Brainscape's Knowledge GenomeTM


Top Flashcards (Certified)
All Flashcards

SEC + > CertMaster Learn Lessons > Flashcards

CertMaster Learn Lessons Flashcards

1
Q

_______ is a means of redirecting users from a legitimate website to a malicious one that relies on corrupting the way the victim’s computer performs IP address resolution. This is illustrated in the bank customer scenario.

A

Pharming

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
2
Q

__________ can make a phishing or hoax email more convincing. Used offensively, ______ means adding text that appears to have been generated by the mail system.

A

Prepending

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
3
Q

How does an encryption algorithm protect against birthday attacks?

A

Encryption algorithms add salt when computing password hashes

A salt is an additional value stored with the hashed data field. The purpose of salt is to frustrate attempts to crack the hashes of passwords by dramatically decreasing the probability of collision. This will protect against birthday attacks.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
4
Q

__________ obscures the presence of a message and can be used to encode messages within TCP packet data fields to create a covert message channel for data exfiltration.

A

Steganography

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
5
Q

Which two cryptographic functions can be combined to authenticate a sender and prove the integrity of a message?

A

Public key cryptography and hashing

Public key cryptography (public and private keys) can be used to authenticate a sender. Combine this with a hash output of the message and a secret (or private) key to create a message authentication code (MAC) to validate the integrity of the message.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
6
Q

_________ mitigates the risks from RSA key exchanges through the use of ephemeral session keys to maintain confidentiality.

A

Perfect forward security (PFS)

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
7
Q

Compare and contrast the modes of operation for block ciphers. Which of the following statements is true?

ECB and CBC modes allow block ciphers to behave like stream ciphers.
CTM mode allows block ciphers to behave like stream ciphers.
ECB allows block ciphers to behave like stream ciphers.
CBC and CTM modes allow block ciphers to behave like stream ciphers.

A

CTM mode allows block ciphers to behave like stream ciphers.

Explanation - Counter Mode (CTM) combines each block with a counter value, allowing each block to be processed individually and in parallel, improving performance. This parallel processing is similar to how stream ciphers operate.

Tags - Lesson 5

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
8
Q

A _____ is a small-sized block of data derived from another block of digital data for the purpose of detecting errors that may have been introduced during its transmission or storage. By themselves, _____ are often used to verify data integrity but are not relied upon to verify data authenticity

A

Checksums

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
9
Q

Digital certificates are based on the X.509 standard that defines the fields (or information) about a subject (or entity using the certificate) and the certificate’s issuer. Which of the following fields would not be included in a standard public certificate?

Extensions
Public key
Endorsement key
Subject

A

Endorsement Key

Explanation - An endorsement key is not required for a digital certificate. It is part of a Trusted Platform Module (TPM) and used to create subkeys for key storage, signature, and encryption operations.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
10
Q

An employee has requested a digital certificate for a user to access the Virtual Private Network (VPN). It is discovered that the certificate is also being used for digitally signing emails. Evaluate the possible extension attributes to determine which should be modified so that the certificate only works for VPN access.

Valid from/to
Extended key usage
Serial number
Public key

A

Extended key usage

Explanation - Set the Extended Key Usage (EKU) field of a certificate to define its usage. Applications such as virtual private network (VPN) or email clients may require specific requirements for key usage configuration.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
11
Q

A company has a critical encryption key that has an M-of-N control configuration for protection. Examine the examples and select the one that correctly illustrates the proper configuration for this type of protection of critical encryption keys.

M=1 and N=5
M=3 and N=5
M=6 and N=5
M=0 and N=5

A

M=3 and N=5

Explanation - A correct configuration for an M-of-N control is M=3 and N=5. M stands for the number of authorized administrators that must be present to access the critical encryption keys and N is the total number of authorized administrators. In this scenario, 3 of the 5 administrators must be present for access.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
12
Q

Consider the life cycle of an encryption key. Which of the following is NOT a stage in a key’s life cycle?

Storage
Verification
Expiration and renewal
Revocation

A

Verification

Explanation - Verification is not a stage in a key’s life cycle. It is part of the software development life cycle. The stages are: key generation, certificate generation, storage, revocation, and expiration and renewal.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
13
Q

A website with many subdomains has been issued a web server certificate for domain validation. This certificate verifies the parent domain and all subdomains (to a single level). This certificate is also known as which of the following?

SAN certificate
Wildcard certificate
Root certificate
Code signing certificate

A

Wildcard certificate

Explanation - A wildcard certificate with a field entry of a wildcard domain such as *.comptia.org, means that the certificate issued to the parent domain will be accepted as valid for all subdomains (to a single level).

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
14
Q

A Certificate Revocation List (CRL) has a publish period set to 24 hours. Based on the normal procedures for a CRL, what is the most applicable validity period for this certificate?

A

26 hours

Explanation - One or two hours over the publish period is considered normal thus making 26 hours within the window.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
15
Q

Both Remote Access Dial-In User Service (RADIUS) and Terminal Access Controller Access-Control System (TACACS+) provide authentication, authorization, and accounting using a separate server (the AAA server). Based on the protocols’ authentication processes, select the true statements. (Select the best three choices.)

TACACS+ is open source and RADIUS is a proprietary protocol from Cisco.

RADIUS uses UDP by default and TACACS+ uses TCP.

TACACS+ encrypts the whole packet (except the header) and RADIUS only encrypts the password.

RADIUS is primarily used for network access and TACACS+ is primarily used for device administration.

A

RADIUS uses UDP by default and TACACS+ uses TCP.

TACACS+ encrypts the whole packet (except the header) and RADIUS only encrypts the password.

RADIUS is primarily used for network access and TACACS+ is primarily used for device administration.

**Explanation - **
RADIUS uses UDP by default over ports 1812 and 1813 and TACACS+ uses TCP on port 49.

TACACS+ encrypts the whole packet (except the header, which identifies the packet as TACACS+ data) and RADIUS only encrypts the password portion of the packet using MD5.

RADIUS is primarily used for network access for a remote user and TACACS+ is primarily used for device administration. TACACS+ provides centralized control for administrators to manage routers, switches, and firewall appliances, as well as user privileges.

