Exam B

Question 1

A security administrator has performed an audit of the organization’s production web servers, and the results have identified default configurations, web services running from a privileged account, and inconsistencies with SSL certificates. Which would be the BEST way to resolve these issues?

Answer 1

Server hardening
Many applications and services include secure configuration guides to
assist in hardening the system. These hardening steps will make the system
as secure as possible while simultaneously allowing the application to run
efficiently.

Question 2

A shipping company stores information in small regional warehouses around the country. The company maintains an IPS at each warehouse to watch for suspicious traffic patterns. Which would BEST describe the security control used at the warehouse?

Answer 2

Detective
An IPS can detect, alert, and log an intrusion attempt. The IPS could also be categorized as a preventive control, since it has the ability to actively block known attacks.

Question 3

The Vice President of Sales has asked the IT team to create daily backups of the sales data. The Vice President is an example of a:

Answer 3

Data owner
The data owner is accountable for specific data, so this person is often a senior officer of the organization.

Question 4

A security engineer is preparing to conduct a penetration test of a third-party website. Part of the preparation involves reading through social media posts for information about this site. Which describes this practice?

Answer 4

OSINT
OSINT (Open Source Intelligence) describes the process of obtaining information from open sources such as social media sites, corporate websites, online forums, and other publicly available locations.

Question 5

A company would like to orchestrate the response when a virus is detected on company devices. Which would be the BEST way to implement this function?

Answer 5

Escalation scripting
Scripting and automation can provide methods to automate or orchestrate
the escalation response when a security issue is detected.

Question 6

A user in the accounting department has received a text message from
the CEO. The message requests payment by cryptocurrency for a recently
purchased tablet. Which of the following would BEST describe this
attack?

Answer 6

Smishing
Smishing is phishing using SMS (Short Message Service), and is more commonly referenced as text messaging. A message allegedly from the CEO asking for an unusual payments using cryptocurrency or gift cards
would be categorized as smishing.

Question 7

A company has been informed of a hypervisor vulnerability that could allow users on one virtual machine to access resources on another virtual machine. Which would BEST describe this vulnerability?

Answer 7

Escape
A VM (Virtual Machine) escape is a vulnerability that allows communication between separate VMs.

Question 8

While working from home, users are attending a project meeting over
a web conference. When typing in the meeting link, the browser is
unexpectedly directed to a different website than the web conference. Users in the office do not have any issues accessing the conference site.
Which would be the MOST likely reason for this issue?

Answer 8

DNS poisoning
An attacker with access to a DNS (Domain Name System) server can modify the DNS configuration files and redirect users to a different website. Anyone using a different DNS server may not see any problems
with connectivity to the original site.

Question 9

A company is launching a new internal application that will not start until a username and password is entered and a smart card is plugged into the computer. Which BEST describes this process?

Answer 9

Authentication
The process of proving who you say you are is authentication. In this example, the password and smart card are two factors of authentication, and both reasonably prove that the person with the login credentials is
authentic.

Question 10

An online retailer is planning a penetration test as part of their PCI DSS validation. A third-party organization will be performing the test, and the online retailer has provided the Internet-facing IP addresses for their
public web servers. No other details were provided. What penetration testing methodology is the online retailer using?

Answer 10

Partially known environment
A partially known environment test is performed when the attacker knows
some information about the victim, but not all information is available.

Question 11

A manufacturing company produces radar used by commercial and military organizations. A recently proposed policy change would allow the use of mobile devices inside the facility. Which would be the MOST significant threat vector issue associated with this change in policy?

Answer 11

Loss of intellectual property
The exfiltration of confidential information and intellectual property is relatively simple with an easily transportable mobile phone. Organizations associated with sensitive products or services must always be aware of the potential for information leaks using files, photos, or video.

Question 12

Which would be the BEST way for an organization to verify the digital signature provided by an external email server?

Answer 12

Check the DKIM record
A DKIM (Domain Keys Identified Mail) record is a DNS (Domain Name System) entry that includes the public key associated with an email server’s digital signatures. A legitimate email server will digitally sign all outgoing emails and provide the public key in their DNS for third-party validation.

Question 13

A company is using older operating systems for their web servers and are concerned of their stability during periods of high use. Which should the company use to maximize the uptime and availability of this service?

