CIS120B

Olivia wants to install a host-based security package that can detect attacks against the system coming from the network, but she does not want to take the risk of blocking the attacks since she fears that she might inadvertently block legitimate traffic. What type of tool could she install that will meet this requirement?
A host firewall
A host intrusion detection system
A host intrusion prevention system
A data loss prevention tool

A host intrusion detection system Olivia should install a host-based intrusion detection system. An IDS can detect and report on potential attacks but does not have the ability to stop them. A host-based IPS can be configured to report only on attacks, but it does have the built-in ability to be set up to block them. Firewalls can block known ports, protocols, or applications, but they do not detect attacks—although advanced modern firewalls blur the line between firewalls and other defensive tools. Finally, a data loss prevention tool focuses on preventing data exposures, not on stopping network attacks.

Bart knows that there are two common connection methods between Wi-Fi devices. Which of the following best describes ad hoc mode? A. Point-to-point B. NFC C. Point-to-multipoint D. RFID

A. Point-to-point Ad hoc networks work without an access point. Instead, devices directly connect to each other in a point-to-point fashion. Infrastructure mode Wi-Fi networks use a point-to-multipoint model.

Ben wants to observe malicious behavior targeted at multiple systems on a network. He sets up a variety of systems and instruments to allow him to capture copies of attack tools and to document all the attacks that are conducted. What has he set up? A. A honeypot B. A beartrap C. A honeynet D. A tarpit

C. A honeynet A honeynet is a group of systems that intentionally exposes vulnerabilities so that defenders can observe attacker behaviors, techniques, and tools to help them design better defenses.

Naomi has discovered the following TCP ports open on a system she wants to harden. Which ports are used for unsecure services and thus should be disabled to allow their secure equivalents to continue to be used? 21 - FTP, 22 - SSH, 23 - Telnet, 80 - HTTP, 443 - HTTPS
21, 22, and 80
21 and 80
21, 23, and 80
22 and 443

21, 23, and 80 The services listed are: 21 - FTP, 22 - SSH, 23 - Telnet, 80 - HTTP, 443 - HTTPS. Of these services, SSH and HTTPS are secure options for remote shell access and HTTP. Although secure mode FTP (FTP/S) may run on TCP 21, there is not enough information to know for sure, and HTTPS can be used for secure file transfer if necessary. Thus, Naomi's best option is to disable all three likely unsecure protocols: FTP, Telnet, and HTTP.

Grace is considering dropping the customer activities that collect and store sensitive personal information. What risk management strategy would this approach use? A. Risk acceptance B. Risk avoidance C. Risk mitigation D. Risk transference

B. Risk avoidance Changing business processes or activities to eliminate a risk is an example of risk avoidance.

Joe is authoring a document that explains to system administrators one way in which they might comply with the organization's requirement to encrypt all laptops. What type of document is Joe writing? A. Policy B. Guideline C. Procedure D. Standard

B. Guideline The key word in this scenario is "one way." This indicates that compliance with the document is not mandatory, so Joe must be authoring a guideline. Policies, standards, and procedures are all mandatory.

What ISO standard provides guidance on privacy controls? A. 27002 B. 27001 C. 27701 D. 31000

C. 27701 The International Organization for Standardization (ISO) publishes ISO 27701, covering privacy controls. ISO 27001 and 27002 cover cybersecurity, and ISO 31000 covers risk management.

Gary wants to use secure protocols for email access for his end users. Which of the following groups of protocols should he implement to accomplish this task? A. DKIM, DMARC, HTTPS B. SPF, POPS, IMAPS C. POPS, IMAPS, HTTPS D. DMARC, DKIM, SPF

C. POPS, IMAPS, HTTPS End users may use secure POP (POPS), secure IMAP (IMAPS), and secure HTTP (HTTPS) to retrieve email. SPF, DKIM, and DMARC are used to identify and validate email servers, not to access email by end users.

The company that Hui works for has built a device based on an Arduino and wants to standardize its deployment across the entire organization. What type of device has Hui's organization deployed, and where should Hui place her focus on securing it?
An FPGA, and on network security
A microcontroller, and on physical security
A GPU, and on network security
An ICS, and on physical security

A microcontroller, and on physical security Arduinos are a form of microcontroller, and since Arduinos in their default form do not have wired or wireless networking built in, Hui should focus on the physical security of the device.

What phase in the incident response process leverages indicators of compromise and log analysis as part of a review of events? A. Preparation B. Containment C. Eradication D. Identification

D. Identification The identification phase focuses on using various techniques to analyze events to identify potential incidents. Preparation focuses on building tools, processes, and procedures to respond to incidents. Eradication involves the removal of artifacts related to the incident, and containment limits the scope and impact of the incident.

Bonita has discovered that her organization is running a service on TCP port 636. What secure protocol is most likely in use? A. LDAPS B. IMAPS C. SRTP D. SNMPv3

A. LDAPS The secure version of LDAP runs on TCP port 636. IMAPS runs on 993, SRTP runs on UDP 5004, and SNMPv3 runs on the standard UDP 161 and 162 ports used for all versions of the protocol.

Theresa has implemented a technology that keeps data for personal use separate from data for her company on mobile devices used by members of her staff. What is this concept called? A. Storage segmentation B. Multifactor storage C. Full-device encryption D. Geofencing

A. Storage segmentation Storage segmentation is the concept of splitting storage between functions or usage to ensure that information that fits a specific context is not shared or used by applications or services outside of that context. Full-device encryption encrypts the entire device, geofencing is used to determine geographic areas where actions or events may be taken by software, and multifactor storage was made up for this question.

Tonya discovers that an employee is running a side business from his office, using company technology resources. What policy would most likely contain information relevant to this situation? A. NDA B. AUP C. Data ownership D. Data classification

B. AUP An organization's acceptable use policy (AUP) should contain information on what constitutes allowable and unallowable use of company resources. This policy should contain information to help guide Tonya's next steps.

Naomi is preparing to migrate her organization to a cloud service and wants to ensure that she has the appropriate contractual language in place. Which of the following is not a common item she should include? A. Right-to-audit clauses B. Right to forensic examination C. Choice of jurisdiction D. Data breach notification timeframe

B. Right to forensic examination Contracts commonly include right to audit, choice of jurisdiction, and data breach notification timeframe clauses, but a right to forensically examine a vendor's systems or devices is rarely included. Naomi may want to ask about their incident response process and for examples of previous breach notification and incident documentation shared with customers instead.

Ian has been receiving hundreds of false positive alerts from his SIEM every night when scheduled jobs run across his datacenter. What should he adjust on his SIEM to reduce the false positive rate? A. Trend analysis B. Sensitivity C. Correlation rules D. Dashboard configuration

B. Sensitivity Ian's first step should be changing the sensitivity for his alerts. Adjusting the alerts to ignore safe or expected events can help reduce false positives. Correlation rules may then need to be adjusted if they are matching unrelated items. Dashboards are used to visualize data, not for alerting, and trend analysis is used to feed dashboards and reports.

Amanda wants to create a view of her buildings that shows WiFi signal strength and coverage. What is this type of view called? A. A channel overlay B. A PSK C. A heatmap D. A SSID chart

C. A heatmap Amanda wants to create a heatmap which shows the signal strength and coverage for each access point in a facility. Heatmaps can also be used to physically locate an access point by finding the approximate center of the signal. This can be useful to locate rogue access points and other unexpected or undesired wireless devices. PSK stands for preshared key, a channel overlay is not a commonly used term (although channel overlap is a concern for channels that share bandwidth), and SSID chart was made up for this question.

What law creates privacy obligations for those who handle the personal information of European Union residents? A. HIPAA B. FERPA C. GDPR D. PCI DSS

C. GDPR The General Data Protection Regulation (GDPR) implements privacy requirements for handling the personal information of EU residents. The Health Insurance Portability and Accountability Act (HIPAA) includes security and privacy rules that affect healthcare providers, health insurers, and health information clearinghouses. The Family Educational Rights and Privacy Act (FERPA) applies to educational institutions. The Payment Card Industry Data Security Standard (PCI DSS) applies to credit and debit card information.