P.S - RADIUS is open source and TACACS + is Cisco

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
16
Q

Based on knowledge of the fundamentals of One-time Passwords (OTP), which of the following choices represents the problem that exists with HMAC-based One-time Password Algorithm (HOTP) and is addressed by Time-based One-time Password Algorithm (TOTP)?

HOTP is not configured with a shared secret.
The server is not configured with a counter in HOTP.
Only the HOTP server computes the hash.
Tokens can be allowed to continue without expiring in HOTP.

A

Tokens can be allowed to continue without expiring in HOTP.

**Explanation **- Tokens can persist unexpired in HOTP, increasing the risk of an attacker obtaining one and decrypting data in the future. TOTP addresses this by adding a value to the shared secret derived from the device’s and server’s local timestamp. TOTP automatically expires each token after a short window of time.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
17
Q

Regarding the various tools of biometric authentication and their capabilities/limitations, which statement is accurate?

Retinal scanning is less intrusive than iris scanning.

Fingerprint scanners are the most widely used biometric authentication method.

Fingerprint scanners are more expensive but use a straightforward process.

Sensor modules are the most preferred biometric authentication method.

A

Fingerprint scanners are the most widely used biometric authentication method.

Explanation - Regarding biometric authentication, Fingerprint scanning is the most widely implemented biometric authentication method.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
18
Q

Evaluate how identification and authentication are distinct in their functions. Which of the following scenarios best illustrates a user being authenticated?

A user accesses a system by having their face scanned.

A system administrator sets up a user account for a new employee after HR sends employment verification.

An administrator sends an initial password to a new telecommuting employee through a VPN.

A user is assigned an SID.

A

A user accesses a system by having their face scanned.

**Explanation **- A face scan is also known as biometrics, which is a “something you are” authentication. This is known as physiological biometric recognition.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
19
Q

Consider biometric methods that are used to authenticate a user. Knowing that errors are possible, which of the following would most likely result in a security breach?

False acceptance
False rejection
A low Crossover-Error-Rate (CER)
A low throughput

A

False acceptance

Explanation - Regarding biometric authentication, a false positive is where an unauthorized person is accepted, leading to possible security breaches. This is the False Acceptance Rate (FAR).

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
20
Q

A user presents a smart card to gain access to a building. Authentication is handled through integration to a Windows server that’s acting as a certificate authority on the network. Review the security processes and conclude which are valid when using Kerberos authentication. (Select all that apply.)

Inputting a correct PIN authorizes the smart card’s cryptoprocessor to use its private key to create a Ticket Granting Ticket (TGT) request.

The smart card generates a one-time use Ticket Granting Service (TGS) session key and certificate.

The Authentication Server (AS) trusts the user’s certificate as it was issued by a local certification authority.

The Authentication Server (AS) is able to decrypt the request because it has a matching certificate.

A

Inputting a correct PIN authorizes the smart card’s cryptoprocessor to use its private key to create a Ticket Granting Ticket (TGT) request.

The Authentication Server (AS) trusts the user’s certificate as it was issued by a local certification authority.

Explanation -
Inputting a correct PIN authorizes the smart card’s cryptoprocessor to use its private key to create a Ticket Granting Ticket (TGT) request to an Authentication Server (AS).

The AS can place trust when the user’s certificate is issued by a local or third-party root certification authority.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
21
Q

Biometric authentication methods have different error rates, with some methods being easier to fool than others. An unauthorized user is unlikely to fool which of the following methods?

Fingerprint scan
Retinal scan
Facial recognition
Voice recognition

A

Retinal scan

Explanation - Biometric authentication based on a retinal scan is the hardest method to fool. Retinal scanning is used to identify the patterns of blood vessels with the eye, whereas an iris scan only uses the surface of the eye.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
22
Q

Analyze each scenario and determine which best describes the authentication process in an Identity and Access Management (IAM) system.

An account is created that identifies a user on the network.
A user logs into a system using a control access card (CAC) and PIN number.
An Access Control List (ACL) is updated to allow a new user access to only the databases that are required to perform their job.
A report is reviewed that shows every successful and unsuccessful login attempt on a server.

A

A user logs into a system using a control access card (CAC) and PIN number.

Explanation - Authentication proves that a subject is who or what it claims to be when it attempts to access the resource. A CAC and pin login are examples of authentication.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
23
Q

Evaluate the following controls that have been set by a system administrator for an online retailer. Determine which statement demonstrates the identification control within the Identity and Access Management (IAM) system.

A control is set to force a customer to log into their account prior to reviewing and editing orders.
A control is set to cancel automatic shipments for any customer that has an expired credit card on file.
A control is set to ensure that billing and primary delivery addresses are valid.
A control is set to record the date, time, IP address, customer account number, and order details for each order.

A

A control is set to ensure that billing and primary delivery addresses are valid

Explanation - Identification controls are set to ensure that customers are legitimate. An example is to ensure that billing and primary delivery addresses are real and valid.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
24
Q

An Identity and Access Management (IAM) system has four main processes. Which of the following is NOT one of the main processes?

