End of Chapter Questions

Question 1

Matt is updating the organization’s threat assessment process. What category of control is Matt implementing?
a. Operational
b. Technical
c. Corrective
d. Managerial

Answer 1

D. Managerial controls are procedural mechanisms that focus on the mechanics of the risk management process. Threat assessment is an example of one of these activities.

Question 2

Jade’s organization recently suffered a security breach that affected stored credit card data. Jade’s primary concern is the fact that the organization is subject to sanctions for violating the provisions of the Payment Card Industry Data Security Standard. What category of risk is concerning Jade?
a. Strategic
b. Compliance
c. Operational
d. Financial

Answer 2

B. The breach of credit card information may cause many different impacts on the organization, including compliance, operational, and financial risks. However, in this scenario, Jade’s primary concern is violating PCI DSS, making his concern a compliance risk.

Question 3

Chris is responding to a security incident that compromised one of his organization’s web servers. He believes that the attackers defaced one or more pages on the website. What cybersecurity objective did this attack violate?
a. Confidentiality
b. Nonrepudiation
c. Integrity
d. Availability

Answer 3

C. The defacement of a website alters content without authorization and is, therefore, a violation of the integrity objective. The attackers may also have breached the confidentiality or availability of the website, but the scenario does not provide us with enough information to draw those conclusions.

Question 4

Gwen is exploring a customer transaction reporting system and discovers the table shown here. What type of data minimization has most likely been used on this table?
a. Destruction
b. Masking
c. Tokenization
d. Hashing

Answer 4

B. In this case, the first 12 digits of the credit card have been removed and replaced with asterisks. This is an example of data masking.

Question 5

Tonya is concerned about the risk that an attacker will attempt to gain access to her organization’s database server. She is searching for a control that would discourage the attacker from attempting to gain access. What type of security control is she seeking to implement?
a. Preventive
b. Detective
c. Corrective
d. Deterrent

Answer 5

D. Deterrent controls are designed to prevent an attacker from attempting to violate security policies in the first place. Preventive controls would attempt to block an attack that was about to take place. Corrective controls would remediate the issues that arose during an attack.

Question 6

Greg is implementing a data loss prevention system. He would like to ensure that it protects against transmissions of sensitive information by guests on his wireless network. What DLP technology would best meet this goal?
A. Watermarking
B. Pattern recognition
C. Host-based
D. Network-based

Answer 6

D. In this case, Greg must use a network-based DLP system. Host-based DLP requires the use of agents, which would not be installed on guest systems. Greg may use watermarking and/or pattern recognition to identify the sensitive information but he must use network-based DLP to meet his goal.

Question 7

What term best describes data that is being sent between two systems over a network connection?
A. Data at rest
B. Data in motion
C. Data in processing
D. Data in use

Answer 7

B. Data being sent over a network is data in motion. Data at rest is stored data that resides on hard drives, tapes, in the cloud, or on other storage media. Data in processing, or data in use, is data that is actively in use by a computer system.

Question 8

Tina is tuning her organization’s intrusion prevention system to prevent false positive alerts. What type of control is Tina implementing?
A. Technical control
B. Physical control
C. Managerial control
D. Operational control

Answer 8

A. Technical controls enforce confidentiality, integrity, and availability in the digital space. Examples of technical security controls include firewall rules, access control lists, intrusion prevention systems, and encryption.

Question 9

Which one of the following is not a common goal of a cybersecurity attacker?
A. Disclosure
B. Denial
C. Alteration
D. Allocation

Answer 9

D. The three primary goals of cybersecurity attackers are disclosure, alteration, and denial. These map directly to the three objectives of cybersecurity professionals: confidentiality, integrity, and availability

Question 10

Tony is reviewing the status of his organization’s defenses against a breach of their file server. He believes that a compromise of the file server could reveal information that would prevent the company from continuing to do business. What term best describes the risk that Tony is considering?
A. Strategic
B. Reputational
C. Financial
D. Operational

Answer 10

A. The risk that Tony is contemplating could fit any one of these categories. However, his primary concern is that the company may no longer be able to do business if the risk materializes. This is a strategic risk.

Question 11

Which one of the following data elements is not commonly associated with identity theft?
A. Social Security number
B. Driver’s license number
C. Frequent flyer number
D. Passport number

Answer 11

C. Although it is possible that a frequent flyer account number, or any other account number for that matter, could be used in identity theft, it is far more likely that identity thieves would use core identity documents. These include drivers’ licenses, passports, and Social Security numbers.

Question 12

What term best describes an organization’s desired security state?
A. Control objectives
B. Security priorities
C. Strategic goals
D. Best practices

Answer 12

A. As an organization analyzes its risk environment, technical and business leaders determine the level of protection required to preserve the confidentiality, integrity, and availability of their information and systems. They express these requirements by writing the control objectives that the organization wishes to achieve. These control objectives are statements of a desired security state.

Question 13

Lou mounted the sign below on the fence surrounding his organization’s datacenter. What control type best describes this control?

A. Compensating
B. Detective
C. Physical
D. Deterrent

Answer 13

D. This question is a little tricky. The use of an actual guard dog could be considered a deterrent, physical, or detective control. It could even be a compensating control in some circumstances. However, the question asks about the presence of a sign and does not state that an actual dog is used. The sign only has value as a deterrent control. Be careful when facing exam questions like this to read the details of the question.

Question 14

What technology uses mathematical algorithms to render information unreadable to those lacking the required key?
A. Data loss prevention
B. Data obfuscation
C. Data minimization
D. Data encryption

Answer 14

D. Encryption technology uses mathematical algorithms to protect information from prying eyes, both while it is in transit over a network and while it resides on systems. Encrypted data is unintelligible to anyone who does not have access to the appropriate decryption key, making it safe to store and transmit encrypted data over otherwise insecure means

Question 15

Greg recently conducted an assessment of his organization’s security controls and discovered a potential gap: the organization does not use full-disk encryption on laptops. What type of control gap exists in this case?
A. Detective
B. Corrective
C. Deterrent
D. Preventive

Answer 15

D. The use of full-disk encryption is intended to prevent a security incident from occurring if a device is lost or stolen. Therefore, this is a preventive control gap.

Question 16

What compliance regulation most directly affects the operations of a healthcare provider?
A. HIPAA
B. PCI DSS
C. GLBA
D. SOX

Answer 16

A. Although a health-care provider may be impacted by any of these regulations, the Health Insurance Portability and Accountability Act (HIPAA) provides direct regulations for the security and privacy of protected health information and would have the most direct impact on a health-care provider.

Question 17

Nolan is writing an after action report on a security breach that took place in his organization. The attackers stole thousands of customer records from the organization’s database. What cybersecurity principle was most impacted in this breach?
A. Availability
B. Nonrepudiation
C. Confidentiality
D. Integrity

Answer 17

C. The disclosure of sensitive information to unauthorized individuals is a violation of the principle of confidentiality.

Question 18

Which one of the following objectives is not one of the three main objectives that information security professionals must achieve to protect their organizations against cybersecurity threats?
A. Integrity
B. Nonrepudiation
C. Availability
D. Confidentiality

Answer 18

B. The three primary objectives of cybersecurity professionals are confidentiality, integrity, and availability.

Question 19

Which one of the following data protection techniques is reversible when conducted properly?
A. Tokenization
B. Masking
C. Hashing
D. Shredding

Answer 19

A. Tokenization techniques use a lookup table and are designed to be reversible. Masking and hashing techniques replace the data with values that can’t be reversed back to the original data if performed properly. Shredding, when conducted properly, physically destroys data so that it may not be recovered.

Question 20

Which one of the following statements is not true about compensating controls under PCI DSS?
A. Controls used to fulfill one PCI DSS requirement may be used to compensate for the absence of a control needed to meet another requirement.
B. Controls must meet the intent of the original requirement.
C. Controls must meet the rigor of the original requirement.
D. Compensating controls must provide a similar level of defense as the original requirement.

