fqefqf Flashcards

1
Q
2.  Ahmed is a sales manager with a major insurance company. He has received an email that is encouraging him to click on a link and fill out a survey. He is suspicious of the email, but it does mention a major insurance association, and that makes him think it might be legitimate. Which of the following best describes this attack?
A.  Phishing
B.  Social engineering
C.  Spear phishing
D.  Trojan horse
A

C. The correct answer is spear phishing. Spear phishing is targeted to a specific group, in this case insurance professionals. Attackers can find individuals from public sources to target. This is known as open source intelligence.
Option A is incorrect because that is too broad a category.
Option B is incorrect because, though social engineering is a part of every phishing attack, this is more than just social engineering.
Option D is incorrect because this is not a Trojan horse. In fact, malware is not even part of the attack.

2
Q
6.  Frank is deeply concerned about attacks to his company’s e-commerce server. He is particularly worried about cross-site scripting and SQL injection. Which of the following would best defend against these two specific attacks?
A.  Encrypted web traffic
B.  Filtering user input
C.  A firewall
D.  An IDS
A

B. The primary and best way to defend against the attacks mentioned is filtering user input.
Option A is incorrect. Encrypting the web traffic will not have any effect on these two attacks.
Option C is incorrect. A web application firewall (WAF) might mitigate these attacks, but it would be secondary to filtering user input.
Option D is incorrect. An IDS will simply detect the attack—it won’t stop it.

3
Q
16.  Jared discovers that attackers have breached his WiFi network. They have gained access via the wireless access point (WAP) administrative panel, and have logged on with the credentials the WAP shipped with. What best describes this issue?
A.  Default configuration
B.  Race conditions
C.  Failure to patch
D.  Weak encryption
A

A. Credentials the WAP shipped with are an example of default configuration.
Option B is incorrect. Race conditions involve multithreaded applications accessing shared variables.
Option C is incorrect. Patches won’t change the default password.
Option D is incorrect. Encryption does not affect logging into the administrative screen.

4
Q
  1. You are responsible for incident response at a mid-sized bank. You have discovered that someone was able to successfully breach your network and steal data from your database server. All servers are configured to forward logs to a central logging server. However, when you examine that central log, there are no entries after 2:13 a.m. two days ago. You check the servers, and they are sending logs to the right server, but they are not getting there. Which of the following would be most likely to explain this?
    A. Your log server has a backdoor.
    B. Your log server has been hit with a buffer overflow attack.
    C. Your switches have been hit with ARP poisoning.
    D. Your IDS is malfunctioning and blocking log transmissions.
A

C. ARP poisoning is used to change the ARP tables routing data to a different MAC address, which would explain why there were no entries.
Option A is incorrect. A backdoor would not explain that the log entries were sent, but not received.
Option B is incorrect. A buffer overflow would not explain that the log entries were sent but not received.
Option D is incorrect. An IDS would not stop log entries even if it was malfunctioning.

5
Q
19.  Coleen is the web security administrator for an online auction website. A small number of users are complaining that when they visit the website and log in, they are told the service is down and to try again later. Coleen checks and she can visit the site without any problem, even from computers outside the network. She also checks the web server log and there is no record of those users ever connecting. Which of the following might best explain this?
A.  Typosquatting
B.  SQL injection
C.  Cross-site scripting
D.  Cross-site request forgery
A

A. From the description it appears that they are not logging into the real web server but rather a fake server. That indicates typosquatting: have a URL that is named very similarly to a real site so that when users mistype the real site’s URL they will go to the fake site.
Options B, C, and D are all incorrect. These are all methods of attacking a website, but in this case, the actual website was not attacked. Instead, some users are visiting a fake site.

6
Q
27.  While investigating a malware outbreak on your company network, you discover something very odd. There is a file that has the same name as a Windows system DLL, and even has the same API interface, but handles input very differently, in a manner to help compromise the system, and it appears that applications have been attaching to this file, rather than the real system DLL. What best describes this?
A.  Shimming
B.  Trojan horse
C.  Backdoor
D.  Refactoring
A

A. Shimming is when the attacker places some malware between an application and some other file, and intercepts the communication to that file (usually to a library or system API).
Option B is incorrect. A Trojan horse might be used to get the shim onto the system, but that is not described in this scenario.
Option C is incorrect. A backdoor is a means to circumvent system authorization and get direct access to the system.
Option D is incorrect. Refactoring is the process of changing names of variables, functions, etc. in a program.

7
Q
29.  Frank is a network administrator for a small college. He discovers that several machines on his network are infected with malware. That malware is sending a flood of packets to a target external to the network. What best describes this attack?
A.  SYN flood
B.  DDoS
C.  Botnet
D.  Backdoor
A

B. His machines are part of a distributed denial-of-service attack.
Option A is incorrect. This scenario describes a generic DDoS, not a specific one like SYN flood.
Option C is incorrect. These machines could be part of a botnet, or just have a trigger that causes them to launch the attack at a specific time. The real key in this scenario is the DDoS attack.
Option D is incorrect. A backdoor gives an attacker access to the target system.

8
Q
31.  When phishing attacks are so focused that they target a specific individual, they are called what?
A.  Spear phishing
B.  Targeted phishing
C.  Phishing
D.  Whaling
A

D. Whaling is targeting a specific individual.
Option A is incorrect. Spear phishing targets a small group.
Option B is incorrect. Targeted phishing is not a term used in the industry.
Option C is incorrect. Phishing is the generic term for a wide range of related attacks.

9
Q
  1. You are concerned about a wide range of attacks that could affect your company’s web server. You have recently read about an attack wherein the attacker sends more data to the target than the target is expecting. If done properly, this could cause the target to crash.
    What would best prevent this type of attack?
    A. An SPI firewall
    B. An active IDS/IPS
    C. Checking buffer boundaries
    D. Checking user input
A

C. You are concerned about buffer overflows, and thus checking buffer boundaries is the best defense.
Options A and B are incorrect. While these technological solutions can always be a benefit for security, they are unlikely to address buffer overflow attacks effectively.
Option D is incorrect. Checking user input helps defend against SQL injection and cross-site scripting.

10
Q
38.  You have noticed that when in a crowded area, you sometimes get a stream of unwanted text messages. The messages end when you leave the area. What describes this attack?
A.  Bluejacking
B.  Bluesnarfing
C.  Evil twin
D.  Rogue access point
A

A. Bluejacking involves sending unsolicited messages to Bluetooth devices when they are in range.
Option B is incorrect. Bluesnarfing involves getting data from the Bluetooth device.
Options C and D are incorrect. Evil twin uses a rogue access point whose name is similar or identical to that of a legitimate access point.

11
Q
40.  You have noticed that when in a crowded area, data from your cell phone is stolen. Later investigation shows a Bluetooth connection to your phone, one that you cannot explain.
What describes this attack?
A.  Bluejacking
B.  Bluesnarfing
C.  Evil twin
D.  RAT
A

B. Bluesnarfing involves accessing data from a Bluetooth device when it is in range.
Option A is incorrect. Bluejacking involves sending unsolicited messages to Bluetooth devices when they are in range.
Option C is incorrect. Evil twin uses a rogue access point whose name is similar or identical to that of a legitimate access point.
Option D is incorrect. A RAT is a remote-access Trojan. Nothing in this scenario points to a RAT being the cause of the stolen data.

12
Q
41.  Louis is investigating a malware incident on one of the computers on his network. He has discovered unknown software that seems to be opening a port, allowing someone to remotely connect to the computer. This software seems to have been installed at the same time as a small shareware application. Which of the following best describes this malware?
A.  RAT
B.  Backdoor
C.  Logic bomb
D.  Rootkit
A

A. This is a remote-access Trojan (RAT), malware that opens access for someone to remotely access the system.
Option B is incorrect. A backdoor does provide access but it is usually in the system due to programmers putting it there, not due to malware on the system.
Option C is incorrect. A logic bomb executes its misdeeds when some logical condition is met.
Option D is incorrect. A rootkit provides root or administrative access to the system.

13
Q
46.  Your wireless network has been breached. It appears the attacker modified a portion of data used with the stream cipher and utilized this to expose wirelessly encrypted data.
What is this attack called?
A.  Evil twin
B.  Rogue WAP
C.  IV attack
D.  WPS Attack
A

C. Initialization vectors are used with stream ciphers. An IV attack attempts to exploit a flaw to use the IV to expose encrypted data.
Options A and B are incorrect. Nothing in this scenario requires or describes a rogue access point/evil twin.
Option D is incorrect. WiFi protected setup (WPS) uses a PIN to connect to the wireless access point (WAP). The WPS attack attempts to intercept that PIN in transmission, connect to the WAP, and then steal the WPA2 password.

14
Q
47.  John is concerned about disgruntled employees stealing company documents and exfiltrating them from the network. He is looking for a solution that will detect likely exfiltration and block it. What type of system is John looking for?
A.  IPS
B.  SIEM
C.  Honeypot
D.  Firewall
A

A. Any of these systems could help with detecting malicious activity by an insider, but the intrusion prevention system will block such activity, if detected.
Option B is incorrect. SIEMs simply aggregate logs.
Option C is incorrect. A honeypot can be useful in trapping a malicious actor but not in stopping data exfiltration.
Option D is incorrect. Firewalls can block traffic, but normally data exfiltration looks like normal traffic and is hard for a firewall to block.

15
Q
57.  When an attacker tries to find an input value that will produce the same hash as a password, what type of attack is this?
A.  Rainbow table
B.  Brute force
C.  Session hijacking
D.  Collision attack
A

D. A collision is when two different inputs produce the same hash.
Option A is incorrect. A rainbow table is a table of precomputed hashes.
Option B is incorrect. Brute force attempts every possible random combination to get the password or encryption key.
Option C is incorrect. Session hijacking is when the attacker takes over an authenticated session.

16
Q
78.  Zackary is a malware investigator with a cybersecurity firm. He is investigating malware that is able to compromise a target program by finding null references in the target program and dereferencing them, causing an exception to be generated. What best describes this type of attack?
A.  DLL injection
B.  Buffer overflow
C.  Memory leak
D.  Pointer dereference
A

D. This is the definition of pointer dereferencing. It is a somewhat obscure and sophisticated attack on a target program.
Option A is incorrect. In a DLL injection, the malware tries to inject code into the memory process space of a library.
Option B is incorrect. In a buffer overflow, the attacker sends more data to a variable than it can hold.
Option C is incorrect. A memory leak occurs when memory is allocated in some programming function but not deallocated. Each time the function is called, more system memory is used up.

17
Q
79.  Frank has just taken over as CIO of a mid-sized insurance company. One of the first things he does is order a thorough inventory of all network equipment. He discovers two routers that are not documented. He is concerned that if they are not documented, they might not be securely configured, tested, and safe. What best describes this situation?
A.  Poor user training
B.  System sprawl
C.  Failure to patch systems
D.  Default configuration
A

B. System sprawl occurs when a system grows and there are devices on the system that are not documented.
Options A, C, and D are all incorrect. While these are all serious security issues, they are unrelated to the scenario presented.

18
Q
81.  Daryl is investigating a recent breach of his company’s web server. The attacker used sophisticated techniques and then defaced the website, leaving messages that were denouncing the company’s public policies. He and his team are trying to determine the type of actor who most likely committed the breach. Based on the information provided, who was the most likely threat actor?
A.  A script
B.  A nation-state
C.  Organized crime
D.  Hacktivists
A

D. The fact that the website is defaced in a manner related to the company’s public policies is the definition of hacktivism.
Options A, B, and C are incorrect. None of these account for the statements adverse to the company’s policies, which is why hacktivism is the real cause.

19
Q
  1. You are investigating a breach of a large technical company. You discover that there have been several different attacks over a period of a year. The attacks were sustained, each lasting several weeks of continuous attack. The attacks were somewhat sophisticated and originated from a variety of IP addresses, but all the IP addresses are within your country.
    Which threat actor would you most suspect of being involved in this attack?
    A. Nation-state
    B. Hacktivist
    C. Script kiddie
    D. A lone highly skilled hacker
A

A. The fact that the IP addresses are within your country might make you discard the nation-state attacker, but it is common for nation-state attackers to use compromised IP addresses in the target country from which to attack. The other symptoms—a sophisticated attack, over time—are hallmarks of nation-state attackers.
Option B is incorrect. Nothing in the scenario indicates an ideological motive.
Option C is incorrect. In fact, this attack is the antithesis of the simple attack of a script kiddie.
Option D is incorrect. A lone attacker, no matter how skilled, would have difficulty maintaining sustained attacks over a year.