Accounting
Identification
Integrity
Authentication

A

Integrity

Explanation - Integrity is the fundamental security goal of keeping organizational information accurate, free of errors, and without unauthorized modifications. However, it is not part of the IAM system. IAM defines the attributes that comprise an entity’s identity. The four processes include Authorization, Accounting, Identification, and Authentication.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
25
An employee is working on a team to build a directory of systems they are installing in a classroom. The team is using the Lightweight Directory Access Protocol (LDAP) to update the X.500 directory. Utilizing the standards of an X.500 directory, which of the following distinguished names is the employee most likely to recommend? OU=Univ,DC=local,CN=user,CN=system1 CN=system1,CN=user,OU=Univ,DC=local CN=user,DC=local,OU=Univ,CN=system1 DC=system1,OU=Univ,CN=user,DC=local
CN=system1,CN=user,OU=Univ,DC=local **Explanation **- A distinguished name is a unique identifier for any given resource within an X.500-like directory and made up of attribute=value pairs, separated by commas. The most specific attribute lists first, and then successive attributes become progressively broader.
26
A Windows systems administrator needs to grant the users in the finance department with read-only access to a folder named 'Invoices.' What would be the proper and most manageable way to go about granting this access? Add the security group 'Finance' to the NTFS permissions with 'Read' rights. Add each user account in the finance department to the NTFS permissions with 'Read' rights. Add the security group 'Finance' to the NTFS permissions with 'Modify' rights. Add each user account in the finance department to the NTFS permissions with 'Modify' rights.
Add the security group 'Finance' to the NTFS permissions with 'Read' rights. **Explanation** - Adding the security group 'Finance' with 'Read' permissions to the Invoice folder will allow any user that is added to the Finance group to access the folder with the proper read-only permissions.
27
Consider the role trust plays in federated identity management and determine which models rely on networks to establish trust relationships. (Select all that apply.) SAML OAuth OpenID LDAP
SAML OAuth OpenID **Explanation - ** Security Assertion Markup Language (SAML) is an identity federation format used to exchange authentication information between the principal, the service provider, and the identity provider. Authentication and authorization for a RESTful API is often implemented using the Open Authorization (OAuth) protocol. OpenID is an identity federation method enabling users authentication on cooperating websites by a third-party authentication service.
28
Examine the tradeoff between traditional password policy complexity requirements and updated practical suggestions from the National Institute of Standards and Technology (NIST) and select the statement that fits both practical password management and traditional complexity requirements. Passwords should be easy to remember and can include spaces and repetitive strings of numbers (like 987654). Passwords should be easy to remember, but should never use spaces. Passwords should be written in plain text in a common password repository held secure by an IT staff member. Passwords should not contain dictionary words or contextual information, such as a username or the company name.
Passwords should not contain dictionary words or contextual information, such as a username or the company name **Explanation **- Traditional password complexity rules (that is, no use of username within password and combination of at least eight upper/lower case alpha-numeric and non-alpha-numeric characters) often result in users writing down passwords. NIST recommends only blocking common passwords, such as dictionary words, repetitive strings (like 12345678), and contextual information.
29
Windows has several service account types, typically used to run processes and background services. Which of the following statements about service accounts is FALSE? The Network service account and the Local service account have the same privileges as the standard user account. Any process created using the system account will have full privileges over the local computer. The local service account creates the host processes and starts Windows before the user logs on. The Local Service account can only access network resources as an anonymous user.
The local service account creates the host processes and starts Windows before the user logs on. **Explanation** - The System account, not the Local Service account, creates the host processes that start Windows before the user logs on.
30
A senior administrator is teaching a new technician how to properly develop a standard naming convention in Active Directory (AD). Examine the following responses and determine which statements are sound advice for completing this task. (Select all that apply.) Create as many root-level containers and nest containers as deeply as needed Consider grouping Organizational Units (OU) by location or department Build groups based on department, and keep all accounts, both standard and administrative, in the same group Within each root-level Organizational Unit (OU), use separate child OUs for different types of objects
Consider grouping Organizational Units (OU) by location or department Within each root-level Organizational Unit (OU), use separate child OUs for different types of objects **Explanation **- Organizational Units (OUs) represent administrative boundaries. They allow the enterprise administrator to delegate administrative responsibility for users and resources in different locations or departments. An OU grouped by location will be sufficient if different IT departments are responsible for services in different geographic locations. An OU grouped by department is more applicable if different IT departments are responsible for supporting different business functions.
31
An Internet Service Provider's (ISP) customer network is under a Distributed Denial of Service (DDoS) attack. The ISP decides to use a blackhole as a remedy. How does the ISP justify their decision? A blackhole drops packets for the affected IP address(es) and is in a separate area of the network that does not reach any other part of the network. A blackhole makes the attack less damaging to the ISP's other customers and continues to send legitimate traffic to the correct destination. A blackhole routes traffic destined to the affected IP address to a different network. Here, the ISP can analyze and identify the source of the attack, to devise rules to filter it. A blackhole is preferred, as it evaluates each packet in a multi-gigabit stream against an Access Control List (ACL) without overwhelming the processing resources.
A blackhole drops packets for the affected IP address(es) and is in a separate area of the network that does not reach any other part of the network. **Explanation** - A blackhole drops packets for the affected IP address(es) and is in a separate area of the network that does not reach any other part of the network
32
There are several types of security zones on a network. Analyze network activities to determine which of the following does NOT represent a security zone. DMZ Screened host Wireless Guest network
Screened host **Explanation** - A screened host is when a smaller network accesses the Internet using a dual-homed proxy/gateway servers.
33
Given knowledge of load balancing and clustering techniques, which configuration provides consistent performance and partial fault tolerance for applications like streaming audio and video services? Active/Passive clustering Active/Active clustering First in, First out (FIFO) clustering Fault tolerant clustering