Answer 20

A. PCI DSS compensating controls must be “above and beyond” other PCI DSS requirements. This specifically bans the use of a control used to meet one requirement as a compensating control for another requirement.

Question 21

Which of the following measures is not commonly used to assess threat intelligence?
A. Timeliness
B. Detail
C. Accuracy
D. Relevance

Answer 21

B. Although higher levels of detail can be useful, they aren’t a common measure used to assess threat intelligence. Instead, the timeliness, accuracy, and relevance of the information are considered critical to determining whether you should use the threat information.

Question 22

What language is STIX based on?
A. PHP
B. HTML
C. XML
D. Python

Answer 22

C. STIX is an XML-based language, allowing it to be easily extended and modified while also using standard XML-based editors, readers, and other tools.

Question 23

Kolin is a penetration tester who works for a cybersecurity company. His firm was hired to conduct a penetration test against a health-care system, and Kolin is working to gain access to the systems belonging to a hospital in that system. What term best describes Kolin’s work?
A. White hat
B. Gray hat
C. Green hat
D. Black hat

Answer 23

A. Attacks that are conducted as part of an authorized penetration test are white-hat hacking attacks, regardless of whether they are conducted by internal employees or an external firm. Kolin is, therefore, engaged in white-hat hacking. If he were acting on his own, without authorization, his status would depend on his intent. If he had manicous intent, his activity would be considered black-hat hacking. If he simply intended to report vulnerabilities to the hospital, his attack would be considered gray hat. Green hat is not a commonly used category of attacker.

Question 24

Which one of the following attackers is most likely to be associated with an APT?
A. Nation-state actor
B. Hacktivist
C. Script kiddie
D. Insider

Answer 24

A. Advanced persistent threats (APTs) are most commonly associated with nation-state actors. It is unlikely that an APT group would leverage the unsophisticated services of a script kiddie. It is also unlikely that a hacktivist would have access to APT resources. Although APTs may take advantage of insider access, they are most commonly associated with nation-state actors.

Question 25

What organizations did the U.S. government help create to help share knowledge between organizations in specific verticals?
A. DHS
B. SANS
C. CERTS
D. ISACs

Answer 25

D. The U.S. government created the Information Sharing and Analysis Centers (ISACs). ISACs help infrastructure owners and operators share threat information, and provide tools and assistance to their members.

Question 26

Which of the following threat actors typically has the greatest access to resources?
A. Nation-state actors
B. Organized crime
C. Hacktivists
D. Insider threats

Answer 26

A. Nation-state actors are government sponsored, and they typically have the greatest access to resources, including tools, money, and talent.

Question 27

Of the threat vectors listed here, which one is most commonly exploited by attackers who are at a distant location?
A. Email
B. Direct access
C. Wireless
D. Removable media

Answer 27

A. Email is the most common threat vector exploited by attackers who use phishing and other social engineering tactics to gain access to an organization. The other vectors listed here, direct access, wireless, and removable media, all require physical proximity to an organization and are not easily executed from a remote location.

Question 28

Which one of the following is the best example of a hacktivist group?
A. Chinese military
B. U.S. government
C. Russian mafia
D. Anonymous

Answer 28

D. The Chinese military and U.S. government are examples of nation-state actors and advanced persistent threats (APTs). The Russian mafia is an example of a criminal syndicate. Anonymous is the world’s most prominent hacktivist group.

Question 29

What type of assessment is particularly useful for identifying insider threats?
A. Behavioral
B. Instinctual
C. Habitual
D. IOCs

Answer 29

A. Behavioral assessments are very useful when you are attempting to identify insider threats. Since insider threats are often hard to distinguish from normal behavior, the context of the actions performed—such as after-hours logins, misuse of credentials, logins from abnormal locations, or abnormal patterns—and other behavioral indicators are often used.

Question 30

Cindy wants to send threat information via a standardized protocol specifically designed to exchange cyber threat information. What should she choose?
A. STIX 1.0
B. OpenIOC
C. STIX 2.0
D. TAXII

Answer 30

D. TAXII, the Trusted Automated eXchange of Indicator Information protocol, is specifically designed to communicate cyber threat information at the application layer. OpenIOC is a compromise indicator framework, and STIX is a threat description language.

Question 31

Greg believes that an attacker may have installed malicious firmware in a network device before it was provided to his organization by the supplier. What type of threat vector best describes this attack?
A. Supply chain
B. Removable media
C. Cloud
D. Direct access

Answer 31

A. Tampering with equipment before it reaches the intended user is an example of a supply chain threat. It is also possible to describe this attack as a direct access attack because it involved physical access to the device, but supply chain is a more relevant answer. You should be prepared to select the best possible choice from several possible correct answers when you take the exam. Security+ questions often use this type of misdirection.

Question 32

Ken is conducting threat research on Transport Layer Security (TLS) and would like to consult the authoritative reference for the protocol’s technical specification. What resource would best meet his needs?
A. Academic journal
B. Internet RFCs
C. Subject matter experts
D. Textbooks

Answer 32

B. All of these resources might contain information about the technical details of TLS, but Internet Request for Comments (RFC) documents are the definitive technical standards for Internet protocols. Consulting the RFCs would be Ken’s best option.

Question 33

Wendy is scanning cloud-based repositories for sensitive information. Which one of the following should concern her most, if discovered in a public repository?
A. Product manuals
B. Source code
C. API keys
D. Open source data

Answer 33

C. All of these items could be concerning, depending on the circumstances. However, API keys should never be found in public repositories because they may grant unauthorized individuals access to information and resources.

Question 34

Which one of the following threat research tools is used to visually display information about the location of threat actors?
A. Threat map
B. Predictive analysis
C. Vulnerability feed
D. STIX

Answer 34

A. Threat maps are graphical tools that display information about the geographic locations of attackers and their targets. These tools are most often used as interesting marketing gimmicks, but they can also help identify possible threat sources.

Question 35

Vince recently received the hash values of malicious software that several other firms in his industry found installed on their systems after a compromise. What term best describes this information?
A. Vulnerability feed
B. IoC
C. TTP
D. RFC

Answer 35

B. Specific details of attacks that may be used to identify compromises are known as indicators of compromise (IoCs). This data may also be described as an adversary tool, tactic, or procedure (TTP), but the fact that it is a set of file signatures makes it more closely match the definition of an IoC.

Question 36

Ursula recently discovered that a group of developers are sharing information over a messaging tool provided by a cloud vendor but not sanctioned by her organization. What term best describes this use of technology?
A. Shadow IT
B. System integration
C. Vendor management
D. Data exfiltration

Answer 36

A. The developers in question are using unapproved technology for business purposes. This is the classic definition of shadow IT. It is possible to describe this as data exfiltration, but there is no indication that the data security has been compromised, so shadow IT is a better description here. Remember, you will often be asked to choose the best answer from multiple correct answers on the exam.

Question 37

Tom’s organization recently learned that the vendor is discontinuing support for their customer relationship management (CRM) system. What should concern Tom the most from a security perspective?
A. Unavailability of future patches
B. Lack of technical support
C. Theft of customer information
D. Increased costs

Answer 37

A. Tom’s greatest concern should be that running unsupported software exposes his organization to the risk of new, unpatchable vulnerabilities. It is certainly true that they will no longer receive technical support, but this is a less important issue from a security perspective. There is no indication in the scenario that discontinuing the product will result in the theft of customer information or increased costs.

Question 38

Which one of the following information sources would not be considered an OSINT source?
A. DNS lookup
B. Search engine research
C. Port scans
D. WHOIS queries

Answer 38

C. Port scans are an active reconnaissance technique that probe target systems and would not be considered open source intelligence (OSINT). Search engine research, DNS lookups, and WHOIS queries are all open source resources.

