EXAM A


A56. An organization is installing a UPS for their new data center. Which of the following would BEST describe this type of control? ❍ A. Compensating ❍ B. Preventive ❍ C. Administrative ❍ D. Detective

The Answer: A. Compensating A compensating security control doesn't prevent an attack, but it does restore from an attack using other means. In this example, the UPS does not stop a power outage, but it does provide alternative power if an outage occurs.

A42. Sam has just replaced a broken wireless access point in a warehouse. With the new access point online, only a portion of the wireless devices are able to connect to the network. Other devices can see the access point, but they are not able to connect even when using the correct wireless settings. Which of the following security features did Sam MOST likely enable? ❍ A. MAC filtering ❍ B. SSID broadcast suppression ❍ C. 802.1X authentication ❍ D. Anti-spoofing ❍ E. LWAPP management

The Answer: A. MAC filtering Filtering addresses by MAC (Media Access Control) address will limit which devices can connect to the wireless network. If a device is filtered by MAC address, it will be able to see an access point but it will not be able to connect.

A64. Which of the following would be the BEST way to confirm the secure baseline of a deployed application instance? ❍ A. Compare the production application to the sandbox ❍ B. Perform an integrity measurement ❍ C. Compare the production application to the previous version ❍ D. Perform QA testing on the application instance

The Answer: B. Perform an integrity measurement An integrity measurement is designed to check for the secure baseline of firewall settings, patch levels, operating system versions, and any other security components associated with the application. These secure baselines may vary between different application versions.

A43. A security administrator has gathered this information:
Proto Recv-Q Send-Q Local Address Foreign Address (state)
tcp6 416 0 2601:4c3:4080:82.63976 yv-in-x5e.1e100..https CLOSE_WAIT
tcp6 0 0 2601:4c3:4080:82.63908 atl14s80-in-x0a..https ESTABLISHED
tcp6 0 0 fe80::4de1:1d4:8.36253 fe80::38b0:a2b1:.1025 ESTABLISHED
tcp6 0 0 fe80::4de1:1d4:8.1024 fe80::38b0:a2b1:.1024 ESTABLISHED
Which of the following is being used to create this information? ❍ A. tracert ❍ B. netstat ❍ C. dig ❍ D. nbtstat

The Answer: B. netstat The netstat command provides a list of network statistics, and the default view shows the traffic sessions between the local device and other devices on the network.

A77. An organization maintains a large database of customer information for sales tracking and customer support. Which person in the organization would be responsible for managing the access rights to this data? ❍ A. Data steward ❍ B. Data owner ❍ C. Privacy officer ❍ D. Data custodian

The Answer: D. Data custodian The data custodian manages access rights and sets security controls on the data.

A89. A company is updating their VoIP handsets and would like to use SRTP for all phone calls. Which of these technologies would MOST commonly be used to implement this feature? ❍ A. AES ❍ B. TLS ❍ C. Asymmetric encryption ❍ D. SSH ❍ E. IPS

The Answer: A. AES The Advanced Encryption Standard (AES) cipher is used to encrypt traffic over SRTP (Secure Real-time Protocol) VoIP (Voice over IP) communication.

A12. Elizabeth, a security administrator, is concerned about the potential for data exfiltration using external storage drives. Which of the following would be the BEST way to prevent this method of data exfiltration? ❍ A. Create an operating system security policy to prevent the use of removable media ❍ B. Monitor removable media usage in host-based firewall logs ❍ C. Only whitelist applications that do not use removable media ❍ D. Define a removable media block rule in the UTM

The Answer: A. Create an operating system security policy to prevent the use of removable media Removable media uses hot-pluggable interfaces such as USB to connect storage drives. A security policy in the operating system can prevent any files from being written to a removable drive.

A35. A user has saved a presentation file to a network drive, and the user has assigned individual rights and permissions to the file. Prior to the presentation date, the user adds three additional individuals to have read-only access to the file. Which of the following would describe this access control model? ❍ A. DAC ❍ B. MAC ❍ C. ABAC ❍ D. RBAC

The Answer: A. DAC DAC (Discretionary Access Control) is used in many operating systems, and this model allows the owner of the resource to control who has access.

A7. Which of these protocols use TLS to provide secure communication? (Select TWO) ❍ A. HTTPS ❍ B. SSH ❍ C. FTPS ❍ D. SNMPv2 ❍ E. DNSSEC ❍ F. SRTP

The Answer: A. HTTPS and C. FTPS TLS (Transport Layer Security) is a cryptographic protocol used to encrypt network communication. HTTPS is the Hypertext Transfer Protocol over TLS, and FTPS is the File Transfer Protocol over TLS.

A87. A company has just deployed a new application into their production environment. Unfortunately, a significant bug has been identified that must be quickly corrected. The operations team will not allow any incremental bug fixes to the production system, and instead require an entirely new application instance deployment for any updates. Which of the following would BEST describe this production system? ❍ A. Immutable ❍ B. Agile ❍ C. IAC ❍ D. Sandbox

The Answer: A. Immutable An immutable system cannot be changed once deployed. To update the application, a new iteration must be deployed.

A47. Your CISO (Chief Information Security Officer) has contracted with a third-party to identify security vulnerabilities associated with all Internet-facing systems. This organization has identified a significant vulnerability in the newly-released firewall used in your DMZ. When you contact the firewall company, you find there are no plans to create a patch for this specific vulnerability. Which of the following would BEST describe this issue? ❍ A. Lack of vendor support ❍ B. Improper input handling ❍ C. Improper key management ❍ D. End-of-life

The Answer: A. Lack of vendor support Security issues can be identified in a system or application at any time, so it's important to have a vendor that can support their software and correct issues as they are discovered. If a vendor won't provide security patches, then you may be susceptible to security vulnerabilities.