Greg would like to create an umbrella agreement that provides the security terms and conditions for all future work that his organization does with a vendor. What type of agreement should Greg use? A. BPA B. MOU C. MSA D. SLA

C. MSA Master service agreements (MSAs) provide an umbrella contract for the work that a vendor does with an organization over an extended period of time. The MSA typically includes detailed security and privacy requirements. Each time the organization enters into a new project with the vendor, they may then create a statement of work (SOW) that contains project-specific details and references the MSA.

What tool is specifically designed to support incident responders by allowing unified, automated responses across an organization? A. IPS B. COOP C. SOAR D. IRC

C. SOAR Security orchestration, automation, and response (SOAR) tools are designed to automate security responses, to allow centralized control of security settings and controls, and to provide strong incident response capabilities. IPS is an intrusion prevention system, COOP is the federal government's standards for continuity of operations, and Internet Relay Chat (IRC) is an online chat tool.

Charles wants to obtain a forensic copy of a running virtual machine. What technique should he use to capture the image? A. Run dd from within the running machine. B. Use FTK Imager from the virtual machine host. C. Use the VM host to create a snapshot. D. Use WinHex to create a copy from within the running machine.

C. Use the VM host to create a snapshot. Creating a snapshot will provide a complete copy of the system, including memory state that can then be analyzed for forensic purposes. Copying a running system from a program running within that system can be problematic, since the system itself will change while it is trying to copy itself. FTK Imager can copy drives and files, but it would not handle a running virtual machine.

Bart needs to assess whether a three-way TCP handshake is occurring between a Linux server and a Windows workstation. He believes that the workstation is sending a SYN but is not sure what is occurring next. If he wants to monitor the traffic, and he knows that the Linux system does not provide a GUI, what tool should he use to view that traffic? A. dd B. tcpreplay C. tcpdump D. Wireshark

C. tcpdump tcpdump is a command-line tool that will allow Bart to capture and analyze the traffic coming from the Windows workstation. If he does not see a three-way handshake, he will need to determine what is occurring with the traffic. Wireshark is a GUI (graphical) program, tcpreplay is used to replay traffic, and dd is used to clone drives.

As part of their yearly incident response preparations, Ben's organization goes through a sample incident step by step to validate what each person will do in the incident. What type of exercise is this? A. A checklist exercise B. A simulation C. A tabletop exercise D. A walk-through

D. A walk-through Ben's organization is conducting a walk-through exercise that reviews each step, thus ensuring that every team member knows what they would do and how they would do it. Checklist exercises are not a specific type of exercise. Tabletop exercises are conducted with more flexibility—team members are given a scenario and asked how they would respond and what they would do to accomplish tasks they believe would be relevant. A simulation exercise attempts to more fully re-create an actual incident to test responses.

The board of directors of Kate's company recently hired an independent firm to review the state of the organization's security controls and certify those results to the board. What term best describes this engagement? A. Assessment B. Control review C. Gap analysis D. Audit

D. Audit Any of these terms could reasonably be used to describe this engagement. However, the term audit best describes this effort because of the formal nature of the review and the fact that it was requested by the board.

Which one of the following is not a common use of the NIST Cybersecurity Framework? A. Describe the current cybersecurity posture of an organization. B. Describe the target future cybersecurity posture of an organization. C. Communicate with stakeholders about cybersecurity risk. D. Create specific technology requirements for an organization.

D. Create specific technology requirements for an organization. The NIST Cybersecurity Framework is designed to help organizations describe their current cybersecurity posture, describe their target state for cybersecurity, identify and prioritize opportunities for improvement, assess progress, and communicate with stakeholders about risk. It does not create specific technology requirements.

Grace's company decided to install the web application firewall and continue doing business. They are still worried about other risks to the information that were not addressed by the firewall and are considering purchasing an insurance policy to cover those risks. What strategy does this use? A. Risk acceptance B. Risk avoidance C. Risk mitigation D. Risk transference

D. Risk transference Insurance policies use a risk transference strategy by shifting some or all of the financial risk from the organization to an insurance company.

Elaine wants to securely erase the contents of a tape used for backups in her organization's tape library. What is the fastest secure erase method available to her that will allow the tape to be reused? A. Use a degausser. B. Wipe the tape by writing a random pattern of 1s and 0s to it. C. Incinerate the tape. D. Wipe the tape by writing all 1s or all 0s to it.

A. Use a degausser. A degausser is a quick and effective way to erase a tape before it is reused. Wiping a tape by writing 1s, 0s, or a pattern of 1s and 0s to it will typically be a slow operation and is not a common method of destroying data on a tape. Incinerating the tape won't allow it to be reused!

Daniel knows that WPA3 has added a method to ensure that brute-force attacks against weak preshared keys are less likely to succeed. What is this technology called? A. SAE B. CCMP C. PSK D. WPS

A. SAE Simultaneous Authentication of Equals (SAE) is used to establish a secure peering environment and to protect session traffic. Since the process requires additional cryptographic steps, it causes brute-force attacks to be much slower and thus less likely to succeed while also providing more security than WPA2's preshared key (PSK) mode. WPS is Wi-Fi Protected Setup, a quick setup capability; CCMP is the encryption mode used for WPA2 networks. WPA3 moves to 128-bit encryption for Personal mode and can support 192-bit encryption in Enterprise mode.

Alyssa wants to use her Android phone to store and manage cryptographic certificates. What type of solution could she choose to do this using secure hardware? A. SEAndroid B. A microSD HSM C. A wireless TPM D. MDM

B. A microSD HSM A hardware security module (HSM) in a microSD form factor allows a mobile device like an Android phone to securely store and manage certificates. Alyssa will also need an application to access and use the HSM, but she will have a complete, portable, and secure solution for her PKI needs. SEAndroid allows mandatory access control to be enforced on an Android device. TPMs are connected to systems and are often integrated into the motherboard or added as a plug-in module, not a wireless component. MDM is not a secure hardware solution, but it is a software solution for managing mobile devices.

What legal concept determines the law enforcement agency or agencies that will be involved in a case based on location? A. Nexus B. Nonrepudiation C. Jurisdiction D. Admissibility

C. Jurisdiction Jurisdiction is the legal authority over an area or individuals based on laws that create the jurisdiction. Nexus defines whether a relationship or connection exists, such as a local branch or business location. Admissibility determines whether evidence can be used in court. Nonrepudiation ensures that evidence or materials can be connected to their originator.

Isabelle needs to select the EAP protocol that she will use with her wireless network. She wants to use a secure protocol that does not require client devices to have a certificate, but she does want to require mutual authentication. Which EAP protocol should she use? A. EAP-FAST B. EAP-TTLS C. PEAP D. EAP-TLS

C. PEAP Isabelle should select PEAP, which doesn't require client certificates but does provide TLS support. EAP-TTLS provides similar functionality but requires additional software to be installed on some devices. EAP-FAST focuses on quick reauthentication, and EAP-TLS requires certificates to be deployed to the endpoint devices.

What standard allows USB devices like cameras, keyboards and flash drives to be plugged into mobile devices and used as they normally would be? A. OG-USB B. USB-HSM C. USB-OTG D. RCS-USB

C. USB-OTG USB On-the-Go, or USB-OTG, is a standard that allows mobile devices to act as USB hosts, allowing cameras, keyboards, thumb drives, and other USB devices to be used. A USB HSM is a USB hardware security module, and both OG-USB and RCS-USB were made up.

Alyssa wants to prevent a known Microsoft Word file from being downloaded and accessed on devices she is responsible for. What type of tool can she use to prevent this? A. An allow list tool B. A COOP C. A SIEM D. A deny list tool

D. A deny list tool Alyssa's best option is to use a deny list tool that can recognize the file, by filename, content, or hash value. An allow list tool would be far more difficult to use as she would have to approve all the files that were allowed, which can be exceptionally difficult and time consuming. A SIEM is used to view and analyze data but does not directly block files or data from being used. COOP (Continuity of Operations Planning) is a federal guideline on how to complete DR and BCP plans.

What is the document that tracks the custody or control of a piece of evidence called? A. Evidence log B. Audit log C. Event report D. Chain of custody

D. Chain of custody Chain-of-custody documentation tracks evidence throughout its lifecycle, with information about who has custody or control and when transfers happened, and continues until the evidence is removed from the legal process and disposed of. The other terms are not used for this practice.