Question 39

Edward Snowden was a government contractor who disclosed sensitive government documents to journalists to uncover what he believed were unethical activities. Which two of the following terms best describe Snowden’s activities? (Choose two.)
A. Insider
B. State actor
C. Hacktivist
D. APT
E. Organized crime

Answer 39

A, C. As a government contractor, Snowden had authorized access to classified information and exploited this access to make an unauthorized disclosure of that information. This clearly makes him fit into the category of an insider. He did so with political motivations, making him fit the category of hacktivist as well.

Question 40

Renee is a cybersecurity hobbyist. She receives an email about a new web-based grading system being used by her son’s school and she visits the site. She notices that the URL for the site looks like this:
https://www.myschool.edu/grades.php&studentID=1023425
She realizes that 1023425 is her son’s student ID number and she then attempts to access the following similar URLs:
https://www.myschool.edu/grades.php&studentID=1023423
https://www.myschool.edu/grades.php&studentID=1023424
https://www.myschool.edu/grades.php&studentID=1023426
https://www.myschool.edu/grades.php&studentID=1023427

When she does so, she accesses the records of other students. She closes the records and immediately informs the school principal of the vulnerability. What term best describes Renee’s work?

A. White-hat hacking
B. Green-hat hacking
C. Gray-hat hacking
D. Black-hat hacking

Answer 40

C. Renee was not authorized to perform this security testing, so her work does not fit into the category of white-hat hacking. However, she also does not have malicious intent, so her work cannot be categorized as a black-hat attack. Instead, it fits somewhere in between the two extremes and would best be described as gray-hat hacking.

Question 41

Gurvinder has been asked to assist a company that recently fired one of their developers. After the developer was terminated, the critical application that they had written for the organization stopped working and now displays a message reading “You shouldn’t have fired me!” If the developer’s access was terminated and the organization does not believe that they would have had access to any systems or code after they left the organization, what type of malware should Gurvinder look for?
A. A RAT
B. A PUP
C. A logic bomb
D. A keylogger

Answer 41

C. A logic bomb is a type of malware that activates after specific conditions are met. Here, the developer no longer showing up in payroll, not entering a specific input, or another activation scheme could have been used. A RAT is a remote access Trojan, a PUP is a potentially unwanted program, and a keylogger steals user input.

Question 42

Naomi believes that an attacker has compromised a Windows workstation using a fileless malware package. What Windows scripting tool was most likely used to download and execute the malware?
A. VBScript
B. Python
C. Bash
D. PowerShell

Answer 42

D. PowerShell is the most likely tool for this type of exploit. VBScript would be used inside an application, and both Bash and Python are more likely to exist on a Linux system.

Question 43

Scott notices that one of the systems on his network contacted a number of systems via encrypted web traffic, downloaded a handful of files, and then uploaded a large amount of data to a remote system. What type of infection should he look for?
A. A keylogger
B. A backdoor
C. A bot
D. A logic bomb

Answer 43

C. The behaviors that Scott is seeing are characteristic of a bot infection. The bot was likely contacting command-and-control hosts, then downloading updates and/or additional packages, then uploading data from his organization. He will need to determine if sensitive or important business information was present on the system or accessible from it. Keyloggers will capture keystrokes and user input but would typically require additional malware packages to display this behavior. A logic bomb might activate after an event, but no event is described, and a backdoor is used for remote access.

Question 44

Amanda notices traffic between her systems and a known malicious host on TCP port 6667. What type of traffic is she most likely detecting?
A. Command and control
B. A hijacked web browser
C. A RAT
D. A worm

Answer 44

A. Amanda has most likely discovered a botnet’s command-and- control (C&C) channel, and the system or systems she is monitoring are probably using IRC as the C&C channel. A RAT is more likely to use a different control channel, worms spread by attacking vulnerable services, and a hijacked web browser would probably operate on common HTTP or HTTPS ports (80/443).

Question 45

Mike discovers that attackers have left software that allows them to have remote access to systems on a computer in his company’s network. How should he describe or classify this malware?
A. A worm
B. Crypto malware
C. A Trojan
D. A backdoor

Answer 45

D. Remote access to a system is typically provided by a backdoor. Backdoors may also appear in firmware or even in hardware. None of the other items listed provide remote access by default, although they may have a backdoor as part of a more capable malware package.

Question 46

Naomi wants to provide guidance on how to keep her organization’s new machine learning tools secure. Which of the following is not a common means of securing machine learning algorithms?
A. Understand the quality of the source data
B. Build a secure working environment for ML developers
C. Require third-party review for bias in ML algorithms
D. Ensure changes to ML algorithms are reviewed and tested

Answer 46

C. Requiring third-party review of ML algorithms is not a common requirement, but ensuring that you use high-quality source data, that the working environment remains secure, and that changes are reviewed and tested are all common best practices for ML algorithm security.

Question 47

What type of malware is adware typically classified as?
A. A DOG
B. A backdoor
C. A PUP
D. A rootkit

Answer 47

C. Adware is typically classified as a type of potentially unwanted program, or PUP. Backdoors and rootkits are definitely malicious, whereas adware may simply be unwanted and annoying. A DOG is not a term commonly used to describe malware.

Question 48

Matt uploads a malware sample to a third-party malware scanning site that uses multiple antimalware and antivirus engines to scan the sample. He receives several different answers for what the malware package is. What has occurred?
A. The package contains more than one piece of malware.
B. The service is misconfigured.
C. The malware is polymorphic and changed while being tested.
D. Different vendors use different names for malware packages.

Answer 48

D. One of the challenges security practitioners can face when attempting to identify malware is that different antivirus and antimalware vendors will name malware packages and families differently. This means that Matt may need to look at different names to figure out what he is dealing with.

Question 49

Nancy is concerned that there is a software keylogger on the system she is investigating. What data may have been stolen?
A. All files on the system
B. All keyboard input
C. All files the user accessed while the keylogger was active
D. Keyboard and other input from the user

Answer 49

D. Though keyloggers often focus on keyboard input, other types of input may also be captured, meaning Nancy should worry about any user input that occurred while the keylogger was installed. Keyloggers typically do not target files on systems, although if Nancy finds a keylogger she may want to check for other malware packages with additional capabilities.

Question 50

Crypto malware is a type of what sort of malware?
A. Worms
B. PUP
C. Ransomware
D. Rootkit

Answer 50

C. Crypto malware, a type of ransomware, typically demands payment to decrypt critical files or entire drives. PUPs are potentially unwanted programs like spyware and adware, whereas rootkits are used to gain control of systems without being detected and worms self-spread by exploiting vulnerabilities.

Question 51

Rick believes that a system he is responsible for has been compromised with malware that uses a rootkit to obtain and retain access to the system. When he runs a virus scan, the system doesn’t show any malware. If he has other data that indicates the system is infected, what should his next step be if he wants to determine what malware may be on the system?
A. Rerun the antimalware scan.
B. Mount the drive on another system and scan it that way.
C. Disable the systems antivirus because it may be causing a false negative.
D. The system is not infected and he should move on.

Answer 51

B. Rootkits are designed to hide from antimalware scanners and can often defeat locally run scans. Mounting the drive in another system in read-only mode, or booting from a USB drive and scanning using a trusted, known good operating system, can be an effective way to determine what malware is on a potentially infected system.

Question 52

Tracy is concerned about attacks against the machine learning algorithm that her organization is using to assess their network. What step should she take to ensure that her baseline data is not tainted?
A. She should scan all systems on the network for vulnerabilities and remediate them before using the algorithm.
B. She should run the ML algorithm on the network only if she believes it is secure.
C. She should disable outbound and inbound network access so that only normal internal traffic is validated.
D. She should disable all firewall rules so that all potential traffic can be validated.

Answer 52

B. If Tracy is worried about baselining her network and having tainted data, she needs to ensure that no malicious activity is occurring when she runs the baseline data capture. That way, the machine learning algorithm will only be working with normal traffic patterns and behaviors and can then detect and alert on things that are abnormal.

