TotalSems Sec+ P Tests objectives 1 2 6 4 3 5

Ace your homework & exams now with Quizwiz!

How many rounds does DES perform when it encrypts plaintext?

16

Which of the following are examples of insiders that an organization needs to be worried about from a security standpoint? (Select all that apply.) A. Employees B. Custodial crew C. Contractors D. Partners

A, B, C, and D are correct. All of these are examples of potential insider threats to an organization.

Remote access Trojans are characterized by which of the following? (Select all that apply.) A. They are deployed via malware. B. The give attackers the ability to connect to a machine. C. They can change files on the system. D. They can typically be detected by security controls.

All answers are correct.

Which of the following is an Internet standard for directory services? A. SOAP B. LDAP C. XML D. ActiveX

B is correct. Lightweight Directory Access Protocol is a standard for accessing directory services. A and C are acronyms for web standards. D is a Microsoft technology.

Which of the following is an Internet standard for directory services? A. SOAP B. LDAP C. XML D. ActiveX

B. B is correct. Lightweight Directory Access Protocol is a standard for accessing directory services. A and C are acronyms for web standards. D is a Microsoft technology.

Marisol needs to interconnect multiple VLANs in her production environment. Which of the following network devices would best address this issue? A. Layer 2 switch B. Layer 3 switch C. Router D. Firewall

B. The correct answer is B, Layer 3 switch. A layer 3 switch supports inter VLAN routing to interconnect disparate VLANs. A, C, and D are incorrect. A layer 2 switch could interconnect VLAN via trunk ports, but only to interconnect to other layer 2 switches. A router could interconnect two VLANs, but this would take substantial configuration. A firewall is not capable of interconnecting VLANs.

Which of the following is an example of a "trusted OS"? A. Windows 10 B. Ubuntu Linux C. Windows Server D. SELinux

D is correct. SELinux is the only example, from the answers given, of a trusted operating system. A, B, and C are incorrect. These operating systems are not considered trusted operating systems, although they can be hardened to varying degrees.

Which of the following security techniques should you implement to prevent users from downloading and executing malicious ActiveX controls? A. Use a content filter device. B. Disable all ActiveX controls. C. Use a web proxy server. D. Use a policy to configure high-security ActiveX settings.

D. D is correct. You should create a policy for all computers on your network to automatically set high-security settings in the client web browser for ActiveX controls. This ensures that only authenticated and safe ActiveX components are executed. A, B, and C are incorrect. A content filter device or a web proxy server will not prevent dangerous ActiveX components from being downloaded. Disabling ActiveX entirely may cause compatibility issues with many websites.

Three organizations require access to each other's shared resources. To enable access, the three groups decide to use a single sign-on database that all three agree will handle authentication. What form of trust relationship is this? A. Transitive trust B. Web of trust C. One-way trust D. Federated trust

D. The correct answer is D, Federated trust. A federated system involves the use of a common authentication system and credentials database that multiple entities use and share. A, B, and C are incorrect. A web of trust isnt a trust relationship, it is a method to handle trust for certificates. A one-way trust shows one party trusts another but not the reverse. A transitive trust is where if entity B trusts entity A and entity C trusts entity B than entity C trusts entity A.

Does IKE set up IPsec in tunnel mode or in transport mode?

Only in tunnel mode

Travis just got promoted to network administrator after the previous administrator left rather abruptly. There are three new hires that need onboarding with user accounts. When Travis looks at all the existing account names, he notices there is no common naming system. Where should he look to try to give the new hires user accounts with proper naming conventions? A. The company's account policy B. Microsoft best practices C. The Sarbanes-Oxley regulation D. The most pertiinent FIPS documentation

The correct answer is A, the company's account policy. B, C, and D are incorrect. Microsoft best practices as well as FIPS might give some good ideas, but there is no law (such as Sarbanes-Oxley) requiring a certian naming convention for user accounts.

If access point (AP) isolation mode is enabled,

Wi-Fi clients are placed on their own isolated network and have no network connection directly to one another.

The steps involved in an SSL transaction between a client and server are, in order: (5)

1. The client sends a request for a web page to the secure web site by using https:// in the URL. This makes a connection to port 443 by default. 2. The server sends the public key to the client. 3. The client validates the certificate and ensures it has not expired or been revoked. 4. The client creates a random symmetric key (known as a session key) used to encrypt the web page content, and then encrypts the symmetric key with the public key obtained from the web server. 5. The encrypted information is sent to the web server. The web server decrypts and obtains the symmetric key (session key). The web server uses the symmetric key to encrypt information between the client and the server.

Which of the following describe a false reject rate? (Choose two.) A. The error caused from rejecting someone who is in fact an authorized user B. Type I error C. The error caused when an unauthorized user is validated as authorized D. Type II error

A and B are correct. A false reject rate (FRR) is the error caused from rejecting an authorized user; it is also called a Type I error. C and D are incorrect. A false acceptance rate (FAR) is the error caused when an unauthorized user is validated as authorized, also referred to as a Type II error.

Which two of the following are related to computing security access control? A. Authentication B. Encryption C. Job rotation D. PII

A and B are correct. Authentication requires proof of identity before allowing access to resources. This proof could be in the form of a username/password combination, smartcard and PIN, or other combinations of variables in certain contexts. Encryption scrambles data such that only authorized parties can decrypt that data. Both of these relate to computer security access control. C and D are incorrect. These are security concepts, but they are not related to computing security access control.

Which of the following are considered benefits of server virtualization? (Choose two.) A. Efficient application of software updates B. Centralized data storage C. Faster network access D. Cheaper software licensing

A and B are correct. Because virtualized servers could be running on the same physical host, patch deployment is efficient. Virtualized servers often use shared disk storage, thus centralizing data and making backups quicker and easier. C and D are incorrect. Virtualized servers are not faster than physical servers, although their deployment often is. Virtual machine sprawl results from the ease of deploying virtual machines and forgetting about them over time as their use declines. Licensing for virtualized servers is normally not cheaper than with physical hosts.

How can cross-site request forgery be mitigated? (Choose two.) A. Disable JavaScript in the web browser. B. Do not allow web applications to save credentials. C. Developers can validate user input on web forms. D. Web server administrators can enable SSL.

A and B are correct. Cross-site request forgery attacks often use a client-side scripting language such as JavaScript to execute code that then sends data to a trusting web site without the user knowing, so disabling JavaScript reduces this likelihood; however, some web sites may not function properly as a result. Web sites that allow user credentials to be saved make it easier for attackers to exploit the trust a web site has for an authenticated user at any time. C and D are incorrect. Validating input on web forms can prevent cross-site scripting and SQL injection attacks, but not cross-site request forgeries. Enabling SSL on a web site encrypts traffic between the web browser and the web server. Cross-site request forgeries exploit user connections to trusted servers, which normally use SSL. SSL does nothing to prevent cross-site request forgeries.

What types of attacks cannot be mitigated by virus scanners? (Choose two.) A. DNS poisoning B. ARP cache poisoning C. Trojan D. Keylogging

A and B are correct. DNS and ARP poisoning are network-based attacks and not viruses. C and D are incorrect. They are both viruses and can be mitigated by virus scanners.

Your security architect is talking about using IKE in an upcoming deployment. What does IKE do? (Choose all that apply.) A. Provides automated key management B. Authenticates peers involved in Ipsec C. Handles all encryption for IPsec-based VPN D. Sets up IPsec in transport mode

A and B are correct. Internet Key Exchange (IKE) offers automated key management, authenticates each peer involved in IPsec, and negotiates the security policy, including the exchange of session keys. C is incorrect because IKE only handles key management, not the entire encryption process. D is incorrect because IKE sets up tunnel mode, not transport mode.

Which of the following are significant risks of allowing employees to bring their own mobile devices into the enterprise? (Choose all that apply.) A. Data loss due to hostile apps. B. Geo-tagging of devices allows tracking of users. C. Mobile devices have small screens, limiting data visualization. D. Mobile devices lack security features.

A and B are correct. Many mobile apps can steal contact data and other data from a mobile device, and geo-tagging can allow others to track a device, giving away personnel locations, routes, sales prospects, and more. C is true but is not a risk. D is partially true, but there are significant security capabilities available that can be employed.

Which of the following statements regarding capturing wireless network traffic with a packet sniffer are true? (Choose two.) A. Most wireless routers behave as hubs do; all wireless clients exist in a single collision domain. B. Wireless router administrative credentials sent over HTTP are vulnerable. C. All packets are encapsulated in 802.1x packets. D. Traffic can be captured prior to associating with the wireless router.

A and B are correct. Most wireless routers do not isolate wireless client connections; this means once you have connected to the wireless network and begun a network capture, you will see all wireless client traffic. Newer wireless routers support isolation mode, which behaves much like an Ethernet switch (each port is its own collision domain). Most wireless routers use HTTP to transmit administrative credentials. Capturing this traffic means the credentials can easily be learned; HTTPS should be configured so that administrative credentials are encrypted. C and D are incorrect. 802.1x is a network authentication mechanism by which clients must be authenticated (often using a PKI certificate) before gaining network access; it has nothing to do with packet encapsulation. Associating with a wireless router is the equivalent of plugging into a wired network switch; this must happen before you can capture network traffic.

Which of the following are true regarding virtual machines? (Choose two.) A. The MAC address for virtual network cards is configurable. B. Virtual machine network cards can be configured on their own virtual VLAN. C. Virtual machines must use shared disk storage. D. Compromised virtual machines imply a compromised physical host.

A and B are correct. The MAC (Media Access Control) address (for example, 00-26-B9-C5-2A-F1) for virtual network cards is configurable. Virtual network cards can be configured with a VLAN ID, which means they can communicate only with other virtual machine network cards configured with the same VLAN ID. C and D are incorrect. Shared disk storage is not a requirement for virtualization. A compromised virtual machine does not mean the underlying physical host has been compromised; virtual machine escape defines the rare cases where this could happen.

Which of the following are examples of weak security configurations? (Choose all that apply.) A. Allow users to use weak passwords B. Outdated or weak cipher suites C. Using a single vendor for critical hardware D. Poor inventory control over user software

A and B are correct. Weak passwords will lead to hacked systems. Outdated or weak cipher suites allow systems that have fallen to exploits to be freely exploited because they are unprotected. For example, all versions of SSL have been compromised, and only TLS should be considered to be secure. C and D are examples of poor defense in depth and security controls, not weak configurations.

What are the advantages of ad hoc networks? (Choose all that apply.) A. Easy to configure B. Simple method of communication C. Easy to apply security devices such as IDS D. Easy to monitor performance

A and B are correct. Without the need for access points, ad hoc networks provide an easy and cheap means of direct client-to-client communication. Ad hoc wireless networks can be easy to configure and provide a simple way to communicate with nearby devices when running cable is not an option. C and D are incorrect because the lack of central monitoring points makes applying security devices and monitoring performance difficult.

What can be done to harden a public web server? (Choose two.) A. Patch the operating system. B. Configure the web server to use TCP port 4634. C. Implement input validation for web forms. D. Name web pages with .HTML instead of .HTM.

A and C are correct. A hardened web server begins with a hardened (patched) operating system. Validating user-submitted data is a critical application developer responsibility—user-submitted data can compromise a web server or client web browsers visiting the web site. B and D are incorrect. A public web server should always use standard TCP ports such as 80 and 443. Naming a file with .HTML is no more secure than using .HTM.

You are designing the structure and layout of a data center. Which factors should you consider? (Choose two.) A. Cold aisles B. IP subnet addressing C. Backup power generator D. User account naming convention

A and C are correct. Cold aisles arrange equipment to allow optimal airflow in a data center to take warm air away from computing components while focusing cool air toward them. Backup power generators ensure uptime in the event of power failures. B and D are incorrect. IP addressing and the naming of user accounts are not considered when focusing on data center design and layout.

Which of the following are ways to mask PII (personally identifiable information)? (Choose two.) A. Anonymous proxy server B. Tattoo C. Gloves D. Fingerprint

A and C are correct. Personally identifiable information uniquely identifies a person and includes items such as a credit card number, e-mail address, signature, and so on. Anonymous proxy servers mask your IP address, and gloves prevent fingerprints being left behind—these both mask PII. B and D are incorrect. Tattoos and fingerprints are personally identifiable information.

How does jailbreaking a mobile device increase security risk? (Choose all that apply.) A. Bypassing of security controls B. Breaking warranty C. Allowing unauthorized software changes D. Increasing system memory

A and C are correct. Running a mobile device with an enhanced level of privilege obtained via jailbreaking can bypass built-in security controls and allow unauthorized software changes. B is incorrect because voiding a warranty is not a security risk. D is incorrect because jailbreaking does not typically increase memory, and wouldn't be a security risk if it did.

What are the standard protections built into enterprise switches? (Choose all that apply.) A. Loop prevention. B. Reverse proxy ability C. Flood guard D. Round-robin method

A and C are correct. Switches need loop prevention and flood guard protections. B is a separate security function, and D applies to load balancers.

In the near future your company will be using a PKI. As the IT security directory, you must decide where user PKI information will be stored. Which two from the following list are valid? A. File B. USB mouse C. Smartcard D. TPM

A and C are correct. User PKI information, potentially including the private key, could be stored in a password-protected file or written to the chip in a smartcard using the proper hardware. B and D are incorrect. USB mice cannot store data, although the use of wireless keyboards and mice should be limited to increase security. TPM chips store keys for encrypting hard disks, not PKI user information.

What can be done to harden a public e-commerce web server? (Choose two.) A. Install a PKI certificate and enable SSL. B. Install an SSL certificate and enable PKI. C. Do not use an administrative account to run the web server. D. Do not use TCP port 80 or 443.

A and C are correct. Web servers enable you to enable SSL, not PKI. Web servers run with a user account, and this should be a limited account with limited system privileges in case the web server is compromised by an attacker. B and D are incorrect. PKI is not a configurable web server option, but SSL is. A public web site should use common TCP ports; otherwise, users will have difficulty connecting, a bad idea for an e-commerce web site.

A server has TPM enabled. There are six physical hard disks, which are presented to the operating system as two logical disks. Which two of the following statements are true? A. Encryption keys will be stored in the TPM chip. B. Encryption keys are not stored in the TPM chip. C. The operating system boot disk cannot be encrypted with TPM. D. The operating system boot disk can be encrypted with TPM.

A and D are correct. Encryption keys in the TPM chip can decrypt any local storage device, including boot disks and removable flash drives. B and C are incorrect. Encryption keys can be stored in the TPM chip. Operating system and data disks can be encrypted with TPM.

IPsec can functionally alter which of the following protocols? (Choose all that apply.) A. ARP B. UDP C. BGP D. IEEE 802.3

A and D are correct. IPsec operates at layer 3, and can tunnel under lower layers, but carry intact higher layers. ARP and Ethernet operate at the data link layer (layer 2) and are thus obfuscated by IPsec. B and C are above layer 3 and thus are carried and correctly handled by IPsec.

Challenges that are inherent in alternative environments, such as SCADA systems, include which of the following? (Choose all that apply.) A. Infrequent updates/revisions B. Reduced capabilities C. Single control purpose D. Trusted network connections

A and D are correct. Infrequent updates and revisions means that when vulnerabilities are discovered, patching is unlikely. Many of these systems operate with trusted network connections to report back to the enterprise, and these connections can be exploited. B and C limit the typical attack surface and risk, so they are not an increased threat challenge.

While configuring IPSec to secure internal LAN traffic, you must specify an integrity algorithm. Which of the following would be valid choices? (Choose two.) A. SHA-1 B. 3DES C. RSA D. MD5

A and D are correct. Integrity algorithms are used to ensure that message came from who they say they came from and have not been tampered with. B and C are incorrect. They are both encryption algorithms.

Your company is donating old Windows XP computers to a local school. A junior technician has deleted company data stored on these computers and emptied the recycle bins. What is the problem with this situation? (Choose two.) A. You cannot let others use your Windows product keys. B. The hard disks should have been formatted. C. The hard disks should have been repartitioned. D. The hard disks should have been completely filled with random data.

A and D are correct. Licensed software should not be transferred to others. Deleted files are removed from file system indexes, but the data remains on disk and can be easily recovered with the appropriate tools. Formatted and partitioned hard disk data can also be recovered as long as the disk has not been filled with other data. There are tools designed to fill hard disks with random data over many passes to ensure that the original data is not recoverable. B and C are incorrect. Formatting and partitioning hard disks does not securely remove data.

You must harden six Linux computers on a small departmental network. What should you check for? (Choose two.) A. Enabled unneeded daemons B. Apache daemon C. SSH daemon D. Linux patches

A and D are correct. Linux operating systems must be patched to ensure they are secure. Running unnecessary daemons (services) increases the attack surface. B and C are incorrect. Apache (web server) and SSH remote administration may be required daemons and therefore may not have to be disabled.

A company server is used to store sensitive trade secrets and design plans. A port scan shows services listening on TCP ports 80 and 25. Server log files reveal no activity for these ports since the server upgrade project three years ago. What can you do to harden this server? (Choose two.) A. Apply operating system patches. B. Store sensitive files on a different server. C. Generate file hashes for the design plans. D. Disable the web and mail servers.

A and D are correct. Patching an OS is always a critical hardening procedure for devices and software that have not yet reached their end of life, although some embedded devices do not support firmware patching. Patches can be applied to individual devices or from a centralized configuration tool such as Microsoft System Center Configuration Manager (SCCM). Since the web server (port 80) and mail server (port 25) have not been used in three years, they should be disabled to reduce the attack surface. Data loss prevention (DLP) tools should be put in place to prevent the accidental or intentional leakage of corporate trade secrets (called data exfiltration) through removable USB media, social media, or e-mail. B and C are incorrect. There is no indication that any other server would be better suited to store sensitive data if the current server is hardened. File hashes reveal any file modifications but do not protect the confidentiality of the files.

Sylvain, a computer science student in Paris, connects to an Internet SMTP host using Telnet and issues the following commands: Helo smtp1.acme.ca Mail from:[email protected] Rcpt to:[email protected] Data:Subject:Linux versus Windows Hi Satya. The current state of the Windows operating system is a complete disaster! Please take note that open source software is set to achieve world dominance Thanks. - The Donald How can these two users prevent this type of attack? (Choose two.) A. Exchange public keys. B. Uninstall Telnet from all computers. C. Disable SMTP on smtp1.acme.ca. D. Digitally sign e-mails using private keys.

A and D are correct. Private keys are used by the sender to generate a unique signature for an e-mail message. The recipient uses the related sender public key to verify the validity of the signature. Spoofed SMTP messages cannot have a valid digital signature, since hackers (such as Sylvain) will not have access to the sender's private key. B and C are incorrect. There are other programs available to connect to SMTP hosts. If SMTP were disabled on smtp1.acme.ca, Sylvain would simply find another unsecure SMTP host on the Internet.

Risk assessment means evaluating which of the following elements? (Choose two.) A. Probability B. Threat C. Vulnerability D. Impact

A and D are correct. Probability and impact values are evaluated and assessed during a risk assessment. B and C are incorrect. Threats and vulnerabilities do not have defined values.

Which two methods are used to prevent loops on network devices? (Choose two.) A. TTL value B. OSPF C. VLANs D. STP

A and D are correct. Time-to-live (TTL) values in packets are used to control looping across routers and subnets. Spanning Tree Protocol (STP) is used to prevent looping on switched segments. B and C are incorrect. OSPF (Open Shortest Path First) is a routing protocol and does not necessarily control routing loops. VLANs are used on switches to segment broadcast and collision domains, as well as to logically separate network segments.

Your manager asks you to identify the amount of time and personnel required to address a worm virus infection on the corporate WAN. You estimate it would take six technicians two days to remove the infection, at a total cost of $2800. Which type of analysis would this dollar figure best relate to? A. Business impact analysis B. Quantitative risk analysis C. ALE analysis D. ARO analysis

A is correct. A business impact analysis studies the impact (financial in this case) that an incident presents to a business. B, C, and D are incorrect. Quantitative risk analysis uses ALE (annual loss expectancy) values to prioritize risks. The ALE is calculated by multiplying the ARO by the SLE value. The $2800 is an SLE value, but the scenario does not offer an ARO value; thus, B is incorrect. C and D are incorrect because there is no such thing as an ALE or ARO analysis; they are used to perform a risk analysis.

Which type of business continuity plan test involves distributing the BCP to the representative for each department to review and to verify that no major components of the BCP have been left out? A. Checklist review B. Structured walkthrough C. Simulation test D. Parallel test

A is correct. A checklist review is one type of test where the BCP is distributed to the representative for each department to individually review and to verify that no major components of the BCP have been left out. B, C, and D are incorrect. These are different types of BCP testing with varying degrees of depth. A structured walkthrough requires the BCP committee to get together and review the BCP as a group. A simulation test involves simulating small parts of the plan to see how the flow of the plan works. A parallel test involves ensuring that systems can function at the alternate site and that the alternate site is actually functional.

Which of the following is a Type I error? A. False rejection rate B. Crossover error rate C. False acceptance rate D. False negative

A is correct. A false rejection rate (FRR) is a Type I error in biometrics. This also equates to a false positive. B, C, and D are incorrect. A false acceptance rate (FAR) is a Type II error and referred to sometimes as a false negative. The crossover error rate (CER) is the point where the FRR and FAR are equal.

You have received reports that a number of hosts in your company's internal network are sluggish and unresponsive. After troubleshooting other items, you decide to use a sniffer to examine the network traffic coming into the host. You see that massive amounts of ICMP broadcasts are being sent on the network. The switch is having trouble processing all of this traffic, due to repeated ICMP replies, causing it to slow down. Which of the following is the most likely explanation for this? A. Flood attack B. Malware attack C. Man-in-the-middle attack D. Phishing attack

A is correct. A flood is a type of network attack based upon confusing a switch with ICMP traffic. B, C, and D are incorrect. Malware would not cause a large volume of ICMP segments to be sent to a host. A man-in-the-middle attack attempts to break into an existing communications session, and is not a denial-of service attack. A phishing attack is a form of social engineering attack using e-mail.

Your company has a salesperson who travels a lot and will be connecting to hotel networks. What security recommendation would you make for her laptop? A. Host-based firewall B. Unencrypted drive C. Null password D. FDE

A is correct. A host-based firewall should be used when connecting to untrusted networks, such as one in a hotel. B, C, and D are incorrect. Having an unencrypted drive and null password are not security recommendations. Although full disk encryption (FDE) can help if the laptop is lost or stolen, it will not help you in situations when you are making connections to an unknown and potentially unsecure network. You could potentially be infected with a virus by connecting to an unknown network without having a firewall enabled, or be vulnerable to an attack.

Which of the following is used to verify the integrity of the message? A. Message digest B. Digital certificate C. Digital signature D. Symmetric key

A is correct. A message digest, or hash, can be used to verify the integrity of a message by comparing the original hash to one generated after receipt of the message. If the two match, then integrity is assured. If they do not match, then the message was altered between transmission and receipt. B, C, and D are incorrect. Digital certificates contain public keys that are distributed to users. Digital signatures provide for authentication. Symmetric keys are not used to provide for integrity, but confidentiality.

Which of the following is used in Windows systems to identify a user account? A. Security identifier (SID) B. User identifier (UID) C. Group identifier (GID) D. Access control entry (ACE)

A is correct. A security identifier (SID) is an unique number assigned to each individual user account. It's never used, even when an account is deleted and re-created. B, C, and D are incorrect. Both a UID and GID refer to unique numbers in Linux and UNIX-based systems that identify users and groups. An access control entry (ACE) is a unique entry in an access control list (ACL) that describes a user's permissions for accessing objects.

Which of the following is a point-in-time backup of certain key configuration settings of a virtual machine, allowing the VM to be restored back to that point in time if it suffers a crash or other issue? A. Snapshot B. Differential backup C. Incremental backup D. System state backup

A is correct. A snapshot is a quick backup of critical configuration files, used by the hypervisor to restore the virtual machine back to its point-in-time status should it become unstable or suffer any other issues. B, C, and D are incorrect. Differential and incremental backups apply to entire systems and are used to back up only files that have changed since the last full backup. The system state backup is a Microsoft Windows type of backup that backs up critical files used by the operating system to restore it in the event of a system crash or other issue. Virtual machines can make use of all of these other types of backups, but they are not used by the hypervisor to restore the VM itself.

Alison, the senior security officer within your organization, has requested that you create a plan for a passive security test that identifies configuration mistakes with an asset. What type of test would you plan? A. Vulnerability scan B. Penetration test C. Risk assessment D. Code review

A is correct. A vulnerability scan is considered a passive test because it only involves reviewing the configuration of a system to determine if there are any vulnerabilities. B, C, and D are incorrect. A penetration test is considered an active test because you are actually interacting with the target system and trying to bypass the security controls. A risk assessment helps identify risks for each asset. A code review involves reviewing the code of an application to look for flaws.

You are a web developer for a company named Surf's Up Penguin Services. Some customers report links on your web pages to unrelated offerings of various products. As the web developer, you check your web site code and verify that these links are not coded into your web pages. What can you tell your customers? A. They are infected with adware. B. They are infected with a virus. C. They are infected with a worm. D. They are infected with a Trojan.

A is correct. Adware could add links to web pages you visit for products and services you may want based on your computer usage patterns. B, C, and D are incorrect. They would not cause the described problem.

You have to configure your web application servers so that they can operate in a high-availability mode. Which of the following is the best option? A. Affinity-based load balancing B. Round-robin load balancing C. Active-active scheme D. Active-passive scheme

A is correct. Affinity-based scheduling is driven by a desire to keep a host connected to the same server across a session. B is incorrect because round-robin schemes break sessions. C and D represent options for how to handle multiple load balancers.

Split tunnel has what advantage over full tunnel? A. Avoiding bottlenecks B. Protection against attacks C. Separates non-VPN and VPN traffic D. Increases complexity, making it harder to be attacked

A is correct. An advantage of split tunneling is the ability to avoid bottlenecks that occur in a full tunnel solution because all traffic has to be encrypted across the VPN. A split tunnel would allow a user private access to information from locations over the VPN and less secure access to information from other sites. B is incorrect because attacks over the non-VPN side can affect the VPN side in split tunneling. C is incorrect because the two traffic streams are not physically separated. D is a distractor that has no foundation in fact.

Which of the following statements best describes an algorithm? A. A mathematical operation that is performed on the data to convert the data from plain text to cipher text (or vice versa) B. A variable piece of information that is used by the encryption process to perform the encryption or decryption of the data C. A value indicating the time it would take to break the encryption D. A mathematical function that involves comparing two bits of text to produce a bit result

A is correct. An algorithm is a mathematical operation that is performed on the data to convert the data from plain text to cipher text (or vice versa). B, C, and D are incorrect. A key is a variable piece of information that is used by the encryption algorithm to perform the encryption or decryption of the data. Work factor refers to the value indicating the time it would take to break the encryption. An exclusive OR (XOR) is a mathematical function that involves comparing two bits of text to produce a bit result.

A junior developer creates a custom database application. During testing, she discovers that unexpected conditions cause her application to crash. What did she forget to implement? A. Error trapping B. Function parameters C. Input validation D. Variable declarations

A is correct. Application developers should employ error trapping to capture unanticipated behavior to prevent the application from crashing. B, C, and D are incorrect. Error trapping would capture the incorrect use of function parameters, input validation, or problems with variable declarations.

What is the function of application whitelisting? A. Verifies a file is authorized to run based on a hash B. Verifies that a file is safe to use based on which directory it is in C. Checks programs for completeness before use D. Prevents data theft by employees

A is correct. Application whitelisting is a technology that marks files as safe to run on a system based upon their hash values. This allows only specified binaries to be run on a system. For machines with a limited number of applications, this can be a powerful tool to combat many forms of malware. B is incorrect because directory location does not dictate file safety. C and D are nonsensical distractors with respect to the question.

Which of the following actions should you take if you discover a flaw within your web application that allows root access to the system through command injection? A. Resolve the issue and release a hotfix. B. Do not publish the issue but resolve it in next major version. C. Advise end users not to use command injection. D. Completely re-architect the application for the next major version.

A is correct. Because this is a serious security flaw, it should be resolved as soon as possible and a hotfix released to your customers to prevent them from being exploited by the flaw. B, C, and D are incorrect. B and D are incorrect because these actions leave your customers vulnerable to the security flaw for an extended period of time. C is incorrect because this course of action does not fix the issue but rather advertises the fact that there is a command injection flaw to both customers and hackers.

At what level of humidity is there a danger of experiencing an excessive amount of electrostatic discharge (ESD)? A. Below 40 percent B. Above 60 percent C. Between 40 and 60 percent D. 100 percent

A is correct. Below 40 percent, the air becomes very dry, and ESD is more prevalent. B, C, and D are incorrect. The desired range of humidity is between 40 and 60 percent. Anything above 60 percent humidity and the danger of electronic parts corroding, due to excessive moisture in the air, increases.

Which of the following wireless attacks specifically attempts to take control of or use Bluetooth-enabled cell phones to make unauthorized calls? A. Bluebugging B. Bluesnarfing C. Bluejacking D. Bluesniffing

A is correct. Bluebugging, the most serious of the various Bluetooth attacks, involves an attacker attempting to take control of or use a Bluetooth-enabled cell phone to place calls. B, C, and D are incorrect. Bluejacking is the act of sending unsolicited messages or files to a Bluetooth device. Bluesnarfing is a more serious attack than Bluejacking and involves unauthorized access to information on a Bluetooth-enabled device. Bluesniffing is a false, nonexistent term.

Determining the criticality of processes and systems, and the impact on them in a disaster, is known as? A. BIA B. DRP C. BCP D. Succession planning

A is correct. Business impact analysis identifies critical processes and systems, as well as the impact on the business if it loses them in a disaster. B, disaster recovery plan is related to recovering from disasters and is dependent upon a BIA. C, business continuity planning, is broader than and contains BIA. D is about people, not processes and systems.

You need to improve the redundancy of your file servers in your organization's network. Which of the following actions helps improve hardware redundancy on the file servers to prevent downtime because of hardware failures? A. Adding another power supply B. Adding a second ISP C. Using a backup tape system D. Installing cooling fans in the server cabinet

A is correct. By adding a second power supply, you ensure that the server will not power off if one of the power supplies fails. B, C, and D are incorrect. Adding another ISP for your organization only improves redundancy for your network communications, not your file server hardware. Using a backup tape system only provides redundancy and backup for your data, not your hardware. Cooling fans help regulate the temperature but do not provide any hardware redundancy.

To prevent issues related to tailgating and unauthorized access to users' computers when they are away from their desks, which of the following security control policies should you implement? A. Locking workstation after ten minutes of inactivity B. Password history and rotation C. Clean desk policy D. Screen privacy guard

A is correct. By implementing a policy where workstations are automatically locked after ten minutes, you ensure that users' computers are not accessible if they are away from them for a lengthy period of time. The users must authenticate to their computers to unlock the workstations. B, C, and D are incorrect. Password history (ensuring the same password is not used too often) and rotation (passwords are changed regularly) will not stop someone from tailgating onto a user's logged-in workstation when they are away from their desk. A clean desk policy is used to ensure that users do not leave important documentation, passwords, and mobile devices on their desks while they are away. A screen privacy guard is used to prevent shoulder surfing when a user is working at her workstation.

Backing up the current state of the system is a critical step to which of the following processes? A. Change management B. Forensics analysis C. Incident response D. Data classification

A is correct. Change management is a process that should be followed when performing any changes to systems on the network. One of the steps to making a change to a system is to back up the system before you implement the change so that if there is a problem, you can always revert to the state before the change was made. B, C, and D are incorrect. Forensics analysis is performed when there is a security incident that needs to be investigated. Incident response is the process followed when a security incident occurs. Data classification is a system used to identify different types of data on the network and a way to associate that data with security clearance levels.

Tanya is the network administrator for a midsize company and needs to apply updates to a number of mission-critical systems on the network. What mitigation technique should she use to reduce the risk to the systems? A. Change management B. Forensics analysis C. Incident response D. Data classification

A is correct. Change management is a process that should be followed when performing any changes to systems on the network. The change management process helps reduce risk against your assets because it involves having a plan for implementing changes. B, C, and D are incorrect. Forensics analysis is performed when there is a security incident that needs to be investigated. Incident response is the process followed when a security incident occurs. Data classification is a system used to identify different types of data on the network and a way to associate that data with security clearance levels.

Containerization is the process of virtualizing which of the following items? A. Operating system B. Virtual machine C. Hardware D. Interface

A is correct. Containerization is the process of virtualizing the operating system. Conatiners often use storage segmentation to separate senstitive and personal data. B, C, and D are incorrect. Virtual machines are not virtualized. Traditional virtualization, not containerization, virtualizes hardware; and while it can be argued that both traditional virtualization as well as containerization virtualize a sysytem's interface, that is not the best answer of the choices given.

What is the third step in the incident response life cycle? A. Containment, eradication, and recovery B. Preparation C. Post-incident activity D. Detection and analysis

A is correct. Containment, eradication, and recovery is the third step of the incident response lifecycle. B, C, and D are incorrect. In order, the steps of the incident response life cycle are preparation; detection and analysis; containment, eradication, and recovery; and post-incident activity.

In many cases a load balancer uses which of the following on a client's browser to maintain session affinity? A. Cookies B. TLS C. Session lock D. Client-based code

A is correct. Cookies are saved and used by load balancers to maintain a connection between a specfic client and a specfic server, i.e. session affinity. B, C, and D are incorrect. TLS is an encryption method and session lock is an imaginary term. Client-based code could be used, but is not common.

What is the greatest challenge in logging? A. Determining what to log B. Searching logs C. Securing logs D. Controlling who has access to logs

A is correct. Determining what needs to be logged is a critical decision. If you don't log enough, you miss critical artifacts, but if you log too much, details can be lost in the data volumes. B is not challenging because it can be automated. C and D only matter once you have determined and collected the correct log data, thus they have no meaning until you choose the correct set of data to log.

Which of the following security techniques can help you configure document controls? A. Document classifications B. Anti-malware scanning C. Checksum hashes on outgoing attachments D. Caching proxy server

A is correct. Document classifications, such as "public," "classified," and "secret," can help you configure content controls to search for these classifications in documents being transmitted outside of your network. B, C, and D are incorrect. Anti-malware scanning does not provide any type of content control for files; it only checks for malware. Checksum hashes are only used to make sure your document is not altered from the original. A caching proxy server only caches content; it does not perform document content control.

You are creating a VPN for your organization so that users can access the network via the Internet when working remotely from home and when traveling. You should use _____ to encrypt VPN traffic. A. IPSec B. SSH C. SSL D. Kerberos

A is correct. IPSec provides encryption, integrity, and authentication for data tunneled over VPNs across public networks. B, C, and D are incorrect. SSH is an encrypted form of remote access, SSL provides secure communications, and Kerberos uses a special key ticket assigned to a client for authentication and identification to other clients on the network.

Which of the following is a key agreement protocol used in public key cryptography? A. ECDH B. RSA C. AES D. SHA-2

A is correct. Elliptic Curve Diffie-Hellman (ECDH) is a key exchange protocol used in public key cryptography. It is used to negotiate, agree upon, and establish a secure session between two parties. B, C, and D are incorrect. RSA (Rivest-Shamir-Adleman) is the most common public-private key generation algorithm used in public key cryptography. It is used to generate a public and private key pair. AES is the Advanced Encryption Standard, and it is not used in public key cryptography; it is a symmetric key cryptography algorithm. SHA-2 is the second iteration of the Secure Hashing Algorithm and is used to generate message digests for plaintext. It is not used in public key cryptography to exchange keys or establish secure sessions.

Which of the following is not true about embedded computer systems? A. Embedded systems are single-purpose systems with no additional functions or capabilities. B. Embedded systems can be updated. C. Embedded systems are found in medical devices. D. Embedded systems can be configured to work together in large, complex networks.

A is correct. Embedded systems can have "stripped" versions of Linux as a core OS, but still have Linux functions or application functionality that is not used, but present. This makes update testing a tougher regression testing problem than in a general-purpose situation. B, C, and D are all incorrect because they are true statements: embedded systems can be updated, they are in a wide range of devices, including medical devices, and they work in complex networks, each individual embedded system doing its own function.

You are developing a web application and are performing testing of the input fields for web forms. Which of the following techniques can you use to make sure that operating system commands cannot be inserted into your web forms and executed? A. Escaping B. Fuzzing C. Cross-site scripting D. Transitive access

A is correct. Escaping is a secure coding technique that ensures that any system commands are not processed and executed as actual commands; instead, they are only recognized as text. B, C, and D are incorrect. Fuzzing is used to test input validation, and cross-site scripting is a type of application attack. Transitive access is a security issue that allows user access to pass through unexpectedly from one software component to another without proper authorization or access permissions.

Which of the following techniques can you implement to prevent command injection? A. Escape command characters. B. Fuzz input. C. Disable cut-and-paste functionality. D. Use SQL injection.

A is correct. Escaping is a technique used when processing input fields to process command characters inserted into the input as text data to prevent commands from being run. B, C, and D are incorrect. Fuzzing is used to test input validation through the entry of random characters. Disabling cut-and-paste functionality on the input field will not prevent command injection. SQL injection is a similar type of command injection attack that is performed on SQL database servers.

What type of evidence in a computer forensics investigation, when found to prove a suspect's innocence, cannot be ignored, in the interest of impartiality? A. Exculpatory evidence B. Inculpatory evidence C. Demonstrative evidence D. Documentary evidence

A is correct. Exculpatory evidence proves innocence. B, C, and D are incorrect. Inculpatory evidence proves guilt. Demonstrative evidence, which can be in the form of charts, graphs, drawings, and so forth, is used to help non-technical people, such as the members of a jury, understand an event. Documentary evidence directly supports or proves a definitive assertion.

From the initial first step, in the forensics process, the most important issue must always be which of the following?? A. Preservation of the data B. Document Chain of custody C. Documenting all actions taken D. Witness preparation

A is correct. Failure in preserving the data causes the most harm and cannot be alleviated by anyone or any later action. B and C are incorrect because a documentation failure represents risk, but does not actually affect the data, which in many cases can be shown via integrity checks to still be true. D is incorrect because it assumes you even get to the stage where witness statements are used, a low probability event.