Active/Passive clustering **Explanation **- In active/passive clustering, if the active node suffers a fault, the connection can failover to the passive node, without performance degradation.
34
Which statement best describes the difference between session affinity and session persistence? With persistence, once a client device establishes a connection, it remains with the node that first accepted its request, while an application-layer load balancer uses session affinity to keep a client connected by setting up a cookie. Session affinity makes node scheduling decisions based on health checks and processes incoming requests based on each node’s load. Session persistence makes scheduling decisions on a first in, first out (FIFO) basis. With session affinity, when a client establishes a session, it remains with the node that first accepted its request, while an application-layer load balancer uses persistence to keep a client connected by setting up a cookie. Session persistence makes scheduling decisions based on traffic priority and bandwidth considerations, while session affinity makes scheduling decisions based on which node is available next.
With session affinity, when a client establishes a session, it remains with the node that first accepted its request, while an application-layer load balancer uses persistence to keep a client connected by setting up a cookie. **Explanation **- Session affinity is a layer 4 approach to handling user sessions. When a client establishes a session, it stays with the node that first accepted the request.
35
Where should an administrator place an internet-facing host on the network? DMZ Bastion host Extranet Private network
DMZ **Explanation **- Internet-facing hosts reside in one or more Demilitarized Zones (DMZs), or perimeter networks. Traffic can not pass through a DMZ, but it enables external clients to access data on private systems, such as web servers, without compromising the security of the entire internal network.
36
An attacker tricks a host within a subnet into routing through an attacker's machine, rather than the legitimate default gateway, allowing the attacker to eavesdrop on communications and perform a Man-in-the-Middle (MitM) attack. Compare the types of routing vulnerabilities and conclude what the attacker is exploiting in this scenario. Route injection Denial of service ARP poisoning Source routing
ARP poisoning **Explanation **- ARP poisoning occurs by tricking hosts on the subnet into routing through the attacker's machine rather than the legitimate default gateway. This allows the attacker to eavesdrop on communications and perform replay or MitM attacks
37
Identify the attack that can launch by running software against the CAM table on the same switch as the target. MAC flooding MAC spoofing ARP poisoning attack LLMNR
MAC flooding **Explanation **- MAC flooding is a variation of an ARP poisoning attack. While ARP poisoning is directed at hosts, *MAC flooding is used to attack a switch.*
38
Analyze the available detection techniques and determine which are useful in identifying a rogue system through software management. (Select all that apply.) Visual inspection of ports and switches will prevent rogue devices from accessing the network. Network mapping is an easy way to reveal the use of unauthorized protocols on the network or unusual traffic volume. Intrusion detection and NAC are security suites and appliances that combine automated network scanning with defense and remediation suites to prevent rogue devices from accessing the network. Wireless monitoring can reveal whether there are unauthorized access points.
Intrusion detection and NAC are security suites and appliances that combine automated network scanning with defense and remediation suites to prevent rogue devices from accessing the network. Wireless monitoring can reveal whether there are unauthorized access points. **Explanation - ** Intrusion detection and NAC are security suites and appliances that can combine automated network scanning with defense and remediation suites to prevent rogue devices from accessing the network. Wireless monitoring can reveal the presence of unauthorized or malicious access points and stations.
39
Evaluate the typical weaknesses found in network architecture and determine which statement best aligns with a security weakness. A company has a single network channel. A company has many different systems to operate one service. A company has a habit of implementing quick fixes. A company has a flat network architecture.
A company has a flat network architecture **Explanation **- Overdependence on perimeter security occurs when the network architecture is flat. If an attacker can penetrate the network edge, the attacker will then have freedom of movement throughout the entire network. Tags - Lesson 9
40
A hotel guest opens their computer and logs into the Wi-Fi without prompting the guest for a username and password. Upon opening an internet browser, a splash page appears that requests the guest's room number and last name for authentication. Which type of authentication is the hotel utilizing? Protected Extensive Group Open
Open **Explanation **- Mostly used on a public access point, open authentication does not require the client to authenticate, as it sends data over the link unencrypted. When combined with a secondary authentication mechanism, a browser can manage open authentication. The secondary authentication redirects the client to a captive portal or a splash page.
41
A network manager suspects that a wireless network is undergoing a deauthentication attack. Applying knowledge of wireless network attacks, which scenario best supports the network manager's suspicion? - A network experiences radio interference, which causes connectivity issues for users. The users disconnect from the network, and upon reauthenticating, they log on to an evil twin Access Point (AP). - An attacker creates an Access Point (AP) using a similar name as a legitimate AP, in an attempt to have users authenticate through the rogue AP in order to gain authentication information. - A rogue Access Point (AP) captures user logon attempts. The attacker uses this information to authenticate to the system and obtain critical data. - A group of users suddenly disconnects from the network. When the users reconnect, they actually connect to an evil twin Access Point (AP), which gives an attacker information about authentication.
A group of users suddenly disconnects from the network. When the users reconnect, they actually connect to an evil twin Access Point (AP), which gives an attacker information about authentication. **Explanation** - A deauthentication attack, coupled with the use of a rogue AP, sends a stream of spoofed deauth frames to cause a client to deauthenticate from the AP. This may allow the attacker to interpose the rogue AP or to sniff information about the authentication process.
42
Given that layer 2 does not recognize Time to Live, evaluate the potential problems to determine which of the following options prevents this issue. ICMP BPDU ARP STP
STP **Explanation** - STP (Spanning Tree Protocol) is a switching protocol that prevents network loops by dynamically disabling links as needed. Since layer 2 protocol has no concept of Time To Live, layer 2 broadcast traffic could continue to loop through a network with multiple paths indefinitely.
43
Which statement regarding attacks on media access control (MAC) addresses accurately pairs the method of protection and what type of attack it guards against? (Select all that apply.) MAC filtering guards against MAC snooping. Dynamic Host Configuration Protocol (DHCP) snooping guards against MAC spoofing. MAC filtering guards against MAC spoofing. DAI guards against invalid MAC addresses