20
Q
  1. Which of the following best describes a zero-day vulnerability?
    A. A vulnerability that has been known to the vendor for zero days
    B. A vulnerability that has not yet been breached
    C. A vulnerability that can be quickly exploited (i.e., in zero days)
    D. A vulnerability that will give the attacker brief access (i.e., zero days)
A

A. This is the definition of a zero-day attack.

Options B, C, and D are incorrect. These do not adequately describe a zero-day attack.

21
Q
88.  Which of the following best describes software that will provide the attacker with remote access to the victim’s machine, but that is wrapped with a legitimate program in an attempt to trick the victim into installing it?
A.  RAT
B.  Backdoor
C.  Trojan horse
D.  Macro virus
A

A. A remote access Trojan (RAT) is malware that gives the attacker remote access to the victim machine.
Option B is incorrect. While a backdoor will give access, it is usually something in the system put there by programmers, not introduced by malware.
Option C is incorrect. A RAT is a type of Trojan horse, but Trojan horse is more general than what is described in the scenario.
Option D is incorrect. A macro virus is a virus embedded in a document.

22
Q
92.  You are responsible for technical support at your company. Users are all complaining of very slow Internet connectivity. When you examine the firewall, you find a large number of incoming connections that are not completed, all packets coming from a single IP address. What best describes this attack?
A.  DDoS
B.  SYN flood
C.  Buffer overflow
D.  ARP poisoning
A

B. Large, half-open connections are the hallmark of a SYN flood.
Option A is incorrect. These are all coming from a single IP address, so they cannot be a distributed denial-of-service attack.
Option C is incorrect. A buffer overflow seeks to put more data in a variable than it is designed to hold.
Option D is incorrect. ARP poisoning poisons the address resolution table of a switch.

23
Q
95.  Valerie is responsible for security testing applications in her company. She has discovered that a web application, under certain conditions, can generate a memory leak. What type of attack would this leave the application vulnerable to?
A.  DoS
B.  Backdoor
C.  SQL injection
D.  Buffer overflow
A

A. If an attacker can induce the web application to generate the memory leak, then eventually the web application will consume all memory on the web server and the web server will freeze up.
Option B is incorrect. Backdoors are not caused by memory leaks.
Option C is incorrect. SQL injection places malformed SQL into text boxes.
Option D is incorrect. A buffer overflow attempts to put more data in a variable than it can hold.

24
Q
98.  John is responsible for physical security at a large manufacturing plant. Employees all use a smart card in order to open the front door and enter the facility. Which of the following is a common way attackers would circumvent this system?
A.  Phishing
B.  Tailgating
C.  Spoofing the smart card
D.  RFID spoofing
A

B. Tailgating involves simply following a legitimate user through the door once he or she
Option A is incorrect. This is unrelated to physical security.
Option C is incorrect. It is possible to generate a fake smartcard, but that is a very uncommon attack.
Option D is incorrect. Again, this is possible but is very uncommon.

25
Q
99.  Which of the following is the term for an attack wherein malware inserts itself as a library, such as a DLL, between an application and the real system library the application is attempting to communicate with?
A.  Application spoofing
B.  Jamming
C.  Evil twin
D.  Shimming
A

D. This is the definition of shimming.
Option A is incorrect. Application spoofing is not a term used in the industry.
Options B and C are incorrect. These are both wireless attacks.

26
Q
100.  You are responsible for incident response at Acme Corporation. You have discovered that someone has been able to circumvent the Windows authentication process for a specific network application. It appears that the attacker took the stored hash of the password and sent it directly to the backend authentication service, bypassing the application. What type of attack is this?
A.  Hash spoofing
B.  Evil twin
C.  Shimming
D.  Pass the hash
A

D. This scenario is the definition of passing the hash.
Option A is incorrect. A real hash was provided; it was not spoofed.
Option B is incorrect. Evil twin is a wireless attack.
Option C is incorrect. Shimming is inserting malicious code between an application and a library.

27
Q
101.  A user in your company reports that she received a call from someone claiming to be from the company technical support team. The caller stated that there was a virus spreading through the company and he needed immediate access to the employee’s computer to stop it from being infected. What social-engineering principles did the caller use to try to trick the employee?
A.  Urgency and intimidation
B.  Urgency and authority
C.  Authority and trust
D.  Intimidation and authority
A

B. Claiming to be from tech support is claiming authority, and the story the caller gave indicates urgency.
Option A is incorrect. Yes, this caller used urgency (the virus spread) but did not attempt intimidation.
Option C is incorrect. Authority and trust are closely related, and in this case urgency was the second major factor.
Option D is incorrect. This caller used urgency but not intimidation.

28
Q
106.  Carlos works in incident response for a mid-sized bank. Users inform him that internal network connections are fine, but connecting to the outside world is very slow. Carlos reviews logs on the external firewall and discovers tens of thousands of ICMP packets coming from a wide range of different IP addresses. What type of attack is occurring?
A.  Smurf
B.  DoS
C.  DDoS
D.  SYN flood
A

C. The fact that the attack is coming from multiple sources makes this a distributed denial of service.
Option A is incorrect. A Smurf attack involves sending spoofed broadcast packets to the target network’s router.
Option B is incorrect. Yes, this is a denial-of-service attack, but it is distributed.
Option D is incorrect. A SYN flood involves lots of half-open connections.

29
Q
111.  Francine is a network administrator for Acme Corporation. She has noticed that one of the servers is now unreachable. After carefully reviewing various logs, she discovers that a large number of broadcast packets were sent to the network router, spoofing the server’s IP address. What type of attack is this?
A.  SYN flood
B.  ICMP flood
C.  Buffer overflow
D.  Smurf attack
A

D. The sending of spoofed broadcast messages to the target network router is a Smurf attack.
Option A is incorrect. In a SYN flood, a large number of SYN packets are sent but not responded to. This leads to a large number of half-open connections.
Option B is incorrect. An ICMP flood is a large amount of ICMP (such as ping) packets sent to the target.
Option C is incorrect. In a buffer overflow attack, more data is sent to a variable than it was designed to hold.

30
Q
125.  You are a security administrator for Acme Corporation. You have discovered malware on some of your company’s machines. This malware seems to intercept calls from the web browser to libraries, and then manipulates the browser calls. What type of attack is this?
A.  Man-in-the-browser
B.  Man-in-the-middle
C.  Buffer overflow
D.  Session hijacking
A

A. In a man-in-the-browser attack, the malware intercepts calls from the browser to the system, such as system libraries.
Option B is incorrect. Man-in-the-middle involves having some process between the two ends of communication in order to compromise passwords or cryptography keys.
Option C is incorrect. In a buffer overflow attack, more data is put into a variable than the variable was intended to hold.
Option D is incorrect. Session hijacking involves taking over an authenticated session.

31
Q
  1. Your company has hired a penetration testing firm to test the company network security.
    The penetration tester has just been able to achieve guest-level privileges on one low-security system. What best describes this phase of the test?
    A. Vulnerability scanning
    B. Initial exploit
    C. Black-box testing
    D. White-box testing
A

B. This is the initial exploit, which involves getting initial access to the system.
Option A is incorrect. Vulnerability scanning is an automated process that checks for the presence of known vulnerabilities.
Options C and D are incorrect. These both refer to how much information about the network the tester is given. In both black-box and white-box tests, there will still be an initial exploit.

32
Q
128.  You are responsible for software testing at Acme Corporation. You want to check all software for bugs that might be used by an attacker to gain entrance into the software or your network. You have discovered a web application that would allow a user to attempt to put a 64-bit value into a 4-byte integer variable. What is this type of flaw?
A.  Memory overflow
B.  Buffer overflow
C.  Variable overflow
D.  Integer overflow
A

D. Placing a larger integer value into a smaller integer variable is an integer overflow.
Option A is incorrect. Memory overflow is not a term used, and memory leak is about allocating memory and not deallocating it.
Option B is incorrect. Buffer overflows usually involve arrays.
Option C is incorrect. Variable overflow is not a term used in the industry.

33
Q
129.  Which type of virus is most difficult to analyze by reverse engineering?
A.  Polymorphic
B.  Macro
C.  Armored
D.  Boot sector
A

C. Armoring can be as simple as very trivial encryption, but any process that makes it difficult to reverse-engineer a virus is armoring.
Option A is incorrect. A polymorphic virus periodically changes itself.
Option B is incorrect. A macro virus is embedded, as a macro, into a document.
Option D is incorrect. A boot sector virus infects the boot sector of a hard drive.

34
Q
131.  John is a network administrator for a large retail chain. He has discovered that his DNS server is being attacked. The attack involves false DNS requests from spoofed IP addresses. The requests are far larger than normal. What type of attack is this?
A.  Amplification
B.  DNS poisoning
C.  DNS spoofing
D.  Smurf attack
A

A. Sending fake DNS requests that are overly large is called an amplification attack. It is a highly specialized type of denial of service.
Option B is incorrect. DNS poisoning seeks to put fake DNS records in a DNS server.
Option C is incorrect. DNS spoofing is using fake DNS information.
Option D is incorrect. The Smurf attack is a denial of service.

35
Q
132.  Heidi is a security officer for an investment firm. Many of the employees in her firm travel frequently and access the company intranet from remote locations. Heidi is concerned about users logging in from public WiFi, as well as other people seeing information such as login credentials or customer data. Which of the following is Heidi’s most significant concern?
A.  Social engineering
B.  Shoulder surfing
C.  Man-in-the-middle attack
D.  CSRF
A

B. In this scenario, no technical issues are mentioned—just people seeing information. So shoulder surfing best fits the scenario.
Option A is incorrect. No social engineering is involved in this scenario.
Option C is incorrect. Although a man-in-the-middle attack on the wireless access point (WAP) could compromise data, that’s not what is described in this scenario.
Option D is incorrect. Cross-site request forgery is a website attack.

36
Q
135.  You lead an incident response team for a large retail chain store. You have discovered what you believe is spyware on the point-of-sale systems. But the malware in question is encrypted, preventing you from analyzing it. What best describes this?
A.  An armored virus
B.  Ransomware
C.  Polymorphic virus
D.  Trojan horse
A

A. Encryption is one method for armored viruses.
Option B is incorrect. Ransomware encrypts files but is not encrypted itself.
Option C is incorrect. A polymorphic virus periodically changes itself.
Option D is incorrect. A Trojan horse combines malware with a legitimate program.

37
Q
136.  Jared has discovered malware on the workstations of several users. This particular malware provides administrative privileges for the workstation to an external hacker. What best describes this malware?
A.  Trojan horse
B.  Logic bomb
C.  Multipartite virus
D.  Rootkit
A

D. This is the definition of a rootkit.
Option A is incorrect. A Trojan horse combines malware with a legitimate program.
Option B is incorrect. A logic bomb performs its malicious activity when some condition is met.
Option C is incorrect. A multipartite virus infects the boot sector and a file.

38
Q
137.  Users in your company report someone has been calling their extension and claiming to be doing a survey for a large vendor. Based on the questions asked in the survey, you suspect that this is a scam to elicit information from your company’s employees. What best describes this?
A.  Spear phishing
B.  Vishing
C.  War dialing
D.  Robocalling
A

B. This is vishing, or using voice calls for phishing.
Option A is incorrect. Spear phishing is targeting a small, specific group.
Option C is incorrect. War dialing is dialing numbers hoping a computer modem answers.
Option D is incorrect. Robocalling is used to place unsolicited telemarketing calls.

39
Q
138.  Cross-site request forgery is an attack on the ______ that is based on the ______ trusting the ______.
A.  website, website, user
B.  user, user, website
C.  website, user, website
D.  user, website, user
A

A. Cross-site request forgery is an attack on the website that is based on the website trusting the user.
Options B, C, and D are all incorrect.

