Exam 2 Flashcards

1
Q

What is this attack type:

Attacker obtains bank account number
and birth date by calling the victim.

A

Vishing

Social engineering over the telephone continues to be an effective attack vector,
and obtaining personal information such as a bank account or birth date would
be considered phishing over voice, or vishing.

2
Q

What is this attack type:

Attacker modifies a legitimate DNS server to resolve the IP address of a malicious site.

A

Spoofing

Spoofing happens any time a device pretends to be another device. If a DNS
server has been modified to hand out the IP address of a different server, then
it’s spoofing the IP address of the attacker.

3
Q

What is this attack type:

Attacker intercepts all communication between a client and a web server.

A

On-path attack (aka man-in-the-middle)

On-path attacks are quite effective because the attacker can often sit invisibly
between two devices and gather useful information or modify the data streams
in real-time.

4
Q

What is this attack type:

A virus alert appears in your browser from Microsoft with a phone number to call for support.

A

Hoax

A threat that seems real but doesn’t actually exist is a hoax. In this example, a
fake website message is trying to convince you that this fake threat is actually a real security issue.

5
Q

You’ve hired a third-party to gather information about your company’s
servers and data. The third-party will not have direct access to your
internal network but can gather information from any other source.
Which of the following would BEST describe this approach?
❍ A. Backdoor testing
❍ B. Passive footprinting
❍ C. OS fingerprinting
❍ D. Partially known environment

A

The Answer: B. Passive footprinting
Passive footprinting focuses on learning as much information from
open sources such as social media, corporate websites, and business
organizations.
The incorrect answers:
A. Backdoor testing
Some active reconnaissance tests will directly query systems to see if a
backdoor has been installed.
C. OS fingerprinting
To fingerprint an operating system, you must actively query and receive
responses across the network.
D. Partially known environment
A partially known environment penetration test is a focused approach
that usually provides detailed information about specific systems or
applications.

6
Q
Which of these protocols use TLS to provide secure communication? 
(Select TWO)
❍ A. HTTPS 
❍ B. SSH
❍ C. FTPS
❍ D. SNMPv2
❍ E. DNSSEC
❍ F. SRTP
A

The Answer: A. HTTPS and C. FTPS
TLS (Transport Layer Security) is a cryptographic protocol used to
encrypt network communication. HTTPS is the Hypertext Transfer
Protocol over TLS, and FTPS is the File Transfer Protocol over TLS.
An earlier version of TLS is SSL (Secure Sockets Layer). Although
we don’t commonly see SSL in use any longer, you may see TLS
communication referenced as SSL.
The incorrect answers:
B. SSH
SSH (Secure Shell) can use symmetric or asymmetric encryption, but
those ciphers are not associated with TLS.
D. SNMPv2
SNMPv2 (Simple Network Management Protocol version 2) does not
implement TLS, or any encryption, within the network communication.
E. DNSSEC
DNSSEC (DNS Security Extensions) does not provide any confidentiality
of data.
F. SRTP
SRTP (Secure Real-time Transport Protocol) is a VoIP (Voice over IP)
protocol used for encrypting conversations. SRTP commonly uses
AES (Advanced Encryption Standard) for confidentiality.

7
Q
A security incident has occurred on a file server. Which of the following 
data sources should be gathered to address file storage volatility?
(Select TWO)
❍ A. Partition data
❍ B. Kernel statistics
❍ C. ROM data
❍ D. Temporary file systems
❍ E. Process table
A

The Answer: A. Partition data and D. Temporary file systems
Both temporary file system data and partition data are part of the file
storage subsystem.
The incorrect answers:
B. Kernel statistics
Kernel statistics are stored in memory.
C. ROM data
ROM data is a type of memory storage.
E. Process table
The process table keeps track of system processes, and it stores this
information in RAM.

8
Q

An IPS at your company has found a sharp increase in traffic from
all-in-one printers. After researching, your security team has found a
vulnerability associated with these devices that allows the device to be
remotely controlled by a third-party. Which category would BEST
describe these devices?
❍ A. IoT
❍ B. RTOS
❍ C. MFD
❍ D. SoC

A

The Answer: C. MFD
An all-in-one printer that can print, scan, and fax is often categorized as
an MFD (Multifunction Device).
The incorrect answers:
A. IoT
Wearable technology and home automation devices are commonly called
IoT (Internet of Things) devices.
B. RTOS
RTOS (Real-time Operating Systems) are commonly used in
manufacturing and automobiles.
D. SoC
Multiple components that run on a single chip are categorized as an SoC
(System on a Chip).

