Chapter 2 Test


45. Farès has implemented a flood guard. What type of attack is this most likely to defend against? A. SYN attack B. DNS poisoning C. MAC spoofing D. ARP spoofing

A. A SYN attack is a type of flooding attack that is a denial of service. Flood guards are either stand-alone or, more often, part of a firewall, and they prevent flooding attacks. Option B is incorrect. DNS poisoning involves inserting fake entries into a DNS server; a flood guard will do nothing to prevent that. Option C is incorrect. Spoofing a MAC address does not involve any flooding. Option D is incorrect. Spoofing Address Resolution Protocol is a type of MAC spoofing and does not involve any flooding.

48. There has been a breach of the ACME network. John manages the SIEM at ACME. Part of the attack disrupted NTP; what SIEM issue would this most likely impact? A. Time synchronization B. Correlation C. Event duplication D. Events not being logged

A. If Network Time Protocol (NTP) is disrupted, then the various servers that forward logs to the SIEM might not have the same time. This could lead to events that actually took place at the same time appearing to have occurred at different times. Option B is incorrect. Event correlation is related to time synchronization, but that is a secondary effect. Option C is incorrect. NTP issues should not lead to any event duplication. Option D is incorrect. NTP issues should not lead to events failing to be logged.

79. Omar is responsible for wireless security in his company. He wants completely different WiFi access (i.e., a different SSID, different security levels, and different authentication methods) in different parts of the company. What would be the best choice for Omar to select in WAPs? A. Fat B. Thin C. Repeater D. Full

A. A fat wireless access point (WAP) is one that has all the functionality needed built in, such as the ability to forward traffic between wired interfaces like a layer 2 or layer 3 switch, and MAC filtering; no other servers or devices are required. In this case, since each WAP might have completely different needs, a fat WAP is preferred. Option B is incorrect. Thin WAPs require some server or device to offload some functionality to. Since each WAP has different needs, this would be difficult to implement with thin WAPs. Option C is incorrect. A repeater resends a signal. Option D is incorrect. Full is not a term used in the industry.

38. Denish is looking for a solution that will allow his network to retrieve information from a wide range of web resources, while all traffic passes through a proxy. What would be the best solution? A. Forward proxy B. Reverse proxy C. SPI D. Open proxy

A. A forward proxy is a single location that provides access to a wide range of web sources. Option B is incorrect. A reverse proxy is usually an internal-facing proxy used as a front end to control and protect access to a server on a private network. Option C is incorrect. Stateful packet inspection is a type of firewall. Option D is incorrect. Open proxies are usable by anyone on the Internet.

77. You are responsible for always-on VPN connectivity for your company. You have been told that you must use the most secure mode for IPSec that you can. Which of the following would be the best for you to select? A. Tunneling B. AH C. IKE D. Transport

A. A tunneling mode is the mode wherein IPSec encrypts the entire packet, header, and data. This prevents someone sniffing traffic from gathering metadata about the traffic. Option B is incorrect. Authentication Header (AH) provides authentication and integrity but no encryption, so it cannot be the most secure mode. Option C is incorrect. Internet Key Exchange (IKE) is used in setting up security associations in IPSec. Option D is incorrect. Transport mode encrypts only the data, not the header. This allows metadata about traffic to be sniffed by an attacker. Therefore, this cannot be the most secure mode.

44. Shelly is very concerned about unauthorized users connecting to the company routers. She would like to prevent spoofing. What is the most essential antispoofing technique for routers? A. ACL B. Logon C. NIPS D. NIDS

A. Access control lists are Cisco's primary recommendation to prevent spoofing on routers. ACLs limit access to the router and its functionality. Option B is incorrect. A login for accessing a router is often not practical because the router access may be needed when a user is not present to log on. Option C is incorrect. A network intrusion prevention system is a good idea, but it won't prevent spoofing. Option D is incorrect. A network intrusion detection system is a good idea, but it won't prevent spoofing.

40. Derrick is responsible for a web server cluster at his company. The cluster uses various load-balancing protocols. Derrick wants to ensure that clients connecting from Europe are directed to a specific server in the cluster. What would be the best solution to his problem? A. Affinity B. Binding C. Load balancing D. Round-robin

A. Affinity load balancing ties certain users or groups of users to a specific server so they will be routed to that server if possible. Option B is incorrect. Binding is not a term used in load balancing. Option C is incorrect. Yes, load balancing is needed, but the question asks what type of load balancing. Option D is incorrect. Round-robin simply goes to the next available server.

63. Elizabeth is responsible for SIEM systems in her company. She monitors the company's SIEM screens every day, checking every hour. What, if any, would be a better approach for her to keep up with issues that appear in the logs? A. Automatic alerts B. Having logs forwarded to her email C. Nothing, this is fine. D. Review SIEM logs primarily when an incident occurs.

A. A SIEM aggregates logs from multiple servers and devices. It is difficult to review so many logs, and of course issues could occur when Elizabeth is away from the SIEM management console. Having automatic alerts is the best way to be made aware of issues that require Elizabeth's attention. Option B is incorrect. Logs and event anomalies can be quite large, and having them forwarded to her email is unwieldy and does not solve the problem. Elizabeth will still need to read through them to be aware of any issues that require her attention. Option C is incorrect. This situation is not optimal. Option D is incorrect. Reviewing SIEM logs is one way that administrators become aware of issues. So reviewing them only when you are already aware of an issue is not a good use of SIEM.

70. Gerald is a network administrator for a small financial services company. He is responsible for controlling access to resources on his network. What mechanism is responsible for blocking access to a resource based on the requesting IP address? A. ACL B. NIPS C. HIPS D. Port blocking

A. An access control list (ACL) has a list of which requestors are allowed access to which resources. Using an IP address to block or allow requests is a common technique. Option B is incorrect. A network intrusion prevention system (NIPS) is not part of access control. Option C is incorrect. A host intrusion prevention system (HIPS) is not part of access control. Option D is incorrect. Port blocking can be used to block a port on a router or switch, but it is not part of access control.

9. You are the network administrator for an e-commerce company. You are responsible for the web server cluster. You are concerned about not only failover, but also load-balancing and using all the servers in your cluster to accomplish load-balancing. What should you implement? A. Active-active B. Active-passive C. Affinity D. Round-robin

A. An active-active cluster has all servers working, rather than keeping a duplicate server in reserve. Option B is incorrect. An active-passive cluster has, for each pair of servers, one that is not actively serving; it is simply held in reserve in case the primary server should fail. Options C and D are incorrect. These are means by which a cluster decides how to route traffic within the cluster.

29. Frank is a network administrator for a small college. The college has implemented a simple NIDS. However, the NIDS seems to only catch well-known attacks. What technology is this NIDS likely missing? A. Heuristic scanning B. Signature scanning C. Passive scanning D. Active scanning

A. Heuristic scanning involves scanning for anomalous behavior that might indicate an attack, even if there is no known attack signature. Option B is incorrect. Signature scanning can only detect known signatures, and that appears to be what the college is using now. Options C and D are incorrect. Neither is an IDS term.

46. Terrance is trying to get all of his users to connect to a certificate server on his network. However, some of the users are using machines that are incompatible with the certificate server, and changing those machines is not an option. Which of the following would be the best solution for Terrance? A. Use an application proxy for the certificate server. B. Use NAT with the certificate server. C. Change the server. D. Implement a protocol analyzer.

A. An application proxy server is often used when the client and the server are incompatible for a direct connection. Option B is incorrect. Network address translation involves translating a private IP address to a public IP address. Option C is incorrect. Changing the server is a drastic measure. It is assumed that this server is being used for some valid reason. Option D is incorrect. A protocol analyzer is essentially a packet sniffer.

76. Abigail is a security manager for a small company. Many employees want to use handheld devices, such as smartphones and tablets. The employees want to use these devices both for work and outside of work. Abigail is concerned about security issues. Which of the following would be the most secure solution? A. COPE B. CYOD C. Geotagging D. BYOD

A. Company-Owned, Personally Enabled (COPE) equipment provides the most security because the company owns and provides the equipment to employees. This allows the company to fully control security, such as preventing carrier unlocking, disabling the recording microphone, and blocking WiFi Direct and WiFi ad hoc. Option B is incorrect. Choose Your Own Device (CYOD) would have the employees choose any device they wish from a set of options selected by the company. But these would still be employee-owned and -controlled devices. Option C is incorrect. Geotagging simply allows you to locate a device. Option D is incorrect. Bring Your Own Device (BYOD) allows employees to bring whatever device they have to work. This is a security concern.

