CompTIA Security+ SY0-501 Question Set B

A user attempts to install new and relatively unknown software recommended by a colleague. The user is unable to install the program, despite having successfully installed other programs previously. Which of the following is MOST likely the cause for the user's inability to complete the installation? A. Application black listing B. Network Intrusion Prevention System C. Group policy D. Application white listing

Answer: A

In order to enter a high-security datacenter, users are required to speak the password into a voice recognition system. Ann, a member of the sales department, overhears the password and then speaks it into the system. The system denies her entry and alerts the security team. Which of the following is the MOST likely reason for her failure to enter the data center? A. An authentication factor B. Discretionary access C. Time of day restrictions D. Least privilege restrictions

Answer: A

One of the findings of a risk assessment is that many of the servers on the data center subnet contain data that is in scope for PCI compliance. Everyone in the company has access to these servers, regardless of their job function. Which of the following should the administrator do? A. Segment the network B. Use 802.1X C. Deploy a proxy server D. Configure ACLs E. Write an acceptable use policy

Answer: A

Users are trying to communicate with a network but are unable to do so. A network administrator sees connection attempts on port 20 from outside IP addresses that are being blocked. How can the administrator resolve this? A. Enable stateful FTP on the firewall B. Enable inbound SSH connections C. Enable NETBIOS connections in the firewall D. Enable HTTPS on port 20

Answer: A

A systems administrator has implemented PKI on a classified government network. In the event that a disconnect occurs from the primary CA, which of the following should be accessible locally from every site to ensure users with bad certificates cannot gain access to the network? A. A CRL B. Make the RA available C. A verification authority D. A redundant CA

Answer: A Explanation: A certificate revocation list (CRL) is created and distributed to all CAs to revoke a certificate or key. By checking the CRL you can check if a particular certificate has been revoked.

An administrator wants to ensure that the reclaimed space of a hard drive has been sanitized while the computer is in use. Which of the following can be implemented? A. Cluster tip wiping B. Individual file encryption C. Full disk encryption D. Storage retention

Answer: A Explanation: A computer hard disk is divided into small segments called clusters. A file usually spans several clusters but rarely fills the last cluster, which is called cluster tip. This cluster tip area may contain file data because the size of the file you are working with may grow or shrink and needs to be securely deleted.

Emily, a security manager, has decided to force expiration of all company passwords by the close of business day. Which of the following BEST supports this reasoning? A. A recent security breach in which passwords were cracked. B. Implementation of configuration management processes. C. Enforcement of password complexity requirements. D. Implementation of account lockout procedures.

Answer: A Explanation: A password only needs to be changed if it doesn't meet the compliance requirements of the company's password policy, or is evidently insecure. It will also need to be changed if it has been reused, or due to possible compromise as a result of a system intrusion.

A network analyst received a number of reports that impersonation was taking place on the network. Session tokens were deployed to mitigate this issue and defend against which of the following attacks? A. Replay B. DDoS C. Smurf D. Ping of Death

Answer: A Explanation: A replay attack (also known as playback attack) is a form of network attack in which a valid data transmission is maliciously or fraudulently repeated or delayed. This is carried out either by the originator or by an adversary who intercepts the data and retransmits it, possibly as part of a masquerade attack by IP packet substitution (such as stream cipher attack). For example: Suppose Alice wants to prove her identity to Bob. Bob requests her password as proof of identity, which Alice dutifully provides (possibly after some transformation like a hash function); meanwhile, Eve is eavesdropping on the conversation and keeps the password (or the hash). After the interchange is over, Eve (posing as Alice) connects to Bob; when asked for a proof of identity, Eve sends Alice's password (or hash) read from the last session, which Bob accepts, thus granting access to Eve. Countermeasures: A way to avoid replay attacks is by using session tokens: Bob sends a one-time token to Alice, which Alice uses to transform the password and send the result to Bob (e.g. computing a hash function of the session token appended to the password). On his side Bob performs the same computation; if and only if both values match, the login is successful. Now suppose Eve has captured this value and tries to use it on another session; Bob sends a different session token, and when Eve replies with the captured value it will be different from Bob's computation. Session tokens should be chosen by a (pseudo-) random process. Otherwise Eve may be able to pose as Bob, presenting some predicted future token, and convince Alice to use that token in her transformation. Eve can then replay her reply at a later time (when the previously predicted token is actually presented by Bob), and Bob will accept the authentication. One-time passwords are similar to session tokens in that the password expires after it has been used or after a very short amount of time.
They can be used to authenticate individual transactions in addition to sessions. The technique has been widely implemented in personal online banking systems. Bob can also send nonces but should then include a message authentication code (MAC), which Alice should check. Timestamping is another way of preventing a replay attack. Synchronization should be achieved using a secure protocol. For example Bob periodically broadcasts the time on his clock together with a MAC. When Alice wants to send Bob a message, she includes her best estimate of the time on his clock in her message, which is also authenticated. Bob only accepts messages for which the timestamp is within a reasonable tolerance. The advantage of this scheme is that Bob does not need to generate (pseudo-) random numbers, with the trade-off being that replay attacks, if they are performed quickly enough i.e. within that 'reasonable' limit, could succeed.

An administrator is concerned that a company's web server has not been patched. Which of the following would be the BEST assessment for the administrator to perform? A. Vulnerability scan B. Risk assessment C. Virus scan D. Network sniffer

Answer: A Explanation: A vulnerability scan is the process of scanning the network and/or I.T. infrastructure for threats and vulnerabilities. Vulnerabilities include computer systems that do not have the latest security patches installed. The threats and vulnerabilities are then evaluated in a risk assessment and the necessary actions taken to resolve any vulnerabilities. A vulnerability scan is the automated process of proactively identifying security vulnerabilities of computing systems in a network in order to determine if and where a system can be exploited and/or threatened. While public servers are important for communication and data transfer over the Internet, they open the door to potential security breaches by threat agents, such as malicious hackers. Vulnerability scanning employs software that seeks out security flaws based on a database of known flaws, testing systems for the occurrence of these flaws and generating a report of the findings that an individual or an enterprise can use to tighten the network's security. Vulnerability scanning typically refers to the scanning of systems that are connected to the Internet but can also refer to system audits on internal networks that are not connected to the Internet in order to assess the threat of rogue software or malicious employees in an enterprise.

Which of the following can be implemented with multiple bit strength? A. AES B. DES C. SHA-1 D. MD5 E. MD4

Answer: A Explanation: AES (a symmetric algorithm) uses key sizes of 128, 192, or 256 bits.

Which of the following controls mitigates the risk of Matt, an attacker, gaining access to a company network by using a former employee's credential? A. Account expiration B. Password complexity C. Account lockout D. Dual factor authentication

Answer: A Explanation: Account expiration is a secure feature to employ on user accounts for temporary workers, interns, or consultants. It automatically disables a user account or causes the account to expire at a specific time and on a specific day.

After a security incident involving a physical asset, which of the following should be done at the beginning? A. Record every person who was in possession of assets, continuing post-incident. B. Create working images of data in the following order: hard drive then RAM. C. Back up storage devices so work can be performed on the devices immediately. D. Write a report detailing the incident and mitigation suggestions.

Answer: A Explanation: Asset tracking is the process of maintaining oversight over inventory, and ensuring that a device is still in the possession of the assigned authorized user.

A company that purchased an HVAC system for the datacenter is MOST concerned with which of the following? A. Availability B. Integrity C. Confidentiality D. Fire suppression

Answer: A Explanation: Availability means simply to make sure that the data and systems are available for authorized users. Data backups, redundant systems, and disaster recovery plans all support availability; as does environmental support by means of HVAC.