9
Q
Which of the following standards provides information on privacy and 
managing PII?
❍ A. ISO 31000
❍ B. ISO 27002
❍ C. ISO 27701
❍ D. ISO 27001
A

The Answer: C. ISO 27701
The ISO (International Organization for Standardization) 27701
standard extends the ISO 27001 and 27002 standards to include detailed
management of PII (Personally Identifiable Information) and data privacy.
The incorrect answers:
A. ISO 31000
The ISO 31000 standard sets international standards for risk management
practices.
B. ISO 27002
Information security controls are the focus of the ISO 27002 standard.
D. ISO 27001
The ISO 27001 standard is the foundational standard for Information
Security Management Systems (ISMS).

More information:
SY0-601, Objective 5.2 - Security Frameworks
https://professormesser.link/601050202

10
Q

Rodney, a security engineer, is viewing this record from the firewall logs:

UTC 04/05/2018 03:09:15809 AV Gateway Alert
136.127.92.171 80 -> 10.16.10.14 60818
Gateway Anti-Virus Alert:
XPACK.A_7854 (Trojan) blocked.
Which of the following can be observed from this log information?
❍ A. The victim’s IP address is 136.127.92.171
❍ B. A download was blocked from a web server
❍ C. A botnet DDoS attack was blocked
❍ D. The Trojan was blocked, but the file was not

A

The Answer: B. A download was blocked from a web server
A traffic flow from a web server port number (80) to a device port (60818)
indicates that this traffic flow originated on port 80 of the web server. A
file download is one of the most common ways to deliver a Trojan, and
this log entry shows that the file containing the XPACK.A_7854 Trojan
was blocked.
The incorrect answers:
A. The victim’s IP address is 136.127.92.171
The format for this log entry uses an arrow to differentiate between the
attacker and the victim. The attacker IP address is 136.127.92.171, and the
victim’s IP address is 10.16.10.14.
C. A botnet DDoS attack was blocked
A botnet attack would not commonly include a Trojan horse as part of a
distributed denial of service (DDoS) attack.
D. The Trojan was blocked, but the file was not
A Trojan horse attack involves malware that is disguised as legitimate
software. The Trojan malware and the file are the same entity, so there isn’t
a way to decouple the malware from the file.

11
Q
A user connects to a third-party website and receives this message:
Your connection is not private. 
NET::ERR_CERT_INVALID
Which of the following attacks would be the MOST likely reason 
for this message?
❍ A. Brute force
❍ B. DoS
❍ C. On-path
❍ D. Disassociation
A

The Answer: C. On-path
An on-path attack is often associated with a third-party who is actively
intercepting network traffic. This entity in the middle would not be able
to provide a valid SSL certificate for a third-party website, and this error
would appear in the browser as a warning.
The incorrect answers:
A. Brute force
A brute force attack is commonly associated with password hacks. Brute
force attacks would not cause the certificate on a website to be invalid.
B. DoS
A DoS (Denial of Service) attack would prevent communication to a
server and most likely provide a timeout error. This error is not related to a
service availability issue.
D. Disassociation
Disassociation attacks are commonly associated with wireless networks,
and they usually cause disconnects and lack of connectivity. The error
message in this example does not appear to be associated with a network
outage or disconnection.

12
Q

An attacker calls into a company’s help desk and pretends to be the
director of the company’s manufacturing department. The attacker
states that they have forgotten their password and they need to have the
password reset quickly for an important meeting. What kind of attack
would BEST describe this phone call?
❍ A. Social engineering
❍ B. Tailgating
❍ C. Vishing
❍ D. On-path

A

The Answer: A. Social engineering
A social engineering attack takes advantage of authority and urgency
principles in an effort to convince someone else to circumvent normal
security controls.
The incorrect answers:
B. Tailgating
A tailgating attack follows someone else with proper credentials through a
door. This allows the attacker to gain access to an area that’s normally locked.
C. Vishing
Vishing (voice phishing) attacks use the phone to obtain private
information from others. In this example, the attacker was not asking for
confidential information.
D. On-path
An on-path attack commonly occurs without the knowledge of the parties
involved, and there’s usually no additional notification that an attack is
underway. In this question, the attacker contacted the help desk engineer
directly.

13
Q

A security administrator has been using EAP-FAST wireless
authentication since the migration from WEP to WPA2. The company’s
network team now needs to support additional authentication protocols
inside of an encrypted tunnel. Which of the following would meet the
network team’s requirements?
❍ A. EAP-TLS
❍ B. PEAP
❍ C. EAP-TTLS
❍ D. EAP-MSCHAPv2

A

The Answer: C. EAP-TTLS
EAP-TTLS (Extensible Authentication Protocol - Tunneled Transport
Layer Security) allows the use of multiple authentication protocols
transported inside of an encrypted TLS (Transport Layer Security) tunnel.
This allows the use of any authentication while maintaining confidentiality
with TLS.
The incorrect answers:
A. EAP-TLS
EAP-TLS does not provide a mechanism for using multiple
authentication types within a TLS tunnel.
B. PEAP
PEAP (Protected Extensible Authentication Protocol) encapsulates EAP
within a TLS tunnel, but does not provide a method of encapsulating
other authentication methods.
D. EAP-MSCHAPv2
EAP-MSCHAPv2 (EAP - Microsoft Challenge Handshake
Authentication Protocol v2) is a common implementation of PEAP.