40
Q
  1. You have just taken over as the CISO for a large bank. You are concerned about making sure all systems are secure. One major concern you have is security misconfiguration.
    Which of the following is not a common security misconfiguration?
    A. Unpatched operating system
    B. Default accounts with passwords
    C. Unneeded services running
    D. No firewall running
A

D. A firewall not running is not a configuration issue.

Options A, B, and C are all incorrect. These are all common security misconfiguration issues.

41
Q
7.  ACME Company has several remote offices. The CIO wants to set up permanent secure connections between the remote offices and the central office. What would be the best solution for this?
A.  L2TP VPN
B.  IPSEC VPN
C.  Site-to-site VPN
D.  Remote-access VPN
A

C. A site-to-site VPN is a permanent VPN connection between sites. Connecting remote offices is a typical site-to-site VPN implementation.
Option A is incorrect. L2TP is a protocol for VPN and could be used for either site-to-site or remote-access VPNs.
Option B is incorrect. IPSec is a protocol for VPN and could be used for either site-to-site or remote-access VPNs.
Option D is incorrect. A remote-access VPN is used by an individual to remotely access the corporate network.

42
Q
  1. Donald is working as a network administrator. He is responsible for the database cluster.
    Connections are load-balanced in the cluster by each new connection being simply sent to the next server in the cluster. What type of load-balancing is this?
    A. Round-robin
    B. Affinity
    C. Weighted
    D. Rotating
A

A. Round-robin load balancing simply sends each new connection to the next server in the cluster.
Option B is incorrect. Affinity load balancing ties specific users to specific servers in the cluster.
Option C is incorrect. Weighted load balancing examines the bandwidth utilization for each server and sends the next connection to the server with the least current bandwidth utilization.
Option D is incorrect. Rotating is not a term used in load balancing.

43
Q
12.  Mohaned is an IT manager for a hotel. His hotel wants to put wireless access points on each floor. The specifications state that the wireless access points should have minimal functionality, with all the configuration, authentication, and other functionality centrally controlled. What type of wireless access points should Mohaned consider purchasing?
A.  Fat
B.  Controller-based
C.  Stand-alone
D.  801.11i
A

B. Controller-based wireless access points have minimal functionality, with most functions centrally controlled.
Option A is incorrect. A fat wireless access point has all necessary functionality contained in the WAP.
Option C is incorrect. Stand-alone is synonymous with fat WAP.
Option D is incorrect. 802.11i is the wireless security standard.

44
Q
16.  You are responsible for email server security in your company. You want to implement encryption of all emails, using third-party authenticated certificates. What protocol should you implement?
A.  IMAP
B.  S/MIME
C.  PGP
D.  SMTP-S
A

B. Secure Multipurpose Internet Mail Extensions (S/MIME) encrypts email using X.509 certificates that are created and authenticated by a trusted third party.
Option A is incorrect. The Internet Message Access Protocol is used for receiving email. It does not send email and is not natively encrypted.
Option C is incorrect. PGP (Pretty Good Privacy) can be used to encrypt email, but it uses self-generated certificates that are not authenticated by a third party.
Option D is incorrect. Simple Mail Transfer Protocol Secure is encrypted, but it is only for sending email, not receiving. It can also be done with S/MIME or PGP.

45
Q
18.  You are responsible for network management at your company. You have been using SNMP for many years. You are currently using SNMP v2. A colleague has recently suggested you upgrade to SNMP v3. What is the primary benefit of SNMP v3?
A.  It is much faster.
B.  It integrates with SIEM.
C.  It uses CHAP authentication.
D.  It is encrypted.
A

D. Earlier versions of SNMP sent all traffic in clear text. SNMP v3 sends all data encrypted.
Options A, B, and C are incorrect. They are not features of SNMP v3.

46
Q
19.  Employees in your company are allowed to use tablets. They can select a tablet from four different models approved by the company but purchased by the employee. What best describes this?
A.  BYOD
B.  CYOD
C.  COPE
D.  BYOE
A

B. Choose Your Own Device (CYOD) allows employees to bring their own devices to work, but only if they are chosen from a list of approved models.
Option A is incorrect. Bring Your Own Device (BYOD) allows employees to bring whatever model device they happen to have.
Option C is incorrect. Company-Owned Personally Enabled (COPE) equipment is provided by and owned by the company.
Option D is incorrect. BYOE is not a term used in the industry.

47
Q
21.  You have been assigned to select a backup communication method for your company to use in case of significant disasters that disrupt normal communication. Which option would provide the most reliability?
A.  Cellular
B.  WiFi
C.  SATCOM
D.  VoIP
A

C. Satellite communications are most resistant to disasters that disrupt communications.
Option A is incorrect. While cellular is effective and reasonably resilient, it is not as resilient as SATCOM.
Option B is incorrect. WiFi can fail for any number of reasons, and a disaster is very likely to affect it.
Option D is incorrect. If there is any disruption to the network, then VoIP will not function.

48
Q
  1. What best describes mobile device content management?
    A. Limiting how much content can be stored.
    B. Limiting the type of content that can be stored.
    C. Blocking certain websites.
    D. Digitally signing authorized content.
A

B. Content management for a mobile device involves limiting what content can be placed on the phone.
Option A is incorrect. Content management is not involved in limiting the amount of data.
Option C is incorrect. In the context of a mobile device, this is not content management.
Option D is incorrect. Digitally signing authorized content could be used in some content management systems, but this is not the best definition of content management.

49
Q
26.  Teresa is responsible for network administration at a health club chain. She is trying to find a communication technology that uses low power and can spend long periods in low-power sleep modes. Which of the following technologies would be the best fit?
A.  WiFi
B.  Cellular
C.  Bluetooth
D.  ANT
A

D. ANT is a proprietary wireless network technology that provides low-power modes and is used in WiFi settings. It has been used in sports-related technologies.
Option A is incorrect. WiFi uses power constantly, whether users connect or not.
Option B is incorrect. Cellular consumes too much power.
Option C is incorrect. The range of Bluetooth is too short.

50
Q
29.  Frank is a network administrator for a small college. The college has implemented a simple NIDS. However, the NIDS seems to only catch well-known attacks. What technology is this NIDS likely missing?
A.  Heuristic scanning
B.  Signature scanning
C.  Passive scanning
D.  Active scanning
A

A. Heuristic scanning involves scanning for anomalous behavior that might indicate an attack, even if there is no known attack signature.
Option B is incorrect. Signature scanning can only detect known signatures, and that appears to be what the college is using now.
Options C and D are incorrect. Neither is an IDS term.

51
Q
30.  You are concerned about an attacker enumerating all of your network. What protocol might help at least mitigate this issue?
A.  HTTPS
B.  TLS
C.  IPSec
D.  LDAPS
A

D. Lightweight Directory Access Protocol Secure (LDAPS) would at least mitigate the risk. LDAP is a directory of the network (computers, users, etc.). Securing that would help mitigate network enumeration.
Option A is incorrect. HTTPS is for secure web pages.
Option B is incorrect. TLS will help only if applied to a directory protocol, as it is in LDAPS.
Option C is incorrect. A VPN won’t solve this issue.

52
Q
31.  You have been asked to implement a secure protocol for transferring files that uses digital certificates. Which protocol would be the best choice?
A.  FTP
B.  SFTP
C.  FTPS
D.  SCP
A

C. FTPS is File Transfer Protocol with SSL/TLS and uses digital certificates to secure file transfer.
Option A is incorrect. File Transfer Protocol is not secure.
Option B is incorrect. SFTP is secure, but it uses SSH for security and does not use digital certificates.
Option D is incorrect. Secure Copy is secure, but it uses SSH for security and does not use digital certificates.

53
Q
32.  Ahmed is responsible for VoIP at his company. He has been directed to ensure that all VoIP calls have the option to be encrypted. What protocol is best suited for securing VoIP calls?
A.  SIP
B.  TLS
C.  SRTP
D.  SSH
A

C. Secure Real-Time Transport Protocol (SRTP) is used to encrypt and secure RTP. RTP is the protocol for transmitting VoIP.
Option A is incorrect. Session Initiation Protocol is used to initiate a VoIP call but not to send the VoIP data.
Option B is incorrect. TLS is used to secure data, but by itself it cannot secure VoIP.
Option D is incorrect. Secure Shell (SSH) is for remote terminal connection and is not used in VoIP.

54
Q
37.  Remote employees at your company frequently need to connect to both the secure company network via VPN and open public websites, simultaneously. What technology would best support this?
A.  Split tunnel
B.  IPSec
C.  Full tunnel
D.  TLS
A

A. Split tunneling allows a mobile user to access dissimilar security domains like a public network (e.g., the Internet) and a local LAN or WAN at the same time.
Option B is incorrect. IPSec is the protocol for establishing and securing a VPN, rather than connecting to different resources. You can use IPSec in either a split or full tunnel.
Option C is incorrect. A full tunnel is a dedicated tunnel to one single target.
Option D is incorrect. TLS is a protocol that can be used for establishing and securing a VPN, rather than connecting to different resources. You can use TLS in either a split or full tunnel.

55
Q
40.  Derrick is responsible for a web server cluster at his company. The cluster uses various load-balancing protocols. Derrick wants to ensure that clients connecting from Europe are directed to a specific server in the cluster. What would be the best solution to his problem?
A.  Affinity
B.  Binding
C.  Load balancing
D.  Round-robin
A

A. Affinity load balancing ties certain users or groups of users to a specific server so they will be routed to that server if possible.
Option B is incorrect. Binding is not a term used in load balancing.
Option C is incorrect. Yes, load balancing is needed, but the question asks what type of load balancing.
Option D is incorrect. Round-robin simply goes to the next available server.

56
Q
41.  Teresa is responsible for WiFi security in her company. Her main concern is that there are many other offices in the building her company occupies and that someone could easily attempt to breach their WiFi from one of these locations. What technique would be best in alleviating her concern?
A.  Using thin WAPs
B.  Geofencing
C.  Securing the Admin screen
D.  WAP placement
A

D. Placing the WAPs carefully so as to provide the best coverage for the company, with minimum overlap outside the company, will be the best way to keep those in adjacent offices from attempting to breach the WiFi. When placing WAPs for the best coverage, one needs to focus on signal strength to ensure there are no gaps between WAPs.
Option A is incorrect. Thin versus fat WAP refers to the functionality in the WAP and won’t have any effect on the ability of nearby people to breach the WAP.
Option B is incorrect. Geofencing is used to limit the area in which a mobile device can be used.
Option C is incorrect. Securing the admin screen is a great idea and should be done, but it won’t address the issue of nearby tenants attempting to breach the WiFi.

57
Q
  1. Shelly is very concerned about unauthorized users connecting to the company routers.
    She would like to prevent spoofing. What is the most essential antispoofing technique for routers?
    A. ACL
    B. Logon
    C. NIPS
    D. NIDS
A

A. Access control lists are Cisco’s primary recommendation to prevent spoofing on routers. ACLs limit access to the router and its functionality.
Option B is incorrect. A login for accessing a router is often not practical because the router access may be needed when a user is not present to log on.
Option C is incorrect. A network intrusion prevention system is a good idea, but it won’t prevent spoofing.
Option D is incorrect. A network intrusion detection system is a good idea, but it won’t prevent spoofing.

58
Q
  1. Terrance is trying to get all of his users to connect to a certificate server on his network.
    However, some of the users are using machines that are incompatible with the certificate server, and changing those machines is not an option. Which of the following would be the best solution for Terrance?
    A. Use an application proxy for the certificate server.
    B. Use NAT with the certificate server.
    C. Change the server.
    D. Implement a protocol analyzer.
A

A. An application proxy server is often used when the client and the server are incompatible for direct connection with the server.
Option B is incorrect. Network address translation involves translating a private IP address to a public IP address.
Option C is incorrect. Changing the server is a drastic measure. It is assumed that this server is being used for some valid reason.
Option D is incorrect. A protocol analyzer is essentially a packet sniffer.