Which of the following is an example of adhering to the concept of chain of custody when seizing computer equipment? A. Generating file hashes B. Applying operating system updates C. Encrypting external USB hard disk contents D. Emptying the Windows Recycle Bin

A is correct. File hashes are unique per file and are used to ensure that original data has not been modified; a modified file generates a different unique hash value. B, C, and D are incorrect. They modify seized computer data. Data should be examined or changed only on copies after file hashes have been generated.

What is the name of the access control model in which users will be granted permissions to objects in terms of the specific duties they must perform? A. RBAC—role-based access control B. MAC—mandatory access control C. DAC—discretionary access control D. RBAC—rule-based access control

A is correct. Granting permissions based on duties is role-based, so role-based access control is the correct model. B, C, and D are access control models but are not based on group roles.

What is the term generally used to refer to the act of exceeding one's authority in a system? A. Hacking B. Cracking C. Escalating D. Piggybacking

A is correct. Hacking is the term that is now generally accepted when referring to the act of exceeding one's authority in a system. B, C, and D are incorrect. At one time cracking was offered up as a term to describe gaining unauthorized access to systems, but it did not catch on and hacking is used by both the security community and the media for this as well. The act of gaining unauthorized access is also sometimes referred to as "privilege escalation," but hacking is the most general term used to describe this activity. Piggybacking is a type of physical security attack used to gain unauthorized access to a facility.

Which of the following can be used to secure all internal LAN traffic? A. IPSec B. SSL C. HTTPS D. Antivirus

A is correct. IPSec (Internet Protocol Security) can encrypt and digitally sign network traffic at OSI layer 4 (the Transport layer), which means it is not application-specific (unlike SSL). All network traffic can be encrypted with a single IPSec policy, which helps mitigate insider threats. B, C, and D are incorrect. SSL must be configured for each application requiring network encryption. HTTPS (Hypertext Transfer Protocol Secure) is HTTP traffic secured with SSL. Antivirus software does not encrypt network traffic.

When a user types his or her username into a logon screen, this is known as ___________? A. Identification B. Authorization C. Authentication D. Impersonation

A is correct. Identification is the first step in the process and involves the user presenting his or her credentials to the server. B, C, and D are incorrect. Authentication occurs after identification and involves the user's credentials being authenticated by the server. Authorization refers to granting an authenticated user the correct access to an object. Impersonation is an invalid term in this context.

All of the following are steps of a risk assessment EXCEPT: A. Identify recovery procedures. B. Identify risks or threats. C. Identify assets. D. Mitigate risks or threats.

A is correct. Identifying recovery procedures is a process that takes place when developing a disaster recovery plan, not a risk assessment. B, C, and D are incorrect. All of these steps are part of the risk assessment process. The basic steps of this process, in order, are to identify assets, identify threats (risks) against assets, prioritize threats, and mitigate threats.

Several users have received HTML-based e-mail messages that send them to a malicious website when they click any of the images or links in the message. Which of the following security techniques should you implement? A. Use a policy to disable HTML images in the e-mail client. B. Make sure client antivirus signatures are up to date. C. Use a web browser to read HTML messages. D. Use a web-caching proxy server.

A is correct. If the HTML images are not from a trusted source, you can set your e-mail clients to not load HTML images by default. Use a policy to enable this feature for all clients on your network. B, C, and D are incorrect. B is incorrect because the antivirus program will only scan downloaded files and will not prevent the user from visiting a malicious website. C is incorrect because the user will still be directed to the same website if they read the HTML message using a web browser. D is incorrect because a caching proxy server will not prevent the user from visiting the malicious website.

Several users have received HTML-based e-mail messages that send them to a malicious website when they click any the images or links in the messages. Which of the following security techniques should you implement? A. Use a policy to disable HTML images in the e-mail client. B. Make sure client antivirus signatures are up to date. C. Use a web browser to read HTML messages. D. Use a web caching proxy server.

A is correct. If the HTML images are not from a trusted source, you can set your e-mail clients to not load HTML images by default. Use a policy to enable this feature for all clients on your network. B, C, and D are incorrect. The antivirus program will only scan downloaded files and will not prevent users from visiting a malicious website. Users will still be directed to the same website if they read the HTML message with a web browser, and a caching proxy server will not prevent users from visiting the malicious website.

A remote worker has brought his laptop into the office from home because it is infected with a virus. As part of your security baselines, all user systems have antivirus applications installed. Which of the following is the most likely cause of the issue? A. Antivirus signature files are out of date. B. Host-based firewall is disabled. C. Scheduled antivirus scans are disabled. D. Virus was downloaded from the Internet.

A is correct. If the antivirus signatures are out of date, the virus may have been a very new virus that is resolved in a recent signature update that was not installed on the laptop. B, C, and D are incorrect. B is incorrect because the firewall prevents network attacks and will not prevent viruses. C is incorrect because even a scheduled scan will not detect the virus if there is no signature for it. D is incorrect because the downloaded virus may still be detected if the most recent signature update for the antivirus scanner is installed.

A member of your company's executive team has lost his company smartphone while traveling. Which of the following actions can you perform to prevent an unauthorized user from gaining access to its data? A. Remote wipe B. Screen lock password C. Disabling the smartphone SIM D. Calling the smartphone number

A is correct. If the phone has the capability, you can remotely wipe the phone to erase all its contents. The smartphone itself can probably never be recovered, but you have removed any critical and confidential data from the phone. B, C, and D are incorrect. A hacker may be able to bypass or guess the password on the phone and still read its contents. Disabling the smartphone SIM will only prevent the unauthorized user from making calls with the phone, and calling the phone to find out its location will not provide any protection for its data.

You are implementing smart card readers for physical access to high-security areas in your facility. Users will also require a PIN after they have inserted their smart card. Which of the following issues could allow a hacker to bypass these electronic locking systems? A. Power outage with "fail open" enabled B. Obtaining a stolen card C. Knowledge of the PIN D. Malfunction with "fail secure" enabled

A is correct. In the event of a power outage, "fail open" means that the doors will fail to an open, insecure state. Anyone would be able to enter or exit these secure areas during the outage. B, C, and D are incorrect. A stolen card or PIN discovered on their own would not be enough to obtain access. A malfunction with "fail secure" enabled would result in the door being locked in the event of an error with the access control unit.

Your company has decided to purchase six new computers with Windows 10 preinstalled. Shortly after the first new machine connects to the network, your NIDS reports unusual network traffic coming from fe80::2422:8c14:1e45:7ee8. What is the problem? A. There is no problem. B. This is a known worm source address. C. An ARP poisoning attack is occurring. D. This is a malformed multicast broadcast.

A is correct. Indeed there is no problem; fe80::2422:8c14:1e45:7ee8 is a self-assigned IPv6 address. Windows 10 has IPv6 automatically enabled, and all Windows 10 machines will have an address starting with fe80. B, C, and D are incorrect. The choices are untrue; fe80::2422:8c14:1e45:7ee8 is simply a self-assigned IPv6 address.

Which of the following measures will not improve the physical security of a server? A. Insuring the server B. Restricting physical access to the server C. Using a locking rack mount D. Using a high-security cable lock

A is correct. Insuring the server only provides a financial method of recovering from some aspect of loss; it does not improve the security posture. B, C, and D all improve the level of physical security.

Your Internet mail server resides in your DMZ. You must create one inbound perimeter firewall rule for your mail server to receive Internet mail. Which TCP port will your rule specify? A. 25 B. 80 C. 161 D. 110

A is correct. Internet mail servers receive mail from other Internet mail servers using the SMTP protocol, which uses TCP port 25. B, C, and D are incorrect. Web servers use port 80. SNMP (Simple Network Management Protocol) uses UDP port 161 to query network devices. TCP port 110 is used by POP3 (Post Office Protocol) clients retrieving mail from POP3 servers.

Which of the following is considered an intangible impact to an organization? A. Loss of customer confidence B. Loss of production C. Loss of revenue D. Employee safety

A is correct. It is difficult to place a value on or measure customer confidence in the business, so it is considered an intangible loss. B, C, and D are incorrect. Loss of production and revenue can be measured and assigned a dollar loss value. Employee safety can be measured in terms of time lost, cost of temporary replacement, medical costs, fines, and so forth.

Which of the following methods involves sending individual characters of the key through an algorithm and using a mathematical XOR function to change the output? A. Key streaming B. Key repetition C. Key exchange D. Key stretching

A is correct. Key streaming involves sending individual characters of the key through an algorithm and using a mathematical XOR function to change the output. B, C, and D are incorrect. Key repetition is not a valid answer or term. Key exchange involves generating and exchanging an asymmetric key used for a particular communications session, or exchanging public keys in order to use them for public key cryptography. Key stretching is a technique used to change a weak key to a stronger key by feeding it into an algorithm to produce an enhanced key.

Which of the following is not a valid filtering code when scanning? A. Locked B. Open C. Closed D. Filtered

A is correct. Locked is not a standard port condition per RFC 793. B, C, and D are incorrect because these are standard port conditions.

All of the following are potential application security issues requiring attention EXCEPT: A. Malware B. Cross-site scripting C. SQL injection D. Buffer overflows

A is correct. Malware is a security issue, but not specific to any applications. B, C, and D are incorrect. All of these are potential application security issues that could affect both web-based and client-server applications.

Which of the following access control models uses labels and security clearances to grant access to objects? A. Mandatory access control model B. Rule-based access control model C. Role-based access control model D. Discretionary access control model

A is correct. Mandatory access control models use labels and security clearances to grant access to objects. B, C, and D are incorrect. Rule-based access control models use a specific set of rules that control the interaction between users and objects. Role-based access control models use defined roles with specific rights and permissions assigned to those roles to control access to objects. Discretionary access control allows a user who has created or owns an object, such as a file or folder, the discretion to assign permissions for that object to anyone they choose.

You are reviewing your business contracts with third-party hardware service vendors and checking the estimated time for vendors to respond to service calls and replace failed hardware. Which of the following factors is the most important in these calculations? A. Mean time to restore (MTTR) B. Mean time between failures (MTBF) C. Recovery time objective (RTO) D. Recovery point objective (RPO)

A is correct. Mean time to restore (MTTR) is the average time from the moment a service fails until when the service is restored. For a failed server part, your service vendor may state that they can provide a new replacement part within four hours, but in other cases, this could be 24 to 48 hours. B, C, and D are incorrect. MTBF is the mean time between failures for a specific computer part. RTO is the maximum amount of time that is considered tolerable for a service or certain business function to be unavailable. RPO is the maximum accepted amount of lost data as a result of an outage or disaster.

Updating widely dispersed mobile devices that are interconnected only via the network is best accomplished via which of the following? A. Firmware OTA updates B. Update during annual inventory C. Delegate updating to the device holder D. USB OTG

A is correct. Mobile devices can be updated over the air (OTA). All major device manufacturers support this model. B is incorrect because the duration between updates would be too long. C is incorrect because delegation of this type of task leads to failure more often than not. D is incorrect because USB On-The-Go is not related to the problem at hand.

You have a set of DVDs that have backup files of customer data on them. What is the best method of disposing of them? A. Shredding B. Trashing C. Wiping D. Pulping

A is correct. Most shredders have a slot for CD/DVDs, and shredding the DVDs will destroy the customer data. B, C, and D are incorrect as they do not address disposal of the data content of the discs. Throwing the DVDs in the trash does not destroy the data, nor will wiping the DVDs (which is not really possible). Pulping only works on paper, not plastic.

Why would you recommend using NAT in an IPv6 network? A. To hide internal addressing structure from outside queries B. To expand the usable address space C. To improve local routing speeds D. To allow error messages to be used locally

A is correct. NAT hides internal structures by using unrouteable addresses, which IPv6 can't do. B is incorrect because IPv6 has a vast address space, much greater than can ever be created via NAT. C and D are incorrect because NAT has no effect on local transfer speeds or error message propagation.

A 4KB cluster holding a 2KB portion of a deleted file consists of what elements? A. Free space only B. Slack space only C. Free and slack space D. Allocated space and slack space

A is correct. Once the cluster is unallocated, the space at the end that was previously slack space is now free space. B, C, and D are incorrect because slack space only exists for allocated clusters.

SSL implies the use of what? A. PKI B. TLS C. IPSec D. VPN

A is correct. PKI is a collection of trusted x.509 certificates containing public and private keys (among other data) used to encrypt and decrypt network communications. SSL is application-specific encryption using one or more PKI certificates to secure communications. Downgrade attacks can occur by negotiation weaker algorithms or lesser cipher strengths. B, C, and D are incorrect. They are not directly related to SSL. TLS supersedes SSL but still implies the use of a PKI. IPSec can use PKI certificates but is not related to SSL; IPSec is not application-specific security as SSL is. VPNs can also use PKI certificates to establish an encrypted tunnel, but VPNs are not tied to SSL as the only solution.

All of the following are considered elements of a password policy EXCEPT: A. Password sharing B. Password history C. Password complexity D. Password aging

A is correct. Password sharing typically will be in the acceptable use policy (AUP), as a directive to users about what they can and cannot do. B, C, and D are incorrect. Password history, aging, and complexity will all typically be found in a password policy, as technical elements that describe how passwords should be constructed, implemented, and managed by administrators.

All of the following are browser security issues that can aid in an attack against your system EXCEPT: A. Phishing filters B. Mobile code C. Malicious add-ons D. Security zone trust

A is correct. Phishing filters are a protective measure, not a security issue. B, C, and D are incorrect. All of these are browser security issues. Untrusted mobile code can run in a user's browser and affect system security adversely. A malicious add-on is when your system downloads a piece of software used by the browser that slows the system down or exploits a vulnerability in the system. Security zone trusts can affect browser security if the zones are not configured properly.

Which key is used to encrypt a file in a PKI environment? A. Public key B. Private key C. Session key D. Random key

A is correct. Public keys are most often used to encrypt user files directly or to generate file encryption keys that then are used to encrypt files. The mathematically related private key is used to decrypt user files. The keys can be stored in a directory (such as Microsoft Active Directory), in a protected file on a disk, or on a smartcard. Storing private keys in unprotected files, such as those without password protection, is considered a poor key management practice. B, C, and D are incorrect. Private keys decrypt encrypted data. Session keys are generally symmetric; the same key is used for encryption and decryption. There is no such thing as a random key in a PKI.

Which of the following is a common use case for establishing tunnels? A. Remote access B. Extranet connections C. Internal connections carrying customer-sensitive data D. Connections to key services, such as DNS

A is correct. Remote access users use tunnels to provide confidentiality for their connections. This is especially important when traversing network segments that might not be secure. B is incorrect because extranet connections can use tunnels, but this is not a common use case. C and D are distractors created from concepts throughout the material, but not having any particular foundation or bearing. Both are internal connections at the base level and typically don't use tunnels internally.

The formula for risk is: A. Risk = probability × loss B. Risk = impact × loss C. Risk = threat + vulnerability D. Risk = SLE × ARO

A is correct. Risk is the probability times the loss (or impact). B, C, and D are incorrect. These are invalid calculations of risk. Single loss expectancy (SLE) × annual rate of occurrence (ARO) is equal to the annual loss expectancy (ALE).

Which network component can be configured as a NAT (network address translation) device? A. Router B. Proxy server C. Layer 2 Ethernet switch D. VPN concentrator

A is correct. Routers are OSI layer 3 (Network) devices that have at least two interfaces connecting to different networks. NAT runs on a router and allows internal TCP/IP devices to gain access to a public network using the NAT router's public IP address. Router ACL rules can be configured for antispoofing, which can, for example, prevent internal IP addressing from being allowed into a network through the router's public interface. B, C, and D are incorrect. Forward proxy servers already use a different network interface (and IP address) to retrieve user-requested content so they are not used to configure NAT; NAT requires IP routing to be enabled, and proxy servers should (and usually do) have IP routing disabled. Layer 2 Ethernet switches do not have routing (layer 3) capability; therefore, they cannot act as NAT devices. VPN concentrators cannot be configured as NAT devices; instead, they can allow users to connect securely over the Internet to a private network located elsewhere, or they can link network sites together over the Internet with a secure tunnel.

Which type of network intrusion detection system uses defined rule sets to determine when attacks may be occurring? A. Rule-based system B. Anomaly-based system C. Signature-based system D. Filter-based system

A is correct. Rule-based systems use predefined rule sets. B, C, and D are incorrect. An anomaly-based system detects unusual network traffic patterns based upon a baseline of normal network traffic. Signature-based systems use predefined traffic signatures, typically downloaded from a vendor. Filter-based systems, such as routers and firewalls, base detection on access control lists that specify traffic that is permitted and denied.

Which of the following types of injections use standardized database interfaces to attack a Web application? A. SQL injection B. MySQL injection C. Relational injection D. Hierarchical injection

A is correct. SQL injections inesrt unaticipated SQL commands to try to break the application. B, C, and D are incorrect. MySQL is one of many forms of SQL tools. Relational injection and Hierachal injection are nonsense terms.

SSL/TLS operates over which protocol? A. TCP only B. UDP only C. Either TCP or UDP D. ICMP

A is correct. SSL/TLS requires a connection-oriented connection such as TCP to function, hence it will not work over UDP. B, C, and D are incorrect. B and C are incorrect because UDP is a connectionless protocol. D is a simple distractor.

You are designing directory and file security for your marketing department. Each user will have a private and secure home directory as well as a shared group directory for sharing files. Your sales department would also like access to the shared marketing directory for retrieving product documents. Which of the following should be the initial default access level for the sales group? A. Sales has read-only access to the marketing shared directory. B. Sales has read and write access to the marketing shared directory. C. Marketing has read and write access to the sales shared directory. D. Marketing has write access to the sales users' home directories.

A is correct. Sales should have read-only access to the marketing shared directory to retrieve documents. These users should not be able to modify or save documents in the folder. B, C, and D are incorrect. B is incorrect because this allows sales to modify and save files in the marketing shared directory. C and D are incorrect because there is no requirement for marketing to have any access to the sales shared or home directories.

For a security policy to be effective, it must be understood by whom? A. All employees B. Senior management C. System administrators D. Security personnel

A is correct. Security is an all-hands effort; all employees must understand the effects of a security breach and the company policy associated with security. B, C, and D are subsets of "All employees," which is the best answer.

Which of the following protocols is used to manage network devices? A. SNMP B. SMTP C. SSL D. SSH

A is correct. Simple Network Management Protocol (SNMP) is used to monitor and manage network devices. B, C, and D are incorrect. SMTP is used to send mail. SSL and SSH are both used to secure communications sessions.

Which of the following is an advantage of symmetric over asymmetric encryption? A. Speed B. Encryption strength C. Key distribution D. Security achieved

A is correct. Speed and bulk encryption are the main advantages of symmetric algorithms over asymmetric algorithms. B is not just algorithm dependent, but also key length dependent. C is a weakness of symmetric algorithms. D is a function of encryption strength, which is dependent on both algorithm and keyspace.

What is the term used to describe taking a system past normal expected operating loads to see how it responds to overload conditions? A. Stress testing B. Load testing C. Fuzz testing D. Static code analysis

A is correct. Stress testing takes the system past normal expected operating loads to see how it responds to overload conditions. B involves running the system under a controlled speed environment. C is a brute force method of addressing input validation issues and vulnerabilities by applying large numbers of inputs to determine which ones cause faults and which ones might be vulnerable to exploitation. D is when the code is examined without being executed.

While discussing incident response policies during a meeting, your boss requests a dollar figure and the amount of downtime the company would suffer if a worm infected the corporate LAN. What type of study should you conduct? A. Business impact analysis B. Risk analysis C. Packet analysis D. Vulnerability analysis

A is correct. Studying the effect of unfavorable events (such as a computer worm) upon business operations is referred to as a business impact analysis. B, C, and D are incorrect. A risk analysis identifies items that must be protected from risks and then prioritizes those items. Packet analysis involves studying network traffic and is not tied to corporate downtime due to malicious code. A vulnerability analysis identifies security risks, but not their impact on business operations.

You have installed an e-mail server behind your firewall and need to configure your firewall access rules to allow mail delivery traffic through the firewall both to and from the Internet. To accomplish this, you need to allow which TCP port? A. 25 B. 110 C. 143 D. 443

A is correct. TCP port 25 is used by the Simple Mail Transport Protocol (SMTP) to connect to and deliver mail between e-mail servers. B, C, and D are incorrect. TCP port 110 and 143 are used by the Post Office Protocol (POP) and Internet Message Access Protocol (IMAP) to allow clients to retrieve mail from an e-mail server. TCP port 443 is used by HTTP over SSL.

Which of the following is a feature on a Linux-based host that allows you to control access to different services running on the system such as Telnet, SSH, or FTP? A. TCP wrappers B. ifconfig C. dig D. VPN concentrator

A is correct. TCP wrappers allow you to control access to different services running on a Linux system and can be configured using the hosts.allow and hosts.deny files. B, C, and D are incorrect. ifconfig is the command to view your interface settings, while dig is a command to query DNS. Bastille is an older set of scripts used to harden a Linux host. It can be used to help a user configure TCP wrappers.

Which of the following zones has the most risk? A. DMZ B. Intranet C. Honeynet D. Extranet

A is correct. The DMZ is directly facing the Internet zone, where zero controls are in place. There are limited controls for entering the DMZ, and it as a zone provides the opportunity to separate the internal network from the Internet. B, C, and D all have limited footprints and access mechanisms, allowing greater control over who goes there and what they can do.

To ensure compatibility with an external system, you must export a host PKI certificate in binary form. Which file format should you use? A. DER B. PEM C. PFX D. CER E. P12 F. P7B

A is correct. The Distinguished Encoding Rules (DER) file format contains a PKI certificate in binary form. B, C, D, E, and F are incorrect. The Privacy Enhanced Mail (PEM) file format contains one or more certificates, including a certificate chain in base64-encoded text form. P7B format is a variation of PEM and is used to store root and intermediary certificate data; P7B and PEM files do not contain private keys. CER files store certificate information in either binary or base64-encoded format.

Which Boolean operator is most commonly used in cryptographic applications? A. XOR B. NOR C. OR D. NAND

A is correct. The Exclusive OR (XOR) is typically used to encrypt and decrypt data. B, C, and D are built from fictitious logical operators.

Which of the following is typically conducted as a first step in the overall business continuity/disaster recovery strategy? A. Business impact analysis B. Business continuity plan C. Disaster recovery plan D. System backup plan

A is correct. The business impact analysis (BIA) is a critical first step in developing the business continuity plan (BCP). It involves determining what risks are present and their effects on the business and its assets. B, C, and D are incorrect. The BCP is the overall and final product that the BIA contributes to. The BIA must be completed as one of the first steps, as it essentially is the risk assessment for the BCP. The disaster recovery plan (DRP) concerns itself with recovering the assets and operations of the business immediately following a disaster. A system backup plan is but one element of the DRP and may or may not be one of the first things accomplished for that plan.

SAML implementations have three basic roles: the ______, the identity provider, and the service provider. A. Identity B. Authentication provider C. Service validation D. Validation authority

A is correct. The three roles within an SAML implementation are the identity, the identity provider, and the service provider. B, C, and D are incorrect. These are not roles within an SAML implementation.

Leslie is projecting timelines to complete various analysis reports. Which list presents the correct order in which each analysis should be performed? A. Threat, risk B. Risk, threat C. Threat, vulnerability D. Business impact, risk

A is correct. Threat analysis identifies how vulnerable a party is to specific threats, the likelihood of those threats occurring, and their impact. Because a risk assessment relies on organizing threats to maximize potential opportunity, it cannot be conducted before a threat assessment. B, C, and D are incorrect. They do not reflect the correct order in which to perform the listed analyses.

All of the following components of risk can be reduced or lowered EXCEPT: A. Threats B. Vulnerabilities C. Exposure factor D. Impact

A is correct. Threats such as natural disasters, hackers, and so forth are typically not within the control of the organization and so cannot usually be lowered or eliminated. The risk posed by the threat can be reduced using mitigation techniques, but not the threat itself. The strategy is to try to limit the impact of the threat itself, or the damage it can do. B, C, and D are incorrect. Vulnerabilities for an asset can be reduced by implementing security controls. The exposure factor, or percentage of loss, can be reduced by reducing the vulnerability or increasing the protection of an asset. The impact on the organization can be reduced as well by reducing vulnerabilities, better protecting assets, increasing redundancy, and so forth.

Which of the following is the first step to complete when obtaining a digital certificate? A. Register and identify your organization with a certificate authority. B. Generate a certificate from your web server. C. No action is required because a client web browser generates its own certificate. D. Register and identify your organization with a domain registrar.

A is correct. To verify a user's identity, the CA requires identification for your organization. The CA then generates the keys and a certificate with the identification and public key information embedded within it for you to install on your web server. B, C, and D are incorrect. Although you can use a self-signed certificate from your own web server, it generates warnings in the client web browser and may seem untrustworthy. A web browser does not generate certificates, and you do not obtain certificates from domain registrars.

Which of the following is most appropriate if you have limited external public IP addresses available, but a requirement to share those IP addresses with internal hosts that must connect to the public Internet? A. NAT with a firewall B. Router C. DMZ D. DHCP server

A is correct. Using network address translation (NAT) in conjunction with a firewall enables you to share one external address with multiple internal hosts that require external addresses for their connectivity. B, C, and D are incorrect. A DMZ can contain servers behind a firewall, allowing public access, but it does not inherently offer NAT services. DHCP is used to allocate internal IP addresses, and a router still requires NAT to perform address translation.

All of the following are supporting elements of authorization, except: A. Credential validation B. Principle of least privilege C. Separation of duties D. Rights, permissions, and privileges

A is correct. Validating credentials is an important aspect of authentication, not authorization. B, C, and D are incorrect. All of these elements directly support authorization.

Which of the following is the best way to prevent cross-site scripting attacks? A. Validate the input into a web site for illegal characters in a particular field B. Block ports 443 and 80 on the firewall C. Require certificate-based authentication for web site access D. Restrict CGI script execution

A is correct. Validating the input into a web site form for illegal characters in a field is the best choice for preventing cross-site scripting (XSS) attacks. B, C, and D are incorrect. Blocking ports 443 and 80 will make the site unusable, as these are the typical ports used to access web sites. Requiring certificate-based authentication will not prevent cross-site scripting attacks and is an unnecessary measure. CGI is not a method used for cross-site scripting attacks.

Which of the following statements regarding server virtualization is not true? A. Running virtualized servers cannot be moved to other physical hosts. B. A compromised virtual machine does not translate to a compromised physical host. C. Virtual machines can read and write directly to raw disk partitions instead of virtual hard disks. D. Virtualized environments do not require a SAN.

A is correct. Virtualized servers running on a physical host can be moved to another physical host. This can happen with zero downtime if both physical hosts are clustered and are using shared storage. VMware calls this "VMotion," and Microsoft Hyper-V calls this "Live Migration." B, C, and D are incorrect. All of the statements are true.

You are performing a routine examination of your mail server log files. Which of the following log entries is the most cause for concern? A. Antivirus update process - cannot contact update server. Host timeout. B. Connection accepted on SMTP port 25 from 10.10.1.30 C. POP3 connect from client 10.1.10.213 D. Message blocked from 10.20.1.153 due to spam

A is correct. Your antivirus software that scans incoming e-mails cannot contact the signature update server. If the condition persists, your antivirus signatures will become out of date. B, C, and D are incorrect. It is normal activity to receive SMTP port 25 connections for mail delivery and to have mail clients connect using POP3 to retrieve mail. A spam message being blocked before it is delivered to the recipient is also proper secure behavior.

Over the weekend, you configure IPSec on your internal client workstations. On Monday morning, the help desk is flooded with trouble tickets stating that users can connect to some internal servers but not others. Which of the following is the most likely cause of the connectivity problems? A. Workstations are configured to require IPSec connectivity. B. DES was configured instead of 3DES. C. MD5 was configured instead of SHA-1. D. Workstations are configured with the incorrect pre-shared key.

A is correct. What likely happened is the client workstation IPSec configurations are set to require IPSec connectivity. This means they can communicate only with hosts configured with the appropriate IPSec settings (which in the question equates to some, but not all, internal servers). B, C, and D are incorrect. They would not cause the situation described. For example, configuring 3DES on one side of the IPSec connection and DES on the other will not work, just as MD5 and SHA-1 will not work together—both sides of an IPSec connection must be configured to use the same encryption and integrity algorithms.

See the steps below. Put the steps for a secure web-based transaction in the correct order. A. A digital certificate establishes the website identity to the browser. B. SSL is activated between the client and the server. C. The browser accepts the certificate from the web server. D. Banking transactions accepted. A. A, C, B, D B. A, B, C, D C. C, B, A, D D. D, B, C, A

A is correct. When a client connects to the secure HTTPS site, the web server sends a certificate to the web browser to establish its identity. If the browser accepts the certificate and finds no validation issues with the certificate, SSL is then activated between the server and client. B, C, and D are incorrect. No other communication can occur between the server and client until the certificate is validated and accepted.

The disclosure to the testing team of all design specifications and documentation for code, configuration files, and setup is done to facilitate what type of testing? A. White box testing B. Fuzzing C. Pen testing D. Black box testing

A is correct. White-box testing is the use of all specifications by the testing team to construct appropriate tests. B is the sending of random inputs to test for input validation issues. C is an authorized simulated attack on a computer system that looks for security weaknesses, potentially gaining access to the system's features and data. D is the withholding of all internal information from the testing team.

Which of the following is not typically part of a system hardening protocol? A. Whitelisting B. Patching the OS to the current level C. Running an antivirus/anti-spyware/anti-malware suite D. Patching applications to the current level

A is correct. Whitelisting is a powerful security tool, but it is dependent upon individual machine usage, so it is not typically part of a system hardening protocol. B, C, and D are all common steps in hardening a system.

Which of the following correctly defines RAID 0? A. Spreads data out to increase the speed of data access B. Spreads data across disks and adds parity C. Stripes data at the bit level D. An exact copy so that all data is mirrored on another drive

A is correct. With RAID 0, the data is split across all the drives, with no redundancy offered. B is RAID 5, C is RAID 2, and D is RAID 1.

Which type of scan sends a packet to each port with the PSH, URG, and FIN flags set? A. XMAS B. TCP C. SYN D. ACK

A is correct. XMAS scans set three of the six TCP flags: PSH, URG, and FIN. B, C, and D are incorrect. A TCP scan is a full scan that executes a full three-way handshake with the target system. This is the most accurate scan, but the one most likely to be detected (noisiest). A SYN scan is stealthy and sends only a SYN packet to each port. An ACK scan sets only the ACK flag. All of these scans are performed against a target host to elicit a response, which, based upon how the target reacts to each type of scan, can give the attacker valuable information about the target.

Several bandwidth reports have shown that many users are taking up valuable bandwidth by downloading very large files, such as movies, from the Internet. Which of the following security controls can help mitigate the issue? A. Web filter that blocks downloads greater than a specified size B. Proxy server that caches web content before it is sent to the client C. Load-balancing devices to distribute bandwidth usage D. Anti-spam filter that inspects all HTTP requests

A is correct. You can use a web-filtering appliance to block all large downloads, such as files greater than 1GB in size, to prevent users from downloading movies and other files that are not business related. B, C, and D are incorrect. The proxy server only caches the content; it doesn't inspect or filter it. The load-balancing device will not reduce usage, and an anti-spam filter is not designed to scan and filter web traffic.

You are the first responder to a security incident in which a virus is quickly spreading throughout your network from e-mails being sent internally from user accounts. Which of the following actions should you first take? A. Shut down mail delivery on the e-mail server to stop the virus from spreading. B. Run antivirus scans on each infected client computer. C. Escalate the issue to your manager. D. Restart the mail server.

A is correct. You should immediately initiate actions for damage and loss control. In this case, you can disable the sending of e-mails on the server to stop messages from being sent to other clients and infecting their computers. B, C, and D are incorrect. B is incorrect because the virus will continue to spread while you are running scans on each computer. C is incorrect because the virus will continue to spread, and your manager cannot provide any assistance. D is incorrect because restarting the e-mail server will only temporarily stop the spread of the virus.

You are the first responder to a security incident in which a web server has been hacked and has stopped operating. On the console screen is an error message that includes a message from the hacker. Which of the following actions should be performed to help preserve evidence of the incident? A. Take a screenshot of the error message. B. Restart the system to restore operations. C. Perform a backup of the web server. D. Restart the system and print out the error logs.

A is correct. You should immediately take a screenshot of the error and message on the screen because if you restart the server, you won't be able to see this message again. B, C, and D are incorrect. B and D are incorrect because you will have no evidence of the message if you restart the system. C is incorrect because backing up the web server will not preserve the error message on the screen.

You are assigning access control permissions for users and groups that reside in different geographical locations. Many users are part of the same departmental group, such as "Sales" or "Development," and share the same files, even though they reside in different locations. Which of the following access control models should you implement to most efficiently assign access permissions? A. Organization by department B. Organization by location C. No overall organization D. Organization by user role

A is correct. Your users are more easily grouped into departments if their geographical location is less important than what departmental group they belong to. For example, all users in the Sales group will have access to the same shared files regardless of location. B, C, and D are incorrect. In this case, the users' location or their specific job role is less important than which department they belong to. It is very difficult to assign permissions on an individual basis if there is no organizational model for your access controls.

Which of the following are components of a NIDS? (Choose all that apply.) A. Sensor B. Analysis engine C. Signature database D. Reporting/alerting

A, B, C, and D are all correct. A network-based intrusion detection system (NIDS) has a sensor (or traffic collector), an analysis engine, a signature database of known samples, and an alerting/reporting module.

Which of the following are ways to differentiate between threat actors? (Select all that apply.) A. Level of resources B. Intent C. Internal or external D. Level of sophistication

A, B, C, and D are correct. All of these are ways to differentiate threat actors.

Which of the following are characteristics of hashing? (Choose all that apply.) A. Hashes are cryptographic representations of plaintext. B. Hashes produce fixed-length digests for variable-length text. C. Hashing can be used to protect data integrity. D. Hashes are decrypted using the same algorithm and key that encrypted them.

A, B, and C are correct. All of these are characteristics of hashing. D is incorrect. Hashes are produced from one-way mathematical functions and cannot be decrypted.

When discussing code analysis, which of the following statements are true? (Choose all that apply.) A. The higher the level of development at which code analysis is performed, the greater the test space and more complex the analysis. B. Code analysis should be done at every level of development, because the sooner that weaknesses and vulnerabilities are discovered, the easier they are to fix. C. When the code analysis is done by a team of humans reading the code, typically at the smaller unit level, it is referred to as a code review. D. While code analysis should be done at every level of development, there is practically no difference in the cost to fix a discovered error no matter which level of development it was discovered at.

A, B, and C are correct. Code analysis can be performed at virtually any level of development, from unit level to subsystem to system to complete application. The higher the level, the greater the test space and more complex the analysis. When the analysis is done by a team of humans reading the code, typically at the smaller unit level, it is referred to as a code review. Code analysis should be done at every level of development, because the sooner that weaknesses and vulnerabilities are discovered, the easier they are to fix. D is incorrect because issues found in design are cheaper to fix than those found in coding, which are cheaper to fix than those found in final testing, and all of these are cheaper to fix than errors discovered after the software has been deployed.

DLP solutions can perform which of the following types of blocking? (Choose all that apply.) A. USB blocking B. Cloud blocking C. E-mail blocking D. Ransomware blocking

A, B, and C are correct. Data loss prevention (DLP) solutions exist for USB blocking, cloud storage blocking, and e-mail blocking. DLP solutions are available from a wide range of firms. D is incorrect because DLP solutions block data from leaving the enterprise, and ransomware typically doesn't attempt to remove the data.

Your company uses FTP servers to enable remote user access to sensitive corporate contracts. Which options will secure the FTP servers? (Choose three.) A. VPN B. SSL C. IPSec D. TPM

A, B, and C are correct. FTP (File Transfer Protocol) servers transmit data (including credentials) in clear text. Remote user access to the FTP servers would be secured through a VPN (virtual private network). Some FTP servers support SSL to encrypt FTP packets. IPSec can be used to secure any type of IP traffic, including FTP. IPSec tunnel mode is used to create a secured tunnel between two endpoints. IPSec transport mode is normally used between communicating stations where all data above the IP header is encrypted and replaced with an Encapsulation Security Payload (ESP) header. The Authentication Header (AH) doesn't encrypt data but is used to verify the integrity of the transmission. D is incorrect. Trusted Platform Module (TPM) has nothing to do with securing data transmissions; it refers to hard disk encryption.

Common personnel security issues include which of the following? (Choose all that apply.) A. Policy violations B. Insider threats C. Social media postings D. Gossip

A, B, and C are correct. Policies are intended to decrease risk to a system, so users who violate policies increase risk. Insider threats increase risk because, unlike outside threats, they begin as trusted users and already have system access. Social media postings can result in information leakage that may harm the organization. D is incorrect because gossip, while always an issue, does not (under most circumstances) lead to increased enterprise risk.

Certificates pass what information between parties? (Choose all that apply.) A. Public Key B. Public key owner C. Public key validity D. What the key is to be used for

A, B, and D are correct. A certificate contains a key, the issuer/owner of the key and what functions it is authorized for use. C is incorrect because the certificate itself cannot define validity. It must be checked against other items to determine if it is still valid.

Device risks for mobile devices include which of the following? (Choose all that apply.) A. Removable storage B. Service technicians C. Small screens D. Integrated networking

A, B, and D are correct. Removable storage allows data movement independent of the device. Service technicians will have passwords to fix devices, and can duplicate entire devices as well. Integrated networking means the device can connect to networks independently, allowing unauthorized channels of access. C is incorrect because small screens, while a limitation, are not a risk per se.

Which of the following are key functions of a SIEM solution? (Choose all that apply.) A. Aggregation B. Event deduplication C. Backup D. Correlation

A, B, and D are correct. Security Information and Event Management (SIEM) solutions aggregate and correlate data from a wide range of sources, and when duplicate data elements arise, deduplication can occur automatically. C is incorrect because SIEMs do not function as a backup for the data they have.