14
Q

Which of the following would be commonly provided
by a CASB? (Select TWO)
❍ A. List of all internal Windows devices that have not installed the
latest security patches
❍ B. List of applications in use
❍ C. Centralized log storage facility
❍ D. List of network outages for the previous month
❍ E. Verification of encrypted data transfers
❍ F. VPN connectivity for remote users

A

The Answer: B. A list of applications in use
E. Verification of encrypted data transfers
A CASB (Cloud Access Security Broker) can be used to apply security
policies to cloud-based implementations. Two common functions of a
CASB are visibility into application use and data security policy use. Other
common CASB functions are the verification of compliance with formal
standards and the monitoring and identification of threats.
The incorrect answers:
A. List of all internal Windows devices that have not installed the latest
security patches
A CASB focuses on policies associated with cloud-based services and not
internal devices.
C. Centralized log storage facility
Using Syslog to centralize log storage is most commonly associated with a
SIEM (Security Information and Event Manager).
D. List of network outages for the previous month
A network availability report would be outside the scope of a CASB.
F. VPN connectivity for remote users
VPN concentrators are commonly used to provide secure connectivity
for remote users.

15
Q
What kind of security control is associated with a login banner?
❍ A. Preventive
❍ B. Deterrent 
❍ C. Corrective
❍ D. Detective
❍ E. Compensating
❍ F. Physical
A

The Answer: B. Deterrent
A deterrent control does not directly stop an attack, but it may discourage
an action.
The incorrect answers:
A. Preventive
A preventive control physically limits access to a device or area.
C. Corrective
A corrective control can actively work to mitigate any damage.
D. Detective
A detective control may not prevent access, but it can identify and record
any intrusion attempts.
E. Compensating
A compensating security control doesn’t prevent an attack, but it does
restore from an attack using other means.
F. Physical
A physical control is real-world security, such as a fence or door lock.

16
Q

A security team has been provided with a non-credentialed vulnerability
scan report created by a third-party. Which of the following would they
expect to see on this report?
❍ A. A summary of all files with invalid group assignments
❍ B. A list of all unpatched operating system files
❍ C. The version of web server software in use
❍ D. A list of local user accounts

A

The Answer: C. The version of web server software in use
A scanner like Nmap can query services and determine version numbers
without any special rights or permissions, which makes it well suited for
non-credentialed scans.
The incorrect answers:
A. A summary of all files with invalid group assignments
Viewing file permissions and rights requires authentication to the
operating system, so you would not expect to see this information if the
scan did not have credentials.
B. A list of all unpatched operating system files
Viewing detailed information about the operating system files requires
authentication to the OS, and an uncredentialed scan does not have those
permissions.
D. A list of local user accounts
Local user accounts are usually protected by the operating system, so you
would need to have credentials to view this information.

17
Q

A file server has a full backup performed each Monday at 1 AM.
Incremental backups are performed at 1 AM on Tuesday, Wednesday,
Thursday, and Friday. The system administrator needs to perform a full
recovery of the file server on Thursday afternoon. How many backup sets
would be required to complete the recovery?
❍ A. 2
❍ B. 3
❍ C. 4
❍ D. 1

A

The Answer: C. 4
Each incremental backup will archive all of the files that have changed
since the last full or incremental backup. To complete this full restore, the
administrator will need the full backup from Monday and the incremental
backups from Tuesday, Wednesday, and Thursday.
The incorrect answers:
A. 2
If the daily backup was differential, the administrator would only need the
full backup and the differential backup from Thursday.
B. 3
Since the incremental backup only archives files that have changed, he will
need all three daily incremental backups as well as Monday’s full backup.
D. 1
To recover incremental backups, you’ll need the full backup and all
incremental backups since the full backup.

18
Q

A security engineer runs a monthly vulnerability scan. The scan doesn’t
list any vulnerabilities for Windows servers, but a significant vulnerability
was announced last week and none of the servers are patched yet. Which
of the following best describes this result?
❍ A. Exploit
❍ B. Credentialed
❍ C. Zero-day attack
❍ D. False negative

A

The Answer: D. False negative
A false negative is a result that fails to detect an issue when one
actually exists.
The incorrect answers:
A. Exploit
An exploit is an attack against a vulnerability. Vulnerability scans do not
commonly attempt to exploit the vulnerabilities that they identify.
B. Credentialed
A credentialed scan would authenticate to the operating system and have
access to files that would normally only be available to authorized users.
C. Zero-day attack
A zero-day attack focuses on previously unknown vulnerabilities. In this
example, the vulnerability scan isn’t an attack, and the vulnerabilities are
already known and patches are available.