Dynamic Host Configuration Protocol (DHCP) snooping guards against MAC spoofing. DAI guards against invalid MAC addresses **Explanation **- In MAC filtering, a switch will record the specified number of MACs allowed to connect to a port, but then drop any traffic from other MAC addresses. DHCP snooping inspects traffic arriving on access ports to ensure that a host is not trying to spoof its MAC address.
44
A network administrator conducts a network assessment to determine where to implement a network intrusion detection system (NIDS). Which sensor deployment option is most ideal if the admin is concerned about system overloads and resiliency in the event of power loss? Passive test access point (TAP) Active test access point (TAP) Aggregation test access point (TAP) Switched port analyzer (SPAN)/mirror port
Passive test access point (TAP) **Explanation **- With a passive TAP, the monitor port receives every frame—corrupt, malformed, or not—and load does not affect copying.
45
A ________ is a hardware device that copies network traffic between two endpoints in a network. __s are also known as Ethernet or Network _____
TAP aka Test Access Point
46
Security information and event management (SIEM) collect data inputs from multiple sources. Which of the following is NOT one of the main types of log collection for SIEM? Agent-based Listener/collector Sensor (sniffer) Artificial intelligence (AI)
Artificial intelligence (AI) **Explanation** - AI and machine learning can drive correlation efforts for automated analysis.
46
Compare and contrast the characteristics of the various types of firewalls and select the correct explanation of a packet-filtering firewall. A firewall's ACL only allows the minimum amount of traffic required for the operation of valid network services and no more A firewall that maintains stateful information about the connection between two hosts A firewall that analyzes HTTP headers and the HTML code to identify code that matches a pattern A stand-alone firewall implemented with routed interfaces or as a virtual wire transparent firewall
A firewall's ACL only allows the minimum amount of traffic required for the operation of valid network services and no more **Explanation **- An administrator configures a packet-filtering firewall by specifying a group of rules called an Access Control List (ACL). Each rule defines a specific type of data packet and the appropriate action to take when a packet matches the rule.
47
GUESS..THAT..FIREWALL A Layer 3 firewall technology that compares packet headers against ACLs to determine which network traffic to accept.
Packet Filtering Firewall
48
GUESS..THAT..FIREWALL A type of firewall that does not preserve information about the connection between two hosts. Often used to describe packet-filtering firewalls. Each packet is analyzed independently, with no record of previously processed packets.
Stateless firewall
49
GUESS..THAT..FIREWALL A technique used in firewalls to analyze packets down to the application layer rather than filtering packets only by header information, enabling the firewall to enforce tighter and more security.
Stateful inspection
50
GUESS..THAT..FIREWALL A Layer 7 firewall technology that inspects packets at the Application layer of the OSI model.
Application aware firewalls
51
GUESS..THAT..FIREWALL A standalone hardware device that performs only the function of a firewall, which is embedded into the appliance's firmware.
Appliance Firewall
52
GUESS..THAT..FIREWALL A software application running on a single host and designed to protect only that host.
Host-Based Firewall
53
GUESS..THAT..FIREWALL Software designed to run on a server to protect a particular application such as a web server or SQL server.
Application Firewall
54
GUESS..THAT..FIREWALL A software-based firewall running on a network server OS, such as Windows or Linux, so that the server can function as a gateway or proxy for a network segment.
Network operating system (NOS) firewall
55
A server that redirects requests and responses without the client being explicitly configured to use it. Also referred to as a forced or intercepting proxy.
Transparent Proxy Server
56
A server that redirects requests and responses for clients configured with the proxy address and port.
Non-transparent Proxy server
57
Maps private host IP addresses onto a single public IP address. Each host is tracked by assigning it a random high TCP port for communications.
PAT aka Port Address Translation
58
Which of the following solutions best addresses data availability concerns that may arise with the use of application-aware next-generation firewalls (NGFW) and unified threat management (UTM) solutions? Signature-based detection system Active or passive test access point (TAP) Secure web gateway (SWG) Network-based intrusion prevention system (IPS)
Active or passive test access point (TAP) A TAP is a hardware device that allows you to access and monitor data flowing across a computer network. In an active setup, it can redirect traffic if the security appliance fails, thereby ensuring data availability. In a passive setup, it can continue to pass network traffic even if the security tool fails, also contributing to data availability.
59
Compare and analyze the types of firewalls available to differentiate between them. Choose the answer with the most correct description. Packet filtering firewalls operate at layer 5 of the OSI model, while circuit-level stateful inspection firewalls operate at layer 3. An appliance firewall is also known as a stateful multilayer inspection or a deep packet inspection. An application aware firewall is a stand-alone hardware firewall that performs the function of a firewall only. A packet filtering firewall maintains stateful information about a connection between two hosts and implements an appliance firewall as a software application running on a single host. An application firewall can analyze the HTTP headers to identify code that matches a pattern, while an appliance firewall monitors all traffic passing into and out of a network segment.
An application firewall can analyze the HTTP headers to identify code that matches a pattern, while an appliance firewall monitors all traffic passing into and out of a network segment. **Explanation **- An application firewall can inspect the contents of packets at the application layer and can analyze the HTTP headers. It also analyzes the HTML code present in HTTP packets, to try to identify code that matches a pattern in its threat database.
60
Which of the following are types of log collection for SIEM? (Select all that apply.) Log aggregation Firewall Agent-based Listener/Collector
Agent-based Listener/Collector
61
Which of the following considerations is most important when employing a signature-based intrusion detection system? The system may produce false positives and block legitimate activity. The system must create a valid baseline signature of normal activity. Signatures and rules must be kept up to date to protect against emerging threats. Signatures and rules must be able to detect zero-day attacks.
Signatures and rules must be kept up to date to protect against emerging threats. Explanation - Network behavior and anomaly detection (NBAD) engines use heuristics to generate a statistical model of baseline normal traffic. The system generates false positives and false negatives until, over time, it improves its statistical model of normal activity. A false positive is where legitimate behavior generates an alert.
62
Which of the following would be the BEST way to monitor a cloud-based microservice architecture? SNMP traps API inspection IPS IPsec
API Inspection API testing is a type of software testing that analyzes an application program interface (API) to verify that it meets expected functionality, security, performance, and reliability.
63
Which of the following would be the BEST method of sending data to a specific port number on a remote device? netcat dig route traceroute
netcat The netcat command, also known as nc, is a command-line utility that allows users to read and write data over a network connection nc -l -p 1234 >output.txt
