Chapter 1-6 Practice Questions Flashcards

Question

Members of a project team chose to meet at a local library to complete some work on a key project. All of them are authorized to work from home using a VPN connection and have connected from home successfully. However, they found that they were unable to connect to the network using the VPN from the library and they could not access any of the project data. Which of the following choices is the MOST likely reason why they can't access this data? A. Role-based access control B. Time-of-day access control C. Location-based policy D. Discretionary access control

Answer 1

c. location-based Book: C. A location-based policy restricts access based on location, such as with an IP address, and this is the best possible answer to those given. The scenario indicates they could use the virtual private network (VPN) connection from home, but it was blocked when they tried to access it from the library. Time-of-day access control restricts access based on the time of day, but the scenario doesn’t indicate the time. Neither a discretionary access control model nor a role-based access control model restricts access based on location.

Answer 2

c. expiration date for the account Book: C. When creating temporary accounts, it’s best to configure expiration dates so that the system will automatically disable the accounts on the specified date. History, password expiration, and complexity all refer to password policy settings. However, it’s rare to configure a specific password policy on a single account.

Answer 3

c. craft a script to identify inactive accounts identify the former accounts to disable Book: C. Running a last logon script allows you to identify inactive accounts, such as accounts that haven’t been logged on to in the last 30 days. It’s appropriate to disable unused accounts, but it isn’t necessarily appropriate to disable all temporary accounts, because some might still be in use. If you disable the accounts you notice, you might disable accounts that some employees are still using, and you might miss some accounts that should be disabled. Setting expiration dates for newly created accounts is a good step, but it doesn’t address previously created accounts.

Answer 4

d. matrix with required privileges Book: D. A matrix of functions, roles, or job titles matched with the required access privileges for each of the functions, roles, or job titles is a common planning document for role-based access control (role- BAC) model. The mandatory access control (MAC) model uses sensitivity labels and classification levels. MAC is effective at restricting access based on a need to know. The discretionary access control (DAC) model specifies that every object has an owner and it might identify owners in a list.

Answer 5

B. MAC "levels" Book: B. This is a mandatory access control (MAC) model. You can tell because it is using security labels. None of the other model's listed use labels. A discretionary access control (DAC) model has an owner, and the owner establishes access for the objects. A role-based access control (role-BAC) model uses roles or groups to assign rights and permissions. An attribute-based access control (ABAC) model uses attributes assigned to subjects and objects within a policy to grant access.

Answer 6

D. ABAC attributes based D. A software-defined network (SDN) typically uses an attribute-based access control (ABAC) model, which is based on attributes that identify subjects and objects within a policy. A discretionary access control (DAC) model has an owner, and the owner establishes access for the objects. A mandatory access control (MAC) model uses labels assigned to subjects and objects. A role-based access control (role-BAC) model uses roles or groups to assign rights and permissions.

Answer 7

B. SSH not file transfer, not mail Book: B. You can use Secure Shell (SSH) to encrypt Personally Identifiable Information (PII) data when transmitting it over the network (data-intransit). Secure File Transfer Protocol (SFTP) uses SSH to encrypt File Transfer Protocol (FTP) traffic. FTP, Simple Mail Transfer Protocol (SMTP), and Hypertext Transfer Protocol (HTTP) transmit data in cleartext unless they are combined with an encryption protocol.

Answer 8

Book: C. Simple Network Management Protocol version 3 (SNMPv3) is a secure protocol that can monitor and collect information from network devices. It includes strong authentication mechanisms to protect the confidentiality of credentials. None of the other protocols listed are used to monitor network devices. Secure Shell (SSH) provides a secure method of connecting to devices but does not monitor them. File Transfer Protocol Secure (FTPS) is useful for encrypting large files in transit, using Transport Layer Security (TLS). TLS is commonly used to secure transmissions but doesn’t include methods to monitor devices.