19
Q
A security administrator is adding additional authentication controls to
the existing infrastructure. Which of the following should be added by
the security administrator? (Select TWO)
❍ A. TOTP 
❍ B. Least privilege
❍ C. Role-based awareness training
❍ D. Separation of duties
❍ E. Job rotation
❍ F. Smart Card
A

The Answer: A. TOTP and F. Smart Card
TOTP (Time-based One-Time Passwords) and smart cards are
useful authentication controls when used in conjunction with other
authentication factors.
The incorrect answers:
B. Least privilege
Least privilege is a security principle that limits access to resources based
on a person’s job role. Least privilege is managed through security policy
and is not an authentication control.
C. Role-based awareness training
Role-based awareness training is specialized training that is based on a
person’s control of data within an organization. This training is not part of
the authentication process.
D. Separation of duties
A security policy that separates duties across different individuals is
separation of duties. This separation is not part of the authentication
process.
E. Job rotation
Job rotation is a security policy that moves individuals into different job
roles on a regular basis. This rotation is not part of the authentication
process.

20
Q

A security administrator needs to identify all references to a JavaScript
file in the HTML of a web page. Which of the following tools should be
used to view the source of the web page and search through the file for a
specific filename? (Select TWO)
❍ A. tail
❍ B. openssl
❍ C. scanless
❍ D. grep
❍ E. Nmap
❍ F. curl
❍ G. head

A

The Answer: D. grep and F. curl
The curl (Client URL) command will retrieve a web page and display it
as HTML at the command line. The grep command can then be used to
search through the file for a specific string of text.
The incorrect answers:
A. tail
The tail command will display the information at the end of a file.
B. openssl
OpenSSL is a cryptography library that is commonly used to support
SSL/TLS encryption on web servers.
C. scanless
Scanless is a utility that can perform a port scan using a proxy service.
E. Nmap
The Nmap utility is a popular port scanning and reconnaissance utility.
G. head
The head command will display the information at the start of a file.

21
Q

A user has assigned individual rights and permissions to a file on their
network drive. The user adds three additional individuals to have read-only
access to the file. Which of the following would describe this access
control model?
❍ A. DAC
❍ B. MAC
❍ C. ABAC
❍ D. RBAC

A

The Answer: A. DAC
DAC (Discretionary Access Control) is used in many operating systems,
and this model allows the owner of the resource to control who has access.
The incorrect answers:
B. MAC
MAC (Mandatory Access Control) allows access based on the security
level assigned to an object. Only users with the object’s assigned security
level or higher may access the resource.
C. ABAC
ABAC (Attribute-based Access Control) combines many different
parameters to determine if a user has access to a resource.
D. RBAC
RBAC (Role-based Access Control) assigns rights and permissions based
on the role of a user. These roles are usually assigned by group.

22
Q

What is DAC?

A

Discretionary Access Control is used in many operating systems, and this model allows the owner of the resource to control who has access.

23
Q

What is MAC?

A

MAC (Mandatory Access Control) allows access based on the security
level assigned to an object. Only users with the object’s assigned security
level or higher may access the resource.

24
Q

What is ABAC?

A

ABAC (Attribute-based Access Control) combines many different parameters to determine if a user has access to a resource.

25
Q

What is RBAC?

A

RBAC (Role-based Access Control) assigns rights and permissions based on the role of a user. These roles are usually assigned by group.

26
Q

A company hires a large number of seasonal employees, and their
system access should normally be disabled when the employee leaves
the company. The security administrator would like to verify that their
systems cannot be accessed by any of the former employees. Which of the
following would be the BEST way to provide this verification?
❍ A. Confirm that no unauthorized accounts have administrator access
❍ B. Validate the account lockout policy
❍ C. Validate the processes and procedures for all outgoing employees
❍ D. Create a report that shows all authentications for a 24-hour period

A

The Answer: C. Validate the processes and procedures for all
outgoing employees
The disabling of an employee account is commonly part of the offboarding
process. One way to validate an offboarding policy is to perform an audit
of all accounts and compare active accounts with active employees.
The incorrect answers:
A. Confirm that no unauthorized accounts have administrator access
It’s always a good idea to periodically audit administrator accounts, but
this audit won’t provide any validation that all former employee accounts
have been disabled.
B. Validate the account lockout policy
Account lockouts occur when a number of invalid authentication attempts
have been made to a valid account. Disabled accounts would not be locked
out because they are not currently valid accounts.
D. Create a report that shows all authentications for a 24-hour period
A list of all authentications would be quite large, and it would not be
obvious to see which authentications were made with valid accounts and
which authentications were made with former employee accounts.

