exam 3 Flashcards
A user in the accounting department has received an email from the
CEO requesting payment for a recently purchased tablet. However, there
doesn’t appear to be a purchase order associated with this request. Which
of the following would be the MOST likely attack associated with
this email?
❍ A. Spear phishing
❍ B. Watering hole attack
❍ C. Invoice scam
❍ D. Credential harvesting
The Answer: C. Invoice scam
Invoice scams attempt to take advantage of the miscommunication
between different parts of the organization. Fake invoices are submitted by the attacker, and these invoices can sometimes be incorrectly paid without
going through the expected verification process.
The incorrect answers:
A. Spear phishing
Spear phishing is a directed attack that attempts to obtain private or
personal information. In this example, the result was to obtain payment
and not to gather private information.
B. Watering hole attack
A watering hole attack requires users to visit a central website or location.
This example did not require the user to visit any third-party websites.
D. Credential harvesting
Credential harvesting attempts to transfer password files and
authentication information from other computers.
More information:
SY0-601, Objective 1.1 - Other Social Engineering Attacks
https://professormesser.link/601010109
An online retailer is planning a penetration test as part of their PCI
DSS validation. A third-party organization will be performing the test,
and the online retailer has provided the Internet-facing IP addresses for
their public web servers but no other details. What penetration testing
methodology is the online retailer using?
❍ A. Known environment
❍ B. Passive footprinting
❍ C. Partially known environment
❍ D. Ping scan
The Answer: C. Partially known environment
A partially known environment test is performed when the attacker knows
some information about the victim, but not all information is available.
The incorrect answers:
A. Known environment
A known environment test is performed when the attacker has complete
details about the victim’s systems and infrastructure.
B. Passive footprinting
Passive footprinting is the process of gathering information from publicly
available sites, such as social media or corporate websites.
D. Ping scan
A ping scan is a type of network scan that can identify devices connected
to the network. A ping scan is not a type of penetration test.
Vala, a security analyst, has received an alert from her IPS regarding active
exploit attempts from the Internet. Which of the following would provide
detailed information about these exploit attempts?
❍ A. Netstat
❍ B. Nmap
❍ C. Nessus
❍ D. Wireshark
The Answer: D. Wireshark
Wireshark is a protocol analyzer, and it can provide information about
every frame that traverses the network. From a security perspective, the
protocol decode can show the exploitation process and details about the
payloads used during the attempt.
The incorrect answers:
A. Netstat
The netstat command can display connectivity information about a device,
but it won’t provide any additional details about an exploit attempt.
B. Nmap
An Nmap scan is a useful tool for understanding the potential exploit
vectors of a device, but it won’t show information about an active
exploitation attempt.
C. Nessus
Nessus is a vulnerability scanner that can help identify potential exploit
vectors, but it’s not useful for showing active exploitation attempts by a
third party.
A technician at an MSP has been asked to manage devices on a third-party
private network. The technician needs command line access to internal
routers, switches, and firewalls. Which of the following would provide the
necessary access?
❍ A. HSM
❍ B. Jump server
❍ C. NAC
❍ D. Air gap
The Answer: B. Jump server
A jump server is a highly secured device commonly used to access secure
areas of another network. The technician would first connect to the jump
server using SSH or a VPN tunnel, and then “jump” from the jump server
to other devices on the inside of the protected network. This would allow
technicians at an MSP (Managed Service Provider) to securely access
devices on their customer’s network.
The incorrect answers:
A. HSM
An HSM (Hardware Security Module) is a secure method of
cryptographic key backup and hardware-based cryptographic offloading.
C. NAC
NAC (Network Access Control) is a broad term describing access control
based on a health check or posture assessment. NAC will deny access to
devices that don’t meet the minimum security requirements.
D. Air gap
An air gap is a segmentation strategy that separates devices or networks by
physically disconnecting them from each other.