Question 53

Selah wants to ensure that malware is completely removed from a system. What should she do to ensure this?
A. Run multiple antimalware tools and use them to remove all detections.
B. Wipe the drive and reinstall from known good media.
C. Use the delete setting in her antimalware software rather than the quarantine setting.
D. There is no way to ensure the system is safe and it should be destroyed.

Answer 53

B. In most malware infection scenarios, wiping the drive and reinstalling from known good media is the best option available. If the malware has tools that can infect the system BIOS, even this may not be sufficient, but BIOS-resident malware is relatively uncommon. Multiple antivirus and antimalware tools, even if they are set to delete malware, may still fail against unknown or advanced malware packages. Destroying systems is uncommon and expensive and is unlikely to be acceptable to most organizations as a means of dealing with a malware infection.

Question 54

What type of malware is frequently called stalkerware because of its use by those in intimate relationships to spy on their partners?
A. Worms
B. RATs
C. Crypto malware
D. PUPs

Answer 54

B. RATs, or remote access Trojans, are sometimes called stalkerware because they are often utilized by those in intimate relationships to spy on their partners. They provide remote access and other capabilities to computers and mobile devices.

Question 55

Ben wants to analyze Python code that he believes may be malicious code written by an employee of his organization. What can he do to determine if the code is malicious?
A. Run a decompiler against it to allow him to read the code.
B. Open the file using a text editor to review the code.
C. Test the code using an antivirus tool.
D. Submit the Python code to a malware testing website.

Answer 55

B. Python is an interpreted rather than a compiled language, so Ben doesn’t need to use a decompiler. Instead, his best bet is to open the file and review the code to see what it does. Since it was written by an employee, it is unlikely that it will match an existing known malicious package, which means antivirus and antimalware tools and sites will be useless.

Question 56

What type of malware is VBA code most likely to show up in?
A. Macro viruses
B. RATs
C. Worms
D. Logic bombs

Answer 56

A. Visual Basic for Applications (VBA) code is most likely to show up in macro viruses. VBA is used inside Microsoft Office as a scripting language.

Question 57

Angela wants to limit the potential impact of malicious Bash scripts. Which of the following is the most effective technique she can use to do so without a significant usability impact for most users?
A. Disable Bash.
B. Switch to another shell.
C. Use Bash’s restricted mode.
D. Prevent execution of Bash scripts.

Answer 57

C. Bash’s restricted shell mode removes many of the features that can make Bash useful for malicious actors. You can read more about Bash in restricted shell mode at www.gnu.org/software/bash/manual/html_node/The-Restricted- Shell.html .

Question 58

Fred receives a call to respond to a malware-infected system. When he arrives, he discovers a message on the screen that reads “Send .5 Bitcoin to the following address to recover your files.” What is the most effective way for Fred to return the system to normal operation?
A. Pay the Bitcoin ransom.
B. Wipe the system and reinstall.
C. Restore from a backup if available.
D. Run antimalware software to remove malware.

Answer 58

C. In most cases, if a backup exists it is the most effective way to return to normal operation. If no backup exists, Fred may be faced with a difficult choice. Paying a ransom is prohibited by policy in many organizations and does not guarantee that the files will be unlocked. Wiping and reinstalling may result in the loss of data, much like not paying the ransom. Antimalware software may work, but if it did not detect the malware in the first place, it may not work, or it may not decrypt the files encrypted by the malware.

Question 59

What type of malware connects to a command-and-control system, allowing attackers to manage, control, and update it remotely?
A. A bot
B. A drone
C. A vampire
D. A worm

Answer 59

A. Bots connect to command-and-control systems, allowing them to be updated, controlled, and managed remotely. Worms spread via vulnerabilities, and drones and vampires aren’t common terms for malware.

Question 60

James notices that a macro virus has been detected on a workstation in his organization. What was the most likely path for the infection?
A. A drive-by download via a web browser
B. A worm spread the macro virus
C. A user intentionally enabled macros for an infected file
D. A remote access Trojan was used to install the macro virus

Answer 60

C. Modern versions of Microsoft Office disable macros by default. For most macro viruses to successfully attack systems, users must enable macros. Social engineering and other techniques are used to persuade users that they want or need to enable macros in infected files, allowing the malicious scripts to run.

Question 61

Which of the following is the best description of tailgating?

A. Following someone through a door they just unlocked
B. Figuring out how to unlock a secured area
C. Sitting close to someone in a meeting
D. Stealing information from someone’s desk

Answer 61

A. Tailgating is best defined as following someone through a door they just unlocked, thus gaining access to a secured area without presenting credentials or having the key or other access required to open the door.

Question 62

When you combine phishing with Voice over IP, it is known as:
A. Spoofing
B. Spooning
C. Whaling
D. Vishing

Answer 62

D. Vishing involves combining phishing with Voice over IP. Whaling focuses on targeting important targets for phishing attacks, spoofing is a general term that means faking things, and spooning is not a technical term used for security practices.

Question 63

Alan reads Susan’s password from across the room as she logs in. What type of technique has he used?
A. A man-in-the-room attack
B. Shoulder surfing
C. A man-in-the-middle attack
D. Pretexting

Answer 63

B. Shoulder surfing is the process of watching what someone is doing to acquire passwords or other information. A man-in-the- middle attack is a technical attack that inserts an attacker between a victim and a legitimate server or other destination to capture traffic. Pretexting is a social engineering technique that presents a reason or excuse why something is needed or done. A man-in-the-room attack was made up for this question.

Question 64

Joanna recovers a password file with passwords stored as MD5 hashes. What tool can she use to crack the passwords?
A. MD5sum
B. John the Ripper
C. GPG
D. Netcat

Answer 64

B. Joanna needs to use a password cracking tool. Although John the Ripper is a useful password cracking tool, an even faster technique for most passwords with a known hashing scheme would be to use a rainbow table–based password cracker like OphCrack to look up the hashes using a precomputed database of likely passwords. MD5sum is a tool for creating MD5 hashes, not for cracking passwords, GPG is an encryption tool, and netcat is a great network tool with many uses, but password cracking is not one of them!

Question 65

What technique is most commonly associated with the use of malicious flash drives by penetration testers?
A. Mailing them to targets
B. Sneaking them into offices and leaving them in desk drawers
C. Distributing them in parking lots as though they were dropped
D. Packing them to look like a delivery and dropping them off with a target’s name on the package

Answer 65

C. Distributing malicious flash drives in a parking lot or other high-traffic area, often with a label that will tempt the person who finds it into plugging it in, is a technique used by penetration testers.

Question 66

Selah infects the ads on a website that users from her target company frequently visit with malware as part of her penetration test. What technique has she used?
A. A watering hole attack
B. Vishing
C. Whaling
D. Typosquatting

Answer 66

A. Watering hole attacks rely on compromising or infecting a website that targeted users frequently visit, much like animals will visit a common watering hole. Vishing is phishing via voice, whaling is a targeted phishing attack against senior or important staff, and typo squatting registers similar URLs that are likely to be inadvertently entered in order to harvest clicks or conduct malicious activity.

Question 67

Ben searches through an organization’s trash looking for sensitive documents, internal notes, and other useful information. What term describes this type of activity?
A. Waste engineering
B. Dumpster diving
C. Trash pharming
D. Dumpster harvesting

Answer 67

B. Dumpster diving is a broad term used to describe going through trash to find useful information, often as part of a penetration test or by attackers looking for information about an organization. As you may have guessed, the other answers were made up.

Question 68

Skimming attacks are often associated with what next step by attackers?
A. Phishing
B. Dumpster diving
C. Vishing
D. Cloning

Answer 68

D. Cloning attacks often occur after a skimmer is used to capture card information. Skimming devices may include magnetic stripe readers, cameras, and other technology to allow attackers to make a complete copy of a captured card. Phishing focuses on acquiring credentials or other information but isn’t a typical follow-up to a skimming attack. Dumpster diving and vishing are both unrelated techniques as well.