27
Q

A manufacturing company has moved an inventory application from their
internal systems to a PaaS service. Which of the following would be the
BEST way to manage security policies on this new service?
❍ A. DLP
❍ B. SIEM
❍ C. IPS
❍ D. CASB

A

The Answer: D. CASB
A CASB (Cloud Access Security Broker) is used to manage compliance
with security policies when using cloud-based applications.
The incorrect answers:
A. DLP
DLP (Data Loss Prevention) can identify and block PII (Personally
Identifiable Information) and other private details from being transferred
across the network.
B. SIEM
A SIEM (Security Information and Event Manager) is a management
system for log consolidation and reporting. A SIEM cannot manage
cloud-based security policies.
C. IPS
An IPS (Intrusion Prevention System) can identify and block known
vulnerabilities on the network, but it does not provide policy management
for cloud-based systems.

28
Q

A security administrator needs to identify all computers on the company
network infected with a specific malware variant. Which of the following
would be the BEST way to identify these systems?
❍ A. Honeynet
❍ B. Data masking
❍ C. DNS sinkhole
❍ D. DLP

A

The Answer: C. DNS sinkhole
A DNS (Domain Name System) sinkhole can be used to redirect and
identify devices that may attempt to communicate with an external
command and control (C2) server. The DNS sinkhole will resolve an
internal IP address and can report on all devices that attempt to access the
malicious domain.
The incorrect answers:
A. Honeynet
A honeynet is a non-production network that has been specifically created
to attract attackers. A honeynet is not commonly used to identify infected
devices.
B. Data masking
Data masking provides a way to hide data by substitution, shuffling,
encryption, and other methods. Data masking does not provide a method
of identifying infected devices.
D. DLP
DLP (Data Loss Prevention) systems can identify and block private
information from transferring between systems. DLP does not provide any
direct method of identifying devices infected with malware.

29
Q

A security administrator is collecting information associated with a
ransomware infection on the company’s web servers. Which of the
following log files would provide information regarding the memory
contents of these servers?
❍ A. Web
❍ B. Packet
❍ C. Dump
❍ D. DNS

A

The Answer: C. Dump
A dump file contains the contents of system memory. In Windows, this
file can be created from the Task Manager.
The incorrect answers:
A. Web
Web server logs will document web pages that were accessed, but they don’t
show what information may be contained in the system RAM.
B. Packet
A packet trace would provide information regarding network
communication, but it would not include any details regarding the
contents of memory.
D. DNS
DNS (Domain Name System) server logs can show which domain names
were accessed by internal systems, and this information can help identify
systems that may be infected. However, the DNS log doesn’t include any
information about the memory contents of a server.

30
Q
Which part of the PC startup process verifies the digital signature of the 
OS kernel?
❍ A. Measured Boot
❍ B. Trusted Boot
❍ C. Secure Boot
❍ D. POST
A

The Answer: B. Trusted Boot
The Trusted Boot portion of the startup process verifies the operating
system kernel signature and starts the ELAM (Early Launch
Anti-Malware) process.
The incorrect answers:
A. Measured Boot
Measured Boot occurs after the Trusted Boot process and verifies that
nothing on the computer has been changed by malicious software or other
processes.
C. Secure Boot
Secure Boot is a UEFI BIOS boot feature that checks the digital signature
of the bootloader. The Trusted Boot process occurs after Secure Boot has
completed.
D. POST
POST (Power-On Self-Test) is a hardware check performed prior to
booting an operating system.

31
Q

A company is deploying a new mobile application to all of its employees
in the field. Some of the problems associated with this rollout include:
• The company does not have a way to manage the mobile devices
in the field
• Company data on mobile devices in the field introduces additional risk
• Team members have many different kinds of mobile devices
Which of the following deployment models would address
these concerns?
❍ A. Corporate-owned
❍ B. COPE
❍ C. VDI
❍ D. BYOD

A

The Answer: C. VDI
A VDI (Virtual Desktop Infrastructure) would allow the field teams to
access their applications from many different types of devices without the
requirement of a mobile device management or concern about corporate
data on the devices.
The incorrect answers:
A. Corporate-owned
A corporate-owned device would solve the issue of device standardization,
but the corporate data would be stored on the mobile devices in the field.
B. COPE
COPE (Corporate Owned and Personally Enabled) devices are purchased
by the company but are used as both a corporate device and a personal
device. This would standardize the devices, but the corporate data would
still be at-risk in the field.
D. BYOD
BYOD (Bring Your Own Device) means that the employee would choose
the mobile platform. This would not address the issue of mobile device
management, data security in the field, or standardization of mobile
devices and apps.

32
Q

An organization is installing a UPS for their new data center. Which of
the following would BEST describe this type of control?
❍ A. Compensating
❍ B. Preventive
❍ C. Managerial
❍ D. Detective

A

The Answer: A. Compensating
A compensating security control doesn’t prevent an attack, but it does
restore from an attack using other means. In this example, the UPS does
not stop a power outage, but it does provide alternative power if an outage
occurs.
The incorrect answers:
B. Preventive
A preventive control physically limits access to a device or area.
C. Managerial
A managerial control sets a policy that is designed to control how people
act.
D. Detective
A detective control may not prevent access, but it can identify and record
any intrusion attempts.