34. Maria is a security engineer with a large bank. Her CIO has asked her to investigate the use of context-aware authentication for online banking. Which of the following best describes context-aware authentication? A. In addition to username and password, authentication is based on the entire context (location, time of day, action being attempted, etc.). B. Without a username or password, authentication is based on the entire context (location, time of day, action being attempted, etc.). C. Authentication that requires a username and password, but in the context of a token or digital certificate D. Authentication that requires a username and password, but not in the context of a token or digital certificate

A. Context-aware authentication does still require a username and password, but in addition to those criteria, it examines the user's location, time of day they are logging in, computer they are logging in from, what they are trying to do, and so forth. Option B is incorrect. Context-aware authentication still requires a username and password. Options C and D are incorrect. Context-aware authentication is not about digital certificates or tokens.

27. What technology was first introduced in Windows Vista and still exists in Windows that helps prevent malware by requiring user authorization to run executables? A. DEP B. DLP C. UTM D. ANT

A. Data Execution Prevention (DEP) requires the user to authorize any executable to execute. It should be noted that this is the definition Microsoft used for its functionality. A more technical definition is that Data Execution Prevention is preventing software from accessing restricted memory such as the operating system's memory. Option B is incorrect. Data Loss Prevention (DLP) is related to preventing exfiltration of data. Most DLP solutions have the capability to control removable media such as USB devices. Option C is incorrect. Unified Threat Management (UTM) is the combining of security services such as antivirus, HIDS, log monitoring, firewall, and so forth in a single device. Option D is incorrect. ANT is a networking technology.

81. Edward is a security manager for a bank. He has recently been reading a great deal about malware that accesses system memory. He wants to find a solution that would stop programs from utilizing system memory. Which of the following would be the best solution? A. DEP B. FDE C. UTM D. IDS

A. Data Execution Prevention (DEP) specifically monitors programs accessing system memory and prevents that. Note that the Microsoft implementation of DEP simply requires the end user to authorize all program execution. Option B is incorrect. Full-disk encryption (FDE) is a good idea, but it will not prevent running programs from accessing system memory. Option C is incorrect. Unified threat management (UTM) is the combining of security services such as antivirus, HIDS, log monitoring, firewall, and so forth in a single device. Option D is incorrect. An intrusion detection system (IDS) monitors traffic on the network, not running programs on a machine.

65. You work at a defense contracting company. You are responsible for mobile device security. Some researchers in your company use company-issued tablets for work. These tablets may contain sensitive, even classified data. What is the most important security measure for you to implement? A. FDE B. GPS tagging C. Geofencing D. Content management

A. Full-disk encryption (FDE) is the best way to protect data on any device. In this scenario, the sensitive data on the tablets is the most important concern; therefore, securing that data with FDE is the most important security measure to take. Option B is incorrect. GPS tagging might be a good idea—it would help locate lost or stolen devices. However, it is less important than FDE. Option C is incorrect. Geofencing limits where a device can be used, and it does not address the issues presented in this scenario. Option D is incorrect. Content management is always a good idea. But in this case, it won't address the most important security concern.

66. When using any HIDS/HIPS or NIDS/NIPS, the output is specific to the vendor. However, what is the basic set of information that virtually all HIDSs/HIPSs or NIDSs/NIPSs provide? A. IP addresses (sender and receiver), ports (sender and receiver), and protocol B. IP addresses (sender and receiver), ports (sender and receiver), and attack type C. IP addresses (sender and receiver), ports (sender and receiver), usernames, and machine names D. Usernames, machine names, and attack type

A. HIDSs/HIPSs and NIDSs/NIPSs each have output that the vendor specifies. But all such devices will output what protocol the traffic was, the source and destination IP addresses, as well as the source and destination port. More information may be provided, but this is the essential basic information all IDSs/IPSs display. Option B is incorrect. Many of these devices won't display the suspected attack type. The person operating the device should recognize that a flood of SYN packets on a given port is a SYN flood. Option C is incorrect. Usernames and machine names may or may not be included, but IP addresses will be. Option D is incorrect. Usernames and machine names may or may not be included, but IP addresses will be.

69. Hector is responsible for NIDS/NIPS in his company. He is configuring a new NIPS solution. What part of the NIPS collects data? A. Sensor B. Data source C. Manager D. Analyzer

A. In any IDS (HIDS/HIPS; NIDS/NIPS), the sensors collect data from the network segment they are on and forward that information to the analyzer. Option B is incorrect. A data source is any source of information for the IDS. Option C is incorrect. The manager is the interface that a human operator uses to interact with the NIDS/NIPS or HIDS/HIPS. Option D is incorrect. The analyzer takes data sent to it from the sensors and analyzes the data looking for indicators of an attack.

84. Emiliano is a network administrator for a large web-hosting company. His company also issues digital certificates to web-hosting clients. He wants to ensure that a digital certificate will not be used once it has been revoked. He also wants to ensure that there will be no delay between when the certificate is revoked and when browsers are made aware that it is revoked. What solution would be best for this? A. OCSP B. X.509 C. CRL D. PKI

A. Online Certificate Status Protocol (OCSP) checks the status of a certificate in real time. So when the browser is about to download a certificate, it first gets a real-time update on whether the certificate is valid or not. Option B is incorrect. X.509 is the standard for certificates and does not determine when they are checked for status. Option C is incorrect. A certificate revocation list (CRL) does show the status of certificates, but it is not updated in real time. Option D is incorrect. The public key infrastructure (PKI) does not determine when certificate status is checked.

10. Donald is working as a network administrator. He is responsible for the database cluster. Connections are load-balanced in the cluster by each new connection being simply sent to the next server in the cluster. What type of load-balancing is this? A. Round-robin B. Affinity C. Weighted D. Rotating

A. Round-robin load balancing simply sends each new connection to the next server in the cluster. Option B is incorrect. Affinity load balancing ties specific users to specific servers in the cluster. Option C is incorrect. Weighted load balancing examines the bandwidth utilization for each server and sends the next connection to the server with the least current bandwidth utilization. Option D is incorrect. Rotating is not a term used in load balancing.

68. Teresa is responsible for incident response at ACME Company. There was a recent breach of the network. The breach was widespread and affected many computers. As part of the incident response process, Teresa will collect the logs from the SIEM, which aggregates logs from 20 servers. Which of the following should she do first? A. Event de-duplication B. Log forwarding C. Identify the nature of the attack D. Identify the source IP of the attack

A. Since 20 servers send logs to the SIEM, de-duplicating events will be important. Option B is incorrect. A SIEM is a log aggregation and analysis tool. Log forwarding was established before the incident. Option C is incorrect. This is certainly something to do at some point, but it won't be the first action. Option D is incorrect. This is certainly something to do at some point, but it won't be the first action.

37. Remote employees at your company frequently need to connect to both the secure company network via VPN and open public websites, simultaneously. What technology would best support this? A. Split tunnel B. IPSec C. Full tunnel D. TLS

A. Split tunneling allows a mobile user to access dissimilar security domains like a public network (e.g., the Internet) and a local LAN or WAN at the same time. Option B is incorrect. IPSec is the protocol for establishing and securing a VPN, rather than connecting to different resources. You can use IPSec in either a split or full tunnel. Option C is incorrect. A full tunnel is a dedicated tunnel to one single target. Option D is incorrect. TLS is a protocol that can be used for establishing and securing a VPN, rather than connecting to different resources. You can use TLS in either a split or full tunnel.

49. What command would produce the image shown here? A. ping -n 6 -l 100 192.168.1.1 B. ping 192.168.1.1 -n 6 -s 100 C. ping #6 s 100 192.168.1.1 D. ping -s 6 -w 100 192.168.1.1

A. The -n switch sets the number of ping packets to send—in this case, 6—and -l sets the packet size—in this case, 100 bytes. Options B, C, and D are all incorrect. Each is a ping command, but these options have incorrect flags.