Which one of the following security policy framework components does not contain mandatory guidance for individuals in the organization? A. Policy B. Standard C. Procedure D. Guideline

D. Guideline Guidelines are the only element of the security policy framework that is optional. Compliance with policies, standards, and procedures is mandatory.

Randy wants to prevent DHCP attacks on his network. What secure protocol should he implement to have the greatest impact? A. ARPS B. LDAPS C. SDHCP D. None of the above

D. None of the above None of the protocols listed will accomplish Randy's task. In fact, there is no secure DHCP or ARP version, and secure LDAP does not impact DHCP services.

Chuck wants to provide route security for his organization, and he wants to secure the BGP traffic that his routers rely on for route information. What should Chuck do? A. Choose a TLS-enabled version of BGP B. Turn on BGP route protection C. Use signed BGP by adopting certificates for each BGP peer D. None of the above

D. None of the above Unfortunately, BGP does not have native security methods, and BGP hijacks continue to appear in the news. Two solutions, SIDR and RPLS, have not been broadly adopted.

Brian recently conducted a risk mitigation exercise and has determined the level of risk that remains after implementing a series of controls. What term best describes this risk? A. Inherent risk B. Control risk C. Risk appetite D. Residual risk

D. Residual risk The residual risk is the risk that remains after an organization implements controls designed to mitigate, avoid, and/or transfer the inherent risk.

Amanda is assessing a vehicle's internal network. What type of bus is she most likely to discover connecting its internal sensors and controllers?
Narrowband bus
A Zigbee bus
A CAN bus
An SoC bus

A CAN bus A controller area network (CAN) is a vehicle-specific standard designed to allow microcontrollers, sensors, and other components of the vehicle to communicate. Zigbee, a wireless protocol used for home automation and similar short-ranged purposes, would be poorly suited to use in vehicles. Narrowband describes a channel, not a bus type, and an SoC bus was made up for this question.

What technique is used to ensure that DNSSEC-protected DNS information is trustworthy? A. It is digitally signed. B. It is sent via TLS. C. It is encrypted using AES256. D. It is sent via an IPSec VPN.

A. It is digitally signed. DNSSEC does not encrypt data but does rely on digital signatures to ensure that DNS information has not been modified and that it is coming from a server that the domain owner trusts. DNSSEC does not protect confidentiality, which is a key thing to remember when discussing it as a security option. TLS, an IPSec VPN, or encryption via AES are all potential solutions to protect the confidentiality of network data.

In the end, Grace found that the insurance policy was too expensive and opted not to purchase it. She is taking no additional action. What risk management strategy is being used in this situation? A. Risk acceptance B. Risk avoidance C. Risk mitigation D. Risk transference

A. Risk acceptance When an organization decides to take no further action to address remaining risk, they are choosing a strategy of risk acceptance.

Darren is working with an independent auditor to produce an audit report that he will share with his customers under NDA to demonstrate that he has appropriate security controls in place. The auditor will not be assessing the effectiveness of those controls. What type of audit report should Darren expect? A. SOC 2 Type 1 B. SOC 2 Type 2 C. SOC 3 Type 1 D. SOC 3 Type 2

A. SOC 2 Type 1 The fact that the auditor will not be assessing the effectiveness of the controls means that this is a Type 1 report, not a Type 2 report. The fact that it will be shared only under NDA means that it is a SOC 2 assessment.

The organization that Lynn works for wants to deploy an embedded system that needs to process data as it comes in to the device without processing delays or other interruptions. What type of solution does Lynn's company need to deploy?
An MFP
A HIPS
An SoC
An RTOS

An RTOS A real-time operating system (RTOS) is an OS that is designed to handle data as it is fed to the operating system, rather than delaying handling it as other processes and programs are run. Real-time operating systems are used when processes or procedures are sensitive to delays that might occur if responses do not happen immediately. An MFP is a multifunction printer, a HIPS is a host intrusion prevention system, and an SoC is a system on a chip—which is hardware, which might run an RTOS, but the answer does not mention what type of OS the SoC is running.

Melissa wants to capture network traffic for forensic purposes. What tool should she use to capture it? A. A forensic suite B. Wireshark C. dd D. WinHex

B. Wireshark Even though Wireshark is not a dedicated network forensic tool, since network traffic is ephemeral, capturing it with a packet sniffer like Wireshark is Melissa's best option. Forensic suites are useful for analyzing captured images, not capturing network traffic, and dd and WinHex are both useful for packet capture, but not for network traffic analysis.

Henry wants to check to see if services were installed by an attacker. What commonly gathered organizational data can he use to see if a new service appeared on systems? A. Registry dumps from systems throughout his organization B. Firewall logs C. Vulnerability scans D. Flow logs

C. Vulnerability scans Vulnerability scans are the best way to find new services that are offered by systems. In fact, many vulnerability scanners will flag new services when they appear, allowing administrators to quickly notice unexpected new services. Registry information is not regularly dumped or collected in most organizations. Firewall logs and flow logs could show information about the services being used by systems whose traffic passes through them, but this is a less useful and accurate way of identifying new services and would work only if those services were also being used.

Susan has discovered that an incident took place on her network almost six months ago. As she prepares to identify useful data for the incident, which common policy is most likely to cause her difficulties during her investigation? A. Configuration standards B. Communication policies C. Incident response policies D. Retention policies

D. Retention policies Retention policies for many organizations mean that data is kept for only a limited period of time. Many organizations keep specific logs for as short a period as 30 or 45 days, with other data kept for longer periods of time. It is likely that Susan will not have all of the incident data she would have if she had discovered the incident within 30 days of it occurring. Configuration standards are not a policy; communication and incident response policies would both support her IR needs.

What is the primary concern with SFlow in a large, busy network? A. It may allow buffer overflow attacks against the collector host. B. SFlow is not designed for large or complex networks. C. SFlow puts extreme load on the flow collector host. D. SFlow samples only network traffic, meaning that some detail will be lost.

D. SFlow samples only network traffic, meaning that some detail will be lost. The primary concern for analysts who deploy SFlow is often that it samples only data, meaning some accuracy and nuance can be lost in the collection of flow data. Sampling, as well as the implementation methods for SFlow, means that it scales well to handle complex and busy networks. Although vulnerabilities may exist in SFlow collectors, a buffer overflow is not a primary concern for them.

Which of the following is not a common constraint of an embedded system?
Compute
Form factor
Network
Authentication

Form factor Embedded systems are available in a broad range of physical form factors, allowing them to be placed in many different types of systems and devices. Common constraints for embedded systems as described by the Security+ exam outline include power, compute, network, crypto, inability to patch, authentication, range, cost, and implied trust.

What scripting environment is native to Windows systems?
Python
PowerShell
Bash
CMD

PowerShell PowerShell is a native scripting environment for Windows systems. Although Python and Bash can be installed, they are not automatically part of the operating system. CMD.exe will start the command prompt, but it is not a scripting environment.

Brian has deployed a system that monitors sensors and uses that data to manage the power distribution for the power company that he works for. Which of the following terms is commonly used to describe this type of control and monitoring solution?
SCADA
AVAD
SIM
HVAC

SCADA SCADA (supervisory control and data acquisition) is a system architecture that combines data acquisition and control devices with communications methods and interfaces to oversee complex industrial and manufacturing processes, just like those used in utilities. A SIM (subscriber identity module) is the small card used to identify cell phones; HVAC stands for heating, ventilation, and air-conditioning; and AVAD was made up for this question.

Chris wants systems that connect to his network to report their boot processes to a server where they can be validated before being permitted to join the network. What technology should he use to do this on the workstations?
UEFI/Trusted boot
BIOS/Trusted boot
UEFI/Measured boot
BIOS/Measured boot

UEFI/Measured boot Chris knows that BIOS-based systems do not support either of these modes, and that trusted boot validates every component before loading it, whereas measured boot logs the boot process and sends it to a server that can validate it before permitting the system to connect to the network or perform other actions.

