Security Plus Continuation (B questions)
B87. If a person is entering a data center facility, they must check-in before they are allowed to move further into the building. People who are leaving must be formally checked-out before they are able to exit the building. Which of the following would BEST facilitate this process? ❍ A. Access control vestibule ❍ B. Air gap ❍ C. Faraday cage ❍ D. Protected distribution
A. Access control vestibule An access control vestibule is commonly used to control the flow of people through a particular area. Unlocking the one door of the vestibule commonly restricts the other door from opening, thereby preventing someone from walking through without stopping. It's common in large data centers to have a single room as the access control vestibule where users are checked in and out of the facility.
B28. A company has connected their wireless access points and have enabled WPS. Which of the following security issues would be associated with this configuration? ❍ A. Brute force ❍ B. Client hijacking ❍ C. Cryptographic vulnerability ❍ D. Spoofing
A. Brute force A WPS personal identification number (PIN) was designed to have only 11,000 possible iterations, making a brute force attack possible if the access point doesn't provide any protection against multiple guesses.
B63. A third-party vulnerability scan reports that a company's web server software version is susceptible to a memory leak vulnerability. Which of the following would be the expected result if this vulnerability was exploited? ❍ A. DDoS ❍ B. Data theft ❍ C. Unauthorized system access ❍ D. Rootkit installation
A. DDoS A DDoS (Distributed Denial of Service) can easily exploit a memory leak. Unused memory is not properly released, and eventually the leak uses all available memory. The system eventually crashes due to lack of resources.
B8. "the Vice President of Sales has asked the IT team to create daily backups of the sales data. "the Vice President is an example Of a: O A. Data owner O B. Data protection officer O C. Data steward C) D. Data processor
A. Data owner
B84. A financial services company is headquartered in an area with a high occurrence of tropical storms and hurricanes. Which of the following would be MOST important when restoring services disabled by a storm? ❍ A. Disaster recovery plan ❍ B. Stakeholder management ❍ C. Communication plan ❍ D. Retention policies
A. Disaster recovery plan A disaster recovery plan is a comprehensive set of processes to follow for large-scale outages that affect the organization. Natural disasters, technology failures, and human-created disasters would be reasons to implement a disaster recovery plan.
B79. An organization has identified a security breach and has removed the affected servers from the network. Which of the following is the NEXT step in the IR process? ❍ A. Eradication ❍ B. Preparation ❍ C. Recovery ❍ D. Identification ❍ E. Containment
A. Eradication The IR (Incident Response) process is preparation, identification, containment, eradication, recovery, and lessons learned. Once a system has been contained, any malware or breached user accounts should be removed from the system.
B72. A security manager believes that an employee is using their laptop to circumvent the corporate Internet security controls through the use of a cellular hotspot. Which of the following could be used to validate this belief? (Select TWO) ❍ A. HIPS ❍ B. UTM appliance logs ❍ C. Web application firewall events ❍ D. Host-based firewall logs ❍ E. Next-generation firewall logs
A. HIPS and D. Host-based firewall logs If the laptop is not communicating across the corporate network, then the only evidence of the traffic would be contained on the laptop itself. A HIPS (Host-based Intrusion Prevention System) and host-based firewall logs may contain information about recent traffic flows to systems outside of the corporate network.
B69. A security administrator is updating the network infrastructure to support 802.1X authentication. Which of the following would be the BEST choice for this configuration? ❍ A. LDAP ❍ B. HTTPS ❍ C. SNMPv3 ❍ D. MS-CHAP
A. LDAP LDAP (Lightweight Directory Access Protocol) is a common protocol to use for centralized authentication. Other protocols such as RADIUS, TACACS+, or Kerberos would also be valid options for 802.1X authentication.
B82. A security administrator would like to create an access control where each file or folder is assigned a security clearance level, such as "confidential" or "secret." The security administrator would then assign a maximum security level to each user. What type of access control would be used in this network? ❍ A. Mandatory ❍ B. Rule-based ❍ C. Discretionary ❍ D. Role-based
A. Mandatory Mandatory access control uses a series of security levels (i.e., public, private, secret) and assigns those levels to each object in the operating system. Users are assigned a security level, and they would only have access to objects that meet or are below that assigned security level.
B43. Which of the following would limit the type of information a company can collect from their customers? ❍ A. Minimization ❍ B. Tokenization ❍ C. Anonymization ❍ D. Masking
A. Minimization Data minimization is a guideline that limits the amount of collected information to necessary data. This guideline is part of many data privacy regulations, including HIPAA (Health Insurance Portability and Accountability Act) and GDPR (General Data Protection Regulation).
B24. Which of the following would be considered multi-factor authentication? ❍ A. PIN and fingerprint ❍ B. USB token and smart card ❍ C. Username, password, and email address ❍ D. Face scan and voiceprint
A. PIN and fingerprint A PIN (Personal Identification Number) is something you know, and a fingerprint is something you are.
B36. Which of the following control types is associated with a bollard? ❍ A. Physical ❍ B. Corrective ❍ C. Detective ❍ D. Compensating
A. Physical A physical control includes real-world security features such as fences, locks, or bollards.
B71. Last month, a finance company disposed of seven-year-old printed customer account summaries that were no longer required for auditing purposes. A recent online search has now found that images of these documents are available as downloadable torrents. Which of the following would MOST likely have prevented this information breach? ❍ A. Pulping ❍ B. Degaussing ❍ C. NDA ❍ D. Fenced garbage disposal areas
A. Pulping Pulping places the papers into a large washing tank to remove the ink, and the paper is broken down into pulp and recycled. The information on the paper is not recoverable after pulping.