Which of the following data security techniques will allow Matt, an IT security technician, to encrypt a system with speed as its primary consideration? A. Hard drive encryption B. Infrastructure as a service C. Software based encryption D. Data loss prevention

Answer: A Explanation: Disk and device encryption encrypts the data on the device. This feature ensures that the data on the device cannot be accessed in a useable form should the device be stolen. It should be implemented using a hardware-based solution for greater speed.

What is the term for the process of luring someone in (usually done by an enforcement officer or a government agent)? A. Enticement B. Entrapment C. Deceit D. Sting

Answer: A Explanation: Enticement is the process of luring someone into your plan or trap.

A security administrator examines a network session to a compromised database server with a packet analyzer. Within the session there is a repeated series of the hex character 90 (x90). Which of the following attack types has occurred? A. Buffer overflow B. Cross-site scripting C. XML injection D. SQL injection

Answer: A Explanation: The hex character 90 (x90) means NOP or No Op or No Operation. In a buffer overflow attack, the buffer can be filled and overflowed with No Op commands. A buffer overflow occurs when a program or process tries to store more data in a buffer (temporary data storage area) than it was intended to hold. Since buffers are created to contain a finite amount of data, the extra information - which has to go somewhere - can overflow into adjacent buffers, corrupting or overwriting the valid data held in them. Although it may occur accidentally through programming error, buffer overflow is an increasingly common type of security attack on data integrity. In buffer overflow attacks, the extra data may contain codes designed to trigger specific actions, in effect sending new instructions to the attacked computer that could, for example, damage the user's files, change data, or disclose confidential information. Buffer overflow attacks are said to have arisen because the C programming language supplied the framework, and poor programming practices supplied the vulnerability.

Which of the following controls would allow a company to reduce the exposure of sensitive systems from unmanaged devices on internal networks? A. 802.1x B. Data encryption C. Password strength D. BGP

Answer: A Explanation: IEEE 802.1X (also known as Dot1x) is an IEEE Standard for Port-based Network Access Control (PNAC). It is part of the IEEE 802.1 group of networking protocols. It provides an authentication mechanism to devices wishing to attach to a LAN or WLAN. 802.1X authentication involves three parties: a supplicant, an authenticator, and an authentication server. The supplicant is a client device (such as a laptop) that wishes to attach to the LAN/WLAN, though the term 'supplicant' is also used interchangeably to refer to the software running on the client that provides credentials to the authenticator. The authenticator is a network device, such as an Ethernet switch or wireless access point; and the authentication server is typically a host running software supporting the RADIUS and EAP protocols. The authenticator acts like a security guard to a protected network. The supplicant (i.e., client device) is not allowed access through the authenticator to the protected side of the network until the supplicant's identity has been validated and authorized. An analogy to this is providing a valid visa at the airport's arrival immigration before being allowed to enter the country. With 802.1X port-based authentication, the supplicant provides credentials, such as user name/password or digital certificate, to the authenticator, and the authenticator forwards the credentials to the authentication server for verification. If the authentication server determines the credentials are valid, the supplicant (client device) is allowed to access resources located on the protected side of the network.

Which of the following access controls enforces permissions based on data labeling at specific levels? A. Mandatory access control B. Separation of duties access control C. Discretionary access control D. Role based access control

Answer: A Explanation: In a MAC environment everything is assigned a classification marker. Subjects are assigned a clearance level and objects are assigned a sensitivity label.

A set of standardized system images with a pre-defined set of applications is used to build end-user workstations. The security administrator has scanned every workstation to create a current inventory of all applications that are installed on active workstations and is documenting which applications are out-of-date and could be exploited. The security administrator is determining the: A. attack surface. B. application hardening effectiveness. C. application baseline. D. OS hardening effectiveness.

Answer: A Explanation: In this question, we have out-of-date applications that could be exploited. The out-of-date applications are security vulnerabilities. The combination of all vulnerabilities that could be exploited (or attacked) is known as the attack surface. The attack surface of a software environment is the sum of the different points (the "attack vectors") where an unauthorized user (the "attacker") can try to enter data to or extract data from an environment. The basic strategies of attack surface reduction are to reduce the amount of code running, reduce entry points available to untrusted users, and eliminate services requested by relatively few users. One approach to improving information security is to reduce the attack surface of a system or software. By turning off unnecessary functionality, there are fewer security risks. By having less code available to unauthorized actors, there will tend to be fewer failures. Although attack surface reduction helps prevent security failures, it does not mitigate the amount of damage an attacker could inflict once a vulnerability is found.

A network administrator is looking for a way to automatically update company browsers so they import a list of root certificates from an online source. This online source will then be responsible for tracking which certificates are to be trusted or not trusted. Which of the following BEST describes the service that should be implemented to meet these requirements? A. Trust model B. Key escrow C. OCSP D. PKI

Answer: A Explanation: In this scenario we can put a CA in the local network and use an online CA as root CA in a hierarchical trust model. A trust model is a collection of rules that informs applications how to decide the legitimacy of a digital certificate. In a hierarchical trust model, also known as a tree, a root CA at the top provides all of the information. The intermediate CAs are next in the hierarchy, and they trust only information provided by the root CA. The root CA also trusts intermediate CAs that are in their level in the hierarchy and none that aren't. This arrangement allows a high level of control at all levels of the hierarchical tree.

Users are encouraged to click on a link in an email to obtain exclusive access to the newest version of a popular smartphone. This is an example of: A. Scarcity B. Familiarity C. Intimidation D. Trust

Answer: A Explanation: Scarcity, in the area of social psychology, works much like scarcity in the area of economics. Simply put, humans place a higher value on an object that is scarce, and a lower value on those that are abundant. The thought that we, as humans, want something we cannot have drives us to desire the object even more. This idea is deeply embedded in the intensely popular, "Black Friday" shopping extravaganza that U.S. consumers participate in every year on the day after Thanksgiving. More than getting a bargain on a hot gift idea, shoppers thrive on the competition itself, in obtaining the scarce product. In this question, people want the brand new latest version of a smartphone. The temptation of being one of the first to get the new phone will tempt people into clicking the link in the email.

Which of the following ports should be used by a system administrator to securely manage a remote server? A. 22 B. 69 C. 137 D. 445

Answer: A Explanation: Secure Shell (SSH) is a more secure replacement for Telnet, rlogin, rsh, and rcp. SSH can be called a remote access or remote terminal solution. SSH offers a means by which a command-line, text-only interface connection with a server, router, switch, or similar device can be established over any distance. SSH makes use of TCP port 22.

An attacker crafts a message that appears to be from a trusted source, but in reality it redirects the recipient to a malicious site where information is harvested. The message is narrowly tailored so it is effective on only a small number of victims. This describes which of the following? A. Spear phishing B. Phishing C. Smurf attack D. Vishing

Answer: A Explanation: Spear phishing is an e-mail spoofing fraud attempt that targets a specific organization, seeking unauthorized access to confidential data. As with the e-mail messages used in regular phishing expeditions, spear phishing messages appear to come from a trusted source. Phishing messages usually appear to come from a large and well-known company or Web site with a broad membership base, such as eBay or PayPal. In the case of spear phishing, however, the apparent source of the e-mail is likely to be an individual within the recipient's own company and generally someone in a position of authority.