Answer 13

Load balancer
A load balancer maintains a pool of servers and can distribute the load across those devices. If a device fails, the other servers will continue to operate and provide the necessary services.

Question 14

A user in the accounting department would like to email a spreadsheet with sensitive information to a list of third-party vendors. Which would be the BEST way to protect the data in this email?

Answer 14

Asymmetric encryption
Asymmetric encryption uses a recipient’s public key to encrypt data, and this data can only be decrypted with the recipient’s private key. This encryption method is commonly used with software such as PGP or GPG.

Question 15

A system administrator would like to segment the network to give the marketing, accounting, and manufacturing departments their own private network. The network communication between departments would
be restricted for additional security. Which of the following should be configured on this network?

Answer 15

VLAN
A VLAN (Virtual Local Area Network) is a common method of using a switch to logically segment a network. The devices in each segmented VLAN can only communicate with other devices in the same VLAN. A router is used to connect VLANs, and this router can often be used to control traffic flows between the VLANs.

Question 16

A technician at an MSP has been asked to manage devices on third-party private network. The technician needs command line access to internal routers, switches, and firewalls. Which of the following would provide the necessary access?

Answer 16

Jump server
A jump server is a highly secured device commonly used to access secure areas of another network. The technician would first connect to the jump server using SSH or a VPN tunnel, and then “jump” from the jump server to other devices on the inside of the protected network. This would allow
technicians at an MSP (Managed Service Provider) to securely access devices on their customer’s private networks.

Question 17

A transportation company is installing new wireless access points in their corporate office. The manufacturer estimates the access points will operate an average of 100,000 hours before a hardware-related outage. Which describes this estimate?

Answer 17

MTBF
The MTBF (Mean Time Between Failures) is the average time expected between outages. This is usually an estimation based on the internal device components and their expected operational lifetime.

Question 18

A security administrator is creating a policy to prevent the disclosure of credit card numbers in a customer support application. Users of the application would only be able to view the last four digits of a credit card number. Which of the following would provide this functionality?

Answer 18

Masking
Data masking hides data from being viewed. The full credit card numbers are stored in a database, but only a limited view of this data is available when accessing the information from the application.

Question 19

A user is authenticating through the use of a PIN and a fingerprint. Which would describe these authentication factors?

Answer 19

Something you know, something you are A PIN (Personal Identification Number) is something you know, and a fingerprint is something you are.

Question 20

A security administrator is configuring the authentication process used by technicians when logging into wireless access points and switches. Instead of using local accounts, the administrator would like to pass all login
requests to a centralized database. Which would be the BEST way to implement this requirement?

Answer 20

AAA
Using AAA (Authentication, Authorization, and Accounting) is a common method of centralizing authentication. Instead of having separate local accounts on different devices, users can authenticate with account information maintained in a centralized database.

Question 21

A recent audit has determined that many IT department accounts have
been granted Administrator access. The audit recommends replacing these
permissions with limited access rights. Which of the following would
describe this policy?

Answer 21

Least privilege
The policy of least privilege limits the rights and permissions of a user account to only the access required to accomplish their objectives. This policy would limit the scope of an attack originating from a user in the IT department.

Question 22

A recent security audit has discovered usernames and passwords which can be easily viewed in a packet capture. Which of the following did the audit identify?

Answer 22

Insecure protocols
An insecure authentication protocol will transmit information “in the clear,” or without any type of encryption or protection.

Question 23

Before deploying a new application, a company is performing an internal audit to ensure all of their servers are configured with the appropriate security features. Which would BEST describe this process?

Answer 23

Due care
Due care describes a duty to act honestly and in good faith. Due diligence is often associated with third-party activities, and due care tends to refer to internal activities.

Question 24

An organization has previously purchased insurance to cover a ransomware attack, but the costs of maintaining the policy have increased above the acceptable budget. The company has now decided to cancel the insurance policies and address potential ransomware issues internally. Which would best describe this action?

Answer 24

Acceptance
Risk acceptance is a business decision that places the responsibility of the risky activity on the organization itself.

Question 25

Which of these threat actors would be MOST likely to install a
company’s internal application on a public cloud provider?