Which of the following is not a typical security concern with MFPs?
Exposure of sensitive data from copies and scans
Acting as a reflector for network attacks
Acting as an amplifier for network attacks
Use of weak encryption

Use of weak encryption MFPs, or multifunction printers, may contain sensitive data from copies or scans; some MFPs have built-in hard drives or other mass storage that can retain data for an extended period of time. They often have weak network security capabilities, making them useful as a reflector or amplifier in some network attacks. Fortunately, if an MFP supports protocols like TLS for web access, they support a reasonably secure implementation of the protocols needed to keep data transfers secure.

Jim configures a Windows machine with the built-in BitLocker full disk encryption tool. When is the machine least vulnerable to having data stolen from it?
When the machine is off
When the machine is booted and logged in but is locked
When the machine is booted and logged in but is unlocked
When the machine is booted and logged in but is asleep

When the machine is off Jim knows that once a BitLocker-enabled machine is booted, the drive is unlocked and could be accessed. He would be least worried if the machine were off and was stolen, or if the drive itself were stolen from the machine, since the data would not be accessible in either of those cases.

What is the exposure factor (EF)? A. 5% B. 20% C. 50% D. 100%

D. 100% The attack would result in the total loss of customer data stored in the database, making the exposure factor (EF) 100 percent.

Lucca is prototyping an embedded system and wants to use a device that can run a full Linux operating system so that he can install and use a firewall and other security software to protect a web service he will run on it. Which of the following solutions should he use? An Arduino An FPGA A Raspberry Pi None of the above

A Raspberry Pi A Raspberry Pi supports Linux natively and has the resources and hardware to run the operating system and services described. An Arduino is a microcontroller and is better suited to handling a limited set of sensors, actuators, or similar hardware. An FPGA is a specific type of integrated chip that can be programmed to handle specific tasks, but it is not a full computer.

What is the annualized rate of occurrence (ARO)? A. 0.05 B. 0.20 C. 2.00 D. 5.00

A. 0.05 Aziz's threat intelligence research determined that the threat has a 5 percent likelihood of occurrence each year. This is an ARO of 0.05.

What type of NAC will provide Isaac with the greatest amount of information about the systems that are connecting while also giving him the most amount of control of systems and their potential impact on other systems that are connected to the network? A. Agent-based, pre-admission NAC B. Agentless, post-admission NAC C. Agent-based NAC, post-admission NAC D. Agent-based, post-admission NAC

A. Agent-based, pre-admission NAC Agent-based, pre-admission NAC will provide Isaac with the greatest amount of information about a machine and the most control about what connects to the network and what can impact other systems. Since systems will not be connected to the network, even to a quarantine or pre-admission zone, until they have been verified, Isaac will have greater control.

What does an SSL stripping attack look for to perform an on-path attack? A. An unencrypted HTTP connection B. A DNS query that is not protected by DNSSEC C. An unprotected ARP request D. All of the above

A. An unencrypted HTTP connection The original implementation of SSL stripping attacks relied heavily on unencrypted HTTP connections, and the updated version of SSL Strip+ continues to leverage HTTP connections, and then adds the ability to rewrite HTTPS links to HTTP links, allowing it even greater access to unencrypted links. DNSSEC and ARP are not involved in this technique.

Henry wants to use an open source forensic suite. Which of the following tools should he select? A. Autopsy B. EnCase C. FTK D. WinHex

A. Autopsy Autopsy is the only open source forensic suite on this list. Both EnCase and FTK are commercial tools, and WinHex is also a commercial tool but isn't a forensic suite.

What is the key difference between hashing and checksums? A. Both can validate integrity, but a hash also provides a unique digital fingerprint. B. A hash can be reversed, and a checksum cannot be. C. Checksums provide greater security than hashing. D. Checksums have fewer message collisions than a hash.

A. Both can validate integrity, but a hash also provides a unique digital fingerprint. Although both a checksum and a hash can be used to validate message integrity, a hash has fewer collisions than a checksum and will also provide a unique fingerprint for a file. Checksums are primarily used as a quick means of checking that integrity is maintained, whereas hashes are used for many other purposes such as secure password validation without retaining the original password. A checksum would not be useful for proving a forensic image was identical, but it could be used to ensure that your work had not changed the contents of the drive.

Hitesh wants to keep a system online but limit the impact of the malware that was found on it while an investigation occurs. What method from the following list should he use? A. Containment B. Isolation C. Segmentation D. Black holing

A. Containment Containment activities focus on preventing further malicious actions or attacks. In this case, Hitesh might opt to prevent the malware from spreading but leave the system online due to a critical need or a desire to preserve memory and other artifacts for investigation. Isolation walls a system or systems off from the rest of the world, whereas segmentation is frequently used before incidents occur to create zones or segments of a network or system with different security levels and purposes.

Which one of the following statements is not true about compensating controls under PCI DSS? A. Controls used to fulfill one PCI DSS requirement may be used to compensate for the absence of a control needed to meet another requirement. B. Controls must meet the intent of the original requirement. C. Controls must meet the rigor of the original requirement. D. Compensating controls must provide a similar level of defense as the original requirement.

A. Controls used to fulfill one PCI DSS requirement may be used to compensate for the absence of a control needed to meet another requirement. PCI DSS compensating controls must be "above and beyond" other PCI DSS requirements. This specifically bans the use of a control used to meet one requirement as a compensating control for another requirement.

Helen's organization maintains medical records on behalf of its customers, who are individual physicians. What term best describes the role of Helen's organization? A. Data processor B. Data controller C. Data owner D. Data steward

A. Data processor In this case, the physicians maintain the data ownership role. They have chosen to outsource data processing to Helen's organization, making that organization a data processor.

Under the European Union's GDPR, what term is assigned to the individual who leads an organization's privacy efforts? A. Data protection officer B. Data controller C. Data steward D. Data processor

A. Data protection officer Under the GDPR, the data protection officer (DPO) is an individual assigned direct responsibility for carrying out an organization's privacy program.

James is concerned about preventing broadcast storms on his network. Which of the following solutions is not a useful method of preventing broadcast storms on his network? A. Disable ARP on all accessible ports B. Enable Spanning Tree Protocol C. Enable loop protect features on switches D. Limit the size of VLANs

A. Disable ARP on all accessible ports Broadcast storms occur when broadcast packets are received and retransmitted by switches in a network, amplifying the traffic and causing heavy traffic loads. Spanning Tree Protocol, loop prevention features, and limited VLAN sizes can all reduce the potential for a broadcast storm. Disabling ARP on a network is not a recommended solution for a TCP/IP network.

Elle is implementing a VoIP telephony system and wants to use secure protocols. If she has already implemented SIPS, which other protocol is she most likely to use? A. SRTP B. UDP/S C. S/MIME D. SFTP

A. SRTP The Secure Real-Time Transfer Protocol is used for media streaming in many VoIP implementations. UDP/S is not an actual protocol, S/MIME is used for email, and SFTP is a replacement for FTP and is not typically associated with VoIP systems.

Which one of the following data protection techniques is reversible when conducted properly? A. Tokenization B. Masking C. Hashing D. Shredding

A. Tokenization Tokenization techniques use a lookup table and are designed to be reversible. Masking and hashing techniques replace the data with values that can't be reversed back to the original data if performed properly. Shredding, when conducted properly, physically destroys data so that it may not be recovered.

Michael wants to acquire the firmware from a running device for analysis. What method is most likely to succeed? A. Use forensic memory acquisition techniques. B. Use disk forensic acquisition techniques. C. Remove the firmware chip from the system. D. Shut down the system and boot to the firmware to copy it to a removable device.

A. Use forensic memory acquisition techniques. Firmware can be challenging to access, but both memory forensic techniques and direct hardware interface access are viable means in some cases. Firmware is not typically stored on the disk and instead is stored in a BIOS or UEFI chip. Removing the chip from the system will leave it unable to run and thus this is not a preferred method. Also, many chips are not removable. Shutting down the device and booting it to the firmware does not provide a means of copying the firmware for most devices. Although the firmware is likely to allow updates, most do not allow downloads or copying.

Nick wants to display the ARP cache for a Windows system. What command should he run to display the cache? A. arp /a B. arp -d C. showarp D. arpcache -show

A. arp /a The arp command will show the system's ARP cache using the /a flag on Windows systems. Other flags are /d to delete the cache or a single address if one is supplied, and /s, which will allow you to add an entry. In most cases, security professionals will use the /a flag most frequently to see what exists in an ARP cache on a system.