59
Q
  1. John is implementing virtual IP load-balancing. He thinks this might alleviate network slowdowns, and perhaps even mitigate some of the impact of a denial-of-service attack.
    What is the drawback of virtual IP load-balancing?
    A. It is resource-intensive.
    B. Most servers don’t support it.
    C. It is connection-based, not load-based.
    D. It works only on Unix/Linux servers.
A

C. Virtual IP load balancing does not take the load of each interface into account and assumes all loads are essentially similar.
Option A is incorrect. This load balancing is not resource intensive.
Option B is incorrect. Most servers do support virtual IP load-balancing.
Option D is incorrect. Windows will also support virtual IP load-balancing.

60
Q
50.  You are a security officer for a large law firm. You are concerned about data loss prevention. You have limited the use of USBs and other portable media, you use an IDS to look for large volumes of outbound data, and a guard searches all personnel and bags before they leave the building. What is a key step in DLP that you have missed?
A.  Portable drives
B.  Email
C.  Bluetooth
D.  Optical media
A

B. An insider could send out data as an email attachment.
Option A is incorrect. Portable devices usually connect via USB, which is blocked, and if they don’t, they will likely be found on the exit search.
Option C is incorrect. The range of Bluetooth is 10 meters. That makes it ineffective for data exfiltration.
Option D is incorrect. Optical media is a type of portable media.

61
Q
51.  Which of the following email security measures would have the most impact on phishing emails?
A.  Email encryption
B.  Hardening the email server
C.  Digitally signing email
D.  Spam filter
A

D. Phishing emails are often sent out to masses of people and a spam filter would block at least some of that, thus reducing the phishing email attacks.
Option A is incorrect. Although email encryption is a good idea, it will do nothing to stop phishing.
Option B is incorrect. Hardening all servers is a good security practice, but it has no impact on phishing emails.
Option C is incorrect. Although digitally signing email is a good idea, it cannot stop phishing or even reduce it significantly. It might mitigate phishing emails that claim to come from a company employee, but it won’t impact other phishing emails.

62
Q
  1. Joanne has implemented TLS for communication with many of her network servers. She wants to ensure that the traffic cannot be sniffed. However, users now complain that this is slowing down connectivity. Which of the following is the best solution?
    A. Increase RAM on servers.
    B. Change routers to give more bandwidth to traffic to these servers.
    C. Implement TLS accelerators.
    D. Place all servers in clusters with extensive load-balancing.
A

C. A TLS accelerator is a processor that handles processing, specifically processor-intensive public-key encryption for Transport Layer Security (TLS). This should significantly improve server responsiveness.
Option A is incorrect. Increasing RAM will have only a minimal effect on network responsiveness.
Option B is incorrect. From the question, there is no indication that the servers were not performing fine before TLS implementation, so addressing the TLS issues is the best solution.
Option D is incorrect. Setting up clustering is a rather significant step, and not the first thing that should be considered. Implementation of TLS accelerators is a better option.

63
Q
61.  You are responsible for security at Acme Company. Recently, 20 new employee network accounts were created, with the default privileges for the network. You have discovered that eight of these have privileges that are not needed for their job tasks. Which security principle best describes how to avoid this problem in the future?
A.  Least privileges
B.  Separation of duties
C.  Implicit deny
D.  Weakest link
A

C. The security concept of implicit deny states that any new access account will by default be denied all access. When a request is made for specific privileges for that account, then the privileges are explicitly applied. This means that by default all privileges are implicitly denied.
Option A is incorrect. Least privileges are what every account should have, but in this scenario the accounts were all given default privileges. The concept of implicit deny is a better answer.
Option B is incorrect. Separation of duties is used to prevent any one person from executing any action that might have significant security ramifications for the company.
Option D is incorrect. It is true that your network is only as secure as its weakest link, but that is not the best description of this scenario.

64
Q
  1. Mary is concerned that SIEM logs at her company are not being stored long enough, or securely enough. She is aware that it is possible a breach might not be discovered until long after it occurs. This would require the company to analyze older logs. It is important that Mary find an SIEM log backup solution that can a) handle all the aggregate logs of the SIEM, b) be maintained for a long period of time, and c) be secure. What solution would be best for her?
    A. Back up to large-capacity external drives.
    B. Back up to large-capacity backup tapes.
    C. Back up to WORM storage.
    D. Back up to tapes that will be stored off-site.
A

C. Write once, read many (WORM) storage is a type of high-capacity storage wherein once the data is written to the storage, it cannot be edited. It provides both high-capacity storage and secure storage, since the backups cannot be tampered with.
Option A is incorrect. Large-capacity external drives would need to be stored in a secure place, and they can be edited and are thus not secure. You could secure one with encryption, but the question does not mention encrypted drives.
Option B is incorrect. Backup tapes are older technology. Tapes frequently have issues, and data can become irretrievable.
Option D is incorrect. Backup media should always be stored off-site, but there is the issue that tapes can easily be damaged or corrupted, which is unacceptable for long-term storage.

65
Q
64.  You are responsible for network security at a university. Faculty members are issued laptops. However, many of the faculty members leave the laptops in their offices most of the time (sometimes even for weeks). You are concerned about theft of laptops. In this scenario, what would be the most cost-effective method of securing the laptops?
A.  FDE (Full-disk encryption)
B.  GPS tagging
C.  Geofencing
D.  Tethering
A

D. Tethering is usually inexpensive, and simply tethering a portable device to a desk makes it difficult to steal the device. No antitheft method is foolproof, but tethering is simple, cost effective, and reasonably effective.
Option A is incorrect. Full-disk encryption (FDE) can be a good idea and will protect the data on the laptop. However, the laptop can still be stolen, the drive wiped, and the laptop reused or sold.
Option B is incorrect. GPS tagging may allow you to locate a stolen laptop, but it is usually more expensive than tethering.
Option C is incorrect. Geofencing just limits where the device will work—it does not prevent theft of the device.

66
Q
65.  You work at a defense contracting company. You are responsible for mobile device security. Some researchers in your company use company-issued tablets for work. These tablets may contain sensitive, even classified data. What is the most important security measure for you to implement?
A.  FDE
B.  GPS tagging
C.  Geofencing
D.  Content management
A

A. Full-disk encryption (FDE) is the best way to protect data on any device. In this scenario, the sensitive data on the tablets is the most important concern; therefore, securing that data with FDE is the most important security measure to take.
Option B is incorrect. GPS tagging might be a good idea—it would help locate lost or stolen devices. However, it is less important than FDE.
Option C is incorrect. Geofencing limits where a device can be used, and it does not address the issues presented in this scenario.
Option D is incorrect. Content management is always a good idea. But in this case, it won’t address the most important security concern.

67
Q
  1. When using any HIDS/HIPS or NIDS/NIPS, the output is specific to the vendor. However, what is the basic set of information that virtually all HIDSs/HIPSs or NIDSs/NIPSs provide?
    A. IP addresses (sender and receiver), ports (sender and receiver), and protocol
    B. IP addresses (sender and receiver), ports (sender and receiver), and attack type
    C. IP addresses (sender and receiver), ports (sender and receiver), usernames, and machine names
    D. Usernames, machine names, and attack type
A

A. HIDSs/HIPSs and NIDSs/NIPSs each have output that the vendor specifies. But all such devices will output what protocol the traffic was, the source and destination IP addresses, as well as the source and destination port. More information may be provided, but this is the essential basic information all IDSs/IPSs display.
Option B is incorrect. Many of these devices won’t display the suspected attack type. The person operating the device should recognize that a flood of SYN packets on a given port is a SYN flood.
Option C is incorrect. Usernames and machine names may or may not be included, but IP addresses will be.
Option D is incorrect. Usernames and machine names may or may not be included, but IP addresses will be.

68
Q
68.  Teresa is responsible for incident response at ACME Company. There was a recent breach of the network. The breach was widespread and affected many computers. As part of the incident response process, Teresa will collect the logs from the SIEM, which aggregates logs from 20 servers. Which of the following should she do first?
A.  Event de-duplication
B.  Log forwarding
C.  Identify the nature of the attack
D.  Identify the source IP of the attack
A

A. Since 20 servers send logs to the SIEM, de-duplicating events will be important.
Option B is incorrect. An SIEM is a log aggregation and analysis tool. Log forwarding was established before the incident.
Option C is incorrect. This is certainly something to do at some point, but it won’t be the first action.
Option D is incorrect. This is certainly something to do at some point, but it won’t be the first action.

69
Q
69.  Hector is responsible for NIDS/NIPS in his company. He is configuring a new NIPS solution. What part of the NIPS collects data?
A.  Sensor
B.  Data source
C.  Manager
D.  Analyzer
A

A. In any IDS (HIDS/HIPS; NIDS/NIPS), the sensors collect data from the network segment they are on and forward that information to the analyzer.
Option B is incorrect. A data source is any source of information for the IDS.
Option C is incorrect. The manager is the interface that a human operator uses to interact with the NIDS/NIPS or HIDS/HIPS.
Option D is incorrect. The analyzer takes data sent to it from the sensors and analyzes the data looking for indicators of an attack.

70
Q
74.  Lars is responsible for incident response at ACME Company. He is particularly concerned about the network segment that hosts the corporate web servers. He wants a solution that will detect potential attacks and notify the administrator so the administrator can take whatever action he or she deems appropriate. Which of the following would be the best solution for Lars?
A.  HIDS
B.  HIPS
C.  NIDS
D.  NIPS
A

C. A network intrusion detection system (NIDS) will detect suspected attacks on a given network segment and notify the administrator. For example, in anomaly detection, the administrator will be notified if there is any deviation from an expected pattern or behavior.
Option A is incorrect. A host intrusion detection system (HIDS) only detects intrusions for a single host.
Option B is incorrect. A host intrusion prevention system (HIPS) only detects intrusions on a single host, and it blocks suspected intrusions.
Option D is incorrect. A network intrusion prevention system (NIPS) will check the entire network segment, but rather than simply notify the administrator for him or her to take action, the NIPS will block the suspected traffic.

71
Q
76.  Abigail is a security manager for a small company. Many employees want to use handheld devices, such as smartphones and tablets. The employees want to use these devices both for work and outside of work. Abigail is concerned about security issues. Which of the following would be the most secure solution?
A.  COPE
B.  CYOD
C.  Geotagging
D.  BYOD
A

A. Company-Provided Equipment provides the most security because the company owns and provides the equipment to employees. This allows the company to fully control security, such as preventing carrier unlocking, disabling the recording microphone, and preventing WiFi Direct and WiFi ad hoc.
Option B is incorrect. Choose Your Own Device (CYOD) would have the employees choose any device they wish from a set of options selected by the company. But these would still be employee-owned and -controlled devices.
Option C is incorrect. Geotagging simply allows you to locate a device.
Option D is incorrect. Bring Your Own Device (BYOD) allows employees to bring whatever device they have to work. This is a security concern.

72
Q
77.  You are responsible for always-on VPN connectivity for your company. You have been told that you must use the most secure mode for IPSec that you can. Which of the following would be the best for you to select?
A.  Tunneling
B.  AH
C.  IKE
D.  Transport
A

A. Tunneling mode is the mode wherein IPSec encrypts the entire packet, header and data. This prevents someone sniffing traffic from gathering metadata about the traffic.
Option B is incorrect. Authentication Header (AH) provides authentication and integrity but no encryption, so it cannot be the most secure mode.
Option C is incorrect. Internet Key Exchange (IKE) is used in setting up security associations in IPSec.
Option D is incorrect. Transport mode encrypts only the data, not the header. This allows metadata about traffic to be sniffed by an attacker. Therefore, this cannot be the most secure mode.

73
Q
78.  Debra is the network administrator for her company. Her company’s web servers are all in a cluster. Her concern is this: if one of the servers in the cluster fails, will the backup server be capable of running for a significant amount of time? She wants to make sure that the backup won’t soon fail. What would be her best choice in clustering?
A.  Active-active
B.  Round-robin
C.  Affinity
D.  Active-passive
A

D. An active-passive cluster has backup servers that are not handling any workload. They are brought into action if the primary server fails. This means the backup server will not have been subjected to any workload and is effectively a new machine.
Option A is incorrect. An active-active cluster has all servers working, with the load balanced between them. Should a primary server fail, there is some chance the backup might fail in the near future.
Options B and C are incorrect. Round-robin and affinity describe how connections are routed in the cluster, not how failover functions.