57. Omar is a network administrator for ACME Company. He is responsible for the certificate authorities within the corporate network. The CAs publish their CRLs once per week. What, if any, security issue might this present? A. Revoked certificates still being used B. Invalid certificates being issued C. No security issue D. Certificates with weak keys

A. The certificate revocation list designates certificates that have been revoked for some reason. Those certificates should no longer be used. But if the CRL is published only once per week, then a revoked certificate could potentially be used for up to a week after being revoked. Option B is incorrect. CRLs are not part of the certificate issuing process. Option C is incorrect. Yes, it would present a possible security issue. Option D is incorrect. Key generation for certificates is completely separate from CRLs.

2. You are responsible for network security at an insurance company. A lot of employees bring their own devices. You have security concerns about this. You have decided to implement a process whereby when users connect to your network, their devices are scanned. If a device does not meet your minimum security requirements, it is not allowed to connect. What best describes this? A. NAC B. SPI C. IDS D. BYOD

A. The correct answer is NAC, or Network Access Control. NAC is a network management solution that defines and implements a policy that enables only compliant and trusted endpoint devices to access network resources. Option B is incorrect. Stateful packet inspection (SPI) is a type of firewall. Option C is incorrect. IDS stands for intrusion detection system. Option D is incorrect. BYOD, or Bring Your Own Device, is the problem, but the solution described is Network Access Control (NAC).

22. John is concerned about the security of data on smartphones and tablets that his company issues to employees. Which of the following would be most effective in preventing data loss, should a device be stolen? A. Remote wipe B. Geolocation C. Strong PIN D. Limited data storage

A. The most effective protection against data loss is the ability to remotely wipe the phone. Option B is incorrect. Geolocation will allow you to locate the phone, but data may have already been exfiltrated. Option C is incorrect. A strong PIN is a good idea, but not as effective as remote wiping. Option D is incorrect. This only limits how much data could be on the device to be stolen.

87. Gabriel is using nmap to scan one of his servers whose IP address is 192.168.1.1. He wants to perform a ping scan, but the network blocks ICMP, so he will try a TCP ping scan and do so very slowly. Which of the following would accomplish that? A. nmap -O -PT -T1 192.168.1.1 B. nmap -O - T3 192.168.1.1 C. nmap -T -T1 192.168.1.1 D. nmap -PT -T5 192.168.1.1

A. The nmap -O flag indicates that you want to guess the operating system. The -PT option means do a ping with TCP. The -T1 option is a very slow scan. Options B, C, and D are all incorrect. The ping scan variations all start with -P (-PT TCP ping, -PS SYN ping, etc.), -T is timing, and the timing options range from T1 (slowest) to T5 (fastest).

83. What command would generate the output shown here? A. nslookup B. ipconfig C. netstat -a D. dig

A. The output shown is from nslookup, which is used to interact with the DNS server for your domain. Option B is incorrect. The ipconfig command will show the network configuration for your network cards. Option C is incorrect. The netstat -a command will show listening ports. Option D is incorrect. The dig command is a DNS-related utility, but the output shown is not from dig.

67. You are responsible for firewalls in your company. You are reviewing the output of the gateway firewall. What basic information would any firewall have in its logs? A. For all traffic: the source and destination IP and port, protocol, and whether it was allowed or denied B. For only blocked traffic: the source and destination IP and port as well as the reason for the traffic being denied/blocked C. For all traffic: the source and destination IP and port, whether it was allowed or denied, and the reason it was denied/blocked D. For only blocked traffic: the source and destination IP, protocol, and the reason it was denied/blocked

A. The standard items in any firewall log are the source and destination IP address and port of all traffic, the protocol the traffic is using, and whether that traffic was allowed or denied. Option B is incorrect. Firewall logs record both traffic that is allowed and traffic that is denied. Option C is incorrect. Many firewalls don't record a reason the traffic was denied, but all record the protocol used. Option D is incorrect. Firewall logs record both traffic that is allowed and traffic that is denied.

89. What command produced the output shown here? A. tracert -h 10 www.chuckeasttom.com B. tracert www.chuckeasttom.com C. netstat www.chuckeasttom.com D. nmap www.chuckeasttom.com

A. The tracert command is used to trace the route to a target (the equivalent command in Linux is traceroute). The -h switch sets the maximum number of hops before giving up. Option B is incorrect. The image shows a maximum of 10 hops. Without specifying the maximum, tracert defaults to a maximum of 30 hops. Option C is incorrect. This is not the output of netstat. Option D is incorrect. This is not the output of nmap.

55. John has discovered that an attacker is trying to get network passwords by using software that attempts a number of passwords from a list of common passwords. What type of attack is this? A. Dictionary B. Rainbow table C. Brute force D. Session hijacking

A. This is an example of a dictionary attack. The attacker uses a list of words that are believed to be likely passwords. Option B is incorrect. A rainbow table is a precomputed table of hashes. Option C is incorrect. Brute force tries every possible combination. Option D is incorrect. Session hijacking is when the attacker takes over an authenticated session.

39. Someone has been rummaging through your company's trash bins seeking to find documents, diagrams, or other sensitive information that has been thrown out. What is this called? A. Dumpster diving B. Trash diving C. Social engineering D. Trash engineering

A. This is the term for rummaging through the waste/trash. Options B and D are incorrect. These terms, while grammatically correct, are simply not the terms used in the industry. Option C is incorrect. Nothing in this scenario describes social engineering.

90. Daryll has been using a packet sniffer to observe traffic on his company's network. He has noticed that traffic between the web server and the database server is sent in clear text. He wants a solution that will not only encrypt that traffic, but also leverage the existing digital certificate infrastructure his company has. Which of the following would be the best solution for Daryll? A. TLS B. SSL C. IPSec D. WPA2

A. Transport Layer Security (TLS) can be used to secure any network communication (HTTP, LDAP, SMTP, etc.) and it uses digital certificates. Option B is incorrect. Secure Sockets Layer (SSL) is a much older technology that has been replaced by TLS. TLS was first released in 1999. Option C is incorrect. You could set up an IPSec VPN, but that would have more overhead than TLS, and it would not leverage the existing digital certificate infrastructure. Option D is incorrect. WPA2 is for securing WiFi transmissions.

93. Sheila is responsible for data backups for all the company servers. She is concerned about frequency of backup and about security of the backup data. Which feature, found in some backup utility software, would be most important to her? A. Using data encryption B. Digitally signing the data C. Using automated backup scheduling D. Hashing the backup data

A. When backing up data, if you do not encrypt the data, then it would be possible for anyone to restore the backup and have access to all data you have backed up. Not all backup utilities include data encryption. Options B and D are incorrect. Both of these are very good ideas and ensure data integrity, but they were not mentioned as one of Sheila's concerns. Option C is incorrect. Although this is important, it is a feature that exists in all backup utilities.

50. You are a security officer for a large law firm. You are concerned about data loss prevention. You have limited the use of USBs and other portable media, you use an IDS to look for large volumes of outbound data, and a guard searches all personnel and bags before they leave the building. What is a key step in DLP that you have missed? A. Portable drives B. Email C. Bluetooth D. Optical media

B. An insider could send out data as an email attachment. Option A is incorrect. Portable devices usually connect via USB, which is blocked, and if they don't, they will likely be found on the exit search. Option C is incorrect. The range of Bluetooth is 10 meters. That makes it ineffective for data exfiltration. Option D is incorrect. Optical media is a type of portable media.

72. Mark is looking for a proxy server for his network. The purpose of the proxy server is to ensure that the web servers are hidden from outside clients. All of the different web servers should appear to the outside world as if they were the proxy server. What type of proxy server would be best for Mark to consider? A. Forward B. Reverse C. Transparent D. Firewall

B. A reverse proxy is a type of proxy server that retrieves resources on behalf of a client from one or more servers. The resources appear to the client as if they came from the proxy server. In other words, all of the internal web servers appear to the outside client as the single proxy server. Option A is incorrect. A forward proxy server acts as an intermediary for requests from clients seeking resources from other servers. Option C is incorrect. A transparent proxy is between clients and the Internet, and as the name suggests, the clients are unaware of it. Often these are co-located with the gateway. Option D is incorrect. Although firewalls and proxy servers can be co-located, they are two different technologies.