Michelle wants to prevent unauthorized applications from being installed on a system. What type of tool can she use to allow only permitted applications to be installed? A hardening application An allow list application A deny list application A HIPS

An allow list application An allow list application will allow only specific permitted programs to be installed on a system. Deny list applications will prevent specified applications from being installed. Hardening applications are not a specific category of tool, although hardening scripts are in use, and a HIPS is a host intrusion prevention system.

The company that Theresa works for has deployed IoT sensors that have built-in cellular modems for communication back to a central server. What issue may occur if the devices can be accessed by attackers? A. Attackers may change the baseband frequency used by the devices, causing them to fail. B. Attackers may switch the devices to a narrowband radio mode that limits the range of the cellular modems. C. Attackers may steal the SIM cards from the devices and use them for their own purposes. D. Attackers may clone the SIM cards from the devices to conduct attacks against one-time password systems.

Attackers may steal the SIM cards from the devices and use them for their own purposes. Physical theft of SIM cards is a threat that cellular-connected devices may face. Using an integrated SIM rather than a removable SIM, or making the SIM difficult or impossible to access without significant effort, may help. Although cloning SIM cards to help defeat one-time password systems is an actual attack, IoT devices typically do not use a cellular connection to present a one-time password since no users are involved. Both the narrowband and baseband answers are not concerns in this scenario.

Which of the following is not a typical reason to use an IP addressing schema in an enterprise? Avoiding use of other organizations' IP addresses Avoiding IP address exhaustion in a subnet Asset and system inventory Consistency of practice with gateway and other IP addresses

Avoiding use of other organizations' IP addresses

What is the annualized loss expectancy (ALE)? A. $5,000 B. $25,000 C. $100,000 D. $500,000

B. $25,000 We compute the annualized loss expectancy (ALE) by multiplying the SLE ($500,000) and the ARO (0.05) to get an ALE of $25,000.

Wayne is concerned that an on-path attack has been used against computers he is responsible for. What artifact is he most likely to find associated with this attack? A. A compromised router B. A browser plug-in C. A compromised server D. A modified hosts file

B. A browser plug-in Man-in-the-browser attacks take advantage of malicious browser plug-ins or proxies to modify traffic at the browser level. They do not involve compromised routers or servers, and a modified hosts file is more likely to be involved in a man-in-the-middle attack.

Madhuri is designing a load-balancing configuration for her company and wants to keep a single node from being overloaded. What type of design will meet this need? A. A daisy chain B. Active/active C. Duck-duck-goose D. Active/passive

B. Active/active Active/active designs spread traffic among active nodes, helping to ensure that a single node will not be overwhelmed. Active/passive designs are useful for disaster recovery and business continuity, but they do not directly address heavy load on a single node. There are many load-balancing schemes, but daisy chains and duck, duck, goose are not among them.

Gurvinder wants to select a mobile device deployment method that provides employees with devices that they can use as though they're personally owned to maximize flexibility and ease of use. Which deployment model should he select? A. CYOD B. COPE C. BYOD D. MOTD

B. COPE Gurvinder's requirements fit the COPE (corporate-owned, personally enabled) mobile device deployment model. Choose your own device (CYOD) allows users to choose a device but then centrally manages it. BYOD allows users to use their own device, rather than have the company provide it, and MOTD means message of the day, not a mobile device deployment scheme.

Megan's organization uses the Diamond Model of Intrusion Analysis as part of their incident response process. A user in Megan's organization has discovered a compromised system. What core feature would help her determine how the compromise occurred? A. Adversary B. Capability C. Infrastructure D. Victim

B. Capability Capability analysis is used to determine what an attacker can do and what the tools that are used in the attack may be capable of. Megan should analyze the capability of the adversary and tool, and then consider infrastructure and adversary information to enhance her threat model.

What organization is known for creating independent security benchmarks covering hardware and software platforms from many different vendors? A. Microsoft B. Center for Internet Security C. Cloud Security Alliance D. Cisco

B. Center for Internet Security All of these organizations produce security standards and benchmarks. However, only the Center for Internet Security (CIS) is known for producing independent benchmarks covering a wide variety of software and hardware.

Maria has acquired a disk image from a hard drive using dd, and she wants to ensure that her process is forensically sound. What should her next step be after completing the copy? A. Securely wipe the source drive. B. Compare the hashes of the source and target drive. C. Securely wipe the target drive. D. Update her chain-of-custody document.

B. Compare the hashes of the source and target drive. Once a copy is made, hashes for the original and target drive should be compared to ensure that the copy was successful. After that, the chain-of-custody document can be updated to note that a copy was made and will be tracked as it is analyzed while the original is preserved. Wiping either drive after a copy is not part of the process, although a target drive may be wiped after a case is complete.

Which one of the following is not one of the five core security functions defined by the NIST Cybersecurity Framework? A. Identify B. Contain C. Respond D. Recover

B. Contain The five security functions described in the NIST Cybersecurity Framework are identify, protect, detect, respond, and recover.

What term is given to an individual or organization who determines the reasons for processing personal information? A. Data steward B. Data controller C. Data processor D. Data custodian

B. Data controller Data controllers are the entities who determine the reasons for processing personal information and direct the methods of processing that data. This term is used primarily in European law, and it serves as a substitute for the term data owner to avoid a presumption that anyone who collects data has an ownership interest in that data.

Selah is following the Cyber Kill Chain model and has completed the delivery phase. What step is next according to the Kill Chain? A. Weaponization B. Exploitation C. Installation D. Actions on Objective

B. Exploitation The Cyber Kill Chain describes the phase after delivery when a weapon is delivered to the target as exploitation. In this phase, the malware is triggered and it exploits vulnerabilities on the system to acquire access. Weaponization is the creation of tools to exploit vulnerabilities. Installation occurs when remote access tools are installed. Actions on Objective is the final phase in the Kill Chain when attackers take action to accomplish their goals.

Alex has been handed a flash media device that was quick-formatted and has been asked to recover the data. What data will remain on the drive? A. No data will remain on the drive. B. Files will remain but file indexes will not. C. File indexes will remain, but the files will be gone. D. Files and file indexes will remain on the drive.

B. Files will remain but file indexes will not. Quick-formatting a drive removes the file indexes but leaves the file content on the drive. Recovery tools look for those files on the drive and piece them back together using metadata, headers, and other clues that help to recover the files.

Michelle has deployed iPads to her staff who work her company's factory floor. She wants to ensure that the devices work only in the factory and that if they are taken home they cannot access business data or services. What type of solution is best suited to her needs? A. Context-aware authentication B. Geofencing C. Geolocation D. Unified endpoint management (UEM)

B. Geofencing Geofencing will allow Michelle to determine what locations the device should work at. The device will then use geolocation to determine when it has moved and where it is. In this case, the correct answer is therefore geofencing—simply having geolocation capabilities would not provide the solution she needs. Context-aware authentication can help by preventing users from logging in when they aren't in the correct location, but a device that was logged in may not require reauthentication. Finally, UEM, much like mobile device management, can be used to enforce these policies, but the most correct answer is geofencing.

Mark unplugs the network connection from a system that is part of an incident and places tape over its Ethernet jack with a sign that says "Do not reconnect without approval from IR team." How is this method best described? A. Containment B. Isolation C. Segmentation D. Zoning

B. Isolation Mark has isolated the system by removing it from the network and ensuring that it cannot communicate with other systems. Containment would limit the impact of the incident and might leave the system connected but with restricted or protected access. Segmentation moves systems or groups of systems into zones that have similar purposes, data classification, or other restrictions on them.

Gabby wants to capture the pagefile for a system. Where will she find the pagefile stored? A. In memory B. On disk C. In a CPU register D. In device firmware

B. On disk The pagefile is disk space used to extend or expand memory. Thus, Gabby can find the pagefile on the disk and can capture it as she would other files on the disk.

Isaac is performing a forensic analysis on two systems that were compromised in the same event in the same facility. As he performs his analysis, he notices that the event appears to have happened almost exactly one hour earlier on one system than the other. What is the most likely issue he has encountered? A. The attacker took an hour to get to the second system. B. One system is set to an incorrect time zone. C. The attacker changed the system clock to throw off forensic practitioners. D. The forensic tool is reading the timestamps incorrectly.