Which of the following are examples of Indicators of Compromises? (Select all that apply.) A. Unusual DNS activity B. Unexpected alterations to system files C. Failed login attempt D. Increase in outbound traffic

A, B, and D are correct. Unusual DNS activity and an increase in outbound traffic are both changes in system behavior that are not easily explained and thus indicators of compromise. Unexpected changes to system files is a clear indication of a compromise. C is incorrect because a failed login attempt, especially if followed by a correct login, is probably the result of a typo. Multiple repeated login failures in a short period of time would be an indication of compromise.

Which of the following are true regarding USB flash drive encryption? (Choose three.) A. Users could be prompted for a passphrase when the drive is plugged in. B. The USB flash drive cannot be formatted without knowledge of a passphrase. C. The USB flash drive can be formatted without knowledge of a passphrase. D. Users could be required to use a smartcard to decrypt the USB flash drive. E. Encrypted USB flash drives can be read from but not written to.

A, C, and D are correct. Depending on how encryption was configured, users might use a passphrase or smartcard to decrypt drive contents. Formatting an encrypted device does not require knowledge of a passphrase; accessing the data on the device might. B and E are incorrect. An encrypted USB flash drive can be formatted without knowledge of the encryption passphrase. Data can be written to encrypted USB flash drives once the passphrase has been supplied.

Which of the following functions do patch management tools typically handle? (Choose all that apply.) A. Provide notification of patch availability B. Write patches for scripts C. Provide patching status scorecard for management D. Apply patches to software

A, C, and D are correct. Patch management tools can alert admins to the availability of a patch, install the patch, and provide a management status scorecard. B is incorrect because writing patches for scripts is outside the scope of patch management software.

Which of the following could be the result of spyware? (Choose three.) A. Identity theft B. Reformatted hard disk C. Money stolen through online banking D. Slower computer

A, C, and D are correct. Spyware can track your computing habits, including web sites you visit, things you type in, programs you use, and so on. This can lead to identity theft and financial theft, and it can slow down your computer, since spyware is present and running all the time. B is incorrect. Spyware would not format your hard disk, although many viruses could do this.

What can be done to secure smart phones? (Choose three.) A. Configure a strong password. B. Enable push notification services. C. Enable screen lock. D. Install a virus scanner.

A, C, and D are correct. Strong passwords will frustrate many malicious hacking attempts if the device is stolen. Screen lock will prompt the user for a passcode or PIN before allowing access. With the proliferation of smart phone apps and Internet connectivity, virus scanners are more important than ever. Care should be taken to prevent rooting (Android) or jailbreaking (Apple iOS) since installed apps or malware could have full control of the device. B is incorrect. Push notification services are used to send messages to mobile devices. Although it may be required for some users, enabling it is not considered hardening.

Which of the following are security objectives that can be achieved through the application of security controls? (Choose all that apply.) A. Confidentiality B. Cryptography C. Integrity D. Availability

A, C, and D are correct. The primary attributes of security, confidentiality, integrity, and availability are achieved via the application of security controls. B is not a security objective.

In crafting your DRP, you outline the procedure in which PKI user-encrypted files for damaged user accounts can be decrypted. Which statement regarding this plan is correct? A. Restore user public keys from backup. B. Restore user private keys from backup. C. The files cannot be decrypted if the user account is damaged. D. The damaged user account should be re-created with the same name to decrypt the files. B is correct. In a PKI environment, users have a pair of mathematically related keys that can be stored in a certificate file, in a directory service, on a smart card, and so on. Private keys are used to decrypt files; the public key is used to encrypt.

A, C, and D are incorrect. Public keys do not decrypt encrypted files in a PKI environment. Files can be decrypted even when a user account is damaged, but access to the private key is required. Private keys are normally password- or PIN-protected. Re-creating a user account with the same name does not generate the same private key the user had before, so this method will not work. When user accounts are deleted, unneeded files should not only be deleted, but should be wiped in accordance with the organizational data sanitization policy.

At what level of humidity is there a danger of experiencing an excessive amount of electrostatic discharge (ESD)? A. Below 40 percent B. Above 60 percent C. Between 40 and 60 percent D. 100 percent

A. A is correct. Below 40 percent, the air becomes very dry, and ESD is more prevalent. B, C, and D are incorrect. The desired range of humidity is between 40 and 60 percent. Anything above 60 percent humidity and the danger of electronic parts corroding, due to excessive moisture in the air, increases.

When a user types his or her username into a logon screen, this is known as ___________? A. Identification B. Authorization C. Authentication D. Impersonation

A. Identification is the first step in the process and involves the user presenting his or her credentials to the server.

During which type of assessment would penetration testers not have any knowledge about the network, while defenders are aware of their presence? (Choose two.) A. Black box test B. Blind test C. Double-blind test D. Gray box test

AB. A is correct. In a black box test, the testers have no knowledge of details about the network configuration, but system defenders are aware of their presence. This type of test is also referred to as a blind test. C and D are incorrect. In a double-blind test, testers have no prior knowledge of the network they are testing, and network defenders also have no knowledge of the test and aren't aware of any attacks unless they can detect and defend against them. This test is designed to test the defenders' abilities to detect and respond to attacks, as much is it is to test and exploit vulnerabilities on the network. In a gray box test, the penetration tester may have some limited knowledge of the network or systems, gained from the organization that wants the test.

Which of the following can be established in a cloud environment through effective security controls and well-written service-level agreements? (Choose two.) A. Control B. Accountability C. Responsibility D. Availability

B and C are correct. Accountability and responsibility can be established through effective security controls and well-written service-level agreements. A and D are incorrect. Lack of control over data and the infrastructure is probably the greatest risk to cloud computing and cannot be completely managed through agreements. Cloud computing usually increases availability of data for users, since it is typically built on highly available, redundant infrastructures.

You have approved ten new smart phones for your employees. The phones will also be used to run web mini-apps specific to your business. The mini-apps store data on the mobile device. What can be done to secure these devices? (Choose two.) A. Set the appropriate file permissions. B. Use mobile device encryption. C. Lock the screen. D. Enable SSL for the web mini-apps.

B and C are correct. Encrypting saved data on the mobile device will protect the data if the device is compromised, lost, or stolen. In the event of a lost mobile device, technicians can issue a remote wipe command to prevent unauthorized system and data access from the device. If the mobile device containerizes work information versus personal information (such as apps, data, and configuration), remote wipe can be applied only to work-related items. A screen lock requires a PIN to use the device. A and D are incorrect. File permissions do not apply to mobile devices. SSL will encrypt network transmissions but does nothing to secure locally stored data.

You are configuring a group of laptops for traveling executives. What should you do to prevent operating system passwords from being locally hacked? (Choose two.) A. Use strong user account passwords. B. Encrypt the hard disk. C. Disable booting from removable media and set a CMOS password. D. Enable the password protection feature.

B and C are correct. Given local physical access, an attacker can boot from removable media and use freely available tools to reset passwords if he can defeat the CMOS password. In case this happens, encrypting the hard disk will further protect its contents, including user account and password information. A and D are incorrect. Even strong passwords can be locally hacked by booting locally from removable media; however, strong passwords should always be used. There is no named password protection feature.

An attacker enters an office building and plugs his laptop into an unused network jack behind a plant in the reception area. He is then connected to the LAN, where he initiates an ARP poisoning attack. How could this have been prevented? (Choose two.) A. Update all virus scanners. B. Use a strict IPSec policy for all LAN computers. C. Disable unused switch ports. D. Use a strict firewall policy on the perimeter firewall.

B and C are correct. IPSec can be used to ensure that network traffic is accepted only from appropriate computers. For example, a LAN could use PKI certificates with IPSec—traffic from computers without a trusted PKI certificate would simply be dropped. Disabling unused switched ports prevents network communication through that port. A and D are incorrect. Virus scanners will not prevent ARP poisoning attacks. ARP poisoning exploits the nature of how IP addresses are resolved to MAC addresses. Perimeter firewall policies will do nothing to prevent this type of attack, since the attacker is directly connected to the internal LAN.

Mike has five Linux sysytems that need access to a shared folder with a Windows file server that's part of an Active Directory (AD) domain. What can he do to give these systems access to the shared resource? (Choose two.) A. Create user groups on all the Linux systems. B. Install and configure SAMBA on the Linux systems to access the AD. C. Configure access to the resource on the file server. D. Create new local users on the domain controller.

B and C are correct. Install and configure SAMBA on the Linux systems to access the AD and then set up access to the resources on the sharing sysytem (in this case the file server). A and D are incorrect. Linux user groups are useless for accessing Windows resources. One should rarely create local users on a Windows server.

Which of the following can be used to accomplish network segregation? (Choose all that apply.) A. Whitelisting B. MAC filtering C. VLANs D. Blacklisting

B and C are correct. MAC filtering and VLANs can segregate traffic at the network layer. A and D are incorrect because whitelisting and blacklisting control applications, not the network layer.

You are installing a wireless router on the first floor of a commercial building. What should you do to minimize the possibility of Wi-Fi users connecting from the street? (Choose two.) A. Set the SSID to "Floor 1." B. Place the wireless router in the center of the building. C. Disable DHCP on the wireless router. D. Disable DNS on the wireless router.

B and C are correct. Placing the wireless router in the center of the building reduces the signal strength outside of the building. Disabling DHCP (Dynamic Host Configuration Protocol) means connecting clients must manually configure an appropriate IP address, subnet mask, default gateway, and DNS server. A and D are incorrect. SSID broadcasting should be disabled, not set to something that implies a physical location. Disabling DNS is not normally done to harden a wireless network. If it is disabled, wireless clients must simply point to a different DNS server.

You are ordering new laptops for your law enforcement division. In the past, productivity has been hampered because of strict password requirements. You would like to continue with a secure computing environment while eliminating password problems. Which of the following are possible solutions? (Choose two.) A. Reducing password length to six characters B. Smartcard authentication C. Biometric authentication D. Security clearances

B and C are correct. Smartcard authentication requires a PIN to be entered along with inserting a card in a card reader. Biometric authentication for laptops normally means fingerprint authentication. Both of these are secure solutions that are easier to use than username and complex passwords. A and D are incorrect. Decreasing password length reduces security. Security clearances are used to allow access to specifically labeled data, but they do not specify how users authenticate.

A user disables cookies in her web browser to protect her computer. What type of attacks and malware might this prevent? (Choose two.) A. Worms B. Spyware C. Cross-site request forgery D. Web site directory traversal

B and C are correct. Spyware can exploit personal user data stored in web site session cookies such as account information. Cross-site request forgeries can hijack unexpired user session cookies and exploit the trusting web server. A and D are incorrect. Disabling web browser cookies will not prevent worms or web site traversal attacks. Up-to-date virus scanners and patched web servers can prevent these, but zero-day threat protection is implemented by monitoring for abnormal behavior on a host or network. Tools that combine more than a single method for detecting abnormalities and malware as well as blocking disallowed network traffic are considered unified threat management (UTM) solutions.

You are planning the configuration of a single 802.11n wireless access point with WPA2 PSK for students in a university cafeteria. What factors should you consider in your planning? (Choose two.) A. WPA2 will slow down the network speed compared to WPA. B. Older wireless cards may not support WPA2. C. Microwave ovens may interfere with Wi-Fi wireless signals. D. Toasters may interfere with Wi-Fi wireless signals.

B and C are correct. Students may have older wireless devices that support WEP and WPA but not WPA2. Microwave ovens operate at approximately 2.4 GHz, which could interfere with Wi-Fi signals if the wireless access point is placed near the microwave. A and D are incorrect. There is no noticeable speed difference between WPA and WPA2.

Which of the following statements regarding TPM disk encryption are true? (Choose two.) A. Disk contents are protected while the system is running. B. Disk contents are not protected while the system is running. C. Disk contents are protected when the system is shut down. D. Disk contents are not protected when the system is shut down.

B and C are correct. TPM is a firmware chip storing cryptographic keys used to encrypt and decrypt disk volume contents. Once the disk content is decrypted (for fixed disks this normally happens upon boot-up and can be configured to require an entered PIN code), the disk contents are no longer protected. Disk data is protected when the system is shut down, which protects data in case disks are physically stolen and used in other computers. Windows EFS (Encrypting File System) protects encrypted files and folders whether the machine is running or not. A and D are incorrect. TPM disk encryption protects disk contents when the system is not running.

What common security problem can go completely unnoticed? A. Malware B. Misconfigured security devices C. Policy violations D. Permissions issues

B is correct. A misconfigured security device may provide no information, giving the false sense of security that everything is OK. All the other options have indications of issue associated with them. A is incorrect because malware can be detected once it operates. C is incorrect because policy violations can be seen and reported. D is incorrect because permissions issues, when persistent, always generate help tickets.

A CA (certificate authority) is established and directly issues user and computer certificates that expire in ten years. The CA is then immediately brought offline. Which of the following statements are true? (Choose two.) A. Issued user and computer certificates can no longer be used despite the expiration date. B. Issued user and computer certificates can continue to be used until the expiration date. C. New user certificates cannot be issued. D. Expired user certificates can be renewed.

B and C are correct. The CA is required to create and manage issued certificates, but it is not required for normal certificate use. Existing certificates can continue to be used, but new certificates cannot be issued. A and D are incorrect. They are untrue.

You would like to ensure that an authentication server is always available. Two authentication servers are clustered together with the authentication data stored on shared disk storage. What must be done to eliminate any single points of failure? (Choose two.) A. Add a third server to the cluster. B. Enable a second NIC in each cluster node. C. Enable all CPU cores. D. Configure the shared disk storage with RAID 1.

B and D are correct. A second NIC (network interface card) ensures that network communication continues if one NIC fails. RAID level 1 is also called disk mirroring: data written to one disk is also written to a second disk for safety. A and C are incorrect. Having two servers in a cluster eliminates the server as being a single point of failure; a third server is not required. Enabling all CPU cores may improve performance or workload capacity, but it does not remove any single points of failure.

Which of the following are true regarding SSL? (Choose two.) A. It encrypts all network traffic regardless of which application is used. B. At least one PKI certificate is required. C. At least two PKI certificates are required. D. All PKI certificates will eventually expire.

B and D are correct. A single PKI certificate is required for secured communication, such as in online banking. The server PKI certificate contains, among other details, a public and private key pair. The public key can be safely transmitted to the connecting client so that the client can encrypt a client-generated session key. The server then decrypts the message with the related private key. The client station does not require a PKI certificate. PKI certificates have expiration dates set by the issuing authority, after which they are not usable. A and C are incorrect. SSL is application-specific. Requiring two PKI certificates (on each side of a connection) would be used in high-security environments.

Which of the following are benefits of server virtualization? (Choose two.) A. Increased security B. Less energy consumed C. Cheaper software licensing D. Lower hardware costs

B and D are correct. Multiple virtualized servers can run simultaneously on a single physical host, meaning less energy is consumed and hardware costs can be reduced. A and C are incorrect. Virtualized servers are no more secure or cheaper (in terms of software licensing) than their physical counterparts.

What potential benefits does a penetration test provide? (Choose two.) A. Reducing single points of failure B. Identifying vulnerabilities C. Identifying wasted IPv4 addresses D. Preventing financial loss

B and D are correct. Penetration tests are conducted to identify vulnerabilities and to prevent financial loss resulting from intrusions. For example, financial loss can be incurred through the theft of trade secrets or shattered public, investor, and customer faith. A and C are incorrect. They are not penetration testing considerations.

Which of the following are true regarding remote network appliance administration? (Choose two.) A. SSH encrypts traffic, but it can restrict connections only by username and password. B. SSH encrypts traffic and can restrict connections using public keys. C. SSH uses UDP port 22. D. SSH uses TCP port 22.

B and D are correct. SSH is not limited to restricting connections only by username and password. Public key authentication can be configured, which requires connecting users to possess a valid public and private key pair along with a passphrase. SSH uses TCP port 22. A and C are incorrect. SSH is not limited to restricting connections by username and password, and it does not use UDP port 22.

Which of the following statements regarding WPA PSK are true? (Choose two.) A. The PSK encrypts wireless network traffic. B. The PSK authenticates the client to the WAP. C. The WAP authenticates the client to the PSK. D. WPA PSK is more secure than WEP.

B and D are correct. The WPA PSK authenticates wireless clients to the WAP (wireless access point). WPA PSK exists because of security deficiencies associated with WEP (Wired Equivalent Privacy). A and C are incorrect. The PSK does not encrypt wireless traffic; it authenticates the wireless client to the WAP, and from there an algorithm such as TKIP (Temporal Key Integrity Protocol) produces the encryption key that secures the wireless traffic. The WAP does not authenticate the client to the PSK; rather, the PSK authenticates the client to the WAP.

Which of the following are true statements regarding the relationships of functionality, security, and available resources? (Choose two.) A. As functionality increases, security increases. B. As security increases, functionality decreases. C. As resources increase, security decreases but functionality decreases. D. As resources decrease, both functionality and security decrease.

B and D are correct. The relationship between security and functionality is inversely proportional. As one increases, the other decreases. The relationship between resources and both security and functionality is directly proportional. As resources increase, so do both functionality and security. If resources decrease, so do functionality and security. A and C are incorrect. If functionality increases, security generally decreases. If resources increase, both security and functionality increase as well.

You need to design an authentication system for physical access to a high-security government facility. Which of the following authentication technologies would provide the strongest security? A. Access card with PIN B. Fingerprint scan C. Swipe card with chip D. Photo security pass

B is correct. A biometric fingerprint scan would provide the strongest level of security for your facility because fingerprints are unique to an individual and cannot be stolen like an access card. A, C, and D are incorrect. Security access cards and swipe cards can be lost or stolen, and although adding a PIN or using a photo provides stronger security, they are still not as definitive as a biometric authentication system.

Which of the following types of sensors works by using an electrical circuit that, when broken, triggers the alarm? A. Photoelectric sensor B. Closed-circuit sensor C. Pressure mat sensor D. Proximity sensor

B is correct. A closed-circuit sensor works by using a closed electrical circuit. If the circuit is open or interrupted, this triggers the alarm. A, C, and D are incorrect. With the photoelectric sensor, a beam of light is emitted from a transmitter to a receiver. When an intruder breaks the beam of light, it trips the alarm. A pressure mat sensor is activated after working hours, so that if an intruder enters the facility and walks on the material, the alarm will go off. With a proximity sensor, the sensor emits a magnetic field that it monitors. When someone approaches, the motion of the intruder changes the field's frequency. The system detects this frequency change and sets off the alarm.

Which of the following is true regarding virtualized server security? A. A compromised host operating system means all guest virtual machines are compromised, but the reverse is not true, since each virtual machine is essentially sandboxed into its own local environment. B. A compromised host operating system could render all guest virtual machines unavailable. C. A compromised virtual guest operating system means the host operating system is compromised. D. A compromised virtual guest operating system means all other virtual guest operating systems are compromised.

B is correct. A compromised physical host means the attacker would have control of the machine and could turn off virtual machines or even crash the host operating system, thus making the virtual machines unavailable. A, C, and D are incorrect. They are untrue.

You need to set up security controls to help your company prevent data loss when customer credit card information is being sent outside of your network via e-mail. Which of the following technologies do you use? A. Anti-spam filter B. Content filter C. Caching proxy server D. Firewall

B is correct. A content filter can scan outbound messages for patterns that match credit numbers, and then block or quarantine these messages to prevent them from being sent outside of the company's network. A, C, and D are incorrect. Anti-spam filters, caching proxy servers, and firewalls are not appropriate technologies to filter messages for content. Anti-spam filters are used to prevent incoming e-mail spam messages. Caching proxy servers are used to store web data locally for quick retrieval, and firewalls are used to control inbound and outbound network traffic.

Which of the following terms describes a trust between two different CAs so that each CA trusts the certificates that have been generated by the other CA? A. Mesh B. Cross-certificate C. Hierarchical D. Subordinate

B is correct. A cross-certificate trust model is a reciprocal trust where each of two different root CAs trusts the certificates that have been generated by the other root CA. A, C, and D are incorrect. A mesh model trusts not only the other root CAs but also their subordinates or intermediate CAs. A hierarchical model has a root and subordinate CAs. A subordinate is a lower-level CA in a hierarchical model.

Which attack involves sending specially-crafted traffic to a wireless client and an access point? A. Spoofing attack B. Deauthentication attack C. Replay attack D. Initialization vector attack

B is correct. A deauthentication attack involves sending specially crafted traffic to a wireless client and an access point, in the hopes of causing them to deauthenticate with each other and disconnect. A, C, and D are incorrect. A spoofing attack involves impersonating a wireless client or access point through either its IP or its MAC address. A replay attack involves the reuse of intercepted non-secure credentials to gain access to a system or network. Initialization vector (IV) attacks involve attempting to break WEP keys by targeting their weak IVs.

Which of the following devices is intentionally left nonsecure, with the hopes of luring a hacker away from the network and observing them? A. Bastion host B. Honeypot C. IDS D. IPS

B is correct. A honeypot is a host that has been left with some vulnerabilities open to lure a hacker away from attacking the network and to observe his or her attack methods. A, C, and D are incorrect. A bastion host is a secure host outside the network. An intrusion detection system (IDS) is used to detect network attacks. An intrusion prevention system (IPS) is used to detect attacks and attempt to prevent them by rerouting traffic, blocking ports, etc.

You are performing business continuity and disaster recovery planning for your organization, which provides very time-critical financial customer services. In the event a disaster strikes your primary data center, which of the following should you implement? A. Remote backup B. Hot site C. Having spare routers and switches on hand D. Hot and cold aisles

B is correct. A hot site is a facility that's ready to be operational immediately when the primary site is unavailable. All the equipment and networking infrastructure the company requires is already in place and can be activated quickly. A, C, and D are incorrect. None of these options provides redundancy for your full primary site if a disaster strikes.

Which of the following is an application designed to create and initiate files on a host to provide a fully functional virtual machine? A. Host operating system B. Hypervisor C. Guest operating system D. Load balancer

B is correct. A hypervisor, also called a virtual machine monitor, is application software responsible for creating and managing virtual machines and their associated files on a host. A, C, and D are incorrect. The host operating system does not create or manage virtual machines; it merely shares resources with them. The guest operating system is the virtual machine itself and is managed by a hypervisor. A load balancer is other software or a hardware appliance responsible for balancing user requests and network traffic among several different physical or virtualized hosts.

Which of the following can cause a successful attack on a system when a user enters malicious code or characters into a form field on a Web application? A. Lack of restrictive permissions on the Web form B. Lack of input validation C. Lack of adequate memory in a buffer D. Lack of properly formatted HTML

B is correct. A lack of input validation in the Web form field may allow certain types of attacks to take place when a user enters malicious or incorrect characters in the form. A, C, and D are incorrect. Permissions do not affect the quality or type of input in the field, only who can access and perform actions on the form. Adequate memory in a buffer cannot perform input validation functions. Properly formatted HTML cannot perform input validation on a form field.

You receive a network alert about excessive TCP traffic to and from a specific host, ACME4567. What tool can help you determine what type of TCP traffic is consuming bandwidth? A. Vulnerability scanner B. Packet sniffer C. Port scanner D. HIDS

B is correct. A packet sniffer can filter traffic to or from a specific host. This would enable you to view the packet payload and the TCP header, which contains the source and destination ports. From this information you can determine the type of network traffic. For example, SMTP spam traffic leaving the host would have a source TCP port of 25. A, C, and D are incorrect. Vulnerability scanners such as nmap are used to map out networks and analyze hosts for weaknesses, as well as to detect rogue network devices. Port scanners identify listening network services, but the excessive traffic could be caused by malicious code that does not listen on a port. HIDSs (host intrusion detection systems) analyze host-specific activity and would not be best suited for this scenario.

You are planning construction of a new server room and need to select the details of your electrical power equipment. Your physical location has been known to suffer from inconsistent power, with occasional interference, surges, and sags. Which of the following power devices should you use to protect your server room equipment? A. Gas-powered generator B. Power conditioner C. UPS D. Power-surge protector

B is correct. A power conditioner plugs directly into the power supply outlet and ensures that the power that reaches the computer equipment is free of voltage fluctuations and interference. A, C, and D are incorrect. A gas-powered generator or UPS only provides power in the event of an extended outage; neither necessarily provides clean power. A power-surge protector only protects against sudden voltage spikes through the use of a fuse or breaker that disrupts power.

How does an RTOS differ from a standard Linux distro? A. An RTOS is better at multitasking. B. An RTOS has the ability to handle interrupts in a timely fashion. C. An RTOS has superior multithread execution ability. D. An RTOS can run on multiple hardware platforms.

B is correct. A real-time operating system must handle interrupts in a timely fashion because its primary purpose is to provide real-time responses. A is incorrect because, although an RTOS is capable of multitasking, it is not optimized for it. C is incorrect because, although an RTOS can use a multithread execution model, it tends to be focused on execution of a specific thread, not multiple apps. D is incorrect because an RTOS typically is system specific in its coding.

Which of the following represents an agreement between parties that specifies performance criteria? A. RTO B. SLA C. MTBF D. MTTR

B is correct. A service level agreement is an agreement between parties concerning performance expectations. A, recovery time objective, is a distractor term related to disaster recovery. C, mean time between failure, and D, mean time to repair, are technical terms related to failure analysis.

Which of the following attacks involves sending ICMP packets from a spoofed IP address to the network's broadcast address? A. RAT B. Smurf attack C. Botnet D. Watering hole attack

B is correct. A smurf attack is a type of ICMP attack where large amounts of ping packets are sent from a spoofed IP address on the network to the network broadcast address, causing many replies back to the victim and possibly bringing about a denial of service. A smurf attack is an example of a DDoS attack. A, C, and D are incorrect. A remote access Trojan (RAT) is malicious software that the user typically installs without knowing it, such as by installing a game from the Internet or by running a program that was e-mailed to them that is malicious software. The RAT program then opens a back door for the hacker to gain access to the system remotely at a later time. A botnet is a group of compromised systems that the hacker has control over and uses to attack a victim's system. A watering hole attack is when the hacker determines sites you may want to visit and then compromises those sites by planting viruses or malicious code on them. When you visit the site (which you trust), you are then infected with the virus.

Which type of assessment looks at events that could exploit vulnerabilities? A. Vulnerability assessment B. Threat assessment C. Risk assessment D. Penetration test

B is correct. A threat assessment looks at events that could exploit vulnerabilities. A, C, and D are incorrect. A vulnerability assessment looks for weaknesses in systems. A risk assessment is a combination of assessments and is designed to assess factors, including likelihood and impact that affect an asset. A penetration test attempts to exploit actual vulnerabilities found within the systems.

When the trust relationship is extended to additional domains that are trusted by the initial trusted domain, this is an example of? A. Identity federation. B. Transitive trust. C. Single sign-on. D. SAML.

B is correct. A transitive trust relationship means that the trust relationship extended to one domain will be extended to any other domain trusted by that domain. A is incorrect because identity federation, defines policies, protocols, and practices to manage identities across systems and organizations. C is incorrect because single sign-on is a form of authentication that involves the transferring of credentials between systems. D is incorrect because SAML is a security protocol, not an authentication mechanism.

Which of the following technologies is NOT typically used to design secure network architectures? A. DMZ B. Clustering C. VLAN D. VPN

B is correct. Although it is part of high availability design, clustering is not typically used in the design and implementation of a secure network architecture. A, C, and D are incorrect. DMZs are used as a security buffer zone to separate internal networks and resources from externally accessible ones. VLANs are used to segregate local networks, providing a secure internal infrastructure. VPNs provide for secure remote access solutions.

Which attack method targets weaknesses in WEP encryption keys? A. Birthday attack B. IV attack C. Plain text attack D. Brute-force attack

B is correct. An IV (initialization vector) attack takes advantage of the weak implementation of the 24-bit IVs in WEP, since it has a relatively small key space and repeats the IV periodically. A, C, and D are incorrect. Birthday and brute-force attacks are password attacks. A plain text attack can be used to compare known plain text with cipher text to decrypt data and is not used to crack WEP keys.

Chris, a network technician, identifies a new technique to gain administrative access remotely to a Linux host without knowing administrative credentials. What has Chris created? A. Virus B. Exploit C. Vulnerability D. Worm

B is correct. An exploit takes advantage of a vulnerability. A, C, and D are incorrect. A virus may contain an exploit, but it is not necessarily an exploit itself. Vulnerabilities are weaknesses, exploits take advantage of those weaknesses. Worms are pieces of self-replicating malicious code that may or may not be acting as a vehicle to deliver an exploit.

Your boss wants to restrict sales reps' access to systems to only the accounts they are working with. You could implement this with which of the following? A. HOTP B. ABAC C. MAC D. RBAC

B is correct. Attribute-based access control (ABAC) is a form of access control based on attributes. These attributes can be in a wide variety of forms, such as user attributes, resource or object attributes, and environmental attributes. For example, in the given scenario, access could be controlled based on an attribute named salesrep. A is a hash-based one-time password, which is not an access control system. C is mandatory access control, which would make management of the system nearly impossible. D is role-based access control or rule-based access control, neither of which would be easy to maintain for the case given.

Which the following is a recognized way of restricting access to applications? A. Whitelisting B. Blacklisting C. Graylisting D. Filtering

B is correct. Blacklisting is a technique that involves an administrator adding undesirable or restricted software or applications to a list on content filtering devices, in group policy, or through some other type of mechanism. This ensures that users are not allowed to download, install, or execute these particular applications. A, C, and D are incorrect. Whitelisting is the opposite of blacklisting; applications that users are allowed to download, install, and execute are added to a whitelist. There is no such term as graylisting. Filtering typically involves checking traffic on a network device based upon specific characteristics. The term normally does not apply to software or applications.

You have just discovered that several user accounts are still active from employees who have long since left the organization or were let go from the company. After changing the passwords and disabling the accounts, which of the following should you implement to prevent this security issue from recurring? A. Set account expiration dates. B. Conduct routine user account and permission reviews. C. Use password rotation. D. Change HR policy to notify you of any employee status changes.

B is correct. By regularly checking user accounts and permissions, you ensure that current users only have the rights and permissions required for their current positions. If you find accounts from users who have left the organization, you can disable those accounts. A, C, and D are incorrect. A is incorrect because only contracted employees should have expiration dates on their accounts for when their contract is completed. C is incorrect because password rotation does not ensure that user accounts are disabled if the user has left the company. D is incorrect because although this information is helpful, you must still perform regular reviews if you do not receive a notification from HR or the account management was never completed.

You need to prevent attacks on your wireless network by securing the access points from unauthorized remote access. Which of the following security techniques do you implement? A. Restrict remote access to direct wired connections. B. Enable authentication with strong passwords. C. Disable SSID broadcast. D. Disable mixed 802.11g/n mode.

B is correct. By using a strong authentication method, you reduce the risk that a malicious user can hack into the admin account on the access point. A, C, and D are incorrect. A hacker could still connect to the access point using a wired connection if he is in the facility. Disabling SSID broadcast or mixed mode does not protect against remote access attempts on the access point.

To help prevent security vulnerabilities, which of the following can you implement in the development cycle to improve the quality of the software code before it is tested? A. White box testing B. Peer code reviews C. Patching the server operating system D. Code fuzzing

B is correct. By using peer code reviews, you ensure that another developer will inspect the code written by the original developer. This allows you to discover quality issues and security vulnerabilities that might not have been noticed by the original developer. A, C, and D are incorrect. A is incorrect because white box testing is performed in the testing cycle after the code is generated. C is incorrect because patching the operating system on which the code is running will not prevent security bugs in the application code. D is incorrect because although code fuzzing shows the outcome that invalid inputs would have when introduced to a program (such as crashes or memory leaks), it is not as thorough as code review in finding vulnerabilities within the actual code.

What is the order of volatility associated with digital forensic elements, from most volatile to least? A. System storage (RAM), CPU storage (registers/cache), fixed media, removable media, output/hardcopy B. CPU storage (registers/cache), memory (RAM), fixed media, removable media, output/hardcopy C. System storage (RAM), CPU storage (registers/cache), removable media, fixed media, output/hardcopy D. CPU storage (registers/cache), memory (RAM), output/hardcopy, fixed media, removable media

B is correct. CPU storage is the most volatile; it can change independent of RAM. A and C are incorrect because CPU storage is more volatile than system storage; it can change independent of RAM. D is incorrect because hardcopy output is the least volatile.

Which of the following forms of authentication uses password hashes and challenge methods to authenticate to the system? A. PAP B. CHAP C. MS-CHAP D. EAP

B is correct. Challenge-Handshake Authentication Protocol (CHAP) uses password hashes and challenge methods to authenticate to the system. A, C, and D are incorrect. The Password Authentication Protocol (PAP) is an older authentication method that passes usernames and passwords in clear text. For this reason, it is no longer used. Passwords are not passed in clear text with this protocol. MS-CHAP (Microsoft CHAP) is a Microsoft proprietary version of CHAP, native to Windows systems. The Extensible Authentication Protocol (EAP) is a modern authentication framework that can use various authentication methods. It also does not pass user name and password information in clear text.

A small law firm with no technical staff is expanding and hires 20 paralegals in different cities. The firm would like reliable mail server access as well as the latest mail server software. Additional temporary employees may be hired from time to time. Which solution presents the best economical solution? A. Refurbished server and client hardware B. Cloud computing C. Custom-built web mail D. Upgrading to quad-core CPUs

B is correct. Cloud computing presents a hosted solution (a service subscription) for companies requiring reliable, up-to-date computing access while being flexible enough to grow or shrink with company needs. No up-front investment is required for hardware or technicians. Network configuration tasks that would otherwise require technical expertise are facilitated through software-defined networking (SDN), which makes firewalling and network segmentation easy. A, C, and D are incorrect. Employees in different cities require new or refurbished hardware, which means technical complexity, which equates to dollars. Custom-built web applications are expensive compared to hosted solutions.

DrumCo is a small musical instrument company specializing in traditional African percussion instruments and is based in Fargo, North Dakota. To minimize hardware and IT costs, DrumCo has decided to use e-mail and customer tracking hosted solutions. The hosted solution provider uses a data center in Germany to store customer data. DrumCo is concerned with legal issues arising from data being stored in a foreign country. What type of concern is this? A. Encryption B. Cloud computing C. Service-level agreement D. Virtualization

B is correct. Cloud computing refers to using hardware and software owned and maintained by a hosted solution provider. Companies such as DrumCo would only need client stations to connect to the hosted services, which are often provided through a web browser interface. A, C, and D are incorrect. Encryption secures data from unauthorized parties; only parties with the correct decryption key can access the data. Service-level agreements (SLAs) define the level of service that can be expected for a paid service. Virtualization is often used by the provider of cloud computing services, but the scenario does not specific whether virtualization is used or not.

What term refers to hosted hardware and software application solutions for which you pay a fee? A. Server virtualization B. Cloud computing C. Remote desktop services D. Web-based computing

B is correct. Cloud computing removes the hardware and software cost and maintenance in exchange for a fee. The use of physical server resources are provided by the cloud computing provider. A, C, and D are incorrect. Cloud computing uses server virtualization to host many cloud-based services, but virtualization alone does not define cloud computing. Virtual machines deployed by cloud customers run in physical hypervisor servers. Windows virtual machines can be remotely managed using Remote Desktop Protocol (RDP). Web-based computing refers to the use of a web browser as an application interface.

Which of the following is normally required to convert and read coded messages? A. Symmetric key B. Codebook C. Algorithm D. Asymmetric key

B is correct. Codes are representations of an entire phrase or sentence, where ciphers are encrypted on a character-by-character basis. A codebook is needed to translate coded phrases into their true plaintext meanings. A, C, and D are incorrect. A symmetric key is used to encrypt ciphers, not codes, as are algorithms and asymmetric keys.

Your organization is concerned that employees might e-mail proprietary information to themselves at their private addresses. Which of the following would be most effective at catching that particular effort? A. Antispam filter B. Content filter C. Caching proxy server D. Firewall

B is correct. Content filters can scan content as it leaves the network, checking for certain types of content that has been pre-specified within the software. A, C, and D are incorrect because those technologies will not content-filter messages. Antispam filters are used to catch and quarantine spam messages. Caching proxy servers are used to cache, or store, messages for speedy retrieval in the future. Firewalls help control and block (when necessary) network traffic at the ingress and egress points.

What measure can developers take to protect their web applications from cross-site scripting attacks? A. Apply operating system patches. B. Validate user input. C. Enable SSL. D. Enable TLS.

B is correct. Cross-site scripting attacks are executed by users submitting malicious code to a web site viewed by others. When others view the site, the malicious scripts execute on their stations. A, C, and D are incorrect. Patching and applying SSL or its successor, TLS, will harden the web site but not the application. User-submitted input needs to be validated.

A government official is granted an authorization level that allows her access to tax records for American citizens and other confidential data. Which term best describes this scenario? A. Least privilege B. Security clearance C. Authentication D. Confidentiality

B is correct. Data labeling such as "Confidential" or "Top Secret" requires that people have security clearances before accessing appropriately labeled data. A, C, and D are incorrect. Least privilege means having only the rights required to perform a duty. Authentication proves the identity of a user or computer to gain access to resources. Confidentiality restricts data only to authorized parties. None of these relates to the stated scenario.

A printed e-mail would be considered which kind of evidence? A. Real evidence B. Documentary evidence C. Direct evidence D. Demonstrative evidence

B is correct. Documentary evidence is usually a printed form of evidence, a recording, or photograph. A, C, and D are incorrect. Real (or physical) evidence is a tangible object presented in court (such as a weapon). Direct evidence is testimony from someone who actually witnessed the event. Demonstrative evidence is presenting a physical object that displays the results of an event that occurred.

What type of testing is needed to detect a race condition? A. Static code analysis B. Dynamic analysis C. Formal methods D. Sandboxing

B is correct. Dynamic analysis is specialized instrumented running test to examine multiple threads and thread checking to catch errors such as race conditions. A examines items such as syntax without executing the code. C is an examination of the model of the program for correctness. D is used to isolate a program from the host OS.