Answer 9

B. time synch NTP - network time protocol Book: B. The Network Time Protocol (NTP) provides time synchronization services, so enabling NTP on servers would meet this use case. The Real-time Transport Protocol (RTP) delivers audio and video over IP networks and Secure RTP (SRTP) provides encryption, message authentication, and integrity for RTP. Protocols such as Simple Mail Transfer Protocol (SMTP), Post Office Protocol v3 (POP3), and Internet Message Access Protocol version 4 (IMAP4) is used for email. Encrypting data isn’t relevant to time synchronization services provided by NTP.

Answer 10

Book: D. The Secure Real-time Transport Protocol (SRTP) provides encryption, message authentication, and integrity for Voice over Internet Protocol(VoIP), video teleconferencing, and other streaming media applications. None of the other answers are directly related to VoIP or video teleconferencing. Simple Mail Transfer Protocol (SMTP) transfers email. The Transport Layer Security (TLS) protocol is used to encrypt data-in-transit but isn’t the best choice for streaming media. Secure File Transfer Protocol (SFTP) is a secure implementation of FTP to transfer files.

Answer 11

D. RSTP Rapid Spanning Tree Protocol ensures a loop-free topology for Ethernet networks Flood guard - tools to prevent DoS attacks SNMPv3 - security model SRTP - Secure Real-time Transport protocol Book: D. Rapid STP (RSTP) prevents switching loop problems and should be enabled on the switches to meet this need. A flood guard on a switch helps prevent a media access control (MAC) flood attack. Simple Network Management Protocol version 3 (SNMPv3) is used to manage and monitor network devices. The Secure Real-time Transport Protocol (SRTP) provides encryption, message authentication, and integrity for video and voice data.

Answer 12

Book: D. Spanning Tree Protocol (STP) and Rapid STP (RSTP) both prevent switching loop problems. It’s rare for a wiring error to take down a switch. However, if two ports on a switch are connected to each other, it creates a switching loop and effectively disables the switch. An intrusion detection system (IDS) will not prevent a switching loop. Layer 2 switches are susceptible to this problem. Administrators use Simple Network Management Protocol version 3 (SNMPv3) to manage and monitor devices, but it doesn’t prevent switching loops.

Answer 13

Book: B. The most likely problem of the available choices is that an access control list (ACL) is configured incorrectly. The server is in a demilitarized zone (DMZ) and the most likely problem is an incorrectly configured ACL on the border firewall. The service is operating when accessed from internal clients, so it isn’t likely that it is the problem. Also, the server works for internal systems indicating it is working correctly. There isn’t any indication a virtual local area network (VLAN) is in use.

Answer 14

Book: B. Iptables include settings used by the Linux Kernel firewall and can be used to replace a firewall. While it’s possible to implement iptables on a wireless access point (assuming it is Linux-based), iptables still function as a firewall, not a wireless access point. A Layer 2 switch routes traffic based on the destination media access control (MAC) address, but iptables focus on IP addresses. A network bridge connects multiple networks together.

Answer 15

Book: D. You would create rules to block all incoming traffic from private IP addresses. The border router is between the internal network and the Internet and any traffic coming from the Internet with a private IP address is a spoofed source IP address. All outgoing traffic will typically use a private IP address, so you shouldn’t block this outgoing traffic. A flood guard on a switch protects against media access control (MAC) flood attacks and is unrelated to this question. A web application firewall protects a web application and is unrelated to antispoofing.

Answer 16

Book: B. A stateful firewall filters traffic based on the state of the packet within a session. It would filter a packet that isn’t part of a TCP three-way handshake. A stateless firewall filters traffic based on the IP address, port, or protocol ID. While it’s appropriate to place a network firewall in a demilitarized zone (DMZ), a network firewall could be either a stateless firewall or a stateful firewall. An application-based firewall is typically only protecting a host, not a network.

Answer 17

Book: A. These are rules in an access control list (ACL) for a firewall. The first two rules indicate that traffic from any IP address, to any IP address, using ports 80 or 443 is permitted or allowed. The final rule is also known as an implicit deny rule and is placed last in the ACL. It ensures that all traffic that hasn’t been previously allowed is denied. Layer 2 switches do not use ACLs. A proxy server would not use an ACL, although it would use ports 80 and 443 for Hypertext Transfer Protocol (HTTP) and HTTP Secure (HTTPS), respectively. A web server wouldn’t use an ACL, although it would also use ports 80 and 443.