Question 69

Alaina suspects that her organization may be targeted by a SPIM attack. What technology is she concerned about?
A. Spam over Instant Messaging
B. Social Persuasion and Intimidation by Managers
C. Social Persuasion by Internet Media
D. Spam over Internal Media

Answer 69

A. SPIM is Spam over Internet Messaging (originally “Instant Messenger,” but this acronym was updated after IM tools became less common). Alaina will need to consider a variety of messaging tools where external and internal communications could also include spam. The other answers were made up.

Question 70

Alex discovers that the network routers that his organization has recently ordered are running a modified firmware version that does not match the hash provided by the manufacturer when he compares them. What type of attack should Alex categorize this attack as?
A. An influence campaign
B. A hoax
C. A supply chain attack
D. A pharming attack

Answer 70

C. Supply chain attacks occur before software or hardware is delivered to an organization. Influence campaigns seek to change or establish opinions and attitudes. Pharming attacks redirect legitimate traffic to fake sites, and hoaxes are intentional deceptions.

Question 71

Nicole accidentally types www.smazon.com into her browser and discovers that she is directed to a different site loaded with ads and pop-ups. Which of the following is the most accurate description of the attack she has experienced?
A. DNS hijacking
B. Pharming
C. Typosquatting
D. Hosts file compromise

Answer 71

C. Typo squatting uses misspellings and common typos of websites to redirect traffic for profit or malicious reasons. Fortunately, if you visit smazon.com , you’ll be redirected to the actual amazon.com website, because Amazon knows about and works to prevent this type of issue. DNS hijacking and hosts file modifications both attempt to redirect traffic to actual URLs or hostnames to different destinations, and pharming does redirect
legitimate traffic to fake sites, but typo squatting is the more specific answer.

Question 72

Lucca’s organization runs a hybrid datacenter with systems in Microsoft’s Azure cloud and in a local facility. Which of the following attacks is one that he can establish controls for in both locations?
A. Shoulder surfing
B. Tailgating
C. Dumpster diving
D. Phishing

Answer 72

D. Shoulder surfing, tailgating, and dumpster diving are all in- person physical attacks and are not something that will be in Lucca’s control with a major cloud vendor. Antiphishing techniques can be used regardless of where servers and services are located.

Question 73

Alaina discovers that someone has set up a website that looks exactly like her organization’s banking website. Which of the following terms best describes this sort of attack?
A. Phishing
B. Pharming
C. Typosquatting
D. Tailgating

Answer 73

B. Pharming best fits this description. Pharming attacks use web pages that are designed to look like a legitimate site but that attempt to capture information like credentials. Typo squatting relies on slightly incorrect hostnames or URLs, and nothing like that is mentioned in the question. Tailgating is an in-person attack, and phishing is typically done via email or other means to request information, not by setting up a site like this, although some phishing attacks may direct to a pharming website!

Question 74

When a caller was recently directed to Amanda, who is a junior IT employee at her company, the caller informed her that they were the head of IT for her organization and that she needed to immediately disable the organization’s firewall due to an ongoing issue with their e-commerce website. After Amanda made the change, she discovered that the caller was not the head of IT, and that it was actually a penetration tester hired by her company. Which social engineering principle best matches this type of attack?
A. Authority
B. Consensus
C. Scarcity
D. Trust

Answer 74

A. The caller relied on their perceived authority to require Amanda to make the change. They likely also used urgency, which isn’t mentioned here, but that would cause Amanda to potentially skip the validation or verification processes she would have normally used in a scenario like this. There is no effort to build consensus or establish trust, nor is there a sense of scarcity as described in the scenario.

Question 75

What type of malicious actor is most likely to use hybrid warfare?
A. A script kiddie
B. A hacktivist
C. An internal threat
D. A nation-state

Answer 75

D. Hybrid warfare combines active cyberwarfare, influence campaigns, and real-world direct action. This makes hybrid warfare almost exclusively the domain of nation-state actors.

Question 76

Sharif receives a bill for services that he does not believe his company requested or had performed. What type of social engineering technique is this?
A. Credential harvesting
B. A hoax
C. Reconnaissance
D. An invoice scam

Answer 76

D. This is an example of an invoice scam. Most invoice scams involve sending fake invoices hoping to be paid. No information is being gathered, so this isn’t reconnaissance or credential harvesting. This could be a hoax, but the more accurate answer is an invoice scam. Note that some social engineering uses false invoices to deploy malware by including it as an attachment or by using an attachment with malicious scripts built into a Microsoft Office file.

Question 77

Naomi receives a report of smishing. What type of attack should she be looking for?
A. Compressed files in phishing B. Text message–based phishing C. Voicemail-based phishing
D. Server-based phishing

Answer 77

B. Smishing is a type of phishing that occurs via text (SMS) message.

Question 78

Charles wants to find out about security procedures inside his target company, but he doesn’t want the people he is talking to realize that he is gathering information about the organization. He engages staff members in casual conversation to get them to talk about the security procedures without noticing that they have done so. What term describes this process in social engineering efforts?
A. Elicitation
B. Suggestion
C. Pharming
D. Prepending

Answer 78

A. Elicitation is the process of using casual conversation and subtle direction to gather information without the targets realizing they have disclosed details to that social engineer. Suggestion is not one of the terms used in the Security+ exam outline, pharming redirects traffic to malicious sites, and prepending can include a variety of techniques that add data or terms.

Question 79

A caller reached a member of the IT support person at Carlos’s company and told them that the chairman of the company’s board was traveling and needed immediate access to his account but had been somehow locked out. They told the IT support person that if the board member did not have their password reset, the company could lose a major deal. If Carlos receives a report about this, which of the principles of social engineering should he categorize the attacker’s efforts under?
A. Scarcity
B. Familiarity
C. Consensus
D. Urgency

Answer 79

D. The caller was attempting to create a sense of urgency that would cause the help desk staff member to bypass normal procedures and let them set the board member’s password to something that the social engineer would know. There is no implication of something scarce or that the caller is trying to get the help desk member to feel like others agree about the topic, thus using consensus. Familiarity takes more than using a board member’s name or details about the company.

Question 80

What type of phishing targets specific groups of employees, such as all managers in the financial department of a company?
A. Smishing
B. Spear phishing
C. Whaling
D. Vishing

Answer 80

B. Spear phishing is aimed at specific groups. Whaling would target VIPs and executives, smishing uses SMS (text) messages, and vishing is done via voice or voicemail.

Question 81

Which one of the following security assessment techniques assumes that an organization has already been compromised and searches for evidence of that compromise?
A. Vulnerability scanning
B. Penetration testing
C. Threat hunting
D. War driving

Answer 81

C. Threat hunting is an assessment technique that makes an assumption of compromise and then searches the organization for indicators of compromise that confirm the assumption. Vulnerability scanning, penetration testing, and war driving are all assessment techniques that probe for vulnerabilities but do not assume that a compromise has already taken place.

Question 82

Renee is configuring her vulnerability management solution to perform credentialed scans of servers on her network. What type of account should she provide to the scanner?
A. Domain administrator
B. Local administrator
C. Root
D. Read-only

Answer 82

D. Credentialed scans only require read-only access to target servers. Renee should follow the principle of least privilege and limit the access available to the scanner.

Question 83

Ryan is planning to conduct a vulnerability scan of a business- critical system using dangerous plug-ins. What would be the best approach for the initial scan?
A. Run the scan against production systems to achieve the most realistic results possible.
B. Run the scan during business hours.
C. Run the scan in a test environment.
D. Do not run the scan to avoid disrupting the business.

Answer 83

C. Ryan should first run his scan against a test environment to identify likely vulnerabilities and assess whether the scan itself might disrupt business activities.

Question 84

Which one of the following values for the CVSS attack complexity metric would indicate that the specified attack is simplest to exploit?
A. High
B. Medium
C. Low
D. Severe

Answer 84

C. An attack complexity of “low” indicates that exploiting the vulnerability does not require any specialized conditions.

Question 85

Tara recently analyzed the results of a vulnerability scan report and found that a vulnerability reported by the scanner did not exist because the system was actually patched as specified. What type of error occurred?