What can be used to eliminate man-in-the-middle attacks targeted to e-mail messages? A. Anti-spam software B. E-mail digital signatures C. Antivirus software D. E-mail encryption

B is correct. E-mail digital signatures are created with the sender's private key. The e-mail message data is passed through a hashing algorithm, resulting in a unique hash value. The recipient uses the sender's public key to generate a unique hash value. Any change made to the e-mail message will result in a different hash value, thus indicating the message is not authentic and has been tampered with. The same concept applies to code signing by developers, which establishes trust and is used to detect tampering. A, C, and D are incorrect. Anti-spam and antivirus software is critical to weed out infected e-mail messages, but they do nothing to ensure a message is authentic. Encrypting e-mail messages protects the message from being viewed by unauthorized parties, but it does nothing to ensure the message is authentic.

Elite hackers are said to be responsible for at most what percentage of malicious Internet activity? A. Less than 1 percent B. 1-2 percent C. 3-5 percent D. 6-10 percent

B is correct. Elite hackers are responsible for, at most, only 1 to 2 percent of intrusive activity. A, C, and D are incorrect. Their values are simply wrong for this question.

What benefit does elliptic curve cryptography provide over RSA? A. Less security, larger key size B. Higher security, smaller key size C. Quicker calculation using larger key sizes D. Longer calculation using larger key sizes

B is correct. Elliptic curve cryptography (ECC) can provide more security per bit. For example, a 1024-bit RSA key is the security equivalent of a 163-bit ECC key. A, C, and D are incorrect. ECC keys are more secure than bit-equivalent RSA keys because of the implementation of the algorithm. Fewer bits require less calculation, which means quicker calculations without sacrificing security.

Proper humidity and temperature for information systems equipment is an example of what type of security? A. Perimeter security B. Physical security C. Administrative security D. Technical security

B is correct. Environmental controls are an example of physical security. A, C, and D are all common terms that are relevant to security but not to this question.

Evidence must meet all of the following requirements to be admissible in court EXCEPT: A. Sufficient B. Incriminating C. Competent D. Relevant

B is correct. Evidence does not have to necessarily incriminate. It can also be exculpatory (proving someone innocent). A, C, and D are incorrect. All of these conditions must be met for evidence to be admissible in court. For evidence to be considered sufficient it must provide a fact by itself, without the need for supporting evidence to prove the point. The evidence must also be competent evidence, which means that the evidence must have been legally obtained. If the evidence has been illegally obtained, it is inadmissible in court. Finally, the evidence must have relevance—meaning that the evidence must be related to and have meaning to the case.

Which widely used protocol is available to vendors to establish their own customized authentication system? A. ICMP B. EAP C. PPP D. PPTP

B is correct. Extensible Authentication Protocol (EAP) allows vendors to customize their own authentication system. A is not used in authentication. C and D are other protocols used in authentication, but not for customization.

You have created a web application that requires your customers to create an account and password for the system. Which of the following methods is the most secure way to deal with users who have forgotten their password? A. Retrieve the previous password. B. Generate a new secure password. C. Reset the password to the user's account name. D. Reset the password to a blank value.

B is correct. For the highest security, you should reset the user's password to a secure value. This ensures that the account is protected by a strong password. A, C, and D are incorrect. Using a previous password, the user's account name, or a blank password leaves the account with an insecure password that can be easily hacked.

Which of the following techniques involves sending unexpected or invalid data to an application to determine vulnerabilities? A. Cracking B. Fuzzing C. Scanning D. Spoofing

B is correct. Fuzzing is an application vulnerability testing technique that sends invalid or unexpected data to the application, with the intent to see if any security vulnerabilities exist. A, C, and D are incorrect. Cracking typically involves passwords, not applications. Scanning usually means network port or service scanning. Spoofing means to masquerade as another entity, usually by spoofing an IP address, MAC address, or user.

Assigning privileges to users is best accomplished using groups. When might it be useful to specify an individual user account in a permission list? A. To audit a single user B. To deny access to a single individual C. To disable a user account temporarily D. To test server security

B is correct. Granting access to resources is often done using user groups. Denying access to a single user that is a member of a group that was given permissions is best accomplished by adding that single user and denying access. A, C, and D are incorrect. Auditing configuration is not done in permission lists. Disabling user accounts and testing server security are not related to single users listed in permission lists as answer B is.

A Windows domain administrator wants to configure all domain controller servers to use complex password requirements. Which method is the most efficient way to do this? A. Write a PowerShell script and run the script on each server. B. Use Group Policy. C. Use a local security policy. D. Export the settings from one configured server and import them to the other servers.

B is correct. Group Policy enables the centralized configuration of operating system settings. A, C, and D are incorrect. Though they would work, they are not as efficient as Group Policy.

The web site administrator for your company asks you about an external device to handle all encryption and decryption processing to enhance server performance. What should you recommend? A. Trusted root certificate B. HSM C. TPM D. SSL

B is correct. HSMs (hardware security modules) are crypto-processor devices that offload processing work from hosts. A, C, and D are incorrect. Trusted root certificates are used to establish a chain of trust with PKI certificates, but they are not external crypto-processor devices. TPM chips store keys for encrypting and decrypting hard disks, but they are embedded on motherboards; they are not external devices. SSL is a cryptographic function handled by HSM, but SSL is not an external device.

You should be sure to use the ______ protocol when performing secure administration tasks on a router remotely through a web browser. A. Remote shell B. HTTPS C. Telnet D. HTTP

B is correct. HTTPS will provide an encrypted web connection to the router so that you can perform secure administrative tasks. A, C, and D are incorrect. None of these methods provides secure encrypted access.

A small office must house seven physical rack-mount servers in a small server room. You would like to control the temperature and humidity of the server room for optimal computing conditions. Which type of system do you need? A. Fire suppression B. HVAC C. HMAC D. Cold aisle

B is correct. HVAC (heating, ventilation, air conditioning) can control server room environments to ensure that servers operate properly and efficiently. Modern Internet of Things (IoT) solutions enable remote access and control of HVAC systems for residential and commercial use. A, C, and D are incorrect. Fire suppression does not directly control temperature and humidity; it reduces damage due to fire and smoke. HMAC is a fictitious acronym in the context of environmental control systems. Cold aisles optimize airflow such that cool air is fed to computing equipment while warm air is taken away.

Which of the following fire suppression chemicals was banned in 1987 and can no longer be used in data centers? A. Water B. Halon C. Carbon dioxide D. FM-200

B is correct. Halon is a dangerous chemical that was previously used in data centers to suppress fires. However, it was banned in 1987 because it is also dangerous to human beings. A, C, and D, are incorrect. Water is still used to combat certain classes of fires. Carbon dioxide is used to combat both liquid and electrical fires. FM-200 has generally replaced Halon in data center fire suppression systems.

The ____ component of the IPSec VPN encryption protocol is used to obtain a public key and authenticate a VPN endpoint with a digital certificate. A. SA (Security Association) B. IKE (Internet Key Exchange) C. AH (Authentication Header) D. ESP (Encapsulating Security Payload)

B is correct. IKE enables the receiver to obtain a public key and authenticate the sender using digital certificates. A, C, and D are incorrect. The SA is the establishment of a communications relationship between two or more entities. The AH works to ensure data origin authentication within packets. The ESP works to ensure that packets have authenticity of origin, integrity, and confidentiality.

Which of the following security measures for wireless networks helps prevent direct hacking attempts on your wireless access points? A. Enable UPnP on the access point. B. Use strong access point passwords. C. Enable SSID broadcast. D. Lower the power of wireless transmissions on the access points.

B is correct. If a hacker gains management access to the access point through a wired or wireless connection, he can apply brute-force attacks against the admin credentials of the device. Using strong passwords helps prevent these types of attacks. A, C, and D are incorrect. Encryption is important for the security of wireless communications, but it cannot stop a hacker if he connects directly to the device with a wired connection. Enabling SSID broadcast or lowering the power of transmissions will not prevent password attacks.

You are performing a risk analysis of the critical servers in your organization that accept, process, and store customer data. Which of the following risks can result in the biggest impact to customer data? A. Failed hard drive on a RAID system B. Virus attack that corrupts files on a server C. Theft of a network switch D. Hacking attempt on your firewall

B is correct. If a virus infects one of your servers that stores customer data, the files can be corrupted if you do not have a proper backup of the data. A, C, and D are incorrect. A is incorrect because if a hard drive fails on a RAID system, its native redundancy still preserves the integrity of data and the hard drive can be replaced. C and D are incorrect because a hacking or theft attempt on a network device will not harm stored customer data on a server.

Your manager has asked that you perform an assessment of user passwords on the servers but wants to ensure that when you test the passwords you do not lock the user accounts. Which type of password audit should you perform? A. Online password audit B. Offline password audit C. Account lockout audit D. White-box penetration test

B is correct. If the goal is to prevent user account lockout, then offline password auditing is the correct method. A, C, and D are incorrect. Online auditing would definitely lock out user accounts as soon as the account lockout threshold is reached. An account lockout audit is an invalid type of audit, and a white-box penetration test involves full system or network testing and is incorrect in this context.

Your e-mail server has been flagged by a third-party anti-spam service as a possible source of spam messages. Which of the following is most likely the issue? A. Using insecure versions of POP and IMAP for retrieving messages B. Open relay on SMTP port 25 C. Out-of-date anti-spam signatures D. Using TLS for SMTP connections

B is correct. If you allow SMTP relay on port 25, any mail client outside of your network can send mail through your server, and this is often exploited by spammers. A, C, and D are incorrect. POP and IMAP are used for retrieving, not sending, mail. Anti-spam software is used to control incoming spam and will not prevent spam due to an open SMTP relay. TLS, if enabled, can be initiated by the sender or receiver to start an encrypted message delivery and will not prevent spam.

A security incident has occurred where an unauthorized person using a stolen access card entered a server room and stole an expensive piece of network equipment. Which of the following actions can provide evidence of the unauthorized user's identity? A. Checking the access card log B. Checking video surveillance footage C. Checking firewall logs D. Checking man-trap logs

B is correct. If you have video surveillance of the server room, you will have video evidence of the unauthorized user entering the server room and taking the device. A, C, and D are incorrect. The access card is stolen and will only show the times when the unauthorized user entered the room, not the user's identity. Firewall logs will only show evidence of network intrusion, not a physical intrusion. A man-trap door system is not in use.

Which type of social engineering attack involves the attacker pretending to be an administrator, executive, or other key member of the organization? A. Pretext attack B. Impersonation C. Tailgating D. Whaling

B is correct. Impersonation is pretending to be someone else, usually someone important, to execute a social engineering attack. A, C, and D are incorrect. A pretext is simply an elaborate story, with believable detail and props added, that may be used to carry out any social engineering attack. Tailgating involves entering a restricted area by closely following behind someone after they have authenticated by using a badge or card. Whaling is a form of phishing attack, involving e-mail, where an important person is targeted but not impersonated.

You have been asked to configure and secure a wired network. You have linked three 24-port Ethernet switches together. Sixty workstations, one printer, one router, and one server have been plugged in. What should be done with the remaining switch ports? A. They should be associated with a specific MAC address. B. They should be disabled. C. They should be configured with their own VLAN. D. They should be configured to use full duplex.

B is correct. In the interest of security, unused switch ports should be disabled to prevent unauthorized network access. As an additional security and performance technique, the Spanning Tree Protocol (STP) should be enabled on switches to prevent bridging loops, which can bring down a network. In the event of a switch issue or malware outbreak, aggregated switches can be unplugged to prevent further issues to downstream switches. A, C, and D are incorrect. Used switch ports should be associated with MAC addresses to control which machines can plug into specific switch ports. Putting unused switch ports in a VLAN does isolate them from active switch ports, but disabling unused ports is a more secure solution. Full-duplex port operation improves network performance but does nothing to secure the network.

You are setting up an M of N control scheme to be able to recover your organization's private encryption key in the event it is lost. You have chosen five employees to act as key operators. Which of the following describes how M of N control works to recover a private key? A. All five key operators are required to recover the key. B. Three out of five key operators are required to recover the key. C. Any of the five key operators can retrieve the key from the key escrow company. D. All of the five key operators have a copy of the private key.

B is correct. In this case, at least three of the five key operators are required to be able to recover the private key. A, C, and D are incorrect. A is incorrect because it is difficult to bring all five operators together at the same time to recover the key. C and D are incorrect because one person alone should not be tasked with being able to recover the private key.

Departmental managers complain that they cannot quickly allocate more storage as their department needs dictate. Regulations require data to be store on premises. Which cloud service model and cloud type would address this scenario? A. SaaS, community B. IaaS, private C. PaaS, private D. SECaaS, public

B is correct. Infrastructure as a Service (IaaS) encompasses network and storage infrastructure. Private clouds run on premises. A, C, and D are incorrect. Software as a Service (SaaS) refers to productivity software of some kind without direct storage configuration options. Community clouds provide pooled resources for organizations with similar needs. Platform as a Service (PaaS) is often used by developers for coding and quickly deploying databases. Security as a Service (SECaaS) provides security solutions such as malware scanning in a cloud environment where the underlying hardware and availability is handled by the provider.

You are creating a disaster recovery plan for your organization and assigning probabilities to specific risks. Which of the following would be the highest probability risk for your server room? A. Fire B. Unauthorized access C. Low temperatures D. War driving

B is correct. It is most likely that unauthorized access to your secure server room is the biggest risk. Therefore, adequate access control security is required for the server room entrance. A, C, and D are incorrect. A is incorrect because although fire is possible, it is a rare event. C is incorrect because air conditioning to keep temperatures low is vital for keeping systems from overheating. D is incorrect because war driving would affect wireless access throughout your facility, not just the server room.

Through which process are performance and feature creep countered by the management team? A. Continuous integration B. Baselining C. Immutable system integration D. Security automation

B is correct. It is through baselining—the process of determining a standard set of functionality and performance—that performance and feature creep are countered by the management team. A is the DevOps manner of continually updating and improving the production code base. C is incorrect because an immutable system is never modified, patched, or upgraded after it is deployed. D is intended to allow fewer security resources to cover more environment in a more effective and efficient manner.

Which of the following ports would be most likely to allow secure remote access into a system within a data center? A. UDP port 53 B. TCP port 1701 C. UDP port 123 D. TCP port 443

B is correct. L2TP aligns to TCP port 1701, allowing secure remote access to a system through a VPN connection. A, C, and D are incorrect: UDP port 53 aligns to the Domain Name Service (DNS), UDP port 123 is used by Network Time Protocol (NTP) services, and TCP port 443 is used by HTTP over SSL.

A network consists of Windows, Mac, and Linux workstations. All regular network users must authenticate to the same source before accessing network resources. Which network service provides this functionality? A. DNS B. LDAP C. DHCP D. SSH

B is correct. LDAP is a standard authentication data source using TCP port 389 for clear-text transmissions and TCP port 636 for encrypted transmissions. Common directory services such as Novell eDirectory, Microsoft Active Directory, and Sun One Directory Server are all LDAP-compliant. A, C, and D are incorrect. They do not authenticate users. DNS most commonly resolves names such as www.disney.com to the corresponding IP address. DHCP pushes IP configuration parameters to clients when they request it. SSH (Secure Shell) allows administrators (and not regular users) to gain encrypted command line access to an SSH host.

A common technique used to increase system performance by using multiple resources is: A. Clustering B. Load balancing C. Data redundancy D. Creating backups

B is correct. Load balancing allows multiple systems to share the load in order to provide better performance. A refers to the grouping of systems to provide fault tolerance. C does not increase performance levels above a baseline. D does not increase performance levels.

Mobile device management is essential if employees are allowed to use their own devices. What is one risk associated with BYOD? A. The company becomes responsible for a wide array of devices. B. Lost devices can pose a network threat. C. Mobile devices can reduce productivity. D. Mobile devices are not reliable computing platforms.

B is correct. Lost or stolen mobile devices can be a threat to the network and data. For BYOD devices, the majority of the network access and corporate data usage will probably be in the background and invisible to the user. The user may not notify their management of personal device loss or theft in a timely manner, even if the device has work access. This leaves a device that is able to connect to the network that is outside of corporate control. A, C, and D are all easily manageable by policy and management.

All of the following are methods that can be used to detect unauthorized (rogue) hosts connected to the network, except: A. DHCP logs B. MAC filtering logs C. NAC device logs D. Switch logs

B is correct. MAC addresses can be spoofed, so examining MAC address on filtering logs may not provide any indication of whether a host is authorized or not. A, C, and D are incorrect. All of these are valid methods of detecting rogue hosts that connect to the network.

All of the following are items that should be configured in a system baseline EXCEPT: A. Protocol usage B. Memory usage C. Installed services D. Permissions

B is correct. Memory is a dynamic resource and usually can't be configured in terms of how it is used in any given moment. A, C, and D are incorrect. All of these configuration items can be standardized and included in the system's configuration baseline.

You are designing authentication services for a highly secure facility. Which of the following authentication models would provide the most security for physical access? A. PIN B. Multifactor authentication C. Single sign-on to a directory server D. Photo ID and security guard check

B is correct. Multifactor authentication is very secure and means that users must provide at least two unique identification factors, such as an access card, a PIN number, and a fingerprint scan. A, C, and D are incorrect. These authentication models do not provide as strong security as does multifactor authentication.

Bob logs on to the network and receives a message indicating that patches are not up to date and that he cannot be granted access to the network until patches are updated. What network feature is responsible for the message? A. NAT B. NAC C. VPN D. TPM

B is correct. Network access control (NAC) can be used to prevent hosts from connecting to the network unless they meet certain security requirements, such as patch level, up-to-date antivirus signatures, and so forth. A, C, and D are incorrect. None of these other technologies are concerned with enforcing host security requirements prior to connecting to the network.

Which of the following technologies typically use rule-based management? A. Operating systems B. Routers, firewalls, and proxy servers C. Databases D. Web servers

B is correct. Network and security devices use rules and rule sets to determine access to resources. A, C, and D are incorrect. None of these systems specifically use rule-based management.

The certificate for your organization's web server has been revoked. Which of the following actions must you take? A. The certificate must be renewed. B. A new key pair and new certificate need to be generated. C. Continue to use the certificate until you get a renewal. D. Use a self-signed certificate.

B is correct. New key pairs and a certificate need to be generated because the certificate can't be renewed after it has expired. A, C, and D are incorrect. A is incorrect because a certificate cannot be renewed after it has expired. C is incorrect because you cannot use the certificate after it has expired. D is incorrect because a self-signed certificate can be used but will generate errors in the client web browser and is not a replacement for a certificate from a trusted certificate authority.

You are planning to conduct a network vulnerability assessment for your company's central office. Which tool should you use? A. netcat B. nmap C. tcpdump D. netstat

B is correct. Nmap (network mapper) is a Linux and Windows tool used to scan a network for hosts and services for the purpose of detecting vulnerabilities. A, C, and D are incorrect. Netcat is a Linux tool used to create and test TCP and UDP connections. Tcpdump is a Linux utility used to capture network traffic. Netstat is a Windows command that shows the state of TCP and UDP connections.

All of the following are considered duties of a first responder to an incident, except: A. Securing the scene B. Notifying and coordinating with senior management and law enforcement officials C. Determining the initial scope and impact of the incident D. Notifying the incident response team

B is correct. Notifying and coordinating with senior management and law enforcement officials is normally the job of a senior leader within the incident response team. A, C, and D are incorrect. The primary job of a first responder is to secure the scene. They are also responsible for notifying the incident response team and initially determining the scope, seriousness, and impact of the incident.

Which of the following is normally the job of a senior leader within the incident response team? A. Securing the scene B. Notifying and coordinating with senior management and law enforcement officials C. Determining the initial scope and impact of the incident D. Notifying the incident response team

B is correct. Notifying and coordinating with senior management and law enforcement officials is normally the job of a senior leader within the incident response team. A, C, and D are incorrect. The primary job of a first responder is to secure the scene. They are also responsible for notifying the incident response team and initially determining the scope, seriousness, and impact of the incident.

Your manager is interested in implementing a strong authentication scheme. Which of the following is considered the strongest authentication? A. Username/password B. Iris scan C. PIN D. Fingerprint

B is correct. Out of the choices given, an iris scan is the strongest method of authentication, as these patterns are very unique to individuals. Of all of the biometric authentication methods, including voiceprint and fingerprints, iris scans are most accurate. A, C, and D are incorrect. Username and password combinations are not considered strong methods of authentication, as would be a PIN by itself. These are all considered single-factor forms of authentication. Fingerprints are not considered as strong a method of biometric authentication as iris scans.

What can be done to secure virtualized operating systems? A. Nothing. Virtualized operating systems are vulnerable. B. Patch the virtual machine OS. C. Use a virtual machine cluster. D. Use a private IP address range.

B is correct. Patching a virtual OS is just as important as patching the OS on the physical host. To attackers on a network, virtual hosts generally appear as physical hosts whether the OS is server-based, or in the case of Virtual Desktop Infrastructure (VDI), client-based. A, C, and D are incorrect. Virtual operating systems are no more vulnerable than physical host operating systems—they must be patched. Clustering increases availability but does not address security. Whether private IP address ranges (for example, 192.168.1.0/24) are used or not does nothing to secure hosts.

A mobile device management policy should do all of the following except: A. Address strong password locking B. Be identical to desktop policies C. Address remote wiping D. Specify encryption

B is correct. Policies should be consistent with desktop policies, but it is unrealistic to make them identical. A, C, and D are all issues that should be included in a mobile device management policy.

Which of the following types of public key cryptography uses a web of trust model? A. RSA B. PGP C. DHE D. AES

B is correct. Pretty good privacy, or PGP, is commonly used between individuals or small groups of people, and it normally does not require a public key infrastructure. It uses a web of trust model, which means that each individual has to be able to trust every other individual who uses PGP to encrypt and decrypt data sent and received by them. A, C, and D are incorrect. RSA is the de-facto key generation protocol used in public key cryptography, and it is normally used in a public key infrastructure type of environment. Diffie-Hellman Exchange (DHE) is a key negotiation and agreement protocol that is used to exchange keys and establish a secure communications session. AES is a symmetric key protocol not used in public key cryptography.

A malicious user, Daniel, gains access to a corporate Wi-Fi network where two other users are exchanging data. Daniel captures network traffic between the two communicating victims, modifies it, and sends it back on the network. How can this type of attack be prevented? A. Jumbo frames B. Computer authentication using PKI C. Computer authentication using ARP D. Hard disk encryption

B is correct. Public Key Infrastructure (PKI) certificates from a trusted source could be configured on the two computers. Network traffic from hosts not using a trusted PKI certificate could then be ignored. A, C, and D are incorrect. Jumbo frames are oversized Ethernet packets (more than 1514 bytes) designed to transmit more data in a single transmission. This increases performance but not security. There is no such thing as ARP computer authentication. Hard disk encryption secures locally stored data but does nothing when transmitting data on a network.

Which cloud deployment model typically has the least protective set of security elements? A. Community B. Public C. Private D. Hybrid

B is correct. Public clouds can offer the smallest set of security elements because they cater to a less demanding clientele. A is incorrect because community clouds have a more limited set of clients than public clouds, and those clients typically have some common security concerns that lead to implementation of more security controls in the setup of the cloud. C is incorrect because private clouds have the greatest ability to secure as they can be tuned to a client's needs. D is incorrect because hybrid clouds fall in between private and public when examined with respect to security controls.

Which of the following encryption algorithms is considered the strongest? A. SHA-1 B. RSA 128-bit C. WEP 128-bit D. DES

B is correct. RSA (Rivest, Shamir, Adelman) 128-bit is a secure asymmetric encryption algorithm. A, C, and D are incorrect. SHA-1 is not an encryption algorithm; it is a hashing algorithm (Secure Hashing Algorithm) used to verify data integrity. Even though WEP (Wired Equivalent Privacy) has a cipher strength of 128 bits, its implementation is poor, thus making it vulnerable to initialization vector (IV) attacks. DES (Digital Encryption Standard) is an outdated 56-bit block cipher that is considered inferior to RSA.

Which is the most common public-private key generation algorithm used in public key cryptography? A. ECDH B. RSA C. AES D. SHA-2

B is correct. RSA (Rivest-Shamir-Adleman) is the most common public-private key generation algorithm used in public key cryptography. It is used to generate a public and private key pair. A, C, and D are incorrect. Elliptic Curve Diffie-Hellman (ECDH) is a key exchange protocol used in public key cryptography. It is used to negotiate, agree upon, and establish a secure session between two parties. AES is the Advanced Encryption Standard, which is not used in public key cryptography; it is a symmetric key cryptography algorithm. SHA-2 is the second iteration of the Secure Hashing Algorithm and is used to generate message digests for plaintext. It is not used in public key cryptography to exchange keys or establish secure sessions.

Which of the following is the best description of risk? A. The cost associated with a realized risk. B. The chance of something not working as planned. C. Damage that is the result of unmitigated risk. D. The level of concern one places for the well-being of people.

B is correct. Risk is the chance of something not working as planned. A is incorrect because the cost associated with a realized risk is impact. C is incorrect because the result of unmitigated risk is damage. D is incorrect because the level of concern one places for the well-being of people is safety.

You are configuring an enterprise wireless router. A wizard enables you to select user accounts from Microsoft Active Directory that should have administrative access to the wireless router. What type of security model is this? A. DAC B. RBAC C. MAC D. Least privilege

B is correct. Role-based access control (RBAC) assigned users to roles, thus granting them access to perform certain tasks such as wireless router administration. A, C, and D are incorrect. Discretionary access control (DAC) enables a resource owner (such as a file owner) to grant others access to that resource at her discretion. Operating system control of security allowances in accordance with company policies is referred to as mandatory access control (MAC). Least privilege ensures that users have only the rights needed to do their jobs.

Which of the following is centralized security based on typical job types? A. MAC B. RBAC C. Realm-based D. DAC

B is correct. Role-based access control (RBAC) grants access based on the type of work the user is granted. A is incorrect because mandatory access control (MAC) is based on data, not job types. C is incorrect because it is not based on job types. D is incorrect because discretionary access control (DAC) is based on data, not job types.

Which of the following access control models is best suited to ensure that access control is based on a user's job requirements and not on each individual user account? A. Rule-based access control B. Role-based access control C. Discretionary access control D. Mandatory access control

B is correct. Role-based access control allows access to be based on the role the user holds within an organization. Instead of giving access to individual users, you grant access control to groups of users who perform a common function. A, C, and D are incorrect. Rule-based access control requires complex access control list configurations for applications not necessarily specific to a user. Discretionary and mandatory access control methods use more strict methods of access permissions based on each individual user account.

Which of the following algorithms produces a 160-bit hash? A. MD5 B. SHA-1 C. AES D. RSA

B is correct. SHA-1 (Secure Hashing Algorithm 1) produces a 160-bit hash. A, C, and D are incorrect. MD5 (Message Digest version 5) produces a 128-bit hash. AES and RSA are not hashing algorithms, but are symmetric and asymmetric encryption algorithms, respectively.

As the network administrator, you are setting up a method to remotely access a management server from your home office for after-hours support. Which of the following remote access methods would provide the most security? A. Telnet B. SSH C. Modem dial-up D. Web application

B is correct. Secure Shell (SSH) provides an encrypted remote access channel to a host system. A, C, and D are incorrect. None of these methods provides encrypted remote access. A web management application can use HTTPS as a protocol, but allowing any web application access to the outside world for a critical management console is dangerous.

Your SMTP mail server does not currently encrypt transferred messages. You are reading the mail server platform documentation to determine how to encrypt transferred mail. Which topic should you search for? A. SRTP B. S/MIME C. LDAPS D. FTPS

B is correct. Secure/Multipurpose Internet Mail Extensions (S/MIME) can be used to sign and encrypt messages. A, C, and D are incorrect. The Secure Real-Time Transfer Protocol (SRTP) provides encryption, integrity, and message authentication for RTP applications such as those related to Voice over IP (VoIP). Lightweight Directory Access Protocol Secure (LDAPS) uses a certificate to secure LDAP communication and uses TCP port 636 instead of 389. File Transfer Protocol Secure (FTPS) adds security to FTP using SSL/TLS.

You have been tasked with implementing a single sign-on capability between systems in the cloud. Several of your services support identity providers. Which of the following is the best solution? A. Secure token B. SAML C. RADIUS D. TACACS+

B is correct. Security Assertion Markup Language (SAML) is a single sign-on capability used for web applications to ensure user identities can be shared and are protected. It defines standards for exchanging authentication and authorization data between security domains. SAML is becoming increasingly important with cloud-based solutions and with Software-as-a-Service (SaaS) applications, as it ensures interoperability across identity providers (IdPs). A is a token-based solution that is not associated with identity providers. C and D are AAA schemes that are not associated with identity providers.

Chandra is a software developer. She has just completed a web application for a hardened e-commerce web site. What should be done before the application goes live? A. Testing the PKI code in the web application B. Security fuzzing C. Patching the web server D. Pinging the web site to ensure it is functional

B is correct. Security fuzzing is a process by which sample data is passed to the application to test its security and functionality. A, C, and D are incorrect. PKI is a function of the web server, not the web application. Patching is not required; the question states the web server is already hardened. Pinging the web site is relevant only when testing connectivity, not the actual application itself. Tracert takes Ping a step further by ensuring that all routers along the communication path respond.

Your small company has quickly grown into a mid-size company of approximately 200 users. You currently have assigned separate usernames and passwords for three different servers utilized by your users, but you will be adding several more servers to scale with your increased number of users. Which of the following authentication methods would be the most efficient to implement? A. Two-factor authentication B. Single sign-on to a directory server C. Three-factor authentication D. Group password policies

B is correct. Single sign-on means that users need to log in only once to access any resources they are authorized for on the network. A directory service such as LDAP provides the central database for their credentials instead of having separate usernames and passwords for each resource. A, C, and D are incorrect. Two- and three-factor authentication methods add steps to the login process and still require separate logins for each resource, whereas a password policy has no bearing on the authentication method used.

Gretchen uses her laptop to connect to many different web sites to download free software. Over time, her laptop slows down to the point where it is unusable. You verify that she has plenty of free hard disk space. What do you suspect is causing the slowdown? A. The disk is fragmented. B. Spyware is installed. C. The disk is storing too many web browser cookies. D. A rootkit is present.

B is correct. Spyware can be installed covertly when you install free software. The spyware then monitors your computer activity and may inventory what type of files or software you have installed. All of this can take a toll on performance over time. A, C, and D are incorrect. Disk fragmentation is not nearly as likely as spyware to slow down a system. Fragmentation occurs when data is copied to and deleted from disks. Empty disk space is used for new file blocks first, and then the oldest deleted file entries are overwritten, thus causing fragmentation. Defragmenting a hard disk attempts to put data blocks in adjacent sectors (ideally on the same cylinder when possible) to speed up file access. Web site cookies store information or preferences about the user accessing that web site, but this is not the cause of the problem, since there is plenty of disk space free. Rootkits give administrative access to a system while hiding their presence. This does not imply the system would slow down; answer B is more accurate.

Marcel, a security specialist, configures a network appliance to detect and impede suspicious network activity. What has Marcel configured? A. Signature-based NIDS B. Anomaly-based NIPS C. Signature-based NIPS D. Anomaly-based NIDS

B is correct. Suspicious network activity does not resemble a normal baseline of activity. This network deviation is referred to as an anomaly. NIPSs (network intrusion prevention systems) analyze suspicious activity and can be configured to prevent the activity from continuing. A, C, and D are incorrect. A signature-based analysis compares network activity against known existing network attacks, whereas anomaly-based analysis compares network activity against a known normal baseline, which is unique for each network. It is important to note that NIDSs (network intrusion detection systems) detect and report suspicious activity, but they do nothing to prevent it from continuing.

Which device, when implemented with VLANs, can help reduce both collision and broadcast domains? A. Router B. Switch C. Bridge D. Hub

B is correct. Switches natively help reduce collision domains and, when VLANs are implemented on them, help reduce broadcast domains. A, C, and D are incorrect. Routers can help reduce or eliminate broadcast domains, and bridges can help reduce collision domains, but neither of these devices use VLANs. Hubs do not reduce collision or broadcast domains.

What is the security term for disabling unnecessary services on a system and uninstalling unnecessary software? A. System reduction B. System hardening C. Network hardening D. Application restriction

B is correct. System hardening involves disabling unnecessary services and protocols on a host, as well as uninstalling software that is not needed. A, C, and D are incorrect. These are nonexistent terms used as distractors.

You have been asked to install a series of intrusion prevention network appliances. What type of security control is this? A. Management B. Technical C. Physical D. Operational

B is correct. Technical security controls affect access to resources on the network. A, C, and D are incorrect. Management controls are written policies. Physical controls, such as fences, control physical access to a facility. Operational controls, such as data backups, relate to the day-to-day successful operation of the business.

Which Windows account lockout policy setting allows the number of failed logon attempts to be zero after a specified duration? A. Account lockout duration B. Reset account lockout counter after C. Account lockout threshold D. Account expiration

B is correct. The "Reset account lockout counter after" policy setting specifies a duration after which the number of failed logon attempts will be reset to zero. A, C, and D are incorrect. "Account lockout duration" specifies how long to lock the account. The "Account lockout threshold" specifies how many failed logons can occur before the account is locked. "Account expiration" determines when the account will expire and not be usable, but is not part of the Windows account policy settings.

Which standard requires PKI computer authentication before allowing network access? A. SSL B. 802.1x C. TLS D. AES

B is correct. The 802.1x standard is used first to authenticate connecting computers using PKI (Public Key Infrastructure) certificates before allowing network access. Ethernet switches, wireless routers, and VPN concentrators are examples of devices that can forward 802.1x authentication requests to an authentication server. A, C, and D are incorrect. SSL (Secure Sockets Layer) is application-specific transmission encryption and requires at least one PKI certificate, but it does not control access to a network. TLS (Transport Layer Security) supersedes SSL and is considered more secure. AES (Advanced Encryption Standard) is a symmetric key encryption standard used to secure communication, but it does not control network access.

In which order should the following items be conducted? A. Risk analysis, ALE, business impact analysis B. ALE, risk analysis, business impact analysis C. Business impact analysis, ALE, risk analysis D. ALE, business analysis, risk analysis

B is correct. The ALE is a dollar figure used in quantitative risk analysis to prioritize risks; therefore, it cannot be calculated after a risk analysis. The business impact analysis can occur only after risks have been identified. A, C, and D are incorrect. There are dependencies that must be completed before the next item.

What size is the initialization vector (IV) for the Temporal Key Integrity Protocol (TKIP), used in the WPA standard? A. 24-bit B. 48-bit C. 64-bit D. 128-bit

B is correct. The IV size for TKIP is 48-bit. A, C, and D are incorrect. The only valid IV size for TKIP is 48-bit.

Which of the following methodologies is built around a 30-day release cycle? A. Waterfall B. Scrum C. Agile D. Extreme Programming (XP)

B is correct. The Scrum programming methodology is built around a 30-day release cycle. A is a development model based on simple manufacturing design. The work process begins with the requirements analysis phase and progresses through a series of four more phases, with each phase being completed before progressing to the next phase—without overlap. C is not a single development methodology, but a whole group of related methods. Designed to increase innovation and efficiency of small programming teams, Agile methods rely on quick turns involving small increases in functionality. D is a structured process that is built around user stories. These stories are used to architect requirements in an iterative process that uses acceptance testing to create incremental advances.

You are hardening all the network servers in your environment to make sure each server is running only the minimum services required for its task. Which of the following network services would you disable on your public web server? A. HTTP B. Telnet C. HTTPS D. TCP/IP

B is correct. The Telnet service provides remote access and should be disabled on this web server to prevent hackers from connecting to it. A, C, and D are incorrect. HTTP and HTTPS are required web services, whereas TCP/IP is the entire protocol stack used by all Internet network devices.

Sara, the IT manager within your organization, wants to place a VPN concentrator on the network to accept VPN traffic from clients on the Internet. Where should she place the VPN concentrator? A. Private network B. DMZ C. Public network D. Internet

B is correct. The VPN concentrator should be placed in the DMZ, with ports on the external firewall allowing VPN traffic to pass through it. A, C, and D are incorrect. The VPN concentrator should not be placed on the private network, public network, or Internet.

You are creating a business continuity and disaster recovery plan for your organization. Which of the following aspects of your plan examines your most critical business functions and how they will be affected during a disaster? A. Risk analysis B. Business impact analysis C. Contingency plan D. Escalation plan

B is correct. The business impact analysis will examine the loss of revenue, legal obligations, and customer service interruption that can arise as the result of a disaster. A, C, and D are incorrect. A risk analysis identifies specific aspects of your business operations that are vulnerable to specific types of risks. A contingency plan establishes the procedures that can quickly recover critical systems after a service disruption, and it defines and prioritizes specific tasks to aid in the recovery process. An escalation plan identifies which people to notify to escalate issues during a disaster.

Which of the following is the simplest form of disaster recovery exercise? A. Tabletop exercise B. Documentation review C. Full-scale test D. Walkthrough test

B is correct. The documentation review is the simplest form of test. In this type of test, the business continuity plan, disaster recovery plan, and associated documents are reviewed by relevant personnel including managers, recovery team members, and anyone else who may have responsibilities directly affecting plans. A, C, and D are incorrect. A tabletop exercise is a type of group review. In a full-scale test, all personnel are usually involved and may actually conduct activities as they would during a real incident. This type of test is more complex and normally requires extensive resources, such as people and equipment, so it is typically conducted infrequently. In a walkthrough test, team members go through the motions of fulfilling the responsibilities and conducting the activities required during an incident or disaster.

A digital certificate may contain all of the following pieces of information EXCEPT: A. Public key of the subject B. Private key of the issuer C. Serial number D. Algorithm

B is correct. The issuer's private key is used to digitally sign the certificate, assuring authenticity, but is not included in the certificate itself, as this would compromise the key. A, C, and D are incorrect. All of these pieces of information may be found in a digital certificate.