Answer 25

Shadow IT
Shadow IT is an internal organization within the company but is not part of the IT department. Shadow IT often circumvents or ignores existing IT policies to build their own infrastructure with company resources.

Question 26

An IPS report shows a series of exploit attempts were made against externally facing web servers. The system administrator of the web servers has identified a number of unusual log entries on each system. Which would be the NEXT step in the incident response process?

Answer 26

Disconnect the web servers from the network
The unusual log entries on the web server indicate that the system may have been exploited. In that situation, the servers should be contained to prevent all connectivity to those systems.

Question 27

A security administrator is viewing the logs on a laptop in the shipping and receiving department and identifies these events:
8:55:30 AM | D:\Downloads\ChangeLog-5.0.4.scr | Quarantine Success
9:22:54 AM | C:\Program Files\Photo Viewer\ViewerBase.dll | Quarantine Failure
9:44:05 AM | C:\Sales\Sample32.dat | Quarantine Success

Which would BEST describe the circumstances surrounding these events?

Answer 27

The antivirus application identified three viruses and
quarantined two viruses

The logs are showing the name of files on the local device and a quarantine disposition, which indicates that two of the files were moved (quarantined) to a separate area of the drive. This will prevent the malicious files from executing and will safely store the files for any future investigation. The second file in the list failed the quarantine process, and was most likely because the library was already in use by the operating system and could not be moved.

Question 28

In the past, an organization has relied on the curated Apple App Store to avoid issues associated with malware and insecure applications. However, the IT department has discovered an iPhone in the shipping department
with applications not available on the Apple App Store. How did the shipping department user install these apps on their mobile device?

Answer 28

Side loading
If Apple’s iOS has been circumvented using jailbreaking, a user can install apps without using the Apple App Store. Circumventing a curated app store to install an app manually is called side loading.

Question 28

A company has noticed an increase in support calls from attackers. These attackers are using social engineering to gain unauthorized access to customer data. Which would be the BEST way to prevent these attacks?

Answer 28

User training
Many social engineering attacks do not involve technology, so the best way to prevent the attack is to properly train users to watch for these techniques.

Question 29

As part of an internal audit, each department of a company has been asked to compile a list of all devices, operating systems, and applications in use. Which would BEST describe this audit?

Answer 29

Self-assessment
A self-assessment describes an organization performing their own security checks.

Question 30

A company is concerned about security issues at their remote sites. Which would provide the IT team with more information of potential shortcomings?

Answer 30

Gap analysis
A gap analysis is a formal process comparing the current security posture with where the company would like to be. This often examines many different aspects of the overall security environment.

Question 31

An attacker has identified a number of devices on a corporate network with the username of “admin” and the password of “admin.” Which of the following describes this situation?

Answer 31

Default credentials
When a device is first installed, it will often have a default set of credentials such as admin/password or admin/admin. If these default credentials are never changed, they would allow access by anyone who knows the default configuration.

Question 32

A security administrator attends an annual industry convention with other security professionals from around the world. Which attack would be MOST likely in this situation?

Answer 32

Watering hole
A watering hole attack infects a third-party visited by the intended victims. An industry convention would be a perfect location to attack security professionals.

Question 33

A transportation company headquarters is located in an area with frequent power surges and outages. The security administrator is concerned about the potential for downtime and hardware failures. Which would provide the most protection against these issues? Select TWO.
❍ A. UPS
❍ B. Parallel processing
❍ C. Snapshots
❍ D. Multi-cloud system
❍ E. Load balancing
❍ F. Generator

Answer 33

A. UPS and F. Generator
A UPS (Uninterruptible Power Supply) can provide backup power for a limited time when the main power source is unavailable, and a generator can maintain uptime as long as a fuel source is available.

Question 34

An organization has developed an in-house mobile device app for order processing. The developers would like the app to identify revoked server certificates without sending any traffic over the corporate Internet
connection. Which must be configured to allow this functionality?

Answer 34

OCSP stapling
The use of OCSP (Online Certificate Status Protocol) requires communication between the client and the issuing CA (Certificate Authority). If the CA is an external organization, then validation checks will communicate across the Internet. The certificate holder can verify
their own status and avoid client Internet traffic by storing the status information on an internal server and “stapling” the OCSP status into the SSL/TLS handshake.

