exam 3 Flashcards

1
Q

A user in the accounting department has received an email from the
CEO requesting payment for a recently purchased tablet. However, there
doesn’t appear to be a purchase order associated with this request. Which
of the following would be the MOST likely attack associated with
this email?
❍ A. Spear phishing
❍ B. Watering hole attack
❍ C. Invoice scam
❍ D. Credential harvesting

A

The Answer: C. Invoice scam
Invoice scams attempt to take advantage of the miscommunication
between different parts of the organization. Fake invoices are submitted by the attacker, and these invoices can sometimes be incorrectly paid without
going through the expected verification process.
The incorrect answers:
A. Spear phishing
Spear phishing is a directed attack that attempts to obtain private or
personal information. In this example, the result was to obtain payment
and not to gather private information.
B. Watering hole attack
A watering hole attack requires users to visit a central website or location.
This example did not require the user to visit any third-party websites.
D. Credential harvesting
Credential harvesting attempts to transfer password files and
authentication information from other computers.

More information:
SY0-601, Objective 1.1 - Other Social Engineering Attacks
https://professormesser.link/601010109

2
Q

An online retailer is planning a penetration test as part of their PCI
DSS validation. A third-party organization will be performing the test,
and the online retailer has provided the Internet-facing IP addresses for
their public web servers but no other details. What penetration testing
methodology is the online retailer using?
❍ A. Known environment
❍ B. Passive footprinting
❍ C. Partially known environment
❍ D. Ping scan

A

The Answer: C. Partially known environment
A partially known environment test is performed when the attacker knows
some information about the victim, but not all information is available.
The incorrect answers:
A. Known environment
A known environment test is performed when the attacker has complete
details about the victim’s systems and infrastructure.
B. Passive footprinting
Passive footprinting is the process of gathering information from publicly
available sites, such as social media or corporate websites.
D. Ping scan
A ping scan is a type of network scan that can identify devices connected
to the network. A ping scan is not a type of penetration test.

3
Q

Vala, a security analyst, has received an alert from her IPS regarding active
exploit attempts from the Internet. Which of the following would provide
detailed information about these exploit attempts?
❍ A. Netstat
❍ B. Nmap
❍ C. Nessus
❍ D. Wireshark

A

The Answer: D. Wireshark
Wireshark is a protocol analyzer, and it can provide information about
every frame that traverses the network. From a security perspective, the
protocol decode can show the exploitation process and details about the
payloads used during the attempt.
The incorrect answers:
A. Netstat
The netstat command can display connectivity information about a device,
but it won’t provide any additional details about an exploit attempt.
B. Nmap
An Nmap scan is a useful tool for understanding the potential exploit
vectors of a device, but it won’t show information about an active
exploitation attempt.
C. Nessus
Nessus is a vulnerability scanner that can help identify potential exploit
vectors, but it’s not useful for showing active exploitation attempts by a
third party.

4
Q

A technician at an MSP has been asked to manage devices on a third-party
private network. The technician needs command line access to internal
routers, switches, and firewalls. Which of the following would provide the
necessary access?
❍ A. HSM
❍ B. Jump server
❍ C. NAC
❍ D. Air gap

A

The Answer: B. Jump server
A jump server is a highly secured device commonly used to access secure
areas of another network. The technician would first connect to the jump
server using SSH or a VPN tunnel, and then “jump” from the jump server
to other devices on the inside of the protected network. This would allow
technicians at an MSP (Managed Service Provider) to securely access
devices on their customer’s network.
The incorrect answers:
A. HSM
An HSM (Hardware Security Module) is a secure method of
cryptographic key backup and hardware-based cryptographic offloading.
C. NAC
NAC (Network Access Control) is a broad term describing access control
based on a health check or posture assessment. NAC will deny access to
devices that don’t meet the minimum security requirements.
D. Air gap
An air gap is a segmentation strategy that separates devices or networks by
physically disconnecting them from each other.

5
Q

A transportation company is installing new wireless access points in their
corporate offices. The manufacturer estimates that the access points will
operate an average of 100,000 hours before a hardware-related outage.
Which of the following describes this estimate?
❍ A. MTTR
❍ B. RPO
❍ C. RTO
❍ D. MTBF

A

The Answer: D. MTBF
The MTBF (Mean Time Between Failures) is the average time expected
between outages. This is usually an estimation based on the internal device
components and their expected operational lifetime.
The incorrect answers:
A. MTTR
MTTR (Mean Time to Repair) is the time required to repair a product or
system after a failure.
B. RPO
RPO (Recovery Point Objectives) define how much data loss would be
acceptable during a recovery.
C. RTO
RTO (Recovery Time Objectives) define the minimum objectives required
to get up and running to a particular service level.