Answer 18

Book: A. A demilitarized zone (DMZ) is a buffered zone between a private network and the Internet, and it will separate the web server’s web-facing traffic from the internal network. You can use a virtual local area network (VLAN) to group computers together based on job function or some other administrative need, but it is created on switches in the internal network. A firewall does provide protection for the webserver but doesn’t necessarily separate the web-facing traffic from the internal network. A web application firewall (WAF) protects a web server from incoming attacks, but it does not necessarily separate Internet and internal network traffic.

Answer 19

Book: C. A nontransparent proxy includes the ability to filter traffic based on the URL and is the best choice. A transparent proxy doesn’t modify or filter requests. A reverse proxy is used for incoming traffic to an internal firewall, not traffic going out of the network. Proxy servers are caching proxy servers, but won’t block outgoing traffic.

Answer 20

Book: C. You would most likely configure the Uniform Resource Locator (URL) filter on the unified threat management (UTM) security appliance. This would block access to the peer-to-peer sites based on their URL. Content inspection and malware inspection focus on inspecting the data as it passes through the UTM, but they do not block access to sites. A distributed denial-of-service (DDoS) mitigator will attempt to block incoming DDoS attack traffic.

Answer 21

Book: C. A distributed denial-of-service (DDoS) mitigator attempts to block DDoS attacks and should be placed at the border of the network, between the private network and the Internet. If the network includes a demilitarized zone (DMZ), the appliance should be placed at the border of the DMZ and the Internet. Placing it in the DMZ or the internal network doesn’t ensure it will block incoming traffic.

Answer 22

Book: C. A heuristic-based (also called anomaly-based or behavior-based) detection system compares current activity with a previously created baseline to detect any anomalies or changes. Flood guards help protect against flood attacks (such as a SYN flood attack). Signature-based systems (also called definition-based) use signatures of known attack patterns to detect attacks. A honeypot is a server designed to look valuable to an attacker and can divert attacks.

Answer 23

B. An in-band IPS Book: B. The best solution from the given choices is an in-band intrusion prevention system (IPS). Traffic goes through the IPS and the IPS has the best chance of preventing attacks from reaching internal systems. An IPS is in-band, not out-of-band. An intrusion detection system (IDS) is passive and not in-band, so it can only detect and react to the attacks, not block them.

Answer 24

Book: C. A network intrusion prevention system (NIPS) installed on the supervisory control and data acquisition (SCADA) network can intercept malicious traffic coming into the network and is the best choice of those given. The scenario states you cannot update the SCADA systems, so you cannot install a host-based IPS (HIPS) on any of them. A firewall provides a level of protection. However, it wouldn’t be able to differentiate between valid traffic sent by Lisa and malicious traffic sent by malware from Lisa’s system. A honeypot might be useful to observe malicious traffic but wouldn’t prevent it.

Answer 25

Book: D. If an intrusion detection system (IDS) does not detect and report a buffer overflow attack, it is a false negative. It is a false positive if the IDS falsely (incorrectly) indicates an attack occurred. If antivirus software indicates a valid application is malware, it is also a false positive. If a heuristic-based IDS accurately detects a previously unknown attack, it is working correctly.

Answer 26

Book: D. The centralized access point (AP) is a fat AP and it configures thin APs in the network. The fat AP could also be called a stand-alone, intelligent, or autonomous AP and it is used to configure thin APs, not fat APs. Thin APs do not configure other APs. Stand-alone APs are not configured by other APs.

Answer 27

Book: D. Using directional antennas on both access points (APs) is the best choice to meet this need because they have high gain with a very narrow radiation pattern. Omnidirectional antennas transmit the signal in all directions at the same time and are not a good choice when connecting networks between two buildings. Wider channels reduce the range of wireless transmissions and aren’t a good choice here. Because of 802.11ac uses only the 5 GHz frequency band, you can’t use 2.4 GHz.

