Percipio Sec+ SY0-601 PT


Your company has decided to deploy a new wireless network at a branch office. This branch office is located in a busy commercial district. Management has asked you to fully assess the external vulnerabilities of the wireless network before it is deployed. Which three conditions should you assess? (Choose three.) A) Antenna placement B) Number of users C) Access point strength D) Captive portals E) Antenna type F) Speed of connection

A) Antenna placement C) Access point strength E) Antenna type Explanation: Antenna type (such as the use of directional versus omnidirectional antennas) plays an important role in protecting a wireless network. Using a directional antenna can limit the area that is covered by the antenna. Antenna placement will also have an effect on the vulnerabilities of a wireless system. Antennas should be placed as far away from exterior walls as possible. Otherwise, the signal will go outside the building. This allows anyone outside the building to attach to your network. That is why RADIUS and other technologies are required for wireless networks. The strength of the access points should be adjusted to a level that is just strong enough for the operation of the network, but not so strong that signals escape to the outside of the building. You should reduce power levels for better security to ensure that the signal does not extend beyond its needed range.

You are building a public-access Wi-Fi system for a new hotel. You want to require the users to accept a fair use policy before connecting to the Internet. Which of the following should you implement? A) Captive portal B) RADIUS federation C) 802.1x D) WPS

A) Captive portal Explanation: Captive portals are associated with public-access Wi-Fi networks. Once you select the network, you are directed to a web page. There, you typically have to sign on and agree to a policy such as an acceptable use or fair use policy. Once your agreement is accepted, you can use the network. These portals are typically found in a public place, such as a hotel, coffee shop, or airport. None of the other options would force users to accept a fair use policy before connecting to the Internet. Wi-Fi Protected Setup (WPS) allows a wireless access point to broadcast a PIN, which connecting devices use for authentication. It is not a difficult task to break the PIN using a packet sniffer. IEEE 802.1x is a standard for network access control. It allows you to apply security to an individual port on a switch, with the result that only authenticated users are allowed access to that port. RADIUS Federation is a group of RADIUS servers that assist with network roaming and will validate the login credentials of a user belonging to another RADIUS server's network. For the Security+ exam, you also need to understand EAP-FAST, EAP-TLS, and EAP-TTLS. Extensible Authentication Protocol-Flexible Authentication via Secure Tunneling (EAP-FAST) is used in wireless and point-to-point networks. EAP manages key transmissions, and FAST creates a TLS tunnel to be used in authentication through a protected access credential.

You are about to begin a forensic investigation. Which of the following is NOT part of the investigation? A) Follow the incident response plan. B) Capture a system image. C) Perform network traffic and log analysis. D) Capture video.

A) Follow the incident response plan. Explanation: Following an incident response plan is NOT part of an investigation. An incident response plan describes how to respond to various types of security incidents, but it is not part of the forensic investigation. All of the other options are part of an investigation. In summary, the rules for forensic investigation are: Follow order of volatility rules. Capture a system image. Get copies of both a network traffic capture and logs. Ensure that the correct record time offset is obtained so that any recordings can be calibrated together. Take hashes of all files and images. Record the appropriate screenshots. Record any witnesses, including contact information. Keep track of the man-hours and expense involved in the forensic process. Obtain and preserve any video capture that exists, including computer video and CCTV. Perform big data analysis.

To gain more insight into activities performed on your network hosts, you can enable and configure application monitoring through logging. Application logs are useful for forensics, activity auditing, and compliance. Which of the following application logs should you enable for forensics investigations on user workstations? (Choose all that apply.) A) HIPS B) DHCP C) SSH D) Antivirus E) Browser F) Database

A) HIPS D) Antivirus E) Browser Explanation: Analyzing the logs from your antivirus software can be incredibly helpful to identify situations when the antivirus detects a malicious presence but fails to clean it automatically. A characteristic log message is then generated by most mainstream antivirus vendor programs in these situations. This log may be the only indication that the host is infected with some sort of malware. These logs can also be useful for detecting the incidents where the malware tries to damage an antivirus tool or interfere with its update process, thereby preventing the virus signatures from being updated on the host. Browser logs can be helpful for auditing user behavior online. Especially for forensic investigations where understanding user actions and behavior is paramount, analyzing application logs pertaining to the browsers on the workstation is extremely important. A host-based intrusion prevention system (HIPS) is a system or program installed on a workstation or endpoint to protect crucial computer systems and data from malware and data exfiltration. HIPS is the same concept as its counterpart NIPS (network intrusion prevention system), except that a HIPS operates on the host level instead of on the entire network.

Given the following IP header in a Wireshark capture:

0100 .... = Version: 4
.... 0101 = Header Length: 20 bytes (5)
Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)
0000 00.. = Differentiated Services Codepoint: Default (0)
.... ..00 = Explicit Congestion Notification: Not ECN-Capable Transport (0)
Total Length: 150
Identification: 0x6131 (24881)
Flags: 0x4000, Don't fragment
0... .... .... .... = Reserved bit: Not set
.1.. .... .... .... = Don't fragment: Set
..0. .... .... .... = More fragments: Not set
...0 0000 0000 0000 = Fragment offset: 0
Time to live: 128
Protocol: TCP (6)
Header checksum: 0x15cd [validation disabled]
[Header checksum status: Unverified]
Source: 192.168.1.14
Destination: 192.168.1.5

Which version of IP addressing is used by the packet? A) IPv4 B) UDP C) IPv6 D) TCP

A) IPv4 Explanation: The version of addressing used by the packet is IPv4. The version is specified explicitly in the header as the first four bits, which identify the IP version. Version 6 is represented in binary as 0110, while version 4 is 0100. The source and destination addresses are also in the dotted quad format associated with IPv4.

Management has decided to install a network-based intrusion detection system (NIDS). What is the primary advantage of using this device? A) It is low maintenance. B) It has a high throughput of the individual workstations on the network. C) It launches no counterattack on the intruder. D) It has the ability to analyze encrypted information.

A) It is low maintenance. Explanation: The primary advantage of an NIDS is the low maintenance involved in analyzing traffic in the network. An NIDS is easy and economical to manage because the signatures are not configured on all the hosts in a network segment. Configuration usually occurs at a single system, rather than on multiple systems. By contrast, host-based intrusion detection systems (HIDSs) are difficult to configure and monitor because the intrusion detection agent must be installed on each individual workstation of a given network segment. HIDSs are configured to use the operating system audit logs and system logs, while NIDSs actually examine the network packets. Individual hosts do not need real-time monitoring because intrusion is monitored on the network segment on which the NIDS is placed, and not on individual workstations. An NIDS is not capable of analyzing encrypted information. For example, the packets that travel through a Virtual Private Network (VPN) tunnel cannot be analyzed by the NIDS. The lack of this capability is a primary disadvantage of an NIDS. The throughput of the workstations in a network does not depend on the NIDS installed in the network. Factors such as the processor speed, memory, and bandwidth allocated affect the throughput of workstations. The performance of an NIDS can be affected in a switched network environment because the NIDS will not be able to properly analyze traffic on network segments on which it does not reside. An HIDS is not adversely affected by a switched network because it is primarily concerned with monitoring traffic on individual computers.

You are performing a comprehensive penetration test across a wide variety of network devices. Which tool provides an extensible range of automated exploits that can be used for any type of application? A) Metasploit Framework B) RainbowCrack C) OWASP ZAP D) Burpsuite

A) Metasploit Framework Explanation: The Metasploit Framework is a project developed and maintained by Rapid7, which is used by computer security experts to discover information about security vulnerabilities and aids in penetration testing and IDS signature development. It is used as a penetration testing platform that facilitates the writing, testing, and executing of exploit code against known vulnerabilities. Using the Metasploit program and its suite of tools, you are able to send exploits directly to a target machine to test vulnerabilities, enumerate networks, execute attacks easily, evade detection, and much more.

You are investigating the email metadata associated with a phishing attempt. Which field in the email header is most likely to help locate where the email originated? A) Received B) From C) References D) Reply-to

A) Received Explanation: The Received field contains tracking information generated by each mail server that has handled the message and is most likely to provide investigators with clues as to where the email originated. The References field indicates any messages related to this one and is found in replies. The Reply-to field indicates the return email address used when a reply is created on the receiver's end, which is most likely a false address. The From field is the author of the email, but this can be easily spoofed as well.

You are assessing whether your organization will need to comply with GDPR. Which of the following statements indicates compliance may be required? A) The organization collects or stores PII from citizens located within the EEA. B) The organization consumes or provides services with an organization located in the EEA. C) The organization requires regular reporting and disposal of financial information to the EEA. D) The organization anonymizes and generalizes any PHI of medical providers in the EEA.

A) The organization collects or stores PII from citizens located within the EEA. Explanation: GDPR is a European act that applies to any company that collects or processes personally identifiable information (PII) of the citizens of the EU. GDPR stands for the General Data Protection Regulation. The law also addresses the transfer of personal data outside of the EU and EEA areas. The GDPR applies to people outside of the EU, since it imposes responsibility onto organizations anywhere in the world, as long as they target or collect the data of people living in the EU. This is why people in the US and around the world have to learn about and study GDPR, since we often work with citizens of the EU for various reasons.