A transportation company is installing new wireless access points in their
corporate offices. The manufacturer estimates that the access points will
operate an average of 100,000 hours before a hardware-related outage.
Which of the following describes this estimate?
❍ A. MTTR
❍ B. RPO
❍ C. RTO
❍ D. MTBF
The Answer: D. MTBF
The MTBF (Mean Time Between Failures) is the average time expected
between outages. This is usually an estimation based on the internal device
components and their expected operational lifetime.
The incorrect answers:
A. MTTR
MTTR (Mean Time to Repair) is the time required to repair a product or
system after a failure.
B. RPO
RPO (Recovery Point Objectives) define how much data loss would be
acceptable during a recovery.
C. RTO
RTO (Recovery Time Objectives) define the minimum objectives required
to get up and running to a particular service level.
A company has connected their wireless access points and has enabled
WPS. Which of the following security issues would be associated with
this configuration?
❍ A. Brute force
❍ B. Client hijacking
❍ C. Cryptographic vulnerability
❍ D. Spoofing
The Answer: A. Brute force
A WPS personal identification number (PIN) was designed to have only
11,000 possible iterations, making a brute force attack possible if the
access point doesn’t provide any protection against multiple guesses.
The incorrect answers:
B. Client hijacking
The process of adding a device through WPS occurs well before any app
or client is used.
C. Cryptographic vulnerability
The vulnerability in WPS is based on a limited number of PIN options
and not a cryptographic shortcoming.
D. Spoofing
Spoofing an existing device would not provide access to a WPS-enabled
network.
An IPS report shows a series of exploit attempts were made against
externally facing web servers. The system administrator of the web servers
has identified a number of unusual log entries on each system. Which of
the following would be the NEXT step in the incident response process?
❍ A. Check the IPS logs for any other potential attacks
❍ B. Create a plan for removing malware from the web servers
❍ C. Disable any breached user accounts
❍ D. Disconnect the web servers from the network
The Answer: D. Disconnect the web servers from the network
The unusual log entries on the web server indicate that the system may
have been exploited. In that situation, the servers should be isolated to
prevent access to or from those systems.
The incorrect answers:
A. Check the IPS logs for any other potential attacks
Before looking for additional exploits, the devices showing a potential
exploit should be isolated and contained.
B. Create a plan for removing malware from the web servers
The recovery process should occur after the systems have been isolated and
contained.
C. Disable any breached user accounts
This is part of the recovery process, and it should occur after isolation and
containment of the exploited servers.
A security administrator is designing a storage array that would maintain
an exact replica of all data without striping. The array needs to operate
normally if a single drive was to fail. Which of the following would be the
BEST choice for this storage system?
❍ A. RAID 1
❍ B. RAID 5
❍ C. RAID 0
❍ D. RAID 10
The Answer: A. RAID 1
RAID (Redundant Array of Independent Disks) type 1 maintains a mirror
(or exact duplicate) of data across multiple drives. If a single drive was to
fail, the mirror would continue to operate with the redundant data.
The incorrect answers:
B. RAID 5
RAID 5 provides redundancy through striping with parity. Although
RAID 5 arrays would continue to operate through a single drive failure,
the data is not replicated across drives.
C. RAID 0
RAID 0 is a striped storage system with no parity; it provides no data
redundancy, and a single drive failure takes the array down.
D. RAID 10
RAID 10 or RAID 1+0 maintains mirrored drives that contain
striped data.
A transportation company headquarters is located in an area with
frequent power surges and outages. The security administrator is
concerned about the potential for downtime and hardware failures.
Which of the following would provide the most protection against
these issues? Select TWO.
❍ A. UPS
❍ B. NIC teaming
❍ C. Incremental backups
❍ D. Port aggregation
❍ E. Load balancing
❍ F. Dual power supplies
The Answers: A. UPS and F. Dual power supplies
A UPS (Uninterruptible Power Supply) can provide backup power
when the main power source is unavailable, and dual power supplies can
maintain uptime when power surges cause physical damage to one of the
power supplies in a system.