B34. A security administrator is designing a storage array that would maintain an exact replica of all data without striping. The array needs to operate normally if a single drive was to fail. Which of the following would be the BEST choice for this storage system? ❍ A. RAID 1 ❍ B. RAID 5 ❍ C. RAID 0 ❍ D. RAID 10
A. RAID 1 RAID (Redundant Array of Independent Disks) type 1 maintains a mirror (or exact duplicate) of data across multiple drives. If a single drive was to fail, the mirror would continue to operate with the redundant data.
B75. A security administrator is researching an issue with conference room users at a remote site. When connected to the wireless network, users receive an IP address that is not part of the corporate addressing scheme. Communication over this network also appears to have slower performance than the wireless connections elsewhere in the building. Which of the following would be the MOST likely reason for these issues? ❍ A. Rogue access point ❍ B. Domain hijack ❍ C. DDoS ❍ D. MAC flooding
A. Rogue access point A rogue access point is an unauthorized access point added by a user or attacker. This access point may not necessarily be malicious, but it does create significant security concerns and unauthorized access to the corporate network.
B85. A user in the mail room has reported an overall slowdown of his shipping management software. An anti-virus scan did not identify any issues, but a more thorough malware scan identified a kernel driver that was not part of the original operating system installation. Which of the following malware was installed on this system? ❍ A. Rootkit ❍ B. RAT ❍ C. Bot ❍ D. Ransomware ❍ E. Keylogger
A. Rootkit A rootkit traditionally modifies core system files and becomes effectively invisible to the rest of the operating system. The modification of system files and specialized kernel-level drivers are common rootkit techniques.
B33. In the past, an organization has relied on the curated Apple App Store to avoid issues associated with malware and insecure applications. However, the IT department has discovered an iPhone in the shipping department that includes applications that are not available on the Apple App Store. How did the shipping department user install these apps on their mobile device? ❍ A. Sideloading ❍ B. MMS install ❍ C. OTA updates ❍ D. Tethering
A. Sideloading If Apple's iOS has been circumvented using jailbreaking, then apps can be installed without using the Apple App Store. This installation process that circumvents the App Store is called sideloading.
B32. A security administrator is viewing the logs on a laptop in the shipping and receiving department and identifies these events: - 8:55:30 am | D:Downloads\ChangeLog-5.0.4.scr | Quarantine Sucess - 9:22:54 | C:\Program Files\Photo Viewer \Vierwer\ViewerBase.dll | Quarantine Failure - 9:44:05 am | C:\Sales\Samle32.dat | Quarantine Success Which of the following would BEST describe the circumstances surrounding these events? ❍ A. The antivirus application identified three viruses and quarantined two viruses ❍ B. The host-based firewall blocked two traffic flows ❍ C. A host-based whitelist has blocked two applications from executing
A. The antivirus application identified three viruses and quarantined two viruses The logs are showing the name of files on the local device and a quarantine disposition, which indicates that two of the files were moved (quarantined) to a designated area of the drive. This will prevent the malicious files from executing and will safely store the files for any future investigation. The second file in the list failed the quarantine process, and was most likely because the library was already in use by the operating system and could not be moved.
B39. A transportation company headquarters is located in an area with frequent power surges and outages. The security administrator is concerned about the potential for downtime and hardware failures. Which of the following would provide the most protection against these issues? Select TWO. ❍ A. UPS ❍ B. NIC teaming ❍ C. Incremental backups ❍ D. Port aggregation ❍ E. Load balancing ❍ F. Dual power supplies
A. UPS and F. Dual power supplies A UPS (Uninterruptible Power Supply) can provide backup power when the main power source is unavailable, and dual power supplies can maintain uptime when power surges cause physical damage to one of the power supplies in a system.
B44. A security administrator has identified a DoS attack against the company's web server from an IPv4 address on the Internet. Which of the following security tools would provide additional details about the attacker's location? (Select TWO) ❍ A. tracert ❍ B. arp ❍ C. ping ❍ D. ipconfig ❍ E. dig ❍ F. netcat
A. tracert and E. dig Tracert (traceroute) provides a summary of hops between two devices. In this example, tracert can be used to determine the local ISP's IP addresses and more information about the physical location of the attacker. The dig (Domain Information Groper) command can be used to perform a reverse-lookup of the IPv4 address and determine the IP address block owner that may be responsible for this traffic.
B74. Which of the following would be a common result of a successful vulnerability scan? ❍ A. A list of usernames and password hashes from a server ❍ B. A list of Microsoft patches that have not been applied to a server ❍ C. A copy of image files from a private file share ❍ D. The BIOS configuration of a server
B. A list of Microsoft patches that have not been applied to a server A vulnerability scan will identify known vulnerabilities, but it will stop short of exploiting these vulnerabilities.
B29. An organization has traditionally purchased insurance to cover a ransomware attack, but the costs of maintaining the policy have increased above the acceptable budget. The company has now decided to cancel the insurance policies and deal with ransomware issues internally. Which of the following would best describe this action? ❍ A. Mitigation ❍ B. Acceptance ❍ C. Transference ❍ D. Risk-avoidance
B. Acceptance Risk acceptance is a business decision that places the responsibility of the risky activity on the organization itself.