A18. A system administrator, Daniel, is working on a contract that will specify a minimum required uptime for a set of Internet-facing firewalls. Daniel needs to know how often the firewall hardware is expected to fail between repairs. Which of the following would BEST describe this information? ❍ A. MTBF ❍ B. RTO ❍ C. MTTR ❍ D. MTTF

The Answer: A. MTBF The MTBF (Mean Time Between Failures) is a prediction of how often a repairable system will fail.

A67. Rodney is a security administrator for a large manufacturing company. His company has just acquired a transportation company, and Rodney has connected the two networks together with an IPsec VPN. Rodney needs to allow access to the manufacturing company network for anyone who authenticates to the transportation company network. Which of these authentication methods BEST meets Rodney's requirements? ❍ A. One-way trust ❍ B. Mobile device location services ❍ C. Smartphone software tokens ❍ D. Two-factor authentication

The Answer: A. One-way trust A one-way trust would allow the manufacturing company to trust the transportation company, but there would not be a trust in the other direction.

A8. Which of these threat actors would be MOST likely to attack systems for direct financial gain? ❍ A. Organized crime ❍ B. Hacktivist ❍ C. Nation state ❍ D. Competitor

The Answer: A. Organized crime An organized crime actor is motivated by money, and their attacks are usually aimed at targets that can be easily exchanged for financial capital.

A9. A security incident has occurred on a file server. Which of the following data sources should be gathered to address file storage volatility? (Select TWO) ❍ A. Partition data ❍ B. Kernel statistics ❍ C. ROM data ❍ D. Temporary file systems ❍ E. Process table

The Answer: A. Partition data and D. Temporary file systems Both temporary file system data and partition data are part of the file storage subsystem.

A27. Which of these would be the MOST significant security concern for an insider threat? ❍ A. Passwords written on sticky notes ❍ B. An unpatched file server ❍ C. A VPN concentrator that uses an older encryption cipher ❍ D. Limited bandwidth available on the Internet link

The Answer: A. Passwords written on sticky notes A password written down and left in an open area can be used by any insider who happens to walk by.

A68. A company encourages users to encrypt all of their confidential materials on a central server. The organization would like to enable key escrow as a backup. Which of these keys should the organization place into escrow? ❍ A. Private ❍ B. CA ❍ C. Session ❍ D. Public

The Answer: A. Private With asymmetric encryption, the private key is used to decrypt information that has been encrypted with the public key. To ensure continued access to the encrypted data, the company must have a copy of each private key.

A72. A data center manager has built a Faraday cage in the data center. A set of application servers has been placed into racks inside the Faraday cage. Which of the following would be the MOST likely reason for the data center manager to install this configuration of equipment? ❍ A. Protect the servers against any unwanted electromagnetic fields ❍ B. Prevent physical access to the servers without the proper credentials ❍ C. Provide additional cooling to all devices in the cage ❍ D. Adds additional fire protection for the application servers

The Answer: A. Protect the servers against any unwanted electromagnetic fields A Faraday cage is a mesh of conductive material that will cancel electromagnetic fields.

A17. A group of universities sponsor a monthly speaking event that is attended by faculty from many different schools. Each month, a different university is selected to host the event. The IT staff for the event would like to allow access to the local wireless network using the faculty member's normal authentication credentials. These credentials should properly authenticate, even when the faculty member is not physically located at their home campus. Which of the following authentication methods would be the BEST choice for this requirement? ❍ A. RADIUS federation ❍ B. 802.1X ❍ C. PEAP ❍ D. EAP-FAST

The Answer: A. RADIUS federation RADIUS (Remote Authentication Dial-In User Service) with federation would allow members of one organization to authenticate using the credentials of another organization.

An insurance company has created a set of policies to handle data breaches. The security team has been given this set of requirements based on these policies:
• Access records from all devices must be saved and archived
• Any data access outside of normal working hours must be immediately reported
• Data access must only occur inside of the country
• Access logs and audit reports must be created from a single database
Which of the following should be implemented by the security team to meet these requirements? (Select THREE) ❍ A. Restrict login access by IP address and GPS location ❍ B. Require government-issued identification during the onboarding process ❍ C. Add additional password complexity for accounts that access data ❍ D. Conduct monthly permission auditing ❍ E. Consolidate all logs on a SIEM ❍ F. Archive the encryption keys of all disabled accounts ❍ G. Enable time-of-day restrictions on the authentication server

The Answer: A. Restrict login access by IP address and GPS location, E. Consolidate all logs on a SIEM, and G. Enable time-of-day restrictions on the authentication server Adding location-based policies will prevent direct data access from outside of the country. Saving log information from all devices and creating audit reports from a single database can be implemented through the use of a SIEM (Security Information and Event Manager). Adding a check for the time-of-day will report any access that occurs during non-working hours.

A19. An attacker calls into a company's help desk and pretends to be the director of the company's manufacturing department. The attacker states that they have forgotten their password and they need to have the password reset quickly for an important meeting. The help desk engineer requests the employee's ID number and sends a password reset validation code to the user's registered mobile device number. What kind of attack is the help desk engineer preventing by following these processes? ❍ A. Social engineering ❍ B. Tailgating ❍ C. Vishing ❍ D. Man-in-the-middle

The Answer: A. Social engineering A social engineering attack takes advantage of authority and urgency principles in an effort to convince someone else to circumvent normal security controls.

A32. A security administrator is reviewing a 30-day access report to determine if there are any unusual or unexpected authentications. After these reviews, the security administrator decides to add additional authentication controls to the existing infrastructure. Which of the following should be added by the security administrator? (Select TWO) ❍ A. TOTP ❍ B. Least privilege ❍ C. Role-based awareness training ❍ D. Separation of duties ❍ E. Job rotation ❍ F. Smart Card

The Answer: A. TOTP and F. Smart Card TOTP (Time-based One-Time Passwords) and smart cards are useful authentication controls when used in conjunction with other authentication factors.