Several bins are located throughout a building for secure disposal of sensitive information. Which of the following does this prevent? A. Dumpster diving B. War driving C. Tailgating D. War chalking

Answer: A Explanation: The bins in this question will be secure bins designed to prevent someone accessing the 'rubbish' to learn sensitive information. Dumpster diving is looking for treasure in someone else's trash. (A dumpster is a large trash container.) In the world of information technology, dumpster diving is a technique used to retrieve information that could be used to carry out an attack on a computer network. Dumpster diving isn't limited to searching through the trash for obvious treasures like access codes or passwords written down on sticky notes. Seemingly innocent information like a phone list, calendar, or organizational chart can be used to assist an attacker using social engineering techniques to gain access to the network. To prevent dumpster divers from learning anything valuable from your trash, experts recommend that your company establish a disposal policy where all paper, including print-outs, is shredded in a cross-cut shredder before being recycled, all storage media is erased, and all staff is educated about the danger of untracked trash.

A security specialist has been asked to evaluate a corporate network by performing a vulnerability assessment. Which of the following will MOST likely be performed? A. Identify vulnerabilities, check applicability of vulnerabilities by passively testing security controls. B. Verify vulnerabilities exist, bypass security controls and exploit the vulnerabilities. C. Exploit security controls to determine vulnerabilities and misconfigurations. D. Bypass security controls and identify applicability of vulnerabilities by passively testing security controls.

Answer: A Explanation: We need to determine if vulnerabilities exist by passively testing security controls. A vulnerability scan is the automated process of proactively identifying security vulnerabilities of computing systems in a network in order to determine if and where a system can be exploited and/or threatened. While public servers are important for communication and data transfer over the Internet, they open the door to potential security breaches by threat agents, such as malicious hackers. Vulnerability scanning employs software that seeks out security flaws based on a database of known flaws, testing systems for the occurrence of these flaws and generating a report of the findings that an individual or an enterprise can use to tighten the network's security. Vulnerability scanning typically refers to the scanning of systems that are connected to the Internet but can also refer to system audits on internal networks that are not connected to the Internet in order to assess the threat of rogue software or malicious employees in an enterprise.

Which of the following uses port 22 by default? (Select THREE). A. SSH B. SSL C. TLS D. SFTP E. SCP F. FTPS G. SMTP H. SNMP

Answer: A,D,E Explanation: SSH uses TCP port 22. All protocols encrypted by SSH, including SFTP, SHTTP, SCP, SExec, and slogin, also use TCP port 22.

A systems administrator has made several unauthorized changes to the server cluster that resulted in a major outage. This event has been brought to the attention of the Chief Information Officer (CIO), who has requested the immediate implementation of a risk mitigation strategy to prevent this type of event from reoccurring. Which of the following would be the BEST risk mitigation strategy to implement in order to meet this request? A. Asset Management B. Change Management C. Configuration Management D. Incident Management

Answer: B

Which of the following is replayed during wireless authentication to exploit a weak key infrastructure? A. Preshared keys B. Ticket exchange C. Initialization vectors D. Certificate exchange

Answer: B

Maintenance workers find an active network switch hidden above a dropped-ceiling tile in the CEO's office with various connected cables from the office. Which of the following describes the type of attack that was occurring? A. Spear phishing B. Packet sniffing C. Impersonation D. MAC flooding

Answer: B Explanation: A Protocol Analyzer is a hardware device or more commonly a software program used to capture network data communications sent between devices on a network. Capturing packets sent from a computer system is known as packet sniffing. However, packet sniffing requires a physical connection to the network. The switch hidden in the ceiling is used to provide the physical connection to the network. Well known software protocol analyzers include Message Analyzer (formerly Network Monitor) from Microsoft and Wireshark (formerly Ethereal). A sniffer (packet sniffer) is a tool that intercepts data flowing in a network. If computers are connected to a local area network that is not filtered or switched, the traffic can be broadcast to all computers contained in the same segment. This doesn't generally occur, since computers are generally told to ignore all the comings and goings of traffic from other computers. However, in the case of a sniffer, all traffic is shared when the sniffer software commands the Network Interface Card (NIC) to stop ignoring the traffic. The NIC is put into promiscuous mode, and it reads communications between computers within a particular segment. This allows the sniffer to seize everything that is flowing in the network, which can lead to the unauthorized access of sensitive data. A packet sniffer can take the form of either a hardware or software solution. A sniffer is also known as a packet analyzer.

A software developer is responsible for writing the code on an accounting application. Another software developer is responsible for developing code on a system in human resources. Once a year they have to switch roles for several weeks. Which of the following practices is being implemented? A. Mandatory vacations B. Job rotation C. Least privilege D. Separation of duties

Answer: B Explanation: A job rotation policy defines intervals at which employees must rotate through positions.

A system administrator has noticed that users change their password many times to cycle back to the original password when their passwords expire. Which of the following would BEST prevent this behavior? A. Assign users passwords based upon job role. B. Enforce a minimum password age policy. C. Prevent users from choosing their own passwords. D. Increase the password expiration time frame.

Answer: B Explanation: A minimum password age policy defines the period that a password must be used for before it can be changed.

Which of the following is where an unauthorized device is found allowing access to a network? A. Bluesnarfing B. Rogue access point C. Honeypot D. IV attack

Answer: B Explanation: A rogue access point is a wireless access point that has either been installed on a secure company network without explicit authorization from a local network administrator, or has been created to allow a hacker to conduct a man-in-the-middle attack. Rogue access points of the first kind can pose a security threat to large organizations with many employees, because anyone with access to the premises can install (maliciously or non-maliciously) an inexpensive wireless router that can potentially allow access to a secure network to unauthorized parties. Rogue access points of the second kind target networks that do not employ mutual authentication (client-server server-client) and may be used in conjunction with a rogue RADIUS server, depending on security configuration of the target network. To prevent the installation of rogue access points, organizations can install wireless intrusion prevention systems to monitor the radio spectrum for unauthorized access points.

A security analyst, Ann, is reviewing an IRC channel and notices that a malicious exploit has been created for a frequently used application. She notifies the software vendor and asks them for remediation steps, but is alarmed to find that no patches are available to mitigate this vulnerability. Which of the following BEST describes this exploit? A. Malicious insider threat B. Zero-day C. Client-side attack D. Malicious add-on

Answer: B Explanation: A zero day vulnerability refers to a hole in software that is unknown to the vendor. This security hole is then exploited by hackers before the vendor becomes aware and hurries to fix it—this exploit is called a zero day attack. Uses of zero day attacks can include infiltrating malware, spyware or allowing unwanted access to user information. The term "zero day" refers to the unknown nature of the hole to those outside of the hackers, specifically, the developers. Once the vulnerability becomes known, a race begins for the developer, who must protect users. In this question, there are no patches available to mitigate the vulnerability. This is therefore a zero-day vulnerability.

Which of the following can Peter, a security administrator, use to distribute the processing effort when generating hashes for a password cracking program? A. RAID B. Clustering C. Redundancy D. Virtualization

Answer: B Explanation: Anytime you connect multiple computers to work/act together as a single server, it is known as clustering. Clustered systems utilize parallel processing (improving performance and availability) and add redundancy. Server clustering is used to provide failover capabilities / redundancy in addition to scalability as demand increases.

A hacker has discovered a simple way to disrupt business for the day in a small company which relies on staff working remotely. In a matter of minutes the hacker was able to deny remotely working staff access to company systems with a script. Which of the following security controls is the hacker exploiting? A. DoS B. Account lockout C. Password recovery D. Password complexity

Answer: B Explanation: B: Account lockout automatically disables an account due to repeated failed log on attempts. The hacker must have executed a script to repeatedly try logging on to the remote accounts, forcing the account lockout policy to activate.