6
Q

A company has connected their wireless access points and has enabled
WPS. Which of the following security issues would be associated with
this configuration?
❍ A. Brute force
❍ B. Client hijacking
❍ C. Cryptographic vulnerability
❍ D. Spoofing

A

The Answer: A. Brute force
A WPS personal identification number (PIN) was designed to have only
11,000 possible combinations, making a brute force attack possible if the
access point doesn’t provide any protection against multiple guesses.
The incorrect answers:
B. Client hijacking
The process of adding a device through WPS occurs well before any app
or client is used.
C. Cryptographic vulnerability
The vulnerability in WPS is based on a limited number of PIN options
and not a cryptographic shortcoming.
D. Spoofing
Spoofing an existing device would not provide access to a WPS-enabled
network.

7
Q

An IPS report shows a series of exploit attempts were made against
externally facing web servers. The system administrator of the web servers
has identified a number of unusual log entries on each system. Which of
the following would be the NEXT step in the incident response process?
❍ A. Check the IPS logs for any other potential attacks
❍ B. Create a plan for removing malware from the web servers
❍ C. Disable any breached user accounts
❍ D. Disconnect the web servers from the network

A

The Answer: D. Disconnect the web servers from the network
The unusual log entries on the web server indicate that the system may
have been exploited. In that situation, the servers should be isolated to
prevent access to or from those systems.
The incorrect answers:
A. Check the IPS logs for any other potential attacks
Before looking for additional exploits, the devices showing a potential
exploit should be isolated and contained.
B. Create a plan for removing malware from the web servers
The recovery process should occur after the systems have been isolated and
contained.
C. Disable any breached user accounts
This is part of the recovery process, and it should occur after isolation and
containment of the exploited servers.

8
Q

A security administrator is designing a storage array that would maintain
an exact replica of all data without striping. The array needs to operate
normally if a single drive was to fail. Which of the following would be the
BEST choice for this storage system?
❍ A. RAID 1
❍ B. RAID 5
❍ C. RAID 0
❍ D. RAID 10

A

The Answer: A. RAID 1
RAID (Redundant Array of Independent Disks) type 1 maintains a mirror
(or exact duplicate) of data across multiple drives. If a single drive was to
fail, the mirror would continue to operate with the redundant data.
The incorrect answers:
B. RAID 5
RAID 5 provides redundancy through striping with parity. Although
RAID 5 arrays would continue to operate through a single drive failure,
the data is not replicated across drives.
C. RAID 0
RAID 0 is a striped storage system with no parity, and a single drive
failure does not maintain uptime or any redundancy of data.
D. RAID 10
RAID 10 or RAID 1+0 maintains mirrored drives that contain
striped data.

9
Q

A transportation company headquarters is located in an area with
frequent power surges and outages. The security administrator is
concerned about the potential for downtime and hardware failures.
Which of the following would provide the most protection against
these issues? Select TWO.
❍ A. UPS
❍ B. NIC teaming
❍ C. Incremental backups
❍ D. Port aggregation
❍ E. Load balancing
❍ F. Dual power supplies

A

The Answers: A. UPS and F. Dual power supplies
A UPS (Uninterruptible Power Supply) can provide backup power
when the main power source is unavailable, and dual power supplies can
maintain uptime when power surges cause physical damage to one of the
power supplies in a system.
The incorrect answers:
B. NIC teaming
NIC (Network Interface Card) teaming can be used for redundant
network paths from a server, but it won’t help with power-related issues.
C. Incremental backups
Backups are an important part of any recovery plans, but they won’t avoid
any power issues.
D. Port aggregation
Port aggregation is used to increase network bandwidth between switches
or devices. Port aggregation won’t provide any protection for power surges
or power outages.
E. Load balancing
Load balancers provide a way to manage busy services by increasing the
number of available servers and balancing the load between them. A load
balancer won’t provide any help with power issues, however.