B54. A security administrator has found a keylogger installed alongside an update of accounting software. Which of the following would prevent the transmission of the collected logs? ❍ A. Prevent the installation of all software ❍ B. Block all unknown outbound network traffic at the Internet firewall ❍ C. Install host-based anti-virus software ❍ D. Scan all incoming email attachments at the email gateway
B. Block all unknown outbound network traffic at the Internet firewall Keylogging software has two major functions; record keystrokes, and transmit those keystrokes to a remote location. Local file scanning and software best-practices can help prevent the initial installation, and controlling outbound network traffic can block unauthorized file transfers.
B35. A transportation company has moved their reservation system to a cloud-based infrastructure. The security manager would like to monitor data transfers, identify potential threats, and ensure that all data transfers are encrypted. Which of the following would be the BEST choice for these requirements? ❍ A. VPN ❍ B. CASB ❍ C. NGFW ❍ D. DLP
B. CASB A CASB (Cloud Access Security Broker) is used to implement and manage security policies when working in a cloud-based environment.
B64. Which of the following would be the BEST way to determine if files have been modified after the forensics data acquisition process has occurred? ❍ A. Use a tamper seal on all storage devices ❍ B. Create a hash of the data ❍ C. Create an image of each storage device for future comparison ❍ D. Take screenshots of file directories with file sizes
B. Create a hash of the data A hash will create a unique value that can be quickly validated at any time in the future. If the hash value changes, then the data must have also changed.
B37. Jack, a hacker, has identified a number of devices on a corporate network that use the username of "admin" and the password of "admin." Which vulnerability describes this situation? ❍ A. Improper error handling ❍ B. Default configuration ❍ C. Weak cipher suite ❍ D. NULL pointer dereference
B. Default configuration When a device is first installed, it will often have a default set of credentials, such as admin/password or admin/admin. Many times, these default credentials are never changed and can allow access by anyone who knows the default configuration.
B73. An application developer is creating a mobile device app that will include extensive encryption and decryption. Which of the following technologies would be the BEST choice for this app? ❍ A. AES ❍ B. Elliptic curve ❍ C. Diffie-Hellman ❍ D. PGP
B. Elliptic curve ECC (Elliptic Curve Cryptography) uses smaller keys than non-ECC encryption and has smaller storage and transmission requirements. These characteristics make it an efficient option for mobile devices.
B68. Daniel, a system administrator, believes that certain configuration files on a Linux server have been modified from their original state. Daniel has reverted the configurations to their original state, but he would like to be notified if they are changed again. Which of the following would be the BEST way to provide this functionality? ❍ A. HIPS ❍ B. File integrity check ❍ C. Application allow list ❍ D. WAF
B. File integrity check A file integrity check (i.e., Tripwire, System File Checker, etc.) can be used to monitor and alert if there are any changes to a file.
B21. A technician at an MSP has been asked to manage devices on third-party private network. The technician needs command line access to internal routers, switches, and firewalls. Which of the following would provide the necessary access? ❍ A. HSM ❍ B. Jump server ❍ C. NAC ❍ D. Air gap
B. Jump server A jump server is a highly secured device commonly used to access secure areas of another network. The technician would first connect to the jump server using SSH or a VPN tunnel, and then "jump" from the jump server to other devices on the inside of the protected network. This would allow technicians at an MSP (Managed Service Provider) to securely access devices on their customer's network.
B40. An organization has developed an in-house mobile device app for order processing. The developers would like the app to identify revoked server certificates without sending any traffic over the corporate Internet connection. Which of the following MUST be configured to allow this functionality? ❍ A. CSR ❍ B. OCSP stapling ❍ C. Key escrow ❍ D. Hierarchical CA
B. OCSP stapling The use of OCSP (Online Certificate Status Protocol) requires communication between the client and the CA that issued a certificate. If the CA is an external organization, then validation checks will communicate across the Internet. The certificate holder can verify their own status and avoid client Internet traffic by storing the status information on an internal server and "stapling" the OCSP status into the SSL/TLS handshake.
B61. Which of the following BEST describes the modification of application source code that removes white space, shortens variable names, and rearranges the text into a compact format? ❍ A. Confusion ❍ B. Obfuscation ❍ C. Encryption ❍ D. Diffusion
B. Obfuscation Obfuscation is the process of taking something that is normally understandable and making it very difficult to understand. Many developers will obfuscate their source code to prevent others from following the logic used in the application.
B25. Sam, a security administrator, is configuring the authentication process used by technicians when logging into a router. Instead of using accounts that are local to the router, Sam would like to pass all login requests to a centralized database. Which of the following would be the BEST way to implement this requirement? ❍ A. PAP ❍ B. RADIUS ❍ C. IPsec ❍ D. MS-CHAP
B. RADIUS The RADIUS (Remote Authentication Dial-In User Service) protocol is a common method of centralizing authentication for users. Instead of having separate local accounts on different devices, users can authenticate with account information that is maintained in a centralized database.
B67. Which of the following would be the MOST likely result of plaintext application communication? ❍ A. Buffer overflow ❍ B. Replay attack ❍ C. Resource exhaustion ❍ D. Directory traversal
B. Replay attack To perform a replay attack, the attacker needs to capture the original non-encrypted content. If an application is not using encrypted communication, the data capture process is a simple process for the attacker.