Which of the following transmit data via Wi-Fi or Bluetooth only to a host device and are vulnerable to data interception and attack? A) Wearable technology B) Personal vehicles C) UAV D) Medical devices

A) Wearable technology Explanation: Wearable technology transmits data via Wi-Fi or Bluetooth to a host device, and as such is subject to data interception and attack. In addition to being subject to attack, wearable devices such as voice recorders, video recorders, and hidden cameras can also be used by an attacker to gain information.

Your company has a website based on their domain name. In addition to the website, they also operate mail and FTP servers using the same domain name. Which of the following options would simplify certificate management? A) Wildcard certificates B) Code signing C) Self-signed certificates D) SAN

A) Wildcard certificates Explanation: Wildcard certificates allow you to create a certificate in a domain and use that same certificate for multiple subdomains. For example, if you had subdomains named mail.mysite.com, ftp.mysite.com, and www.mysite.com, you could issue a wildcard certificate for mysite.com and have it cover all the subdomains. Without the wildcard certificate, you would have to issue a certificate for each subdomain. The Subject Alternative Name (SAN) is a field in the certificate definition that allows you to stipulate additional information, such as an IP address or host name, associated with the certificate. It does not simplify certificate management.

You have decided to attach a digital timestamp to a document that is shared on the network. Which attack does this prevent? A) a replay attack B) a known-plaintext attack C) a ciphertext-only attack D) a side channel attack

A) a replay attack Explanation: Digital timestamps prove helpful in preventing replay attacks. In a replay attack, the attacker monitors the traffic stream in a network. The attacker maliciously repeats or delays the transmission of valid data over the network. Setting a threshold time value on each system ensures that the computer only accepts packets within a specified time frame. A packet received after the specified time indicates a possible replay attack. Digital timestamps are attached to a document at document creation.

You receive the following message in your e-mail message inbox:

From: [email protected]
To: [email protected]
Subject: Virus Alert!

Microsoft, Symantec and McAfee have issued an urgent virus warning. All Windows 10 Home Edition users should delete the following file from their computers: C:\Windows\explorer.exe This action should be taken as soon as possible to ensure that your computer does not become infected with the StealthExplorer virus. PLEASE FORWARD THIS MESSAGE TO EVERYONE IN YOUR ADDRESS BOOK ASAP!

Which type of attack does the e-mail message represent? A) a social engineering attack B) a zombie C) a Trojan horse D) a worm

A) a social engineering attack Explanation: The e-mail in this scenario is an example of an email hoax, which is a type of social engineering attack. In this scenario, users should not follow the directions in this e-mail message because deleting the explorer.exe file will damage their Windows 10 installations. An e-mail message hoax is disguised as an innocuous e-mail message that uses the names of reputable software vendors for credibility. The last line of the message urges users to send the message to everyone in their address books, which will cause the email hoax to replicate. E-mail hoaxes typically increase bandwidth use on a network because non-technical users typically forward hoaxes to others. Users should research the validity of virus warnings in e-mail messages before following the instructions contained in such messages. A zombie is a malicious program that can be installed on a computer and remotely triggered. A Trojan horse is a seemingly safe program that contains malicious code, which a hacker can use to gain access to a network or to destroy network resources. A worm is a program that is transmitted through network connections.

Your company has a Windows Active Directory domain that uses group policies to manage security settings. Which entities can group policies be used to manage? (Choose all that apply.) A) domain controllers B) server computers C) users D) client computers

A) domain controllers B) server computers C) users D) client computers Explanation: Group policies can be used to manage users, client computers, server computers, and domain controllers. Group policies are the most efficient way to manage a large number of users or computers. For example, you can configure a group policy that forces users to change their password at the next login.

Which events should be considered as part of the business continuity plan? (Choose all that apply.) A) hardware failure B) employee resignation C) non-emergency server relocation D) natural disaster

A) hardware failure D) natural disaster Explanation: As part of the business continuity plan, natural disasters should be considered. Natural disasters include tornadoes, floods, hurricanes, and earthquakes. Continuity of operations should be a primary consideration when developing the business continuity plan. Hardware failure should also be considered. This hardware can be limited to a single computer component but can include network link or communications line failures. The majority of the unplanned downtime experienced by a company is usually due to hardware failure. A business continuity plan is created to ensure that policies are in place to deal with long-term outages and disasters to sustain operations. Its primary goal is to ensure that the company maintains its long-term business goals both during and after the disruption, and it mainly focuses on the continuity of the data, telecommunications, and information systems infrastructures. The business continuity plan should only include those events that interrupt services. Normally, server relocation is planned in such a way as to ensure either no interruption or minimal interruption of services. As such, it is usually not part of the business continuity plan. Employee resignation, even resignation of a high-level IT manager, should not be considered part of the business continuity plan. Employee resignation is a normal part of doing business. However, employee strikes and the actions of disgruntled employees should be considered as part of the business continuity plan. When a disaster occurs, emergency actions should be taken to prevent injuries and loss of life. You should attempt to diminish damage to corporate function to avoid the need for recovery.

You are describing how multiple techniques can be applied in a single attack. Which type of attack combines IP spoofing with the act of inserting malicious code in packets? A) man-in-the-middle B) brute force C) phishing D) smurf

A) man-in-the-middle Explanation: A man-in-the-middle (MITM) attack can be accomplished by a hacker assuming the network identity of the user by adopting his MAC address or IP address. It is also typical to insert malicious packets to set up MITM and to steal data. A brute force attack is one in which every character combination is attempted in a password or encryption cracking attempt. Phishing is the use of deceptive emails that lead users to fake sites for the purpose of harvesting credentials. A smurf attack is a distributed denial-of-service (DDoS) attack in which large numbers of Internet Control Message Protocol (ICMP) packets with the intended victim's spoofed source IP are broadcast to a computer network using an IP broadcast address. Most devices on a network will, by default, respond to this by sending a reply to the source IP address. If the number of machines on the network that receive and respond to these packets is very large, the victim's computer will be flooded with traffic.

You install a type of monitoring that requires updates to be regularly obtained to ensure effectiveness. Which type of monitoring did you install? A) signature-based B) behavior-based C) anomaly-based D) network-based

A) signature-based Explanation: Signature-based monitoring requires that updates be regularly obtained to ensure effectiveness. Signature-based monitoring watches for intrusions that match a known identity or signature when checked against a database that contains the identities of possible attacks. This database is known as the signature database. Network-based monitoring is attached to the network in a place where it can monitor all network traffic. It implements passive and active responses. Passive responses include logging, notification, and shunning. Active responses include terminating processes or sessions, network configuration changes, and deception. Anomaly-based monitoring detects activities that are unusual. With this type of monitoring, there is an initial learning period before anomalies can be detected. Once the baselines are established, anomaly-based monitoring can detect anomalous activities. Sometimes the baseline is established through a manual process. Behavior-based monitoring looks for behavior that is not allowed and acts accordingly.

You are training several IT professionals on security and access control. You need to explain to the professionals the most common form of identification and authentication. What identification and authentication mechanism should you explain? A) user identification with reusable password B) biometrics C) smart cards D) two-factor authentication

A) user identification with reusable password Explanation: The most common form of identification and authentication is user identification with a reusable password. User identifications (IDs) and passwords are something a user knows. Biometrics, while not the most common form of identification and authentication, is more secure than using user identification and passwords. Biometrics is something you are. A fingerprint, for instance, would be more secure than a password, because your fingerprint will never change and no one else possesses it. Smart cards, which are something you have, are not commonly implemented because of the expense. However, they are more secure than using user identification and passwords. Smart cards are a Type II authentication factor. Common access cards are similar to smart cards and are used by the U.S. federal government for active-duty military personnel. Two-factor authentication must include two of the following three categories: something you know (Type I), something you have (Type II), or something you are (Type III). Two-factor authentication is not as common as using user identification and passwords. Two-factor authentication is sometimes referred to as multi-factor authentication. Multi-factor authentication will provide an additional layer of security when stored keys and passwords are not strong enough.

Management at your company has recently learned of brute force attacks that were experienced by competitors. They have asked you to make a presentation of these attacks. What is an example of a brute force attack? A) using a program to guess passwords from a SAM file B) searching through a company's trash C) sending multiple ICMP messages to a Web server D) gathering packets from a network connection

A) using a program to guess passwords from a SAM file Explanation: Using a program to guess passwords from a Security Account Manager (SAM) file is an example of a brute force attack. A SAM file, which is used on some Windows networks, contains encrypted passwords. A hacker can initiate a brute force attack in an attempt to decrypt passwords stored in a SAM file. You can defend against a brute force network attack by increasing the complexity and keyspace requirements of the password. Sending multiple Internet Control Message Protocol (ICMP) messages to a Web server is a type of denial-of-service (DoS) attack that is referred to as a ping of death. Searching through a company's trash to find sensitive information is a type of physical attack that is sometimes referred to as dumpster diving. Using a packet analyzer to gather packets from a network connection between two computers is a method that can be used to initiate a man-in-the-middle (MITM) attack.