Answer 28

Book: D. Wi-Fi Protected Access II (WPA2) with Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (CCMP) provides the strongest level of security of the given choices. Temporal Key Integrity Protocol (TKIP) is an older encryption protocol used with WPA and it isn’t as strong as CCMP. Disabling service set identifier (SSID) broadcast hides the network from casual users, but attackers can still discover it because the SSID is still included in some packets in plaintext. Attackers can bypass media access control (MAC) address filtering by spoofing authorized MAC addresses.

Answer 29

A Book: A. WPA2 Enterprise requires an 802.1x authentication server and most implementations require a digital certificate installed on the server. The network will likely have Dynamic Host Configuration Protocol (DHCP) and Domain Name System (DNS) services, but it isn’t necessary to install them on the authentication server. Wired Equivalent Privacy (WEP) provides poor security and is not compatible with WPA2 Enterprise.

Answer 30

C ``` Book: C. This is most likely a Wi-Fi Protected Setup (WPS) attack. Reaver is an automated program that will discover the WPS PIN and after it discovers the PIN, it can discover the passphrase or secret key used by the access point (AP). While an initialization vector (IV) attack can discover the passphrase in legacy wireless security protocols, Wi-Fi Protected Access II (WPA2) isn’t susceptible to an IV attack. A disassociation attack effectively removes a wireless client from a wireless network, but it doesn’t discover the passphrase. An evil twin attack uses a separate AP with the same name as an existing AP with the goal of tricking users into connecting to it. ```

Answer 31

A Book: A. The scenario indicates an evil twin attack is in progress. An attacker can easily discover the service set identifier (SSID) even with SSID broadcast disabled and can then create another access point with the same SSID. A disassociation attack disconnects wireless clients from the wireless network. A Wi-Fi Protected Setup (WPS) attack discovers the eight-digit PIN and then uses it to discover the passphrase. A jamming attack floods the frequency channel with noise to prevent connections.

Answer 32

A Book: A. A wireless jamming attack is a type of denial-of-service (DoS) attack that can cause wireless devices to lose their association with access points and disconnect them from the network. None of the other attacks are DoS attacks. An initialization vector (IV) attack attempts to discover the passphrase. A replay attack captures traffic with the goal of replaying it later to impersonate one of the parties in the original transmission. Bluesnarfing is a Bluetooth attack that attempts to access information on Bluetooth devices.

Answer 33

B Book: B. A virtual private network (VPN) provides access to a private network over a public network such as the Internet via remote locations and is the best choice. Network access control (NAC) methods can check VPN clients for health before allowing them access to the network, but it doesn’t directly provide access. Intrusion detection systems (IDSs) and intrusion prevention systems (IPSs) protect networks, but do not control remote access.

Answer 34

Book: B. A full tunnel encrypts all traffic after a user has connected to a VPN using a tunnel. A split tunnel only encrypts traffic destined for the VPN’s private network. Traffic from the client directly to another Internet site is not encrypted. Internet Protocol security (IPsec) Tunnel mode encrypts the entire IP packet used in the internal network. It encrypts all traffic used within the VPN’s private network, but not all traffic from the VPN client. IPsec Transport mode only encrypts the payload and is used within private networks, not for VPN traffic.

Answer 35

Book: A, C. Remote Authentication Dial-in User Service (RADIUS) servers use shared secrets. You can configure them to interact with Lightweight Directory Access Protocol (LDAP)–based systems by entering the same shared secret on both a RADIUS server and an LDAP server. A shared secret is basically just an identical password on both systems. Kerberos uses tickets for authentication, not shared secrets. Extensible Authentication Protocol-Transport Layer Security (EAP-TLS) is an authentication protocol that requires the use of certificates on both clients and servers, not shared secrets.

Answer 36

D Book: D. A dissolvable agent is often used on employee-owned devices and would be appropriate if an organization implemented a bring your own device (BYOD) policy. A permanent network access control (NAC) agent is installed on the device permanently, but this might cause problems for employee-owned devices. Any NAC agent is a health agent. Remote Authentication Dial-In User Service (RADIUS) is used for authentication, not to inspect clients.