64
Which security framework is mandatory for US federal agencies and includes a six step process? SSAE SOC 2 Type I/II CIS CSC CSA CCM NIST RMF
NIST RMF The NIST Risk Management Framework (RMF) provides a comprehensive, flexible, repeatable, and measurable 6-step process that any organization can use to manage information security and privacy risk for organizations and systems and links to a suite of NIST standards and guidelines to support implementation of risk
65
Which of these features is available when using MAM? FDE Automated failover Encrypted tunnels Multiple authentication factors Enterprise app catalog
Enterprise App Catalog
66
A system administrator would like to identify all known vulnerabilities on a remote device. Which of the following would be the BEST choice for this task? Nessus dnsenum theHarvester scanless Cuckoo
Nessus
67
While you can use tools such as dig and whois to query name records and hosting details and to check that external DNS services are not leaking too much information, a tool such as _______ packages a number of tests into a single query
dnsenum
68
Utility that runs port scans through third-party websites to evade detection.
Scanless
68
Utility for command-line manipulation of URL-based protocol requests.
curl
69
Utility for gathering results from open source intelligence queries.
theHarvester
70
A command-line packet sniffing utility. - for linux
tcpdump
71
_________ is an open-source spoofing tool that provides a penetration tester with the ability to craft network packets to exploit vulnerable firewalls and IDSs.
hping
72
a framework designed for penetration test reporting and evidence gathering. It can integrate with other tools such as Metasploit and Nikto to run automated suites of tests. Results can be displayed as web reports.
Sn1per
73
A host or network account that is designed to run a background service, rather than to log on interactively.
service account
74
An account with no credential (guest) or one where the credential is known to multiple persons.
shared account
75
A library of programming utilities used, for example, to enable software developers to access functions of the TCP/IP network stack under a particular operating system.
Application Programming Interface (API)
76
The value assigned to an account by Windows and that is used by the operating system to identify that account.
Security Identifier (SID)
77
An attacker has circumvented a security control by modifying their MAC address. Which of the following would describe this attack type? Malicious script Denial of service Rogue access point Cloning Jamming
Cloning
78
A data center optimizes the cooling process by specifying the orientation of equipment during installation. Which of the following would describe this technique? Air gap Hot and cold aisles Faraday cage Dual power supplies USB data blocker
Hot and cold aisles
79
A security engineer would like to connect a private cloud subnet to other cloud services. Which of the following would be the BEST choice? SSL VPN Container WPA3 VPC gateway Default route
VPC gateway A VPC (Virtual Private Cloud) gateway is a service that allows communication between instances in a VPC and the internet. A VPC gateway endpoint is a gateway that is a target for a specified route in the route table,
80
Which of the following would be MOST associated with AIS? 0-day attacks Encrypted tunnel Syslog Data exfiltration STIX and TAXII
STIX and TAXII
81
A database has been modified so that every person listed in the database has been replaced with a completely different first and last name. Which of the following would BEST describe this modification? OSINT Pseudonymization Intelligence fusion Proxy Fake telemetry
Pseudonymization Anonymization takes PII and makes it so it can't be used to identify anyone, while Pseudonymization replaces information with a pseudonym as if it were a CIA spy. Tokenization is like pseudonymization on steroids, encrypting your PII and replacing your pseudonym with an unrecognizable token.
82
A user inputs a PIN during the login process. Which of the following would describe this authentication method? TOTP Push notification Static code Attestation Federation
Static code
83
Which of these best describes authentication that is genuine with high confidence? Counterintelligence Non-repudiation Integrity E-discovery Hashing
Non-repudiation
84
Which of the following would be the BEST example of a detective security control? Backup IPS Security policy Hot site Fence
IPS
85
Which of these would BEST describe a ZIP bomb? Directory traversal NULL pointer dereference API attack Resource exhaustion Memory leak
Resource exhaustion A zip bomb is a malicious archive file that can crash or disable a program or system when unpacked. It's also known as a decompression bomb, compression bomb, archive bomb, or zip of death
86
Which of the following would be the best way to prevent a worm entering the network through a USB flash drive? Screened subnet SIEM DLP NGFW DNS sinkhole
DLP DLP stands for Data Loss Prevention. DLP is a cybersecurity solution that prevents data breaches by blocking the extraction of sensitive data. DLP can also be used for internal security and regulatory compliance. USB blocking is a data loss prevention technique that helps to ensure the security of data.
87
Which of the following is commonly used to verify device drivers during Windows startup? 802.1X TPM ELAM HSM RBAC
ELAM Early Launch Anti-Malware (ELAM) is a Windows 8 security technology that evaluates non-Microsoft Windows boot time device/application drivers for malicious code.
88
A pentester is gathering OSINT prior to a scheduled test. Which of the following would be the BEST choice for this task? Nmap curl Nessus theHarvester Cuckoo
theHarvester
89
A prospective employee was dropped from a job consideration after receiving the results of a background check. Which of the following describes this process? Offboarding NDA PII Adverse action Contingency planning
Adverse action
90
Which of the following would use rules to limit API communication? TLS VPN WAF SSH NAT
WAF A web application firewall (WAF) is a type of firewall that protects web applications by filtering and monitoring HTTP traffic between a web application and the internet. WAFs can protect web applications from attacks such as cross-site forgery, cross-site-scripting (XSS), file inclusion, and SQL injection.
91
Which of the following allows the browser to check for certificate revocation? CA TLS CN CSR OCSP
OCSP OCSP or Online Certificate Status Protocol is an internet protocol that checks the validity status of a certificate in real-time. It is an alternative to CRL or Certificate Revocation Lists.
92
Which of the following provides a knowledge base of adversary tactics and techniques? MITRE ATT&CK framework SSAE SOC 2 ISO 31000 EAP-TTLS Diamond model
MITRE ATT&CK framework
93
Which security control would be MOST associated with a backup generator? Compensating Detective Physical Managerial Preventive
Compensating
94
Which of the following would be the BEST way to randomize multiple hashes of the same data? VPN SDN Salt FDE Key exchange
Salt
95
Which of the following would determine which laws would apply to stored data? Diffusion Data-at-rest Sovereignty Masking Information Rights Management
Sovereignty
96
Which of the following would be the MOST secure way of viewing traffic statistics from a router? SMB RDP Telnet FTPS SNMPv3
SNMPv3 Unlike SNMPv1 and SNMPv2c, SNMP version 3 supports authentication and encryption. This means that SNMP data cannot be read after capture, and only authorized users can access specific object identifiers. However, the additional security methods make SNMPv3 more complex and challenging to configure
97
A security administrator would like to restrict application use to a predefined set of apps. Which of the following would BEST describe this security type? Deny list DLP Quarantine Approved list Segmentation