You are designing security for a new e-commerce web site. You know that you will use HTTPS as the browser protocol. The legal team has asked you to validate using the name of the responsible legal entity in the certificate, to supply other validation parameters, and to provide a higher level of trust than domain validation. Which certificate would you use? A) Root certificates B) Extended validation certificate C) Machine/computer certificates D) Email certificates

B) Extended validation certificate Explanation: Extended validation certificates, as the name suggests, provide additional validation for HTTPS web sites. The certificate provides the name of the legal entity responsible for the web site. These certificates require the most effort by the CA to validate and provide a higher level of trust than domain validation because they are validated using more than the domain information.

You are investigating a point-of-sale (POS) terminal to verify that financial information will be protected. Which one of the following signs indicates a potential skimmer is installed? A) The keypad does not use raised Braille text B) A bulky casing is installed over the card reader C) A nearby camera is pointing at the PIN keypad D) The screen requires heavy pressure to respond

B) A bulky casing is installed over the card reader Explanation: Skimming occurs when an attacker obtains personal information from a card with a magnetic stripe. Most often this is carried out by installing a fraudulent card reader over a legitimate one, such as at a gas pump payment terminal or at an ATM. Signs of skimming include a bulky-looking attachment added onto the card reader. Credit card owners should keep an eye out for unauthorized financial transactions and identity theft. Most financial institution apps include an alert setting for new transactions so that the card owner is immediately notified of potentially suspicious activity. None of the other options indicates that a potential skimmer is installed. A nearby camera could be a security measure taken by the company, or it could be a type of shoulder surfing attack. A keypad lacking signage in Braille is not a sign of a skimming attack. A screen requiring heavy pressure to respond just needs replacement and does not indicate that a skimmer has been installed.

What is the difference between a honeynet, honeypot, and honeytoken? A) A honeynet is a disruptive strategy that allows you to maximize the effectiveness of your decoys, a honeypot is an individual file or directory on a system, and a honeytoken is a dynamically generated decoy used to slow down scanning. B) A honeynet is a network of honeypots; a honeypot is a single system; and a honeytoken is an individual file or directory on a system. C) A honeynet is a network made up of only virtual machines, a honeypot is a section of virtual machines on a network, and a honeytoken is a mechanism used to access a virtual machine on the network. D) A honeynet is a collection of files on a specific attack strategy, a honeypot is a folder that stores all the permissions for the honeynet, and a honeytoken is a command used by the network admin to assign permissions to the honeynet files.

B) A honeynet is a network of honeypots; a honeypot is a single system; and a honeytoken is an individual file or directory on a system. Explanation: A honeynet is a network that is set up to attract potential attackers and distract them from your production network. A honeynet is a tightly controlled and highly monitored network of honeypots. A honeypot is a single system used to discover, deflect, or, in some manner, thwart attempts at unauthorized use of resources and data on the network. A honeytoken is a type of data that looks attractive to cyber criminals but, in reality, is useless to them as it is a decoy. It is usually some sort of file or directory that is designed to be intriguing to attackers.

Recently, your organization has experienced several password attacks. Management has asked you to provide additional security to ensure that this does not happen again. You decide to implement a key stretching function. Which of the following could you use? (Check all that apply.) A) 3DES B) Bcrypt C) RSA D) PBKDF2 E) DES

B) Bcrypt D) PBKDF2 Explanation: You could use Bcrypt or Password-Based Key Derivation Function 2 (PBKDF2). Both of these are key stretching functions and can be implemented to protect against brute force and rainbow attacks. None of the other options is a key stretching function. DES, 3DES, and RSA are cryptographic algorithms.

Which automation or scripting concept can reduce the risk that new equipment might not have all the same settings, applications, and drivers as your existing equipment without changing vital user settings? A) Continuous monitoring B) Configuration validation C) Templates D) Automated courses of action

B) Configuration validation Explanation: Configuration validation through automation and scripting can ensure that new equipment has all the proper settings, applications, and drivers as existing equipment. Continuous monitoring can be employed to ensure that no device on the network has its configuration settings changed, but it will not ensure that the configurations match. Automated courses of action can be accomplished through scripting, so that certain events trigger a series of responses or actions. Automated courses of action can also be used to obtain updates and patches by scheduling the software to check for them at certain times. Automated courses of action usually cannot verify that equipment has the same settings, applications, and drivers as existing equipment. Templates provide standardized documentation for several issues. Such issues can include security analysis reporting, threat and vulnerability identification, and impact assessment, among others. Templates can also be used to configure operating systems (OSs) to ensure that certain settings are automatically configured. Templates are usually used as a first-time configuration measure, but often cannot be reapplied because doing so would result in the loss of any user changes that have been made.

Management asks you to implement an encryption standard that uses a single 56-bit encryption key to encrypt 64-bit blocks of data. Which encryption standard should you implement? A) TDES B) DES C) Blowfish D) SSL

B) DES Explanation: Data Encryption Standard (DES) is a block cipher encryption standard that uses a single 56-bit encryption key to encrypt 64-bit blocks of data. It is a symmetric or private key encryption algorithm. Triple Data Encryption Standard (TDES) uses multiple DES encryption and decryption processes to create an encryption scheme that is stronger than DES. Blowfish is a private key encryption algorithm, optimized for use on 32-bit processors, which supports encryption keys with a maximum length of 448 bits. Secure Sockets Layer (SSL) supports an encryption key length of 40 bits or 128 bits.

In which lower environment are the basic errors of an application detected and resolved? A) Staging B) Development C) Production D) Testing

B) Development Explanation: A development environment is used to build an application. It is a collection of hardware and software tools a system developer uses to build software systems. In the development environment, the basic errors of the application are detected and resolved. A testing environment is used to test that an application meets the security requirements and stakeholder expectations. Typically, these tests are binary pass/fail decisions. If the code is rejected, then it is returned to the responsible developer. If the code is accepted, then it is built and integrated into the larger solution. Staging is where the built application is deployed to a limited audience before it is rolled out to the general public, which is known as production.

Which type of state-sponsored attack targets another state's critical vulnerabilities in cyberspace, so as to weaken that state's governance or sow dissent throughout its populace? A) Whaling B) Hybrid warfare C) Social media D) Pharming

B) Hybrid warfare Explanation: Hybrid warfare is possible when the physical military is supplemented by a cyber warfare unit. These groups are what we call advanced persistent threats (APTs) because they are well funded, patient, and highly skilled. One example is a disinformation campaign seeded through social media and posted by accounts that pretend to be citizens of the country targeted by the attack. A whaling attack is when a phishing email is directed to a person in a position of authority such as a CEO. A whaling attack does not require state sponsorship to be effective and is typically performed by a wide variety of threat actors, including script kiddies. A pharming attack is when DNS manipulation is used to direct a user to a fake website to harvest credentials. Like phishing attacks, pharming does not require state sponsorship to be effective, and is relatively easy for any level of threat actor to perform. Social media is typically used in an influence campaign designed to move public opinion. Influence campaigns usually involve state sponsorship as well.

As part of your company's comprehensive vulnerability scanning policy, you decide to perform a passive vulnerability scan on one of your company's subnetworks. Which statement is true of this scan? A) It allows a more in-depth analysis than other scan types. B) It impacts the hosts and network less than other scan types. C) It is limited to a particular operating system. D) It includes the appropriate permissions for the different data types.

B) It impacts the hosts and network less than other scan types. Explanation: A passive scan impacts the hosts and network less than other scan types. A passive scan is a non-intrusive scan, meaning you are probing for the weaknesses but not exploiting them. To perform a more in-depth analysis than other scan types, you would perform an active scan. An active scan is also considered an intrusive scan as it usually provides more meaningful results on the scan.

Your client's HR practices include promotion from within, and transferring people between offices on a regular basis. It seems like the most common question you hear when employees talk on the phone is "What office are you working at now and what are you doing?" What practice will ensure that a user's permissions are relevant and current? A) Federation B) Recertification C) Standard naming conventions D) Transitive trusts

B) Recertification Explanation: Recertification is the process of examining a user's permissions and determining if they still need access to what was previously granted. For example, if someone were transferred from the Chicago, IL office to the Charlotte, NC office, it would be reasonable to revoke the user's Chicago permissions. Likewise, a promotion would most likely require new privileges, and it is important to examine whether the privileges from the old position are still necessary. Federation and federated identity is the ability of a user to use a single identity across multiple businesses or networks. It differs from single sign-on, where a user has one password that grants access to all the permitted network resources. Federation would address enabling users' logon from office to office but would not address the issue of current and relevant permissions related to users' job roles. Creating a standard naming convention would resolve an issue relating to account names that identify job roles or locations. However, it would not address the issue of current and relevant permissions. Transitive trust involves creating relationships between domains to grant authenticated users access to other domains. In Active Directory, for example, if the Sales domain trusts the Marketing domain, and the Marketing domain trusts the HR domain, then Sales trusts the HR domain, through a transitive relationship.