Answer 37

A Book: A. Disabling unnecessary services is one of the elements of the principle of least functionality. Other elements include deploying the server with only the applications and protocols they need to meet their purpose. Installing up-to-date antivirus software is a valid preventive control, but it isn’t related to the least functionality. Identifying the baseline should be done after disabling unnecessary services. A network-based intrusion detection system (NIDS) helps protect the server, but it doesn’t implement least functionality.

Answer 38

Book: D. The master image is the baseline and the administrators performed integrity measurements to identify baseline deviations. By comparing the list of applications in the baseline with the applications running on the suspect computer, you can identify unauthorized applications. None of the other answers include the troubleshooting steps necessary to discover the problem. The master image would include only the applications, services, and protocols needed to meet the principle of least functionality. A sandbox is an isolated area of a system, typically used to test applications. A blacklist is a list of prohibited applications.

Answer 39

B Book: B. A change management policy helps reduce risk associated with making any changes to systems, including updating them. Patches should be tested and evaluated before implementing them and implementing them when they are released sometimes causes unintended consequences. The use of a trusted operating system or operating systems with secure configurations doesn’t address how they are updated.

Answer 40

B Book: B. Application whitelisting identifies authorized applications and prevents users from installing unauthorized software. Alternately, you can use a blacklist to identify specific applications that cannot be installed or run on a system. A master image provides a secure baseline, but it doesn’t prevent users from installing additional applications. Antimalware software and antivirus software can detect and block malware, but they don’t prevent users from installing unauthorized software.

Answer 41

C Book: C. A sandbox provides a simple method of testing patches and would be used with snapshots so that the virtual machine (VM) can easily be reverted to the original state. A baseline image is a starting point of a single environment. Bring your own device (BYOD) refers to allowing employee-owned mobile devices in a network and is not related to this question. Change management practices ensure changes are not applied until they are approved and documented.

Answer 42

C Book: C. A remote attestation process checks a computer during the boot cycle and sends a report to a remote system. The remote system attests, or confirms, that the computer is secure. None of the other answers sends data to a remote system. A Trusted Platform Module (TPM) is a hardware chip on a motherboard and provides a local secure boot process. A TPM includes an encryption key burned into the CPU, which provides a hardware root of trust. A trusted operating system meets a set of predetermined requirements typically enforced with the mandatory access control (MAC) model.

Answer 43

Book: C. This is a Software as a Service (SaaS) model. The software is the online application and the cloud provider (the Springfield Nuclear Power Plant in this example) maintains it. Infrastructure as a Service (IaaS) provides customers with the hardware via the cloud. Customers are responsible for installing the operating system and any applications. Platform as a Service (PaaS) is a computing platform. For example, a cloud provider can provide a server with a preconfigured operating system. Anyone can access a public cloud. However, the question states that only students and teachers can access it.

Answer 44

D Book: D. A network intrusion prevention system (NIPS) is the most relevant security control of those listed to ensure the availability of the supervisory control and data acquisition (SCADA) system. Data loss prevention (DLP) system helps prevent loss of data, but wouldn’t protect a SCADA system from potential attacks. A Trusted Platform Module (TPM) is a hardware chip on a computer’s motherboard that stores cryptographic keys used for encryption. An electromagnetic pulse (EMP) is a short burst of electromagnetic energy and unrelated to a SCADA system.

Answer 45

Book: B. Storage segmentation creates separate storage areas in mobile devices and can be used with a choose your own device (CYOD) mobile device deployment model. None of the other answers are directly related to mobile devices. A supervisory control and data acquisition (SCADA) system control an industrial control system (ICS), such as those used in nuclear power plants or water treatment facilities, and it should be isolated. Database security includes the use of permissions and encryption to protect data in a database. Some embedded systems use a real-time operating system (RTOS) when the system must react within a specific time.