Matt, an administrator, is concerned about the wireless network being discovered by war driving. Which of the following can be done to mitigate this? A. Enforce a policy for all users to authenticate through a biometric device. B. Disable all SSID broadcasting. C. Ensure all access points are running the latest firmware. D. Move all access points into public access areas.

Answer: B Explanation: B: War driving is the act of using a detection tool to look for wireless networking signals. The setting making a wireless network closed (or at least hidden) is the disabling of service set identifier (SSID) broadcasting. Thus by disabling all SSID broadcasting you can mitigate the risk of war driving.

A company has two server administrators that work overnight to apply patches to minimize disruption to the company. With the limited working staff, a security engineer performs a risk assessment to ensure the protection controls are in place to monitor all assets including the administrators in case of an emergency. Which of the following should be in place? A. NIDS B. CCTV C. Firewall D. NIPS

Answer: B Explanation: CCTV cameras are an excellent way to deter unwanted activity, and they record the occurrence of the event in case it does happen. Cameras can be placed to watch points of entry, to monitor activities around valuable assets as well as provide additional protection in areas such as parking areas and walkways.

Which of the following security concepts would Emily, the security administrator, use to mitigate the risk of data loss? A. Record time offset B. Clean desk policy C. Cloud computing D. Routine log review

Answer: B Explanation: Clean desk policy: Information on a desk—in terms of printouts, pads of note paper, sticky notes, and the like—can be easily seen by prying eyes and taken by thieving hands. To protect data and your business, encourage employees to maintain clean desks and to leave out only those papers that are relevant to the project they are working on at that moment. All sensitive information should be put away when the employee is away from their desk. This will mitigate the risk of data loss when applied.

The main corporate website has a service level agreement that requires availability 100% of the time, even in the case of a disaster. Which of the following would be required to meet this demand? A. Warm site implementation for the datacenter B. Geographically disparate site redundant datacenter C. Localized clustering of the datacenter D. Cold site implementation for the datacenter

Answer: B Explanation: Data backups, redundant systems, and disaster recovery plans all support availability. In this case, a geographically disparate site redundant datacenter represents 100% availability regardless of whether a disaster event occurs.

During which of the following phases of the Incident Response process should a security administrator define and implement general defense against malware? A. Lessons Learned B. Preparation C. Eradication D. Identification

Answer: B Explanation: Incident response procedures involve: Preparation; Incident identification; Escalation and notification; Mitigation steps; Lessons learned; Reporting; Recover/reconstitution procedures; First responder; Incident isolation (Quarantine; Device removal); Data breach; Damage and loss control. It is important to stop malware before it ever gets hold of a system. Thus you should know which malware is out there and take defensive measures, which means that preparation to guard against malware infection should be done.

Peter, a network administrator, is capturing packets on the network and notices that a large amount of the traffic on the LAN is SIP and RTP protocols. Which of the following should he do to segment that traffic from the other traffic? A. Connect the WAP to a different switch. B. Create a voice VLAN. C. Create a DMZ. D. Set the switch ports to 802.1q mode.

Answer: B Explanation: It is a common and recommended practice to separate voice and data traffic by using VLANs. Separating voice and data traffic using VLANs provides a solid security boundary, preventing data applications from reaching the voice traffic. It also gives you a simpler method to deploy QoS, prioritizing the voice traffic over the data.

After entering the following information into a SOHO wireless router, a mobile device's user reports being unable to connect to the network: PERMIT 0A:D1:FA:B1:03:37 DENY 01:33:7F:AB:10:AB. Which of the following is preventing the device from connecting? A. WPA2-PSK requires a supplicant on the mobile device. B. Hardware address filtering is blocking the device. C. TCP/IP Port filtering has been implemented on the SOHO router. D. IP address filtering has disabled the device from connecting.

Answer: B Explanation: MAC filtering allows you to include or exclude computers and devices based on their MAC address.

Which of the following common access control models is commonly used on systems to ensure a "need to know" based on classification levels? A. Role Based Access Controls B. Mandatory Access Controls C. Discretionary Access Controls D. Access Control List

Answer: B Explanation: Mandatory Access Control allows access to be granted or restricted based on the rules of classification. MAC also includes the use of need to know. Need to know is a security restriction where some objects are restricted unless the subject has a need to know them.

Which of the following tools will allow a technician to detect security-related TCP connection anomalies? A. Logical token B. Performance monitor C. Public key infrastructure D. Trusted platform module

Answer: B Explanation: Performance Monitor in a Windows system can monitor many different 'counters'. For TCP network connections, you can monitor specific TCP-related counters, including the following: Connection Failures; Connections Active; Connections Established; Connections Passive; Connections Reset; Segments Received/sec; Segments Retransmitted/sec; Segments Sent/sec; Total Segments/sec. By monitoring the counters listed above, you will be able to detect security-related TCP connection anomalies.

A recent vulnerability scan found that Telnet is enabled on all network devices. Which of the following protocols should be used instead of Telnet? A. SCP B. SSH C. SFTP D. SSL

Answer: B Explanation: SSH transmits both authentication traffic and data in a secured encrypted form, whereas Telnet transmits both authentication credentials and data in clear text.

Which of the following must a user implement if they want to send a secret message to a coworker by embedding it within an image? A. Transport encryption B. Steganography C. Hashing D. Digital signature

Answer: B Explanation: Steganography is the process of concealing a file, message, image, or video within another file, message, image, or video. Note: The advantage of steganography over cryptography alone is that the intended secret message does not attract attention to itself as an object of scrutiny. Plainly visible encrypted messages, no matter how unbreakable, will arouse interest, and may in themselves be incriminating in countries where encryption is illegal. Thus, whereas cryptography is the practice of protecting the contents of a message alone, steganography is concerned with concealing the fact that a secret message is being sent, as well as concealing the contents of the message.

A network consists of various remote sites that connect back to two main locations. Peter, the security administrator, needs to block TELNET access into the network. Which of the following, by default, would be the BEST choice to accomplish this goal? A. Block port 23 on the L2 switch at each remote site B. Block port 23 on the network firewall C. Block port 25 on the L2 switch at each remote site D. Block port 25 on the network firewall

Answer: B Explanation: Telnet is a terminal-emulation network application that supports remote connectivity for executing commands and running applications but doesn't support transfer of files. Telnet uses TCP port 23. Because it's a clear text protocol and service, it should be avoided and replaced with SSH.

Which of the following provides the strongest authentication security on a wireless network? A. MAC filter B. WPA2 C. WEP D. Disable SSID broadcast

Answer: B Explanation: The Wi-Fi Protected Access (WPA) and Wi-Fi Protected Access 2 (WPA2) authentication protocols were designed to address the core, easy-to-crack problems of WEP.

A trojan was recently discovered on a server. There are now concerns that there has been a security breach that allows unauthorized people to access data. The administrator should be looking for the presence of a/an: A. Logic bomb. B. Backdoor. C. Adware application. D. Rootkit.