Which of the following daemons is used in Linux to assist in auditing security events? A. inetd B. syslogd C. named D. crond

B is correct. The syslog daemon (syslogd) works with the auditing daemon (auditd) to provide system and security event logging in Linux and Unix systems. A, C, and D are incorrect. These daemons are not used for auditing. The inetd daemon is used to control access to network services. The named daemon is used to manage the DNS service, and the crond daemon manages scheduled tasks.

While using the new corporate intranet employee site, you learn that entering a telephone number area code without parentheses causes the application to hang. Which secure coding guideline did the developers not adhere to? A. Least privilege B. Input validation C. Debugging D. SSL

B is correct. The telephone field should validate entered data to ensure it is correct and will not cause problems, just as software error conditions should be trapped properly to prevent a crash or sensitive information disclosure. A, C, and D are incorrect. They would not prevent the stated problem.

You find that you can unlock a friend's phone by placing your finger on the fingerprint scanner. This is an example of what in biometrics? A. False negative B. False positive C. False rejection rate D. Identity failure

B is correct. This is an example of a false positive, which occurs when a biometric is scanned and allows access to someone who is not authorized. A, C, and D are incorrect. A false negative would be your phone not letting you in with your fingerprint. An example of a false rejection rate would be your finger not working 20 percent of the time on your phone, when it should. Identity failure is a distractor.

What constitutes a reasonable password lockout policy? A. After 1 failure B. After 3 failures C. After 5 failures in 24 hours D. After 10 failures

B is correct. Three attempts allows a reasonable error rate and balances risk. A, C, and D are incorrect. Locking after a single failure will introduce too many locks requiring resets. Ten tries is a large number, larger than necessary.

Which of the following account security measures can protect against brute-force attacks on a backup administrator account? A. Set an account expiry date. B. Lock the account to disallow use. C. Set the maximum password length. D. Use your primary administrator account instead.

B is correct. To best protect this account, you should lock it so it cannot be used. A, C, and D are incorrect. A is incorrect because setting an expiry data will not prevent attacks against the account. C is incorrect because this will not prevent attacks against the account, and it is a best practice for security to increase the minimum length of password, not the maximum. D is incorrect because the primary administrator account should not be used for secondary role purposes that do not require full admin permissions.

To help secure production web servers, sample files should be: A. Set to read-only but left in place B. Removed from production servers C. Set to read-write and left in place D. Moved to a folder called /samples

B is correct. To help secure production web servers, sample files should be removed from all production servers. A, C, and D allow unneeded information to reside on production servers.

You are developing a web-based software application that utilizes user ID and password authentication mechanisms. Which of the following methods can you use to prevent session cookie hijacking where an unauthorized user can use a session cookie from another authenticated user to access the application? A. Refresh the web browser page after login. B. Regenerate session keys and IDs after a successful login. C. Disable cookies in the web browser. D. Disable cross-site scripting.

B is correct. To protect again session hijacking, web applications should regenerate session keys and IDs after a successful login so that a secondary attempt to use the same session credentials from a hijacked cookie will not work. A, C, and D are incorrect. Refreshing the web browser page will not stop session cookie hijacking. Disabling cookies will prevent the application from working properly. Cross-site scripting is a type of application attack and not a web browser setting.

A retail sales clerk does not have authorization to maintain related bookkeeping records for accounting purposes. Which security principle does this apply to? A. Due diligence B. Separation of duties C. Least privilege D. Job rotation

B is correct. To reduce the possibility of fraud, no single business task and its bookkeeping should be performed by a single person. A, C, and D are incorrect. These do not involve separating business tasks. Due diligence involves analyzing documentation prior to committing to a business or legal relationship. Least privilege ensures employees have only the rights needed to perform their job duties. Job rotation exposes employees to different facets of the business.

What is the purpose of the TLS protocol? A. It allows the enumeration and monitoring of network resources. B. It provides encryption for transport layer protocols across networks. C. It leverages encryption protections of SSH to secure FTP transfers. D. It enables origin authentication, authenticated denial of existence, and data integrity.

B is correct. Transport Layer Security (TLS) is the replacement for SSL, and can be used for more than just HTTPS. It can be used for encrypting TCP-based communications. A describes SNMP, and C and D are encryption tasks beyond that of just TLS.

Twofish was designed to replace which algorithm? A. Blowfish B. DES C. MD5 D. AES

B is correct. Twofish was a candidate to replace the Data Encryption Standard (DES) as part of the NIST Advanced Encryption Standard (AES) competition. A is a distractor. C is a hashing algorithm, not an encryption algorithm. D is the resultant Advanced Encryption Standard that Twofish was competing to become.

Which of the following algorithms was one of the five finalists for the U.S. government-sponsored competition to become the Advanced Encryption Standard (AES) competition, but did not win? A. Blowfish B. Twofish C. Rijindael D. RC4

B is correct. Twofish, a symmetric algorithm, was one of the five finalists for the competition, but it did not win. A, C, and D are incorrect. Rijindael was selected as the winner of the NIST competition and became the U.S. government's Advanced Encryption Standard (AES). Blowfish is also a symmetric algorithm, but it was not considered in the competition to be the AES. RC4 is a symmetric streaming cipher commonly seen in WEP and SSL implementations. It was not one of the finalists involved in the AES competition.

You are installing a VPN remote access solution for your users so that they can connect to the network from home or while traveling. Which of the following services can you use to provide centralized authentication so that your users do not require separate credentials for the VPN? A. Local username and password B. LDAP server C. Security token D. Call-back security

B is correct. Users only need to log in once through the VPN to access any resources they are authorized for on the network. A directory service such as LDAP provides the central database for their credentials instead of having separate usernames and passwords for each resource. A, C, and D are incorrect. None of these services provides a centralized authentication method.

You currently remotely administer your routers and switches using authenticated and encrypted HTTPS connections with a web browser. Which of the following security measures provides additional security for your remote access connection? A. Connect only from a firewall DMZ. B. Use IP address filtering. C. Enable NAT. D. Enable VLANs.

B is correct. Using IP address filtering, you ensure that remote administration connections to the routers and switches can only originate from the IP address you specify, which is typically your own management workstation. A, C, and D are incorrect. A is incorrect because connecting from a firewall DMZ does not offer any additional security benefits. C is incorrect because NAT is used to share public IP addresses with several internal private IP addresses. D is incorrect because VLANs are used to create virtual networks and do not provide additional security for your remote connection.

You have set up a special dial-in modem for your own purposes so that you can call from home to access a remote management server. Which of the following authentication services would provide the strongest security to identify you? A. Username and password on a dial-up modem B. Call-back authentication C. Single sign-on domain login D. Username and password on the management console

B is correct. Using call-back authentication, the modem will automatically dial back the number you've programmed as your home number. This ensures that no connection is allowed from a different number than your own. A, C, and D are incorrect. A hacker who finds your dial-up modem number can attempt to hack your login through brute-force or social engineering methods. Single sign-on domain logins and access to the management console are not valid in this scenario.

Which of the following security protections can you enable on your networking equipment to isolate routing issues? A. VLANs B. Loop protection C. MAC address filtering D. Firewall zones

B is correct. Using loop protection, a network device can detect loops where network packets are not being routed properly to their destination. The device can isolate the network segment where the looping is occurring to prevent excessive broadcasting to other networks. A, C, and D are incorrect. Using VLANs, MAC address filtering, and firewall zones will not prevent network looping issues.

Which of the following technologies would allow you to create communication boundaries by dividing your network into different broadcast domains without using multiple routers? A. Security zones B. VLANs C. Mutual authentication D. Firewalls

B is correct. Virtual LANs (VLANs) are used to segment hosts into logical networks and to create secure communication boundaries between them. VLANs are implemented on switches. A, C, and D are incorrect. Security zones such as extranets and DMZs are used to segregate networks to protect private networks from public ones such as the Internet. Mutual authentication requires that two hosts such as a client and server both confirm each other's identity. Firewalls are used to filter types of network traffic, but are typically not used to segregate networks into different broadcast domains.

Your manager has read a lot about server virtualization and is wondering if there are any security benefits to using server virtualization. How would you respond? A. Larger hardware footprint B. Fewer systems to physically secure C. Decentralized server security D. More work required to harden systems

B is correct. Virtualization results in fewer physical systems (and less hardware) that must be secured. A, C, and D are incorrect. None of these choices offer any benefits, security or otherwise, of virtualization.

The corporate acceptable use policy states that use of social networking web sites during work hours is forbidden. What type of device can enforce this policy? A. Network firewall B. Web application firewall C. NAT D. Social network firewall

B is correct. Web application firewalls can filter network access by specific web site addresses. A, C, and D are incorrect. Network firewalls can filter by IP and TCP/UDP port address among other variables, but they cannot filter out specific URLs. NAT does not examine packet content; it modifies IP address and TCP/UDP port data in packets to allow access to external networks using only a single public IP address. There is no such thing as a social network firewall.

Which type of certificate can be used for different host names in the same DNS subdomain? A. Domain validation B. Wildcard C. Extended validation D. SAN

B is correct. Wildcard certificates remove the need for individual PKI certificates for each host name. A, C, and D are incorrect. Domain validation ensures that an applicant's name matches the owner name for a DNS domain with a DNS registrar. Extended validation checks additional details such as business name and address. Subject Alternative Name (SAN) is used to protect multiple different DNS domains using a single certificate.

Which of the following security mitigation techniques is most useful for preventing zero-day attacks from malware, spyware, and viruses against your users? A. Antivirus software B. Awareness training C. Firewall D. Logging and auditing

B is correct. With awareness training, users can recognize the signs of suspicious messages, viruses, malware, and phishing links that should be brought to the attention of the administrator before they spread through the company's network. A, C, and D are incorrect. Antivirus software is not able to detect new viruses that do not have a pattern or signature defined. A firewall cannot block all threats, especially application-based malware threats, from the users. Logging and regularly auditing the logs is not a preventive measure for zero-day threats.

Which of the following types of key management and storage provides the greatest security and scalable management? A. Local storage B. Centralized key storage C. Decentralized key storage D. Third-party key escrow

B is correct. With centralized key storage, you use a central server or a third-party server to administer and manage your encryption keys. This provides the advantage of security, integrity, manageability, and scalability for a large number of users. A, C, and D are incorrect. Local or decentralized storage means that yourself or the customer will be responsible for key management and security. The disadvantages of decentralized storage are that security is much weaker and does not scale well for a large number of users. A key escrow company is a third-party that holds a special third key on top of the private and public key pair. The third key can be used to unlock the encrypted copy of the private key in case of loss or the theft of the original key.

An exported NFS folder named Toronto on a Linux system has the following permissions set: rwx - owner - root r-x - group - accounting The parent folder restricts access to only the root account. The root account is a member of the accounting group. User Sean is not given access to the root account, nor is he a member of the accounting group. Which of the following statements is true? A. Sean is explicitly denied access to the Toronto folder. B. Sean is implicitly denied access to the Toronto folder. C. The root account is implicitly allowed access to the Toronto folder. D. The root account has r-x to the Toronto folder.

B is correct. With implicit denial, the end result is that a subject is denied through indirect association. This applies not only to file system security but also firewall rule sets. Only user root has access to the parent folder; everybody else is implicitly denied access, including Sean. A, C, and D are incorrect. Sean is implicitly denied access, not explicitly denied. The root account (owner) is explicitly, not implicitly, granted rwx (read, write, execute) permissions to the Toronto folder, not r-x (read and execute) permissions.

You have discovered that many of your users have modified the default configuration of their web browser to bypass certain security measures, including bypassing the organization's web proxy and weakening the security configuration on downloadable JavaScript and ActiveX controls. Which of the following security measures should you implement? A. Use a caching web proxy. B. Apply a baseline policy and lock the web browser configuration. C. Use poisoned host files. D. Use a web content filter.

B is correct. You can create a secure, baseline configuration for the web browser and apply it as a policy that cannot be modified by the users. A, C, and D are incorrect. A is incorrect because a caching web proxy is used for efficient retrieval of commonly downloaded web content. C is incorrect because poisoning host files causes users to be misdirected to the wrong web domains. D is incorrect because a web content filter can only scan and filter downloaded content and does not affect the web browser configuration.

You have noticed a severe degradation in the spam capture rate of your anti-spam filter, and many spam messages seem to evade security controls and are passed to your users' inboxes. Which of the following issues could be the problem? A. Operating system requiring new software updates B. Spam mail accidently trained as legitimate mail C. Outbound content filter not configured properly D. Poisoned DNS server

B is correct. Your anti-spam filter is constantly training on spam and legitimate e-mail messages, and at some point, the training database was corrupted by spam that was trained as trusted, legitimate mail. A, C, and D are incorrect. Operating system updates, outbound content filtering, and DNS poisoning will not result in spam messages bypassing spam filters.

You have thoroughly researched and documented a disaster recovery plan for your organization. What should you do next as part of your business continuity and disaster recovery planning? A. Store the plan in a locked safe. B. Test your plan. C. Create offsite copies of the plan. D. Have the plan approved by the CEO of the company.

B is correct. Your disaster recovery plan must be tested to ensure that it properly meets your business continuity objectives during a real-life scenario. After testing your plan, you can revise it based on your testing results. A, C, and D are incorrect. The plan needs to be tested before you securely store it or create backup copies of it. Having the CEO approve the plan is the last step, after it's properly vetted and tested.

Which of the following are examples of defense-in-depth strategies? (Choose all that apply.) A. Following instructions in vendor-specific security guides B. Vendor diversity C. User training D. Control diversity using administrative and technical controls

B, C, and D are all correct. Vendor diversity involves using multiple vendors for each essential system component, so a failure in one does not cause complete failure. User training provides another security layer for multiple processes. Should an attacker be able to bypass one security measure, one of the overlapping controls can still catch and block the intrusion. Having overlapping controls from technical and administrative groups provides layers of defense. A provides the setup for the device, a single set of protections; the question is looking for multiple overlapping levels for defense in depth.

Which of the following types of governance are developed externally? (Choose all that apply.) A. Organizational governance B. Statutory governance C. Industry governance D. Vendor governance

B, C, and D are correct. All of these types of governance are developed externally and can encompass any number of laws, regulations, and best practices. A is incorrect. Organizational governance is developed internally and consists of policies, procedures, standards, and guidelines.

A Linux firewall administrator creates a rule allowing inbound packets from 148.34.99.17 destined for TCP port 22 on 206.2.4.45. Which of the following statements regarding this firewall rule are true? (Choose three.) A. The rule applies to layer 6 of the OSI model. B. The rule allows SSH administration of 206.2.4.45. C. Successful connections from 148.34.99.17 to 206.2.4.45 will be encrypted. D. The rule applies to layer 4 of the OSI model.

B, C, and D are correct. SSH uses TCP port 22 to allow encrypted connections for remote administration. Layer 4 (Transport) of the OSI model is concerned with port addresses. A is incorrect. The firewall access control list (ACL) rule does not apply to layer 6 (Presentation) of the OSI model. This layer is concerned with how data is presented (for example, between different character sets) to the next highest layer, layer 7 (Application).

Which of the following are examples of spyware? (Choose three.) A. Flooding a host with network traffic B. Gathering entered user keystrokes C. Manipulating search engine results D. Changing the web browser home page E. Broadcasting ARP cache updates to network hosts

B, C, and D are correct. Spyware can capture all entered keystrokes and send them to interested parties; search results can be manipulated to trick users into clicking links to certain advertisements, for example; and the web browser home page be changed, thus forcing the user to view a web page when she starts her web browser. In some cases, the home page cannot be easily changed. A and E are incorrect. Intentional network traffic flooding is considered a DoS (denial of service) attack denying legitimate access to a service, but this would not be spyware. Traffic floods can be mitigated with a flood guard, which comes in the form of a separate appliance or could be built into a network switch. ARP cache updates might indicate an ARP poisoning attack and might be discovered using the arp command to view the ARP cache, but this is not related to spyware.

Which Windows account lockout policy setting allows the number of failed logon attempts to be zero after a specified duration? A. Account lockout duration B. Reset account lockout counter after C. Account lockout threshold D. Account expiration

B. B is correct. The "Reset account lockout counter after" policy setting specifies a duration after which the number of failed logon attempts will be reset to zero. A, C, and D are incorrect. "Account lockout duration" specifies how long to lock the account. The "Account lockout threshold" specifies how many failed logons can occur before the account is locked. "Account expiration" determines when the account will expire and not be usable, but is not part of the Windows account policy settings.

A retail sales clerk does not have authorization to maintain related bookkeeping records for accounting purposes. Which security principle does this apply to? A. Due diligence B. Separation of duties C. Least privilege D. Job rotation

B. B is correct. To reduce the possibility of fraud, no single business task and its bookkeeping should be performed by a single person. A, C, and D are incorrect. These do not involve separating business tasks. Due diligence involves analyzing documentation prior to committing to a business or legal relationship. Least privilege ensures employees have only the rights needed to perform their job duties. Job rotation exposes employees to different facets of the business.

Which of the following is considered the best strategy for managing users with regard to security groups? A. Assign individual permissions to both user accounts and groups. B. Place the user accounts into groups, and then assign the groups the permissions to the resource. C. Assign only administrative users to groups. D. Place users who are denied access to certain resources into security groups.

B. B is correct. User accounts should be placed in security groups, which are then assigned permissions. This reduces the number of times you have to assign permissions, by assigning permissions only to one group versus many individual users. A, C, and D are incorrect. These are all poor security strategies with regard to assigning users, groups, and permissions.

Which of the following statements are correct with regard to the concepts of fail-secure and fail-safe? (Choose two.) A. A fail-secure device responds by not doing anything to cause harm when the failure occurs. B. A fail-safe device responds by making sure the device is using a secure state when a failure occurs. C. A fail-safe device responds by not doing anything to cause harm when the failure occurs. D. A fail-secure device responds by making sure the device is using a secure state when a failure occurs.

C and D are correct. A fail-safe device responds by not doing anything to cause harm when the failure occurs. A fail-secure device responds by making sure the device is using a secure state when a failure occurs. A and B are incorrect. A is the definition of fail-safe, and B is the definition of fail-secure, not the other way around.

Which of the following describes a false acceptance rate? (Choose two.) A. The error caused from rejecting someone who is in fact an authorized user B. Type I error C. The error caused when an unauthorized user is validated as authorized D. Type II error

C and D are correct. A false acceptance rate (FAR) is the error caused when an unauthorized user is validated as authorized; it is also referred to as a Type II error. A and B are incorrect. A false reject rate (FRR) is the error caused from rejecting an authorized user; it is also called a Type I error.

Which of the following is a cryptographic representation of text, but not the text itself? (Choose two.) A. Plaintext B. Ciphertext C. Hash D. Message digest

C and D are correct. A hash or message digest is a cryptographic representation of variable length text, but it is not the text itself. A and B are incorrect. Plaintext is unencrypted text. Ciphertext is a result of the encryption process and is encrypted text.

Which of the following are methods to implement 802.1X? (Choose two.) A. EAP-RC2 B. EAP-MD5 C. EAP-TTLS D. EAP-TLS

C and D are correct. Both are used in 802.1X. C is the use of tunneling and TLS together, while D is just TLS used alone. A and B are incorrect because RC2 is not a valid crypto scheme for 802.1X, and MD5 is used to hash, not to encrypt.

Which of the following tools should every security team have and use to monitor and administer the local network? (Choose all that apply.) A. Steganography tools B. Data sanitization tools C. Vulnerability scanner D. Backup utilities

C and D are correct. Vulnerability scanners and backup utilities directly address issues that would have resilience implications. A and B are distractors. Steganography tools are only useful when steganography is deployed, which is not a regular network issue. Data sanitization tools work to sanitize data, and do not impact normal operations.

Rebecca is the systems administrator for a small accounting firm and would like to ensure that wireless guests cannot access the company file servers. Her company has purchased a single router/switch/access point. What should she do to achieve these security goals? (Choose two.) A. Deny file server traffic on the WAN port B. Disable the file server ports C. Create a VLAN for the file servers D. Set the WPA2 key to a new value E. Configure an ACL on the router to allow access to the file server VLAN

C and E are correct. To control communication, you can place the servers in their own VLAN, which restricts communication by default. Then create an ACL on the router to allow authorized systems to communicate with the file server VLAN. A, B, and D are incorrect. Disabling file server traffic on the WAN port has nothing to do with the scenario and is incorrect because your goal is to control communication between the wireless guest and company file servers (the scenario does not deal with Internet WAN traffic). You cannot disable the ports the file servers are connected to because that will prevent everyone from being able to communicate with them. Changing the WPA2 key not help separate wireless guest traffic from the company file servers.

You are trying to determine the appropriate level of high availability for a server. The server must be available on a constant basis, and downtime in a given year cannot exceed 1 hour. It normally takes you about 45 minutes to bring down and restart the server for maintenance. Which of the following reflects the level of availability you require? A. 99.999 percent availability B. 99.9 percent availability C. 99.99 percent availability D. 99 percent availability

C is correct. 99.99 percent availability accounts for 52 minutes of downtime per year. A, B, and D are incorrect. 99.999 percent availability allows only 5.26 minutes of downtime per year, which may not be enough if the server requires almost an hour of maintenance time. 99.9 percent availability equates to more than 8 hours of downtime per year and exceeds the stated requirement. 99 percent availability is more than 3 days of downtime per year, far exceeding the requirement for no more than 1 hour of downtime.

Which of the following network devices provides centralized authentication services for secure remote access connections? A. Router B. Firewall C. VPN concentrator D. Proxy server

C is correct. A VPN concentrator serves as a centralized authentication point for virtual private network connections. A, B, and D are incorrect. None of these devices are used to provide centralized authentication services for secure remote access connections.

Which type of virus attacks the first sector on the disk that contains operating system loader code and overwrites that code? A. Executable B. Macro C. Boot sector D. Worm

C is correct. A boot sector virus is a harmful virus that attacks the boot sector code and overwrites it. The boot sector is the first sector on the disk and contains operating system loader code that starts the boot sequence. When a boot sector virus overwrites this sector, it prevents the system from booting from the infected disk. A, B, and D are incorrect. An executable virus is attached to an executable file, but is not activated until the file is run. A macro virus is written using a macro language that performs a malicious action such as deleting files or e-mailing everyone in your address book. The macro is usually created in a file and then triggered automatically when someone opens the file. A worm virus is able to replicate itself without needing a user to activate the virus and does not typically attack the boot sector of a disk.

Which type of study reveals the effect threats could have on the operation of a government agency? A. Risk analysis B. Incident response C. Business impact analysis D. Security audit

C is correct. A business impact analysis identifies how personnel, data systems, clients, and revenue will be affected if a threat occurs. A, B, and D are incorrect. Risk analysis is conducted before a business impact analysis; otherwise, the threats would not yet have been identified. Incident response defines what is to be done when a threat occurs, but it does not specify how regular business operations are affected. Security audits identify vulnerabilities and policy noncompliance.

All of the following are facility concerns when choosing a business location EXCEPT: A. Crime rate B. History of natural disasters in the area C. Business market D. Response time of emergency services

C is correct. A business market in the area may affect sales and profitability, but is not a specific environmental or facility-related concern. A, B, and D are incorrect. All of these are considerations when selecting a location for the business, as all of them could affect business continuity, disaster recovery, power and utilities, human-made threats, and so forth.

Which term describes a site with the basic environmental controls necessary to operate but few of the computing components necessary for processing, thus requiring possibly weeks to become operational? A. Recovery site B. DR site C. Cold site D. Warm site

C is correct. A cold site can take weeks to come online. A is the generic term encompassing cold, warm, and hot sites. B is a nontechnical, generic term with no specific meaning in the context of software security. D can take up to days to come online.

You have a high-security workstation that is used to monitor and manage the security systems and video surveillance for your entire facility. Which of the following security applications can you use to detect unauthorized access on this workstation? A. Anti-malware application B. Host-based firewall C. Host-based intrusion detection system D. Auditing application

C is correct. A host-based intrusion detection system (HIDS) monitors a specific host for suspicious behavior that could indicate someone is trying to break into the system. A, B, and D are incorrect. An anti-malware application only searches for malware on the host and doesn't detect intrusions and unauthorized users. A host-based firewall will not detect unauthorized intrusions physically accessing the management console, and an auditing application will only audit the logs and not actively detect immediate intrusions.

Password policies typically do not include which of the following? A. Password history B. Password strength rules C. Minimum password age D. Account disablement

C is correct. A minimum password age can cause issues if a password requires resetting. A, B, and D are important elements in a password policy.

As part of your quality assurance testing cycle, which of the following tools should you run to try to discover open services and ports on the system that are not required and could be exploited? A. Running the database server on a firewall DMZ B. SNMP monitoring C. Network mapper D. Protocol analyzer

C is correct. A network mapper utility scans a network or system and uses network IP packets to determine if hosts are available, what operating systems are running, and other types of information about a network host, including running services and open ports. A, B, and D are incorrect. Even though the server is behind the firewall, unless specific ports are blocked by the firewall, the open ports can still be exploited. SNMP provides information on hardware and application statistics and will not provide enough information on running services and open ports. A protocol analyzer can only monitor network traffic data and cannot identify open ports on a system.

You have discovered that many of your users have been downloading screensavers and other types of add-on software to their computers, much of which contains pop-up ads. Which of the following security tools can help mitigate security issues with a user's private data being transmitted outside of the network through adware? A. Caching proxy server B. Antivirus scanning C. Personal firewall monitoring outgoing connections D. Web authentication

C is correct. A personal firewall monitors all inbound and outbound connections and can notify the user when an application is trying to create an outbound connection. A, B, and D are incorrect. A caching proxy is used for saving web data locally for more efficient retrieval by clients. Many types of adware are not considered viruses or spyware. Web browser authentication will not prevent adware from transmitting data from a computer that is already authenticated by a user.

An individual or group of individuals within the organization who can decrypt information in the event of a termination or loss of keys is usually a(n): A. Administrator B. Manager C. Recovery agent D. Law enforcement officer

C is correct. A recovery agent is usually assigned the specific task of recovering keys to decrypt information if a user leaves or is terminated. A, B, and D are incorrect. Any of these roles could be assigned the task of a recovery agent, depending upon the circumstances, but it is not their primary role.

All of the following are considered potential cloud computing security issues EXCEPT: A. Security management B. Legal issues C. Hardware footprint D. Many customers sharing service

C is correct. A reduced hardware footprint is possible when using cloud computing, which can save equipment and operating costs. A, B, and D are incorrect. All of these are security issues that could cause potential problems when using cloud computing.

Wissa is updating a printer driver on a Windows system. She downloads the latest driver from the manufacturer's Web site. When installing the driver, Windows warns that the driver is unsigned. To which of the following threats is Wissa exposing her system? A. Man-in-the-middle B. Version control C. Refactoring D. Shimming

C is correct. A refactored driver will work correctly, but might also perform other, malicious actions. A, B, and D are incorrect. Man-in-the-middle might be a result of the refactor, but is not the threat itself. Version control refers to formally tracking different versions of the baseline configuration. Shimming is a library that responds to inputs that the original device driver isn't designed to handle and would require a separate file.

Which of the following PKI components is concerned with issuing certificates after being authorized by a higher-level CA? A. Root CA B. RA C. Subordinate CA D. CRL

C is correct. A subordinate CA (sometimes called an intermediate CA) is one that is authorized by the root CA to issue certificates. A, B, and D are incorrect. A root CA is the primary CA that authorizes all other subordinate CAs. A registration authority (RA) does not issue certificates. A certificate revocation list (CRL) provides information on invalid, or revoked, certificates.

A top-level CA exists in what type of PKI trust model? A. Tower architecture B. Mesh architecture C. Hierarchical architecture D. Web of trust

C is correct. A top-level certificate authority (CA) is necessary to establish a hierarchical trust model. A and B are nonsensical distractors. D is a flat model dependent upon trust with peers.

A transitive attack is one that preys upon which of the following? A. One-time password B. Temporary secret C. Chain of trust D. Encryption weakness

C is correct. A transitive attack attacks a chain of trust, so if B trusts A, and C trusts B, then breaking into A allows potential access to C. A is incorrect because a one-time password is used only a single time and is not involved in a transitive attack. B and D are distractors with no specific security meaning.

Using credentials stolen from one system to cross trust boundaries into other systems based on the original trust relationship is an example of which of the following? A. Spear phishing attack B. Pharming attack C. Transitive attack D. SPIM

C is correct. A transitive attack is one that attacks trust relationships. A is a form of phishing using personal information. B involves spoofing of websites. D is spam over instant messenger channels.

You have recently completed development on a new software application and have sent the first alpha version to quality assurance for testing. As part of the testing, you need to determine whether there are any known security issues due to the underlying operating system, network services, or development code. Which of the following testing methods can you use? A. Fuzzing B. Malware scanning C. Vulnerability scanning D. Penetration testing

C is correct. A vulnerability scanner is a software program specifically designed to scan a system via the network to determine what services the system is running and whether there are any unnecessary open network ports, unpatched operating systems, or unpatched applications. A, B, and D are incorrect. Fuzzing is a technique used to test input validation. Malware would be installed as a third-party application after the software is released, and would not be detected after the initial development stage, and penetration testing is a technique used to actively try to hack a system in a live situation.

In the context of network security, ACL is an acronym from which of the following? A. Access configuration list B. Approved computer listing C. Access control list D. Audit control list

C is correct. ACL stands for access control list. A, B, and D are unrelated technical terms and are nonsensical distractors.

Which of the following correctly describes ANT? A. Designed for industrial settings B. Can have interference problems with Wi-Fi C. Used to create PANs D. Is backed by an international standard

C is correct. ANT is a proprietary protocol designed for personal area networks, including sensors such as heart rate and fitness monitors. A is incorrect because ANT is design for personal, not industrial, systems. B is incorrect because ANT does not have issues with Wi-Fi; in fact it has good stability in crowded frequency bands. D is incorrect because ANT is a proprietary system.

You are asked to configure network security appliances to detect abnormal activity that could indicate a network attack or worm. What must you first do? A. Patch the network appliances. B. Patch the operating system. C. Establish a network baseline. D. Establish a configuration schedule.

C is correct. Abnormal network activity cannot accurately be determined if there is no baseline, or benchmark, of normal network activity on a particular network. A, B, and D are incorrect. Patching and scheduling configuration are important but are not the first things you should do, since capturing enough data to establish a "normal" baseline of a network could take some time.

Which type of restriction requires an account to become unusable after a certain period of time or a certain date? A. Time of day restriction B. Account lockout C. Account expiration D. Account disablement

C is correct. Account expiration is a restriction that forces an account to become unusable after a certain duration (after 90 days, for example) or after a certain date, and is typically used with temporary employees. A, B, and D are incorrect. A time of day restriction prevents users from logging in during certain hours, such as during off-work hours or weekends. Account lockout specifies a threshold for invalid attempts at logging in and will render the account unusable after that threshold has been reached. Disabling an account is typically at the discretion of management or an administrator and could happen anytime the user is seen as a security risk or does not require the account for an indefinite period.

Data sensitivity labeling allows an organization to determine what? A. Data retention policy: when can data be destroyed? B. Data storage policy: how should the data be stored? C. Data security policy: how much protection does the data need? D. Data duplication policy: how should the data be copied?

C is correct. Data sensitivity labeling is the cornerstone of determining what the security requirements are for the data. A, B, and D are not strictly determined by data sensitivity (classification).

A university campus consists of eight buildings located in the heart of a 200-acre rural property. A typical semester sees 3500 students. Multiple wireless access points have been purchased for the university. Convenient, simple wireless network access is required for students in each of the eight buildings. The university dean has emphasized the importance of ensuring that only students on campus use the wireless network. How can this be best accomplished? A. Enable MAC address filtering. B. Disable SSID broadcasting. C. Adjust WAP power levels. D. Configure WPA2 PSK.

C is correct. Adjust the WAP (wireless access point) power levels on each device such that connection attempts outside the heart of the property will be too weak and thus will fail. A, B, and D are incorrect. There are too many students (3500) to enable MAC filtering. Disabling SSID broadcasting or using WPA2 PSK does not make student connections to the wireless network simple or convenient due to the manual configuration required.

Which of the following aspects of your network or systems does not provide redundancy in the event of a failure? A. Redundant power supplies on a server B. RAID 5 hard drive systems on a server C. Redundant routers for the same ISP D. Dual fiber cabling for the network backbone

C is correct. Although you have redundancy at the router level, if your ISP communications fail, there are no backup communications. You should have at least one more communications line to a different ISP. A, B, and D are incorrect. Each of these solutions provides redundancy in the event of a failure.

Reviewing your firewall logs, you notice that someone is performing a network port scan and looking for listening TCP ports using many nonstandard TCP options. Which of the following is most likely the type of attack? A. SYN flood B. Spoof attack C. Xmas attack D. Man-in-the-middle attack

C is correct. An Xmas attack uses a port scan combined with several nonstandard TCP options enabled to try to discover open and listening TCP ports and details about the target system. A, B, and D are incorrect. A is incorrect because a SYN flood uses forged synchronization packets to attack a target system. B is incorrect because although the source address may be spoofed, it does not describe the actual attack method. D is incorrect because a man-in-the-middle attack intercepts network data between two devices.

Susan has received an e-mail message from her brother stating that if she forwards the e-mail to 10 different people that she will receive good fortune over the next three years. Susan forwards the e-mail. What policy has Susan violated in this example? A. Social engineering policy B. Least privilege policy C. Acceptable usage policy D. Need-to-know policy

C is correct. An acceptable use policy (AUP) defines what users may and may not do with regard to information systems, including e-mail. A, B, and D are incorrect. These policies apply to a wide range of security issues but do not define what actions users may perform on information systems.

You find a piece of code on a machine and your security team cannot examine the contents. This is an example of what type of malware? A. Kernel-level rootkit B. Polymorphic virus C. Armored virus D. Crypto-malware

C is correct. An armored virus is protected against reverse engineering using encryption and other obfuscation techniques. A is a standard form of malware that can be examined. B is a form of malware that changes its coding to evade signature-based detection. D is a form of malware that uses encryption to attack the target, not to hide.

You are designing and coding a new web application to replace a legacy web application that was recently removed because of excessive security vulnerabilities. Which of the following coding techniques is most helpful to prevent vulnerabilities in your application during the development stage? A. Design review B. Code review C. Keeping attack surfaces to a minimum D. Application documentation

C is correct. An attack surface is an aspect of your software application that is vulnerable for an attacker to exploit, such as an open port or running network service. Determine the minimum amount of acceptable attack surfaces required and keep to that framework throughout the entire development cycle of the product. A, B, and D are incorrect. Design and code reviews are helpful at catching coding errors and bugs, but are not as important as keeping the number of exploitable attack surfaces to a minimum. Application documentation is helpful to testers and code reviewers, but has no security impact.

For which of the following should employees receive training to establish how they are to treat information of differing sensitivity levels? A. Clean desk policies B. Protection of personally identifiable information on social media C. Information classification D. Data disposal

C is correct. An organization's information classification policy not only outlines what level of security protections certain data receives, but it also serves to instruct employees on how to treat sensitive data. A, B, and D are incorrect. Clean desk policies, which instruct employees to not leave sensitive data unattended, as well as data disposal policies, can be included in the information and data handling policies, but these are very specific instances and don't cover all information or all scenarios where an employee would be in a position to treat data with care. Protection of personally identifiable information on social media would be part of an organization's social media policy.

What type of file, often sent with an e-mail message, can contain malicious code that can be downloaded and executed on a client's computer? A. Cookie B. Locally shared object C. HTML attachment D. Cross-site script

C is correct. Any form of attachment is a risk. An HTML attachment is basically an HTML file that comes attached to an e-mail message. When a user clicks this attachment, it automatically spawns a browser session and could connect to a malicious Web site. Once the user is connected to the site, malicious code can be downloaded onto the user's browser. A, B, and D are incorrect. Neither cookies, locally shared objects, nor cross-site scripts are attached to e-mail messages.

Which of the following is not a classification of a security control type? A. Technical B. Managerial C. Auditable D. Operational

C is correct. Auditable is not a specific type of security control; it is a descriptive element. A, B, and D are all types of security controls.

Which of the following actions would be considered an active response in an IDS? A. Alerting the operator via the console B. Sending a text to a registered phone C. Automatically reconfiguring a router to block a particular IP address D. Logging the activity in a security log file

C is correct. Automatically reconfiguring a router would be an active response to a detected event. A and B are operator notifications, which would make the operator part of the loop. D is not an active response; it merely creates a record.

You have created and implemented a business continuity and disaster recovery plan for your organization. Which of the following information security concepts have you satisfied? A. Integrity B. Confidentiality C. Availability D. Redundancy

C is correct. Availability ensures that your systems and networks are always operational and providing service to users. Your organization's networks and data must be available to authorized users, as required, at all times without interruption. A, B, and D are incorrect. Integrity refers to data consistency and preventing data manipulation. Confidentiality refers to keeping data private. Redundancy refers to using redundant components or services for fault tolerance, which is only one aspect of availability.

Which of the following hardening techniques is most effective at preventing attacks on open network ports? A. Use a proxy server. B. Use HTTPS or SSH for remote administration. C. Disable unused network services. D. Move servers to the DMZ of a firewall.

C is correct. By disabling unused services, such as Telnet, HTTP, FTP, and SNMP, you reduce the number of open network ports running on your system that are waiting to respond to requests. Any services you do not require on that system should be disabled. A, B, and D are incorrect. A is incorrect because a proxy server only proxies connections; it will not protect against attacks on open network ports. B is incorrect because securing remote access administration does not prevent attacks against open network ports. D is incorrect because even though the system is on a more secure network, any open network ports can still be connected to and exploited unless they are explicitly blocked by the firewall.

You are helping users set up remote access connections from their home networks and for when they are traveling. Each one uses different methods to connect to an ISP, including dial-up, cable, and DSL connections. Which of the following remote access methods should you use to provide secure, efficient connections for accessing your organization's network over the Internet? A. Dedicated VPN concentrator B. HTTP web login C. SSL VPN over a web browser D. Modem dial-up to the company remote access server

C is correct. By using an SSL VPN over a web browser, users do not require additional hardware or software; they can safely connect to your organization's network through an encrypted VPN tunnel over the Internet. A, B, and D are incorrect. A is incorrect because it would be very inefficient and costly for each remote user to have his or her own dedicated VPN concentrator hardware device. B is incorrect because logging in to a network over HTTP is insecure because HTTP sends its data in clear text. D is incorrect because each user would require a hardware modem, and when traveling it can be costly to use phone lines to dial into the organization's network.