When a large data breach occurs, which impact to the business is difficult to measure in monetary terms but influences how customers perceive the brand in the marketplace? A) Security awareness B) Reputation loss C) Availability disruption D) Identity theft

B) Reputation loss Explanation: Reputation loss is intangible damage to the organization that occurs due to a company suffering a data breach.

When applying the NIST functions in the Cybersecurity Framework, which function includes incident analysis and mitigation activities? A) Protect B) Respond C) Recover D) Detect

B) Respond Explanation: The National Institute of Standards and Technology (NIST) develops standards and best practices for cybersecurity. There are two frameworks that NIST created and maintains. The Risk Management Framework (RMF) provides a process that integrates security, privacy, and cyber supply chain risk management activities into the system development life cycle. The Cybersecurity Framework (CSF) focuses on using business drivers to guide cybersecurity activities and considering cybersecurity risks as part of the organization's risk management processes. The 5 main functions of the Framework Core in the Cybersecurity Framework are identify, protect, detect, respond, and recover. The respond function includes incident analysis and mitigation activities. The respond category functions to develop and implement appropriate activities to take action regarding a detected cybersecurity incident.

You have been asked to implement the encryption standard that is used in the Clipper Chip. Which encryption standard should you use? A) AES B) Skipjack C) Blowfish D) DES

B) Skipjack Explanation: Skipjack is a private key encryption standard that was developed by the U.S. government for the Clipper Chip. Skipjack uses an 80-bit key, which might soon be vulnerable to decryption by hackers. Advanced Encryption Standard (AES) is a newer encryption standard that uses the Rijndael algorithm with 128-bit, 192-bit, or 256-bit keys. AES256 is stronger than DES, 3DES, SHA, or RC4. Blowfish is a private key encryption algorithm that was developed for optimal performance on 32-bit central processing units (CPUs). Blowfish supports keys up to 448 bits in length. Data Encryption Standard (DES) is an older private key encryption algorithm that was developed by IBM in the 1970s. DES uses 56-bit encryption keys on 64-bit data blocks.

Which of the following protection methods applies to data in processing or in use? (Choose all that apply.) A) Backup management B) Physical protection C) Encryption D) Access control E) Fault tolerance F) Hashing

C) Encryption D) Access control F) Hashing Explanation: Encryption plays an important role in data protection and is a common tool for securing data both in transit and at rest. For securing data in use, enterprises often choose to encrypt the sensitive data prior to moving it or use encrypted connections to protect it. Access control methods can help secure the networks and routes used to transmit data against malware attacks or malicious intrusions. It is also important to hash sensitive and important data such as passwords to protect them from malicious actors and unwanted prying eyes. Physical protection, fault tolerance, and backup management are protection methods that apply to data at rest when stored on archive systems.

You work for a large healthcare company in the US that recently had a breach of over 52,000 medical records. The records contained securely encrypted payment data and plaintext patient and doctor names, and were intercepted through an insecure Wi-Fi connection. The board of directors initially chose not to disclose the breach to regulators or the public. However, after a third-party audit uncovered the breach, the board reported the incident according to the relevant laws, and also notified the media and affected patients. What is the MOST likely outcome in this scenario? A) The organization will face financial penalties and patients may find unauthorized charges on their credit cards. B) The organization will face financial penalties and may be subject to increased auditing. C) The organization will face financial penalties and insurance providers will drop it from their network due to liability concerns.

B) The organization will face financial penalties and may be subject to increased auditing. Explanation: The organization will face financial penalties and may be subject to increased future audits. Protected health information (PHI) is a highly regulated category of data that requires specific safeguards. PHI is considered any health record (written, electronic, or verbal) associated with an identifiable individual. A record linking a patient's name with a provider's name is considered PHI and therefore sensitive, even if no financial data was compromised.

You need to display the current protocol statistics and port connections for Windows and UNIX/Linux computers. Which command should you use? A) ping B) netstat C) tracert D) nbtstat

B) netstat Explanation: Netstat is a TCP/IP utility that you can use to determine the computer's inbound and outbound TCP/IP connections. It displays current connections and their listening ports. Ping is a Windows and UNIX/Linux command that is used to test a connection between two computers. Issuing nbtstat at a Windows command prompt will show NetBIOS information. Issuing tracert at a Windows command prompt will trace the route a packet takes from the source computer to the destination host.

Your company has recently implemented a content inspection application on a perimeter firewall. What is the purpose of content inspection? A) to distribute the workload across multiple devices B) to search for malicious code or behavior C) to identify and block unwanted messages D) to filter and forward Web content anonymously

B) to search for malicious code or behavior Explanation: The purpose of content inspection is to search for malicious code or suspicious behavior. The purpose of load balancing is to distribute the workload across multiple devices. Often DNS servers are load balanced to ensure that DNS clients can obtain DNS information as needed. Other services are load balanced as well. Load balancers optimize and distribute data workloads across multiple computers or networks. The purpose of an Internet or Web proxy is to filter and forward Web content anonymously. The purpose of a spam filter is to identify and block unwanted messages. Spam filters should be configured to prevent employees from receiving unsolicited e-mail messages.

You identify a security risk that you do not have in-house skills to address. You decide to procure contract resources. This contractor will be responsible for handling and managing this security risk. Which type of risk response strategy are you demonstrating? A) avoidance B) transference C) mitigation D) acceptance

B) transference Explanation: You are demonstrating a risk response strategy of transference. Transference involves transferring the risk and its consequences to a third party. The third party is then responsible for owning and managing the risk. Avoidance involves modifying security to eliminate the risk or its impact. Acceptance involves accepting the risk and leaving the security plan unchanged. Examples of acceptance would include taking no action at all or leaving the plan unchanged and developing a contingency or fallback plan. Mitigation involves reducing the probability or impact of a risk to an acceptable risk threshold. Examples of mitigation would include taking actions to minimize the probability of a risk.

You are performing user account reviews. You need to determine whether user accounts are active. Which property should you verify? A) whether a password is required B) when the last login occurred C) whether user accounts are disabled D) when the password was last configured

B) when the last login occurred Explanation: To determine whether user accounts are being actively used, you should verify when the last login occurred for every user account. If a user account has not been logged in recently, either the user is not logging out properly or the user account is no longer being used. It is a good policy to periodically perform user account reviews such as this to ensure that all accounts are valid. Continuous monitoring is essential to any organization. Account disablement is a policy enforcement tool that is often used when accounts are deemed inactive. By disabling the account instead of removing it, you ensure that any resources owned by the disabled account can still be managed.

How does using a syslog server make processing more efficient? A) A syslog server makes it easier to combine TCP/IP and FTP uploads B) A syslog server makes it easier to compare events and separate and send information into different logs C) A syslog server makes it easier to coordinate events and combine information into a single log D) A syslog server makes it efficient for the network administrator when tracking host information

C) A syslog server makes it easier to coordinate events and combine information into a single log Explanation: Syslog stands for System Logging Protocol and is a standard computing protocol used to send system log or event messages to a specific server, which is referred to as a syslog server. It is primarily used to collect and store a variety of device logs, such as security and performance events, from several different machines in a central location for monitoring and review purposes. Using a syslog server makes it much easier to coordinate events and combine information into a single comprehensive log. A syslog server does provide the other features, but only because it coordinates events across multiple systems into a central log.

You are tasked with choosing a mail gateway for your organization. Which of the following is a consideration for this deployment? A) Encryption B) DLP C) All of these options D) Spam filter

C) All of these options Explanation: You should consider all of these requirements when choosing a mail gateway: spam filters, data loss prevention (DLP), and encryption. Spam filters trap undesirable email before it reaches the user's inbox. Such filters could include country of origin, key words in the subject line, specific IP addresses, or blacklisted mail domains. If your organization implements a DLP system, you can prevent users from transmitting confidential data to individuals outside the company. DLP systems incorporate a number of data protection processes. These processes can include prevention from unauthorized access, protecting data from modification or destruction, or keeping data from leaving the network. Encryption can be a critical component and feature of a mail gateway. Encryption on a mail gateway would scramble the outgoing message, making it unreadable to someone who intercepts the message. For the Security+ exam, you should also understand the installation and configuration of media gateways, SSL/TLS accelerators, and SSL decryptors.

You suspect that several users are attempting to install unauthorized software. Upon researching, you discover that the attempts were unsuccessful. What tool did you implement that logged those attempts and identified the users? A) Removable media control B) File integrity checks C) Application whitelisting D) Patch management tools

C) Application whitelisting Explanation: Application whitelisting is the practice of denying all applications except for those that are approved. Those approved applications are designated as whitelisted. Several products are available that check for applications that are not on the whitelist, including attempts to install those applications. For example, the logs generated by the whitelisting product would tell you if someone had attempted to install a keylogger.

The company who just hired you provides a fixed amount to new employees so that the employee can purchase the laptop of their choice. After the purchase, the employee only needs to submit the receipt. What should you implement so that the company is able to better track the laptops? A) Baseline deviations B) License compliance C) Asset management D) Unauthorized software

C) Asset management Explanation: Asset management allows an organization to keep track of equipment and software. Laptops, tablets, servers, routers, and switches are among the assets that the company should track. Software asset management includes license control, version control, and knowing what software is installed on what equipment.