10
Q

An organization has developed an in-house mobile device app for order
processing. The developers would like the app to identify revoked server
certificates without sending any traffic over the corporate Internet
connection. Which of the following MUST be configured to allow this
functionality?
❍ A. CSR
❍ B. OCSP stapling
❍ C. Key escrow
❍ D. Hierarchical CA

A

The Answer: B. OCSP stapling
The use of OCSP (Online Certificate Status Protocol) requires
communication between the client and the CA that issued a certificate.
If the CA is an external organization, then validation checks will
communicate across the Internet. The certificate holder can verify
their own status and avoid client Internet traffic by storing the status
information on an internal server and “stapling” the OCSP status into the
SSL/TLS handshake.
The incorrect answers:
A. CSR
A CSR (Certificate Signing Request) is used during the key creation
process. The public key is sent to the CA to be signed as part of the CSR.
C. Key escrow
Key escrow will provide a third-party with access to decryption keys. The
escrow process is not involved in real-time server revocation updates.
D. Hierarchical CA
A hierarchical CA design will create intermediate CAs to distribute the
certificate management load and minimize the impact if a CA certificate
needs to be revoked. The hierarchical design is not involved in the
certificate revocation check process.

11
Q

Sam, a security administrator, is configuring an IPsec tunnel to a remote
site. Which protocol should she enable to protect all of the data traversing
the VPN tunnel?
❍ A. AH
❍ B. Diffie-Hellman
❍ C. ESP
❍ D. SHA-2

A

The Answer: C. ESP
The ESP (Encapsulation Security Payload) protocol encrypts the data that
traverses the VPN.
The incorrect answers:
A. AH
The AH (Authentication Header) is used to hash the packet data for
additional data integrity.
B. Diffie-Hellman
Diffie-Hellman is an algorithm used for two devices to create identical
shared keys without transferring those keys across the network.
D. SHA-2
SHA-2 (Secure Hash Algorithm) is a hashing algorithm, and does not
provide any data encryption.

12
Q

A company has signed an SLA with an Internet service provider. Which
of the following would BEST describe the content of this SLA?
❍ A. The customer will connect to partner locations over an IPsec tunnel
❍ B. The service provider will provide 99.999% uptime
❍ C. The customer applications use HTTPS over tcp/443
❍ D. Customer application use will be busiest on the 15th
of each month

A

The Answer: B. The service provider will provide 99.999% uptime
An SLA (Service Level Agreement) is a contract that specifies the
minimum terms for provided services. It’s common to include uptime,
response times, and other service metrics in an SLA.
The incorrect answers:
A. The customer will connect to partner locations over an IPsec tunnel
A service level agreement describes the minimum service levels provided
to the customer. You would not commonly see descriptions of how the
service will be used in the SLA contract.
C. The customer applications use HTTPS over tcp/443
The protocols used by the customer’s applications aren’t part of the service
requirements from the ISP.
D. Customer application use will be busiest on the 15th of each month
The customer’s application usage isn’t part of the service requirements
from the ISP.

13
Q

The network design of an online women’s apparel company includes a
primary data center in the United States and secondary data centers in
London and Tokyo. Customers place orders online via HTTPS to servers
at the closest data center, and these orders and customer profiles are then
centrally stored in the United States data center. The connections between
all data centers use Internet links with IPsec tunnels. Fulfillment requests
are sent from the United States data center to shipping locations in the
customer’s country. Which of the following should be the CIO’s MOST
significant security concern with this existing network design?
❍ A. IPsec connects data centers over public Internet links
❍ B. Fulfillment requests are shipped within the customer’s country
❍ C. Customer information is transferred between countries
❍ D. The data centers are located geographically distant from each other

A

The Answer: C. Customer information is transferred between countries
Data sovereignty laws can mandate how data is handled. Data that resides
in a country is usually subject to the laws of that country, and compliance
regulations may not allow the data to be moved outside of the country.
The incorrect answers:
A. IPsec connects data centers over public Internet links
Connecting remote locations using IPsec tunnels over public Internet
connections is a common method of securely linking sites together. If
someone was to capture the data traversing these links, they would find
that all of the data was encrypted.
B. Fulfillment requests are shipped within the customer’s country
There are no significant security issues associated with shipments within
the same country.
D. The data centers are located geographically distant from each other
A best practice for many international organizations is to have data centers
in geographically diverse locations to minimize the impact of any single
data center outage.

14
Q

A government transport service has installed access points that support
WPA3. Which of the following technologies would provide enhanced
security for PSK while using WPA3?
❍ A. 802.1X
❍ B. SAE
❍ C. WEP
❍ D. WPS

A

The Answer: B. SAE (simultaneous authentication of equals)
WPA3 (Wi-Fi Protected Access 3) enhances the PSK (Pre-Shared Key)
authentication process by privately deriving session keys instead of sending
the key hashes across the network.