Which of the following methods will help improve SNMP security? A. Ensure the monitoring station is protected by a firewall. B. Close SNMP, TCP, and UDP port 161 on the client. C. Change the "public" community name. D. Disable ICMP.

C is correct. Changing the community name for SNMP is the single most important thing you can do to ensure that any user cannot access your SNMP device. A, B, and D are incorrect. A firewall will not help protect the clients. Disabling SNMP on the client will cripple the SNMP functionality, and ICMP is unrelated.

Which mobile device management deployment model uses corporate-owned devices where the corporation dictates the software installation and maintenance actions? A. BYOD B. CYOD C. COBO D. COPE

C is correct. Corporate-owned business only (COBO) devices are own by the corporation; all software on the device has to be approved and installed by the corporation. A, B, and D are incorrect. Bring your own device (BYOD) means the employee owns the device. Choose your own device (CYOD) means the organization retains ownership, but employeess may install personal apps on the device. Company-issued, personally-enabled (COPE) is similar to CYOD, but employees are limited to installing only white-listed apps.

What type of attack uses an application vulnerability in which a web page has code that references another site and the attack automatically uses the target's cookie data for authentication if the cookie is present and has not expired? A. Buffer overflow B. Cross-site scripting C. Cross-site request forgery D. SQL injection

C is correct. Cross-site request forgery (XSRF) is an attack that takes advantage of an application vulnerability in which a web page has code that references another site and automatically uses the target's cookie data for authentication if the cookie is present and has not expired. A, B, and D are incorrect. Buffer overflow attacks target memory usage in programs. Cross-site scripting attacks attempt to inject client-side code into a web page. SQL injection attempts to insert SQL commands into an input field to gain information from a database.

A network administrator discusses digitally signing client queries to resolve names to IP addresses. Which technology is he discussing? A. S/MIME B. HTTPS C. DNSSEC D. SRTP

C is correct. DNSSEC signs DNS zone records. Clients check DNS server responses to ensure that the responses have not been tampered with. Clients must first have connectivity to the DNS serve, which can be verified using the nslookup and dig commands. A, B, and D are incorrect. Secure/Multipurpose Internet Mail Extensions (S/MIME) is used to sign and encrypt messages. Hypertext Transfer Protocol Secure (HTTPS) secures communications between web clients and web servers. The Secure Real-Time Transfer Protocol (SRTP) provides encryption, integrity, and message authentication for RTP applications such as those related to Voice over IP (VoIP).

After seeing a few news stories about employees taking copies of sensitive data from companies, your manager decides to prevent the use of USB drives. What security feature would you suggest? A. NAC B. CRL C. DLP D. TPM

C is correct. Data loss prevention (DLP) is a set of technologies that can be used to prevent data leakage outside your organization. A, B, and D are incorrect. NAC (network access control) is used to enforce that clients are of good health before they can connect to the network. A CRL (certificate revocation list) is a list of certificates that have been revoked. A TPM (Trusted Platform Module) is a chip that contains encryption keys.

Which security role addresses who controls access to data? A. Custodian B. Server administrator C. Data owner D. End user

C is correct. Data owners determine which access rights certain parties have to information. A, B, and D are incorrect. Custodians and server administrators are responsible for maintaining and protecting data. End users simply use data they have been given access to.

Which of the following methods of log management involves visiting each individual host to review its log files? A. Centralized B. SIEM C. Decentralized D. Syslog

C is correct. Decentralized log management means that logs are managed and reviewed on a host-by-host basis, rather than as a centralized, consolidated group. A, B, and D are incorrect. Centralized log management involves collecting logs from across the network into a system and reviewing then as a group. Security Information Event Management (SIEM) is a centralized method of obtaining logs and other data from disparate devices across a network. Syslog is a logging tool found in UNIX and Linux systems, which can be used either on a centralized or decentralized basis.

What type of evidence is generally in the form of charts, graphs, or drawings to help non-technical people? A. Exculpatory evidence B. Inculpatory evidence C. Demonstrative evidence D. Documentary evidence

C is correct. Demonstrative evidence, which can be in the form of charts, graphs, drawings, and so forth, is used to help non-technical people, such as the members of a jury, understand an event. A, B, and D are incorrect. Exculpatory evidence proves innocence. Inculpatory evidence proves guilt. Documentary evidence directly supports or proves a definitive assertion.

You must ensure that the server's hard disk data is always protected. What should you do? A. Encrypt the entire hard disk. B. Configure a CMOS power-on password. C. Encrypt files and folders. D. Disable booting from removable media.

C is correct. Encrypting files and folders ensures that data is protected whether the server is turned on or off, and even if the hard disk is removed from the server. A, B, and D are incorrect. Encrypting the entire hard disk protects the data when the server is powered off; however, once the server is powered on and the disk is decrypted, the data is no longer protected by encryption. CMOS passwords and disabling removable media boot are useless if a hard disk is physically removed from the machine.

A Linux administrator enables hardware disk encryption for data drives used by a Linux server. The operating system disk is physically located in the Linux server but the data drives exist on a SAN (storage area network). Which of the following statements is true? A. The integrity of the data is being protected. B. Disk encryption is not possible for SAN disks. C. The confidentiality of the data is being protected. D. Linux cannot use SAN disks.

C is correct. Encryption protects data confidentially. Only authorized parties possessing the correct decryption keys can access encrypted data. A, B, and D are incorrect. File system data integrity would be provided by digital signing or file hashes, but not by encryption. Hardware disk encryption on a server is often done with TPM, which is a firmware chip storing cryptographic keys. SAN disks appear to the OS as local disks; Linux does support the use of SAN disks.

What key element in security policies must be present in order for them to be effective? A. Technical procedures B. Technology standards C. Management buy-in and enforcement D. Implementation guidelines

C is correct. For policies to be effective, management must approve and support them, including ensuring enforcement. A, B, and D are incorrect. Procedures, standards, and guidelines serve to support policies by describing the "how" and "to what degree" aspects of policy implementation.

Your company has issued smart phones to select employees. To protect employee privacy, you want to ensure that their location cannot be determined while they are taking photographs or using social media apps. Which term best describes your concern? A. Location tagging B. GPS C. Geotagging D. Triangulation

C is correct. Geotagging is used by media such as photographs or by specific apps to track the physical location of where a photo was taken or where a user happens to be. Technicians can also prevent certain apps from being installed from app stores or locally (sideloading). A, B, and D are incorrect. Location tagging, GPS, and triangulation use coordinates to pinpoint locations, but geotagging is the correct term in this scenario.

What type of organizations are the main users of an interconnection service agreement (ISA)? A. Telecommunication companies B. End users C. Government entities D. Satellite providers

C is correct. Government entities use ISAs as a more formal document than an MOU because contracts are not the primary method of agreements between entities of the same governement. Telecoms use Interconnection Agreements which are not ISAs.

As part of your business continuity planning, you need to consider how to achieve maximum availability of your network services. Which of the following can be implemented to improve availability of network servers and the services they provide? A. Cloud computing B. Virtualization C. Hardware redundancy D. Load balancing

C is correct. Hardware redundancy means that you always have spare servers or spare parts available in the event hardware fails. For example, a server may have redundant power supplies so that if one fails, the system continues to run. A, B and D are incorrect. Cloud computing and virtualization do not provide high-availability benefits. Load balancing spreads processing load between resources; it doesn't replace those resources if they fail.

Which device offloads cryptography processing from a server? A. TPM B. PKI C. HSM D. SSL

C is correct. Hardware security modules (HSMs) are specialized hardware cryptography devices that relieve this type of processing from other computing devices. A, B, and D are incorrect. They do not offload cryptography work from servers. TPM (Trusted Platform Module) firmware chips store encryption keys for disk encryption. A PKI is a trusted hierarchy of security certificates. SSL is an application-specific data transmission security solution.

You are a new sales agent for Acme Floor Store, Inc. When traveling on the road for business, you sign in to the company VPN using a PIN and a hardware device-generated unique code. What is this code generating device called? A. Code-generating device B. PIN aggregator C. Token D. PIN aggravator

C is correct. Hardware tokens provide a time-sensitive code used in conjunction with a PIN to authenticate to a computer system, or in this case, a VPN. A, B, and D are incorrect. Code-generating device, PIN aggregator, and PIN aggravator are not industry standard terms.

You are designing a new server room and are planning your environmental controls. Which of the following controls is most useful for improving air flow in your server room? A. Power conditioner B. Elevated cable trays C. Hot and cold aisles D. Humidity controls

C is correct. Hot and cold aisles create a constant flow of air circulation to prevent buildup of heat emanating from the back of the equipment racks and allow cool air to flow into the front of the equipment racks. A, B, and D are incorrect. A power conditioner only helps provide consistent and clean power. Elevated cable trays are used to keep network cabling off the ground, where they could be tripped over and pulled out of their connections. Humidity controls, although important, do not help with air flow issues in a server room.

Which of the following secure e-mail protocols is carried over an SSL or TLS connection and uses TCP port 993? A. SMTP B. POP3 C. IMAPS D. IMAP4

C is correct. IMAPS (secure IMAP) is a secure version of the IMAP4 protocol used over SSL or TLS connections to provide for client e-mail security. A, B, and D are incorrect. SMTP is a server-side e-mail protocol and is not used over SSL or TLS. SMTP uses TCP port 25. POP3 is a non-secure client-side e-mail protocol that uses TCP port 110. IMAP4 is a non-secure client-side e-mail protocol that uses TCP port 143.

Which of the following is NOT a type of address used in IPv6? A. Multicast B. Unicast C. Broadcast D. Anycast

C is correct. IPv4 networks use broadcast addresses and IPv6 networks do not. A, B, and D are incorrect. All of these are valid types of addresses in an IPv6 network.

Which of the following specifies best practices for information security management? A. HIPAA B. IEEE 802.11 C. ISO/IEC 27002 D. IEEE 802.1X

C is correct. ISO 17799, created by the International Standards Organization in 2000, specifies best practices for information security management. The ISO 17799 was updated and relabeled in 2007 to become ISO/IEC 27002. The purpose of the renumbering was to have the standard aligned with other standards in the ISO 27000 series. A, B, and D are incorrect. The Health Insurance Portability and Accountability Act (HIPAA) is a U.S. standard that deals with healthcare record privacy. 802.11 and 802.1X are IEEE standards that deal with wireless networking and authentication, respectively.

Your company, Bolts R Us, manufactures bolts. A partner company, Nuts R Us, manufactures nuts. Nuts R Us requires access to your manufacturing data, which is available on your internal web server. What should you configure? A. Proxy server B. Router C. Identity federation D. SSL

C is correct. Identity federation uses security tokens generated by a trusted identity source to allow access to resources such as web sites. The federation trust between parties is established using PKI certificates. A, B, and D are incorrect. Proxy servers retrieve Internet content for users. Routers route network traffic between networks using the most efficient router. Secure Sockets Layer (SSL) secures communications (authentication and encryption) between two parties communicating over a network.

You order a fleet of ten new laptops with card readers and store user credentials on smartcards. What term best describes this? A. Authorization B. Administrative control C. Technical control D. Integrity

C is correct. Implementing access control using technology in adherence with a security policy is referred to as a technical control. A, B, and D are incorrect. Authorization grants access to a resource after successful authentication; the question relates to authentication. Administrative controls are set by management to comply with established policies, but they may not be technical in nature. Integrity verifies that data came from the correct party and has not been tampered with; smartcard authentication is not a match.

Which listed example describes implicit deny? A. Tabitha is added to a folder and denied read access. B. Tabitha is added to a group named Students and given read access. C. Tabitha is added to a group named Students and denied read access. D. Tabitha is added to a folder and given read access.

C is correct. Implicit denial means an entity (Tabitha in this case) is denied access indirectly (via the Students group in this case). A, B, and D are incorrect. Answer A describes explicit denial. Answers B and D do not relate to denial.

During which type of assessment would penetration testers not have any knowledge about the network and network defenders have no knowledge of the test itself? A. Black box test B. Blind test C. Double-blind test D. Gray box test

C is correct. In a double-blind test, testers have no prior knowledge of the network they are testing, and network defenders have no prior knowledge of the test and aren't aware of any attacks unless they can detect and defend against them. This test is designed to test the defenders' abilities to detect and respond to attacks and to test and exploit vulnerabilities on the network. A, B, and D are incorrect. In a black box test, only the testers have no knowledge of details about this network configuration. This type of test is also referred to as a blind test. In a gray box test, the penetration tester may have some limited knowledge of the network or systems, gained from the organization that wants the test.

Which of the following is the most comprehensive and expensive form of disaster recovery exercise? A. Tabletop exercise B. Documentation review C. Full-scale test D. Walkthrough test

C is correct. In a full-scale test, all personnel are usually involved and may actually conduct activities as they would during a real incident. This type of test is more complex and normally requires extensive resources, such as people and equipment, so it is typically conducted infrequently. A, B, and D are incorrect. A tabletop exercise is a type of group review. The documentation review is the simplest form of test, in which the business continuity plan, disaster recovery plan, and associated documents are reviewed by relevant personnel including managers, recovery team members, and anyone else who may have responsibilities directly affecting plans. In a walkthrough test, team members go through the motions of fulfilling the responsibilities and conducting the activities required during an actual incident or disaster.

Which of the following statements does NOT accurately describe the characteristics of block and stream ciphers? A. A block cipher means the information is broken into fixed-length blocks (typically 64-bit chunks), and then each block is encrypted. B. A stream cipher encrypts the entire stream of text instead of breaking the data into blocks. C. In a block cipher the plain text bits are typically encrypted with the bits of a key by using an exclusive OR (XOR) function. D. In a stream cipher the plain text bits are typically encrypted with the bits of a key by using an exclusive OR (XOR) function.

C is correct. Stream ciphers use the XOR function, which is performed continuously on the plain text, rather than applied one block at a time. A, B, and D are incorrect. All of these statements accurately describe characteristics of block and stream ciphers.

During which stage of a secure development model would you normally find steps such as requirements gathering, analysis, and diagram development? A. Security testing B. Secure design C. Security requirements D. Secure implementation

C is correct. In the security requirements stage, requirements for different security functions are determined. Iterations of interviews and surveys might be developed and gathered and diagrams developed to show project milestones. A, B, and D are incorrect. During the secure testing phase of the secure software development model, software is measured or tested against security, functional, and performance requirements. This may include secure code review, application fuzzing, and vulnerability assessments, as well as penetration testing. In the secure design stage, different security functionality is designed into the application. During the secure implementation of software, security requirements are validated as implemented in the application.

Which of the following is the primary reason for using a third party to perform penetration testing on your networks instead of your internal network administrators? A. Auditing of current network administrators B. Attacks performed while the network is in live production C. No previous knowledge of system and unbiased D. Administrators on mandatory vacations

C is correct. It is useful to hire a third-party company to perform the penetration testing on your networks. This ensures you simulate a live attack by an unbiased user not familiar with the network. A, B, and D are incorrect. A and D are incorrect because the purpose of penetration testing is not to audit or investigate your administrators, but to use additional techniques to discover security issues in your network. B is incorrect because penetration testing is often performed during noncritical work hours so as not to disrupt live operations.

Which of the following methods of strengthening weak keys involves generating and exchanging asymmetric keys within a particular communication session? A. Key streaming B. Key repetition C. Key exchange D. Key stretching

C is correct. Key exchange involves generating and exchanging asymmetric keys used for a particular communication session, exchanging public keys in order to use them for public key cryptography. A, B, and D are incorrect. Key streaming involves sending individual characters of the key through an algorithm and using mathematical XOR function to change the output. Key repetition is not a valid answer or term. Key stretching is a technique used to change weak keys to stronger ones by feeding them into an algorithm to produce an enhanced key.

Which of the following authentication systems should you implement for your organization to provide secure, single sign-on directory services for several mixed operating system and domain types in your environment? A. NTLM B. Local login name and password C. LDAP D. 802.1X

C is correct. LDAP over SSL (LDAPS) is a protocol widely supported by different types of operating systems. By using an LDAPS-based server, you can provide secure and centralized directory services for your entire organization. A, B, and D are incorrect. NTLM is a legacy Windows authentication protocol. A local login name and password will only provide user authentication for the users' own individual systems and is not useful for a network. 802.1X is primarily used for port access and wireless authentication.

Which of the following protocols cannot traverse NAT? A. SMTP B. NTP C. L2TP D. FTP

C is correct. Layer 2 Tunneling Protocol (L2TP) cannot traverse Network Address Translation (NAT). One recommended option is to have the VPN terminate at the firewall instead of traversing it. A, B, and D are incorrect because SMTP, NTP, and FTP applications can communicate across NAT.

You are setting up security for several new mobile smartphones for your company's executive team. Which of the following security controls can you implement for Bluetooth communications to prevent bluesnarfing attacks against the devices? A. Call-back security B. Smartphone lock password C. Link-level security D. Bluejacking

C is correct. Link-level security authenticates the actual communications link before data transmission begins. Data encryption can also be performed in this mode after the link is authenticated. A, B, and D are incorrect. Bluetooth does not operate on the cell phone network. A password on the phone itself does not authenticate wireless Bluetooth connections, and bluejacking is a type of attack where an unauthorized user can send unwanted messages to another Bluetooth device.

What type of access control method does not let users configure resource access? A. Discretionary B. Role-based C. Mandatory D. Kernel

C is correct. Mandatory access control requires an authority such as an administrator or an operating system to set resource access in accordance with established security policies. Trusted operating systems can be whitelisted as bootable on UEFI systems with the secure boot option. A, B, and D are incorrect. Discretionary access control allows owning users to set access control permissions to resources. Role-based access control allows resource access based on role occupancy. Kernel is not an access control method.

Which authentication protocol uses Microsoft Point-to-Point Encryption (MPPE) protocol to encrypt all traffic from the client to the server? A. Kerberos B. CHAP C. MS-CHAP D. EAP

C is correct. Microsoft CHAP (MS-CHAP) uses Microsoft Point-to-Point Encryption (MPPE) protocol to encrypt all traffic from the client to the server. A, B, and D are incorrect. Neither EAP nor Kerberos uses MPPE. CHAP is the nonproprietary version and uses MD5 as its hashing algorithm.

A user's computer has been attacked over the network by a malware program that utilizes open Microsoft Windows networking ports to open a back door that can be accessed by a remote hacker. Which of the following ports should you block on your firewall? A. POP3 and SMTP ports TCP 110 and 25 B. SNMP TCP and UDP port 161 C. NetBIOS ports TCP 137, 138, and 139 D. Telnet port TCP 23

C is correct. Microsoft Windows utilizes NetBIOS ports TCP 137, 138, and 139 for networking services, and you should make sure these are blocked by your firewall, as they should only be used on the internal network. A, B, and D are incorrect. POP3 and SMTP are used by e-mail services. SNMP is a network management protocol. Telnet is used for remote access.

Which short-range payment method is commonly used with payment cards and mobile apps? A. RFID B. WPS C. NFC D. Rainbow table

C is correct. Near Field Communication (NFC) is commonly used as a short-range payment method (within a few centimeters). A, B, and D are incorrect. Radio frequency identifiers (RFIDs) are used for a variety of reasons including inventory control. Wi-Fi Protected Setup (WPS) uses either a PIN or physical push-button method (on the access point) to join devices easily to a network. WPS is not considered secure. Rainbow tables are lists of hashes that can be compared against another list of hashes to determine the originating data; this is used for password hash cracking.

Which of the following technologies allows devices to communicate with each other at very close range through radio signals by using a special chip implanted in the device, and may be vulnerable to eavesdropping and man-in-the-middle attacks? A. 802.11 wireless B. Bluetooth C. Near-field communication (NFC) D. Infrared

C is correct. Near-field communication is enables devices to send very low-power radio signals to each other by using a special chip implanted in the device. This technology requires that the devices be extremely close or even touching each other. This technology is used for a wide variety of applications, including payments through NFC-enabled smartphones. A, B, and D are incorrect. Neither 802.11 wireless nor Bluetooth technologies are used in this manner. Infrared does not use radio frequency technology; it enables communications between devices using a beam of light.

You are monitoring a high-volume database server using a performance monitor. Your typical average baseline is CPU usage at 40 percent, memory usage at 66 percent, and hard disk I/O at 36 percent. The current average measurements are CPU usage at 45 percent, memory usage at 63 percent, and hard disk I/O at 35 percent. What do these statistics indicate? A. The server is almost out of free memory. B. The CPU is underutilized. C. The system is running close to the baseline. D. The hard disk I/O overutilized.

C is correct. None of the average measurements indicate any abnormal activity for this server compared to its baseline. A, B, and D are incorrect. A is incorrect because there is still at least 1/3 memory usage remaining. B is incorrect because the CPU is running at almost half capacity and is not being underutilized. D is incorrect because the hard disk I/O is only using 1/3 of its capacity and is not overutilized.

Which of the following policy settings enforces the use of longer password lengths and character spaces to increase password strength? A. Password history B. Maximum password age C. Password complexity D. Minimum password age

C is correct. Password complexity enforces the use of longer password lengths and character spaces to increase password strength. A, B, and D are incorrect. Password history records previous passwords so they cannot be reused in the system. The maximum password age is used to expire a password after a certain time period. The minimum password age setting is used to force users to use a password for a minimum amount of time before they are allowed to change it. This prevents them from rapidly cycling through the password history in order to reuse an older password.

A disaster recovery plan should include all of the following EXCEPT: A. Location of software and CD keys B. Location of backup tapes C. Passwords D. Steps for rebuilding servers

C is correct. Passwords should not be included in the actual plan. The location of stored passwords for root accounts may be included, if necessary, but typically users with privileges to perform a certain action should be listed, and not any user account's passwords. A, B, and D are incorrect. All of these items should be included in the disaster recovery plan to ensure that resources such as software, CD keys, backup tapes, and procedures are readily available to facilitate rapid recovery.

Which of the following formal management efforts is designed to remediate security flaws discovered in applications and operating systems? A. Upgrade management B. Account management C. Patch management D. Change management

C is correct. Patch management is the formal effort designed to remediate vulnerabilities and other software flaws on a regular basis. A, B, and D are incorrect. Managing upgrades is part of a formal change and configuration management process. Account management is the process of provisioning and maintaining user accounts on the system. Change management is a formalized process that involves both long-term and short-term infrastructure changes, as well as configuration changes to hosts and networks.

Samantha's user account has been temporarily disabled while she is on maternity leave. Soon after, her account is mistakenly deleted. Six months later, Samantha returns and notifies the help desk that she is unable to log on to the network. Her home directory, however, still remains intact with her encrypted files. The help desk re-creates her account with the same username and a different password and then adds her to the appropriate groups. When Samantha attempts to access files from her home directory, she is denied access. What is the problem? A. Her password must be the same to decrypt the files. B. Her new account must use longer passwords. C. Her private key must be restored to decrypt the files. D. Her public key must be restored to decrypt the files.

C is correct. Private keys are used to decrypt data encrypted with the mathematically related public key. Simply re-creating a user account with the same name and password will not work. Some network systems generate public/private key pairs that are unique to the user account. A PKI certificate public key stored in a file or smartcard could also have been used to encrypt the files, so the related private key is required to decrypt them. A, B, and D are incorrect. Even if Samantha's password were set to what it last was when her files were encrypted, Windows uses the internal Security Identifier (SID) to identify users and groups; her newly created account is completely different from before. Public keys do not decrypt files; they encrypt them.

Which of the following versions of the Extensible Authentication Protocol (EAP) is used to encapsulate EAP messages over a secure tunnel that uses TLS? A. EAP-MD5 B. LEAP C. PEAP D. EAP-PSK

C is correct. Protected Extensible Authentication Protocol (PEAP) is used to encapsulate EAP messages over a secure tunnel that uses Transport Layer Security (TLS). A, B, and D are incorrect. None of these versions of EAP provide encapsulation over a TLS tunnel.

A router is configured to allow outbound TCP ports 80, 443, and 25. You would like to use the Remote Desktop Protocol to access a server at another location. Which of the following statements is correct? A. You will be able to RDP to the external server. B. You will not be able to RDP the external server because the router is explicitly denying RDP packets. C. You will not be able to RDP the external server because the router is implicitly denying RDP packets. D. You will not be able to RDP the external server because the router is implicitly allowing RDP packets.

C is correct. RDP (Remote Desktop Protocol) uses TCP port 3389, and this is implicitly denied because only ports 80, 443, and 25 allow traffic out. A, B, and D are incorrect. RDP will not work because it requires port 3389. There is no explicit denial of RDP traffic; the denial is implicit in this example. RDP traffic is not allowed.

Rachelle is a server administrator. During her required monthly server maintenance duties, Rachelle clears all server logs to increase usable disk space. Her job also requires her to create user accounts as well as grant permissions to network shared folders and printers. What is the security violation in this scenario? A. Least privilege B. Acceptable use C. Separation of duties D. Incident management

C is correct. Rachelle is a server administrator, and she has the ability to erase all server logs—the potential exists for Rachelle to abuse server administrative privileges and clear any audit trails. A, B, and D are incorrect. Least privilege ensures users have only the rights they need. Acceptable use policies state how employees are to use corporate assets properly. Incident management is a structured approach to handling incidents. None of these items is violated in the listed example.

Which of the following is an antivirus feature that scans any file that you access—as you access it? A. Deep scanning B. Scheduled scanning C. Real-time protection D. On-demand scanning

C is correct. Real-time protection is a feature of most antivirus programs that, if it is turned on, scans files for malware threats as they are accessed, in real time. A, B, and D are incorrect. Deep scanning is a level of scanning that some antivirus programs offer, but it is not done in "real time." Scheduled scanning is a feature that allows you to schedule a system scan for a certain time of day or night when the computer is not being used much. On-demand scanning allows you to scan a particular file or directory at will but before you use it. This is usually a manual process, and not an automatic one such as real-time protection.

Why would an administrator configure router ACLs (access control lists)? A. To restrict where the router can load its configuration from B. To restrict what files users can access on the file server C. To restrict or allow specific network traffic through the router D. To restrict or allow file security traffic through the router

C is correct. Router ACLs allow or deny network traffic through the router. The ACLs can look at IP addresses, protocol types, TCP and UDP port numbers, and so on. Devices such as routers should also be configured with a logon banner stating that the device can be used only for legitimate organizational activities. A, B, and D are incorrect. They are not related to configuring router ACLs.

Which of the following algorithms is the stronger hashing algorithm? A. 3DES B. MD5 C. SHA-1 D. AES-256

C is correct. SHA-1 (secure hashing algorithm) generates a 160-bit hash. A, B, and D are incorrect. MD5 is a hashing algorithm that generates a 128-bit hash, which is weaker than SHA-1. 3DES and AES-256 are symmetric encryption algorithms, not hashing algorithms.

Your firm creates web apps for business units and customers to view data from your databases. Which of the following is the greatest threat/attack vector if not specifically mitigated? A. Arithmetic over/underflow B. Buffer overflow C. SQL injection D. Cookie manipulation

C is correct. SQL injection involves manipulating input strings to poison SQL queries to the database to return unauthorized information. A is incorrect because there is no specific arithmetic issue in the problem. B is incorrect because buffer overflows are not as common as SQL injection issues for data-driven web apps. D is only an issue if cookies are misused, and they were not mentioned in the scenario.

The corporate IT manager wants you to implement a process that separates corporate apps from personal apps on mobile devices. Which of the following techniques will enable you to do this? A. Whitelisting B. Containerization C. Sandboxing D. Blacklisting

C is correct. Sandboxing separates applications from one another and does not allow them to share execution, user, or data space. A, B, and D are incorrect. Whitelisting enables an administrator to determine which applications and other software the user is allowed to install and execute. Containerization is a technique used to separate different sensitivities of data, such as corporate and personal data on a mobile device. Blacklisting is a method that enables administrators to restrict users from installing and executing certain applications.

Which of the following security techniques is best suited to prevent, detect, and mitigate physical theft of high-value corporate equipment? A. Security lighting B. Perimeter fencing C. Security guards D. Video surveillance

C is correct. Security guards will be able to regularly patrol the facility and can immediately be on hand to deal with security occurrences as they happen and prevent any equipment from leaving the building. A, B, and D are incorrect. A and B are incorrect because although security lighting and perimeter fencing are important security measures, they can be bypassed and cannot fully prevent theft. D is incorrect because video surveillance can only record a theft; it cannot prevent theft or catch the perpetrator in the act.

You are developing a mobile device security policy for your company. Some employees will be issued a smart phone that will also be used to store schematics related to a military government contract. Which item should you include in your mobile device security policy? A. HSM B. SSL C. Remote wipe D. TPM

C is correct. Should a smart phone be lost or stolen, remote wipe functionality enables administrators to revert the device back to factory settings. In bring your own device (BYOD) environments, technicians can partition work versus personal apps, data, and settings to facilitate the remote wiping of only work items. A, B, and D are incorrect. HSM, SSL, and TPM do not apply to smart phones.

Which of the following best describes cookies? A. HTTP request and response messages. B. An HTML file that comes attached to an e-mail. C. Small text files stored on a browser that contain information about the Web sites you visit. D. Objects that are particular to Web sites that use the Adobe Flash player for certain content.

C is correct. Small text files stored on a browser that contain information about the Web sites you visit are called cookies. In some cases, they are used to retain user preferences for the site, but they can contain sensitive information, such as user credentials or financial data (credit card information, for example) as well. A, B, and D are incorrect. HTTP request and response messages are sent back and forth between the Web application and the browser so the client can access content in the Web application. These HTTP requests and responses have headers that contain information such as commands, directives, and so on. An HTML file that comes attached to e-mail is an HTTP attachment. Locally shared objects (also called flash cookies) are objects that are particular to Web sites that use the Adobe Flash player for certain content.

Which of the following types of network-connected systems can manage heating, ventilation, and air-conditioning controls? A. Minicomputers B. Embedded hosts C. Supervisory control and data acquisition D. Mainframes

C is correct. Supervisory control and data acquisition (SCADA) systems are used to control and manage heating, ventilation, air-conditioning, and other types of industrial and environmental systems. A, B, and D are incorrect. Minicomputers are antiquated computers that performed advanced tasks in the place of mainframe systems and are no longer widely in use. Although some SCADA systems could be embedded, embedded hosts normally refer to systems that have operating systems burned into their computer chips. Mainframe systems normally do not control industrial types of systems, such as heating, ventilation, and air-conditioning.

An administrator uses SSH to administer a network device remotely. She then issues the command "show mac-address-table." What type of network device is she administering? A. Hub B. VPN appliance C. Switch D. Router

C is correct. Switches retain machine MAC addresses to physical switch port mappings in memory so that traffic destined to a particular host (MAC address) is sent to a single switch port. Viewing the switch MAC address table is done with the "show mac-address-table" command. A, B, and D are incorrect. Hubs, VPN appliances, and routers do not keep a MAC address table to track where local area network traffic should be sent.

You are organizing file and print permissions for your human resources (HR) department. The HR department file directories and printers are confidential, and no other group is allowed access to them. Which of the following permissions should you configure for the HR home directory and printers to maintain the strongest security? A. Write/Print for the HR group; only Read access for all other groups B. Read/Write/Print for the HR group; only Print access for other groups C. Read/Write/Print for the HR group; no access for other groups D. Read/Print for the HR group; Write access for other groups

C is correct. The HR group requires Read/Write/Print for the HR directory, while all other groups are given no access. A, B, and D are incorrect. Other groups should not have Read access to the HR directory, Print permission to HR printers, or Write permission to the HR directory.

WEP is a wireless encryption standard that is considered unsecure. What type of attack exploits WEP's weakness? A. ARP poisoning B. SSID poisoning C. IV attack D. VI attack

C is correct. The IV (initialization vector) is a 24-bit value, which means there are only 16,777,216 possible values. Given enough packets (as few as 5000), the IVs will repeat themselves. IVs are not encrypted; therefore, attackers can eventually crack the encryption key. A, B, and D are incorrect. ARP poisoning is not related to WEP. There is no such thing as SSID poisoning. There is no such thing as a VI attack.

You are performing a risk assessment for your organization's backup database server. The results of the risk assessment indicate that the cost of security countermeasures for the backup server is budgeted at $20,000. The total impact of a failure and loss of data for the backup server is $4,500. Which of the following solutions do you implement? A. Transfer the cost of the risk to the company's operations department. B. Use the security budget toward backup hardware and media to mitigate potential loss with the backup server. C. Use the budget toward protection of your primary database server instead. D. Purchase insurance against the loss of the backup database server.

C is correct. The amount of loss in the event of an issue with your backup database server is much less than the actual cost of the security countermeasures used to mitigate the risk. In this case, you could use the security budget for increased protection for your primary server instead. A, B, and D are incorrect. The cost of each of these solutions is more expensive than the cost of the risk.

What is described as the chief drawback to the security principle of separation of duties? A. It is often not well accepted by users. B. It disperses responsibilities, thus making it easier for insiders to take advantage of security holes. C. The cost required in terms of both time and money is too high. D. It is a difficult concept to understand and implement.

C is correct. The chief drawback with the principle of separation of duties is the perceived cost involved. A is incorrect because, while separation of duties may not be popular among users, this is not a chief drawback. B is incorrect because the principle doesn't make it easier for insiders to take advantage of security holes. D is incorrect because the principle is not hard to understand.

While you are on vacation, you would like your assistant, Claude, to manage existing user accounts. You grant Claude the ability to reset user passwords and modify group memberships. Which security principle have you observed? A. Authorization B. Authentication C. Least privilege D. Most privilege

C is correct. The concept of least privilege states that only needed rights to perform a certain task should be given and no more. A, B, and D are incorrect. Authorization and authentication are not related to resetting user passwords and group memberships. Most privilege is not a security principle.

The nature of your organization requires that you conform to government compliance concerning the integrity of customer data that you store at your facility. Which of the following cryptologic functions covers the information assurance objective of data integrity? A. Digital certificates B. Symmetric encryption C. Hashing D. Asymmetric encryption

C is correct. The cryptologic function of hashing is used to create signatures for files that indicate whether the file has been tampered with. If the hashed value does not match the original, then the file has been modified. A, B, and D are incorrect. Digital certificates perform the function of authentication, and encryption (symmetric or asymmetric) performs the function of data confidentiality.

You have just enabled SNMP on all your servers so that you can monitor them from a central monitoring station. Which of the following actions should be performed to increase security when using SNMP? A. Ensure the monitoring station is protected by a firewall. B. Close SNMP TCP and UDP port 161 on the client. C. Change the "public" community name. D. Disable ICMP.

C is correct. The default community name for SNMP, which is "public," acts as a password between the SNMP monitor and the device. If you do not change the default, any user with an SNMP monitor can access the device using the "public" community string. A, B, and D are incorrect. Putting the monitoring station behind a firewall will not provide any protection for the SNMP clients. Disabling SNMP on the client means that it cannot be monitored, while disabling ICMP will have no effect on SNMP functionality.

Which of the following steps in a Secure Sockets Layer transaction between a client and server occurs LAST? A. The server sends the public key to the client. B. The client creates a random symmetric key (known as a session key). C. The encrypted information is sent to the web server, which decrypts and obtains the symmetric key (session key). D. The client validates the certificate and ensures it has not expired or been revoked.

C is correct. The last step involves the client sending the session key, encrypted with the server's public key, to the server. A, B, and D are incorrect. The steps involved in an SSL transaction between a client and server are, in order: 1. The client sends a request for a web page to the secure web site by using https:// in the URL. This makes a connection to port 443 by default. 2. The server sends the public key to the client. 3. The client validates the certificate and ensures it has not expired or been revoked. 4. The client creates a random symmetric key (known as a session key) used to encrypt the web page content, and then encrypts the symmetric key with the public key obtained from the web server. 5. The encrypted information is sent to the web server. The web server decrypts and obtains the symmetric key (session key). The web server uses the symmetric key to encrypt information between the client and the server.

Which of the following steps in a Secure Sockets Layer transaction between a client and server occurs LAST? A. The server sends the public key to the client. B. The client creates a random symmetric key (known as a session key). C. The encrypted information is sent to the web server, which decrypts and obtains the symmetric key (session key). D. The client validates the certificate and ensures it has not expired or been revoked.

C is correct. The last step involves the client sending the session key, encrypted with the server's public key, to the server. A, B, and D are incorrect. The steps involved in an SSL transaction between a client and server are, in order: The client sends a request for a web page to the secure web site by using https:// in the URL. This makes a connection to port 443 by default. The server sends the public key to the client. The client validates the certificate and ensures it has not expired or been revoked. The client creates a random symmetric key (known as a session key) used to encrypt the web page content, and then encrypts the symmetric key with the public key obtained from the web server. The encrypted information is sent to the web server. The web server decrypts and obtains the symmetric key (session key). The web server uses the symmetric key to encrypt information between the client and the server.

You are performing a risk assessment for your organization's networks and systems. Which of the following risk assessment concepts is the primary factor in deciding how to budget for appropriate security controls? A. Asset identification B. Threat of natural disasters C. Risk likelihood and impact D. Qualitative costs

C is correct. The likelihood and impact of the risk has direct bearing on how much you want to budget for appropriate security controls to prevent the risk from occurring. A, B, and D are incorrect. A is incorrect because asset identification does not include any cost analysis. B and D are incorrect because although the threat of natural disasters and qualitative costs of a risk occurring are important, their likelihood and impact are more accurate in determining the actual costs of a solution.

Which of the following terms is most accurately defined by the amount of time a business can survive without a particular function? A. Mean time between failures (MTBF) B. Recovery point objective (RPO) C. Maximum tolerable downtime (MTD) D. Recovery time objective (RTO)

C is correct. The maximum tolerable downtime (MTD) indicates how long an asset may be down or offline without seriously impacting the organization. A, B, and D are incorrect. The mean time between failures is an estimate of how long a piece of equipment will perform before failure. The recovery point objective and recovery time objective refer to how much data may be lost during a failure or disaster and the maximum amount of time it must take to recover the system or data, respectively, before the organization is seriously impacted.