A74. A critical security patch has been rolled out on short notice to a large number of servers in a data center. IT management is requiring verification that this patch has been properly installed on all applicable servers. Which of the following would be the BEST way to verify the installation of this patch? ❍ A. Use a vulnerability scanner ❍ B. Examine IPS logs ❍ C. Use a data sanitization tool ❍ D. Monitor real-time traffic with a protocol analyzer

The Answer: A. Use a vulnerability scanner A vulnerability scanner can check the status of a vulnerability on a device and create a report of which devices may be susceptible to a particular vulnerability.

A79. A corporate security team has performed a data center audit and found that most web servers store their certificates on the server itself. The security team would like to consolidate and protect the certificates across all of their web servers. Which of these would be the BEST way to securely store these certificates? ❍ A. Use an HSM ❍ B. Implement full disk encryption on the web servers ❍ C. Use a TPM ❍ D. Upgrade the web servers to use a UEFI BIOS

The Answer: A. Use an HSM An HSM (Hardware Security Module) is a high-end cryptographic hardware appliance that can securely store keys and certificates for all devices.

A59. Samantha, a Linux administrator, is downloading an updated version of her Linux distribution. The download site shows a link to the ISO and a SHA256 hash value. Which of these would describe the use of this hash value? ❍ A. Verifies that the file was not corrupted during the file transfer ❍ B. Provides a key for decrypting the ISO after download ❍ C. Authenticates the site as an official ISO distribution site ❍ D. Confirms that the file does not contain any malware

The Answer: A. Verifies that the file was not corrupted during the file transfer

A33. A network administrator would like to reconfigure the authentication process on the company's wireless network. Instead of using the same wireless password for all users, the administrator would like each user to authenticate with their personal username and password. Which of the following should the network administrator configure on the wireless access points? ❍ A. WPA2-PSK ❍ B. 802.1X ❍ C. WPS ❍ D. WPA2-AES

The Answer: B. 802.1X 802.1X uses a centralized authentication server, and all users can use their normal credentials to authenticate to an 802.1X network.

A15. Rodney, a security engineer, is viewing this record from the firewall logs:
UTC 04/05/2018 03:09:15809 AV Gateway Alert 136.127.92.171 80 -> 10.16.10.14 60818 Gateway Anti-Virus Alert: XPACK.A_7854 (Trojan) blocked.
Which of the following can be observed from this log information? ❍ A. The victim's IP address is 136.127.92.171 ❍ B. A download was blocked from a web server ❍ C. A botnet DDoS attack was blocked ❍ D. The Trojan was blocked, but the file was not

The Answer: B. A download was blocked from a web server A traffic flow from a web server port number (80) to a device port (60818) indicates that this traffic flow originated on port 80 of the web server. A file download is one of the most common ways to deliver a Trojan, and this log entry shows that the file containing the XPACK.A_7854 Trojan was blocked.

A21. Which of the following would be commonly provided by a CASB? (Select TWO) ❍ A. List of all internal Windows devices that have not installed the latest security patches ❍ B. List of applications in use ❍ C. Centralized log storage facility ❍ D. List of network outages for the previous month ❍ E. Verification of encrypted data transfers ❍ F. VPN connectivity for remote users

The Answer: B. List of applications in use and E. Verification of encrypted data transfers A CASB (Cloud Access Security Broker) can be used to apply security policies to cloud-based implementations. Two common functions of a CASB are visibility into application use and data security policy use. Other common CASB functions are the verification of compliance with formal standards and the monitoring and identification of threats.

A53. Sam is a user in the accounting department, and she uses the corporate accounting software to perform her daily job duties. Sam's organization uses a role-based access control model to assign permissions. Who is responsible for managing these roles and permissions? ❍ A. Data owners ❍ B. Administrators ❍ C. Users ❍ D. Application owners

The Answer: B. Administrators With RBAC (Role-based Access Control), administrators define the access that a particular role will have. As users are added to a role, they will gain the rights and permissions that have been defined for members of that role.

A85. A security manager has created a report that shows intermittent network communication from external IP addresses to certain workstations on the internal network. These traffic patterns occur at random times during the day. Which of the following would be the MOST likely reason for these traffic patterns? ❍ A. ARP poisoning ❍ B. Backdoor ❍ C. Polymorphic virus ❍ D. Trojan horse

The Answer: B. Backdoor A backdoor would allow an attacker to access a system at any time without any user intervention. If there are inbound traffic flows that cannot be identified, it may be necessary to isolate that computer and examine it for signs of a compromised system.

A60. The security policy at a company requires that login access should only be available if a person is physically within the same building as the server. Which of the following would be the BEST way to provide this requirement? ❍ A. TOTP ❍ B. Biometric scanner ❍ C. PIN ❍ D. SMS

The Answer: B. Biometric scanner A biometric scanner would require a person to be physically present to verify authentication.

A28. A security administrator would like to limit access from a user VLAN to the server VLAN. All traffic to the server VLAN communicates through the core router. Users should only be able to connect to servers using standard protocols. Which of the following options would be the BEST way to implement this security feature? ❍ A. Configure a reverse proxy ❍ B. Define an ACL on the core router ❍ C. Replace the core router with a layer 3 firewall ❍ D. Add a load balancer for each server cluster

The Answer: B. Define an ACL on the core router Configuring an ACL (Access Control List) is a feature already included with the router. The ACL will allow the filtering of traffic by IP address and port number.

A24. What kind of security control is associated with a login banner? ❍ A. Preventive ❍ B. Deterrent ❍ C. Corrective ❍ D. Detective ❍ E. Compensating ❍ F. Physical

The Answer: B. Deterrent A deterrent control does not directly stop an attack, but it may discourage an action.