B42. A Linux administrator has received a ticket complaining of response issues with a database server. After connecting to the server, the administrator views this information: Filesystem Size Used Sz Mounted on /dev/xvdal 158G 158G 0 100 / Which of the following would BEST describe this information? ❍ A. Buffer overflow ❍ B. Resource exhaustion ❍ C. SQL injection ❍ D. Race condition
B. Resource exhaustion The available storage on the local filesystem has been depleted, and the information shows 0 bytes available. More drive space would need to be available for the server to return to normal response times.
B53. A government transport service has installed access points that support WPA3. Which of the following technologies would provide enhanced security for PSK while using WPA3? ❍ A. 802.1X ❍ B. SAE ❍ C. WEP ❍ D. WPS
B. SAE WPA3 (Wi-Fi Protected Access 3) enhances the PSK (Pre-Shared Key) authentication process by privately deriving session keys instead of sending the key hashes across the network.
B78. A new malware variant takes advantage of a vulnerability in a popular email client. Once installed, the malware forwards all email attachments containing credit card information to an external email address. Which of the following would limit the scope of this attack? ❍ A. Enable MFA on the email client ❍ B. Scan outgoing traffic with DLP ❍ C. Require users to enable the VPN when using email ❍ D. Update the list of malicious URLs in the firewall
B. Scan outgoing traffic with DLP DLP (Data Loss Prevention) systems are designed to identify sensitive data transfers. If the DLP finds a data transfer with financial details, personal information, or other private information, the DLP can block the data transfer.
B88. A security administrator has discovered that an employee has been exfiltrating confidential company information by embedding the data within image files and emailing the images to a third-party. Which of the following would best describe this activity? ❍ A. Digital signatures ❍ B. Steganography ❍ C. Block cipher ❍ D. Perfect forward secrecy
B. Steganography Steganography is the process of hiding information within another document. For example, one common method of steganography will embed data or documents within image files.
B49. A company has signed an SLA with an Internet service provider. Which of the following would BEST describe the content of this SLA? ❍ A. The customer will connect to partner locations over an IPsec tunnel ❍ B. The service provider will provide 99.999% uptime ❍ C. The customer applications use HTTPS over tcp/443 ❍ D. Customer application use will be busiest on the 15th of each month
B. The service provider will provide 99.999% uptime An SLA (Service Level Agreement) is a contract that specifies the minimum terms for provided services. It's common to include uptime, response times, and other service metrics in an SLA.
B57. Jack, a security administrator, has been tasked with hardening all of the internal web servers to prevent on-path attacks and to protect the application traffic from protocol analysis. These requirements should be implemented without changing the configuration on the client systems. Which of the following should Jack include in his project plan? (Select TWO) ❍ A. Add DNSSEC records on the internal DNS servers ❍ B. Use HTTPS over port 443 for all server communication ❍ C. Use IPsec for client connections ❍ D. Create a web server certificate and sign it with the internal CA ❍ E. Require FTPS for all file transfers
B. Use HTTPS over port 443 for all server communication, and D. Create a web server certificate and sign it with the internal CA Using the secure HTTPS (Hypertext Transfer Protocol Secure) protocol will ensure that all network communication is protected between the web server and the client devices. If someone manages to capture the network traffic, they would be viewing encrypted data. A signed certificate from a trusted internal CA (Certificate Authority) allows web browsers to trust that the web server is the legitimate server endpoint. If someone attempts an on-path attack, the certificate presented will not validate and a warning message will appear in the browser.
B81. Which of the following would be the MAIN reasons why a system administrator would use a TPM when configuring full disk encryption? (Select TWO) ❍ A. Allows the encryption of multiple volumes ❍ B. Uses burned-in cryptographic keys ❍ C. Stores certificates in a hardware security module ❍ D. Protects against EMI leakage ❍ E. Includes built-in protections against brute-force attacks
B. Uses burned-in cryptographic keys and E. Includes built-in protections against brute-force attacks A TPM (Trusted Platform Module) is hardware that is part of a computer's motherboard, and it's specifically designed to assist and protect with cryptographic functions. Full disk encryption (FDE) can use the burned-in TPM keys to verify that the local device hasn't changed, and there are security features in the TPM that will prevent brute-force or dictionary attacks against the full disk encryption login credentials.
B90. Which of the following would be the best way to describe the estimated number of laptops that might be stolen in a fiscal year? ❍ A. ALE ❍ B. SLE ❍ C. ARO ❍ D. MTTR
C. ARO The ARO (Annualized Rate of Occurrence) describes the number of instances that an event would occur in a year. For example, if the organization expect to lose seven laptops to theft in a year, the ARO for laptop theft is seven.
B14. A company is launching a new internal application that will not start until a username and password is entered and a smart card is plugged into the computer. Which of the following BEST describes this process? ❍ A. Federation ❍ B. Accounting ❍ C. Authentication ❍ D. Authorization
C. Authentication The process of proving who you say you are is authentication. In this example, the password and smart card are two factors of authentication, and both reasonably prove that the person logging in is authentic.
B58. A security administrator has identified the installation of a RAT on a database server and has quarantined the system. Which of the following should be followed to ensure that the integrity of the evidence is maintained? ❍ A. Perfect forward secrecy ❍ B. Non-repudiation ❍ C. Chain of custody ❍ D. Legal hold
C. Chain of custody A chain of custody is a documented record of the evidence. The chain of custody also documents the interactions of every person who comes into contact with the evidence.