You are evaluating the possible vulnerabilities of mobile devices within your organization's BYOD policy. Which of the following short-range connection methods could allow a covert attacker to access contacts, emails, and text messages stored on a mobile device? A) NFC B) Infrared C) Bluetooth D) Cellular

C) Bluetooth Explanation: Bluetooth connections can provide a covert attacker with access to a mobile device's contacts, email, and text messages. Bluetooth devices are a long-standing security concern because they are susceptible to bluejacking (sending unsolicited messages) and bluesnarfing (extracting data from the device). A newer attack called BlueBorne can download viruses and malware to Bluetooth-enabled devices. Bluetooth is a wireless standard from the Bluetooth Special Interest Group (SIG), not a proprietary technology.

Your network contains four segments. Which network devices can you use to connect two or more of the LAN segments together without collisions? (Choose three.) A) Multiplexer B) Repeater C) Bridge D) Router E) Switch F) Hub

C) Bridge D) Router E) Switch Explanation: Bridges, switches, and routers can be used to connect multiple LAN segments. Bridges and switches operate at the Data Link layer of the OSI model (Layer 2), using the Media Access Control (MAC) address to send packets to their destination. Switches can also operate at Layer 3. Routers operate at the Network layer (Layer 3) by using IP addresses to route packets to their destination along the most efficient path. Hubs act as a central connection point for network devices on one network segment. They work at the Physical layer (Layer 1). Using a hub would result in collisions.

You are configuring a wireless guest network, but you need to prevent guests from accessing the corporate intranet, while informing them of the acceptable use policy. Which access method should you use? A) WPA2-Enterprise B) WPS C) Captive portal D) WPA2-Personal

C) Captive portal Explanation: A captive portal is used to display a webpage to the user upon connection. It may or may not require authentication and may also post permissible activities.

Which Internet-based threat intelligence source is hidden from search engines and indexes and is used by privacy advocates and criminals alike? A) AIS B) Academic journals C) Dark web D) OSINT

C) Dark web Explanation: The dark web encompasses sites, content, and services accessible only over a dark net, which is a network established as an overlay for internet infrastructure by certain types of software such as TOR or Freenet. The dark net is utilized by both privacy advocates and criminals alike due to its anonymity.

Your organization is trying to decide whether to use RSA or ECC to encrypt cellular communications. What is an advantage of ECC over the RSA algorithm? A) ECC uses elliptic curves instead of keys to provide security. B) ECC does not deal with the intricacies of digital signatures. C) ECC requires fewer resources. D) ECC uses elliptic curves that improve its reliability.

C) ECC requires fewer resources. Explanation: The advantage of Elliptic Curve Cryptography (ECC) over the Rivest, Shamir, and Adleman (RSA) algorithm is that it is more efficient and requires fewer resources than RSA. ECC is a method used to implement public-key (asymmetric) cryptography. ECC serves as an alternative to the RSA algorithm and provides similar functionalities, but ECC has a higher strength per bit than RSA. ECC performs digital signature generation, secure key distribution, and encryption and decryption of data. Wireless devices, handheld computers, smart cards, and cellular telephones have limited processing power, storage, power, memory, and bandwidth compared to other systems. To ensure efficient use of resources, ECC provides encryption by using shorter key lengths. Shorter key lengths do not imply less secure systems. Therefore, ECC provides the same level of security as RSA by using a shorter key that enables easier processing by the resource-constrained devices. For example, a 224-bit ECC key provides the same level of security as the 2048-bit keys used by legacy schemes. A 3072-bit legacy key and a 256-bit ECC key provide equivalent security. This is an obvious advantage when the future lies in smaller devices and increased security.

You have implemented a backup plan that includes both full and incremental backups. What does an incremental backup do? A) It backs up all new files and any files that have changed since the last full backup without resetting the archive bit. B) It backs up all files. C) It backs up all new files and any files that have changed since the last full or incremental backup and resets the archive bit. D) It backs up all files in a compressed format.

C) It backs up all new files and any files that have changed since the last full or incremental backup and resets the archive bit. Explanation: An incremental backup backs up all new files and files that have changed since the last full or incremental backup, and also resets the archive bit. When restoring the data, the full backup must be restored first, followed by each incremental backup in order. Incremental backups build on each other; for example, the second incremental backup contains all of the changes made since the first incremental backup. A full backup backs up all files every time it runs. Because of the amount of data that is backed up, full backups can take a long time to complete. A full backup is used as the baseline for any backup strategy and is most appropriate when using offsite archiving.

You need to ensure that backdoor applications are not installed on any devices in your network. Which tool is NOT a backdoor application? A) Masters Paradise B) NetBus C) Nessus D) Back Orifice

C) Nessus Explanation: Nessus is NOT a backdoor application. It is a network vulnerability scanner. Back Orifice, NetBus, and Masters Paradise are all backdoor applications. These applications work by installing a client application on the attacked computer and then using a remote application to gain access to the attacked computer. Back Orifice is a famous rootkit that targets Windows systems and is sometimes used as a remote administration tool.

As your organization's security officer, you are currently completing audits to ensure that your security settings meet the established baselines. In which phase of the security management life cycle are you engaged? A) Monitor and Evaluate B) Implement C) Operate and Maintain D) Plan and Organize

C) Operate and Maintain Explanation: You are engaged in the Operate and Maintain phase of the security management life cycle. This phase includes the following components: Ensure that all baselines are met. Complete internal and external audits. Complete tasks outlined in the blueprints. Manage service level agreements as outlined in the blueprints. Completing audits is not part of any of the other phases. In secure staging deployment, you need to understand security baselines and integrity measurement. You determine a security baseline by documenting the minimum specifications for an application, system, or service that is considered secure. By establishing a security baseline, any change can be compared to the baseline to determine whether minimum security levels are maintained. Once the baseline is defined, you should monitor the application, system, or service to ensure that it complies with the security baseline. This monitoring process is called integrity measurement.

What type of data would be targeted by a malicious insider for the intent of corporate espionage? A) Confidential B) Private C) Proprietary D) Secret

C) Proprietary Explanation: Proprietary data is data that an organization owns that gives the organization a competitive advantage. This classification is used most in the private sector. Proprietary information includes things like company secrets, such as a famous recipe or a process that a company has developed and maintains on its own. It is information developed, created, conveyed to, or discovered by the organization that has commercial value in the organization's business.

Which team is responsible for debriefing both attackers and defenders after an attack simulation? A) Blue team B) White team C) Purple team D) Red team

C) Purple team Explanation: The purple team is a combination of red team and blue team during a security exercise. The two teams are merged together to share information and findings in order to improve the organization's overall security. The white team is a group of unbiased referees that is more focused on compliance and enforcing the rules of the security exercise. They are the more non-technical team of them all, and their concentration is always on neutrality and helping the technical teams to communicate and work together for the benefit of the organization. Red team members are responsible for testing the defenses of an organization. They are usually hired independently of the company being tested. The red team consists of skilled ethical hackers whose goal is to identify and safely exploit vulnerabilities in the target's cybersecurity or physical perimeters. The blue team is the exact opposite of the red team and is usually the organization's internal security team that is tasked with network defense and fortification while also making sure to implement rapid incident response in the event of a breach.

Which of these options is particularly dangerous because it processes data with little or no latency? A) Home automation B) SoC C) RTOs D) Wearable technology

C) RTOs Explanation: Real Time Operating Systems (RTOs) are particularly dangerous because they process data with little or no latency. They are susceptible to code injection, exploiting shared memory, priority inversion, DoS attacks, and attacks on inter-process communication. While the other options are security risks, none processes data with little or no latency.

Which social engineering attack can be conducted without any prior knowledge of the target's habits, job, or personal information? A) Spear phishing B) Invoice scam C) Reconnaissance D) Whaling

C) Reconnaissance Explanation: Reconnaissance does not require prior knowledge of the target. It helps the attacker gather information for a later attack. Remember that reconnaissance can mean visiting a target to observe security controls in person, but it also can refer to digital and remote intelligence gathering techniques. Spear phishing is a type of phishing aimed at a specific user or group, and appears to come from a trusted source. Spear phishing requires some inside knowledge of the target, which the attacker can gather from reconnaissance, open-source intelligence (OSINT), or other social engineering attacks. Whaling is a type of spear phishing aimed at high-profile targets, such as board members and CEOs. An invoice scam involves sending a fake invoice (by mail or electronically) to an accounts payable department in the hopes that it will be paid without being verified. It requires knowledge of the target's email address or physical address.