Question 35

A security administrator has been asked to build a network link to secure all communication between two remote locations. Which would be the best choice for this task?

Answer 35

IPsec
IPsec (Internet Protocol Security) is commonly used to create a VPN (Virtual Private Network) protected tunnel between devices or locations.

Question 36

A Linux administrator has received a ticket complaining of response issues with a database server. After connecting to the server, the administrator views this information:

Filesystem Size Used Avail Use% Mounted on
/dev/xvda1 158G 158G 0 100% /

Which would BEST describe this information?

Answer 36

Resource consumption
The available storage on the local filesystem has been depleted, and the information shows 0 bytes available. More drive space would need to be available for the server to return to normal response times.

Question 37

Which of the following can be used for credit card transactions from a mobile device without sending the actual credit card number across the network?

Answer 37

Tokenization
Tokenization replaces sensitive data with a non-sensitive placeholder. Tokenization is commonly used for NFC (Near-Field Communication) payment systems, and sends a single-use token across the network instead
of the actual credit card information.

Question 38

A security administrator receives a report each week showing a Linux vulnerability associated with a Windows server. Which would prevent this information from appearing in the report?

Answer 38

Alert tuning
Our monitoring systems are not always perfect, and many require ongoing tuning to properly configure alerts and notifications of important events.

Question 39

Which would a company use to calculate the loss of a business activity if a vulnerability is exploited?

Answer 39

Exposure factor
An exposure factor describes a loss of value to the organization. For example, a network throughput issue might limit access to half of the users, creating a 50% exposure factor. A completely disabled service would
calculated as a 100% exposure factor.

Question 40

An administrator is designing a network to be compliant with a security standard for storing credit card numbers. Which would be the BEST choice to provide this compliance?

Answer 40

Perform regular audits and vulnerability scans
A focus of credit card storage compliance is to keep credit card information private. The only option matching this requirement is scheduled audits and ongoing vulnerability scans.

Question 41

A company is accepting proposals for an upcoming project, and one of the responses is from a business owned by a board member. Which would describe this situation?

Answer 41

Conflict of interest
A conflict of interest occurs when a personal interest in a business transaction could compromise the judgment of the people involved.
Personal and family relationships between organizations may potentially be a conflict of interest.

Question 42

A company has rolled out a new application that requires the use of a hardware-based token generator. Which would be the BEST description of this access feature?

Answer 42

Something you have
The use of the hardware token generator requires the user be in possession of the device during the login process.

Question 43

A company has signed an SLA with an Internet service provider. Which would BEST describe the requirements of this SLA?

Answer 43

The service provider will provide 99.99% uptime
An SLA (Service Level Agreement) is a contract specifying the minimum terms for provided services. It’s common to include uptime, response times, and other service metrics in an SLA.

Question 44

An attacker has created multiple social media accounts and is posting information in an attempt to get the attention of the media. Which would BEST describe this attack?

Answer 44

Misinformation campaign
Misinformation campaigns are carefully crafted attacks that exploit social media and traditional media.

Question 45

Which would be the BEST way to protect credit card account information when performing real-time purchase authorizations?

Answer 45

Tokenization
Tokenization is a technique that replaces user data with a non-sensitive placeholder, or token. Tokenization is commonly used on mobile devices during a purchase to use a credit card without transmitting the physical
credit card number across the network.

Question 46

A company must comply with legal requirements for storing customer data in the same country as the customer’s mailing address. Which would describe this requirement?

Answer 46

Data sovereignty
Data sovereignty laws can mandate how data is handled and stored. Data residing in a country is usually subject to the laws of that country, and compliance regulations may not allow the data to be moved outside of the
country.

Question 47

A company is installing access points in all of their remote sites. Which would provide confidentiality for all wireless data?

Answer 47

WPA3
WPA3 (Wi-Fi Protected Access 3) is an encryption protocol used on wireless networks. All data sent over a WPA3-protected wireless network will be encrypted.

Question 48

A security administrator has found a keylogger installed in an update
of the company’s accounting software. Which of the following would
prevent the transmission of the collected logs?

Answer 48

Block all unknown outbound network traffic at the
Internet firewall
Keylogging software has two major functions; record user input, and transmit that information to a remote location. Local file scanning and software best-practices can help prevent the initial installation, and controlling outbound network traffic can block unauthorized file transfers.