33
Q

A manufacturing company would like to track the progress of parts as
they are used on an assembly line. Which of the following technologies
would be the BEST choice for this task?
❍ A. Quantum computing
❍ B. Blockchain
❍ C. Hashing
❍ D. Asymmetric encryption

A

The Answer: B. Blockchain
The ledger functionality of a blockchain can be used to track or verify
components, digital media, votes, and other physical or digital objects.
The incorrect answers:
A. Quantum computing
Quantum computing uses quantum theory to perform high-speed
calculations. Quantum computing doesn’t inherently provide any tracking
mechanisms.
C. Hashing
Cryptographic hashes are commonly used to provide integrity
verifications, but they don’t necessarily include any method of tracking
components on an assembly line.
D. Asymmetric encryption
Asymmetric encryption uses different keys for encryption and decryption.
Asymmetric encryption does not provide any method for tracking objects
on an assembly line.

34
Q

A security administrator has been asked to respond to a potential security
breach of the company’s databases, and they need to gather the most
volatile data before powering down the database servers. In which order
should they collect this information?
❍ A. CPU registers, temporary files, memory, remote monitoring data
❍ B. Memory, CPU registers, remote monitoring data, temporary files
❍ C. Memory, CPU registers, temporary files, remote monitoring data
❍ D. CPU registers, memory, temporary files, remote monitoring data

A

The Answer: D. CPU registers, memory, temporary files,
remote monitoring data
The most volatile data disappears quickly, so data such as the CPU
registers and information in memory will be lost before temporary files
and remote monitoring data are no longer available.
The incorrect answers:
A. CPU registers, temporary files, memory, remote monitoring data
Memory is more volatile than temporary files.
B. Memory, CPU registers, remote monitoring data, temporary files
CPU registers are more volatile than memory, and temporary files are
more volatile than remote monitoring data.
C. Memory, CPU registers, temporary files, remote monitoring data
CPU registers are more volatile than information in memory.

35
Q
Which of the following risk management strategies would include the 
purchase and installation of an NGFW?
❍ A. Transference
❍ B. Mitigation
❍ C. Acceptance
❍ D. Risk-avoidance
A

The Answer: B. Mitigation
Mitigation is a strategy that decreases the threat level. This is commonly
done through the use of additional security systems and monitoring, such
as an NGFW (Next-Generation Firewall).
The incorrect answers:
A. Transference
Transference would move the risk from one entity to another. Adding an
NGFW would not transfer any risk to another party.
C. Acceptance
The acceptance of risk is a position where the owner understands the risk
and has decided to accept the potential results.
D. Risk-avoidance
With risk-avoidance, the owner of the risk decides to stop participating in
a high-risk activity. This effectively avoids the risky activity and prevents
any future issues.

36
Q

Which of the following would be the BEST way to confirm the secure
baseline of a deployed application instance?
❍ A. Compare the production application to the sandbox
❍ B. Perform an integrity measurement
❍ C. Compare the production application to the previous version
❍ D. Perform QA testing on the application instance

A

The Answer: B. Perform an integrity measurement
An integrity measurement is designed to check for the secure baseline
of firewall settings, patch levels, operating system versions, and any other
security components associated with the application. These secure baselines
may vary between different application versions.
The incorrect answers:
A. Compare the production application to the sandbox
A sandbox is commonly used as a development environment. Security
baselines in a production environment can be quite different when
compared to the code in a sandbox.
C. Compare the production application to the previous version
The newer version of an application may have very different security
requirements than previous versions.
D. Perform QA testing on the application instance
QA (Quality Assurance) testing is commonly used for finding bugs and
verifying application functionality. The primary task of QA is not generally
associated with verifying security baselines.

37
Q

A company encourages users to encrypt all of their confidential materials
on a central server. The organization would like to enable key escrow as a
backup. Which of these keys should the organization place into escrow?
❍ A. Private
❍ B. CA
❍ C. Session
❍ D. Public

A

The Answer: A. Private
With asymmetric encryption, the private key is used to decrypt
information that has been encrypted with the public key. To ensure
continued access to the encrypted data, the company must have a copy of
each private key.
The incorrect answers:
B. CA
A CA (Certificate Authority) key is commonly used to validate the digital
signature from a trusted CA. This is not commonly used for user data
encryption.
C. Session
Session keys are commonly used temporarily to provide confidentiality
during a single session. Once the session is complete, the keys are
discarded. Session keys are not used to provide long-term data encryption.
D. Public
In asymmetric encryption, a public key is already available to everyone. It
would not be necessary to escrow a public key.

