CISSP Flashcards
Morgan is a web developer responsible for implementing an authentication system. She knows that she should store hashed versions of passwords rather than the passwords themselves but chooses to use unsalted passwords. What type of attack does this make the application more susceptible to?
A. Rainbow table
B. Online brute force
C. Offline brute force
D. Collision
Correct Answer: A.
In a rainbow table attack, the attacker computes the hash values of common passwords and then searches the password file for those values. Adding a random salt to the password eliminates the performance benefit of this attack. Brute force attacks (online or offline) would not be more or less effective either way. The use of salting does not decrease the likelihood of a collision.
Kevin runs a vulnerability scan on a system on his network and identifies a SQL injection vulnerability. Which one of the following security controls is likely not present on the network?
A. DLP
B. TLS
C. WAF
D. IDS
Correct Answer: C.
A web application firewall (WAF), if present, would likely block SQL injection attack attempts, making SQL injection vulnerabilities invisible to a vulnerability scanner. A data loss prevention system (DLP) does not protect against web application vulnerabilities, such as SQL injection. An intrusion detection system (IDS) might identify a SQL injection exploit attempt but it is not able to block the attack. Transport layer security (TLS) encrypts web content but encryption would not prevent an attacker from engaging in SQL injection attacks.
Andy is developing requirements for a disaster recovery site and needs the ability to recover operations as quickly as possible. Which one of the following recovery site options provides the quickest activation time?
A. Warm site
B. Mobile site
C. Cold site
D. Hot site
Correct Answer: D.
Cold sites have only basic infrastructure available and require the longest period of time to activate operations. They are also the cheapest option. Warm sites add hardware, and possibly software, to the mix but do not have a current copy of the data running. They require hours to activate. Hot sites are up and running at all times and can assume operations at a moment’s notice. They are the most expensive option. Mobile sites are transportable on trailers and are a good choice for a last-minute recovery plan.
Ralph comes across a legacy infrastructure that uses telnet to create an administrative connection between a client and server. Even though this connection takes place over a private network link, Ralph would like to replace telnet with a secure protocol to prevent eavesdropping. What protocol would be the easiest drop-in replacement for telnet?
A. SSH
B. FTPS
C. TLS
D. SSL
Correct Answer: A.
The secure shell (SSH) is functionally equivalent to telnet but adds encryption and other security features. SSL and TLS may be used to encrypt communications, but they do not provide the connection features of SSH on their own. FTP Secure (FTPS) is used for transferring files and does not allow interactive administrative sessions similar to the ones provided by telnet.
Tonya is analyzing host firewall logs in an effort to diagnose a service that is not responding to user requests. She finds entries in the host firewall logs indicating that the traffic was allowed. What is the most likely cause of the service not responding?
A. Application failure
B. Host firewall misconfiguration
C. Network IPS misconfiguration
D. Network firewall misconfiguration
Correct Answer: A.
The fact that the packets are reaching the host rules out a network firewall or IPS issue. The fact that the logs indicate that the traffic was allowed rules out a host firewall issue. Therefore, the most likely remaining cause is an issue with the application.
Carla is concerned about the exfiltration of sensitive information from her corporate network by employees. Which one of the following controls would be least effective at meeting this requirement?
A. Encrypting data in transit
B. Blocking the use of personal email accounts
C. Implementing data loss prevention systems
D. Building least privilege access controls
Correct Answer: A.
Carla should implement least privilege access controls to limit the amount of information available to any individual user. She can also use a data loss prevention (DLP) system to detect the exfiltration of sensitive information. Blocking the use of personal email accounts limits a common method for exfiltrating sensitive information. Adding encryption in transit is not likely to reduce the risk of internal theft, as employees may still access stored sensitive information.
Why should administrators only allow employees to download digitally signed applications to mobile devices?
A. Digitally signed applications are free of malware
B. Digitally signed applications are certified to function properly
C. Digitally signed applications come from trusted sources
D. Digitally signed applications are guaranteed by Apple
Correct Answer: C
Digital signatures validate that the application came from the entity that signed the application. Security professionals should not draw any other conclusions from the fact that an application is digitally signed.
Devin manages a shared computing environment for multiple customers and is worried about one of his customers accessing virtual machines owned by other customers. He would like to protect against these virtual machine escape attacks. What is the best control that he can implement?
A. Network firewall
B. Hypervisor patching
C. Port security
D. Input validation
Correct Answer: B
Virtual machine (VM) escape attacks target vulnerabilities in the hypervisor supporting a virtualized environment. The strongest control to protect hypervisors against these attacks is to keep them patched. Network firewalls and port security are network security controls that occur outside of the virtualized environment and would not be effective in this case. Input validation is an application security control.
Carla is the firewall administrator for a large university. She has recently seen a flurry of activity from student networks sending spam print jobs to printers located in administrative offices. She would like to block printer traffic between network segments using the standard HP JetDirect port. What port should she block?
A. TCP port 9100
B. UDP port 9100
C. TCP port 8080
D. UDP port 8080
Correct Answer: A
HP JetDirect printer traffic uses TCP port 9100 to transfer data from clients to printers.
Ed is selecting a load balancing algorithm for use in his organization’s web environment. There are substantial differences between the performance characteristics of the servers in the web farm and there are also significant differences in the lengths of user connections. Which load balancing algorithm would produce the best results for Ed?
A. Least Connections
B. Round Robin
C. Weighted Round Robin
D. Weighted Least Connections
Correct Answer: D
The fact that the servers have different performance characteristics indicates that Ed should choose a weighted algorithm that allows him to specify that some servers should handle more load than others. The fact that users have sessions of differing length indicates that he should use a least connections approach that tracks the number of active sessions instead of a round robin approach that simply balances the number of assignments made. Therefore, Ed should choose the Weighted Least Connections algorithm.
Which one of the following technologies can be used to mitigate the effects of a denial of service attack on a local area network?
A. Split horizon
B. Flood guard
C. Loop prevention
D. Hold-down timers
Correct Answer: B
Flood guard prevents a single device from flooding the network with traffic, which may cause a denial of service. Loop prevention, hold-down timers, and split horizon routing are all used to detect and correct routing loops.
In a recent social engineering attack, the attacker found an employee of the target company at his gym and struck up a friendship there for several months before trying to slowly extract sensitive corporate information from the employee. What principle of social engineering is the attacker trying to exploit?
A. Urgency
B. Authority
C. Familiarity
D. Consensus
Correct Answer: C
This is a clear example of familiarity and liking. The attacker built up a relationship over time with the employee until they had a strong bond. He then leveraged that relationship to slowly extract information from the target.
Carla noticed unusual spikes in network activity and, upon further investigation, determined that there is an unusually high number of outbound DNS query responses. She also noticed that the query responses are significantly larger than the queries themselves. What type of attack should Carla suspect?
A. Amplification
B. Cross-site scripting
C. DNS poisoning
D. Pass the hash
Correct Answer: A.
The fact that the traffic is exceeding normal baselines and that the responses are much larger than the queries indicates that a DNS amplification attack may be underway. In this type of attack, the attacker sends spoofed DNS queries asking for large amounts of information. The source address on those queries is the IP address of the target system, which then becomes overwhelmed by the response packets.
Which one of the following features is not typically supported by mobile device management (MDM) solutions?
A. Application management
B. Configuration management
C. Carrier unlocking
D. Remote wiping
Correct Answer: C.
Mobile device management products do typically support remote wiping, application management, and configuration management, among other features. They do not provide carrier unlocking functionality, as this may only be performed by the wireless carrier that activated the device.
Vincent is tasked with establishing a disaster recovery site but is charged with providing bare-bones functionality at minimal cost. Which option should he consider?
A. Warm site
B. Hot site
C. Cold site
D. Mobile site
Correct Answer: C.
Cold sites have only basic infrastructure available and require the longest period of time to activate operations. They are also the cheapest option. Warm sites add hardware, and possibly software, to the mix but do not have a current copy of the data running. They require hours to activate. Hot sites are up and running at all times and can assume operations at a moment’s notice. They are the most expensive option. Mobile sites are transportable on trailers and are a good choice for a last-minute recovery plan.
Which one of the following key lengths is not supported by the AES encryption algorithm?
A. 128 bits
B. 192 bits
C. 256 bits
D. 512 bits
Correct Answer: D
The Advanced Encryption Standard (AES) supports key sizes of 128, 192, and 256 bits. It does not support 512 bit keys.
Fred created a set of IP restrictions on his Cisco router using Cisco’s extended access control list (ACL) functionality. What type of access control model is Fred enforcing?
A. Role-based access control
B. Discretionary access control
C. Rule-based access control
D. Attribute-based access control
Correct Answer: C
Network access control lists are examples of rule-based access control because the router will make decisions based upon the rules that Fred provides. The router does not know the identity of the user, so it cannot perform role-based or attribute-based access control. Users have no authority to delegate access control decisions, so this is not an example of discretionary access control.
Greg is working with remote users to troubleshoot issues that they are experiencing with VPN connections when traveling to customer sites. He believes that customer firewalls are interfering with the VPN connection and is considering altering the VPN configuration to prevent this issue. What type of VPN connection is least susceptible to this problem?
A. IPsec
B. TLS
C. Split tunnel
D. Full tunnel
Correct Answer: B
TLS VPNs typically use port 443, the same port used for HTTPS web traffic. This port is commonly allowed full outbound access through firewalls. IPsec VPNs use UDP port 500 as well as IP protocols 50 and 51. It is much more likely that this traffic will be blocked at a firewall. It is irrelevant whether Greg uses a split tunnel or full tunnel policy in this case, as the policy will not help establish the connection through the firewall; it will only control what traffic is routed through the VPN connection once it is established.
Vince is investigating the compromise of a user’s account credentials. The user reports that, in addition to her corporate account, the passwords to many of her online banking and bill payment accounts were also compromised. Vince examines her computer and determines that there is an unusual piece of hardware connected between the keyboard and the computer. What type of attack has most likely taken place?
A. Spyware
B. Keylogger
C. Bot
D. Adware
Correct Answer: B
While any type of malware could be responsible for the symptoms described by the user, the compelling piece of evidence in this scenario is that Vince discovered an unusual hardware device attached to the keyboard. This is most likely a keylogger.
Chris is investigating a security incident at his organization where an attacker entered the building wearing a company uniform and demanded that the receptionist provide him access to a network closet. He told the receptionist that he needed to access the closet immediately to prevent a major network disaster. Which one of the following principles of social engineering did the attacker NOT exploit?
A. Intimidation
B. Urgency
C. Authority
D. Consensus
Correct Answer: D
The attacker entered the building wearing a uniform, which is a sign of authority. He threatened the receptionist (intimidation) with an impending network outage (urgency). There is no indication that he tried to build consensus.
Which one of the following security controls would be MOST effective in combatting buffer overflow attacks?
A. IDS
B. ASLR
C. VPN
D. DLP
Correct Answer: B
Address space layout randomization (ASLR) is a security technique that randomizes the location of objects in memory, making a buffer overflow attack less likely to succeed. Virtual private networks (VPN) provide transport encryption and data loss prevention (DLP) systems provide protection against data exfiltration. Neither would be effective against buffer overflow attacks. Intrusion detection systems (IDS) may identify a buffer overflow attack but would not prevent it from succeeding.
Harold is examining the web server logs after detecting unusual activity on the system. He finds the log excerpt shown below. What type of attack did someone attempt against this system based upon the data shown in these logs?
A. SQL injection
B. Cross-site scripting
C. Domain hijacking
D. Directory traversal
Correct Answer: A
The third log entry shows clear signs of a SQL injection attack. Notice that the parameters passed to the web page include an appended SQL command: UNION SELECT 1,2,3,4,5. This is designed to retrieve the first five columns from the database table and will likely succeed if the web application is not performing proper input validation.
Bill is securing a set of terminals used to access a highly sensitive web application. He would like to protect against a man-in-the-browser attack. Which one of the following actions would be most effective in meeting Bill’s goal?
A. Requiring multifactor authentication
B. Requiring TLS encryption
C. Disabling certificate pinning
D. Disabling browser extensions
Correct Answer: D
In a man-in-the-browser attack, the attacker manages to gain a foothold inside the user’s browser, normally by exploiting a browser extension. This gives him or her access to all information accessed with the browser, regardless of whether the site uses strong authentication or transport encryption (such as TLS). Certificate pinning is a technique used to protect against inauthentic digital certificates and would not protect against a man-in-the-browser attack.
In which one of the following attacks against Bluetooth technology is the attacker able to steal information from the device?
A. Bluesnarfing
B. Bluejacking
C. Blueballing
D. Bluefeeding
Correct Answer: A
In a bluesnarfing attack, the attacker establishes a Bluetooth connection to a target device and then retrieves information from that device. Bluejacking attacks only allow the attacker to display a message on the device. Blueballing attacks allow an attacker to break an existing Bluetooth connection between two devices. Bluefeeding attacks do not exist.
Rob is conducting a penetration test against a wireless network and would like to gather network traffic containing successful authentication attempts but the network is not heavily trafficked and he wants to speed up the information gathering process. What technique can he use?
A. Brute force
B. Rainbow table
C. Disassociation
D. Replay
Correct Answer: C
Disassociation attacks intentionally disconnect a wireless user from their access point to force a reauthentication that the attacker may collect with a wireless eavesdropping tool. Brute force attacks, rainbow table attacks and replay attacks do not gather network traffic and, therefore, would not be useful in this scenario.
What protocol is normally used for communication between an authenticator and authentication server on a network using 802.1x authentication?
A. RADIUS
B. TACACS
C. TACACS+
D. XTACACS
Correct Answer: A
In 802.1x authentication, the end user’s system contains a component called the supplicant that initiates the authentication process. The supplicant connects to the authenticator, normally a network switch or wireless access point, that then reaches out to an authentication server to confirm the user’s identity. The communication between the authenticator and authentication server normally takes place using the RADIUS and EAP protocols.
Gail is a software developer who recently completed the coding of a new module that will be incorporated into one of her organization’s products. Now that her work is complete, she is ready to request that the code be moved to the next environment. Where should the code go next?
A. Staging environment
B. Test environment
C. Production environment
D. Development environment
Correct Answer: B
Development environments are designed for active use by developers who are creating new code. These environments are the only location where code should be modified. Once code is ready for testing, it is released from the development environment into a test environment for software testing. After the completion of user acceptance testing, the code is moved from the test environment into a staging environment where it is prepared for final deployment into the production environment. Developers should never have permission to move code themselves but should only be able to move code between environments through the use of a managed change control system.
Roland’s company requires that supervisors approve payment requests entered by accounting clerks when the total amount of the payment is over $10,000. What type of control is this?
A. Least privilege
B. Separation of duties
C. Job rotation
D. Two-person control
Correct Answer: D
Two-person control requires the concurrence of two individuals for sensitive actions. That is the scenario described here. Separation of duties says that an individual should not have both permissions necessary to perform a sensitive action. This is a closely related but distinct principle. There is no evidence given that supervisors do not have the ability to create payments, so separation of duties is not in play here.
Roger’s company did not have a strong disaster recovery plan and suffered a catastrophic data center outage. With no plan in place, what option likely allows them the quickest recovery at their primary site?
A. Mobile site
B. Hot site
C. Warm site
D. Cold site
Correct Answer: A
Cold sites have only basic infrastructure available and require the longest period of time to activate operations. They are also the cheapest option. Warm sites add hardware, and possibly software, to the mix but do not have a current copy of the data running. They require hours to activate. Hot sites are up and running at all times and can assume operations at a moment’s notice. They are the most expensive option. Mobile sites are transportable on trailers and are a good choice for a last-minute recovery plan. They would work well in this scenario because Roger could bring a mobile site to their primary facility and use it to recover operations during the restoration effort at the primary site.
In what type of attack does the attacker place malicious content on a website that is frequented by individuals in the target organization, in the hopes that one of those individuals will visit the site with a vulnerable system and become compromised?
A. Man-in-the-middle attack
B. Man-in-the-browser attack
C. Watering hole attack
D. DDoS attack
Correct Answer: C
Watering hole attacks take advantage of the fact that many people are predictable in their web surfing patterns. They place malicious content at a site likely to attract the target audience (the watering hole) and then wait for a compromise to occur.
In which one of the following types of penetration test does the attacker not have any access to any information about the target environment prior to beginning the attack?
A. White box
B. Red box
C. Black box
D. Grey box
Correct Answer: C
In a black box attack, the attacker does not have access to any information about the target environment before beginning the attack. In a grey box attack, the attacker has limited information. In a white box attack, the attacker has full knowledge of the target environment before beginning the attack.
Which one of the following statements about IPsec protocols is correct?
A. AH supports authentication and integrity. ESP supports confidentiality, authentication, and integrity.
B. AH supports authentication, integrity and confidentiality. ESP supports confidentiality and integrity.
C. AH supports authentication and confidentiality. ESP supports integrity and authentication.
D. AH supports authentication, integrity and confidentiality. ESP supports confidentiality and authentication.
Correct Answer: A
The Authentication Headers (AH) protocol supports only authentication and integrity for IPsec connections. The Encapsulating Security Payload (ESP) protocol supports confidentiality, integrity, and authentication.
What common clause in software is used specifically for error handling?
A. For loop
B. Do…while
C. Try…catch
D. If…then
Correct Answer: C
While it is possible to perform error handling with a variety of constructs, the most appropriate tool is the use of the try…catch construct. In this approach, developers include the code that might generate an error in the try clause and then provide error handling code in the catch clause.
Molly’s organization has a shared account that they use to provide access to vendors. What is the primary security objective that is sacrificed using this model, assuming that the password is not shared with unauthorized individuals?
A. Integrity
B. Confidentiality
C. Least privilege
D. Accountability
Correct Answer: D
If the password remains known only to authorized individuals, this does not violate the principles of confidentiality or integrity. There is no indication from the scenario that the account has excess privileges, so least privilege is not violated. However, the use of a shared account prevents security staff from determining which individual performed an action, violating the principle of accountability.
Roger recently deployed an IDS on his organization’s network and tuned it to reduce the false positive rate. Which one of the following categories best describes this control?
A. Preventive
B. Detective
C. Corrective
D. Compensating
Correct Answer: B
An intrusion detection system (IDS) has the ability to identify suspicious network traffic but cannot take any preventive action to block the traffic. Therefore, it is best classified as a detective control.
Which one of the following types of access is necessary to engage in a pass-the-hash attack?
A. Access to a domain workstation
B. Access to a domain controller
C. Access to a network segment
D. Access to a public website
Correct Answer: A
In a pass-the-hash attack, the attacker must gain access to hashed Windows account passwords. This is possible by gaining access to a Windows workstation where the target user logs into his or her domain account. Access to a domain controller is not necessary. Access to a network segment or public website is not sufficient because hashed passwords are not generally found in those locations in unencrypted form.
Samantha is the administrator of her organization’s mobile devices and wants to ensure that users have current versions of operating system firmware. Which one of the following approaches will best meet this need?
A. Administrator installation
B. OTA upgrades
C. User installation
D. Sideloading
Correct Answer: B
Over-the-air (OTA) upgrades occur automatically and without user or administrator intervention, making them the best way to ensure that devices remain current. If Samantha wants to control when these updates occur, she can manage OTA updates through her mobile device management (MDM) platform. Manual installation or sideloading by users or administrators is not likely to keep devices consistently updated.
During a web application security review, Crystal discovered that one of her organization’s applications is vulnerable to SQL injection attacks. Where would be the best place for Crystal to address the root cause issue?
A. Database server configuration
B. Web application firewall
C. Web server configuration
D. Application code
Correct Answer: D
While it may be possible to mitigate this issue by adjusting settings on any of the devices mentioned here, the root cause of a SQL injection vulnerability is faulty input validation in the application’s source code. This root cause may only be addressed by modifying the application code.
Tim is choosing a card-based control system for physical access to his facility. His primary concern is the speed of authentication. Which type of card would be most appropriate for this situation?
A. Photo ID card
B. Magnetic stripe card
C. Smart card
D. Proximity card
Correct Answer: D
The proximity card provides the fastest scanning time, as the user simply needs to hold it near the reader. Smart cards and magnetic stripe cards require more time-consuming interaction with the reader. Photo ID cards require scrutiny by a human guard.
Melanie is the system administrator for a database containing sensitive information. She is responsible for implementing security controls to protect the contents of the database. Which term best describes her role?
A. Data custodian
B. Data owner
C. Data user
D. Data steward
Correct Answer: A
System administrators are examples of data custodians: individuals who are charged with the safekeeping of information under the guidance of the data owner.
Pete is investigating a domain hijacking attack against his company that successfully redirected web traffic to a third-party website. Which one of the following techniques is the most effective way to carry out a domain hijacking attack?
A. Network eavesdropping
B. DNS poisoning
C. ARP poisoning
D. Social engineering
Correct Answer: D
In a domain hijacking attack, the attacker changes the registration of a domain with the registrar. DNS and ARP poisoning attacks may redirect web traffic, but they would do so by providing bogus address information, not by hijacking the domain. Network eavesdropping could theoretically be used to steal credentials used to alter information with a registrar, but this is unlikely. The most likely source of a domain hijacking attack is using social engineering with the registrar to gain access to the account used to manage registration information.
Tom would like to deploy NAC technology that is capable of constantly monitoring the configuration of endpoint machines and quarantining machines that fail to meet a security baseline. Which technology would be most appropriate for Tom to deploy?
A. Agent-based NAC
B. Agentless NAC
C. Captive portal
D. Dissolvable NAC
Correct Answer: A
Tom should deploy an agent-based NAC solution or, more specifically, a permanent agent. This technology leaves software running on the endpoint that may remain in constant contact with the NAC solution. Agentless NAC, captive portal solutions, and dissolvable agents do not maintain a constant presence on the system and would not meet Tom’s requirements.
Katie is reviewing the security of a web server used by her organization. She discovers each of the items listed below. Which one of these items poses the greatest security risk and should be prioritized for remediation?
A. The server uses TLS 1.2.
B. The server supports access on port 80.
C. The server runs Apache and MySQL.
D. The server supports access on port 443.
Correct Answer: C
One of the basic server security principles is that each server should support only one primary function. Best practice dictates separating the web server (Apache) from the database server (MySQL). It is normal and standard for a web server to support both unencrypted access on port 80 and encrypted access on port 443. TLS 1.2 is a modern version of the protocol and is secure and acceptable for use.
Paula is reviewing her organization’s account management lifecycle. She is paying particular attention to the timeliness of account management activities and would like to prioritize areas that have the greatest risk. Which one of the following activities should be her highest priority?
A. Access modifications
B. Onboarding
C. Access reviews
D. Offboarding
Correct Answer: D
The offboarding process is the area of greatest risk to the organization because failure to execute deprovisioning activities in a prompt manner may mean that employees who have left the organization retain access to sensitive information or systems.
After identifying an incident, which one of the following incident response phases should the team move into next?
A. Preparation
B. Recovery
C. Eradication
D. Containment
Correct Answer: D
After identifying an incident, the team should next move into the containment phase where they seek to limit the damage caused by the incident. Containment occurs prior to the eradication and recovery phases. The preparation phase occurs before incident identification.
Which one of the following security principles does NOT describe a standard best practice in cybersecurity?
A. Security through obscurity
B. Least privilege
C. Separation of duties
D. Defense in depth
Correct Answer: A
Security through obscurity is an outdated concept that says that the security of a control may depend upon the secrecy of the details of that control’s inner function. Security professionals should not use controls that rely upon security through obscurity. The principles of least privilege, separation of duties, and defense in depth are all sound security practices.
Bill suspects that an attacker is exploiting a zero-day vulnerability against his organization. Which one of the following attacker types is most likely to engage in this type of activity?
A. Hacktivist
B. White hat
C. Script kiddie
D. APT
Correct Answer: D
While it is possible that any type of attacker might engage in a zero-day attack, these vulnerabilities are most likely to be exploited by an advanced persistent threat (APT). APT attackers are more likely to have the technical resources to discover and use zero-day vulnerabilities.
Ryan is experiencing interference on his WiFi network. Which one of the following options is not an effective solution to the problem?
A. Relocate access points
B. Relocate wireless clients
C. Change wireless channels
D. Increase bandwidth
Correct Answer: D
Moving the access point or the client may resolve the interference, as might changing the wireless channel/band in use. Increasing bandwidth will only provide more capacity. Additional capacity will not resolve interference.
What IPsec mode is most commonly used to create site-to-site VPNs between locations?
A. Internet key exchange mode
B. Tunnel mode
C. Transport mode
D. Security association mode
Correct Answer: B
Organizations deploying IPsec for site-to-site VPNs typically use tunnel mode to connect two VPN concentrators to each other and then route traffic through that tunnel in a manner that is transparent to the communicating devices. Transport mode is more commonly used for remote access VPNs. Internet key exchange (IKE) and security associations (SAs) are not modes of IPsec VPN operation.
Beth used the sign-in with Facebook feature to access a website hosted by The Washington Post. This feature uses SAML-based authentication. In this scenario, what is the role played by The Washington Post?
A. Certificate authority
B. Service provider
C. Identity provider
D. User agent
Correct Answer: B
In SAML authentication, the user agent is the web browser, application, or other technology used by the end user. The service provider is the service that the user would like to access. The identity provider is the organization providing the authentication mechanism. The certificate authority issues digital certificates required to secure the connections.
Which one of the following activities would not typically be a component of an employee onboarding process?
A. Deprovisioning accounts
B. Computer issuance
C. Credential generation
D. Security training
Correct Answer: A
During an employee onboarding process, the organization typically conducts a number of start-up activities for the new employee. These commonly include issuing a computer, generating account credentials, and conducting initial security training. Deprovisioning is the removal of user access and accounts and would occur during the offboarding process.
Dan recently received a digitally signed message and when he attempted to verify the digital signature received an error that the hash values did not match. What can Dan conclude from this error?
A. The message was altered by a malicious individual after being sent.
B. The message was accidentally corrupted in transit.
C. There was an error creating the digital signature.
D. Dan can’t draw one of these specific conclusions.
Correct Answer: D
Any one of these scenarios is a plausible reason that the digital signature would not verify. Dan cannot draw a specific conclusion other than that the message he received is not the message that was sent by the originator.
Tammy is running a set of three load balanced web servers for her domain. The first server is the primary server and handles requests until it reaches capacity, then new requests are assigned to the second server. The third server remains idle unless the other two servers are fully utilized. What IP address should Tammy use for the DNS entry for the domain?
A. Virtual IP
B. First server’s IP
C. Second server’s IP
D. Third server’s IP
Correct Answer: A
When registering DNS entries for a load balanced service, administrators should assign the entry to a virtual IP address that maps to the public interface of the load balancer.
Ron is concerned about the potential of attackers exploiting issues in the operating system supporting a virtualization hypervisor to gain access to information stored by guest operating systems. What type of hypervisor can he use to minimize this risk?
A. Type 1 hypervisor
B. Type 2 hypervisor
C. Type 3 hypervisor
D. Type 4 hypervisor
Correct Answer: A
In a type 1 hypervisor, the hypervisor runs directly on the system hardware, eliminating the need for an underlying operating system and reducing the environment’s attack surface. Type 2 hypervisors require the use of a host operating system. Type 3 and 4 hypervisors do not exist.
Which one of the following attacks is a critical threat that applies specifically to NTLM authentication?
A. Rainbow table
B. Man-in-the-middle
C. Pass-the-hash
D. Brute force
Correct Answer: C
All of these attacks are authentication attacks. Brute force and rainbow table attacks are generic attacks that may be used against any authentication system that stores hashed passwords. Man-in-the-middle attacks are generally used against web applications. Pass-the-hash attacks are specifically effective against NTLM authentication.
Donna was recently approached by the manager of a former employee who was seeking access to that employee’s email account. She believes there is a valid business need for the access but is unsure how to obtain approval. What type of control would assist Donna and others in her organization in making these decisions?
A. Service level agreement
B. Data classification policy
C. Data handling guidelines
D. Standard operating procedure
Correct Answer: D
Donna’s organization should consider implementing a standard operating procedure (SOP) for data access requests. This procedure could spell out the appropriate approval process for granting access to data stored in another user’s account. A guideline is not mandatory and would not be appropriate in this case. A data classification policy would generally not cover access request procedures, nor would a service level agreement.
ROT13 is an example of what type of cipher?
A. Hashing
B. Transposition
C. Substitution
D. Cryptographically strong
Correct Answer: C
The ROT13 cipher exchanges each letter of a message for the letter that is 13 places ahead of it in the alphabet. This is an example of a substitution operation. Transposition ciphers rearrange the letters in a message, which is not occurring here. ROT13 is quite weak and would never be considered cryptographically strong. It also does not perform hashing of messages into message digests.
Julie is beginning a penetration test against a client and would like to begin with passive reconnaissance. Which one of the following tools may be used for passive reconnaissance?
A. Nessus
B. Metasploit
C. Nmap
D. Aircrack-ng
Correct Answer: D
Nmap, Nessus, and Metasploit are all active reconnaissance tools that interact with their target environments. Aircrack-ng may be used to passively gather information about a wireless network and crack a pre-shared key.
Rob is tracking down the unauthorized exfiltration of sensitive information from his organization and found suspicious emails sent by an employee to a Gmail address. The emails seem to only contain photos, but Rob suspects that the photos contain sensitive information. What technique might the employee have used to embed sensitive information within a photograph?
A. Steganography
B. Cartography
C. Psychology
D. Cryptography
Correct Answer: A
Steganography is a set of techniques used to hide information within other files, in plain sight. The most common application of steganography is hiding information within images.
Which one of the following terms best describes the level of firewall protection that is typically found in router access control lists?
A. Proxying
B. Stateless
C. Stateful
D. Next generation
Correct Answer: B
Router access control lists are only capable of performing stateless filtering, which does not take connection status into account. Other firewall technologies, including stateful inspection firewalls, next generation firewalls, and proxy firewalls, all track connection state and typically require dedicated firewall hardware.
Christina is building a new capability for her organization’s data centers that allows the automatic shifting of workloads to Amazon Web Services when the organization’s own resources are overwhelmed. What type of environment is Christina building?
A. Community cloud
B. Private cloud
C. Public cloud
D. Hybrid cloud
Correct Answer: D
In a public cloud environment, providers offer services on the same shared computing platform to all customers. Customers do not necessarily have any relationship to, or knowledge of, each other. In a private cloud environment, an organization builds its own computing environment. In a hybrid cloud environment, an organization combines elements of public and private cloud computing. In a community cloud environment, a group of related organizations builds a shared cloud environment that is not open for general public use.
Flo is the administrator for a server that is using RAID 5 with a six-disk array. In this approach, what is the maximum number of disks that may fail without the permanent loss of data?
A. 2
B. 4
C. 1
D. 3
Correct Answer: C
In a RAID 5 array, all of the disks contain data except for the parity disk. Therefore, regardless of the number of disks in the array, only a single disk may fail before data is permanently lost.
Which one of the following categories of account should normally exist on a secured server?
A. Service account
B. Shared account
C. Generic account
D. Guest account
Correct Answer: A
Generic, shared, and guest accounts should not be used on secure servers due to their lack of accountability to an individual user. Service accounts normally exist on all servers and are required for routine operation of services.
Thomas is considering using guard dogs to patrol the fenced perimeter of his organization’s data processing facility. What category best describes this control?
A. Compensating
B. Preventive
C. Corrective
D. Deterrent
Correct Answer: D
Guard dogs may be described as either a deterrent or preventive control, depending upon the context. They do serve in a preventive role because they have the ability to corner a potential intruder. However, this is not their primary role. Their main function is to serve as a deterrent to intrusion attempts through their menacing appearance. When taking the exam, remember that you may face questions like this asking you to choose the BEST answer from among several correct possibilities.
Which one of the following keying options creates the most secure implementation of the 3DES encryption algorithm?
A. K1=K2, K2 is not equal to K3
B. K1, K2, and K3 are independent
C. K2=K3, K1 is not equal to K3
D. K1=K2=K3
Correct Answer: B
The most secure implementation of 3DES uses three independent keys. This approach creates a key with 168 (56×3) independent bits. When all three keys are the same, the key length is only 56 bits. When only two keys are independent, the key length is 112 bits.
Vivian is investigating a website outage that brought down her company’s ecommerce platform for several hours. During her investigation, she noticed that the logs are full of millions of connection attempts from systems around the world, but those attempts were never completed. What type of attack likely took place?
A. DoS
B. Cross-site request forgery
C. Cross-site scripting
D. DDoS
Correct Answer: D
This is a clear example of a distributed denial of service (DDoS) attack. The half-open connections indicate the use of a denial of service attack. The fact that the requests came from all over the world makes it clear that it is more than a standard denial of service attack. There is no indication that there was a web application flaw, such as cross-site request forgery or cross-site scripting.
Which one of the following firewall types is capable of monitoring connection status by tracking the stages of the TCP handshake and then using that information when deciding whether to allow future packets that are part of an active connection?
A. Router ACL
B. Packet filter
C. Stateful inspection
D. Stateless firewall
Correct Answer: C
Stateful inspection firewalls monitor connection status by tracking the TCP handshake. They maintain a table of active connections and automatically allow traffic that is part of an established connection without requiring the reevaluation of the ruleset for each packet. The other firewall types listed are more primitive and do not track connection status. They simply reevaluate every packet that they receive.
Katie is conducting testing of a new application and recently completed unit testing. She would now like to run a series of tests designed to confirm that the tested units will work together properly. What type of software testing should Katie run next?
A. Integration testing
B. Functional testing
C. Design testing
D. Acceptance testing
Correct Answer: A
Integration testing occurs after unit testing and is designed to confirm that units of code will work together properly. Functional testing takes place upon the conclusion of requirements development, while design testing occurs after the design is complete. Both functional and design testing should be completed before, not after, unit testing. Acceptance testing occurs as the next step after successful integration testing.
When using CHAP authentication, what does the server send to the client in the second step of the handshake?
A. Certificate
B. Password
C. Hash
D. Challenge
Correct Answer: D
In the Challenge Handshake Authentication Protocol (CHAP), the client makes an authentication request and the server responds with a challenge message. The client must then combine its password with the challenge message and hash it, providing this hashed response to the server.
Brenda is assisting a user who is traveling on business and is unable to access a critical system. Brenda is able to access the system herself and the user was able to access it last week from the office. The user connected to the VPN and is still having the same issue. What type of access restriction is most likely in place?
A. Time-based restriction
B. Role-based restriction
C. Content-based restriction
D. Location-based restriction
Correct Answer: D
The only factor that changed is the user’s location, making a location-based restriction the most likely culprit. This type of restriction can apply even when a user connects to a VPN. We know that it is not a content-based restriction or role-based restriction because the user was able to access the same system when in the office. We also can surmise that it is not likely a time-based restriction because Brenda is able to access the system at the same time.
What is the primary feature that distinguishes a smart card from other types of access card?
A. Presence of an integrated circuit
B. Presence of a magnetic stripe
C. Requirement to enter a PIN or password
D. Compatibility with biometric authentication
Correct Answer: A
Smart cards contain an integrated circuit that interactively authenticates with the reader. They do not necessarily contain a magnetic stripe. There is no requirement that a smart card be combined with a PIN/passcode or biometric authentication, although this is often done to achieve multifactor authentication.
Bob is performing regular backups of a system and is asked by his boss to create an emergency backup. Which one of the following backup types will consume the most disk space?
A. Full backup
B. Incremental backup
C. Differential backup
D. Transaction log backup
Correct Answer: A
Full backups always include all data stored on the backed up media and, therefore, are always at least as large as any other backup type. This system is being regularly backed up, so other backup types will be smaller than a full backup.
As you increase the length of a key by a single bit, how much more resilient does that key become against a brute force attack?
A. Four times stronger
B. Ten times stronger
C. One percent stronger
D. Twice as strong
Correct Answer: D
Adding a single bit to a cryptographic key doubles the number of possible keys, making the new key length twice as strong as the previous key length.
Shortly after Trish’s organization fired a software developer, code on a server activated that determined the developer was no longer employed and deleted the source code from her projects. What type of attack did Trish’s organization experience?
A. Logic bomb
B. Worm
C. RAT
D. Trojan horse
Correct Answer: A
This is an example of a logic bomb, code that remains dormant until certain logical conditions are met and then releases its payload. In this case, the logic bomb was configured to release if the developer was no longer employed by the organization.
What is the primary risk associated with using motion detectors to automatically unlock a data center door when a person is attempting to exit?
A. The motion detector may not sense some employees based upon their physical characteristics.
B. The motion detector may not work during a power failure.
C. An employee may exit the facility with unauthorized materials.
D. An intruder may attempt to trigger the motion detector from the outside to gain entry.
Correct Answer: D
The primary risk associated with automated exit motion detectors is that an intruder outside the facility may be able to gain access by triggering the motion detector. For example, if it is possible to slide a piece of paper under the door, it may be possible to forcefully push the paper through so it flies up in the air and triggers the detector.
Carla’s firm is preparing to deploy a large network of Internet of Things sensors. Which one of the following is the least common security concern with IoT deployments?
A. Patches to embedded operating systems
B. Network segmentation
C. Multifactor authentication
D. Data encryption
Correct Answer: C
Generally speaking, IoT deployments do not typically require multifactor authentication. They do, however, call for maintenance of the embedded operating systems, network segmentation, and the encryption of sensitive information.
Tina is deploying a NAC solution for a university network and she wishes to perform host health checking. The network has many unmanaged student machines and students do not want to have software installed on their systems that remains behind after they leave the network. Which one of the following approaches would be best for Tina to use?
A. Captive portal
B. Dissolvable NAC
C. Permanent NAC
D. Active Directory NAC
Correct Answer: B
Dissolvable NAC uses a temporary agent that is removed immediately after the health check completes. This would be the best solution for Tina to deploy. A captive portal solution does not necessarily have the ability to perform health checking unless it is combined with a dissolvable agent. Permanent NAC would install software that remains on the student computers. Active Directory NAC would not be appropriate because the systems are unmanaged and, therefore, not accessible through AD.
Which one of the following tools would be most helpful in detecting missing operating system patches?
A. Network vulnerability scanner
B. Configuration management tool
C. Port scanner
D. Documentation review
Correct Answer: B
All of these tools may be useful in detecting missing patches. However, the most useful tool is a configuration management system. These tools have the ability to directly query the operating system to obtain real-time information on its patch level.
Carl is selecting a computing environment for a machine learning workload. The nature of the workload is that it uses resources intensely for several hours each evening and does not need resources at other times during the day. What computing model would be most cost-effective for this type of workload?
A. On-premises computing
B. Remote data center
C. Colocation facility
D. Cloud computing
Correct Answer: D
Cloud computing environments provide on-demand computing and allow users to pay for resources on an as-needed basis. In that model, Carl can power down servers that are not needed and reduce his costs. Other computing models have high fixed costs that would not be as cost-effective for this type of bursty workload.
What standard is used to define the format of a digital certificate?
A. 802.1x
B. X.509
C. RFC 1918
D. RFC 783
Correct Answer: B
The digital certificate format is set out in the X.509 standard. RFC 1918 contains the standard for private IP addressing, while RFC 783 defines the TCP standard. IEEE 802.1x is a standard for wireless authentication.
Bruce would like to implement an authentication mechanism that requires that users connecting via mobile devices use a second authentication factor when they are connecting from an unfamiliar IP address. What term best describes this technique?
A. Role-based authentication
B. Rule-based authentication
C. Context-based authentication
D. Device-based authentication
Correct Answer: C
The use of different authentication requirements depending upon the circumstances of the user’s request is known as context-based authentication. In this scenario, authentication requirements are changing based upon the user’s IP address, making it an example of context-based authentication.
Brandy is using a computer at a hotel business center and she is concerned that the operating system on the device may be compromised. What is the best way for her to use this computer in a secure fashion?
A. Use live boot media
B. Run a malware scan
C. Connect to a VPN
D. Only access secure websites
Correct Answer: A
If Brandy’s major concern is a compromised operating system, she can bypass the operating system on the device by booting it from live boot media and running her own operating system on the hardware. Running a malware scan may provide her with some information but may not detect all compromises and Brandy likely does not have the necessary permissions to correct any issues. Using a VPN or accessing secure sites would not protect her against a compromised operating system, as the operating system would be able to view the contents of her communication prior to encryption.
In a data center using the hot aisle/cold aisle approach, where should air conditioner vents be positioned to distribute cold air?
A. At the back of racks
B. At the front and back of racks
C. Above racks
D. At the front of racks
Correct Answer: D
In a hot aisle/cold aisle layout, cold air should be distributed at floor level in the front of racks (cold aisle) so that it is pulled into the front of equipment and vented out the back into the hot aisle.
Matt is ranking systems in his organization in order of priority for disaster recovery. Which one of the following systems should have the highest impact rating?
A. Routing and switching
B. Fire suppression
C. Enterprise resource planning
D. Customer relationship management
Correct Answer: B
Life safety systems should always have a higher impact rating than other systems. Therefore, Matt should prioritize the fire suppression system over other restoration efforts.
Which one of the following security vulnerabilities is NOT a common result of improper input handling?
A. SQL injection
B. Cross-site scripting
C. Buffer overflow
D. Distributed denial of service
Correct Answer: D
SQL injection, cross-site scripting, and buffer overflow attacks all occur when applications do not properly screen user-provided input for potentially malicious content. Distributed denial of service attacks use botnets of compromised systems to conduct a brute force resource exhaustion attack against a common target.
Wendy is deploying mobile devices to field workers who must travel in rural areas and require constant data service availability. Which one of the following technologies can provide that access?
A. Cellular
B. SATCOM
C. WiFi
D. Bluetooth
Correct Answer: B
Satellite communications (SATCOM) have the widest availability, as they may be used from any region of the world with satellite coverage. For large satellite networks, this covers the entire planet. Cellular signals do travel long distances but may not have constant availability in rural areas. WiFi and Bluetooth are only useful over short distances and would not be appropriate for this scenario.
What software security technique can be added to a Secure DevOps approach to automate the evaluation of how software will respond to mutated input?
A. Fuzz testing
B. Penetration testing
C. Vulnerability scanning
D. Decompilation
Correct Answer: A
Fuzz testing specifically evaluates the performance of applications in response to mutated input combinations. Penetration testing is a manual, not automated, process. Vulnerability scanning may be automated but does not necessarily include the use of mutated input. Decompilation attempts to reverse engineer code.
Bob is performing regular backups of a system and is asked by his boss to create an emergency backup. Which one of the following backup types will consume the most disk space?
A. Differential backup
B. Full backup
C. Incremental backup
D. Transaction log backup
Correct Answer: B
Full backups always include all data stored on the backed up media and, therefore, are always at least as large as any other backup type. This system is being regularly backed up, so other backup types will be smaller than a full backup.
Gary is configuring a wireless access point that supports the WPS service. What risk exists in all implementations of WPS that he should consider?
A. Weak encryption
B. Offline brute force attack
C. Impossible to disable WPS
D. Physical access to the device
Correct Answer: D
Several vulnerabilities exist in different implementations of WPS. Some allow an offline brute force attack known as Pixie Dust. Others may make it impossible for device administrators to disable WPS. Others may use weak encryption. The risk that applies to all WPS devices is the risk of physical access. If an attacker gains physical access to the device, he or she can join the network.
Which one of the following categories of information is explicitly governed by HIPAA’s security and privacy rules?
A. PHI
B. PCI
C. PII
D. PDI
Correct Answer: A
The Health Insurance Portability and Accountability Act (HIPAA) contains security and privacy provisions covering protected health information (PHI). It does not apply to more general personally identifiable information (PII) or payment card information (PCI). PDI is not a common category of information.
Norma has held several positions in her company and is still able to carry out system actions that were granted to her based upon her previous roles. She no longer has a job-based requirement to perform those activities. What term describes what has happened here?
A. Least privilege
B. Privileged account
C. Privilege creep
D. Privilege migration
Correct Answer: C
Privilege creep is the term used to describe the situation where a user moves through various job roles and accumulates permissions over time without having unnecessary permissions revoked. Privilege creep is a violation of the principle of least privilege.
Ken would like to configure his organization’s password security policy to be in line with current NIST guidelines. What is the minimum password length that Ken should require to be consistent with those guidelines?
A. 6 characters
B. 8 characters
C. 12 characters
D. No minimum
Correct Answer: B
NIST’s digital identity security guidelines suggest that organizations set a minimum password length of 8 characters for passwords that are memorized by the user. (NIST SP 800-63B)
Christina is building a new capability for her organization’s data centers that allows the automatic shifting of workloads to Amazon Web Services when the organization’s own resources are overwhelmed. What type of environment is Christina building?
A. Public cloud
B. Private cloud
C. Community cloud
D. Hybrid cloud
Correct Answer: D
In a public cloud environment, providers offer services on the same shared computing platform to all customers. Customers do not necessarily have any relationship to, or knowledge of, each other. In a private cloud environment, an organization builds its own computing environment. In a hybrid cloud environment, an organization combines elements of public and private cloud computing. In a community cloud environment, a group of related organizations builds a shared cloud environment that is not open for general public use.
Which one of the following mobile device deployment models allows employees to select the device they would like to use from a list of approved corporate-owned models?
A. COPE
B. BYOD
C. Corporate-owned
D. CYOD
Correct Answer: D
In a choose-your-own-device (CYOD) model, the employee is permitted to choose from a selection of approved devices. The company owns the device. In a bring-your-own-device (BYOD) model, the employee owns the device. In corporate-owned, personally-enabled (COPE) and corporate-owned models, the company owns the device but the employee does not necessarily have the ability to choose the device.
Paul is helping to develop the security controls for a new high security facility. The requirements specify that some equipment must be housed in a Faraday cage. What is the primary purpose of this control?
A. Block physical access to equipment
B. Block electromagnetic radiation
C. Prevent tailgating attacks
D. Prevent theft of equipment
Correct Answer: B
Faraday cages are enclosures designed to prevent electromagnetic radiation from entering or leaving an area. They are used to shield very sensitive equipment and to prevent electromagnetic signals that might be intercepted from leaving a facility.
When designing a security awareness program for employees, which one of the following groups would generally receive the most technical security training?
A. Users
B. Data owners
C. System administrators
D. Executives
Correct Answer: C
All employees should receive security awareness training that is tailored to their role in the organization. System administrators are the most technical employees mentioned here, so they should receive the most technical training.
Which one of the following statements about the Blowfish algorithm is incorrect?
A. The algorithm is covered by a patent.
B. The algorithm uses a 64-bit block size.
C. The algorithm allows the use of any length key between 32 and 448 bits.
D. The developer of the algorithm does not recommend it for use today.
Correct Answer: A
Bruce Schneier designed the Blowfish algorithm as an open-source alternative to other patented encryption algorithms. The algorithm does support a 64-bit block size and variable length keys between 32 and 448 bits. Schneier does not recommend that people use Blowfish today, instead recommending the Twofish algorithm.
What is the purpose of a DNS amplification attack?
A. Host redirection
B. Record poisoning
C. Man-in-the-middle
D. Resource exhaustion
Correct Answer: D
DNS amplification is a denial of service technique that sends small queries with spoofed source addresses to DNS servers, generating much larger, amplified, responses back to the spoofed address. The purpose is to consume all of the bandwidth available to the target system, resulting in a resource exhaustion denial of service attack.
Charlie received an alert from file integrity monitoring software running on a server in his organization. Which one of the following is NOT a likely reason for this alert?
A. Operating system update
B. CPU failure
C. Application update
D. Security incident
Correct Answer: B
Operating system updates and application updates frequently trigger file integrity alerts, as do system compromises. A CPU failure would result in a system crash, rather than a file integrity alert.
Which one of the following assertions can NOT be made by validating the card authentication certificate on a US government PIV card?
A. The card is not expired.
B. The card has not been revoked.
C. The holder of the credential is the same individual the card was issued to.
D. The card was issued by an authorized entity.
Correct Answer: C
PIVs contain four digital certificates. The card authentication certificate is used to verify that the PIV credential was issued by an authorized entity, has not expired, and has not been revoked. The PIV authentication certificate is used to verify that the PIV credential was issued by an authorized entity, has not expired, has not been revoked, and that the holder of the credential is the same individual it was issued to. The digital signature certificate allows the user to digitally sign a document or email, providing both integrity and non-repudiation. The encryption certificate allows the user to digitally encrypt documents or email.
Jena would like to configure her organization’s switches so that they do not allow systems connected to a switch to spoof MAC addresses. Which one of the following features would be helpful in this configuration?
A. Loop protection
B. Port security
C. Flood guard
D. Traffic encryption
Correct Answer: B
Port security restricts the number of unique MAC addresses that may originate from a single switch port. It is commonly used to prevent someone from unplugging an authorized device from the network and connecting an unauthorized device but may also be used to prevent existing devices from spoofing MAC addresses of other devices.
What term is used to describe a network of decoy systems used to attract and study the activity of intruders?
A. Honeynet
B. Honeypot
C. Darknet
D. Darkpot
Correct Answer: A
Honeynets are networks of decoy systems designed to attract intruders so that security analysts may study their activity. Honeypots are single systems designed for the same purpose. Darknets are unused portions of IP address space designed to detect scanning activity when a scanner attempts to access those unused addresses. Darkpots are what occur when I attempt to cook and leave a pot unattended on the stove for too long.
Gavin is managing the access control system for his organization. Users often change jobs and he would like to select an approach that will make it easy to reassign permissions when users move around the organization. Which access control model is best suited for his needs?
A. ABAC
B. DAC
C. MAC
D. RBAC
Correct Answer: D
This situation calls for role-based access control, where authorizations are assigned based upon a user’s role in the organization. This approach would allow Gavin to simply change a user’s role when they switch jobs and then the permissions would automatically update based upon the user’s new role.
Greg believes that a recently departed employee is likely to sue the company for employment law violations because the employee threatened to do so during an exit interview. When should the company issue a legal hold to preserve evidence?
A. When a lawsuit is filed
B. Immediately
C. When they receive a subpoena
D. When the employee issues a formal notice of intent to sue
Correct Answer: B
Which one of the following would not be considered an OSINT tool?
A. WHOIS lookups
B. Google searches
C. Website perusal
D. Vulnerability scans
Correct Answer: D
Open source intelligence (OSINT) includes the use of any publicly available information. This would include domain registration records found in WHOIS entries, the contents of public websites, and the use of Google searches. Vulnerability scans are an active reconnaissance technique and would not be considered OSINT.
Rudy is configuring a router that sits at the connection between his organization’s network and the Internet. He is concerned about spoofed packets and would like to configure the router to perform anti-spoofing filtering. Which one of the following source IP addresses should be blocked at the router for inbound traffic?
A. 12.168.1.100
B. 278.168.1.100
C. 192.168.1.100
D. 129.168.1.100
Correct Answer: C
12.168.1.100 and 129.168.1.100 are valid public IP addresses and should be permitted as inbound source addresses. 278.168.1.100 is not a valid IP address because the first octet is greater than 255; it does not need to be blocked because it can never appear as a source address. This leaves 192.168.1.100. This address is a private address and should never be seen as a source address on packets crossing an external network connection.
Frank would like to set his organization’s password length requirements to align with industry best practices. What should he set as the maximum password length?
A. No maximum
B. 8 characters
C. 16 characters
D. 255 characters
Correct Answer: A
The best source for guidance on passwords and other authentication techniques is NIST Special Publication 800-63B: Digital Identity Guidelines. In the most recent revision of this document, NIST states that users should not be subjected to a maximum password length requirement and should be allowed to choose passwords as lengthy as they would like.
Under GDPR, which individual bears responsibility for ensuring that the company understands its privacy responsibilities and serves as the primary liaison to the supervising authority?
A. Chief executive officer
B. Data protection officer
C. Chief information officer
D. Chief information security officer
Correct Answer: B
The data protection officer (DPO) is a formal designation under GDPR and the individual designated as DPO bears significant responsibilities for GDPR compliance.
What type of scan can best help identify cases of system sprawl in an organization?
A. Discovery scan
B. Web application scan
C. Detailed scan
D. Database scan
Correct Answer: A
Discovery scans are designed to identify systems on the network and can be used to detect undocumented assets that are the result of system sprawl.
What technology does the PEAP protocol combine with EAP to provide secure communication of authentication credentials?
A. SSL
B. LEAP
C. TLS
D. IDEA
Correct Answer: C
The Protected Extensible Authentication Protocol (PEAP) runs the standard EAP protocol within a TLS session to provide secure communications.
Which one of the following features is not typically supported by mobile device management (MDM) solutions?
A. Application management
B. Configuration management
C. Carrier unlocking
D. Remote wiping
Correct Answer: C.
Mobile device management products do typically support remote wiping, application management, and configuration management, among other features. They do not provide carrier unlocking functionality, as this may only be performed by the wireless carrier that activated the device.
Barry is configuring 802.1x authentication for his wireless network. In a typical wireless authentication scenario, what device would act as the 802.1x client?
A. Mobile devices connecting to the network
B. Router
C. Wireless access point
D. Back-end authentication server
Correct Answer: C
In an 802.1x wireless network, the wireless access point or wireless controller typically serves as the 802.1x client, sending authentication requests to a back-end authentication server.
Jake is helping his organization move out of an office complex they are leaving and has a large quantity of sensitive paper records to dispose. Which one of the following destruction methods would not be appropriate to sufficiently destroy the information?
A. Degaussing
B. Burning
C. Pulping
D. Shredding
Correct Answer: A
Burning, shredding, and pulping are all acceptable ways to destroy paper records. Degaussing is a magnetic destruction technique that is only appropriate for digital records.
What do most physical security professionals consider the minimum fence height to slow down a determined intruder?
A. 4 feet
B. 8 feet
C. 6 feet
D. 12 feet
Correct Answer: B
Most security professionals consider eight feet to be the minimum height for a fence protecting critical assets. It is trivial for an intruder to climb a fence of six feet or less. A fence that stands twelve feet high is likely unnecessary and aesthetically unpleasant. For added security, organizations may add barbed wire to the top of the fence.
Donna is looking for a secure way to transfer files between systems. The systems in question are already configured for SSH connections. What file transfer method could she use that would leverage the SSH protocol?
A. FTPS
B. Dropbox
C. HTTPS
D. SFTP
Correct Answer: D
The Secure File Transfer Protocol (SFTP) provides a file transfer capability through a Secure Shell (SSH) connection. The File Transfer Protocol Secure (FTPS) also provides secure file transfers, but does so through a modified version of the FTP protocol and does not use SSH. Dropbox is a proprietary file sharing service that does not use SSH. The HyperText Transfer Protocol Secure (HTTPS) is a secure web protocol that may be used for file transfers but does not leverage SSH.
Fran is investigating an attack that took place against a website operated by her organization. When she looked at the authentication log entries, she saw that the attacker attempted to log into thousands of different accounts using a series of common passwords before eventually finding a combination that worked. What term best describes this attack?
A. Credential stuffing
B. Brute force
C. Password spraying
D. Rainbow table
Correct Answer: A
Answering this question is a little tricky because it depends upon you not only recognizing that each of these options is indeed a password attack but also knowing the details of how each one of them works. Let’s start by knocking off two of the more clearly incorrect answers. First, this is not a brute force attack. A brute force attack attempts every possible password against an account, and in this case we have a series of common passwords being used against a lot of accounts. Second, it is not a rainbow table attack. That type of attack requires that the attacker have access to a file containing hashed passwords, which is not the case here. That leaves us with password spraying and credential stuffing: two similar attack types. Password spraying attacks take username and password combinations that were compromised on other sites and use them to attempt logging into the target site, based on the presumption that people will reuse passwords from site to site. Credential stuffing attacks use a series of commonly chosen passwords to attempt to log into a series of accounts. That’s what happened in this scenario.
Tim’s organization is planning the future of their data center infrastructure and has decided that they would like to move to a cloud service model. They have already embraced virtualization but would like to gain the management benefits of a cloud offering. They are working with a service provider who will provision hardware for their exclusive use. That equipment will reside in a data center that serves many customers. What type of cloud deployment model is Tim’s organization considering?
A. Public
B. Hybrid
C. Community
D. Private
Correct Answer: D
This is an example of a private cloud deployment, where the service provider is dedicating hardware to this specific customer. Private clouds may operate in data centers that are dedicated to that single customer or, as in this case, they may operate in shared data centers. The difference is that each customer’s equipment is segregated and customers do not share hardware. That shared hardware approach is the hallmark of public and community cloud models. Hybrid cloud models mix elements of public and private clouds. There is no indication that Tim’s organization intends to do this.
Rob’s organization uses a variety of different cloud vendors. He is looking for a security solution that would allow him to enforce security policies consistently across those different vendors. Which one of the following technologies would best meet his needs?
A. CASB
B. SIEM
C. VDI
D. SOAR
Correct Answer: A
Cloud access security brokers (CASB) are designed to enforce security policies across cloud services. Security information and event management (SIEM) and security orchestration, automation, and response (SOAR) platforms are designed to aggregate, analyze, and react to security events. Virtual desktop infrastructure (VDI) offers desktop computing to end users in a virtualized manner.
Barry was reviewing his organization’s perimeter firewall ruleset and determined that it contains rules that allow unnecessary access. What type of control flaw has Barry discovered?
A. Corrective
B. Detective
C. Preventive
D. Deterrent
Correct Answer: C
Firewalls serve to block attempted access to the organization’s networks and systems. Therefore, they are best described as preventive controls. The purpose of a detective control is to identify attacks that are currently taking place or have taken place in the past. The purpose of a deterrent control is to discourage an attacker from attempting to undermine security. The purpose of a corrective control is to help the organization recover after a security incident.
Harold is investigating a security incident where the victim was visiting a message board and viewed a message containing malicious code. He had another tab open in his browser that was logged into a popular shopping website. The malicious code on the message board made a purchase on the shopping website without his knowledge and shipped the merchandise to an overseas address. What type of attack likely took place?
A. Server-side request forgery
B. Cross-site scripting
C. Cross-site request forgery
D. Phishing
Correct Answer: C
In this case, the attack depended upon the fact that the victim was already logged into the shopping website. The attacker knew that some portion of the visitors to the message board would be logged into that site and took advantage of that trust relationship to send commands through the user’s browser to the shopping site. That’s an example of a cross-site request forgery attack. Cross-site scripting attacks work in a similar manner but they do not leverage those trust relationships. Server-side request forgery attacks target the web server itself rather than the end user. Phishing attacks attempt to trick the user into sharing sensitive information, but this attack took place without the victim’s knowledge.
Brynn is concerned about the risks associated with web application attacks and wishes to perform input validation. What is the best place to perform this task?
A. In the user’s browser via HTML
B. On the web server
C. In the user’s browser via JavaScript
D. On the database server
Correct Answer: B
Input validation should always be performed on the web server. Database servers do not see the full input provided by the user and are not well-situated to perform input validation. Input validation should never be performed at the web browser because a malicious user can disable that validation code.
Jessica is creating a virtual private cloud (VPC) with a private subnet in her IaaS environment. Which one of the following IP address ranges would not be appropriate for this subnet?
A. 172.16.0.0/16
B. 10.16.0.0/16
C. 192.168.0.0/16
D. 181.10.0.0/16
Correct Answer: D
The following address ranges are available for use on private networks and subnets: 10.0.0.0-10.255.255.255, 172.16.0.0-172.31.255.255, and 192.168.0.0-192.168.255.255. Three of the subnets presented in this question fall into these ranges, while the fourth, 181.10.0.0/16, does not. That subnet is a public address range assigned to a particular user and should not be used on a private subnet.
Henry would like to capture network packets from the command line. What command would best meet his needs?
A. dd
B. tcpdump
C. FTK
D. Wireshark
Correct Answer: B
Tcpdump is a command-line packet capture utility. Wireshark is also a packet capture utility but it is designed for interactive use through a GUI. FTK and dd are forensic utilities used to capture disk images, not network packets.
Susan is looking for a security solution that is capable of reacting automatically to security information and performing a variety of tasks across other security solutions. Which one of the following technologies would best meet her needs?
A. CASB
B. SIEM
C. SOAR
D. IPS
Correct Answer: C
Security orchestration, automation, and response (SOAR) platforms are specifically designed to react to security information and perform workflows across a variety of other systems, which would make it the best choice. Security information and event management (SIEM) platforms are capable of doing this to some degree, but they are not as well suited to the task as SOAR platforms, so while SIEM might be a good answer, it’s not the best possible answer. When you take a security certification exam, it’s very important to remember that questions may have one or more possible answers. You always want to choose the best of those choices. That’s why it’s very important to read the entire question carefully!
Bernard is considering using a new cloud service where the vendor offers a managed environment for the execution of customer-supplied code. What term best describes this service?
A. IaaS
B. PaaS
C. SaaS
D. XaaS
Correct Answer: B
This environment, where customers supply code and vendors supply managed infrastructure, is known as platform as a service (PaaS) computing. In infrastructure as a service (IaaS) computing, the vendor offers access to the basic building blocks of a computing infrastructure, such as servers, storage, and networking and the customer assembles those building blocks to create their own solutions. In the software as a service (SaaS) model, the vendor provides a fully functional application to the customer. Anything as a service (XaaS) is a term describing the fact that virtually any computing service may be delivered in a cloud model and it is not a good description of this specific scenario.
Jake would like to find a security solution that protects users from malicious content hosted on websites that they visit and allows him to perform content filtering according to his company’s policy. Which one of the following solutions would best meet his needs?
A. SWG
B. NGFW
C. CASB
D. IPS
Correct Answer: A
It is possible that an intrusion prevention system (IPS) or next generation firewall (NGFW) could provide this functionality. However, a secure web gateway (SWG) is purpose-built for filtering user web traffic and, therefore, would be the best solution in this scenario. Cloud access security brokers (CASB) do not perform web content filtering.
In Mandatory Access Control, sensitivity labels attached to an object contain what information?
A. The item’s classification
B. The item’s classification and category set
C. The item’s category
D. The item’s need to know
Answer: B
Explanation: The following is the correct answer: the item’s classification and category set. A sensitivity label must contain at least one classification and one category set. Category set and compartment set are synonyms; they mean the same thing. The sensitivity label must contain at least one classification and at least one category. It is common in some environments for a single item to belong to multiple categories. The list of all the categories to which an item belongs is called a compartment set or category set.
Which of the following is true about Kerberos?
A. It utilizes public key cryptography.
B. It encrypts data after a ticket is granted, but passwords are exchanged in plain text.
C. It depends upon symmetric ciphers.
D. It is a second party authentication system.
Answer: C
Explanation: Kerberos depends on secret keys (symmetric ciphers). Kerberos is a third-party authentication protocol. It was designed and developed in the mid-1980s by MIT. It is considered open source but is copyrighted and owned by MIT. It relies on the user’s secret keys. The password is used to encrypt and decrypt the keys.
What is Kerberos?
A. A three-headed dog from the Egyptian mythology.
B. A trusted third-party authentication protocol.
C. A security model.
D. A remote authentication dial in user server.
Answer: B
Explanation: This is correct because that is exactly what Kerberos is.
Kerberos depends upon what encryption method?
A. Public Key cryptography.
B. Secret Key cryptography.
C. El Gamal cryptography.
D. Blowfish cryptography.
Answer: B
Explanation: Kerberos depends on secret keys, or symmetric key cryptography. Kerberos is a third-party authentication protocol. It was designed and developed in the mid-1980s by MIT. It is considered open source but is copyrighted and owned by MIT. It relies on the user’s secret keys. The password is used to encrypt and decrypt the keys.
Who developed one of the first mathematical models of a multilevel-security computer system?
A. Diffie and Hellman.
B. Clark and Wilson.
C. Bell and LaPadula.
D. Gasser and Lipner.
Answer: C
Explanation: In 1973 Bell and LaPadula created the first mathematical model of a multi-level security system.
What physical characteristic does a retinal scan biometric device measure?
A. The amount of light reaching the retina
B. The amount of light reflected by the retina
C. The pattern of light receptors at the back of the eye
D. The pattern of blood vessels at the back of the eye
Answer: D
Explanation: The retina, a thin nerve (1/50th of an inch) on the back of the eye, is the part of the eye which senses light and transmits impulses through the optic nerve to the brain - the equivalent of film in a camera. Blood vessels used for biometric identification are located along the neural retina, the outermost of the retina’s four cell layers.
Which of the following is the most reliable authentication method for remote access?
A. Variable callback system
B. Synchronous token
C. Fixed callback system
D. Combination of callback and caller ID
Answer: B
Explanation: A synchronous token generates a one-time password that is only valid for a short period of time. Once the password is used it is no longer valid, and it expires if not entered in the acceptable time frame.
The primary service provided by Kerberos is which of the following?
A. non-repudiation
B. confidentiality
C. authentication
D. authorization
Answer: C
Explanation: Non-repudiation is incorrect. Since Kerberos deals primarily with symmetric cryptography, it does not help with non-repudiation.
There are parallels between the trust models in Kerberos and Public Key Infrastructure (PKI). When we compare them side by side, Kerberos tickets correspond most closely to which of the following?
A. public keys
B. private keys
C. public-key certificates
D. private-key certificates
Answer: C
Explanation: A Kerberos ticket is issued by a trusted third party. It is an encrypted data structure that includes the service encryption key. In that sense it is similar to a public-key certificate. However, the ticket is not the key.
In which of the following security models is the subject’s clearance compared to the object’s classification such that specific rules can be applied to control how the subject-to-object interactions take place?
A. Bell-LaPadula model
B. Biba model
C. Access Matrix model
D. Take-Grant model
Answer: A
Explanation: Bell-LaPadula model. The Bell-LaPadula model is also called a multilevel security system because users with different clearances use the system and the system processes data with different classifications. It was developed by the US Military in the 1970s.
Which of the following was developed to address some of the weaknesses in Kerberos and uses public key cryptography for the distribution of secret keys and provides additional access control support?
A. SESAME
B. RADIUS
C. KryptoKnight
D. TACACS+
Answer: A
Explanation: Secure European System for Applications in a Multi-vendor Environment (SESAME) was developed to address some of the weaknesses in Kerberos; it uses public key cryptography for the distribution of secret keys and provides additional access control support.
What kind of certificate is used to validate a user identity?
A. Public key certificate
B. Attribute certificate
C. Root certificate
D. Code signing certificate
Answer: A
Explanation: In cryptography, a public key certificate (or identity certificate) is an electronic document which incorporates a digital signature to bind together a public key with an identity: information such as the name of a person or an organization, their address, and so forth. The certificate can be used to verify that a public key belongs to an individual.
Early in the development of biometric identification systems, it became apparent that truly positive identification could only be based on the physical attributes of a person. This raised the necessity of answering two questions:
A. what was the sex of a person and his age
B. what part of body to be used and how to accomplish identification that is viable
C. what was the age of a person and his income level
D. what was the tone of the voice of a person and his habits
Answer: B
Explanation: Today, implementation of fast, accurate, reliable and user-acceptable biometric identification systems is already taking place. Unique physical attributes or behavior of a person are used for that purpose.
Which of the following control pairings include: organizational policies and procedures, preemployment background checks, strict hiring practices, employment agreements, employee termination procedures, vacation scheduling, labeling of sensitive materials, increased supervision, security awareness training, behavior awareness, and sign-up procedures to obtain access to information systems and networks?
A. Preventive/Administrative Pairing
B. Preventive/Technical Pairing
C. Preventive/Physical Pairing
D. Detective/Administrative Pairing
Which of the following types of traffic can easily be filtered with a stateful packet filter by enforcing the context or state of the request?
A. ICMP
B. TCP
C. UDP
D. IP
Answer: B
Explanation: The question is explicit in asking "easily". With TCP connection establishment there is a distinct state or sequence that can be expected. Consult the references for further details.
When referring to the data structures of a packet, the term Protocol Data Unit (PDU) is used. What is the proper term to refer to a single unit of TCP data at the transport layer?
A. TCP segment.
B. TCP datagram.
C. TCP frame.
D. TCP packet.
Answer: A
Explanation: A TCP segment is the group of TCP data transmitted at the Transport Layer. TCP is a segment-based network technology. The message is sent to the transport layer, where TCP does its magic on the data. The bundle of data is now a segment. If the message is being transmitted over TCP, it is referred to as a “segment.”
ICMP and IGMP belong to which layer of the OSI model?
A. Datagram Layer.
B. Network Layer.
C. Transport Layer.
D. Data Link Layer.
Answer: B
Explanation: The network layer contains the Internet Protocol (IP), the Internet Control Message Protocol (ICMP), and the Internet Group Management Protocol (IGMP).
What is a limitation of TCP Wrappers?
A. It cannot control access to running UDP services.
B. It stops packets before they reach the application layer, thus confusing some proxy servers.
C. The hosts.* access control system requires a complicated directory tree.
D. They are too expensive.
Answer: A
Explanation: TCP Wrappers can control when a UDP server starts but has little control afterwards because UDP packets can be sent randomly.
The IP header contains a protocol field. If this field contains the value of 1, what type of data is contained within the IP datagram?
A. TCP.
B. ICMP.
C. UDP.
D. IGMP.
Answer: B
Explanation: If the protocol field has a value of 1 then it would indicate it was ICMP.
The IP header contains a protocol field. If this field contains the value of 2, what type of data is contained within the IP datagram?
A. TCP.
B. ICMP.
C. UDP.
D. IGMP.
Answer: D
Explanation: If the protocol field has a value of 2 then it would indicate it was IGMP.
What is the proper term to refer to a single unit of IP data?
A. IP segment.
B. IP datagram.
C. IP frame.
D. IP fragment.
Answer: B
Explanation: IP is a datagram-based technology.
A packet containing a long string of NOP’s followed by a command is usually indicative of what?
A. A syn scan.
B. A half-port scan.
C. A buffer overflow attack.
D. A packet destined for the network’s broadcast address.
Answer: C
Explanation: A series of the same control (hexadecimal) characters embedded in the string is usually an indicator of a buffer overflow attack. A NOP is an instruction which does nothing (No Operation; the hexadecimal equivalent is 0x90).
In the days before CIDR (Classless Internet Domain Routing), networks were commonly organized by classes. Which of the following would have been true of a Class C network?
A. The first bit of the IP address would be set to zero.
B. The first bit of the IP address would be set to one and the second bit set to zero.
C. The first two bits of the IP address would be set to one, and the third bit set to zero.
D. The first three bits of the IP address would be set to one.
Answer: C
Explanation: Each Class C network address has a 24-bit network prefix, with the three highest order bits set to 1-1-0.
Remote Procedure Call (RPC) is a protocol that one program can use to request a service from a program located in another computer in a network. Within which OSI/ISO layer is RPC implemented?
A. Session layer
B. Transport layer
C. Data link layer
D. Network layer
Answer: A
Explanation: Transport layer: The Transport layer handles computer-to-computer communications, rather than application-to-application communications like RPC. Data link layer: The Data Link layer protocols can be divided into either Logical Link Control (LLC) or Media Access Control (MAC) sublayers. Protocols like SLIP, PPP, RARP and L2TP are at this layer. An application-to-application protocol like RPC would not be addressed at this layer. Network layer: The Network Layer is mostly concerned with routing and addressing of information, not application-to-application communication calls such as an RPC call.
Frame relay and X.25 networks are part of which of the following?
A. Circuit-switched services
B. Cell-switched services
C. Packet-switched services
D. Dedicated digital services
Answer: C
Explanation: Frame relay and X.25 are both examples of packet-switching technologies. In packet-switched networks there are no dedicated connections between endpoints, and data is divided into packets and reassembled on the receiving end.
Within the OSI model, at what layer are some of the SLIP, CSLIP, PPP control functions provided?
A. Data Link
B. Transport
C. Presentation
D. Application
Answer: A
Explanation: RFC 1661 - The Point-to-Point Protocol (PPP) specifies that the Point-to-Point Protocol (PPP) provides a standard method for transporting multi-protocol datagrams over point-to-point links. PPP is comprised of three main components:
1. A method for encapsulating multi-protocol datagrams.
2. A Link Control Protocol (LCP) for establishing, configuring, and testing the data-link connection.
3. A family of Network Control Protocols (NCPs) for establishing and configuring different network-layer protocols.
In the Open Systems Interconnect (OSI) Reference Model, at what level are TCP and UDP provided?
A. Transport
B. Network
C. Presentation
D. Application
Answer: A
Explanation: The following answers are incorrect:
Network. The Network layer moves information between hosts that are not physically connected. It deals with routing of information. IP is a protocol that is used in the Network Layer. TCP and UDP do not reside at the Layer 3 Network Layer in the OSI Reference Model.
Presentation. The Presentation Layer is concerned with the formatting of data into a standard presentation such as ASCII. TCP and UDP do not reside at the Layer 6 Presentation Layer in the OSI Reference Model.
Application. The Application Layer is a service for applications and Operating Systems data transmission, for example HTTP, FTP and SMTP. TCP and UDP do not reside at the Layer 7 Application Layer in the OSI Reference Model.
Which of the following are suitable protocols for securing VPN connections at the lower layers of the OSI model?
A. S/MIME and SSH
B. TLS and SSL
C. IPsec and L2TP
D. PKCS#10 and X.509
Answer: C
What is NOT an authentication method within IKE and IPSec?
A. CHAP
B. Pre shared key
C. Certificate based authentication
D. Public key authentication
Answer: A
Explanation: CHAP is not used within IPsec or IKE. CHAP (Challenge Handshake Authentication Protocol, RFC 1994) is an authentication scheme used by Point-to-Point Protocol (PPP) servers to validate the identity of remote clients. CHAP periodically verifies the identity of the client using a three-way handshake. This happens when the initial link is established (after LCP), and may happen again at any time afterwards. The verification is based on a shared secret (such as the client user's password), which both sides must hold in plaintext; the secret itself is never sent over the link.
1. After the completion of the link establishment phase, the authenticator sends a "challenge" message (an identifier plus a random challenge value) to the peer.
2. The peer responds with a value calculated by applying a one-way hash function (MD5 in RFC 1994) to the identifier, the secret and the challenge combined.
3. The authenticator checks the response against its own calculation of the expected hash value. If the values match, the authenticator acknowledges the authentication; otherwise it should terminate the connection.
4. At random intervals the authenticator sends a new challenge to the peer and repeats steps 1 through 3.
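The handshake above, worked through in code. This is an added example and not part of the original flashcard or of any PPP implementation; the peer name, the shared secret and the 16-byte challenge length are constructed for illustration, and the response is computed exactly as RFC 1994 specifies (MD5 over identifier, secret and challenge value).

```python
import hashlib
import hmac
import os

# Added example of the RFC 1994 CHAP exchange. The peer name and secret
# below are constructed sample data, not values from any real system.
SHARED_SECRET = b"correct horse battery staple"


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994: Response = MD5(Identifier || Secret || Challenge value)."""
    if not 0 <= identifier <= 255:
        raise ValueError("CHAP identifier is a single octet")
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class Authenticator:
    """PPP server side: issues challenges and verifies responses.

    CHAP needs the plaintext secret on the server, which is why it cannot be
    stored as a salted hash the way an ordinary login password would be.
    """

    def __init__(self, secrets: dict):
        self._secrets = secrets          # peer name -> shared secret
        self._identifier = 0
        self._outstanding = {}           # identifier -> challenge value

    def challenge(self) -> tuple:
        # Step 1: fresh identifier and an unpredictable challenge value.
        self._identifier = (self._identifier + 1) & 0xFF
        value = os.urandom(16)           # 16 bytes is an assumed, typical size
        self._outstanding[self._identifier] = value
        return self._identifier, value

    def verify(self, identifier: int, name: str, response: bytes) -> bool:
        # Step 3: recompute the expected hash and compare in constant time.
        # pop() consumes the challenge, so a captured response cannot be replayed.
        value = self._outstanding.pop(identifier, None)
        secret = self._secrets.get(name)
        if value is None or secret is None:
            return False
        expected = chap_response(identifier, secret, value)
        return hmac.compare_digest(expected, response)


class Peer:
    """PPP client side: proves knowledge of the secret without sending it."""

    def __init__(self, name: str, secret: bytes):
        self.name = name
        self.secret = secret

    def respond(self, identifier: int, value: bytes) -> tuple:
        # Step 2: hash identifier, secret and challenge together.
        return self.name, chap_response(identifier, self.secret, value)


def run_handshake(authenticator: Authenticator, peer: Peer) -> bool:
    """One challenge/response/verify round; the authenticator repeats this
    at random intervals for the life of the link (step 4)."""
    identifier, value = authenticator.challenge()
    name, response = peer.respond(identifier, value)
    return authenticator.verify(identifier, name, response)


if __name__ == "__main__":
    auth = Authenticator({"alice": SHARED_SECRET})
    print("genuine peer:", run_handshake(auth, Peer("alice", SHARED_SECRET)))
    print("wrong secret:", run_handshake(auth, Peer("alice", b"guess")))
```

Two properties worth noticing: the secret never crosses the link, only a hash that depends on a fresh challenge, so a captured response is useless once that challenge has been consumed; and an eavesdropper who records challenge and response can still run an offline dictionary attack against a weak secret, because MD5 is fast and unsalted beyond the challenge.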
What is NOT true with pre-shared key authentication within the IKE / IPsec protocol?
A. Pre-shared key authentication is normally based on simple passwords
B. Needs a Public Key Infrastructure (PKI) to work
C. IKE is used to set up Security Associations
D. IKE builds upon the Oakley protocol and the ISAKMP protocol.
Answer: B
Explanation: Internet Key Exchange (IKEv1 or IKEv2) is the protocol used to set up security associations (SAs) in the IPsec protocol suite. IKEv1 builds upon ISAKMP and the Oakley key-determination protocol. IKE authenticates the peers with either a pre-shared key or X.509 certificates (issued by a PKI, or distributed via DNS, preferably with DNSSEC) and uses a Diffie-Hellman exchange to set up a shared session secret from which the cryptographic keys are derived.
With pre-shared key authentication, both endpoints are simply configured with the same secret, which in practice is often a plain password; no PKI is needed, and the strength of the authentication is that of the chosen secret. Certificate-based authentication is the option that requires a PKI.
IKE therefore allows communicating partners to prove their identity to each other and establish a secure communication channel, and it is applied as the authentication component of IPsec.
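What "no PKI needed" means concretely: in IKEv2 the pre-shared key is used as a MAC key over the exchange, and nothing in the computation involves a certificate or a CA. The following is an added example, not from the flashcard or from any IKE implementation; it assumes the negotiated PRF is HMAC-SHA-256, and the "signed octets" are a constructed stand-in for the real IKE_SA_INIT message, nonce and MACed identity payload that RFC 7296 section 2.15 defines.

```python
import hashlib
import hmac

# Added example: the pre-shared-key AUTH payload of IKEv2 (RFC 7296, 2.15).
# PRF_HMAC_SHA2_256 is assumed; the signed octets below are constructed.
KEY_PAD = b"Key Pad for IKEv2"   # literal 17-byte pad string from the RFC


def prf(key: bytes, data: bytes) -> bytes:
    """Negotiated pseudo-random function (assumed HMAC-SHA-256)."""
    return hmac.new(key, data, hashlib.sha256).digest()


def ikev2_psk_auth(shared_secret: bytes, signed_octets: bytes) -> bytes:
    """AUTH = prf( prf(Shared Secret, "Key Pad for IKEv2"), <SignedOctets> ).

    The pad step turns an arbitrary-length administrator password into a
    fixed-length PRF key; there is no certificate, CA or other PKI element.
    """
    padded_key = prf(shared_secret, KEY_PAD)
    return prf(padded_key, signed_octets)


def verify_psk_auth(shared_secret: bytes, signed_octets: bytes, received: bytes) -> bool:
    """Responder side: recompute AUTH over the octets it saw and compare."""
    return hmac.compare_digest(ikev2_psk_auth(shared_secret, signed_octets), received)


# Constructed stand-in for InitiatorSignedOctets, which in a real exchange is
# RealMessage1 | NonceRData | MACedIDForI.
SIGNED_OCTETS = b"IKE_SA_INIT request bytes" + b"|Nr=" + b"\x11" * 32 + b"|MACedIDForI"

if __name__ == "__main__":
    psk = b"hunter2"   # constructed, deliberately weak
    auth = ikev2_psk_auth(psk, SIGNED_OCTETS)
    print(auth.hex())
    print("responder with same PSK accepts:", verify_psk_auth(psk, SIGNED_OCTETS, auth))
    print("responder with other PSK accepts:", verify_psk_auth(b"hunter3", SIGNED_OCTETS, auth))
```

The same function runs on both peers and agrees only when both hold the same secret, which is the whole of the trust model: anyone who can obtain an AUTH value together with the octets it covers (an active man-in-the-middle against IKEv2, or a passive sniffer in IKEv1 aggressive mode, where the hash travels in the clear) can test candidate passwords offline, so a PSK chosen like a "simple password" is exactly as weak as that password.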
In SSL/TLS protocol, what kind of authentication is supported when you establish a secure
session between a client and a server?
A. Peer-to-peer authentication
B. Only server authentication (optional)
C. Server authentication (mandatory) and client authentication (optional)
D. Role based authentication scheme
Answer: C
What kind of encryption is realized in the S/MIME-standard?
A. Asymmetric encryption scheme
B. Password based encryption scheme
C. Public key based, hybrid encryption scheme
D. Elliptic curve based encryption
Answer: C
Explanation: S/MIME (Secure/Multipurpose Internet Mail Extensions) is a security standard for e-mail that provides confidentiality (encryption) as well as integrity, authentication and non-repudiation (digital signatures) for electronic messages.
S/MIME is based on the MIME standard, whose goal is to let users attach files other than ASCII text to electronic messages; MIME therefore makes it possible to attach all types of files to e-mails.
Encryption in S/MIME is hybrid: the message body is encrypted with a randomly generated symmetric content-encryption key, and that key is in turn encrypted with each recipient's public key, so only the intended recipients' private keys can unwrap it. Signatures are computed with the sender's private key. The symmetric step is what makes encrypting large messages to many recipients practical; the public-key step is what removes the need to share a password with every correspondent.
S/MIME was originally developed by the company RSA Data Security. Ratified in July 1999 by the IETF, S/MIME version 3 became a standard whose specifications are contained in RFCs 2630 to 2633.
Which of the following best describes signature-based detection?
A. Compare source code, looking for events or sets of events that could cause damage to a system or network.
B. Compare system activity for the behavior patterns of new attacks.
C. Compare system activity, looking for events or sets of events that match a predefined pattern of events that describe a known attack.
D. Compare network nodes looking for objects or sets of objects that match a predefined pattern of objects that may describe a known attack.
Answer: C
Explanation: Misuse detectors compare system activity, looking for events or sets of events that match a predefined pattern of events that describe a known attack. As the patterns corresponding to known attacks are called signatures, misuse detection is sometimes called “signature-based detection.”
Which device acting as a translator is used to connect two networks or applications from layer 4 up to layer 7 of the ISO/OSI Model? A. Bridge B. Repeater C. Router D. Gateway
Answer: D
Explanation: A gateway connects two networks or applications that use dissimilar protocols and translates between them; it may operate at the lower layers, or, as in an application-layer gateway, at the highest level of the protocol stack. A repeater (Layer 1), a bridge (Layer 2) and a router (Layer 3) forward traffic between segments without translating between protocol stacks.
What is called an attack where the attacker spoofs the source IP address in an ICMP ECHO broadcast packet so it seems to have originated at the victim's system, in order to flood it with REPLY packets? A. SYN Flood attack B. Smurf attack C. Ping of Death attack D. Denial of Service (DOS) attack
Answer: B
Explanation: Although it causes a denial of service on the victim's system, this specific type of attack is a Smurf attack: every host on the broadcast network answers the spoofed ECHO request, so the victim receives one REPLY per host and the amplification factor is the size of that network. A SYN Flood attack uses up a system's resources by setting up a large number of half-open connections (bogus communication sockets) on the victim. A Ping of Death attack sends IP packets that exceed the maximum legal length (65,535 octets). Denial of Service is the general category, not the specific attack described.
Jan is working as a team member during a cybersecurity exercise. As part of her work, she is researching and testing different tactics that her team might use to gain access to target systems. What team is Jan most likely a member of? A. Blue team B. Purple team C. Red team D. White team
Correct Answer: C
Jan is helping her team research tactics to attack systems, which is an example of an offensive operation. During a cybersecurity exercise, the red team is responsible for conducting offensive operations, while the blue team conducts defensive operations. The white team consists of the officials who moderate the exercise and arbitrate rules disputes. Purple teaming occurs after the exercise when the red and blue teams come together to discuss tactics and lessons learned.
One of the following assertions is NOT a characteristic of Internet Protocol Security (IPsec)
A. Data cannot be read by unauthorized parties
B. The identity of all IPsec endpoints are confirmed by other endpoints
C. Data is delivered in the exact order in which it is sent
D. The number of packets being exchanged can be counted.
Answer: C
Explanation: IPsec provides replay protection: the sequence number in the ESP and AH headers and the receiver's anti-replay window ensure that a captured packet is not accepted more than once. IPsec does not ensure that data is delivered in the exact order in which it is sent. IPsec operates at the IP layer (ESP is IP protocol 50 and AH is IP protocol 51), not over TCP, so packets may reach the receiving side out of order depending on which route each took; in-order delivery is the job of an upper-layer transport such as TCP carried inside the tunnel. Confidentiality (A), endpoint authentication (B) and the ability to count the packets exchanged (D, via those sequence numbers) are characteristics of IPsec.
One of the following statements about the differences between PPTP and L2TP is NOT true
A. PPTP can run only on top of IP networks.
B. PPTP is an encryption protocol and L2TP is not.
C. L2TP works well with all firewalls and network devices that perform NAT.
D. L2TP supports AAA servers
Answer: C
Explanation: L2TP is affected by packet header modification and cannot cope with firewalls and network devices that perform NAT (in practice L2TP/IPsec needs IPsec NAT traversal, NAT-T, to pass through a NAT device). "PPTP can run only on top of IP networks." is correct: PPTP encapsulates PPP frames in GRE over IP, allowing many network protocols to be carried across an IP network, whereas L2TP can also run over other packet-switched networks such as Frame Relay and ATM.
"PPTP is an encryption protocol and L2TP is not." is correct in the sense the exam intends: when using PPTP, the PPP payload is encrypted with Microsoft Point-to-Point Encryption (MPPE), keyed from MS-CHAP or EAP-TLS authentication, while L2TP itself provides no encryption and relies on IPsec for it. "L2TP supports AAA servers" is correct, as L2TP supports TACACS+ and RADIUS.
You have been tasked to develop an effective information classification program. Which one of the following steps should be performed first?
A. Establish procedures for periodically reviewing the classification and ownership
B. Specify the security controls required for each classification level
C. Identify the data custodian who will be responsible for maintaining the security level of data
D. Specify the criteria that will determine how data is classified
Answer: D
Explanation: According to the AIO 3rd edition, these are the necessary steps for a proper classification program:
1. Define classification levels.
2. Specify the criteria that will determine how data is classified.
3. Have the data owner indicate the classification of the data she is responsible for.
4. Identify the data custodian who will be responsible for maintaining data and its security level.
5. Indicate the security controls, or protection mechanisms, that are required for each classification
level.
6. Document any exceptions to the previous classification issues.
7. Indicate the methods that can be used to transfer custody of the information to a different data
owner.
8. Create a procedure to periodically review the classification and ownership. Communicate any
changes to the data custodian.
9. Indicate termination procedures for declassifying the data.
10. Integrate these issues into the security-awareness program so that all employees understand
how to handle data at different classification levels.
Tim's day to day responsibilities include monitoring health of devices on the network. He uses a Network Monitoring System supporting SNMP to monitor the devices for any anomalies or high traffic passing through the interfaces. Which of the protocols would be BEST to use if some of the requirements are to prevent easy disclosure of the SNMP strings and authentication of the source of the packets? A. UDP B. SNMP V1 C. SNMP V3 D. SNMP V2
Answer: C
Explanation: Simple Network Management Protocol (SNMP) is an Internet-standard protocol for managing devices on IP networks. Devices that typically support SNMP include routers, switches, servers, workstations, printers, modem racks, and more. It is used mostly in network management systems to monitor network-attached devices for conditions that warrant administrative attention. SNMP is a component of the Internet Protocol Suite as defined by the Internet Engineering Task Force (IETF). UDP (A) is merely the transport SNMP runs over and provides no protection by itself.
SNMP V3
Although SNMPv3 makes no changes to the protocol aside from the addition of cryptographic security, it looks much different due to new textual conventions, concepts, and terminology. SNMPv3 primarily added security and remote configuration enhancements to SNMP. Security had been the biggest weakness of SNMP from the beginning: authentication in SNMP versions 1 and 2c amounts to nothing more than a password (the community string) sent in clear text between a manager and an agent. Each SNMPv3 message contains security parameters, encoded as an octet string, whose meaning depends on the security model in use. With the User-based Security Model (USM) each user has an authentication key (an HMAC over the message, so the source is authenticated and the message cannot be altered in transit) and optionally a privacy key (encryption of the payload, so neither the management data nor the credentials are disclosed on the wire), which is what the requirements in the question ask for.
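The weak and the corrected setting side by side, as an added example for the net-snmp agent (not part of the flashcard): the user name, passphrases, addresses and file path are assumptions for illustration.

```conf
# Weak: SNMPv1/v2c. The community string is the only credential and it is
# sent in clear text, so anyone sniffing the segment can read and reuse it.
rocommunity public 192.0.2.0/24

# Better: SNMPv3 user-based security with authentication (HMAC-SHA) and
# privacy (AES). createUser belongs in the agent's persistent configuration
# file (for example /var/lib/snmp/snmpd.conf); snmpd rewrites it into
# localized keys on first start. Passphrases must be at least 8 characters.
createUser monitor SHA "auth-passphrase-change-me" AES "priv-passphrase-change-me"
rouser monitor priv

# Polling from the NMS at the matching security level (authPriv); a request
# at noAuthNoPriv or authNoPriv is refused for this user:
#   snmpwalk -v3 -l authPriv -u monitor -a SHA -A 'auth-passphrase-change-me' \
#            -x AES -X 'priv-passphrase-change-me' 192.0.2.10 ifTable
```

`rouser monitor priv` is the line that actually enforces the requirement: it refuses requests from that user unless they are both authenticated and encrypted, so a misconfigured manager cannot silently fall back to sending the credentials in the clear.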
You have been approached by one of your clients. They are interested in doing some security re-engineering. The client is looking at various information security models. It is a highly secure environment where data at high classifications cannot be leaked to subjects at lower classifications. Of primary concern to them is the identification of potential covert channels. As an Information Security Professional, which model would you recommend to the client?
A. Information Flow Model combined with Bell Lapadula
B. Bell Lapadula
C. Biba
D. Information Flow Model
Answer: A
Explanation: Securing the data manipulated by computing systems has been a challenge for years. Several methods to limit information disclosure exist today, such as access control lists, firewalls, and cryptography. Although these methods impose limits on the information a system releases, they provide no guarantees about how information propagates. For example, access control lists on a file system prevent unauthorized file access, but they do not control how the data is used afterwards. Similarly, cryptography provides a means to exchange information privately across a non-secure channel, but gives no guarantees about the confidentiality of the data once it is decrypted.
Bell-LaPadula addresses confidentiality with the simple security property (no read up) and the *-property (no write down), applied to the explicit accesses a reference monitor mediates. The information flow model generalizes this to every path information can take. In low-level information flow analysis, each variable is assigned a security level. The basic model comprises two distinct levels, low and high, meaning respectively publicly observable information and secret information. To ensure confidentiality, information must not flow from high to low variables; to ensure integrity, flows into high variables must be restricted. More generally, the security levels form a lattice, and information may flow only upwards in the lattice. Because the model examines every channel through which information can move, including flows that are not file reads or writes, it is the model to combine with Bell-LaPadula when the identification of covert channels is the primary concern.
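A lattice-based flow check, carried through in code. This is an added example, not from the flashcard or any particular model's reference text: the classification ranks, compartments, variable labels and the four-statement "program" are constructed, and the lattice is the familiar rank-plus-compartments ordering (a label dominates another when its rank is at least as high and its compartment set is a superset). The third statement shows why this catches what an access matrix does not: nothing is written from the secret variable, yet the branch condition leaks it.

```python
from dataclasses import dataclass

# Added example: static information-flow checking over a security lattice.
# Ranks, compartments, labels and program below are constructed sample data.
RANKS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP_SECRET": 3}


@dataclass(frozen=True)
class Label:
    rank: str
    compartments: frozenset = frozenset()

    def dominates(self, other: "Label") -> bool:
        """self >= other in the lattice: higher-or-equal rank and a superset of compartments."""
        return RANKS[self.rank] >= RANKS[other.rank] and other.compartments <= self.compartments

    def join(self, other: "Label") -> "Label":
        """Least upper bound: the label of a value computed from both inputs."""
        rank = self.rank if RANKS[self.rank] >= RANKS[other.rank] else other.rank
        return Label(rank, self.compartments | other.compartments)

    def __str__(self) -> str:
        comps = "{" + ",".join(sorted(self.compartments)) + "}" if self.compartments else ""
        return self.rank + comps


BOTTOM = Label("UNCLASSIFIED")


@dataclass(frozen=True)
class Assign:
    target: str
    sources: tuple = ()   # variables read to compute the new value (explicit flow)
    guards: tuple = ()    # variables tested by an enclosing if/while (implicit flow)


def check_flows(labels: dict, program: list) -> list:
    """Return one message per assignment that would move information downward.

    x := f(y, z) inside `if g:` is permitted only when
    label(x) dominates join(label(y), label(z), label(g)).
    Joining the guard is what exposes the control-dependent covert channel.
    """
    violations = []
    for stmt in program:
        incoming = BOTTOM
        for v in stmt.sources + stmt.guards:
            incoming = incoming.join(labels[v])
        if not labels[stmt.target].dominates(incoming):
            violations.append(
                f"{stmt.target} [{labels[stmt.target]}] <- {stmt.sources} under {stmt.guards}: "
                f"information at {incoming} must not flow there"
            )
    return violations


def demo() -> list:
    """Constructed program: one legal upward flow and three rejected ones."""
    labels = {
        "salary": Label("SECRET", frozenset({"HR"})),
        "audit_log": Label("TOP_SECRET", frozenset({"HR"})),
        "public_report": Label("UNCLASSIFIED"),
        "counter": Label("UNCLASSIFIED"),
        "ops_note": Label("SECRET"),
    }
    program = [
        Assign("audit_log", sources=("salary",)),                     # upward: allowed
        Assign("public_report", sources=("salary",)),                 # high -> low: rejected
        Assign("counter", sources=("counter",), guards=("salary",)),  # if salary > X: counter += 1; rejected
        Assign("ops_note", sources=("salary",)),                      # same rank, missing HR compartment: rejected
    ]
    return check_flows(labels, program)


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The `ops_note` case is the one people miss when they think only in terms of "secret" and "public": the ranks are equal, but the compartment set is not a superset, so the lattice forbids the flow even though no level is being lowered.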
Which of the following is a reasonable response from the Intrusion Detection System (IDS) when it detects Internet Protocol (IP) packets where the IP source address and port is the same as the destination IP address and port?
A. Allow the packet to be processed by the network and record the event
B. Record selected information about the packets and drop the packets
C. Resolve the destination address and process the packet
D. Translate the source address and resend the packet
Answer: B
Explanation: This question refers specifically to the LAND attack, a crafted packet whose source IP address and port equal the destination IP address and port, which caused some older TCP/IP stacks to loop or hang. The question tests your ability to recognize common attacks such as LAND and your understanding of what is an acceptable action for an Intrusion Detection System. For the exam, remember what a LAND attack is, and remember that an IDS is not a purely passive device: in the context of the exam it is considered an active device that is MOSTLY passive, and it can take some blocking actions such as changing a rule on a router or firewall. Recording selected information about the packets and dropping them (B) is the reasonable response; allowing the packet to be processed (A), resolving the destination and processing it (C) or translating the source and resending it (D) would all deliver the attack to its target. Note that most operating system TCP/IP stacks today are not vulnerable to this attack, and many common firewalls drop any traffic whose source IP/port equals its destination IP/port, so there are multiple layers at which such an attack could be stopped. The downside of an IDS compared with an IPS is that it usually reacts after the packets have been sent over the network: a single-packet attack such as LAND could be detected but would still complete and affect the destination target. This is where an IPS comes into play and stops the attack before it completes.
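The signature-based (misuse) detection described earlier, the Smurf and Ping of Death patterns, and the LAND response from this question, brought together in one added example. It is not from the flashcards or from any IDS product: the packet record format, the protected network, the sample traffic and the set of header fields recorded per alert are all constructed assumptions. Each signature is a predicate over one packet; a match is recorded with selected fields and the packet is dropped, never processed or forwarded.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Added example: a small misuse (signature-based) detector with LAND, Smurf
# and Ping-of-Death signatures over constructed packet records. The
# protected network and sample traffic are assumptions for illustration.
PROTECTED_NETS = [ip_network("192.0.2.0/24")]   # assumed: networks behind this sensor


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str            # "tcp", "udp" or "icmp"
    sport: int = 0
    dport: int = 0
    tcp_flags: str = ""   # e.g. "S" for a bare SYN
    icmp_type: int = -1   # 8 = echo request
    length: int = 0       # reassembled IP datagram length in octets


def sig_land(p: Packet) -> bool:
    # Source and destination address and port identical.
    return p.proto in ("tcp", "udp") and p.src == p.dst and p.sport == p.dport


def sig_smurf(p: Packet) -> bool:
    # ICMP echo request aimed at the directed-broadcast address of a network
    # we protect: every host would answer the (spoofed) source address.
    if p.proto != "icmp" or p.icmp_type != 8:
        return False
    dst = ip_address(p.dst)
    return any(dst == net.broadcast_address for net in PROTECTED_NETS)


def sig_ping_of_death(p: Packet) -> bool:
    # Fragments reassemble to more than the maximum legal IP datagram size.
    return p.proto == "icmp" and p.length > 65535


# Signature table: name -> predicate over one packet. Misuse detection can
# only flag what is in this table; a new attack pattern needs a new entry.
SIGNATURES = {
    "LAND": sig_land,
    "SMURF": sig_smurf,
    "PING_OF_DEATH": sig_ping_of_death,
}


def inspect(packets: list) -> tuple:
    """Return (forwarded, alerts).

    A packet matching any signature is dropped and only selected header
    fields are recorded; it is never processed, resolved or retransmitted.
    Everything else is forwarded unchanged.
    """
    forwarded, alerts = [], []
    for p in packets:
        hits = [name for name, match in SIGNATURES.items() if match(p)]
        if hits:
            alerts.append({"signature": hits[0], "src": p.src, "dst": p.dst,
                           "proto": p.proto, "sport": p.sport, "dport": p.dport})
        else:
            forwarded.append(p)
    return forwarded, alerts


# Constructed sample traffic.
SAMPLE = [
    Packet("198.51.100.7", "192.0.2.10", "tcp", 40001, 443, tcp_flags="S", length=60),  # normal SYN
    Packet("192.0.2.10", "192.0.2.10", "tcp", 139, 139, tcp_flags="S", length=40),      # LAND
    Packet("192.0.2.10", "192.0.2.255", "icmp", icmp_type=8, length=84),                # Smurf, src = victim
    Packet("203.0.113.5", "192.0.2.10", "icmp", icmp_type=8, length=65600),             # Ping of Death
    Packet("198.51.100.7", "192.0.2.10", "icmp", icmp_type=8, length=84),               # ordinary ping
]

if __name__ == "__main__":
    kept, alerts = inspect(SAMPLE)
    print(f"forwarded {len(kept)} packet(s)")
    for alert in alerts:
        print(alert)
```

The Smurf alert records `192.0.2.10` as the source even though that host sent nothing: in a Smurf attack the source field is the victim, so the alert is evidence of who is being targeted, not of who is attacking, and the signature is keyed on the broadcast destination rather than on the source.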
You are a security consultant who is required to perform penetration testing on a client's network. During penetration testing, you are required to use a compromised system to attack other systems on the network to avoid network restrictions like firewalls. Which method would you use in this scenario: A. Black box Method B. Pivoting method C. White Box Method. D. Grey Box Method
Answer: B
Explanation: Pivoting refers to a method used by penetration testers in which a compromised system is used to attack other systems on the same network, avoiding restrictions such as firewall configurations that may prohibit direct access to all machines. For example, once an attacker compromises a web server on a corporate network, the attacker can use that web server to attack other systems on the network that the perimeter firewall does not expose. These attacks are often called multi-layered attacks. Pivoting is also known as island hopping. Black box, white box and grey box describe how much knowledge of the target the tester is given beforehand, not a technique used during the test.
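What a pivot looks like at the socket level, as an added example (not from the flashcard or any pentest tool): a minimal TCP relay that a tester would run on the compromised host so that traffic from the attacker's machine reaches an internal service the firewall blocks from outside. All addresses, ports and the "internal service" are constructed, and all three parties run on 127.0.0.1 so the example is self-contained; in a real engagement the relay would bind on the pivot host and the target would be an address reachable only from there.

```python
import socket
import threading

# Added example: a minimal TCP relay used for pivoting. Addresses, ports and
# the internal service are constructed so that everything runs on loopback.


def _pipe(src: socket.socket, dst: socket.socket) -> None:
    """Copy bytes from src to dst until src closes, then half-close dst."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def _listener() -> socket.socket:
    ln = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    ln.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    ln.bind(("127.0.0.1", 0))   # ephemeral port; a real pivot binds a chosen port
    ln.listen(5)
    return ln


def start_relay(target: tuple) -> tuple:
    """Run on the pivot host: accept attacker connections and splice each one
    to `target`, which only the pivot host can reach. Returns (listener, port)."""
    ln = _listener()

    def accept_loop() -> None:
        while True:
            try:
                client, _ = ln.accept()
            except OSError:          # listener closed: shut the relay down
                return
            try:
                upstream = socket.create_connection(target, timeout=5)
            except OSError:
                client.close()
                continue
            threading.Thread(target=_pipe, args=(client, upstream), daemon=True).start()
            threading.Thread(target=_pipe, args=(upstream, client), daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return ln, ln.getsockname()[1]


def start_internal_service() -> tuple:
    """Stand-in for the firewalled internal service: echoes one request back."""
    ln = _listener()

    def serve() -> None:
        while True:
            try:
                conn, _ = ln.accept()
            except OSError:
                return
            with conn:
                data = conn.recv(4096)
                conn.sendall(b"internal-service:" + data)

    threading.Thread(target=serve, daemon=True).start()
    return ln, ln.getsockname()[1]


def pivot_demo() -> bytes:
    """Attacker -> relay on the pivot host -> internal service, and back."""
    svc_ln, svc_port = start_internal_service()
    relay_ln, relay_port = start_relay(("127.0.0.1", svc_port))
    try:
        with socket.create_connection(("127.0.0.1", relay_port), timeout=5) as attacker:
            attacker.sendall(b"GET /admin HTTP/1.0\r\n\r\n")
            reply = attacker.recv(4096)
    finally:
        relay_ln.close()
        svc_ln.close()
    return reply


if __name__ == "__main__":
    print(pivot_demo())
```

From the internal service's point of view the connection comes from the pivot host, which is exactly why pivoting defeats source-address firewall rules and why egress filtering and host-based firewalls on internal servers, not just the perimeter, are what a defender needs to blunt it.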