Set K: SYO-601
Answer: D. Change management Explanation: Change Management is a risk mitigation approach and refers to the structured approach that is followed to secure a company's assets. This structured approach involves policies that should be in place and technological controls that should be enforced.
Developers currently have access to update production servers without going through an approval process. Which of the following strategies would BEST mitigate this risk? A. Incident management B. Clean desk policy C. Routine audits D. Change management
Answer: B. SSL Explanation: SSL (Secure Sockets Layer) is used for establishing an encrypted link between two computers, typically a web server and a browser. SSL is used to enable sensitive information such as login credentials and credit card numbers to be transmitted securely.
An achievement in providing worldwide Internet security was the signing of certificates associated with which of the following protocols? A. TCP/IP B. SSL C. SCP D. SSH
Answer: A. Smartcard Explanation: Smart cards are credit-card-sized IDs, badges, or security passes with an embedded integrated circuit chip that can include data regarding the authorized bearer. This data can then be used for identification and/or authentication purposes.
Employee badges are encoded with a private encryption key and specific personal information. The encoding is then used to provide access to the network. Which of the following describes this access control type? A. Smartcard B. Token C. Discretionary access control D. Mandatory access control
Answer: D. Degaussing Explanation: Degaussing is a form of data wiping that entails the use of magnets to alter the magnetic structure of the storage medium.
The act of magnetically erasing all of the data on a disk is known as: A. Wiping B. Dissolution C. Scrubbing D. Degaussing
Answer: C. 443
The finance department just procured a software application that needs to communicate back to the vendor server via SSL. Which of the following default ports on the firewall must the security engineer open to accomplish this task? A. 80 B. 130 C. 443 D. 3389
Answer: A. Full disk encryption Explanation: Full-disk encryption encrypts the data on the hard drive of the device or on a removable drive. This feature ensures that the data on the device or removable drive cannot be accessed in a useable form should it be stolen.
To protect corporate data on removable media, a security policy should mandate that all removable devices use which of the following? A. Full disk encryption B. Application isolation C. Digital rights management D. Data execution prevention
Answer: C. An external group providing operating systems installed on virtual servers with web applications
Which of the following BEST explains Platform as a Service? A. An external entity that provides a physical or virtual instance of an installed operating system B. A third party vendor supplying support services to maintain physical platforms and servers C. An external group providing operating systems installed on virtual servers with web applications D. An internal group providing physical server instances without installed operating systems or support
Answer: A. 20 B. 21 Explanation: FTP (File Transfer Protocol) makes use of ports 20 and 21.
While securing a network it is decided to allow active FTP connections into the network. Which of the following ports MUST be configured to allow active FTP connections? (Select TWO). A. 20 B. 21 C. 22 D. 68 E. 69
Answer: A. Security policy violations. Explanation: The entire network is only as strong as the weakest host. Thus co-mingling hosts with different security requirements risks security policy violations.
A major security risk with co-mingling of hosts with different security requirements is: A. Security policy violations. B. Zombie attacks. C. Password compromises. D. Privilege creep.
Answer: A. SHA1 Explanation: The Secure Hash Algorithm (SHA) was designed to ensure the integrity of a message. SHA is a one-way hash that provides a hash value that can be used with an encryption protocol. This algorithm produces a 160-bit hash value. SHA (1 or 2) is preferred over Message Digest Algorithm.
Matt, a forensic analyst, wants to obtain the digital fingerprint for a given message. The message is 160-bits long. Which of the following hashing methods would Matt have to use to obtain this digital fingerprint? A. SHA1 B. MD2 C. MD4 D. MD5
Answer: A. SSH Explanation: Secure Shell (SSH) is a tunneling protocol originally designed for Unix systems. It uses encryption to establish a secure connection between two systems. SSH also provides alternative, security-equivalent programs for such Unix standards as Telnet, FTP, and many other communications-oriented applications. SSH is available for use on Windows systems as well. This makes it the preferred method of security for Telnet and other cleartext oriented programs in the Unix environment.
Which of the following would be used as a secure substitute for Telnet? A. SSH B. SFTP C. SSL D. HTTPS
Answer: D. A site survey was not conducted Explanation: To test the wireless AP placement, a site survey should be performed.
A company has recently implemented a high density wireless system by having a junior technician install two new access points for every access point already deployed. Users are now reporting random wireless disconnections and slow network connectivity. Which of the following is the MOST likely cause? A. The old APs use 802.11a B. Users did not enter the MAC of the new APs C. The new APs use MIMO D. A site survey was not conducted
Answer: A. Screen-lock Explanation: Screen-lock is a security feature that requires the user to enter a password after a short period of inactivity before they can access the system again. This feature ensures that if your device is left unattended or is lost or stolen, it will be difficult for anyone else to access your data or applications.
A small company has recently purchased cell phones for managers to use while working outside of the office. The company does not currently have a budget for mobile device management and is primarily concerned with deterring leaks of sensitive information obtained by unauthorized access to unattended phones. Which of the following would provide the solution that BEST meets the company's requirements? A. Screen-lock B. Disable removable storage C. Full device encryption D. Remote wiping
Answer: D. IPv6 address Explanation: IPv6 addresses are 128-bits in length. An IPv6 address is represented as eight groups of four hexadecimal digits, each group representing 16 bits (two octets). The groups are separated by colons (:). The hexadecimal digits are case-insensitive, but IETF recommendations suggest the use of lower case letters. The full representation of eight 4-digit groups may be simplified by several techniques, eliminating parts of the representation.
A system administrator attempts to ping a hostname and the response is 2001:4860:0:2001::68. Which of the following replies has the administrator received? A. The loopback address B. The local MAC address C. IPv4 address D. IPv6 address
Answer: C. SHA D. MD5 Explanation: Hashing is used to prove the integrity of data to prove that it hasn't been modified. Hashing algorithms are used to derive a key mathematically from a message. The most common hashing standards for cryptographic applications are the SHA and MD algorithms.
A technician wants to verify the authenticity of the system files of a potentially compromised system. Which of the following can the technician use to verify if a system file was compromised? (Select TWO). A. AES B. PGP C. SHA D. MD5 E. ECDHE
Answer: D. Ann's private key Explanation: The sender uses his or her private key, in this case Ann's private key, to create a digital signature. The message is, in effect, signed with the private key. The sender then sends the message to the receiver. The receiver uses the public key attached to the message to validate the digital signature. If the values match, the receiver knows the message is authentic. The receiver uses a key provided by the sender, the public key, to verify the signature. Most digital signature implementations also use a hash to verify that the message has not been altered, intentionally or accidentally, in transit.
Ann wants to send a file to Peter using PKI. Which of the following should Ann use in order to sign the file? A. Peter's public key B. Peter's private key C. Ann's public key D. Ann's private key
Answer: C. Network Access Control Explanation: Network Access Control (NAC) means controlling access to an environment through strict adherence to and implementation of security policies. The goals of NAC are to prevent/reduce zero-day attacks, enforce security policy throughout the network, and use identities to perform access control.
An auditor is given access to a conference room to conduct an analysis. When they connect their laptop's Ethernet cable into the wall jack, they are not able to get a connection to the Internet but have a link light. Which of the following is MOST likely causing this issue? A. Ethernet cable is damaged B. The host firewall is set to disallow outbound connections C. Network Access Control D. The switch port is administratively shutdown
C. Account lockout
An incident occurred when an outside attacker was able to gain access to network resources. During the incident response, investigation security logs indicated multiple failed login attempts for a network administrator. Which of the following controls, if in place could have BEST prevented this successful attack? A. Password history B. Password complexity C. Account lockout D. Account expiration
Answer: C. Hash the credential fields and use encryption for the credit card field Explanation: Hashing refers to the hash algorithms used in cryptography. It is used to store data, as in hash tables. One main characteristic of hashing is that the algorithm must have few or no collisions; in hashing, two different inputs do not give the same output. Thus the credential fields should be hashed. Because any one customer will have a unique credit card number/identity and will use the card for many different transactions, the credit card field must be recoverable and should therefore be encrypted only, not hashed.
An online store wants to protect user credentials and credit card information so that customers can store their credit card information and use their card for multiple separate transactions. Which of the following database designs provides the BEST security for the online store? A. Use encryption for the credential fields and hash the credit card field B. Encrypt the username and hash the password C. Hash the credential fields and use encryption for the credit card field D. Hash both the credential fields and the credit card field
Answer: A. Client authentication. D. Code signing. Explanation: Certificates are used in PKI to digitally sign data, information, files, email, code, etc. Certificates are also used in PKI for client authentication.
Certificates are used for: (Select TWO). A. Client authentication. B. WEP encryption. C. Access control lists. D. Code signing. E. Password hashing.
Answer: C. TCP 25 E. TCP 110 F. TCP 143 Explanation: Port 25 is used by Simple Mail Transfer Protocol (SMTP) for routing e-mail between mail servers. Port 110 is used for Post Office Protocol v3 (POP3), which is an application-layer Internet standard protocol used by local e-mail clients to retrieve e-mail from a remote server over a TCP/IP connection. Port 143 is used by Internet Message Access Protocol (IMAP) for the management of email messages.
An organization recently switched from a cloud-based email solution to an in-house email server. The firewall needs to be modified to allow for sending and receiving email. Which of the following ports should be open on the firewall to allow for email traffic? (Select THREE). A. TCP 22 B. TCP 23 C. TCP 25 D. TCP 53 E. TCP 110 F. TCP 143 G. TCP 445
Answer: D. Disabling unnecessary services Explanation: Preventive controls are to stop something from happening. These can include locked doors that keep intruders out, user training on potential harm (to keep them vigilant and alert), or even biometric devices and guards that deny access until authentication has occurred. By disabling all unnecessary services you would be reducing the attack surface because then there is less opportunity for risk incidents to happen. There are many risks with having many services enabled since a service can provide an attack vector that someone could exploit against your system. It is thus best practice to enable only those services that are absolutely required.
Which of the following preventative controls would be appropriate for responding to a directive to reduce the attack surface of a specific host? A. Installing anti-malware B. Implementing an IDS C. Taking a baseline configuration D. Disabling unnecessary services
Answer: D. TLS Explanation: SSL establishes a session using asymmetric encryption and maintains the session using symmetric encryption.
Which of the following protocols uses an asymmetric key to open a session and then establishes a symmetric key for the remainder of the session? A. SFTP B. HTTPS C. TFTP D. TLS
Answer: D. Hardening Explanation: We can see a number of unsuccessful login attempts using a Remote Desktop Connection (using the RDP protocol) from a computer with the IP address 192.168.1.124. Someone successfully logged in locally. This is probably an authorized login (for example, Peter logging in). Hardening is the process of securing a system. We can harden (secure) the system by either disallowing remote desktop connections altogether or by restricting which IPs are allowed to initiate remote desktop connections.
Peter analyzed the following log and determined the security team should implement which of the following as a mitigation method against further attempts? Host 192.168.1.123 [00:00: 01]Successful Login: 015 192.168.1.123 : local [00:00: 03]Unsuccessful Login: 022 214.34.56.006 : RDP 192.168.1.124 [00:00: 04]UnSuccessful Login: 010 214.34.56.006 : RDP 192.168.1.124 [00:00: 07]UnSuccessful Login: 007 214.34.56.006 : RDP 192.168.1.124 [00:00: 08]UnSuccessful Login: 003 214.34.56.006 : RDP 192.168.1.124 A. Reporting B. IDS C. Monitor system logs D. Hardening
Answer: A. Certification authority Explanation: A certificate authority (CA) is an organization that is responsible for issuing, revoking, and distributing certificates.
Peter, an employee, needs a certificate to encrypt data. Which of the following would issue Peter a certificate? A. Certification authority B. Key escrow C. Certificate revocation list D. Registration authority
Answer: A. Succession planning Explanation: Succession planning outlines those internal to the organization who have the ability to step into positions when they open. By identifying key roles that cannot be left unfilled and associating internal employees who can step into these roles, you can groom those employees to make sure that they are up to speed when it comes time for them to fill those positions.
Peter, the Chief Executive Officer (CEO) of a company, has increased his travel plans for the next two years to improve business relations. Which of the following would need to be in place in case something happens to Peter? A. Succession planning B. Disaster recovery C. Separation of duty D. Removing single loss expectancy
Answer: B. MD5 C. SHA Explanation: B: MD5's biggest weakness is that it does not have strong collision resistance, and thus it is no longer recommended for use. C: SHA-1 (also known as SHA) is being retired from most government uses; the U.S. National Institute of Standards and Technology said, "Federal agencies should stop using SHA-1 for...applications that require collision resistance as soon as practical, and must use the SHA-2 family of hash functions for these applications after 2010", though that was later relaxed. Note: The hashing algorithm must have few or no collisions. This means that hashing two different inputs does not give the same output. Cryptographic hash functions are usually designed to be collision resistant. But many hash functions that were once thought to be collision resistant were later broken. MD5 and SHA-1 in particular both have published techniques more efficient than brute force for finding collisions.
Which of the following algorithms has well documented collisions? (Select TWO). A. AES B. MD5 C. SHA D. SHA-256 E. RSA
Answer: D. Cognitive passwords attacks Explanation: Social Networking Dangers are 'amplified' in that social media networks are designed to mass distribute personal messages. If an employee reveals too much personal information it would be easy for miscreants to use the messages containing the personal information to work out possible passwords.
The information security team does a presentation on social media and advises the participants not to provide too much personal information on social media web sites. This advice would BEST protect people from which of the following? A. Rainbow tables attacks B. Brute force attacks C. Birthday attacks D. Cognitive passwords attacks
Answer: C. Hardening Explanation: Hardening is the process of securing a system by reducing its surface of vulnerability. Reducing the surface of vulnerability typically includes removing unnecessary functions and features, removing unnecessary usernames or logins and disabling unnecessary services.
The process of making certain that an entity (operating system, application, etc.) is as secure as it can be is known as: A. Stabilizing B. Reinforcing C. Hardening D. Toughening
Answer: D. An unauthorized access point has been configured to operate on the same channel. Explanation: Wireless Access Points can be configured to use a channel. If you have multiple access points within range of each other, you should configure the access points to use different channels. Different channels use different frequencies. If you have two access points using the same channel, their Wi-Fi signals will interfere with each other. The question states that many users are having difficulty connecting to the company's wireless network. This is probably due to the signal being weakened by interference from another access point using the same channel. When the administrator takes a new laptop and physically goes to the access point and connects with no problems, he is able to connect because he is near the access point and therefore has a strong signal.
The system administrator has been notified that many users are having difficulty connecting to the company's wireless network. They take a new laptop and physically go to the access point and connect with no problems. Which of the following would be the MOST likely cause? A. The certificate used to authenticate users has been compromised and revoked. B. Multiple war drivers in the parking lot have exhausted all available IPs from the pool to deny access. C. An attacker has gained access to the access point and has changed the encryption keys. D. An unauthorized access point has been configured to operate on the same channel.
Answer: B. Change management Explanation: Change Management is a risk mitigation approach and refers to the structured approach that is followed to secure a company's assets. In this case 'scheduled system patching'.
Which of the following MOST specifically defines the procedures to follow when scheduled system patching fails resulting in system outages? A. Risk transference B. Change management C. Configuration management D. Access control revalidation
Answer: D. Key escrow Explanation: Sensitive PKI data, such as private keys, can be placed in key escrow. The escrowed keys can be kept with a trusted third party. Key escrow is an arrangement in which the keys needed to decrypt encrypted data are held in escrow so that, under certain circumstances, an authorized third party may gain access to those keys. These third parties may include businesses, who may want access to employees' private communications, or governments, who may wish to be able to view the contents of encrypted communications.
Which of the following allows an organization to store a sensitive PKI component with a trusted third party? A. Trust model B. Public Key Infrastructure C. Private key D. Key escrow
Answer: B. Scanning of outbound IM (Instant Messaging). F. Scanning of HTTP user traffic. Explanation: DLP systems monitor the contents of systems (workstations, servers, networks) to make sure key content is not deleted or removed. They also monitor who is using the data (looking for unauthorized access) and transmitting the data. Outbound IM and HTTP user traffic refer to data over a network, which falls within the DLP strategy for data in transit.
Which of the following are Data Loss Prevention (DLP) strategies that address data in transit issues? (Select TWO). A. Scanning printing of documents. B. Scanning of outbound IM (Instant Messaging). C. Scanning copying of documents to USB. D. Scanning of SharePoint document library. E. Scanning of shared drives. F. Scanning of HTTP user traffic.
Answer: A. Screen lock Explanation: Screen-lock is a security feature that requires the user to enter a PIN or a password after a short period of inactivity before they can access the system again. This feature ensures that if your device is left unattended or is lost or stolen, it will be difficult for anyone else to access your data or applications.
Which of the following can a security administrator implement on mobile devices that will help prevent unwanted people from viewing the data if the device is left unattended? A. Screen lock B. Voice encryption C. GPS tracking D. Device encryption
Answer: B. CA Explanation: A certificate authority (CA) is an organization that is responsible for issuing, revoking, and distributing certificates. In a simple trust model all parties must trust the CA. In a more complicated trust model all parties must trust the Root CA.
Which of the following components MUST be trusted by all parties in PKI? A. Key escrow B. CA C. Private key D. Recovery key
Answer: C. Disaster recovery planning Explanation: A disaster-recovery plan, or scheme, helps an organization respond effectively when a disaster occurs. Disasters may include system failure, network failure, infrastructure failure, and natural disaster. The primary emphasis of such a plan is reestablishing services and minimizing losses.
Which of the following concepts defines the requirement for data availability? A. Authentication to RADIUS B. Non-repudiation of email messages C. Disaster recovery planning D. Encryption of email messages
Answer: B. Hashing Explanation: Most digital signature implementations also use a hash to verify that the message has not been altered, intentionally or accidentally, in transit.
Which of the following concepts is used by digital signatures to ensure integrity of the data? A. Non-repudiation B. Hashing C. Transport encryption D. Key escrow
Answer: C. HTTPS://127.0.01 was used instead of HTTPS://localhost. Explanation: PKI is a two-key, asymmetric system with four main components: certificate authority (CA), registration authority (RA), RSA (the encryption algorithm), and digital certificates. In typical public key infrastructure (PKI) arrangements, a digital signature from a certificate authority (CA) attests that a particular public key certificate is valid (i.e., contains correct information). Users, or their software on their behalf, check that the private key used to sign some certificate matches the public key in the CA's certificate. Since CA certificates are often signed by other, "higher-ranking," CAs, there must necessarily be a highest CA, which provides the ultimate in attestation authority in that particular PKI scheme. Localhost is a hostname that means this computer and may be used to access the computer's own network services via its loopback network interface. Using the loopback interface bypasses local network interface hardware. In this case HTTPS://127.0.01 was used and not HTTPS://localhost, so the name in the URL does not match the name the certificate was issued for.
Which of the following could cause a browser to display the message below? "The security certificate presented by this website was issued for a different website's address." A. The website certificate was issued by a different CA than what the browser recognizes in its trusted CAs. B. The website is using a wildcard certificate issued for the company's domain. C. HTTPS://127.0.01 was used instead of HTTPS://localhost. D. The website is using an expired self signed certificate.
Answer: A. SSL 3.0/TLS 1.0 Explanation: Secure Sockets Layer (SSL) is used to establish a secure communication connection between two TCP-based machines. Transport Layer Security (TLS) is a security protocol that expands upon SSL. Many industry analysts predict that TLS will replace SSL in the future. TLS 1.0 was first defined in RFC 2246 in January 1999 as an upgrade of SSL Version 3.0. As of February 2015, the latest versions of all major web browsers support TLS 1.0, 1.1, and 1.2, and have them enabled by default.
Which of the following cryptographic related browser settings allows an organization to communicate securely? A. SSL 3.0/TLS 1.0 B. 3DES C. Trusted Sites D. HMAC
Answer: D. Define responsibilities of each party Explanation: MOU or Memorandum of Understanding is a document outlining which party is responsible for what portion of the work.
Which of the following describes the purpose of an MOU? A. Define interoperability requirements B. Define data backup process C. Define onboard/offboard procedure D. Define responsibilities of each party
Answer: A. Proxies Explanation: A proxy is a device that acts on behalf of other(s). A commonly used proxy in computer networks is a web proxy. Web proxy functionality is often combined into a proxy firewall. A proxy firewall can be thought of as an intermediary between your network and any other network. Proxy firewalls are used to process requests from an outside network; the proxy firewall examines the data and makes rule-based decisions about whether the request should be forwarded or refused. The proxy intercepts all of the packets and reprocesses them for use internally. This process includes hiding IP addresses. The proxy firewall provides better security than packet filtering because of the increased intelligence that a proxy firewall offers. Requests from internal network users are routed through the proxy. The proxy, in turn, repackages the request and sends it along, thereby isolating the user from the external network. The proxy can also offer caching, should the same request be made again, and it can increase the efficiency of data delivery.
Which of the following devices is used for the transparent security inspection of network traffic by redirecting user packets prior to sending the packets to the intended destination? A. Proxies B. Load balancers C. Protocol analyzer D. VPN concentrator
Answer: A. Vulnerability scanning Explanation: A vulnerability scan is the process of scanning the network and/or I.T. infrastructure for threats and vulnerabilities. The threats and vulnerabilities are then evaluated in a risk assessment and the necessary actions taken to resolve any vulnerabilities. A vulnerability scan scans for known weaknesses such as missing patches or security updates. A vulnerability scan is the automated process of proactively identifying security vulnerabilities of computing systems in a network in order to determine if and where a system can be exploited and/or threatened. While public servers are important for communication and data transfer over the Internet, they open the door to potential security breaches by threat agents, such as malicious hackers. Vulnerability scanning employs software that seeks out security flaws based on a database of known flaws, testing systems for the occurrence of these flaws and generating a report of the findings that an individual or an enterprise can use to tighten the network's security.
Which of the following is BEST utilized to identify common misconfigurations throughout the enterprise? A. Vulnerability scanning B. Port scanning C. Penetration testing D. Black box
Answer: D. Endpoint protection Explanation: Data loss prevention (DLP) systems monitor the contents of systems (workstations, servers, and networks) to make sure that key content is not deleted or removed. They also monitor who is using the data (looking for unauthorized access) and transmitting the data. DLP systems share commonality with network intrusion prevention systems. Endpoint protection provides security and management over both physical and virtual environments.
Which of the following is a Data Loss Prevention (DLP) strategy and is MOST useful for securing data in use? A. Email scanning B. Content discovery C. Database fingerprinting D. Endpoint protection
Answer: D. Disable unused ports Explanation: Disabling unused switch ports is a simple method many network administrators use to help secure their network from unauthorized access. All ports not in use should be disabled. Otherwise, they present an open door for an attacker to enter.
Which of the following is a best practice when securing a switch from physical access? A. Disable unnecessary accounts B. Print baseline configuration C. Enable access lists D. Disable unused ports
Answer: A. Backfire E. Dish Explanation: Both the Backfire and the Dish antennas are high gain antenna types that transmit a narrow beam of signal. They can therefore be used as point-to-point antennas over short distances, or as point-to-multipoint antennas over longer distances.
Which of the following is a directional antenna that can be used in point-to-point or point-to-multipoint WiFi communication systems? (Select TWO). A. Backfire B. Dipole C. Omni D. PTZ E. Dish
Answer: C. Key escrow Explanation: Key escrow is a database of stored keys that later can be retrieved. Key escrow addresses the possibility that a third party may need to access keys. Under the conditions of key escrow, the keys needed to encrypt/decrypt data are held in an escrow account (think of the term as it relates to home mortgages) and made available if that third party requests them. The third party in question is generally the government, but it could also be an employer if an employee's private messages have been called into question.
Which of the following is a requirement when implementing PKI if data loss is unacceptable? A. Web of trust B. Non-repudiation C. Key escrow D. Certificate revocation list
Answer: B. Longer MTBF of hardware due to lower operating temperatures Explanation: The mean time between failures (MTBF) is the measure of the anticipated incidence of failure for a system or component. This measurement determines the component's anticipated lifetime. If the MTBF of a cooling system is one year, you can anticipate that the system will last for a one-year period; this means that you should be prepared to replace or rebuild the system once a year. If the system lasts longer than the MTBF, your organization receives a bonus. MTBF is helpful in evaluating a system's reliability and life expectancy. Thus longer MTBF due to lower operating temperatures is a definite advantage
Which of the following is a security benefit of providing additional HVAC capacity or increased tonnage in a datacenter? A. Increased availability of network services due to higher throughput B. Longer MTBF of hardware due to lower operating temperatures C. Higher data integrity due to more efficient SSD cooling D. Longer UPS run time due to increased airflow
Answer: C. Individually encrypted files will remain encrypted when copied to external media Explanation: With full disk encryption a file is encrypted as long as it remains on the disk. This is because the data on the disk is decrypted when the user logs on, thus the data is in a decrypted form when it is copied to another disk. Individually encrypted files on the other hand remain encrypted.
Which of the following is an advantage of implementing individual file encryption on a hard drive which already deploys full disk encryption? A. Reduces processing overhead required to access the encrypted files B. Double encryption causes the individually encrypted files to partially lose their properties C. Individually encrypted files will remain encrypted when copied to external media D. File level access control only applies to individually encrypted files in a fully encrypted drive
Answer: C. TACACS+ Explanation: TACACS+ is a Cisco-developed authentication, authorization and accounting (AAA) protocol that uses TCP (port 49) and encrypts the entire packet body. RADIUS, by contrast, uses UDP (ports 1812/1813, or the legacy 1645/1646) and encrypts only the password attribute. Diameter also runs over TCP or SCTP, but it is aimed at carrier and mobile-network AAA rather than administrative access to routers and switches, and Kerberos is a ticket-based authentication protocol, not an AAA service for network devices.
Which of the following is an authentication and accounting service that uses TCP for connecting to routers and switches? A. DIAMETER B. RADIUS C. TACACS+ D. Kerberos
Answer: C. Key length Explanation: A wireless network that uses a shared password (a pre-shared key, as in WPA/WPA2-Personal) has no authentication server, server certificate or EAP method to configure; those components belong to enterprise (802.1X) deployments. What matters is the strength of the one secret that everybody shares. An attacker who captures a client's four-way handshake can run an offline dictionary attack against the passphrase, so its length and randomness are the controlling factors in how hard the key is to recover.
Which of the following is an important implementation consideration when deploying a wireless network that uses a shared password? A. Authentication server B. Server certificate C. Key length D. EAP method
Answer: C. Blue jacking Explanation: Bluejacking is the sending of unsolicited messages over Bluetooth to Bluetooth-enabled devices such as mobile phones, PDAs or laptop computers. The attacker pushes a vCard whose name field carries the message (for example, for bluedating or bluechat) to the target over the OBEX protocol. Bluetooth has a limited range, usually around 10 metres (32.8 ft) on mobile phones, although laptops with powerful Class 1 transmitters can reach up to 100 metres (328 ft). Bluejacking is usually harmless, but because the recipients generally do not know what has happened, they may think their phone is malfunctioning. Usually a bluejacker only sends a text message, but modern phones make it possible to send images or sounds as well. Bluejacking has been used in guerrilla marketing campaigns to promote advergames. Of the options, it is the only one aimed at the mobile device itself: evil twins and rogue APs are attacks on the Wi-Fi infrastructure, and header manipulation targets protocol traffic.
Which of the following is characterized by an attack against a mobile device? A. Evil twin B. Header manipulation C. Blue jacking D. Rogue AP
Answer: B. To reduce organizational IT risk Explanation: Ideally, a security awareness training program for the entire organization covers the importance of security, the responsibilities of people in the organization, policies and procedures, acceptable usage policies, account and password-selection criteria, and social engineering prevention. The training can be delivered by internal staff or by outside trainers. Its purpose is to change user behaviour across the whole range of everyday risks, which significantly reduces the organization's IT risk; the other options (social media use, zero-days, business impact analyses) are at most single topics within such a program.
Which of the following is the BEST reason to provide user awareness and training programs for organizational staff? A. To ensure proper use of social media B. To reduce organizational IT risk C. To detail business impact analyses D. To train staff on zero-days
Answer: B. FTPS Explanation: FTPS refers to FTP Secure, or FTP over SSL/TLS. It is a secure variation of the File Transfer Protocol (FTP) that encrypts the control channel and, when configured to, the data channel. Plain FTP and TELNET send credentials and data in cleartext. SSH is a secure remote shell protocol rather than a file transfer protocol in itself (SFTP and SCP run on top of it), so of the options listed FTPS is the most secure way to transfer files.
Which of the following is the MOST secure protocol to transfer files? A. FTP B. FTPS C. SSH D. TELNET
Answer: B. Input validation Explanation: Input validation is a defensive technique that checks every piece of user-supplied input before the application processes it, so that malformed or hostile data (the raw material of buffer overflows, injection and similar attacks, and exactly what fuzzing tools generate to find them) is rejected rather than acted on. The check can be on length, character type (as here, where the presence of any digit makes the routine exit), format, language or an allowed range of values. Buffer overflow, CSRF and XSS prevention are specific outcomes that good input validation helps deliver, but the pseudo-code itself is a generic validation check, so B is the best description.
Which of the following is the below pseudo-code an example of? IF VARIABLE (CONTAINS NUMBERS = TRUE) THEN EXIT A. Buffer overflow prevention B. Input validation C. CSRF prevention D. Cross-site scripting prevention
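The question's pseudo-code generalised into an allowlist validator, as an added example in Python (not part of the exam explanation). The field names, length limits and patterns are assumptions made up for this example; the point is the order of checks (length, control characters, then an anchored allowlist) and that failed input is rejected, never "cleaned up":

```python
"""Allowlist input validation in Python (added example, not from the exam text).

The question's pseudo-code rejects a value if it contains any digit. The
validator below generalises that check: length bounds first, then control
characters, then an anchored allowlist pattern per field. Field names, limits
and patterns are assumptions made up for this example.
"""
import re

# Hypothetical per-field rules: (minimum length, maximum length, allowlist pattern).
FIELD_RULES = {
    "surname": (1, 64, re.compile(r"^[A-Za-z][A-Za-z' -]*$")),
    "username": (3, 32, re.compile(r"^[a-z][a-z0-9_]*$")),
    "zip_code": (5, 10, re.compile(r"^[0-9]{5}(-[0-9]{4})?$")),
}


def contains_numbers(value):
    """Direct equivalent of the question's IF VARIABLE (CONTAINS NUMBERS = TRUE)."""
    return any(ch.isdigit() for ch in value)


def validate(field, value):
    """Return (ok, reason). Reject on the first failed check; never 'repair' the input."""
    if field not in FIELD_RULES:
        return False, "unknown field"
    if not isinstance(value, str):
        return False, "wrong type"
    min_len, max_len, pattern = FIELD_RULES[field]
    # Length before anything else: bounds the work done on hostile input.
    if not min_len <= len(value) <= max_len:
        return False, "length out of range"
    # Control characters (including NUL) are never legitimate in these fields.
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in value):
        return False, "control character"
    # fullmatch with an anchored pattern: the whole value must be on the allowlist.
    if not pattern.fullmatch(value):
        return False, "character not in allowlist"
    return True, "ok"


def validate_form(form):
    """Validate every submitted field; return {field: reason} for the rejected ones."""
    errors = {}
    for field, value in form.items():
        ok, reason = validate(field, value)
        if not ok:
            errors[field] = reason
    return errors
```

The allowlist approach is what makes this robust: a denylist of "bad" characters is only as good as the attacker's imagination, whereas an anchored pattern describes the only shapes the application is prepared to handle.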
Answer: B. Patch Explanation: A patch is a vendor-supplied fix for a known defect in an application or operating system, often a security vulnerability. Patch management is the process of tracking, testing and applying those fixes so that systems are protected against newly discovered attacks and vulnerabilities. An upgrade replaces a product with a newer version rather than fixing a specific problem, and slipstreaming is the practice of bundling patches into installation media.
Which of the following is the term for a fix for a known software problem? A. Skiff B. Patch C. Slipstream D. Upgrade
Answer: A. It can decrypt messages of users who lost their private key. Explanation:A key recovery agent is an entity that has the ability to recover a private key, key components, or plaintext messages as needed. Using the recovered key the recovery agent can decrypt encrypted data.
Which of the following is true about the recovery agent? A. It can decrypt messages of users who lost their private key. B. It can recover both the private and public key of federated users. C. It can recover and provide users with their lost or private key. D. It can recover and provide users with their lost public key.
Answer: B. Sender's public key Explanation: A digital signature protects a message against alteration and proves who sent it. The sender computes a hash of the message and encrypts that hash with their own private key; the result is the signature, which is attached to the message. The recipient recomputes the hash of the received message and uses the sender's public key (normally obtained from the sender's certificate) to decrypt the signature. If the two hash values match, the message has not been changed and could only have been signed by the holder of the matching private key. The recipient's own keys play no part in verification; they are used when a message is encrypted for confidentiality.
Which of the following is used by the recipient of a digitally signed email to verify the identity of the sender? A. Recipient's private key B. Sender's public key C. Recipient's public key D. Sender's private key
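The sign-with-private, verify-with-public exchange described above, as an added example (not from the page). It is textbook RSA over a SHA-256 digest using only the Python standard library; the hard-coded Mersenne primes and the absence of padding make it an illustration of the two keys' roles, not a usable signature scheme:

```python
"""Sign with the sender's private key, verify with the sender's public key
(added example, not from the page).

Textbook RSA over a SHA-256 digest using only the standard library. The primes
are hard-coded Mersenne primes and there is no padding (no PSS, no PKCS#1
v1.5), so this illustrates the roles of the two keys and is NOT a usable
signature scheme; real systems use a vetted library with padded RSA or Ed25519.
Requires Python 3.8+ for pow(e, -1, m).
"""
import hashlib

PUBLIC_EXPONENT = 65537


def make_keypair(p, q):
    """Return ((n, e), (n, d)) for distinct primes p and q."""
    n = p * q
    if n.bit_length() <= 256:
        raise ValueError("modulus too small to sign an unpadded SHA-256 digest")
    phi = (p - 1) * (q - 1)
    d = pow(PUBLIC_EXPONENT, -1, phi)    # private exponent: e * d = 1 mod phi
    return (n, PUBLIC_EXPONENT), (n, d)


def digest_int(message):
    """SHA-256 of the message as an integer; this is what actually gets signed."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")


def sign(message, private_key):
    """Sender side: signature = H(m)^d mod n. Only the holder of d can compute it."""
    n, d = private_key
    return pow(digest_int(message), d, n)


def verify(message, signature, public_key):
    """Recipient side: recompute H(m) and check signature^e mod n equals it."""
    n, e = public_key
    if not 0 < signature < n:
        return False
    return pow(signature, e, n) == digest_int(message)


# Constructed demo keys from Mersenne primes 2^k - 1 (k = 521, 607, 1279, 2203).
SENDER_PUB, SENDER_PRIV = make_keypair(2**521 - 1, 2**607 - 1)
RECIPIENT_PUB, RECIPIENT_PRIV = make_keypair(2**1279 - 1, 2**2203 - 1)


def demo():
    """Walk through the three cases the exam question turns on."""
    message = b"Please wire 10,000 to account 12345"
    signature = sign(message, SENDER_PRIV)
    return {
        # Sender's public key, untampered message: the signature checks out.
        "genuine": verify(message, signature, SENDER_PUB),
        # One byte appended in transit: the hashes no longer match.
        "tampered": verify(message + b"0", signature, SENDER_PUB),
        # The recipient's public key says nothing about who sent the message.
        "wrong_key": verify(message, signature, RECIPIENT_PUB),
    }
```

The third case is the one the distractors test: verifying with anything other than the sender's public key tells you nothing about the sender, and the recipient's private key is never involved in checking a signature.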
Answer: B. Mytr@in!! Explanation:Password policies often enforce a minimum of three out of four standard character types, which includes uppercase and lowercase letters, numbers, and symbols. Although this option includes three of the four character types, it does not include numbers, which makes it less complex than the other options.
Which of the following passwords is the LEAST complex? A. MyTrain!45 B. Mytr@in!! C. MyTr@in12 D. MyTr@in#8
Answer: D. 22/TCP Explanation: SFTP (SSH File Transfer Protocol) is a subsystem of SSH, so it uses the SSH service port, TCP 22, for both authentication and data transfer. SCP and slogin run over the same SSH connection and therefore the same port. SSH does not use UDP, and port 21 is the control port of plain FTP (which FTPS also uses), not SFTP.
Which of the following ports and protocol types must be opened on a host with a host-based firewall to allow incoming SFTP connections? A. 21/UDP B. 21/TCP C. 22/UDP D. 22/TCP
Answer: A. Virtualization Explanation: Virtualization allows a single set of hardware to host multiple virtual machines, so the same workloads can run on fewer physical servers. That cuts the hardware budget while keeping services available, and features such as snapshots and the ability to move virtual machines between hosts help maintain availability. Blade servers are still additional hardware to buy, and remote access and NAC do not reduce the server count.
Due to limited resources, a company must reduce their hardware budget while still maintaining availability. Which of the following would MOST likely help them achieve their objectives? A. Virtualization B. Remote access C. Network access control D. Blade servers
Answer: D. Prevents data from being accessed following theft of physical equipment Explanation: Encryption of data at rest protects the stored data itself. If a laptop, disk or backup tape is stolen, the thief has the ciphertext but, without the key or the passphrase that unlocks it, cannot read the data. It does not lock down the operating system, it does not enable remote wiping, and it makes recovery harder if a user loses their password, which is a drawback rather than the reason to use it.
Encryption of data at rest is important for sensitive information because of which of the following? A. Facilitates tier 2 support, by preventing users from changing the OS B. Renders the recovery of data harder in the event of user password loss C. Allows the remote removal of data following eDiscovery requests D. Prevents data from being accessed following theft of physical equipment
Answer: B. Electrostatic charge D. Condensation Explanation: Humidity control matters in both directions. When humidity drops well below about 40 to 50 percent, static electricity builds up and electronic components become vulnerable to damage from electrostatic discharge. When humidity rises too high, moisture condenses on cool surfaces such as chassis and cabling, causing corrosion and short circuits. Most environmental systems regulate humidity alongside temperature, so a malfunctioning system can push the room to either extreme; make sure environmental systems are regularly serviced and monitored.
Which of the following results in datacenters with failed humidity controls? (Select TWO). A. Excessive EMI B. Electrostatic charge C. Improper ventilation D. Condensation E. Irregular temperature
Answer: C. Containment strategies Explanation: Containment strategies limit the damage an incident can do once it has begun: isolating the affected systems (much like a quarantine), cutting off the attacker's access and stopping the loss from spreading so that it stays controllable. Deterrent and detection strategies act before an incident or while it is being discovered, and restoration and recovery strategies come afterwards.
Which of the following security strategies allows a company to limit damage to internal systems and provides loss control? A. Restoration and recovery strategies B. Deterrent strategies C. Containment strategies D. Detection strategies
Answer: C. Quality of service Explanation: Quality of Service (QoS) facilitates the deployment of media-rich applications, such as video conferencing and Internet Protocol (IP) telephony, without adversely affecting network throughput.
Which of the following should be performed to increase the availability of IP telephony by prioritizing traffic? A. Subnetting B. NAT C. Quality of service D. NAC
Answer: D. Lessons learned Explanation: The lessons learned (post-incident review) phase comes after the incident has been contained, eradicated and recovered from. The team reviews what happened, how well the response worked and what allowed the incident to occur, and turns those findings into changes to controls, procedures and training that prevent a recurrence. Preparation, identification and mitigation all take place before the incident is over.
Which of the following steps of incident response does a team analyze the incident and determine steps to prevent a future occurrence? A. Mitigation B. Identification C. Preparation D. Lessons learned
Answer: C. Protocol analyzer Explanation:A Protocol Analyzer is a hardware device or more commonly a software program used to capture network data communications sent between devices on a network. By capturing and analyzing the packets sent between the systems on the network, Ann would be able to quantify the amount of traffic on the network. Well known software protocol analyzers include Message Analyzer (formerly Network Monitor) from Microsoft and Wireshark (formerly Ethereal).
Which of the following tools would allow Ann, the security administrator, to be able to BEST quantify all traffic on her network? A. Honeypot B. Port scanner C. Protocol analyzer D. Vulnerability scanner
Answer: D. Certificate revocation list Explanation: When a CA is compromised, the certificates it issued can no longer be trusted. Its issuer revokes the compromised CA's certificate and publishes the revocation in a certificate revocation list (CRL); clients that check the CRL (or OCSP) will then reject the maliciously signed updates. A root CA's own certificate is installed as a trust anchor and is removed from clients' trust stores rather than listed in a CRL. A CRL is exactly what its name implies: a list of revoked certificates, identified by serial number, together with the reason and date of revocation, signed by the issuing CA and carrying the date on which the next list is due. Key escrow and the key pairs themselves provide no way to warn users.
A CA is compromised and attackers start distributing maliciously signed software updates. Which of the following can be used to warn users about the malicious activity? A. Key escrow B. Private key verification C. Public key verification D. Certificate revocation list
Answer: C. USB token and PIN Explanation: Multi-factor authentication (MFA) is a method of access control in which a user must present authentication factors from at least two of three categories: knowledge factors (something only the user knows, such as a password or PIN), possession factors (something only the user has, such as an ATM card or hardware token) and inherence factors (something the user is, such as a biometric). A USB token is a possession factor and a PIN is a knowledge factor, so together they are two factors. Username and password are both knowledge factors, retina and fingerprint scans are both inherence factors, and a proximity badge and a token are both possession factors; each of those pairs is two instances of the same factor, not two-factor authentication.
A Chief Information Security Officer (CISO) wants to implement two-factor authentication within the company. Which of the following would fulfill the CISO's requirements? A. Username and password B. Retina scan and fingerprint scan C. USB token and PIN D. Proximity badge and token
Answer: D. 802.1x Explanation: IEEE 802.1X is the standard for port-based network access control (PNAC). A device plugged into a switch port (or associating to a WLAN) must authenticate, typically through EAP against a RADIUS server, before the port will forward any traffic other than the authentication exchange, so an unauthorized device never gets onto the network at all. MAC filtering is easily defeated by spoofing, an IPS only detects and blocks attacks after the device is already connected, and flood guards protect against MAC or DHCP flooding rather than unauthorized access.
A company determines a need for additional protection from rogue devices plugging into physical ports around the building. Which of the following provides the highest degree of protection from unauthorized wired network access? A. Intrusion Prevention Systems B. MAC filtering C. Flood guards D. 802.1x
Answer: D. A system image should have been created and stored Explanation: A system image is a bit-for-bit copy of the compromised system's storage, taken before anything on it is changed. Had the junior administrator imaged the laptop (and recorded the image's hash) before it was wiped and re-imaged, the investigators could have examined the original evidence while the company still reused the hardware. File hashes alone, witness testimony and a chain of custody record are all useful, but none of them preserves the evidence itself once the disk has been wiped.
A company executive's laptop was compromised, leading to a security breach. The laptop was placed into storage by a junior system administrator and was subsequently wiped and re-imaged. When it was determined that the authorities would need to be involved, there was little evidence to present to the investigators. Which of the following procedures could have been implemented to aid the authorities in their investigation? A. A comparison should have been created from the original system's file hashes B. Witness testimony should have been taken by the administrator C. The company should have established a chain of custody tracking the laptop D. A system image should have been created and stored
Answer: D. Business impact analysis Explanation: Business impact analysis (BIA) is the process of evaluating all of the critical systems in an organization to define impact and recovery plans. BIA isn't concerned with external threats or vulnerabilities; the analysis focuses on the impact a loss would have on the organization. A BIA comprises the following: identifying critical functions, prioritizing critical business functions, calculating a timeframe for critical systems loss, and estimating the tangible impact on the organization.
A company's chief information officer (CIO) has analyzed the financial loss associated with the company's database breach. They calculated that one single breach could cost the company $1,000,000 at a minimum. Which of the following documents is the CIO MOST likely updating? A. Succession plan B. Continuity of operation plan C. Disaster recovery plan D. Business impact analysis
Answer: A. Protocol analyzer Explanation: A protocol analyzer (packet capture tool) records the actual network traffic, including the posts leaving the corporate network for the web forums, with timestamps and source addresses. Preserved captures, hashed and handled under a chain of custody, are evidence that can be presented in legal proceedings. A NIPS or HIDS is designed to alert on and block attacks rather than to retain full traffic records, and a proxy server logs requests but is not primarily a capture tool.
A corporation has experienced several media leaks of proprietary data on various web forums. The posts were made during business hours and it is believed that the culprit is posting during work hours from a corporate machine. The Chief Information Officer (CIO) wants to scan internet traffic and keep records for later use in legal proceedings once the culprit is found. Which of the following provides the BEST solution? A. Protocol analyzer B. NIPS C. Proxy server D. HIDS
Answer: B. SFTP Explanation: SFTP encrypts authentication and data traffic between the client and server by making use of SSH to provide secure FTP communications. As a result, SFTP offers protection for both the authentication traffic and the data transfer taking place between a client and server.
A network administrator is asked to send a large file containing PII to a business associate. Which of the following protocols is the BEST choice to use? A. SSH B. SFTP C. SMTP D. FTP
Answer: A. Change the firewall default settings so that it implements an implicit deny F. Add the following ACL at the bottom of the current ACL DENY IP ANY ANY 53 Explanation: Implicit deny is the default security stance that says anything not specifically permitted is denied; it is what applies when no explicit allow or deny rule matches. Switching the firewall from implicit allow to implicit deny (option A) therefore blocks DNS, and everything else not explicitly permitted, without changing the existing rules. DNS operates over both TCP and UDP port 53: UDP 53 carries most ordinary queries, while TCP 53 is used for zone transfers (zone file exchanges between DNS servers), for special manual queries, and for responses that exceed 512 bytes. A rule that denies protocol IP on port 53 (option F) covers both TCP and UDP. Option D only blocks TCP, so UDP queries still get through, and option E is meaningless because ICMP has no port numbers.
A network administrator wants to block both DNS requests and zone transfers coming from outside IP addresses. The company uses a firewall which implements an implicit allow and is currently configured with the following ACL applied to its external interface. PERMIT TCP ANY ANY 80 PERMIT TCP ANY ANY 443 Which of the following rules would accomplish this task? (Select TWO). A. Change the firewall default settings so that it implements an implicit deny B. Apply the current ACL to all interfaces of the firewall C. Remove the current ACL D. Add the following ACL at the top of the current ACL DENY TCP ANY ANY 53 E. Add the following ACL at the bottom of the current ACL DENY ICMP ANY ANY 53 F. Add the following ACL at the bottom of the current ACL DENY IP ANY ANY 53
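The ACL in the question evaluated against a few packets, as an added example (not from the exam text), to show which answer options actually stop DNS. The access-control-entry syntax is a simplified Cisco-style "ACTION PROTO SRC DST PORT" assumed for this example, with source and destination always ANY:

```python
"""First-match firewall ACL evaluation (added example, not from the exam text).

Models the ACL in the question against a few packets to show why, under an
implicit allow, DNS on TCP and UDP 53 still passes, and which of the proposed
rules actually closes the hole. The ACE syntax is a simplified Cisco-style
'ACTION PROTO SRC DST PORT' assumed for this example; source and destination
are always ANY here.
"""
from collections import namedtuple

Rule = namedtuple("Rule", "action proto port")
Packet = namedtuple("Packet", "proto port")


def parse_rule(text):
    """'PERMIT TCP ANY ANY 80' -> Rule('PERMIT', 'TCP', 80); port ANY -> None."""
    action, proto, _src, _dst, port = text.split()
    port = None if port.upper() == "ANY" else int(port)
    return Rule(action.upper(), proto.upper(), port)


def matches(rule, pkt):
    """Protocol 'IP' matches any transport; a port of None matches any port."""
    proto_ok = rule.proto == "IP" or rule.proto == pkt.proto
    port_ok = rule.port is None or rule.port == pkt.port
    return proto_ok and port_ok


def evaluate(acl, default_action, pkt):
    """First matching ACE wins; if nothing matches, the default stance decides."""
    for rule in acl:
        if matches(rule, pkt):
            return rule.action
    return default_action        # 'PERMIT' = implicit allow, 'DENY' = implicit deny


CURRENT_ACL = [parse_rule("PERMIT TCP ANY ANY 80"),
               parse_rule("PERMIT TCP ANY ANY 443")]

# Constructed test traffic arriving on the external interface.
TRAFFIC = {
    "http": Packet("TCP", 80),
    "https": Packet("TCP", 443),
    "dns_query": Packet("UDP", 53),
    "zone_transfer": Packet("TCP", 53),
    "ssh": Packet("TCP", 22),
}


def run_all(acl, default_action):
    """Decision for every sample packet under the given ACL and default stance."""
    return {name: evaluate(acl, default_action, pkt) for name, pkt in TRAFFIC.items()}


# The answer options expressed as (acl, default stance).
OPTION_A = (CURRENT_ACL, "DENY")                                            # implicit deny
OPTION_D = ([parse_rule("DENY TCP ANY ANY 53")] + CURRENT_ACL, "PERMIT")    # TCP only
OPTION_E = (CURRENT_ACL + [parse_rule("DENY ICMP ANY ANY 53")], "PERMIT")   # ICMP has no ports
OPTION_F = (CURRENT_ACL + [parse_rule("DENY IP ANY ANY 53")], "PERMIT")     # TCP and UDP
```

Both correct options stop the two kinds of DNS traffic, but they are not equivalent: option F closes one hole, whereas option A also drops everything else not explicitly permitted (the SSH packet in the sample), so switching the default to deny needs a review of what legitimate traffic the ACL must then permit.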
Answer: B. HTTP Explanation: HTTP uses port 80 and does not encrypt communications, so card data sent over it would be exposed in transit. Port 443 is used by HTTPS, which provides encrypted communications and is what a payment server should use. Port 3389 is used by RDP (Remote Desktop Protocol), which encrypts its sessions and is used for administration rather than customer traffic. TELNET (port 23) is not listening, so there is nothing to disable.
A new web server has been provisioned at a third party hosting provider for processing credit card transactions. The security administrator runs the netstat command on the server and notices that ports 80, 443, and 3389 are in a `listening' state. No other ports are open. Which of the following services should be disabled to ensure secure communications? A. HTTPS B. HTTP C. RDP D. TELNET
Answer: B. Change management procedures Explanation: A change management process requires that changes such as OS patches are requested, approved, scheduled, documented and communicated before they are made. With a change record in place, the IT department would have known immediately which patch had been applied, to which system and by whom, regardless of whether the system owner was in the office, and could have rolled it back quickly. Separation of duties, incident management and rights audits do not address the missing record of what was changed.
A recent OS patch caused an extended outage. It took the IT department several hours to uncover the cause of the issue due to the system owner who installed the patch being out of the office. Which of the following could help reduce the likelihood of this situation occurring in the future? A. Separation of duties B. Change management procedures C. Incident management procedures D. User rights audits and reviews
Answer: B. Change the encryption used so that the encryption protocol is CCMP-based. Explanation: CCMP (Counter Mode with CBC-MAC Protocol, based on AES) is the standard encryption protocol for WPA2 and is far stronger than WEP and than the TKIP protocol used by WPA, which was only a stopgap for legacy hardware (so option D is an improvement but not the best one). CCMP provides data confidentiality (only authorized parties can read the traffic), authentication (proof that frames come from a genuine station) and, in conjunction with layer management, access control. Hiding the SSID and filtering on MAC addresses are easily bypassed and do not fix the weak encryption, and changing the antenna does nothing for security.
A retail store uses a wireless network for its employees to access inventory from anywhere in the store. Due to concerns regarding the aging wireless network, the store manager has brought in a consultant to harden the network. During the site survey, the consultant discovers that the network was using WEP encryption. Which of the following would be the BEST course of action for the consultant to recommend? A. Replace the unidirectional antenna at the front of the store with an omni-directional antenna. B. Change the encryption used so that the encryption protocol is CCMP-based. C. Disable the network's SSID and configure the router to only access store devices based on MAC addresses. D. Increase the access point's encryption from WEP to WPA TKIP.
Answer: C. Notification D. Quarantine Explanation: Disabling the switch port isolates the infected machine from the rest of the network, which is quarantine (containment). Informing the local technician is notification. The infection had already been identified by the scan, so identification was not the administrator's step, and there is no indication that the issue was escalated to a higher tier.
A security Operations Center was scanning a subnet for infections and found a contaminated machine. One of the administrators disabled the switch port that the machine was connected to, and informed a local technician of the infection. Which of the following steps did the administrator perform? (Select all that apply) A. Escalation B. Identification C. Notification D. Quarantine E. Preparation
Answer: D. DMZ Explanation:A DMZ or demilitarized zone (sometimes referred to as a perimeter network) is a physical or logical subnetwork that contains and exposes an organization's external-facing services to a larger and untrusted network, usually the Internet. The purpose of a DMZ is to add an additional layer of security to an organization's local area network (LAN); an external network node only has direct access to equipment in the DMZ, rather than any other part of the network. The name is derived from the term "demilitarized zone", an area between nation states in which military operation is not permitted.
A security administrator is segregating all web-facing server traffic from the internal network and restricting it to a single interface on a firewall. Which of the following BEST describes this new network? A. VLAN B. Subnet C. VPN D. DMZ
Answer: D. Security Explanation: The Windows Security log records events such as valid and invalid logon attempts, as well as events related to resource use, such as the creating, opening or deleting of files. When logon auditing is enabled, an event is recorded in the Security log each time a user attempts to log on to the computer, including the time, the account name and the system or workstation involved, which is exactly what the administrator needs to correlate. You must be logged on as Administrator or as a member of the Administrators group to turn on auditing and specify which events are recorded. Firewall, application and IDS logs may show network activity but not the logon attempts themselves.
A security administrator needs to determine which system a particular user is trying to login to at various times of the day. Which of the following log types would the administrator check? A. Firewall B. Application C. IDS D. Security
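Pulling one user's logon attempts out of Security log records, as an added example (not part of the original answer). The export format is constructed for this example: a simplified pipe-delimited flattening, in the order time|computer|event_id|target_user|source_workstation|logon_type, of the fields a SIEM keeps for these events. The Event IDs are the real Windows ones (4624 successful logon, 4625 failed logon, 4672 special privileges assigned); the hosts, users and timestamps are invented:

```python
"""Pulling one user's logon attempts out of a Security log export (added example,
not part of the original answer).

The export below is constructed: a simplified pipe-delimited flattening of the
fields a SIEM keeps for Windows Security events, in the order
time|computer|event_id|target_user|source_workstation|logon_type. The Event IDs
are the real Windows ones (4624 = successful logon, 4625 = failed logon,
4672 = special privileges assigned); the hosts, users and timestamps are invented.
"""
from collections import defaultdict
from datetime import datetime

SAMPLE_EXPORT = """\
2024-03-04T08:02:11|SRV-FILE01|4624|jdoe|WS-114|3
2024-03-04T08:05:40|SRV-HR02|4625|jdoe|WS-114|3
2024-03-04T08:05:52|SRV-HR02|4625|jdoe|WS-114|3
2024-03-04T09:15:03|SRV-FILE01|4624|asmith|WS-201|3
2024-03-04T12:00:00|SRV-FILE01|4672|jdoe|WS-114|3
this line is corrupt
2024-03-04T22:47:19|SRV-DB01|4625|jdoe|WS-333|10
2024-03-04T22:47:31|SRV-DB01|4625|jdoe|WS-333|10
2024-03-05T01:10:00|SRV-DB01|4624|jdoe|WS-333|10
"""

LOGON_EVENTS = {4624: "success", 4625: "failure"}
LOGON_TYPES = {2: "interactive", 3: "network", 10: "remote interactive (RDP)"}


def parse_export(text):
    """Yield one dict per logon event; skip non-logon and malformed records."""
    for line in text.splitlines():
        parts = line.strip().split("|")
        if len(parts) != 6:
            continue                                  # malformed: skip, do not crash
        ts, computer, event_id, user, source, logon_type = parts
        try:
            event_id, logon_type = int(event_id), int(logon_type)
            when = datetime.fromisoformat(ts)
        except ValueError:
            continue
        if event_id not in LOGON_EVENTS:
            continue                                  # 4672 etc. are not logon attempts
        yield {"when": when, "computer": computer, "user": user, "source": source,
               "result": LOGON_EVENTS[event_id],
               "logon_type": LOGON_TYPES.get(logon_type, str(logon_type))}


def logons_for_user(text, user):
    """Every system `user` tried to log on to, when, from where, and the outcome."""
    return [e for e in parse_export(text) if e["user"].lower() == user.lower()]


def summarize(events):
    """Per target system: outcome counts, hours of day seen and source workstations."""
    summary = defaultdict(lambda: {"success": 0, "failure": 0,
                                   "hours": set(), "sources": set()})
    for e in events:
        entry = summary[e["computer"]]
        entry[e["result"]] += 1
        entry["hours"].add(e["when"].hour)
        entry["sources"].add(e["source"])
    return dict(summary)
```

Run against the sample, the summary shows jdoe failing twice against the HR server during the day and then attempting the database server over RDP from a different workstation late at night, which is the kind of pattern (new target, new source, unusual hour) the administrator in the question is trying to surface.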
Answer: B. Phishing Explanation: Phishing is the act of sending an email to a user falsely claiming to be an established legitimate enterprise in an attempt to scam the user into surrendering private information that will be used for identity theft. Phishing email will direct the user to visit a website where they are asked to update personal information, such as a password, credit card, social security, or bank account numbers, that the legitimate organization already has. The website, however, is bogus and set up only to steal the information the user enters on the page. Phishing emails are blindly sent to thousands, if not millions of recipients. By spamming large groups of people, the "phisher" counts on the email being read by a percentage of people who actually have an account with the legitimate company being spoofed in the email and corresponding webpage. Phishing, also referred to as brand spoofing or carding, is a variation on "fishing," the idea being that bait is thrown out with the hopes that while most will ignore the bait, some will be tempted into biting.
A security administrator notices large amounts of traffic within the network heading out to an external website. The website seems to be a fake bank site with a phone number that when called, asks for sensitive information. After further investigation, the security administrator notices that a fake link was sent to several users. This is an example of which of the following attacks? A. Vishing B. Phishing C. Whaling D. SPAM E. SPIM
Answer: C. Process sandboxing Explanation: Sandboxing runs an application in a restricted environment with its own limited view of memory, files and other resources. A sandboxed process can only reach what it has explicitly been granted, so some applications can be confined to the user's own home directory while others are allowed to reach shared folders, even when many users share the same system. If a sandboxed application crashes or is compromised, the damage is contained to its sandbox and it cannot reach other applications or their data. File permissions alone cannot distinguish between two applications running as the same user, and OS virtualization or a trusted OS is heavier than the requirement calls for.
A security administrator wants to implement a solution which will allow some applications to run under the user's home directory and only have access to files stored within the same user's folder, while other applications have access to shared folders. Which of the following BEST addresses these requirements if the environment is concurrently shared by multiple users? A. OS Virtualization B. Trusted OS C. Process sandboxing D. File permission
Answer: C. TCP 53 E. UDP 53 Explanation:DNS uses TCP and UDP port 53. TCP port 53 is used for zone transfers, whereas UDP port 53 is used for queries.
A security technician needs to open ports on a firewall to allow for domain name resolution. Which of the following ports should be opened? (Select TWO). A. TCP 21 B. TCP 23 C. TCP 53 D. UDP 23 E. UDP 53
Answer: B. Buffer overflow Explanation: This question describes a buffer overflow attack. A buffer overflow occurs when a program or process tries to store more data in a buffer (temporary data storage area) than it was intended to hold. Since buffers are created to contain a finite amount of data, the extra information - which has to go somewhere - can overflow into adjacent buffers, corrupting or overwriting the valid data held in them. Although it may occur accidentally through programming error, buffer overflow is an increasingly common type of security attack on data integrity. In buffer overflow attacks, the extra data may contain codes designed to trigger specific actions, in effect sending new instructions to the attacked computer that could, for example, damage the user's files, change data, or disclose confidential information. Buffer overflow attacks are said to have arisen because the C programming language supplied the framework, and poor programming practices supplied the vulnerability.
A server administrator notes that a legacy application often stops running due to a memory error. When reviewing the debugging logs, they notice code being run calling an internal process to exploit the machine. Which of the following attacks does this describe? A. Zero-day B. Buffer overflow C. Cross site scripting D. Malicious add-on
Answer: D. Web-based form that identifies customer by another mechanism, sets a temporary password and forces a password change upon first login. Explanation: People forget their passwords, so an account recovery process is needed that does not increase risk exposure. Identifying the customer by another mechanism prevents an attacker from resetting someone else's account. Issuing a temporary password that is valid only for a short time limits the window in which an intercepted credential is useful, and forcing a change at first login ensures that only the customer knows the final password. Emailing the forgotten password (option C) is unacceptable because it means the site stores passwords in recoverable form and exposes them in transit; hardware tokens and office visits are impractical for the customers of a small company's support site.
A small company has a website that provides online customer support. The company requires an account recovery process so that customers who forget their passwords can regain access. Which of the following is the BEST approach to implement this process? A. Replace passwords with hardware tokens which provide two-factor authentication to the online customer support site. B. Require the customer to physically come into the company's main office so that the customer can be authenticated prior to their password being reset. C. Web-based form that identifies customer by another mechanism and then emails the customer their forgotten password. D. Web-based form that identifies customer by another mechanism, sets a temporary password and forces a password change upon first login.
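The recovery flow from option D implemented end to end, as an added example (not the page's code). The identity check "by another mechanism" is out of scope and assumed to have happened before the temporary password is issued; the in-memory dictionary stands in for the account database, the injectable clock exists so the expiry path can be exercised, and PBKDF2-HMAC-SHA256 is this example's choice of password hash:

```python
"""Temporary-credential account recovery (added example, not the page's code).

Implements the flow in option D: after the customer has been identified by some
other mechanism (out of scope here), issue a random temporary password that
expires quickly and must be changed at first login. The in-memory dict stands
in for the account database; the injectable clock exists so the expiry path can
be exercised. PBKDF2-HMAC-SHA256 is this example's hashing choice.
"""
import hashlib
import hmac
import os
import secrets
from datetime import datetime, timedelta, timezone

TEMP_PASSWORD_TTL = timedelta(minutes=15)
PBKDF2_ITERATIONS = 100_000


def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


class AccountStore:
    def __init__(self, now=None):
        self.accounts = {}
        self.now = now or (lambda: datetime.now(timezone.utc))

    def _set_credential(self, acct, password, expires, must_change):
        acct["salt"] = os.urandom(16)                  # fresh salt on every change
        acct["hash"] = _hash(password, acct["salt"])
        acct["temp_expires"] = expires
        acct["must_change"] = must_change

    def create(self, username, password):
        self.accounts[username] = {}
        self._set_credential(self.accounts[username], password, None, False)

    def issue_temporary_password(self, username):
        """Only call after the customer has been identified by another mechanism.
        The old password stops working immediately; the temporary one is short-lived
        and is retired by the forced change at first login."""
        temp = secrets.token_urlsafe(12)
        self._set_credential(self.accounts[username], temp,
                             self.now() + TEMP_PASSWORD_TTL, True)
        return temp                                    # deliver out of band, never log it

    def login(self, username, password):
        """'ok', 'must_change' or 'denied'. Same answer for unknown users and bad passwords."""
        acct = self.accounts.get(username)
        if acct is None:
            return "denied"
        if acct["temp_expires"] is not None and self.now() > acct["temp_expires"]:
            return "denied"                            # expired temporary password
        if not hmac.compare_digest(acct["hash"], _hash(password, acct["salt"])):
            return "denied"
        return "must_change" if acct["must_change"] else "ok"

    def change_password(self, username, current, new):
        """Completes recovery: a successful change clears the temporary state."""
        if self.login(username, current) == "denied":
            return False
        self._set_credential(self.accounts[username], new, None, False)
        return True
```

The contrast with option C is that nothing here can hand a customer their old password back: only salted hashes are stored, the temporary credential is random and short-lived, and the application treats "must_change" as a gate that allows nothing but the password change itself.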
Answer: B. Pharming Explanation: A fraudulent entry has been added to the user's hosts file. The hosts file is consulted before DNS, so the entry sends every request for www.comptia.com to 5.5.5.5 instead of the site's real IP address. Similar in nature to e-mail phishing, pharming seeks to obtain personal or private (usually financial) information through domain spoofing. Rather than spamming victims with e-mails that lure them to spoofed web sites, pharming 'poisons' name resolution itself, either by feeding false information into a DNS server or by altering the local hosts file, so that a user's request is redirected elsewhere. The browser shows the correct address, which makes pharming more serious and more difficult to detect. Phishing attempts to scam people one at a time with an e-mail, while pharming allows the scammers to target large groups of people at one time through domain spoofing.
A user has unknowingly gone to a fraudulent site. The security analyst notices the following system change on the user's host: Old `hosts' file: 127.0.0.1 localhost New `hosts' file: 127.0.0.1 localhost 5.5.5.5 www.comptia.com Which of the following attacks has taken place? A. Spear phishing B. Pharming C. Phishing D. Vishing
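Detecting the hosts-file change from the question automatically, as an added example (not from the exam text). It parses the file the way the resolver does (comments stripped, one address followed by one or more names, first match wins) and flags any new or changed mapping that does not point at loopback. The two entries quoted in the question are used as-is; the comment line and the IPv6 localhost line in the "new" file are constructed to exercise the parser:

```python
"""Detecting hosts-file pharming (added example, not from the exam text).

Compares an old and a new copy of a hosts file, parses entries the way the
resolver does (comments stripped, one IP then one or more hostnames, first
match wins) and flags any new or changed mapping that points a name somewhere
other than loopback. The entries from the question are used as-is; the comment
and the IPv6 localhost line are constructed to exercise the parser.
"""
import ipaddress

OLD_HOSTS = "127.0.0.1 localhost\n"
NEW_HOSTS = """\
127.0.0.1 localhost
# attacker-added entry
5.5.5.5 www.comptia.com
::1 localhost ip6-localhost
"""


def parse_hosts(text):
    """Return {hostname (lower-cased): ip_address}; first mapping for a name wins."""
    mapping = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()       # drop comments, as the resolver does
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                               # malformed line; the resolver ignores it
        for name in fields[1:]:
            mapping.setdefault(name.lower(), ip)
    return mapping


def suspicious_entries(old_text, new_text):
    """New or changed mappings that do not point to a loopback address."""
    old, new = parse_hosts(old_text), parse_hosts(new_text)
    findings = []
    for name, ip in new.items():
        if ip.is_loopback:
            continue                               # 127.x / ::1 entries are normal
        if name not in old:
            findings.append((name, str(ip), "added"))
        elif old[name] != ip:
            findings.append((name, str(ip), f"changed from {old[name]}"))
    return findings
```

A baseline copy of each endpoint's hosts file, or a file-integrity monitor watching it, is what turns this into a detection: the hosts file changes rarely on a managed machine, so any non-loopback addition is worth an alert.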
Answer: D. Separation of duties Explanation: Separation of duties divides a sensitive business process among more than one person or account so that no single individual can carry out, approve and conceal a transaction end to end. In this scenario one user holds several financial roles and performs all of them from a single account, which an audit will flag: the company will most likely split those roles across distinct accounts (and people) so that, for example, the person who initiates a payment is not the one who approves it. Lockout, complexity and password enforcement policies harden the single account but do not address the concentration of conflicting duties in one person.
A user in the company is in charge of various financial roles but needs to prepare for an upcoming audit. They use the same account to access each financial system. Which of the following security controls will MOST likely be implemented within the company? A. Account lockout policy B. Account password enforcement C. Password complexity enabled D. Separation of duties
Answer: B. Advanced persistent threat Explanation: Definitions of precisely what an APT is can vary widely, but can best be summarized by their named requirements: Advanced - Criminal operators behind the threat utilize the full spectrum of computer intrusion technologies and techniques. While individual components of the attack may not be classed as particularly "advanced" (e.g. malware components generated from commonly available DIY construction kits, or the use of easily procured exploit materials), their operators can typically access and develop more advanced tools as required. They combine multiple attack methodologies and tools in order to reach and compromise their target. Persistent - Criminal operators give priority to a specific task, rather than opportunistically seeking immediate financial gain. This distinction implies that the attackers are guided by external entities. The attack is conducted through continuous monitoring and interaction in order to achieve the defined objectives. It does not mean a barrage of constant attacks and malware updates. In fact, a "low-and-slow" approach is usually more successful. Threat - means that there is a level of coordinated human involvement in the attack, rather than a mindless and automated piece of code. The criminal operators have a specific objective and are skilled, motivated, organized and well funded.
After analyzing and correlating activity from multiple sensors, the security administrator has determined that a group of very well organized individuals from an enemy country is responsible for various attempts to breach the company network, through the use of very sophisticated and targeted attacks. Which of the following is this an example of? A. Privilege escalation B. Advanced persistent threat C. Malicious insider threat D. Spear phishing
Answer: B. Enable MAC filtering Explanation: A MAC address, also known as an Ethernet hardware address (EHA), hardware address or physical address, identifies a network interface. Enabling MAC filtering on the wireless access point restricts or allows association based on that hardware address, which is exactly what the question asks for. Note that MAC addresses are transmitted in the clear and are trivially spoofed, so MAC filtering is a weak control on its own and should be combined with strong encryption and authentication such as WPA2.
An administrator needs to secure a wireless network and restrict access based on the hardware address of the device. Which of the following solutions should be implemented? A. Use a stateful firewall B. Enable MAC filtering C. Upgrade to WPA2 encryption D. Force the WAP to use channel 1
Answer: D. Run a last logon script to look for inactive accounts. Explanation: A script can return every account that has not logged on for a set number of days, for example 30. Accounts unused for that long are likely to belong to people who have left, and they can be disabled (after confirmation) so that they can no longer be used to log in. Ideally every temporary employee's account would be created with an expiration date, but option B applies that to permanent employees, and password expiration or time-of-day restrictions do not remove stale accounts. Best practice remains to disable an account as soon as the employee leaves.
An administrator notices that former temporary employees' accounts are still active on a domain. Which of the following can be implemented to increase security and prevent this from happening? A. Implement a password expiration policy. B. Implement an account expiration date for permanent employees. C. Implement time of day restrictions for all temporary employees. D. Run a last logon script to look for inactive accounts.
Answer: A. Centralized management. Explanation: Virtualization lets one set of hardware host multiple virtual machines, and in the case of software and applications a single host can deliver them to many users. Because everything runs on that shared infrastructure, it can be provisioned, patched, monitored and backed up from one place, which makes centralized management the advantage.
An advantage of virtualizing servers, databases, and office applications is: A. Centralized management. B. Providing greater resources to users. C. Stronger access control. D. Decentralized management.
Answer: A. Set up a honeypot and place false project documentation on an unsecure share. Explanation: In this scenario, we would use a honeypot as a 'trap' to catch unauthorized employees who are accessing critical project information. A honeypot is a system whose purpose is to be attacked. An administrator can watch and study the attack to research current attack methodologies. According to Webopedia.com, a honeypot luring a hacker into a system has several main purposes: The administrator can watch the hacker exploit the vulnerabilities of the system, thereby learning where the system has weaknesses that need to be redesigned. The hacker can be caught and stopped while trying to obtain root access to the system. By studying the activities of hackers, designers can better create more secure systems that are potentially invulnerable to future hackers. There are two main types of honeypots: Production - A production honeypot is one used within an organization's environment to help mitigate risk. Research - A research honeypot adds value to research in computer security by providing a platform to study the threat.
Based on information leaked to industry websites, business management is concerned that unauthorized employees are accessing critical project information for a major, well-known new product. To identify any such users, the security administrator could: A. Set up a honeypot and place false project documentation on an unsecure share. B. Block access to the project documentation using a firewall. C. Increase antivirus coverage of the project servers. D. Apply security updates and harden the OS on all project servers.
Answer: D. Anomaly based Explanation: Most intrusion detection systems (IDS) are what is known as signature-based. This means that they operate in much the same way as a virus scanner, by searching for a known identity - or signature - for each specific intrusion event. And, while signature-based IDS is very efficient at sniffing out known methods of attack, it does, like anti-virus software, depend on receiving regular signature updates, to keep in touch with variations in hacker technique. In other words, signature-based IDS is only as good as its database of stored signatures. Any organization wanting to implement a more thorough - and hence safer - solution, should consider what we call anomaly-based IDS. By its nature, anomaly-based IDS is a rather more complex creature. In network traffic terms, it captures all the headers of the IP packets running towards the network. From this, it filters out all known and legal traffic, including web traffic to the organization's web server, mail traffic to and from its mail server, outgoing web traffic from company employees and DNS traffic to and from its DNS server. There are other equally obvious advantages to using anomaly-based IDS. For example, because it detects any traffic that is new or unusual, the anomaly method is particularly good at identifying sweeps and probes towards network hardware. It can, therefore, give early warnings of potential intrusions, because probes and scans are the predecessors of all attacks. And this applies equally to any new service installed on any item of hardware - for example, Telnet deployed on a network router for maintenance purposes and forgotten about when the maintenance was finished. This makes anomaly-based IDS perfect for detecting anything from port anomalies and web anomalies to mis-formed attacks, where the URL is deliberately mis-typed.
Four weeks ago, a network administrator applied a new IDS and allowed it to gather baseline data. As rumors of a layoff began to spread, the IDS alerted the network administrator that access to sensitive client files had risen far above normal. Which of the following kinds of IDS is in use? A. Protocol based B. Heuristic based C. Signature based D. Anomaly based
Answer: A. Transitive trust Explanation: In transitive trusts, trust between a first party and a third party flows through a second party that is trusted by both the first party and the third party.
If Organization A trusts Organization B and Organization B trusts Organization C, then Organization A trusts Organization C. Which of the following PKI concepts is this describing? A. Transitive trust B. Public key trust C. Certificate authority trust D. Domain level trust
Answer: A. Integrity Explanation: Integrity means that the messages/data are not altered. PII is personally identifiable information that can be used to uniquely identify an individual. PII can be used to ensure the integrity of data/messages.
It is important to staff who use email messaging to provide PII to others on a regular basis to have confidence that their messages are not intercepted or altered during transmission. They are concerned about which of the following types of security control? A. Integrity B. Safety C. Availability D. Confidentiality
Answer: D. Vishing Explanation: Vishing (voice or VoIP phishing) is an electronic fraud tactic in which individuals are tricked into revealing critical financial or personal information to unauthorized entities. Vishing works like phishing but does not always occur over the Internet and is carried out using voice technology. A vishing attack can be conducted by voice email, VoIP (voice over IP), or landline or cellular telephone. The potential victim receives a message, often generated by speech synthesis, indicating that suspicious activity has taken place in a credit card account, bank account, mortgage account or other financial service in their name. The victim is told to call a specific telephone number and provide information to "verify identity" or to "ensure that fraud does not occur." If the attack is carried out by telephone, caller ID spoofing can cause the victim's set to indicate a legitimate source, such as a bank or a government agency. Vishing is difficult for authorities to trace, particularly when conducted using VoIP. Furthermore, like many legitimate customer services, vishing scams are often outsourced to other countries, which may render sovereign law enforcement powerless. Consumers can protect themselves by suspecting any unsolicited message that suggests they are targets of illegal activity, no matter what the medium or apparent source. Rather than calling a number given in any unsolicited message, a consumer should directly call the institution named, using a number that is known to be valid, to verify all recent activity and to ensure that the account information has not been tampered with.
Jane, an individual, has recently been calling various financial offices pretending to be another person to gain financial information. Which of the following attacks is being described? A. Phishing B. Tailgating C. Pharming D. Vishing
Answer: C. Whole disk encryption with two-factor authentication Explanation: Whole-disk encryption only provides reasonable protection when the system is fully powered off. To make the most of the defensive strength of whole-disk encryption, a long, complex passphrase should be used to unlock the system on bootup. Combining whole-disk encryption with two-factor authentication would further increase protection.
One of the most basic ways to protect the confidentiality of data on a laptop in the event the device is physically stolen is to implement which of the following? A. File level encryption with alphanumeric passwords B. Biometric authentication and cloud storage C. Whole disk encryption with two-factor authentication D. BIOS passwords and two-factor authentication
Answer: A. XSS attack Explanation: The tags indicate that script is being inserted. Cross-site scripting (XSS) is a type of computer security vulnerability typically found in Web applications. XSS enables attackers to inject client-side script into Web pages viewed by other users. Cross-site scripting uses known vulnerabilities in web-based applications, their servers, or plug-in systems on which they rely. Exploiting one of these, attackers fold malicious content into the content being delivered from the compromised site. When the resulting combined content arrives at the client-side web browser, it has all been delivered from the trusted source, and thus operates under the permissions granted to that system. By finding ways of injecting malicious scripts into web pages, an attacker can gain elevated access privileges to sensitive page content, session cookies, and a variety of other information maintained by the browser on behalf of the user.
Peter, the security administrator, has been notified by the IDS that the company website is under attack. Analysis of the web logs shows the following string, indicating a user is trying to post a comment on the public bulletin board. INSERT INTO message ` This is an example of which of the following? A. XSS attack B. XML injection attack C. Buffer overflow attack D. SQL injection attack
Answer: C. The picture uploaded to the social media site was geo-tagged by the mobile phone. Explanation: Geo-tagging is the process of embedding the GPS coordinates in image files and images taken using a smartphone or a digital camera. The geotagged information accompanying the image allows anyone to discover the precise location where the image was taken.
Prior to leaving for an extended vacation, Peter uses his mobile phone to take a picture of his family in the house living room. Peter posts the picture on a popular social media site together with the message: "Heading to our two weeks vacation to Italy." Upon returning home, Peter discovers that the house was burglarized. Which of the following is the MOST likely reason the house was burglarized if nobody knew Peter's home address? A. Peter has enabled the device access control feature on his mobile phone. B. Peter's home address can be easily found using the TRACEROUTE command. C. The picture uploaded to the social media site was geo-tagged by the mobile phone. D. The message posted on the social media site informs everyone the house will be empty.
Answer: A. SQL injection Explanation: To access information in databases, you use SQL. To gain unauthorized information from databases, a SQL injection attack is used. SQL injection is a code injection technique, used to attack data-driven applications, in which malicious SQL statements are inserted into an entry field for execution (e.g. to dump the database contents to the attacker). SQL injection must exploit a security vulnerability in an application's software, for example, when user input is either incorrectly filtered for string literal escape characters embedded in SQL statements or user input is not strongly typed and unexpectedly executed. SQL injection is mostly known as an attack vector for websites but can be used to attack any type of SQL database.
Which of the following types of application attacks would be used to specifically gain unauthorized information from databases that did not have any input validation implemented? A. SQL injection B. Session hijacking and XML injection C. Cookies and attachments D. Buffer overflow and XSS