Answer: B Explanation: There has been a security breach on a computer system. The security administrator should now check for the existence of a backdoor. A backdoor in a computer system (or cryptosystem or algorithm) is a method of bypassing normal authentication, securing unauthorized remote access to a computer, obtaining access to plaintext, and so on, while attempting to remain undetected. The backdoor may take the form of an installed program (e.g., Back Orifice) or may subvert the system through a rootkit. A backdoor in a login system might take the form of a hard coded user and password combination which gives access to the system. Although the number of backdoors in systems using proprietary software (software whose source code is not publicly available) is not widely credited, they are nevertheless frequently exposed. Programmers have even succeeded in secretly installing large amounts of benign code as Easter eggs in programs, although such cases may involve official forbearance, if not actual permission. Many computer worms, such as Sobig and Mydoom, install a backdoor on the affected computer (generally a PC on broadband running Microsoft Windows and Microsoft Outlook). Such backdoors appear to be installed so that spammers can send junk e-mail from the infected machines. Others, such as the Sony/BMG rootkit distributed silently on millions of music CDs through late 2005, are intended as DRM measures—and, in that case, as data gathering agents, since both surreptitious programs they installed routinely contacted central servers.

Recent data loss on financial servers due to security breaches forced the system administrator to harden their systems. Which of the following algorithms with transport encryption would be implemented to provide the MOST secure web connections to manage and access these servers? A. SSL B. TLS C. HTTP D. FTP

Answer: B Explanation: Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL), are cryptographic protocols designed to provide communications security over a computer network. Transport Layer Security (TLS) is a security protocol that expands upon SSL. Many industry analysts predict that TLS will replace SSL in the future. TLS 1.0 was first defined in RFC 2246 in January 1999 as an upgrade of SSL Version 3.0. As of February 2015, the latest versions of all major web browsers support TLS 1.0, 1.1, and 1.2, and have them enabled by default.

Connections using point-to-point protocol authenticate using which of the following? (Select TWO). A. RIPEMD B. PAP C. CHAP D. RC4 E. Kerberos

Answer: B,C Explanation: B: A password authentication protocol (PAP) is an authentication protocol that uses a password. PAP is used by Point to Point Protocol to validate users before allowing them access to server resources. C: CHAP is an authentication scheme used by Point to Point Protocol (PPP) servers to validate the identity of remote clients. CHAP periodically verifies the identity of the client by using a three-way handshake.

Which of the following ports should be opened on a firewall to allow for NetBIOS communication? (Select TWO). A. 110 B. 137 C. 139 D. 143 E. 161 F. 443

Answer: B,C Explanation: NetBIOS provides four distinct services: Name service for name registration and resolution (port: 137/udp); Name service for name registration and resolution (port: 137/tcp); Datagram distribution service for connectionless communication (port: 138/udp); Session service for connection-oriented communication (port: 139/tcp).

Identifying residual risk is MOST important to which of the following concepts? A. Risk deterrence B. Risk acceptance C. Risk mitigation D. Risk avoidance

Answer: C

A company wants to ensure that its hot site is prepared and functioning. Which of the following would be the BEST process to verify the backup datacenter is prepared for such a scenario? A. Site visit to the backup data center B. Disaster recovery plan review C. Disaster recovery exercise D. Restore from backup

Answer: C Explanation: A hot site is a location that can provide operations within hours of a failure. This type of site would have servers, networks, and telecommunications equipment in place to reestablish service in a short time. Hot sites provide network connectivity, systems, and preconfigured software to meet the needs of an organization. This means that an actual exercise run would test the abilities of your hot site best.

The Chief Security Officer (CSO) is concerned about misuse of company assets and wishes to determine who may be responsible. Which of the following would be the BEST course of action? A. Create a single, shared user account for every system that is audited and logged based upon time of use. B. Implement a single sign-on application on equipment with sensitive data and high-profile shares. C. Enact a policy that employees must use their vacation time in a staggered schedule. D. Separate employees into teams led by a person who acts as a single point of contact for observation purposes.

Answer: C Explanation: A policy that states employees should use their vacation time in a staggered schedule is a way of employing mandatory vacations. A mandatory vacation policy requires all users to take time away from work while others step in and do the work of that employee on vacation. This will afford the CSO the opportunity to see who is using the company assets responsibly and who is abusing it.

Which of the following attacks could be used to initiate a subsequent man-in-the-middle attack? A. ARP poisoning B. DoS C. Replay D. Brute force

Answer: C Explanation: A replay attack (also known as playback attack) is a form of network attack in which a valid data transmission is maliciously or fraudulently repeated or delayed. This is carried out either by the originator or by an adversary who intercepts the data and retransmits it, possibly as part of a masquerade attack by IP packet substitution (such as stream cipher attack). For example: Suppose Alice wants to prove her identity to Bob. Bob requests her password as proof of identity, which Alice dutifully provides (possibly after some transformation like a hash function); meanwhile, Eve is eavesdropping on the conversation and keeps the password (or the hash). After the interchange is over, Eve (posing as Alice) connects to Bob; when asked for a proof of identity, Eve sends Alice's password (or hash) read from the last session, which Bob accepts, thus granting access to Eve. Countermeasures: A way to avoid replay attacks is by using session tokens: Bob sends a one-time token to Alice, which Alice uses to transform the password and send the result to Bob (e.g. computing a hash function of the session token appended to the password). On his side Bob performs the same computation; if and only if both values match, the login is successful. Now suppose Eve has captured this value and tries to use it on another session; Bob sends a different session token, and when Eve replies with the captured value it will be different from Bob's computation. Session tokens should be chosen by a (pseudo-) random process. Otherwise Eve may be able to pose as Bob, presenting some predicted future token, and convince Alice to use that token in her transformation. Eve can then replay her reply at a later time (when the previously predicted token is actually presented by Bob), and Bob will accept the authentication. One-time passwords are similar to session tokens in that the password expires after it has been used or after a very short amount of time. They can be used to authenticate individual transactions in addition to sessions. The technique has been widely implemented in personal online banking systems. Bob can also send nonces but should then include a message authentication code (MAC), which Alice should check. Timestamping is another way of preventing a replay attack. Synchronization should be achieved using a secure protocol. For example, Bob periodically broadcasts the time on his clock together with a MAC. When Alice wants to send Bob a message, she includes her best estimate of the time on his clock in her message, which is also authenticated. Bob only accepts messages for which the timestamp is within a reasonable tolerance. The advantage of this scheme is that Bob does not need to generate (pseudo-) random numbers, with the trade-off being that replay attacks, if they are performed quickly enough, i.e. within that 'reasonable' limit, could succeed.

A user ID and password together provide which of the following? A. Authorization B. Auditing C. Authentication D. Identification

Answer: C Explanation: Authentication generally requires one or more of the following: Something you know: a password, code, PIN, combination, or secret phrase. Something you have: a smart card, token device, or key. Something you are: a fingerprint, a retina scan, or voice recognition; often referred to as biometrics. Somewhere you are: a physical or logical location. Something you do: typing rhythm, a secret handshake, or a private knock.

Which of the following should Jane, a security administrator, perform before a hard drive is analyzed with forensics tools? A. Identify user habits B. Disconnect system from network C. Capture system image D. Interview witnesses

Answer: C Explanation: Capturing an image of the operating system in its exploited state can be helpful in revisiting the issue after the fact to learn more about it. This is helpful in much the same way that a virus sample is kept in laboratories to study later after a breakout. Also, you should act in the order of volatility, which states that the system image capture is first on the list of a forensic analysis.

A compromised workstation utilized in a Distributed Denial of Service (DDOS) attack has been removed from the network and an image of the hard drive has been created. However, the system administrator stated that the system was left unattended for several hours before the image was created. In the event of a court case, which of the following is likely to be an issue with this incident? A. Eye Witness B. Data Analysis of the hard drive C. Chain of custody D. Expert Witness

Answer: C Explanation: Chain of custody deals with how evidence is secured, where it is stored, and who has access to it. When you begin to collect evidence, you must keep track of that evidence at all times and show who has it, who has seen it, and where it has been. The evidence must always be within your custody, or you're open to dispute about possible evidence tampering.