Which of these options would be included in a scan to identify a common misconfiguration? A) Password policy B) Dictionary attack C) Router admin password D) Packet sniffing

C) Router admin password Explanation: A common misconfiguration is a router with a default password, which can be easily discovered by reviewing vendor documentation online or by looking at the router. When you attempt to identify common misconfigurations, you are looking for areas where out-of-the-box solutions were not configured to be secure before being placed in the network. A password policy is not a common misconfiguration. When you passively test security controls, you are performing a vulnerability scan to identify weaknesses, but not exploiting those weaknesses. Testing security controls usually includes testing the password policy. You would not perform a dictionary attack or packet sniffing to identify common misconfigurations. When you are scanning to identify a vulnerability (or several vulnerabilities), you are primarily looking for common misconfigurations and/or a lack of security controls. Once a vulnerability is discovered, a dictionary attack or packet sniffing attack may be possible. When you scan to identify a lack of security controls, you are looking for things like appropriate access controls, authentication controls, input validation, and proper logging, among others. A false positive can occur when a vulnerability is identified that, in reality, is not a vulnerability.

Your company implements an Ethernet network. During a recent analysis, you discover that network throughput capacity has been wasted as a result of the lack of loop protection. What should you deploy to prevent this problem? A) TTL B) flood guards C) STP D) network separation

C) STP Explanation: You should deploy Spanning Tree Protocol (STP). The primary loop protection on an Ethernet network is STP. The problem with looping is the waste of network throughput capacity. STP can help mitigate the risk of Layer 2 switches in the network suffering from a DoS-style attack caused by staff incorrectly cabling network connections between switches. Loop protection is also referred to as loop prevention. Time To Live (TTL) is the primary loop protection on an IP network. Flood guards are devices that protect against denial-of-service (DoS) attacks. Network separation is a technique that is used to prevent network bridging. Network bridging can cause performance issues in the network. You can employ network separation by using routers or firewalls to implement IP subnets.

Using the NetFlow/IPFIX protocol, which of the following fields define a unique network flow? (Choose all that apply.) A) Source/Destination Encodings B) Source/Destination MAC Addresses C) Source/Destination IP Addresses D) Source/Destination Ports

C) Source/Destination IP Addresses D) Source/Destination Ports Explanation: NetFlow is a network protocol originally developed by Cisco for collecting IP traffic information and monitoring network data. IPFIX stands for IP Flow Information Export and was designed as an open-standard, more universal solution for collecting and analyzing vital network data. IPFIX is extremely similar to NetFlow; the main difference is that IPFIX is an open standard and can work with many other networking vendors apart from Cisco. The source and destination IP addresses and the source and destination ports are the fields that define a unique network flow in the flow records generated by collecting data packets that flow through a device on the metered network.

Your users often forget their passwords and ask for assistance. You send a link to reset the password. You would like to incorporate a time limit for the user to respond to the link. Which would you incorporate? A) HOTP B) ABAC C) TOTP D) FRR

C) TOTP Explanation: Time-based One Time Passwords (TOTP) are issued for a specific period of time. Once it is used or its time expires, the TOTP is no longer valid. HOTP and TOTP are both types of one-time passwords (i.e., they can only be used once). Hashed One Time Passwords (HOTP) are secure passwords used with hardware tokens. They do not include a time limit for usage.

Which cipher uses a binary key and is often combined with or incorporated into a symmetric algorithm because it is not secure when used by itself? A) substitution B) RIPEMD C) XOR D) ROT13

C) XOR Explanation: EXclusive OR (XOR) uses a binary key to create a cipher text. By itself, XOR does not provide a high level of security. Consequently, it is used in combination with symmetric ciphers. RACE Integrity Primitives Evaluation Message Digest (RIPEMD) was based on MD4 and was replaced by RIPEMD-160 (160 bits). Newer versions are RIPEMD-256 and RIPEMD-320. ROTate 13 (ROT13) is a simple substitution cipher that replaces each letter with the letter 13 places further down the alphabet. For example, A becomes N, B becomes O, C becomes P, and so on. Substitution ciphers involve transposition (or substitution) of characters and are older methodologies. They are now easily broken by a computer.

Microsoft releases a notification to all users that a vulnerability has been recently discovered in SQL Server 2017 (version 14.0) that could allow an attacker to control your computer remotely. They are working on a fix, but do not have a workaround available. Which term best describes this risk? A) SQL Injection B) Botnet C) Zero-day vulnerability D) DDoS

C) Zero-day vulnerability Explanation: Zero-day vulnerabilities are often unknown or known only to an attacker who is able to exploit that vulnerability. Patches are not readily available until the manufacturer can develop a solution. A SQL injection describes an input validation issue in the front end of an application that allows attackers to directly manipulate the underlying data source using Structured Query Language (SQL). A distributed denial-of-service (DDoS) attack uses multiple sending devices to take a single host or group of hosts offline. The sending devices are typically a group of compromised devices, known as a botnet, that are controlled by a central Command and Control (C&C) server.

The business continuity team is interviewing users to gather information about business units and their functions. Which part of the business continuity plan includes this analysis? A) disaster recovery plan B) contingency plan C) business impact analysis D) occupant emergency plan

C) business impact analysis Explanation: The business impact analysis (BIA) includes interviews to gather information about business units and their functions. A disaster recovery plan is created to ensure that your company is able to resume operation in a timely manner. Interviewing is not included as part of its development. A contingency plan is created to detail how all business functions will be carried out in the event of an outage or disaster. It should address residual risks. Interviewing is not included as part of its development. An occupant emergency plan (OEP) is created to ensure that injury and loss of life are minimized when an outage or disaster occurs. It also focuses on property damage. Interviewing is not included as part of its development. A BIA is created to identify the vital functions and prioritize them based on need. Vulnerabilities and threats are identified, and risks are calculated. It is a methodology commonly used in business continuity planning. Its primary goal is to help the business units understand how an event will impact corporate functions. The purpose of the BIA is to create a document to understand what impact a disruptive event would have on the business; it is not intended to recommend an appropriate solution.

Your company has deployed a firewall that includes two network interfaces. Which firewall architecture has been deployed? A) screened host B) bastion host C) dual-homed firewall D) screened subnet

C) dual-homed firewall Explanation: A dual-homed firewall has two network interfaces. One interface connects to the public network, usually the Internet. The other interface connects to the private network. The forwarding and routing function should be disabled on the firewall to ensure that network segregation occurs. A bastion host is a computer that resides on a network that is locked down to provide maximum security. These types of hosts reside on the front line in a company's network security systems. The security configuration for this entity is important because it is exposed to untrusted entities. Any server that resides in a demilitarized zone (DMZ) should be configured as a bastion host. A bastion host has firewall software installed, but can also provide other services. A screened host is a firewall that resides between the router that connects a network to the Internet and the private network. The router acts as a screening device, and the firewall is the screened host. Screened subnet is another term for a demilitarized zone (DMZ). Two firewalls are used in this configuration: one firewall resides between the public network and the DMZ, and the other resides between the DMZ and the private network.

Your company's security policy includes system testing and security awareness training guidelines. Which control type is this considered? A) detective technical control B) preventative technical control C) preventative administrative control D) detective administrative control

C) preventative administrative control Explanation: Testing and training are considered preventative administrative controls. Administrative controls dictate how security policies are implemented to fulfill the company's security goals. Preventative controls are controls that are implemented to prevent security breaches. Preventative administrative controls place emphasis on soft mechanisms that are deployed to support the security objectives and include security policies, information classification, personnel procedures, testing, and security awareness training. Detective technical controls include audit logs and intrusion detection systems (IDSs). Detective administrative controls include monitoring and supervising, job rotation, and investigations. Preventative technical controls include access control lists (ACLs), routers, encryption, antivirus software, server images, smart cards, and call-back systems. The three access control categories provide seven different functionalities or types:
preventative - A preventative control prevents security breaches.
detective - A detective control detects security breaches as they occur.
corrective - A corrective control attempts to correct any damage that has been inflicted during a security breach and restores control.
deterrent - A deterrent control deters potential violations.
recovery - A recovery control restores resources.

An attack occurred in which an attacker impersonated the identity of another host to gain access to privileged resources that are typically restricted. Which type of attack occurred? A) SYN flood B) teardrop C) spoofing D) spamming

C) spoofing Explanation: In a spoofing attack, also referred to as a masquerading attack, a person or program successfully pretends to be another person or program. The source IP address in the attacker's IP datagram is spoofed, or modified, to imitate the IP address of a packet originating from an authorized source. This results in the target computer communicating with the attacker's computer and providing access to restricted resources. A man-in-the-middle attack is an example of a spoofing attack as well as a session hijacking attack. Other types of spoofing attacks are e-mail spoofing and Web spoofing.

Your company has decided to implement a biometric system to ensure that only authorized personnel are able to access several secure areas at the facility. However, management is concerned that users will have privacy concerns when the biometric system is implemented. You have been asked to recommend the least intrusive biometric system of the listed options. Which option is considered the least intrusive? A) retinal scan B) fingerprint C) voice print D) iris scan

C) voice print Explanation: A voice print is considered less intrusive than the other options given. A voice recognition scanner is used to capture a voice print. Retinal scanners and iris scanners are used to scan the retina and iris, respectively. Both an iris scan and a retinal scan are considered more intrusive because of the way in which the scan is completed. Most people are reluctant to have a scanner read any eye geometrics. A fingerprint scanner is used to scan a fingerprint. A fingerprint scan is more intrusive than a voice print. Most people are reluctant to give their fingerprints because fingerprints can be used by law enforcement. A voice print is very easy to obtain. Its primary purpose is to distinguish a person's manner of speaking and voice patterns. Voice print systems are easy to implement compared to some other biometric methods. Voice prints are usually reliable and flexible. A facial recognition scanner is used to scan facial characteristics. A facial scan is based on an individual's bone structure, nose ridge, eye width, forehead structure, and chin shape.