Question 49

A user in the marketing department is unable to connect to the wireless network. After authenticating with a username and password, the user receives this message:
– – –
The connection attempt could not be completed.
The Credentials provided by the server could not be validated.
Radius Server: radius.example.com
Root CA: Example.com Internal CA Root Certificate
– – –
The access point is configured with WPA3 encryption and 802.1X authentication.

Answer 49

The client computer does not have the proper
certificate installed
The error message states that the server credentials could not be validated. This indicates that the certificate authority that signed the server’s certificate is either different than the CA certificate installed on the client’s workstation, or the client workstation does not have an installed copy of the CA’s certificate. This validation process ensures that the client is communicating to a trusted server and there are no on-path attacks occurring.

Question 50

A security administrator has created a new policy prohibiting the use of MD5 hashes due to collision problems. Which describes the reason for this new policy?

Answer 50

Two different messages share the same hash
A well-designed hashing algorithm will create a unique hash value for every possible input. If two different inputs create the same hash, the hash algorithm has created a collision.

Question 51

A security administrator has been tasked with hardening all internal web servers to control access from certain IP address ranges and ensure all transferred data remains confidential. Which should the administrator include in his project plan? (Select TWO)
❍ A. Change the administrator password
❍ B. Use HTTPS for all server communication
❍ C. Uninstall all unused software
❍ D. Enable a host-based firewall
❍ E. Install the latest operating system update

Answer 51

B. Use HTTPS for all server communication, and
D. Enable a host-based firewall
Using the secure HTTPS (Hypertext Transfer Protocol Secure) protocol will ensure that all network communication is encrypted between the web
server and the client devices. A host-based firewall can be used to allow or disallow traffic from certain IP address ranges.

Question 52

A security administrator has identified the installation of ransomware on a database server and has quarantined the system. Which should be followed to ensure that the integrity of the evidence is maintained?

Answer 52

Chain of custody
A chain of custody is a documented record of the evidence. The chain of custody also documents the interactions of every person who comes into contact with the evidence to maintain the integrity.

Question 53

Which would be the BEST option for application testing in an environment completely separated from the production network?

Answer 53

Air gap
An air gapped network removes all connectivity between components and ensures there would be no possible communication path between the test network and the production network.

Question 54

Which describes the process of hiding data from others by embedding the data inside of a different media type?

Answer 54

Obfuscation
Obfuscation is the process of taking something normally understandable and making it very difficult to understand or to be seen. One common obfuscation method used by steganography is to embed a document
within an image file.

Question 55

A security engineer is planning the installation of a new IPS. The network must remain operational if the IPS is turned off or disabled. Which would describe this configuration?

Answer 55

Fail open
An IPS (Intrusion Prevention System) designed to fail open will maintain network connectivity during an outage or failure of the IPS. Even if the IPS was not actively preventing an intrusion, the network would still be up and running.

Question 56

Which vulnerability would be the MOST significant security concern when protecting against a hacktivist?

Answer 56

Lack of patch updates on an Internet-facing
database server
One of the easiest ways for a third-party to obtain information is through an existing Internet connection. A hacktivist could potentially exploit an unpatched server to obtain unauthorized access to the operating system
and data.

Question 57

A company is installing a security appliance to protect the organization’s web-based applications from attacks such as SQL injections and unexpected input. Which would BEST describe this appliance?

Answer 57

WAF
A WAF (Web Application Firewall) is designed as a firewall for web-based applications. WAFs are commonly used to protect against application attacks such as injections, cross-site scripting, and invalid input types.

Question 58

A system administrator is implementing a password policy that would require letters, numbers, and special characters to be included in every password. Which controls MUST be in place to enforce
this password policy?

Answer 58

Complexity
Adding different types of characters to a password requires technical controls that increase password complexity.

Question 59

Which would be the BEST way to determine if files have been modified after the forensics data acquisition process has occurred?

Answer 59

Create a hash of the data
A hash creates a unique value and can be quickly validated at any time in the future. If the hash value changes, then the data must have also changed.

Question 60

Which would a company follow to deploy a weekly operating system patch?

Answer 60

Change management
Change management is a formal process used to control and manage any changes to hardware, software, or any other part of the IT infrastructure.