The network administrator is responsible for promoting code to applications on a DMZ web server. Which of the following processes is being followed to ensure application integrity? A. Application hardening B. Application firewall review C. Application change management D. Application patch management

Answer: C Explanation: Change management is the structured approach that is followed to secure a company's assets. Promoting code to applications on a DMZ web server would be change management.

Matt, a security analyst, needs to select an asymmetric encryption method that allows for the same level of encryption strength with a lower key length than is typically necessary. Which of the following encryption methods offers this capability? A. Twofish B. Diffie-Hellman C. ECC D. RSA

Answer: C Explanation: Elliptic curve cryptography (ECC) is an approach to public-key cryptography based on the algebraic structure of elliptic curves over finite fields. One of the main benefits in comparison with non-ECC cryptography (with plain Galois fields as a basis) is the same level of security provided by keys of smaller size.

Which of the following is an attack vector that can cause extensive physical damage to a datacenter without physical access? A. CCTV system access B. Dial-up access C. Changing environmental controls D. Ping of death

Answer: C Explanation: Environmental systems include heating, air conditioning, humidity control, fire suppression, and power systems. All of these functions are critical to a well-designed physical plant. A computer room will typically require full-time environmental control. Changing any of these controls (when it was set to its optimum values) will result in damage.

Which of the following software allows a network administrator to inspect the protocol header in order to troubleshoot network issues? A. URL filter B. Spam filter C. Packet sniffer D. Switch

Answer: C Explanation: Every data packet transmitted across a network has a protocol header. To view a protocol header, you need to capture and view the contents of the packet with a packet sniffer. A sniffer (packet sniffer) is a tool that intercepts data flowing in a network. If computers are connected to a local area network that is not filtered or switched, the traffic can be broadcast to all computers contained in the same segment. This doesn't generally occur, since computers are generally told to ignore all the comings and goings of traffic from other computers. However, in the case of a sniffer, all traffic is shared when the sniffer software commands the Network Interface Card (NIC) to stop ignoring the traffic. The NIC is put into promiscuous mode, and it reads communications between computers within a particular segment. This allows the sniffer to seize everything that is flowing in the network, which can lead to the unauthorized access of sensitive data. A packet sniffer can take the form of either a hardware or software solution. A sniffer is also known as a packet analyzer.

Emily, a user, downloads a keygen to install pirated software. After running the keygen, system performance is extremely slow and numerous antivirus alerts are displayed. Which of the following BEST describes this type of malware? A. Logic bomb B. Worm C. Trojan D. Adware

Answer: C Explanation: In computers, a Trojan is a program in which malicious or harmful code is contained inside apparently harmless programming or data in such a way that it can get control and do its chosen form of damage, such as ruining the file allocation table on your hard disk. In one celebrated case, a Trojan was a program that was supposed to find and destroy computer viruses. A Trojan horse may be widely redistributed as part of a computer virus.

A software development company has hired a programmer to develop a plug-in module to an existing proprietary application. After completing the module, the developer needs to test the entire application to ensure that the module did not introduce new vulnerabilities. Which of the following is the developer performing when testing the application? A. Black box testing B. White box testing C. Gray box testing D. Design review

Answer: C Explanation: In this question, we know the tester has some knowledge of the application because the tester developed a plug-in module for it. However, the tester does not have detailed information about the entire application. Therefore, this is a grey-box test. Gray box testing, also called gray box analysis, is a strategy for software debugging in which the tester has limited knowledge of the internal details of the program. A gray box is a device, program or system whose workings are partially understood. Gray box testing can be contrasted with black box testing, a scenario in which the tester has no knowledge or access to the internal workings of a program, or white box testing, a scenario in which the internal particulars are fully known. Gray box testing is commonly used in penetration tests. Gray box testing is considered to be non-intrusive and unbiased because it does not require that the tester have access to the source code. With respect to internal processes, gray box testing treats a program as a black box that must be analyzed from the outside. During a gray box test, the person may know how the system components interact but not have detailed knowledge about internal program functions and operation. A clear distinction exists between the developer and the tester, thereby minimizing the risk of personnel conflicts.

Requiring technicians to report spyware infections is a step in which of the following? A. Routine audits B. Change management C. Incident management D. Clean desk policy

Answer: C Explanation: Incident management refers to the steps followed when events occur (making sure controls are in place to prevent unauthorized access to, and changes of, all IT assets).

Which of the following has serious security implications for large organizations and can potentially allow an attacker to capture conversations? A. Subnetting B. NAT C. Jabber D. DMZ

Answer: C Explanation: Jabber is a new unified communications application and could possibly expose you to attackers that want to capture conversations because Jabber provides a single interface across presence, instant messaging, voice, video messaging, desktop sharing and conferencing.

Which of the following helps to establish an accurate timeline for a network intrusion? A. Hashing images of compromised systems B. Reviewing the date of the antivirus definition files C. Analyzing network traffic and device logs D. Enforcing DLP controls at the perimeter

Answer: C Explanation: Network activity as well as intrusion can be viewed on device logs and by analyzing the network traffic that passed through your network. Thus to establish an accurate timeline for a network intrusion you can look at and analyze the device logs and network traffic to yield the appropriate information.

Ann, a technician, received a spear-phishing email asking her to update her personal information by clicking the link within the body of the email. Which of the following types of training would prevent Ann and other employees from becoming victims to such attacks? A. User Awareness B. Acceptable Use Policy C. Personal Identifiable Information D. Information Sharing

Answer: C Explanation: Personally identifiable information (PII) is a catchall for any data that can be used to uniquely identify an individual. This data can be anything from the person's name to a fingerprint (think biometrics), credit card number, or patient record. Employees should be made aware of this type of attack by means of training.

Ann is a member of the Sales group. She needs to collaborate with Peter, a member of the IT group, to edit a file. Currently, the file has the following permissions: Ann: read/write; Sales Group: read; IT Group: no access. If a discretionary access control list is in place for the files owned by Ann, which of the following would be the BEST way to share the file with Peter? A. Add Peter to the Sales group. B. Have the system administrator give Peter full access to the file. C. Give Peter the appropriate access to the file directly. D. Remove Peter from the IT group and add him to the Sales group.

Answer: C Explanation: Peter needs access to only one file. He also needs to 'edit' that file. Editing a file requires Read and Write access to the file. The best way to provide Peter with the minimum required permissions to edit the file would be to give Peter the appropriate access to the file directly.

A security analyst is reviewing firewall logs while investigating a compromised web server. The following ports appear in the log: 22, 25, 445, 1433, 3128, 3389, 6667. Which of the following protocols was used to access the server remotely? A. LDAP B. HTTP C. RDP D. HTTPS

Answer: C Explanation: RDP uses TCP port 3389.

A security administrator is tasked with calculating the total ALE on servers. In a two year period of time, a company has to replace five servers. Each server replacement has cost the company $4,000 with downtime costing $3,000. Which of the following is the ALE for the company? A. $7,000 B. $10,000 C. $17,500 D. $35,000

Answer: C Explanation: SLE × ARO = ALE, where SLE is equal to asset value (AV) times exposure factor (EF), and ARO is the annualized rate of occurrence. SLE = ($4,000 + $3,000) × 5 = $35,000. ARO = 2 years; thus per year it would be 50% = 0.5. The ALE is thus $35,000 × 0.5 = $17,500.