You implement network segmentation, airgaps, multiple firewalls, and virtualization on your company's network. Of what are these examples? A) Control diversity B) None of the above C) Vendor diversity D) Defense-in-depth

D) Defense-in-depth Explanation: Network segmentation, air gaps, multiple firewalls, and virtualization are all examples of defense-in-depth, also referred to as layered security. Generally, defense-in-depth/layered security means that someone would have to breach multiple safeguards to have access to the entire network.

Your employees are allowed to use personal fitness monitors and other wearable devices inside your facility. You are concerned about proprietary communication with these devices because of eavesdropping. Which of these technologies is the wireless communication with which you should be concerned? A) Infrared B) NFC C) Bluetooth D) ANT

D) ANT Explanation: You should be concerned with ANT, which is a proprietary technology developed by Garmin. It is mostly used in wearable devices, like fitness sensors. It is a low-power wireless technology with a range of about 30 meters. ANT is susceptible to eavesdropping, interception, and impersonation. Near field communication (NFC) connects devices automatically when they are in range. NFC is often used with mobile payment systems on smartphones. Security issues arise if someone loses a phone, if the phone is stolen, or if the phone is compromised in some other way. One example would be if the user's swipe pattern is ascertained. NFC is an ISO/IEC standard, not a proprietary technology. Bluetooth devices are a long-standing security concern because they are susceptible to bluejacking (sending unsolicited messages) and bluesnarfing (extracting data from the device). A newer attack called BlueBorne can download viruses and malware to Bluetooth-enabled devices. Bluetooth is a wireless standard from the Bluetooth Special Interest Group (SIG), not a proprietary technology. Infrared requires line-of-sight communication. While it is still used in some TV remote controls, it has largely been replaced by Bluetooth and Wi-Fi. Infrared is a standard from ANSI and other organizations, not a proprietary technology. Other mobile device security concerns include DoS, Wi-Fi, SATCOM, and USB.

Your company deploys several LDAP servers, which are used to allow users to locate resources. What contains LDAP entries? A) X.500 B) TLS C) LDIF D) DIT

D) DIT Explanation: Lightweight Directory Access Protocol (LDAP) entries are contained in a directory information tree (DIT), which is a hierarchical structure that can be searched for directory information. The start of the LDAP tree is called the root. LDAP is a directory service that enables users to find resources on a network, and it operates on well-known port 389. LDAP with SSL uses port 636. The purpose of LDAP authentication services is to provide a single point of user management. LDAP Data Interchange Format (LDIF) enables LDAP servers to exchange directory information. LDAP can use Transport Layer Security (TLS) to secure LDAP transmissions. LDAP over TLS operates on well-known port 636. X.500 is a directory service specification on which LDAP is based. By default, LDAP communications between client and server applications are not encrypted, meaning that it would be possible to use a network monitoring device to view the communications traveling between LDAP computers. LDAP over Secure Sockets Layer (SSL) / Transport Layer Security (TLS), also known as LDAPS or Secure LDAP, will encrypt communications.

You are performing a qualitative risk analysis by having experts fill out anonymous questionnaires. Which method are you using? A) Monte Carlo B) Pareto principle C) Decision tree D) Delphi technique

D) Delphi technique Explanation: In the Delphi technique, experts fill out anonymous questionnaires, which keeps one or more experts from dominating the discussion. The Pareto principle is not a method. It is a principle that states that 80% of consequences come from 20% of the causes. Monte Carlo analysis is a risk management technique, which project managers use to estimate the impacts of various risks on the project cost and project timeline. It does not have experts fill out anonymous questionnaires. A decision tree is a decision support tool that uses a tree-like model of decisions and their possible consequences. It does not involve experts filling out anonymous questionnaires.

Which of the following mitigation techniques would help contain the spread of a worm throughout the network with minimal disruption? A) Executing an anti-malware scan on each host in the network B) Reimaging all infected hosts from a clean backup C) Removing all infected hosts from production D) Isolating hosts on separate network segments

D) Isolating hosts on separate network segments Explanation: Isolation is a proactive response to prevent a problem before it occurs. The process of isolation prevents the mixing of information or disclosure of information. Isolation sets boundaries that a process must run in. This process ensures that only the memory and the resources within the isolated process are affected. Isolation protects the operating system, the kernel of the OS, and any other applications. The first step in removing a computer worm is to isolate the infected computer by taking it off the local network. This ensures that the worm cannot spread through the network connection, or hijack email, messaging, or file-sharing programs and proliferate to other devices.

To justify the expenses of the forensic investigation, what is one thing that you should closely document? A) Screenshots B) Chain of custody C) Network traffic and logs D) Man-hours

D) Man-hours Explanation: To justify the expenses of the forensic investigation, you should track man-hours. From security guards, to overtime used by staff, to the hours spent by experts in evidence examination, man-hours should be tracked. Careful documentation may be required by accounting, human resources, the courts, or insurance companies. Capturing screenshots is an important part of a forensic investigation, but it does not justify its expenses.

Which research source can help in discovering new vulnerabilities and potential threats in existing Internet standards? A) TTPs B) STIX C) TAXII D) RFCs

D) RFCs Explanation: A Request for Comments (RFC) is a numbered document that includes appraisals, descriptions, and definitions of online protocols, concepts, methods, and programs. RFCs are administered by the IETF (Internet Engineering Task Force). RFCs are issued when a new technology is accepted as an Internet standard, which makes them useful when discovering new vulnerabilities and potential threats in existing Internet standards.

You have a cloud-based application that associates encryption keys with each logged in user. Which cloud mechanism should you use to secure the encryption keys? A) Resource policies B) Availability zones C) Container security D) Secrets management

D) Secrets management Explanation: Cloud providers use secrets management to manage digital authentication credentials. Suppose a web application needs a service password, a connection string to connect to a database, or other secret configuration values to access other resources. You do not want to store those credentials in clear text or in a stored file. Storing and retrieving secrets is always risky, and every access introduces the possibility of leakage. One example of this process is Microsoft Azure, where you can use Key Vault to securely store and control access to tokens, passwords, certificates, API keys, and other secrets. Azure Key Vault is the key management solution for the Azure cloud. Azure Key Vault enables your web app to access secret configuration values easily and securely without needing to store any secrets in your source control or configuration. Container security refers to the controls that apply to applications deployed to lightweight OS containers. You can use resource-based policies to provide access control where a user in a different cloud account can be granted access to a resource in your account. Availability zones are used in load balancing and high-performance scenarios to provide redundancy.

Which of the following sources would provide a threat hunter with the most recent software and other security vulnerabilities discovered over the past week? A) FBI InfraGard Portal B) DHS Automated Indicator Sharing Database C) Microsoft Security Response Center Blog D) US CERT Bulletin

D) US CERT Bulletin Explanation: The US CERT Bulletin is a major threat feed used in the security world. Created and maintained by CISA, it uses weekly bulletins to provide summaries of new vulnerabilities and possible patch options if and when they become available. None of the other options provides the most recent software and other security vulnerabilities discovered over the past week. The Department of Homeland Security (DHS) maintains the free Automated Indicator Sharing (AIS) program that allows organizations to share and obtain machine-readable defensive measures and cyber threat indicators, allowing monitoring and defense of their networks against known threats. The FBI InfraGard is a partnership between the FBI and members of the private sector in the shared concern for the protection of U.S. critical infrastructure. Through unified collaboration, InfraGard connects owners and operators within critical infrastructure to the FBI, to provide education, information sharing, networking, and workshops on emerging technologies and threats that are developing within the US and around the world. The Microsoft Security Response Center Blog is created and maintained by Microsoft to help keep up with ever-evolving threats and better safeguard customers against malicious attacks through timely security updates and authoritative assistance.

Your organization has discovered the cost savings associated with virtual machines and is encouraging rapid adoption. Which concept should you implement before things get out of control? A) Cloud access security broker B) VM escape protection C) Cloud storage D) VM sprawl avoidance

D) VM sprawl avoidance Explanation: You should implement VM sprawl avoidance before things get out of control. VM sprawl avoidance can be accomplished by planning and managing the growth in VM usage. If an organization only focuses on the cost savings, managing the users, administrators and licenses can quickly get out of hand.