The incorrect answers:
A. 802.1X
802.1X is a standard for authentication using AAA (Authentication,
Authorization and Accounting) services. 802.1X is commonly used in
conjunction with LDAP, RADIUS, or a similar authentication service.
C. WEP
WEP (Wired Equivalent Privacy) is an older wireless encryption
algorithm that was ultimately found to have cryptographic vulnerabilities.
D. WPS
WPS (Wi-Fi Protected Setup) is a standard method of connecting devices
to a wireless network without requiring a PSK or passphrase.

15
Q

A user in the marketing department is unable to connect to the wireless
network. After authenticating with a username and password, the user
receives this message:
– – –
The connection attempt could not be completed.
The Credentials provided by the server could not be validated.
Radius Server: radius.example.com
Root CA: Example.com Internal CA Root Certificate
– – –
The AP is configured with WPA3 encryption and 802.1X authentication.
Which of the following is the MOST likely reason for this login issue?
❍ A. The user’s computer is in the incorrect VLAN
❍ B. The RADIUS server is not responding
❍ C. The user’s computer does not support WPA3 encryption
❍ D. The user is in a location with an insufficient wireless signal
❍ E. The client computer does not have the proper certificate installed

A

The Answer: E. The client computer does not have the proper
certificate installed
The error message states that the server credentials could not be validated.
This indicates that the certificate authority that signed the server’s
certificate is either different than the CA certificate installed on the
client’s workstation, or the client workstation does not have an installed
copy of the CA’s certificate. This validation process ensures that the client
is communicating to a trusted server and there are no man-in-the-middle
attacks occurring.
The incorrect answers:
A. The user’s computer is in the incorrect VLAN
The RADIUS server certificate validation process should work properly
from all VLANs. The error indicates that the communication process is
working properly, so an incorrect VLAN would not be the cause of this
issue.
Practice Exam B - Answers 221
B. The RADIUS server is not responding
If the RADIUS server had no response to the user, then the process would
simply timeout. In this example, the error message indicates that the
communication process is working between the RADIUS server and the
client’s computer.
C. The user’s computer does not support WPA3 encryption
The first step when connecting to a wireless network is to associate with
the 802.11 access point. If WPA3 encryption was not supported, the
authentication process would not have occurred and the user’s workstation
would not have seen the server credentials.
D. The user is in a location with an insufficient wireless signal
The error message regarding server validation indicates that the wireless
signal is strong enough to send and receive data on the wireless network.

16
Q

Which of the following vulnerabilities would be the MOST significant
security concern when protecting against a competitor?
❍ A. Data center access with only one authentication method
❍ B. Spoofing of internal IP addresses when accessing an intranet server
❍ C. Employee VPN access uses a weak encryption cipher
❍ D. Lack of patch updates on an Internet-facing database server

A

The Answer: D. Lack of patch updates on an Internet-facing
database server
One of the easiest ways for a competitor to obtain information is through
an existing Internet connection. An unpatched server could be exploited to
obtain customer data that would not normally be available otherwise.
The incorrect answers:
A. Data center access with only one authentication method
Most competitors don’t have access to walk around inside of your
building, and they certainly wouldn’t have access to secure areas. A single
authentication method would commonly prevent unauthorized access
to a data center for both employees and non-employees, although more
authentication factors would provide some additional security.
B. Spoofing of internal IP addresses when accessing an intranet server
Intranet servers are not accessible from the outside. This makes them an
unlikely target for competitors and other non-employees.
C. Employee VPN access uses a weak encryption cipher
A weak encryption cipher can be a security issue, but a potential
exploitation would need the raw network traffic to begin any decryption
attempts. Although this scenario would technically be possible if someone
was to catch an employee on a public wireless network, it’s not the most
significant security issue in the available list.

17
Q
Which of the following applies scientific principles to provide a 
post-event analysis of an intrusion?
❍ A. MITRE ATT&CK framework
❍ B. ISO 27701
❍ C. Diamond model
❍ D. NIST RMF
A

The Answer: C. Diamond model
The diamond model was created by the United States intelligence
community as a way to standardize the attack reporting and the analysis of
the intrusions.
The incorrect answers:
A. MITRE ATT&CK framework
MITRE provides the ATT&CK framework as a knowledgebase of attack
types, techniques, and mitigation options.
B. ISO 27701
The ISO 27701 standard focuses on the implementation and maintenance
of a privacy information management system (PIMS).
D. NIST RMF
The NIST (National Institute of Standards and Technology) RMF (Risk
Management Framework) is a guide to help understand, manage, and rate
the risks found in an organization.