When requesting a certificate for a web site that you wish to secure, what is the name of the entity that validates your request and who you are? A. Issuing authority B. Certificate authority C. Registration authority D. Identification authority

C is correct. The registration authority (RA) is the entity responsible for validating an applicant's identity and his or her request and passes the request on to a certificate authority once validated. A, B, and D are incorrect. The terms issuing and identification authorities are false choices and do not exist in this context. A certificate authority (CA) issues certificates after the request has been vetted and validated by a registration authority.

Which of the following concepts should be the most important consideration when determining how to budget properly for security controls? A. Asset identification B. Threat of natural disasters C. Risk likelihood and impact D. Qualitative costs

C is correct. The risk likelihood and impact should directly determine how much you budget for controls to prevent the occurrence of risk. A is incorrect, because asset identification does not require analysis of cost. B and D are incorrect because risk likelihood and impact are more accurate in determining how much a solution will actually cost.

A server was recently stolen from the floor of your manufacturing facility. Which of the following security controls can you use to help mitigate the issue and prevent theft of important server equipment? A. Login and password required on management console screen B. Fastened with a cable lock to a desk C. Locked in a server cabinet in a secure server room D. Video recordings sent to a remote server

C is correct. The server should be stored in a locked cabinet within a secure server room with access controls. A, B, and D are incorrect. A is incorrect because requiring a login and password on management console screen does not prevent physical theft of the device. B is incorrect because the cable lock could be easily cut by someone. D is incorrect because although video surveillance will provide evidence of the theft, it will not prevent it from occurring.

Who is responsible for access control on objects in the mandatory access control (MAC) model? A. Owner of the object B. Creator of the object C. System administrator D. Security officer

C is correct. The system administrator is responsible for MAC model implementation on the system. A and B are incorrect because owners and creators can only administer discretionary access control (DAC) systems. D is a simple distractor.

Your customer support group is experiencing a high number of support calls because users who access your organization's web application are receiving certificate errors in their web browser. Which of the following is the most likely issue? A. The domain name has expired. B. SSL is not properly configured on the client web browser. C. The certificate has expired. D. Users have forgotten their password.

C is correct. The users are receiving warnings that the certificate for the website they are accessing is expired. They can still access the website, but the errors will state that they could be accessing an untrusted website. A, B, and D are incorrect. A is incorrect because if the domain name has expired, the users would not be able to contact the site. B is incorrect because SSL requires no additional configuration on the web browser. D is incorrect because the users are receiving the errors before they are prompted for authentication, and it is unlikely that multiple users have forgotten their password.

You wish to employ a RADIUS-based solution for remote authentication services. Which of the following is not one of the steps used in RADIUS authentication? A. A user initiates PPP authentication. B. The NAS prompts for either a username and password or a challenge. C. The server responds with authentication complete. D. The server responds with Access-Accept.

C is correct. This is a TACACS+ response, not RADIUS. A, B, and D are all steps in the RADIUS authentication process.

Which term is defined as the possibility of suffering harm or loss? A. Impact B. Vulnerability C. Risk D. Threat

C is correct. This is the definition of risk. A is the loss suffered. B is a weakness that is exploited by a threat. D is a circumstance or event with the potential to cause harm.

Your manager would like you to ensure that employees are not able to access the accounting systems. What action would you take? A. Configure a WAP. B. Disable ports for the accounting systems. C. Place the accounting systems in their own VLAN. D. Set the WPA2 key to a new value.

C is correct. To control communication, you can place the accounting systems in a different VLAN than the rest of the network. A, B, and D are incorrect. You would not configure a WAP because you are not trying to give wireless access. You cannot disable the ports the accounting systems are connected to because that will prevent everyone from being able to communicate with them. Changing the WPA2 key will not help because this is not a wireless scenario.

Which of the following actions should you perform first if responding to an attack on your network firewall? A. Reboot the device to restore normal operation. B. Escalate the issue to your manager. C. Make a copy of the firewall logs and error messages. D. Reinstall the operating system.

C is correct. To preserve forensic evidence of the attack, you should make a copy of the firewall's log files before performing any other action that could destroy the evidence. A, B, and D are incorrect. A and D are incorrect because either rebooting the firewall or reinstalling the operating system can erase any error messages or log files you may require as forensic evidence. B is incorrect because although escalating the issue to your manager is important, as the first responder, your primary goal is to perform damage control and collect evidence.

Your organization must comply with data loss prevention regulations concerning your customers' data transactions. You must ensure that any outbound e-mail messages containing customer Social Security numbers cannot be viewed while in transit. Which of the following security controls can provide this functionality? A. Antivirus scanning of all outbound e-mail messages with an SSN B. Web proxy server that quarantines outbound mail containing an SSN C. Content filter that encrypts outbound mail containing an SSN D. Anti-spam filter that blocks outbound mail containing an SSN

C is correct. To protect your clients' SSN numbers in transit, you should use a content filter to analyze outbound mail and encrypt any messages that contain an SSN. A, B, and D are incorrect. Antivirus scanning, anti-spam scanning, and a web proxy server will not detect an SSN number in a message.

An end user was using your web application when it suddenly crashed and allowed the user access to a command-line prompt with administrator access to the system. Which of the following is the security issue with your application? A. Buffer overflow B. Command injection C. Transitive access D. Fuzzing

C is correct. Transitive access occurs when a user is inadvertently given advanced access to another part of the application or the system on which it is hosted. You must ensure that your application does not allow transitive access in the event of a crash or malfunction. A, B, and D are incorrect. A buffer overflow occurs when user input is greater than what the input field allows. The user did not perform a command injection into the application; it simply crashed and presented the user with a command prompt. Fuzzing is used to test input validation through the entry of random characters.

Your large organization employs five network administrators. Which of the following is the most secure and efficient best practice to follow when using administrative permissions? A. All users should use the same "administrator" account. B. Grant specific administrator privileges to each individual user account depending on the operation to be performed. C. Use an "administrator" group and add each user's account to the group. D. Only the primary administrator has full administrative rights to perform requests.

C is correct. Use a group with administrative permissions, and then simply add the user to the group to inherit those permissions. This is the most efficient method and ensures admin users use their own account name for auditing and tracking purposes. A, B, and D are incorrect. There is no way to track which administrator performed an operation, as it will only appear in the logs as the "administrator" account. Granting specific administrator privileges to each individual user account depending on operation to be performed is very inefficient and can lead to confusion as to which account has which privileges. Giving only the primary administrator full administrative rights to perform requests is inefficient because the other network administrators need the ability to perform as a full administrator if the primary administrator is unavailable.

You have several remote salespeople who access your networks remotely while at home and while traveling. Which of the following services could you use to provide a central web-based application and database that can store and serve their shared data over the Internet? A. NAC B. Virtualization C. Cloud computing D. Subnetting

C is correct. Using a cloud-based service, your users can perform their work using a web browser that connects to the cloud service, giving them instant access to the application and the data without having to keep the only copy of the data on their laptop. A, B, and D are incorrect. Virtualization allows several virtual computers to run on the same hardware, while subnetting and Network Access Control (NAC) are network security concepts that do not provide the required services.

You are running several web servers for different client websites, and you want to consolidate some services to improve resource usage on your underutilized server hardware. You also want to make sure that security issues with one client web service will not affect the web service of other clients. Which of the following technologies should you implement? A. Use shared RAID disk services. B. Cluster the web services. C. Run each client web service in a virtual machine. D. Create a VLAN for each web service.

C is correct. Using virtualization, you can run each client's website on a separate virtual machine running on the same hardware platform. This allows you to run several virtual machines on one system, and each virtual machine is isolated from the others, thus preventing security issues from affecting other client web services. A, B, and D are incorrect. A is incorrect because using RAID disk systems alone still requires separate servers to run each client web service. B is incorrect because clustered web services provide redundancy and protection for a single web service and will not prevent security issues between different client web services. D is incorrect because VLANs will not reduce the amount of hardware you need to use.

VLANs are an example of what? A. Physical segmentation B. Network security function C. Logical segmentation D. Traffic shaping

C is correct. VLANs are logical segmentation devices. They have no effect on the physical separation of traffic. A is incorrect because VLANs have no physical segmentation ability. B is incorrect because VLANs provide no real security functionality, as they are easy to spoof and bypass. D is incorrect because traffic shaping does not involve VLANs.

You would like to further secure your VPN infrastructure. Users currently use VPN client software and supply a username and password to authenticate. What can further secure VPN access? A. VPN accelerator B. 64-bit VPN client software C. Hardware token D. Faster network card

C is correct. VPN hardware tokens display a code for a short period of time that the user enters along with their credentials to authenticate to the VPN. The VPN appliance uses the same code for the same period of time. Software token apps are also available for mobile device users. A, B, and D are incorrect. They have nothing to do with security.

Which is the most important security function associated with a mobile device? A. Encryption B. Remote wiping C. Password/screen lock code D. Mobile device management (MDM)

C is correct. Without a screen lock code/password, anyone would be able to access a mobile device simply by obtaining it. A, B, and D are important and useful security elements, but if there is no password, then they can by and large be bypassed before anyone could block or wipe the device.

You are expanding your 802.11a wireless network to other parts of your organization's building. Which of the following security controls helps prevent wardriving attacks on your wireless network? A. Use the 802.11b standard B. Firewall C. Encryption D. War chalking

C is correct. You can protect your network from unauthorized users who try to connect to your wireless network from outside your building by encrypting wireless traffic. A, B, and D are incorrect. 802.11b does not support WPA/WPA2, and a firewall will not control your wireless connections. War chalking identifies areas where open and insecure wireless access points exist.

Which of the following security measures should you implement to prevent issues related to router administrative access? A. Using audit logging B. Using HTTPS remote access C. Using strong passwords D. Backing up the router configuration

C is correct. You should ensure that all your network devices use very strong passwords to prevent basic hacking attempts on the administrator account. A, B, and D are incorrect. A is incorrect because audit logging will not prevent unauthorized access to the router. B is incorrect because the hacker can also use HTTPS to connect to the router and guess a weak password. D is incorrect because although having a backup of the configuration is important for recovering from an attack, it will not prevent hacking attempts on the router.

You have been performing remote administration from your workstation web browser on a critical server located in the server room. You need to go to the physical location of the server to perform a command on the console and reboot the system. Which of the following actions should you perform? A. Write down the admin account and password for reference. B. Close your web browser. C. Lock your desktop workstation. D. Write your name in the server room access log.

C is correct. You should never leave administrative sessions open and unattended on your workstation. If you leave, you should log out of your session or lock your workstation. A, B, and D are incorrect. A is incorrect because you should never write down account credentials. B is incorrect because a user could reopen your web browser and search your history for the administrative page where you are still logged in. D is incorrect because your administrative session is still open on your computer, and anyone can access the remote console of the server in the server room.

You notice excessive network traffic when client stations connect to Windows Update to download patches and hotfixes. You would like to minimize network use. What should you do? A. Use full duplex. B. Disable SSL. C. Configure an internal patch update server. D. Disable Windows Update on all client stations.

C.

Which of the following is a port-based authentication method? A. WPA2 B. WEP C. WPA D. 802.1X

D is correct. 802.1X is a port-based authentication method, not a wireless encryption protocol. A, B, and C are incorrect. WPA2 is an advanced encryption protocol, which uses AES. WEP is a legacy wireless encryption protocol, which has been determined to be very weak and easily broken. It uses the RC4 streaming protocol and weak initialization vectors (24-bit) to encrypt data on wireless networks. WPA was an interim protocol used to correct some of WEP's weaknesses. It uses the TKIP protocol.

For security reasons, you want to enable port security for your network switches to allow only certain clients to connect to specific switches. Which of the following is the best authentication service to implement? A. Local username and password B. LDAP C. RADIUS D. 802.1X

D is correct. 802.1X is implemented on network devices such as switches to provide access control by authenticating connecting clients based on the user or system identity. You can then allow or block network connectivity and apply network access policies based on this authentication. A, B, and C are incorrect. A is incorrect because using local authentication on the switch is too cumbersome to manage and will not scale for many clients. B and C are incorrect because these authentication services are not specific to port security but can be used in conjunction with 802.1X for centralized authentication.

An Ethernet switch at a private school has been configured with two VLANs called Classroom A and Classroom B. Stations on the Classroom A VLAN cannot contact stations on the Classroom B VLAN. Refer to the following configuration from a computer on the Classroom A VLAN to identify the problem. Connection-specific DNS Suffix . : IPv4 Address. . . . . . . . . . . : 10.0.0.72 Subnet Mask . . . . . . . . . . . : 255.255.255.0 Default Gateway . . . . . . . . . : A. A DNS suffix must be configured. B. The IP address is invalid. C. The subnet mask is invalid. D. The default gateway must be configured.

D is correct. A TCP/IP VLAN (virtual local area network) must have a default gateway (IP address of router) configured to contact other VLANs. In some cases, VLAN isolation is desired, such as when embedded medical or robotic machinery needs a dedicated network. A, B, and C are incorrect. DNS suffixes are not required to interconnect VLANs. The IP address is valid. Zeroes are allowed for host IP addresses as long as all the host bits (binary) are not set to binary zeroes or ones. The subnet mask is valid even though the IP address is a Class A address usually having a subnet mask of 255.0.0.0.

A key element in using PKI certificate-based security is the use of which of the following? A. Encryption B. Web of trust C. RA D. CRL

D is correct. The Certificate Revocation List (CRL) determines whether the issuer has revoked the certificate. A, B, and C are incorrect. A is not involved in certificates. B and C are not involved in the use of PKI certificates for trust decisions—the word "using" in the question eliminates this answer.

Which of the following attacks is NOT typically attempted by a rogue access point on a wireless network? A. Interference B. Evil twin C. Spoofing D. Brute force

D is correct. A brute-force attack is typically a password attack. It may be used separately to break wireless passwords but is not unique to wireless attacks. A, B, and C are incorrect. All of these are attack methods that a rogue access point could attempt to engage in, resulting in a denial-of-service condition on the wireless network (as in the case of intentional interference), or by spoofing valid access points to entice an unsuspecting client to connect to it.

Which of the following plans mainly emphasizes the operation of the critical systems that an organization needs to function during periods of crisis? A. DRP B. IRP C. SLA D. BCP

D is correct. A business continuity plan is based on the understanding of system criticality and data criticality in conjunction with required business processes. A, disaster recovery plan, B, incident response plan, and C, service level agreement, are not associated with business continuity plans or operations and are frequently suspended during bcp operations.

What type of control assists and mitigates the risk an existing control is unable to mitigate? A. Preventative control B. Corrective control C. Deterrent control D. Compensating control

D is correct. A compensating control assists and mitigates the risk an existing control is unable to mitigate. A, B, and C are incorrect. The difference between a deterrent control and a preventive control is that it is necessary to have knowledge of the deterrent control for it to work. Users do not need to have knowledge of a preventative control for it to function. A corrective control is used to correct a condition when there is either no control at all, or the existing control is ineffective. Normally, a corrective control is temporary until a more permanent solution is put into place. A deterrent control keeps someone from performing a malicious act, provided that they know the control is there and are aware of the consequences for violating it.

Which attack is used to inject commands inside an HTTP message with the goal of navigating to the operating system and executing system commands? A. Cross-site scripting B. XML injection C. SQL injection D. Directory traversal/command injection

D is correct. A directory traversal/command injection attack enables a malicious user to inject commands inside the HTTP message in order to travel through the directory structure of the web server. After navigating backward in the directory structure, the hacker then moves forward into the operating system directory and tries to run operating system commands. A, B, and C are incorrect. Cross-site scripting is a popular form of attack that involves the hacker inserting script code into a form on a web page and submitting the script code to the server, so that it will then be sent to other clients. An XML injection attack is similar to an SQL injection, except that the hacker is inserting XML code into the application. In SQL injection attacks the hacker uses the SQL commands that are executing behind the scene in order to manipulate the data in the database.

What is the lowest threat category that can be said to be characterized by a significant amount of planning, a longer period of time to conduct the activity, more financial backing to accomplish it, and possibly corruption of, or collusion with, insiders? A. Highly structured threat B. Unstructured threat C. Advanced persistent threat D. Structured threat

D is correct. A greater amount of planning, a longer period of time to conduct the activity, more financial backing to accomplish it, and possibly corruption of, or collusion with, insiders can be part of both structured and highly structured threats. Since structured threats are a lower category of threat than highly structured threats, it is the correct answer for this question. A is incorrect because it uses the greatest level of the listed resources. B is incorrect because it does not use those levels of resources. C is incorrect because it does not typically involve corruption or collusion.

Which of the following terms is commonly used to describe a device that displays a random number on it for 30 to 60 seconds, which is used along with a username and password in order to log on? A. Smart token B. Logical token C. Windows token D. Hardware token

D is correct. A hardware token is a physical device that displays a random number for 30 to 60 seconds. The user enters that random number along with their username and password in order to log on. A, B, and C are incorrect. Smart tokens and Windows tokens do not exist in this context. Logical tokens are generated at logon and contain the user SID, group SIDs, and the privileges of the user. A logical token is presented to any resource to determine if access to the resource should be granted.

Which type of intrusion detection system identifies suspicious activity by monitoring log files on the system? A. NIDS B. NIPS C. ACL D. HIDS

D is correct. A host-based intrusion detection system (HIDS) monitors local system activity and logs for indications of an attack. A, B, and C are incorrect. A NIDS is a network-based intrusion detection system and does not monitor host log files. A NIPS is a network-based intrusion prevention system and works on the network instead of the host. An ACL is an access control list and is used to allow or deny traffic through a router or grant/deny permissions to resources.

Which of the following describes an alternate processing site that is instantly available in the event of a disaster? A. Reciprocal site B. Cold site C. Warm site D. Hot site

D is correct. A hot site is an alternate processing site that can function almost immediately after a disaster and has equipment and data prepositioned, as well as full utilities. A, B, and C are incorrect. Cold sites have only space and utilities available and take longer to activate. Warm sites have space, utilities, and possibly some equipment and furniture, but still need equipment, personnel, and data transferred, so they cannot be activated instantly. Reciprocal sites are alternate locations provided by and in agreement with another organization and are typically co-located with that organization.

Which of the following cannot identify patterns alone and requires other data and event sources to identify trends and patterns? A. Trend analysis B. Qualitative analysis C. Quantitative analysis D. Log analysis

D is correct. A log analysis can't identify patterns alone and requires other data and event sources to identify trends and patterns. A, B, and C are incorrect. Trend analysis involves looking at data from various sources, including device logs, to identify patterns over a period of time. Both qualitative and quantitative analyses are risk assessment techniques.

Several of your users have reported a virus attack on their workstations, and their home data directories have been deleted. Comparing the log files from the workstations, you realize the attacks all occurred at the exact same time. Which of the following malware types could be the issue? A. Back door B. Rootkit C. Macro virus D. Logic bomb

D is correct. A logic bomb program will not activate until a specific trigger is set off (for example, reaching a specific time or date or starting a program a specific number of times). A, B, and C are incorrect. A back door or rootkit provides unauthorized access for a remote user. A macro virus would not activate on several computers simultaneously.

You are setting up a remote access connection to a nearby branch office so that you can perform administration on their network without having to physically be at the branch office. Which of the following is the best deterrent for man-in-the-middle network attacks on your remote access connection? A. Authenticate to a local credentials database. B. Log the messages from console access at the branch office. C. Authenticate to a centralized LDAP server. D. Encrypt the connection.

D is correct. A man-in-the-middle attack is performed by a hacker who uses a protocol analyzer to intercept network packets before they reach their destination. Use encryption to make sure that the hacker cannot read the intercepted packets. A, B, and C are incorrect. None of these methods will stop the hacker from reading intercepted network packets.

Which of the following is a non-contractual agreement between two parties that indicates the intended approach of both parties with respect to an issue? A. BPA B. ISA C. SLA D. MOU

D is correct. A memorandum of understanding (MOU) is a legal document used to describe a bilateral agreement between parties. A is a business partnership agreement, a legal agreement between partners that establishes the terms, conditions, and expectations of the relationship between the partners. B is an interconnection security agreement, a specialized agreement between organizations that have connected IT systems. C is a service level agreement, a negotiated agreement between parties detailing the expectations between them regarding the service provided.

All of the following are security measures designed to prevent data loss through removable media EXCEPT: A. Encryption B. Policies C. Operating system restrictions D. Protocol analysis

D is correct. A protocol analyzer captures and analyzes network traffic and cannot provide security for data on removable media. A, B, and C are incorrect. All of these measures are used to minimize data loss from removable media. Policies state under what circumstances, if any, removable media can be used. Encryption is used to protect data on removable media, and operating system restrictions may disable writing to or prevent the use entirely of removable media.

Which type of cloud service is usually operated by a third-party provider that sells or rents "pieces" of the cloud to different entities, such as small businesses or large corporations, to use as they need? A. External B. Private C. Community D. Public

D is correct. A public cloud is operated by a third-party provider who leases space in the cloud to anyone who needs it. A, B, and C are incorrect. An external cloud is not a valid type of cloud and could be a public, private, or community cloud. A private cloud is for use only by one organization and is usually hosted by that organization's infrastructure. A community cloud is for use by similar organizations or communities, such as universities or hospitals, that need to share common data.

Which of the following statements best describes a quantitative risk assessment? A. An assessment that assigns arbitrary weighted factors to threats, vulnerabilities, and exposures B. An assessment that uses statistical probabilities to calculate likelihood of risk C. An assessment that uses subjective probability and impact values, such as high, medium, and low D. An assessment that uses dollar figures and calculates risk in terms of loss

D is correct. A quantitative risk assessment examines risk in terms of dollar loss to an organization. A, B, and C are incorrect. A qualitative risk assessment is one that uses subjective probability and impact values, such as high, medium, and low. Assessments that use weighted factors or statistical probabilities are not valid choices in this context.

Which of the following terms is defined as something that can cause harm to an asset? A. Risk B. Vulnerability C. Loss D. Threat

D is correct. A threat is defined as an entity or event that has the potential to cause harm or damage to an asset. A threat could cause the organization to suffer a financial loss. A, B, and C are incorrect. Risk is the possibility that a threat could harm an asset. A vulnerability is a weakness in the system. A loss is what damage occurs when a vulnerability is exploited by a threat.

A policy is which type of security control? A. Operational B. Physical C. Logical D. Administrative

D is correct. Administrative controls (also called managerial controls) include security policies. A, B, and C are incorrect. Operational and physical controls are sometimes referred to together and may cover items such as backups, physical access, environmental controls, and so on. Logical controls, also called technical controls, cover security measures such as firewalls, permissions, and so forth.

Which encryption algorithm can have key sizes of 128, 192, and 256 bits, with the key size affecting the number of rounds used in the algorithm? A. IDEA B. PGP C. Blowfish D. AES

D is correct. Advanced Encryption Standard has 128-, 192-, and 256-bit keys; the key length dictates the number of rounds the algorithm uses for encryption. A, International Data Encryption Algorithm, uses 128-bit keys. B, Pretty Good Privacy, uses IDEA. C uses a variable key length, up to 448 bits.

Which of the following statements best describes an XML injection attack? A. An attack that exceeds the memory allocated to an application for a particular function, causing it to crash. B. An attack that uses unexpected numerical results from a mathematical operation to overflow a buffer. C. An attack on a database through vulnerabilities in the Web application, usually in user input fields. D. An attack that involves sending malicious XML content to a Web application, taking advantage of any lack of input validation and XML parsing.

D is correct. An XML injection attack involves sending malicious XML content to a Web application, taking advantage of any lack of input validation and XML parsing. A, B, and C are incorrect. A buffer overflow attack exceeds the memory allocated to an application for a particular function, causing it to crash. Although similar to a buffer overflow attack, answer B describes an integer overflow attack, which uses unexpected numerical results from a mathematical operation to overflow a buffer. A SQL injection attacks a database through vulnerabilities in the Web application, usually in user input fields.

Which of the following security measures do you implement to protect sensitive health data when using e-mail to transfer it outside of your organization? A. Use HTTPS. B. Use an inbound e-mail content filter. C. Hash e-mail messages and attachments. D. Use encryption.

D is correct. Any e-mail messages containing sensitive data must be encrypted when sent outside of the organization to protect the confidentiality of the data. A, B, and C are incorrect. HTTPS is used to encrypt web sessions. An e-mail content filter is used to filter inbound e-mail, but you require encryption controls on outbound messages. Hashing protects only the integrity of the messages, not the confidentiality.

Which type of log would list failed logon attempts? A. Access log B. Event log C. Application log D. Audit log

D is correct. Audit logs record security-related activity such as logon attempts or file access. A, B, and C are incorrect. They would not contain failed logon attempts.

Permission auditing is not useful for which of the following? A. Following the "trust but verify" philosophy B. Helping to ensure that users have been granted the correct privileges and rights required to perform their assigned duties C. Large corporations or positions with a high rate of turnover or employee movement D. Identifying users with evil intentions

D is correct. Audits cannot determine user intentions; they can only determine what permissions the users should have based on logical factors. A, B, and C are all advantages of privilege auditing.

Which of the following is the process in which users verify their identity to a system, typically at logon? A. Recognition B. Authorization C. Identification D. Authentication

D is correct. Authentication is the process of users proving their identity to a system. A is a distractor. B is the step after authentication. C is the one-time process used to establish credentials on a system.

Which of the following desired attributes would make an organization most likely to move to a cloud provider? A. Control B. Accountability C. Responsibility D. Availability

D is correct. Availability is the most likely attribute gained through potential redundancy and continuity of operations planning that's (hopefully) inherent within the cloud environment. Cloud computing usually increases availability of data for users, since it is typically built on highly available, redundant infrastructures. A, B, and C are incorrect. Accountability and responsibility can be established through effective security controls and well-written service-level agreements. Users lose a large measure of control by moving to the cloud.

You are modifying the backup schedule for the thirteen Windows and seven UNIX servers in your server room. Full backups will occur Saturdays at 9:00 A.M. and incremental backups will occur every weekday starting at 7:00 P.M. Each server contains an average of 400GB of data. Backup tapes are stored in a safe down the hall in the IT manager's office. What problems exist with this scenario? A. Incremental backups must be used with differential backups. B. There is not enough time to perform incremental backups if the start time is 7:00 P.M. C. Differential backups can be used only with full backups. D. Backup tapes should be stored offsite.

D is correct. Backup tapes (or a verified copy of them) must be stored at an alternate location in case of fire or flood damage, to name just a few possibilities. Organizational data files as well as virtual machine snapshots are often stored on backup media, including in the cloud. A, B, and C are incorrect. Incremental backups work with full backups just as differential backups do, but they should not be used together. In the scenario we are not given specifics as to backup speeds, but given that incremental backups are being used for a relatively small amount of data, there should be plenty of time for the backups to complete.

You have recently had several instances of macro viruses within word processing documents infecting users' computers. Which of the following can you implement to help mitigate future instances of this issue from occurring? A. Host-based firewall B. Anti-spam software scanning of inbound e-mail messages C. Regular full-computer virus scanning D. Application baseline with macros disabled

D is correct. By installing your word processing applications with a baseline that prohibits the use of macros, you ensure that whenever users receive a document with a macro, it will be prevented from running. A, B, and C are incorrect. A host-based firewall will not prevent a macro virus from being run, and anti-spam software will not detect macro viruses in e-mail attachments. Also, even though the user's computer is clean, she can receive a macro virus from another user before the next scheduled scan and that macro virus might evade live scanning services.

The policies and procedures associated with reducing the risk of unauthorized changes to production systems are referred collectively as? A. Security controls B. Incident management C. Least privilege D. Change management

D is correct. Change management comprises the policies and procedures associated with reducing the risk of unauthorized changes to production systems. Organizations commonly have a change control board (CCB) to approve all production changes and ensure the change management procedures are followed before changes are introduced to a system. A is the generic name for all controls associated with reducing risk, not just those associated with unauthorized changes to production. B is about dealing with systems that are not operating correctly (regardless of cause), not about unauthorized changes to production systems. C is about limiting a user to the least amount of privilege they need to perform their job.

Which of the following formal management efforts is a formalized process that involves both long-term and short-term infrastructure changes? A. Upgrade management B. Account management C. Patch management D. Change management

D is correct. Change management is a formalized process that involves both long-term and short-term infrastructure changes, as well as configuration changes to hosts and networks. A, B, and C are incorrect. Managing upgrades is part of a formal change and configuration management process. Account management is the process of provisioning and maintaining user accounts on the system. Patch management is the formal effort designed to remediate vulnerabilities and other software flaws on a regular basis.

For centralized authentication services, you want to use an encrypted authentication service to securely authenticate remote access users who connect to your office via a VPN. Which of the following authentication services do you use? A. Local username and password B. LDAP C. PAP D. LDAPS

D is correct. LDAPS uses SSL to encrypt authentication communications. This ensures that client credentials, such as usernames and passwords, are not sent in clear text over the network. A, B, and C are incorrect. These methods do not use secure encrypted channels.

Your company allows a number of employees to telecommute, and others travel extensively. You have been tasked with finding a centralized solution that will allow access to shared data over the Internet. Which of the following is best? A. NAT B. Virtualization C. Subnetting D. Cloud services

D is correct. Cloud services can enable users to perform their work via a browser, from anywhere they have Internet connectivity. This can be configured either to allow a local copy along with the cloud copy of the data, or the data can be edited directly within the cloud. A, B, and C are incorrect. Virtualization allows multiple virtual machines to run on the same piece of hardware. Subnetting and network address translation (NAT) are important, but incorrect, security concepts.

Which of the following techniques is effective at determining vulnerabilities before code is released to testing and production? A. Fuzzing B. Determining attack surfaces C. Secure Development Lifecycles D. Code reviews

D is correct. Code reviews, both manual and automated, can occur early in the development process and find errors before code is shipped to testing. A is a testing technique. B is incorrect because attack surfaces are a metric. C is a process.

You are developing a web application that requires strong security controls. Which of the following secure coding practices helps prevent cross-site request forgery (XSRF) attacks? A. Cookie privacy B. Fuzzing C. Input validation D. Session cookie authentication

D is correct. Cross-site request forgery (XSRF) is a type of attack that tricks a user into navigating to a website that contains malicious code. To prevent XSRF attacks, a web application must verify that a request came from an authorized user. Web applications can require a second identifying value saved in a cookie that is compared with every single request to the website. A, B, and C are incorrect. Fuzzing is a method of testing input validation, whereas cookie privacy controls will not help prevent a cross-site request forgery attack. Input validation checks the input into a form meets requirements and does not allow XSS or other attacks from a malicious input.

Which type of attack exploits an authenticated connection a user has to a web site? A. DoS B. Cross-site scripting C. Directory traversal D. Cross-site request forgery

D is correct. Cross-site request forgery attacks work by submitting data to a web site (for example, by manipulating a URL) from an authenticated trusted user without that user's knowledge. The malicious code that performs this attack could be executed by tricking the user into clicking a link in an e-mail message or on a web site. A, B, and C are incorrect. DoS attacks render a host unusable for legitimate users, often by flooding a host with useless data or making a large number of half-open requests. Cross-site scripting attacks occur when malicious users embed malicious code in a web site that accepts user input. Other users viewing content on that web site (for example, a discussion group forum) will see what appears to be a valid hyperlink that is in fact malicious code.

Which measure should be in place to prevent cross-site scripting attacks? A. Enable personal host-based firewalls. B. Update virus scanners. C. Disable registry editing tools to prevent cookie theft. D. Web sites should validate user input before allowing submissions.

D is correct. Cross-site scripting attacks involve an attacker injecting malicious code to a web site that others then visit. The malicious code could then possibly run on a victim's computer. Web site developers must validate submitted user data to ensure that malicious code is not being uploaded to the web site. A, B, and C are incorrect. Host-based firewalls, virus scanners, and registry editing tools will not mitigate cross-site scripting attacks.

Which of the following is the best method to mitigate DNS attacks? A. Encrypting host files B. Using reverse DNS resolution C. Encrypting DNS lookups D. Secure authenticated zone transfers

D is correct. DNS poisoning attacks can be mitigated by ensuring that your DNS server updates its information only from authoritative sources by proper authentication or the use of secure communications. A, B, and C are incorrect. Encrypting host files or DNS lookups would have no effect on DNS server poisoning. Reverse DNS resolution is a normal practice to resolve IP addresses to host names and would not prevent DNS poisoning.

For which of the following should employees receive training to establish how to handle end-of-life and unnecessary data? A. Clean desk policies B. Protection of personally identifiable information on social media C. Information classification D. Data disposal

D is correct. Data disposal guidelines explain how different classifications of data should be properly disposed of to ensure that data is not later pieced together or recovered and exploited. A, B, and C are incorrect. Clean desk policies often dictate how sensitive information should be stored after hours and while uncleared visitors are near the area. Protection of personally identifiable information on social media would be part of an organization's social media policy. An organization's information classification policy not only outlines what level of security protections certain data receives, but it also serves to instruct employees on how to treat sensitive data.

PaintCo is a company specializing in outdoor industrial paint services with headquarters in Pittsburgh and branch offices in Detroit and Los Angeles. Detroit users in the Sales and Marketing departments require read access to current industry trend documentation on a server in Pittsburgh. Detroit Sales users require read/write access to a sales database in Los Angeles. Which method best accomplishes this task? A. Add the Sales and Marketing users to the Administrators group. Grant the Administrators group read permissions to the documentation and sales database. B. Add Sales users to a Sales group, add Marketing users to a Marketing group. Grant the Sales and Marketing groups read permissions to the documentation and sales database. C. Sales and Marketing users in Detroit already have read access to the documentation. Sales users already have read and write access to the sales database. D. Add Detroit Sales users to a Detroit_Sales group; add Detroit Marketing users to a Detroit_Marketing group. Grant the Detroit_Sales and Detroit_Marketing groups read access to the documentation in Pittsburgh. Grant the Detroit_Sales group read and write access to the sales database in Los Angeles.

D is correct. Detroit Sales and Marketing users should be in their own groups, since Sales users must have read/write access to the sales database and both Sales and Marketing users require read access to documentation. Each group can then be granted the appropriate permissions to the appropriate resources. A, B, and C are incorrect. They do not represent the best strategy for assigning group permissions.

Your users have home directories on server ALPHA. You have set the security such that users have full control over file permissions in their own home directories. Which term best describes this configuration? A. Mandatory access control B. Role-based access control C. User access control D. Discretionary access control

D is correct. Discretionary access control (DAC) gives the resource owner (the user owns their home directory and its contents) control of assigning permissions to that resource. A, B, and C are incorrect. Mandatory access control (MAC) is a model whereby administrators or computer operating systems determine what permissions are granted in accordance with established policies. Role-based access control (RBAC) assigns permissions to a role. The occupant of that role inherits those permissions. User access control is a Windows Vista, Windows 7, and Windows Server 2008 mechanism that requires administrator approval to modify operating system configurations.

What type of evidence in a computer forensics investigation directly supports a particular assertion? A. Exculpatory evidence B. Inculpatory evidence C. Demonstrative evidence D. Documentary evidence

D is correct. Documentary evidence directly supports or proves a definitive assertion. A, B, and C are incorrect. Exculpatory evidence proves innocence. Inculpatory evidence proves guilt. Demonstrative evidence, which can be in the form of charts, graphs, drawings, and so forth, is used to help nontechnical people, such as the members of a jury, understand an event.

Which technique can reveal internal business procedures and computing configurations? A. Tailgating B. Shoulder surfing C. Phishing D. Dumpster diving

D is correct. Dumpster diving involves analyzing discarded documentation to learn of a company's operations, employee names, e-mail addresses, and so on. A, B, and C are incorrect. Tailgating refers to an unauthorized person following an authorized person to gain access to restricted areas. Shoulder surfing refers to observing somebody as she enters secure access codes or usernames. Phishing refers to tricking people into revealing personal information. Phishing scams often manifest themselves as links in e-mail messages that take users to what appears to be a legitimate web site asking for personal codes or information.

A technician wants to employ the existing PKI infrastructure with the new wireless network. Which wireless security options require the use of PKI certificates? A. WEP B. WPA PSK C. WPA2 PSK D. EAP-TLS

D is correct. EAP-TLS (Extensible Authentication Protocol - Transport Layer Security) can use PKI certificates to secure communications. A, B, and C are incorrect. WEP (Wired Equivalent Privacy) and WPA (Wi-Fi Protected Access) with pre-shared keys (PSKs) do not use PKI; the pre-shared key is a passphrase.

What is the biggest difference between EAP-TLS and EAP-TTLS? A. EAP-TTLS needs server and client certifcates; EAP-TLS only needs server certifcates. B. EAP-TTLS can use unsigned certifcates; EAP-TLS must have third-party signed certificates. C. EAP-TLS can use unsigned certifcates; EAP-TTLS must have third-party signed certificates. D. EAP-TLS needs server and client certifcates; EAP-TTLS only needs server certifcates.

D is correct. EAP-TLS needs server and client certificates; EAP-TTLS only needs server certificates. A, B, and C are incorrect. The EAP standard does not define the use of signed or unsigned certificates, although most implementations require signed certificates.

ECC is particularly suited for use in securing what? A. Mainframes B. Digital contract signatures C. Passwords D. Mobile devices

D is correct. ECC calculations require relatively less power, making ECC ideal for low-power devices, such as mobile devices. A, B, and C are incorrect. Although used on mainframes, ECC is primarily designed and used in low-power situations where transmission errors may occur, as in mobile devices. Elliptic curve cryptography (ECC) is not used for passwords as it is not a hashing function, and also not part of any digital signature methodology, hence B is also incorrect.

NAC can include all of the following except: A. Agentless B. Dissolvable agents C. Host health checks D. Encryption agents

D is correct. Encryption agents is a distractor created form relevant terms. NAC can involve agent/agentless deployments, can use dissolvable or permanent agents, and can employ system/host health checks. A, B, and C are incorrect because these are all NAC factors.