33. What is the purpose of screen locks on mobile devices? A. To encrypt the device B. To limit access to the device C. To load a specific user's apps D. To connect to WiFi

B. A screen lock limits access to users who know the code. Option A is incorrect. While device encryption is common, the screen lock code does not encrypt the device. Option C is incorrect. Unlike desktop operating systems, mobile devices are not designed to be used by multiple users. Option D is incorrect. The lock codes for screen locks have no relationship to connecting to WiFi.

53. Olivia has discovered steganography tools on an employee's computer. What is the greatest concern regarding employees having steganography tools? A. Password cracking B. Data exfiltration C. Hiding network traffic D. Malware

B. An employee could hide sensitive data in files using steganography and then exfiltrate that data. Option A is incorrect. Password crackers are a separate type of tool from steganography tools. Option C is incorrect. Very few steganography tools and methods allow you to hide network traffic. Option D is incorrect. Although it is possible to hide malware in a file via steganography, this is not the greatest or most common concern.

19. Employees in your company are allowed to use tablets. They can select a tablet from four different models approved by the company but purchased by the employee. What best describes this? A. BYOD B. CYOD C. COPE D. BYOE

B. Choose Your Own Device (CYOD) allows employees to bring their own devices to work, but only if they are chosen from a list of approved models. Option A is incorrect. Bring Your Own Device (BYOD) allows employees to bring whatever model device they happen to have. Option C is incorrect. Company-Owned Personally Enabled (COPE) equipment is provided by and owned by the company. Option D is incorrect. BYOE is not a term used in the industry.

24. What best describes mobile device content management? A. Limiting how much content can be stored. B. Limiting the type of content that can be stored. C. Blocking certain websites. D. Digitally signing authorized content.

B. Content management for a mobile device involves limiting what content can be placed on the phone. Option A is incorrect. Content management is not involved in limiting the amount of data. Option C is incorrect. In the context of a mobile device, this is not content management. Option D is incorrect. Digitally signing authorized content could be used in some content management systems, but this is not the best definition of content management.

12. Mohaned is an IT manager for a hotel. His hotel wants to put wireless access points on each floor. The specifications state that the wireless access points should have minimal functionality, with all the configuration, authentication, and other functionality centrally controlled. What type of wireless access points should Mohaned consider purchasing? A. Fat B. Controller-based C. Stand-alone D. 802.11i

B. Controller-based wireless access points have minimal functionality, with most functions centrally controlled. Option A is incorrect. A fat wireless access point has all necessary functionality contained in the WAP. Option C is incorrect. Stand-alone is synonymous with fat WAP. Option D is incorrect. 802.11i is the wireless security standard.

13. What IPSec protocol provides authentication and encryption? A. AH B. ESP C. IKE D. ISAKMP

B. Encapsulating Security Payload provides both integrity and encryption. Option A is incorrect. Authentication Header only provides integrity, not encryption. Option C is incorrect. Internet Key Exchange is used during the setup of IPSec to establish security associations. Option D is incorrect. The Internet Security Association and Key Management Protocol provides a framework for authentication and key exchange.

95. Mike is responsible for testing security at his company. He is using a tool that identifies vulnerabilities and provides mechanisms to test them by attempting to exploit them. What best describes this type of tool? A. Vulnerability scanner B. Exploit framework C. Metasploit D. Nessus

B. Exploit frameworks are tools that provide a framework for finding vulnerabilities and then attempting to exploit those vulnerabilities. These tools are an important part of network security testing. Option A is incorrect. A vulnerability scanner would only identify the vulnerabilities; it would not provide a means to use the vulnerability. Option C is incorrect. Metasploit is a popular exploit framework, but the question asked about the class of tools, not about identifying a specific tool. Option D is incorrect. Nessus is a well-known vulnerability scanner.

23. What does geofencing accomplish? A. Provides the location for a mobile device. B. Limits the range a mobile device can be used in. C. Determines WiFi coverage areas. D. Segments the WiFi.

B. Geofencing sets up geographic boundaries, beyond which a device won't work. Option A is incorrect. Geolocation provides geographic location, not geofencing. Options C and D are incorrect because geofencing is not related to WiFi.

82. Sarah is the CIO for a small company. She recently had the entire company's voice calls moved to VoIP. Her new VoIP system is using SIP with RTP. What might be the concern with this? A. SIP is not secure. B. RTP is not secure. C. RTP is too slow. D. SIP is too slow.

B. Real-time Transport Protocol (RTP) is used to transport VoIP and video signals, but it is not encrypted. Secure Real-time Transport Protocol (SRTP) should be used. Option A is incorrect. Session Initiation Protocol (SIP) is used to initiate a VoIP call but not to send the VoIP data. Option C is incorrect. The speed is not the issue. Option D is incorrect. The speed is not the issue.

16. You are responsible for email server security in your company. You want to implement encryption of all emails, using third-party authenticated certificates. What protocol should you implement? A. IMAP B. S/MIME C. PGP D. SMTP-S

B. Secure Multipurpose Internet Mail Extensions (S/MIME) encrypts email using X.509 certificates that are created and authenticated by a trusted third party. Option A is incorrect. The Internet Message Access Protocol is used for receiving email. It does not send email and is not natively encrypted. Option C is incorrect. PGP (Pretty Good Privacy) can be used to encrypt email, but it uses self-generated certificates that are not authenticated by a third party. Option D is incorrect. Simple Mail Transfer Protocol Secure is encrypted, but it is only for sending email, not receiving. It can also be done with S/MIME or PGP.

100. Francis is a security administrator at a large law firm. She is concerned that confidential documents, with proprietary information, might be leaked. The leaks could be intentional or accidental. She is looking for a solution that would embed some identifying information into documents in such a way that it would not be seen by the reader but could be extracted with the right software. What technology would best meet Francis's needs? A. Symmetric encryption B. Steganography C. Hashing D. Asymmetric encryption

B. Steganography allows you to embed data, messages, or entire files in other files. It is common to use this to embed some identifying mark that would track the owner of the document and perhaps its originating location. Steganography can track confidential documents. Options A and D are incorrect. Encryption of any type can be used to secure a document but won't help identify a document should it be leaked. Option C is incorrect. Hashes can be useful in detecting changes to a document but are less useful in identifying documents and their origin.

47. John is implementing virtual IP load-balancing. He thinks this might alleviate network slowdowns, and perhaps even mitigate some of the impact of a denial-of-service attack. What is the drawback of virtual IP load-balancing? A. It is resource-intensive. B. Most servers don't support it. C. It is connection-based, not load-based. D. It works only on Unix/Linux servers.

C. Virtual IP load-balancing does not take the load of each interface into account and assumes all loads are essentially similar. Option A is incorrect. This load-balancing is not resource-intensive. Option B is incorrect. Most servers do support virtual IP load-balancing. Option D is incorrect. Windows will also support virtual IP load-balancing.

59. You are responsible for authentication methods at your company. You have implemented fingerprint scanners to enter server rooms. Frequently people are being denied access to the server room, even though they are authorized. What problem is this? A. FAR B. FRR C. CER D. EER

B. The false rejection rate (FRR) is the rate at which authentication attempts are rejected when they should have succeeded. When you are getting a high number of authorized individuals being denied access, that is due to an FRR that is too high. Option A is incorrect. The false acceptance rate (FAR) is the rate at which people who should not be authenticated are. This is certainly a concern but a different concern. Option C is incorrect. The crossover error rate (CER) is the rate at which FAR and FRR are equal. Option D is incorrect. Equal error rate (EER) is another name for CER.

54. What command would generate the output shown here? A. netstat -a B. netstat -o C. arp -a D. arp -g

B. The netstat command displays all connections, and the -o flag shows the process that owns each connection. Option A is incorrect. The netstat -a command will show listening ports. Option C is incorrect. The arp -a command shows the current Address Resolution Protocol entries. Option D is incorrect. The arp -g command is identical to arp -a.