The incorrect answers:
B. NIC teaming
NIC (Network Interface Card) teaming can be used for redundant
network paths from a server, but it won’t help with power-related issues.
C. Incremental backups
Backups are an important part of any recovery plan, but they won’t avoid
any power issues.
D. Port aggregation
Port aggregation is used to increase network bandwidth between switches
or devices. Port aggregation won’t provide any protection for power surges
or power outages.
E. Load balancing
Load balancers provide a way to manage busy services by increasing the
number of available servers and balancing the load between them. A load
balancer won’t provide any help with power issues, however.
An organization has developed an in-house mobile device app for order
processing. The developers would like the app to identify revoked server
certificates without sending any traffic over the corporate Internet
connection. Which of the following MUST be configured to allow this
functionality?
❍ A. CSR
❍ B. OCSP stapling
❍ C. Key escrow
❍ D. Hierarchical CA
The Answer: B. OCSP stapling
The use of OCSP (Online Certificate Status Protocol) requires
communication between the client and the CA that issued a certificate.
If the CA is an external organization, then validation checks will
communicate across the Internet. The certificate holder can verify
their own status and avoid client Internet traffic by storing the status
information on an internal server and “stapling” the OCSP status into the
SSL/TLS handshake.
The incorrect answers:
A. CSR
A CSR (Certificate Signing Request) is used during the key creation
process. The public key is sent to the CA to be signed as part of the CSR.
C. Key escrow
Key escrow will provide a third party with access to decryption keys. The
escrow process is not involved in real-time server revocation updates.
D. Hierarchical CA
A hierarchical CA design will create intermediate CAs to distribute the
certificate management load and minimize the impact if a CA certificate
needs to be revoked. The hierarchical design is not involved in the
certificate revocation check process.
Sam, a security administrator, is configuring an IPsec tunnel to a remote
site. Which protocol should she enable to protect all of the data traversing
the VPN tunnel?
❍ A. AH
❍ B. Diffie-Hellman
❍ C. ESP
❍ D. SHA-2
The Answer: C. ESP
The ESP (Encapsulating Security Payload) protocol encrypts the data that
traverses the VPN.
The incorrect answers:
A. AH
The AH (Authentication Header) is used to hash the packet data for
additional data integrity.
B. Diffie-Hellman
Diffie-Hellman is an algorithm used for two devices to create identical
shared keys without transferring those keys across the network.
D. SHA-2
SHA-2 (Secure Hash Algorithm) is a hashing algorithm, and does not
provide any data encryption.
A company has signed an SLA with an Internet service provider. Which
of the following would BEST describe the content of this SLA?
❍ A. The customer will connect to partner locations over an IPsec tunnel
❍ B. The service provider will provide 99.999% uptime
❍ C. The customer applications use HTTPS over tcp/443
❍ D. Customer application use will be busiest on the 15th of each month
The Answer: B. The service provider will provide 99.999% uptime
An SLA (Service Level Agreement) is a contract that specifies the
minimum terms for provided services. It’s common to include uptime,
response times, and other service metrics in an SLA.
The incorrect answers:
A. The customer will connect to partner locations over an IPsec tunnel
A service level agreement describes the minimum service levels provided
to the customer. You would not commonly see descriptions of how the
service will be used in the SLA contract.
C. The customer applications use HTTPS over tcp/443
The protocols used by the customer’s applications aren’t part of the service
requirements from the ISP.
D. Customer application use will be busiest on the 15th of each month
The customer’s application usage isn’t part of the service requirements
from the ISP.
The network design of an online women’s apparel company includes a
primary data center in the United States and secondary data centers in
London and Tokyo. Customers place orders online via HTTPS to servers
at the closest data center, and these orders and customer profiles are then
centrally stored in the United States data center. The connections between
all data centers use Internet links with IPsec tunnels. Fulfillment requests
are sent from the United States data center to shipping locations in the
customer’s country. Which of the following should be the CIO’s MOST
significant security concern with this existing network design?