74
Q
82.  Sarah is the CIO for a small company. She recently had the entire company’s voice calls moved to VoIP. Her new VoIP system is using SIP with RTP. What might be the concern with this?
A.  SIP is not secure.
B.  RTP is not secure.
C.  RTP is too slow.
D.  SIP is too slow.
A

B. Real-time Transport Protocol (RTP) is used to transport VoIP and video signals, but it is not encrypted. Secure Real-time Transport Protocol (SRTP) should be used.
Option A is incorrect. Session Initiation Protocol (SIP) is used to initiate a VoIP call but not to send the VoIP data.
Option C is incorrect. The speed is not the issue.
Option D is incorrect. The speed is not the issue.

75
Q
85.  Elizabeth is responsible for security at a defense contracting company. She is concerned about users within her network exfiltrating data by attaching sensitive documents to emails. What solution would best address this concern?
A.  Email encryption
B.  USB blocking
C.  NIPS
D.  Content filtering
A

D. While most people think of content filtering in regard to filtering content you view, it can also be thought of in terms of content that is sent out. Implementing content filtering ensures that the problem of data exfiltration via email will be mitigated.
Option A is incorrect. Email encryption would actually make it easier to exfiltrate data, since the data would be hidden from any analysis.
Option B is incorrect. USB blocking won’t affect email filtration.
Option C is incorrect. A network-based intrusion prevention system (NIPS) cannot stop email attachments.

76
Q
87.  Gabriel is using nmap to scan one of his servers whose IP address is 192.168.1.1. He wants to perform a ping scan, but the network blocks ICMP, so he will try a TCP ping scan and do so very slowly. Which of the following would accomplish that?
A.  nmap -O -PT -T1 192.168.1.1
B.  nmap -O – T3 192.168.1.1
C.  nmap -T -T1 192.168.1.1
D.  nmap -PT -T5 192.168.1.1
A

A. The nmap -O flag indicates that you want to guess the operating system. The -PT scan means do a ping with TCP. The -T1 is a very slow scan.
Options B, C, and D are all incorrect. The ping scan variations all start with -P (-PT TCP ping, -PS SYN ping, etc.), the -T is timing, and the options are T1 (slowest) to T5 (fastest).

77
Q
94.  Frank is a web server administrator for a large e-commerce company. He is concerned about someone using netcat to connect to the company web server and retrieving detailed information about the server. What best describes his concern?
A.  Passive reconnaissance
B.  Active reconnaissance
C.  Banner grabbing
D.  Vulnerability scanning
A

C. Banner grabbing is a process whereby someone connects to a target web server and attempts to gather information, literally grabbing the web services “banner.” This is often done by telnetting into the web server. It can also be done with netcat, using an HTTP request.
Option A is incorrect. Passive reconnaissance would not involve active connections to the server.
Option B is incorrect. Although this is active reconnaissance, it is more accurately described as banner grabbing.
Option D is incorrect. This scenario is not describing vulnerability scanning.

78
Q
95.  Mike is responsible for testing security at his company. He is using a tool that identifies vulnerabilities and provides mechanisms to test them by attempting to exploit them. What best describes this type of tool?
A.  Vulnerability scanner
B.  Exploit framework
C.  Metasploit
D.  Nessus
A

B. Exploit frameworks are tools that provide a framework for finding vulnerabilities and then attempting to exploit those vulnerabilities. These tools are an important part of network security testing.
Option A is incorrect. A vulnerability scanner would only identify the vulnerabilities; it would not provide a means to use the vulnerability.
Option C is incorrect. Metasploit is a popular exploit framework, but the question asked about the class of tools, not about identifying a specific tool.
Option D is incorrect. Nessus is a well-known vulnerability scanner.

79
Q
96.  William is a security officer for a large bank. When executives’ laptops are decommissioned, he wants to ensure that the data on those laptops is completely wiped so that it cannot be recovered, even using forensic tools. How many times should William wipe a hard drive?
A.  1
B.  3
C.  5
D.  7
A

D. US DoD data sanitization standard DoD 5220.22-M recommends an average of 7 complete wipes to wipe data. The standard has a matrix wherein you match the sensitivity of the data to a specific number of wipes, but the general rule is 7.
Options A, B, and C are all incorrect. Less than 7 wipes are considered inadequate to prevent data recovery tools from recovering the data.

80
Q
102.  Mark is responsible for security for a small bank. He has a firewall at the gateway as well as one at each network segment. Each firewall logs all accepted and rejected traffic. Mark checks each of these logs regularly. What is the first step Mark should take to improve his firewall configuration?
A.  Integrate with SIEM.
B.  Add a honeypot.
C.  Integrate with AD.
D.  Add a honeynet.
A

A. Each of these firewalls is logging all activity, but the logs are not centralized. This makes it quite difficult to monitor all logs. By integrating with an SIEM, all logs are centralized and Mark can get alerts for issues.
Options B and D are incorrect. A honeypot or honeynet might be a good idea, but neither is the next logical step or part of firewall configuration.
Option C is incorrect. Integrating with Active Directory (AD) may or may not be a good choice for Mark, but it won’t improve his firewall configuration.

81
Q
106.  Your company is issuing portable devices to employees for them to use for both work and personal use. This is done so the company can control the security of the devices. What, if anything, is an issue this process will cause?
A.  Personal information being exposed
B.  Company data being exfiltrated
C.  Devices being insecurely configured
D.  No issues
A

A. Since employees use the Company-Owned Personally Enabled (COPE) device for personal use, the devices will have the employee’s personal information. This can lead to personal and private data being exposed to the company.
Option B is incorrect. Any portable device has the chance of being used for data exfiltration, but COPE is no more susceptible than other configurations such as BYOD.
Option C is incorrect. In fact, the opposite is true. It is less likely that devices will be improperly configured because the company controls configuration.
Option D is incorrect. There are issues with this option.

82
Q
107.  Marsha is responsible for mobile device security. Her company uses COPE (Corporate-Owned Personally-Enabled) for mobile devices. All phones and tablets have a screen lock and GPS tagging. What is the next, most important step for Marsha to take to secure the phones?
A.  Implement geofencing.
B.  Implement application management.
C.  Implement geolocation.
D.  Implement remote wipe.
A

B. Application management is primarily concerned with ensuring only authorized and approved applications are installed on mobile devices. This would be the next logical step to perform. Control of which applications are allowed on the device is central to basic security.
Option A is incorrect. Geofencing may or may not even be appropriate for every company.
Option C is incorrect. Geolocation is useful to locating stolen devices, but it is not the next step to take in security.
Option D is incorrect. Remote wipe can be useful should a device be lost or stolen, but it is not the next step to take in security.

83
Q
  1. You are responsible for DLP at a large company. Some employees have COPE and others BYOD. What DLP issue might these devices present?
    A. COPE can be USB OTG.
    B. BYOD can be USB OTG.
    C. COPE and BYOD can be USB OTG.
    D. Only jailbroken COPE or BYOD can be USB OTG.
A

C. Whether the device is Company-Owned and Personally Enabled (COPE) or Bring Your Own Device (BYOD), any mobile device can be a USB On-the-Go (OTG) device. This means the device itself serves as a mass storage USB drive, and data can be exfiltrated on the device. This is a concern for data loss prevention (DLP).
Options A and B are incorrect. Any device can be USB OTG.
Option D is incorrect. You need not jailbreak a phone or tablet in order to use it as USB OTG.

84
Q
  1. Frank is concerned about DHCP starvation attacks. He is even more worried since he learned that anyone can download software called a “gobbler” and execute a DHCP starvation attack. What technology would most help him mitigate this risk?
    A. Encrypt all DHCP communication with TLS.
    B. FDE on the DHCP server
    C. Network Address Allocation
    D. IPSec for all DHCP communications
A

C. Network Address Allocation is the process of allocating network addresses. In a DHCP environment, this can be done to limit how many IP addresses are requested from a single network segment. For example, if a network segment has only 30 nodes, then no more than 30 addresses can be allocated to that segment. This would mitigate DHCP starvation.
Option A is incorrect. Encrypting communications is often a good idea, but it won’t mitigate this issue.
Option B is incorrect. Full-disk encryption (FDE) is often a good idea but won’t mitigate this issue.

85
Q
115.  Lydia is trying to reduce costs at her company and at the same time centralize network administration and maintain direct control of the network. Which of the following solutions would provide the most network administration centralization and control while reducing costs?
A.  Outsourcing network administration
B.  IaaS
C.  PaaS
D.  Moving all OSs to open source
A

B. Infrastructure as a Service (IaaS) uses a third-party service and templates to provide the network infrastructure in a virtualized manner, but the client company still administers the network. By moving to a virtualized solution, administration is very centralized. By using IaaS, Lydia will reduce costs, but she will still maintain direct control.
Option A is incorrect. Outsourcing will remove control of the network to a third party.
Option C is incorrect. Platform as a Service (PaaS) can only provide operating systems.
Option D is incorrect. Open source won’t help centralized administration, and the total cost of ownership may not actually be less.

86
Q
116.  You are investigating a remote access protocol for your company to use. The protocol needs to fully encrypt the message, use reliable transport protocols, and support a range of network protocols. Which of the following would be the best choice?
A.  RADIUS
B.  Diameter
C.  TACACS+
D.  IPSec
A

C. Terminal Access Controller Access Control System+ (TACACS+) is a remote access protocol. It uses TCP, which is a reliable transport protocol, and it fully encrypts the messages. TACACS+ also supports a range of network protocols.
Option A is incorrect. Remote Authentication Dial-In User Service (RADIUS) uses UDP, which is not a reliable transport protocol and does not support many networking protocols.
Option B is incorrect. Diameter (not an acronym) does support TCP, but it does not fully encrypt the messages.
Option D is incorrect. IPSec is a VPN protocol, not a remote access and authentication protocol.

87
Q
118.  John is setting up all the database servers on their own subnet. He has placed them on 10.10.3.3/29. How many nodes can be allocated in this subnet?
A.  32
B.  16
C.  8
D.  6
A

D. Classless Inter-Domain Routing (CIDR) notation provides the number of bits that are masked for the network. Remaining bits are used for nodes. To determine the size of a subnet based on CIDR notation (/N), the formula is simple: [2^(32 – N)] – 2. In this case, that is [2^(32 – 29)] – 2, or (2^3) – 2, or 8 – 2, or 6 nodes.
Options A, B, and C are incorrect. The most common wrong answer is C, which would be the result if you forgot to subtract 2 at the end of the calculation.

88
Q
  1. You are responsible for mobile device security in your company. Employees have COPE devices. Many employees only enter the office infrequently, and you are concerned that their devices are not receiving firmware updates on time. What is the best solution for this problem?
    A. Scheduled office visits for updates
    B. OTA updates
    C. Moving from COPE to BYOD
    D. A policy that requires users to update their firmware regularly
A

B. Over-the-air (OTA) updates are accomplished wirelessly. This can be done over a cellular network, wherever the device is. Using OTA updates for the mobile devices is the most efficient solution.
Option A is incorrect. This would work but would interrupt the employees’ normal work schedules and be inefficient.
Option C is incorrect. Moving from Company-Owned and Personally Enabled to Bring Your Own Device (BYOD) would actually make the situation worse, but doing so would absolve the company of the responsibility of managing updates.
Option D is incorrect. Policies require a mechanism for implementation. OTA is such a mechanism.

89
Q
126.  Frank is looking for a remote authentication and access protocol. It must be one that uses UDP due to firewall rules. Which of the following would be the best choice?
A.  RADIUS
B.  Diameter
C.  TACACS+
D.  IPSec
A

A. Remote Authentication Dial-In User Service (RADIUS) is an older authentication and access control protocol, but it uses UDP. The other options mentioned do not use UDP.
Options B and C are incorrect. Both Diameter and TACACS+ are newer protocols, but both use TCP.
Option D is incorrect. IPSec is a VPN protocol, not a remote authentication and access control protocol.