43. When you are considering an NIDS or NIPS, what are your two most important concerns? A. Cost and false positives B. False positives and false negatives C. Power consumption and cost D. Management interface and cost

B. The total number of erroneous reports (i.e., false positives and false negatives) is the biggest concern because this determines the effectiveness of the system. Option A is incorrect. Yes, cost is an issue, but effectiveness is the most important issue. Option C is incorrect. Yes, cost is an issue, but effectiveness is the most important issue, and power consumption is a much less important concern. Option D is incorrect. Both the management interface and the cost are important but less important than efficacy.

52. Joanne has implemented TLS for communication with many of her network servers. She wants to ensure that the traffic cannot be sniffed. However, users now complain that this is slowing down connectivity. Which of the following is the best solution? A. Increase RAM on servers. B. Change routers to give more bandwidth to traffic to these servers. C. Implement TLS accelerators. D. Place all servers in clusters with extensive load-balancing.

C. A TLS accelerator is a dedicated processor that offloads the processor-intensive public-key operations of Transport Layer Security (TLS) from the server. This should significantly improve server responsiveness. Option A is incorrect. Increasing RAM will have only a minimal effect on network responsiveness. Option B is incorrect. From the question, there is no indication that the servers were not performing fine before the TLS implementation, so addressing the TLS issue is the best solution. Option D is incorrect. Setting up clustering is a rather significant step, and not the first thing that should be considered. Implementation of TLS accelerators is a better option.

58. Hans is a network administrator for a large bank. He is concerned about employees violating software licenses. What would be the first step in addressing this issue? A. Performing software audits B. Scanning the network for installed applications C. Establishing clear policies D. Blocking the ability of users to install software

C. A clear security policy must be created that explains software licensing and the company processes for software licensing. Without clear policies, any other countermeasures will be less effective. Option A is incorrect. Although software audits are a good idea, meaningful audits can take place only after good policies are in place. Option B is incorrect. Scanning the network to see what is installed is a good idea, but policies must be established first. Option D is incorrect. This may, or may not, be a step the company wishes to take. But policies must be established first.

75. Mia is responsible for security devices at her company. She is concerned about detecting intrusions. She wants a solution that would work across entire network segments. However, she wants to ensure that false positives do not interrupt work flow. What would be the best solution for Mia to consider? A. HIDS B. HIPS C. NIDS D. NIPS

C. A network intrusion detection system (NIDS) will detect intrusions across a network segment, but it won't block the possible attacks, thus not disrupting work due to false positives. Option A is incorrect. A host intrusion detection system (HIDS) will only detect intrusions for a specific host. Option B is incorrect. A host intrusion prevention system (HIPS) will only detect intrusions for a specific host, and will block them, so it would disrupt work due to false positives. Option D is incorrect. A network intrusion prevention system (NIPS) will detect intrusions across a network segment, but it will also block them, possibly disrupting workflow.

74. Lars is responsible for incident response at ACME Company. He is particularly concerned about the network segment that hosts the corporate web servers. He wants a solution that will detect potential attacks and notify the administrator so the administrator can take whatever action he or she deems appropriate. Which of the following would be the best solution for Lars? A. HIDS B. HIPS C. NIDS D. NIPS

C. A network intrusion detection system (NIDS) will detect suspected attacks on a given network segment and notify the administrator. For example, with anomaly detection, the administrator will be notified if there is any deviation from an expected pattern or behavior. Option A is incorrect. A host intrusion detection system (HIDS) only detects intrusions for a single host. Option B is incorrect. A host intrusion prevention system (HIPS) only detects intrusions on a single host, and it blocks suspected intrusions. Option D is incorrect. A network intrusion prevention system (NIPS) will check the entire network segment, but rather than simply notifying the administrator so that he or she can take action, the NIPS will block the suspected traffic.

7. ACME Company has several remote offices. The CIO wants to set up permanent secure connections between the remote offices and the central office. What would be the best solution for this? A. L2TP VPN B. IPSEC VPN C. Site-to-site VPN D. Remote-access VPN

C. A site-to-site VPN is a permanent VPN connection between sites. Connecting remote offices is a typical site-to-site VPN implementation. Option A is incorrect. L2TP is a protocol for VPN and could be used for either site-to-site or remote-access VPNs. Option B is incorrect. IPSec is a protocol for VPN and could be used for either site-to-site or remote-access VPNs. Option D is incorrect. A remote-access VPN is used by an individual to remotely access the corporate network.

6. Enrique is responsible for web application security at his company. He is concerned about attacks such as SQL injection. Which of the following devices would provide the best protection for web attacks on his web application server? A. ACL B. SPI C. WAF D. IDS

C. A web application firewall (WAF) is designed to provide firewall protection that also will protect against specific web attacks. Option A is incorrect. An access control list (ACL) is an important security measure but will not provide protection against web attacks. Option B is incorrect. A stateful packet inspector (SPI) is a robust firewall and will stop attacks such as SYN floods, but it won't provide the best protection against web attacks. Option D is incorrect. An IDS is a good security measure, but it won't provide the best protection against web attacks.

35. What does application management accomplish for mobile devices? A. Only allows applications from the iTunes store to be installed B. Ensures the company has a list of all applications on the devices C. Ensures only approved applications are installed on the devices D. Updates patches on all applications on mobile devices

C. Application management is primarily concerned with ensuring only authorized and approved applications are installed on mobile devices. Option A is incorrect. Not every app in the iTunes store is appropriate for business use, and the iTunes store only affects Apple devices. Option B is incorrect. Simply knowing what is installed is not the same thing as ensuring only authorized apps are installed. Option D is incorrect. Patch management can be a part of application management, but the primary goal is controlling what apps get installed on a device.

94. Frank is a web server administrator for a large e-commerce company. He is concerned about someone using netcat to connect to the company web server and retrieving detailed information about the server. What best describes his concern? A. Passive reconnaissance B. Active reconnaissance C. Banner grabbing D. Vulnerability scanning

C. Banner grabbing is a process whereby someone connects to a target web server and attempts to gather information, literally grabbing the web service's "banner." This is often done by telnetting into the web server. It can also be done with netcat, using an HTTP request. Option A is incorrect. Passive reconnaissance would not involve active connections to the server. Option B is incorrect. Although this is active reconnaissance, it is more accurately described as banner grabbing. Option D is incorrect. This scenario is not describing vulnerability scanning.

73. Your company has hired an outside security firm to perform various tests of your network. During the vulnerability scan you will provide that company with logins for various systems (i.e., database server, application server, web server, etc.) to aid in their scan. What best describes this? A. A white-box test B. A gray-box test C. A credentialed scan D. A logged-in scan

C. By giving the tester logins, you are allowing him to conduct a privileged scan (i.e., a scan with some privileges). Options A and B are incorrect. They describe the level of knowledge the tester is given of the network. A privileged scan cannot be a black-box test, but it could be either white box or gray box. Option D is incorrect. Although this is grammatically correct, it is not the term used in the industry.

14. Terrance is implementing IPSec. He wants to ensure that the packets are encrypted, and that the packet and all headers are authenticated. What should he implement? A. AH B. ESP C. AH and ESP D. IKE

C. ESP provides encryption and AH provides complete authentication, including the header, so both are needed to meet the requirements. Option A is incorrect. Authentication Header will provide complete packet authentication, including the header, but it won't provide encryption. Option B is incorrect. Encapsulating Security Payload provides both integrity and encryption but only authenticates the data, not the header. Option D is incorrect. Internet Key Exchange is used during the setup of IPSec to establish security associations.

31. You have been asked to implement a secure protocol for transferring files that uses digital certificates. Which protocol would be the best choice? A. FTP B. SFTP C. FTPS D. SCP

C. FTPS is File Transfer Protocol with SSL/TLS and uses digital certificates to secure file transfer. Option A is incorrect. File Transfer Protocol is not secure. Option B is incorrect. SFTP is secure, but it uses SSH for security and does not use digital certificates. Option D is incorrect. Secure Copy is secure, but it uses SSH for security and does not use digital certificates.