A. False positive
B. False negative
C. True positive
D. True negative

Answer 85

A. A false positive error occurs when the vulnerability scanner reports a vulnerability that does not actually exist.

Question 86

Brian ran a penetration test against a school’s grading system and discovered a flaw that would allow students to alter their grades by exploiting a SQL injection vulnerability. What type of control should he recommend to the school’s cybersecurity team to prevent students from engaging in this type of activity?
A. Confidentiality
B. Integrity
C. Alteration
D. Availability

Answer 86

B. By allowing students to change their own grades, this vulnerability provides a pathway to unauthorized alteration of information. Brian should recommend that the school deploy integrity controls that prevent unauthorized modifications.

Question 87

Which one of the following security assessment tools is least likely to be used during the reconnaissance phase of a penetration test?
A. Nmap
B. Nessus
C. Metasploit
D. Nslookup

Answer 87

C. Nmap is a port scanning tool used to enumerate open network ports on a system. Nessus is a vulnerability scanner designed to detect security issues on a system. Nslookup is a DNS information gathering utility. All three of these tools may be used to gather information and detect vulnerabilities. Metasploit is an exploitation framework used to execute and attack and would be better suited for the Attacking and Exploiting phase of a penetration test.

Question 88

During a vulnerability scan, Brian discovered that a system on his network contained this vulnerability (See image)

What security control, if deployed, would likely have addressed this issue?
A. Patch management
B. File integrity monitoring
C. Intrusion detection
D. Threat hunting

Answer 88

A. This vulnerability is corrected by a patch that was released by Microsoft in 2017. A strong patch management program would have identified and remediated the missing patch.

Question 89

Which one of the following tools is most likely to detect an XSS vulnerability?
A. Static application test
B. Web application vulnerability scanner
C. Intrusion detection system
D. Network vulnerability scanner

Answer 89

B. Intrusion detection systems do not detect vulnerabilities; they detect attacks. The remaining three tools could all possibly discover a cross-site scripting (XSS) vulnerability, but a web application vulnerability scanner is the most likely to detect it because it is specifically designed to test web applications.

Question 90

During a penetration test, Patrick deploys a toolkit on a compromised system and uses it to gain access to other systems on the same network. What term best describes this activity?
A. Lateral movement
B. Privilege escalation
C. Footprinting
D. OSINT

Answer 90

A. Moving from one compromised system to other systems on the same network is known as lateral movement. Privilege escalation attacks increase the level of access that an attacker has to an already compromised system. Footprinting and OSINT are reconnaissance techniques.

Question 91

Kevin is participating in a security exercise for his organization. His role in the exercise is to use hacking techniques to attempt to gain access to the organization’s systems. What role is Kevin playing in this exercise?
A. Red team
B. Blue team
C. Purple team
D. White team

Answer 91

A. Offensive hacking is used by red teams as they attempt to gain access to systems on the target network. Blue teams are responsible for managing the organization’s defenses. White teams serve as the neutral moderators of the exercise. Purple teaming is conducted after an exercise to bring together the red and blue teams for knowledge sharing.

Question 92

Which one of the following assessment techniques is designed to solicit participation from external security experts and reward them for discovering vulnerabilities?
A. Threat hunting
B. Penetration testing
C. Bug bounty
D. Vulnerability scanning

Answer 92

C. Bug bounty programs are designed to allow external security experts to test systems and uncover previously unknown
vulnerabilities. Bug bounty programs offer successful testers financial rewards to incentivize their participation.

Question 93

Kyle is conducting a penetration test. After gaining access to an organization’s database server, he installs a backdoor on the server to grant himself access in the future. What term best describes this action?
A. Privilege escalation
B. Lateral movement
C. Maneuver
D. Persistence

Answer 93

D. Backdoors are a persistence tool, designed to make sure that the attacker’s access persists after the original vulnerability is remediated. Kyle can use this backdoor to gain access to the system in the future, even if the original exploit that he used to gain access is no longer effective.

Question 94

Which one of the following techniques would be considered passive reconnaissance?
A. Port scans
B. Vulnerability scans
C. WHOIS lookups
D. Footprinting

Answer 94

C. WHOIS lookups use external registries and are an example of open source intelligence (OSINT), which is a passive reconnaissance technique. Port scans, vulnerability scans, and footprinting all require active engagement with the target and are, therefore, active reconnaissance.

Question 95

Which element of the SCAP framework can be used to consistently describe vulnerabilities?
A. CPE
B. CVE
C. CVSS
D. CCE

Answer 95

B. Common Vulnerabilities and Exposures (CVE) provides a standard nomenclature for describing security-related software flaws. Common Configuration Enumeration (CCE) provides a standard nomenclature for discussing system configuration issues. Common Platform Enumeration (CPE) provides a standard nomenclature for describing product names and versions. The Common Vulnerability Scoring System (CVSS) provides a standardized approach for measuring and describing the severity of security-related software flaws.

Question 96

Bruce is conducting a penetration test for a client. The client provided him with details of their systems in advance. What type of test is Bruce conducting?
A. Gray-box test
B. Blue-box test
C. White-box test
D. Black-box test

Answer 96

C. White-box tests are performed with full knowledge of the underlying technology, configurations, and settings that make up the target. Black-box tests are intended to replicate what an attacker would encounter. Testers are not provided with access to or information about an environment, and instead, they must gather information, discover vulnerabilities, and make their way through an infrastructure or systems like an attacker would. Gray-box tests are a blend of black-box and white-box testing. Blue-box tests are not a type of penetration test.

Question 97

Lila is working on a penetration testing team and she is unsure whether she is allowed to conduct social engineering as part of the test. What document should she consult to find this information?
A. Contract
B. Statement of work
C. Rules of engagement
D. Lessons learned report

Answer 97

C. The rules of engagement provide technical details on the parameters of the test. This level of detail would not normally be found in a contract or statement of work. The lessons learned report is not produced until after the test.

Question 98

Grace would like to determine the operating system running on a system that she is targeting in a penetration test. Which one of the following techniques will most directly provide her with this information?
A. Port scanning
B. Footprinting
C. Vulnerability scanning
D. Packet capture

Answer 98

B. All of these techniques might provide Grace with information about the operating system running on a device. However,
footprinting is a technique specifically designed to elicit this information.

Question 99

Kevin recently identified a new security vulnerability and computed its CVSS base score as 6.5. Which risk category would this vulnerability fall into?
A. Low
B. Medium
C. High
D. Critical

Answer 99

B. Vulnerabilities with CVSS base scores between 4.0 and 6.9 fit into the medium risk category.

Question 100

Which one of the CVSS metrics would contain information about the type of account access that an attacker must have to execute an attack?
A. AV
B. C
C. PR
D. AC

Answer 100

C. The privileges required (PR) metric indicates the type of system access that an attacker must have to execute the attack.

Question 101

Adam is conducting software testing by reviewing the source code of the application. What type of code testing is Adam conducting?
A. Mutation testing
B. Static code analysis
C. Dynamic code analysis
D. Fuzzing

Answer 101

B. Adam is conducting static code analysis by reviewing the source code. Dynamic code analysis requires running the program, and both mutation testing and fuzzing are types of dynamic analysis.

Question 102

Charles is worried about users conducting SQL injection attacks. Which of the following solutions will best address his concerns?
A. Using secure session management
B. Enabling logging on the database
C. Performing user input validation
D. Implementing TLS

Answer 102

C. Charles should perform user input validation to strip out any SQL code or other unwanted input. Secure session management can help prevent session hijacking, logging may provide useful information for incident investigation, and implementing TLS can help protect network traffic, but only input validation helps with the issue described.

