Exam Questions Flashcards
Tom is preparing to build a credit card processing system. As he creates his design, he realizes that the operating environment will not allow him to include one of the PCI DSS required elements. What type of control should Tom discuss implementing?
A. Technical control
B. Operational control
C. Administrative control
D. Compensating control
Answer:
D. Compensating controls are used to fulfill the same control objective as a required control when it is not feasible to implement that required control. The scenario describes a need for a compensating control. This control may be technical, operational, and/or administrative in nature.
Shane administers a Linux server running Apache. During the middle of his workday, tweets start to appear in his Twitter feed about compromises of Apache servers due to a flaw that had not been previously reported. What type of threat is this?
A. A local exploit
B. Advanced persistent threat
C. A zero-day exploit
D. A zero-knowledge threat
Answer:
C. A zero-day exploit takes advantage of a vulnerability for which no patch or public disclosure existed when the attack began: defenders have had zero days to respond. The Apache flaw Shane reads about was unreported until it was already being exploited, which fits that definition. A local exploit describes where the attacker must be, not how new the flaw is, and an advanced persistent threat describes an attacker, not a single vulnerability.
Juan is analyzing systems on his network for known indicators of compromise. What term best describes the work he is performing?
A. Threat hunting
B. Vulnerability scanning
C. Intrusion prevention
D. Data mining
Answer:
A. Threat hunting activities presume that a compromise may already have taken place and search for indicators of that compromise. Vulnerability scanning activities probe systems for known vulnerabilities rather than for evidence of an attacker. Juan's activity could be described as intrusion detection, but not as intrusion prevention, because he is not taking any action to block attacks. Data mining is a generic term for extracting patterns from large data sets, often in machine learning contexts, and Juan is not leveraging it in this work.
Which one of the following controls may be used to attract the attention of intruders who gain access to a network segment so that they are distracted from high-value targets and may be monitored?
A. MAC
B. Honeypot
C. Intrusion prevention system
D. Rogue AP
Answer:
B. Honeypots are decoy systems used to attract the attention of intruders so that they may be monitored in a controlled environment. Mandatory access controls (MACs) are used to enforce system security policies. Intrusion prevention systems are designed to detect and block malicious activity. Rogue access points provide an unauthorized means of wireless access.
While engaging in an attack, the attacker sends an email message to the targeted victim that contains malicious software as an attachment. What phase of the Cyber Kill Chain is occurring?
A. Weaponization
B. Delivery
C. Action on Objectives
D. Reconnaissance
Answer:
B. This is an example of delivering the payload to the victim, so it is from the Delivery stage of the Cyber Kill Chain.
Betsy receives many requests from IT staff members for remote access to internal systems through the DMZ. What type of system might Betsy place in the DMZ to accommodate these requests?
A. Jump box
B. Virtual machine
C. Honeypot
D. Firewall
Answer:
A. A jump box is a system designed to accept remote connection requests and act as an intermediary between those remote systems and local hosts. Virtual machines, honeypots, and firewalls may all exist in the DMZ but do not have the express purpose of providing remote administrative access.
Karen is configuring the host firewall on a web server that allows both encrypted and unencrypted web connections. It also must allow SSH access for users to securely drop off files. Which one of the following ports should not be open on the host firewall?
A. 22
B. 80
C. 443
D. 1433
Answer:
D. Port 1433 is used for Microsoft SQL Server and should not be exposed on a web server. Ports 80 and 443 are required for HTTP and HTTPS connectivity, and port 22 carries SSH, which also provides the SFTP and SCP file transfers the users need for dropping off files.
Jacob has been tasked with using NetFlow to monitor network traffic flows in his organization, but the systems he is using are unable to keep up with the volume of data. What is his best option to deal with the traffic without adding new hardware while retaining visibility into the entire network?
A. Switch to RMON monitoring
B. Use flow sampling
C. Decrease the number of flows allowed for each user
D. Use packet shaping to reduce traffic rates to one that the flow collector can keep up with
Answer:
B. Sampling is often used to retain flow visibility while reducing the overall flow rates to a reasonable level. Rates of 1:10, 1:100, or 1:1000 can significantly decrease the load that flows create while providing useful visibility. RMON does not provide visibility into flow data. Decreasing the number of flows per user would require reducing users’ ability to use the network, much like using packet shaping to reduce traffic rates would cause the network to be less usable—not a desirable option in almost any network!
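The trade-off described in the answer above can be seen directly by applying 1:N sampling to a set of flows. The following script is an added example, not code from the original page or from any flow exporter; the traffic (addresses from RFC 5737 documentation ranges, packet counts and sizes) is constructed for the example, and the fixed sampling offset is a simplification, since real exporters randomise it.

```python
"""Added example: effect of 1:N packet sampling on per-flow visibility.

Constructed traffic: (flow key, packet count, bytes per packet).
A bulk HTTPS download, a three-packet DNS exchange and an SSH session.
"""
from collections import defaultdict

TRAFFIC = [
    ("192.0.2.10:443 -> 198.51.100.7:51000", 5050, 1400),  # bulk HTTPS download
    ("198.51.100.7:53 -> 192.0.2.10:40001", 3, 120),       # short DNS exchange
    ("203.0.113.9:22 -> 198.51.100.7:52222", 2000, 200),   # SSH session
]


def expand_packets(traffic):
    """Turn flow summaries into an ordered list of (flow_key, size) packets."""
    packets = []
    for key, count, size in traffic:
        packets.extend([(key, size)] * count)
    return packets


def systematic_sample(packets, rate, offset=0):
    """Keep one packet in every `rate` packets, starting at `offset`.

    Real exporters randomise the offset; a fixed offset keeps this run
    deterministic (assumption made for the example).
    """
    return packets[offset::rate]


def estimate_flows(sampled, rate):
    """Scale sampled counts by the rate to estimate per-flow packets and bytes."""
    est = defaultdict(lambda: {"packets": 0, "bytes": 0})
    for key, size in sampled:
        est[key]["packets"] += rate
        est[key]["bytes"] += size * rate
    return dict(est)


def true_flows(traffic):
    """Exact per-flow totals, for comparison with the sampled estimate."""
    return {key: {"packets": count, "bytes": count * size}
            for key, count, size in traffic}


def compare(traffic, rate, offset=0):
    """Sample the traffic at 1:rate and return load reduction plus estimates."""
    packets = expand_packets(traffic)
    sampled = systematic_sample(packets, rate, offset)
    return {
        "records_in": len(packets),
        "records_out": len(sampled),
        "estimate": estimate_flows(sampled, rate),
        "truth": true_flows(traffic),
    }


if __name__ == "__main__":
    for rate in (1, 10, 100, 1000):
        r = compare(TRAFFIC, rate)
        print(f"1:{rate}: {r['records_in']} packets -> {r['records_out']} samples")
        for key, truth in r["truth"].items():
            est = r["estimate"].get(key, {"packets": 0, "bytes": 0})
            print(f"  {key:38s} true={truth['packets']:5d} pkts "
                  f"est={est['packets']:5d} pkts")
```

At 1:100 the collector sees 71 samples instead of 7053 packets and still estimates the large HTTPS and SSH flows to within a few percent, but the three-packet DNS exchange vanishes entirely; at 1:10 it is seen and overestimated as ten packets. Small, short flows (beaconing, a single scan probe) are exactly what sampling hides, so the rate should be chosen with those detections in mind.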
Brooke is helping her organization implement a new cloud service. She is configuring the operating system on a server built in the cloud provider’s environment. What cloud service model is in use?
A. PaaS
B. FaaS
C. SaaS
D. IaaS
Answer:
D. Infrastructure as a service (IaaS) is the only cloud service model where customers would configure operating systems themselves. In platform as a service (PaaS), function as a service (FaaS), and software as a service (SaaS) models, the cloud service provider is responsible for operating system configuration.
Barry joins a hotel wireless network and opens a web browser. No matter which page he visits, he is redirected to a web page requesting him to provide his name and room number. What type of network access control is the hotel using?
A. In-band
B. Out-of-band
C. 802.1x
D. Agent-based
Answer:
A. This is an example of a captive portal network access control (NAC) solution, which is an in-band NAC because the enforcement point sits in the traffic path between Barry and the Internet. Out-of-band solutions, such as 802.1X, enforce access at the network switch, so Barry's system would have to authenticate to the switch rather than be redirected. Agent-based solutions would require the installation of software on Barry's computer.
Charles has been asked to secure the wired network in a suite of offices that will temporarily be used by a visiting team from another company. If he wants to continue to allow members of his own team to use the network jacks, what technical means can he use to do this while also verifying the security posture of the systems that connect?
A. NAC
B. MAC filtering
C. Port security
D. HIPS
Answer:
A. A network access control (NAC) system can allow Charles to require network authentication while performing security posture assessments on the systems that connect. This will allow his team to authenticate and use the network if they have secure systems.
Which one of the following components is built into most modern computer systems and is used to store disk encryption keys?
A. HSM
B. Trusted foundry
C. Root of trust
D. TPM
Answer:
D. The Trusted Platform Module (TPM) is a hardware chip found inside most modern computers that is used to store disk encryption keys. Hardware security modules (HSMs) also store encryption keys, but they are dedicated, costly devices. Trusted foundries are trusted sources for hardware, and the root of trust is a concept used to describe how trust flows through the components of a secure system.
Which media disposition is typically the most expensive option from NIST’s options in NIST SP 800-88?
A. Clearing
B. Purging
C. Destruction
D. Obliteration
Answer:
C. Destruction is both the most effective and the costliest option identified in the NIST Guidelines for Media Sanitization. Clearing applies logical techniques, such as overwriting, to all user-addressable storage locations, and purging applies techniques such as cryptographic erase or degaussing that resist laboratory recovery; both are cheaper and easier to perform than physical destruction. Obliteration is not an option in the NIST listing.
What type of firewall is able to incorporate contextual information about the user and application when making permit/deny decisions?
A. NGFW
B. Perimeter firewall
C. Stateful inspection
D. Packet filter
Answer:
A. Next-generation firewalls (NGFWs) are able to incorporate contextual information about a connection attempt when making access control decisions. This capability is not available in packet filters or stateful inspection firewalls. While an NGFW may be a perimeter firewall, not all perimeter firewalls have next-generation capabilities.
During a network attack simulation exercise, which team is responsible for securing the targeted environment?
A. Red
B. White
C. Blue
D. Black
Answer:
C. During a network attack simulation, the blue team is responsible for securing the targeted environment and keeping the attacking (red) team out. The white team serves as referees. There is no black team during a network attack simulation.
Laura is investigating a potential security breach within her organization. She believes that an attacker stole a file containing employee information. Which information security tenet would this attack violate?
A. Confidentiality
B. Integrity
C. Availability
D. Nonrepudiation
Answer:
A. The three pillars of information security are confidentiality, integrity, and availability. Attacks against confidentiality seek to disclose sensitive information. Attacks against integrity seek to alter information in an unauthorized manner. Attacks against availability seek to prevent legitimate use of information or systems.
Which of the following incident response activities should not happen during the eradication phase of incident response?
A. Sanitization
B. Reconstruction/re-imaging
C. Secure disposal
D. Segmentation
Answer:
D. Segmentation occurs in the containment phase in the CompTIA incident response process. Bear in mind that CompTIA’s incident response process differs from the NIST standard, and places sanitization, reconstruction/re-imaging, and secure disposal in the eradication and recovery phase.
Karen is conducting a risk analysis for her organization and identifies that one potential threat is a widespread power outage that disrupts service to her organization’s datacenters. How should Karen classify this threat?
A. Accidental
B. Adversarial
C. Structural
D. Environmental
Answer:
D. Environmental threats are natural disasters and failures of critical infrastructure outside the organization's control, such as a regional power outage. Accidental threats occur when an inadvertent action jeopardizes security. Adversarial threats occur when someone is actively seeking to attack the organization. Structural threats are failures of the organization's own equipment, software, or environmental controls, for example through aging hardware or exhaustion of available resources.
Which of the following is not a law?
A. HIPAA
B. PCI DSS
C. FERPA
D. SOX
Answer:
B. PCI DSS is an information security standard required by major payment card brands for organizations that use their cards. HIPAA, SOX, and FERPA are all U.S. laws.
Which of the following is not typically involved in the initial phases of a CSIRT activation?
A. Technical staff
B. CSIRT leader
C. Law enforcement
D. First responder
Answer:
C. For most organizations, CSIRT activities initially involve internal resources. Law enforcement is involved only when it is believed that a crime has been committed, requiring participation of law enforcement officers.
Which one of the following activities would not normally occur during the attack phase of a penetration test?
A. System browsing
B. Network reconnaissance
C. Escalating privileges
D. Gaining access
Answer:
B. Network reconnaissance normally takes place during the discovery phase of a penetration test. The attack phase consists of gaining access, escalating privileges, system browsing, and installing additional tools.
Bob is evaluating the risk to his organization from advanced persistent threat (APT) attackers. He assesses the likelihood of this risk occurring to be medium and the impact high. How would this risk be categorized under most organizations’ risk evaluation matrices?
A. Low risk
B. Moderate risk
C. Semi-moderate risk
D. High risk
Answer:
D. Under the risk management matrix used by most organizations, a risk with a medium likelihood and high impact would be considered a high risk.
Which of the following is not a common network issue?
A. Bandwidth consumption
B. Beaconing
C. Link aggregation
D. Unexpected traffic
Answer:
C. Bandwidth consumption, beaconing, and unexpected traffic are all common network issues that you should monitor for. Link aggregation refers to combining links to create a higher throughput link.
Richard wants to build DDoS detection capability into his network. Which of the following tools is not appropriate for that task?
A. Network bandwidth monitoring tools
B. IPS
C. Active performance monitoring tools
D. Network fuzzers
Answer:
D. Distributed denial-of-service (DDoS) attacks can be detected in many ways, including use of SIEM devices, IDSs and IPSs, network bandwidth and connection monitoring tools, and performance monitoring utilities. Fuzzers are used to send unexpected data to applications and won’t help detect a DDoS.
Which one of the following technologies is commonly used to integrate software as a service (SaaS) productivity platforms?
A. API
B. SOAR
C. SCAP
D. CI/CD
Answer:
A. Application programming interfaces (APIs) are used to programmatically integrate systems, including SaaS platforms. Security orchestration, automation, and response (SOAR) does integrate systems but specifically in the security, not productivity, space. The Security Content Automation Protocol (SCAP) also is used to integrate security, not productivity, systems. Continuous integration/continuous delivery (CI/CD) is an operational philosophy and not a specific technology.
What concern may make active monitoring less attractive in some heavily used networks?
A. Active monitoring can’t monitor busy networks.
B. Active monitoring bypasses IPSs.
C. Active monitoring consumes additional bandwidth.
D. Active monitoring requires SNMP to be enabled.
Answer:
C. Although the bandwidth used for active monitoring is typically relatively low, it does add to the total network traffic load. If the monitoring traffic is not prioritized, information is available less quickly than desired, and if it is prioritized, it may compete with other important traffic.
Which one of the following analysis techniques requires samples of known malicious activity to identify future instances of the same activity?
A. Signature analysis
B. Trend analysis
C. Behavioral analysis
D. Anomaly analysis
Answer:
A. Signature analysis uses a fingerprint or signature to detect threats or other events. This means that a signature has to exist before it can be detected, but if the signature is well designed, it can reliably detect the specific threat or event.
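Signature analysis is easiest to understand by running a small detector over some traffic. The following script is an added example, not code from the original page or from any real IDS; the request lines are constructed for the example and the three signatures are simplified patterns written from well-known attack forms (a Shellshock-style CGI header, a UNION-based SQL injection and a directory traversal).

```python
"""Added example: a minimal signature-based detector over constructed request lines.

Each signature is a pattern derived from a previously observed attack sample,
which is exactly the dependency the flashcard answer describes.
"""
import re

# Signatures written from known malicious samples (simplified for the example).
SIGNATURES = {
    "shellshock-cgi": re.compile(r"\(\)\s*\{\s*:;\s*\};"),
    "sqli-union-select": re.compile(r"union\s+select", re.IGNORECASE),
    "path-traversal": re.compile(r"(\.\./){2,}"),
}

# Constructed request lines; none come from a real capture.
SAMPLE_REQUESTS = [
    'GET /index.html HTTP/1.1 User-Agent: Mozilla/5.0',
    'GET /cgi-bin/status HTTP/1.1 User-Agent: () { :;}; /bin/bash -c "id"',
    "GET /search?q=1' UNION SELECT username,password FROM users-- HTTP/1.1",
    "GET /search?q=1' UNION/**/SELECT username,password FROM users-- HTTP/1.1",
    "GET /download?file=../../../../etc/passwd HTTP/1.1",
]


def scan(lines, signatures=SIGNATURES):
    """Return (line number, signature name) for every signature that matches."""
    hits = []
    for number, line in enumerate(lines, start=1):
        for name, pattern in signatures.items():
            if pattern.search(line):
                hits.append((number, name))
    return hits


if __name__ == "__main__":
    for number, name in scan(SAMPLE_REQUESTS):
        print(f"line {number}: {name}")
```

Lines 2, 3 and 5 are reported; line 4 is the same SQL injection with the whitespace replaced by an inline comment, and because that variant was never part of the signature, it passes undetected. That is the limitation behind the answer: a signature detects precisely what has been seen before, and a trivial mutation requires a new signature.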
Fiona is investigating the misuse of her company’s network and needs to capture network traffic for analysis. She wants to use a dedicated open source tool that is designed for packet capture and analysis. Which one of the following tools best meets her needs?
A. Nessus
B. Nmap
C. Wireshark
D. Nikto
Answer:
C. Wireshark is an open source protocol analyzer that can capture network traffic and save it in a standard format for later analysis. Nessus is a vulnerability scanner and Nmap is a port scanner and network mapper; neither is designed for packet capture. Nikto is a web application security scanner.
Bill is analyzing a system that is experiencing strange symptoms. He would like a list of the open network connections on that system. Which one of the following tools would be helpful in this scenario?
A. Traceroute
B. Netstat
C. Tcpdump
D. Wireshark
Answer:
B. The netstat tool (and ss on modern Linux systems) lists the listening sockets and open connections on a system, including connections that are idle at the moment. Tcpdump and Wireshark are capable of capturing traffic from open connections but will not display connections that are silent during the capture period. Traceroute shows the path between two systems.
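Both the host firewall question (ports 22, 80 and 443 expected, 1433 not) and the question about Bill's open connections come down to the same triage: list what is listening and what is connected, then compare against what the host is supposed to do. The following script is an added example, not code from the original page; the socket listing is a constructed sample in the format of `ss -tan`, and the allowlist of expected listeners is an assumption for a web server like Karen's.

```python
"""Added example: triage of listening sockets and open connections.

SAMPLE_SS_OUTPUT is constructed in the column layout of `ss -tan`; on a real
host, run `ss -tan` (or `netstat -an`) and feed its output to parse_ss().
"""

SAMPLE_SS_OUTPUT = """\
State     Recv-Q Send-Q Local Address:Port   Peer Address:Port
LISTEN    0      128    0.0.0.0:22           0.0.0.0:*
LISTEN    0      511    0.0.0.0:80           0.0.0.0:*
LISTEN    0      511    [::]:443             [::]:*
LISTEN    0      128    0.0.0.0:1433         0.0.0.0:*
ESTAB     0      0      192.0.2.10:443       198.51.100.7:51000
ESTAB     0      0      192.0.2.10:22        203.0.113.9:52222
ESTAB     0      0      192.0.2.10:1433      203.0.113.9:40044
TIME-WAIT 0      0      192.0.2.10:80        198.51.100.7:49876
"""

# Assumed expected listeners for a web server that also offers SSH/SFTP.
ALLOWED_LISTENERS = {22, 80, 443}


def split_endpoint(endpoint):
    """Split 'host:port' (IPv6 hosts are bracketed) into (host, port or None)."""
    host, _, port = endpoint.rpartition(":")
    return host, (None if port == "*" else int(port))


def parse_ss(text):
    """Parse `ss -tan` style output into a list of socket records."""
    records = []
    for line in text.splitlines()[1:]:  # first line is the column header
        fields = line.split()
        if len(fields) < 5:
            continue
        state, local, peer = fields[0], fields[3], fields[4]
        local_host, local_port = split_endpoint(local)
        peer_host, peer_port = split_endpoint(peer)
        records.append({"state": state,
                        "local_host": local_host, "local_port": local_port,
                        "peer_host": peer_host, "peer_port": peer_port})
    return records


def unexpected_listeners(records, allowed=ALLOWED_LISTENERS):
    """Listening ports that the host firewall should not be exposing."""
    return sorted({r["local_port"] for r in records
                   if r["state"] == "LISTEN" and r["local_port"] not in allowed})


def established_connections(records):
    """(local port, peer) for every currently established connection."""
    return [(r["local_port"], f"{r['peer_host']}:{r['peer_port']}")
            for r in records if r["state"] == "ESTAB"]


def connections_to_unexpected(records, allowed=ALLOWED_LISTENERS):
    """Established connections that terminate on an unexpected listener."""
    bad = set(unexpected_listeners(records, allowed))
    return [c for c in established_connections(records) if c[0] in bad]


if __name__ == "__main__":
    recs = parse_ss(SAMPLE_SS_OUTPUT)
    print("unexpected listeners:", unexpected_listeners(recs))
    print("established:", established_connections(recs))
    print("talking to unexpected listeners:", connections_to_unexpected(recs))
```

On the sample, port 1433 is flagged as an unexpected listener, and the established list shows a peer already connected to it, which is the kind of finding that turns a firewall misconfiguration into an incident. The parser does not depend on column widths, so the same functions work on real `ss -tan` output with any spacing.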
Which of the following is not a reason to avoid imaging live systems?
A. The drive may be modified by the forensic tool.
B. The drive contents may change during the imaging process.
C. Unallocated space will not be included.
D. Capturing memory contents is more difficult.
Answer:
D. There are many reasons to avoid imaging live machines if it is not absolutely necessary, but one advantage that imaging a live machine has is the ability to directly capture the contents of memory. Risks of capturing images from live machines include inadvertent modification of the system by the forensic tool, changes that occur on the machine while the image is being taken (so the image may not match any single state of the disk and may fail hash verification), the potential for malware to attack the imaging system or to detect and evade it, and the fact that most live images do not capture unallocated space.
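The "drive contents may change during imaging" risk shows up concretely as a failed verification hash. The following script is an added example, not code from the original page or from any forensic tool; both "disks" are constructed byte buffers, and the live disk simulates a running OS rewriting a block (for example a journal update) after the imager has already copied it.

```python
"""Added example: acquisition hash versus verification hash on static and live sources.

The imager copies the source block by block while computing an acquisition
hash, then re-hashes the source to verify. A static source verifies; a live
source modified behind the imager's read position does not.
"""
import hashlib

BLOCK = 512


class StaticDisk:
    """Read-only source whose contents never change during acquisition
    (a powered-off drive behind a write blocker)."""

    def __init__(self, data):
        self.data = bytearray(data)
        self.pos = 0

    def read(self, size):
        chunk = bytes(self.data[self.pos:self.pos + size])
        self.pos += len(chunk)
        return chunk

    def snapshot(self):
        """Current full contents, used for the verification hash."""
        return bytes(self.data)


class LiveDisk(StaticDisk):
    """Source that rewrites block 0 after the imager has copied it, as a
    running system would when it updates a log or journal (constructed)."""

    def __init__(self, data, change_after_reads=2):
        super().__init__(data)
        self.reads = 0
        self.change_after_reads = change_after_reads

    def read(self, size):
        self.reads += 1
        if self.reads == self.change_after_reads:
            self.data[0:16] = b"JOURNAL-UPDATE!!"
        return super().read(size)


def acquire(disk, block=BLOCK):
    """Copy the whole source; return (image bytes, acquisition SHA-256)."""
    digest = hashlib.sha256()
    image = bytearray()
    while True:
        chunk = disk.read(block)
        if not chunk:
            break
        image += chunk
        digest.update(chunk)
    return bytes(image), digest.hexdigest()


def verify(disk, acquisition_hash):
    """Re-hash the source after acquisition and compare with the acquisition hash."""
    return hashlib.sha256(disk.snapshot()).hexdigest() == acquisition_hash


def demo(live):
    """Image a constructed 2 KiB source and report whether it verifies."""
    source = bytes(range(256)) * 8
    disk = LiveDisk(source) if live else StaticDisk(source)
    image, acquisition_hash = acquire(disk)
    return {
        "verified": verify(disk, acquisition_hash),
        "image_matches_final_state": image == disk.snapshot(),
    }


if __name__ == "__main__":
    print("static source:", demo(live=False))
    print("live source:  ", demo(live=True))
```

The static case verifies and the image equals the source. In the live case the image holds the old block 0 while the disk now holds the new one, so the verification hash differs and the image does not correspond to the disk at any single instant. That mismatch is why a live image needs its own documentation of when and how it was taken rather than a simple hash match.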