90
Q
130.  You are configuring BYOD access for your company. You want the absolute most robust security for the BYOD on your network. What would be the best solution?
A.  Agentless NAC
B.  Agent NAC
C.  Digital certificate authentication
D.  Two-factor authentication
A

B. Network Access Control (NAC) allows the network to enforce a level of host health checks on devices before allowing them to connect. With agent NAC, a software agent is installed on any device that wishes to connect to the network. That agent can do a much more thorough systems health check of the BYOD.
Option A is incorrect. Agentless NAC can be useful but is less effective than agent NAC.
Options C and D are incorrect. Stronger authentication is a good security measure but won’t address the issue of scanning BYOD to ensure compliance with security rules.

91
Q
131.  You work for a large law firm and are responsible for network security. It is common for guests to come to the law firm (clients, expert witnesses, etc.) who need to connect to the firm’s WiFi. You wish to ensure that you provide the maximum security when these guests connect with their own devices, but you also wish to provide assurance to the guest that you will have minimal impact on their device. What is the best solution?
A.  Permanent NAC agent
B.  Agentless NAC
C.  Dissolvable NAC agent
D.  Implement COPE
A

C. Network Access Control (NAC) performs a systems health check on a device and validates that the device meets minimum security standards before allowing it to connect. An agent-based NAC is more thorough in scanning the device. However, that leaves an agent on the visitor’s device. A dissolvable agent will delete itself after a period of time.
Option A is incorrect. A permanent NAC would have an impact on visitors’ devices.
Option B is incorrect. Agentless NAC would have less impact, and would also be less thorough and thus less secure.
Option D is incorrect. Company-Owned Personally Enabled (COPE) devices are not possible for guests.

92
Q
  1. Mary works for a large insurance company and is responsible for cybersecurity. She is concerned about insiders and wants to detect malicious activity on the part of insiders. But she wants her detection process to be invisible to the attacker. What technology best fits these needs?
    A. Hybrid NIDS
    B. Out-of-band NIDS
    C. NIPS
    D. NNIDS
A

B. An out-of-band network intrusion detection system (NIDS) places the management portion on a different network segment, making detection of the NIDS more difficult.
Option A is incorrect. A hybrid NIDS combines a network node IDS with a host IDS.
Option C is incorrect. A network intrusion prevention system (NIPS) is usually quite detectable, by its very nature. By blocking offending traffic, it will absolutely be noticed.
Option D is incorrect. A network node IDS (NNIDS) uses a network approach, but it delegates the IDS functions to individual hosts.

93
Q
135.  You want to allow a media gateway to be accessible through your firewall. What ports should you open? (Choose two.)
A.  2427
B.  1707
C.  2727
D.  1727
A

A, C. One for the gateway and one for the call agent. From the call agent to the gateway is using UDP port 2427, and if it’s from the gateway to the call agent, it uses UDP port 2727.
Options B and D are incorrect. 1707 is L2TP, and 1727 is PPTP.

94
Q
  1. Dennis is implementing wireless security throughout his network. He is using WPA2. However, there are some older machines that cannot connect to WPA2—they only support WEP. At least for now, he must keep these machines. What is the best solution for this problem?
    A. Put those machines on a different VLAN.
    B. Deny wireless capability for those machines.
    C. Put those machines on a separate wireless network with separate WAP.
    D. Encrypt their traffic with TLS.
A

C. When you must support machines that cannot connect to newer, more secure WiFi protocols, then put those machines on a separate WiFi network. That won’t prevent them from being breached, but it will prevent that breach from exposing your entire network.
Option A is incorrect. A VLAN is not applicable to this scenario.
Option B is incorrect. Denying wireless access is not necessary.
Option D is incorrect. Although encrypting network traffic is often a good idea, it won’t solve this problem.

95
Q
138.  You are a security administrator for Acme Company. Employees in your company routinely upload and download files. You are looking for a method that allows users to remotely upload or download files in a secure manner. The solution must also support more advanced file operations such as creating directories, deleting files, and so forth. What is the best solution for this?
A.  SFTP
B.  SSH
C.  SCP
D.  IPSec
A

A. Secure File Transfer Protocol (SFTP) is a protocol based on Secure Shell, and it provides directory listing, remote file deletion, and other file management abilities. It is also secure.
Option B is incorrect. Secure Shell (SSH) provides a secure terminal connection.
Option C is incorrect. Secure Copy (SCP) is based on SSH and does allow file transfer. But it does not support other file management capabilities.
Option D is incorrect. IPSec is a VPN protocol.

96
Q
  1. John is the CISO for a small company. The company has password policies, but John is not sure the policies are adequate (enough). He is concerned that someone might be able to “crack” company passwords. What is the best way for John to determine whether his passwords are vulnerable?
    A. Run a good vulnerability scan.
    B. Perform a password policy audit.
    C. Use one or more password crackers himself.
    D. Ensure that passwords are stored as a hash.
A

C. The best way to see if passwords are crackable is to attempt to crack them. This is done by using one or more well-known and reliable password crackers. If you are able to crack your passwords, that demonstrates they are not adequate.
Option A is incorrect. Many vulnerability scanners don’t check passwords, and those that do only check rudimentary requirements.
Option B is incorrect. The concern is that the policies may not be adequate. So, an audit will only show if people are complying with the policy, not whether the policy itself is adequate.
Option D is incorrect. Passwords are usually stored as a hash. This does not prevent tools, like rainbow tables, from cracking passwords.

97
Q
143.  Gianna is evaluating the security of her company. The company has a number of mobile apps that were developed in house for use on COPE devices. She wants to ensure that these apps are updated as soon as an update is available. What should she ensure is being used?
A.  Firmware OTA
B.  Push notifications
C.  Scheduled updates
D.  A policy against custom firmware
A

B. Push notifications are used to send out updates when they are ready. With push notifications, you do not wait for the user to check for an update; the update is sent as soon as it is ready.
Option A is incorrect. Firmware Over-the-Air (OTA) updates are a good idea, but this question is about custom apps, not firmware.
Option C is incorrect. This issue in this question is not if updates are being scheduled but if they are being applied.
Option D is incorrect. A policy against custom firmware is a good security policy. However, this question is about custom apps, not firmware.

98
Q
145.  Heidi works for a large company that issues various mobile devices (tablets and phones) to employees. She is concerned about unauthorized access to mobile devices. Which of the following would be the best way to mitigate that concern?
A.  Biometrics
B.  Screen lock
C.  Context-aware authentication
D.  Storage segmentation
A

A. Biometrics, type III authentication, are very robust. Biometrics are based on a biological part of the authorized user, so they are very difficult to fake and impossible for the user to lose.
Option B is incorrect. Screen locks are necessary, but they are only a rudimentary security measure.
Option C is incorrect. In combination with the username and password, context-aware authentication examines the user’s location, the time of day the user is logging in, the computer that the user is logging in from, what the user is trying to do, the context, and so forth. This is a very good authentication method, but biometrics can still be more effective and more user-friendly.
Option D is incorrect. Storage segmentation is very good for separating user personal data from company data, but it won’t address unauthorized access.

99
Q
146.  You are looking for a point-to-point connection method that would allow two devices to synchronize data. The solution you pick should not be affected by EMI (electromagnetic interference) and should be usable over distances exceeding 10 meters, provided there is a line-of-sight connection. What would be the best solution?
A.  Bluetooth
B.  WiFi
C.  Infrared
D.  RF
A

C. Infrared uses a wavelength of light that is not visible to humans. Since it is light, it is not susceptible to EMI. It can be used over most distances, provided there is a line of sight. The disadvantage is that any break in the line of sight breaks communication.
Option A is incorrect. Bluetooth has a range of only 10 meters.
Option B is incorrect. WiFi is susceptible to EMI.
Option D is incorrect. RF is susceptible to EMI.

100
Q
  1. Ethan has noticed some users on his network accessing inappropriate videos. His network uses a proxy server that has content filtering with blacklisting. What is the most likely cause of this issue?
    A. Sites not on the blacklist
    B. Misconfigured content filtering
    C. Misconfigured proxy server
    D. Someone circumventing the proxy server
A

A. Blacklisting blocks any sites or content specifically on the blacklist. However, it is impossible to list every inappropriate site on the Internet, so some are not going to be listed and thus are accessible.
Option B is incorrect. You could argue that this issue is due to misconfiguration, but that is not the most likely cause.
Option C is incorrect. The proxy server as a whole is not the issue. It is the content filtering that is at issue.
Option D is incorrect. While this is possible, it is not the most likely explanation.

101
Q
  1. Logan is responsible for enforcing security policies in his company. There are a number of policies regarding the proper configuration of public-facing servers. Which of the following would be the best way for Logan to check to see if such policies are being enforced?
    A. Periodically audit selected servers.
    B. Implement a configuration compliance scanning solution.
    C. Conduct routine penetration tests of those servers.
    D. Implement a vulnerability scanning solution.
A

B. Configuration compliance scanning solutions take the configuration settings that the administrator provides and scans targeted devices and computers to see whether they comply. This is an effective method for checking compliance.
Options A, C, and D are all incorrect. Each of these would uncover at least some configuration compliance issues but would be less effective and/or more cumbersome than configuration compliance scanning.

102
Q
2.  You are responsible for network security at an e-commerce company. You want to ensure that you are using best practices for the e-commerce website your company hosts. What standard would be the best for you to review?
A.  OWASP
B.  NERC
C.  NIST
D.  ISA/IEC
A

A. The correct answer is the Open Web Application Security Project. It is the de facto standard for web application security.
Option B is incorrect. The North American Electric Reliability Corporation is concerned with electrical power plant security.
Option C is incorrect. The National Institute of Standards does not, as of this writing, publish web application standards.
Option D is incorrect. ISA/IEC standards are for securing industrial automation and control systems (IACSs).

103
Q
  1. Maria is a security administrator for a large bank. She is concerned about malware, particularly spyware that could compromise customer data. Which of the following would be the best approach for her to mitigate the threat of spyware?
    A. Computer usage policies, network antimalware, and host antimalware
    B. Host antimalware and network antimalware
    C. Host and network antimalware, computer usage policies, and website whitelisting
    D. Host and network antimalware, computer usage policies, and employee training
A

D. Control diversity means utilizing different controls to mitigate the same threat. For malware, the use of technical controls, such as anti-malware, is critical. But it is also important to have administrative controls, such as good policies, and to ensure employees are properly trained.
Option A is incorrect. This approach ignores training employees. Policies are only useful if employees are properly trained.
Option B is incorrect. This approach uses only one type of control: technical controls.
Option C is incorrect. This approach ignores training employees. Policies are useful only if employees are properly trained. Furthermore, website whitelisting can be beneficial but leaves many websites unchecked, each of which could be hosting malware.

104
Q
  1. You are the network administrator for a large company. Your company frequently has nonemployees in the company such as clients and vendors. You have been directed to provide these nonemployees with access to the Internet. Which of the following is the best way to implement this?
    A. Establish a guest network.
    B. Allow nonemployees to connect only to the DMZ.
    C. Allow nonemployees to connect only to the intranet.
    D. Establish limited accounts on your network for nonemployees to use.
A

A. A guest network is separate from your production network; therefore, even if there is some breach of that network, it won’t affect your production network. It is a common security practice to establish a guest network so that guests can access the Internet, without providing them with access to the corporate network resources.
Option B is incorrect. A DMZ is used to locate public-facing servers such as web servers.
Option C is incorrect. An intranet consists of internal web-based resources for employees.
Option D is incorrect. This would provide nonemployees with access to the corporate network.

105
Q
  1. John works for an insurance company. His company uses a number of operating systems, including Windows and Linux. In this mixed environment, what determines the network operating system?
    A. The OS of the DNS server
    B. The OS of the domain controller
    C. The OS of the majority of servers
    D. The OS of the majority of client computers
A

B. The network operating system is determined by the operating system running on a domain controller. A network could be mostly Windows, but as long as the domain controller is Unix, the network operating system is Unix.
Options A, C, and D are all incorrect. These items do not determine the network operating system.