Question 103

Precompiled SQL statements that only require variables to be input are an example of what type of application security control?
A. Parameterized queries
B. Encoding data
C. Input validation
D. Appropriate access controls

Answer 103

A. A parameterized query (sometimes called a prepared statement) uses a prebuilt SQL statement to prevent SQL-based attacks. Variables from the application are fed to the query, rather than building a custom query when the application needs data. Encoding data helps to prevent cross-site scripting attacks, as does input validation. Appropriate access controls can prevent access to data that the account or application should not have access to, but they don’t use precompiled SQL statements. Stored procedures are an example of a parameterized query implementation.

Question 104

During a web application test, Ben discovers that the application shows SQL code as part of an error provided to application users. What should he note in his report?
A. Improper error handling
B. Code exposure
C. SQL injection
D. A default configuration issue

Answer 104

A. Improper error handling often exposes data to users and possibly attackers that should not be exposed. In this case, knowing what SQL code is used inside the application can provide an attacker with details they can use to conduct further attacks. Code exposure is not one of the vulnerabilities we discuss in this book, and SQL code being exposed does not necessarily mean that SQL injection is possible. While this could be caused by a default configuration issue, there is nothing in the question to point to that problem.

Question 105

The application that Scott is writing has a flaw that occurs when two operations are attempted at the same time, resulting in unexpected results when the two actions do not occur in the expected order. What type of flaw does the application have?
A. De-referencing
B. A race condition
C. An insecure function
D. Improper error handling

Answer 105

B. The application has a race condition, which occurs when multiple operations cause undesirable results due to their order of completion. De-referencing would occur if a memory location was incorrect, an insecure function would have security issues in the function itself, and improper error handling would involve an error and how it was displayed or what data it provided.

Question 106

Every time Susan checks code into her organization’s code repository, it is tested and validated, and then if accepted, it is immediately put into production. What is the term for this?
A. Continuous integration
B. Continuous delivery
C. A security nightmare
D. Agile development

Answer 106

B. Although this example includes continuous integration, the key thing to notice is that the code is then deployed into production. This means that Susan is operating in a continuous deployment environment, where code is both continually integrated and deployed. Agile is a development methodology and often uses CI/CD, but we cannot determine if Susan is using Agile.

Question 107

Tim is working on a change to a web application used by his organization to fix a known bug. What environment should he be working in?
A. Test
B. Development
C. Staging
D. Production

Answer 107

B. Developers working on active changes to code should always work in the development environment. The test environment is where the software or systems can be tested without impacting the production environment. The staging environment is a transition environment for code that has successfully cleared testing and is waiting to be deployed into production. The production environment is the live system. Software, patches, and other changes that have been tested and approved move to production.

Question 108

Which one of the following software development models focuses on the early and continuous delivery of software?
A. Waterfall
B. Agile
C. Spiral
D. Butterfly

Answer 108

B. One of the core principles of the Agile approach to software development is to ensure customer satisfaction via early and continuous delivery of software.

Question 109

Kevin would like to ensure that his software runs on a platform that is able to expand and contract as needs change. Which one of the following terms best describes his goal?
A. Scalability
B. Elasticity
C. Cost effectiveness
D. Agility

Answer 109

B. The situation described in the scenario, expanding capacity when demand spikes and then reducing that capacity when demand falls again, is the definition of elasticity.

Question 110

Which one of the following is not an advantage of database normalization?
A. Preventing data inconsistencies
B. Preventing injection attacks
C. Reducing the need for database restructuring
D. Making the database schema more informative

Answer 110

B. Database normalization has four main benefits. Normalized designs prevent data inconsistencies, prevent update anomalies, reduce the need for restructuring existing databases, and make the database schema more informative. They do not prevent web application attacks, such as SQL injection.

Question 111

What data minimization technique replaces personal identifiers with unique identifiers that may be cross-referenced with a lookup table?
A. Tokenization
B. Hashing
C. Salting
D. Masking

Answer 111

A. Tokenization replaces personal identifiers that might directly reveal an individual’s identity with a unique identifier using a lookup table. Hashing uses a cryptographic hash function to replace sensitive identifiers with an irreversible alternative identifier. Salting these values with a random number prior to hashing them makes these hashed values resistant to a type of attack known as a rainbow table attack.

Question 112

Frank is investigating a security incident where the attacker entered a very long string into an input field, which was followed by a system command. What type of attack likely took place?
A. Cross-site request forgery
B. Server-side request forgery
C. Command injection
D. Buffer overflow

Answer 112

D. Buffer overflow attacks occur when an attacker manipulates a program into placing more data into an area of memory than is allocated for that program’s use. The goal is to overwrite other information in memory with instructions that may be executed by a different process running on the system.

Question 113

What type of attack places an attacker in the position to eavesdrop on communications between a user and a web server?
A. Man-in-the-middle
B. Session hijacking
C. Buffer overflow
D. Meet-in-the-middle

Answer 113

A. In a man-in-the-middle attack, the attacker fools the user into thinking that the attacker is actually the target website and presenting a fake authentication form. They may then authenticate to the website on the user’s behalf and obtain the cookie. This is slightly different from a session hijacking attack, where the attacker steals the cookie associated with an active session.

Question 114

Tom is a software developer who creates code for sale to the public. He would like to assure his users that the code they receive actually came from him. What technique can he use to best provide this assurance?
A. Code signing
B. Code endorsement
C. Code encryption
D. Code obfuscation

Answer 114

A. Code signing provides developers with a way to confirm the authenticity of their code to end users. Developers use a cryptographic function to digitally sign their code with their own private key, and then browsers can use the developer’s public key to verify that signature and ensure that the code is legitimate and was not modified by unauthorized individuals.

Question 115

What type of cross-site scripting attack would not be visible to a security professional inspecting the HTML source code in a browser?
A. Reflected XSS
B. Stored XSS
C. Persistent XSS
D. DOM-based XSS

Answer 115

D. DOM-based XSS attacks hide the attack code within the Document Object Model. This code would not be visible to someone viewing the HTML source of the page. Other XSS attacks would leave visible traces in the browser.

Question 116

Joe checks his web server logs and sees that someone sent the following query string to an application running on the server:

http://www.mycompany.com/servicestatus.php?
   serviceID=892&serviceID=892' ; DROP TABLE Services;--

What type of attack was most likely attempted?
A. Cross-site scripting
B. Session hijacking
C. Parameter pollution
D. Man-in-the-middle

Answer 116

C. This query string is indicative of a parameter pollution attack. In this case, it appears that the attacker was waging a SQL injection attack and tried to use parameter pollution to slip the attack past content filtering technology. The two instances of the serviceID parameter in the query string indicate a parameter pollution attempt.

Question 117

Upon further inspection, Joe finds a series of thousands of requests to the same URL coming from a single IP address. Here are a few examples:
http://www.mycompany.com/servicestatus.php?serviceID=1
http://www.mycompany.com/servicestatus.php?serviceID=2
http://www.mycompany.com/servicestatus.php?serviceID=3
http://www.mycompany.com/servicestatus.php?serviceID=4
http://www.mycompany.com/servicestatus.php?serviceID=5
http://www.mycompany.com/servicestatus.php?serviceID=6
What type of vulnerability was the attacker likely trying to exploit?
A. Insecure direct object reference
B. File upload
C. Unvalidated redirect
D. Session hijacking

Answer 117

A. The series of thousands of requests incrementing a variable indicate that the attacker was most likely attempting to exploit an insecure direct object reference vulnerability.

Question 118

Joe’s adventures in web server log analysis are not yet complete. As he continues to review the logs, he finds the request

http://www.mycompany.com/../../../etc/passwd

What type of attack was most likely attempted?
A. SQL injection
B. Session hijacking
C. Directory traversal
D. File upload

Answer 118

C. In this case, the .. operators are the tell-tale giveaway that the attacker was attempting to conduct a directory traversal attack. This particular attack sought to break out of the web server’s root directory and access the /etc/passwd file on the server

Question 119

Wendy is a penetration tester who wishes to engage in a session hijacking attack. What information is crucial for Wendy to obtain if her attack will be successful?
A. Session ticket
B. Session cookie
C. Username
D. User password

Answer 119

B. Websites use HTTP cookies to maintain sessions over time. If Wendy is able to obtain a copy of the user’s session cookie, she can use that cookie to impersonate the user’s browser and hijack the authenticated session.