A86. A company has installed a new set of switches in their data center. The security team would like to authenticate to the switch using the same credentials as their existing Windows Active Directory network. However, the switches do not support Kerberos as an authentication method. Which of the following would be the BEST option for the security team's authentication requirement? ❍ A. Local authentication ❍ B. LDAP ❍ C. Multi-factor authentication ❍ D. Captive portal

The Answer: B. LDAP LDAP (Lightweight Directory Access Protocol) is a common standard that works across many different operating systems. Microsoft Active Directory provides authentication using Kerberos, but it can also support LDAP.

A61. Your development team has installed a new application and database to a cloud service. After running a vulnerability scanner on the application instance, you find that the database is available for anyone to query without providing any authentication. Which of these vulnerabilities is MOST associated with this issue? ❍ A. Improper error handling ❍ B. Misconfiguration ❍ C. Race condition ❍ D. Memory leak

The Answer: B. Misconfiguration Just like your local systems, proper permissions and security controls are also required when information is added to a cloud-based system. If any of your systems leave an open door, your data may be accessible by anyone on the Internet.

A6. You've hired a third-party to gather information about your company's servers and data. The third-party will not have direct access to your internal network but can gather information from any other source. Which of the following would best describe this approach? ❍ A. Backdoor testing ❍ B. Passive reconnaissance ❍ C. OS fingerprinting ❍ D. Grey box penetration testing

The Answer: B. Passive reconnaissance Passive reconnaissance focuses on learning as much information as possible from open sources such as social media, corporate websites, and business organizations.

A23. A recent audit has found that existing password policies do not include any restrictions on password attempts, and users are not required to periodically change their passwords. Which of the following would correct these policy issues? (Select TWO) ❍ A. Password complexity ❍ B. Password expiration ❍ C. Password history ❍ D. Password lockout ❍ E. Password recovery

The Answer: B. Password expiration and D. Password lockout Password expiration would require a new password after the expiration date. Password lockout would disable an account after a predefined number of unsuccessful login attempts.

A63. Which of these would best describe the use of a nonce? ❍ A. Information encrypted with a public key is decrypted with a private key ❍ B. Prevents replay attacks during authentication ❍ C. Information is hidden inside of an image ❍ D. The sender of an email can be verified

The Answer: B. Prevents replay attacks during authentication A nonce adds additional randomization to a cryptographic function. This means that an authentication hash sent across the network will be different for each authentication request.

A88. A security administrator would like to increase the security of the company's email communication. The outgoing email server currently uses SMTP with no encryption. The security administrator would like to implement encryption between email clients without changing the existing server-to-server communication. Which of the following would be the BEST way to implement this requirement? ❍ A. Implement Secure IMAP ❍ B. Require the use of S/MIME ❍ C. Install an SSL certificate on the email server ❍ D. Use a VPN tunnel between email clients

The Answer: B. Require the use of S/MIME S/MIME (Secure/Multipurpose Internet Mail Extensions) provides a way to integrate public key encryption and digital signatures into most modern email clients. This would encrypt all email information from client to client, regardless of the communication used between email servers.

A81. Which of the following describes a monetary loss if one event occurs? ❍ A. ALE ❍ B. SLE ❍ C. RTO ❍ D. ARO

The Answer: B. SLE SLE (Single Loss Expectancy) describes the financial impact of a single event.

A26. The security team of a small manufacturing company is investigating a compromised server that resulted in a defaced internal website home page. The web server had been running for a year, but no security patches were ever applied. Logs from the web server show a large number of attacks containing well-known exploits occurred just before the server was defaced. Which of these would be the MOST likely source of this attack? ❍ A. Hacktivist ❍ B. Script kiddie ❍ C. Insider ❍ D. Nation state

The Answer: B. Script kiddie A script kiddie commonly runs pre-made scripts without any knowledge of what the script is actually doing. The script kiddie is simply hoping that at least one of the many exploit attempts will be successful.

A50. A system administrator uses an EV certificate for the corporate web server. Which of these would be the MOST likely reason for using this certificate type? ❍ A. Adds additional encryption features over a non-EV certificate ❍ B. Shows that additional checks have been made to validate the site owner ❍ C. Allows the certificate to support many different domains ❍ D. Shows that the owner of the certificate has control over a DNS domain

The Answer: B. Shows that additional checks have been made to validate the site owner An EV (Extended Validation) certificate is provided by a Certificate Authority after additional checks have been made to validate the certificate owner's identity. This may require additional documentation or validation requirements with the site owners.

A80. Jennifer is reviewing this security log from her IPS:
ALERT 2018-06-01 13:07:29 [163bcf65118-179b547b] Cross-Site Scripting in JSON Data 222.43.112.74:3332 -> 64.235.145.35:80
URL/index.html - Method POST - Query String "-"
User Agent: curl/7.21.3 (i386-redhat-linux-gnu) libcurl/7.21.3 NSS/3.13.1.0 zlib/1.2.5 libidn/1.19 libssh2/1.2.7
Detail: token=""
Which of the following can be determined from this log information? (Select TWO) ❍ A. The alert was generated from a malformed User Agent header ❍ B. The alert was generated from an embedded script ❍ C. The attacker's IP address is 222.43.112.74 ❍ D. The attacker's IP address is 64.235.145.35 ❍ E. The alert was generated due to an invalid client port number

The Answer: B. The alert was generated from an embedded script and C. The attacker's IP address is 222.43.112.74

A57. Your security team has been tasked with completing a comprehensive study that will involve all devices in the corporate data center. Because of the sensitive nature of your business, all of the testing must be completed by internal team members. A requirement of the study is to identify any security weaknesses in the operating systems or applications running on data center hardware. There can be no downtime or data loss during the testing process. Which of the following would best describe this project? ❍ A. Threshold analysis ❍ B. Vulnerability scanning ❍ C. Fault tolerance ❍ D. Penetration testing

The Answer: B. Vulnerability scanning A vulnerability scan will examine devices for potential security holes, but it will stop short of actively exploiting a vulnerability. This process will minimize the potential for any downtime or data loss.