106
Q
14.  Juanita is implementing virtualized systems in her network. She is using Type I hypervisors. What operating system should be on the machines for her to install the hypervisor?
A.  None
B.  Windows
C.  Any operating system
D.  Windows or Linux
A

A. A Type I hypervisor is also known as a bare-metal hypervisor. It installs directly onto hardware and does not require an operating system to be installed first.
Options B, C, and D are all incorrect. Type I hypervisors do not require a preinstalled operating system.

107
Q
15.  You are responsible for security at your company. You want to improve cloud security by following the guidelines of an established international standard. What standard would be most helpful?
A.  NIST 800-14
B.  NIST 800-53
C.  ISO 27017
D.  ISO 27002
A

C. ISO 27017 is an international standard for cloud security.
Option A is incorrect. NIST 800-14 describes common security principles that should be addressed within security policies.
Option B is incorrect. NIST 800-53 organizes security measures into families of controls, such as risk assessment, access control, incident response, and others.
Option D is incorrect. ISO 27002 recommends best practices for initiating, implementing, and maintaining information security management systems (ISMSs).

108
Q
22.  Which type of firewall examines the content and context of each packet it encounters?
A.  Packet filtering firewall
B.  Stateful packet filtering firewall
C.  Application layer firewall
D.  Gateway firewall
A

B. A stateful inspection firewall examines the content and context of each packet it encounters. This means that an SPI firewall understands the preceding packets that came from the same IP address. This makes certain attacks, like a SYN flood, almost impossible.
Option A is incorrect. Packet filtering firewalls examine each packet, but not the context.
Option C is incorrect. Application layer firewalls can use SPI or simple packet filtering, but their primary role is to examine application-specific issues. A classic example is a web application firewall.
Option D is incorrect. A gateway firewall is simply a firewall at the network gateway. This does not tell us whether it is packet filtering or SPI.

109
Q
28.  Suzan is responsible for application development in her company. She wants to have all web applications tested prior to being deployed live. She wants to use a test system that is identical to the live server. What is this called?
A.  Production server
B.  Development server
C.  Test server
D.  Predeployment server
A

C. A test server should be identical to the production server. This can be used for functional testing as well as security testing, prior to deploying the application.
Option A is incorrect. The production server is the live server.
Option B is incorrect. A development server would be one the programmers use during development of a web application.
Option D is incorrect. Predeployment server is not a term used in the industry.

110
Q
30.  You are responsible for BIOS security in your company. Which of the following is the most fundamental BIOS integrity technique?
A.  Verifying the BIOS version
B.  Using a TPM
C.  Managing BIOS passwords
D.  Backing up the BIOS
A

C. BIOS password management is the most basic security measure for the BIOS. Without this fundamental step, any other steps will be far less effective.
Options A and B are incorrect. NIST 800-155 does list both of these as BIOS integrity measures, but they are not the most fundamental measures—passwords are.
Option D is incorrect. Backing up the BIOS is not a common security measure, and it certainly would not be the most fundamental step.

111
Q
33.  John is installing an HVAC system in his datacenter. What will this HVAC have the most impact on?
A.  Confidentiality
B.  Availability
C.  Fire suppression
D.  Monitoring access to the datacenter
A

B. A heating, ventilation, and air conditioning system will affect availability. By maintaining temperature and humidity, the servers in the datacenter are less likely to crash and thus be more available.
Option A is incorrect. HVACs have no effect on data confidentiality.
Option C is incorrect. HVACs are not fire suppression systems.
Option D is incorrect. HVACs are not monitoring systems.

112
Q
  1. Maria is a security engineer with a manufacturing company. During a recent investigation, she discovered that an engineer’s compromised workstation was being used to connect to SCADA systems while the engineer was not logged in. The engineer is responsible for administering the SCADA systems and cannot be blocked from connecting to them.
    What should Maria do to mitigate this threat?
    A. Install host-based antivirus software on the engineer’s system.
    B. Implement account usage auditing on the SCADA system.
    C. Implement an NIPS on the SCADA system.
    D. Use FDE on the engineer’s system.
A

B. Maria should implement ongoing auditing of the account usage on the SCADA system.
This will provide a warning that someone’s account is being used when they are not actually using it.
Option A is incorrect. Host-based antivirus is almost never a bad idea. But this scenario did not indicate that the compromise was due to malware, so anti-malware may not address the threat.
Option C is incorrect. Since the engineer has access to the SCADA system, an NIPS is unlikely to block him from accessing the system.
Option D is incorrect. Full disk encryption will not mitigate this threat.

113
Q
  1. Gerard is responsible for secure communications with his company’s e-commerce server.
    All communications with the server use TLS. What is the most secure option for Gerard to store the private key on the e-commerce server?
    A. HSM
    B. FDE
    C. SED
    D. SDN
A

A. A hardware security module (HSM) is the most secure way to store private keys for the e-commerce server. An HSM is a physical device that safeguards and manages digital keys.
Option B is incorrect. Full disk encryption will protect the data on the e-commerce server, but it won’t help store the key. It is also difficult to fully encrypt the e-commerce server drive, since the drive will need to be in use for the e-commerce to function.
Option C is incorrect. A self-encrypting drive (SED) is just an automatic full disk encryption.
Option D is incorrect. Software-defined networking won’t address the issues in this scenario.

114
Q
38.  Web developers in your company currently have direct access to the production server and can deploy code directly to it. This can lead to unsecure code, or simply code flaws being deployed to the live system. What would be the best change you could make to mitigate this risk?
A.  Implement sandboxing.
B.  Implement virtualized servers.
C.  Implement a staging server.
D.  Implement deployment policies.
A

C. You should implement a staging server so that code can be deployed to an intermediate staging environment. This will allow testing of security features, as well as checking to see that the code integrates with the entire system. Using third-party libraries and SDKs can help reduce errors and vulnerabilities in the code.
Option A is incorrect. Sandboxing is used to isolate a particular environment.
Option B is incorrect. Virtualization will not mitigate this risk. Even if the production server is virtualized, the risks are the same.
Option D is incorrect. Deployment policies are a good idea, but they are not the most effective way to mitigate this particular risk.

115
Q
39.  Denish is concerned about the security of embedded devices in his company. He is most concerned about the operating system security for such devices. Which of the following would be the best option for mitigating this threat?
A.  RTOS
B.  SCADA
C.  FDE
D.  TPM
A

A. A real-time operating system is a secure system used for embedded devices. RTOSs were originally developed for military applications but were not available to the public.
Option B is incorrect. Although SCADA systems can sometimes be embedded systems, this won’t address the security concerns.
Option C is incorrect. Full drive encryption won’t address issues with the security of the operating system.
Option D is incorrect. A trusted platform module can be very useful for cryptographic applications, but it will not address the security of the operating system.

116
Q
41.  Teresa is responsible for WiFi security in her company. Which wireless security protocol uses TKIP?
A.  WPA
B.  CCMP
C.  WEP
D.  WPA2
A

A. The encryption technology associated with WPA is TKIP.
Option B is incorrect. CCMP is the technology used in WPA2. It combines AES in cipher block chaining mode with a message authentication code.
Option C is incorrect. WEP uses RC4.
Option D is incorrect. WPA2 uses CCMP.

117
Q
43.  Which cloud service model provides the consumer with the infrastructure to create applications and host them?
A.  SaaS
B.  PaaS
C.  IaaS
D.  CaaS
A

B. In the Platform as a Service (PaaS) model, the consumer has access to the infrastructure to create applications and host them.
Option A is incorrect. Software as a Service simply supplies a particular application.
Option C is incorrect. Infrastructure as a Service provides entire network infrastructure.
Option D is incorrect. Cloud as a Service provides access to cloud storage.

118
Q
46.  Which type of hypervisor implementation is known as “bare metal”?
A.  Type I
B.  Type II
C.  Type III
D.  Type IV
A

A. Type I hypervisor implementations are known as “bare metal.”
Option B is incorrect. Type II hypervisors have to be installed on an underlying operating system.
Options C and D are incorrect. These are not valid hypervisor types.

119
Q
  1. Mark is responsible for cybersecurity at a small college. There are many computer labs that are open for students to use. These labs are monitored only by a student worker, who may or may not be very attentive. Mark is concerned about the theft of computers. Which of the following would be the best way for him to mitigate this threat?
    A. Cable locks
    B. FDE on the lab computers
    C. Strong passwords on the lab computers
    D. Having a lab sign-in sheet
A

A. The correct answer is to attach cable locks to the computers that lock them to the table.
This makes it more difficult for someone to steal a computer.
Option B is incorrect. Full disk encryption won’t stop someone from stealing the computer.
Option C is incorrect. Strong passwords won’t stop someone from stealing a computer.
Option D is incorrect. A sign-in sheet is a good idea and may deter some thefts. But it is not the best approach to stopping theft.

120
Q
56.  Isabella is responsible for database management and security. She is attempting to remove redundancy in the database. What is this process called?
A.  Integrity checking
B.  Deprovisioning
C.  Baselining
D.  Normalization
A

D. Normalization is the process of removing duplication or redundant data from a database. There are typically four levels of normalization ranging from 1N at the lowest (i.e., the most duplication) to 4N at the highest (i.e., the least duplication).
Option A is incorrect. Although database integrity is important, that is not what is described in the question. Furthermore, integrity checking usually refers to checking the integrity of files.
Option B is incorrect. Deprovisioning is a virtualization term for removing a virtual system (server, workstation, etc.) and reclaiming those resources.
Option C is incorrect. Baselining involves setting security standards.

121
Q
  1. Hans is a security administrator for a large company. Users on his network visit a wide range of websites. He is concerned they might get malware from one of these many websites. Which of the following would be his best approach to mitigate this threat?
    A. Implement host-based antivirus.
    B. Blacklist known infected sites.
    C. Set browsers to allow only signed components.
    D. Set browsers to block all active content (ActiveX, JavaScript, etc.).
A

C. The correct answer is to only allow signed components to be loaded in the browser.
Code signing verifies the originator of the component (such as an ActiveX component) and thus makes malware far less likely.
Option A is incorrect. Although host-based anti-malware is a good idea, it is not the best remedy for this specific threat.
Option B is incorrect. Blacklists cannot cover all sites that are infected, just the sites you know about. And given that users on Hans’s network visit a lot of websites, blacklisting is likely to be ineffective.
Option D is incorrect. If you block all active content, many websites will be completely unusable.

122
Q
61.  You are responsible for database security at your company. You are concerned that programmers might pass badly written SQL commands to the database, or that an attacker might exploit badly written SQL in applications. What is the best way to mitigate this threat?
A.  Programmer training
B.  Programming policies
C.  Agile programming
D.  Stored procedures
A

D. Stored procedures are the best way to have standardized SQL. Rather than programmers writing their own SQL commands, they simply call the stored procedures that the database administrator creates.
Options A and B are both incorrect. Although these are good ideas, they are not as effective as stored procedures in addressing concerns about bad SQL commands.
Option C is incorrect. Agile programming is a method for developing applications rapidly and won’t determine how SQL commands are created.

123
Q
  1. Mary is concerned about application security for her company’s application development.
    Which of the following is the most important step for addressing application security?
    A. Proper error handling
    B. Regular data backups
    C. Encrypted data transmission
    D. Strong authentication
A

A. Proper error handling is the most fundamental item to address in application development. Robust and thorough error handling will mitigate many security risks.
Options B, C, and D are all incorrect. Each of these is a good security measure but not the most important step for Mary to take.

124
Q
  1. Farès is responsible for managing the many virtual machines on his company’s networks.
    Over the past two years, the company has increased the number of virtual machines significantly. Farès is no longer able to effectively manage the large number of machines.
    What is the term for this situation?
    A. VM overload
    B. VM sprawl
    C. VM spread
    D. VM zombies
A

B. When virtualization reaches the point that IT can no longer effectively manage it, the condition is known as VM sprawl.
Options A and C are incorrect. These are not the terms used in industry.
Option D is incorrect. VM zombie is a term for a virtual machine that is running and consuming resources but no longer has a purpose.