18
Q
Which of the following would be the MOST likely result of plaintext 
application communication?
❍ A. Buffer overflow
❍ B. Replay attack
❍ C. Resource exhaustion
❍ D. Directory traversal
A

The Answer: B. Replay attack
To perform a replay attack, the attacker needs to capture the original
non-encrypted content. If an application is not using encrypted
communication, the data capture process is a simple process for
the attacker.
The incorrect answers:
A. Buffer overflow
A buffer overflow takes advantage of an application vulnerability and can
perform this overflow over both an encrypted or non-encrypted channel.
C. Resource exhaustion
Resource exhaustion can take many different forms, but those resource
issues don’t necessarily require the network communication to be sent in
the clear.
D. Directory traversal
Directory traversal is commonly associated with moving around the file
system of a server. Non-encrypted communication is not a prerequisite in
a directory traversal attack.

19
Q

A security administrator is updating the network infrastructure to support
802.1X authentication. Which of the following would be the BEST
choice for this configuration?
❍ A. LDAP
❍ B. HTTPS
❍ C. SNMPv3
❍ D. MS-CHAP

A

The Answer: A. LDAP
LDAP (Lightweight Directory Access Protocol) is a common protocol
to use for centralized authentication. Other protocols such as RADIUS,
TACACS+, or Kerberos would also be valid options for 802.1X
authentication.
The incorrect answers:
B. HTTPS
HTTPS (Hypertext Transfer Protocol Secure) is commonly used to
encrypt web server communication. HTTPS is not an authentication
protocol.
C. SNMPv3
SNMPv3 (Simple Network Management Protocol version 3) is used to
manage servers and infrastructure devices. SNMP is not an authentication
protocol.
D. MS-CHAP
MS-CHAP (Microsoft Challenge Handshake Authentication Protocol)
was commonly used to authenticate devices using Microsoft’s
Point-to-Point Tunneling Protocol (PPTP). Security issues related to
the use of DES (Data Encryption Standard) encryption in MS-CHAP
eliminate it from consideration for modern authentication.

20
Q

A security manager believes that an employee is using their laptop to
circumvent the corporate Internet security controls through the use of
a cellular hotspot. Which of the following could be used to validate this
belief? (Select TWO)
❍ A. HIPS
❍ B. UTM appliance logs
❍ C. Web application firewall events
❍ D. Host-based firewall logs
❍ E. Next-generation firewall logs

A

The Answer: A. HIPS and D. Host-based firewall logs
If the laptop is not communicating across the corporate network, then
the only evidence of the traffic would be contained on the laptop itself. A
HIPS (Host-based Intrusion Prevention System) and host-based firewall
logs may contain information about recent traffic flows to systems outside
of the corporate network.
The incorrect answers:
B. UTM appliance logs
A unified threat management appliance is commonly located in the core of
the network. The use of a cellular hotspot would circumvent the UTM and
would not be logged.
C. Web application firewall events
Web application firewalls are commonly used to protect internal web
servers. Outbound Internet communication would not be logged, and
anyone circumventing the existing security controls would also not be
logged.
E. Next-generation firewall logs
Although a next-generation firewall keeps detailed logs, any systems
communicating outside of the normal corporate Internet connection
would not appear in those logs.

21
Q

An application developer is creating a mobile device app that will
include extensive encryption and decryption. Which of the following
technologies would be the BEST choice for this app?
❍ A. AES
❍ B. Elliptic curve
❍ C. Diffie-Hellman
❍ D. PGP

A

The Answer: B. Elliptic curve
ECC (Elliptic Curve Cryptography) uses smaller keys than non-ECC
encryption and has smaller storage and transmission requirements. These
characteristics make it an efficient option for mobile devices.
The incorrect answers:
A. AES
AES (Advanced Encryption Standard) is a useful encryption cipher, but
the reduced overhead of elliptic curve cryptography is a better option for
this scenario.
C. Diffie-Hellman
Diffie-Hellman is a key-agreement protocol, and Diffie-Hellman does not
provide for any encryption or authentication.
D. PGP
PGP’s public-key cryptography requires much more overhead than the
elliptic curve cryptography option.