A29. A file server has a full backup performed each Monday at 1 AM. Incremental backups are performed at 1 AM on Tuesday, Wednesday, Thursday, and Friday. The system administrator needs to perform a full recovery of the file server on Thursday afternoon. How many backup sets would be required to complete the recovery? ❍ A. 2 ❍ B. 3 ❍ C. 4 ❍ D. 1

The Answer: C. 4 Each incremental backup will archive all of the files that have changed since the last full or incremental backup. To complete this full restore, the administrator will need the full backup from Monday and the incremental backups from Tuesday, Wednesday, and Thursday.

A41. A company hires a large number of seasonal employees, and those contracts commonly end after the beginning of the calendar year. All system access should be disabled when an employee leaves the company, and the security administrator would like to verify that their systems cannot be accessed by any of the former employee accounts. Which of the following would be the BEST way to provide this verification? (Select TWO) ❍ A. Confirm that no unauthorized accounts have administrator access ❍ B. Validate the account lockout policy ❍ C. Audit and verify the operational status of all accounts ❍ D. Create a report that shows all authentications for a 24-hour period ❍ E. Validate the processes and procedures for all outgoing employees ❍ F. Schedule a required password change for all accounts

The Answer: C. Audit and verify the operational status of all accounts, and E. Validate the processes and procedures for all outgoing employees The disabling of an employee account is commonly part of the offboarding process. One way to validate an offboarding policy is to perform an audit of all accounts and compare active accounts with active employees.

A security administrator has been using EAP-FAST wireless authentication since the migration from WEP to WPA2. The company's network team now needs to support additional authentication protocols inside of an encrypted tunnel. Which of the following would meet the network team's requirements? ❍ A. EAP-TLS ❍ B. PEAP ❍ C. EAP-TTLS ❍ D. EAP-MSCHAPv2

The Answer: C. EAP-TTLS EAP-TTLS (Extensible Authentication Protocol - Tunneled Transport Layer Security) allows the use of multiple authentication protocols transported inside of an encrypted TLS (Transport Layer Security) tunnel. This allows the use of any authentication method while maintaining confidentiality with TLS.

A82. Jonas has an Internet connection at home that he accesses using a wireless network. He's noticed lately that his throughput has not been as fast as normal, and he suspects that his neighbors may be using his wireless connection. Jonas can view this list of connected wireless devices from his router configuration:
Computer Name IP Address MAC Address
unknown 10.1.1.7 a0-21-b7-63-40-40
unknown 10.1.2.2 0c-2a-69-09-11-33
unknown 10.1.1.12 7c-2e-0d-30-3d-38
unknown 10.1.10.2 00-26-55-dd-75-d0
unknown 10.1.1.22 d0-81-7a-3d-0f-5d
Which of the following would be the NEXT step to identify any unwanted users on his wireless network? ❍ A. Disable the SSID broadcast on the wireless router ❍ B. Perform a port scan of each IP address connected to the router ❍ C. Enable MAC filtering and add Jonas' devices to the filter ❍ D. Connect a wired network device and perform a speed test

The Answer: C. Enable MAC filtering and add Jonas' devices to the filter We don't have enough information from the connected device list to know which devices may belong to Jonas and which devices may be unauthorized. To filter out unwanted users, Jonas should enable MAC address filtering and then add the MAC (Media Access Control) address of each wireless device to the router configuration.

A78. An organization's content management system (CMS) currently labels files and documents as "Unclassified" and "Restricted." In a recent update to the CMS, a new classification type of "PII" was added. Which of the following would be the MOST likely reason for this addition? ❍ A. Healthcare system integration ❍ B. Simplified categorization ❍ C. Expanded privacy compliance ❍ D. Decreased search time

The Answer: C. Expanded privacy compliance The labeling of PII (Personally Identifiable Information) is often associated with privacy and compliance concerns.

A40. Which of these cloud deployment models would share resources between a private virtualized data center and externally available cloud services? ❍ A. SaaS ❍ B. Community ❍ C. Hybrid ❍ D. Containerization

The Answer: C. Hybrid A hybrid cloud model combines both private and public cloud infrastructures.

A69. Daniel, a security administrator, is designing an authentication process for a new remote site deployment. Daniel would like the users to provide their credentials when they authenticate in the morning, and he does not want any additional authentication requests to appear during the rest of the day. Which of the following should Daniel use to meet this requirement? ❍ A. TACACS+ ❍ B. LDAPS ❍ C. Kerberos ❍ D. 802.1X

The Answer: C. Kerberos Kerberos uses a ticket-based system to provide SSO (Single Sign-On) functionality. You only need to authenticate once with Kerberos to gain access to multiple resources.

A10. An IPS at your company has found a sharp increase in traffic from all-in-one printers. After researching, your security team has found a vulnerability associated with these devices that allows the device to be remotely controlled by a third-party. Which category would BEST describe these devices? ❍ A. IoT ❍ B. RTOS ❍ C. MFD ❍ D. SoC

The Answer: C. MFD An all-in-one printer that can print, scan, and fax is often categorized as an MFD (Multifunction Device).

A65. Which of the following would BEST describe a security feature based on administrative control diversity? ❍ A. Data center cameras ❍ B. Active directory authentication ❍ C. Off-boarding process ❍ D. Laptop full disk encryption

The Answer: C. Off-boarding process When a person leaves the organization, there needs to be a formal administrative policy on how to handle the hardware, software, and data associated with that person. These formal policies and procedures would be an important administrative control associated with defense-in-depth.