B89. A security engineer is running a vulnerability scan on their own workstation. The scanning software is using the engineers account access to perform all scans. What type of scan is running? ❍ A. Unknown environment ❍ B. Passive ❍ C. Credentialed ❍ D. Agile
C. Credentialed A credentialed scan uses valid access rights to perform the scanning functions. This type of scan is designed to show what someone on the inside with these rights would be able to exploit.
B52. The network design of an online women's apparel company includes a primary data center in the United States and secondary data centers in London and Tokyo. Customers place orders online via HTTPS to servers at the closest data center, and these orders and customer profiles are then centrally stored in the United States data center. The connections between all data centers use Internet links with IPsec tunnels. Fulfillment requests are sent from the United States data center to shipping locations in the customer's country. Which of the following should be the CIO's MOST significant security concern with this existing network design? ❍ A. IPsec connects data centers over public Internet links ❍ B. Fulfillment requests are shipped within the customer's country ❍ C. Customer information is transferred between countries ❍ D. The data centers are located geographically distant from each other
C. Customer information is transferred between countries Data sovereignty laws can mandate how data is handled. Data that resides in a country is usually subject to the laws of that country, and compliance regulations may not allow the data to be moved outside of the country.
B86. A virus scanner has identified a macro virus in a word processing file attached to an email. Which of the following information could be obtained from the metadata of this file? ❍ A. IPS signature name and number ❍ B. Operating system version ❍ C. Date and time when the file was created ❍ D. Alert disposition
C. Date and time when the file was created The data and time the file was created is commonly found in the metadata of a file.
B66. Which of the following applies scientific principles to provide a post-event analysis of an intrusion? ❍ A. MITRE ATT&CK framework ❍ B. ISO 27701 ❍ C. Diamond model ❍ D. NIST RMF
C. Diamond model The diamond model was created by the United State intelligence community as a way to standardize the attack reporting and the analysis of the intrusions.
B41. Sam, a security administrator, is configuring an IPsec tunnel to a remote site. Which protocol should she enable to protect all of the data traversing the VPN tunnel? ❍ A. AH ❍ B. Diffie-Hellman ❍ C. ESP ❍ D. SHA-2
C. ESP The ESP (Encapsulation Security Payload) protocol encrypts the data that traverses the VPN.
B23. A security administrator has been asked to create a policy that would prevent access to a secure area of the network. All users who are not physically located in the corporate headquarters building would be prevented from accessing this area. Which of these should the administrator use? ❍ A. WAF ❍ B. VPN ❍ C. Geofencing ❍ D. Proxy
C. Geofencing Geofencing uses location information from GPS (Global Positioning System), 802.11 wireless, and other methods to use as an access control method.
B30. Which of these threat actors would be the MOST likely to deface a website to promote a political agenda? ❍ A. Organized crime ❍ B. Nation state ❍ C. Hacktivist ❍ D. Competitor
C. Hacktivist A hacktivist often has a political statement to make, and their hacking efforts would commonly result in a public display of that information.
B50. An attacker has created many social media accounts and is posting information in an attempt to get the attention of the media. Which of the following would BEST describe this attack? ❍ A. On-path ❍ B. Watering hole ❍ C. Influence campaign ❍ D. Phishing
C. Influence campaign Influence campaigns are carefully crafted attacks that exploit social media and traditional media.
B27. A recent security audit has discovered email addresses and passwords located in a packet capture. Which of the following did the audit identify? ❍ A. Weak encryption ❍ B. Improper patch management ❍ C. Insecure protocols ❍ D. Open ports
C. Insecure protocols An insecure protocol will transmit information "in the clear," or without any type of encryption or protection.
B11. A user in the accounting department has received an email from the CEO requesting payment for a recently purchased tablet. However, there doesn't appear to be a purchase order associated with this request. Which of the following would be the MOST likely attack associated with this email? ❍ A. Spear phishing ❍ B. Watering hole attack ❍ C. Invoice scam ❍ D. Credential harvesting
C. Invoice scam Invoice scams attempt to take advantage of the miscommunication between different parts of the organization. Fake invoices are submitted by the attacker, and these invoices can sometimes be incorrectly paid without going through the expected verification process.
B26. A recent audit has determined that many IT department accounts have been granted Administrator access. The audit recommends replacing these permissions with limited access rights. Which of the following would BEST describe this policy? ❍ A. Separation of duties ❍ B. Offboarding ❍ C. Least privilege ❍ D. Discretionary Access Control
C. Least privilege The policy of least privilege limits the rights and permissions of a user account to only the access required to accomplish their objectives. This policy would limit the scope of an attack originating from a user in the IT department.
B80. A manager of the accounting department would like to minimize the opportunity for embezzlement and fraud from any of the current accounting team employees. Which of these policies should the manager use to avoid these issues? ❍ A. Background checks ❍ B. Clean desk policy ❍ C. Mandatory vacations ❍ D. Acceptable use policy
C. Mandatory vacations It's difficult to maintain fraudulent activities if the person executing the fraud is out of the office. In financial environments, it's not uncommon to require at least a week of consecutive vacation time at some point during the year.