B. One system is set to an incorrect time zone. The most common cause of an hour of difference between two systems in an environment is an incorrectly set time zone. Isaac should check the time zone settings, and then correct his findings based on the time zones set on the systems if necessary.

Tina works for a hospital system and manages the system's patient records. What category of personal information best describes the information that is likely to be found in those records? A. PCI B. PHI C. PFI D. PII

B. PHI This is a tricky question, as it is possible that all of these categories of information may be found in patient records. However, they are most likely to contain protected health information (PHI). PHI could also be described as a subcategory of personally identifiable information (PII), but PHI is a better description. It is also possible that the records might contain payment card information (PCI) or personal financial information (PFI), but that is less likely than PHI.

Laura wants to deploy a WPA2 secured wireless for her small business, but she doesn't have a RADIUS server set up. If she wants her Wi-Fi to be encrypted, what is her best option for wireless authentication? A. EAP B. PSK C. EAP-TLS D. Open Wi-Fi with a captive portal

B. PSK In small business and home environments, preshared keys (PSKs) allow encryption without enterprise authentication and a RADIUS server. Both EAP and EAP-TLS are used in enterprise authentication environments, and open Wi-Fi doesn't use encryption.

Susan wants to ensure that the threat of a lost phone creating a data breach is minimized. What two technologies should she implement to do this? A. Wi-Fi and NFC B. Remote wipe and FDE C. Containerization and NFC D. Geofencing and remote wipe

B. Remote wipe and FDE Susan's best options are to use a combination of full-device encryption (FDE) and remote wipe. If a device is stolen and continues to be connected to the cellular network, or reconnects at any point, the remote wipe will occur. If it does not, or if attackers attempt to get data from the device and it is locked, the encryption will significantly decrease the likelihood of the data being accessed. Of course, cracking a passcode, PIN, or password remains a potential threat. NFC and Wi-Fi are wireless connection methods and have no influence on data breaches due to loss of a device. Geofencing may be useful for some specific organizations that want to take action if devices leave designated areas, but it is not a general solution. Containerization may shield data, but use of containers does not immediately imply encryption or other protection of the data, simply that the environments are separated.

Which one of the following would not normally be found in an organization's information security policy? A. Statement of the importance of cybersecurity B. Requirement to use AES-256 encryption C. Delegation of authority D. Designation of responsible executive

B. Requirement to use AES-256 encryption Security policies do not normally contain prescriptive technical guidance, such as a requirement to use a specific encryption algorithm. This type of detail would normally be found in a security standard.

Valerie wants to replace the telnet access that she found still in use in her organization. Which protocol should she use to replace it, and what port will it run on? A. SFTP, port 21 B. SSH, port 22 C. HTTPS, port 443 D. RDP, port 3389

B. SSH, port 22 Telnet provides remote command-line access but is not secure. SSH is the most common alternative to telnet, and it operates on port 22.

Allan is developing a document that lists the acceptable mechanisms for securely obtaining remote administrative access to servers in his organization. What type of document is Allan writing? A. Policy B. Standard C. Guideline D. Procedure

B. Standard Standards describe specific security controls that must be in place for an organization. Allan would not include acceptable mechanisms in a high-level policy document, and this information is too general to be useful as a procedure. Guidelines are not mandatory, so they would not be applicable in this scenario.

Madhuri disables SMS, MMS, and RCS on phones in her organization. What has she prevented from being sent? A. Phone calls and texts B. Text messages and multimedia messages C. Text messages and firmware updates D. Phone calls and multimedia messages

B. Text messages and multimedia messages SMS (Short Message Service) is used to send text messages, and MMS and RCS provide additional multimedia features. Neither provides phone calls or firmware updates.

Chris has turned on logon auditing for a Windows system. Which log will show them? A. The Windows Application log B. The Windows Security log C. The Windows System log D. All of the above

B. The Windows Security log The Windows Security log records logon events when logon auditing is enabled. The Application and System logs do not contain these events.

What is the asset value (AV)? A. $5,000 B. $100,000 C. $500,000 D. $600,000

C. $500,000 The asset at risk in this case is the customer database. Losing control of the database would result in a $500,000 fine, so the asset value (AV) is $500,000.

What is the single loss expectancy (SLE)? A. $5,000 B. $100,000 C. $500,000 D. $600,000

C. $500,000 We compute the single loss expectancy (SLE) by multiplying the asset value (AV) ($500,000) and the exposure factor (EF) (100%) to get an SLE of $500,000.

Gwen is building her organization's documentation and processes and wants to create the plan for what the organization would do if her datacenter burned down. What type of plan would typically cover that type of scenario? A. An incident response plan B. A business continuity plan C. A disaster recovery plan D. A stakeholder management plan

C. A disaster recovery plan Disaster recovery plans describe what will occur if a natural or man-made disaster has a significant impact on an organization. Business continuity plans describe how the business will continue to operate. IR plans deal with incidents, and stakeholder management is part of many plans.

During a site survey, Chris discovers that there are more access points broadcasting his organization's SSID than he expects there to be. What type of wireless attack has he likely discovered? A. An identical twin B. An alternate access point C. An evil twin D. A split SSID

C. An evil twin Evil twins are access points configured to appear to be legitimate access points. In this case, Chris should determine where his access points are, and then use his wireless surveying tools to locate the potentially malicious access point. Although it is possible that a member of his organization's staff has configured their own access point, Chris needs to be sure that attackers have not attempted to infiltrate his network. Identical twin, alternate access point, and split SSID were made up for this question.

Gurvinder wants to follow the order of volatility to guide his forensic data acquisition. Which of the following is the least volatile? A. RAM B. Data on the hard drive C. Backups D. Remote logs

C. Backups Backups are the least volatile of these options according to the order of volatility. Backups will be kept until they are aged out, which may be days, weeks, or even months in some cases. From most to least volatile, these are RAM, data on the hard drive, remote logs, and then backups.

Octavia discovers that the contact list from her phone has been acquired via a wireless attack. Which of the following is the most likely culprit? A. Bluejacking B. An evil maid C. Bluesnarfing D. An evil twin

C. Bluesnarfing Bluesnarfing is the theft of information from a Bluetooth enabled device. If Octavia left Bluetooth on and has not properly secured her device, then an attacker may have been able to access her contact list and download its contents. A bluejacking attack occurs when unwanted messages are sent to a device via Bluetooth. Evil twins are malicious access points configured to appear to be legitimate access points, and an evil maid attack is an in-person attack where an attacker takes advantage of physical access to hardware to acquire information or to insert malicious software on a device.

Alaina has implemented WPA2 and uses enterprise authentication for access points in infrastructure mode. What encryption protocol is her network using? A. WEP B. TKIP C. CCMP D. IV

C. CCMP CCMP is the encryption protocol used for WPA2. A block cipher, CCMP provides confidentiality, authentication, and access control features. WEP is the protocol used before WPA, TKIP was used in WPA prior to the use of CCMP in WPA2, and IV is an initialization vector.

What type of security policy often serves as a backstop for issues not addressed in other policies? A. Account management B. Data ownership C. Code of conduct D. Continuous monitoring

C. Code of conduct The code of conduct is often used as a backstop for employee behavior issues that are not addressed directly by another policy.

Theresa's organization has received a legal hold notice for their files and documents. Which of the following is not an action she needs to take? A. Ensure that changes to existing documents related to the case are tracked and that originals can be provided. B. Preserve all existing documents relevant to the case. C. Delete all sensitive documents related to the case. D. Prevent backups that contain files related to the case from being overwritten on their normal schedule.

C. Delete all sensitive documents related to the case. Removing information relevant to a legal hold is exactly what the hold is intended to prevent. Theresa's organization could be in serious legal trouble if they were to intentionally purge or change related information.

What are the two most commonly deployed biometric authentication solutions for mobile devices? A. Voice recognition and face recognition B. Fingerprint recognition and gait recognition C. Face recognition and fingerprint recognition D. Voice recognition and fingerprint recognition

C. Face recognition and fingerprint recognition Current mobile device implementations have focused heavily on facial recognition via services like Apple's FaceID and fingerprint recognition like Android's fingerprint scanning and Apple's TouchID. Gait recognition is not a widely deployed biometric technology and would be difficult for most mobile device users to use. Voice recognition as a biometric authenticator has not been broadly deployed for mobile devices, whereas voice-activated services are in wide usage.