A84. A systems engineer in the sales department has left the organization for a position with another company. The engineer's accounts were disabled on his last day with the company, but security logs show that attempts were made to access email accounts after the account was disabled. Which of these security practices protected the organization from any unauthorized access? ❍ A. Least privilege ❍ B. Auditing ❍ C. Offboarding ❍ D. Location-based policies

The Answer: C. Offboarding The offboarding process is a pre-planned set of tasks that occur when someone leaves an organization. This plan documents the process of turning over company computers, how to maintain the user's data after their departure, and the automatic deactivation of any company accounts.

A76. Which of these would be commonly used during the authentication phase of the AAA framework? ❍ A. Username ❍ B. Login time ❍ C. Password ❍ D. Access to the /home directory

The Answer: C. Password The authentication portion of the AAA framework is used to prove that you are who you say you are. This would include passwords and other authentication factors.

Which of the following would attempt to exploit a vulnerability associated with a specific application? ❍ A. Vulnerability scan ❍ B. Active reconnaissance ❍ C. Penetration test ❍ D. Port scan

The Answer: C. Penetration test A penetration test is used to determine if a system or application can be exploited. This process actively attempts to break into a system as part of the testing.

A83. Sam, the manager of the accounting department, has opened a helpdesk ticket complaining of poor system performance and excessive pop-up messages. Her cursor is also moving without anyone touching the mouse. This issue began after Sam opened a spreadsheet from a vendor containing part numbers and pricing information. Sam recalls clicking through a number of warning messages before the spreadsheet would open. Which of the following is MOST likely the cause of Sam's issues? ❍ A. Man-in-the-middle ❍ B. Worm ❍ C. RAT ❍ D. Logic bomb

The Answer: C. RAT A RAT (Remote Access Trojan) is malware that can control a computer using desktop sharing and other administrative functions. Because the installation program is often disguised as something else, the victim often doesn't realize they're installing malware. Once the RAT is installed, the attacker can control the desktop, capture screenshots, reboot the computer, and perform many other administrative functions.

A22. The embedded OS in a company's time clock appliance is configured to reset the file system and reboot when a file system error occurs. On one of the time clocks, this file system error occurs during the startup process and causes the system to constantly reboot. This loop continues until the time clock is powered down. Which of the following BEST describes this issue? ❍ A. DLL injection ❍ B. Resource exhaustion ❍ C. Race condition ❍ D. Weak configuration

The Answer: C. Race condition A race condition occurs when two processes occur at similar times, usually with unexpected results. The file system problem is usually fixed before a reboot, but a reboot is occurring before the fix can be applied. This has created a race condition that results in constant reboots.

A45. A data breach has occurred in a large insurance company. A security administrator is building new servers and security systems to get all of the financial systems back online. Which part of the incident response process would BEST describe these actions? ❍ A. Lessons learned ❍ B. Isolation and containment ❍ C. Reconstitution ❍ D. Precursors

The Answer: C. Reconstitution The recovery after a breach can be a phased approach that may take months to complete.

A49. Which of the following would be the MOST secure hashing method? ❍ A. RIPEMD ❍ B. AES ❍ C. SHA-2 ❍ D. MD5

The Answer: C. SHA-2 Of the available options, SHA-2 (Secure Hash Algorithm 2) is the only hashing algorithm listed that does not currently have a collision attack vector.

A16. Richard, an engineer, has been posting pictures of a not-yet-released company product on an online forum. Richard believed the forum was limited to a small group, but his pictures were actually posted on a publicly accessible area of the site. Which of the following company policies should be discussed with Richard? ❍ A. Personal email ❍ B. Unauthorized software ❍ C. Social media ❍ D. Certificate issues

The Answer: C. Social media Most organizations have formal policies on managing social media engagements, and those policies would most likely prevent someone from disclosing any pre-release information to the public.

A25. Your security team has been provided with an uncredentialed vulnerability scan report created by a third-party. Which of the following would you expect to see on this report? ❍ A. A summary of all files with invalid group assignments ❍ B. A list of all unpatched operating system files ❍ C. The version of web server software in use ❍ D. A list of local user accounts

The Answer: C. The version of web server software in use A scanner like Nmap can query services and determine version numbers without any special rights or permissions, which makes it well suited for non-credentialed scans.

A52. A server team has just installed a new web service in the DMZ, and has added firewall rules to allow web browser access to the service from the Internet. After the server is active, the security team captures this network traffic between the Internet and the server: Accept-Encoding: gzip, deflate\r\n Accept-Language: en-US,en;q=0.8\r\n Cookie: _fzvid=l=PM&rv=55f9b606bb547e235476e660; __VerificationToken=g4-iTGqsT5BA5zqYiR0FIRf29rtG8-M59Lq5Y Cookie pair: _fzvid=l=9/16/2015 6:33:42 PM&rv=55f9b606bb547e235 Cookie pair: __VerificationToken=g4-iTGqsT69Qo87MjixNqTBDT-x8FA Cookie pair: __fzg=g=5993ad10bb547e238cca3ff5&l Cookie pair: _ga=GA1.2.924799034.1442428422 Cookie pair: _gid=GA1.2.110485488.1502030607 Cookie pair: __fz55facc21bb547f0ec82ad5a7=l Which of these should the security team be MOST concerned about this server implementation? ❍ A. Unauthorized software ❍ B. Data exfiltration ❍ C. Unencrypted traffic ❍ D. Access violations

The Answer: C. Unencrypted traffic Attackers can easily gather information sent across the network in the clear, and cookie information may contain valuable information that could be used in a replay attack.

A55. A company is deploying a new mobile application to all of its employees in the field. Some of the problems associated with this rollout include: • The company does not have a way to manage the mobile devices in the field • Company data on mobile devices in the field introduces additional risk • Team members have many different kinds of mobile devices Which of the following deployment models would address these concerns? ❍ A. Corporate-owned ❍ B. COPE ❍ C. VMI ❍ D. BYOD

The Answer: C. VMI A VMI (Virtual Mobile Infrastructure) would allow the field teams to access their applications from many different types of devices without requiring a mobile device manager or raising concerns about corporate data stored on the devices.