38
Q
A manufacturing company would like to use an existing router to
separate a corporate network and a manufacturing floor that use the same
physical switch. The company does not want to install any additional
hardware. Which of the following would be the BEST choice for this
segmentation?
❍ A. Connect the corporate network and the manufacturing floor
with a VPN
❍ B. Build an air gapped manufacturing floor network
❍ C. Use personal firewalls on each device
❍ D. Create separate VLANs for the corporate network and the
manufacturing floor
A

The Answer: D. Create separate VLANs for the corporate network and
the manufacturing floor
Creating VLANs (Virtual Local Area Networks) will segment a network
without requiring additional switches.
The incorrect answers:
A. Connect the corporate network and the manufacturing floor
with a VPN
A VPN (Virtual Private Network) would encrypt all information between
the two networks, but it would not provide any segmentation. This process
would also commonly require additional hardware to provide VPN
connectivity.
B. Build an air gapped manufacturing floor network
An air gapped network would require separate physical switches on each
side of the gap, and this would require the purchase of an additional
switch.
C. Use personal firewalls on each device
While personal firewalls provide protection for individual devices, they
do not segment networks. It’s also uncommon for personal firewalls to be
installed on manufacturing equipment.

39
Q

When a home user connects to the corporate VPN, they are no longer
able to print to their local network printer. Once the user disconnects
from the VPN, the printer works normally. Which of the following would
be the MOST likely reason for this issue?
❍ A. The VPN uses IPSec instead of SSL
❍ B. Printer traffic is filtered by the VPN client
❍ C. The VPN is stateful
❍ D. The VPN tunnel is configured for full tunnel

A

The Answer: D. The VPN tunnel is configured for full tunnel
A split tunnel is a VPN (Virtual Private Network) configuration that
only sends a portion of the traffic through the encrypted tunnel. A split
tunnel would allow work-related traffic to securely traverse the VPN, and
all other traffic would use the non-tunneled option. In this example, the
printer traffic is being redirected through the VPN instead of the local
home network because of the non-split/full tunnel.
The incorrect answers:
A. The VPN uses IPSec instead of SSL
There are many protocols that can be used to send traffic through
an encrypted tunnel. IPsec is commonly used for site-to-site VPN
connections, and SSL (Secure Sockets Layer) is commonly used for end-user
VPN connections. However, either protocol can technically be used
for any VPN tunnel, and the choice of protocol would have no difference
on the operation of the local printer.
B. Printer traffic is filtered by the VPN client
VPN clients are usually tasked with sending traffic unfiltered through the
encrypted tunnel. Although data could be filtered at some point along the
communication path, it’s not commonly filtered by the VPN client.
C. The VPN is stateful
A stateful communication is commonly associated with firewalls, and it
refers to the firewall’s ability to track traffic flows. Stateful communication
would not be a technology commonly associated with a VPN, and it would
not be part of the user’s printing issue.

40
Q
Which cryptographic method is used to add trust to a digital certificate?
❍ A. X.509
❍ B. Hash
❍ C. Symmetric encryption
❍ D. Digital signature
A

The Answer: D. Digital signature
A certificate authority will digitally sign a certificate to add trust. If you
trust the certificate authority, you can then trust the certificate.
The incorrect answers:
A. X.509
The X.509 standard defines the structure of a certificate. This standard
format makes it easy for everyone to view the contents of a certificate, but
it doesn’t provide any additional trust.
B. Hash
A hash can help verify that the certificate has not been altered, but it does
not provide additional third-party trust.
C. Symmetric encryption
Symmetric encryption has the same issue as asymmetric encryption. The
information in a certificate commonly needs to be viewable by others.

41
Q

An organization maintains a large database of customer information for
sales tracking and customer support. Which person in the organization
would be responsible for managing the access rights to this data?
❍ A. Data processor
❍ B. Data owner
❍ C. Privacy officer
❍ D. Data custodian

A

The Answer: D. Data custodian
The data custodian manages access rights and sets security controls
to the data.
The incorrect answers:
A. Data processor
The data processor manages the operational use of the data, but not the
rights and permissions to the information.
B. Data owner
The data owner is usually a higher-level executive who makes business
decisions regarding the data.
C. Privacy officer
A privacy officer sets privacy policies and implements privacy processes
and procedures.

42
Q

A corporate security team would like to consolidate and protect the
private keys across all of their web servers. Which of these would be the
BEST way to securely store these keys?
❍ A. Use an HSM
❍ B. Implement full disk encryption on the web servers
❍ C. Use a TPM
❍ D. Upgrade the web servers to use a UEFI BIOS

A

The Answer: A. Use an HSM
An HSM (Hardware Security Module) is a high-end cryptographic
hardware appliance that can securely store keys and certificates for all
devices.
The incorrect answers:
B. Implement full disk encryption on the web servers
Full-disk encryption would only protect the keys if someone does not have
the proper credentials, and it won’t help consolidate all of the web server
keys to a central point.
C. Use a TPM
A TPM (Trusted Platform Module) is used on individual devices to
provide cryptographic functions and securely store encryption keys.
Individual TPMs would not provide any consolidation of web server
private keys.
D. Upgrade the web servers to use a UEFI BIOS
A UEFI (Unified Extensible Firmware Interface) BIOS (Basic Input/
Output System) does not provide any additional security or consolidation
features for web server private keys.