Approved list
98
A company has determined that laptops valued at $50,000 have been stolen over the last calendar year. Which of the following would describe this value? Inherent risk SLE ARO Risk appetite ALE
ALE
99
An EAP method developed by Cisco as a replacement for LEAP. ______ does not require a certificate authority while aiming to provide a higher level of security. The problem with _____ is in distributing (provisioning) the PAC securely to each user requiring access
EAP-FAST
100
An EAP method that enables a client and server to establish a secure connection without mandating a client-side certificate uses a server-side certificate to establish a protected tunnel through which the user's authentication credentials can be transmitted to the authentication server..
EAP-Tunneled TLS (EAP-TTLS)
101
EAP implementation that uses a server-side certificate to create a secure tunnel for user authentication, referred to as the inner method. an encrypted tunnel is established between the supplicant and authentication server, but ______ only requires a server-side public key certificate.
Protected Extensible Authentication Protocol (PEAP)
102
A ____________ occurs when two processes occur at similar times, usually with unexpected results. The file system problem is usually fixed before a reboot, but a reboot is occurring before the fix can be applied. This has created a race condition that results in constant reboots.
Race Condition
103
A ______ exercise usually consists of a meeting where members of a recovery team or disaster recovery talk through a disaster scenario.
tabletop
104
Mobile device ______ allows an organization to securely separate user data from company data on a mobile device. Implementing this strategy usually requires a mobile device manager (MDM), and ______ alone won’t address all of the required security policies.
Containerization
105
is a technique that uses a misspelling of a domain name to convince victims they are visiting a legitimate website.
Typosquatting
106
A ________ is used to manage compliance with security policies when using cloud-based applications.
CASB
107
Means that the manufacturer no longer supports hardware. ____ equipment may still receive some level of support from the manufacturer.
EOL
108
Means that software will no longer receive updates from the manufacturer. ____ software will not be supported or serviced, and will not receive security updates.
EOS
109
A _____ file contains the contents of system memory. In Windows, this file can be created from the Task Manager
Dump
110
________ logs will document web pages that were accessed, but it doesn't show what information may be contained in the system RAM.
Web Server
111
_______ server logs can show which domain names were accessed by internal systems, and this information can help identify systems that may be infected. However, the ____ log doesn't include any information about the memory contents of a server.
DNS (Domain Name System)
112
Which part of the PC startup process verifies the digital signature of the OS kernel? ❍ A. Measured Boot ❍ B. Trusted Boot ❍ C. Secure Boot ❍ D. POST
Trusted Boot The Trusted Boot portion of the startup process verifies the operating system kernel signature and starts the ELAM (Early Launch Anti-Malware) process.
113
Which of the following would be the BEST way to confirm the secure baseline of a deployed application instance? ❍ A. Compare the production application to the sandbox ❍ B. Perform an integrity measurement ❍ C. Compare the production application to the previous version ❍ D. Perform QA testing on the application instance
Perform an integrity measurement An integrity measurement is designed to check for the secure baseline of firewall settings, patch levels, operating system versions, and any other security components associated with the application. These secure baselines may vary between different application versions.
114
A member of the accounting team was out of the office for two weeks, and an important financial transfer was delayed until they returned. Which of the following would have prevented this delay? ❍ A. Split knowledge ❍ B. Least privilege ❍ C. Job rotation ❍ D. Dual control
Job rotation Job rotation moves employees through different job roles as part of their normal work environment. This policy limits the potential for fraud and
115
A security analyst has identified a number of sessions from a single IP address with a TTL equal to zero. One of the sessions has a destination of the Internet firewall, and a session immediately after has a destination of your DMZ server. Which of the following BEST describes this log information? ❍ A. Someone is performing a vulnerability scan against the firewall and DMZ server ❍ B. Users are performing DNS lookups ❍ C. A remote user is grabbing banners of the firewall and DMZ server ❍ D. Someone is performing a traceroute to the DMZ server
Someone is performing a traceroute to the DMZ server A traceroute maps each hop by slowly incrementing the TTL (Time to Live) value during each request. When the TTL reaches zero, the receiving router drops the packet and sends an ICMP (Internet Control Message Protocol) TTL Exceeded message back to the original station.
116
A company encourages users to encrypt all of their confidential materials on a central server. The organization would like to enable key escrow as a backup. Which of these keys should the organization place into escrow? ❍ A. Private ❍ B. CA ❍ C. Session ❍ D. Public
Private With asymmetric encryption, the private key is used to decrypt information that has been encrypted with the public key. To ensure continued access to the encrypted data, the company must have a copy of each private key.
117
A manufacturing company would like to use an existing router to separate a corporate network and a manufacturing floor that use the same physical switch. The company does not want to install any additional hardware. Which of the following would be the BEST choice for this segmentation? ❍ A. Connect the corporate network and the manufacturing floor with a VPN ❍ B. Build an air gapped manufacturing floor network ❍ C. Use personal firewalls on each device ❍ D. Create separate
Create separate VLANs for the corporate network and the manufacturing floor Creating VLANs (Virtual Local Area Networks) will segment a network without requiring additional switches.
118
When a home user connects to the corporate VPN, they are no longer able to print to their local network printer. Once the user disconnects from the VPN, the printer works normally. Which of the following would be the MOST likely reason for this issue? ❍ A. The VPN uses IPSec instead of SSL ❍ B. Printer traffic is filtered by the VPN client ❍ C. The VPN is stateful ❍ D. The VPN tunnel is configured for full tunnel
The VPN tunnel is configured for full tunnel A split tunnel is a VPN (Virtual Private Network) configuration that only sends a portion of the traffic through the encrypted tunnel. A split tunnel would allow work-related traffic to securely traverse the VPN, and all other traffic would use the non-tunneled option. In this example, the printer traffic is being redirected through the VPN instead of the local home network because of the non-split/full tunnel.
119
The _____ manages the operational use of the data, but not the rights and permissions to the information.
data processor
120
The __________ manages access rights and sets security controls to the data.
Data Custodian
121
A ______ sets privacy policies and implements privacy processes and procedures.
Privacy officer
122
A corporate security team would like to consolidate and protect the private keys across all of their web servers. Which of these would be the BEST way to securely store these keys? ❍ A. Use an HSM ❍ B. Implement full disk encryption on the web servers ❍ C. Use a TPM ❍ D. Upgrade the web servers to use a UEFI BIOS