B47. A security administrator would like to test a server to see if a specific vulnerability exists. Which of the following would be the BEST choice for this task? ❍ A. FTK Imager ❍ B. Autopsy ❍ C. Metasploit ❍ D. Netcat
C. Metasploit Metasploit is an exploitation framework that can use known vulnerabilities to gain access to remote systems. Metasploit performs penetration tests and can verify the existence of a vulnerability.
B76. A company has identified a compromised server, and the security team would like to know if an attacker has used this device to move between systems. Which of the following would be the BEST way to provide this information? ❍ A. DNS server logs ❍ B. Penetration test ❍ C. NetFlow logs ❍ D. Email header
C. NetFlow logs NetFlow information can provide a summary of network traffic, application usage, and details of network conversations. The NetFlow logs will show all conversations from this device to any others in the network.
B15. An online retailer is planning a penetration test as part of their PCI DSS validation. A third-party organization will be performing the test, and the online retailer has provided the Internet-facing IP addresses for their public web servers but no other details. What penetration testing methodology is the online retailer using? ❍ A. Known environment ❍ B. Passive footprinting ❍ C. Partially known environment ❍ D. Ping scan
C. Partially known environment A partially known environment test is performed when the attacker knows some information about the victim, but not all information is available.
B60. To process the company payroll, a manager logs into a third-party browser-based application and enters the hours worked for each employee. The financial transfers and physical check mailings are all provided by the third-party company. The manager does not maintain any servers or virtual machines within his company. Which of the following would BEST describe this application model? ❍ A. PaaS ❍ B. Private ❍ C. SaaS ❍ D. IaaS
C. SaaS The SaaS (Software as a Service) model generally has no local application installation, no ongoing maintenance tasks, and no local infrastructure requirements. A third-party provides the application and the support, and the user simply logs in, uses the service, and logs out.
B77. A system administrator has protected a set of system backups with an encryption key. The system administrator used the same key when restoring files from this backup. Which of the following would BEST describe this encryption type? ❍ A. Asymmetric ❍ B. Key escrow ❍ C. Symmetric ❍ D. Out-of-band key exchange
C. Symmetric Symmetric encryption uses the same key for both encryption and decryption.
B51. Which of the following would be the BEST way to protect credit card account information when performing real-time purchase authorizations? ❍ A. Masking ❍ B. DLP ❍ C. Tokenization ❍ D. NGFW
C. Tokenization Tokenization is a technique that replaces user data with a non-sensitive placeholder, or token. Tokenization is commonly used on mobile devices to purchase using a credit card without transmitting the credit card number.
B20. A system administrator would like to segment the network to give the marketing, accounting, and manufacturing departments their own private network. The network communication between departments would be restricted for additional security. Which of the following should be configured on this network? ❍ A. VPN ❍ B. RBAC ❍ C. VLAN ❍ D. NAT
C. VLAN A VLAN (Virtual Local Area Network) is a common method of logically segmenting a network. The devices in each segmented VLAN can only communicate with other devices in the same VLAN. A router is used to connect VLANs, and this router can often be used to control traffic flows between VLANs.
B7. A shipping company stores information in small regional warehouses around the country. The company keeps an IPS online at each warehouse to watch for suspicious traffic patterns. Which of the following would BEST describe the security control used at the warehouse? O A. Administrative O B. Compensating O C. Physical O D. Detective
D - Detective
B83. Cameron, a security administrator, is reviewing a report that shows a number of devices on internal networks attempting to connect with servers in the data center network. Which of the following security controls should Cameron add to prevent internal systems from accessing data center devices? ❍ A. VPN ❍ B. IPS ❍ C. NAT ❍ D. ACL
D. ACL An ACL (Access Control List) is a security control commonly implemented on routers to allow or restrict traffic flows through the network.
B59. Which of the following would be the BEST option for application testing in an environment that is completely separated from the production network? ❍ A. Virtualization ❍ B. VLANs ❍ C. Cloud computing ❍ D. Air gap
D. Air gap An air gapped network removes all connectivity between components and ensures that there would be no possible communication path between the test network and the production network.
B65. A system administrator is implementing a password policy that would require letters, numbers, and special characters to be included in every password. Which of the following controls MUST be in place to enforce this password policy? ❍ A. Length ❍ B. Lockout ❍ C. Reuse ❍ D. Complexity
D. Complexity Adding different types of characters to a password requires technical controls that increase password complexity.
B13. While working from home, users are attending a project meeting over a web conference. When typing in the meeting link, the browser is unexpectedly directed to a different website than the web conference. Users in the office do not have any issues accessing the conference site. Which of the following would be the MOST likely reason for this issue? ❍ A. Bluejacking ❍ B. Wireless disassociation ❍ C. DDoS ❍ D. DNS poisoning
D. DNS poisoning An attacker that gains access to a DNS (Domain Name System) server can modify the configuration files and redirect users to a different website. Anyone using a different DNS server may not see any problems with connectivity to the original site.
B31. An IPS report shows a series of exploit attempts were made against externally facing web servers. The system administrator of the web servers has identified a number of unusual log entries on each system. Which of the following would be the NEXT step in the incident response process? ❍ A. Check the IPS logs for any other potential attacks ❍ B. Create a plan for removing malware from the web servers ❍ C. Disable any breached user accounts ❍ D. Disconnect the web servers from the network
D. Disconnect the web servers from the network The unusual log entries on the web server indicate that the system may have been exploited. In that situation, the servers should be isolated to prevent access to or from those systems.