Answer 46

C Book: C. Screen locks provide protection for lost devices by making it more difficult for someone to access the device. Device encryption protects the confidentiality of the data. Global Positioning System (GPS) tagging includes location information on pictures and other files but won’t help protect a lost or stolen device. Patch management keeps devices up to date and change management helps prevent outages from unauthorized changes. Infrastructure as a Service (IaaS) is a cloud computing option.

Answer 47

A Book: A. Geofencing can be used to create a virtual fence or geographic boundary, outlining the company’s property. Geofencing will use geolocation to identify the mobile device’s location, but geolocation without geofencing won’t detect if a user is on the company’s property. Global Positioning System (GPS) tagging adds geographic data (such as latitude and longitude data) to files and is unrelated to this question. Containerization runs applications in a container to isolate them.

Answer 48

D Book: D. Context-aware authentication can authenticate a user and a mobile device using multiple elements, including identity, geolocation, time of day, and type of device. None of the other answers meets all the requirements of the question. A geofence creates a virtual fence, or geographic boundary, and can be used with context-aware authentication. Containerization isolates an application, protecting it and its data. Tethering allows one device to share its Internet connection with other devices.

Answer 49

A Book: A. The system administrator should modify permissions with the chmod (short for change mode) command. Remote wipe sends a remote signal to a mobile device to wipe or erase all the data and is unrelated to this question. Push notification services send messages to users but don’t change permissions. The chroot command is used to create a sandbox for testing an application.

Answer 50

Book: A. A data loss prevention (DLP) solution can prevent users from copying documents to a USB drive. None of the other answers control USB drives. A hardware security module (HSM) is an external security device used to manage, generate, and securely store cryptographic keys. COPE (corporate-owned, personally enabled) is a mobile device deployment model. A self-encrypting drive (SED) includes the hardware and software to encrypt all data on the drive and securely store the encryption keys.

Answer 51

Book: C. Database column (or field) encryption is the best choice because it can be used to encrypt the fields holding credit card data, but not fields that don’t need to be encrypted. Full database encryption and whole disk encryption aren’t appropriate because everything doesn’t need to be encrypted to protect the credit card data. File-level encryption isn’t appropriate on a database and will often make it inaccessible to the database application.

Answer 52

A Book: A. This attack was most likely launched by an organized crime group because their motivation is primarily money. While the scenario describes ransomware, ransomware is the malware, not the threat actor. Competitors often want to obtain proprietary information and it would be very rare for a hospital competitor to extort money from another hospital. A hacktivist typically launches attacks to further a cause, not to extort money.

Answer 53

A Book: A. A logic bomb is a code that executes in response to an event. In this scenario, the logic bomb executes when it discovers the account is disabled (indicating Dr. Bob Terwilliger is no longer employed at the company). In this scenario, the logic bomb is creating a backdoor. A rootkit includes hidden processes, but it does not activate in response to an event. Spyware is software installed on user systems without their awareness or consent. Its purpose is often to monitor the user’s computer and the user’s activity. Ransomware demands payment as ransom.

Answer 54

C Book: C. A backdoor provides someone an alternative way of accessing a system or application, which is exactly what Lisa created in this scenario. It might seem as though she’s doing so with good intentions, but if attackers discover a backdoor, they can exploit it. A virus is a malicious code that attaches itself to an application and executes when the application runs, not code that is purposely written into the application. A worm is a self-replicating malware that travels throughout a network without the assistance of a host application or user interaction. A Trojan is a software that looks like it has a beneficial purpose but includes a malicious component.

Answer 55

Book: A. The code is creating a new account that Dr. Terwilliger can use to access as a backdoor. He is creating this with a logic bomb, but a logic bomb is the malware type, not the type of account that he created. Rootkits include hidden processes, but they do not activate in response to events. Ransomware demands payment to release a user’s computer or data.

Answer 56

C Book: C. The scenario describes a remote access Trojan (RAT), which is a type of malware that allows attackers to take control of systems from remote locations. While the threat actor may be a member of an advanced persistent threat (APT) or an organized crime group, these are threat actor types, not types of malware. Crypto-malware is a type of ransomware that encrypts data, but there isn’t an indication that the data is being encrypted in this scenario.