Which of the following statements about the security implications of IPv6 is not true? A. Rules based on static IP addresses may not work. B. IPv6 reputation services may not be mature and useful. C. IPv6's NAT implementation is insecure. D. IPv6 traffic may bypass existing security controls.

C. IPv6's NAT implementation is insecure. IPv6 does not include network address translation (NAT) because there are so many IP addresses available. That means that there is not a NAT implementation, and thus, IPv6 can't have an insecure version. Rules based on static IPv6 addresses may not work since dynamic addresses are heavily used in IPv6 networks, reputation services remain relatively rare and less useful for IPv6 traffic, and IPv6 traffic may bypass many existing IPv4 security tools.

Madhuri wants to check a PNG-formatted photo for GPS coordinates. Where can she find that information if it exists in the photo? A. In the location.txt file appended to the PNG B. On the original camera C. In the photo's metadata D. In the photo as a steganographically embedded data field

C. In the photo's metadata If the photo includes GPS data, it will be included in the photo's metadata. Madhuri can use a tool like ExifTool to review the metadata for useful information. None of the other answers are places where data is stored for a PNG image as a normal practice.

Charles needs to know about actions an individual performed on a PC. What is the best starting point to help him identify those actions? A. Review the system log. B. Review the event log. C. Interview the individual. D. Analyze the system's keystroke log.

C. Interview the individual. Although it may be tempting to use a technical answer, interviewing the individual involved is the best starting point when a person performed actions that need to be reviewed. Charles can interview the staff member, and then move on to technical means to validate their responses. System and event logs may have some clues to what occurred, but normal systems do not maintain a keystroke log. In fact, the closest normal element is the command log used by both Windows and Linux to allow command-line input to be recalled as needed.

Which team member acts as a primary conduit to senior management on an IR team? A. Communications and public relations B. Information security C. Management D. Technical expert

C. Management Members of management or organizational leadership act as a primary conduit to senior leadership for most incident response teams. They also ensure that difficult or urgent decisions can be made without needing escalated authority. Communications and PR staff focus on internal and external communications but are typically not the direct conduit to leadership. Technical and information security experts do most of the incident response work itself.

Cynthia wants to make an exact copy of a drive using a Linux command-line tool. What command should she use? A. df B. cp C. dd D. ln

C. dd dd is a copying and conversion command for Linux and can be used to create a forensic image that can be validated using an MD5sum or SHA1 hash. The other commands are df for disk usage, cp for copying files, and ln to link files.

Fred wants to ensure that the administrative interfaces for the switches and routers are protected so that they cannot be accessed by attackers. Which of the following solutions should he recommend as part of his organization's network design? A. NAC B. Trunking C. Out-of-band management D. Port security

C. Out-of-band management Out-of-band management places the administrative interface of a switch, router, or other device on a separate network or requires direct connectivity to the device to access and manage it. This ensures that an attacker who has access to the network cannot make changes to the network devices. NAC and port security help protect the network itself, whereas trunking is used to combine multiple interfaces, VLANs, or ports together.

What is the most frequent concern that leads to GPS tagging being disabled by some companies via an MDM tool? A. Chain of custody B. The ability to support geofencing C. Privacy D. Context-aware authentication

C. Privacy Geotagging places a location stamp in documents and pictures that can include position, time, and date. This can be a serious privacy issue when pictures or other information are posted, and many individuals and organizations disable GPS tagging. Organizations may want to enforce GPS tagging for some work products, meaning that the ability to enable or disable it in an MDM tool is quite useful. Chain of custody is a forensic concept, the ability to support geofencing does not require GPS tagging, and context-aware authentication may need geolocation but not GPS tagging.

Which one of the following items is not normally included in a request for an exception to security policy? A. Description of a compensating control B. Description of the risks associated with the exception C. Proposed revision to the security policy D. Business justification for the exception

C. Proposed revision to the security policy Requests for an exception to a security policy would not normally include a proposed revision to the policy. Exceptions are documented variances from the policy because of specific technical and/or business requirements. They do not alter the original policy, which remains in force for systems not covered by the exception.

Asa believes that her organization is taking data collected from customers for technical support and using it for marketing without their permission. What principle is most likely being violated? A. Data minimization B. Data retention C. Purpose limitation D. Data sovereignty

C. Purpose limitation Organizations should only use data for the purposes disclosed during the collection of that data. In this case, the organization collected data for technical support purposes and is now using it for marketing purposes. That violates the principle of purpose limitation.

Gene recently conducted an assessment and determined that his organization can be without its main transaction database for a maximum of two hours before unacceptable damage occurs to the business. What metric has Gene identified? A. MTBF B. MTTR C. RTO D. RPO

C. RTO The Recovery Time Objective (RTO) is the amount of time that the organization can tolerate a system being down before it is repaired. That is the metric that Gene has identified in this scenario.

You notice a high number of SQL injection attacks against a web application run by your organization, so you install a web application firewall to block many of these attacks before they reach the server. How have you altered the severity of this risk? A. Reduced the magnitude B. Eliminated the vulnerability C. Reduced the probability D. Eliminated the threat
Questions 3-7 refer to the following scenario: Aziz is responsible for the administration of an e-commerce website that generates $100,000 per day in revenue for his firm. The website uses a database that contains sensitive information about the firm's customers. He expects that a compromise of that database would result in $500,000 of fines against his firm. Aziz is assessing the risk of a SQL injection attack against the database where the attacker would steal all of the customer personally identifiable information (PII) from the database. After consulting threat intelligence, he believes that there is a 5 percent chance of a successful attack in any given year.

C. Reduced the probability Installing a web application firewall reduces the probability that an attack will reach the web server. Vulnerabilities may still exist in the web application and the threat of an external attack is unchanged. The impact of a successful SQL injection attack is also unchanged by a web application firewall.

Jen identified a missing patch on a Windows server that might allow an attacker to gain remote control of the system. After consulting with her manager, she applied the patch. From a risk management perspective, what has she done? A. Removed the threat B. Reduced the threat C. Removed the vulnerability D. Reduced the vulnerability

C. Removed the vulnerability By applying the patch, Jen has removed the vulnerability from her server. This also has the effect of eliminating this particular risk. Jen cannot control the external threat of an attacker attempting to gain access to her server.

Grace's first idea is to add a web application firewall to protect her organization against SQL injection attacks. What risk management strategy does this approach adopt? A. Risk acceptance B. Risk avoidance C. Risk mitigation D. Risk transference

C. Risk mitigation Installing new controls or upgrading existing controls is an effort to reduce the probability or magnitude of a risk. This is an example of a risk mitigation activity.

Which one of the following U.S. government classification levels requires the highest degree of security control? A. Secret B. Confidential C. Top Secret D. Unclassified

C. Top Secret Top Secret is the highest level of classification under the U.S. system and, therefore, requires the highest level of security control.

Greg wants to use a tool that can directly edit disks for forensic purposes. What commercial tool could he select from this list? A. dd B. memdump C. WinHex D. df

C. WinHex WinHex is a commercial disk editor that provides a number of useful forensic tools that can help with investigations and data recovery. The other tools are open source tools.

Danielle wants to capture traffic from a network so that she can analyze a VoIP conversation. Which of the following tools will allow her to review the conversation most effectively? A. A network SIPper B. tcpdump C. Wireshark D. netcat

C. Wireshark Although tcpdump can be used to view packets sent as part of a VoIP connection, Wireshark has built-in VoIP analysis and protocol-specific tools. Danielle will have greater success using those built-in tools. A network SIPper is a made-up tool, and netcat is not a packet sniffer.

Jim wants to view log entries that describe actions taken by applications on a CentOS Linux system. Which of the following tools can he use on the system to view those logs? A. logger B. syslog-ng C. journalctl D. tail

C. journalctl CentOS and Red Hat Enterprise Linux both use journalctl to view journal logs that contain application information. Jim should use journalctl to review the logs for the information he needs. The tool also provides functionality that replicates what head and tail can do for logs. Syslog-ng is a logging infrastructure, and though logs may be sent via syslog-ng, it is not mentioned here. logger is a logging utility used to make entries in the system log.