Question 61

Which would be the MOST likely result of plaintext application communication?

Answer 61

Replay attack
To perform a replay attack, the attacker needs to capture the original non-encrypted content. If an application is not using encrypted communication, the data capture process is a relatively simple process for the attacker.

Question 62

A system administrator believes that certain configuration files on a Linux server have been modified from their original state. The administrator has reverted the configurations to their original state, but he would like to be notified if they are changed again. Which would be the BEST way to provide this functionality?

Answer 62

File integrity monitoring
File integrity monitoring software (i.e., Tripwire, System File Checker, etc.) can be used to alert if the contents of a file are modified.

Question 63

A security administrator is updating the network infrastructure to support 802.1X. Which would be the BEST choice for this configuration?

Answer 63

LDAP
802.1X is a standard for authentication, and LDAP (Lightweight Directory Access Protocol) is a common protocol used for centralized authentication. Other protocols such as RADIUS, TACACS+, or Kerberos
would also be options for 802.1X authentication.

Question 64

A company owns a time clock appliance, but the time clock doesn’t provide any access to the operating system and it doesn’t provide a method to upgrade the firmware. Which describes this appliance?

Answer 64

Embedded system
An embedded system often does not provide access to the OS and may not provide a method of upgrading the system firmware.

Question 65

A company has deployed laptops to all employees, and each laptop is enumerated during each login. Which is supported with this configuration?

Answer 65

If the laptop hardware is modified, the security team
is alerted
The enumeration process identifies and reports on the hardware and software installed on the laptop. If this configuration is changed, an alert can be generated.

Question 66

A security manager believes that an employee is using their laptop to circumvent the corporate Internet security controls through the use of a cellular hotspot. Which of the following could be used to validate this belief? (Select TWO)
❍ A. HIPS
❍ B. UTM logs
❍ C. Web application firewall events
❍ D. Host-based firewall logs
❍ E. Next-generation firewall logs

Answer 66

A. HIPS and D. Host-based firewall logs
If the laptop is not communicating across the corporate network, then the only evidence of the traffic would be contained on the laptop itself.
A HIPS (Host-based Intrusion Prevention System) logs and host-based firewall logs may contain information about recent traffic flows to systems outside of the corporate network.

Question 67

An application developer is creating a mobile device app that will require a true random number generator real-time memory encryption. Which technologies would be the BEST choice for this app?

Answer 67

Secure enclave
A secure enclave describes a hardware processor designed for security. The secure enclave monitors the boot process, create true random numbers, store root cryptography keys, and much more.

Question 68

Which would be a common result of a successful
vulnerability scan?

Answer 68

A list of missing software patches
A vulnerability scan can identify vulnerabilities and list the patches associated with those vulnerabilities.

Question 69

When connected to the wireless network, users at a remote site receive an IP address which is not part of the corporate address scheme. Communication over this network is also slower than the wireless connections elsewhere in the building. Which would be the MOST likely reason for these issues?

Answer 69

Rogue access point
A rogue access point is an unauthorized access point added by a user or attacker. This access point may not necessarily be malicious, but it does create significant security concerns and unauthorized access to the
corporate network.

Question 70

A company has identified a compromised server, and the security team would like to know if an attacker has used this device to move between systems. Which would be the BEST way to provide this nformation?

Answer 70

NetFlow logs
NetFlow information can provide a summary of network traffic, application usage, and details of network conversations. The NetFlow logs will show all conversations from this device to any others in the network.

Question 71

A system administrator has protected a set of system backups with an encryption key. The system administrator used the same key when restoring files from this backup. Which would BEST describe this encryption type?

Answer 71

Symmetric
Symmetric encryption uses the same key for both encryption and decryption.

Question 72

A new malware variant takes advantage of a vulnerability in a popular email client. Once installed, the malware forwards all email attachments with credit card information to an external email address. Which would limit the scope of this attack?

Answer 72

Scan outgoing traffic with DLP
DLP (Data Loss Prevention) systems are designed to identify sensitive data transfers. If the DLP finds a data transfer with financial details, personal information, or other private information, the DLP can block the data transfer.

Question 73

An organization has identified a security breach and has removed the affected servers from the network. Which is the NEXT step in the incident response process?