A54. Which of these best describes two-factor authentication? ❍ A. A printer that uses a password and a PIN ❍ B. The door to a building that requires a fingerprint scan ❍ C. An application that checks your GPS coordinates ❍ D. A Windows Domain that requires a username, password, and smart card

The Answer: D. A Windows Domain that requires a username, password, and smart card

A34. Which of the following technologies use a challenge message during the authentication process? ❍ A. TLS ❍ B. TACACS+ ❍ C. Kerberos ❍ D. CHAP

The Answer: D. CHAP CHAP (Challenge-Handshake Authentication Protocol) combines a server's challenge message with the client's password hash during the authentication process.

A58. Jack is a member of the incident response team at his company. Jack has been asked to respond to a potential security breach of the company's databases, and he needs to gather the most volatile data before powering down the database servers. In which order should Jack collect this information? ❍ A. CPU registers, temporary files, memory, remote monitoring data ❍ B. Memory, CPU registers, remote monitoring data, temporary files ❍ C. Memory, CPU registers, temporary files, remote monitoring data ❍ D. CPU registers, memory, temporary files, remote monitoring data

The Answer: D. CPU registers, memory, temporary files, remote monitoring data

A73. A security administrator is evaluating a monthly vulnerability report associated with web servers in the data center. The report shows the return of a vulnerability that was previously patched four months ago. The report shows that the vulnerability has been active on the web servers for three weeks. After researching this issue, the security team has found that a recent patch has reintroduced this vulnerability on the servers. Which of the following should the security administrator implement to prevent this issue from occurring in the future? ❍ A. Templates ❍ B. Elasticity ❍ C. Master image ❍ D. Continuous monitoring

The Answer: D. Continuous monitoring It's common for organizations to continually monitor services for any changes or issues. A nightly vulnerability scan across important servers would identify issues like this one.

A70. A manufacturing company would like to use an existing router to separate a corporate network and the manufacturing floor. The corporate network and manufacturing floor currently operate on the same subnet and the same physical switch. The company does not want to install any additional hardware. Which of the following would be the BEST choice for this segmentation? ❍ A. Connect the corporate network and the manufacturing floor with a VPN ❍ B. Build an air gapped manufacturing floor network ❍ C. Use personal firewalls on each device ❍ D. Create separate VLANs for the corporate network and the manufacturing floor

The Answer: D. Create separate VLANs for the corporate network and the manufacturing floor Creating VLANs (Virtual Local Area Networks) will segment a network without requiring additional switches.

A75. Which cryptographic method is used to add trust to a digital certificate? ❍ A. X.509 ❍ B. Hash ❍ C. Symmetric encryption ❍ D. Digital signature

The Answer: D. Digital signature A certificate authority will digitally sign a certificate to add trust. If you trust the certificate authority, you can then trust the certificate.

A44. An attacker has discovered a way to disable a server by sending a specially crafted packet to the operating system. When the packet is received, the system crashes and must be rebooted to restore normal operations. Which of the following would BEST describe this situation? ❍ A. Privilege escalation ❍ B. Spoofing ❍ C. Replay attack ❍ D. DoS

The Answer: D. DoS A DoS (Denial of Service) is an attack that overwhelms or disables a service to prevent the service from operating normally. A packet that disables a server would be an example of a DoS attack.

A31. Jack, a security engineer, runs a monthly vulnerability scan and creates a report with the results. The latest report doesn't list any vulnerabilities for Windows servers, but a significant vulnerability was announced last week and none of the servers are patched yet. The vulnerability scanner is running the latest set of signatures. Which of the following best describes this result? ❍ A. Exploit ❍ B. False positive ❍ C. Zero-day attack ❍ D. False negative

The Answer: D. False negative A false negative is a result that fails to detect an issue when one actually exists.

A39. Before an application is moved into production, a company's development team runs a static code analyzer to identify any security vulnerabilities. In the latest scan, the analyzer has identified seven security issues. After reviewing the code, the development team finds that only five of the reported vulnerabilities are actual security problems. Which of the following would BEST describe the two incorrect vulnerability reports? ❍ A. Normalization ❍ B. Fuzzing ❍ C. Obfuscation ❍ D. False positive

The Answer: D. False positive A false positive is the report of an issue where no issue actually exists. In this example, two of the seven reported security issues were false positives.

A36. The network administrator for an organization is building a security strategy that can continually monitor the network and systems for threats. This strategy focuses on protecting the automated creation of cloud-based services, the teardown process of cloud-based services, and the rollback of cloud-based services from one version to another. Which of the following BEST describes the environment that the network administrator will secure? ❍ A. Redundant ❍ B. Highly-available ❍ C. Fault-tolerant ❍ D. Non-persistent

The Answer: D. Non-persistent A non-persistent environment is always in motion, and application instances can be created, changed, or removed at any time.

A90. A company has just purchased a new application server, and the security director wants to determine if the system is secure. The system is currently installed in a test environment and will not be available to your users until the rollout to production next week. Which of the following would be the BEST way to determine if any part of the system can be exploited? ❍ A. Tabletop exercise ❍ B. Vulnerability scanner ❍ C. Password cracker ❍ D. Penetration test

The Answer: D. Penetration test A penetration test can be used to actively exploit potential vulnerabilities in a system or application. This could cause a denial of service or loss of data, so the best practice is to perform the penetration test during nonproduction hours or in a test environment.

A46. A service technician would like to protect some private information sent over email. This information should only be viewable by the recipient. Which of these cryptographic algorithms would be the BEST choice? ❍ A. MD5 ❍ B. HMAC ❍ C. SHA-2 ❍ D. RC4

The Answer: D. RC4 RC4 (Rivest Cipher 4) is the only encryption cipher in the list. All of the other algorithms are used for hashing.