Michael wants to log directly to a database while also using TCP and TLS to protect his log information and to ensure it is received. What tool should he use? A. syslog B. rsyslog C. syslog-ng D. journalctl

C. syslog-ng Syslog-ng allows logging directly to common databases, uses TCP, and supports TLS, making it a secure and reliable option. Rsyslog does not allow direct logging to a database, and syslog itself does not provide these functions by default.

Jerome wants to allow guests to use his organization's wireless network, but he does not want to provide a preshared key. What solution can he deploy to gather information such as email addresses or other contact information before allowing users to access his open network? A. WPS capture mode B. Kerberos C. WPA2 D. A captive portal

D. A captive portal Jerome should deploy a captive portal that requires users to provide information before being moved to a network segment that allows Internet access. WPS capture mode was made up for this question, Kerberos is used for enterprise authentication, and WPA2 supports open, enterprise, or PSK modes but does not provide the capability Jerome needs by itself.

Fred's company issues devices in a BYOD model. That means that Fred wants to ensure that corporate data and applications are kept separate from personal applications on the devices. What technology is best suited to meet this need? A. Biometrics B. Full-device encryption C. Context-aware authentication D. Containerization

D. Containerization Using a containerization system can allow Fred's users to run corporate applications and to use corporate data in a secure environment that cannot be accessed by other applications outside of the container on the device. Containerization schemes for mobile devices typically use encryption and other isolation techniques to ensure that data and applications do not cross over. Biometrics and context-aware authentication are useful for ensuring that the right user is using a device but don't provide this separation. Full-device encryption helps reduce the risk of theft or loss of a device resulting in a data breach.

Which one of the following policies would typically answer questions about when an organization should destroy records? A. Data ownership policy B. Account management policy C. Password policy D. Data retention policy

D. Data retention policy The data retention policy outlines what information the organization will maintain and the length of time different categories of information will be retained prior to destruction.

Which of the following is not one of the four phases in COOP? A. Readiness and preparedness B. Activation and relocation C. Continuity of operations D. Documentation and reporting

D. Documentation and reporting The fourth phase of COOP is Reconstitution, which restores systems and services to operation. Documentation and reporting is not a phase in COOP, although it is likely to occur in multiple phases.

Colin would like to implement a security control in his accounting department that is specifically designed to detect cases of fraud that are able to occur despite the presence of other security controls. Which one of the following controls is best suited to meet Colin's need? A. Separation of duties B. Least privilege C. Dual control D. Mandatory vacations

D. Mandatory vacations Mandatory vacations are designed to force individuals to take time away from the office to allow fraudulent activity to come to light in their absence. The other controls listed here (separation of duties, least privilege, and dual control) are all designed to prevent, rather than detect, fraud.

Alaina wants to maintain chain of custody documentation and has created a form. Which of the following is not a common element on a chain of custody form? A. Item identifier number B. Signature of the person transferring the item C. Signature of the person receiving the item D. Method of transport

D. Method of transport Chain of custody tracks who has an item, how it is collected, where it is stored and how, how it is secured or protected, who collected it, and transfers, but it does not typically include how the items were transported because that is not relevant if the other data is provided.

What compliance obligation applies to merchants and service providers who work with credit card information? A. FERPA B. SOX C. HIPAA D. PCI DSS

D. PCI DSS The Payment Card Industry Data Security Standard (PCI DSS) provides detailed rules about the storage, processing, and transmission of credit and debit card information. PCI DSS is not a law but rather a contractual obligation that applies to credit card merchants and service providers.

Which one of the following documents must normally be approved by the CEO or similarly high-level executive? A. Standard B. Procedure C. Guideline D. Policy

D. Policy Policies require approval from the highest level of management, usually the CEO. Other documents may often be approved by other managers, such as the CISO.

(REVIEW PAGE 726/995) The following figure shows the Security+ incident response cycle. What item is missing? A. Planning B. Reporting C. Monitoring D. Preparation

D. Preparation The first item in the incident response cycle used by the Security+ exam is preparation.

Which wireless technology is frequently used for door access cards? A. Wi-Fi B. Infrared C. Cellular D. RFID

D. RFID Radio frequency identification (RFID) is commonly used for entry access cards. Wi-Fi, infrared, and cellular are not typically used for this purpose, but NFC may be.

What protocol is used to securely wrap many otherwise insecure protocols? A. ISAKMP B. SSL C. IKE D. TLS

D. TLS Transport Layer Security (TLS) is commonly used to wrap (protect) otherwise insecure protocols. In fact, many of the secure protocols simply add TLS to protect them. ISAKMP and IKE are both used for IPSec and can be used to wrap insecure protocols, but they aren't used alone. SSL is no longer used; TLS has almost entirely replaced it, although SSL is still often casually referred to as TLS.

Which of the following is a memory forensics toolkit that includes memdump? A. FTK Imager B. WinHex C. dd D. Volatility

D. Volatility The Volatility Framework is a memory forensics toolkit that includes memdump. FTK Imager does contain a capture memory function, WinHex can dump memory, and dd can be used in a limited fashion to capture memory, but none of these tools builds in a function called memdump.

Frank is concerned about the admissibility of his forensic data. Which of the following is not an element he should be concerned about? A. Whether the forensic source data has remained unaltered B. Whether the practices and procedures would survive review by experts C. Whether the evidence is relevant to the case D. Whether the forensic information includes a timestamp

D. Whether the forensic information includes a timestamp Forensic information does not have to include a timestamp to be admissible, but timestamps can help build a case that shows when events occurred. Files without a timestamp may still show other information that is useful to the case or may have other artifacts associated with them that can provide context about the time and date.

Connor believes that there is an issue between his organization's network and a remote web server, and he wants to verify this by checking each hop along the route. Which tool should he use if he is testing from a Windows 10 system? A. tracert B. route C. traceroute D. pathping

D. pathping The Windows pathping tool is specifically designed to show the network latency and loss at each step along a route. The tracert tool identifies the path to a remote system, and the route command can be used to view, add, and delete routes. traceroute is used in Linux, not Windows.

What term is used to describe tools focused on detecting and responding to suspicious activities occurring on endpoints like desktops, laptops, and mobile devices? EDR IAM FDE ESC

EDR Endpoint detection and response (EDR) systems provide monitoring, detection, and response capabilities for systems. EDR systems capture data from endpoints and send it to a central repository, where it can be analyzed for issues and indicators of compromise or used for incident response activities. IAM is identity and access management, FDE is full-disk encryption, and ESC is not a commonly used security acronym.

Frank's organization is preparing to deploy a data loss prevention (DLP) system. What key process should they undertake before they deploy it? Define data lifecycles for all nonsensitive data. Encrypt all sensitive data. Implement and use a data classification scheme. Tag all data with the name of the creator or owner.

Implement and use a data classification scheme. Protecting data using a DLP requires data classification so that the DLP knows which data should be protected and what policies to apply to it. Defining data lifecycles can help prevent data from being kept longer than it should be and improves data security by limiting the data that needs to be secured, but it isn't necessary as part of a DLP deployment. Encrypting all sensitive data may mean the DLP cannot recognize it and may not be appropriate for how it is used. Tagging all data with a creator or owner can be useful but is not required for a DLP rollout; instead, knowing the classification of the data is more important.

Which of the following is not typically part of a SoC? A CPU A display Memory I/O

Memory A system on a chip (SoC) is a chip that has most of the functions of a complete computer built into it. In fact, most SoCs have a CPU, memory, input/output, and storage as part of the chip. Adding a display to the chip is unlikely, but adding a display that the SoC can access and display to is very common in things like smartphones, smart watches, and other devices.

Charles wants to monitor changes to a log file via a command line in real time. Which of the following command-line Linux tools will let him see the last lines of a log file as they change? logger tail chmod head

tail The Linux tail command with the -f flag will follow a file as it changes, showing the last 10 lines by default. Charles can use this to monitor a log file as it changes. logger adds text to the syslog file, chmod changes permissions, and head shows the first 10 lines of a file, which will typically be the oldest entries in a log file on a Linux system.