28. John is responsible for security of his company's new e-commerce server. He wants to ensure that online transactions are secure. What technology should he use? A. L2TP B. IPSec C. SSL D. TLS

D. Transport Layer Security (TLS) is used to encrypt and secure web traffic. Options A and B are incorrect. L2TP and IPSec are VPN technologies and not appropriate for securing web traffic. Option C is incorrect. Secure Sockets Layer was the appropriate choice a long time ago, but TLS is the successor to SSL and was released in 1999.

97. You are responsible for firewalls in your organization. You are concerned about ensuring that all firewalls are properly configured. The gateway firewall is configured as follows: to only allow inbound traffic on a very few specific, required ports; all traffic (allowed or blocked) is logged and logs forwarded to the SIEM. What, if anything, is missing from this configuration? A. Nothing, it is a good configuration. B. Encrypting all traffic C. Outbound connection rules D. Digital certificate authentication for inbound traffic

C. Firewalls do block inbound traffic and can be configured to fine-tune that blocking. However, they can and should also be configured to handle outbound traffic. This can prevent data exfiltration and other breaches. Option A is incorrect. This configuration is missing outbound rules. Option B is incorrect. It is often a good idea to encrypt some traffic, but not all traffic can or should be encrypted. DNS requests, for example, are not usually encrypted. Option D is incorrect. Digital certificates can be a very good mechanism for authentication. However, not all traffic can be authenticated with a digital certificate.

56. Isabella has found netcat installed on an employee's computer. That employee is not authorized to have netcat. What security concern might this utility present? A. It is a password cracker. B. It is a packet sniffer. C. It is a network communication utility. D. It is a DoS tool.

C. Netcat is a tool widely used by network administrators to establish communication between two machines. Having netcat on a machine could indicate an intruder has compromised that machine and installed netcat as a backdoor, or that the employee is setting up covert communication channels. Option A is incorrect. Netcat is not a password cracker. Option B is incorrect. Netcat is not a packet sniffer. Option D is incorrect. Netcat is not a denial-of-service tool.

99. You are responsible for the security of web servers at your company. You are configuring the WAF and want to allow only encrypted traffic to and from the web server, including traffic from administrators using a command-line interface. What should you do? A. Open port 80 and 23, and block port 443. B. Open port 443 and 23, and block port 80. C. Open port 443 and 22, and block port 80 and 23. D. Open port 443, and block all other ports.

C. Port 443 is used for HTTPS, HTTP encrypted via TLS. Port 22 is used for secure shell (SSH), which is a secure, encrypted command-line interface often used by administrators. Port 80 is for unencrypted HTTP traffic. Port 23 is for telnet, an insecure command-line interface. Options A, B, and D are incorrect. These are not the proper ports to block or to open.

21. You have been assigned to select a backup communication method for your company to use in case of significant disasters that disrupt normal communication. Which option would provide the most reliability? A. Cellular B. WiFi C. SATCOM D. VoIP

C. Satellite communications are most resistant to disasters that disrupt communications. Option A is incorrect. While cellular is effective and reasonably resilient, it is not as resilient as SATCOM. Option B is incorrect. WiFi can fail for any number of reasons, and a disaster is very likely to affect it. Option D is incorrect. If there is any disruption to the network, then VoIP will not function.

32. Ahmed is responsible for VoIP at his company. He has been directed to ensure that all VoIP calls have the option to be encrypted. What protocol is best suited for securing VoIP calls? A. SIP B. TLS C. SRTP D. SSH

C. Secure Real-Time Transport Protocol (SRTP) is used to encrypt and secure RTP. RTP is the protocol for transmitting VoIP. Option A is incorrect. Session Initiation Protocol is used to initiate a VoIP call but not to send the VoIP data. Option B is incorrect. TLS is used to secure data, but by itself it cannot secure VoIP. Option D is incorrect. Secure Shell (SSH) is for remote terminal connection and is not used in VoIP.

25. Frank believes there could be a problem accessing the DHCP server from a specific client. He wants to check by getting a new dynamic IP. What command will do this? A. ipconfig /request B. NETSTAT -renew C. ipconfig /renew D. NETSTAT /request

C. The ipconfig /renew command will request a new IP from the DHCP server. Option A is incorrect. There is no /request flag for ipconfig. Options B and D are incorrect. Netstat has nothing to do with getting a dynamic IP address. Also /request and -renew are not NETSTAT flags.

61. You are responsible for security at Acme Company. Recently, 20 new employee network accounts were created, with the default privileges for the network. You have discovered that eight of these have privileges that are not needed for their job tasks. Which security principle best describes how to avoid this problem in the future? A. Least privileges B. Separation of duties C. Implicit deny D. Weakest link

C. The security concept of implicit deny states that any new access account will by default be denied all access. When a request is made for specific privileges for that account, then the privileges are explicitly applied. This means that by default all privileges are implicitly denied. Option A is incorrect. Least privileges are what every account should have, but in this scenario the accounts were all given default privileges. The concept of implicit deny is a better answer. Option B is incorrect. Separation of duties is used to prevent any one person from executing any action that might have significant security ramifications for the company. Option D is incorrect. It is true that your network is only as secure as its weakest link, but that is not the best description of this scenario.

91. Jarod is concerned about DLP in his organization. Employees all have cloud-based solutions for data storage. What DLP-related security hazard, if any, might this create? A. No security hazard B. Malware from the cloud C. Data exfiltration through the cloud D. Security policies don't apply to the cloud.

C. Using cloud storage means that data is placed in the cloud, and can be accessed from outside the network. This presents a problem for data loss prevention (DLP) since it provides a convenient way to exfiltrate data from the network. Option A is incorrect. There is a security hazard for DLP. Option B is incorrect. Malware is unlikely from a cloud server, but it also is not a DLP concern. Option D is incorrect. Company security policies apply to any company asset, including cloud storage.

20. Mahmoud is considering moving all company desktops to a VDI deployment. Which of the following would be a security advantage of VDI? A. Employees can work from any computer in the company. B. VDI is more resistant to malware. C. Patch management is centrally controlled. D. It eliminates man-in-the-middle attacks.

C. Virtual Desktop Infrastructure does have all patch management centrally controlled. Option A is incorrect. This is a benefit of VDI but not a security benefit. Option B is incorrect. VDI is no more or less resistant to malware than physical desktops. Option D is incorrect. Some vendors claim VDI is less susceptible to man-in-the-middle attacks, but no one claims it is immune to them.

62. Mary is concerned that SIEM logs at her company are not being stored long enough, or securely enough. She is aware that it is possible a breach might not be discovered until long after it occurs. This would require the company to analyze older logs. It is important that Mary find an SIEM log backup solution that can a) handle all the aggregate logs of the SIEM, b) be maintained for a long period of time, and c) be secure. What solution would be best for her? A. Back up to large-capacity external drives. B. Back up to large-capacity backup tapes. C. Back up to WORM storage. D. Back up to tapes that will be stored off-site.

C. Write once, read many (WORM) storage is a type of high-capacity storage wherein once the data is written to the storage, it cannot be edited. It provides both high-capacity storage and secure storage, since the backups cannot be tampered with. Option A is incorrect. Large-capacity external drives would need to be stored in a secure place, and they can be edited and are thus not secure. You could secure one with encryption, but the question does not mention encrypted drives. Option B is incorrect. Backup tapes are older technology. Tapes frequently have issues, and data can become irretrievable. Option D is incorrect. Backup media should always be stored off-site, but there is the issue that tapes can easily be damaged or corrupted, which is unacceptable for long-term storage.

98. Charles is responsible for security for web servers in his company. Some web servers are used for an internal intranet, and some for external websites. He has chosen to encrypt all web traffic, and he is using self-signed X.509 certificates. What, if anything, is wrong with this approach? A. He cannot encrypt all HTTP traffic. B. He should use PGP certificates. C. He should not use self-signed certificates. D. Nothing; this is an appropriate configuration.