Question 120

Joe is examining the logs for his web server and discovers that a user sent input to a web application that contained the string WAITFOR. What type of attack was the user likely attempting?
A. Timing-based SQL injection
B. HTML injection
C. Cross-site scripting
D. Content-based SQL injection

Answer 120

A. The use of the SQL WAITFOR command is a signature characteristic of a timing-based SQL injection attack.

Question 121

Mike is sending David an encrypted message using a symmetric encryption algorithm. What key should he use to encrypt the message?
A. Mike’s public key
B. Mike’s private key
C. David’s public key
D. Shared secret key

Answer 121

D. In symmetric encryption algorithms, both the sender and the receiver use a shared secret key to encrypt and decrypt the message, respectively.

Question 122

Alan’s team needs to perform computations on sensitive personal information but does not need access to the underlying data. What technology can the team use to perform these calculations without accessing the data?
A. Quantum computing
B. Blockchain
C. Homomorphic encryption
D. Certificate pinning

Answer 122

C. Homomorphic encryption technology protects privacy by encrypting data in a way that preserves the ability to perform computation on that data.

Question 123

Norm is using full-disk encryption technology to protect the contents of laptops against theft. What goal of cryptography is he attempting to achieve?
A. Integrity
B. Nonrepudiation
C. Authentication
D. Confidentiality

Answer 123

D. Norm’s actions are designed to protect against the unauthorized disclosure of sensitive information. This is a clear example of protecting confidentiality.

Question 124

Brian discovers that a user suspected of stealing sensitive information is posting many image files to a message board. What technique might the individual be using to hide sensitive information in those images?
A. Steganography
B. Homomorphic encryption
C. Replay attack
D. Birthday attack

Answer 124

A. Steganography is the art of using cryptographic techniques to embed secret messages within another file.

Question 125

Which one of the following statements about cryptographic keys is incorrect?
A. All cryptographic keys should be kept secret.
B. Longer keys are better than shorter keys when the same algorithm is used.
C. Asymmetric algorithms generally use longer keys than symmetric algorithms.
D. Digital certificates are designed to share public keys.

Answer 125

A. All of these statements are correct except for the statement that all cryptographic keys should be kept secret. The exception to this rule are public keys used in asymmetric cryptography. These keys should be freely shared.

Question 126

What type of cipher operates on one character of text at a time?
A. Block cipher
B. Bit cipher
C. Stream cipher
D. Balanced cipher

Answer 126

C. Stream ciphers operate on one character or bit of a message (or data stream) at a time. Block ciphers operate on “chunks,” or blocks, of a message and apply the encryption algorithm to an entire message block at the same time.

Question 127

Vince is choosing a symmetric encryption algorithm for use in his organization. He would like to choose the strongest algorithm from the choices below. What algorithm should he choose?
A. DES
B. 3DES
C. RSA
D. AES

Answer 127

D. AES is the successor to 3DES and DES and is the best choice for a symmetric encryption algorithm. RSA is a secure algorithm, but it is asymmetric rather than symmetric.

Question 128

Kevin is configuring a web server to use digital certificates. What technology can he use to allow clients to quickly verify the status of that digital certificate without contacting a remote server?
A. CRL
B. OCSP
C. Certificate stapling
D. Certificate pinning

Answer 128

C. The Online Certificate Status Protocol (OCSP) provides real- time checking of a digital certificate’s status using a remote server. Certificate stapling attaches a current OCSP response to the certificate to allow the client to validate the certificate without contacting the OCSP server. Certificate revocation lists (CRLs) are a slower, outdated approach to managing certificate status. Certificate pinning is used to provide an expected key, not to manage certificate status.

Question 129

Acme Widgets has 10 employees and they all need the ability to communicate with one another using a symmetric encryption system. The system should allow any two employees to securely communicate without other employees eavesdropping. If an 11th employee is added to the organization, how many new keys must be added to the system?
A. 1
B. 2
C. 10
D. 11

Answer 129

C. When the 11th employee joins Acme Widgets, they will need a shared secret key with every existing employee. There are 10 existing employees, so 10 new keys are required

Question 130

Referring to the scenario in question 9, if Acme Widgets switched to an asymmetric encryption algorithm, how many keys would be required to add the 11th employee?
A. 1
B. 2
C. 10
D. 11

Answer 130

B. In an asymmetric encryption algorithm, each employee needs only two keys: a public key and a private key. Adding a new user to the system requires the addition of these two keys for that user, regardless of how many other users exist.

Question 131

What type of digital certificate provides the greatest level of assurance that the certificate owner is who they claim to be?
A. DV
B. OV
C. UV
D. EV

Answer 131

D. Extended validation (EV) certificates provide the highest available level of assurance. The CA issuing an EV certificate certifies that they have verified the identity and authenticity of the certificate subject.

Question 132

Glenn recently obtained a wildcard certificate for *. mydomain.com. Which one of the following domains would not be covered by this certificate?
A. mydomain.com
B. core.mydomain.com
C. dev. www.mydomain.com
D. mail.mydomain.com

Answer 132

C. Wildcard certificates protect the listed domain as well as all first-level subdomains. dev.www.mydomain.com is a second-level subdomain of mydomain.com and would not be covered by this certificate.

Question 133

Which one of the following servers is almost always an offline CA in a large PKI deployment?
A. Root CA
B. Intermediate CA
C. RA
D. Internal CA

Answer 133

A. Root CAs are highly protected and not normally used for certificate issuance. A root CA is usually run as an offline CA that delegates authority to intermediate CAs that run as online CAs.

Question 134

Which one of the following certificate formats is closely associated with Windows binary certificate files?
A. DER
B. PEM
C. PFX
D. P7B

Answer 134

C. The PFX format is most closely associated with Windows systems that store certificates in binary format, whereas the P7B format is used for Windows systems storing files in text format.

Question 135

What type of security solution provides a hardware platform for the storage and management of encryption keys?
A. HSM
B. IPS
C. SIEM
D. SOAR

Answer 135

A. Hardware security modules (HSMs) provide an effective way to manage encryption keys. These hardware devices store and manage encryption keys in a secure manner that prevents humans from ever needing to work directly with the keys.

Question 136

What type of cryptographic attack attempts to force a user to reduce the level of encryption that they use to communicate with a remote server?
A. Birthday
B. Frequency
C. Downgrade
D. Rainbow table

Answer 136

C. A downgrade attack is sometimes used against secure communications such as TLS in an attempt to get the user or system to inadvertently shift to less secure cryptographic modes. The idea is to trick the user into shifting to a less secure version of the protocol, one that might be easier to break.

Question 137

David would like to send Mike a message using an asymmetric encryption algorithm. What key should he use to encrypt the message?
A. David’s public key
B. David’s private key
C. Mike’s public key
D. Mike’s private key

Answer 137

C. When encrypting a message using an asymmetric encryption algorithm, the person performing the encryption does so using the recipient’s public key.

Question 138

When Mike receives the message that David encrypted for him, what key should he use to decrypt the message?
A. David’s public key
B. David’s private key
C. Mike’s public key
D. Mike’s private key

Answer 138

D. In an asymmetric encryption algorithm, the recipient of a message uses their own private key to decrypt messages that they receive.

Question 139

If David wishes to digitally sign the message that he is sending Mike, what key would he use to create the digital signature?
A. David’s public key
B. David’s private key
C. Mike’s public key
D. Mike’s private key

Answer 139

B. The sender of a message may digitally sign the message by encrypting a message digest with the sender’s own private key.

Question 140

When Mike receives the digitally signed message from David, what key should he use to verify the digital signature?
A. David’s public key
B. David’s private key
C. Mike’s public key
D. Mike’s private key

Answer 140

A. The recipient of a digitally signed message may verify the digital signature by decrypting it with the public key of the individual who signed the message.