You need to implement an authentication system that verifies the identity of the users. Which type of authentication should you implement? A) a security token B) a smart card C) a password D) a retinal scan

D) a retinal scan Explanation: You should implement a retinal scan. A retinal scan views the pattern of the blood vessels in a user's retina to authenticate the user on a network. A retinal scan is a biometric authentication that can determine the identity of a user. Biometric authentication methods scan unique physical attributes to identify the user. All biometric methods, including retinal scans and fingerprint scans, are something that a user is. A security token, a smart card, or a password cannot be used to guarantee the identity of the user who is using the authentication method. A security token is a small device that generates single-use, time-sensitive passwords. A smart card is a small plastic card that contains authentication information. A smart card or proximity card is something that a user has. A Common Access Card (CAC) is a Department of Defense smart card used by active-duty military personnel. Passwords are another method for authenticating users. Passwords allow access to resources. A password or security token is something that a user knows. An authentication system that uses physical security methods, biometric security methods, and knowledge-based security methods is known as a multi-factor authentication system. For the Security+ exam, you must understand the following authentication factors: something you are, something you have, and something you know. You also need to understand the following attributes: somewhere you are, something you exhibit, someone you know, and something you do.

You have been hired as a security administrator for a large business. The previous security administrator left behind documentation on the security policies and measures that the company implements. The network includes several security devices, including a honeypot. Which active response to a hacker attack describes this device? A) network reconfiguration B) termination of a process C) termination of a connection D) deception

D) deception Explanation: A honeypot is a deception method of active response to a hacker attack. In a deception response, a hacker is led to believe that he or she has infiltrated a network while information is being gathered about the attack. A honeypot is a computer on a network that is configured to lure hacker attacks so that the attacks can be studied, and the intruder can be caught. Another term that you need to understand is a honeynet. A honeynet is a network that is configured to lure hackers so that attacks can be studied. Honeynets usually contain honeypots.

What concept is being illustrated when user accounts are created by one employee and user permissions are configured by another employee? A) collusion B) rotation of duties C) two-man control D) separation of duties

D) separation of duties Explanation: Separation of duties is employed when user accounts are created by one employee and user permissions are configured by another employee. An administrator who is responsible for creating a user account should not have the authorization to configure the permissions associated with the account. Therefore, duties should be separated. Separation of duties requires more than one individual to accomplish a critical task. Separation of duties ensures that no individual can compromise a system, and it is considered valuable in deterring fraud. Separation of duties can be either static or dynamic. Static separation of duties refers to the assignment of individuals to roles and the allocation of transactions to roles. In static separation of duties, an individual can be either an initiator of the transaction or the authorizer of the transaction. In dynamic separation of duties, an individual can initiate as well as authorize transactions. Collusion is the involvement of more than one person in fraudulent activity. Separation of duties drastically reduces the chances of collusion and helps prevent fraud. A two-man control implies that two operators review and approve each other's work. A two-man control acts as a crosscheck and reduces chances of fraud, minimizing the risks associated with operations involving highly sensitive information. Rotation of duties or job rotation implies the ability of an employee to carry out tasks of another employee within the organization. In an environment using job rotation, an individual can perform the tasks of more than one role in the organization. This maintains a check on other employees' activities, provides a backup resource, and acts as a deterrent for possible fraud.

Which protocol is used to consolidate event information from multiple devices on a network into a single storage location? A) SIP B) secure-Authentication C) cron D) syslog

D) syslog Explanation: Syslog is a protocol that is used to consolidate event information from multiple devices on a network into a single storage location. Syslog works on an extremely wide variety of different types of devices and applications, allowing them to send text-formatted log messages to a central server known as a syslog server. The syslog service itself relies greatly upon having a syslog server of some kind to receive, store, and interpret syslog messages. This is a necessity because a device or application being able to send log event messages is of little use if there's nothing in place to receive and view them.

You have deployed several different network types and technologies. Match the descriptions on the left with the network technologies on the right that it BEST matches.

DMZ - A network that is isolated from other networks using a firewall
VLAN - A network that is isolated from other networks using a switch
NAT - A transparent firewall solution between networks that allows multiple internal computers to share a single Internet interface and IP address
NAC - A network server that ensures that all network devices comply with an organization's security policy

You need to apply a physical security control so that no electrical signals can escape the room. Which control should you apply? A) Protected cable distribution B) USB data blocker C) Faraday cage D) Air gap

C) Faraday cage Explanation: A Faraday cage can prevent the leaking of electromagnetic transmissions. Creating an air gap is the process of disconnecting the device from any network. A protected cable distribution is one in which all cables are enclosed and protected from eavesdropping. A USB data blocker is used to prevent data transfer through the port while still allowing for power charging using the port.

Your company decides to implement a wireless network. You have been asked to assess which wireless encryption protocol to implement on the wireless network. Match the descriptions on the left with the Wireless Encryption Protocols on the right.

Explanation: The Wireless Encryption Protocols should be matched with the descriptions in the following way:
WEP - Uses a 40-bit or 104-bit key
WPA/WPA2 Personal - Uses a 256-bit pre-shared key
WPA/WPA2 Enterprise - Requires a RADIUS server

You are providing a report to management on the types of controls that your company uses for security and the objects those controls protect. Match the controls on the left with the object given on the right. Each control will go with only one object. Use the controls where they are the most effective.

Explanation: The controls and the objects they protect should be matched in the following manner:
Host-based firewall - Web server
GPS tracking - Mobile device
Biometrics - Data center
Sandboxing - Applications
Mobile devices need GPS tracking so that they can be located if lost or stolen. Servers and clients can be protected using host-based firewalls to ensure that only certain communication is allowed with the host. Data centers can be protected using biometric readers to ensure that only users with the appropriate clearance are allowed entry. Applications can use sandboxing to protect the rest of the system and its applications if a security flaw exists.

You are responsible for managing the security for a network that supports multiple protocols. You need to understand the purpose of each of the protocols that are implemented on the network. Match each description with the protocol that it BEST fits.

Explanation: The protocols should be matched with the descriptions in the following manner:
SSH - A protocol that uses a secure channel to connect a server and a client
SSL - A protocol that secures messages between the Application and Transport layers
SCP - A protocol that allows files to be copied over a secure connection
ICMP - A protocol used to test and report on path information between network devices

You must deploy the appropriate control to a section of the network shown in the exhibit. Because of budget constraints, you can only deploy one of each of the following controls:
Proximity badges
Device encryption
Safe
CCTV
You need to deploy each of these controls to a single area on the diagram. The controls may be used to protect either the entire section or a single component within that section. Match the appropriate control to the best deployment location on the network exhibit. All four locations require a control. Each control should be used only once.

Explanation: The proximity badges will control access to the data center and limit access to approved employees. The safe will provide a location in the office to store the laptops and tablets when they are not in use. The CCTV will provide a means to monitor activity in the customer wireless network lounge. Device encryption will ensure that the data on the laptops cannot be accessed by attackers while the sales reps are in the field.

Match each Linux command (with its default parameters) to its purpose.

Explanation: The tail command displays the last ten lines of a file by default, or the number of lines specified by the -n parameter. The top command displays currently running processes on a Linux system. The grep command searches a file for patterns that match a regular expression or a text string. The dd command lets you create an image of a disk for forensic purposes.

There are a lot of different scans, including how you are doing these scans and the target company's level of awareness. Match the tests on the left with the descriptions given on the right.

Explanation: The tests and their descriptions should be matched in the following manner:
Penetration test - a test carried out by internal staff that discovers weaknesses in systems to be improved or repaired before a breach occurs
Vulnerability scan - an activity performed using an automated tool by a trained security team rather than internal security staff
Unknown environment test - a test conducted with the assessor having no knowledge about the systems being tested (formerly referred to as a black-box test)
Known environment test - a test conducted with the assessor having all of the knowledge about the systems being tested (formerly referred to as a white-box test)
Partially known environment test - a test conducted with the assessor having a little of the knowledge about the systems being tested (formerly referred to as a grey-box test)

You must prepare a presentation that describes different security attacks against your wireless network. Match the attacks on the left with the descriptions given on the right.

Explanation: The attacks and their descriptions should be matched in the following manner:
Wireless jamming - an attack that causes all mobile devices to lose their association with corporate access points while the attack is underway
War driving - the act of discovering unprotected wireless networks by using a laptop outside an office building
Bluejacking - an attack that sends unsolicited messages over a Bluetooth connection
Bluesnarfing - the act of gaining unauthorized access to a device (and the network it is connected to) through its Bluetooth connection

Your organization has decided to implement a PKI to provide better security. Match the PKI component on the left with the descriptions given on the right.

Explanation: The PKI components and their descriptions should be matched in the following manner:
Wildcard - Reduces the certificate management burden by allowing one certificate to be used for multiple subdomains
OCSP - Checks online certificate status in real time
CSR - A message sent from a user or application to a CA to apply for a digital certificate
CRL - Contains a list of certificates that have been issued and subsequently rescinded by a given CA
Keep in mind that OCSP is used to validate whether trust is in place and accurate by returning responses of good, unknown, or revoked.

You have access to several tools as part of your IT technician job. You need to understand what the tools are used for. Match the tools on the left with the descriptions given on the right.

Explanation: The tools and their descriptions should be matched in the following manner:
Wireshark - Network protocol analyzer
Nessus - Vulnerability scanner
Snort - Network intrusion detection system
Cain and Abel - Password recovery tool
There are many tools that can be used to manage security and network components. You should familiarize yourself with the function that each tool provides.