C. X.509 is the most common standard for digital certificates. It is relatively easy to create your own self-signed certificate. However, if you use a self-signed certificate on a public website, everyone visiting the website will receive a security error message from their browser. Option A is incorrect. You can encrypt all web traffic, and it is usually done with TLS and X.509 certificates. Option B is incorrect. PGP certificates are usually for email and not used for websites. Option D is incorrect. This is not appropriate—he should not be using self-signed certificates.

26. Teresa is responsible for network administration at a health club chain. She is trying to find a communication technology that uses low power and can spend long periods in low-power sleep modes. Which of the following technologies would be the best fit? A. WiFi B. Cellular C. Bluetooth D. ANT

D. ANT is a proprietary wireless network technology that provides low-power modes and is used in WiFi settings. It has been used in sports-related technologies. Option A is incorrect. WiFi uses power constantly, whether users connect or not. Option B is incorrect. Cellular consumes too much power. Option C is incorrect. The range of Bluetooth is too short.

3. Ahmed is responsible for VPN connections at his company. His company uses IPSec exclusively. He has decided to implement IPSec in a mode that encrypts the data of only the packet, not the headers. What is this called? A. Tunneling B. IKE C. ESP D. Transport

D. Transport mode is the mode wherein IPSec encrypts the data, but not the packet header. Option A is incorrect. Tunneling mode does encrypt the header as well as the packet data. Option B is incorrect. Internet Key Exchange (IKE) is used in setting up security associations in IPSec. Option C is incorrect. Encapsulating Security Payload (ESP) is used for authentication and encryption in IPSec, whether tunneling or transport mode is used.

78. Debra is the network administrator for her company. Her company's web servers are all in a cluster. Her concern is this: if one of the servers in the cluster fails, will the backup server be capable of running for a significant amount of time? She wants to make sure that the backup won't soon fail. What would be her best choice in clustering? A. Active-active B. Round-robin C. Affinity D. Active-passive

D. An active-passive cluster has backup servers that are not handling any workload. They are brought into action if the primary server fails. This means the backup server will not have been subjected to any workload and is effectively a new machine. Option A is incorrect. An active-active cluster has all servers working, with the load balanced between them. Should a primary server fail, there is some chance the backup might fail in the near future. Options B and C are incorrect. Round-robin and affinity describe how connections are routed in the cluster, not how failover functions.

36. Dominick is responsible for security at a medium-sized insurance company. He is very concerned about detecting intrusions. The IDS he has purchased states that he must have an IDS on each network segment. What type of IDS is this? A. Active B. IPS C. Passive D. Inline

D. An inline IDS is actually in the traffic line (i.e., on the network segment where traffic is). Option A is incorrect. An active IDS refers to one that takes action against suspected attack traffic—it has nothing to do with where it is placed. Option B is incorrect. IPS is another name for active IDS. Option C is incorrect. Passive refers to whether or not the system acts against suspected traffic, not the location of the IDS.

8. Mary is responsible for network security at a medium-sized insurance company. She is concerned that the offices are too open to public traffic and someone could simply connect a laptop to an open RJ45 jack and access the network. Which of the following would best address this concern? A. ACL B. IDS C. VLAN D. Port security

D. By mapping network jacks to specific MAC addresses of machines, you can prevent a rogue machine from being connected. Option A is incorrect. Access control lists won't prevent a rogue device from being connected to a port. Option B is incorrect. Intrusion detection systems won't prevent a rogue device from being connected to a port. Option C is incorrect. If that specific jack is part of a VLAN, it would limit the attacker to only that VLAN, but that is certainly not as reliable or as robust a security measure as port security.

42. Juan is responsible for the SIEM in his company. The SIEM aggregates logs from 12 servers. In the event that a breach is discovered, which of the following would be Juan's most important concern? A. Event duplication B. Time synchronization C. Impact assessment D. Correlation

D. Correlating the events from the servers related to the breach would be the most important issue to address for the SIEM manager. Option A is incorrect. Event duplication is an issue that needs to be addressed, but it is far less important than correlation. Option B is incorrect. Time synchronization will be important, but it is either done before an incident, during setup and maintenance of the servers, or after correlation, when correlated events need to have their time synchronized. Option C is incorrect. Impact assessment is important, but is not part of SIEM management.

18. You are responsible for network management at your company. You have been using SNMP for many years. You are currently using SNMP v2. A colleague has recently suggested you upgrade to SNMP v3. What is the primary benefit of SNMP v3? A. It is much faster. B. It integrates with SIEM. C. It uses CHAP authentication. D. It is encrypted.

D. Earlier versions of SNMP sent all traffic in clear text. SNMP v3 sends all data encrypted. Options A, B, and C are incorrect. They are not features of SNMP v3.

86. Victor is concerned about data security on BYOD and COPE. He is concerned specifically about data exposure should the device become lost or stolen. Which of the following would be most effective in countering this concern? A. Geofencing B. Screen lock C. GPS tagging D. Device encryption

D. Encrypting a mobile device is the best way to ensure the data on the device is secure. If the device is stolen or simply misplaced, then the data cannot be retrieved. Option A is incorrect. Geofencing limits the operational area of a device. But even a device that is not operating can have data accessed. Option B is incorrect. A screen lock is always a good idea; however, that is not as effective as device encryption. Option C is incorrect. GPS tagging could be used to locate the device, but it won't prevent data from being copied off the device.

30. You are concerned about an attacker enumerating all of your network. What protocol might help at least mitigate this issue? A. HTTPS B. TLS C. IPSec D. LDAPS

D. Lightweight Directory Access Protocol Secure (LDAPS) would at least mitigate the risk. LDAP is a directory of the network (computers, users, etc.). Securing that would help mitigate network enumeration. Option A is incorrect. HTTPS is for secure web pages. Option B is incorrect. TLS will help only if applied to a directory protocol, as it is in LDAPS. Option C is incorrect. IPSec, the protocol used for VPNs, won't solve this issue.

51. Which of the following email security measures would have the most impact on phishing emails? A. Email encryption B. Hardening the email server C. Digitally signing email D. Spam filter

D. Phishing emails are often sent out to masses of people, and a spam filter would block at least some of that, thus reducing the phishing email attacks. Option A is incorrect. Although email encryption is a good idea, it will do nothing to stop phishing. Option B is incorrect. Hardening all servers is a good security practice, but it has no impact on phishing emails. Option C is incorrect. Although digitally signing email is a good idea, it cannot stop phishing or even reduce it significantly. It might mitigate phishing emails that claim to come from a company employee, but it won't impact other phishing emails.

41. Teresa is responsible for WiFi security in her company. Her main concern is that there are many other offices in the building her company occupies and that someone could easily attempt to breach their WiFi from one of these locations. What technique would be best in alleviating her concern? A. Using thin WAPs B. Geofencing C. Securing the Admin screen D. WAP placement

D. Placing the WAPs carefully so as to provide the best coverage for the company, with minimum overlap outside the company, will be the best way to keep those in adjacent offices from attempting to breach the WiFi. When placing WAPs for the best coverage, one needs to focus on signal strength to ensure there are no gaps between WAPs. Option A is incorrect. Thin versus fat WAP refers to the functionality in the WAP and won't have any effect on the ability of nearby people to breach the WAP. Option B is incorrect. Geofencing is used to limit the area in which a mobile device can be used. Option C is incorrect. Securing the admin screen is a great idea and should be done, but it won't address the issue of nearby tenants attempting to breach the WiFi.

80. Lilly is a network administrator for a medium-sized financial services company. She wants to implement company-wide encryption and digital signing of emails. But she is concerned about cost, since there is a very limited budget for this. What would be her best choice? A. SMTPS B. S/MIME C. IMAPS D. PGP

D. Pretty Good Privacy (PGP) is very appropriate for email security. It provides self-signed certificates for email signing and encrypting. It is also very low cost. Option A is incorrect. Simple Mail Transfer Protocol Secure (SMTPS) is encrypted, but it is only for sending email, not receiving. It can also be combined with S/MIME or PGP. Option B is incorrect. Secure/Multi-Purpose Internet Mail Extensions (S/MIME) uses X.509 certificates, which are issued by a third party, and this has a cost associated with it. Option C is incorrect. Internet Message Access Protocol (IMAP) is for receiving email. It does not send email; therefore, IMAPS would not provide a full solution.

