Domain 2

Question 1

What is the MTD metric

Answer 1

Maximum tolerable downtime

Question 2

What is scalability

Answer 2

Capacity to increase resources to meet demand within similar cost ratios

Question 3

What are the two types of scalability

Answer 3

Scale out to add more resources in parallel
Scale up to increase power of existing resources

Question 4

What does elasticity refer to

Answer 4

The ability to handle scalability changes in real time

Question 5

A power distribution unit is like what?

Answer 5

Like a surge protector

Question 6

Raid 0

Answer 6

Striping performance gain no redundancy

Question 7

Raid 1

Answer 7

1 disk failure redundancy in 2 disk setup
Con is low storage efficiency 50%

Question 8

Raid 5

Answer 8

Min 3 disks
Striping with parity
One disk can fail

Question 9

Raid 6

Answer 9

Min 4 disk
Double parity
Min 4 disks
Can have 2 disks fail

Question 10

Raid 10 nested

Answer 10

Striped set of mirrored subgroups
Faster speeds
Each subgroup can have one failure disk

Question 11

Raid 50

Answer 11

Min 6 drives
Striped set of parity subgroups
Each subgroup can lose one disk

Question 12

Multipath provides what that raid doesn’t

Answer 12

Raid deals with drive failures
Multipath deals with storage path such as bus controllers and multiple network paths to storage devices

Question 13

Geographical dispersal

Answer 13

Data replicating hot and warm sites physically distant from each other

Question 14

3 2 1 backup rules

Answer 14

3 copies 2 different media 1 offline and 1 off-site

Question 15

What is a master image

Answer 15

Copy that has os up to date, all patches, and software installed

Question 16

What is automated build from template?

Answer 16

Build instructions for an instance

Question 17

What does layered security provide

Answer 17

Defense in depth

Question 18

What port does ldaps and ldap use?

Answer 18

Ldaps Port 636
Ldap port 389

Question 19

Why is snmp v1 and v2c not secure

Answer 19

Sends community string in plaintext

Question 20

What security benefit does snmp v3 provide

Answer 20

Supports encryption and strong user based authentication

Question 21

What does tls 1.3 remove which makes it now more secure

Answer 21

Ability to downgrade to lower SSL levels

Question 22

In Tpm can endorsement key be changed?

Answer 22

No it cannot be changed

Question 23

What is difference between measured boot and boot attestation

Answer 23

Measured boot measures boot process to report on any potential malware
Boot attestation sends a log signed by Tpm to report any issues like unsigned drivers

Question 24

In a cookie what does the httponly attribute do?

Answer 24

Prevents dom based attacks and client side scripting

Question 25

In a cookie what does the same site attribute do

Answer 25

Control from where cookie may be sent protecting against request forgery attacks

Question 26

What does hsts do in web browsers?

Answer 26

Prevents downgrading to http and sslstripping

Question 27

What does content security policy csp do?

Answer 27

Mitigates click jacking, script injection, and other client side attacks

Question 28

Why might you use cache control in a web app

Answer 28

Prevent caching attacks, make sure sensitive data isn’t stored

Question 29

What are the forms of execution control

Answer 29

Allow and block list

Question 30

What are the two available execution control options in Linux

Answer 30

Apparmor and selinux through Linux security modules

Question 31

What is a bastion host

Answer 31

In a dmz running minimal services to reduce attack service

Question 32

What is north south traffic

Answer 32

Refers to traffic coming in and out of data center

Question 33

What is east west

Answer 33

Traffic between devices in network like servers

Question 34

What does affinity and persistence do in load balancing

Answer 34

Keep connections connected to a specific web server
Affinity is layer 4 based on ip port
Persistence is based on cookie layer 7

Question 35

What is latency

Answer 35

Time it takes transmission to reach recipient measured in ms

Question 36

What is jitter

Answer 36

Variation in delay or inconsistent rate of packet delivery

Question 37

What is a forward proxy?

Answer 37

Provides for protocol specific outbound traffic

Question 38

Non transparent proxy

Answer 38

Client must be configured with proxy info to use

Question 39

Transparent proxy and where is it usually setup ?

Answer 39

Intercepts client traffic without client configuration. Usually setup on router, switch, or some other inline device

Question 40

Reverse proxy server

Answer 40

Protects servers from direct contact with client requests

Question 41

What is static dynamic source nat

Answer 41

1 to 1 translation public to private ip

Question 42

What is overloaded nat/napt/pat

Answer 42

Lots of private ips mapped to single public ip

Question 43

What is one of the core features of a hids?

Answer 43

Fim file integrity monitoring

Question 44

What does IPsec provide ?

Answer 44

Confidentiality by encrypting packets and integrity antireplay by signing each packet

Question 45

Why isn’t IPsec ah used that often ?

Answer 45

Doesn’t provide confidentiality since payload isn’t encrypted, also fails in nat environments due to ip header fields in icv

Question 46

What are features of IPsec esp

Answer 46

Provides confidentiality and integrity. Can be used to encrypt packet

Question 47

What two modes can IPsec be used in and what do they do?

Answer 47

Transport mode used to secure communications between hosts esp doesn’t encrypt ip header but ah can be used to do that
Tunnel mode used for communications between vpn gateways esp can encrypt whole packet

Question 48

What does ike do in ipsec

Answer 48

Handles authentication and key exchange referred to as security associations

Question 49

What is big difference between ike v1 and v2

Answer 49

Version 1 for clients you still had to use something like l2tp but version 2 has added features where you can just use it to gain access to internal network resources

Question 50

Each wap is identified by it’s Mac address which is also called what ?

Answer 50

Basic service set identifier

Question 51

What technology has replaced wps in wifi

Answer 51

Easy connect using keys and qr codes

Question 52

Eap defines framework for negotiating what

Answer 52

Authentication methods like smart cards

Question 53

What security feature does a docker namespace provide

Answer 53

Prevent one container from reading or writing processes in another container

Question 54

What security feature does a docker control group provide

Answer 54

Ensures one container can’t overwhelm others in an attack such as dos

Question 55

In the cloud what does a resource policy do?

Answer 55

Acts as ACL for an object

Question 56

What is a transit gateway in cloud computing ?

Answer 56

Allows vpc subnets and vpn gateways to talk to each other

Question 57

Which 3 ways can casbs be implemented ?

Answer 57

Forward proxy
Reverse proxy
API

Question 58

The comman name in certificate was replaced with what

Answer 58

San subject alternative name

Question 59

What are the two different types of validations for certificate requests

Answer 59

Domain and extended validation

Question 60

Extended validation doesn’t allow you to get what kind of certificate

Answer 60

Wildcard cert

Question 61

What is escrow key storage in pki

Answer 61

Third party storing those keys

Question 62

What is m of n control in pki

Answer 62

Means only m of the total n authorized users should be present to access the key

Question 63

What is ocsp stapling

Answer 63

Web server caches ocsp response and provides it to clients

Question 64

What is certificate pinning

Answer 64

A way for clients to bypass ca hierarchy and chain of trust to minimize mitm attacks when inspecting certificate

Question 65

What is a pkcs 12 file

Answer 65

Allows export of private key with cert. Can be protected with password and in a binary format like pfx

Question 66

What is the pkb 7 format in pki. Where is it usually used in?

Answer 66

Uses pkcs #7 allows to combine multiple certificate in a file such as chain. Usually used in s/mime to encrypt emails