22
Q

Which of the following would be the MAIN reasons why a system
administrator would use a TPM when configuring full disk encryption?
(Select TWO)
❍ A. Allows the encryption of multiple volumes
❍ B. Uses burned-in cryptographic keys
❍ C. Stores certificates in a hardware security module
❍ D. Protects against EMI leakage
❍ E. Includes built-in protections against brute-force attacks

A

The Answer: B. Uses burned-in cryptographic keys and
E. Includes built-in protections against brute-force attacks
A TPM (Trusted Platform Module) is hardware that is part of a
computer’s motherboard, and it’s specifically designed to assist and protect
with cryptographic functions. Full disk encryption (FDE) can use the
burned-in TPM keys to verify that the local device hasn’t changed, and
there are security features in the TPM that will prevent brute-force or
dictionary attacks against the full disk encryption login credentials.
The incorrect answers:
A. Allows the encryption of multiple volumes
The use of a TPM is not associated with the number of volumes that may
be encrypted with FDE.
C. Stores certificates in a hardware security module
A hardware security module (HSM) is high-end cryptographic hardware
specifically designed for large-scale secured storage on the network. An
HSM server is a separate device that is not associated with an individual
device’s TPM.
D. Protects against EMI leakage
The leakage of EMI (Electromagnetic Interference) from keyboards,
storage drives, or network connections can be a security concern, but it is
not related to the use of a trusted platform module.

23
Q

A security administrator would like to create an access control where each
file or folder is assigned a security clearance level, such as “confidential”
or “secret.” The security administrator would then assign a maximum
security level to each user. What type of access control would be used in
this network?
❍ A. Mandatory
❍ B. Rule-based
❍ C. Discretionary
❍ D. Role-based

A

The Answer: A. Mandatory
Mandatory access control uses a series of security levels (e.g., public,
private, secret) and assigns those levels to each object in the operating
system. Users are assigned a security level, and they would only have access
to objects that meet or are below that assigned security level.
The incorrect answers:
B. Rule-based
Rule-based access control determines access based on a series of
system-enforced rules. An access rule might require that a particular
browser be used to complete a web page form, or that access to a file or
system is only allowed during certain times of the day.
C. Discretionary
Discretionary access control allows the owner of an object to assign access.
If a user creates a spreadsheet, the user can then assign users and groups to
have a particular level of access to that spreadsheet.
D. Role-based
Role-based access control assigns a user’s permissions based on their role
in the organization. For example, a manager would have a different set of
rights and permissions than a team lead.

24
Q

Cameron, a security administrator, is reviewing a report that shows a
number of devices on internal networks attempting to connect with
servers in the data center network. Which of the following security
controls should Cameron add to prevent internal systems from accessing
data center devices?
❍ A. VPN
❍ B. IPS
❍ C. NAT
❍ D. ACL

A

The Answer: D. ACL
An ACL (Access Control List) is a security control commonly
implemented on routers to allow or restrict traffic flows through the
network.
The incorrect answers:
A. VPN
A VPN (Virtual Private Network) can be used to secure data traversing
the network, but it’s not commonly used to control traffic flows on an
internal network.
B. IPS
An IPS (Intrusion Prevention System) is designed to identify and block
known vulnerabilities traversing the network. An IPS is not used to
control other traffic flows.
C. NAT
NAT (Network Address Translation) is a method of modifying the source
and/or destination IP addresses of network traffic. NAT is not a security
control.

25
Q

Which of the following would be the best way to describe the estimated
number of laptops that might be stolen in a fiscal year?
❍ A. ALE
❍ B. SLE
❍ C. ARO
❍ D. MTTR

A

The Answer: C. ARO
The ARO (Annualized Rate of Occurrence) describes the number
of instances that an event would occur in a year. For example, if the
organization expects to lose seven laptops to theft in a year, the ARO for
laptop theft is seven.
The incorrect answers:
A. ALE
The ALE (Annual Loss Expectancy) is the expected cost for all events in a
single year. If it costs $1,000 to replace a single laptop (the SLE) and you
expect to lose seven laptops in a year (the ARO), the ALE for laptop theft
is $7,000.
B. SLE
SLE (Single Loss Expectancy) is the monetary loss if a single event
occurs. If one laptop is stolen, the cost to replace that single laptop is the
SLE, or $1,000.
D. MTTR
MTTR (Mean Time to Repair) is the time required to repair a product or
system after a failure.