Use an HSM An HSM (Hardware Security Module) is a high-end cryptographic hardware appliance that can securely store keys and certificates for all devices.
123
A80. Jennifer is reviewing this security log from her IPS: ALERT 2018-06-01 13:07:29 [163bcf65118-179b547b] Cross-Site Scripting in JSON Data 222.43.112.74:3332 -> 64.235.145.35:80 URL/index.html - Method POST - Query String "-" User Agent: curl/7.21.3 (i386-redhat-linux-gnu) libcurl/7.21.3 NSS/3.13.1.0 zlib/1.2.5 libidn/1.19 libssh2/1.2.7 Detail: token="" Which of the following can be determined from this log information? (Select TWO) ❍ A. The alert was generated from a malformed User Agent header ❍ B. The alert was generated from an embedded script ❍ C. The attacker’s IP address is 222.43.112.74 ❍ D. The attacker’s IP address is 64.235.145.35 ❍ E. The alert was generated due to an invalid client port number
B. The alert was generated from an embedded script and C. The attacker’s IP address is 222.43.112.74 The details of the IPS (Intrusion Prevention System) alert show a script value embedded into JSON (JavaScript Object Notation) data. The IPS log also shows the flow of the attack with an arrow in the middle. The attacker was IP address 222.43.112.74
124
A user has opened a helpdesk ticket complaining of poor system performance, excessive pop up messages, and the cursor moving without anyone touching the mouse. This issue began after they opened a spreadsheet from a vendor containing part numbers and pricing information. Which of the following is MOST likely the cause of this user's issues? ❍ A. On-path ❍ B. Worm ❍ C. RAT ❍ D. Logic bomb
C. RAT A RAT (Remote Access Trojan) is malware that can control a computer using desktop sharing and other administrative functions. Because the installation program is often disguised as something else, the victim often doesn’t realize they’re installing malware. Once the RAT is installed, the attacker can control the desktop, capture screenshots, reboot the computer, and many other administrative functions.
125
A company's outgoing email server currently uses SMTP with no encryption. The security administrator would like to implement encryption between email clients without changing the existing server-to-server communication. Which of the following would be the BEST way to implement this requirement? ❍ A. Implement Secure IMAP ❍ B. Require the use of S/MIME ❍ C. Install an SSL certificate on the email server ❍ D. Use a VPN tunnel between email clients
Require the use of S/MIME S/MIME (Secure/Multipurpose Internet Mail Extensions) provides a way to integrate public key encryption and digital signatures into most modern email clients. This would encrypt all email information from client to client, regardless of the communication used between email servers.
126
A company would like to securely deploy applications without the overhead of installing a virtual machine for each system. Which of the following would be the BEST way to deploy these applications? ❍ A. Containerization ❍ B. IaaS ❍ C. Proxies ❍ D. CASB
Containerization Application containerization uses a single virtual machine to use as a foundation for separate application "containers." These containers are implemented as isolated instances, and an application in one container is not inherently accessible from other containers on the system.
127
If an administrator in an exchange server needs to send digitally signed and encrypted messages, what messaging implementation will best suit the administrator’s needs? Secure/Multipurpose Internet Mail Extensions (S/MIME) Secure Post Office Protocol v3 (POP3S) Internet Message Access Protocol v4 (IMAP4) Simple Mail Transfer Protocol (SMTP)
Secure/Multipurpose Internet Mail Extensions (S/MIME) One means of applying authentication and confidentiality on a per-message basis is an email encryption standard called Secure/Multipurpose Internet Mail Extensions (S/MIME). S/MIME adds digital signatures and public key cryptography to mail communications. To use S/MIME, a sender and receiver exchange digital certificates signed by a certification authority (CA).
128
An organization routinely communicates directly to a partner company via a domain name. The domain name now leads to a fraudulent site for all users. Systems administrators for the organization find incorrect host records in DNS. What do the administrators believe to be the root cause? A server host has a poisoned arp cache. Some user systems have invalid hosts file entries. An attacker masquerades as an authoritative name server. The domain servers have been hijacked.
An attacker masquerades as an authoritative name server. DNS server cache poisoning aims to corrupt the records held by the DNS server itself. A DNS server queries an authoritative server for domain information. An attacker can masquerade as an authoritative name server and respond with fraudulent information.
129
A security engineer encrypted traffic between a client and a server. Which security protocol is the best for the engineer to configure if an ephemeral key agreement is used? AES 256 TLS 1.2 TLS 1.3 SHA 384
TLS 1.3 Only ephemeral key agreement is supported in TLS 1.3. The signature type is supplied in the certificate, so the cipher suite only lists the bulk encryption key strength and mode of operation (AES_256_GCM), plus the cryptographic hash algorithm (SHA384).
130
A technician is configuring Internet Protocol Security (IPSec) for communications over a Virtual Private Network (VPN). Evaluate the features of available modes and recommend the best option for implementation. Tunnel mode because the whole IP packet is encrypted, and a new IP header is added. Transport mode because the whole IP packet is encrypted, and a new IP header is added. Tunnel mode because the payload is encrypted. Transport mode because the payload is encrypted.
Tunnel mode because the whole IP packet is encrypted, and a new IP header is added.
131
An attacker modifies the HOSTS file on a workstation to redirect traffic. Consider the types of attacks and deduce which type of attack has likely occurred. DNS server cache poisoning DNS spoofing DNS client cache poisoning Typosquatting
DNS client cache poisoning The HOSTS file is checked before using Domain Name System (DNS). Its contents are loaded into a cache of known names and the client only contacts a DNS server if the name is not cached. If an attacker can place a false name, then the attacker will be able to direct traffic.
132
An authoritative server for a zone creates an RRset signed with a Zone Signing Key. Another server requests a secure record exchange and the authoritative server returns the package along with the public key. Evaluate the scenario to determine what the authoritative server is demonstrating in this situation. Domain Name System (DNS) DNS Security Extension DNS Footprinting Dynamic Host Configuration Protocol (DHCP)
DNS Security Extension A DNS Security Extension (DNSSEC) transaction is being simulated. This consists of the authoritative server for the zone creating a package of resource records (RRset) signed with a private key (Zone Signing Key). When another server requests a secure record exchange, the authoritative server returns the package along with its public key, which can verify the signature.
133
A technician is working with a user on methods to authenticate their device to the SSH server. Knowing that there are various methods, what can NOT be enabled or disabled when using the /etc/ssh/sshd_config file? Public key authentication Kerberos Username/password Host key
Host key The server's host key is used to set up a secure channel to use for the client to submit authentication credentials but is not enabled or disabled when using the /etc/ssh/sshd_config file.

SEC + (9 decks)

Brainscape helps you reach your goals faster, through stronger study habits.
© 2025 Bold Learning Solutions. Terms and Conditions