Answer 73

Eradication
The incident response process is preparation, detection, analysis, containment, eradication, recovery, and lessons learned. Once a system has been contained, any malware or breached user accounts should be removed
from the system.

Question 74

A security administrator has been tasked with storing and protecting customer payment and shipping information for a three-year period. Which would describe the source of this data?

Answer 74

Controller
A data controller manages the processing of the data. A payroll department would be an example of a data controller.

Question 75

Which of the following would be the main reasons why a system administrator would use a TPM when configuring full disk encryption? (Select TWO)
❍ A. Allows the encryption of multiple volumes
❍ B. Uses burned-in cryptographic keys
❍ C. Stores certificates in a hardware security module
❍ D. Maintains a copy of the CRL
❍ E. Includes built-in protections against brute-force attacks

Answer 75

B. Uses burned-in cryptographic keys and
E. Includes built-in protections against brute-force attacks
A TPM (Trusted Platform Module) is part of a computer’s motherboard, and it’s specifically designed to assist and protect with cryptographic functions. Full disk encryption (FDE) can use the burned-in TPM keys to verify the local device hasn’t changed, and there are security features in
the TPM to prevent brute-force or dictionary attacks against the full disk encryption login credentials.

Question 76

A security administrator is using an access control where each file or folder is assigned a security clearance level, such as “confidential” or “secret.” The security administrator then assigns a maximum security level to each user. What type of access control is used in this network?

Answer 76

Mandatory
Mandatory access control uses a series of security levels (i.e., public, private, secret) and assigns those levels to each object in the operating system. Users are assigned a security level, and they would only have access to objects that meet or are below that assigned security level.

Question 77

A security administrator is reviewing a report showing a number of devices on internal networks are connecting with servers in the data center network. Which security system should be added to prevent internal systems from accessing data center devices?

Answer 77

ACL
An ACL (Access Control List) is a security control commonly implemented on routers to allow or restrict traffic flows through the network.

Question 78

A financial services company is headquartered in an area with a high occurrence of tropical storms and hurricanes. Which would be MOST important when restoring services disabled by a storm?

Answer 78

Disaster recovery plan
A disaster recovery plan is a comprehensive set of processes for large-scale outages that affect the organization. Natural disasters, technology failures,
and human-created disasters would be reasons to implement a disaster recovery plan.

Question 79

A user in the mail room has reported an overall slowdown of his shipping management software. An anti-virus scan did not identify any issues, but a more thorough malware scan identified a kernel driver which is not part of the original operating system installation. Which malware was installed on this system?

Answer 79

Rootkit
A rootkit often modifies core system files and becomes effectively invisible to the rest of the operating system. The modification of system files and specialized kernel-level drivers are common rootkit techniques.

Question 80

A virus scanner has identified a macro virus in a word processing file attached to an email. Which information could be obtained from the metadata of this file?

Answer 80

Date and time when the file was created
The data and time the file was created is commonly found in the metadata of the document.

Question 81

When a person enters a data center facility, they must check-in before they are allowed to move further into the building. People who are leaving must be formally checked-out before they are able to exit the building.
Which would BEST facilitate this process?

Answer 81

Access control vestibule
An access control vestibule is commonly used to control the flow of people through a particular area. Unlocking the one door of the vestibule commonly restricts the other door from opening, thereby preventing someone from walking through without stopping. It’s common in large data centers to have a single room as the access control vestibule where users are checked in and out of the facility.

Question 82

A security administrator has discovered an employee exfiltrating confidential company information by embedding data within image files and emailing the images to a third-party. Which would best describe this activity?

Answer 82

Steganography
Steganography is the process of hiding information within another document. For example, one common method of steganography embeds data or documents within image files.

Question 83

A third-party has been contracted to perform a penetration test on a company’s public web servers. The testing company has been provided with the external IP addresses of the servers. Which would describe this scenario?

Answer 83

Partially known environment
A partially known environment provides limited information about the testing systems and networks during a penetration test.

Question 84

Which would be the best way to describe the estimated number of laptops that might be stolen in a fiscal year?

Answer 84

ARO
The ARO (Annualized Rate of Occurrence) describes the number of instances estimated to occur in a year. For example, if the organization expect to lose seven laptops to theft in a year, the ARO for laptop theft is seven.