❍ A. IPsec connects data centers over public Internet links
❍ B. Fulfillment requests are shipped within the customer’s country
❍ C. Customer information is transferred between countries
❍ D. The data centers are located geographically distant from each other
The Answer: C. Customer information is transferred between countries
Data sovereignty laws can mandate how data is handled. Data that resides
in a country is usually subject to the laws of that country, and compliance
regulations may not allow the data to be moved outside of the country.
The incorrect answers:
A. IPsec connects data centers over public Internet links
Connecting remote locations using IPsec tunnels over public Internet
connections is a common method of securely linking sites together. If
someone was to capture the data traversing these links, they would find
that all of the data was encrypted.
B. Fulfillment requests are shipped within the customer’s country
There are no significant security issues associated with shipments within
the same country.
D. The data centers are located geographically distant from each other
A best practice for many international organizations is to have data centers
in geographically diverse locations to minimize the impact of any single
data center outage.
A government transport service has installed access points that support
WPA3. Which of the following technologies would provide enhanced
security for PSK while using WPA3?
❍ A. 802.1X
❍ B. SAE
❍ C. WEP
❍ D. WPS
The Answer: B. SAE (Simultaneous Authentication of Equals)
WPA3 (Wi-Fi Protected Access 3) enhances the PSK (Pre-Shared Key)
authentication process by privately deriving session keys instead of sending
the key hashes across the network.
The incorrect answers:
A. 802.1X
802.1X is a standard for authentication using AAA (Authentication,
Authorization and Accounting) services. 802.1X is commonly used in
conjunction with LDAP, RADIUS, or a similar authentication service.
C. WEP
WEP (Wired Equivalent Privacy) is an older wireless encryption
algorithm that was ultimately found to have cryptographic vulnerabilities.
D. WPS
WPS (Wi-Fi Protected Setup) is a standard method of connecting devices
to a wireless network without requiring a PSK or passphrase.
A user in the marketing department is unable to connect to the wireless
network. After authenticating with a username and password, the user
receives this message:
– – –
The connection attempt could not be completed.
The Credentials provided by the server could not be validated.
Radius Server: radius.example.com
Root CA: Example.com Internal CA Root Certificate
– – –
The AP is configured with WPA3 encryption and 802.1X authentication.
Which of the following is the MOST likely reason for this login issue?
❍ A. The user’s computer is in the incorrect VLAN
❍ B. The RADIUS server is not responding
❍ C. The user’s computer does not support WPA3 encryption
❍ D. The user is in a location with an insufficient wireless signal
❍ E. The client computer does not have the proper certificate installed
The Answer: E. The client computer does not have the proper certificate installed
The error message states that the server credentials could not be validated.
This indicates that the certificate authority that signed the server’s
certificate is either different than the CA certificate installed on the
client’s workstation, or the client workstation does not have an installed
copy of the CA’s certificate. This validation process ensures that the client
is communicating to a trusted server and there are no man-in-the-middle
attacks occurring.
The incorrect answers:
A. The user’s computer is in the incorrect VLAN
The RADIUS server certificate validation process should work properly
from all VLANs. The error indicates that the communication process is
working properly, so an incorrect VLAN would not be the cause of this
issue.
B. The RADIUS server is not responding
If the RADIUS server had no response to the user, then the process would
simply time out. In this example, the error message indicates that the
communication process is working between the RADIUS server and the
client’s computer.
C. The user’s computer does not support WPA3 encryption
The first step when connecting to a wireless network is to associate with
the 802.11 access point. If WPA3 encryption was not supported, the
authentication process would not have occurred and the user’s workstation
would not have seen the server credentials.
D. The user is in a location with an insufficient wireless signal
The error message regarding server validation indicates that the wireless
signal is strong enough to send and receive data on the wireless network.