Answer 57

A Book: A. A rootkit typically runs processes that are hidden and it also attempts to connect to computers via the Internet. Although an attacker might have used a backdoor to gain access to the user’s computer and install the rootkit, backdoors don’t run hidden processes. Spam is unwanted email and is unrelated to this question. A Trojan is a malware that looks like it’s beneficial but is malicious.

Answer 58

B Book: B. This sounds like a social engineering attack where the caller is attempting to get information on the servers, so it’s appropriate to end the call, report the call to a supervisor, and independently check the vendor for potential issues. It is not appropriate to give external personnel information on internal systems from a single phone call. It isn’t necessary to ask for a phone number because you wouldn’t call back and give information on the servers. The caller has not committed a crime by asking questions, so it is not appropriate to contact law enforcement personnel.

Answer 59

D Book: D. Tailgating is the practice of following closely behind someone else without using credentials. In this scenario, Bart might be an employee who forgot his badge, or he might be a social engineer trying to get in by tailgating. Spear phishing and whaling are two types of phishing with email. Mantraps prevent tailgating.

Answer 60

B Book: B. Dumpster divers look through trash or recycling containers for valuable paperwork, such as documents that include Personally Identifiable Information (PII). Instead, paperwork should be shredded or incinerated. Vishing is a form of phishing that uses the phone. Shoulder surfers attempt to view monitors or screens, not papers thrown into the trash or recycling containers. Tailgating is the practice of following closely behind someone else, without using proper credentials.

Answer 61

B Book: B. A zero-day exploit is one that isn’t known by trusted sources such as antivirus vendors or operating system vendors. Phishing is malicious spam and it can include malware, but there isn’t an indication this loss was from an email. Attackers use open-source intelligence to identify a target. Some typical sources are social media sites and news outlets. A hoax is not a specific attack. It is a message, often circulated through email, that tells of impending doom from a virus or other security threat that simply doesn’t exist.

Answer 62

B Book: B. Shoulder surfing is the practice of viewing data by looking over someone’s shoulder and it includes looking at computer monitors. Positioning monitors so that they cannot be viewed through a window and/or placing screen filters over the monitors reduces this threat. Phishing is an email attack. Dumpster diving is the practice of looking through dumpsters. Social engineers often try to impersonate others to trick them.

Answer 63

D Book: D. Whaling is a type of phishing that targets high-level executives, such as chief financial officers (CFOs) or chief executive officers (CEOs) and this scenario describes an attack targeting the CFO. Because whaling is more specific than phishing, phishing isn’t the best answer. Spam is unwanted email, but spam isn’t necessarily malicious. While the infected Portable Document File (PDF) might include a Trojan, the scenario doesn’t describe the type of malware within the PDF.

Answer 64

A Book: A. A digital signature provides assurances of who sent an email and meets the goal of this scenario. Although a spam filter might filter a spear phishing attack, it does not provide assurances about who sent an email. A training program would help educate employees about attacks and would help prevent the success of these attacks, but it doesn’t provide assurances about who sent an email. Some antivirus software includes heuristic-based detection. Heuristic-based detection attempts to detect viruses that were previously unknown and do not have virus signatures.

Answer 65

B Book: B. Of the given choices, an untrained user is the most likely vulnerability in this scenario. A trained user would be less likely to click on a malicious link received in an email. While the attack describes ransomware, ransomware isn’t a vulnerability. A denial-of-service (DoS) or distributed denial-of-service (DDoS) attack often results in resource exhaustion, but that is the result of an attack, not a vulnerability. An insider threat implies a malicious insider, but there isn’t any indication that the new employee was malicious.

Answer 66

D Book: D. The sender is using the social engineering principle of authority in this scenario. A chief executive officer (CEO) would respect legal authorities and might be more inclined to open an attachment from such an authority. While the scenario describes whaling, a specific type of phishing attack, whaling and phishing are attacks, not social engineering principles. The social engineering principle of consensus attempts to show that other people like a product, but this is unrelated to this scenario.