Visible security cameras are considered to be which of the following types of security controls? A. Technical B. Compensating C. Deterrent D. Administrative

Answer: C Explanation: Since a deterrent access control method is designed to discourage the violation of security policies, a camera can be used to discourage individuals from taking unwanted action.

A company administrator has a firewall with an outside interface connected to the Internet and an inside interface connected to the corporate network. Which of the following should the administrator configure to redirect traffic destined for the default HTTP port on the outside interface to an internal server listening on port 8080? A. Create a dynamic PAT from port 80 on the outside interface to the internal interface on port B. Create a dynamic NAT from port 8080 on the outside interface to the server IP address on port C. Create a static PAT from port 80 on the outside interface to the internal interface on port 8080 D. Create a static PAT from port 8080 on the outside interface to the server IP address on port 80

Answer: C Explanation: Static PAT translations allow a specific UDP or TCP port on a global address to be translated to a specific port on a local address. In this case, the default HTTP port (80) is the global address to be translated, and port 8080 is the specific port on a local address. Incorrect Options: A: Dynamic PAT is not a valid type of PAT. B: Dynamic NAT translates a group of real addresses to a pool of mapped addresses that are routable on the destination network. The question also states that the internal server is listening on port 8080. D: The question states that the internal server is listening on port 8080.

A security analyst discovered data such as images and word documents hidden within different types of files. Which of the following cryptographic concepts describes what was discovered? A. Symmetric encryption B. Non-repudiation C. Steganography D. Hashing

Answer: C Explanation: Steganography is the process of concealing a file, message, image, or video within another file, message, image, or video. Note: The advantage of steganography over cryptography alone is that the intended secret message does not attract attention to itself as an object of scrutiny. Plainly visible encrypted messages, no matter how unbreakable, will arouse interest, and may in themselves be incriminating in countries where encryption is illegal. Thus, whereas cryptography is the practice of protecting the contents of a message alone, steganography is concerned with concealing the fact that a secret message is being sent, as well as concealing the contents of the message.

Users need to exchange a shared secret to begin communicating securely. Which of the following is another name for this symmetric key? A. Session Key B. Public Key C. Private Key D. Digital Signature

Answer: C Explanation: Symmetric algorithms require both ends of an encrypted message to have the same key and processing algorithms. Symmetric algorithms generate a secret key that must be protected. A symmetric key, sometimes referred to as a secret key or private key, is a key that isn't disclosed to people who aren't authorized to use the encryption system.

A system administrator has noticed a vulnerability on a high impact production server. A recent update was made available by the vendor that addresses the vulnerability but requires a reboot of the system afterwards. Which of the following steps should the system administrator implement to address the vulnerability? A. Test the update in a lab environment, schedule downtime to install the patch, install the patch and reboot the server and monitor for any changes B. Test the update in a lab environment, backup the server, schedule downtime to install the patch, install the patch, and monitor for any changes C. Test the update in a lab environment, backup the server, schedule downtime to install the patch, install the update, reboot the server, and monitor for any changes D. Backup the server, schedule downtime to install the patch, install the patch and monitor for any changes

Answer: C Explanation: We have an update to apply to fix the vulnerability. The update should be tested first in a lab environment, not on the production server to ensure it doesn't cause any other problems with the server. After testing the update, we should backup the server to enable us to roll back any changes in the event of any unforeseen problems with the update. The question states that the server will require a reboot. This will result in downtime so you should schedule the downtime before installing the patch. After installing the update, you should monitor the server to ensure it is functioning correctly.

The security administrator runs an rpm verify command which records the MD5 sum, permissions, and timestamp of each file on the system. The administrator saves this information to a separate server. Which of the following describes the procedure the administrator has performed? A. Host software base-lining B. File snapshot collection C. TPM D. ROMDB verification

Answer: D

Which of the following incident response plan steps would MOST likely engage business professionals with the security team to discuss changes to existing procedures? A. Recovery B. Incident identification C. Isolation / quarantine D. Lessons learned E. Reporting

Answer: D

Which of the following transport encryption protocols should be used to ensure maximum security between a web browser and a web server? A. SSLv2 B. SSHv1 C. RSA D. TLS

Answer: D Explanation: HTTP Secure (HTTPS) is the protocol used for "secure" web pages that users should see when they must enter personal information such as credit card numbers, passwords, and other identifiers. It combines HTTP with SSL/TLS to provide encrypted communication. Transport Layer Security (TLS) is a security protocol that expands upon SSL. Many industry analysts predict that TLS will replace SSL, and it is also referred to as SSL 3.1.

A security administrator needs a locally stored record to remove the certificates of a terminated employee. Which of the following describes a service that could meet these requirements? A. OCSP B. PKI C. CA D. CRL

Answer: D Explanation: A CRL is a locally stored record containing revoked certificates and revoked keys.

A company has recently allowed employees to take advantage of BYOD by installing WAPs throughout the corporate office. An employee, Peter, has recently begun to view inappropriate material at work using his personal laptop. When confronted, Peter indicated that he was never told that he could not view that type of material on his personal laptop. Which of the following should the company have employees acknowledge before allowing them to access the corporate WLAN with their personal devices? A. Privacy Policy B. Security Policy C. Consent to Monitoring Policy D. Acceptable Use Policy

Answer: D Explanation: Acceptable use policies (AUPs) describe how the employees in an organization can use company systems and resources, both software and hardware.

Which of the following is the MOST specific plan for various problems that can arise within a system? A. Business Continuity Plan B. Continuity of Operation Plan C. Disaster Recovery Plan D. IT Contingency Plan

Answer: D Explanation: An IT contingency plan would focus on the IT aspect in particular to ensure business continuity.

Which of the following devices is BEST suited to protect an HTTP-based application that is susceptible to injection attacks? A. Protocol filter B. Load balancer C. NIDS D. Layer 7 firewall

Answer: D Explanation: An application-level gateway firewall filters traffic based on user access, group membership, the application or service used, or even the type of resources being transmitted. This type of firewall operates at the Application layer (Layer 7) of the OSI model.

A company has 5 users. Users 1, 2 and 3 need access to payroll and users 3, 4 and 5 need access to sales. Which of the following should be implemented to give the appropriate access while enforcing least privilege? A. Assign individual permissions to users 1 and 2 for payroll. Assign individual permissions to users 4 and 5 for sales. Make user 3 an administrator. B. Make all users administrators and then restrict users 1 and 2 from sales. Then restrict users 4 and 5 from payroll. C. Create two additional generic accounts, one for payroll and one for sales that users utilize. D. Create a sales group with users 3, 4 and 5. Create a payroll group with users 1, 2 and 3.

Answer: D Explanation: Assigning permissions to a group requires less effort than assigning permissions to individual users. When you have groups configured with the appropriate permissions, you can grant the permissions to individual users by adding the users to the groups. Users can be members of multiple groups and therefore have multiple sets of permissions assigned to them. In this answer, user 3 is a member of both groups, which grants the user permission to both Sales and Payroll.

Computer evidence at a crime scene is documented with a tag stating who had possession of the evidence at a given time. Which of the following does this illustrate? A. System image capture B. Record time offset C. Order of volatility D. Chain of custody

Answer: D Explanation: Chain of custody deals with how evidence is secured, where it is stored, and who has access to it. When you begin to collect evidence, you must keep track of that evidence at all times and show who has it, who has seen it, and where it has been.