B17. A company is designing an application that will have a high demand and will require significant computing resources during the summer. During the winter, there will be little to no application use and resource use should be minimal. Which of these characteristics BEST describe this application requirement? ❍ A. Availability ❍ B. Orchestration ❍ C. Imaging ❍ D. Elasticity
D. Elasticity Elasticity is the process of providing resources when demand increases and scaling down when the demand is low.
B70. Your company owns a purpose-built appliance that doesn't provide any access to the operating system and doesn't provide a method to upgrade the firmware. Which of the following describes this appliance? ❍ A. End-of-life ❍ B. Weak configuration ❍ C. Improper input handling ❍ D. Embedded system
D. Embedded system An embedded system usually does not provide access to the OS and may not even provide a method of upgrading the system firmware.
B19. A user in the accounting department would like to send a spreadsheet with sensitive information to a list of third-party vendors. Which of the following could be used to transfer this spreadsheet to the vendors? ❍ A. SNMPv3 ❍ B. SRTP ❍ C. DNSSEC ❍ D. FTPS
D. FTPS FTPS (File Transfer Protocol Secure) provides mechanisms for transferring files using encrypted communication.
B62. Which of the following vulnerabilities would be the MOST significant security concern when protecting against a competitor? ❍ A. Data center access with only one authentication method ❍ B. Spoofing of internal IP addresses when accessing an intranet server ❍ C. Employee VPN access uses a weak encryption cipher ❍ D. Lack of patch updates on an Internet-facing database server
D. Lack of patch updates on an Internet-facing database server One of the easiest ways for a competitor to obtain information is through an existing Internet connection. An unpatched server could be exploited to obtain customer data that would not normally be available otherwise.
B22. A transportation company is installing new wireless access points in their corporate offices. The manufacturer estimates that the access points will operate an average of 100,000 hours before a hardware-related outage. Which of the following describes this estimate? ❍ A. MTTR ❍ B. RPO ❍ C. RTO ❍ D. MTBF
D. MTBF The MTBF (Mean Time Between Failures) is the average time expected between outages. This is usually an estimation based on the internal device components and their expected operational lifetime.
B45. A hacker is planning an attack on a large corporation. Which of the following would provide the attacker with details about the company's domain names and IP addresses? ❍ A. Information sharing center ❍ B. Vulnerability databases ❍ C. Automated indicator sharing ❍ D. Open-source intelligence
D. Open-source intelligence Open-source intelligence, or OSINT, describes reconnaissance gathering from publicly available sources. In this example, information about domain names and IP address would be easily retrieved from a query to a public DNS (Domain Name System) server.
B46. A security administrator is designing a network to be PCI DSS compliant. Which of the following would be the BEST choice to provide this compliance? ❍ A. Implement RAID for all storage systems ❍ B. Connect a UPS to all servers ❍ C. DNS should be available on redundant servers ❍ D. Perform regular audits and vulnerability scans
D. Perform regular audits and vulnerability scans A focus of PCI DSS (Payment Card Industry Data Security Standard) is to keep credit card information private. The only option
B16. A manufacturing company makes radar used by commercial and military organizations. A recently proposed policy change would allow the use of mobile devices inside the facility. Which of the following would be the MOST significant security issue associated with this change in policy? ❍ A. Unauthorized software on rooted devices ❍ B. Remote access clients on the mobile devices ❍ C. Out of date mobile operating systems ❍ D. Photo and video use
D. Photo and video use The exfiltration of company confidential information is relatively simple with an easily transportable camera or video recorder. Organizations associated with sensitive products or services must always be aware of the potential for information leaks using photos or video.
B48. A company has rolled out a new application that requires the use of a hardware-based token generator. Which of the following would be the BEST description of this access feature? ❍ A. Something you know ❍ B. Something you do ❍ C. Something you are ❍ D. Something you have
D. Something you have The use of the hardware token generator requires that the user be in possession of the device during the login process.
B56. A security administrator has created a new policy that prohibits the use of MD5 hashes due to collision problems. Which of the following describes the reason for this new policy? ❍ A. Two different messages have different hashes ❍ B. The original message can be derived from the hash ❍ C. Two identical messages have the same hash ❍ D. Two different messages share the same hash
D. Two different messages share the same hash A well-designed hashing algorithm will create a unique hash value for every possible input. If two different inputs create the same hash, the hash algorithm has created a collision.
B12. A company has been informed of a hypervisor vulnerability that could allow users on one virtual machine to access resources on another virtual machine. Which of the following would BEST describe this vulnerability? ❍ A. Containerization ❍ B. Service integration ❍ C. SDN ❍ D. VM escape
D. VM escape A VM (Virtual Machine) escape is a vulnerability that allows communication between separate VMs.
B38. A security administrator attends an annual industry convention with other security professionals from around the world. Which of the following attacks would be MOST likely in this situation? ❍ A. Smishing ❍ B. Supply chain ❍ C. Impersonation ❍ D. Watering hole
D. Watering hole A watering hole attack infects a third-party visited by the intended victims. An industry convention would be a perfect location to attack security professionals.
B18. Vala, a security analyst, has received an alert from her IPS regarding active exploit attempts from the Internet. Which of the following would provide detailed information about these exploit attempts? ❍ A. Netstat ❍ B. Nmap ❍ C. Nessus ❍ D. Wireshark
D. Wireshark Wireshark is a protocol analyzer, and it can provide information about every frame that traverses the network. From a security perspective, the protocol decode can show the exploitation process and details about the payloads used during the attempt.