43
Q

Jennifer is reviewing this security log from her IPS:
ALERT 2018-06-01 13:07:29 [163bcf65118-179b547b]
Cross-Site Scripting in JSON Data
222.43.112.74:3332 -> 64.235.145.35:80
URL/index.html - Method POST - Query String "-"
User Agent: curl/7.21.3 (i386-redhat-linux-gnu) libcurl/7.21.3
NSS/3.13.1.0 zlib/1.2.5 libidn/1.19 libssh2/1.2.7
Detail: token="" key="key7" value="alert(2)"
Which of the following can be determined from this log information?
(Select TWO)
❍ A. The alert was generated from a malformed User Agent header
❍ B. The alert was generated from an embedded script
❍ C. The attacker’s IP address is 222.43.112.74
❍ D. The attacker’s IP address is 64.235.145.35
❍ E. The alert was generated due to an invalid client port number

A

The Answer: B. The alert was generated from an embedded script and
C. The attacker’s IP address is 222.43.112.74
The details of the IPS (Intrusion Prevention System) alert show a script
value embedded into JSON (JavaScript Object Notation) data. The IPS
log also shows the flow of the attack with an arrow in the middle. The
attacker was IP address 222.43.112.74 with port 3332, and the victim was
64.235.145.35 over port 80.
The incorrect answers:
A. The alert was generated from a malformed User Agent header
The user agent information is provided as additional supporting data
associated with the alert. The agent itself is not the cause of this alert.
D. The attacker’s IP address is 64.235.145.35
The attacker’s IP address is listed first, so the victim’s IP address is
64.235.145.35.
E. The alert was generated due to an invalid client port number
The port number associated with the client, 3332, is a valid port number
and not associated with the cause of the alert.

44
Q
Which of the following describes a monetary loss if one event occurs?
❍ A. ALE
❍ B. SLE
❍ C. RTO
❍ D. ARO
A

The Answer: B. SLE
SLE (Single Loss Expectancy) describes the financial impact of
a single event.
The incorrect answers:
A. ALE
ALE (Annual Loss Expectancy) is the financial loss over an entire
12-month period.
C. RTO
RTO (Recovery Time Objectives) define a set of objectives needed to
restore a particular service level.
D. ARO
The ARO (Annualized Rate of Occurrence) is the number of times an
event will occur in a 12-month period.

45
Q

A security administrator has configured a virtual machine in a screened
subnet with a guest login account and no password. Which of the
following would be the MOST likely reason for this configuration?
❍ A. The server is a honeypot for attracting potential attackers
❍ B. The server is a cloud storage service for remote users
❍ C. The server will be used as a VPN concentrator
❍ D. The server is a development sandbox for third-party
programming projects

A

The Answer: A. The server is a honeypot for attracting potential attackers
A screened subnet is a good location to configure services that can be
accessed from the Internet, and building a system that can be easily
compromised is a common tactic for honeypot systems.
The incorrect answers:
B. The server is a cloud storage service for remote users
Although cloud storage is a useful service, configuring storage on a server
with an open guest account is not a best practice.
C. The server will be used as a VPN concentrator
VPN (Virtual Private Networking) concentrators should be installed
on secure devices, and configuring an open guest account would not be
considered a secure configuration.
D. The server is a development sandbox for third-party
programming projects
It would not be secure to configure a development sandbox on a system
with an open guest account.

46
Q

A company’s outgoing email server currently uses SMTP with no
encryption. The security administrator would like to implement
encryption between email clients without changing the existing
server-to-server communication. Which of the following would be the
BEST way to implement this requirement?
❍ A. Implement Secure IMAP
❍ B. Require the use of S/MIME
❍ C. Install an SSL certificate on the email server
❍ D. Use a VPN tunnel between email clients

A

The Answer: B. Require the use of S/MIME
S/MIME (Secure/Multipurpose Internet Mail Extensions) provides a way
to integrate public key encryption and digital signatures into most modern
email clients. This would encrypt all email information from client to
client, regardless of the communication used between email servers.
The incorrect answers:
A. Implement Secure IMAP
Secure IMAP (Internet Message Access Protocol) would encrypt
communication downloaded from an email server, but it would not provide
any security for outgoing email messages.
C. Install an SSL certificate on the email server
An SSL certificate on an email server could potentially be used to encrypt
server-to-server communication, but the security administrator is looking
for an encryption method between email clients.
D. Use a VPN tunnel between email clients
Email communication does not occur directly between email clients, so
configuring a VPN between all possible email recipients would not be a
valid implementation.