A security administrator must implement a network authentication solution which will ensure encryption of user credentials when users enter their username and password to authenticate to the network. Which of the following should the administrator implement? A. WPA2 over EAP-TTLS B. WPA-PSK C. WPA2 with WPS D. WEP over EAP-PEAP

Answer: D Explanation: Wired Equivalent Privacy (WEP) is designed to provide security equivalent to that of a wired network. WEP has vulnerabilities and isn't considered highly secure. Extensible Authentication Protocol (EAP) provides a framework for authentication that is often used with wireless networks. Among the five EAP types adopted by the WPA/WPA2 standard are EAP-TLS, EAP-PSK, EAP-MD5, as well as LEAP and PEAP. PEAP is similar in design to EAP-TTLS, requiring only a server-side PKI certificate to create a secure TLS tunnel to protect user authentication, and uses server-side public key certificates to authenticate the server. It then creates an encrypted TLS tunnel between the client and the authentication server. In most configurations, the keys for this encryption are transported using the server's public key. The ensuing exchange of authentication information inside the tunnel to authenticate the client is then encrypted and user credentials are safe from eavesdropping.

A company is trying to limit the risk associated with the use of unapproved USB devices to copy documents. Which of the following would be the BEST technology control to use in this scenario? A. Content filtering B. IDS C. Audit logs D. DLP

Answer: D Explanation: Data loss prevention (DLP) is a strategy for making sure that end users do not send sensitive or critical information outside the corporate network. The term is also used to describe software products that help a network administrator control what data end users can transfer.

A system administrator needs to ensure that certain departments have more restrictive controls to their shared folders than other departments. Which of the following security controls would be implemented to restrict those departments? A. User assigned privileges B. Password disablement C. Multiple account creation D. Group based privileges

Answer: D Explanation: Group-based privileges assign privileges or access to a resource to all members of a group. Group-based access control grants every member of the group the same level of access to a specific object.

Review the following diagram depicting communication between PC1 and PC2 on each side of a router. Analyze the network traffic logs which show communication between the two computers as captured by the computer with IP 10.2.2.10.
DIAGRAM
PC1 [192.168.1.30] [INSIDE 192.168.1.1 router OUTSIDE 10.2.2.1] [10.2.2.10] PC2
LOGS
10:30:22, SRC 10.2.2.1:3030, DST 10.2.2.10:80, SYN
10:30:23, SRC 10.2.2.10:80, DST 10.2.2.1:3030, SYN/ACK
10:30:24, SRC 10.2.2.1:3030, DST 10.2.2.10:80, ACK
Given the above information, which of the following can be inferred about the above environment? A. 192.168.1.30 is a web server. B. The web server listens on a non-standard port. C. The router filters port 80 traffic. D. The router implements NAT.

Answer: D Explanation: Network address translation (NAT) allows you to share a connection to the public Internet via a single interface with a single public IP address. NAT maps the private addresses to the public address. In a typical configuration, a local network uses one of the designated "private" IP address subnets. A router on that network has a private address (192.168.1.1) in that address space, and is also connected to the Internet with a "public" address (10.2.2.1) assigned by an Internet service provider.

The IT department has installed new wireless access points but discovers that the signal extends far into the parking lot. Which of the following actions should be taken to correct this? A. Disable the SSID broadcasting B. Configure the access points so that MAC filtering is not used C. Implement WEP encryption on the access points D. Lower the power for office coverage only

Answer: D Explanation: On the chance that the signal is actually traveling too far, some access points include power level controls, which allow you to reduce the amount of output provided.

Which of the following provides the best fault tolerance for data at the LOWEST cost? A. Load balancing B. Clustering C. Server virtualization D. RAID 6

Answer: D Explanation: RAID, or redundant array of independent disks, allows your existing servers to have more than one hard drive so that if the main hard drive fails, the system keeps functioning. RAID can achieve fault tolerance using software, which can be done using the existing hardware and software, thus representing the lowest cost option.

A company recently experienced data loss when a server crashed due to a midday power outage. Which of the following should be used to prevent this from occurring again? A. Recovery procedures B. EMI shielding C. Environmental monitoring D. Redundancy

Answer: D Explanation: Redundancy refers to systems that either are duplicated or fail over to other systems in the event of a malfunction (in this case a power outage). Failover refers to the process of reconstructing a system or switching over to other systems when a failure is detected. In the case of a server, the server switches to a redundant server when a fault is detected. This strategy allows service to continue uninterrupted until the primary server can be restored.

Which of the following will allow Peter, a security analyst, to trigger a security alert because of a tracking cookie? A. Network based firewall B. Anti-spam software C. Host based firewall D. Anti-spyware software

Answer: D Explanation: Spyware monitors a user's activity and uses network protocols to report it to a third party without the user's knowledge. This is usually accomplished using a tracking cookie.

Which of the following protocols uses TCP instead of UDP and is incompatible with all previous versions? A. TACACS B. XTACACS C. RADIUS D. TACACS+

Answer: D Explanation: TACACS+ is not compatible with TACACS and XTACACS, and makes use of TCP.

When an order was submitted via the corporate website, an administrator noted special characters (e.g., ";-" and "or 1=1 -") were input instead of the expected letters and numbers. Which of the following is the MOST likely reason for the unusual results? A. The user is attempting to hijack the web server session using an open-source browser. B. The user has been compromised by a cross-site scripting attack (XSS) and is part of a botnet performing DDoS attacks. C. The user is attempting to fuzz the web server by entering foreign language characters which are incompatible with the website. D. The user is sending malicious SQL injection strings in order to extract sensitive company or customer data via the website.

Answer: D Explanation: The code in the question is an example of a SQL Injection attack. The code '1=1' will always provide a value of true. This can be included in a statement designed to return all rows in a SQL table. SQL injection is a code injection technique, used to attack data-driven applications, in which malicious SQL statements are inserted into an entry field for execution (e.g. to dump the database contents to the attacker). SQL injection must exploit a security vulnerability in an application's software, for example, when user input is either incorrectly filtered for string literal escape characters embedded in SQL statements or user input is not strongly typed and unexpectedly executed. SQL injection is mostly known as an attack vector for websites but can be used to attack any type of SQL database.

A company hosts its public websites internally. The administrator would like to make some changes to the architecture. The three goals are:
1. reduce the number of public IP addresses in use by the web servers
2. drive all the web traffic through a central point of control
3. mitigate automated attacks that are based on IP address scanning
Which of the following would meet all three goals? A. Firewall B. Load balancer C. URL filter D. Reverse proxy

Answer: D Explanation: The purpose of a proxy server is to serve as a proxy or middle man between clients and servers. Using a reverse proxy you will be able to meet the three stated goals.

Peter, a security engineer, is trying to inventory all servers in a rack. The engineer launches RDP sessions to five different PCs and notices that the hardware properties are similar. Additionally, the MAC addresses of all five servers appear on the same switch port. Which of the following is MOST likely the cause? A. The system is running 802.1x. B. The system is using NAC. C. The system is in active-standby mode. D. The system is virtualized.

Answer: D Explanation: Virtualization allows a single set of hardware to host multiple virtual machines.

Which of the following solutions provides the most flexibility when testing new security controls prior to implementation? A. Trusted OS B. Host software baselining C. OS hardening D. Virtualization

Answer: D Explanation: Virtualization is used to host one or more operating systems in the memory of a single host computer and allows multiple operating systems to run simultaneously on the same hardware. Virtualization offers the flexibility of quickly and easily making backups of entire virtual systems, and quickly recovering the virtual system when errors occur. Furthermore, malicious code compromises of virtual systems rarely affect the host system, which allows for safer testing and experimentation.

