another. This is an example of which of the following? A. Public SaaS B. Private SaaS C. Hybrid IaaS D. Community IaaS
A
A company has decided to update their usage policy to allow employees to surf the web unrestricted from their work computers. Which of the following actions should the IT security team implement to help protect the network from attack as a result of this new policy? A. Install host-based anti-malware software B. Implement MAC filtering on all wireless access points C. Add an implicit deny to the core router ACL D. Block port 80 outbound on the company firewall E. Require users to utilize two-factor authentication
D
A company has had several virus infections over the past few months. The infections were caused by vulnerabilities in the application versions that are being used. Which of the following should an administrator implement to prevent future outbreaks? A. Host-based intrusion detection systems B. Acceptable use policies C. Incident response team D. Patch management
B
A company has implemented the capability to send all log files to a central location by utilizing an encrypted channel. The log files are sent to this location in order to be reviewed. A recent exploit has caused the company's encryption to become unsecure. Which of the following would be required to resolve the exploit? A. Utilize a FTP service B. Install recommended updates C. Send all log files through SMTP D. Configure the firewall to block port 22
C
A company has seen an increase in ransomware across the enterprise. Which of the following should be implemented to reduce the occurrences? A. ARP inspection B. Intrusion detection system C. Web content filtering D. Port filtering
C
A company hires outside security experts to evaluate the security status of the corporate network. All of the company's IT resources are outdated and prone to crashing. The company requests that all testing be performed in a way which minimizes the risk of system failures. Which of the following types of testing does the company want performed? A. Penetration testing B. WAF testing C. Vulnerability scanning D. White box testing
A
A company is deploying a new wireless network and requires 800Mbps network throughput. Which of the following is the MINIMUM configuration that would meet this need? A. 802.11ac with 2 spatial streams and an 80MHz bandwidth B. 802.11ac with 3 spatial streams and a 20MHz bandwidth C. 802.11ac with 3 spatial streams and a 40MHz bandwidth D. 802.11ac with 4 spatial streams and a 160MHz bandwidth
A
A company is experiencing accessibility issues reaching services on a cloud-based system. Which of the following monitoring tools should be used to locate possible outages? A. Network analyzer B. Packet analyzer C. Protocol analyzer D. Network sniffer
D
A company is experiencing very slow network speeds of 54Mbps. A technician has been hired to perform an assessment on the existing wireless network. The technician has recommended an 802.11n network infrastructure. Which of the following allows 802.11n to reach higher speeds? A. MU-MIMO B. LWAPP C. PoE D. MIMO
C E
A company replaces a number of devices with a mobile appliance, combining several functions. Which of the following descriptions fits this new implementation? (Select TWO). A. Cloud computing B. Virtualization C. All-in-one device D. Load balancing E. Single point of failure
D
A company wants to create highly available datacenters. Which of the following will allow the company to continue to maintain an Internet presence at all sites in the event that a WAN circuit at one site goes down? A. Load balancer B. VRRP C. OSPF D. BGP
C
A company wants to ensure that its hot site is prepared and functioning. Which of the following would be the BEST process to verify the backup datacenter is prepared for such a scenario? A. Site visit to the backup data center B. Disaster recovery plan review C. Disaster recovery exercise D. Restore from backup
A
A company wants to make sure that users are required to authenticate prior to being allowed on the network. Which of the following is the BEST way to accomplish this? A. 802.1x B. 802.1p C. Single sign-on D. Kerberos
A
A company's business model was changed to provide more web presence and now its ERM software is no longer able to support the security needs of the company. The current data center will continue to provide network and security services. Which of the following network elements would be used to support the new business model? A. Software as a Service B. DMZ C. Remote access support D. Infrastructure as a Service
D
A company's chief information officer (CIO) has analyzed the financial loss associated with the company's database breach. They calculated that one single breach could cost the company $1,000,000 at a minimum. Which of the following documents is the CIO MOST likely updating? A. Succession plan B. Continuity of operation plan C. Disaster recovery plan D. Business impact analysis
B D
A company's employees were victims of a spear phishing campaign impersonating the CEO. The company would now like to implement a solution to improve the overall security posture by assuring their employees that email originated from the CEO. Which of the following controls could they implement to BEST meet this goal? (Select TWO) A. Spam filter B. Digital signatures C. Antivirus software D. Digital certificates
C
A company's security administrator wants to manage PKI for internal systems to help reduce costs. Which of the following is the FIRST step the security administrator should take? A. Install a registration server. B. Generate shared public and private keys. C. Install a CA. D. Establish a key escrow policy.
C
A compromised workstation utilized in a Distributed Denial of Service (DDOS) attack has been removed from the network and an image of the hard drive has been created. However, the system administrator stated that the system was left unattended for several hours before the image was created. In the event of a court case, which of the following is likely to be an issue with this incident? A. Eye Witness B. Data Analysis of the hard drive C. Chain of custody D. Expert Witness
C
A computer program containing malicious segment that attaches itself to an application program or other executable component is called: A. Adware B. Spam C. Virus D. Flash Cookie
B
A computer that has been compromised by a virus or Trojan horse that puts it under the remote control of an online hijacker is called: A. Honeypot B. Zombie C. Rootkit D. Backdoor
C
A customer has engaged a company to improve the availability of all of the customer's services and applications, enabling the customer to minimize downtime to a few hours per quarter. Which of the following will document the scope of the activities the company will provide to the customer, including the intended outcomes? A. MLA B. MOU C. SOW D. SLA
A
A customer service department has a business need to send high volumes of confidential information to customers electronically. All emails go through a DLP scanner. Which of the following is the BEST solution to meet the business needs and protect confidential information? A. Automatically encrypt impacted outgoing emails B. Automatically encrypt impacted incoming emails C. Monitor impacted outgoing emails D. Prevent impacted outgoing emails
Your company is considering implementing SSO capabilities for company applications and linking them to a social media site. When implemented, users can log on to Facebook and then access company applications without logging on again. What is a potential risk related to this plan?
A data breach exposing passwords on the social media site will affect the company application
A
A database administrator receives a call on an outside telephone line from a person who states that they work for a well-known database vendor. The caller states there have been problems applying the newly released vulnerability patch for their database system, and asks what version is being used so that they can assist. Which of the following is the BEST action for the administrator to take? A. Thank the caller, report the contact to the manager, and contact the vendor support line to verify any reported patch issues. B. Obtain the vendor's email and phone number and call them back after identifying the number of systems affected by the patch. C. Give the caller the database version and patch level so that they can receive help applying the patch. D. Call the police to report the contact about the database systems, and then check system logs for attack attempts.
A
A desktop computer is connected to the network and receives an APIPA address but is unable to reach the VLAN gateway of 10.10.100.254. Other PCs in the VLAN subnet are able to reach the Internet. Which of the following is MOST likely the source of the problem? A. 802.1q is not configured on the switch port B. APIPA has been misconfigured on the VLAN C. Bad SFP in the PC's 10/100 NIC D. OS updates have not been installed
Of the following choices, what controls traffic between networks?
A firewall
A
A firewall ACL is configured as follows, with the rules numbered 10 through 13 in their current order (the numbering the answer choices refer to): (10) Deny Any Trust to Any DMZ eq to TCP port 22; (11) Allow 10.200.0.0/16 to Any DMZ eq to Any; (12) Allow 10.0.0.0/8 to Any DMZ eq to TCP ports 80, 443; (13) Deny Any Trust to Any DMZ eq to Any. A technician notices that users in the 10.200.0.0/16 network are unable to SSH into servers in the DMZ. The company wants 10.200.0.0/16 to be able to use any protocol, but restrict the rest of the 10.0.0.0/8 subnet to web browsing only. Reordering the ACL in which of the following manners would meet the company's objectives? A. 11, 10, 12, 13 B. 12, 10, 11, 13 C. 13, 10, 12, 11 D. 13, 12, 11, 10
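First-match evaluation of the ACL above, as an added example that is not part of the study guide. It encodes the four rules, walks them in a given order for a packet, and tests each candidate ordering against the company's stated objectives. The rule numbers 10 to 13 follow the answer choices (assumed to number the rules top to bottom as listed); the traffic cases are constructed; and because every rule is Trust to DMZ, zones are not modelled.

```python
import ipaddress

# The four rules from the question, keyed by the numbers the answer choices use
# (assumption: numbered 10-13 top to bottom as listed). Each entry is
# (action, source network, protocol, destination ports or None for any).
RULES = {
    10: ("deny",  "0.0.0.0/0",     "tcp", {22}),
    11: ("allow", "10.200.0.0/16", "any", None),
    12: ("allow", "10.0.0.0/8",    "tcp", {80, 443}),
    13: ("deny",  "0.0.0.0/0",     "any", None),
}


def evaluate(order, src_ip, proto, dport):
    """Walk the rules in `order`; return (action, rule number) for the first rule
    whose source, protocol and port all match, or an implicit deny."""
    src = ipaddress.ip_address(src_ip)
    for number in order:
        action, net, rproto, ports = RULES[number]
        if src not in ipaddress.ip_network(net):
            continue
        if rproto != "any" and rproto != proto:
            continue
        if ports is not None and dport not in ports:
            continue
        return action, number
    return "deny", None


# Constructed traffic cases encoding the objectives: 10.200.0.0/16 may use any
# protocol; the rest of 10.0.0.0/8 gets web browsing only; nothing else gets in.
OBJECTIVES = [
    ("10.200.4.20", "tcp", 22,   "allow"),   # SSH from the privileged range
    ("10.200.4.20", "tcp", 3389, "allow"),   # and anything else from it
    ("10.7.1.15",   "tcp", 443,  "allow"),   # web from the rest of the /8
    ("10.7.1.15",   "tcp", 80,   "allow"),
    ("10.7.1.15",   "tcp", 22,   "deny"),    # no SSH for the rest
    ("10.7.1.15",   "udp", 53,   "deny"),
    ("192.168.9.9", "tcp", 80,   "deny"),    # outside 10/8 entirely
]


def meets_objectives(order):
    return all(evaluate(order, s, p, d)[0] == want for s, p, d, want in OBJECTIVES)


def first_failing_case(order):
    """The first objective an ordering breaks, with the rule that broke it, or None."""
    for s, p, d, want in OBJECTIVES:
        action, number = evaluate(order, s, p, d)
        if action != want:
            return (s, p, d, want, action, number)
    return None


if __name__ == "__main__":
    candidates = {"current": [10, 11, 12, 13], "A": [11, 10, 12, 13],
                  "B": [12, 10, 11, 13], "C": [13, 10, 12, 11], "D": [13, 12, 11, 10]}
    for label, order in candidates.items():
        verdict = "OK" if meets_objectives(order) else f"fails on {first_failing_case(order)}"
        print(label, order, verdict)
```

In the current order the blanket SSH deny (10) sits above the 10.200.0.0/16 allow (11), so it wins first match for the privileged users. Moving 11 above 10 lets that range through on any port while 10 still catches SSH from the rest of 10.0.0.0/8 before 12 can allow web traffic; any ordering that starts with the catch-all deny (13) blocks everything.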
C
A forensic analyst is reviewing electronic evidence after a robbery. Security cameras installed at the site were facing the wrong direction to capture the incident. The analyst ensures the cameras are turned to face the proper direction. Which of the following types of controls is being used? A. Detective B. Deterrent C. Corrective D. Preventive
You need to implement a backup strategy that allows the fastest recovery of data. What provides the best solution?
A full backup daily
What is TPM?
A hardware chip that stores encryption keys
(47) What is TPM? A method used to erase data on lost mobile devices such as mobile phones A hardware chip that stores encryption keys A system that can examine email to detect if confidential data is included A removable device that stores encryption keys
A hardware chip that stores encryption keys
A
A host has been assigned the address 169.254.0.1. This is an example of which of the following address types? A. APIPA B. MAC C. Static D. Public
A
A major security risk with co-mingling of hosts with different security requirements is: A. Security policy violations. B. Zombie attacks. C. Password compromises. D. Privilege creep.
B
A malicious user floods a switch with frames hoping to redirect traffic to the user's server. Which of the following attacks is the user MOST likely using? A. DNS poisoning B. ARP poisoning C. Reflection D. SYN attack
Developers are planning to develop an application using role-based access control. What is MOST likely included in their planning?
A matrix of functions matched with their required privileges
B
A network administrator has created a virtual machine in the cloud. The technician would like to connect to the server remotely using RDP. Which of the following default ports needs to be opened? A. 445 B. 3389 C. 5004 D. 5060
B
A network administrator is configuring access control for the sales department which has high employee turnover. Which of the following is BEST suited when assigning user rights to individuals in the sales department? A. Time of day restrictions B. Group based privileges C. User assigned privileges D. Domain admin restrictions
C
A network administrator is looking for a way to automatically update company browsers so they import a list of root certificates from an online source. This online source will then be responsible for tracking which certificates are to be trusted or not trusted. Which of the following BEST describes the service that should be implemented to meet these requirements? A. Trust model B. Key escrow C. OCSP D. PKI
A
A network administrator recently installed a web proxy server at a customer's site. The following week, a system administrator replaced the DNS server overnight. The next day, customers began having issues accessing public websites. Which of the following will resolve the issue? A. Update the DNS server with the proxy server information. B. Implement a split horizon DNS server. C. Reboot the web proxy and then reboot the DNS server. D. Put the proxy server on the other side of the demarc.
A
A network administrator recently updated various network devices to ensure redundancy throughout the network. If an interface on any of the Layer 3 devices were to go down, traffic will still pass through another interface and the production environment would be unaffected. This type of configuration represents which of the following concepts? A. High availability B. Load balancing C. Backout contingency plan D. Clustering
A
A network engineer is dispatched to an employee office to troubleshoot an issue with the employee's laptop. The employee is unable to connect to local and remote resources. The network engineer flips the laptop's wireless switch on to resolve the issue. At which of the following layers of the OSI model was the issue resolved? A. Layer 1 B. Layer 2 C. Layer 3 D. Layer 4 E. Layer 7
C
A network engineer needs to set up a topology that will not fail if there is an outage on a single piece of the topology. However, the computers need to wait to talk on the network to avoid congestion. Which of the following topologies would the engineer implement? A. Star B. Bus C. Ring D. Mesh
A
A network technician has been assigned to install an additional router on a wireless network. The router has a different SSID and frequency. All users on the new access point and the main network can ping each other and utilize the network printer, but all users on the new router cannot get to the Internet. Which of the following is the MOST likely cause of this issue? A. The gateway is misconfigured on the new router. B. The subnet mask is incorrect on the new router. C. The gateway is misconfigured on the edge router. D. The SSID is incorrect on the new router.
D
A network technician has been tasked to configure a new network monitoring tool that will examine interface settings throughout various network devices. Which of the following would need to be configured on each network device to provide that information in a secure manner? A. S/MIME B. SYSLOG C. PGP D. SNMPv3 E. RSH
B
A network technician has been tasked with designing a WLAN for a small office. One of the requirements of this design is that it is capable of supporting HD video streaming to multiple devices. Which of the following would be the appropriate wireless technology for this design? A. 802.11g B. 802.11ac C. 802.11b D. 802.11a
B
A network technician has detected a personal computer that has been physically connected to the corporate network. Which of the following commands would the network technician use to locate this unauthorized computer and determine the interface it is connected to? A. nbtstat -a B. show mac address-table C. show interface status D. show ip access-list E. nslookup hostname
B
A network technician has detected duplicate IP addresses on the network. After testing the behavior of rogue DHCP servers, the technician believes that the issue is related to an unauthorized home router. Which of the following should the technician do NEXT in the troubleshooting methodology? A. Document the findings and action taken. B. Establish a plan to locate the rogue DHCP server. C. Remove the rogue DHCP server from the network. D. Identify the root cause of the problem.
D
A network technician has just installed a TFTP server on the administrative segment of the network to store router and switch configurations. After a transfer attempt to the server is made, the process errors out. Which of the following is a cause of the error? A. Only FTP can be used to copy configurations from switches B. Anonymous users were not used to log into the TFTP server C. An incorrect password was used and the account is now locked D. Port 69 is blocked on a router between the network segments
C
A network technician has received a help desk ticket indicating that after the new wireless access point was installed, all of the media department's devices are experiencing sporadic wireless connectivity. All other departments are connecting just fine and the settings on the new access point were copied from the baseline. Which of the following is a reason why the media department is not connecting? A. Wrong SSID B. Rogue access point C. Placement D. Channel mismatch
D
A network technician has received comments from several users that cannot reach a particular website. Which of the following commands would provide the BEST information about the path taken across the network to this website? A. ping B. netstat C. telnet D. tracert
C
A network technician has set up an FTP server for the company to distribute software updates for their products. Each vendor is provided with a unique username and password for security. Several vendors have discovered a virus in one of the security updates. The company tested all files before uploading them but retested the file and found the virus. Which of the following could the technician do for vendors to validate the proper security patch? A. Use TFTP for tested and secure downloads B. Require biometric authentication for patch updates C. Provide an MD5 hash for each file D. Implement a RADIUS authentication
A
A network technician is assisting the company with developing a new business continuity plan. Which of the following would be an appropriate suggestion to add to the plan? A. Build redundant links between core devices B. Physically secure all network equipment C. Maintain up-to-date configuration backups D. Perform reoccurring vulnerability scans
B
A network technician is attempting to connect a new host to existing manufacturing equipment on an Ethernet network. The technician is having issues trying to establish communication between the old equipment and the new host. The technician checks the cabling for breaks and finds that the CAT3 cable in use is in perfect condition. Which of the following should the technician check to ensure the new host will connect? A. Confirm the new host is using 10GBaseSR due to the manufacturing environment B. Confirm the new host is compatible with 10BaseT Ethernet C. Confirm the existing 10Base2 equipment is using the proper frame type D. Confirm that CSMA/CD is disabled on the Ethernet network
D
A network technician is attempting to locate a switch connected to the fourth floor west side of the building. Which of the following will allow quick identification of the switch, when looking at a logical diagram? A. Building layout B. Patch panel labeling C. Packet sniffing D. Naming conventions
D
A network technician is diligent about maintaining all system servers at the most current service pack level available. After performing upgrades, users experience issues with server-based applications. Which of the following should be used to prevent issues in the future? A. Configure an automated patching server B. Virtualize the servers and take daily snapshots C. Configure a honeypot for application testing D. Configure a test lab for updates
C
A network technician is performing a tracert command to troubleshoot a website-related issue. The following output is received for each hop in the tracert * * * Request timed out. * * * Request timed out. * * * Request timed out. The technician would like to see the results of the tracert command. Which of the following will allow the technician to perform tracert on external sites but not allow outsiders to discover information from inside the network? A. Enable split horizon to allow internal tracert commands to pass through the firewall B. Enable IGMP messages out and block IGMP messages into the network C. Configure the firewall to allow echo reply in and echo request out of the network D. Install a backdoor to access the router to allow tracert messages to pass through
D
A network technician is performing a wireless survey in the office and discovers a device that was not installed by the networking team. This is an example of which of following threats? A. Bluesnarfing B. DDoS C. Brute force D. Rogue AP
D
A network technician is troubleshooting a problem at a remote site. It has been determined that the connection from router A to router B is down. The technician at the remote site re-terminates the CAT5 cable that connects the two routers as a straight through cable. The cable is then tested and is plugged into the correct interface. Which of the following would be the result of this action? A. The normal amount of errors and the connection problem has been resolved. B. The interface status will indicate that the port is administratively down. C. The traffic will flow, but with excessive errors. D. The interface status will show line protocol down.
D
A network technician is using a network monitoring system and notices that every device on a particular segment has lost connectivity. Which of the following should the network technician do NEXT? A. Establish a theory of probable cause. B. Document actions and findings. C. Determine next steps to solve the problem. D. Determine if anything has changed.
A B
A network technician is utilizing a network protocol analyzer to troubleshoot issues that a user has been experiencing when uploading work to the internal FTP server. Which of the following default port numbers should the technician set the analyzer to highlight when creating a report? (Select TWO). A. 20 B. 21 C. 22 D. 23 E. 67 F. 68 G. 69
A
A network technician must create a wireless link between two buildings in an office park utilizing the 802.11ac standard. The antenna chosen must have a small physical footprint and minimal weight as it will be mounted on the outside of the building. Which of the following antenna types is BEST suited for this solution? A. Yagi B. Omni-directional C. Parabolic D. Patch
B E
A network technician must utilize multimode fiber to uplink a new networking device. Which of the following Ethernet standards could the technician utilize? (Select TWO). A. 1000Base-LR B. 1000Base-SR C. 1000Base-T D. 10GBase-LR E. 10GBase-SR F. 10GBase-T
D
A network technician was tasked to respond to a compromised workstation. The technician documented the scene, took the machine offline, and left the PC under a cubicle overnight. Which of the following steps of incident handling has been incorrectly performed? A. Document the scene B. Forensics report C. Evidence collection D. Chain of custody
A
A network topology that utilizes a central device with point-to-point connections to all other devices is which of the following? A. Star B. Ring C. Mesh D. Bus
Employees regularly send email in and out of the company. The company suspects some employees are sending out confidential data, and it wants to take steps to reduce this risk. What can it use?
A network-based DLP
C
A new MPLS network link has been established between a company and its business partner. The link provides logical isolation in order to prevent access from other business partners. Which of the following should be applied in order to achieve confidentiality and integrity of all data across the link? A. MPLS should be run in IPVPN mode. B. SSL/TLS for all application flows. C. IPSec VPN tunnels on top of the MPLS link. D. HTTPS and SSH for all application flows.
(18) You want to ensure that users must use passwords with at least eight characters and a mix of at least three of the following four character types: uppercase, lowercase, numbers, and symbols. What would you use? An account lockout policy A password policy A training program IPsec encryption
A password policy
(70) Why is it important to gain consent from a system owner prior to starting a penetration test? This is not a requirement A penetration test can cause increased performance A penetration test can cause system instability A penetration test can reduce system resource usage
A penetration test can cause system instability
A user complains that his system is no longer able to access the blogs.getcertifiedgetahead.com site. Instead, his browser goes to a different site. After investigation, you notice the following entries in the user's hosts file: 127.0.0.1 localhost 72.52.230.233 blogs.getcertifiedgetahead.com What is the BEST explanation for this entry?
A pharming attack
A
A process in which the functionality of an application is tested without any knowledge of the internal mechanisms of the application is known as: A. Black box testing B. White box testing C. Black hat testing D. Gray box testing
D
A quality assurance analyst is reviewing a new software product for security, and has complete access to the code and data structures used by the developers. This is an example of which of the following types of testing? A. Black box B. Penetration C. Gray box D. White box
Which of the following statements are true regarding risk assessments? (Choose two).
A quantitative risk assessment uses hard numbers. A qualitative risk assessment uses a subjective ranking.
B D
A recent audit of a company's identity management system shows that 30% of active accounts belong to people no longer with the firm. Which of the following should be performed to help avoid this scenario? (Select TWO). A. Automatically disable accounts that have not been utilized for at least 10 days. B. Utilize automated provisioning and de-provisioning processes where possible. C. Request that employees provide a list of systems that they have access to prior to leaving the firm. D. Perform regular user account review / revalidation process. E. Implement a process where new account creations require management approval.
C
A recent computer breach has resulted in the incident response team needing to perform a forensics examination. Upon examination, the forensics examiner determines that they cannot tell which captured hard drive was from the device in question. Which of the following would have prevented the confusion experienced during this examination? A. Perform routine audit B. Chain of custody C. Evidence labeling D. Hashing the evidence
C
A recent intrusion has resulted in the need to perform incident response procedures. The incident response team has identified audit logs throughout the network and organizational systems which hold details of the security breach. Prior to this incident, a security consultant informed the company that they needed to implement an NTP server on the network. Which of the following is a problem that the incident response team will likely encounter during their assessment? A. Chain of custody B. Tracking man hours C. Record time offset D. Capture video traffic
An organization is implementing a data policy and wants to designate a recovery agent. Which of the following indicates what a recovery agent can do?
A recovery agent can decrypt data if users lose their private key
(27) A file server failed and a user was unable to access it. After repairing the program, you attempt to ping the server to verify it was working. The ping fails, but the user is able to access the server. What is the most likely reason why the ping fails? A router between you and the file server is blocking ICMP TCP and UDP is blocked at a router between you and the file server A flood guard blocked the ping A host enumeration sweep is running
A router between you and the file server is blocking ICMP
A
A security administrator has been tasked to ensure access to all network equipment is controlled by a central server such as TACACS+. This type of implementation supports which of the following risk mitigation strategies? A. User rights and permissions review B. Change management C. Data loss prevention D. Implement procedures to prevent data theft
C
A security administrator has concerns about new types of media which allow for the mass distribution of personal comments to a select group of people. To mitigate the risks involved with this media, employees should receive training on which of the following? A. Peer to Peer B. Mobile devices C. Social networking D. Personally owned devices
C
A security administrator has installed a new KDC for the corporate environment. Which of the following authentication protocols is the security administrator planning to implement across the organization? A. LDAP B. RADIUS C. Kerberos D. XTACACS
C
A security administrator is aware that a portion of the company's Internet-facing network tends to be non-secure due to poorly configured and patched systems. The business owner has accepted the risk of those systems being compromised, but the administrator wants to determine the degree to which those systems can be used to gain access to the company intranet. Which of the following should the administrator perform? A. Patch management assessment B. Business impact assessment C. Penetration test D. Vulnerability assessment
A
A security administrator is responsible for performing periodic reviews of user permission settings due to high turnover and internal transfers at a corporation. Which of the following BEST describes the procedure and security rationale for performing such reviews? A. Review all user permissions and group memberships to ensure only the minimum set of permissions required to perform a job is assigned. B. Review the permissions of all transferred users to ensure new permissions are granted so the employee can work effectively. C. Ensure all users have adequate permissions and appropriate group memberships, so the volume of help desk calls is reduced. D. Ensure former employee accounts have no permissions so that they cannot access any network file stores and resources.
C
A security administrator is tasked with calculating the total ALE on servers. In a two year period of time, a company has to replace five servers. Each server replacement has cost the company $4,000 with downtime costing $3,000. Which of the following is the ALE for the company? A. $7,000 B. $10,000 C. $17,500 D. $35,000
A D F
A security administrator must implement all requirements in the following corporate policy: - Passwords shall be protected against offline password brute force attacks. - Passwords shall be protected against online password brute force attacks. Which of the following technical controls must be implemented to enforce the corporate policy? (Select THREE). A. Account lockout B. Account expiration C. Screen locks D. Password complexity E. Minimum password lifetime F. Minimum password length
D
A security administrator needs a locally stored record to remove the certificates of a terminated employee. Which of the following describes a service that could meet these requirements? A. OCSP B. PKI C. CA D. CRL
C
A security administrator needs to image a large hard drive for forensic analysis. Which of the following will allow for faster imaging to a second hard drive? A. cp /dev/sda /dev/sdb bs=8k B. tail -f /dev/sda > /dev/sdb bs=8k C. dd in=/dev/sda out=/dev/sdb bs=4k D. locate /dev/sda /dev/sdb bs=4k
D
A security administrator plans on replacing a critical business application in five years. Recently, there was a security flaw discovered in the application that will cause the IT department to manually re-enable user accounts each month at a cost of $2,000. Patching the application today would cost $140,000 and take two months to implement. Which of the following should the security administrator do in regards to the application? A. Avoid the risk to the user base allowing them to re-enable their own accounts B. Mitigate the risk by patching the application to increase security and saving money C. Transfer the risk replacing the application now instead of in five years D. Accept the risk and continue to enable the accounts each month saving money
A
A security administrator visits a remote data center dressed as a delivery person. Which of the following is MOST likely being conducted? A. Social engineering B. Remote access C. Vulnerability scan D. Trojan horse
C
A security administrator wants to check user password complexity. Which of the following is the BEST tool to use? A. Password history B. Password logging C. Password cracker D. Password hashing
A
A security administrator wants to deploy a physical security control to limit an individual's access into a sensitive area. Which of the following should be implemented? A. Guards B. CCTV C. Bollards D. Spike strip
B
A security administrator wants to get a real time look at what attackers are doing in the wild, hoping to lower the risk of zero-day attacks. Which of the following should be used to accomplish this goal? A. Penetration testing B. Honeynets C. Vulnerability scanning D. Baseline reporting
D
A security analyst informs the Chief Executive Officer (CEO) that a security breach has just occurred. This results in the Risk Manager and Chief Information Officer (CIO) being caught unaware when the CEO asks for further information. Which of the following strategies should be implemented to ensure the Risk Manager and CIO are not caught unaware in the future? A. Procedure and policy management B. Chain of custody management C. Change management D. Incident management
A C
A security analyst performs the following activities: monitors security logs, installs surveillance cameras, and analyzes trend reports. Which of the following job responsibilities is the analyst performing? (Select TWO). A. Detect security incidents B. Reduce attack surface of systems C. Implement monitoring controls D. Hardening network devices E. Prevent unauthorized access
C
A security architect has developed a framework in which several authentication servers work together to increase processing power for an application. Which of the following does this represent? A. Warm site B. Load balancing C. Clustering D. RAID
B D
A security engineer is given new application extensions each month that need to be secured prior to implementation. They do not want the new extensions to invalidate or interfere with existing application security. Additionally, the engineer wants to ensure that the new requirements are approved by the appropriate personnel. Which of the following should be in place to meet these two goals? (Select TWO). A. Patch Audit Policy B. Change Control Policy C. Incident Management Policy D. Regression Testing Policy E. Escalation Policy F. Application Audit Policy
A
A security specialist has been asked to evaluate a corporate network by performing a vulnerability assessment. Which of the following will MOST likely be performed? A. Identify vulnerabilities, check applicability of vulnerabilities by passively testing security controls. B. Verify vulnerabilities exist, bypass security controls and exploit the vulnerabilities. C. Exploit security controls to determine vulnerabilities and mis-configurations. D. Bypass security controls and identify applicability of vulnerabilities by passively testing security controls.
B
A service provider is unable to maintain connectivity to several remote sites at predetermined speeds. The service provider could be in violation of the A. MLA. B. SLA. C. SOW. D. MOU.
A
A set of standardized system images with a pre-defined set of applications is used to build end user workstations. The security administrator has scanned every workstation to create a current inventory of all applications that are installed on active workstations and is documenting which applications are out-of-date and could be exploited. The security administrator is determining the: A. Attack surface. B. Application hardening effectiveness. C. Application baseline. D. OS hardening effectiveness.
C
A software development company has hired a programmer to develop a plug-in module to an existing proprietary application. After completing the module, the developer needs to test the entire application to ensure that the module did not introduce new vulnerabilities. Which of the following is the developer performing when testing the application? A. Black box testing B. White box testing C. Gray box testing D. Design review
D
A software development company wants to implement a digital rights management solution to protect its intellectual property. Which of the following should the company implement to enforce software digital rights? A. Transport encryption B. IPsec C. Non-repudiation D. Public key infrastructure
B
A standalone malicious computer program that replicates itself over a computer network is known as: A. Firmware B. Worm C. Spyware D. Spam
C
A supervisor in the human resources department has been given additional job duties in the accounting department. Part of their new duties will be to check the daily balance sheet calculations on spreadsheets that are restricted to the accounting group. In which of the following ways should the account be handled? A. The supervisor should be allowed to have access to the spreadsheet files, and their membership in the human resources group should be terminated. B. The supervisor should be removed from the human resources group and added to the accounting group. C. The supervisor should be added to the accounting group while maintaining their membership in the human resources group. D. The supervisor should only maintain membership in the human resources group.
A system encrypts data prior to transmitting it over a network, and the system on the other end of the transmission media decrypts it. If the systems are using a symmetric encryption algorithm for encryption and decryption, which of the following statements is true?
A symmetric encryption algorithm uses the same key to encrypt and decrypt data at both ends of the transmission media.
A
A system administrator has been tasked to ensure that the software team is not affecting the production software when developing enhancements. The software that is being updated is on a very short SDLC and enhancements must be developed rapidly. These enhancements must be approved before being deployed. Which of the following will mitigate production outages before the enhancements are deployed? A. Implement an environment to test the enhancements. B. Implement ACLs that only allow management access to the enhancements. C. Deploy an IPS on the production network. D. Move the software team's workstations to the DMZ.
A D
A system administrator is notified by a staff member that their laptop has been lost. The laptop contains the user's digital certificate. Which of the following will help resolve the issue? (Select TWO). A. Revoke the digital certificate B. Mark the key as private and import it C. Restore the certificate using a CRL D. Issue a new digital certificate E. Restore the certificate using a recovery agent
D
A system administrator is responding to a legal order to turn over all logs from all company servers. The system administrator records the system time of all servers to ensure that: A. HDD hashes are accurate. B. the NTP server works properly. C. chain of custody is preserved. D. time offset can be calculated.
B
A system administrator is using a packet sniffer to troubleshoot remote authentication. The administrator detects a device trying to communicate to TCP port 49. Which of the following authentication methods is MOST likely being attempted? A. RADIUS B. TACACS+ C. Kerberos D. LDAP
D
A system administrator wants to update a web-based application to the latest version. Which of the following procedures should the system administrator perform FIRST? A. Remove all user accounts on the server B. Isolate the server logically on the network C. Block all HTTP traffic to the server D. Install the software in a test environment
B
A system security analyst using an enterprise monitoring tool notices an unknown internal host exfiltrating files to several foreign IP addresses. Which of the following would be an appropriate mitigation technique? A. Disabling unnecessary accounts B. Rogue machine detection C. Encrypting sensitive files D. Implementing antivirus
D
A technician has been given a list of requirements for a LAN in an older building using CAT6 cabling. Which of the following environmental conditions should be considered when deciding whether or not to use plenum-rated cables? A. Workstation models B. Window placement C. Floor composition D. Ceiling airflow condition
C
A technician has finished configuring AAA on a new network device. However, the technician is unable to log into the device with LDAP credentials but is able to do so with a local user account. Which of the following is the MOST likely reason for the problem? A. Username is misspelled in the device configuration file B. IDS is blocking RADIUS C. Shared secret key is mismatched D. Group policy has not propagated to the device
B
A technician has prolonged contact with a thermal compound. Which of the following resources should be consulted? A. HCL B. MSDS C. SLA D. HVAC
D
A technician has verified that a recent loss of network connectivity to multiple workstations is due to a bad CAT5 cable in the server room wall. Which of the following tools can be used to locate its physical location within the wall? A. Cable certifier B. Multimeter C. Cable tester D. Toner probe
A
A technician is configuring a managed switch and needs to enable 802.3af. Which of the following should the technician enable? A. PoE B. Port bonding C. VLAN D. Trunking
C
A technician is connecting a NAS device to an Ethernet network. Which of the following technologies will be used to encapsulate the frames? A. HTTPS B. Fibre channel C. iSCSI D. MS-CHAP
B
A technician is helping a SOHO determine where to install the server. Which of the following should be considered FIRST? A. Compatibility requirements B. Environment limitations C. Cable length D. Equipment limitations
D
A technician is installing a surveillance system for a home network. The technician is unsure which ports need to be opened to allow remote access to the system. Which of the following should the technician perform? A. Disable the network based firewall B. Implicit deny all traffic on network C. Configure a VLAN on Layer 2 switch D. Add the system to the DMZ
C
A technician is setting up a computer lab. Computers on the same subnet need to communicate with each other using peer to peer communication. Which of the following would the technician MOST likely configure? A. Hardware firewall B. Proxy server C. Software firewall D. GRE tunneling
B
A technician is setting up a new network and wants to create redundant paths through the network. Which of the following should be implemented to prevent performance degradation? A. Port mirroring B. Spanning tree C. ARP inspection D. VLAN
A
A technician is tasked with connecting a router to a DWDM. The technician connects the router to the multiplexer and confirms that there is a good signal level. However, the interface on the router will not come up. Which of the following is the MOST likely cause? A. The wrong wavelength was demuxed from the multiplexer. B. The SFP in the multiplexer is malfunctioning. C. There is a dirty connector on the fiber optic cable. D. The fiber optic cable is bent in the management tray.
D
A technician is troubleshooting a wired device on the network. The technician notices that the link light on the NIC does not illuminate. After testing the device on a different RJ-45 port, the device connects successfully. Which of the following is causing this issue? A. EMI B. RFI C. Cross-talk D. Bad wiring
B
A technician just completed a new external website and setup access rules in the firewall. After some testing, only users outside the internal network can reach the site. The website responds to a ping from the internal network and resolves the proper public address. Which of the following could the technician do to fix this issue while causing internal users to route to the website using an internal address? A. Configure NAT on the firewall B. Implement a split horizon DNS C. Place the server in the DMZ D. Adjust the proper internal ACL
C
A technician needs to ensure that new systems are protected from electronic snooping of Radio Frequency emanations. Which of the following standards should be consulted? A. DWDM B. MIMO C. TEMPEST D. DOCSIS
C
A technician needs to install software onto company laptops to protect local running services from external threats. Which of the following should the technician install and configure on the laptops if the threat is network based? A. A cloud-based antivirus system with a heuristic and signature based engine B. A network based firewall which blocks all inbound communication C. A host-based firewall which allows all outbound communication D. A HIDS to inspect both inbound and outbound network communication
B
A technician needs to limit the amount of broadcast traffic on a network and allow different segments to communicate with each other. Which of the following options would satisfy these requirements? A. Add a router and enable OSPF. B. Add a layer 3 switch and create a VLAN. C. Add a bridge between two switches. D. Add a firewall and implement proper ACL.
A
A technician needs to secure web traffic for a new e-commerce website. Which of the following will secure traffic between a web browser and a website? A. SSL B. DNSSEC C. WPA2 D. MTU
D
A technician needs to set aside addresses in a DHCP pool so that certain servers always receive the same address. Which of the following should be configured? A. Leases B. Helper addresses C. Scopes D. Reservations
B
A technician recently ran a 20-meter section of CAT6 to relocate a control station to a more central area on the production floor. Since the relocation, the helpdesk has received complaints about intermittent operation. During the troubleshooting process, the technician noticed that collisions are only observed on the switch port during production. Given this information, which of the following is the cause of the problem? A. Distance limitation B. Electromagnetic interference C. Cross talk D. Speed and duplex mismatch
C
A technician wants to securely manage several remote network devices. Which of the following should be implemented to securely manage the devices? A. WPA2 B. IPv6 C. SNMPv3 D. RIPv2
C
A technician would like to track the improvement of the network infrastructure after upgrades. Which of the following should the technician implement to have an accurate comparison? A. Regression test B. Speed test C. Baseline D. Statement of work
E
A technician, Joe, has been tasked with assigning two IP addresses to WAN interfaces on connected routers. In order to conserve address space, which of the following subnet masks should Joe use for this subnet? A. /24 B. /32 C. /28 D. /29 E. /30
B
A technician, Joe, needs to troubleshoot a recently installed NIC. He decides to ping the local loopback address. Which of the following is a valid IPv4 loopback address? A. 10.0.0.1 B. 127.0.0.1 C. 172.16.1.1 D. 192.168.1.1
C
A third party application has the ability to maintain its own user accounts or it may use single sign-on. To use single sign-on, the application is requesting the following information: OU=Users, DC=Domain, DC=COM. This application is requesting which of the following authentication services? A. TACACS+ B. RADIUS C. LDAP D. Kerberos
(9) Which of the following accurately identifies a three-factor authentication system? A username, password, and PIN A token, password, and a retina scan A token, a password, and a PIN A fingerprint, retina scan, and password
A token, password, and a retina scan
D
A training class is being held in an auditorium. Hard-wired connections are required for all laptops that will be used. The network technician must add a switch to the room through which the laptops will connect for full network access. Which of the following must the technician configure on a switch port, for both switches, in order to create this setup? A. DHCP B. Split horizon C. CIDR D. TRUNK
C
A user calls the help desk and states that he was working on a spreadsheet and was unable to print it. However, his colleagues are able to print their documents to the same shared printer. Which of the following should be the FIRST question the helpdesk asks? A. Does the printer have toner? B. Are there any errors on the printer display? C. Is the user able to access any network resources? D. Is the printer powered up?
B
A user connects to a wireless network at the office and is able to access unfamiliar SMB shares and printers. Which of the following has happened to the user? A. The user is connected using the wrong channel. B. The user is connected to the wrong SSID. C. The user is experiencing an EMI issue. D. The user is connected to the wrong RADIUS server.
B
A user has received an email from an external source which asks for details on the company's new product line set for release in one month. The user has a detailed spec sheet but it is marked "Internal Proprietary Information". Which of the following should the user do NEXT? A. Contact their manager and request guidance on how to best move forward B. Contact the help desk and/or incident response team to determine next steps C. Provide the requestor with the email information since it will be released soon anyway D. Reply back to the requestor to gain their contact information and call them
C
A user makes a password that is rather weak. However, the system is set up to take that weak password and strengthen it by adding random data to the end, resulting in a passphrase that is much harder to brute force break. This is known as: A. Hashing B. Encrypting C. Key Stretching D. Ciphering
A
A user name is an example of which of the following? A. Identification B. Authentication C. Authorization D. Access
C
A user with a 802.11n WLAN card is connected to a SOHO network and is only able to connect at 11 Mbps with full signal strength. Which of the following standards is implemented on the network? A. 802.11a B. 802.11ac C. 802.11b D. 802.11g
B
A wireless network technician for a local retail store is installing encrypted access points within the store for real-time inventory verification, as well as remote price checking capabilities, while employees are away from the registers. The store is in a fully occupied strip mall that has multiple neighbors allowing guest access to the wireless networks. There are a finite known number of approved handheld devices needing to access the store's wireless network. Which of the following is the BEST security method to implement on the access points? A. Port forwarding B. MAC filtering C. TLS/TTLS D. IP ACL
What is the difference between a worm and a virus?
A worm is self-replicating but a virus isn't self-replicating
3. An e-commerce web site does not currently have an account recovery process for customers who have forgotten their passwords. Which of the following choices are the BEST items to include if web site designers add this process? (Select TWO.) A. Create a web-based form that verifies customer identities using another method. B. Set a temporary password that expires upon first use. C. Implement biometric authentication. D. Email the password to the user.
A, B. A web-based form using an identity-proofing method, such as requiring users to enter the name of their first pet, can verify their identity. Setting a password that expires upon first use ensures that the user changes the password. Biometric authentication is not reasonable for an online e-commerce web site. Emailing the password is a possibility, but not without configuring the password to expire upon first use. See Chapter 1.
52. Your organization is considering the purchase of new computers. A security professional stresses that these devices should include TPMs. What benefit does a TPM provide? (Choose all that apply.) A. It uses hardware encryption, which is quicker than software encryption. B. It uses software encryption, which is quicker than hardware encryption. C. It includes an HSM file system. D. It stores RSA keys.
A, D. A Trusted Platform Module (TPM) is a hardware chip that stores RSA encryption keys and uses hardware encryption, which is quicker than software encryption. A TPM does not use software encryption. An HSM is a removable hardware device that uses hardware encryption, but it does not have a file system and TPM does not provide HSM as a benefit. See Chapter 5.
90. An organization is planning to implement an internal PKI for smart cards. Which of the following should the organization do FIRST? A. Install a CA. B. Generate key pairs. C. Generate a certificate. D. Identify a recovery agent.
A. A Public Key Infrastructure (PKI) requires a certification authority (CA), so a CA should be installed first. Smart cards require certificates and would be issued by the CA. After installing the CA, you can generate key pairs to be used with certificates issued by the CA. A recovery agent can be identified, but it isn't required to be done as a first step for a CA. See Chapter 10.
26. Your organization wants to protect its web server from cross-site scripting attacks. Which of the following choices provides the BEST protection? A. WAF B. Network-based firewall C. Host-based firewall D. IDS
A. A web application firewall (WAF) is an Application layer firewall designed specifically to protect web servers. Although both host-based and network-based firewalls provide protection, they aren't necessarily Application layer firewalls, so they do not provide the same level of protection for a web server as a WAF does. An intrusion detection system (IDS) can help detect attacks, but it isn't as good as the WAF when protecting the web server. See Chapter 3.
91. Which of the following is a valid reason to use a wildcard certificate? A. Reduce the administrative burden of managing certificates. B. Support multiple private keys. C. Support multiple public keys. D. Increase the lifetime of the certificate.
A. A wildcard certificate reduces the certificate management burden by using an asterisk (*) in place of child domain names. The certificate still has a single public and private key pair. The wildcard doesn't affect the lifetime of the certificate. See Chapter 10.
5. Your organization issues laptops to mobile users. Administrators configured these laptops with full disk encryption, which requires users to enter a password when they first turn on the computer. After the operating system loads, users are required to log on with a username and password. Which of the following choices BEST describes this? A. Single-factor authentication B. Dual-factor authentication C. Multifactor authentication D. SAML
A. Both passwords are in the something you know factor of authentication, so this process is single-factor authentication. Dual-factor authentication requires the use of two different authentication factors. Multifactor authentication requires two or more factors of authentication. Security Assertion Markup Language (SAML) is an Extensible Markup Language (XML) used for single sign-on (SSO), but this is unrelated to this question. See Chapter 1.
54. Homer installed code designed to enable his account automatically, three days after someone disables it. What did Homer create? A. Backdoor B. Rootkit C. Armored virus D. Ransomware
A. By ensuring that his account is automatically reenabled, Homer has created a backdoor. He is creating this with a logic bomb, but a logic bomb isn't available as a choice in this question. Rootkits include hidden processes, but they do not activate in response to events. An armored virus uses techniques to make it difficult for researchers to reverse engineer it. Ransomware demands payment to release a user's computer or data. See Chapter 6.
99. You are reviewing incident response procedures related to the order of volatility. Which of the following is the LEAST volatile? A. Hard disk drive B. Memory C. RAID-6 cache D. CPU cache
A. Data on a hard disk drive is the least volatile of those listed. All other sources are some type of memory, which will be lost if a system is turned off. This includes data in a redundant array of inexpensive disks 6 (RAID-6) cache, normal memory, and the central processing unit's (CPU's) memory. See Chapter 11.
34. Administrators in your organization are planning to implement a wireless network. Management has mandated that they use a RADIUS server and implement a secure wireless authentication method. Which of the following should they use? A. LEAP B. WPA-PSK C. WPA2-PSK D. AES
A. Enterprise mode implements 802.1x as a Remote Authentication Dial-In User Service (RADIUS) server and Lightweight Extensible Authentication Protocol (LEAP) can secure the authentication channel. LEAP is a Cisco proprietary protocol, but other EAP variations can also be used, such as Protected EAP (PEAP), EAP-Transport Layer Security (EAP-TLS), and EAP Tunneled TLS (EAP-TTLS). Wi-Fi Protected Access (WPA) and WPA2 using a preshared key (PSK) do not use RADIUS. Many security protocols use Advanced Encryption Standard (AES), but AES by itself does not use RADIUS. See Chapter 4.
51. A business owner is preparing to decommission a server that has processed sensitive data. He plans to remove the hard drives and send them to a company that destroys them. However, he wants to be certain that personnel at that company cannot access data on the drives. Which of the following is the BEST option to meet this goal? A. Encrypt the drives using full disk encryption. B. Capture an image of the drives. C. Identify data retention policies. D. Use file-level encryption to protect the data.
A. Full disk encryption is the best option of the available answers. Another option (not listed) is to use disk wiping procedures to erase the data. Capturing an image of the drives won't stop someone from accessing data on the original drives. Retention policies identify how long to keep data, but do not apply here. Depending on how much data is on the drives, file-level encryption can be very tedious and won't necessarily encrypt all of the sensitive data. See Chapter 5.
60. A web developer is adding input validation techniques to a web site application. Which of the following should the developer implement during this process? A. Perform the validation on the server side. B. Perform the validation on the client side. C. Prevent boundary checks. D. Encrypt data with TLS.
A. Input validation should be performed on the server side. Client-side validation can be combined with server-side validation, but it can be bypassed so it should not be used alone. Boundary or limit checks are an important part of input validation. Input validation does not require encryption of data with Transport Layer Security (TLS) or any other encryption protocol. See Chapter 7.
77. You need to modify the network infrastructure to increase availability of web-based applications for Internet clients. Which of the following choices provides the BEST solution? A. Load balancing B. Proxy server C. UTM D. Content inspection
A. Load-balancing solutions increase the availability of web-based solutions by spreading the load among multiple servers. A proxy server is used by internal clients to access Internet resources and does not increase availability of a web server. A unified threat management (UTM) system protects internal resources from attacks, but does not directly increase the availability of web-based applications. Content inspection is one of the features of a UTM, and it protects internal clients but does not directly increase the availability of web-based applications. See Chapter 9.
45. Your company has recently standardized servers using imaging technologies. However, a recent security audit verified that some servers were immune to known OS vulnerabilities, whereas other systems were not immune to the same vulnerabilities. Which of the following would reduce these vulnerabilities? A. Patch management B. Sandboxing C. Snapshots D. Baselines
A. Patch management procedures ensure operating systems (OS) are kept up to date with current patches. Patches ensure systems are immune to known vulnerabilities, but none of the other answers protects systems from these known vulnerabilities. Sandboxing isolates systems for testing. Snapshots record the state of a virtual machine at a moment in time. Baselines identify the starting point for systems. See Chapter 5.
70. Your organization develops web application software, which it sells to other companies for commercial use. To ensure the software is secure, your organization uses a peer assessment to help identify potential security issues related to the software. Which of the following is the BEST term for this process? A. Code review B. Change management C. Routine audit D. Rights and permissions review
A. Peers, such as other developers, perform code reviews going line-by-line through the software code looking for vulnerabilities, such as buffer overflows and race conditions. Change management helps prevent unintended outages from configuration changes. Routine audits review processes and procedures, but not software code. A user rights and permissions review ensures users have appropriate privileges. See Chapter 8.
80. What type of encryption does the RADIUS protocol use? A. Symmetric B. Asymmetric C. MD5 D. SHA
A. Remote Authentication Dial-In User Service (RADIUS) uses symmetric encryption. It does not use asymmetric encryption, which uses a public key and a private key. Message Digest 5 (MD5) and Secure Hash Algorithm (SHA) are hashing algorithms.
18. The Retirement Castle uses groups for ease of administration and management. They recently hired Jasper as their new accountant. Jasper needs access to all the files and folders used by the Accounting department. What should the administrator do to give Jasper appropriate access? A. Create an account for Jasper and add the account to the Accounting group. B. Give Jasper the password for the Guest account. C. Create an account for Jasper and use rule-based access control for accounting. D. Create an account for Jasper and add the account to the Administrators group.
A. The administrator should create an account for Jasper and add it to the Accounting group. Because the organization uses groups, it makes sense that they have an Accounting group. The Guest account should be disabled to prevent the use of generic accounts. This scenario describes role-based access control, not rule-based access control. Jasper does not require administrator privileges, so his account should not be added to the Administrators group. See Chapter 2.
37. You are reviewing logs from a wireless survey within your organization's network due to a suspected attack and you notice the following entries:
MAC                SSID                  Encryption  Power
12:AB:34:CD:56:EF  GetCertifiedGetAhead  WPA2        47
12:AB:34:CD:56:EF  GetCertifiedGetAhead  WPA2        62
56:CD:34:EF:12:AB  GetCertifiedGetAhead  WPA2        20
12:AB:34:CD:56:EF  GetCertifiedGetAhead  WPA2        57
12:AB:34:CD:56:EF  GetCertifiedGetAhead  WPA2        49
Of the following choices, what is the MOST likely explanation of these entries? A. An evil twin is in place. B. Power of the AP needs to be adjusted. C. A rogue AP is in place. D. The AP is being pharmed.
A. The logs indicate an evil twin is in place. An evil twin is a rogue wireless access point with the same service set identifier (SSID) as a live wireless access point. The SSID is GetCertifiedGetAhead and most of the entries are from an access point (AP) with a media access control (MAC) address of 12:AB:34:CD:56:EF. However, one entry shows a MAC of 56:CD:34:EF:12:AB, indicating an evil twin with the same name as the legitimate AP. Power can be adjusted if necessary to reduce the visibility of the AP, but there isn't any indication this is needed. The power of the evil twin is lower, indicating it is in a different location farther away. A rogue AP is an unauthorized AP and although the evil twin is unauthorized, it is more correct to identify this as an evil twin because that is more specific. Generically, a rogue AP has a different SSID. A pharming attack redirects a web site's traffic to another web site, but this isn't indicated in this question at all. See Chapter 4.
98. Your organization wants to prevent damage from malware. Which stage of the common incident response procedures is the BEST stage to address this? A. Preparation B. Identification C. Mitigation D. Lessons learned
A. The preparation stage is the first phase of common incident response procedures, and attempts to prevent incidents and plan methods to respond to incidents. Incident identification occurs after a potential incident occurs and verifies it is an incident. You attempt to reduce or remove the effects of an incident during the mitigation stage. Lessons learned occurs later and involves analysis to identify steps that will prevent a future occurrence. See Chapter 11.
65. A penetration tester is tasked with gaining information on one of your internal servers and he enters the following command: telnet server1 80. What is the purpose of this command? A. Identify if server1 is running a service using port 80 and is reachable. B. Launch an attack on server1 sending 80 separate packets in a short period of time. C. Use Telnet to remotely administer server1. D. Use Telnet to start an RDP session.
A. This command sends a query to server1 over port 80 and if the server is running a service on port 80, it will connect. This is a common beginning command for a banner grabbing attempt. It does not send 80 separate packets. If 80 was omitted, Telnet would attempt to connect using its default port of 23 and attempt to create a Telnet session. Remote Desktop Protocol (RDP) uses port 3389 and is not relevant in this scenario. See Chapter 8.
95. An organizational policy specifies that duties of application developers and administrators must be separated. What is the MOST likely result of implementing this policy? A. One group develops program code and the other group deploys the code. B. One group develops program code and the other group modifies the code. C. One group deploys program code and the other group administers databases. D. One group develops databases and the other group modifies databases.
A. This describes a separation of duties policy where the application developers create and modify the code, and the administrators deploy the code to live production systems, but neither group can perform both functions. Developers would typically develop the original code, and modify it when necessary. This scenario does not mention databases. See Chapter 11.
32. Security personnel recently noticed a successful exploit against an application used by many employees at their company. They notified the company that sold them the software and asked for a patch. However, they discovered that a patch wasn't available. What BEST describes this scenario? A. Zero-day B. Buffer overflow C. LSO D. SQL injection
A. This scenario describes a zero-day exploit on the software application. A zero-day exploit is one that is unknown to the vendor, or the vendor knows about, but hasn't yet released a patch or update to mitigate the threat. The other answers are specific types of attacks, but the scenario isn't specific enough to identify the type of exploit. A buffer overflow attack occurs when an attacker attempts to write more data into an application's memory than it can handle, or to bypass the application's structured exception handling (SEH). Adobe Flash content within web pages uses locally shared objects (LSOs), similar to how regular web pages use cookies, and attackers can modify both cookies and LSOs in different types of attacks. A Structured Query Language (SQL) injection attack attempts to inject SQL code into an application to access a database. See Chapter 4.
43. A company is implementing a feature that allows multiple servers to operate on a single physical server. What is this? A. Virtualization B. IaaS C. Cloud computing D. DLP
A. Virtualization allows multiple virtual servers to exist on a single physical server. Infrastructure as a Service (IaaS) is a cloud computing option where the vendor provides access to a computer, but customers manage it. Cloud computing refers to accessing computing resources via a different location than your local computer. Data loss prevention (DLP) techniques examine and inspect data looking for unauthorized data transmissions. See Chapter 5.
33. What type of encryption is used with WPA2 CCMP? A. AES B. TKIP C. RC4 D. SSL
A. Wi-Fi Protected Access II (WPA2) with Counter Mode Cipher Block Chaining Message Authentication Code Protocol (CCMP) uses Advanced Encryption Standard (AES). Temporal Key Integrity Protocol (TKIP) and Secure Sockets Layer (SSL) both use Rivest Cipher 4 (RC4), but not AES. See Chapter 4.
56. Your organization has been receiving a significant amount of spam with links to malicious web sites. You want to stop the spam. Of the following choices, what provides the BEST solution? A. Add the domain to a block list B. Use a URL filter C. Use a MAC filter D. Add antivirus software
A. You can block emails from a specific domain sending spam by adding the domain to a block list. While the question doesn't indicate that the spam is coming from a single domain, this is still the best answer of the given choices. A URL filter blocks outgoing traffic and can be used to block the links to the malicious web sites in this scenario, but it doesn't stop the email. Switches use MAC filters to restrict access within a network. Antivirus software does not block spam. See Chapter 6.
What type of encryption is used with WPA2 CCMP?
AES
Which of the following is an encryption algorithm that uses 128-bit keys?
AES
Some encryption algorithms use stream ciphers and some use block ciphers. What are examples of block ciphers?
AES DES Blowfish
A security expert is attempting to identify the number of failures a web server has in a year. Which of the following is the expert MOST likely identifying?
ALE
You need to calculate the expected loss of an incident. What value combinations would you MOST likely use?
ALE and ARO
You are asked to identify the number of times a specific type of incident occurs per year. Which of the following BEST identifies this?
ARO
An attacker is sending false hardware address updates to a system, causing the system to redirect traffic to an attacker. What type of attack is this?
ARP poisoning
What policy informs users of proper system usage?
Acceptable use policy
What would you configure on a Layer 3 device to allow FTP traffic to pass through?
Access control list
(40) What does NAC provide for an organization? Strong security for a large number of VPN clients A method of observing attackers using zero-day exploits Access to a network based on predetermined characteristics An encrypted tunnel over the Internet
Access to a network based on predetermined characteristics
Your company has hired a temporary contractor who needs a computer account for 60 days. You want to ensure the account is automatically disabled after 60 days. What feature would you use?
Account expiration
Your organization includes the following statement in the security policy: "Security controls need to protect against both online and offline password brute force attacks." Which of the following controls is the LEAST helpful in meeting these goals?
Account expiration
An attacker is using an account from an employee that left the company three years ago. What could prevent this?
Account expiration policy
Which of the following is the BEST method to protect against someone trying to guess the correct PIN to withdraw money from an ATM?
Account lockout
A user entered the incorrect password for his account three times in a row and can no longer log on because his account is disabled. What caused this?
Account lockout policy
You want to deter an attacker from using brute force to gain access to a mobile device. What would you configure?
Account lockout settings
(19) An administrator needs to record any access to a file server. The record should include the date and time when the user accessed the system, and the user's identity. What supports this? Time of day restrictions Kerberos log Account login log User rights log
Account login log
You have recently added a server to your network that will host data used and updated by employees. You want to monitor security events on the system. Of the following, what is the most important security event to monitor?
Account logon attempts
Security personnel recently performed a security audit. They identified several employees who had permissions for previously held jobs within the company. What should the organization implement to prevent this in the future?
Account management controls
A security professional is performing a penetration test on a system. Of the following choices, what identifies the best description of what this will accomplish?
Actively assess security controls
Your organization hosts a web-based server that remote administrators access via Telnet. Management wants to increase their rights to prosecute unauthorized personnel who access this server. What is the BEST choice?
Add a warning banner
Company management suspects an employee is stealing critical project information and selling it to a competitor. They'd like to identify who is doing this, without compromising any live data. What is the BEST option to meet this goal?
Add fabricated project data on a honeypot.
(60) An attacker recently used a SQL injection attack against a company's website. How can the company prevent future SQL injection attacks? Add SSL encryption Add input validation Add antivirus software Add cross-site scripting capabilities
Add input validation
Your organization has been receiving a significant amount of spam with links to malicious web sites. You want to stop the spam. Of the following choices, what provides the BEST solution?
Add the domain to a block list
Your network currently has a dedicated firewall protecting access to a web server. It is currently configured with the following two rules in the ACL along with an implicit allow rule at the end:
PERMIT TCP ANY ANY 443
PERMIT TCP ANY ANY 80
You have detected DNS requests and zone transfer requests coming through the firewall and you need to block them. What would meet this goal?
Add the following rule to the firewall: DENY IP ALL ALL 53, and change the implicit allow rule to implicit deny
Security experts at your organization have determined that your network has been repeatedly attacked from multiple entities in a foreign country. Research indicates these are coordinated and sophisticated attacks. What BEST describes this activity?
Advanced persistent threat
What type of malware uses marketing pop-ups and does not attempt to hide itself?
Adware
E
After a company rolls out software updates, Ann, a lab researcher, is no longer able to use lab equipment connected to her PC. The technician contacts the vendor and determines there is an incompatibility with the latest IO drivers. Which of the following should the technician perform so that Ann can get back to work as quickly as possible? A. Reformat and install the compatible drivers. B. Reset Ann's equipment configuration from a backup. C. Downgrade the PC to a working patch level. D. Restore Ann's PC to the last known good configuration. E. Roll back the drivers to the previous version.
A
After a network outage, a PC technician is unable to ping various network devices. The network administrator verifies that those devices are working properly and can be accessed securely. Which of the following is the MOST likely reason the PC technician is unable to ping those devices? A. ICMP is being blocked B. SSH is not enabled C. DNS settings are wrong D. SNMP is not configured properly
A
After a number of highly publicized and embarrassing customer data leaks as a result of social engineering attacks by phone, the Chief Information Officer (CIO) has decided user training will reduce the risk of another data leak. Which of the following would be MOST effective in reducing data leaks in this situation? A. Information Security Awareness B. Social Media and BYOD C. Data Handling and Disposal D. Acceptable Use of IT Systems
B
After a production outage, which of the following documents contains detailed information on the order in which the system should be restored to service? A. Succession planning B. Disaster recovery plan C. Information security plan D. Business impact analysis
C
After a recent breach, the security technician decides the company needs to analyze and aggregate its security logs. Which of the following systems should be used? A. Event log B. Syslog C. SIEM D. SNMP
D
After a recent security breach, the network administrator has been tasked to update and back up all router and switch configurations. The security administrator has been tasked to enforce stricter security policies. All users were forced to undergo additional user awareness training. All of these actions are due to which of the following types of risk mitigation strategies? A. Change management B. Implementing policies to prevent data loss C. User rights and permissions review D. Lessons learned
B C
After an assessment, auditors recommended that an application hosting company should contract with additional data providers for redundant high speed Internet connections. Which of the following is MOST likely the reason for this recommendation? (Select TWO). A. To allow load balancing for cloud support B. To allow for business continuity if one provider goes out of business C. To eliminate a single point of failure D. To allow for a hot site in case of disaster E. To improve intranet communication speeds
B E
After an audit, it was discovered that the security group memberships were not properly adjusted for employees' accounts when they moved from one role to another. Which of the following has the organization failed to properly implement? (Select TWO). A. Mandatory access control enforcement. B. User rights and permission reviews. C. Technical controls over account management. D. Account termination procedures. E. Management controls over account management. F. Incident management and response plan.
A
After encrypting all laptop hard drives, an executive officer's laptop has trouble booting to the operating system. Now that it is successfully encrypted, the helpdesk cannot retrieve the data. Which of the following can be used to decrypt the information for retrieval? A. Recovery agent B. Private key C. Trust models D. Public key
C
After repairing a computer infected with malware, a technician determines that the web browser fails to go to the proper address for some sites. Which of the following should be checked? A. Server host file B. Subnet mask C. Local hosts file D. Duplex settings
D
After running into the data center with a vehicle, attackers were able to enter through the hole in the building and steal several key servers in the ensuing chaos. Which of the following security measures can be put in place to mitigate the issue from occurring in the future? A. Fencing B. Proximity readers C. Video surveillance D. Bollards
What are two basic components of encryption?
Algorithms and keys
You are configuring a host-based firewall so that it will allow SFTP connections. What is required?
Allow TCP 22
B
Although SSL and TLS are often used in conjunction with each other, which one is actually the latest version? A. SSL B. TLS
D
An F-connector is used on which of the following types of cabling? A. CAT3 B. Single mode fiber C. CAT5 D. RG6
Which of the following BEST describes a false negative?
An IDS does not detect a buffer overflow attack.
D
An IT auditor tests an application as an authenticated user. This is an example of which of the following types of testing? A. Penetration B. White box C. Black box D. Gray box
A
An IT director is looking to reduce the footprint of their company's server environment. They have decided to move several internally developed software applications to an alternate environment, supported by an external company. Which of the following BEST describes this arrangement? A. Infrastructure as a Service B. Storage as a Service C. Platform as a Service D. Software as a Service
D
An IT staff member was entering the datacenter when another person tried to piggyback into the datacenter as the door was opened. While the IT staff member attempted to question the other individual by politely asking to see their badge, the individual refused and ran off into the datacenter. Which of the following should the IT staff member do NEXT? A. Call the police while tracking the individual on the closed circuit television system B. Contact the forensics team for further analysis C. Chase the individual to determine where they are going and what they are doing D. Contact the onsite physical security team with a description of the individual
B
An Information Systems Security Officer (ISSO) has been placed in charge of a classified peer-to-peer network that cannot connect to the Internet. The ISSO can update the antivirus definitions manually, but which of the following steps is MOST important? A. A full scan must be run on the network after the DAT file is installed. B. The signatures must have a hash value equal to what is displayed on the vendor site. C. The definition file must be updated within seven days. D. All users must be logged off of the network prior to the installation of the definition file.
Two companies have decided to work together on a project and implemented an MOU. What represents the GREATEST security risk in this situation?
An MOU doesn't have strict guidelines to protect sensitive data
While analyzing a packet capture log, you notice the following entry: 16:12:50, src 10.80.1.5:3389, dst 192.168.1.100:8080, syn/ack What is the BEST explanation of this entry?
An RDP connection attempt
D
An administrator has a virtualization environment that includes a vSAN and iSCSI switching. Which of the following actions could the administrator take to improve the performance of data transfers over iSCSI switches? A. The administrator should configure the switch ports to auto-negotiate the proper Ethernet settings. B. The administrator should configure each vSAN participant to have its own VLAN. C. The administrator should connect the iSCSI switches to each other over inter-switch links (ISL). D. The administrator should set the MTU to 9000 on each of the participants in the vSAN.
A
An administrator has successfully implemented SSL on srv4.comptia.com using wildcard certificate *.comptia.com, and now wishes to implement SSL on srv5.comptia.com. Which of the following files should be copied from srv4 to accomplish this? A. certificate, private key, and intermediate certificate chain B. certificate, intermediate certificate chain, and root certificate C. certificate, root certificate, and certificate signing request D. certificate, public key, and certificate signing request
A
An administrator is concerned that a company's web server has not been patched. Which of the following would be the BEST assessment for the administrator to perform? A. Vulnerability scan B. Risk assessment C. Virus scan D. Network sniffer
A
An administrator notices an unused cable behind a cabinet that is terminated with a DB-9 connector. Which of the following protocols was MOST likely used on this cable? A. RS-232 B. 802.3 C. ATM D. Token ring
D
An administrator only has telnet access to a remote workstation. Which of the following utilities will identify if the workstation uses DHCP? A. tracert B. ping C. dig D. ipconfig E. netstat
B
An administrator reassigns a laptop to a different user in the company. Upon delivering the laptop to the new user, the administrator documents the new location, the user of the device, and when the device was reassigned. Which of the following BEST describes these actions? A. Network map B. Asset management C. Change management D. Baselines
A
An administrator wants to minimize the amount of time needed to perform backups during the week. It is also acceptable to the administrator for restoration to take an extended time frame. Which of the following strategies would the administrator MOST likely implement? A. Full backups on the weekend and incremental during the week B. Full backups on the weekend and full backups every day C. Incremental backups on the weekend and differential backups every day D. Differential backups on the weekend and full backups every day
A
An antivirus software identifying a non-malicious file as a virus due to a faulty virus signature file is an example of: A. False Positive B. False Negative C. Fault Tolerance D. Incident isolation
B
An attacker has connected to an unused VoIP phone port to gain unauthorized access to a network. This is an example of which of the following attacks? A. Smurf attack B. VLAN hopping C. Bluesnarfing D. Spear phishing
C
An auditor is given access to a conference room to conduct an analysis. When they connect their laptop's Ethernet cable into the wall jack, they are not able to get a connection to the Internet but have a link light. Which of the following is MOST likely causing this issue? A. Ethernet cable is damaged B. The host firewall is set to disallow outbound connections C. Network Access Control D. The switch port is administratively shutdown
A
An auditor's report discovered several accounts with no activity for over 60 days. The accounts were later identified as contractors' accounts who would be returning in three months and would need to resume the activities. Which of the following would mitigate and secure the auditor's finding? A. Disable unnecessary contractor accounts and inform the auditor of the update. B. Reset contractor accounts and inform the auditor of the update. C. Inform the auditor that the accounts belong to the contractors. D. Delete contractor accounts and inform the auditor of the update.
Your organization is planning to implement a wireless network using WPA2 Enterprise. What is required?
An authentication server with a digital certificate installed on the authentication server
Of the following choices, what is the best explanation of what a PaaS provides to customers?
An easy-to-configure operating system and on-demand computing capabilities
You are reviewing logs from a wireless survey within your organization's network due to a suspected attack and you notice the following entries:
MAC                SSID                  Encryption  Power
12:AB:34:CD:56:EF  GetCertifiedGetAhead  WPA2        47
12:AB:34:CD:56:EF  GetCertifiedGetAhead  WPA2        62
56:CD:34:EF:12:AB  GetCertifiedGetAhead  WPA2        20
12:AB:34:CD:56:EF  GetCertifiedGetAhead  WPA2        57
12:AB:34:CD:56:EF  GetCertifiedGetAhead  WPA2        49
Of the following choices, what is the MOST likely explanation of these entries?
An evil twin is in place.
B
An incident response team member needs to perform a forensics examination but does not have the required hardware. Which of the following will allow the team member to perform the examination with minimal impact to the potential evidence? A. Using a software file recovery disc B. Mounting the drive in read-only mode C. Imaging based on order of volatility D. Hashing the image after capture
C
An online store wants to protect user credentials and credit card information so that customers can store their credit card information and use their card for multiple separate transactions. Which of the following database designs provides the BEST security for the online store? A. Use encryption for the credential fields and hash the credit card field B. Encrypt the username and hash the password C. Hash the credential fields and use encryption for the credit card field D. Hash both the credential fields and the credit card field
A
An organization does not have adequate resources to administer its large infrastructure. A security administrator wishes to integrate the security controls of some of the network devices in the organization. Which of the following methods would BEST accomplish this goal? A. Unified Threat Management B. Virtual Private Network C. Single sign on D. Role-based management
A
An organization is moving to a new datacenter. During the move, several technicians raise concerns about a system that could potentially remove oxygen from the server room and result in suffocation. Which of the following systems are they MOST likely discussing? A. Fire suppression B. Mantraps at the entry C. HVAC D. UPS and battery backups
C
An organization is recovering data following a datacenter outage and determines that backup copies of files containing personal information were stored in an unsecure location: because the sensitivity was unknown. Which of the following activities should occur to prevent this in the future? A. Business continuity planning B. Quantitative assessment C. Data classification D. Qualitative assessment
D
An organization notices a large amount of malware and virus incidents at one satellite office; but hardly any at another. All users at both sites are running the same company image and receive the same group policies. Which of the following has MOST likely been implemented at the site with the fewest security issues? A. Consent to monitoring B. Business continuity measures C. Vulnerability scanning D. End-user awareness training
D
An organization requires a second technician to verify changes before applying them to network devices. When checking the configuration of a network device; a technician determines that a coworker has improperly configured the AS number on the device. This would result in which of the following? A. The OSPF not-so-stubby area is misconfigured B. Reduced wireless network coverage C. Spanning tree ports in flooding mode D. BGP routing issues
A
Ann has taken over as the new head of the IT department. One of her first assignments was to implement AAA in preparation for the company's new telecommuting policy. When she takes inventory of the organizations existing network infrastructure: she makes note that it is a mix of several different vendors. Ann knows she needs a method of secure centralized access to the company's network resources. Which of the following is the BEST service for Ann to implement? A. RADIUS B. LDAP C. SAML D. TACACS+
A
Ann is starting a disaster recovery program. She has gathered specifics and team members for a meeting on site. Which of the following types of tests is this? A. Structured walk through B. Full Interruption test C. Check list test D. Table top exercise
D
Ann: a company's security officer: often receives reports of unauthorized personnel having access codes to the cipher locks of secure areas in the building. Ann should immediately implement which of the following? A. Acceptable Use Policy B. Physical security controls C. Technical controls D. Security awareness training
D
Ann: a security administrator: wishes to replace their RADIUS authentication with a more secure protocol: which can utilize EAP. Which of the following would BEST fit her objective? A. CHAP B. SAML C. Kerberos D. Diameter
A
Ann: a security analyst: is preparing for an upcoming security audit. To ensure that she identifies unapplied security controls and patches without attacking or compromising the system: Ann would use which of the following? A. Vulnerability scanning B. SQL injection C. Penetration testing D. Antivirus update
C
Ann: a security technician: is reviewing the IDS log files. She notices a large number of alerts for multicast packets from the switches on the network. After investigation: she discovers that this is normal activity for her network. Which of the following BEST describes these results? A. True negatives B. True positives C. False positives D. False negatives
A
Ann: the security administrator: received a report from the security technician: that an unauthorized new user account was added to the server over two weeks ago. Which of the following could have mitigated this event? A. Routine log audits B. Job rotation C. Risk likelihood assessment D. Separation of duties
D
Ann: the software security engineer: works for a major software vendor. Which of the following practices should be implemented to help prevent race conditions: buffer overflows: and other similar vulnerabilities prior to each production release? A. Product baseline report B. Input validation C. Patch regression testing D. Code review
B
Ann; a network technician; was asked to remove a virus. Issues were found several levels deep within the directory structure. To ensure the virus has not infected the .mp4 files in the directory; she views one of the files and believes it contains illegal material. Which of the following forensics actions should Ann perform? A. Erase the files created by the virus B. Stop and escalate to the proper authorities C. Check the remaining directories for more .mp4 files D. Copy the information to a network drive to preserve the evidence
D
Ann; a user; is experiencing an issue with her wireless device. While in the conference area; the wireless signal is steady and strong. However; at her desk the signal is consistently dropping; yet the device indicates a strong signal. Which of the following is the MOST likely cause of the issue? A. Signal-to-noise ratio B. AP configuration C. Incorrect SSID D. Bounce
Management is concerned about malicious activity on your network and wants to implement a security control that will detect unusual traffic on the network. What is the BEST choice to meet this goal?
Anomaly-based IDS
Your local library is planning to purchase new computers that patrons can use for Internet research. Which of the following are the BEST choices to protect these computers? (Choose TWO.)
Anti-malware software Cable locks
What can reduce unwanted e-mail that contains advertisements?
Anti-spam software
A user wants to reduce the threat of an attacker capturing her personal information while she surfs the Internet. What is the BEST choice?
Anti-spyware software
What type of signature-based monitoring can detect and remove known worms and Trojans?
Antivirus
A user's computer has recently been slower than normal and has been sending out email without user interaction. Of the following choices, what is the best choice to resolve this issue?
Antivirus software
Lisa has scanned all the user computers in the organization as part of a security audit. She is creating an inventory of these systems, including a list of applications running on each computer and the application versions. What is she MOST likely trying to identify?
Application baseline
You manage a server hosting a third-party database application. You want to ensure that the application is secure and all unnecessary services are disabled. What should you perform?
Application hardening
Administrators ensure server operating systems are updated at least once a month with relevant patches, but they do not track other software updates. What is the BEST choice to mitigate risks on these servers?
Application patch management
Your organization wants to ensure that employees do not install or play operating system games, such as solitaire and FreeCell, on their computers. What is the BEST choice to prevent this?
Application whitelisting
Which of the following types of malware is the MOST difficult to reverse engineer?
Armored Virus
At an organization, unauthorized users have been accessing network resources via unused network wall jacks. Which of the following would be used to stop unauthorized access? A. Configure an access list. B. Configure spanning tree protocol. C. Configure port security. D. Configure loop protection.
C
A security administrator is reviewing an organization's security policy and notices that the policy does not define a time frame for reviewing user rights and permissions. What is the MINIMUM time frame that she should recommend?
At least once a year
What is completed when a user's password has been verified?
Authentication
A network includes a ticket-granting ticket server. What is the primary purpose of this server?
Authentication
(3) Your organization is considering virtualizing some servers in your network. Of the following choices, what can virtualization provide? Confidentiality Integrity Availability Encryption
Availability
(73) What does RAID-1 provide for a system? Authentication Availability Confidentiality Integrity
Availability
An organization hosts several bays of servers used to support a large online ecommerce business. It wants to ensure that customer data hosted within the datacenter is protected, and it implements several access controls, including an HVAC system. What does the HVAC system help protect?
Availability
Your organization is addressing single points of failure as potential risks to security. What are they addressing?
Availability
Your organization recently implemented two servers that act as failover devices for each other. Which security goal is your organization pursuing?
Availability
55. Your local library is planning to purchase new computers that patrons can use for Internet research. Which of the following are the BEST choices to protect these computers? (Choose TWO.) A. Mantrap B. Anti-malware software C. Cable locks D. Pop-up blockers E. Disk encryption
B, C. Anti-malware software and cable locks are the best choices to protect these computers. Anti-malware software protects the systems from viruses and other malware. The cable locks deter theft of the computers. A mantrap prevents tailgating, but this is unrelated to this question. Pop-up blockers are useful, but they are often included with anti-malware software, so anti-malware software is most important. Disk encryption is useful if the computers have confidential information, but it wouldn't be appropriate to put confidential information on a public computer. See Chapters 2 and 6.
87. Which two protocols provide strong security for the Internet with the use of certificates? (Choose TWO.) A. SSH B. SSL C. SCP D. TLS E. SFTP
B, D. Secure Sockets Layer (SSL) and Transport Layer Security (TLS) secure Internet traffic with the use of certificates. Secure Shell (SSH) encrypts traffic such as Secure Copy (SCP), Secure File Transfer Protocol (SFTP), and Telnet but none of these use certificates. See Chapter 10.
78. A security analyst is creating a document that includes the expected monetary loss from a major outage. She is calculating the potential lost sales, fines, and impact on the organization's customers. Which of the following documents is she MOST likely creating? A. BCP B. BIA C. DRP D. RPO
B. A business impact analysis (BIA) includes information on potential monetary losses and is the most likely document of those listed that would include this information. A business continuity plan (BCP) includes a BIA, but the BIA is more likely to include this information than the BCP is. A disaster recovery plan (DRP) includes methods used to recover from an outage. The recovery point objective (RPO) refers to the amount of data you can afford to lose but does not include monetary losses. See Chapter 9.
100. Security personnel confiscated a user's workstation after a security incident. Administrators removed the hard drive for forensic analysis, but left it unattended for several hours before capturing an image. What could prevent the company from taking the employee to court over this incident? A. Witnesses were not identified. B. A chain of custody was not maintained. C. An order of volatility was not maintained. D. A hard drive analysis was not complete.
B. A chain of custody was not maintained because the hard drive was left unattended for several hours before capturing an image. Witnesses were not mentioned, but are not needed if the chain of custody was maintained. The order of volatility does not apply here, because the hard drive is not volatile. Analysis would occur after capturing an image, but there isn't any indication it wasn't done or wasn't complete. See Chapter 11.
71. Your organization plans to deploy new systems within the network within the next six months. What should your organization implement to ensure these systems are developed properly? A. Code review B. Design review C. Baseline review D. Attack surface review
B. A design review ensures that systems and software are developed properly. A code review is appropriate if the organization is developing its own software for these new systems, but the scenario doesn't indicate this. A baseline review identifies changes from the initial baseline configuration, but couldn't be done for systems that aren't deployed yet. Identifying the attack surface, including the required protocols and services, would likely be part of the design review, but the design review does much more. See Chapter 8.
57. Attackers have launched an attack using multiple systems against a single target. What type of attack is this? A. DoS B. DDoS C. SYN flood D. Buffer overflow
B. A distributed denial-of-service (DDoS) attack includes attacks from multiple systems with the goal of depleting the target's resources. A DoS attack comes from a single system and a SYN flood is an example of a DoS attack. A buffer overflow is a type of DoS attack that attempts to write data into an application's memory. See Chapter 7.
75. You are troubleshooting issues between two servers on your network and need to analyze the network traffic. Of the following choices, what is the BEST tool to capture and analyze this traffic? A. Switch B. Protocol analyzer C. Firewall D. NIDS
B. A protocol analyzer (also called a sniffer) is the best choice to capture and analyze network traffic. Although the traffic probably goes through a switch, the switch doesn't capture the traffic in such a way that you can analyze it. It's unlikely that the traffic is going through a firewall between two internal servers and even if it did, the best you could get is data from the firewall log, but this wouldn't provide the same level of detail as a capture from the sniffer. A network intrusion detection system (NIDS) detects traffic, but it isn't the best tool to capture and analyze it. See Chapter 8.
74. A security administrator needs to inspect protocol headers of traffic sent across the network. What tool is the BEST choice for this task? A. Web security gateway B. Protocol analyzer C. Honeypot D. Vulnerability assessment
B. A protocol analyzer (or sniffer) can capture traffic allowing an administrator to inspect the protocol headers. A web security gateway is a type of security appliance that protects against multiple threats, but doesn't necessarily capture traffic for inspection. A honeypot contains fake data designed to entice attackers. A vulnerability assessment identifies a system or network's security posture and it might include using a protocol analyzer, but does much more. See Chapter 8.
27. Management recently learned that several employees are using the company network to visit gambling and gaming web sites. They want to implement a security control to prevent this in the future. Which of the following choices would meet this need? A. WAF B. UTM C. DMZ D. NIDS
B. A unified threat management (UTM) device typically includes a URL filter and can block access to web sites, just as a proxy server can block access to web sites. A web application firewall (WAF) protects a web server from incoming attacks. A demilitarized zone (DMZ) is a buffered zone between protected and unprotected networks, but it does not include URL filters. A network-based intrusion detection system (NIDS) can detect attacks, but doesn't include outgoing URL filters. See Chapter 3.
39. Management within your organization wants some users to be able to access internal network resources from remote locations. Which of the following is the BEST choice to meet this need? A. WAF B. VPN C. IDS D. IPS
B. A virtual private network (VPN) provides access to a private network over a public network such as the Internet via remote locations and is the best choice. A web application firewall (WAF) provides protection for a web application or a web server. Intrusion detection systems (IDSs) and intrusion prevention systems (IPSs) protect networks, but do not control remote access. See Chapter 4.
38. Mobile users in your network report that they frequently lose connectivity with the wireless network on some days, but on other days they don't have any problems. Which of the following types of attacks could cause this? A. IV B. Wireless jamming C. Replay D. WPA cracking
B. A wireless jamming attack is a type of denial-of-service (DoS) attack that can cause wireless devices to lose their association with access points and disconnect them from the network. None of the other attacks are DoS attacks. An initialization vector (IV) is a specific type of attack on Wired Equivalent Privacy (WEP) to crack the key. A replay attack captures traffic with the goal of replaying it later to impersonate one of the parties in the original transmission. Wi-Fi Protected Access (WPA) cracking attacks attempt to discover the passphrase. See Chapter 4.
41. Lisa has scanned all the user computers in the organization as part of a security audit. She is creating an inventory of these systems, including a list of applications running on each computer and the application versions. What is she MOST likely trying to identify? A. System architecture B. Application baseline C. Code vulnerabilities D. Attack surface
B. Administrators create a list of applications installed on systems as part of an application baseline (also called a host software baseline). An architecture review typically looks at the network architecture, not individual systems. A code review looks for vulnerabilities within code, but applications are compiled so the code is not easily available for review. The attack surface looks at much more than just applications and includes protocols and services. See Chapter 5.
10. Your organization wants to reduce the amount of money it is losing due to thefts. Which of the following is the BEST example of an equipment theft deterrent? A. Remote wiping B. Cable locks C. Strong passwords D. Disk encryption
B. Cable locks are effective equipment theft deterrents for laptops and other systems. Remote wiping can erase data on stolen systems, but it doesn't deter thefts. Strong passwords help prevent someone from accessing a stolen device, but they don't deter thefts. Disk encryption can protect the data after a device is stolen, but it doesn't deter theft. See Chapter 2.
88. Lenny and Carl work in an organization that includes a PKI. Carl needs to send a digitally signed file to Lenny. What does Carl use in this process? A. Carl's public key B. Carl's private key C. Lenny's public key D. Lenny's private key
B. Carl uses his private key to digitally sign the file. Lenny uses Carl's public key to decrypt the digital signature. Lenny's keys are not used in this scenario. See Chapter 10.
22. While analyzing a firewall log, you notice traffic going out of your network on UDP port 53. What does this indicate? A. Connection with a botnet B. DNS traffic C. SMTP traffic D. SFTP traffic
B. Domain Name System (DNS) traffic uses UDP port 53 by default to resolve host names to IP addresses. It is not malicious traffic connecting to a botnet. Simple Mail Transfer Protocol (SMTP) uses port 25. Secure File Transfer Protocol (SFTP) uses port 22. See Chapter 3.
62. During a penetration test, a tester injected extra input into an application causing the application to crash. What does this describe? A. SQL injection B. Fuzzing C. Transitive access D. XSRF
B. Fuzzing or fuzz testing sends extra input to an application to test it. Ideally, the application can handle the extra input, but it is possible that fuzz testing causes an application to crash. Other answers do not cause the application to crash. A SQL injection attack sends specific SQL code to access or modify data in a database. A cross-site request forgery (XSRF) attack uses HTML or JavaScript code to take actions on behalf of a user. See Chapter 7.
16. You configure access control for users in your organization. Some departments have a high employee turnover, so you want to simplify account administration. Which of the following is the BEST choice? A. User-assigned privileges B. Group-based privileges C. Domain-assigned privileges D. Network-assigned privileges
B. Group-based privileges are a form of role-based access control and they simplify administration. Instead of assigning permissions to new employees individually, you can just add new employee user accounts into the appropriate groups to grant them the rights and permissions they need for the job. User-assigned privileges require you to manage privileges for each user separately, and this increases the account administration burden. Domain-assigned and network-assigned privileges are not valid administration practices. See Chapter 2.
24. An organization recently updated its security policy. A new requirement dictates a need to increase protection from rogue devices plugging into physical ports. Which of the following choices provides the BEST protection? A. Disable unused ports B. Implement 802.1x C. Enable MAC limiting D. Enable MAC filtering
B. IEEE 802.1x is a port-based authentication protocol and it requires systems to authenticate before they are granted access to the network. If an attacker plugged a rogue device into a physical port, the 802.1x server would block it from accessing the network. Disabling unused ports is a good practice, but it doesn't prevent an attacker from unplugging a system from a used port and plugging the rogue device into the port. While MAC limiting and filtering will provide some protection against rogue devices, an 802.1x server provides much stronger protection. See Chapter 3.
66. A recent vulnerability assessment identified several issues related to an organization's security posture. Which of the following issues is MOST likely to affect the organization on a day-to-day basis? A. Natural disasters B. Lack of antivirus software C. Lack of protection for data at rest D. Lack of protection for data in transit
B. Malware is a constant threat and without antivirus software, systems are sure to become infected in a short period of time. Natural disasters are a risk, but not on a day-to-day basis. Encryption protects data at rest and data in transit, but a lack of encryption isn't likely to affect the organization on a day-to-day basis. See Chapter 8.
23. A team of users in your organization needs a dedicated subnet. For security reasons, other users should not be able to connect to this subnet. Which of the following choices is the BEST solution? A. Restrict traffic based on port numbers. B. Restrict traffic based on physical addresses. C. Implement DNS on the network. D. Enable SNMP.
B. Of the given choices, the best answer is to restrict traffic based on physical addresses. This is also known as media access control (MAC) address filtering and is configured on a switch. Port numbers are related to protocols, so it wouldn't be feasible to restrict traffic for this group based on protocols. Domain Name System (DNS) provides name resolution, but it doesn't restrict traffic. Simple Network Management Protocol version 3 (SNMPv3) monitors and manages network devices. See Chapter 3.
49. Management wants to implement a system that will provide automatic notification when personnel remove devices from the building. Which of the following security controls will meet this requirement? A. Video monitoring B. RFID C. Geo-tagging D. Account lockout
B. Radio-frequency identification (RFID) provides automated inventory control and can detect movement of devices. Video monitoring might detect removal of devices, but it does not include automatic notification. Geo-tagging provides geographic location for pictures posted to social media sites. Account lockout controls lock accounts when the incorrect password is entered too many times. See Chapter 5.
94. An organization is implementing a data policy and wants to designate a recovery agent. Which of the following indicates what a recovery agent can do? A. A recovery agent can retrieve a user's public key. B. A recovery agent can decrypt data if users lose their private key. C. A recovery agent can encrypt data if users lose their private key. D. A recovery agent can restore a system from backups.
B. Recovery agents can decrypt data and messages if users lose their private key. Public keys are publicly available, so recovery agents aren't needed to retrieve them. A recovery agent wouldn't encrypt a user's data. Although backups are important, this isn't the role of a recovery agent. See Chapter 10.
82. An organization is implementing a PKI and plans on using public and private keys. Which of the following can be used to create strong key pairs? A. MD5 B. RSA C. AES D. HMAC
B. Rivest, Shamir, Adleman (RSA) is used to create key pairs. Message Digest 5 (MD5) and Hash-based Message Authentication Code (HMAC) are hashing algorithms. Advanced Encryption Standard (AES) is a symmetric encryption algorithm. See Chapter 10.
97. Which of the following is a type of media that allows the mass distribution of personal comments to specific groups of people? A. P2P B. Social media C. Media devices D. News media
B. Social media is a type of media that allows the mass distribution of personal comments to specific groups of people and it is a potential risk to organizations due to possible data leakage. Peer-to-peer (P2P) sites allow users to share data, but it is also a source of data leakage. Media devices such as MP3 players don't support sharing comments among specific groups of users. The news media reports on news stories. See Chapter 11.
84. A user wants to hide confidential data within a .jpg file. Which of the following is the BEST choice to meet this need? A. ECC B. Steganography C. CRL D. File-level encryption
B. Steganography allows users to hide data within the white space of other files, including .jpg files. None of the other choices hides data within another file. Elliptic curve cryptography (ECC) is often used with mobile devices for encryption because it has minimal overhead. A certificate revocation list (CRL) identifies revoked certificates. File-level encryption encrypts a file, such as a master password list, but does not hide data within another file. See Chapter 10.
A security analyst is creating a document that includes the expected monetary loss from a major outage. She is calculating the potential lost sales, fines, and impact on the organization's customers. Which of the following documents is she MOST likely creating?
BIA
After a recent attack causing a data breach, an executive is analyzing the financial losses. She determined that the attack is likely to cost at least $1 million. She wants to ensure that this information is documented for future planning purposes. Where is she MOST likely to document it?
BIA
An organization is creating a business continuity plan (BCP). What will identify business requirements used in the development of the plan?
BIA
Of the following choices, what identifies RPOs and RTOs?
BIA
You need to reboot your DNS server. What type of server are you MOST likely to reboot?
BIND server
A recent antivirus scan on a server detected a Trojan. A technician removed the Trojan, but a security administrator expressed concern that unauthorized personnel might be able to access data on the server. The security administrator decided to check the server further. What is the administrator MOST likely looking for on this server?
Backdoor
Homer installed code designed to enable his account automatically three days after someone disables it. What did Homer create?
Backdoor
Lisa recently completed an application used by the personnel department to store PII and other employee information. She programmed in the ability to access the application with a username and password that only she knows, so that she can perform remote maintenance on the application if necessary. What does this describe?
Backdoor
Bart, an employee at your organization, is suspected of leaking data to a competitor. Investigations indicate he sent several email messages containing pictures of his dog. Investigators have not been able to identify any other suspicious activity. What is MOST likely occurring?
Bart is leaking data using steganography
Bart wants to send a secure email to Lisa so he decides to encrypt it. Bart wants to ensure that Lisa can verify that he sent it. What does Lisa need to meet this requirement?
Bart's public key
Based on information leaked to industry websites, business management is concerned that unauthorized employees are accessing critical project information for a major, well-known new product. To identify any such users, the security administrator could: A. Set up a honeypot and place false project documentation on an unsecure share. B. Block access to the project documentation using a firewall. C. Increase antivirus coverage of the project servers. D. Apply security updates and harden the OS on all project servers.
A
You are preparing to deploy an anomaly-based detection system to monitor network activity. What would you create first?
Baseline
You are troubleshooting a server that users claim is running slow. You notice that the server frequently has about twenty active SSH sessions. What can you use to determine if this is normal behavior?
Baseline report
You need to periodically check the configuration of a server and identify any changes. What are you performing?
Baseline review
Network administrators identified what appears to be malicious traffic coming from an internal computer, but only when no one is logged on to the computer. You suspect the system is infected with malware. It periodically runs an application that attempts to connect to websites over port 80 with Telnet. After comparing the computer with a list of services from the standard image, you verify this application is very likely the problem. What process allowed you to make this determination?
Baselining
An application requires users to log on with passwords. The application developers want to store the passwords in such a way that it will thwart rainbow table attacks. What is the BEST solution?
Bcrypt
Before logging into the company network, users are required to sign a document that is to be stored in their personnel file. This standards and policies document is usually called which of the following? A. SOP B. BEP C. AUP D. SLA
C
Of the following choices, what is a likely response to a security breach?
Begin a forensic evaluation
Which type of authentication is a fingerprint scan?
Biometric
Which type of authentication is a retina scan?
Biometric
(7) Of the following choices, what method is the most difficult for an attacker to falsify? Passwords XSRF Biometrics Usernames
Biometrics
You need to secure access to a data center. What provides the BEST physical security to meet this need?
Biometrics; CCTV & Mantrap
Which of the following is PII when it is associated with a person's full name?
Birthdate
A security professional is testing the functionality of an application, but does not have any knowledge about the internal coding of the application. What type of test is the professional performing?
Black box
Testers do not have access to product documentation or any experience with an application. What type of test will they MOST likely perform?
Black box
A tester is fuzzing an application. What is another name for this?
Black box testing
Your organization hired an external security expert to test a web application. The security expert is not given any access to the application interfaces, code, or data. What type of test will the security expert perform?
Black hat
(29) Your organization wants to prevent attackers from performing host enumeration sweeps. What can be done to prevent these sweeps? Block ICMP at the network perimeter Allow ICMP at the network perimeter Block FTPS at the network perimeter Block SMTP at the network perimeter
Block ICMP at the network perimeter
An administrator decides to block Telnet access to an internal network from any remote device on the Internet. Which of the following is the best choice to accomplish this?
Block port 23 at the network firewall
An application developer needs to use an encryption protocol to encrypt credit card data within a database used by the application. What would be the FASTEST, while also providing strong confidentiality?
Blowfish
Which of the following is an attack against a mobile device?
Bluejacking
An attacker is able to access email contact lists on your smartphone. What type of attack is this?
Bluesnarfing
Thieves recently rammed a truck through the entrance to your company's main building. During the chaos, their partners proceeded to steal a significant amount of IT equipment. What can you use to prevent this from happening again?
Bollards
A computer is regularly communicating with an unknown IRC server and sending traffic without user interaction. What is likely causing this?
Botnet
Of the following choices, what uses a command and control server?
Botnet
Security administrators are reviewing security controls and their usefulness. Which of the following attacks will account lockout controls prevent? (Choose TWO.)
Brute force, Dictionary
A web-based application expects a user to enter eight characters into a text box. However, the application allows a user to copy more than eight characters into the text box. What is a potential vulnerability for this application?
Buffer overflow
An IDS detected a NOOP sled. What kind of attack does this indicate?
Buffer overflow
An application on one of your database servers has crashed several times recently. Examining detailed debugging logs, you discover that just prior to crashing, the database application is receiving a long series of 0x90 characters. What is MOST likely occurring?
Buffer overflow
An attacker is attempting to write more data into a web application's memory than it can handle. What type of attack is this?
Buffer overflow
While reviewing logs for a web application, a developer notices that it has crashed several times reporting a memory error. Shortly after it crashes, the logs show malicious code that isn't part of a known application. What is MOST likely occurring?
Buffer overflow
58. Security administrators are reviewing security controls and their usefulness. Which of the following attacks will account lockout controls prevent? (Choose TWO.) A. DNS poisoning B. Replay C. Brute force D. Buffer overflow E. Dictionary
C, E. Brute force and dictionary attacks attempt to guess passwords, but an account lockout control locks an account after the wrong password is guessed too many times. The other attacks are not password attacks, so they aren't mitigated using account lockout controls. Domain name system (DNS) poisoning attempts to redirect web browsers to malicious URLs. Replay attacks attempt to capture packets to impersonate one of the parties in an online session. Buffer overflow attacks attempt to overwhelm online applications with unexpected code or data. See Chapter 7.
13. You have discovered that some users have been using the same passwords for months, even though the password policy requires users to change their password every 30 days. You want to ensure that users cannot reuse the same password. Which settings should you configure? (Select TWO.) A. Maximum password age B. Password length C. Password history D. Password complexity E. Minimum password age
C, E. The password history setting records previously used passwords (such as the last 24 passwords) to prevent users from reusing the same passwords. Using password history setting combined with the minimum password age setting prevents users from changing their password repeatedly to get back to their original password. The maximum password age setting ensures users change their passwords regularly, but this is already set to 30 days in the scenario. Password length requires a minimum number of characters in a password. Password complexity requires a mix of uppercase and lowercase letters, numbers, and special characters. See Chapter 2.
93. You need to request a certificate for a web server. Which of the following would you MOST likely use? A. CA B. CRL C. CSR D. OCSP
C. A certificate signing request (CSR) uses a specific format to request a certificate. You submit the CSR to a Certificate Authority (CA), but the request needs to be in the CSR format. A certificate revocation list (CRL) is a list of revoked certificates. The Online Certificate Status Protocol (OCSP) is an alternate method of validating certificates and indicates if a certificate is good, revoked, or unknown. See Chapter 10.
96. Application developers in your organization currently update applications on live production servers when needed. However, they do not follow any predefined procedures before applying the updates. What should the organization implement to prevent any risk associated with this process? A. Risk assessment B. Tabletop exercises C. Change management D. Incident management
C. A change management process ensures that changes are approved before being implemented and would prevent risks associated with unintended outages. A risk assessment identifies risks at a given point in time. Tabletop exercises test business continuity and disaster recovery plans. Incident management is only related to security incidents. See Chapter 11.
2. You are the security administrator in your organization. You want to ensure that a file maintains integrity. Which of the following choices is the BEST choice to meet your goal? A. Steganography B. Encryption C. Hash D. AES
C. A hash provides integrity for files, emails, and other types of data. Steganography provides confidentiality by hiding data within other data and encryption provides confidentiality by ciphering the data. Advanced Encryption Standard (AES) is an encryption protocol. See Chapter 1.
31. Attackers frequently attack your organization, and administrators want to learn more about zero-day attacks on the network. What can they use? A. Anomaly-based HIDS B. Signature-based HIDS C. Honeypot D. Signature-based NIDS
C. A honeypot is a server designed to look valuable to an attacker and can help administrators learn about zero-day exploits, or previously unknown attacks. A host-based intrusion detection system (HIDS) protects host systems, but isn't helpful against network attacks. Signature-based tools would not have a signature for zero-day attack because the attack method is unknown by definition. See Chapter 4.
76. Which of the following is the lowest cost solution for fault tolerance? A. Load balancing B. Clustering C. RAID D. Cold site
C. A redundant array of inexpensive disks (RAID) subsystem is a relatively low-cost solution for fault tolerance for disks. RAID also increases data availability. Load balancing and failover clustering add in additional servers, which is significantly more expensive than RAID. A cold site is a completely separate location, which can be expensive, but a cold site does not provide fault tolerance. See Chapter 9.
48. Homer wants to ensure that other people cannot view data on his mobile device if he leaves it unattended. What should he implement? A. Encryption B. Cable lock C. Screen lock D. Remote wiping
C. A screen lock locks a device until the proper passcode is entered and prevents access to mobile devices when they are left unattended. Encryption protects data, especially if the device is lost or stolen. A cable lock is used with laptops to prevent them from being stolen. Remote wiping can erase data on a lost or stolen device. See Chapter 5.
44. A software vendor recently developed a patch for one of its applications. Before releasing the patch to customers, the vendor needs to test it in different environments. Which of the following solutions provides the BEST method to test the patch in different environments? A. Baseline image B. BYOD C. Virtualized sandbox D. Change management
C. A virtualized sandbox provides a simple method of testing patches and would be used with snapshots so that the virtual machine (VM) can easily be reverted to the original state. A baseline image is a starting point of a single environment. Bring your own device (BYOD) refers to allowing employee-owned mobile devices in a network, and is not related to this question. Change management practices ensure changes are not applied until they are approved and documented. See Chapter 5.
69. Which of the following tools is the LEAST invasive and can verify if security controls are in place? A. Pentest B. Protocol analyzer C. Vulnerability scan D. Host enumeration
C. A vulnerability scan can verify if security controls are in place, and it does not try to exploit these controls using any invasive methods. A pentest (or penetration test) can verify if security controls are in place, but it is invasive and can potentially compromise a system. A protocol analyzer is not invasive, but it cannot determine if security controls are in place. Host enumeration identifies hosts on a network, but does not check for security controls. See Chapter 8.
63. A security expert is attempting to identify the number of failures a web server has in a year. Which of the following is the expert MOST likely identifying? A. SLE B. MTTR C. ALE D. MTTF
C. Annualized loss expectancy (ALE) is part of a quantitative risk assessment and is the most likely answer of those given. It is calculated by multiplying the single loss expectancy times the annualized rate of occurrence (ARO). Mean time to recover (MTTR) and mean time to failure (MTTF) do not identify the number of failures in a year. See Chapter 8.
6. Users at your organization currently use a combination of smart cards and passwords, but an updated security policy requires multifactor security using three different factors. Which of the following can you add to meet the new requirement? A. Four-digit PIN B. Hardware tokens C. Fingerprint readers D. USB tokens
C. Fingerprint readers would add biometrics from the something you are factor of authentication as a third factor of authentication. The current system includes methods in the something you have factor (smart cards) and in the something you know factor (passwords), so any solution requires a method that isn't using one of these two factors. A PIN is in the something you know factor. Hardware tokens and USB tokens are in the something you have factor. See Chapter 1.
47. Your organization has issued mobile devices to several key personnel. These devices store sensitive information. What can administrators implement to prevent data loss from these devices if they are stolen? A. Inventory control B. GPS tracking C. Full device encryption D. Geo-tagging
C. Full device encryption helps prevent data loss in the event of theft of a mobile device storing sensitive information. Other security controls (not listed as answers in this question) that help prevent loss of data in this situation are a screen lock, account lockout, and remote wipe capabilities. Inventory control methods help ensure devices aren't lost or stolen. Global positioning system (GPS) tracking helps locate the device. Geo-tagging includes geographical information with pictures posted to social media sites. See Chapter 5.
21. Which of the following provides the largest address space? A. IPv4 B. IPv5 C. IPv6 D. IPv7
C. Internet Protocol version 6 provides the largest address space using 128 bits to define an IP address. IPv4 uses 32 bits. IPv5 uses 64 bits but was never adopted. IPv7 has not been defined. See Chapter 3.
8. You are modifying a configuration file used to authenticate Unix accounts against an external server. The file includes phrases such as DC=Server1 and DC=Com. Which authentication service is the external server using? A. Diameter B. RADIUS C. LDAP D. SAML
C. Lightweight Directory Access Protocol (LDAP) uses X.500-based phrases to identify components such as the domain component (DC). Diameter is an alternative to Remote Authentication Dial-In User Service (RADIUS), but neither of these use X.500-based phrases. Security Assertion Markup Language (SAML) is an Extensible Markup Language (XML) used for web-based single sign-on (SSO) solutions. See Chapter 1.
9. Which of the following choices is an AAA protocol that uses shared secrets as a method of security? A. Kerberos B. SAML C. RADIUS D. MD5
C. Remote Authentication Dial-In User Service (RADIUS) is an authentication, authorization, and accounting (AAA) protocol that uses shared secrets (or passwords) for security. Kerberos uses tickets. SAML provides SSO for web-based applications, but it is not an AAA protocol. MD5 is a hashing protocol, not an AAA protocol. See Chapter 1.
46. Someone stole an executive's smartphone, and the phone includes sensitive data. What should you do to prevent the thief from reading the data? A. Password-protect the phone. B. Encrypt the data on the phone. C. Use remote wipe. D. Track the location of the phone.
C. Remote wipe capabilities can send a remote wipe signal to the phone to delete all the data on the phone, including any cached data. The phone is lost, so it's too late to password-protect or encrypt the data now if these steps weren't completed previously. Although tracking the phone might be useful, it doesn't prevent the thief from reading the data. See Chapter 5.
14. A company recently hired you as a security administrator. You notice that some former accounts used by temporary employees are currently enabled. Which of the following choices is the BEST response? A. Disable all the temporary accounts. B. Disable the temporary accounts you've noticed are enabled. C. Craft a script to identify inactive accounts based on the last time they logged on. D. Set account expiration dates for all accounts when creating them.
C. Running a last logon script allows you to identify inactive accounts, such as accounts that haven't been logged on to in the last 30 days. It's appropriate to disable unused accounts, but it isn't necessarily appropriate to disable all temporary accounts, because some might still be in use. If you disable the accounts you notice, you might disable accounts that some employees are still using, and you might miss some accounts that should be disabled. Setting expiration dates for newly created accounts is a good step, but it doesn't address previously created accounts. See Chapter 2.
11. A manager recently observed an unauthorized person in a secure area, which is protected with a cipher lock door access system. After investigation, he discovered that an authorized employee gave this person the cipher lock code. Which of the following is the BEST response to this issue at the minimum cost? A. Implement a physical security control. B. Install tailgates C. Provide security awareness training. D. Place a guard at the entrance.
C. Security awareness training is often the best response to violations of security policies. If individuals do not abide by the policies after training, management can take disciplinary action. The cipher lock is a physical security control, but it is not effective due to employees bypassing it. Tailgating occurs when one user follows closely behind another user without using credentials and mantraps prevent tailgating, but tailgates are on the back of trucks. Guards can prevent this issue by only allowing authorized personnel in based on facial recognition or identification badges, but at a much higher cost. See Chapters 2 and 11.
50. Your organization was recently attacked, resulting in a data breach, and attackers captured customer data. Management wants to take steps to better protect customer data. Which of the following will BEST support this goal? A. Succession planning and data recovery procedures B. Fault tolerance and redundancy C. Stronger access controls and encryption D. Hashing and digital signatures
C. Strong access controls and encryption are two primary methods of protecting the confidentiality of any data, including customer data. Succession planning and data recovery procedures are part of business continuity. Fault tolerance and redundancy increase the availability of data. Hashing and digital signatures provide integrity. See Chapter 5.
64. You are trying to add additional security controls for a database server that includes customer records and need to justify the cost of $1,000 for these controls. The database includes 2,500 records. Estimates indicate a cost of $300 for each record if an attacker successfully gains access to them. Research indicates that there is a 10 percent possibility of a data breach in the next year. What is the ALE? A. $300 B. $37,500 C. $75,000 D. $750,000
C. The annual loss expectancy (ALE) is $75,000. The single loss expectancy (SLE) is $750,000 ($300 per record × 2,500 records). The annual rate of occurrence (ARO) is 10 percent or .10. You calculate the ALE as SLE × ARO ($750,000 × .10). One single record is $300, but if an attacker can gain access to the database, the attacker can access all 2,500 records. If the ARO was .05, the ALE would be $37,500. See Chapter 8.
86. Personnel within your company are assisting an external auditor perform a security audit. They frequently send documents to the auditor via email and some of these documents contain confidential information. Management wants to implement a solution to reduce the possibility of unintentionally exposing this data. Which of the following is the BEST choice? A. Hash all outbound email containing confidential information. B. Use digital signatures on all outbound email containing confidential information. C. Encrypt all outbound email containing confidential information. D. Implement DLP to scan all outbound email.
C. The best method of preventing unintentional exposure of confidential information is encryption, so encrypting all outbound emails containing confidential information is the best choice. Hashing the emails doesn't protect the confidentiality of the information. Digital signatures provide proof of who sent an email, but don't protect confidentiality. Data loss prevention (DLP) techniques can detect when employees send out some types of data, but they block the transmission, which would prevent the auditors from getting the data they need. See Chapter 10.
15. An organization supports remote access, allowing users to work from home. However, management wants to ensure that personnel cannot log on to work systems from home during weekends and holidays. Which of the following BEST supports this goal? A. Least privilege B. Need to know C. Time-of-day restrictions D. Mandatory access control
C. Time-of-day restrictions prevent users from logging on during certain times. Least privilege and need to know restrict access to only what the user needs, and these concepts are not associated with time. Mandatory access control uses labels and can restrict access based on need to know, but it is not associated with time. See Chapter 2.
85. You need to ensure data sent over an IP-based network remains confidential. Which of the following provides the BEST solution? A. Stream ciphers B. Block ciphers C. Transport encryption D. Hashing
C. Transport encryption techniques such as Internet Protocol security (IPsec) provide confidentiality. Both stream ciphers and block ciphers can be used by different transport encryption protocols. Hashing provides integrity, but encryption is needed to provide confidentiality. See Chapters 3, 4, and 10.
Homer wants to use digital signatures for his emails and realizes he needs a certificate. What will issue Homer a certificate?
CA
What entity verifies the authenticity of certificates?
CA
Which one of the following includes a photo and can be used as identification?
CAC and PIV
Employees access a secure area by entering a cipher code, but this code does not identify individuals. After a recent security incident, management has decided to implement a key card system that will identify individuals who enter and exit this secure area. However, the installation might take six months or longer. What can the organization install immediately to identify individuals who enter or exit the secure area?
CCTV
Of the following choices, what is a detective security control?
CCTV
Personnel within your organization turned off the HR data server for over six hours to perform a test. What is the MOST likely purpose of this?
COOP
(89) What includes a list of compromised or invalid certificates? CA Digital signature S/MIME CRL
CRL
An organization wants to ensure that it does not use a compromised certificate. What should it check?
CRL
Your organization is planning to implement an internal PKI. What is required to ensure users can validate certificates?
CRL
You need to request a certificate for a web server. Which of the following would you MOST likely use?
CSR
Your organization wants to reduce the amount of money it is losing due to thefts. Which of the following is the BEST example of an equipment theft deterrent?
Cable locks
A forensic expert is preparing to analyze a hard drive. What should the expert do FIRST?
Capture an image
Lenny and Carl work in an organization that includes a PKI. Carl needs to send a digitally signed file to Lenny. What does Carl use in this process?
Carl's private key
Certificates are used for: (Select TWO). A. Client authentication. B. WEP encryption. C. Access control lists. D. Code signing. E. Password hashing.
A, D
(100) The computer incident response team (CIRT) is trained on documenting the location of data they collect in an investigation. What does this documentation provide? Integrity Basis for imaging Chain of custody Least privilege
Chain of custody
A forensic expert collected a laptop as evidence. What provides assurances that the system was properly handled while it was transported?
Chain of custody
A technician confiscated an employee's computer after management learned the employee had unauthorized material on his system. Later, a security expert captured a forensic image of the system disk. However, the security expert reported the computer was left unattended for several hours before he captured the image. What is a potential issue if this incident goes to court?
Chain of custody
Application developers in your organization currently update applications on live production servers when needed. However, they do not follow any predefined procedures before applying the updates. What should the organization implement to prevent any risk associated with this process?
Change management
Security experts want to reduce risks associated with updating critical operating systems. What will BEST meet this goal?
Change management
Your organization wants to prevent unintended outages caused by changes to systems. What could it use?
Change management
Which of the following is a preventative control that can prevent outages due to ad-hoc configuration errors?
Change management plan
(46) A vendor released a firmware update that applies to several routers used in your organization, and you have updated each of the routers. Where should you document the completion of this work? Security log Change management system CCTV ACL
Change management system
(91) An organization wants users to organize their areas to reduce data theft. What would it most likely use to identify this requirement? Clean desk policy Requirement for administrators to have two accounts Whaling education Privacy screens
Clean desk policy
A security manager is reviewing security policies related to data loss. What is the security administrator MOST likely to be reviewing?
Clean desk policy
An organization wants to reduce the possibility of data theft. Of the following choices, what can assist with this goal?
Clean desk policy
What technology can an organization use to assist with computing requirements in heavily utilized systems?
Cloud computing
What can remove a server as a single point of failure?
Clustering
An organization develops its own software. Of the following choices, what is a security practice that should be included in the process?
Code review
An organization has released an application. Of the following choices, what is the most thorough way to discover vulnerabilities with the application?
Code review
Your organization develops web application software, which it sells to other companies for commercial use. Your organization wants to ensure that the software isn't susceptible to common vulnerabilities, such as buffer overflow attacks and race conditions. What should the organization implement to ensure software meets this standard?
Code review
Your organization develops web application software, which it sells to other companies for commercial use. To ensure the software is secure, your organization uses a peer assessment to help identify potential security issues related to the software. Which of the following is the BEST term for this process?
Code review
Security personnel recently released an online training module advising employees not to share personal information on any social media web sites that they visit. What is the advice MOST likely trying to prevent?
Cognitive password attacks
(76) Which of the following continuity of operations solutions is the least expensive? Hot site Cold site Warm site BIA site
Cold site
While analyzing an application log, you discover several entries where a user has entered the following command into a web-based form: ../etc/passwd. What does this indicate?
Command injection attack
Company A sends a PGP encrypted file to company B. If company A used company B's public key to encrypt the file, which of the following should be used to decrypt data at company B? A. Registration B. Public key C. CRLs D. Private key
D
Company employees are required to have workstation client certificates to access a bank website. These certificates were backed up as a precautionary step before the new computer upgrade. After the upgrade and restoration, users state they can access the bank's website, but not log in. Which of the following is MOST likely the issue? A. The IP addresses of the clients have changed B. The client certificate passwords have expired on the server C. The certificates have not been installed on the workstations D. The certificates have been installed on the CA
C
Company policies require that all network infrastructure devices send system level information to a centralized server. Which of the following should be implemented to ensure the network administrator can review device error information from one central location? A. TACACS+ server B. Single sign-on C. SYSLOG server D. Wi-Fi analyzer
C
An administrator used a disaster recovery plan to rebuild a critical server after an attack. Of the following choices, how can the administrator verify the system's functionality?
Compare the system's performance against a performance baseline
Management recently rewrote the organization's security policy to strengthen passwords created by users. It now states that passwords should support special characters. Which of the following choices is the BEST setting to help the organization achieve this goal?
Complexity
Computer code or commands that take advantage of a design flaw in software are commonly referred to as: A. Bug B. Backdoor C. Exploit D. Rootkit
C
Concurrent use of a firewall, content filtering, antivirus software and an IDS system would be considered components of: A. Redundant systems. B. Separation of duties. C. Layered security. D. Application control.
C
(1) An organization hosts online gaming and wants to ensure that customer data hosted within the datacenter is protected. It implements several access controls, including a mantrap. What is the organization trying to protect? Social engineering Availability Confidentiality Integrity
Confidentiality
(87) Sally sent an encrypted email with a digital signature to Joe. What would Joe's public key provide in this situation? Integrity Non-repudiation Confidentiality Availability
Confidentiality
Lisa hid several plaintext documents within an image file. Which security goal is she pursuing?
Confidentiality
You want to ensure that data is only viewable by authorized users. What security principle are you trying to enforce?
Confidentiality
You need to create an account for a contractor who will be working at your company for 90 days. What is the BEST security step to take when creating this account?
Configure an expiration date on the account
Homer noticed that several generators within the nuclear power plant have been turning on without user interaction. Security investigators discovered that an unauthorized file was installed and causing these generators to start at timed intervals. Further, they determined this file was installed during a visit by external engineers. What should Homer recommend to mitigate this threat in the future?
Configure the SCADA within a VLAN
Connections using point-to-point protocol authenticate using which of the following? (Select TWO). A. RIPEMD B. PAP C. CHAP D. RC4 E. Kerberos
B, C
(33) An IPS is monitoring data streams looking for malicious behavior. When it detects malicious behavior, it blocks the traffic. What is this IPS using? Smurf detection Honeypot Content Inspection Port scanner
Content Inspection
An organization has a web security gateway installed. What function is this performing?
Content filtering
Your organization wants to ensure that security controls continue to function, helping to maintain an appropriate security posture. What is the BEST choice to meet this goal?
Continuous security monitoring
What is the purpose of a cipher lock system?
Control door access with a keypad
Corporate IM presents multiple concerns to enterprise IT. Which of the following concerns should Jane, the IT security manager, ensure are under control? (Select THREE). A. Authentication B. Data leakage C. Compliance D. Malware E. Non-repudiation F. Network loading
B, C, D
A company recently hired you as a security administrator. You notice that some former accounts used by temporary employees are currently enabled. Which of the following choices is the BEST response?
Craft a script to identify inactive accounts based on the last time they logged on.
An organization recently suffered a significant outage after a technician installed an application update on a vital server during peak hours. The server remained down until administrators were able to install a previous version of the application on the server. What could the organization implement to prevent a reoccurrence of this problem?
Create a patch management policy
An organization recently suffered a significant outage due to attacks on unpatched systems. Investigation showed that administrators did not have a clear idea of when they should apply the patches. What can they do to prevent a reoccurrence of this problem?
Create a patch management policy
An e-commerce web site does not currently have an account recovery process for customers who have forgotten their passwords. Which of the following choices are the BEST items to include if web site designers add this process? (Select TWO.)
Create a web-based form that verifies customer identities using another method. Set a temporary password that expires upon first use.
The Retirement Castle uses groups for ease of administration and management. They recently hired Jasper as their new accountant. Jasper needs access to all the files and folders used by the Accounting department. What should the administrator do to give Jasper appropriate access?
Create an account for Jasper and add the account to the Accounting group.
A company was recently involved in a legal issue that resulted in administrators spending a significant amount of time retrieving data from archives in response to a court order. The company wants to limit the time spent on similar events in the future. What can it do?
Create storage and retention policies
(61) A web application is blocking users from including HTML tags in data inputs. What is it trying to prevent? Cross-site scripting Trojans Rootkits SQL injection
Cross-site scripting
A website prevents users from using the less-than character (<) when entering data into forms. What is it trying to prevent?
Cross-site scripting
4. Your organization is planning to implement stronger authentication for remote access users. An updated security policy mandates the use of token-based authentication with a password that changes every 30 seconds. Which of the following choices BEST meets this requirement? A. CHAP B. Smart card C. HOTP D. TOTP
D. A Time-based One-Time Password (TOTP) creates passwords that expire after 30 seconds. An HMAC-based One Time Password (HOTP) creates passwords that do not expire. Challenge Handshake Authentication Protocol uses a nonce (a number used once), but a nonce does not expire after 30 seconds. See Chapter 1.
72. You need to periodically check the configuration of a server and identify any changes. What are you performing? A. Code review B. Design review C. Attack surface review D. Baseline review
D. A baseline review identifies changes from the original deployed configuration. The original configuration is also known as the baseline. A code review checks internally developed software for vulnerabilities. A design review verifies the design of software or applications to ensure they are developed properly. Determining the attack surface is an assessment technique, but it does not identify changes. See Chapter 8.
73. Your organization hired an external security expert to test a web application. The security expert is not given any access to the application interfaces, code, or data. What type of test will the security expert perform? A. Black hat B. White box C. Gray box D. Black box
D. A black box tester doesn't have access to any data prior to a test, and this includes application interfaces, code, and data. White box testers would be given full access to the application interfaces, code, and data, and gray box testers would be given some access. Black hat refers to a malicious attacker. See Chapter 8.
79. Your organization is updating its business continuity documents. You're asked to review the communications plans for possible updates. Which of the following should you ensure is included in the communications plan? A. A list of systems to recover in hierarchical order B. Incident response procedures C. List of critical systems and components D. Methods used to respond to media requests, including templates
D. A communications plan will include methods used to respond to media requests, including basic templates. Although not available as a possible answer, it would also include methods used to communicate with response team members, employees, suppliers, and customers. None of the other answers are part of a communications plan. A DRP includes a list of systems to recover in hierarchical order. An incident response plan identifies incident response procedures. A BIA identifies critical systems and components. See Chapter 9.
53. What functions does an HSM include? A. Reduces the risk of employees emailing confidential information outside the organization B. Provides webmail to clients C. Provides full drive encryption D. Generates and stores keys used with servers
D. A hardware security module (HSM) is a removable device that can generate and store RSA keys used with servers for data encryption. A data loss prevention (DLP) device is a device that can reduce the risk of employees emailing confidential information outside the organization. Software as a Service (SaaS) provides software or applications, such as webmail, via the cloud. A Trusted Platform Module (TPM) provides full drive encryption and is included in many laptops. See Chapter 5.
67. Which of the following tools would a security administrator use to identify misconfigured systems within a network? A. Pentest B. Virus scan C. Load test D. Vulnerability scan
D. A vulnerability scan checks systems for potential vulnerabilities, including vulnerabilities related to misconfiguration. Although a penetration test (pentest) can identify misconfigured systems, it also attempts to exploit vulnerabilities on these systems, so it isn't appropriate if you only want to identify the systems. A virus scan identifies malware and a load test determines if a system can handle a load, but neither of these identifies misconfigured systems. See Chapter 8.
68. A security expert is running tests to identify the security posture of a network. However, these tests are not exploiting any weaknesses. Which of the following types of test is the security expert performing? A. Penetration test B. Virus scan C. Port scan D. Vulnerability scan
D. A vulnerability scan identifies the security posture of a network but it does not actually exploit any weaknesses. In contrast, a penetration test attempts to exploit weaknesses. A virus scan searches a system for malware and a port scan identifies open ports, but neither identifies the security posture of an entire network. See Chapter 8.
25. What would administrators typically place at the end of an ACL of a firewall? A. Allow all all B. Timestamp C. Password D. Implicit deny
D. Administrators would place an implicit deny rule at the end of an access control list (ACL) to deny all traffic that hasn't been explicitly allowed. Many firewalls place this rule at the end by default. An allow all all rule explicitly allows all traffic and defeats the purpose of a firewall. Timestamps aren't needed in an ACL. ACLs are in cleartext so should not include passwords. See Chapter 3.
29. Which of the following BEST describes a false negative? A. An IDS falsely indicates a buffer overflow attack occurred. B. Antivirus software reports that a valid application is malware. C. A locked door opens after a power failure. D. An IDS does not detect a buffer overflow attack.
D. An intrusion detection system (IDS) should detect a buffer overflow attack and report it, but if it does not, it is a false negative. If the IDS falsely indicates an attack occurred, it is a false positive. If antivirus software indicates a valid application is malware, it is a false positive. A locked door that opens after a power failure is designed to fail-open. See Chapter 4.
40. You suspect that an executable file on a web server is malicious and includes a zero-day exploit. Which of the following steps can you take to verify your suspicions? A. Perform a code review. B. Perform an architecture review. C. Perform a design review. D. Perform an operating system baseline comparison.
D. An operating system baseline comparison is the best choice of the available answers. It can verify if the file is in the baseline, or was added after the server was deployed. A code review is possible if you have access to the original code, but this isn't easily possible with an executable file. Code reviews look at the code before it is released and architecture reviews look at architecture designs, but neither of these identifies malicious files after a web server has been deployed. See Chapter 5.
83. Your organization is investigating possible methods of sharing encryption keys over a public network. Which of the following is the BEST choice? A. CRL B. PBKDF2 C. Hashing D. ECDHE
D. Elliptic Curve Diffie-Hellman Ephemeral (ECDHE) allows entities to negotiate encryption keys securely over a public network. Password-Based Key Derivation Function 2 (PBKDF2) is a key stretching technique designed to make password cracking more difficult. A certificate revocation list (CRL) identifies revoked certificates and is unrelated to sharing encryption keys. Hashing methods do not support sharing encryption keys over a public network. See Chapter 10.
30. Company management suspects an employee is stealing critical project information and selling it to a competitor. They'd like to identify who is doing this, without compromising any live data. What is the BEST option to meet this goal? A. Install antivirus software on all user systems. B. Implement an IPS. C. Implement an IDS. D. Add fabricated project data on a honeypot.
D. Fabricated data on a honeypot could lure the malicious insider and entice him to access it. Antivirus software blocks malware. An intrusion prevention system (IPS) and an intrusion detection system (IDS) each detect attacks, but won't detect someone accessing data on a server. See Chapter 4.
92. Homer works as a contractor at a company on a one-year renewing contract. After renewing his contract, the company issues him a new smart card. However, he is now having problems digitally signing email or opening encrypted email. What is the MOST likely solution? A. Copy the original certificate to the new smart card. B. Copy his original private key to the new smart card. C. Copy his original public key to the new smart card. D. Publish the certificate in his new smart card.
D. He should publish the certificate in his new smart card in a global address list within the domain. It is not possible for users to copy a certificate, a public key, or a private key to a smart card. See Chapter 10.
1. Lisa hid several plaintext documents within an image file. Which security goal is she pursuing? A. Encryption B. Integrity C. Steganography D. Confidentiality
D. Hiding files in another file is one way to achieve the security goal of confidentiality. In this scenario, Lisa is using steganography as the method by hiding files within a file. Encryption is the best way to achieve confidentiality, but simply hiding files within a file doesn't encrypt the data. Hashing methods and digital signatures provide integrity. See Chapters 1 and 10.
7. A network includes a ticket-granting ticket server used for authentication. What authentication service does this network use? A. TACACS+ B. SAML C. LDAP D. Kerberos
D. Kerberos uses a ticket-granting ticket server, which creates tickets for authentication. Terminal Access Controller Access-Control System Plus (TACACS+) is an authentication service created by Cisco. Security Assertion Markup Language (SAML) is an Extensible Markup Language (XML) used for single sign-on (SSO) solutions. Lightweight Directory Access Protocol (LDAP) is an X.500-based authentication service that can be secured with Transport Layer Security (TLS). See Chapter 1.
35. Which of the following wireless security mechanisms is subject to a spoofing attack? A. WEP B. IV C. WPA2 Enterprise D. MAC address filtering
D. Media access control (MAC) address filtering is vulnerable to spoofing attacks because attackers can easily change MAC addresses on network interface cards (NICs). Wired Equivalent Privacy (WEP) can be cracked using an initialization vector (IV) attack, but not by spoofing. WPA2 Enterprise requires users to enter credentials, so it isn't susceptible to a spoofing attack. See Chapter 4.
89. Bart recently sent out confidential data via email to potential competitors. Management suspects he did so accidentally, but Bart denied sending the data. Management wants to implement a method that would prevent Bart from denying accountability in the future. What are they trying to enforce? A. Confidentiality B. Encryption C. Access control D. Non-repudiation
D. Non-repudiation methods such as digital signatures prevent users from denying they took an action. Encryption methods protect confidentiality. Access control methods protect access to data. See Chapters 1 and 10.
61. An attacker is attempting to write more data into a web application's memory than it can handle. What type of attack is this? A. XSRF B. LDAP injection C. Fuzzing D. Buffer overflow
D. One type of buffer overflow attack attempts to write more data into an application's memory than it can handle. A cross-site request forgery (XSRF) attack attempts to launch attacks with HTML code. Lightweight Directory Access Protocol (LDAP) injection attacks attempt to query directory service databases such as Microsoft Active Directory. Fuzzing inputs random data into an application during testing. See Chapter 7.
81. Your organization is planning to implement videoconferencing, but it wants to protect the confidentiality of the streaming video. Which of the following would BEST meet this need? A. PBKDF2 B. DES C. MD5 D. RC4
D. Rivest Cipher 4 (RC4) is a symmetric encryption stream cipher, and a stream cipher is often the best choice for encrypting data of an unknown size, such as streaming video. Encryption is the best way to ensure the confidentiality of data. Password-Based Key Derivation Function 2 (PBKDF2) is a key stretching technique designed to protect passwords against brute force attempts and is not used for streaming data. Data Encryption Standard (DES) is an older block cipher that is not secure. Message Digest 5 (MD5) is a hashing algorithm used for integrity. See Chapter 10.
28. Which of the following protocols operates on Layer 7 of the OSI model? A. IPv6 B. TCP C. ARP D. SCP
D. Secure Copy (SCP) operates on Layer 7 of the OSI model. IPv6 operates on Layer 3. TCP operates on Layer 4. Address Resolution Protocol (ARP) operates on Layer 3. See Chapter 3.
19. Your organization recently updated its security policy and indicated that Telnet should not be used within the network. Which of the following should be used instead of Telnet? A. SCP B. SFTP C. SSL D. SSH
D. Secure Shell (SSH) is a good alternative to Telnet. SSH encrypts transmissions, whereas Telnet transmits data in cleartext. Secure Copy (SCP) and Secure File Transfer Protocol (SFTP) use SSH to encrypt files sent over the network. See Chapter 3.
20. One of your web servers was recently attacked and you have been tasked with reviewing firewall logs to see if you can determine how an attacker accessed the system remotely. You identified the following port numbers in log entries: 21, 22, 25, 53, 80, 110, 443, and 3389. Which of the following protocols did the attacker MOST likely use? A. Telnet B. HTTPS C. DNS D. RDP
D. The attacker most likely used Remote Desktop Protocol (RDP) over port 3389. Telnet can connect to systems remotely, but it uses port 23 and that isn't one of the listed ports. HTTPS uses port 443 for secure HTTP sessions. DNS uses port 53 for name resolution queries and zone transfers. See Chapter 3.
12. Management recently rewrote the organization's security policy to strengthen passwords created by users. It now states that passwords should support special characters. Which of the following choices is the BEST setting to help the organization achieve this goal? A. History B. Maximum age C. Minimum length D. Complexity
D. The complexity setting is the best answer because it includes using multiple character types, such as special characters, numbers, and uppercase and lowercase letters. The history setting remembers previous passwords and prevents users from reusing them. The maximum age setting forces users to change their password after a set number of days has passed. The minimum length setting forces users to create passwords with a minimum number of characters, such as eight. See Chapter 2.
59. A web developer wants to reduce the chances of an attacker successfully launching XSRF attacks against a web site application. Which of the following provides the BEST protection? A. Client-side input validation B. Web proxy C. Antivirus software D. Server-side input validation
D. Validating and filtering input using server-side input validation can restrict the use of special characters needed in cross-site request forgery (XSRF) attacks. Both server-side and client-side input validation is useful, but client-side input validation can be bypassed, so it should not be used alone. A web proxy can filter URLs, but it cannot validate data. Additionally, web proxies can be used to bypass client-side input validation techniques. Antivirus software cannot detect XSRF attacks. See Chapter 7.
42. An updated security policy identifies authorized applications for company-issued mobile devices. Which of the following would prevent users from installing other applications on these devices? A. Geo-tagging B. Authentication C. ACLs D. Whitelisting
D. Whitelisting identifies authorized software and prevents users from installing or running any other software. Geo-tagging adds location information to media such as photographs, but the scenario only refers to applications. Authentication allows users to prove their identity, such as with a username and password, but isn't relevant in this question. Access control lists (ACLs) are used with routers, firewalls, and files, but do not restrict installation of applications. See Chapter 5.
17. You are configuring a file server used to share files and folders among employees within your organization. However, employees should not be able to access all folders on this server. Which of the following choices is the BEST method to manage security for these folders? A. Assign permissions to each user as needed. B. Wait for users to request permission and then assign the appropriate permissions. C. Delegate authority to assign these permissions. D. Use security groups with appropriate permissions.
D. You can create security groups, place users into these groups, and grant access to the folders by assigning appropriate permissions to the security groups. For example, the security groups might be Sales, Marketing, and HR, and you place users into the appropriate group based on their job. This is an example of using group-based privileges. Waiting for users to ask, and then assigning permissions to users individually has a high administrative overhead. Although delegating authority to assign permissions might work, it doesn't provide the same level of security as centrally managed groups, and without groups, it will still have a high administrative overhead for someone. See Chapter 2.
(56) What type of attack is launched from multiple systems from different geographic locations? DoS DDoS SYN Flood Kiting
DDoS
Attackers have launched an attack using multiple systems against a single target. What type of attack is this?
DDoS
You are troubleshooting an intermittent connectivity issue with a web server. After examining the logs, you identify repeated connection attempts from various IP addresses. You realize these connection attempts are overloading the server, preventing it from responding to other connections. What is MOST likely occurring?
DDoS attack
Which of the following algorithms encrypts data in 64-bit blocks?
DES
Which of the following uses 56-bit keys for encryption?
DES
Management wants to ensure that employees do not print any documents that include customer PII. What would meet this goal?
DLP
Management within your organization wants to limit documents copied to USB flash drives. Which of the following can be used to meet this goal?
DLP
Of the following choices, what can be used to allow access to specific services from the internet while protecting access to an internal network?
DMZ
Your organization hosts a web server and wants to increase its security. You need to separate all web-facing traffic from internal network traffic. What provides the BEST solution?
DMZ
While analyzing a firewall log, you notice traffic going out of your network on UDP port 53. What does this indicate?
DNS traffic
A critical system failed. Of the following choices, what would an organization implement to restore it?
DRP
Your organization is working on its business continuity plan. Management wants to ensure that documents provide detailed information on what technicians should do after an outage. Specifically, they want to list the systems to restore and the order in which to restore them. What document includes this information?
DRP
Which of the following statements accurately describes the relationship between keys in a PKI?
Data encrypted with a public key can only be decrypted with the matching private key
What represents a primary security concern when authorizing mobile devices on a network?
Data security
Your organization hosts a web site with a back-end database. The database stores customer data, including credit card numbers. What is the BEST way to protect the credit card data?
Database column encryption
An organization is considering using virtualization in their datacenter. What benefits will this provide? (Choose all that apply)
Decreased footprint, Reduction in physical equipment needing security
Most firewalls have a default rule placed at the end of the firewall's ACL. Which of the following is the most likely default rule?
Deny any any
Your organization plans to deploy new systems within the network within the next six months. What should your organization implement to ensure these systems are developed properly?
Design review
Your primary job activities include monitoring security logs, analyzing trend reports, and installing CCTV systems. Which choices BEST identifies your responsibilities? (Select TWO)
Detecting security incidents; Implementing monitoring controls
Your organization regularly performs routine security audits to assess the security posture. What type of control is this?
Detective
Users in your organization access your network from remote locations. Currently, the remote access solution uses RADIUS. However, the organization wants to implement a stronger authentication service that supports EAP. What BEST meets this goal?
Diameter
Your network requires a secure method of sharing encryption keys over a public network. What is the BEST choice?
Diffie-Hellman
Digital certificates can be used to ensure which of the following? (Select TWO). A. Availability B. Confidentiality C. Verification D. Authorization E. Non-repudiation
C E
An organization requested bids for a contract and asked companies to submit their bids via email. After winning the bid, Acme realized it couldn't meet the requirements of the contract. Acme instead stated that it never submitted the bid. Which of the following would provide proof to the organization that Acme did submit the bid?
Digital signature
A recent spear phishing attack that appeared to come from your organization's CEO resulted in several employees revealing their passwords to attackers. Management wants to implement a security control to provide assurance to employees that email that appears to come from the CEO actually came from the CEO. What should be implemented?
Digital signatures
An organization wants to verify the identity of anyone sending e-mails. The solution should also verify integrity of the e-mails. What can it use?
Digital signatures
Digital signatures are used for ensuring which of the following items? (Select TWO). A. Confidentiality B. Integrity C. Non-Repudiation D. Availability E. Algorithm strength
B C
Developers in your organization have created an application designed for the sales team. Salespeople can log on to the application using a simple password of 1234. However, this password does not meet the organization's password policy. What is the BEST response by the security administrator after learning about this?
Direct the application team manager to ensure the application adheres to the organization's password policy
You recently learned that a network router has TCP ports 22 and 80 open, but the organization's security policy mandates that these should not be accessible. What should you do?
Disable the SSH and HTTP services on the router
After an employee is terminated, what should be done to revoke the employee's access?
Disable the account
A recent security audit discovered several apparently dormant user accounts. Although users could log on to the accounts, no one had logged on to them for more than 60 days. You later discovered that these accounts are for contractors who work approximately one week every quarter. What is the BEST response to this situation?
Disable the accounts
Your organization has several switches used within the network. You need to implement a security control to secure the switch from physical access. What should you do?
Disable unused ports
Your organization uses switches for connectivity. Of the following choices, what will protect the switch?
Disable unused ports
Of the following choices, what is a step used to harden a database application?
Disabling default accounts and changing default passwords
Your company has recently provided mobile devices to several employees. A security manager has expressed concerns related to data saved on these devices. What would BEST address these concerns?
Disabling the use of removable media
You need to reduce the attack surface of a web server. Which of the following is a preventive control that will assist with this goal?
Disabling unnecessary Services
Attackers recently attacked a web server hosted by your organization. Management has tasked administrators with reducing the attack surface of this server to prevent future attacks. What will meet this goal?
Disabling unnecessary services
Your organization wants to improve the security posture of internal database servers. What provides the BEST solution?
Disabling unnecessary services
Your organization wants to reduce threats from zero-day vulnerabilities. Of the following choices, what provides the best solution?
Disabling unnecessary services
An administrator recently discovered an active attack on a database server. The server hosts customer PII and other data. What should the administrator do first?
Disconnect the server from the network
Windows systems protect files and folders with New Technology File System (NTFS). What access control model does NTFS use?
Discretionary access control (DAC)
Your organization issues users a variety of different mobile devices. However, management wants to reduce potential data losses if the devices are lost or stolen. What is the BEST technical control to achieve this goal?
Disk encryption
Web developers are implementing error and exception handling in a web site application. What represents a best practice for this?
Displaying a generic error message but logging detailed information on the error
An attacker enters a string of data in a web application's input form and crashes it. What type of attack is this?
DoS
A forensic expert created an image copy of a hard drive and created a chain of custody. What does the chain of custody provide?
Documentation on who handled the evidence
Your network infrastructure requires users to authenticate with something they are and something they know. What BEST describes this authentication method?
Dual-factor
An organization's security policy requires employees to incinerate paper documents. What type of attack is this MOST likely to prevent?
Dumpster diving
While cleaning out his desk, Bart threw several papers containing PII into the recycle bin. Which type of attack can exploit this action?
Dumpster diving
During a check of the security control measures of the company network assets, a network administrator is explaining the difference between the security controls at the company. Which of the following would be identified as physical security controls? (Select THREE). A. RSA B. Passwords C. Man traps D. Biometrics E. Cipher locks F. VLANs G. 3DES
C; D; E
During a recent user awareness and training session, a new staff member asks the Chief Information Security Officer (CISO) why the company does not allow personally owned devices into the company facilities. Which of the following represents how the CISO should respond? A. Company A views personally owned devices as creating an unacceptable risk to the organizational IT systems. B. Company A has begun to see zero-day attacks against personally owned devices disconnected from the network. C. Company A believes that staff members should be focused on their work while in the company's facilities. D. Company A has seen social engineering attacks against personally owned devices and does not allow their use.
A
During a security assessment, an administrator wishes to see which services are running on a remote server. Which of the following should the administrator use? A. Port scanner B. Network sniffer C. Protocol analyzer D. Process list
A
During which of the following phases of the Incident Response process should a security administrator define and implement general defense against malware? A. Lessons Learned B. Preparation C. Eradication D. Identification
B
Your organization plans to issue some employees mobile devices such as smartphones and tablets. These devices don't have a lot of processing power. Which cryptographic method has the LEAST overhead and will work with these mobile devices?
ECC
A security technician runs an automated script every night designed to detect changes in files. What are the most likely protocols used in this script?
ECC and HMAC
Your organization is investigating possible methods of sharing encryption keys over a public network. Which of the following is the BEST choice?
ECDHE
Which of the following is an environmental control?
EMI
(80) What can you use to prevent data loss in a CAT 6 cable? Fiber optics Unshielded cable RAID EMI shielding
EMI shielding
Of the following choices, what is the best choice to help prevent someone from capturing network traffic?
EMI shielding
Users are complaining of intermittent connectivity issues. When you investigate, you discover that new network cables for these user systems were run across several fluorescent lights. What environmental control will resolve this issue?
EMI shielding
Of the following choices, what is an encryption algorithm that is commonly used in small portable devices, such as mobile phones?
Elliptic curve
Your organization routinely hires contractors to assist with different projects. Administrators are rarely notified when a project ends and contractors leave. What is the BEST choice to ensure that contractors cannot log on with their account after they leave?
Enable account expiration
A user plugged a cable into two RJ-45 wall jacks connected to unused ports on a switch. In a short period, this disrupted the overall network performance. What should you do to protect against this problem in the future?
Enable loop protection on the switch
You are assisting a small business owner in setting up a public wireless hot spot for her customers. What actions are MOST appropriate for this hot spot?
Enabling Open System Authentication
Personnel within your company are assisting an external auditor in performing a security audit. They frequently send documents to the auditor via email, and some of these documents contain confidential information. Management wants to implement a solution to reduce the possibility of unintentionally exposing this data. Which of the following is the BEST choice?
Encrypt all outbound email containing confidential information.
You need to transmit PII via email and you want to maintain its confidentiality. What is the BEST solution?
Encrypt it before sending
A business owner is preparing to decommission a server that has processed sensitive data. He plans to remove the hard drives and send them to a company that destroys them. However, he wants to be certain that personnel at that company cannot access data on the drives. Which of the following is the BEST option to meet this goal?
Encrypt the drives using full disk encryption.
(38) What would you use to protect against loss of confidentiality of data stored on a mobile phone? Hashing Evil twin Encryption IPSec
Encryption
Homer needs to send an email to his HR department with an attachment that includes PII. He wants to maintain the confidentiality of this attachment. What is the BEST choice to meet his needs?
Encryption
Of the following choices, what is the best way to protect the confidentiality of data?
Encryption
End-user awareness training for handling sensitive personally identifiable information would include secure storage and transmission of customer: A. Date of birth. B. First and last name. C. Phone number. D. Employer name.
A
A security administrator is implementing a security program that addresses confidentiality and availability. What else should the administrator include?
Ensure systems are not susceptible to unauthorized change
Of the following choices, what is a primary benefit of data labeling?
Ensure that employees understand data they are handling
You are helping implement your company's business continuity plan. For one system, the plan requires an RTO of five hours and an RPO of one day. What would meet this requirement?
Ensure the system can be restored within five hours and ensure it does not lose more than one day of data
A company's account management policy dictates that administrators should disable user accounts instead of deleting them when an employee leaves the company. What security benefit does this provide?
Ensures that user keys are retained
C
Ensuring that the party that sent the data remains associated with it, and cannot deny sending it is known as: A. Identification B. Accountability C. Non-repudiation D. Integrity
You manage a group of computers in an isolated network without Internet access. You need to update the antivirus definitions manually on these computers. What is the MOST important concern?
Ensuring the definition file hash is equal to the hash on the antivirus vendor's web site
D
Entry fields of web forms lacking input validation are vulnerable to what kind of attacks? A. Spear phishing B. Watering hole attack C. Tailgating D. SQL injection
C
Environmental control measures include which of the following? A. Access list B. Lighting C. Motion detection D. EMI shielding
Without adequate physical security controls, attackers can cause significant damage to systems within a data center. What could an attacker manipulate to cause extensive physical damage?
Environmental controls
An attacker is entering incorrect data into a form on a web page. The result shows the attacker the type of database used by the website and provides hints on what SQL statements the database accepts. What can prevent this?
Error handling
An organization requires administrators to have two accounts. One account has administrator access and the other account is a regular user account. What can this prevent?
Escalation of privileges
B
Establishing a published chart of roles, responsibilities, and chain of command to be used during a disaster is an example of which of the following? A. Fault tolerance B. Succession planning C. Business continuity testing D. Recovery point objectives
You need to monitor the security posture of several servers in your organization and keep a security administrator aware of their status. What will BEST help you meet this goal?
Establishing baseline reporting
Which of the following is an IPv6 address?
FE80:0000:0000:0000:20D4:3FF7:003F:DE62
Of the following choices, which one provides the most security for FTP?
FTPS
Humidity controls in your data center are failing. You need to convince management of the importance of these. What would you tell them?
Failing humidity controls can cause damage from ESD and condensation
A recent vulnerability scan reported that a web application server is missing some patches. However, after inspecting the server you realize that the patches are for a protocol that administrators removed from the server. What is the BEST explanation for this disparity?
False positive
You recently completed a vulnerability scan on your network. It reported that several servers are missing key operating system patches. However, after checking the servers, you've verified the servers have these patches installed. What BEST describes this?
False positive
Administrators have noticed an increased workload recently. What can cause an increased workload from incorrect reporting?
False positives
Several servers in your server room are connected to a UPS. What does this provide?
Fault tolerance
Network administrators in your organization need to administer firewalls, security appliances, and other network devices. These devices are protected with strong passwords, and the passwords are stored in a file listing these passwords. What is the BEST choice to protect this password list?
File encryption
Which of the following choices is an example of using multiple authentication factors?
Fingerprint and password
Users at your organization currently use a combination of smart cards and passwords, but an updated security policy requires multifactor security using three different factors. Which of the following can you add to meet the new requirement?
Fingerprint readers
An organization designed its datacenter with hot and cold aisles. Of the following choices, what is not a valid purpose of hot and cold aisles?
Fire suppression
What type of device would have the following entries used to define its operation? Permit IP any any eq 80 Permit IP any any eq 443 deny IP any any
Firewall
Of the following choices, what best describes a method of managing the flow of network traffic by allowing or denying traffic based on ports, protocols, and addresses?
Firewall rules
What can a header manipulation attack modify?
Flags
What will protect against a SYN attack?
Flood guard
(30) What services does a proxy server provide? Forwards requests for services from a client Reduces usage of cache Ensures that all URLs are allowed Filters traffic into a network
Forwards requests for services from a client
Your backup policy for a database server dictates that the amount of time needed to perform backups should be minimized. What backup plan would BEST meet this need?
Full backups on Sunday and incremental backups every other day of the week
Your organization has issued mobile devices to several key personnel. These devices store sensitive information. What can administrators implement to prevent data loss from these devices if they are stolen?
Full device encryption
Your organization is planning to issue mobile devices to some employees, but management is concerned about protecting the confidentiality of data if the devices are lost or stolen. What is the BEST way to secure data at rest on a mobile device?
Full device encryption
Your organization wants to prevent losses due to data leakage on portable devices. What provides the best protection?
Full disk encryption
(69) What can an attacker use to identify vulnerabilities in an application? Protocol analyzer Port scanner Fuzzing IPS
Fuzzing
A security tester is sending random data to a program. What does this describe?
Fuzzing
During a penetration test, a tester injected extra input into an application causing the application to crash. What does this describe?
Fuzzing
Your organization is preparing to deploy a web-based application, which will accept user input. What will test the reliability of this application to maintain availability and data integrity?
Fuzzing
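The four fuzzing questions above describe the technique but not how it finds bugs. The following is an added example, not part of the study guide: a toy length-prefixed record parser with a deliberately missing bounds check (constructed for this example), a one-mutation fuzzer that feeds it random variations of a valid record, and a fixed parser to show that the fuzzer reports nothing once the check is in place. The parser, the record format and the seed input are all this example's own assumptions.

```python
import random

# Constructed valid record: <length=2><payload "hi"><checksum = sum(payload) mod 256>
VALID_SEED = bytes([2, ord("h"), ord("i"), (ord("h") + ord("i")) % 256])


def parse_record(data):
    """Toy parser for <len><payload...><checksum>. Deliberate bug (constructed):
    the declared length is trusted, so a length larger than the buffer reads
    past the end and raises IndexError instead of a clean rejection."""
    if len(data) < 2:
        raise ValueError("too short")
    declared = data[0]
    payload = data[1:1 + declared]
    checksum = data[1 + declared]            # IndexError when declared is too large
    if sum(payload) % 256 != checksum:
        raise ValueError("bad checksum")
    return bytes(payload)


def parse_record_fixed(data):
    """Same parser with the bounds check the fuzzer shows to be missing."""
    if len(data) < 2:
        raise ValueError("too short")
    declared = data[0]
    if len(data) < 2 + declared:
        raise ValueError("truncated record")  # clean rejection, not a crash
    payload = data[1:1 + declared]
    if sum(payload) % 256 != data[1 + declared]:
        raise ValueError("bad checksum")
    return bytes(payload)


def mutate(seed, rng):
    """One random mutation of the seed: overwrite a byte, append junk, or drop a byte."""
    data = bytearray(seed)
    op = rng.randrange(3)
    if op == 0 and data:
        data[rng.randrange(len(data))] = rng.randrange(256)
    elif op == 1:
        data.extend(rng.randrange(256) for _ in range(rng.randrange(1, 8)))
    elif op == 2 and data:
        del data[rng.randrange(len(data))]
    return bytes(data)


def fuzz(target, seed, iterations=2000, rng_seed=1, expected=(ValueError,)):
    """Feed mutated inputs to target. Exceptions listed in `expected` are the
    parser rejecting bad input as designed; anything else is recorded as a crash,
    keyed by exception type, with the first input that triggered it."""
    rng = random.Random(rng_seed)            # fixed seed so a run is reproducible
    crashes = {}
    for _ in range(iterations):
        case = mutate(seed, rng)
        try:
            target(case)
        except expected:
            continue
        except Exception as exc:
            crashes.setdefault(type(exc).__name__, case)
    return crashes


if __name__ == "__main__":
    print("buggy parser crashes:", fuzz(parse_record, VALID_SEED))
    print("fixed parser crashes:", fuzz(parse_record_fixed, VALID_SEED))
```

The crash dictionary is the fuzzer's real output: each entry is a reproducer the developer can replay under a debugger. Separating "expected" rejections from everything else is what keeps the report useful; a parser that raises on malformed input is doing its job, and only unexpected exception types (or hangs, which this toy does not detect) point at a bug.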
You need to submit a CSR to a CA. What would you do FIRST?
Generate a new RSA-Based private key
What functions does an HSM include?
Generates and stores keys used with servers
An organization hosts several bays of servers used to support a large online eCommerce business. Which one of the following choices would increase the availability of these servers?
Generators
What helps ensure availability in the event of an extended power outage?
Generators
You configure access control for users in your organization. Some departments have a high employee turnover, so you want to simplify account administration. Which of the following is the BEST choice?
Group-based privileges
Your company wants to control access to a restricted area of the building by adding an additional physical security control that includes facial recognition. What provides the BEST solution?
Guards
You are planning to encrypt data in transit with IPsec. What is MOST likely to be used with IPsec
HMAC
(48) Your organization needs to improve the performance of SSL sessions on an e-commerce server. What can they use to improve performance while also providing a secure method of storing the digital certificates used by the SSL sessions? HSM CA A private CRL A database
HSM
Of the following choices, what is the best choice to provide encryption services in a clustered environment?
HSM
You are reviewing incident response procedures related to the order of volatility. Which of the following is the LEAST volatile?
Hard disk drive
An administrator is improving the availability of a server and needs to ensure that a hard drive failure does not result in the failure of the server. What will support this goal? (Choose all that apply)
Hardware RAID-1, Software RAID-1, Software RAID-5
A small business owner modified his wireless router with the following setting: PERMIT 1A:2B:3C:4D:5E:6F DENY 6F:5E:4D:3C:2B:1A After saving the settings, an employee reports that he cannot access the wireless network anymore. What is the MOST likely reason that the employee cannot access the network?
Hardware address filtering
The security manager at your company recently updated the security policy. One of the changes requires dual-factor authentication. What will meet this requirement?
Hardware token and PIN
B
Harmful programs used to disrupt computer operation, gather sensitive information, or gain access to private computer systems are commonly referred to as: A. Adware B. Malware C. Computer viruses D. Spyware
You are the security administrator in your organization. You want to ensure that a file maintains integrity. Which of the following choices is the BEST choice to meet your goal?
Hash
(2) What can you use to ensure that stored data has retained integrity? BIA Hashing Digital signatures SaaS
Hashing
(99) Of the following choices, what can help a forensic expert identify evidence tampering with a disk drive? Chain of custody Imaging AES-128 Hashing
Hashing
A function converts data into a string of characters and the string of characters cannot be reversed to re-create the original data. What type of function is this?
Hashing
Users in your organization sign their emails with digital signatures. What provides integrity for these certificates?
Hashing
An administrator recently learned of an attack on a Virginia-based web server from IP address 72.52.206.134 at 11:35:33 GMT. However, after investigating the logs, he is unable to see any traffic from that IP address at that time. What is the MOST likely reason why the administrator was unable to identify the attack?
He did not account for time offsets
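To make the time-offset point concrete, here is an added example (not from the study guide) with a constructed web server log whose timestamps are in the server's local time with no zone marker. It assumes the server clock is US Eastern standard time (UTC-5); the log lines and the 2015 date are invented for the example, and the reported time and IP address are the ones in the question. A naive grep for the reported clock string finds nothing, while converting the log to UTC before searching finds the event.

```python
from datetime import datetime, timedelta, timezone

# Assumption for this example: the Virginia server logs in local standard time (UTC-5)
SERVER_TZ = timezone(timedelta(hours=-5), "EST")

# Constructed log lines (not real traffic): "<date> <local time> <client ip> <request> <status>"
SERVER_LOG = """\
2015-02-10 06:35:21 203.0.113.9 GET /index.html 200
2015-02-10 06:35:33 72.52.206.134 GET /admin/../../etc/passwd 404
2015-02-10 11:35:33 198.51.100.4 GET /login 200
"""

# The report the administrator received: 11:35:33 GMT
REPORTED_UTC = datetime(2015, 2, 10, 11, 35, 33, tzinfo=timezone.utc)


def naive_grep(log_text, ip, clock):
    """What the administrator did: search the raw log for the reported clock string."""
    return [line for line in log_text.splitlines() if clock in line and ip in line]


def parse_log(log_text, log_tz):
    """Parse each line, attach the log's time zone, and normalise to UTC."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        date, clock, ip, *rest = line.split()
        local = datetime.strptime(f"{date} {clock}", "%Y-%m-%d %H:%M:%S").replace(tzinfo=log_tz)
        events.append({"utc": local.astimezone(timezone.utc), "ip": ip, "detail": " ".join(rest)})
    return events


def find_events(events, ip, when_utc, window=timedelta(minutes=1)):
    """Return events from `ip` within `window` of the reported UTC time."""
    return [e for e in events if e["ip"] == ip and abs(e["utc"] - when_utc) <= window]


if __name__ == "__main__":
    print("naive:", naive_grep(SERVER_LOG, "72.52.206.134", "11:35:33"))
    print("offset-aware:", find_events(parse_log(SERVER_LOG, SERVER_TZ), "72.52.206.134", REPORTED_UTC))
```

Note that the naive search is not just empty; on a busier log it would return the wrong row (the 11:35:33 local entry from a different client). Recording the time offset of every evidence source at collection time, and converting everything to UTC before correlating, is the fix.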
Homer recently implemented a wireless network in his home using WEP. He asks you for advice. What is the BEST advice you can give him?
He should not use WEP because it implements weak IVs for encryption keys
Sally and Joe decide to use PGP to exchange secure e-mail. What should Sally provide to Joe so that Joe can encrypt e-mail before sending it to her?
Her public key
(78) Of the following choices, what is included in a DRP? Report of testing results CRL List of vulnerabilities Hierarchical list of critical systems
Hierarchical list of critical systems
Your organization is evaluating replacement HVAC systems and is considering increasing current capacities. What is a potential security benefit of increasing the HVAC capabilities?
Higher MTBF of hardware components due to lower temperatures
Homer is able to connect to his company's wireless network with his smartphone but not with his laptop computer. What is the MOST likely reason for this disparity?
His company's network has a MAC address filter in place
A security company wants to gather intelligence about current methods attackers are using against its clients. What can it use?
Honeynet
(32) A security company wants to identify and learn about the latest unknown attacks. What can it use? Nothing, the attacks are unknown Honeypot MAC filtering Evil Twin
Honeypot
A security company wants to identify and learn about current and new attack methodologies. What is the BEST choice to meet this objective?
Honeypot
Attackers frequently attack your organization, and administrators want to learn more about zero-day attacks on the network. What can they use?
Honeypot
What can you use to divert malicious attacks on your network away from valuable data to worthless fabricated data?
Honeypot
Maggie is compiling a list of approved software for desktop operating systems within a company. What is the MOST likely purpose of this list?
Host software baseline
Of the following choices, what represents the best choice to prevent intrusions on an individual computer?
Host-based firewall
A business impact analysis (BIA) determined that a critical business function had a Recovery Time Objective (RTO) of an hour. What site will meet this objective?
Hot site
An organization is considering an alternate location as part of its business continuity plan. It wants to identify a solution that provides the shortest recovery time. What will it choose?
Hot site
Which of the following continuity-of-operations solutions is the most expensive?
Hot site
A
How often, at a MINIMUM, should Sara, an administrator, review the access and rights of the users on her system? A. Annually B. Immediately after an employee is terminated C. Every five years D. Every time they patch the server
(79) What can an HVAC system control to reduce potential damage from electrostatic discharges? Humidity Hot and cold aisles Temperatures Air flow
Humidity
Which of the following networks tools includes sniffing capabilities?
IDS
Of the following choices, what password has a dissimilar key space than the other?
IL0ve$ecr1ty
(39) Of the following choices, what can you use in tunnel mode for a VPN? SSL ICMP HTTPS IPSec
IPSec
You are planning to encrypt data in transit. Which of the following protocols meets this need and encapsulates IP packets within an additional IP header?
IPsec
Your organization is planning to implement a VPN and wants to ensure it is secure. What protocols is the BEST choice to use with the VPN?
IPsec
(22) Of the following choices, what identifies computers on the Internet and some internal networks using a long string of numbers and characters? NAT IPv4 IPv6 ICMP
IPv6
Network administrators connect to a legacy server using Telnet. They want to secure these transmissions using encryption at a lower layer of the OSI model. What could they use?
IPv6
Which of the following provides the largest address space?
IPv6
Your organization is considering storage of sensitive data in a cloud provider. Your organization wants to ensure the data is encrypted while at rest and while in transit. What type of interoperability agreement can your organization use to ensure the data is encrypted while in transit?
ISA
(50) A company needs to deploy a large database for a new venture. It does not want to purchase servers or hire additional personnel until it has proven the venture can succeed. What can it use? IaaS PaaS SaaS HSM
IaaS
You are logging on to your bank's web site using your email address and a password. What is the purpose of the email address in this example?
Identification
You work as a help-desk professional in a large organization. You have begun to receive an extraordinary number of calls from employees related to malware. Using common incident response procedures, what should be your FIRST response?
Identification
A penetration tester is tasked with gaining information on one of your internal servers and he enters the following command: telnet server1 80. What is the purpose of this command?
Identify if server1 is running a service using port 80 and is reachable.
Bart is performing a vulnerability assessment. What BEST represents the goal of this task?
Identify the system's security posture
C
Identifying a list of all approved software on a system is a step in which of the following practices? A. Passively testing security controls B. Application hardening C. Host software baselining D. Client-side targeting
A
If Organization A trusts Organization B and Organization B trusts Organization C, then Organization A trusts Organization C. Which of the following PKI concepts is this describing? A. Transitive trust B. Public key trust C. Certificate authority trust D. Domain level trust
A
If you wish to change Password, Audit or Account Settings for the entire network, where would you go to do so? A. Group Policy Management B. Active Directory Users and Computers C. Control Panel D. MS Configuration
B
If you wish to restrict an application from running, you would add it to the application _________? A. Whitelist B. Blacklist
What should a forensics expert do before analyzing a hard drive for evidence?
Image the drive
An organization recently updated its security policy. A new requirement dictates a need to increase protection from rogue devices plugging into physical ports. Which of the following choices provides the BEST protection?
Implement 802.1x
You are configuring a switch and need to ensure that only authorized devices can connect to it and access the network through this switch. What is the BEST choice to meet this goal?
Implement 802.1x
A network technician incorrectly wired switch connections in your organization's network. It effectively disabled the switch as though it was a victim of a denial-of-service attack. What should be done to prevent this in the future?
Implement STP or RSTP
Social engineers have launched several successful phone-based attacks against your organization resulting in several data leaks. What is MOST effective at reducing the success of these attacks?
Implement a program to increase security awareness
(13) An organization wants to simplify user administration. What strategy would it use? Implement a password policy Require users to provide their passwords to the administrators Assign permissions to users individually Implement access based on groups
Implement access based on groups
Your organization wants to reduce the administrative workload related to account management. What is the BEST choice?
Implement group-based privileges
Your organization is increasing security and wants to prevent attackers from mapping out the IP addresses used on your internal network. What is the BEST option?
Implement secure zone transfers
Management is reviewing a hardware inventory in a datacenter. They realize that many of the servers are underutilized, resulting in wasted resources. What can they do to improve the situation?
Implement virtualization
You want to implement the STRONGEST level of security on a wireless network. What supports this goal?
Implementing WPA2
A security analyst is evaluating a critical industrial control system. The analyst wants to ensure the system has security controls to support availability. What would be BEST to meet this need?
Implementing control redundancy and diversity
(28) Of the following choices, what are you most likely to see as the last rule in a firewall's ACL? Implicit deny Block ICMP Allow FTP traffic Filter spam
Implicit deny
What would administrators typically place at the end of an ACL of a firewall?
Implicit deny
An organization recently created a security policy. Of the following choices, what is a technical implementation of security policy?
Implicit deny rule in a firewall
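The firewall ACL entries quoted earlier (`Permit IP any any eq 80`, `Permit IP any any eq 443`, `deny IP any any`) and the implicit-deny questions above are two views of the same rule-evaluation behaviour. The following is an added example, not from the study guide: a small first-match ACL evaluator in Python. It assumes a simplified rule syntax (`permit|deny ip <src> <dst> [eq <port>]`, where `<src>`/`<dst>` are `any` or a CIDR prefix, with no wildcard masks or `host` keyword) and uses constructed packets; the second ACL drops the written `deny ip any any` to show that the implicit deny drops the same traffic anyway.

```python
import ipaddress

# Constructed ACLs for this example. The first is the one quoted in the question;
# the second omits the trailing explicit deny.
ACL_WITH_EXPLICIT_DENY = """\
permit ip any any eq 80
permit ip any any eq 443
deny ip any any
"""
ACL_WITHOUT_FINAL_DENY = """\
permit ip any any eq 80
permit ip any any eq 443
"""


def parse_acl(text):
    """Parse simplified rules: 'permit|deny ip <src> <dst> [eq <port>]'.
    <src>/<dst> are 'any' or a CIDR prefix (an assumption of this example)."""
    rules = []
    for lineno, line in enumerate(text.splitlines(), 1):
        parts = line.split()
        if not parts:
            continue
        if len(parts) not in (4, 6) or parts[0].lower() not in ("permit", "deny"):
            raise ValueError(f"line {lineno}: cannot parse {line!r}")
        port = None
        if len(parts) == 6:
            if parts[4].lower() != "eq":
                raise ValueError(f"line {lineno}: only 'eq <port>' is supported")
            port = int(parts[5])
        rules.append({"action": parts[0].lower(), "src": parts[2], "dst": parts[3],
                      "port": port, "line": lineno})
    return rules


def _addr_matches(pattern, addr):
    if pattern.lower() == "any":
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(pattern, strict=False)


def evaluate(rules, src, dst, dport):
    """First matching rule wins. If nothing matches, the packet is dropped by the
    implicit deny that ends every ACL whether or not an explicit deny is written."""
    for r in rules:
        if (_addr_matches(r["src"], src) and _addr_matches(r["dst"], dst)
                and r["port"] in (None, dport)):
            return r["action"], f"line {r['line']}"
    return "deny", "implicit"


if __name__ == "__main__":
    rules = parse_acl(ACL_WITH_EXPLICIT_DENY)
    for port in (80, 443, 22):
        print(port, evaluate(rules, "10.0.0.5", "203.0.113.7", port))
    print(22, evaluate(parse_acl(ACL_WITHOUT_FINAL_DENY), "10.0.0.5", "203.0.113.7", 22))
```

The practical reason administrators still write the final `deny ip any any` is visibility: a written rule can carry a log keyword and a hit counter, whereas traffic dropped by the implicit deny is usually invisible, which is why the evaluator reports which rule (or "implicit") made the decision.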
B C
In PKI, a key pair consists of: (Select TWO). A. A key ring B. A public key C. A private key D. Key escrow E. A passphrase
C; E
In an engineering office, all plotters are configured via static IP. Which of the following best practices will alleviate many issues if equipment moves are required? (Select TWO). A. Rack monitoring B. Device placement C. Wall plate labeling D. Room numbering E. Patch panel labeling
A
In computer security, the part of malware code responsible for performing malicious action is referred to as: A. Payload B. Header C. Frame D. Preamble
A
In order to maintain oversight of a third party service provider, the company is going to implement a Governance, Risk, and Compliance (GRC) system. This system is promising to provide overall security posture coverage. Which of the following is the MOST important activity that should be considered? A. Continuous security monitoring B. Baseline configuration and host hardening C. Service Level Agreement (SLA) monitoring D. Security alerting and trending
B
In order to use a two-way trust model the security administrator MUST implement which of the following? A. DAC B. PKI C. HTTPS D. TPM
B
In security terms, what is meant by Authorization? A. Ensuring a entity using a set of credentials is the true owner of those credentials B. Determining what rights and privileges an entity has C. Validating the unique credentials of an entity
A
In security terms, what is meant by Identification? A. Ensuring a entity using a set of credentials is the true owner of those credentials B. Determining what rights and privileges an entity has C. Validating the unique credentials of an entity
A
In the case of a major outage or business interruption, the security office has documented the expected loss of earnings, potential fines and potential consequence to customer service. Which of the following would include the MOST detail on these objectives? A. Business Impact Analysis B. IT Contingency Plan C. Disaster Recovery Plan D. Continuity of Operations
A D
In the initial stages of an incident response, Matt, the security administrator, was provided the hard drives in question from the incident manager. Which of the following incident response procedures would he need to perform in order to begin the analysis? (Select TWO). A. Take hashes B. Begin the chain of custody paperwork C. Take screen shots D. Capture the system image E. Decompile suspicious files
B
In which of the following categories would creating a corporate privacy policy, drafting acceptable use policies, and group based access control be classified? A. Security control frameworks B. Best practice C. Access control methodologies D. Compliance activity
C
In which of the following scenarios is PKI LEAST hardened? A. The CRL is posted to a publicly accessible location. B. The recorded time offsets are developed with symmetric keys. C. A malicious CA certificate is loaded on all the clients. D. All public keys are accessed by an unauthorized user.
Management within your company is considering allowing users to connect to the corporate network with their personally owned devices. What represents a security concern with this policy?
Inability to ensure devices are up to date with current system patches
Organizations often restrict employee access to social networking sites from work locations. What are they trying to prevent?
Information disclosure
(67) Of the following choices, what represents the most important information a penetration test can provide when compared with a vulnerability scan? Information on the impact of a threat Information on security controls Information on vulnerabilities Information on system configuration
Information on the impact of a threat
What is a cloud-computing option that allows customers to apply patches to the operating system?
Infrastructure as a Service
(58) A web application developer uses code to check data entered into a web form. The code prevents the web application from sending certain characters or commands to other servers. What is the developer using? Cross-site scripting SQL injection Input validation NOOP sleds
Input validation
A code review of a web application discovered that the application is not performing boundary checking. What should the web developer add to this application to resolve this issue?
Input validation
Your organization hosts several websites accessible on the Internet and is conducting a security review of these sites. Of the following choices, what is the most common security issue for web-based applications?
Input validation
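The error-handling question earlier (an attacker learning the database type and accepted SQL syntax from a form error) and the three input-validation questions above describe the same web-application weakness from two angles. The following is an added example, not from the study guide: a lookup written three ways against an in-memory SQLite table with constructed sample rows. The vulnerable version concatenates user input into SQL and echoes the raw database error; the parameterized version neutralises the injection; the hardened version adds input validation in front of the parameterized query and returns only a generic error to the client. The table, rows and regular expression are this example's own assumptions.

```python
import re
import sqlite3


def make_db():
    """Constructed sample data for the example."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)")
    conn.executemany("INSERT INTO users (username, email) VALUES (?, ?)",
                     [("homer", "homer@example.com"), ("lisa", "lisa@example.com")])
    return conn


def lookup_vulnerable(conn, username):
    """String concatenation: the input becomes part of the SQL statement, and the
    raw driver error (with the failing query) is handed back to the client."""
    sql = "SELECT username, email FROM users WHERE username = '" + username + "'"
    try:
        return {"rows": conn.execute(sql).fetchall(), "error": None}
    except sqlite3.Error as exc:
        return {"rows": [], "error": f"sqlite3 error: {exc} in query: {sql}"}


def lookup_parameterized(conn, username):
    """Parameterized query: the input is bound as data and can never change the
    statement's structure, so the injection payload just matches no row."""
    rows = conn.execute("SELECT username, email FROM users WHERE username = ?",
                        (username,)).fetchall()
    return {"rows": rows, "error": None}


# Assumed username policy for this example: lowercase letters, digits, underscore, 1-32 chars
USERNAME_RE = re.compile(r"[a-z0-9_]{1,32}")


def lookup_hardened(conn, username):
    """Input validation in front of the parameterized query, plus generic errors."""
    if not USERNAME_RE.fullmatch(username):
        return {"rows": [], "error": "invalid username"}
    try:
        return lookup_parameterized(conn, username)
    except sqlite3.Error:
        # Details belong in the server-side log, not in the HTTP response.
        return {"rows": [], "error": "lookup failed"}


if __name__ == "__main__":
    db = make_db()
    payload = "' OR '1'='1"
    print("vulnerable, payload:", lookup_vulnerable(db, payload))
    print("vulnerable, probe  :", lookup_vulnerable(db, "'")["error"])
    print("parameterized      :", lookup_parameterized(db, payload))
    print("hardened           :", lookup_hardened(db, payload))
```

Run the block and compare the second line with the others: the single-quote probe returns a message naming the driver and quoting the statement, which is exactly the reconnaissance the error-handling question describes. Parameterization alone stops the injection; the validation layer is what keeps obviously malformed input from ever reaching the database, and the generic error message is what denies the attacker the hints.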
An organization is planning to implement an internal PKI for smart cards. Which of the following should the organization do FIRST?
Install a CA.
Lisa oversees and monitors processes at a water treatment plant using SCADA systems. Administrators recently discovered malware on her system that was connecting to the SCADA system. Although they removed the malware, management is still concerned. Lisa needs to continue using her system and it's not possible to update the SCADA systems. What can mitigate this risk?
Install a NIPS on the border of the SCADA network
Your organization is researching the costs and functionality of fire alarm systems for a new building. What capability should the system include to prevent a fire from spreading?
Integration with an HVAC system
A database administrator is tasked with increasing the retail prices of all products in a database by 10 percent. The administrator writes a script performing a bulk update of the database and executes it. However, all retail prices are doubled (increased by 100 percent instead of 10 percent). What has been lost?
Integrity
Lisa manages network devices in your organization and maintains copies of the configuration files for all the managed routers and switches. On a weekly basis, she creates hashes for these files and compares them with hashes she created on the same files the previous week. Which security goal is she pursuing?
Integrity
You want to ensure that data has not been changed between the time when it was sent and when it arrived at its destination. What provides this assurance?
Integrity
You want to ensure that messages sent from administrators to managers arrive unchanged. Which security goal are you addressing?
Integrity
A software company occasionally provides application updates and patches via its web site. It also provides a checksum for each update and patch. What BEST describes the purpose of the checksum?
Integrity of updates and patches
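Three of the questions above rely on the same mechanism: the antivirus-definition question (comparing a file hash with the vendor's published hash), Lisa's weekly hash comparison of router and switch configuration files, and the checksum shipped with software updates. The following is an added example, not from the study guide, showing both uses in Python: a SHA-256 file-integrity baseline that reports modified and missing files, and a constant-time check of a download against a published digest. The configuration file contents are constructed, and the "published" digest is simply the well-known SHA-256 of the bytes `abc`, used here in place of a real vendor value.

```python
import hashlib
import hmac
import os
import tempfile

# SHA-256 of the bytes b"abc", standing in for a vendor-published digest (assumption)
KNOWN_SHA256_OF_ABC = "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"


def sha256_file(path, chunk_size=65536):
    """Hash a file in chunks so large files do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(paths):
    """Record the current digest of each file; store this somewhere the managed
    devices (and their administrators) cannot silently rewrite."""
    return {p: sha256_file(p) for p in paths}


def compare_baseline(baseline, paths):
    """Classify each path as unchanged, modified, missing, or new since the baseline."""
    report = {}
    for p, old in baseline.items():
        if not os.path.exists(p):
            report[p] = "missing"
        else:
            report[p] = "unchanged" if sha256_file(p) == old else "modified"
    for p in paths:
        if p not in baseline and os.path.exists(p):
            report[p] = "new"
    return report


def verify_download(path, published_hex):
    """Compare a downloaded file's digest with the digest published out of band.
    hmac.compare_digest avoids leaking how many leading characters matched."""
    return hmac.compare_digest(sha256_file(path), published_hex.strip().lower())


def demo_config_baseline():
    """Constructed scenario: baseline two configs, then one is edited and one deleted."""
    d = tempfile.mkdtemp()
    router, switch = os.path.join(d, "router1.cfg"), os.path.join(d, "switch1.cfg")
    with open(router, "w") as f:
        f.write("hostname router1\nenable secret 5 $1$example\n")
    with open(switch, "w") as f:
        f.write("hostname switch1\n")
    baseline = build_baseline([router, switch])
    with open(router, "a") as f:              # "a week later": an unexpected change
        f.write("username backdoor privilege 15\n")
    os.remove(switch)                          # and a file that disappeared
    return compare_baseline(baseline, [router, switch])


def demo_vendor_check():
    """Constructed scenario: a good download, then the same file with one byte appended."""
    d = tempfile.mkdtemp()
    path = os.path.join(d, "definitions.dat")
    with open(path, "wb") as f:
        f.write(b"abc")
    good = verify_download(path, KNOWN_SHA256_OF_ABC)
    with open(path, "ab") as f:
        f.write(b"\x00")
    tampered = verify_download(path, KNOWN_SHA256_OF_ABC)
    return good, tampered


if __name__ == "__main__":
    print(demo_config_baseline())
    print(demo_vendor_check())
```

Two caveats a practitioner would add: the hash only proves integrity relative to the reference value, so the baseline and the vendor's published digest must themselves come from a trusted, separately protected source; and a plain hash says nothing about who produced the file, which is why vendors increasingly sign updates rather than just publishing checksums.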
Of the following choices, what best identifies the purpose of a change management program?
It defines the process and accounting structure for handling system modifications
B
It has been determined by network operations that there is a severe bottleneck on the company's mesh topology network. The field technician has chosen to use log management and found that one router is making routing decisions slower than others on the network. This is an example of which of the following? A. Network device power issues B. Network device CPU issues C. Storage area network issues D. Delayed responses from RADIUS
Your organization is considering purchasing new computers that include hardware encryption capabilities. What benefit does this provide?
It is faster than software encryption
A company is using a key escrow for its PKI. What does this provide?
It maintains a copy of a private key for recovery purposes
You are evaluating the security and availability of a system. Security is more important than availability in the system. If it fails, what state should it fail in?
It should fail closed
Your organization is considering the purchase of new computers. A security professional stresses that these devices should include TPMs. What benefit does a TPM provide? (Choose all that apply.)
It uses hardware encryption, which is quicker than software encryption. It stores RSA keys.
A
Jane has implemented an array of four servers to accomplish one specific task. This is BEST known as which of the following? A. Clustering B. RAID C. Load balancing D. Virtualization
A
Jane has recently implemented a new network design at her organization and wishes to passively identify security issues with the new network. Which of the following should Jane perform? A. Vulnerability assessment B. Black box testing C. White box testing D. Penetration testing
A
Jane, a security administrator, has been tasked with explaining authentication services to the company's management team. The company runs an Active Directory infrastructure. Which of the following solutions BEST relates to the host authentication protocol within the company's environment? A. Kerberos B. Least privilege C. TACACS+ D. LDAP
B
Jane, a security analyst, is reviewing logs from hosts across the Internet which her company uses to gather data on new malware. Which of the following is being implemented by Jane's company? A. Vulnerability scanner B. Honeynet C. Protocol analyzer D. Port scanner
A
Jane, an IT administrator, is implementing security controls on a Microsoft Windows based kiosk used at a bank branch. This kiosk is used by the public for Internet banking. Which of the following controls will BEST protect the kiosk from general public users making system changes? A. Group policy implementation B. Warning banners C. Command shell restrictions D. Host based firewall
(14) Which of the following best describes RBAC? Single-factor authentication Job function specific Two-factor authentication A method of increasing user administration
Job function specific
(93) An organization wants to ensure that if employees do engage in any fraudulent activities, they won't be able to continue them indefinitely. What policy would provide this protection? Separation of duties policy Job rotation policy Acceptable use policy Data labeling policy
Job rotation policy
Two administrators within an organization perform different functions and have different privileges. They are required to swap roles annually. What policy would direct this?
Job rotation policy
Sally is sending data to Joe. She uses asymmetric encryption to encrypt the data to ensure that only Joe can decrypt it. What key does Sally use to encrypt the data?
Joe's public key
A
Joe, a newly hired employee, has a corporate workstation that has been compromised due to several visits to P2P sites. Joe insisted that he was not aware of any company policy that prohibits the use of such web sites. Which of the following is the BEST method to deter employees from the improper use of the company's information systems? A. Acceptable Use Policy B. Privacy Policy C. Security Policy D. Human Resource Policy
B
Joe, a security administrator, is concerned with users tailgating into the restricted areas. Given a limited budget, which of the following would BEST assist Joe with detecting this activity? A. Place a full-time guard at the entrance to confirm user identity. B. Install a camera and DVR at the entrance to monitor access. C. Revoke all proximity badge access to make users justify access. D. Install a motion detector near the entrance.
A C
Joe, a security analyst, asks each employee of an organization to sign a statement saying that they understand how their activities may be monitored. Which of the following BEST describes this statement? (Select TWO). A. Acceptable use policy B. Risk acceptance policy C. Privacy policy D. Email policy E. Security policy
D
Joe, an administrator, installs a web server on the Internet that performs credit card transactions for customer payments. Joe also sets up a second web server that looks like the first web server. However, the second server contains fabricated files and folders made to look like payments were processed on this server but really were not. Which of the following is the second server? A. DMZ B. Honeynet C. VLAN D. Honeypot
D
Joe, the security administrator, has determined that one of his web servers is under attack. Which of the following can help determine where the attack originated from? A. Capture system image B. Record time offset C. Screenshots D. Network sniffing
D
Joe, the system administrator, is performing an overnight system refresh of hundreds of user computers. The refresh has a strict timeframe and must have zero downtime during business hours. Which of the following should Joe take into consideration? A. A disk-based image of every computer as they are being replaced. B. A plan that skips every other replaced computer to limit the area of affected users. C. An offsite contingency server farm that can act as a warm site should any issues appear. D. A back-out strategy planned out anticipating any unforeseen problems that may arise.
A; B; F
Joe, a network technician, is setting up a DHCP server on a LAN segment. Which of the following options should Joe configure in the DHCP scope in order to allow hosts on that LAN segment that use dynamic IP addresses to access the Internet and internal company servers? (Select THREE). A. Default gateway B. Subnet mask C. Reservations D. TFTP server E. Lease expiration time of 1 day F. DNS servers G. Bootp
A security professional is performing a qualitative risk analysis. Of the following choices, what is most likely to be used in the assessment?
Judgment
You are helping your organization create a security policy for incident response. What is the BEST choice to include when an incident requires confiscation of a physical asset?
Keep a record of everyone who took possession of the physical asset
(10) Which of the following authentication protocols uses a key distribution center to generate tokens? LDAP AES 3DES Kerberos
Kerberos
A network includes a ticket-granting ticket server used for authentication. What authentication service does this network use?
Kerberos
What is used for authentication in a Microsoft Active Directory domain?
Kerberos
Which of the following authentication services uses tickets for user credentials?
Kerberos
B
Key cards at a bank are not tied to individuals, but rather to organizational roles. After a break-in, it becomes apparent that extra efforts must be taken to successfully pinpoint who exactly enters secure areas. Which of the following security measures can be put in place to mitigate the issue until a new key card system can be installed? A. Bollards B. Video surveillance C. Proximity readers D. Fencing
Which of the following choices are valid reasons to revoke a certificate holding a key? (Choose all that apply.)
Key compromise and CA compromise
D
Key elements of a business impact analysis should include which of the following tasks? A. Develop recovery strategies, prioritize recovery, create test plans, post-test evaluation, and update processes. B. Identify institutional and regulatory reporting requirements, develop response teams and communication trees, and develop press release templates. C. Employ regular preventive measures such as patch management, change management, antivirus and vulnerability scans, and reports to management. D. Identify critical assets, systems and functions, identify dependencies, determine critical downtime limit, define scenarios by type and scope of impact, and quantify loss potential.
(90) Where can a key be stored so that anyone can recover data even if the original key is destroyed? Recovery agent CRL Digital signature Key escrow
Key escrow
(45) Your organization regularly tests and deploys patches. What types of attacks will this prevent? Zero day attacks Unknown attacks Known attacks Hotfix attacks
Known attacks
What is an attack against servers hosting a directory service?
LDAP
You are modifying a configuration file used to authenticate Unix accounts against an external server. The file includes phrases such as DC=Server1 and DC=Com. Which authentication service is the external server using?
LDAP
Your network uses an authentication service based on the X.500 specification. When encrypted, it uses TLS. Which authentication service is your network using?
LDAP
D
LDAP and Kerberos are commonly used for which of the following? A. To perform queries on a directory service B. To store usernames and passwords for Federated Identity C. To sign SSL wildcard certificates for subdomains D. To utilize single sign-on capabilities
Administrators in your organization are planning to implement a wireless network. Management has mandated that they use a RADIUS server and implement a secure wireless authentication method. Which of the following should they use?
LEAP
A recent vulnerability assessment identified several issues related to an organization's security posture. Which of the following issues is MOST likely to affect the organization on a day-to-day basis?
Lack of antivirus software
An organization wants to provide protection against malware attacks. Administrators have installed antivirus software on all computers. Additionally, they implemented a firewall and an IDS on the network. What BEST identifies this principle?
Layered security
(92) An organization's system automatically ensures that if a user creates a file, the user is the only person granted access to the file. What principle is this operating system using? Least privilege Multifactor authentication Separation of duties Due care
Least privilege
You maintain a training lab with 18 computers. You have enough rights and permissions on these machines so that you can configure them as needed for classes. However, you do not have the rights to add them to your organization's domain. What BEST describes this example?
Least privilege
An incident response team is following typical incident response procedures. What phase is the BEST choice for analyzing an incident with a goal of identifying steps to prevent a reoccurrence of the incident?
Lessons learned
Bart wants to send a secure email to Lisa, so he decides to encrypt it. He wants to ensure that only Lisa can decrypt it. What does Lisa need to meet his requirement?
Lisa's private key
Your organization hosts a large website served by multiple servers. They need to optimize the workload and distribute it equally among all servers. What should they use?
Load balancer
A network administrator configured several servers to work together to increase the processing capabilities for a web application. What does the administrator MOST likely implement?
Load balancing
You need to modify the network infrastructure to increase availability of web-based applications for Internet clients. Which of the following choices provides the BEST solution?
Load balancing
Your company's web site experiences a large number of client requests during certain times of the year. What could your company add to ensure the web site's availability during these times?
Load balancing
Your organization hosts a high-volume web site, which generates a significant amount of revenue. You are asked to recommend a method to increase the availability of this web site. What is the BEST choice?
Load balancing
Your organization has several portable USB drives that users are able to use to transfer large video files instead of copying them over the network. What should be used to prevent the theft of those drives when they are not being used?
Locked cabinet
An employee has added malicious code into the company's personnel system. The code verifies the employment status of the employee once a month. If the check shows the person is no longer an active employee, it launches attacks on internal servers. What type of code is this?
Logic bomb
At 9am on January 31, an administrator starts receiving alerts from monitoring systems indicating problems with servers in the datacenter. He discovers that all servers are unreachable. Of the following choices, what is the most likely cause?
Logic bomb
Bart installed code designed to enable his account automatically, three days after anyone disables it. What does this describe?
Logic bomb
Recently, malware on a company computer destroyed several important files after it detected that Homer was no longer employed at the company. What BEST identifies this malware?
Logic bomb
An organization regularly shreds paper instead of throwing it away. What are they trying to prevent?
Loss due to dumpster diving
A user's system has spyware installed. What is the most likely result?
Loss of confidentiality
You are planning to host a free online forum for users to share IT security-related information with each other. Any user can anonymously view data. Users can post messages after logging in, but you do not want users to be able to modify other users' posts. What levels of confidentiality, integrity, and availability should you seek?
Low confidentiality, medium integrity, and medium availability
(37) You regularly perform wireless audits around your organization's campus. While war driving, you discover many unauthorized devices connected to the network. What can explain this? Rogue Access Point Low power level on the WAP Incorrectly placed antenna on the WAP Bluesnarfing
Low power level on the WAP Bluesnarfing
An organization has implemented an access control model that enforces permissions based on data labels assigned at different levels. What type of model is this?
MAC
Which of the following wireless security mechanisms is subject to a spoofing attack?
MAC address filtering
Of the following choices, what can ensure the integrity of e-mail messages?
MD5
What will always create a fixed-sized string of bits regardless of the size of the original data? (Choose all that apply.)
MD5 and SHA
B
Malicious code activated by a specific event is known as: A. Trojan horse B. Logic bomb C. Spyware D. Armored virus
C
Malicious software performing unwanted and harmful actions in disguise of a legitimate and useful program is known as: A. Adware B. Worm C. Trojan Horse D. Spyware
C
Malware that restricts access to a computer system by encrypting files or locking the entire system down until the user performs requested action is known as: A. Grayware B. Adware C. Ransomware D. Spyware
Of the following choices, what type of attack can intercept traffic and insert malicious code into a network conversation?
Man-in-the-middle
Of the following choices, what type of control is a vulnerability assessment?
Management
B
Management has been informed of an increased number of tailgating violations into the server room. Which of the following is the BEST method of preventing future violations? A. Security Guards B. Man Traps C. Proximity Cards D. Biometrics authentication
Your organization hosts several classified systems in the data center. Management wants to increase security with these systems by implementing two-factor authentication. Management also wants to restrict access to these systems to employees who have a need to know. What should management implement for authorization?
Mandatory access control
Employees in the accounting department are forced to take time off from their duties on a regular basis. What would direct this?
Mandatory vacation policy
A security manager needs to identify a policy that will reduce the risk of personnel within an organization colluding to embezzle company funds. What is the BEST choice?
Mandatory vacations
A company hosts a datacenter with highly sensitive data. Of the following choices, what can provide the best type of physical security to prevent unauthorized entry?
Mantrap
A security professional has reported an increase in the number of tailgating violations into a secure data center. What can prevent this?
Mantrap
A security professional needs to identify a physical security control that will identify and authenticate individuals before allowing them to pass, and restrict passage to only a single person at a time. What should the professional recommend?
Mantrap
B
Matt, a security consultant, has been tasked with increasing server fault tolerance and has been given no budget to accomplish his task. Which of the following can Matt implement to ensure servers will withstand hardware failure? A. Hardware load balancing B. RAID C. A cold site D. A host standby
B
Matt, the Chief Information Security Officer (CISO), tells the network administrator that a security company has been hired to perform a penetration test against his network. The security company asks Matt which type of testing would be most beneficial for him. Which of the following BEST describes what the security company might do during a black box test? A. The security company is provided with all network ranges, security devices in place, and logical maps of the network. B. The security company is provided with no information about the corporate network or physical locations. C. The security company is provided with limited information on the network, including all network diagrams. D. The security company is provided with limited information on the network, including some subnet ranges and logical network diagrams.
You are redesigning your password policy. You want to ensure that users change their passwords regularly, but they are unable to reuse passwords. What settings should you configure? (Select THREE)
Maximum password age; Password history; Minimum password age
Investigators suspect that an internal computer was involved in an attack, but the computer has been turned off. What information is unavailable for an investigation? (Choose all that apply)
Memory, Network processes, and Master boot record
Your organization is updating its disaster recovery documents. You're asked to review the communication plan for possible updates. What should you ensure is included in the communication plan?
Methods used to communicate with response team members, employees, suppliers, and customers
Your organization is updating its business continuity documents. You're asked to review the communications plans for possible updates. Which of the following should you ensure is included in the communications plan?
Methods used to respond to media requests, including templates
B
Migrating from a SQL database to a NoSQL database has some advantages, but also may have some disadvantages. What is one possible disadvantage of running NoSQL? A. Much slower than SQL B. No Authorization C. No scalability D. Doesn't work over the Web
Your password policy includes a password history. What else should be configured to ensure that users aren't able to easily reuse the same password?
Minimum age
An organization needs to identify a continuity of operations plan that will allow it to provide temporary IT support during a disaster. The organization does not want to have a dedicated site. What provides the best solution?
Mobile site
Your organization has a password policy that requires employees to change their passwords at least every 45 days and prevents users from reusing any of their last five passwords. However, when forced to change their passwords, users are changing their password five more times to keep their original password. What can resolve this security vulnerability?
Modify the password policy to prevent users from changing the password until a day has passed
Users are required to log on to their computers with a smart card and a PIN. What BEST describes this?
Multifactor authentication
D
Multiple students within a networking lab are required to simultaneously access a single switch remotely. The administrator checks and confirms that the switch can be accessed using the console, but currently only one student can log in at a time. Which of the following should be done to correct this issue? A. Increase installed memory and install a larger flash module. B. Increase the number of VLANs configured on the switch. C. Decrease the number of VLANs configured on the switch. D. Increase the number of virtual terminals available.
Of the following choices, what provides the strongest authentication factors?
Multifactor authentication
An automated process isolated a computer in a restricted VLAN because the process noticed the computer's antivirus definitions were not up to date. What is the name of this process?
NAC
Of the following choices, what hides the IP addresses of computers inside a network from computers outside the network?
NAT
What protocol does IPv6 use for hardware address resolution?
NDP
(31) Which of the following controls can detect smurf attacks? Firewall NIDS Honeypot NAC
NIDS
(52) Your organization issues laptops to employees used while on the road. Of the following choices, what software does not enhance their security? (Choose 2) Spam filter Host-based firewall Antivirus software NIDS NIPS
NIDS NIPS
(34) An administrator wants to detect and mitigate malicious activity on the network. What should the administrator use? NIDS NIPS HIDS HIPS
NIPS
(59) Which of the following is related to a buffer overflow attack? NOOP instructions Small initialization vector Spear phishing Pharming
NOOP instructions
A
Network segmentation provides which of the following benefits? A. Security through isolation B. Link aggregation C. Packet flooding through all ports D. High availability through redundancy
Which of the following tools can perform a port scan? (Choose all that apply)
Nmap, Netcat
Bart recently sent out confidential data via email to potential competitors. Management suspects he did so accidentally, but Bart denied sending the data. Management wants to implement a method that would prevent Bart from denying accountability in the future. What are they trying to enforce?
Non-repudiation
Sally is sending an e-mail, and she encrypted a portion of the e-mail with her private key. What can this provide?
Non-repudiation
You have created an image for a database server that you plan to deploy to five physical servers. At the last minute, management decides to deploy these as virtual servers. What additional security steps do you need to take with these virtual images before deploying them?
None
Your organization has hired a group of external testers to perform a black box penetration test. One of the testers asks you to provide information about your internal network. What should you provide?
Nothing
A web site is using a certificate. Users have recently been receiving errors from the web site indicating that the web site's certificate is revoked. What includes a list of certificates that have been revoked?
OCSP
Your organization requires the use of a PKI and it wants to implement a protocol to validate trust with minimal traffic. What protocol validates trust by returning short responses, such as "good" or "revoked"?
OCSP
An organization regularly performs backups of critical systems. Where should it keep a copy of the backups for retention?
Off-site
An organizational policy specifies that duties of application developers and administrators must be separated. What is the MOST likely result of implementing this policy?
One group develops program code and the other group deploys the code
Which type of authentication does a hardware token provide?
One-time password
A security administrator is performing a vulnerability assessment. Which of the following actions would be included?
Organize data based on severity and asset value
Which of the following provides authentication services and uses PPP?
PAP and CHAP
Your organization has implemented a network design that allows internal computers to share one public IP address. What did they MOST likely implement?
PAT
Application developers are creating an application that requires users to log on with strong passwords. The developers want to store the password in such a way that it will thwart brute force attacks. What is the BEST solution?
PBKDF2
Which of the following protocols requires a CA for authentication?
PEAP-TLS
(96) Of the following choices, what requires special handling related to retention and distribution of data? Virtual servers PII VLAN CRL
PII
Two systems need to establish a secure session between each other without any prior communication. What is needed to support this?
PKI
A
Packet analysis reveals multiple GET and POST requests from an internal host to a URL without any response from the server. Which of the following BEST describes this scenario? A. Compromised system B. Smurf attack C. SQL injection attack D. Man-in-the-middle
You are redesigning your password policy to increase the security of the passwords. What provides the BEST security?
Password Complexity and Password length
Sally used WinZip to create an archive of several sensitive documents on an upcoming merger, and she password-protected the archive file. Of the following choices, what is the best way to test the security of the archive file?
Password cracker
A user has forgotten his password and calls the help desk for assistance. The help-desk professional will reset the password and tell the user the new password. What should the help desk professional configure to ensure the user immediately resets the password?
Password expiration
Users in your network are required to change their password every sixty days. What is this an example of?
Password expiration requirement
You have discovered that some users have been using the same passwords for months, even though the password policy requires users to change their password every 30 days. You want to ensure that users cannot reuse the same password. Which settings should you configure? (Select TWO.)
Password history & Minimum password age
An outside security auditor recently completed an in-depth security audit on your network. One of the issues he reported was related to passwords. Specifically, he found the following passwords used on the network: Pa$$, 1@W2, and G7bT3. What should be changed to avoid the problem shown with these passwords?
Password length
Your organization requires users to create passwords of at least ten characters for their user accounts. Which of the following is being enforced?
Password length
Your organization has implemented a self-service password reset system. What does this provide?
Password recovery
A recent risk assessment identified several problems with servers in your organization. They occasionally reboot on their own and the operating systems do not have current security fixes. Administrators have had to rebuild some servers from scratch due to mysterious problems. What will mitigate these problems?
Patch management
Of the following choices, what indicates the best method of reducing operating system vulnerabilities?
Patch management
Your company has recently standardized servers using imaging technologies. However, a recent security audit verified that some servers were immune to known OS vulnerabilities, whereas other systems were not immune to the same vulnerabilities. Which of the following would reduce these vulnerabilities?
Patch management
Of the following choices, what is a benefit of IPsec?
Payload encryption
An organization wants to test how well employees can respond to a compromised system. Of the following choices, what identifies the best choice to test the response?
Penetration test
An organization has a legacy server within the DMZ. It is running older software that is not compatible with current patches, so it remains unpatched. Management accepts the risk on this system, but wants to know if attackers can access the internal network if they successfully compromise this server. What is the MOST appropriate test?
Pentest
What is the MOST invasive type of testing?
Pentest
A continuity of operations plan for an organization includes the use of a warm site. The BCP coordinator wants to verify that the organization's backup data center is prepared to implement the warm site if necessary. What is the BEST choice to meet this need?
Perform a disaster recovery exercise
(64) An organization wants to identify how threats may affect it without actually exploiting the findings. What can it do? Perform a risk assessment Hire external black box testers Perform a penetration test Perform a fuzz test
Perform a risk assessment
Lisa needs to identify if a risk exists on a web application and if attackers can potentially bypass security controls. However, she should not actively test the application. What is the BEST choice?
Perform a vulnerability scan
You suspect that an executable file on a web server is malicious and includes a zero-day exploit. Which of the following steps can you take to verify your suspicions?
Perform an operating system baseline comparison.
(98) Anonymous reports indicate a user is processing inappropriate data on a computer. However, a search of files on the system doesn't indicate anything inappropriate. What else can a security administrator do to investigate this? Capture an image of the hard drive Examine the firewall logs Perform memory forensics Implement password masking
Perform memory forensics
An organization wants to verify that a tape backup can be restored in its entirety. What should it do?
Perform test restores of the full backup
A web developer is adding input validation techniques to a web site application. Which of the following should the developer implement during this process?
Perform the validation on the server side.
Users have been complaining that their systems are running slow when interacting with a Windows e-mail server. What can an administrator use to check the performance of the mail server?
Performance Monitor
What can an administrator use to detect a DDoS attack?
Performance baseline
(42) Users have been complaining that their systems are running slow when interacting with a Windows email server. What can an administrator use to check the performance of the mail server? Security templates Performance monitor Imaging software Data Loss Prevention System
Performance monitor
A
Pete, a developer, writes an application. Jane, the security analyst, knows some things about the overall application but does not have all the details. Jane needs to review the software before it is released to production. Which of the following reviews should Jane conduct? A. Gray Box Testing B. Black Box Testing C. Business Impact Analysis D. White Box Testing
A
Pete, a security auditor, has detected clear text passwords between the RADIUS server and the authenticator. Which of the following is configured in the RADIUS server and what technologies should the authentication protocol be changed to? A. PAP, MSCHAPv2 B. CHAP, PAP C. MSCHAPv2, NTLMv2 D. NTLM, NTLMv2
B
Pete, an IT Administrator, needs to secure his server room. Which of the following mitigation methods would provide the MOST physical protection? A. Sign in and sign out logs B. Mantrap C. Video surveillance D. HVAC
B D
Pete, an employee, is terminated from the company and the legal department needs documents from his encrypted hard drive. Which of the following should be used to accomplish this task? (Select TWO). A. Private hash B. Recovery agent C. Public key D. Key escrow E. CRL
A
Pete, an employee, needs a certificate to encrypt data. Which of the following would issue Pete a certificate? A. Certification authority B. Key escrow C. Certificate revocation list D. Registration authority
A
Pete, the Chief Executive Officer (CEO) of a company, has increased his travel plans for the next two years to improve business relations. Which of the following would need to be in place in case something happens to Pete? A. Succession planning B. Disaster recovery C. Separation of duty D. Removing single loss expectancy
A
Pete, the system administrator, is reviewing his disaster recovery plans. He wishes to limit the downtime in the event of a disaster, but does not have the budget approval to implement or maintain an offsite location that ensures 99.99% availability. Which of the following would be Pete's BEST option? A. Use hardware already at an offsite location and configure it to be quickly utilized. B. Move the servers and data to another part of the company's main campus from the server room. C. Retain data back-ups on the main campus and establish redundant servers in a virtual environment. D. Move the data back-ups to the offsite location, but retain the hardware on the main campus for redundancy.
An attacker wants to obtain bank account information from a user. Which of the following methods do attackers use?
Phishing
Which of the following developer techniques results in significant security vulnerabilities for online web site applications?
Poor input validation
Additional windows are appearing when a user surfs the internet. These aren't malicious, but the user wants them to stop. What can stop this behavior?
Pop-up blocker
Bart is complaining that new browser windows keep opening on his computer. What is the BEST choice to stop these in the future?
Pop-up blocker
(25) Of the following choices, what would be the easiest to use to help you determine what services are running on a remote server? Port scanner Sniffer CRL Load balancer
Port scanner
You want to identify all of the services running on a server. What tool is the BEST choice to meet this goal?
Port scanner
Of the following choices, what is needed in a cold site used for continuity of operations?
Power and connectivity
B
Power and data cables from the network center travel through the building's boiler room. Which of the following should be used to prevent data emanation? A. Video monitoring B. EMI shielding C. Plenum CAT6 UTP D. Fire suppression
Your organization wants to prevent damage from malware. Which stage of the common incident response procedures is the BEST stage to address this?
Preparation
C
Prior to leaving for an extended vacation, Joe uses his mobile phone to take a picture of his family in the house living room. Joe posts the picture on a popular social media site together with the message, "Heading to our two weeks vacation to Italy." Upon returning home, Joe discovers that the house was burglarized. Which of the following is the MOST likely reason the house was burglarized if nobody knew Joe's home address? A. Joe has enabled the device access control feature on his mobile phone. B. Joe's home address can be easily found using the TRACEROUTE command. C. The picture uploaded to the social media site was geo-tagged by the mobile phone. D. The message posted on the social media site informs everyone the house will be empty.
Your company has a public website. Where could you identify what data is collected from users on this website?
Privacy policy
What can a PKI recovery agent recover?
Private key
(68) A black box tester is attempting data exfiltration. What will the tester most likely attempt after gaining access to a system? Vulnerability scan Privilege escalation Erase rules of engagement logs Create chain of custody
Privilege escalation
A company prohibits the use of USB flash drives to prevent data leakage. Of the following choices, what could the company also do to reduce data leakage?
Prohibit personal music devices
Your organization blocks access to social media web sites. The primary purpose is to prevent data leakage, such as the accidental disclosure of proprietary information. What is an additional security benefit of this policy?
Protects against banner ad malware
(71) What tool allows an administrator to view unencrypted network traffic? Vulnerability scanner PKI Protocol analyzer HSM
Protocol analyzer
A network administrator is attempting to identify all traffic on an internal network. What is the BEST choice?
Protocol analyzer
A network administrator is troubleshooting a communication problem between a web server and a database server. What tool would MOST likely be useful in this scenario?
Protocol analyzer
A network administrator needs to identify the type of traffic and packet flags used in traffic sent from a specific IP address. What is the BEST tool to meet this need?
Protocol analyzer
A security administrator needs to inspect protocol headers of traffic sent across the network. What tool is the BEST choice for this task?
Protocol analyzer
An administrator suspects that a computer is sending out large amounts of sensitive data to an external system. What tool can the administrator use to verify this?
Protocol analyzer
An administrator suspects that a web application is sending database credentials across the network in clear text. What can the administrator use to verify this?
Protocol analyzer
What can you use to examine IP headers in a data packet?
Protocol analyzer
What can you use to examine text transmitted over a network by an application?
Protocol analyzer
You are troubleshooting issues between two servers on your network and need to analyze the network traffic. Of the following choices, what is the BEST tool to capture and analyze this traffic?
Protocol analyzer
A manager recently observed an unauthorized person in a secure area, which is protected with a cipher lock door access system. After investigation, he discovered that an authorized employee gave this person the cipher lock code. Which of the following is the BEST response to this issue at the minimum cost?
Provide security awareness training.
Personnel in an organization are sharing their access codes to cipher locks with unauthorized personnel. As a result, unauthorized personnel are accessing restricted areas of the building. What is the BEST response to reduce this risk?
Provide security training to personnel
What can you use to electronically unlock a door for specific users?
Proximity card
An attacker is bypassing client-side input validation by intercepting and modifying data within the HTTP POST command. What does the attacker use in this attack?
Proxy
Of the following choices, what is the best choice for a device to filter and cache content from web pages?
Proxy server
A user visits an e-commerce website and initiates a secure connection. What type of key does the website provide to the user?
Public key
D
Public key certificates and keys that are compromised or were issued fraudulently are listed on which of the following? A. PKI B. ACL C. CA D. CRL
Homer works as a contractor at a company on a one-year renewing contract. After renewing his contract, the company issues him a new smart card. However, he is now having problems digitally signing email or opening encrypted email. What is the MOST likely solution?
Publish the certificate in his new smart card.
Of the following protocols, which one does not encrypt the entire authentication process, but instead only encrypts the password in traffic between the client and server?
RADIUS
Which of the following choices is an AAA protocol that uses shared secrets as a method of security?
RADIUS
Your company recently began allowing workers to telecommute from home one or more days a week. However, your company doesn't currently have a remote access solution. They want to implement an AAA solution that supports different vendors. What is the BEST choice?
RADIUS
D
RADIUS provides which of the following? A. Authentication, Authorization, Availability B. Authentication, Authorization, Auditing C. Authentication, Accounting, Auditing D. Authentication, Authorization, Accounting
What provides authentication services for remote users and devices?
RADIUS; Diameter
An organization needs to improve fault tolerance to increase data availability. However, the organization has a limited budget. What is the BEST choice to meet the organization's needs?
RAID
Which of the following is the lowest cost solution for fault tolerance?
RAID
Which of the following provides fault tolerance through disk mirroring?
RAID-1
You are a technician at a small organization. You need to add fault-tolerance capabilities within the business to increase the availability of data. However, you need to keep costs as low as possible. What is the BEST choice to meet these needs?
RAID-6
Where would a security specialist look for a hooked process?
RAM
An administrator is assigning access to users in different departments based on their job functions. What access control model is the administrator using?
RBAC
You manage user accounts for a sales department. You have created a sales user account template to comply with the principle of least privilege. What access control model are you following?
RBAC
Your organization is planning to implement videoconferencing, but it wants to protect the confidentiality of the streaming video. Which of the following would BEST meet this need?
RC4
One of your web servers was recently attacked and you have been tasked with reviewing firewall logs to see if you can determine how an attacker accessed the system remotely. You identified the following port numbers in log entries: 21, 22, 25, 53, 80, 110, 443, and 3389. Which of the following protocols did the attacker MOST likely use?
RDP
Management wants to implement a system that will provide automatic notification when personnel remove devices from the building. Which of the following security controls will meet this requirement?
RFID
(83) A new security policy has mandated that executives within a company must encrypt all email they send and receive between each other. Of the following choices, what can support this? MD5 TPM SHA-1 RSA
RSA
An organization is implementing a PKI and plans on using public and private keys. Which of the following can be used to create strong key pairs?
RSA
Which encryption algorithm uses prime numbers to generate keys?
RSA
Your organization uses several different types of cryptographic techniques. What technique uses a private key and a public key?
RSA
After Maggie turned on her computer, she saw a message indicating that unless she made a payment, her hard drive would be formatted. What does this indicate?
Ransomware
A business continuity expert is creating a BIA. What element is MOST likely to be omitted from the BIA?
Recommended solutions
A user's laptop developed a problem and can no longer boot. Help-desk personnel tried to recover the data on the disk, but the disk is encrypted. What can be used to retrieve data from the hard drive?
Recovery agent
Your organization maintains a separate wireless network for visitors in a conference room. However, you have recently noticed that people are connecting to this network even when there aren't any visitors in the conference room. You want to prevent these connections, while maintaining easy access for visitors in the conference room. What is the BEST solution?
Reduce antenna power
A recent change in an organization's security policy states that monitors need to be positioned so that they cannot be viewed from outside any windows. What is the purpose of this policy?
Reduce success of shoulder surfing
Which of the following is a valid reason to use a wildcard certificate?
Reduce the administrative burden of managing certificates.
What is the purpose of risk mitigation?
Reduce the chances that the threat will exploit a vulnerability
(43) An organization is planning to implement virtualization technology within its datacenter. Of the following choices, what benefit will this provide? Eliminate VM escape attacks Reduce the datacenter footprint Ensure systems include mandated security configurations Provide the accounting structure for system modifications
Reduce the datacenter footprint
An organization is planning to implement virtualization technology within its datacenter. Of the following choices, what benefit will this provide?
Reduce the datacenter footprint
Your organization hosts a web site with a back-end database server. During a recent power outage, the server crashed, resulting in a significant amount of lost data. What can your organization implement to prevent this loss from occurring again?
Redundancy
Of the following choices, what would you use in a patch management process?
Regression testing
Your company provides electrical and plumbing services to homeowners. Employees use tablets during service calls to record activity, create invoices, and accept credit card payments. What would BEST prevent disclosure of customer data if any of these devices are lost or stolen?
Remote wiping
Which of the following represents the BEST action to increase security in a wireless network?
Replace TKIP with CCMP
Some protocols include timestamps and sequence numbers. These components help protect against what type of attacks?
Replay
C
Requiring technicians to report spyware infections is a step in which of the following? A. Routine audits B. Change management C. Incident management D. Clean desk policy
Homer called into the help desk and says he forgot his password. What is the BEST choice for what the help-desk professional should do?
Reset the password and configure the password to expire after the first use
A team of users in your organization needs a dedicated subnet. For security reasons, other users should not be able to connect to this subnet. Which of the following choices is the BEST solution?
Restrict traffic based on physical addresses.
An organization implemented a disaster recovery plan in response to a hurricane. What is the last step in the disaster recovery process?
Review
Get Certified Get Ahead (GCGA) has outsourced some application development to your organization. Unfortunately, developers at your organization are having problems getting an application module to work, and they want to send the module with accompanying data to a third-party vendor for help in resolving the problem. What should developers consider before doing so?
Review NDAs
Which of the following is most closely associated with residual risk?
Risk acceptance
(62) Which of the following choices are valid risk management methods? (Choose all that apply) Risk acceptance Risk avoidance Risk deterrence Risk elimination Risk Transference
Risk acceptance Risk avoidance Risk deterrence Risk Transference
(63) A company briefly considered providing an additional service to its customers. However, it decided not to provide the service due to the risks involved. What method of risk management is the company using? Risk acceptance Risk avoidance Risk deterrence Risk mitigation Risk transference
Risk avoidance
An organization has purchased fire insurance to manage the risk of a potential fire. What method are they using?
Risk transference
Your organization hosts three wireless networks for different purposes. A recent site survey audit discovered the information shown in the following table:
SSID                   Security  Channel  Power
GetCertifiedVisitors   WPA2      1        71 dBm
GetCertifiedEmployee   WPA2      2        94 dBm
GetCertifiedEmployees  WPA2      3        73 dBm
GetCertifiedKiosk      WPA2      4        79 dBm
What does this indicate?
Rogue access point
An administrator needs to grant users access to different servers based on their job functions. Which access control model is the BEST choice to use?
Role-based access control
A user is issued a token with a number displayed in an LCD. What does this provide?
Rolling password for one-time use
(51) Sally is helping a user whose system is running slow and randomly rebooting. While troubleshooting it, she realizes she no longer has administrative rights on the system. What is a likely cause of these symptoms? Adware Rootkit DDoS Spam
Rootkit
A file integrity checker on a database server detected several modified system files. What could cause this?
Rootkit
A process running on a system has system-level access to the operating system's kernel. Investigation shows that it has modified system files. What best describes this behavior?
Rootkit
A security administrator recently noticed abnormal activity on a workstation. It is connecting to computers outside the organization's internal network, using uncommon ports. Using a security toolkit, the administrator discovered the computer is also running several hidden processes. What BEST indicates what the administrator has found?
Rootkit
Security administrators have recently implemented several security controls to enhance the network's security posture. Management wants to ensure that these controls continue to function as intended. What is the BEST choice to meet this goal?
Routine audit
Your organization's security policy requires that personnel notify security administrators if an incident occurs. However, this is not occurring consistently. Which of the following could the organization implement to ensure security administrators are notified in a timely manner?
Routine auditing
Bart has read access to an accounting database, and Lisa has both read and write access when Lisa is absent. What type of access control system is in place?
Rule-BAC
An organization is hiring a security firm to perform vulnerability testing. What should it define before the testing?
Rules of engagement
Of the following choices, what can you use to encrypt e-mail?
S/MIME
Your organization recently made an agreement with third parties for the exchange of authentication and authorization information. The solution uses an XML-based open standard. Which of the following is the MOST likely solution being implemented?
SAML
Which of the following protocols operates on Layer 7 of the OSI model?
SCP
(20) Of the following choices, what provides the most secure method of transferring files between two computers on a network? FTP TFTP SFTP AES
SFTP
Which of the following protocols is a file transfer protocol using SSH?
SFTP
You need to send several large files containing proprietary data to a business partner. What is the BEST choice for this task?
SFTP
(81) A system administrator wants to create a unique identifier for an executable file. Of the following choices, what can be used? RC4 Public Key Private key SHA
SHA
What can you use to verify data integrity?
SHA
Lisa wants to manage and monitor the switches and routers in her network. What protocols would she use?
SNMP
What protocol is used to monitor and configure network devices?
SNMP
Your organization hosts a web site within a DMZ, and the web site accesses a database server in the internal network. ACLs on firewalls prevent any connections to the database server except from the web server. Database servers are encrypted, and all data in transit between the web server and the database server is encrypted. What represents the GREATEST risk to the data on the server?
SQL injection
(21) Of the following choices, what is most often used to remotely administer a UNIX or Linux system? Terminal services Remote desktop services SCP SSH
SSH
Your organization recently updated its security policy and indicated that Telnet should not be used within the network. Which of the following should be used instead of Telnet?
SSH
Which of the following lists of protocols use TCP port 22 by default?
SSH, SCP, SFTP
Your organization's security policy requires that PII data at rest and PII data in transit be encrypted. Of the following choices, what would the organization use to achieve these objectives? (Select TWO)
SSH; PGP/GPG
Management asks you if you can modify the wireless network to prevent users from easily discovering it. What would you modify to meet this goal?
SSID broadcast
Which two protocols provide strong security for the Internet with the use of certificates? (Choose TWO.)
SSL, TLS
A federated user database is used to provide central authentication via a web portal. What service does this database provide?
SSO
When you log on to your online bank account, you are also able to access a partner's credit card site, check-ordering services, and a mortgage site without entering your credentials again. What does this describe?
SSO
Employees in your organization access web-based e-mail using cloud-based technologies. What type of technology is this?
SaaS
Management at your company recently decided to implement additional lighting and fencing around the property. Which security goal is your company MOST likely pursuing?
Safety
An application stores user passwords in a hashed format. What can decrease the likelihood that attackers can discover these passwords?
Salt
An organization is disposing of old hard drives. What should security personnel do to prevent data leakage?
Sanitize the drive using bit level overwrites
D
Sara, a company's security officer, often receives reports of unauthorized personnel having access codes to the cipher locks of secure areas in the building. Sara should immediately implement which of the following? A. Acceptable Use Policy B. Physical security controls C. Technical controls D. Security awareness training
B
Sara, a security analyst, is trying to prove to management what costs they could incur if their customer database was breached. This database contains 250 records with PII. Studies show that the cost per record for a breach is $300. The likelihood that their database would be breached in the next year is only 5%. Which of the following is the ALE that Sara should report to management for a security breach? A. $1,500 B. $3,750 C. $15,000 D. $75,000
C
Sara, a security architect, has developed a framework in which several authentication servers work together to increase processing power for an application. Which of the following does this represent? A. Warm site B. Load balancing C. Clustering D. RAID
C
Sara, an employee, tethers her smartphone to her work PC to bypass the corporate web security gateway while connected to the LAN. While Sara is out at lunch, her PC is compromised via the tethered connection and corporate data is stolen. Which of the following would BEST prevent this from occurring again? A. Disable the wireless access and implement strict router ACLs. B. Reduce restrictions on the corporate web security gateway. C. Security policy and threat awareness training. D. Perform user rights and permissions reviews.
D
Sara, the Chief Information Officer (CIO), has requested an audit take place to determine what services and operating systems are running on the corporate network. Which of the following should be used to complete this task? A. Fingerprinting and password crackers B. Fuzzing and a port scan C. Vulnerability scan and fuzzing D. Port scan and fingerprinting
B
Sara, the Chief Information Officer (CIO), has tasked the IT department with redesigning the network to rely less on perimeter firewalls, to implement a standard operating environment for client devices, and to disallow personally managed devices on the network. Which of the following is Sara's GREATEST concern? A. Malicious internal attacks B. Data exfiltration C. Audit findings D. Incident response
D
Sara, the Chief Security Officer (CSO), has had four security breaches during the past two years. Each breach has cost the company $3,000. A third-party vendor has offered to repair the security hole in the system for $25,000. The breached system is scheduled to be replaced in five years. Which of the following should Sara do to address the risk? A. Accept the risk, saving $10,000. B. Ignore the risk, saving $5,000. C. Mitigate the risk, saving $10,000. D. Transfer the risk, saving $5,000.
Homer received an email advertising the newest version of a popular smartphone, which is not available elsewhere. It includes a malicious link. What principle is the email author using?
Scarcity
Homer wants to ensure that other people cannot view data on his mobile device if he leaves it unattended. What should he implement?
Screen lock
Key personnel in your organization have mobile devices, which store sensitive information. What can you implement to prevent data loss from these devices if a thief steals one?
Screen lock
A new mobile device security policy has authorized the use of employee-owned devices, but mandates additional security controls to protect them if devices are lost or stolen. Which meets this goal?
Screen locks and device encryption
What are valid security controls for mobile devices?
Screen locks, device encryption and remote wipe
You want to check a log to determine when a user logged on and off of a system. What log would you check?
Security
An organization wants to prevent unauthorized personnel from entering a secure workspace. Of the following choices, what can be used? (Choose two)
Security and Proximity card
What is the MOST likely negative result if administrators do not implement access controls correctly on an encrypted USB hard drive?
Security controls can be bypassed
Which of the following is a preventive control?
Security guard
Which of the following is a management control?
Security policy
An organization recently completed a risk assessment. Who should be granted access to the report?
Security professionals and executive management
Of the following choices, what could you use to deploy baseline security configurations to multiple systems?
Security template
(41) What can an organization use to deploy systems in compliance with its strict security guidelines? Network access control Honeypots Change management Security templates
Security templates
(86) What type of key is used to sign an email message? Sender's public key Sender's private key Recipient's public key Recipient's private key
Sender's private key
A security auditor discovered that several employees in the Accounting department can print and sign checks. In her final report, she recommended restricting the number of people who can print checks and the number of people who can sign them. She also recommended that no one should be authorized to print and sign checks. What policy is she recommending?
Separation of duties
Security personnel recently identified potential fraud committed by a network administrator. Investigators discovered this administrator performs several job functions within the organization, including database administration and application development. What is the BEST solution to reduce risk associated with this activity?
Separation of duties
(94) An IT manager has assigned daily responsibility of managing the network-based firewall to one administrator, and daily responsibility of monitoring the network-based intrusion detection system (IDS) to another administrator. What policy is the manager trying to follow? Mandatory vacations policy Policy requiring administrators to use two accounts Job rotation policy Separation of duties policy
Separation of duties policy
A group of server administrators maintains several database servers, but they cannot access security logs on these servers. Security administrators can access the security logs, but they cannot access data within the databases. What policy is the company using?
Separation of duties policy
A web developer wants to reduce the chances of an attacker successfully launching XSRF attacks against a web site application. Which of the following provides the BEST protection?
Server-side input validation
You're asked to identify who is accessing a spreadsheet containing employee salary data. Detailed logging is configured correctly on this file. However, you are unable to identify a specific person who is accessing the file. What is the MOST likely reason?
Shared accounts are not prohibited
A person is trying to gain unauthorized information through casual observation. What type of attack is this?
Shoulder surfing
A security administrator at a shopping mall discovered two wireless cameras pointing at an automatic teller machine. These cameras were not installed by mall personnel and are not authorized. What is the MOST likely goal of these cameras?
Shoulder surfing
A web application developer is suggesting using password masking in the application. What is the developer trying to prevent?
Shoulder surfing
A HIDS reported a vulnerability on a system using an assigned vulnerability identification number. After researching the number on the vendor's web site, you identify the recommended solution and begin applying it. What type of HIDS is in use?
Signature-based
(95) An organization is planning annual security awareness training. Of the following choices, what is likely to be combined with this training? Creation of a BIA Signing an acceptable use statement ALE analysis Publishing the CRL
Signing an acceptable use statement
An organization is not actively involved in business continuity planning. What is it likely to overlook until a disaster results in a major outage?
Single points of failure
(11) Users in your network are able to log onto their local system, and after logging on they are able to access encrypted files on a server without reentering their password. What is being used? Discretionary access control (DAC) Single sign-on Multifactor authentication Least privilege
Single sign-on
Your organization has implemented a system that stores user credentials in a central database. Users log on once with their credentials. They can then access other systems in the organization without logging on again. What does this describe?
Single sign-on
When users log on to their computers, they are required to enter a username, a password, and a PIN. What BEST describes this?
Single-factor authentication
Your organization issues laptops to mobile users. Administrators configured these laptops with full disk encryption, which requires users to enter a password when they first turn on the computer. After the operating system loads, users are required to log on with a username and password. Which of the following choices BEST describes this?
Single-factor authentication
Which of the following is an example of multifactor authentication?
Smart card and PIN
While surfing the internet, a user sees a message indicating a malware infection and offering free antivirus software. The user downloads the free antivirus software but realizes it infected the system. Which one of the following choices best explains what happened to the user?
Social engineering
Which of the following is a type of media that allows the mass distribution of personal comments to specific groups of people?
Social media
(97) Employees share personal information, such as pictures and family updates, online. Of the following choices, what can an attacker use to gain this information? Company websites Email Mandatory vacation policy Social networking sites
Social networking sites
A
Some customers have reported receiving an untrusted certificate warning when visiting the company's website. The administrator ensures that the certificate is not expired and that customers have trusted the original issuer of the certificate. Which of the following could be causing the problem? A. The intermediate CA certificates were not installed on the server. B. The certificate is not the correct type for a virtual server. C. The encryption key used in the certificate is too short. D. The client's browser is trying to negotiate SSL instead of TLS.
(15) Users in your organization are issued proximity cards. What factor of authentication is being used? Something a user knows Something a user has Something a user is Something a user wants
Something a user has
(6) A user must use a thumbprint scanner to gain access to his laptop. What type of authentication is being used? Something the user knows Something the user has Something the user is CAC
Something the user is
Marge reports that she keeps receiving unwanted emails about personal loans. What does this describe?
Spam
What can you use to block unsolicited e-mail?
Spam filter
(55) Of the following choices, what best represents an attack designed to obtain information from a specific person? Spear phishing Tailgating Trojan Phishing
Spear phishing
Of the following choices, what best represents an attack against specific employees of a company?
Spear phishing
Of the following malware types, which one is MOST likely to monitor a user's computer?
Spyware
(84) A user discovered text in a document that is so small it looks like a dash. What best describes this? Steganography Elliptic curve cryptography CRL RIPEMD
Steganography
A user wants to hide confidential data within a .jpg file. Which of the following is the BEST choice to meet this need?
Steganography
A website includes graphic files. A security professional is comparing the hash of a graphic file captured last week with the hash of what appears to be the same graphic file today. What is the security professional looking for?
Steganography
(75) An organization stores backups on tapes. Of the following choices, what is an important step related to these tapes? Ensure tapes are not labeled Store the tapes with the servers Throw tapes away after usable service lifetime expires Store a copy of the backup off-site
Store a copy of the backup off-site
Of the following choices, what can help prevent SQL injection attacks?
Stored procedures
Which of the following is a symmetric encryption algorithm that encrypts data one bit at a time?
Stream cipher
Your organization was recently attacked, resulting in a data breach, and attackers captured customer data. Management wants to take steps to better protect customer data. Which of the following will BEST support this goal?
Stronger access controls and encryption
A network administrator needs to update the operating system on switches used within the network. Assuming the organization is following standard best practices, what should the administrator do first?
Submit a request using the change management process
You need to divide a single Class B IP address range into several ranges. What would you do?
Subnet the Class B IP address range
A BCP includes a chart listing roles within the organization along with their matching responsibilities during a disaster. It also includes a chain of command. What is the purpose of this chart?
Succession planning
Monty Burns is the CEO of the Springfield Nuclear Power Plant. What would the company have in place in case something happens to him?
Succession planning
A company is creating a security awareness and training plan for employees. Of the following choices, what will affect its success the most?
Support from senior management
(82) Two entities share the same secret key. What type of encryption are they using? Asymmetric Symmetric Public key HMAC
Symmetric
What type of encryption does the RADIUS protocol use?
Symmetric
A
Symmetric encryption uses a single key to encrypt and decrypt while asymmetric encryption uses 2 keys, one for encryption and one for decryption. A. True B. False
(72) You want to check a log to determine when a service was stopped. What log would you check? System Application Firewall Security
System
Which one of the following AAA protocols uses multiple challenges and responses?
TACACS+
A network administrator needs to open a port on a firewall to support a VPN using PPTP. Which port should the administrator open?
TCP 1723
Bart wants to block access to all external web sites. Which port should he block at the firewall?
TCP 80
A heavily used application accesses a financial database on a server within your network. Due to recent data breaches, management wants to ensure transport encryption protects this data. What algorithm is the BEST choice to meet this goal?
TLS
Your organization is planning to establish a secure link between one of your mail servers and a business partner's mail server. The connection will use the Internet. What protocol is the BEST choice?
TLS
Your organization is planning to implement remote access capabilities. Management wants strong authentication and wants to ensure that passwords expire after a predefined time interval. What BEST meets this requirement?
TOTP
Your organization is planning to implement stronger authentication for remote access users. An updated security policy mandates the use of token-based authentication with a password that changes every 30 seconds. Which of the following choices BEST meets this requirement?
TOTP
You are comparing different encryption methods. Which method includes a storage root key?
TPM
Your organization recently purchased several new laptop computers for employees. You're asked to encrypt the laptop's hard drives without purchasing any additional hardware. What would you use?
TPM
The BCP coordinator at your organization is leading a meeting on-site with key disaster recovery personnel. The purpose of the meeting is to perform a test. What type of test is this?
Tabletop exercise
(17) An attacker followed an authorized user into a secure area after the authorized user opened the door with an access card. What type of attack is this? Mantrap Fuzzing Tailgating ARP poisoning
Tailgating
Bart is in a break area outside the office. He told Lisa that he forgot his badge inside and asked Lisa to let him follow her when she goes back inside. What does this describe?
Tailgating
Two employees have entered a secure datacenter. However, only one employee provides credentials. How did the other employee gain entry?
Tailgating
You are preparing to deploy a new application on a virtual server. The virtual server hosts another server application that employees routinely access. What is the BEST method to use when deploying the new application?
Take a snapshot of the VM before deploying the new application
After a recent incident, a forensic analyst was given several hard drives to analyze. What should the analyst do first?
Take hashes and capture system images
Of the following choices, what type of control is least privilege?
Technical
Which of the following accurately identifies the primary security control classifications?
Technical, Management, and operational
Your organization hosts several bays of servers within a server room. What environmental control within the datacenter requires a thermostat?
Temperature control
An organization is performing a disaster recovery exercise. Of the following choices, what is likely to be included?
Test server restoration
Lisa is a database administrator and received a phone call from someone identifying himself as a technician working with a known hardware vendor. The technician said he's aware of a problem with database servers they've sold, but it only affects certain operating system versions. He asks Lisa what operating system the company is running on its database servers. What is the BEST response from Lisa?
Thank the caller and end the call, report the call to her supervisor, and independently check with the vendor for issues.
The 4th layer of the OSI model, which holds the TCP protocol, is _____________? A. Data Link B. Network C. Transport D. Session
C. Transport
A user browses to a website and sees this message: "The site's certificate is not trusted." What is a likely reason?
The CA is not a trusted root CA
Homer wants to send a secure email to Marge so he decides to encrypt it. Homer wants to ensure that Marge can verify that he sent it. What does Marge need to verify the certificate that Homer used in this process is valid?
The CA's public key
The CIA Triad are 3 specific principles in security. It covers Confidentiality, Integrity, and __________? A. Accessibility B. Availability C. Auditing D. Authentication
B. Availability
The CRL contains a list of: A. private keys B. public keys C. root certificates D. valid certificates
B. public keys (strictly, a CRL lists the serial numbers of revoked certificates, each of which binds a public key; of the choices offered, B is the closest, and D is the opposite of what a CRL holds)
The Chief Information Officer (CIO) has mandated web-based Customer Relationship Management (CRM) business functions be moved offshore to reduce cost, reduce IT overheads, and improve availability. The Chief Risk Officer (CRO) has agreed with the CIO's direction but has mandated that key authentication systems be run within the organization's network. Which of the following would BEST meet the CIO and CRO's requirements? A. Software as a Service B. Infrastructure as a Service C. Platform as a Service D. Hosted virtualization service
A. Software as a Service
The Chief Information Officer (CIO) wants to implement a redundant server location to which the production server images can be moved within 48 hours and services can be quickly restored, in case of a catastrophic failure of the primary datacenter's HVAC. Which of the following can be implemented? A. Cold site B. Load balancing C. Warm site D. Hot site
C. Warm site
The Chief Information Officer (CIO) wants to implement widespread network and hardware changes within the organization. The CIO has adopted an aggressive deployment schedule and does not want to bother with documentation, because it will slow down the deployment. Which of the following are the risks associated with not documenting the changes? A. Undocumented networks might not be protected and can be used to support insider attacks B. Documenting a network hinders production because it is time consuming and ties up critical resources C. Documented networks provide a visual representation of the network for an attacker to exploit D. Undocumented networks ensure the confidentiality and secrecy of the network topology
A. Undocumented networks might not be protected and can be used to support insider attacks
The Chief Technical Officer (CTO) has tasked the Computer Emergency Response Team (CERT) to develop and update all Internal Operating Procedures and Standard Operating Procedures documentation in order to successfully respond to future incidents. Which of the following stages of the Incident Handling process is the team working on? A. Lessons Learned B. Eradication C. Recovery D. Preparation
D. Preparation
Your organization is hosting a wireless network with an 802.1x server using PEAP. On Thursday, users report they can no longer access the wireless network. Administrators verified the network configuration matches the baseline, there aren't any hardware outages, and the wired network is operational. What is the MOST likely cause for this problem?
The RADIUS server certificate expired
The RAID controller on a server failed and was replaced with a different brand. Which of the following will be needed after the server has been rebuilt and joined to the domain? A. Vendor documentation B. Recent backups C. Physical IP address D. Physical network diagram
B. Recent backups
The ability to make access decisions based on an examination of Windows registry settings, antivirus software, and AD membership status is an example of which of the following NAC features? A. Quarantine network B. Persistent agents C. Posture assessment D. Non-persistent agents
C. Posture assessment
An attacker was able to sneak into your building but was unable to open the server room door. He bashed the proximity badge reader with a portable fire extinguisher and the door opened. What is the MOST likely reason that the door opened?
The access system was designed to fail-open
The act of magnetically erasing all of the data on a disk is known as: A. Wiping B. Dissolution C. Scrubbing D. Degaussing
D. Degaussing
The annual loss expectancy can be calculated by: A. Dividing the annualized rate of occurrence by single loss expectancy. B. Multiplying the annualized rate of occurrence and the single loss expectancy. C. Subtracting the single loss expectancy from the annualized rate of occurrence. D. Adding the single loss expectancy and the annualized rate of occurrence.
B. Multiplying the annualized rate of occurrence and the single loss expectancy (ALE = SLE x ARO)
Attackers have attacked an online web server using a SQL injection attack. What BEST describes this?
The attacker is attempting to pass commands to a back-end database server to access data
(88) A web browser indicates that the issuer of a certificate is not recognized. What is a likely reason? The certificate is a self-signed certificate The certificate does not include the private key The certificate does not include the public key The certificate is using weak encryption
The certificate is a self-signed certificate
The finance department works with a bank which has recently had a number of cyber attacks. The finance department is concerned that the banking website certificates have been compromised. Which of the following can the finance department check to see if any of the bank's certificates are still valid? A. Bank's CRL B. Bank's private key C. Bank's key escrow D. Bank's recovery agent
A. Bank's CRL
The helpdesk reports increased calls from clients reporting spikes in malware infections on their systems. Which of the following phases of incident response is MOST appropriate as a FIRST response? A. Recovery B. Follow-up C. Validation D. Identification E. Eradication F. Containment
D. Identification
Your organization is considering deploying multiple servers using a standardized image. Of the following choices, what best describes the security benefits of this plan?
The image can include mandated security configurations
The main corporate website has a service level agreement that requires availability 100% of the time, even in the case of a disaster. Which of the following would be required to meet this demand? A. Warm site implementation for the datacenter B. Geographically disparate site redundant datacenter C. Localized clustering of the datacenter D. Cold site implementation for the datacenter
B. Geographically disparate site redundant datacenter
The management team wants to set up a wireless network in their office but all of their phones operate at the 2.4 GHz frequency. They need a wireless network that would be able to operate at a higher frequency than their phones. Which of the following standards should be used? A. 802.11a B. 802.11b C. 802.11g D. 802.1x
A. 802.11a (5 GHz)
The manager has a need to secure physical documents every night, since the company began enforcing the clean desk policy. The BEST solution would include (Select TWO): A. Fire- or water-proof safe. B. Department door locks. C. Proximity card. D. 24-hour security guard. E. Locking cabinets and drawers.
A. Fire- or water-proof safe; E. Locking cabinets and drawers
A manager is suspected of leaking trade secrets to a competitor. A security investigator is examining his laptop and notices a large volume of vacation pictures on the hard drive. Data on this laptop automatically uploads to a private cloud owned by the company once a week. The investigator noticed that the hashes of most of the pictures on the hard drive are different from the hashes of the pictures in the cloud location. What is the MOST likely explanation for this scenario?
The manager is leaking data using steganography methods
The method to provide end users of IT systems and applications with requirements related to acceptable use, privacy, new threats and trends, and use of social networking is: A. Security awareness training. B. BYOD security training. C. Role-based security training. D. Legal compliance training.
A. Security awareness training
The network administrator has been tasked to rebuild a compromised web server. The administrator is to remove the malware and install all the necessary updates and patches. This represents which of the following stages of the Incident Handling Response? A. Lessons Learned B. Plan of action C. Eradication D. Reconstitution
C. Eradication
The network install is failing redundancy testing at the MDF. The traffic being transported is a mixture of multicast and unicast signals. Which of the following would BEST handle the rerouting caused by the disruption of service? A. Layer 3 switch B. Proxy server C. Layer 2 switch D. Smart hub
A. Layer 3 switch
Which of the following is the BEST description of why disabling SSID broadcast is not an effective security measure against attackers?
The network name is contained in wireless packets in plaintext.
Robert lets you know that he is using his username as his password since it's easier to remember. You decide to inform the user that this isn't a secure password. What explanation would you include?
The password is not complex
The process by which malicious software changes its underlying code in order to avoid detection is known as: A. Spoofing B. Pharming C. Polymorphism D. Fuzzing
C. Polymorphism
The process of REPEATEDLY deleting and overwriting any traces of sensitive data on a device is known as: A. Data wiping B. Data sanitation C. Data formatting D. Data Locking
B. Data sanitation
The recovery agent is used to recover the: A. Root certificate B. Key in escrow C. Public key D. Private key
D. Private key
The security administrator installed a newly generated SSL certificate onto the company web server. Due to a misconfiguration of the website, a downloadable file containing one of the pieces of the key was available to the public. It was verified that the disclosure did not require a reissue of the certificate. Which of the following was MOST likely compromised? A. The file containing the recovery agent's keys. B. The file containing the public key. C. The file containing the private key. D. The file containing the server's encrypted passwords.
B. The file containing the public key (the public key is meant to be distributed; exposure of the private key would have required revoking and reissuing the certificate)
The security consultant is assigned to test a client's new software for security, after logs show targeted attacks from the Internet. To determine the weaknesses, the consultant has no access to the application program interfaces, code, or data structures. This is an example of which of the following types of testing? A. Black box B. Penetration C. Gray box D. White box
A. Black box
The security manager received a report that an employee was involved in illegal activity and has saved data to a workstation's hard drive. During the investigation, local law enforcement's criminal division confiscates the hard drive as evidence. Which of the following forensic procedures is involved? A. Chain of custody B. System image C. Take hashes D. Order of volatility
A. Chain of custody
The security officer is preparing a read-only USB stick with a document of important personal phone numbers, vendor contacts, an MD5 program, and other tools to provide to employees. At which of the following points in an incident should the officer instruct employees to use this information? A. Business Impact Analysis B. First Responder C. Damage and Loss Control D. Contingency Planning
B. First Responder
The system administrator has deployed updated security controls for the network to limit risk of attack. The security manager is concerned that controls continue to function as intended to maintain appropriate security posture. Which of the following risk mitigation strategies is MOST important to the security manager? A. User permissions B. Policy enforcement C. Routine audits D. Change management
C. Routine audits
A user browsing the Internet notices erratic behavior right before the user's system crashes. After rebooting, the system is slow, and the user detects hundreds of outbound connections. What likely occurred?
The system has joined a botnet
The use of social networking sites introduces the risk of: A. Disclosure of proprietary information. B. Data classification issues. C. Data availability issues. D. Broken chain of custody.
A. Disclosure of proprietary information
After downloading pirated software, a user notices the computer is running very slowly and antivirus software is detecting malware. What likely happened?
The user installed a Trojan
There are 3 states of Data; At Rest, In Use, and _____? A. In Transit B. In Retention C. In Storage D. In Validation
A. In Transit
(57) Of the following choices, what provides the best testing for in-house developed applications? Internal black box testing Internal white box testing Third party black box testing Third party white box testing
Third party black box testing
This access control model uses an ACL (Access Control List) that will allow access to an object. A. RBAC B. DAC C. MAC D. CBAC
B. DAC
This device is used to handle a large number of tunnels for secure remote access. They are high performance and scalable. A. Load balancer B. VPN Concentrator C. Secure Gateway D. NAC
B. VPN Concentrator
This device protects a system by blocking unwanted network traffic by using a rule set. A. Router B. Firewall C. Proxy Server D. Load balancer
B. Firewall
This is a large compilation of updates that can even include functionality enhancements. A. Patch B. Hotfix C. Rollup D. Service Pack
D. Service Pack
This is a set of standards that secures data in transit. It supports authenticity and integrity, anti-replay, non-repudiation, and confidentiality protection. A. ICMP B. iSCSI C. IPSec D. FCoE
C. IPSec
This is a testing method that sends random or unusual input data to an application and notes any failures that may result. A. XSS B. SQL Injection C. XSRF D. Fuzzing
D. Fuzzing
This is a highly directional antenna for wireless devices. While it has a large amount of gain, it is difficult to establish a connection with it since the cone is very small. A. Yagi B. Backfire C. Parabolic D. Cantenna
C. Parabolic
This security method is accomplished by whitelisting a set of MAC addresses. Any MAC address not on the list cannot gain access to the device. A. MAC filtering B. MAC limiting C. MAC separation D. Implicit Deny
A. MAC filtering
This service runs on port 143. A. RDP B. FTP C. NetBIOS D. IMAP
D. IMAP
This system scans, audits, and monitors traffic on a specific segment of the network. While it can send alerts about concerns, it cannot read encrypted data, since it has no ability to decrypt the packet. A. NIPS B. NIDS C. WIDS D. IPS
B. NIDS
This translates all internal IP addresses to an external routable IP address. A. NAC B. NAT C. CTI D. CCI
B. NAT
What is included in a risk assessment? (Choose three)
Threats, Vulnerabilities, and Asset values
Members of a project team came in on the weekend to complete some work on a key project. However, they found that they were unable to access any of the project's data. What is the MOST likely reason why they can't access this data?
Time-of-day access control
An organization supports remote access, allowing users to work from home. However, management wants to ensure that personnel cannot log on to work systems from home during weekends and holidays. Which of the following BEST supports this goal?
Time-of-day restrictions
A security analyst tagged a computer stating when he took possession of it. What is the BEST explanation for this?
To begin a chain of custody
Your organization includes a software development division within the IT department. One developer writes and maintains applications for the Sales and Marketing departments. A second developer writes and maintains applications for the payroll department. Once a year, they have to switch roles for at least a month. What is the purpose of this practice?
To enforce a job rotation policy
To ensure proper evidence collection, which of the following steps should be performed FIRST? A. Take hashes from the live system B. Review logs C. Capture the system image D. Copy all compromised files
C. Capture the system image
To help prevent unauthorized access to PCs, a security administrator implements screen savers that lock the PC after five minutes of inactivity. Which of the following controls is being described in this situation? A. Management B. Administrative C. Technical D. Operational
C. Technical
While reviewing logs on a firewall, you see several requests for the AAAA record of gcgapremium.com. What is the purpose of this request?
To identify the IPv6 address of gcgapremium.com (an A record holds the IPv4 address; AAAA is the IPv6 record type)
Why would an organization use information classification practices?
To protect sensitive data
A company provides employees with annual security awareness training. Of the following choices, what is the most likely reason the company is doing this?
To reinforce user compliance with security policies
You need to ensure data sent over an IP-based network remains confidential. Which of the following provides the BEST solution?
Transport encryption
What type of malware do users inadvertently install with USB thumb drives?
Trojans
Your organization has a password policy with a password history value of 12. What does this indicate?
Twelve different passwords must be used before reusing the same password
(8) What makes up a two-factor authentication system? Two distinct items, one from two of the authentication factors Two distinct items from any single authentication factor Two distinct items from each of the authentication factors One distinct item from each of the authentication factors
Two distinct items, one from two of the authentication factors
Two weeks after installation, a network technician is now unable to log onto any of the newly installed company switches. The technician suspects that a malicious user may have changed the switches' settings before they were installed in secure areas. Which of the following is the MOST likely way in which the malicious user gained access to the switches? A. Via SSH using the RADIUS shared secret B. Via HTTP using the default username and password C. Via console using the administrator's password D. Via SNMP using the default RO community
B. Via HTTP using the default username and password
Security analysts recently discovered that users in your organization are inadvertently installing malware on their systems after visiting the comptai.org web site. Users have a legitimate requirement to visit the comptia.org web site. What is the MOST likely explanation for this activity?
Typo squatting
You need to prevent the use of TFTP through your firewall. Which port would you block?
UDP 69
(74) Commercial power provided to a remote location has problems with power fluctuations, resulting in occasional server crashes. What can the organization implement to protect against power fluctuations? UPS Generators HVAC system Hot and cold aisles
UPS
You need to configure a UTM security appliance to restrict access to peer-to-peer file sharing web sites. What are you MOST likely to configure?
URL filter
Your organization wants to prevent users from accessing file sharing web sites. What will meet this need?
URL filter
Management recently learned that several employees are using the company network to visit gambling and gaming web sites. They want to implement a security control to prevent this in the future. Which of the following choices would meet this need?
UTM
Your organization wants to combine some of the security controls used on the network. What could your organization implement to meet this goal?
UTM
A security tester is using fuzzing techniques to test a software application. which of the following does fuzzing use to test the application?
Unexpected input
(54) Of the following choices, what provides the best protection against malware for computers with internet access? Antivirus Software Anti-spam software Updated antivirus software Updated anti-spyware software
Updated antivirus software
How can a forensic analyst ensure the integrity of an image of a computer's memory?
Use SHA-256
(85) Sally sent an encrypted email with a digital signature to Joe. Joe wants to verify the email came from Sally. How can this be achieved? Use Sally's private key to verify the digital signature Use Sally's private key to decrypt the email Use Sally's public key to verify the digital signature Use Sally's public key to encrypt the email
Use Sally's public key to verify the digital signature
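The two signature cards in this section (Homer and Marge, Sally and Joe) both turn on the same asymmetry: you sign with your own private key, and the recipient verifies with your public key, after first checking that the CA's signature on your certificate is valid using the CA's public key. The Go program below is an added example written for this study guide, not code from the guide or from any vendor. It substitutes Ed25519 for RSA and a tiny hand-rolled Cert struct for X.509, both assumptions chosen to keep it dependency-free; real certificates carry names, validity dates, extensions and a revocation check (see the CRL cards), none of which is modelled here.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// SignedMail is what the sender transmits: the message plus a signature
// produced with the sender's PRIVATE key.
type SignedMail struct {
	Body      []byte
	Signature []byte
}

// Cert is a deliberately minimal stand-in for an X.509 certificate: the
// subject's public key, bound to a subject name, signed by the CA's private key.
type Cert struct {
	Subject string
	PubKey  ed25519.PublicKey
	CASig   []byte
}

// Sign is the sender's step (Homer, or Sally): only the holder of the private
// key can produce this signature over the body.
func Sign(priv ed25519.PrivateKey, body []byte) SignedMail {
	return SignedMail{Body: body, Signature: ed25519.Sign(priv, body)}
}

// certBody is the to-be-signed portion of the certificate. Hashing the name
// and key together (with a separator) means a signature over one subject
// cannot be transplanted onto another.
func certBody(subject string, pub ed25519.PublicKey) []byte {
	h := sha256.New()
	h.Write([]byte(subject))
	h.Write([]byte{0})
	h.Write(pub)
	return h.Sum(nil)
}

// IssueCert is the CA's one-time step for a subject.
func IssueCert(caPriv ed25519.PrivateKey, subject string, pub ed25519.PublicKey) Cert {
	return Cert{Subject: subject, PubKey: pub, CASig: ed25519.Sign(caPriv, certBody(subject, pub))}
}

// VerifyMail is the recipient's step (Marge, or Joe). It needs two PUBLIC keys
// and no private key at all: the CA's public key to validate the sender's
// certificate, then the certified sender public key to validate the message.
// Lengths are checked up front because ed25519.Verify panics on a malformed
// public key instead of returning false.
func VerifyMail(caPub ed25519.PublicKey, c Cert, m SignedMail) bool {
	if len(caPub) != ed25519.PublicKeySize || len(c.PubKey) != ed25519.PublicKeySize ||
		len(c.CASig) != ed25519.SignatureSize || len(m.Signature) != ed25519.SignatureSize {
		return false
	}
	if !ed25519.Verify(caPub, certBody(c.Subject, c.PubKey), c.CASig) {
		return false // certificate was not issued by the CA we trust
	}
	return ed25519.Verify(c.PubKey, m.Body, m.Signature)
}

func main() {
	caPub, caPriv, _ := ed25519.GenerateKey(rand.Reader)
	homerPub, homerPriv, _ := ed25519.GenerateKey(rand.Reader)

	cert := IssueCert(caPriv, "homer@example.com", homerPub) // assumed subject name
	mail := Sign(homerPriv, []byte("Marge, the reactor is fine."))
	fmt.Println("genuine mail verifies:", VerifyMail(caPub, cert, mail))

	mail.Body = []byte("Marge, the reactor is NOT fine.") // altered in transit
	fmt.Println("tampered mail verifies:", VerifyMail(caPub, cert, mail))
}
```

Note what the recipient never touches: the sender's private key (the wrong answer in the Sally card) and the CA's private key. A signature check with the public key answers "did the holder of the matching private key sign exactly these bytes"; the certificate check answers "does a CA I trust vouch that this public key belongs to this subject". Both must pass.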
A user recently worked with classified data on an unclassified system. You need to sanitize all the reclaimed space on this system's hard drives while keeping the system operational. What method will BEST meet this goal?
Use a cluster tip wiping tool
An administrator wants to prevent users from installing software. Of the following choices, what is the easiest way to accomplish this?
Use a security template
Your network includes a subnet that hosts accounting servers with sensitive data. You want to ensure that users in the Marketing Department (on a separate subnet) cannot access these servers. Of the following choices, what would be the easiest to achieve the goal?
Use an ACL
A file server within a network hosts files that employees throughout the company regularly access. Management wants to ensure that some personnel files on this server are not accessible by administrators. What provides the best protection?
Use file encryption
Interns from a local college frequently work at your company. Some interns work with the database developers, some interns work with the web application developers, and some interns work with both developers. Interns working with the database developers require specific privileges, and interns working with the web application developers require different privileges. What is the simplest method to meet these requirements?
Use group-based privileges
A web developer wants to prevent cross-site scripting. What should the developer do?
Use input validation to remove hypertext
Your organization has spent a significant amount of money on training employees on security awareness. Your organization wants to validate the success of this training. What is the BEST choice?
Use metrics
Use of group accounts should be minimized to ensure which of the following? A. Password security B. Regular auditing C. Baseline management D. Individual accountability
D. Individual accountability
Someone stole an executive's smartphone, and the phone includes sensitive data. What should you do to prevent the thief from reading the data?
Use remote wipe.
You are configuring a file server used to share files and folders among employees within your organization. However, employees should not be able to access all folders on this server. Which of the following choices is the BEST method to manage security for these folders?
Use security groups with appropriate permissions.
Management wants to prevent users in the marketing department from logging onto network systems between 6pm and 5am. How can this be accomplished?
Use time-of-day restrictions
(4) What can you do to increase the key space of a password? Use only uppercase or lowercase letters Use uppercase, lowercase, numbers, and special characters Use password history with a minimum password age Ensure that passwords expire
Use uppercase, lowercase, numbers, and special characters
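Three of the password cards in this section describe policy checks a system would enforce at password-change time: reject a password that is the username (Robert), require all four character classes to enlarge the key space (card 4), and keep a history of 12 so a user cycles through 12 different passwords before reuse. The Go program below is an added example written for this study guide, not code from the guide or any vendor, and it generalizes the three cards into one checker. Assumptions not stated on the cards: a 12-character minimum length, the "must not even contain the username" rule, and salted SHA-256 as a stand-in for the slow KDF (bcrypt, scrypt or Argon2id) a real password store should use.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
	"math"
	"strings"
	"unicode"
)

// HistoryDepth mirrors the policy value of 12 from the password-history card.
const HistoryDepth = 12

// MinLength is an assumed policy value; the cards do not state one.
const MinLength = 12

// HistoryEntry keeps a per-entry random salt and the salted hash, never the
// password itself, so an attacker who steals the history still has to crack it.
type HistoryEntry struct {
	Salt []byte
	Hash []byte
}

// hashPassword is salted SHA-256 to keep the example dependency-free. A real
// deployment should substitute a deliberately slow KDF such as Argon2id.
func hashPassword(salt []byte, pw string) []byte {
	h := sha256.New()
	h.Write(salt)
	h.Write([]byte(pw))
	return h.Sum(nil)
}

// Record appends the hash of a newly set password and drops the oldest entry,
// so the history never holds more than HistoryDepth passwords. This is what
// makes the 13th password free to repeat the 1st, as the card states.
func Record(history []HistoryEntry, pw string) ([]HistoryEntry, error) {
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		return history, err
	}
	history = append(history, HistoryEntry{Salt: salt, Hash: hashPassword(salt, pw)})
	if len(history) > HistoryDepth {
		history = history[len(history)-HistoryDepth:]
	}
	return history, nil
}

// KeySpace is the number of possible passwords for a character-set size and
// length, the quantity the key-space card asks about (94^8 vs 26^8, say).
func KeySpace(charsetSize, length int) float64 {
	return math.Pow(float64(charsetSize), float64(length))
}

// classes reports which of the four character classes the password contains.
func classes(pw string) (upper, lower, digit, special bool) {
	for _, r := range pw {
		switch {
		case unicode.IsUpper(r):
			upper = true
		case unicode.IsLower(r):
			lower = true
		case unicode.IsDigit(r):
			digit = true
		default:
			special = true
		}
	}
	return
}

// CheckPassword returns nil when the candidate satisfies every rule, otherwise
// an error naming the rule it broke. The history comparison is constant-time
// per entry so the check does not leak how close a guess came.
func CheckPassword(username, candidate string, history []HistoryEntry) error {
	if len(candidate) < MinLength {
		return fmt.Errorf("password must be at least %d characters", MinLength)
	}
	if username != "" && strings.Contains(strings.ToLower(candidate), strings.ToLower(username)) {
		return errors.New("password must not contain the username")
	}
	if u, l, d, s := classes(candidate); !(u && l && d && s) {
		return errors.New("password must mix uppercase, lowercase, digits and special characters")
	}
	for _, e := range history {
		if subtle.ConstantTimeCompare(hashPassword(e.Salt, candidate), e.Hash) == 1 {
			return fmt.Errorf("password matches one of the last %d passwords", HistoryDepth)
		}
	}
	return nil
}

func main() {
	hist, _ := Record(nil, "Winter-2024!ok") // constructed sample history
	fmt.Println(CheckPassword("bart", "Winter-2024!ok", hist))
	fmt.Println(CheckPassword("bart", "bart", hist))
	fmt.Println(CheckPassword("bart", "Correct-Horse-9!", hist))
	fmt.Printf("key space, 8 chars from 26 symbols: %.3g; from 94 symbols: %.3g\n",
		KeySpace(26, 8), KeySpace(94, 8))
}
```

The history check is why the policy-minded cards also pair history with a minimum password age: without one, a user can set twelve throwaway passwords in a minute and land back on the original. KeySpace shows the other card's point numerically; 26^8 is about 2.1e11 while 94^8 is about 6.1e15, so widening the alphabet does far more for brute-force resistance than the extra two keystrokes cost the user.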
Bart copied an encrypted file from his desktop computer to his USB drive and discovered that the copied file isn't encrypted. He asks you what he can do to ensure files he's encrypted remain encrypted when he copies them to a USB drive. What would you recommend as the BEST solution to this problem?
Use whole disk encryption on the USB drive
Used in conjunction, which of the following are PII? (Select TWO). A. Marital status B. Favorite movie C. Pet's name D. Birthday E. Full name
D. Birthday; E. Full name
After a recent security incident, a security administrator discovered someone used an enabled account of an ex-employee to access data in the Sales Department. What should be done to prevent this in the future?
User access review
Of the following choices, what is an example of a system audit?
User rights and permissions review
Your organization recently hired an outside security auditor to review internal processes. The auditor identified several employees who had permissions for previously held jobs within the company. What should the organization implement to prevent this in the future?
User rights and permissions reviews
Your organization's security policy states that administrators should follow the principle of least privilege. What can ensure that administrators are following the policy?
User rights and permissions reviews
(49) Your organization has a significant amount of research and development data it wants to protect against data leakage. Of the following choices what presents the greatest risks? Users copying the data to a USB flash drive Users sending encrypted backup tapes to an offsite location Users sending data over the network with IPsec Users transmitting data to an FTP server with FTPS
Users copying the data to a USB flash drive
A security expert is identifying and implementing several different physical deterrent controls to protect an organization's server room. What BEST meets this objective?
Using hardware locks
Your company is planning on implementing a policy for users so that they can connect their mobile devices to the network. However, management wants to restrict network access for these devices. They should have Internet access and be able to access some internal servers, but management wants to ensure that they do not have access to the primary network where company-owned devices operate. What will BEST meet this goal?
VLAN
What can mitigate ARP poisoning attacks in a network?
VLAN segregation
Your organization frequently has guests visiting in various conference rooms throughout the building. These guests need access to the Internet via wall jacks, but should not be able to access internal network resources. Employees need access to both the internal network and the Internet. What would BEST meet this need?
VLANs and 802.1x
What type of attack starts on a virtual system but can affect the physical host?
VM escape
Management within your organization wants some users to be able to access internal network resources from remote locations. Which of the following is the BEST choice to meet this need?
VPN
Validation of an entity with 2 or more authentication schemes is known as: A. Mutual Authentication B. Token Authentication C. Multi-Factor Authentication D. Smart Authentication
C. Multi-Factor Authentication
Various network outages have occurred recently due to unapproved changes to network and security devices. All changes were made using various system credentials. The security analyst has been tasked to update the security policy. Which of the following risk mitigation strategies would also need to be implemented to reduce the number of network outages due to unauthorized changes? A. User rights and permissions review B. Configuration management C. Incident management D. Implement security controls on Layer 3 devices
A. User rights and permissions review
A network administrator needs to ensure the company's network is protected against smurf attacks. What should the network administrator do?
Verify border routers block directed broadcasts.
A user calls into the help desk and asks the help-desk professional to reset his password. What is the BEST choice for what the help-desk professional should do before resetting the password?
Verify the user's identity
(12) An organization suspects that equipment and confidential data is being removed from the organization. What could it use to provide verification that this is or isn't occurring? Video surveillance Spyware Regular user access review Change management
Video surveillance
(16) A datacenter includes servers with highly sensitive data, and management wants reliable proof to determine if specific individuals access the datacenter. What should be used? Security log Access list Mantrap Video surveillance
Video surveillance
(44) A security professional routinely researches security threats by releasing new versions of malware on a system and observing the activity. Of the following choices, what will provide the best protection to reduce risks to the production environment? HIDS NIDS NIPS Virtual System
Virtual System
A company is implementing a feature that allows multiple servers to operate on a single physical server. What is this?
Virtualization
An IT department recently had its hardware budget reduced, but the organization still expects them to maintain availability of services. What would BEST help them maintain availability with a reduced budget?
Virtualization
You want to test new security controls before deploying them. What technology provides the MOST flexibility to meet this goal?
Virtualization technologies
A software vendor recently developed a patch for one of its applications. Before releasing the patch to customers, the vendor needs to test it in different environments. Which of the following solutions provides the BEST method to test the patch in different environments?
Virtualized sandbox
(53) Of the following choices, what can antivirus software detect? (Choose all that apply) Pharming Virus Worm Trojan Horse
Virus Worm Trojan Horse
Bob reported receiving a message from his bank prompting him to call back about a credit card. When he called back, an automated recording prompted him to provide personal information to verify his identity and then provide details about his bank and credit card accounts. What type of attack is this?
Vishing
Visitors entering a building are required to close the back door before the front door of the same entry room is open. Which of the following is being described? A. Tailgating B. Fencing C. Screening D. Mantrap
D. Mantrap
Which of the following is a behavioral biometric authentication model?
Voice recognition
(66) An organization wants to assess security on its network during normal business hours without affecting users. What type of assessment should it use? Penetration test Protocol analysis Vulnerability scan Black box
Vulnerability scan
A security administrator used a tool to discover security issues but did not exploit them. What best describes this action?
Vulnerability scan
A security expert is running tests to identify the security posture of a network. However, these tests are not exploiting any weaknesses. Which of the following types of test is the security expert performing?
Vulnerability scan
Which of the following tools is the LEAST invasive and can verify if security controls are in place?
Vulnerability scan
Which of the following tools would a security administrator use to identify misconfigured systems within a network?
Vulnerability scan
You need to ensure that several systems have all appropriate security controls and patches. However, your supervisor specifically told you not to attack or compromise any of these systems. What is the BEST choice to meet these goals?
Vulnerability scan
You need to perform tests on your network to identify missing security controls. However, you want to have the least impact on systems that users are accessing. What tool is best to meet this need?
Vulnerability scan
You suspect that a database server used by a web application does not have current patches. What is the BEST action to take to verify the server has up-to-date patches?
Vulnerability scan
(65) A security administrator is using a tool in a passive attempt to identify weaknesses. What type of tool is this? Penetration test Fuzz tester Vulnerability scanner IDS
Vulnerability scanner
A security administrator wants to scan the network for a wide range of potential security and configuration issues. What tool provides this service?
Vulnerability scanner
An administrator needs to test the security of a network without affecting normal operations. What can the administrator use?
Vulnerability scanner
You are trying to determine what systems on your network are most susceptible to an attack. What tool would you use?
Vulnerability scanner
Which of the following operates on the HIGHEST layer of the OSI model, and is the most effective at blocking application attacks?
WAF
Your organization wants to protect its web server from cross-site scripting attacks. Which of the following choices provides the BEST protection?
WAF
A war driver is capturing traffic from a wireless network. When an authorized client connects, the attacker is able to implement a brute force attack to discover the encryption key. What type of attack did this war driver use?
WPA
(35) An organization wants to implement a wireless network using the strongest encryption and authorization methods possible. Of the following choices, what provides the best solution? WEP with RADIUS WPA2 Personal WPA Enterprise WPA2 with CCMP
WPA Enterprise
You are assisting a user in the implementation of a wireless network in his home. The wireless hardware he has requires the RC4 protocol. What type of security is BEST for this network?
WPA-TKIP
You are planning to deploy a WLAN and you want to ensure it is secure. What provides the BEST security?
WPA2 CCMP
You are planning a wireless network for a business. A core requirement is to ensure that the solution encrypts user credentials when users enter their usernames and passwords. What BEST meets this requirement?
WPA2 over EAP-TTLS
(77) An organization maintains an off-site location as a contingency for a disaster at the main site. The location includes all the necessary servers to support the critical functions, but it does not have up-to-date data. What type of site is this? Hot site Cold site Warm site HSM site
Warm site
An organization is considering an alternate location as part of its business continuity plan. It wants to identify a solution that provides a balance between cost and recovery time. What will it choose?
Warm site
A web developer is using methods to validate user input in a web site application. This ensures the application isn't vulnerable to all of the following attacks except one. What attack is NOT prevented by validating user input?
Whaling
Attackers are targeting C-level executives in your organization. Which type of attack is this?
Whaling
Attackers sent a targeted e-mail attack to the president of a company. What best describes this attack?
Whaling
C
What are the three primary goals of Information Security? A. Confidentiality, Integrity, and Availability B. Accounting, Auditing, and Access Control C. Prevention, Detection, and Recovery D. Risk, Threat, and Vulnerability Detection
D
What are the two major categories of encryption ciphers? A. Symmetric and Asymmetric B. Encryption and Decryption C. Message and Digest D. Stream and Block
A
What is the definition of a risk? A. An exposure to the chance of damage or loss B. A potential violation of a security policy or procedure C. A condition that leaves a system open to attack D. the exploit of a flaw in a system or software package.
B
What is the definition of a threat? A. An exposure to the chance of damage or loss B. A potential violation of a security policy or procedure C. A condition that leaves a system open to attack D. the exploit of a flaw in a system or software package.
C
What is the definition of a vulnerability? A. An exposure to the chance of damage or loss B. A potential violation of a security policy or procedure C. A condition that leaves a system open to attack D. the exploit of a flaw in a system or software package.
D
What platforms should a Security Baseline be run on? A. Domain Controllers B. Application Servers C. Client machines D. All of the above
B
When a client calls and describes a problem with a computer not being able to reach the Internet, in which of the following places of the OSI model would a technician begin troubleshooting? A. Transport layer B. Physical layer C. Network layer D. Session layer
A B
When a communications plan is developed for disaster recovery and business continuity plans, the MOST relevant items to include would be: (Select TWO). A. Methods and templates to respond to press requests, institutional and regulatory reporting requirements. B. Methods to exchange essential information to and from all response team members, employees, suppliers, and customers. C. Developed recovery strategies, test plans, post-test evaluation and update processes. D. Defined scenarios by type and scope of impact and dependencies, with quantification of loss potential. E. Methods to review and report on system logs, incident response, and incident handling.
B
When a new network drop was installed, the cable was run across several fluorescent lights. The users of the new network drop experience intermittent connectivity. Which of the following environmental controls was MOST likely overlooked during installation? A. Humidity sensors B. EMI shielding C. Channel interference D. Cable kinking
C
When an attacker accesses a system without authorization, this is referred to as what? A. Attack B. Threat C. Intrusion D. Exploit
D
When configuring a new server, a technician requests that an MX record be created in DNS for the new server, but the record was not entered properly. Which of the following was MOST likely installed that required an MX record to function properly? A. Load balancer B. FTP server C. Firewall DMZ D. Mail server
C
When convergence on a routed network occurs, which of the following is true? A. All routers are using hop count as the metric B. All routers have the same routing table C. All routers learn the route to all connected networks D. All routers use route summarization
B
When designing secure LDAP compliant applications, null passwords should NOT be allowed because: A. a null password can be changed by all users on a network B. a null password is a successful anonymous bind C. null passwords can only be changed by the administrator D. LDAP passwords are one-way encrypted
C
When employees that use certificates leave the company they should be added to which of the following? A. PKI B. CA C. CRL D. TKIP
B
When implementing fire suppression controls in a datacenter it is important to: A. Select a fire suppression system which protects equipment but may harm technicians. B. Ensure proper placement of sprinkler lines to avoid accidental leakage onto servers. C. Integrate maintenance procedures to include regularly discharging the system. D. Use a system with audible alarms to ensure technicians have 20 minutes to evacuate.
C
When reviewing a digital certificate for accuracy, which of the following would Matt, a security administrator, focus on to determine who affirms the identity of the certificate owner? A. Trust models B. CRL C. CA D. Recovery agent
A;E
When troubleshooting a network problem, browsing through the log of a switch, it is discovered that multiple frames contain errors. In which of the following layers does the problem reside? (Select TWO). A. Layer 2 B. Layer 3 C. Layer 5 D. Transport layer E. Data link F. Physical layer
C
When two or more links need to pass traffic as if they were one physical link, which of the following would be used to satisfy the requirement? A. Port mirroring B. 802.1w C. LACP D. VTP
C
When validating data on a web server, which is the best validation scheme to use? A. Client side validation B. Server side validation C. Client and Server Side validation D. Doesn't matter.
B
When you perform an "ipconfig" and notice you have a 169.254.255.254 address, what address do you have? A. DHCP B. APIPA C. IEEE D. IPv6
C
When you want to make part of your private network available for public use, you can place it between 2 firewalls. This is known as: A. the NAC B. A VLAN C. The DMZ D. A Subnet
C
Which Encryption platform is used for Data At Rest? A. IPSec B. VPN C. BitLocker D. ACL
C
Which of the following port ranges would give a technician the MOST comprehensive port scan of a server? A. 1024-15000 B. 0-99999 C. 0-65535 D. 0-1024
D
Which of the following BEST describes both change and incident management? A. Incident management is not a valid term in IT, however change management is B. Change management is not a valid term in IT, however incident management is C. Incident management and change management are interchangeable terms meaning the same thing D. Incident management is for unexpected consequences, change management is for planned work
D
Which of the following BEST describes part of the PKI process? A. User1 decrypts data with User2's private key B. User1 hashes data with User2's public key C. User1 hashes data with User2's private key D. User1 encrypts data with User2's public key
C
Which of the following BEST represents the goal of a vulnerability assessment? A. To test how a system reacts to known threats B. To reduce the likelihood of exploitation C. To determine the system's security posture D. To analyze risk mitigation strategies
C
Which of the following MUST be updated immediately when an employee is terminated to prevent unauthorized access? A. Registration B. CA C. CRL D. Recovery agent
D
Which of the following PDUs is used by a connectionless protocol? A. Frames B. Segments C. Streams D. Datagram
B
Which of the following WAN technologies is associated with high latency? A. T1 B. Satellite C. Cable D. OCx
D
Which of the following account policy controls requires a user to enter a 15 character alpha-numerical password? A. Disablement B. Length C. Expiration D. Password complexity
A
Which of the following allows a company to maintain access to encrypted resources when employee turnover is high? A. Recovery agent B. Certificate authority C. Trust model D. Key escrow
D
Which of the following allows an organization to store a sensitive PKI component with a trusted third party? A. Trust model B. Public Key Infrastructure C. Private key D. Key escrow
A
Which of the following allows for multiple operating systems to run on a single piece of hardware? A. Virtualization B. Port security C. Remote access D. DMZ
A
Which of the following allows lower level domains to access resources in a separate Public Key Infrastructure? A. Trust Model B. Recovery Agent C. Public Key D. Private Key
A
Which of the following answers refers to a technique used by certain types of malware to cause an error in a program and make it easier to run malicious code? A. Buffer overflow B. Vulnerability scan C. Bluejacking D. Smurf attack
D
Which of the following answers refers to an undocumented (and often legitimate) way of gaining access to a program, online service or an entire computer system? A. Spyware B. Trojan Horse C. Rootkit D. Backdoor
D
Which of the following application attacks is used against a corporate directory service where there are unknown servers on the network? A. Rogue access point B. Zero day attack C. Packet sniffing D. LDAP injection
D
Which of the following are types of attacks? A. Network based attacks B. Social Engineering attacks C. Physical Security Attacks D. All of the above E. None of the above.
B E
Which of the following are used to implement VPNs? (Select TWO). A. SFTP B. IPSec C. HTTPS D. SNMP E. SSL
D
Which of the following assessment techniques would a security administrator implement to ensure that systems and software are developed properly? A. Baseline reporting B. Input validation C. Determine attack surface D. Design reviews
B
Which of the following assessments would Pete, the security administrator, use to actively test that an application's security controls are in place? A. Code review B. Penetration test C. Protocol analyzer D. Vulnerability scan
B
Which of the following authentication services should be replaced with a more secure alternative? A. RADIUS B. TACACS C. TACACS+ D. XTACACS
D
Which of the following authentication services uses a ticket granting system to provide access? A. RADIUS B. LDAP C. TACACS+ D. Kerberos
D
Which of the following can Joe, a security administrator, implement on his network to capture attack details that are occurring while also protecting his production network? A. Security logs B. Protocol analyzer C. Audit logs D. Honeypot
B
Which of the following can Pete, a security administrator, use to distribute the processing effort when generating hashes for a password cracking program? A. RAID B. Clustering C. Redundancy D. Virtualization
D
Which of the following can be performed when an element of the company policy cannot be enforced by technical means? A. Develop a set of standards B. Separation of duties C. Develop a privacy policy D. User training
C
Which of the following can be used by a security administrator to successfully recover a user's forgotten password on a password protected file? A. Cognitive password B. Password sniffing C. Brute force D. Social engineering
D
Which of the following can be utilized in order to provide temporary IT support during a disaster, where the organization sets aside funds for contingencies, but does not necessarily have a dedicated site to restore those services? A. Hot site B. Warm site C. Cold site D. Mobile site
A
Which of the following communication technologies would MOST likely be used to increase bandwidth over an existing fiber optic network by combining multiple signals at different wavelengths? A. DWDM B. SONET C. ADSL D. LACP
B
Which of the following components MUST be trusted by all parties in PKI? A. Key escrow B. CA C. Private key D. Recovery key
A
Which of the following concepts allows an organization to group large numbers of servers together in order to deliver a common service? A. Clustering B. RAID C. Backup Redundancy D. Cold site
A; C
Which of the following concepts are MOST important for a company's long term health in the event of a disaster? (Select TWO). A. Redundancy B. Implementing acceptable use policy C. Offsite backups D. Uninterruptable power supplies E. Vulnerability scanning
C
Which of the following concepts defines the requirement for data availability? A. Authentication to RADIUS B. Non-repudiation of email messages C. Disaster recovery planning D. Encryption of email messages
D
Which of the following concepts is BEST described as developing a new chain of command in the event of a contingency? A. Business continuity planning B. Continuity of operations C. Business impact analysis D. Succession planning
B
Which of the following concepts is a term that directly relates to customer privacy considerations? A. Data handling policies B. Personally identifiable information C. Information classification D. Clean desk policies
B
Which of the following concepts is used by digital signatures to ensure integrity of the data? A. Non-repudiation B. Hashing C. Transport encryption D. Key escrow
B
Which of the following connection types is used to terminate DS3 connections in a telecommunications facility? A. 66 block B. BNC C. F-connector D. RJ-11
B
Which of the following consists of peer assessments that help identify security threats and vulnerabilities? A. Risk assessment B. Code reviews C. Baseline reporting D. Alarms
A
Which of the following could mitigate shoulder surfing? A. Privacy screens B. Hashing C. Man traps D. Screen locks
C
Which of the following defines a business goal for system restoration and acceptable data loss? A. MTTR B. MTBF C. RPO D. Warm site
A
Which of the following describes a smurf attack? A. Attack on a target using spoofed ICMP packets to flood it B. Intercepting traffic intended for a target and redirecting it to another C. Spoofed VLAN tags used to bypass authentication D. Forging tags to bypass QoS policies in order to steal bandwidth
B
Which of the following describes an IPv6 address of ::1? A. Broadcast B. Loopback C. Classless D. Multicast
B
Which of the following describes an area containing a rack that is used to connect customer equipment to a service provider? A. 110 block B. MDF C. DSU D. CSU
C
Which of the following devices implements CSMA/CA virtually through the RTS/CTS protocols? A. Firewall B. Router C. 802.11 AP D. Switch
D
Which of the following digital certificate management practices will ensure that a lost certificate is not compromised? A. Key escrow B. Non-repudiation C. Recovery agent D. CRL
B
Which of the following disaster recovery strategies has the highest cost and shortest recovery time? A. Warm site B. Hot site C. Cold site D. Co-location site
D
Which of the following does a network technician need to implement if a change is unsuccessful within the approved maintenance window? A. Configuration procedures B. Stakeholder notification C. Impact analysis D. Rollback procedure
A
Which of the following fire suppression systems is MOST likely used in a datacenter? A. FM-200 B. Dry-pipe C. Wet-pipe D. Vacuum
D
Which of the following helps prevent routing loops? A. Routing table B. Default gateway C. Route summarization D. Split horizon
A
Which of the following identifies certificates that have been compromised or suspected of being compromised? A. Certificate revocation list B. Access control list C. Key escrow registry D. Certificate authority
D
Which of the following information types would be considered personally identifiable information? A. First name and home address B. Social security number C. Date of birth D. Full name, date of birth and address
D
Which of the following is BEST carried out immediately after a security breach is discovered? A. Risk transference B. Access control revalidation C. Change management D. Incident management
A
Which of the following is BEST utilized to identify common misconfigurations throughout the enterprise? A. Vulnerability scanning B. Port scanning C. Penetration testing D. Black box
C
Which of the following is LEAST likely to have a legitimate business purpose? A. Metasploit B. Vulnerability scanner C. Steganography D. Port scanner
C
Which of the following is MOST likely to use an RJ-11 connector to connect a computer to an ISP using a POTS line? A. Multilayer switch B. Access point C. Analog modem D. DOCSIS modem
C
Which of the following is a best practice when a mistake is made during a forensics examination? A. The examiner should verify the tools before, during, and after an examination. B. The examiner should attempt to hide the mistake during cross-examination. C. The examiner should document the mistake and workaround the problem. D. The examiner should disclose the mistake and assess another area of the disc.
B
Which of the following is a management control? A. Logon banners B. Written security policy C. SYN attack prevention D. Access Control List (ACL)
C
Which of the following is a requirement when implementing PKI if data loss is unacceptable? A. Web of trust B. Non-repudiation C. Key escrow D. Certificate revocation list
B
Which of the following is a security benefit gained from setting up a guest wireless network? A. Optimized device bandwidth B. Isolated corporate resources C. Smaller ACL changes D. Reduced password resets
B
Which of the following is a security benefit of providing additional HVAC capacity or increased tonnage in a datacenter? A. Increased availability of network services due to higher throughput B. Longer MTBF of hardware due to lower operating temperatures C. Higher data integrity due to more efficient SSD cooling D. Longer UPS run time due to increased airflow
D
Which of the following is a vulnerability associated with disabling pop-up blockers? A. An alert message from the administrator may not be visible B. A form submitted by the user may not open C. The help window may not be displayed D. Another browser instance may execute malicious code
A
Which of the following is a way to implement a technical control to mitigate data loss in case of a mobile device theft? A. Disk encryption B. Encryption policy C. Solid state drive D. Mobile device policy
C
Which of the following is an authentication and accounting service that uses TCP for connecting to routers and switches? A. DIAMETER B. RADIUS C. TACACS+ D. Kerberos
B
Which of the following is an authentication method that can be secured by using SSL? A. RADIUS B. LDAP C. TACACS+ D. Kerberos
D
Which of the following is an authentication service that uses UDP as a transport medium? A. TACACS+ B. LDAP C. Kerberos D. RADIUS
D
Which of the following is an effective way to ensure the BEST temperature for all equipment within a datacenter? A. Fire suppression B. Raised floor implementation C. EMI shielding D. Hot or cool aisle containment
A
Which of the following is an example of a false positive? A. Anti-virus identifies a benign application as malware. B. A biometric iris scanner rejects an authorized user wearing a new contact lens. C. A user account is locked out after the user mistypes the password too many times. D. The IDS does not identify a buffer overflow.
D
Which of the following is another name for a CAC? A. Token B. RFID C. MAC D. PIV
D
Which of the following is being utilized when the BIOS and operating system's responsibility is platform integrity? A. SSL B. USB encryption C. Data loss prevention D. TPM
D
Which of the following is mainly used for remote access into the network? A. XTACACS B. TACACS+ C. Kerberos D. RADIUS
A
Which of the following is synonymous with a server's certificate? A. Public key B. CRL C. Private key D. Recovery agent
B
Which of the following is the BEST approach to perform risk mitigation of user access control rights? A. Conduct surveys and rank the results. B. Perform routine user permission reviews. C. Implement periodic vulnerability scanning. D. Disable user accounts that have not been used within the last two weeks.
C
Which of the following is the BEST choice in regards to training staff members on dealing with PII? A. PII requires public access but must be flagged as confidential B. PII data breaches are always the result of negligent staff and punishable by law C. PII must be handled properly in order to minimize security breaches and mishandling D. PII must be stored in an encrypted fashion and only printed on shared printers
D
Which of the following is the BEST concept to maintain required but non-critical server availability? A. SaaS site B. Cold site C. Hot site D. Warm site
B
Which of the following is the BEST reason to provide user awareness and training programs for organizational staff? A. To ensure proper use of social media B. To reduce organizational IT risk C. To detail business impact analyses D. To train staff on zero-days
D
Which of the following is the LEAST volatile when performing incident response procedures? A. Registers B. RAID cache C. RAM D. Hard drive
B
Which of the following is the MOST important step for preserving evidence during forensic procedures? A. Involve law enforcement B. Chain of custody C. Record the time of the incident D. Report within one hour of discovery
D
Which of the following is the MOST intrusive type of testing against a production system? A. White box testing B. War dialing C. Vulnerability testing D. Penetration testing
D
Which of the following is the MOST specific plan for various problems that can arise within a system? A. Business Continuity Plan B. Continuity of Operation Plan C. Disaster Recovery Plan D. IT Contingency Plan
B
Which of the following is the main difference between TCP and UDP? A. TCP data flows in two directions, while UDP data flows from server to client. B. The TCP header implements flags, while the UDP header does not. C. The TCP header implements checksum, while the UDP header does not. D. TCP connections can be secured by stateful firewalls, while UDP connections cannot.
D E
Which of the following is true about PKI? (Select TWO). A. When encrypting a message with the public key, only the public key can decrypt it. B. When encrypting a message with the private key, only the private key can decrypt it. C. When encrypting a message with the public key, only the CA can decrypt it. D. When encrypting a message with the public key, only the private key can decrypt it. E. When encrypting a message with the private key, only the public key can decrypt it.
B
Which of the following is true about an email that was signed by User A and sent to User B? A. User A signed with User B's private key and User B verified with their own public key. B. User A signed with their own private key and User B verified with User A's public key. C. User A signed with User B's public key and User B verified with their own private key. D. User A signed with their own public key and User B verified with User A's private key.
A
Which of the following is true about the CRL? A. It should be kept public B. It signs other keys C. It must be kept secret D. It must be encrypted
A
Which of the following is true about the main difference between a web session that uses port 80 and one that uses port 443? A. Port 80 web sessions often use application-level encryption, while port 443 sessions often use transport-level encryption. B. Port 80 web sessions cannot use encryption, while port 443 sessions are encrypted using web certificates. C. Port 80 web sessions can use web application proxies, while port 443 sessions cannot traverse web application proxies. D. Port 80 web sessions are prone to man-in-the-middle attacks, while port 443 sessions are immune from man-in-the-middle attacks.
A
Which of the following is true about the recovery agent? A. It can decrypt messages of users who lost their private key. B. It can recover both the private and public key of federated users. C. It can recover and provide users with their lost or private key. D. It can recover and provide users with their lost public key.
A
Which of the following is used by Matt, a security administrator, to lower the risks associated with electrostatic discharge, corrosion, and thermal breakdown? A. Temperature and humidity controls B. Routine audits C. Fire suppression and EMI shielding D. Hot and cold aisles
D; E
Which of the following is used to authenticate remote workers who connect from offsite? (Select TWO). A. OSPF B. VTP trunking C. Virtual PBX D. RADIUS E. 802.1x
A
Which of the following is used to certify intermediate authorities in a large PKI deployment? A. Root CA B. Recovery agent C. Root user D. Key escrow
A
Which of the following is used to define how much bandwidth can be used by various protocols on the network? A. Traffic shaping B. High availability C. Load balancing D. Fault tolerance
B
Which of the following may significantly reduce data loss if multiple drives fail at the same time? A. Virtualization B. RAID C. Load balancing D. Server clustering
D
Which of the following must be kept secret for a public key infrastructure to remain secure? A. Certificate Authority B. Certificate revocation list C. Public key ring D. Private key
D
Which of the following network devices is used to analyze traffic between various network interfaces? A. Proxies B. Firewalls C. Content inspection D. Sniffers
B
Which of the following network devices use ACLs to prevent unauthorized access into company systems? A. IDS B. Firewall C. Content filter D. Load balancer
B
Which of the following network elements enables unified communication devices to connect to and traverse traffic onto the PSTN? A. Access switch B. UC gateway C. UC server D. Edge router
A
Which of the following network infrastructure implementations would be used to support files being transferred between Bluetooth-enabled smartphones? A. PAN B. LAN C. WLAN D. MAN
B
Which of the following network topologies has a central, single point of failure? A. Ring B. Star C. Hybrid D. Mesh
B
Which of the following offers the LEAST secure encryption capabilities? A. TwoFish B. PAP C. NTLM D. CHAP
B
Which of the following passwords exemplifies the STRONGEST complexity? A. Passw0rd B. P@ssw0rd C. Passwrd D. passwordpassword
A
Which of the following passwords is the MOST complex? A. 5@rAru99 B. CarL8241g C. j1l!1b5 D. l@ur0
B
Which of the following physical security controls prevents an attacker from gaining access to a network closet? A. CCTVs B. Proximity readers C. Motion sensors D. IP cameras
B
Which of the following policies could be implemented to help prevent users from displaying their login credentials in open view for everyone to see? A. Privacy B. Clean desk C. Job rotation D. Password complexity
A
Which of the following policies is implemented in order to minimize data loss or theft? A. PII handling B. Password policy C. Chain of custody D. Zero day exploits
D
Which of the following practices reduces the management burden of access management? A. Password complexity policies B. User account audit C. Log analysis and review D. Group based privileges
A
Which of the following protocols is defined in RFC 1157 as utilizing UDP ports 161 and 162? A. SNMP B. IPSec C. SSL D. TLS
A
Which of the following protocols must be implemented in order for two switches to share VLAN information? A. VTP B. MPLS C. STP D. PPTP
D
Which of the following protocols uses TCP instead of UDP and is incompatible with all previous versions? A. TACACS B. XTACACS C. RADIUS D. TACACS+
D
Which of the following protocols uses label-switching routers and label-edge routers to forward traffic? A. BGP B. OSPF C. IS-IS D. MPLS
C
Which of the following provides a static record of all certificates that are no longer valid? A. Private key B. Recovery agent C. CRLs D. CA
C
Which of the following provides accounting, authorization, and authentication via a centralized privileged database, as well as challenge/response and password encryption? A. Multifactor authentication B. ISAKMP C. TACACS+ D. Network access control
D
Which of the following provides the BEST fault tolerance for data at the LOWEST cost? A. Load balancing B. Clustering C. Server virtualization D. RAID 6
B
Which of the following provides the BEST application availability and is easily expanded as demand grows? A. Server virtualization B. Load balancing C. Active-Passive Cluster D. RAID 6
C
Which of the following provides the BEST explanation regarding why an organization needs to implement IT security policies? A. To ensure that false positives are identified B. To ensure that staff conform to the policy C. To reduce the organizational risk D. To require acceptable usage of IT systems
A
Which of the following provides the LEAST availability? A. RAID 0 B. RAID 1 C. RAID 3 D. RAID 5
A
Which of the following refers to a network that spans several buildings that are within walking distance of each other? A. CAN B. WAN C. PAN D. MAN
A
Which of the following relies on the use of shared secrets to protect communication? A. RADIUS B. Kerberos C. PKI D. LDAP
B
Which of the following requires the network administrator to schedule a maintenance window? A. When a company-wide email notification must be sent. B. A minor release upgrade of a production router. C. When the network administrator's laptop must be rebooted. D. A major release upgrade of a core switch in a test lab.
B D
Which of the following results in datacenters with failed humidity controls? (Select TWO). A. Excessive EMI B. Electrostatic charge C. Improper ventilation D. Condensation E. Irregular temperature
A
Which of the following risk mitigation strategies will allow Ann, a security analyst, to enforce least privilege principles? A. User rights reviews B. Incident management C. Risk based controls D. Annual loss expectancy
C
Which of the following risks could IT management be mitigating by removing an all-in-one device? A. Continuity of operations B. Input validation C. Single point of failure D. Single sign on
A
Which of the following security benefits would be gained by disabling a terminated user account rather than deleting it? A. Retention of user keys B. Increased logging on access attempts C. Retention of user directories and files D. Access to quarantined files
B
Which of the following security concepts would Sara, the security administrator, use to mitigate the risk of data loss? A. Record time offset B. Clean desk policy C. Cloud computing D. Routine log review
C
Which of the following security strategies allows a company to limit damage to internal systems and provides loss control? A. Restoration and recovery strategies B. Deterrent strategies C. Containment strategies D. Detection strategies
A
Which of the following services are used to support authentication services for several local devices from a central location without the use of tokens? A. TACACS+ B. Smartcards C. Biometrics D. Kerberos
C
Which of the following should Jane, a security administrator, perform before a hard drive is analyzed with forensics tools? A. Identify user habits B. Disconnect system from network C. Capture system image D. Interview witnesses
C
Which of the following should a security technician implement to identify untrusted certificates? A. CA B. PKI C. CRL D. Recovery agent
B
Which of the following should an administrator implement to research current attack methodologies? A. Design reviews B. Honeypot C. Vulnerability scanner D. Code reviews
C
Which of the following should be connected to the fire alarm system in order to help prevent the spread of a fire in a server room without data loss, to assist in an FM-200 deployment? A. Water-based sprinkler system B. Electrical C. HVAC D. Video surveillance
D
Which of the following should be considered to mitigate data theft when using CAT5 wiring? A. CCTV B. Environmental monitoring C. Multimode fiber D. EMI shielding
C
Which of the following should be implemented to stop an attacker from mapping out addresses and/or devices on a network? A. Single sign on B. IPv6 C. Secure zone transfers D. VoIP
C
Which of the following software allows a network administrator to inspect the protocol header in order to troubleshoot network issues? A. URL filter B. Spam filter C. Packet sniffer D. Switch
C
Which of the following systems offers Trusted OS capabilities by default? A. Windows Vista B. Windows 7 C. SE Linux D. Backtrack
D
Which of the following technical controls helps to prevent Smartphones from connecting to a corporate network? A. Application white listing B. Remote wiping C. Acceptable use policy D. Mobile device management
B
Which of the following techniques enables a highly secured organization to assess security weaknesses in real time? A. Access control lists B. Continuous monitoring C. Video surveillance D. Baseline reporting
A
Which of the following technologies is designed to keep systems up and running in the event of a disaster? A. High availability B. Load balancing C. Quality of service D. Caching engines
B
Which of the following technologies uses multiple devices to share work? A. Switching B. Load balancing C. RAID D. VPN concentrator
D
Which of the following terms refers to a computer security vulnerability allowing attackers to insert malicious code into a trusted website? A. Site survey B. Malicious insider threat C. URL hijacking D. Cross-site scripting
A
Which of the following tests a number of security controls in the least invasive manner? A. Vulnerability scan B. Threat assessment C. Penetration test D. Ping sweep
D
Which of the following types of authentication solutions use tickets to provide access to various resources from a central location? A. Biometrics B. PKI C. ACLs D. Kerberos
C
Which of the following types of network would be set up in an office so that customers could access the Internet but not be given access to internal resources such as printers and servers? A. Quarantine network B. Core network C. Guest network D. Wireless network
C
Which of the following types of security services are used to support authentication for remote users and devices? A. Biometrics B. HSM C. RADIUS D. TACACS
D
Which of the following types of trust models is used by a PKI? A. Transitive B. Open source C. Decentralized D. Centralized
B
Which of the following will help prevent smurf attacks? A. Allowing necessary UDP packets in and out of the network B. Disabling directed broadcast on border routers C. Disabling unused services on the gateway firewall D. Flash the BIOS with the latest firmware
A
Which of the following will negotiate standoff timers to allow multiple devices to communicate on congested network segments? A. CSMA/CD B. OSPF C. DOCSIS D. BGP
B, C
Which of the following would BEST be used to calculate the expected loss of an event, if the likelihood of an event occurring is known? (Select TWO). A. DAC B. ALE C. SLE D. ARO E. ROI
C
Which of the following would a security administrator implement in order to discover comprehensive security threats on a network? A. Design reviews B. Baseline reporting C. Vulnerability scan D. Code review
B
Which of the following would be the result of a user physically unplugging a VoIP phone and connecting it into another interface with switch port security enabled as the default setting? A. The VoIP phone would request a new phone number from the unified communications server. B. The VoIP phone would cause the switch interface that the user plugged into to shut down. C. The VoIP phone would be able to receive incoming calls but will not be able to make outgoing calls. D. The VoIP phone would request a different configuration from the unified communications server.
D, E
Which of the following would be used in an IP-based video conferencing deployment? (Select TWO). A. RS-232 B. 56k modem C. Bluetooth D. Codec E. SIP
C
Which of the following would be used to identify the security posture of a network without actually exploiting any weaknesses? A. Penetration test B. Code review C. Vulnerability scan D. Brute Force scan
B
Which of the following would verify that a threat does exist and security controls can easily be bypassed without actively testing an application? A. Protocol analyzer B. Vulnerability scan C. Penetration test D. Port scanner
C
Which statement is TRUE about the operation of a packet sniffer? A. It can only have one interface on a management network. B. They are required for firewall operation and stateful inspection. C. The Ethernet card must be placed in promiscuous mode. D. It must be placed on a single virtual LAN interface.
C
While troubleshooting a connectivity issue, a network technician determines the IP address of a number of workstations is 169.254.0.0/16 and the workstations cannot access the Internet. Which of the following should the technician check to resolve the problem? A. Default gateway address B. Misconfigured DNS C. DHCP server D. NIC failure
D
While troubleshooting a network outage, a technician finds a 100-meter fiber cable with a small service loop and suspects it might be the cause of the outage. Which of the following is MOST likely the issue? A. Maximum cable length exceeded B. Dirty connectors C. RF interference caused by impedance mismatch D. Bend radius exceeded
Testers are analyzing a web application your organization is planning to deploy. They have full access to product documentation, including the code and data structures used by the application. What type of test will they MOST likely perform?
White box
Testers have access to product documentation and source code for an application that they are using in a vulnerability test. What type of test is this?
White box
An updated security policy defines what applications users can install and run on company-issued mobile devices. What technical controls will enforce this policy?
Whitelisting
An updated security policy identifies authorized applications for company-issued mobile devices. Which of the following would prevent users from installing other applications on these devices?
Whitelisting
C
Who should be contacted FIRST in the event of a security breach? A. Forensics analysis team B. Internal auditors C. Incident response team D. Software vendors
Mobile users in your network report that they frequently lose connectivity with the wireless network on some days, but on other days they don't have any problems. Which of the following types of attacks could cause this?
Wireless jamming
How can an organization validate a BCP?
With testing
Homer recently received an email thanking him for a purchase that he did not make. He asked an administrator about it and the administrator noticed a pop-up window, which included the following code: <body onload="document.getElementById('myForm').submit()"> <form id="myForm" action="gcgapremium.com/purchase.php" method="post"> <input name="Buy Now" value="Buy Now"/> </form> </body> What is the MOST likely explanation?
XSRF
While creating a web application, a developer adds code to limit data provided by users. The code prevents users from entering special characters. What attacks will this code MOST likely prevent?
XSS
D
XYZ Corporation is about to purchase another company to expand its operations. The CEO is concerned about information leaking out, especially with the cleaning crew that comes in at night. The CEO would like to ensure no paper files are leaked. Which of the following is the BEST policy to implement? A. Social media policy B. Data retention policy C. CCTV policy D. Clean desk policy
You need to provide connectivity between two buildings without running any cables. You decide to use two WAPs and a high-gain directional antenna. Which antenna is the BEST choice to meet this need?
Yagi
Sally encrypted a project file with her public key. Later, an administrator accidentally deleted her account, which had exclusive access to her private key. Can this project file be retrieved?
Yes, if the organization uses a recovery agent.
Security personnel recently noticed a successful exploit against an application used by many employees at their company. They notified the company that sold them the software and asked for a patch. However, they discovered that a patch wasn't available. What BEST describes this scenario?
Zero-day
Your network IDS recently detected an attack on a server. Upon investigation, you discover that the IDS does not have a signature on this attack. Instead, the IDS detected it using a heuristic analysis. What is the MOST likely category of this attack?
Zero-day
Your organization recently suffered a loss from malware that wasn't previously known by any trusted sources. Which type of attack is this?
Zero-day
An attacker recently attacked a web server hosted by your company. After investigation, security professionals determined that the attacker used a previously unknown application exploit. What BEST identifies this attack?
Zero-day attack