CompTIA Security+ Questions (Lesson 1-10) Flashcards

1
Q

Consider the types of zones within a network’s topology and locate the zone that is considered semi-trusted and requires hosts to authenticate to join.

Private network
Extranet
Internet
Anonymous

A

Extranet

2
Q

Where should an administrator place an internet-facing host on the network?

DMZ
Bastion host
Extranet
Private network

A

DMZ

3
Q

There are several types of security zones on a network. Analyze network activities to determine which of the following does NOT represent a security zone.

DMZ
Screened host
Wireless
Guest network

A

Screened host

4
Q

Evaluate the typical weaknesses found in network architecture and determine which statement best aligns with a security weakness.

A company has a single network channel.
A company has many different systems to operate one service.
A company has a habit of implementing quick fixes.
A company has a flat network architecture.

A

A company has a flat network architecture.

5
Q

Evaluate the following choices based on their potential to lead to a network breach. Select the choice that is NOT a network architecture weakness.

The network architecture is flat.
Services rely on the availability of several different systems.
The network relies on a single hardware server.
Not all hosts on the network can talk to one another.

A

Not all hosts on the network can talk to one another.

6
Q

Identify the attack that can be launched by running software against the CAM table on the same switch as the target.

MAC flooding
MAC spoofing
ARP poisoning attack
LLMNR

A

MAC flooding

MAC flooding is a variation of an ARP poisoning attack. While ARP poisoning is directed at hosts, MAC flooding is used to attack a switch.

7
Q

Given that layer 2 does not recognize Time to Live, evaluate the potential problems to determine which of the following options prevents this issue.

ICMP
L2TP
NTP
STP

A

STP

8
Q

Analyze the available detection techniques and determine which are useful in identifying a rogue system through software management. (Select all that apply.)

Visual inspection of ports and switches will prevent rogue devices from accessing the network.
Network mapping is an easy way to reveal the use of unauthorized protocols on the network or unusual traffic volume.
Intrusion detection and NAC are security suites and appliances that combine automated network scanning with defense and remediation suites to prevent rogue devices from accessing the network.
Wireless monitoring can reveal whether there are unauthorized access points.

A

Intrusion detection and NAC are security suites and appliances that combine automated network scanning with defense and remediation suites to prevent rogue devices from accessing the network.
Wireless monitoring can reveal whether there are unauthorized access points.

9
Q

An attacker tricks a host within a subnet into routing through an attacker’s machine, rather than the legitimate default gateway, allowing the attacker to eavesdrop on communications and perform a Man-in-the-Middle (MitM) attack. Compare the types of routing vulnerabilities and conclude what the attacker is exploiting in this scenario.

Route injection
Denial of service
ARP poisoning
Source routing

A

ARP poisoning

10
Q

Which statement regarding attacks on media access control (MAC) addresses accurately pairs the method of protection and what type of attack it guards against? (Select all that apply.)

MAC filtering guards against MAC snooping.
Dynamic Host Configuration Protocol (DHCP) snooping guards against MAC spoofing.
MAC filtering guards against MAC spoofing.
DAI guards against invalid MAC addresses.

A

Dynamic Host Configuration Protocol (DHCP) snooping guards against MAC spoofing.
DAI guards against invalid MAC addresses.

11
Q

Compare the characteristics of a rogue Access Point (AP) in wireless networks to determine which statements correctly summarize their attributes. (Select all that apply.)

An evil twin is a rogue AP, and an attacker can use a Denial of Service (DoS) to disconnect users from the legitimate AP and connect to the evil twin.
Sometimes referred to as an evil twin, a rogue AP masquerading as a legitimate AP, may have a similar name to a legitimate AP.
An attacker can set up a rogue AP with something as simple as a smartphone with tethering capabilities.
A Denial of Service (DoS) will bypass authentication security (enabled on the AP), so it is important to regularly scan for rogue APs on the network.

A

An evil twin is a rogue AP, and an attacker can use a Denial of Service (DoS) to disconnect users from the legitimate AP and connect to the evil twin.
Sometimes referred to as an evil twin, a rogue AP masquerading as a legitimate AP, may have a similar name to a legitimate AP.
An attacker can set up a rogue AP with something as simple as a smartphone with tethering capabilities.

12
Q

A network manager suspects that a wireless network is undergoing a deauthentication attack. Applying knowledge of wireless network attacks, which scenario best supports the network manager’s suspicion?

A. A network experiences radio interference, which causes connectivity issues for users. The users disconnect from the network, and upon reauthenticating, they log on to an evil twin Access Point (AP).
B. An attacker creates an Access Point (AP) using a similar name as a legitimate AP, in an attempt to have users authenticate through the rogue AP in order to gain authentication information.
C. A rogue Access Point (AP) captures user logon attempts. The attacker uses this information to authenticate to the system and obtain critical data.
D. A group of users suddenly disconnects from the network. When the users reconnect, they actually connect to an evil twin Access Point (AP), which gives an attacker information about authentication.

A

D. A group of users suddenly disconnects from the network. When the users reconnect, they actually connect to an evil twin Access Point (AP), which gives an attacker information about authentication.

13
Q

A systems administrator is building a wireless network using WPA3 technology. Which of the following would NOT be considered a main feature of WPA3?

Simultaneous authentication of equals
RC4 stream cipher with TKIP
Management protection frames
Enhanced open

A

RC4 stream cipher with TKIP

14
Q

A company is reviewing the options for installing a new wireless network. They have requested recommendations for utilizing WEP, WPA, or WPA2. Differentiate between Wired Equivalent Privacy (WEP) and Wi-Fi Protected Access (WPA). Determine which of the following statements accurately distinguishes between the options. (Select all that apply.)

WEP and WPA use RC4 with a Temporal Key Integrity Protocol (TKIP), while WPA2 uses a 24-bit Initialization Vector (IV). WPA2 combines the 24-bit IV with an Advanced Encryption Standard (AES) to add security.
WEP is the strongest encryption scheme, followed by WPA2, then WPA. WEP is difficult to crack when protected by a strong password, or if deploying enterprise authentication. WPA2 is more vulnerable to decryption due to replay attack possibilities.
WPA and WEP use RC4, while WEP uses a 24-bit Initialization Vector (IV). WPA uses a Temporal Key Integrity Protocol (TKIP), and WPA2 uses an Advanced Encryption Standard (AES) for encryption.
WPA2 is the strongest encryption scheme, followed by WPA, then WEP. WPA2 is difficult to crack if protected by a strong password, or if deploying enterprise authentication. WEP is more vulnerable to decryption due to replay attack possibilities.

A

WPA and WEP use RC4, while WEP uses a 24-bit Initialization Vector (IV). WPA uses a Temporal Key Integrity Protocol (TKIP), and WPA2 uses an Advanced Encryption Standard (AES) for encryption.
WPA2 is the strongest encryption scheme, followed by WPA, then WEP. WPA2 is difficult to crack if protected by a strong password, or if deploying enterprise authentication. WEP is more vulnerable to decryption due to replay attack possibilities.

15
Q

A hotel guest opens their computer and logs into the Wi-Fi without prompting the guest for a username and password. Upon opening an internet browser, a splash page appears that requests the guest’s room number and last name for authentication. Which type of authentication is the hotel utilizing?

Protected
Extensive
Group
Open

A

Open

16
Q

An Internet Service Provider’s (ISP) customer network is under a Distributed Denial of Service (DDoS) attack. The ISP decides to use a blackhole as a remedy. How does the ISP justify their decision?

A blackhole drops packets for the affected IP address(es) and is in a separate area of the network that does not reach any other part of the network.
A blackhole makes the attack less damaging to the ISP’s other customers and continues to send legitimate traffic to the correct destination.
A blackhole routes traffic destined to the affected IP address to a different network. Here, the ISP can analyze and identify the source of the attack, to devise rules to filter it.
A blackhole is preferred, as it evaluates each packet in a multi-gigabit stream against an Access Control List (ACL) without overwhelming the processing resources.

A

A blackhole drops packets for the affected IP address(es) and is in a separate area of the network that does not reach any other part of the network.

17
Q

During the planning/scoping phase of the kill chain, an attacker decides that a Distributed Denial of Service (DDoS) attack would be the best way to disrupt the target website and remain anonymous. Evaluate the following explanations to determine the reason the attacker chose a DDoS attack.

A DDoS attack can launch via covert channels
DDoS attacks utilize botnets
A DDoS attack creates a backdoor to a website
DDoS attacks use impersonation

A

DDoS attacks utilize botnets

18
Q

Given knowledge of load balancing and clustering techniques, which configuration provides consistent performance and partial fault tolerance for applications like streaming audio and video services?

Active/Passive clustering
Active/Active clustering
First in, First out (FIFO) clustering
Fault tolerant clustering

A

Active/Passive clustering

19
Q

Which statement best describes the difference between session affinity and session persistence?

With persistence, once a client device establishes a connection, it remains with the node that first accepted its request, while an application-layer load balancer uses session affinity to keep a client connected by setting up a cookie.
Session affinity makes node scheduling decisions based on health checks and processes incoming requests based on each node’s load. Session persistence makes scheduling decisions on a first in, first out (FIFO) basis.
With session affinity, when a client establishes a session, it remains with the node that first accepted its request, while an application-layer load balancer uses persistence to keep a client connected by setting up a cookie.
Session persistence makes scheduling decisions based on traffic priority and bandwidth considerations, while session affinity makes scheduling decisions based on which node is available next.

A

With session affinity, when a client establishes a session, it remains with the node that first accepted its request, while an application-layer load balancer uses persistence to keep a client connected by setting up a cookie.

20
Q

Analyze the following scenarios and determine which best simulates the use of a content filter. (Select all that apply.)

A system has broken down a packet containing malicious content, and erases the suspicious content, before rebuilding the packet.
A high school student is using the school library to do research for an assignment and cannot access certain websites due to the subject matter.
A system administrator builds a set of rules based on information found in the source IP address to allow access to an intranet.
A system administrator blocks access to social media sites after the CEO complains that work performance has decreased due to excessive social media usage at work.

A

A high school student is using the school library to do research for an assignment and cannot access certain websites due to the subject matter.
A system administrator blocks access to social media sites after the CEO complains that work performance has decreased due to excessive social media usage at work.

21
Q

Which statement regarding attacks on media access control (MAC) addresses accurately pairs the method of protection and what type of attack it guards against? (Select all that apply.)

MAC filtering guards against MAC snooping.
Dynamic Host Configuration Protocol (DHCP) snooping guards against MAC spoofing.
MAC filtering guards against MAC spoofing.
DAI guards against invalid MAC addresses.

A

Dynamic Host Configuration Protocol (DHCP) snooping guards against MAC spoofing.
DAI guards against invalid MAC addresses. (DAI: Dynamic Address Resolution Protocol Inspection)

Note:
DHCP snooping inspects traffic arriving on access ports to ensure that a host is not trying to spoof its MAC address.
DAI allows a network administrator to intercept, log, and discard ARP packets with invalid MAC-address-to-IP-address bindings.

22
Q

A networking administrator is reviewing available security products to further fine-tune the existing firewall and appliance settings. An administrator should analyze which system logs in order to tune firewall rulesets and remove or block suspect hosts and processes from the network?

Network-based intrusion detection system (NIDS)
Unified threat management (UTM) product
Network-based intrusion prevention system (IPS)
Network behavior and anomaly detection (NBAD) product

A

Network-based intrusion detection system (NIDS)

Analyzing NIDS logs allows an administrator to tune firewall rulesets, remove or block suspect hosts and processes from the network, or deploy additional security controls to mitigate any identified threats.

23
Q

Compare and contrast the characteristics of the various types of firewalls and select the correct explanation of a packet-filtering firewall.

An ACL only allows the minimum amount of traffic required for the operation of valid network services and no more
A firewall that maintains stateful information about the connection between two hosts
A firewall that analyzes HTTP headers and the HTML code to identify code that matches a pattern
A stand-alone firewall implemented with routed interfaces or as a virtual wire transparent firewall

A

An ACL only allows the minimum amount of traffic required for the operation of valid network services and no more

24
Q

Which of the following solutions best addresses data availability concerns that may arise with the use of application-aware next-generation firewalls (NGFW) and unified threat management (UTM) solutions?

Signature-based detection system
Secure web gateway (SWG)
Network-based intrusion prevention system (IPS)
Active or passive test access point (TAP)

A

Secure web gateway (SWG)

While complex NGFW and UTM solutions provide high confidentiality and integrity, lower throughput reduces availability. One solution to this is to treat security solutions for server traffic differently from that for user traffic. An SWG acts as a content filter, which applies user-focused filtering rules and also conducts threat analysis.

25
Q

A system administrator wants to install a mechanism to conceal the internal IP addresses of hosts on a private network. What tool can the administrator use to accomplish this security function?

NAT gateway
Reverse proxy server
Virtual firewall
Access Control List (ACL)

A

NAT gateway

26
Q

Which of the following are types of log collection for SIEM? (Select all that apply.)

Log aggregation
Firewall
Agent-based
Listener/Collector

A

Agent-based
Listener/Collector

??? Class Midterm exam
Log aggregation - RIGHT
Packet capture - RIGHT
Agent-based - RIGHT
Listener/Collector - RIGHT
OSINT - RIGHT
Agent-less based - WRONG

27
Q

A network administrator wants to use a proxy server to prevent external hosts from connecting directly with application servers. Which proxy server implementation will best fit this need?

Transparent proxy server
Non-transparent proxy server
Caching proxy server
Reverse proxy server

A

Reverse proxy server

28
Q

Compare and analyze the types of firewalls available to differentiate between them. Choose the answer with the most correct description.

Packet filtering firewalls operate at layer 5 of the OSI model, while circuit-level stateful inspection firewalls operate at layer 3.
An appliance firewall is also known as a stateful multilayer inspection or a deep packet inspection. An application aware firewall is a stand-alone hardware firewall that performs the function of a firewall only.
A packet filtering firewall maintains stateful information about a connection between two hosts and implements an appliance firewall as a software application running on a single host.
An application firewall can analyze the HTTP headers to identify code that matches a pattern, while an appliance firewall monitors all traffic passing into and out of a network segment.

A

An application firewall can analyze the HTTP headers to identify code that matches a pattern, while an appliance firewall monitors all traffic passing into and out of a network segment.

29
Q

Evaluate the functions of a Network-Based Intrusion Detection System (NIDS) and conclude which statements are accurate. (Select all that apply.)

Training and tuning are fairly simple, and there is a low chance of false positives and false negatives.
A NIDS will identify and log hosts and application activity that the administrator can use to analyze and take further action.
Training and tuning are complex, and there is a high chance of false positive and negative rates.
A NIDS will identify attacks and block the traffic to stop the attack. The administrator will be able to review the reports for future prevention.

A

A NIDS will identify and log hosts and application activity that the administrator can use to analyze and take further action.
Training and tuning are complex, and there is a high chance of false positive and negative rates.

30
Q

Security information and event management (SIEM) collect data inputs from multiple sources. Which of the following is NOT one of the main types of log collection for SIEM?

Agent-based
Listener/collector
Sensor (sniffer)
Artificial intelligence (AI)

A

Artificial intelligence (AI)

31
Q

A network administrator conducts a network assessment to determine where to implement a network intrusion detection system (NIDS). Which sensor deployment option is most ideal if the admin is concerned about system overloads and resiliency in the event of power loss?

A. Passive test access point (TAP)
B. Active test access point (TAP)
C. Aggregation test access point (TAP)
D. Switched port analyzer (SPAN)/mirror port

A

A. Passive test access point (TAP)

With a passive TAP, the monitor port receives every frame—corrupt, malformed, or not—and load does not affect copying.

Because it performs an active function, an active TAP becomes a point of failure for the links in the event of power loss. When deploying an active TAP, it is important to use a model with backup power options.

32
Q

Artificial intelligence (AI) and machine learning are especially important during which security information and event management (SIEM) task?

Packet capture
Analysis and report review
Data aggregation
Log collection

A

Analysis and report review

Note:
SIEM software can link individual events or data points (observables) into a meaningful indicator of risk, or Indicator of Compromise (IOC). Many SIEM solutions use artificial intelligence (AI) and machine learning as the basis for automated analysis.

33
Q

Which of the following considerations is most important when employing a signature-based intrusion detection system?

The system may produce false positives and block legitimate activity.
The system must create a valid baseline signature of normal activity.
Signatures and rules must be kept up to date to protect against emerging threats.
Signatures and rules must be able to detect zero-day attacks.

A

Signatures and rules must be kept up to date to protect against emerging threats.

34
Q

Analyze each statement and determine which describes a fundamental improvement on traditional log management that security information and event management (SIEM) offers.

SIEM is completely automated; it requires no manual data preparation.
SIEM logs ensure non-repudiation, whereas other logs cannot link a specific user to an action.
SIEM can perform correlation, linking observables into meaningful indicators of risk or compromise.
SIEM addresses the issue of sheer volume of alerts, using machine learning to facilitate threat hunting.

A

SIEM can perform correlation, linking observables into meaningful indicators of risk or compromise.

Note:
SIEM correlates individual events or data points (observables) into a meaningful indicator of risk, or Indicator of Compromise (IOC). Correlation is the principal factor distinguishing it from basic log management.

Security orchestration, automation, and response (SOAR) is a solution to the problem of the volume of alerts overwhelming analysts’ ability to respond. A security engineer may implement SOAR as a standalone technology or integrate it with a SIEM, using machine/deep learning techniques to enrich data for use in incident response and threat hunting.

35
Q

A team is building a wireless network, and the company has requested the team to use a Wired Equivalent Privacy (WEP) encryption scheme. The team has developed a recommendation to utilize a different encryption scheme based on the problems with WEP. Analyze the features of WEP to determine what problems to highlight in the recommendation.

WEP has the option to use either a 64-bit or a 128-bit key, which is not secure enough for the company. Packets use a checksum to verify integrity that is too difficult to compute.
WEP allows for a 256-bit key but is still not secure. The Initialization Vector (IV) is not sufficiently large, thus is not always generated using a sufficiently random algorithm.
WEP only allows the use of a 128-bit encryption key and is not secure. The Initialization Vector (IV) is too large to provide adequate security.
WEP only allows the use of a 64-bit key, which is not secure enough for the company. The Initialization Vector (IV) is often not generated using a sufficiently random algorithm.

A

WEP allows for a 256-bit key but is still not secure. The Initialization Vector (IV) is not sufficiently large, thus is not always generated using a sufficiently random algorithm.

36
Q

Compare and contrast the characteristics of the various types of firewalls and select the correct explanation of a packet filtering firewall.

A stand-alone firewall implemented with routed interfaces or as a virtual wire transparent firewall
A firewall that analyzes HTTP headers and the HTML code to identify code that matches a pattern
An administrator configures an Access Control List (ACL) to deny access to IP addresses
A firewall that maintains stateful information about the connection

A

An administrator configures an Access Control List (ACL) to deny access to IP addresses

37
Q

Which security-related phrase relates to the integrity of data?

Availability
Modification
Confidentiality
Risk

A

Modification

38
Q

An engineer looks to implement security measures by following the five functions in the National Institute of Standards and Technology (NIST) Cybersecurity Framework. When documenting the “detect” function, what does the engineer focus on?

Evaluate risks and threats
Install, operate, and decommission assets
Ongoing proactive monitoring
Restoration of systems and data

A

Ongoing proactive monitoring

39
Q

How might the goals of basic network management not align with the goals of security?

Management focuses on confidentiality and availability.
Management focuses on confidentiality over availability.
Management focuses on integrity and confidentiality.
Management focuses on availability over confidentiality.

A

Management focuses on availability over confidentiality.

40
Q

Any external responsibility for an organization’s security lies mainly with which individuals?

The senior executives
Tech staff
Managers
Public relations

A

The senior executives

41
Q

The National Institute of Standards and Technology (NIST) provides a framework that classifies security-related functions. Which description aligns with the “respond” function?

Evaluate risks, threats, and vulnerabilities.
Perform ongoing, proactive monitoring.
Implement resilience to restore systems.
Identify, analyze, and eradicate threats.

A

Identify, analyze, and eradicate threats.

42
Q

A company has an annual contract with an outside firm to perform a security audit on their network. The purpose of the annual audit is to determine if the company is in compliance with their internal directives and policies for security control. Select the broad class of security control that accurately demonstrates the purpose of the audit.

Managerial
Technical
Physical
Compensating

A

Managerial

43
Q

The _____ requires federal agencies to develop security policies for computer systems that process confidential information.

Sarbanes-Oxley Act (SOX)
Computer Security Act
Federal Information Security Management Act (FISMA)
Gramm-Leach-Bliley Act (GLBA)

A

Computer Security Act

44
Q

After a poorly handled security breach, a company updates its security policy to include an improved incident response plan. Which of the following security controls does this update address?

Compensating
Deterrent
Corrective
Detective

A

Corrective

45
Q

The IT department head returns from an industry conference feeling inspired by a presentation on the topic of cybersecurity frameworks. A meeting is scheduled with IT staff to brainstorm ideas for deploying security controls by category and function throughout the organization. Which of the following ideas are consistent with industry definitions? (Select all that apply.)

A. Deploy a technical control to enforce network access policies.
B. Deploy an operational control to monitor compliance with external regulations.
C. Schedule quarterly security awareness workshops as a preventive control to mitigate social engineering attacks.
D. Deploy agents to file servers to perform continuous backups to cloud storage as a corrective control to mitigate the impact of malware.

A

A. Deploy a technical control to enforce network access policies.
C. Schedule quarterly security awareness workshops as a preventive control to mitigate social engineering attacks.
D. Deploy agents to file servers to perform continuous backups to cloud storage as a corrective control to mitigate the impact of malware.

46
Q

Which of the following has a cybersecurity framework (CSF) that focuses exclusively on IT security, rather than IT service provisioning?

A. National Institute of Standards and Technology (NIST)
B. International Organization for Standardization (ISO)
C. Control Objectives for Information and Related Technologies (COBIT)
D. Sherwood Applied Business Security Architecture (SABSA)

A

A. National Institute of Standards and Technology (NIST)

47
Q

A company technician goes on vacation. While the technician is away, a critical patch released for Windows servers is not applied. According to the National Institute of Standards and Technology (NIST), what does the delay in applying the patch create on the server?

Control
Risk
Threat
Vulnerability

A

Vulnerability

48
Q

A system analyst is tasked with searching the dark web for harvested customer data. Because these sites cannot be found in a standard website search, what must the analyst have in order to search for the harvested information?

The Onion Router (TOR)
Dark web search engine
Dark Website URL
Open Source Intelligence (OSINT)

A

Dark Website URL

49
Q

Which of the following can be a true insider threat? (Select all that apply.)

A. Former employee
B. Contractor
C. Customer
D. White hat hacker

A

Former employee
Contractor

50
Q

One aspect of threat modeling is to identify potential threat actors and the risks associated with each one. When assessing the risk that any one type of threat actor poses to an organization, what are the most critical factors to profile? (Select all that apply.)

A. Education
B. Socioeconomic status
C. Intent
D. Motivation

A

C. Intent
D. Motivation

51
Q

An unknowing user with authorized access to systems in a software development firm installs a seemingly harmless, yet unauthorized program on a workstation without the IT department’s sanction. Identify the type of threat that is a result of this user’s action.

A. Unintentional insider threat
B. Malicious insider threat
C. Intentional attack vector
D. External threat with insider knowledge

A

A. Unintentional insider threat

52
Q

A contractor has been hired to conduct security reconnaissance on a company. The contractor browses the company’s website to identify employees and then finds their Facebook pages. Posts found on Facebook indicate a favorite bar that employees frequently visit. The contractor visits the bar and learns details of the company’s security infrastructure through small talk. What reconnaissance phase techniques does the contractor practice? (Select all that apply.)

Open Source Intelligence (OSINT)
Scanning
Social engineering
Persistence

A

Open Source Intelligence (OSINT)
Social engineering

53
Q

What is Open Source Intelligence (OSINT)?

A. Obtaining information, physical access to premises, or even access to a user account through the art of persuasion
B. The means the organization will take to protect the confidentiality, availability, and integrity of sensitive data and resources
C. Using web search tools and social media to obtain information about the target
D. Using software tools to obtain information about a host or network topology

A

D. Using software tools to obtain information about a host or network topology

54
Q

A security engineer is investigating a potential system breach. When compiling a report of the incident, how does the engineer classify the actor and the vector?

Threat
Vulnerability
Risk
Exploit

A

Threat

55
Q

An IT manager in the aviation sector checks the industry’s threat intelligence feed to keep up on the latest threats and ensure the work center implements the best practices in the field. What type of threat intelligence source is the IT manager most likely accessing?

Open Source Intelligence (OSINT)
An Information Sharing and Analysis Center (ISAC)
A vendor website, such as Microsoft’s Security Intelligence blog
A closed or proprietary threat intelligence platform

A

An Information Sharing and Analysis Center (ISAC)

56
Q

A Department of Defense (DoD) security team identifies a data breach in progress, based on some anomalous log entries, and takes steps to remedy the breach and harden its systems. Once the breach is resolved, the team wants to publish the cyber threat intelligence (CTI) securely, using standardized language, for other government agencies to use. The team will transmit the threat data feed via which protocol?

Structured Threat Information eXpression (STIX)
Automated Indicator Sharing (AIS)
Trusted Automated eXchange of Indicator Information (TAXII)
A code repository protocol

A

Trusted Automated eXchange of Indicator Information (TAXII)

57
Q

Identify the command that can be used to detect the presence of a host on a particular IP address.

ipconfig
ifconfig
ip
ping

A

ping

58
Q

A network manager needs a map of the network’s topology. The network manager is using Network Mapper (Nmap) and will obtain the visual map with the Zenmap tool. If the target IP address is 192.168.1.1, determine the command within Nmap that will return the necessary data to build the visual map of the network topology.

nmap -sn --ipconfig 192.168.1.1
nmap -sn --ifconfig 192.168.1.1
nmap -sn --traceroute 192.168.1.1
nmap -sn --nslookup 192.168.1.1

A

nmap -sn --traceroute 192.168.1.1

59
Q

A system administrator must scan the company’s web-based application to identify which ports are open and which operating system can be seen from the outside world. Determine the syntax that should be used to yield the desired information if the administrator will be executing this task from a Linux command line.

netstat -a
nmap -O
nmap -sS 10.1.0.0/24
netstat -n

A

nmap -O

60
Q

Select the appropriate methods for packet capture. (Select all that apply.)

Wireshark
Packet analyzer
Packet injection
tcpdump

A

Wireshark
tcpdump

61
Q

Analyze and eliminate the item that is NOT an example of a reconnaissance technique.

Initial exploitation
Open Source Intelligence (OSINT)
Social engineering
Scanning

A

Initial exploitation

62
Q

Select the statement which best describes the difference between a zero-day vulnerability and a legacy platform vulnerability.

A legacy platform vulnerability is typically unpatchable, while a zero-day vulnerability may be exploited before a developer can create a patch for it.
A zero-day vulnerability is unpatchable, while a legacy platform vulnerability can always be patched, once detected.
A zero-day vulnerability can be mitigated by responsible patch management, while a legacy platform vulnerability cannot likely be patched.
A legacy platform vulnerability can always be mitigated by responsible patch management, while a zero-day vulnerability does not yet have a patch solution.

A

A legacy platform vulnerability is typically unpatchable, while a zero-day vulnerability may be exploited before a developer can create a patch for it.

63
Q

Examine each attack vector. Which is most vulnerable to escalation of privileges?

Software
Operating System (OS)
Applications
Ports

A

Operating System (OS)

64
Q

An outside security consultant updates a company’s network, including data cloud storage solutions. The consultant leaves the manufacturer’s default settings when installing network switches, assuming the vendor shipped the switches in a default-secure configuration. Examine the company’s network security posture and select the statements that describe key vulnerabilities in this network. (Select all that apply.)

A. The network is open to third-party risks from using an outside contractor to configure cloud storage settings.
B. The default settings in the network switches represent a weak configuration.
C. The use of network switches leaves numerous unused ports open.
D. The recommended settings in the network switches represent secured protocols.

A

A. The network is open to third-party risks from using an outside contractor to configure cloud storage settings.
B. The default settings in the network switches represent a weak configuration.

65
Q

Encryption vulnerabilities allow unauthorized access to protected data. Which component is subject to brute-force enumeration?

A. An unsecured protocol
B. A software vulnerability
C. A weak cipher
D. A lost decryption key

A

C. A weak cipher

66
Q

Following a data breach at a large retail company, their public relations team issues a statement emphasizing the company’s commitment to consumer privacy. Identify the true statements concerning this event. (Select all that apply.)

A. The data breach must be an intentional act of corporate sabotage.
B. The privacy breach may allow the threat actor to sell the data to other malicious actors.
C. The data breach can cause data to be exfiltrated.
D. The data breach event may compromise data integrity, but not information availability.

A

B. The privacy breach may allow the threat actor to sell the data to other malicious actors.
C. The data breach can cause data to be exfiltrated.

67
Q

Compare and contrast vulnerability scanning and penetration testing. Select the true statement from the following options.

Vulnerability scanning is conducted by a “white hat” and penetration testing is carried out by a “black hat.”
Vulnerability scanning by eavesdropping is passive, while penetration testing with credentials is active.
Penetration testing and vulnerability scanning are considered “black hat” practices.
Vulnerability scanning is part of network reconnaissance, but penetration testing is not.

A

Vulnerability scanning by eavesdropping is passive, while penetration testing with credentials is active.

68
Q

An IT director reads about a new form of malware that targets a system widely utilized in the company’s network. The director wants to discover whether the network has been targeted, but also wants to conduct the scan without disrupting company operations or tipping off potential attackers to the investigation. Evaluate vulnerability scanning techniques and determine the best tool for the investigation.

Credentialed scan
Configuration review
Penetration testing
Threat hunting

A

Threat hunting

69
Q

A network administrator uses an automated vulnerability scanner. It regularly updates with the latest vulnerability feeds. If the system regularly performs active scans and returns the presence of vulnerabilities when they do not exist, what type of error is the system most likely making?

False positive
False negative
Validation error
Configuration error

A

False positive

70
Q

Which of the following statements summarizes a disadvantage to performing an active vulnerability scan? (Select all that apply.)

Active scanning consumes more network bandwidth.
Active scanning runs the risk of causing an outage.
Active scanning will identify all of a system’s known vulnerabilities.
Active scanning techniques do not use system login.

A

Active scanning consumes more network bandwidth.
Active scanning runs the risk of causing an outage.

71
Q

In which of these situations might a non-credentialed vulnerability scan be more advantageous than a credentialed scan? (Select all that apply.)

When active scanning poses no risk to system stability
External assessments of a network perimeter
Detection of security setting misconfiguration
Web application scanning

A

External assessments of a network perimeter
Web application scanning

72
Q

A contractor has been hired to conduct penetration testing on a company’s network. They have decided to try to crack the passwords on a percentage of systems within the company. They plan to annotate the type of data that is on the systems that they can successfully crack to prove the ease of access to data. Evaluate the penetration steps and determine which are being utilized for this task. (Select all that apply.)

Test security controls
Bypass security controls
Verify a threat exists
Exploit vulnerabilities

A

Test security controls
Exploit vulnerabilities

73
Q

A manufacturing company hires a pentesting firm to uncover any vulnerabilities in their network with the understanding that the pen tester receives no information about the company’s system. Which of the following penetration testing strategies is the manufacturing company requesting?

Black box
Sandbox
Gray box
White box

A

Black box

74
Q

A hacker sets up a Command and Control network to control a compromised host. What is the hacker's ability to use this remote connection method as needed known as?

Weaponization
Persistence
Reconnaissance
Pivoting

A

Persistence

75
Q

Which statement best explains the differences between black box, white box, and gray box attack profiles used in penetration testing?

A. A black box pen tester acts as a privileged insider and must perform no reconnaissance. A white box pen tester has no access, and reconnaissance is necessary. A gray box actor is a third-party actor who mediates between a black box and white box pen tester.
B. A black box pen tester acts as the adversary in the test, while the white box pen tester acts in a defensive role. A gray box pen tester is a third-party actor who mediates between a black box pen tester and a white box pen tester.
C. In a black box pen test, the contractor receives no privileged information, so they must perform reconnaissance. In contrast, a white box pen tester has complete access and skips reconnaissance. A gray box tester has some, but not all information, and requires partial reconnaissance.
D. In a white box pen test, the contractor receives no privileged information, so they must perform reconnaissance. In contrast, a black box pen tester has complete access and skips reconnaissance. A gray box tester has some, but not all information, and requires partial reconnaissance.

A

C. In a black box pen test, the contractor receives no privileged information, so they must perform reconnaissance. In contrast, a white box pen tester has complete access and skips reconnaissance. A gray box tester has some, but not all information, and requires partial reconnaissance.

76
Q

During a penetration test, systems administrators for a large company are tasked to play on the white team for an affiliated company. Examine each of the following roles and determine which role the systems admins will fill.

A. The systems admins will arbitrate the exercise, setting rules of engagement and guidance.
B. The systems admins will try to infiltrate the target system.
C. The systems admins will operate monitoring and alerting controls to detect and prevent the infiltration.
D. The systems admins will collaborate with attackers and defenders to promote constructive developments.

A

A. The systems admins will arbitrate the exercise, setting rules of engagement and guidance.

77
Q

A system administrator has just entered their credentials to enter a secure server room. As the administrator is entering the door, someone is walking up to the door with their hands full of equipment and appears to be struggling to move items around while searching for their credentials. The system administrator quickly begins to assist by getting items out of the person’s hands, and they walk into the room together. This person is not an employee, but someone attempting to gain unauthorized access to the server room. What type of social engineering has occurred?

A. Familiarity/liking
B. Consensus/social proof
C. Authority and intimidation
D. Identity fraud

A

B. Consensus/social proof

78
Q

An employee is having coffee at an outdoor coffee shop and is not taking precautions against someone watching their screen while working on a company project. A person a few tables over watches the employee enter their credentials and then takes photos of the work they are completing with their smartphone. Which form of social engineering is being used in this situation?

Vishing
Lunchtime attack
Shoulder surfing
Man-in-the-middle attack

A

Shoulder surfing

79
Q

Which of the following depict ways a malicious attacker can gain access to a target’s network? (Select all that apply.)

Ethical hacking
Phishing
Shoulder surfing
Influence campaign

A

Phishing
Shoulder surfing

80
Q

Analyze the following attacks to determine which best illustrates a pharming attack.

A customer gets an email that appears to be from their insurance company. The email contains a link that takes the user to a fake site that looks just like the real insurance company site.
An employee gets a call from someone claiming to be in the IT department. The caller says there was a problem with the network, so they need the employee’s password in order to restore network privileges.
A company’s sales department often has after-hour training sessions, so they order dinner delivery online from the restaurant across the street. An attacker is able to access the company’s network by compromising the restaurant’s unsecure website.
A customer enters the correct URL address of their bank, which should point to the IP address 172.1.24.4. However, the browser goes to 168.254.1.1, which is a fake site designed to look exactly like the real bank site.

A

A customer enters the correct URL address of their bank, which should point to the IP address 172.1.24.4. However, the browser goes to 168.254.1.1, which is a fake site designed to look exactly like the real bank site.

81
Q

An individual receives a text message that appears to be a warning from a well-known order fulfillment company, informing them that the carrier has tried to deliver their package twice, and that if the individual does not contact the company to claim it, the package will not be delivered. Analyze the scenario and select the social engineering technique being used.

SMiShing
Phishing
Vishing
Prepending

A

SMiShing

82
Q

Which situation would require keyboard encryption software to be installed on a computer?

To set up single sign-on privileges
To comply with input validation practices
For the purpose of key management
To protect against spyware

A

To protect against spyware

83
Q

A malicious party adds malware to a popular video game and offers free copies to users. The party's objective is to require the CD to be inserted during use. This software will gain administrative rights, change system files, and may hide from detection without the knowledge or consent of the user. Consider the malware characteristics and determine which may be used. (Select all that apply.)

Spyware
Keylogger
Rootkit
Trojan

A

Rootkit
Trojan

84
Q

A hacker is able to install a keylogger on a user’s computer. What is the hacker attempting to do in this situation?

Key management
Encryption
Obfuscation
Steal confidential information

A

Steal confidential information

85
Q

A user’s PC is infected with a virus that appears to be memory resident and loads anytime it is booted from an external universal serial bus (USB) thumb drive. Examine the following options and determine which describes the infection type.

Script virus
Boot virus
Worm
Spyware

A

Boot virus

86
Q

An employee calls IT personnel and states that they received an email with a PDF document to review. After the PDF was opened, the system has not been performing correctly. An IT admin conducted a scan and found a virus. Determine the two classes of viruses the computer most likely has. (Select all that apply.)

Boot sector
Macro
Script
Non-resident

A

Macro
Script

87
Q

Which of the following is NOT a use of cryptography?

Non-repudiation
Obfuscation
Security through obscurity
Resiliency

A

Security through obscurity

88
Q

Evaluate the differences between stream and block ciphers and select the true statement.

A block cipher is suitable for communication applications.
A stream cipher is subjected to complex transposition and substitution operations, based on the value of the key used.
A block cipher is padded to the correct size if there is not enough data in the plaintext.
A stream cipher’s plaintext is divided into equal-sized blocks.

A

A block cipher is padded to the correct size if there is not enough data in the plaintext.

89
Q

Which statement best describes key differences between symmetric and asymmetric cryptographic ciphers?

A. Symmetric encryption is used for confidentiality, and uses the same key for encryption and decryption.
B. Asymmetric encryption is primarily used for confidentiality, and uses different keys for encryption and decryption.
C. Symmetric encryption is used for authentication, and is the most efficient method of encryption for large data transfers.
D. Asymmetric encryption is used for non-repudiation and is the most efficient method of encryption for large data transfers.

A

A. Symmetric encryption is used for confidentiality, and uses the same key for encryption and decryption.

90
Q

A security technician needs to transfer a large file to another user in a data center. Which statement best illustrates what type of encryption the technician should use to perform the task?

A. The technician should use symmetric encryption for authentication and data transfer.
B. The technician should use asymmetric encryption to verify the data center user’s identity and agree on a symmetric encryption algorithm for the data transfer.
C. The technician should use asymmetric encryption for authentication and data transfer.
D. The technician should use symmetric encryption to verify the data center user’s identity and agree on an asymmetric encryption algorithm for the data transfer.

A

B. The technician should use asymmetric encryption to verify the data center user’s identity and agree on a symmetric encryption algorithm for the data transfer.

91
Q

Which of the following statements best describes the trade-off when considering which type of encryption cipher to use?

A. Asymmetric encryption is the strongest hashing algorithm, which produces longer and more secure digests than symmetric encryption.

B. Asymmetric encryption requires substantially more overhead computing power than symmetric encryption. Asymmetric encryption is inefficient when transferring or encrypting large amounts of data.

C. Symmetric encryption requires substantially more overhead computing power than asymmetric encryption. Symmetric encryption is inefficient when transferring or encrypting large amounts of data.

D. Symmetric encryption is not considered as safe as asymmetric encryption, but it might be required for compatibility between security products.

A

B. Asymmetric encryption requires substantially more overhead computing power than symmetric encryption. Asymmetric encryption is inefficient when transferring or encrypting large amounts of data.

92
Q

Compare and contrast the modes of operation for block ciphers. Which of the following statements is true?

A. ECB and CBC modes allow block ciphers to behave like stream ciphers.
B. CTM mode allows block ciphers to behave like stream ciphers.
C. ECB allows block ciphers to behave like stream ciphers.
D. CBC and CTM modes allow block ciphers to behave like stream ciphers.

A

B. CTM mode allows block ciphers to behave like stream ciphers.

93
Q

An employee works on a small team that shares critical information about the company’s network. When sending emails that have this information, what would be used to provide the identity of the sender and prove that the information has not been tampered with?

A. Private key
B. Digital signature
C. Public key
D. RSA algorithm

A

B. Digital signature

94
Q

Which of the following utilizes both symmetric and asymmetric encryption?

A. Digital envelope
B. Digital certificate
C. Digital evidence
D. Digital signature

A

A. Digital envelope

95
Q

When using a digital envelope to exchange key information, the use of what key agreement mitigates the risk inherent in the Rivest–Shamir–Adleman (RSA) algorithm, and by what means?

A. Perfect forward secrecy (PFS) uses Diffie-Hellman (DH) key agreement to create ephemeral session keys without using the server’s private key.
B. The Cipher Block Chaining (CBC) key agreement mode uses an initialization vector (IV) to create ephemeral session keys without using the server’s private key.
C. Counter mode in key agreement makes the advanced encryption standard (AES) algorithm work as a stream cipher, by applying an initialization vector to issue a security certificate.
D. A certificate authority (CA) validates the public key’s owner and creates an initialization vector to protect the exchange from snooping.

A

A. Perfect forward secrecy (PFS) uses Diffie-Hellman (DH) key agreement to create ephemeral session keys without using the server’s private key.

96
Q

Which two cryptographic functions can be combined to authenticate a sender and prove the integrity of a message?

A. Hashing and symmetric encryption
B. Public key cryptography and digital enveloping
C. Hashing and digital enveloping
D. Public key cryptography and hashing

A

D. Public key cryptography and hashing

97
Q

A system administrator downloads and installs software from a vendor website. Soon after installing the software, the administrator’s computer is taken over remotely. After closer investigation, the software package was modified, probably while it was downloading. What action could have prevented this incident from occurring?

Validate the software using a checksum
Validate the software using a private certificate
Validate the software using a key signing key
Validate the software using Kerberos

A

Validate the software using a checksum

98
Q

A security team is in the process of selecting a cryptographic suite for their company. Analyze cryptographic implementations and determine which of the following performance factors is most critical to this selection process if users primarily access systems on mobile devices.

Speed
Latency
Computational overhead
Cost

A

Computational overhead

99
Q

Which statement best illustrates the importance of a strong true random number generator (TRNG) or pseudo-random number generator (PRNG) in a cryptographic implementation?

A weak number generator leads to many published keys sharing a common factor.
A weak number generator creates numbers that are never reused.
A strong number generator creates numbers that are never reused.
A strong number generator adds salt to encryption values.

A

A weak number generator leads to many published keys sharing a common factor.

100
Q

A client contacts a server for a data transfer. Instead of requesting TLS1.3 authentication, the client claims legacy systems require the use of SSL. What type of attack might a data transfer using this protocol facilitate?

Credential harvesting
Key stretching
Phishing
Man-in-the-middle

A

Man-in-the-middle

101
Q

Which statement describes the mechanism by which encryption algorithms help protect against birthday attacks?

A. Encryption algorithms utilize key stretching.
B. Encryption algorithms use secure authentication of public keys.
C. Encryption algorithms add salt when computing password hashes.
D. Encryption algorithms must utilize a blockchain.

A

C. Encryption algorithms add salt when computing password hashes.

102
Q

An attacker uses a cryptographic technology to create a covert message channel in transmission control protocol (TCP) packet data fields. What cryptographic technique does this attack strategy employ?

Homomorphic encryption
Blockchain
Steganography
Key stretching

A

Steganography

103
Q

Examine each statement and determine which most accurately describes a major limitation of quantum computing technology.

Presently, quantum computers do not have the capacity to run useful applications.
Quantum computing is not yet sufficiently secure to run current cryptographic ciphers.
Quantum computing is not sufficiently agile to update the range of security products it most frequently uses.
Attackers may exploit a crucial vulnerability in quantum computing to covertly exfiltrate data.

A

Presently, quantum computers do not have the capacity to run useful applications.

104
Q

Which statement most accurately describes the mechanisms by which blockchain ensures information integrity and availability?

A. Blockchain ensures availability by cryptographically linking blocks of information, and integrity through decentralization.
B. Blockchain ensures availability through decentralization, and integrity through cryptographic hashing and timestamping.
C. Blockchain ensures availability through cryptographic hashing and timestamping, and integrity through decentralization.
D. Blockchain ensures both availability and integrity through decentralization and peer-to-peer (P2P) networking.

A

B. Blockchain ensures availability through decentralization, and integrity through cryptographic hashing and timestamping.

105
Q

A hospital must balance the need to keep patient privacy information secure and the desire to analyze the contents of patient records for a scientific study. What cryptographic technology can best support the hospital’s needs?

Blockchain
Quantum computing
Perfect forward security (PFS)
Homomorphic encryption

A

Homomorphic encryption

106
Q

During a penetration test, an adversary operator sends an encrypted message embedded in an attached image. Analyze the scenario to determine what techniques the operator is relying on to hide the message. (Select all that apply.)

Security by obscurity
Integrity
Prepending
Confidentiality

A

Security by obscurity
Confidentiality

107
Q

Consider the life cycle of an encryption key. Which of the following is NOT a stage in a key’s life cycle?

Storage
Verification
Expiration and renewal
Revocation

A

Verification

108
Q

A web administrator visits a website after installing its certificate to test the SSL binding. The administrator’s client computer did not trust the website’s certificate. The administrator views the website’s certificate from the browser to determine which certificate authority (CA) generated the certificate. Which certificate field would assist with the troubleshooting process?

Subject alternative name
Signature algorithm
Issuer
Subject

A

Issuer

109
Q

An employee has requested a digital certificate for a user to access the Virtual Private Network (VPN). It is discovered that the certificate is also being used for digitally signing emails. Evaluate the possible extension attributes to determine which should be modified so that the certificate only works for VPN access.

Valid from/to
Extended key usage
Serial number
Public key

A

Extended key usage

110
Q

A website with many subdomains has been issued a web server certificate for domain validation. This certificate verifies the parent domain and all subdomains (to a single level). This certificate is also known as which of the following?

SAN certificate
Wildcard certificate
Root certificate
Code signing certificate

A

Wildcard certificate

111
Q

Digital certificates are based on the X.509 standard that defines the fields (or information) about a subject (or entity using the certificate) and the certificate’s issuer. Which of the following fields would not be included in a standard public certificate?

Extensions
Public key
Endorsement key
Subject

A

Endorsement key

112
Q

What is the purpose of a web server certificate?

Sign and encrypt email messages.
Guarantee the validity of a browser plug-in.
Provide identification of the certificate authority.
Guarantee the identity of a website.

A

Guarantee the identity of a website.

113
Q

If not managed properly, certificate and key management can represent a critical vulnerability. Assess the following statements about key management and select the true statements. (Select all that apply.)

A. If a key used for signing and encryption is compromised, it can be easily destroyed with a new key issued.
B. It is exponentially more difficult to ensure the key is not compromised with multiple backups of a private key.
C. If a private key, or secret key, is not backed up, the storage system represents a single point of failure.
D. A compromised private key that encrypts data is of no concern if the same key signs documents.

A

B. It is exponentially more difficult to ensure the key is not compromised with multiple backups of a private key.
C. If a private key, or secret key, is not backed up, the storage system represents a single point of failure.

114
Q

An employee handles key management and has learned that a user has used the same key pair for encrypting documents and digitally signing emails. Prioritize all actions that should be taken and determine the first action that the employee should take.

Revoke the keys.
Recover the encrypted data.
Generate a new key pair.
Generate a new certificate.

A

Recover the encrypted data.

115
Q

An employee handling key management discovers that a private key has been compromised. Evaluate the stages of a key’s life cycle and determine which stage the employee initiates upon learning of the compromise.

Certificate generation
Key generation
Expiration and renewal
Revocation

A

Revocation

116
Q

A company has a critical encryption key that has an M-of-N control configuration for protection. Examine the examples and select the one that correctly illustrates the proper configuration for this type of protection of critical encryption keys.

M=1 and N=5
M=3 and N=5
M=6 and N=5
M=0 and N=5

A

M=3 and N=5
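
As an added example (not part of the flashcard deck or CompTIA's material), the following Python implements M-of-N control with Shamir secret sharing: the key is split into N shares and any M of them reconstruct it, which is why M=3 of N=5 is a valid configuration while M=1 (any single holder recovers the key alone), M=0 (no control at all) and M=6 of N=5 (never satisfiable) are not. The field prime, the function names and the 3-of-5 demo are choices made for this example.

```python
import secrets

# Field prime (the secp256k1 curve prime); any prime larger than the secret works.
P = 2**256 - 2**32 - 977


def is_m_of_n_control(m: int, n: int) -> bool:
    """True only for configurations that actually enforce split knowledge:
    M must be at least 2 (M=1 lets any single holder recover the key alone),
    and M cannot exceed N (M=6 of N=5 could never be satisfied)."""
    return 2 <= m <= n


def _eval_poly(coeffs, x: int) -> int:
    """Evaluate the polynomial with the given coefficients at x, mod P (Horner's rule)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc


def split_secret(secret: int, m: int, n: int):
    """Shamir split: the secret is the constant term of a random degree M-1
    polynomial and share i is the point (i, f(i)). Any M points fix the
    polynomial; fewer than M reveal nothing about the constant term."""
    if not is_m_of_n_control(m, n):
        raise ValueError("need 2 <= M <= N")
    if not 0 <= secret < P:
        raise ValueError("secret must be smaller than the field prime")
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(m - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, n + 1)]


def recover_secret(shares):
    """Lagrange interpolation at x = 0 over GF(P); `shares` is any M (x, y) points."""
    secret = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = (num * (-xj)) % P
                den = (den * (xi - xj)) % P
        secret = (secret + yi * num * pow(den, -1, P)) % P
    return secret


def demo():
    """3-of-5 split of a random 256-bit key; returns (three_shares_ok, two_shares_ok)."""
    key = int.from_bytes(secrets.token_bytes(32), "big") % P
    shares = split_secret(key, 3, 5)
    three = recover_secret([shares[0], shares[2], shares[4]]) == key  # any 3 work
    two = recover_secret(shares[:2]) == key                           # 2 do not
    return three, two


if __name__ == "__main__":
    print(demo())  # (True, False)
```

In production the split would be done inside an HSM or by a reviewed library rather than hand-rolled; the point is that the threshold is enforced by the arithmetic, not by a policy document.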

117
Q

A Certificate Revocation List (CRL) has a publish period set to 24 hours. Based on the normal procedures for a CRL, what is the most applicable validity period for this CRL?

26 hours
1 hour
23 hours
72 hours

A

26 hours

118
Q

Analyze each scenario and determine which best describes the authentication process in an Identity and Access Management (IAM) system.

An account is created that identifies a user on the network.
A user logs into a system using a Common Access Card (CAC) and PIN.
An Access Control List (ACL) is updated to allow a new user access to only the databases that are required to perform their job.
A report is reviewed that shows every successful and unsuccessful login attempt on a server.

A

A user logs into a system using a Common Access Card (CAC) and PIN.

119
Q

Evaluate the following controls that have been set by a system administrator for an online retailer. Determine which statement demonstrates the identification control within the Identity and Access Management (IAM) system.

A control is set to force a customer to log into their account prior to reviewing and editing orders.
A control is set to cancel automatic shipments for any customer that has an expired credit card on file.
A control is set to ensure that billing and primary delivery addresses are valid.
A control is set to record the date, time, IP address, customer account number, and order details for each order.

A

A control is set to ensure that billing and primary delivery addresses are valid.

120
Q

An Identity and Access Management (IAM) system has four main processes. Which of the following is NOT one of the main processes?

Accounting
Identification
Integrity
Authentication

A

Integrity

121
Q

Which of the following options represents Two-Factor Authentication (2FA)?

A user logs in using a password and a PIN.
A user logs in using a password and a smart card.
A user logs in using a fingerprint and retina scanner.
A user logs in using a smart card and a key fob.

A

A user logs in using a password and a smart card.

122
Q

Evaluate how identification and authentication are distinct in their functions. Which of the following scenarios best illustrates a user being authenticated?

A user accesses a system by having their face scanned.
A system administrator sets up a user account for a new employee after HR sends employment verification.
An administrator sends an initial password to a new telecommuting employee through a VPN.
A user is assigned an SID.

A

A user accesses a system by having their face scanned.

123
Q

Analyze the types of password cracker attacks to determine which scenario best describes a brute force attack.

An attacker guesses the password using software that enumerates values in the dictionary
An attacker uses a precomputed lookup table of all possible passwords and their matching hashes
An attacker attempts every possible combination in the key space in order to derive a plaintext password from a hash
An attacker tests dictionary words and names in combination with several numeric prefixes

A

An attacker attempts every possible combination in the key space in order to derive a plaintext password from a hash

124
Q

Which of the following password cracker attacks are combined to create a typical hybrid password attack? (Select all that apply.)

Brute force
Dictionary
Salt
PTH

A

Brute force
Dictionary

125
Q

A company receives a massive flood of requests which throttles their network traffic to the internet. How would restricting the number of connections be categorized as a vulnerability?

The user is exposed to a replay attack.
The user is exposed to a brute force attack.
The user is exposed to a DoS attack.
The user is exposed to an offline attack.

A

The user is exposed to a DoS attack.

126
Q

Select the explanations that accurately describe the Ticket Granting Ticket (TGT) role within the Authentication Service (AS). (Select all that apply.)

A. The AS responds with a TGT containing information about the client, including their name and IP address, timestamp, and validity period. The TGT is encrypted with the secret key of the Authentication Server (AS).
B. The TGT is a credential that the client issues to authenticate to the AS, and it contains a session key that is shared only between the client and the TGS.
C. The client sends the AS a request for a TGT that is composed by encrypting the date and time on the local computer with the user’s password hash as the key.
D. The TGT responds with a service session key for use between the client and the application server.

A

A. The AS responds with a TGT containing information about the client, including their name and IP address, timestamp, and validity period. The TGT is encrypted with the secret key of the Authentication Server (AS).
C. The client sends the AS a request for a TGT that is composed by encrypting the date and time on the local computer with the user’s password hash as the key.

The TGT is issued by the AS to the client, not the other way round, so B is false; the service session key used with an application server comes from the Ticket Granting Service (TGS) in the later TGS exchange, not from the TGT itself, so D is false.

127
Q

Based on the known facts of password attacks, critique the susceptibility of the password “DogHouse23” to an attack.

A. This is a sufficient password. It is ten characters and contains uppercase characters, lowercase characters, and numbers.
B. This is an insufficient password. There are not enough uppercase characters within the password.
C. This is a sufficient password. The password is easy for the user to remember yet long enough to meet character requirements.
D. This is an insufficient password. The password contains words that are found in the dictionary and does not contain special characters.

A

D. This is an insufficient password. The password contains words that are found in the dictionary and does not contain special characters.
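
As an added example (not part of the deck), the Python below runs the attacks from cards 123, 124 and 127 against an unsalted SHA-256 hash of DogHouse23. A hybrid attack that case-mangles dictionary words, joins them in pairs and brute-forces a short numeric suffix recovers the password in under two thousand guesses, nowhere near the 62^10 keyspace an exhaustive search of ten mixed-case alphanumerics would face; a precomputed hash-to-plaintext table (the rainbow-table idea) finds it with one lookup; and a salted PBKDF2 hash defeats that lookup. The wordlist, the storage format and the function names are constructed for this example.

```python
import hashlib
import itertools
import os

# Constructed wordlist; real attacks use lists with millions of entries.
WORDLIST = ["dog", "house", "cat", "summer", "admin", "password"]


def fast_unsalted_hash(password: str) -> str:
    """Unsalted SHA-256: the weak storage format this attack assumes (constructed)."""
    return hashlib.sha256(password.encode()).hexdigest()


def hybrid_candidates(words, max_words=2, max_suffix=99):
    """Hybrid attack generator: dictionary words (singly and concatenated in pairs),
    case-mangled, then brute force over a short numeric suffix."""
    for k in range(1, max_words + 1):
        for combo in itertools.permutations(words, k):
            for mangle in (str.lower, str.capitalize, str.upper):
                base = "".join(mangle(w) for w in combo)
                yield base                          # plain dictionary guess
                for n in range(max_suffix + 1):     # brute-forced suffix 0..99
                    yield f"{base}{n}"


def hybrid_attack(target_hash: str, words):
    """Returns (plaintext, guesses_needed); plaintext is None if not found."""
    guesses = 0
    for guesses, cand in enumerate(hybrid_candidates(words), start=1):
        if fast_unsalted_hash(cand) == target_hash:
            return cand, guesses
    return None, guesses


def brute_force_keyspace(alphabet_size: int = 62, length: int = 10) -> int:
    """Guesses an exhaustive search over mixed-case letters and digits would need."""
    return alphabet_size ** length


def precomputed_table(words):
    """hash -> plaintext lookup built once and reused: the idea behind rainbow tables."""
    return {fast_unsalted_hash(c): c for c in hybrid_candidates(words)}


def salted_slow_hash(password: str, salt: bytes) -> str:
    """Per-user random salt plus a deliberately slow KDF: the salt makes any
    precomputed table useless and the iteration count makes each guess expensive."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000).hex()


def demo():
    """Returns (cracked_plaintext, guesses, table_lookup, salted_hash_in_table)."""
    target = fast_unsalted_hash("DogHouse23")
    cracked, guesses = hybrid_attack(target, WORDLIST)
    table = precomputed_table(WORDLIST)
    salted = salted_slow_hash("DogHouse23", os.urandom(16))
    return cracked, guesses, table.get(target), salted in table


if __name__ == "__main__":
    print(demo())
```

Run as a script it shows the hybrid attack succeeding, the table lookup succeeding, and the salted hash missing from the table. The lesson for the defender is the mirror image of card 127: salt and a slow KDF fix the storage side, but a password built from dictionary words plus digits still falls to the hybrid guess order no matter how it is hashed.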

128
Q

A user presents a smart card to gain access to a building. Authentication is handled through integration to a Windows server that’s acting as a certificate authority on the network. Review the security processes and conclude which are valid when using Kerberos authentication. (Select all that apply.)

A. Inputting a correct PIN authorizes the smart card’s cryptoprocessor to use its private key to create a Ticket Granting Ticket (TGT) request.
B. The smart card generates a one-time use Ticket Granting Service (TGS) session key and certificate.
C. The Authentication Server (AS) trusts the user’s certificate as it was issued by a local certification authority.
D. The Authentication Server (AS) is able to decrypt the request because it has a matching certificate.

A

A. Inputting a correct PIN authorizes the smart card’s cryptoprocessor to use its private key to create a Ticket Granting Ticket (TGT) request.
C. The Authentication Server (AS) trusts the user’s certificate as it was issued by a local certification authority.

129
Q

Based on knowledge of the fundamentals of One-time Passwords (OTP), which of the following choices represents the problem that exists with HMAC-based One-time Password Algorithm (HOTP) and is addressed by Time-based One-time Password Algorithm (TOTP)?

A. HOTP is not configured with a shared secret.
B. The server is not configured with a counter in HOTP.
C. Only the HOTP server computes the hash.
D. Tokens can be allowed to continue without expiring in HOTP.

A

D. Tokens can be allowed to continue without expiring in HOTP.

130
Q

Both Remote Access Dial-In User Service (RADIUS) and Terminal Access Controller Access-Control System (TACACS+) provide authentication, authorization, and accounting using a separate server (the AAA server). Based on the protocols’ authentication processes, select the true statements. (Select all that apply.)

A. TACACS+ is open source and RADIUS is a proprietary protocol from Cisco.
B. RADIUS uses TCP or UDP by default and TACACS+ uses TCP.
C. TACACS+ encrypts the whole packet (except the header) and RADIUS only encrypts the password.
D. RADIUS is primarily used for network access and TACACS+ is primarily used for device administration.

A

B. RADIUS uses TCP or UDP by default and TACACS+ uses TCP.
C. TACACS+ encrypts the whole packet (except the header) and RADIUS only encrypts the password.
D. RADIUS is primarily used for network access and TACACS+ is primarily used for device administration.

??? Class Midterm Exam:
TACACS+ is open source and RADIUS is a proprietary protocol from Cisco. RIGHT
TACACS+ encrypts the whole packet (except the header) and RADIUS only encrypts the password. WRONG
RADIUS uses UDP and TACACS+ uses TCP. WRONG
RADIUS is primarily used for network access and TACACS+ is primarily used for device administration. RIGHT

131
Q

When a network uses Extensible Authentication Protocol (EAP) as the authentication method, what access control standard restricts local traffic to authentication data when a client connects over a Virtual Private Network (VPN) gateway?

IEEE 802.1X
Kerberos
Terminal Access Controller Access-Control System Plus (TACACS+)
Remote Authentication Dial-in User Service (RADIUS)

A

IEEE 802.1X

132
Q

Consider biometric methods that are used to authenticate a user. Knowing that errors are possible, which of the following would most likely result in a security breach?

False positive
False negative
A low crossover error rate (CER)
A low throughput

A

False positive

133
Q

Regarding the various tools of biometric authentication and their capabilities/limitations, which statement is accurate?

Retinal scanning is less intrusive than iris scanning.
Fingerprint scanners are the most widely used biometric authentication method.
Fingerprint scanners are more expensive but use a straightforward process.
Sensor modules are the most preferred biometric authentication method.

A

Fingerprint scanners are the most widely used biometric authentication method.

134
Q

Analyze the features of behavioral technologies for authentication, and choose the statements that accurately depict this type of biometric authentication. (Select all that apply.)

A. Behavioral technologies are cheap to implement, but have a higher error rate than other technologies.
B. Signature recognition is popular within this technology because everyone has a unique signature that is difficult to replicate.
C. Obtaining a voice recognition template for behavioral technologies is rather easy and can be obtained quickly.
D. Behavioral technologies may use typing as a template, which matches the speed and pattern of a user’s input of a passphrase.

A

A. Behavioral technologies are cheap to implement, but have a higher error rate than other technologies.
D. Behavioral technologies may use typing as a template, which matches the speed and pattern of a user’s input of a passphrase.

135
Q

Biometric authentication methods have different error rates, with some methods being easier to fool than others. An unauthorized user is unlikely to fool which of the following methods?

Fingerprint scan
Retinal scan
Facial recognition
Voice recognition

A

Retinal scan

136
Q

A security team has just added iris scanners to two access control points in a secure facility. They are in the process of making adjustments to ensure authorized users have access, while unauthorized users cannot get through. Analyze the scenario and determine what metric the team is in the process of fine-tuning.

Crossover error rate (CER)
False rejection rate (FRR)
False acceptance rate (FAR)
Type II error

A

Crossover error rate (CER)
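
An added Python example (not from the deck) covering cards 132 and 136: constructed match scores for genuine users and impostors, the FAR (false acceptance, a Type II error, the one that becomes a breach) and FRR (false rejection, a Type I error) at a given threshold, and the threshold sweep that locates the crossover error rate the team in the scenario is tuning toward. The score lists and function names are assumptions.

```python
# Constructed match scores in [0, 1]: higher means the sensor judges the sample
# closer to the enrolled template. A real evaluation collects thousands of each.
GENUINE = [0.91, 0.88, 0.95, 0.82, 0.79, 0.93, 0.86, 0.74, 0.97, 0.84]
IMPOSTOR = [0.31, 0.45, 0.62, 0.28, 0.71, 0.55, 0.40, 0.66, 0.77, 0.36]


def false_acceptance_rate(impostor_scores, threshold: float) -> float:
    """FAR (Type II error): impostors scored at or above the threshold get in.
    This is the error that turns into a security breach."""
    return sum(s >= threshold for s in impostor_scores) / len(impostor_scores)


def false_rejection_rate(genuine_scores, threshold: float) -> float:
    """FRR (Type I error): legitimate users scored below the threshold are turned away."""
    return sum(s < threshold for s in genuine_scores) / len(genuine_scores)


def crossover_error_rate(genuine_scores, impostor_scores, steps: int = 1000):
    """Sweep the threshold and return (threshold, far, frr) where FAR and FRR are
    closest: the CER, the single figure used to compare biometric systems."""
    best = None
    for i in range(steps + 1):
        t = i / steps
        far = false_acceptance_rate(impostor_scores, t)
        frr = false_rejection_rate(genuine_scores, t)
        if best is None or abs(far - frr) < best[3]:
            best = (t, far, frr, abs(far - frr))
    return best[:3]


def strictest_usable_threshold(genuine_scores, impostor_scores, max_far: float = 0.0):
    """Security-first tuning for a secure facility: the lowest threshold whose FAR
    is within `max_far`, returned with the FRR (user friction) that choice costs."""
    for i in range(1001):
        t = i / 1000
        if false_acceptance_rate(impostor_scores, t) <= max_far:
            return t, false_rejection_rate(genuine_scores, t)
    return 1.0, 1.0


if __name__ == "__main__":
    print(crossover_error_rate(GENUINE, IMPOSTOR))       # (0.741, 0.1, 0.1)
    print(strictest_usable_threshold(GENUINE, IMPOSTOR)) # (0.771, 0.1)
```

Raising the threshold drives FAR down and FRR up; the CER is where the two curves cross, and a secure facility normally sits to the right of it, accepting more false rejections to keep false acceptances near zero.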

137
Q

Consider the challenges with providing privileged management and authorization on an enterprise network. Which of the following would the network system administrator NOT be concerned with when configuring directory services?

A. Confidentiality
B. Integrity
C. Non-repudiation
D. DoS

A

D. DoS

138
Q

An employee has arrived to work and logged into the network with their smart card. This employee now has access to the company databases, email, and shared network resources. Evaluate all of the basic authorization policies and determine the policy best illustrated in this scenario.

Least privilege
Implicit deny
Single Sign-On (SSO)
Access key

A

Single Sign-On (SSO)

139
Q

Compare all of the functions within directory services and determine which statement accurately reflects the function of group memberships.

A. The key provided at authentication lists a user’s group memberships, which in turn allows certain access to resources on the network.
B. The system compares group memberships with the user’s logon credentials to determine if the user has access to the network resources.
C. Group memberships contain entries for all usernames and groups that have permission to use the resource.
D. Group memberships are like a database, where an object is similar to a record, and the attributes known about the object are similar to the fields.

A

A. The key provided at authentication lists a user’s group memberships, which in turn allows certain access to resources on the network.

140
Q

What are the most common baseline account and password policies that system administrators implement? (Select all that apply.)

A. Use upper- and lower-case letters, numbers, and special characters for passwords.
B. Set a lockout duration period.
C. Disable enforcement of a password history policy for unique passwords.
D. Use a shared account for administrative work on the network.

A

A. Use upper- and lower-case letters, numbers, and special characters for passwords.
B. Set a lockout duration period.

141
Q

Windows has several service account types, typically used to run processes and background services. Which of the following statements about service accounts is FALSE?

The Network service account and the Local service account have the same privileges as the standard user account.
Any process created using the system account will have full privileges over the local computer.
The local service account creates the host processes and starts Windows before the user logs on.
The Local Service account can only access network resources as an anonymous user.

A

The local service account creates the host processes and starts Windows before the user logs on.

142
Q

A network administrator regularly reviews group membership and access control lists for each resource. The administrator also looks for unnecessary accounts to disable. What is the administrator executing in this situation?

Recertification
Logging
Permission auditing
Usage auditing

A

Permission auditing

143
Q

A system administrator has configured a security log to record unexpected behavior and review the logs for suspicious activity. Consider various types of audits to determine which type aligns with this activity.

Permission auditing
Usage auditing
Information security audit
Compliance audit

A

Usage auditing

144
Q

Analyze the following scenarios and determine which cases call for account disablement over account lockout. (Select all that apply.)

Audit logs reveal suspicious activity on a privileged user’s account.
A user’s company laptop and key fob are stolen at an airport.
A user enters an incorrect password multiple times.
A privileged user attempts to log onto a company server outside of authorized hours.

A

Audit logs reveal suspicious activity on a privileged user’s account.
A user’s company laptop and key fob are stolen at an airport.

145
Q

An employee recently retired, and the employee received an exit interview, returned a company-issued laptop, and had company-specific programs and applications removed from a personal PC. Evaluate this employee’s offboarding process and determine what, if anything, remains to be done.

The offboarding process is complete; no further action is necessary.
IT needs to disable the employee’s user account and privileges.
IT needs to delete any company data encrypted with the employee’s key.
The employee must sign a nondisclosure agreement (NDA).

A

IT needs to disable the employee’s user account and privileges.

146
Q

Examine the tradeoff between traditional password policy complexity requirements and updated practical suggestions from the National Institute of Standards and Technology (NIST) and select the statement that fits both practical password management and traditional complexity requirements.

Passwords should be easy to remember and can include spaces and repetitive strings of numbers (like 987654).
Passwords should be easy to remember, but should never use spaces.
Passwords should be written in plain text in a common password repository held secure by an IT staff member.
Passwords should not contain dictionary words or contextual information, such as a username or the company name.

A

Passwords should not contain dictionary words or contextual information, such as a username or the company name.
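
To show how a policy that satisfies both NIST SP 800-63B and the traditional no-dictionary, no-contextual rule can be enforced in code, here is an added Python example (not from the deck or from NIST): a checker that screens length, a breached-password list, contextual strings such as the username or company name, passwords made entirely of dictionary words (what makes DogHouse23 from card 127 weak), and repeated or sequential runs, while allowing spaces and long passphrases. The word and breach lists are tiny constructed stand-ins.

```python
import re

# Constructed stand-ins: a real deployment screens against a breached-password
# corpus of millions of entries and a full dictionary.
COMMON_WORDS = {"password", "welcome", "summer", "dog", "house", "letmein"}
BREACHED = {"Password1", "DogHouse23", "Welcome123"}


def is_only_dictionary_words(letters: str, words) -> bool:
    """True when the letters segment entirely into dictionary words (dog+house)."""
    if not letters:
        return False
    ok = [True] + [False] * len(letters)
    for i in range(1, len(letters) + 1):
        ok[i] = any(ok[j] and letters[j:i] in words for j in range(i))
    return ok[len(letters)]


def has_sequential_run(s: str, min_len: int = 4) -> bool:
    """Ascending or descending runs such as 987654 or abcd."""
    for i in range(len(s) - min_len + 1):
        chunk = s[i:i + min_len]
        if not chunk.isalnum():
            continue
        steps = {ord(b) - ord(a) for a, b in zip(chunk, chunk[1:])}
        if steps == {1} or steps == {-1}:
            return True
    return False


def check_password(password: str, username: str = "", company: str = "",
                   min_len: int = 8, max_len: int = 64) -> list:
    """Return the reasons a password is rejected; an empty list means accepted.
    NIST SP 800-63B style: length and blocklist screening, no composition rules,
    spaces permitted; plus the traditional ban on dictionary and contextual content."""
    reasons = []
    if not min_len <= len(password) <= max_len:
        reasons.append(f"length must be {min_len}-{max_len} characters")
    if password in BREACHED:
        reasons.append("found in breached-password list")
    lowered = password.lower()
    for ctx in (username, company):
        if ctx and ctx.lower() in lowered:
            reasons.append(f"contains contextual information: {ctx}")
    if is_only_dictionary_words(re.sub(r"[^a-z]", "", lowered), COMMON_WORDS):
        reasons.append("consists only of dictionary words")
    if re.search(r"(.)\1{3,}", password):
        reasons.append("contains a repeated character run")
    if has_sequential_run(password):
        reasons.append("contains a sequential run")
    return reasons


if __name__ == "__main__":
    for pw in ("DogHouse23", "correct horse battery staple", "xQ7!987654pL"):
        print(pw, "->", check_password(pw) or "accepted")
```

Note what is deliberately absent: there is no "at least one uppercase, one digit, one symbol" rule, because DogHouse23 passes such a rule and is still weak, while a four-word passphrase with spaces fails it and is still strong.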

147
Q

Many Internet companies, such as Google and Facebook, allow users to share a single set of credentials between multiple service providers. For example, a user could log in to Amazon using their Facebook credentials. Which term correctly defines this example?

Federation
Single sign-on
Permission
Access control

A

Federation

148
Q

Which of the following methods allows subjects to determine who has access to their objects?

RBAC
DAC
MAC
ABAC

A

DAC

149
Q

Consider the role trust plays in federated identity management and determine which models rely on networks to establish trust relationships. (Select all that apply.)

SAML
OAuth
OpenID
LDAP

A

SAML
OAuth
OpenID

150
Q

An employee is working on a team to build a directory of systems they are installing in a classroom. The team is using the Lightweight Directory Access Protocol (LDAP) to update the X.500 directory. Utilizing the standards of an X.500 directory, which of the following distinguished names is the employee most likely to recommend?

OU=Univ,DC=local,CN=user,CN=system1
CN=system1,CN=user,OU=Univ,DC=local
CN=user,DC=local,OU=Univ,CN=system1
DC=system1,OU=Univ,CN=user,DC=local

A

CN=system1,CN=user,OU=Univ,DC=local
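
An added Python example (not from the deck) for this card: a small RFC 4514 distinguished-name parser that honours backslash escapes, a checker for the leaf-to-root CN, OU, DC ordering that makes the second option the right one, and an escaping helper so that user-supplied values cannot inject extra RDNs into a DN built by string concatenation. The rank table and function names are assumptions, and the ordering check only knows the three attribute types used in the question.

```python
# Characters that must be backslash-escaped inside an RFC 4514 attribute value.
_SPECIAL = set(',+"\\<>;')

# Conventional leaf-to-root order: CN (leaf objects) -> OU (containers) -> DC
# (domain components). A lower rank must never follow a higher one.
_RANK = {"CN": 0, "OU": 1, "DC": 2}


def escape_dn_value(value: str) -> str:
    """Escape an untrusted value so it cannot add or alter RDNs in a DN."""
    out = "".join("\\" + c if c in _SPECIAL else c for c in value)
    if value[:1] in ("#", " "):
        out = "\\" + out
    if value.endswith(" "):
        out = out[:-1] + "\\ "
    return out


def parse_dn(dn: str):
    """Split a string DN into [(TYPE, value), ...], leaf first, honouring
    backslash escapes so an escaped comma stays inside its value."""
    rdns, buf, attr_type, escaped = [], [], None, False
    for ch in dn:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == "=" and attr_type is None:
            attr_type = "".join(buf).strip().upper()
            buf = []
        elif ch == ",":
            if attr_type is None:
                raise ValueError("RDN without '='")
            rdns.append((attr_type, "".join(buf)))
            buf, attr_type = [], None
        else:
            buf.append(ch)
    if escaped or attr_type is None:
        raise ValueError("malformed DN")
    rdns.append((attr_type, "".join(buf)))
    return rdns


def follows_x500_ordering(dn: str) -> bool:
    """True when the DN reads leaf-to-root: CNs, then OUs, then DCs, ending in a DC."""
    try:
        rdns = parse_dn(dn)
    except ValueError:
        return False
    ranks = [_RANK.get(t, -1) for t, _ in rdns]
    if -1 in ranks or ranks[-1] != _RANK["DC"]:
        return False
    return all(a <= b for a, b in zip(ranks, ranks[1:]))


def to_ldap_path(dn: str) -> str:
    """Render the same DN root-first as a slash-separated path, for readability."""
    return "/".join(f"{t}={v}" for t, v in reversed(parse_dn(dn)))


if __name__ == "__main__":
    for option in ("OU=Univ,DC=local,CN=user,CN=system1",
                   "CN=system1,CN=user,OU=Univ,DC=local",
                   "CN=user,DC=local,OU=Univ,CN=system1",
                   "DC=system1,OU=Univ,CN=user,DC=local"):
        print(option, "->", follows_x500_ordering(option))
```

The escaping helper is the part that matters outside the exam: an application that builds `CN=` + user input + `,OU=Univ,DC=local` without it lets a value such as `system1,CN=admin` rewrite the DN.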

151
Q

A senior administrator is teaching a new technician how to properly develop a standard naming convention in Active Directory (AD). Examine the following responses and determine which statements are sound advice for completing this task. (Select all that apply.)

Create as many root-level containers and nest containers as deeply as needed
Consider grouping Organizational Units (OU) by location or department
Build groups based on department, and keep all accounts, both standard and administrative, in the same group
Within each root-level Organizational Unit (OU), use separate child OUs for different types of objects

A

Consider grouping Organizational Units (OU) by location or department
Within each root-level Organizational Unit (OU), use separate child OUs for different types of objects

152
Q

A company is instituting role-based training. Which type of training will the company require the data owner to most likely complete?

Expert knowledge of IT security and network design
Training to ensure technical understanding of access controls
Training on data management and PII plus regulatory and compliance frameworks
Training on compliance issues and data classification systems

A

Training on compliance issues and data classification systems

153
Q

A member of the IT team at a company launches a simulated phishing attack email to users across the organization. Which of these statements most accurately describes the purpose of such an attack?

The attack simulated an insider attack and alerted other members of the IT team to the presence of an attack.
The attack is a bug bounty, which identifies individuals in the organization who recognize the attack, who then make attempts to enhance security.
The attack identifies those users who respond to the phishing attempt as individuals who may require more training.
The attack prepares users for upcoming training, with users who respond appropriately, designated as teachers.

A

The attack identifies those users who respond to the phishing attempt as individuals who may require more training.

154
Q

Which statement best describes the purpose of an acceptable use policy (AUP)?

An AUP governs how employees may use company equipment and internet services.
An AUP establishes ethical standards for employee behavior.
An AUP communicates a company’s values and expectations to its employees and customers.
An AUP defines security roles and training requirements for different types of employees.

A

An AUP governs how employees may use company equipment and internet services.

155
Q

Which type of employee training utilizes gaming and/or scenario-based techniques to emphasize training objectives? (Select all that apply.)

Capture the flag (CTF)
Computer-based training (CBT)
Penetration Testing audit
Role-based training

A

Capture the flag (CTF)
Computer-based training (CBT)

156
Q

A company’s clean desk policy will most likely feature which of the following clauses?

Employees must not use multiple tabs in a browser window.
Employees must keep their workplace tidy and professional in appearance.
Employees may not use personally-owned electronic devices in the office.
Employees must not leave documents unattended in their workspace.

A

Employees must not leave documents unattended in their workspace.

157
Q

Analyze and compare the access control models in terms of how Access Control Lists (ACL) are written and determine which statement accurately explains the Discretionary Access Control (DAC) model.

A. A DAC model is the most flexible and weakest access control model. Administrative accounts have control of the resource and grants rights to others.
B. A DAC model is the least flexible and strongest access control model. The owner has full control over the resource and grants rights to others.
C. A DAC model is the least flexible and strongest access control model. Administrative accounts have control of the resource and grant rights to others.
D. A DAC model is the most flexible and weakest access control model. The owner has full control over the resource and grants rights to others.

A

D. A DAC model is the most flexible and weakest access control model. The owner has full control over the resource and grants rights to others.

158
Q

Considering how to mitigate password cracking attacks, how would restricting the number of failed logon attempts be categorized as a vulnerability?

The user is exposed to a replay attack
The user is exposed to a brute force attack.
The user is exposed to a DoS attack.
The user is exposed to an offline attack.

A

The user is exposed to a DoS attack.

159
Q

What is the purpose of a server certificate?

Provide identification for the certificate authority.
Guarantee the validity of a browser plug-in or software application.
Guarantee the identity of e-commerce sites and other websites that gather and store confidential information.

A

Guarantee the identity of e-commerce sites and other websites that gather and store confidential information.

160
Q

Compare X.509 certificates with Pretty Good Privacy (PGP) certificates and identify which of the following is NOT true.

X.509 links the identity of a user to a public key, while PGP links that identity to a private key.
X.509 and PGP are both implementations of the PKI Trust Model.
X.509 operates under a hierarchical trust model, where PGP uses a web of trust.
X.509 certificates are signed by a single Certificate Authority, whereas PGP certificates are signed by multiple users.

A

X.509 links the identity of a user to a public key, while PGP links that identity to a private key.

161
Q

Consider the process of obtaining a digital certificate and determine which of the following statements is incorrect.

When a subject wants to obtain a certificate, it completes a CSR.
Registration is the process where end users create an account with the domain administrator.
CAs ensure the validity of certificates and the identity of those applying for them.
The registration function may be delegated by the CA to one or more RAs.

A

Registration is the process where end users create an account with the domain administrator.

162
Q

Consider the Public Key Infrastructure (PKI) Trust Model. In which of the following is the root NOT the single point of failure?

Intermediate CA
Single CA
Self-signed CA
Root CA
Offline CA

A

Offline CA

163
Q

What is Open Source Intelligence (OSINT)?

A. Obtaining information, physical access to premises, or even access to a user account through the art of persuasion.
B. Using software tools to obtain information about a host or network topology.
C. The means the organization will take to protect the confidentiality, availability, and integrity of sensitive data and resources.
D. Using web search tools and social media to obtain information about the target.

A

D. Using web search tools and social media to obtain information about the target.