A62. One of the computers in the shipping department is showing signs of a malware infection. Which of the following would be the BEST next step to completely remove the malware? ❍ A. Run a virus scan ❍ B. Degauss the hard drive ❍ C. Format the system partition ❍ D. Reimage the computer

The Answer: D. Reimage the computer Completely wiping the drive and installing a new image is an effective way to completely remove any malware from a computer.

A51. How can a company ensure that all data on a mobile device is unrecoverable if the device is lost or stolen? ❍ A. Storage segmentation ❍ B. Geofencing ❍ C. Screen locks ❍ D. Remote wipe

The Answer: D. Remote wipe Most organizations will use a mobile device manager (MDM) to manage mobile phones and tablets. Using the MDM, specific security policies can be created for each mobile device, including the ability to remotely send a remote wipe command that will erase all data on a mobile device.

A37. A department store offers gift certificates that can be used to purchase merchandise. The store policy requires that a floor manager approves each transaction when a gift certificate is used for payment. The security team has found that some of these transactions have been processed without the approval of a manager. Which of the following would provide a separation of duties to enforce this store policy? ❍ A. Use a WAF to monitor all gift certificate transactions ❍ B. Disable all gift certificate transactions for cashiers ❍ C. Implement a discretionary access control policy ❍ D. Require an approval PIN for the cashier and a separate approval PIN for the manager

The Answer: D. Require an approval PIN for the cashier and a separate approval PIN for the manager This separation of duties would be categorized as dual control, where two people must be present to perform the business function. In this example, the dual control is managed by using two separate PINs (Personal Identification Numbers) that would not be shared among individuals.

A66. An analyst is examining the traffic logs to a server in the DMZ. The analyst has identified a number of sessions from a single IP address that appear to be received with a TTL equal to zero. One of the sessions has a destination of the Internet firewall, and a session immediately after has a destination of your DMZ server. Which of the following BEST describes this log information? ❍ A. Someone is performing a vulnerability scan against your firewall and DMZ server ❍ B. Your users are performing DNS lookups ❍ C. A remote user is grabbing banners of your firewall and DMZ server ❍ D. Someone is performing a traceroute to the DMZ server

The Answer: D. Someone is performing a traceroute to the DMZ server A traceroute maps each hop by slowly incrementing the TTL (Time to Live) value during each request. When the TTL reaches zero, the receiving router drops the packet and sends an ICMP (Internet Control Message Protocol) TTL Exceeded message back to the original station.

A48. A company has decided to perform a disaster recovery exercise during an annual meeting. This exercise will include the IT directors and senior directors. A simulated disaster will be presented, and the participants will discuss the logistics and processes required to resolve the disaster. Which of the following would BEST describe this exercise? ❍ A. After-action report ❍ B. Business impact analysis ❍ C. Alternate business practice ❍ D. Tabletop exercise

The Answer: D. Tabletop exercise A tabletop exercise allows a disaster recovery team to evaluate and plan disaster recovery processes without performing a full-scale drill.

A71. Hank, a security administrator, has received an email from an employee regarding their VPN connection from home. When this user connects to the corporate VPN, they are no longer able to print to their network printer at home. Once the user disconnects from the VPN, the printer works normally. Which of the following would be the MOST likely reason for this issue? ❍ A. The VPN uses IPSec instead of SSL ❍ B. Printer traffic is filtered by the VPN client ❍ C. The VPN is stateful ❍ D. The VPN tunnel is configured for full tunnel

The Answer: D. The VPN tunnel is configured for full tunnel A split tunnel is a VPN (Virtual Private Network) configuration that only sends a portion of the traffic through the encrypted tunnel. A split tunnel would allow work-related traffic to securely traverse the VPN, and all other traffic would use the non-tunneled option. In this example, the printer traffic is being redirected through the VPN instead of the local home network because of the non-split/full tunnel.

A13. Tayla is a help desk administrator for a major transportation company. Her help desk has suddenly been overwhelmed by phone calls from customers. The customers are complaining that their browser is giving a message that the company's website is untrusted. Which of the following would be the MOST likely reason for this issue? ❍ A. The web server is not running the latest version of software ❍ B. The corporate firewall is misconfigured ❍ C. A content filter is blocking web server traffic ❍ D. The web server has a certificate issue

The Answer: D. The web server has a certificate issue Any web server issues relating to trust are generally associated with the status of the web server certificate. If a certificate has expired or the fully qualified domain name on the certificate does not match the name of the web server, the end users will see errors in their browser.

A30. A company is creating a security policy that will protect all corporate mobile devices: • All mobile devices must be automatically locked after a predefined time period. • Some mobile devices will be used by the remote sales teams, so the location of each device needs to be traceable. • The mobile devices should not be operable outside of the country. • All of the user's information should be completely separated from company data. Which of the following would be the BEST way to establish these security policy rules? ❍ A. Containerization strategy ❍ B. Biometrics ❍ C. COPE ❍ D. VDI ❍ E. Geofencing ❍ F. MDM

The Answer: F. MDM An MDM (Mobile Device Manager) provides a centralized management system for all mobile devices. From this central console, security administrators can set policies for many different types of mobile devices.

A38. Which of the following is true of a rainbow table? (Select TWO) ❍ A. The rainbow table is built in real-time during the attack ❍ B. Rainbow tables are the most effective online attack type ❍ C. Rainbow tables require significant CPU cycles at attack time ❍ D. Different tables are required for different hashing methods ❍ E. A rainbow table won't be useful if the passwords are salted

The Answers: D. Different tables are required for different hashing methods, and E. A rainbow table won't be useful if the passwords are salted A rainbow table is built prior to an attack to match a specific password hashing technique. If a different hashing technique is used, a completely different rainbow table must be built. The use of a salt will modify the expected results of a hash. Since a salted hash will not be predictable, the rainbow table can't be built for these hashes.