Which phase of the incident response process involves removing the problem, which in today's complex system environment may mean rebuilding a clean machine? A. Containment B. Recovery C. Mitigation D. Eradication

D is correct. Eradication involves removing the problem, and in today's complex system environment, this may mean rebuilding a clean machine. A involves preventing the issue from spreading to other machines or accounts. B includes the steps necessary to return the systems and applications to operational status. C is not a phase in the incident response process.

After a crash of your web application, the end user sees a detailed error message including a directory path to the configuration files for the application. Which of the following security techniques should you implement to further protect your application? A. Input validation B. Fuzzing C. Escaping D. Error and exception handling

D is correct. Error messages must be informative to the user, but system details should never be revealed. Error and exception handling should be improved in the event of a crash or malfunction. A, B, and C are incorrect. Input validation makes sure that users can't enter illegal characters into application input fields. Fuzzing is used to test input validation through the entry of random characters. Escaping is a technique used when processing input fields to process command characters inserted into the input as text data to prevent commands from being run.

All of the following are advantages to using NAT, EXCEPT: A. Internal network addresses are hidden from the public. B. Specific network traffic can be sent to a particular internal address and port. C. Public IP addresses can be more effectively used by the organization. D. Firewalls and other security devices are not required.

D is correct. Even when using NAT, firewalls and security devices are required on a network boundary. A, B, and C are incorrect. All of these are advantages to using NAT.

You have a small office consisting of about 25 users. You need to utilize mail encryption to allow specific users to encrypt outbound e-mail messages, but you do not need an expensive onsite encryption server. Which of the following applications can you implement? A. HTTPS B. POP/IMAP C. WPA2 D. PGP/GPG

D is correct. Pretty Good Privacy or GNU Privacy Guard provides a low-cost or open-source alternative for allowing users to encrypt their e-mail messages. A, B, and C are incorrect. HTTPS provides encryption for web communications. POP/IMAP are mail client access protocols that are not encrypted, and WPA2 (Wi-Fi Protected Access version 2) provides encryption for wireless networks.

Which procedure ensures that evidence is collected and protected properly to avoid tampering? A. Due diligence B. Order of volatility C. Incident response D. Chain of custody

D is correct. Evidence must be collected in a strict and orderly manner from initial acquisition to storage and analysis. This is referred to as chain of custody and serves to ensure that evidence is authentic and legitimate. A, B, and C are incorrect. The study of relevant data before committing to a business or legal contract is referred to as due diligence, but there is no correlation to the collection of evidence. The order of volatility requires that the most volatile evidence be gathered first—for example, the contents of electronic memory (RAM) versus hard disk data. The orderly management of security breaches is referred to as incident response. This does not imply the gathering of evidence.

Which of the following fire suppression chemicals widely replaced halon in data center fire suppression systems? A. Water B. Shalon C. Carbon dioxide D. FM-200

D is correct. FM-200 generally replaced halon in data center fire suppression systems. A, B, and C are incorrect. Water is still used to combat certain classes of fires, but it did not replace halon. Shalon doesn't exist. Carbon dioxide is used to combat both liquid and electrical fires, but it did not replace halon.

What is a common security implication for many alternative environments? A. They are seldom encountered. B. Their unique nature makes them difficult to hack. C. Failures are hard to detect. D. Failures can affect lives and property.

D is correct. Failures in transportation systems (cars, aircraft), medical devices, and many cyberphysical systems can result in damage to property or people. A is incorrect because there are lots of these systems all around us—we just don't necessarily notice them. B is incorrect because many of them are based on stripped Linux systems. C is incorrect because the failures can be seen most times in the malfunction of the device under control

Proper environmental controls for server rooms include, but are not limited to, which of the following? A. Fire suppression, and temperature, humidity, and noise controls B. Fire suppression, HVAC system, and multiple ISP connections C. Security guards, and temperature, humidity, and noise controls D. Fire suppression, temperature and humidity controls, physical security controls

D is correct. Fire suppression, temperature and humidity controls, and physical security controls all provide protection to the equipment. A is incorrect because noise controls are not necessary for the equipment. B is incorrect because multiple ISPs are not considered part of the environment. C is incorrect because noise controls are not necessary parts of the environment.

As the company's technical executive, you are researching risk management strategies and have come up with several security-related issues that need to be communicated with the organization. Which of the following mediums should you use to ensure these policies are followed? A. Social media posting B. Hard-copy rulebook available from human resources C. Company-wide memo via e-mail D. Organizational policies and training

D is correct. For the most effective risk management and training, organizational policies must be created, distributed, and used to educate your employees on how to conduct their day-to-day activities while being vigilant about security. A, B, and C are incorrect. These methods don't ensure that the policies will be read, understood, or implemented.

You are developing a web application that contains a web form with many input fields that are filled out by the end user. Which of the following methods can you use to make sure your input validation for the web form is secure? A. Escaping B. XML injection C. SQL injection D. Fuzzing

D is correct. Fuzzing is a testing technique used to test input validation by entering random, unexpected data into application fields to see how the software program reacts. A, B, and C are incorrect. These are actual application attacks and not testing techniques. SQL and XML injection refer to entering into input forms SQL and XML commands, respectively, that are erroneously executed by the application. Escaping refers to operating system commands entered into text fields that are processed as commands and not text.

Your web application has crashed after a user accidently cut and pasted a large paragraph of text into a small text field within the application. The _____ technique would help ensure that these types of input validation errors do not occur. A. Escaping B. Command injection C. Transitive access D. Fuzzing

D is correct. Fuzzing is used to test input validation through the entry of random and unexpected characters in all the input fields in your application. This ensures that all types of text are entered and tested to make sure they don't crash the application. A, B, and C are incorrect. Escaping recognizes specific types of command characters that have been inserted into input fields and parses them as simple text data, thus preventing the commands from executing. Command injection attacks work to execute malicious commands through vulnerable applications. Transitive access occurs when a user is inadvertently given advanced access to another part of the application or the system on which it is hosted. You must ensure that your application does not allow transitive access in the event of a crash or malfunction.

Lars is a member of two groups: Mechanics and San_Diego. The following NTFS permissions are set on a folder called "Flight Data": Mechanics - Modify San_Diego - Read, List Folder Contents Everyone - Read What permissions will Lars have to the contents of the Flight Data folder? A. Modify B. Read, List Folder Contents C. Read D. All listed permissions

D is correct. Group privileges are simply combined when a user is a member of multiple groups. On Windows systems, if any group were listed with a Deny access, this would take precedence. A, B, and C are incorrect. Group privileges are combined—members get the highest privilege.

Which of the following regulations would guide a healthcare organization to protect the confidentiality of stored patient data adequately? A. RMF B. Sarbanes-Oxley C. PCI D. HIPAA

D is correct. HIPAA regulates the protection of patient data in the healthcare and health insurance industry. A, B, and C are incorrect because RMF covers the risk management of U.S. Department of Defense systems; Sarbanes-Oxley and PCI are involved with financial data.

Which of the following documents is used to determine your most critical business functions and is used to help build your DRP? A. Business continuity plan B. Backup recovery plan C. Business function assessment D. Business impact analysis

D is correct. The BIA outlines what the loss of any of your critical functions will mean to the organization and is used in the development of the disaster recovery plan (DRP). A is a high-level document. B is a nonsensical distractor. C does not directly address the question.

A technician is researching new rack mount servers to determine the maximum BTU value of all servers in the server room. Which related item should the technician consider? A. Required server processing speed B. Network bandwidth requirements C. Fire suppression D. HVAC

D is correct. HVAC (heating, ventilation, air conditioning) must be considered when discussing server BTUs (British thermal units). BTUs measure thermal energy (heat), and your server room air conditioning must be able to displace the BTUs generated by your computing equipment; otherwise, the server room will be much too warm for your equipment. A, B, and C are incorrect. BTUs are not related to the network or server processing speed. Fire suppression systems are critical to minimize fire and smoke damage, but BTUs are directly related to climate control (HVAC).

Which of the following protocols would you use to encrypt VPN traffic? A. S/MIME B. SSH C. MD5 D. Ipsec

D is correct. IPsec provides encryption, integrity, and authentication for data tunneled over VPNs across public networks. A, B, and C are incorrect. S/MIME is used for encrypting e-mail, SSH allows secure remote access, and MD5 facilitates hashes to allow for integrity.

You need to encrypt the sensitive data on a database server. After you enable encryption on the database server, which of the following actions should you perform next? A. Create a hash of the database files. B. Encrypt SQL injection commands. C. Store the encryption key in the database. D. Encrypt the nightly backup of the database server.

D is correct. If a hacker were to gain access to your backup media, the data there would also be encrypted. You must protect both the primary data storage and its backup with encryption. A, B, and C are incorrect. There is no need to hash the database files unless you need to protect their integrity during transmission. SQL injection is a type of attack against database servers that injects database commands into queries. The encryption key would not be stored within the database itself.

You have discovered that one of your internal file servers has been breached. According to the access logs and the time of the incident, it appears that the attack has come from an employee internal to the organization. Which of the following actions should you perform? A. Inspect the suspect user's e-mail messages. B. Inspect the suspect user's files in his home directory. C. Confront the user. D. Contact human resources.

D is correct. If the suspect is an internal employee, the human resources department should be contacted immediately as part of the incident response policy to decide whether to keep the organization's investigation internal or to contact the authorities and any other outside agencies to aid in the investigation. A, B, and C are incorrect. A and B are incorrect because you should not inspect another employee's e-mail or files without proper authorization from human resources. C is incorrect because the issue must be escalated to human resources before any sort of confrontation with the suspect user that may jeopardize your legal case against him.

Which term describes a fully configured environment, similar to the normal operating environment, that can be operational immediately or within a few hours depending on its configuration and the needs of the organization? A. Parallel site B. Warm site C. Cold site D. Hot site

D is correct. Immediate operational capability is associated with a hot site. A is a nontechnical term with no specific meaning in systems security. B can take up to days to come online. C can take weeks to come online.

Which of the following requires team members to go through the motions of fulfilling the responsibilities and conducting the activities required during an actual incident or disaster? A. Tabletop exercise B. Documentation review C. Full-scale test D. Walkthrough test

D is correct. In a walkthrough test, team members go through the motions of fulfilling the responsibilities and conducting the activities required during an actual incident or disaster. A, B, and C are incorrect. A tabletop exercise is a type of group review. The documentation review is the simplest form of test, in which the business continuity plan, disaster recovery plan, and associated documents are reviewed by relevant personnel including managers, recovery team members, and anyone else who may have responsibilities directly affecting plans. In a full-scale test, all personnel are usually involved and may actually conduct activities as they would during a real incident. This type of test is more complex and normally requires extensive resources, such as people and equipment, so it is typically conducted infrequently.

If a system has 10,000 users with 10,000 distinct passwords, the __________ scenario shows why a lower than expected number of attempts will be needed to breach the system. A. Hybrid attack B. Transitive attack C. Brute-force attack D. Birthday attack

D is correct. In the birthday attack scenario, any match will do, so the attacker doesn't care which account matches. This cuts the number of attempts needed to achieve success. A, B, and C are all attacks, but not directly related to reducing the attack space for this type of attack.

All of the following are steps in collecting digital evidence EXCEPT: A. Seize the evidence. B. Acquire the evidence. C. Verify the evidence. D. Judge the evidence.

D is correct. Judging the evidence is not the job of the computer forensics examiner, and this is not a step involved in collecting the digital evidence. A, B, and C are incorrect. All of these are valid steps in collecting digital evidence. The major steps are to seize evidence from the scene, acquire it using forensically proven processes, verify that the acquired evidence is identical to the original through hashing tools, analyze the evidence, and report the findings.

After a recent hacking attack on a web server, you have discovered that the hacker exploited a security flaw with the underlying operating system running on the server. Which of the following actions should you take? A. Upgrade to the latest major version of the OS when it is released. B. Use your firewall to block port access to the exploit. C. Update the web application software to resolve the issue. D. Apply an OS patch to resolve the issue.

D is correct. Keep your operating system up to date with the latest software updates or patches. If a security flaw is discovered, the OS vendor will release a patch as quickly as possible to resolve the issue. A, B, and C are incorrect. A is incorrect because the flaw will remain open for exploitation until you upgrade. B is incorrect because the underlying flaw still exists and could be exploited by bypassing the firewall. C is incorrect because the security issue is with the operating system of the server, not the web application.

Kerberos is used to perform what function in a system? A. Mandatory access control (MAC) B. Single sign-on (SSO) C. Biometrics D. Authentication

D is correct. Kerberos is a system designed to provide authentication and authorization services in an enterprise. Although A, B, and C may be involved with Kerberos, they are not exclusive to Kerberos.

Your company must have the ability to examine outbound Internet traffic to ensure attempts to access inappropriate web sites are blocked. What should you configure? A. Layer 2 firewall B. Layer 3 firewall C. Layer 4 firewall D. Layer 7 firewall

D is correct. Layer 7 (Application) of the OSI model refers to application-specific functionality, such as a web browser connecting to a specific URL. A, B, and C are incorrect. Layer 2 (Data Link) deals with packet headers such as the Ethernet header, which contains source and destination MAC addresses primarily. Layer 3 (Network) deals with IP addresses and routing, but not specific URLs for inappropriate web sites. Layer 4 (Transport) deals with TCP and UDP details including port numbers, but not URLs.

Which security principle allows the discovery of potentially inappropriate or fraudulent activity committed by employees? A. Job rotation B. Data loss prevention C. Separation of duties D. Mandatory vacations

D is correct. Mandatory vacations allow the potential discovery of irregularities in a job role by whoever fills that role while an employee is on vacation. A, B, and C are incorrect. Job rotation exposes employees to the overall operations of a business, thus making them more knowledgeable. Data loss prevention (DLP) protects sensitive data such as medical or financial information by preventing its dissemination. Separation of duties ensures that no single employee is responsible for a complete transaction (including the related accounting entries).

Which of the following protocols is used with PPTP to provide encryption services? A. SSH B. SSL C. IPSec D. MPPE

D is correct. Microsoft Point-to-Point Encryption (MPPE) protocol is used to provide encryption services for Point-to-Point Tunneling Protocol (PPTP), which is used in VPN implementations. A, B, and C are incorrect. SSH and SSL are not used in PPTP or VPN implementations. IPSec is used as the encryption protocol in L2TP VPNs, but not with PPTP.

To increase response time to your public web site, you decide to purchase three network load-balancing appliances to match your three web servers. Your web site is registered with the name www.faroutwidets.com using IP address 216.76.0.55. What IP addresses should the public interface of each load balancer assume? A. 216.76.0.56, 216.76.0.57, 216.76.0.58 B. 216.76.0.52, 216.76.0.53, 216.76.0.54 C. 216.76.0.55, 216.76.0.56, 216.76.0.57 D. 216.76.0.55, 216.76.0.55, 216.76.0.55

D is correct. Network load balancers (NLBs) should accept client requests to the requested service (216.76.0.55); thus, they must all be configured to listen on the same virtual IP address. Incoming client requests are then distributed to the least busy back-end web servers. When multiple load balancers are used, active/active configurations mean all load balancers are active simultaneously. Active/passive means only one load balancer is active; the passive node becomes active when the active node goes down. A, B, and C are incorrect. These addresses should not be used; 216.76.0.55 should be used for all three NLB public interfaces.

Which OCSP feature caches validated certificates and uses this for client queries? A. Pinning B. Trust model C. Self-signing D. Stapling

D is correct. OCSP stapling is initiated by a certificate holder to the CA and the response is cached and then provided to client queries. A, B, and C are incorrect. Pinning is a technique used to associate hosts with their public keys. This can be done by client-side applications. The PKI trust model is a hierarchy of certificates that share a common trusted certificate authority (CA) root certificate. Self-signed certificates are not generated by a third-party CA.

Which of the following is a key difference between WPA and WPA2? A. PSK and enterprise implementation B. Ability to use EAP C. Improved security over WEP D. Use of AES encryption

D is correct. One of the key differences between WPA and WPA2 is that WPA uses TKIP, while WPA2 uses AES to encrypt wireless traffic. A, B, and C are incorrect. Both WPA and WPA2 support the use of both preshared keys and enterprise authentication with EAP (using 802.1X), as well as strong encryption, making them both a security improvement over WEP.

You have organizational policies designed for management of user account permissions and access rights, but you have discovered that they are rarely followed and that many users have improper user and group permissions assigned. Which of the following activities can you perform on a regular basis to make sure your policies and procedures are being adhered to? A. User training B. Penetration testing C. Job rotation D. Regular audits

D is correct. Only by performing regular audits and reviews of user permissions can you be sure that your organizational policies are being adhered to. Regular audits ensure that any security lapses in account management are quickly resolved. A, B, and C are incorrect. Training, penetration testing, and job rotation will not reveal where organizational policies are not being adhered to.

All of the following are steps in creating and maintaining a business continuity plan (BCP) EXCEPT: A. Project initiation B. Business impact assessment C. Test the plan D. Develop policies

D is correct. Policies are usually developed when the business begins and are updated and maintained as the business environment changes. Policies can indirectly affect BCPs, but are not a specific step in the process of developing them. A, B, and C are incorrect. All of these are steps in developing a business continuity plan. The major steps are project initiation, business impact assessment, develop the plan, test the plan, and maintain the plan.

You are running a port scanner on your Apache web server and you find the following ports open and accepting connections: 80, 443, 22, and 23. Which of these ports is not required on the web server and should be disabled to prevent hacking attempts? A. 443 B. 22 C. 80 D. 23

D is correct. Port 23 is used by Telnet, which is a very insecure remote access utility that sends its data in clear text. It is not required on the web server and should be disabled to prevent Telnet hacking attempts. A, B, and C are incorrect. A is incorrect because port 443 is used by HTTPS for secure web communications. B is incorrect because port 22 is used for SSH, a secure version of Telnet. C is incorrect because port 80 is used by HTTP for web communications.

You are the security administrator for a small business. You want to provide your users with the ability to encrypt outbound e-mail messages, but the company cannot afford an expensive encryption solution. Which of the following is the best option? A. HTTPS B. POP/IMAP C. WPA2 D. PGP/GPG

D is correct. Pretty Good Privacy (or GNU Privacy Guard) is a low-cost solution that enables encrypted e-mail messages. A, B, and C are incorrect. HTTPS provides encryption for Web communications, not e-mail. POP/IMAP are unencrypted mail client access protocols. WPA2 provides encryption for wireless networks, not e-mail.

What type of server provides centralized authentication services for devices such as Ethernet switches and wireless routers? A. DNS B. LDAP C. HTTP D. RADIUS

D is correct. RADIUS (Remote Authentication Dial-In User Service) servers provide centralized authentication. RADIUS clients such as wireless routers and Ethernet switches forward client requests to a RADIUS server for authentication before allowing network access. This type of authentication is a variation of network access control (NAC). Checking requesting clients for other items such as applied updates, up-to-date virus signature databases, and so on, requires a client agent. A, B, and C are incorrect. DNS servers generally resolve FQDNs (fully qualified domain names) to IP addresses. LDAP (Lightweight Directory Access Protocol) servers are network repositories of network configuration information such as user accounts, groups, and so on. LDAP servers can also be RADIUS servers, but this is not implied automatically. HTTP (Hypertext Transfer Protocol) web servers do not centrally authenticate users or computers.

All of the following are characteristics of the RADIUS authentication protocol, EXCEPT: A. RADIUS encrypts user passwords during the authentication process. B. RADIUS accepts earlier forms of authentication protocols, such as PAP. C. RADIUS uses UDP port 1812. D. RADIUS uses TCP port 1812.

D is correct. RADIUS does not use TCP. A, B, and C are incorrect. All of these are characteristics of the RADIUS protocol.

Which of the following identifies a security reason to perform a site survey to identify rogue access points? A. Signal propagation B. Interference C. Frequency overlap D. Bypass security controls

D is correct. Rogue wireless routers could be used by unauthorized individuals to access the network and bypass security controls such as firewalls. A, B, and C are incorrect. These issues may affect performance and can be important to security, but do not have a direct impact on securing the wireless network.

Administrators who grant access to resources by placing users in groups are using which type of access control model? A. Discretionary access control B. Mandatory access control C. Rule-based access control D. Role-based access control

D is correct. Role-based access control grants access to groups performing specific functions, or roles, but not to individuals. A, B, and C are incorrect. Discretionary access control allows data owners/creators to grant access to individuals or groups. Mandatory access control permits only administrators to grant access, based upon security labels. Rule-based access control grants access to resources based upon specific rules associated with the resource.

Which of the following is an access control model based upon various access control rules that apply to users, objects, and actions? A. Access approval list B. Access control list C. Metadata table D. Rule-based access control

D is correct. Rule-based access control is an access control model based upon various access control rules that apply to users, objects, and actions. A, B, and C are incorrect. An access control list (ACL) is a physical or logical list that details specific access levels individuals have to access objects. It is also used on network devices to determine which traffic from various users can enter and exit network devices and access internal hosts. Access approval lists and metadata tables are distractors and are not valid terms.

You are capturing network traffic to test connectivity to the corporate SSL-enabled web mail server. Your colleague Guido states that capturing the traffic is useless, since the entire packet is encrypted. Which of the following regarding SSL transmissions are true? A. The Ethernet header is encrypted. B. The IP header is encrypted. C. The UDP header is encrypted. D. The HTTP payload is encrypted.

D is correct. SSL can be used to encrypt the payload of web traffic. A, B, and C are incorrect. None of these headers is encrypted.

The Chief Information Security Officer (CISO) for your company has asked that you look into potential cloud providers that your company can subscribe to for anti-malware protection and anti-spam functionality. What type of cloud solution is this? A. Software as a Service B. Platform as a Service C. Infrastructure as a Service D. Security as a Service

D is correct. Security as a Service (SaaS) is a cloud solution that involves the cloud provider offering security solutions such as anti-malware, anti-spam, intrusion detection services, and penetration testing services. A, B, and C are incorrect. Software as a Service (SaaS) is when an application is provided by the cloud provider, such as Office 365 or Gmail. Platform as a Service (PaaS) provides the computing platform for a solution, such as a development platform or database server. Infrastructure as a Service (IaaS) involves the cloud provider providing virtualization solutions to its customers.

Which of the following is not a characteristic of effective signage? A. Signage should follow national and international standards for symbols and colors. B. Signage should be placed in well-lit areas and not obstructed by large objects. C. Signage should warn intruders away from restricted areas. D. Signage should indicate security checkpoints to report to in the event of an emergency requiring evacuation.

D is correct. Signage should indicate the location and route to emergency evacuation exits, not security checkpoints, in the event of an emergency requiring evacuation. A, B, and C are incorrect. All of these are valid characteristics of good signage.

What type of system is used for monitoring and notification of real-time data at a manufacturing site? A. SNMP B. Cloud computing C. Virtualization D. SCADA

D is correct. Supervisory Control and Data Acquisition (SCADA) consists of hardware and software components to acquire data, monitor equipment, and notify of any hazardous conditions that may exist. The data is gathered and manipulated in real-time. SCADA is often used in industrial control system (ICS) environments. A, B, and C are incorrect. Simple Network Management Protocol (SNMP) is used to monitor specific values, or counters, for network devices. Cloud computing offers IT services over a network. These services can be rapidly provisioned and deprovisioned from a self-service web portal, and usage is metered. Virtualizing enables multiple operating systems to run concurrently on a single set of computing hardware.

Which of the following is a logging facility found in UNIX and Linux systems? A. Centralized B. SIEM C. Decentralized D. Syslog

D is correct. Syslog is a logging facility found in UNIX and Linux systems, which can be used on either a centralized or decentralized basis. A, B, and C are incorrect. Centralized log management involves collecting logs from across the network into on system and being able to review them as a group. Security Information Event Management (SIEM) is a centralized method of obtaining logs and other data from disparate devices across the network. Decentralized log management means that logs are managed and reviewed on a host-by-host basis, rather than as a centralized, consolidated group.

Which of the following statements best defines the recovery point objective (RPO)? A. The RPO is the minimum amount of data the organization is expected to lose during a disaster or an incident. B. The RPO is the maximum amount of time the organization can afford to be down from normal processing. C. The RPO is the maximum allowable amount of data (measured in gigabytes) that the organization can afford to lose during a disaster or an incident. D. The RPO is the maximum allowable amount of data (measured in terms of time) that the organization can afford to lose during a disaster or an incident.

D is correct. The RPO is the maximum allowable amount of data (measured in terms of time) that the organization can afford to lose during a disaster or an incident. A, B, and C are incorrect. The RPO is the maximum amount of data, not the minimum, that can be lost during a disaster or an incident. RPO refers to data that can be lost, not time itself. RPO is measured in time, not gigabytes.

Which of the following is not typically found on a chain of custody form? A. An enumeration of who has handled the item B. Hash values of the material C. A description of the item D. An enumeration of items found during examination

D is correct. The chain of custody is used to document the handling of an item, not the findings. A, B, and C are all items on a chain of custody form.

Which key recovery concept requires a minimum number of personnel to facilitate a key recovery? A. Separation of duties B. Recovery agent C. Escrow D. M of N control

D is correct. The concept of M of N control requires a minimum number of personnel to participate in a key recovery. For example, you may require 2 out of 3 authorized persons to perform key recovery. A, B, and C are incorrect. Separation of duties applies to all privileged functions, not to key control. A recovery agent, typically used in Windows' EFS implementations, is used to recover a key if an individual leaves an organization. Typically only one person is required for key recovery using this method. Escrow is a term used to describe a third party that holds keys for the organization.

Which of the following security measures should you implement to protect wireless clients from network attacks while they are connecting remotely? A. Enable encryption when working in the office. B. Set the clients to use only the 802.11n standard. C. Use wireless client authentication. D. Install a host-based firewall.

D is correct. The host-based firewall software can be used to protect a user's confidential local data against many types of possible attacks for both incoming and outgoing connections on both wireless and wired networks when she is away from the office. A, B, and C are incorrect. A is incorrect because encrypting wireless data when in the office will not protect users from attacks when they at home or traveling. B is incorrect because the clients will be insecure no matter which wireless standard they are using. C is incorrect because authentication only ensures that the specific user is authorized to use the wireless network and does not protect her from network attacks.

The LAST step of the penetration test methodology is to: A. Profile B. Gain access C. Scan and enumerate D. Cover tracks

D is correct. The last step in actually performing a penetration test is to cover your tracks. This is done to avoid detection, as well as to maintain any access you have obtained in the system. A, B, and C are incorrect. Profiling, scanning and enumeration, gaining access, and maintaining access are all steps that happen during the penetration test before covering your tracks.

All of the following are valid methods to secure static hosts in an organization, except: A. Layered security B. Network segmentation C. Application level firewalls D. User-dependent security

D is correct. The organization should not depend solely upon the users to manage security and static devices, because these devices can be managed just as traditional hosts and network devices are. A, B, and C are incorrect. These are all valid methods of securing static hosts in an organization.

When comparing two different implementations of the same algorithm for cryptographic strength, what is the best guide? A. Government recommendation B. Algorithm manufacturer's website C. Age of algorithm D. Key length in bits

D is correct. The strength of an implementation is directly related to keyspace (number of potential keys). A, B, and C are all distractors.

All of the following are valid types of Windows event logs EXCEPT: A. System B. Application C. Security D. Process

D is correct. There is no specific process type of log, although processes can be logged in Windows and usually appear in one of the other log types. A, B, and C are incorrect. All three choices are basic types of Windows event logs.

Instead of allowing an application to crash, error and exception handling uses a technique to intercept the errors and to display friendly warning messages, which is known as: A. Injection B. Input validation C. Tunneling D. Trapping

D is correct. Trapping an error means that instead of the error actually happening, the programmer intercepts the error and displays a friendly warning message. A, B, and C are incorrect. Injection is a type of attack usually seen in SQL, XML, and other types of data. Input validation is the process of ensuring that inputs to a web form, for example, are valid and within bounds. Tunneling is a method of securing data by encrypting it with one protocol and sending it over another.

You are responsible for two servers, Apollo and Zeus. Both Apollo and Zeus have TPM chips that are fully configured for all server hard disks. The power supplies in Apollo fail, so you remove the hard disk and place it in Zeus. How can you access this replaced hard disk? A. You cannot access it because it was encrypted with Apollo's TPM chip. B. You must place Apollo's TPM chip in Zeus. C. You must place Zeus's TPM chip in Apollo. D. You must supply a separate recovery key.

D is correct. Trusted Platform Module (TPM) is a motherboard chip that stores keys to encrypt and decrypt hard disks. Diligent administrators will have a recovery key stored elsewhere in case the motherboard or some other aspect of the machine fails. A, B, and C are incorrect. TPM chips do not encrypt hard drives; they store keys used for encryption and decryption. These chips are embedded on the motherboard and cannot be moved.

You are setting up your network, which spans several different floors of an office building. You want to subdivide the network using logical methods to prevent cross-network chatter and improve access security, but several departments have employees on different floors and sections of the building. Which of the following techniques should you implement? A. Protocol-based VLAN B. Subnetting C. Firewall zones D. Port-based VLAN

D is correct. Using a port-based VLAN, you can assign specific router and switch ports to different VLANs, which allows you to assign any network segment on any floor of your office to a specific VLAN. This provides flexibility so that the user's location does not limit his network access. A, B, and C are incorrect. A is incorrect because a protocol-based VLAN subdivides networks into logical networks using specific network protocols and is not based on client location. B is incorrect because subnetting on its own will not provide the same access to clients in different physical locations. C is incorrect because firewall zones are used at a higher level of the network to divide and secure networks behind the firewall.

You must determine which TCP port a custom seismic activity application uses in order to configure a firewall rule allowing access to the program. The application is running on a host named ROVER that also runs other custom network applications. How can you find out which TCP port it uses? A. Run a port scan against the host. B. Run the NETSTAT -P TCP command. C. Ping ROVER. D. Generate activity to the seismic activity app and capture the traffic.

D is correct. Using a protocol analyzer (packet sniffer) such as Wireshark or the Linux tcpdump command to capture the relevant network traffic will reveal the TCP port being used by examining the TCP packet header. This allows technicians to use the port number to configure application or network-based firewall rules correctly. In a switched environment, port mirroring must be configured for the analysis port to ensure all traffic is viewed. A, B, and C are incorrect. If you run a port scan, issue the NETSTAT command, or Ping the host, how will you know which custom application occupies which TCP port? Even though port scanning and NETSTAT can display TCP port usage, a packet capture better identifies exactly which TCP port the application is using. Scanning is a form of active network reconnaissance, while network traffic monitoring is considered passive reconnaissance.

A virtual LAN (VLAN) does NOT offer which of the following security controls? A. Allows logical segmentation of hosts by IP subnet B. Creates broadcast domains C. Allows different security policies to be applied to different hosts D. Allows physical segmentation of hosts by IP subnet

D is correct. VLANS do not physically segment hosts; they logically segment them, and they allow different segments to receive different security policies. A, B, and C are incorrect. VLANS do not physically segment hosts; they logically segment them. VLANs help eliminate broadcast domains, not create them. VLANS allow different segments to receive different security policies.

Your quality assurance team is testing a new web application and requires several servers to properly test the application on different operating systems. Due to budget and resource constraints, you do not have enough physical servers to cover the testing requirements and provide adequate security for each system. Which of the following technologies could you implement? A. Cloud computing B. Web-caching proxy C. Firewall DMZ D. Virtualization

D is correct. Virtualization allows you to run several operating system instances on a single hardware device. Each virtual machine is run in its own CPU and memory environment and is secure from the other virtual machines running on the same system. A, B, and C are incorrect. A is incorrect because cloud computing is where shared resources are provided on demand through the Internet. B is incorrect, as a web-caching proxy is only used to cache web-browsing data. C is incorrect because a firewall DMZ provides a method of splitting networks into different security zones.

What size WEP key did the original IEEE 802.11b specification use? A. 512-bit B. 256-bit C. 128-bit D. 64-bit

D is correct. WEP key sizes are 64-bits (40-bit key and 24-bit initialization vector) or 128-bit (104-bit key and 24-bit initialization vector). The 802.11b standard called for a 64-bit key. A, B, and C are incorrect. Neither 512-bit nor 256-bit are valid WEP key sizes. The original 802.11b standard called for a 64-bit key; the 128-bit key was developed after this standard was issued.

Which of the following terms describes someone who hacks into systems, with permission of the system's owner, to discover exploitable vulnerabilities and help secure the system? A. Gray hat hacker B. Black box tester C. Black hat hacker D. White hat hacker

D is correct. White hat hackers use their skills to assist in securing systems. They are usually penetration testing professionals or ethical hackers. A, B, and C are incorrect. A gray hat hacker uses his or her skills for both good and evil purposes. A black box tester tests a system without any prior knowledge of the network or infrastructure. A black hat hacker uses his or her skills for malicious purposes.

Which of the following answers best describes the one major advantage of XTACACS over RADIUS? A. Kerberos is a proprietary standard, making it less safe. B. XTACACS is an open standard, making it more safe. C. XTACACS uses RC4 encryption. D. XTACACS is completely encrypted.

D is correct. XTACACS encrypts everything between all connection points. A, B, and C are incorrect. Kerberos is an open standard as is XTACACS. Open standards are consided more safe than proprietary. XTACACS doesn't define what encryption to use, but RC4 is dated and insecure.

A sales engineer for your company is traveling with his laptop computer. The contents of his laptop contain highly confidential technical information regarding the internal details of a software application. Which of the following techniques can be implemented to provide the strongest protection of the data on the laptop? A. Use of a virtual machine B. BIOS password C. Cloud-based data retrieval D. Use of an on-board TPM

D is correct. You can encrypt the contents of the laptop's hard drive and have the trusted platform module (TPM) on the laptop's motherboard store the encryption key. Only the sales engineer's password can allow access to the data. A, B, and C are incorrect. None of these methods protects the confidentiality of the data on the laptop.

You are configuring laptops for your sales engineers, who will be visiting customer sites to perform technical integration and troubleshooting for your products installed there. The laptops contain several proprietary applications that should not be distributed outside of your organization. Which of the following actions should you take to help secure the contents of the laptops? A. Provide a hardware locking cable. B. Enable a BIOS password. C. Enable a screensaver password. D. Encrypt the hard drive.

D is correct. You can encrypt the contents of the laptops' hard drives so that they can't be accessed without a passphrase entered by the sales engineers. A, B, and C are incorrect. A is incorrect because a hardware locking cable will only provide physical security for the laptops. B and C are incorrect because although the passwords secure access to the laptops, they do not secure the contents.

You are connecting to a secure website using HTTPS, but before the website loads, your web browser displays an error that the site certificate is invalid and the site is not trusted. Which of the following is the most likely issue? A. A web proxy is blocking the connection. B. You need to clear your web browser cache and retry the connection. C. The web browser requires a software update. D. The server is using a self-signed certificate.

D is correct. You can use a self-signed certificate for web server SSL connections, but most web browsers will display an error before allowing you to connect because it is not signed by a trusted source. You can continue by confirming that you still want to temporarily trust and connect to the website. A, B, and C are incorrect. A web proxy will not typically be configured to block HTTPS sessions, and clearing the cache or updating the software will not resolve the certificate error.

A user downloads free software from a web site. Upon installation, the free software takes advantage of an operating system weakness that allows remote administrative control for which there is currently no solution. What term best describe this type of software? A. Worm B. DoS C. Zero-day vulnerability D. Zero-day exploit

D is correct. Zero-day exploits take advantage of a vulnerability for which there is no current remedy. The vendor may not know about the vulnerability that the hacker has discovered. A, B, and C are incorrect. Worms are malicious programs that replicate themselves. DoS attacks render a service unusable for legitimate use but can be mitigated in various ways. "Zero-day vulnerability" is not an industry-standard term.

Which statement is true regarding a behavior-based NIPS? (Choose the best answer.) A. The default gateway setting must be configured. B. Host log files can be analyzed for suspicious activity. C. Network traffic is analyzed and compared to a database of known attacks. D. Network traffic is analyzed and compared to a previously created network baseline.

D is the best answer. Behavior-based network intrusion prevention systems (NIPS) analyze network traffic and compare it to a previously established network baseline of normal activity for the specific network. If a baseline is not established, the NIPS cannot determine what is abnormal on this particular network. A, B, and C are incorrect. Configuring a default gateway setting is necessary for a device only to transmit data outside the local LAN; this is not required here. Host log files are analyzed by HIDSs (host intrusion detection systems) or HIPSs (host intrusion prevention systems) but not NIPSs. Comparing network traffic to known attack patterns is referred to as heuristic NIPS.

What purpose does data labeling serve in a computing environment? A. It makes audit logs easier to read. B. It makes finding spare hardware easier. C. It allows for quick retrieval of documents from filing cabinets. D. It identifies the sensitivity level of digital data.

D. D is correct. Data labeling identifies the sensitivity of digital data (the question asks about computing environments). A, B, and C are incorrect. Data labeling in computing environments does not make audit logs easy to read, nor does it make spare hardware easier to find or documents quick to retrieve from filing cabinets.

In which category of threats belong attacks that are conducted over short periods of time, do not involve a large number of individuals, have little financial backing, and are accomplished by insiders or outsiders who do not seek collusion with insiders? A. APT B. Simplified threat C. Covert channel attack D. Unstructured threat

D. D is correct. Unstructured threats are those without resources or a specific objective or plan. A, B, and C are incorrect. APTs are typically high resource attacks over significant periods of time. Simplified threat is a nonsense distractor. Covert channel attacks use undetectable channels to attack.

Which items are at risk from spyware? A. Web browser cookies B. Files on the hard disk C. Keystrokes D. Web browser home page E. All of the above F. None of the above

E is correct. Spyware can analyze web browser cookies, files, user keystrokes, and browser home pages to determine user habits and steal personal user information. This data can be sold to marketing firms or used to display relevant ads. All of this is done either without user knowledge or with user consent in exchange for the use of "free" software. A, B, C, D, and F are incorrect. A through E are each only part of the answer. F is incorrect because all listed items are at risk from spyware.


Related study sets

Principles of Business Document Production and Information Management

View Set

3D Printing: What You Need to Know

View Set