B5. Multiple choice: - data in transit (moving across the network) - data at rest (rest is located on a storage device) - data in use (memory of a device) All weekly backup tapes are transported to an offsite storage facility
Data at rest
B5. Multiple choice: - data in transit (moving across the network) - data at rest (rest is located on a storage device) - data in use (memory of a device) _____ A company stores customer purchase information in a MySQL database
Data at rest
B5. Multiple choice: - data in transit (moving across the network) - data at rest (rest is located on a storage device) - data in use (memory of a device) All user speadsheets are stored on a cloud-based file sharing service
Data at-rest
B5. Multiple choice: - data in transit (moving across the network) - data at rest (rest is located on a storage device) - data in use (memory of a device) An automatic teller machine validates a user's PIN before allowing a deposit
Data in use
B5. Multiple choice: - data in transit (moving across the network) - data at rest (rest is located on a storage device) - data in use (memory of a device) _____ An application decrypts credit card numbers and expiration dates to validate for approval
Data in use
B5. Multiple choice: - data in transit (moving across the network) - data at rest (rest is located on a storage device) - data in use (memory of a device) ________An Authentication program performs a hash of all passwords
Data in use
B5. Multiple choice: - data in transit (moving across the network) - data at rest (rest is located on a storage device) - data in use (memory of a device) _____ sales information is uploaded daily from a remote site using a satellite network
Data in-transit
B5. Multiple choice: - data in transit (moving across the network) - data at rest (rest is located on a storage device) - data in use (memory of a device) _____An IPS identifies a SQL injection attack and removes the attack frames from the network
Data in-transit
B5. Multiple choice: - data in transit (moving across the network) - data at rest (rest is located on a storage device) - data in use (memory of a device) Each time a spreadsheet is updated, all of the cells containing formulas are automatically updated
Data in-use
B4. Match the security technology to the implementation Hashing Digital Signature Encryption Key escrow Certificate Authority Perfect Forward Secrecy Verify a sender's identify
Digital signature
B55. A user in the marketing department is unable to connect to the wireless network. After authenticating with a username and password, the use receives this message: _________________________________________________________________ The connection attempt could not be completed. The credentials provided by the server could not be validated. Radius Server: radius.example.com Root CA: Examples.com Internal CA Root Certificate The AP is configured with WPA3 encryption and 802.1X authentication. Which of the following is the MOST likely reason for this login issue? ❍ A. The user's computer is in the incorrect VLAN ❍ B. The RADIUS server is not responding ❍ C. The user's computer does not support WPA3 encryption ❍ D. The user is in a location with an insufficient wireless signal ❍ E. The client computer does not have the proper certificate installed ____________________________________________________________________
E. The client computer does not have the proper certificate installed The error message states that the server credentials could not be validated. This indicates that the certificate authority that signed the server's certificate is either different than the CA certificate installed on the client's workstation, or the client workstation does not have an installed copy of the CA's certificate. This validation process ensures that the client is communicating to a trusted server and there are no man-in-the-middle
B4. Match the security technology to the implementation Hashing, Digital Signature, Encryption ,Key escrow Certificate Authority ,Perfect Forward Secrecy Protect private information sent over an insecure channel
Encryption
B4. Match the security technology to the implementation Hashing Digital Signature Encryption Key escrow Certificate Authority Perfect Forward Secrecy 1. Storage a password on an authentication server
Hashing
B10. A company would like to automate their response when a virus is detected on company devices. Which of the following would be the BEST way to implement this function? ❍ A. Active footprinting ❍ B. IaaS ❍ C. Vulnerability scan ❍ D. SOAR
SOAR (Security Orchestration, Automation, and Response) provides security teams with integration and automation of processes and procedures.
B88. A security administrator has discovered that an employee has been exfiltrating confidential company information by embedding the data within image files and emailing the images to a third-party. Which of the following would best describe this activity? ❍ A. Digital signatures ❍ B. Steganography ❍ C. Block cipher ❍ D. Perfect forward secrecy
The Answer: B. B. Steganography Steganography is the process of hiding information within another document. For example, one common method Of steganography will embed data or documents within image files.
B4. Match the security technology to the implementation Hashing Digital Signature Encryption Key escrow Certificate Authority Perfect Forward Secrecy Trust a website without prior contact with the site owner
certificate authority
B5. Multiple choice: - data in transit (moving across the network) - data at rest (rest is located on a storage device) - data in use (memory of a device) ______ All switches in a data center are connected with an 802.1q trunk.
data in transit
B4. Match the security technology to the implementation Hashing Digital Signature Encryption Key escrow Certificate Authority Perfect Forward Secrecy Use a secondary decryption key
key escrow
B6. A security administrator has performed an audit of the organization's production web servers, and the results have identified banner information leakage, web services running from a privileged account, and inconsistencies with SSL certificates. Which of the following would be the BEST way to resolve these issues? O A. Server hardening O B. Multi-factor authentication O C. Enable HTTPS O D. Run operating system updates 135
the Answer: A. Server hardening Many applications and services include secure configuration guides that can assist in hardening the system. These hardening steps will make the system as secure as possible while simultaneously allowing the application to run efficiently.