71. Elizabeth is responsible for secure communications at her company. She wants to give administrators the option to log in remotely and to execute command-line functions, but she wants this to only be possible via a secure, encrypted connection. What action should she take on the firewall? A. Block port 23 and allow ports 20 and 21. B. Block port 22 and allow ports 20 and 21. C. Block port 22 and allow port 23. D. Block port 23 and allow port 22.

D. Secure Shell (SSH) uses port 22 and provides a secure, encrypted command-line interface. Telnet uses port 23 and is not secure. Option A is incorrect. Telnet uses port 23 and is not secure, but ports 20 and 21 are for File Transfer Protocol (FTP). Option B is incorrect. Ports 20 and 21 are for File Transfer Protocol (FTP). Port 22, SSH, is what you should open. Option C is incorrect. This is the opposite of the correct answer. You should block 23 and allow port 22.

17. Joanne is responsible for all remote connectivity to her company's network. She knows that administrators frequently log in to servers remotely to execute command-line commands and Linux shell commands. She wants to make sure this can only be done if the transmission is encrypted. What protocol should she use? A. HTTPS B. RDP C. Telnet D. SSH

D. Secure Shell gives a remote command-line interface that is encrypted. Option A is incorrect. HyperText Transport Protocol Secure is for encrypting web traffic. Option B is incorrect. Windows Remote Desktop Protocol is not encrypted. Option C is incorrect. Telnet is not encrypted.

5. Juanita is a network administrator for a large university. The university has numerous systems, each with logs she must monitor and analyze. What would be the best approach for her to view and analyze logs from a central server? A. NAC B. Port forwarding C. IDS D. SIEM

D. Security Information and Event Management (SIEM) systems are designed specifically for log aggregation and analysis. Option A is incorrect. Network Access Control (NAC) scans devices to ensure they meet minimum network security requirements. Option B is incorrect. Port forwarding could be used, in conjunction with other steps, to aggregate logs, but it would not be the best approach. Option C is incorrect. An intrusion detection system (IDS) won't aggregate other systems' logs.

88. Mary is a network administrator for ACME Company. She sometimes needs to run a packet sniffer so that she can view the network traffic. She wants to find a well-known packet sniffer that works on Linux. Which of the following would be her best choice? A. Ophcrack B. Nmap C. Wireshark D. Tcpdump

D. Tcpdump is a widely used packet sniffer, made for Linux but ported to Windows. It works from the shell in Linux (the command line in Windows) and allows the user to dump current network traffic. Option A is incorrect. Ophcrack is a Windows password-cracking tool. Option B is incorrect. Nmap is a port scanner, rogue system detection, and network mapping tool. Option C is incorrect. Wireshark is a network traffic scanner and wireless scanner, but it is for Windows or Macintosh.

64. You are responsible for network security at a university. Faculty members are issued laptops. However, many of the faculty members leave the laptops in their offices most of the time (sometimes even for weeks). You are concerned about theft of laptops. In this scenario, what would be the most cost-effective method of securing the laptops? A. FDE B. GPS tagging C. Geofencing D. Tethering

D. Tethering is usually inexpensive, and simply tethering a portable device to a desk makes it difficult to steal the device. No antitheft method is foolproof, but tethering is simple, cost effective, and reasonably effective. Option A is incorrect. Full-disk encryption (FDE) can be a good idea and will protect the data on the laptop. However, the laptop can still be stolen, the drive wiped, and the laptop reused or sold. Option B is incorrect. GPS tagging may allow you to locate a stolen laptop, but it is usually more expensive than tethering. Option C is incorrect. Geofencing just limits where the device will work—it does not prevent theft of the device.

92. Derrick is a network administrator for a large company. The company network is segmented into zones of high security, medium security, low security, and the DMZ. He is concerned about external intruders and wishes to install a honeypot. Which is the most important zone to put the honeypot in? A. High security B. Medium security C. Low security D. DMZ

D. The DMZ is the best location for a honeypot, if the concern is outside intruders. An intruder is likely to first breach the outer firewall of the DMZ. A honeypot could conceivably catch the intruder there and prevent him or her from going further into the network. Options A, B, and C are incorrect. Certainly, you can put a honeypot anywhere, but the most important area is in the DMZ.

1. John is looking for a new firewall for a small company. He is concerned about DoS attacks, particularly the SYN flood. Which type of firewall would give the best protection against the SYN flood? A. Packet filter B. Application gateway C. Bastion D. SPI

D. The correct answer is stateful packet inspection (SPI). SPI looks at the entire context of the conversation and will stop SYN floods. Option A is incorrect. A packet filter is stateless and examines each packet in isolation, so it won't deter the SYN flood. Option B is incorrect. An application gateway may have SPI functionality, but its primary benefit is to protect against a specific application attack, such as web attacks. Option C is incorrect. Bastion is another name for a border firewall and does not indicate the process it uses.

11. Gerald is setting up new wireless access points throughout his company's building. The wireless access points have just the radio transceiver, with no additional functionality. What best describes these wireless access points? A. Fat B. Repeater C. Thick D. Thin

D. The term for this is thin wireless access point. Option A is incorrect. Fat wireless access points have all the functionality and features the wireless network needs. Option B is incorrect. A repeater resends a signal. Option C is incorrect. Thick is another term for fat access point.

96. William is a security officer for a large bank. When executives' laptops are decommissioned, he wants to ensure that the data on those laptops is completely wiped so that it cannot be recovered, even using forensic tools. How many times should William wipe a hard drive? A. 1 B. 3 C. 5 D. 7

D. US DoD data sanitization standard DoD 5220.22-M recommends an average of 7 complete wipes to wipe data. The standard has a matrix wherein you match the sensitivity of the data to a specific number of wipes, but the general rule is 7. Options A, B, and C are all incorrect. Fewer than 7 wipes are considered inadequate to prevent data recovery tools from recovering the data.

15. You are responsible for security at your company. One of management's biggest concerns is that employees might exfiltrate sensitive data. Which of the following would you implement first? A. IPS B. Routine audits of user machines C. VLAN D. USB blocking

D. USB blocking will prevent anyone from plugging in a USB drive and copying data out of the machine. Option A is incorrect. An IPS would only stop exfiltration of data if it was sent over the network and appeared as an attack. It would not stop data being hand-carried out. Option B is incorrect. This is a more time-consuming option and would not be the first thing you implement. Option C is incorrect. Virtual local area networks (VLANs) won't help with this issue.

60. John is responsible for network security at a very small company. Due to both budget constraints and space constraints, John can select only one security device. What should he select? A. Firewall B. Antivirus C. IDS D. UTM

D. Unified threat management (UTM) combines multiple security services into one device. It is common for a UTM to have firewall, antivirus, and IDS services all in one device. Options A, B, and C are incorrect. These are all good devices, but the UTM is a better choice.

4. Maria is responsible for monitoring IDS activity on her company's network. Twice in the past month there has been activity reported on the IDS that investigation has shown was legitimate traffic. What best describes this? A. False negative B. Passive C. Active D. False positive

D. When an IDS (or any security device) labels legitimate traffic as an attack, that is called a false positive. Option A is incorrect. A false negative is when an attack is mislabeled as legitimate. Option B is incorrect. Passive refers to how the IDS responds to suspicious activity. The question does not tell you if this is passive or active. Option C is incorrect. Active refers to how the IDS responds to suspicious activity. The question does not tell you if this is passive or active.

85. Elizabeth is responsible for security at a defense contracting company. She is concerned about users within her network exfiltrating data by attaching sensitive documents to emails. What solution would best address this concern? A. Email encryption B. USB blocking C. NIPS D. Content filtering

D. While most people think of content filtering in regard to filtering content you view, it can also be thought of in terms of content that is sent out. Implementing content filtering ensures that the problem of data exfiltration via email will be mitigated. Option A is incorrect. Email encryption would actually make it easier to exfiltrate data, since the data would be hidden from any analysis. Option B is incorrect. USB blocking won't affect email exfiltration. Option C is incorrect. A network-based intrusion prevention system (NIPS) cannot stop email attachments.