125
Q
66.  Juan is responsible for the physical security of the company server room. He has been asked to recommend a type of fire suppression system for the server room. Which of the following would be the best choice?
A.  Wet pipe
B.  Deluge
C.  Pre-action
D.  Halon
A

C. Pre-action fire suppression is ideal for computers. The pipes have no water in them during normal operations. When the temperature rises to a certain level, water fills the pipes.
Then if the temperature continues to rise, the fire suppression system activates. This provides time to stop the fire before the servers are soaked with water.
Option A is incorrect. Wet pipes have water in them at all times. If a pipe freezes and/or bursts, then the servers will be damaged.
Option B is incorrect. Deluge fire suppression, as the name suggests, uses a very large amount of water. This is not appropriate for computers.
Option D is incorrect. Halon is now banned.

126
Q
  1. You are responsible for server room security for your company. You are concerned about physical theft of the computers. Which of the following would be best able to detect theft or attempted theft?
    A. Motion sensor–activated cameras
    B. Smart card access to the server rooms
    C. Strong deadbolt locks for the server rooms
    D. Logging everyone who enters the server room
A

A. The correct answer is to have a motion-activated camera that records everyone who enters the server room.
Options B, C, and D are all incorrect. These are all good security measures but won’t detect theft.

127
Q
68.  Teresa has deployed session tokens on her network. These would be most effective against which of the following attacks?
A.  DDoS
B.  Replay
C.  SYN flood
D.  Malware
A

B. Session tokens are used to authenticate sessions. These can be effective against replay attacks and session hijacking.
Options A, C, and D are all incorrect. Session tokens will not be effective in mitigating these attacks.

128
Q
69.  Hector is using infrared cameras to verify that servers in his datacenter are being properly racked. Which of the following datacenter elements is he concerned about?
A.  EMI blocking
B.  Humidity control
C.  Hot and cold aisles
D.  HVAC
A

C. Hot aisle/cold aisle is a layout design for server racks and other computing equipment in a data center. The goal of a hot aisle/cold aisle configuration is to conserve energy and lower cooling costs by managing airflow. An infrared camera will detect heat levels on the aisles.
Options A, B, and D are all incorrect. Although these are issues to be concerned about in a data center, the infrared camera is not an appropriate way to monitor them.

129
Q
  1. Mark is an administrator for a health care company. He has to support an older, legacy application. He is concerned that this legacy application might have vulnerabilities that would affect the rest of the network. What is the most efficient way to mitigate this?
    A. Use an application container.
    B. Implement SDN.
    C. Run the application on a separate VLAN.
    D. Insist on an updated version of the application.
A

A. The correct answer is to use an application container to isolate that application from the host operating system. Application containers provide a virtualized environment in which to run an application.
Option B is incorrect. Moving to software-defined networking is a very involved process and does not provide an efficient solution.
Option C is incorrect. Not only will this not separate the application from the host operating system; it might not solve the problem.
Option D is incorrect. This is not an option in this question. Mark must support the legacy application.

130
Q
73.  Lars is auditing the physical security of a company. The company uses chain-link fences on its perimeter. The fence is over pavement, not soft ground. How close to the ground should the bottom of the fence be?
A.  Touching the ground
B.  Within 4 inches
C.  There is no standard for this.
D.  Within 2 inches
A

D. The fence should reach within 2 inches of hard surfaces like pavement or concrete. For soft dirt it should actually go into the ground.
Options A and B are incorrect. These are not the correct measurements.
Option C is incorrect. Per the standard, chain-link fence should reach within 2 inches of hard surfaces like pavement or concrete. For soft dirt, it should actually go into the ground.

131
Q
  1. Mia has to deploy and support a legacy application. The configuration for this application and the OS it runs on are very specific and cannot be changed. What is the best approach for her to deploy this?
    A. Use an immutable server.
    B. Use a VM.
    C. Set permissions on the application so it cannot be changed.
    D. Place the application on a separate VLAN.
A

A. An immutable (unchangeable) server’s configuration cannot be changed.
Option B is incorrect. A virtual machine won’t stop the application or the OS from being altered.
Option C is incorrect. This won’t prevent the OS from being altered.
Option D is incorrect. Segregating the application on a separate VLAN won’t address the issues.

132
Q
  1. Abigail is responsible for datacenters in a large, multinational company. She has to support multiple datacenters in diverse geographic regions. What would be the most effective way for her to manage these centers consistently across the enterprise?
    A. Hire datacenter managers for each center.
    B. Implement enterprise-wide SDN.
    C. Implement Infrastructure as Code (IaC).
    D. Automate provisioning and deprovisioning.
A

C. The correct answer is to implement IaC. Infrastructure as Code (IaC) is the process of managing and provisioning computer datacenters through machine-readable definition files, rather than physical hardware configuration or interactive configuration tools.
Whether the data center(s) use physical machines or virtual machines, this is an effective way to manage the data centers.
Option A is incorrect. Although data center managers may be needed, that won’t necessarily provide consistent management across the enterprise.
Option B is incorrect. Software-defined networking will not fix this problem.
Option D is incorrect. The issue is not just provisioning; it is management.

133
Q
85.  Ixxia is a software development team manager. She is concerned about memory leaks in code. What type of testing is most likely to find memory leaks?
A.  Fuzzing
B.  Stress testing
C.  Static code analysis
D.  Normalization
A

C. The correct answer is to use static code analysis. Memory leaks are usually caused by failure to deallocate memory that has been allocated. A static code analyzer can check to see if all memory allocation commands (malloc, alloc, etc.) have a matching deallocation command.
Option A is incorrect. Fuzzing involves entering data that is outside expected values to see how the application handles it.
Option B is incorrect. Stress testing involves testing how a system handles extreme workloads.
Option D is incorrect. Normalization is a technique for deduplicating a database.

134
Q
  1. Mark is responsible for a server that runs sensitive software for a major research facility.
    He is very concerned that only authorized software execute on this server. He is also concerned about malware masquerading as legitimate, authorized software. What technique would best address this concern?
    A. Secure boot
    B. Software attestation
    C. Sandboxing
    D. TPM
A

B. Software attestation is often done with digital certificates and digital signing. The software proves that it is the legitimate program before being allowed to execute.
Option A is incorrect. Secure boot involves the system booting into a trusted configuration.
Option C is incorrect. Sandboxing is used to isolate an application.
Option D is incorrect. Trusted platform module is a cryptoprocessor, often used for key management.
135
Q
88.  Hannah is a programmer with a large software company. She is interested in ensuring that the module she just created will work well with a module created by another programmer. What type of testing is this?
A.  Unit testing
B.  Regression testing
C.  Stress testing
D.  Integration testing
A

D. When two or more components are tested together, this is referred to as integration testing.
Option A is incorrect. Unit testing is testing a single unit of code.
Option B is incorrect. Regression testing is testing a system after a change to ensure that the change did not cause any other problems.
Option C is incorrect. Stress testing involves subjecting a system to extensive loads to determine if it can handle them.

136
Q
  1. Erik is responsible for the security of a SCADA system. Availability is a critical issue.
    Which of the following is most important to implement?
    A. SIEM
    B. IPS
    C. Automated patch control
    D. Honeypot
A

B. Intrusion prevention systems are critical for a system that needs high availability.
Depending on the nature of the system, it may require an HIPS, NIPS, or both.
Option A is incorrect. Security information and event management consolidates logs.
Although this can be a valuable security feature, it is not the most important in this situation.
Option C is incorrect. Automated patch control is usually a good idea; however, it is not the most important in this situation.
Option D is incorrect. Honeypots can be a valuable security control, but they are far less important than IPS or patch control.

137
Q
  1. You are concerned about the security of new devices your company has implemented.
    Some of these devices use SoC technology. What would be the best security measure you could take for these?
    A. Using a TPM
    B. Ensuring each has its own cryptographic key
    C. Using SED
    D. Using BIOS protection
A

B. System on a Chip devices are complete self-contained systems on a single chip. Therefore, having their own unique cryptographic keys is the best way to implement authentication and security.
Option A is incorrect. A system on a chip is self-contained, so a TPM would not be an appropriate solution.
Option C is incorrect. A self-encrypting drive is not relevant to system on a chip, since that system does not have a “drive.”
Option D is incorrect. Many SoC technologies don’t use a BIOS.

138
Q
  1. Vincent works for a company that manufactures portable medical devices, such as insulin pumps. He is concerned about ensuring these devices are secure. Which of the following is the most important step for him to take?
    A. Ensure all communications with the device are encrypted.
    B. Ensure the devices have FDE.
    C. Ensure the devices have individual antimalware.
    D. Ensure the devices have been fuzz tested.
A

A. Such systems need to have all communications encrypted. As of the current date, breaches of portable network devices have all involved unencrypted communications.
Option B is incorrect. Full disk encryption may or may not even be appropriate for such devices. Many don’t have a disk to encrypt.
Option C is incorrect. It may not be possible to install anti-malware on many such devices.
Option D is incorrect. Fuzz testing is used for applications.

139
Q
93.  Ariel is responsible for software development in her company. She is concerned that the software development team integrate well with the network system. She wants to ensure that software development processes are aligned with the security needs of the entire network. Which of the following would be most important for her to implement?
A.  Integration testing
B.  Secure DevOps
C.  Clear policies
D.  Employee training
A

B. DevOps is a compound term: software DEVelopment and information technology OPerationS. The term refers to collaboration between software developers and IT professionals to align software development with infrastructure issues.
Option A is incorrect. Integration testing refers to testing two or more components.
Options C and D are both incorrect. Although clear policies and employee training are usually a good idea, they won’t be the best way to address Ariel’s concerns.

140
Q
  1. Greg is a programmer with a small company. He is responsible for the web application.
    He has become aware that one of the modules his web application uses may have a security flaw allowing an attacker to circumvent authentication. There is an update available for this module that fixes the flaw. What is the best approach for him to take to mitigate this threat?
    A. Submit an RFC.
    B. Immediately apply the update.
    C. Place the update on a test server, then if it works apply it to the production server.
    D. Document the issue.
A

A. All software changes must go through proper change management. That includes a request for changes (RFC) that will be evaluated.
Option B is incorrect. Greg cannot know what effect the change might have on other aspects of the system. This fix could cause additional problems.
Option C is incorrect. This is a better answer than B but still does not follow change control procedures.
Option D is incorrect. Simply documenting the issue does nothing to correct it.

141
Q
  1. You are using a sophisticated system that models various attacks on your networks. You intend for this system to help your team realize weak areas and improve response to incidents. What is the most important step to take before relying on data from this system?
    A. Get approval from a CAB.
    B. Thoroughly review the systems documentation.
    C. Verify the models being used.
    D. Perform integration testing on the system.
A

C. Model verification must be completed before you can rely on the models used. It is important to verify that all aspects of a simulation model are accurate. If the model has any inaccurate data or settings, then the results will not be accurate.
Option A is incorrect. Change approval boards (CABs) are part of the change control process.
Option B is incorrect. Although it is always a good idea to thoroughly read documentation, this is not the most critical issue in this scenario.
Option D is incorrect. Integration testing involves testing two or more components to ensure they function together.

142
Q
  1. Your development team primarily uses Windows, but they need to develop a specific solution that will run on Linux. What is the best solution to getting your programmers access to Linux systems for development and testing?
    A. Set their machines to dual-boot Windows and Linux.
    B. PaaS
    C. Set up a few Linux machines for them to work with as needed.
    D. IaaS
A

B. Platform as a Service is a good solution to this problem. The programmer can access a virtualized Linux machine with PaaS.
Options A and C are both incorrect. Although these would work, they are less efficient than using PaaS.
Option D is incorrect. Infrastructure as a Service is used to provide networking infrastructure via virtualization. In this scenario, you only need an operating system.

143
Q
  1. Daniel works for a mid-sized financial institution. The company has recently moved some of its data to a cloud solution. Daniel is concerned that the cloud provider may not support the same security policies as the company’s internal network. What is the best way to mitigate this concern?
    A. Implement a cloud access security broker.
    B. Perform integration testing.
    C. Establish cloud security policies.
    D. Implement Security as a Service.
A

A. A cloud access security broker (CASB) is a software tool or service that sits between an organization’s on-premises network and a cloud provider’s infrastructure. A CASB acts as a gatekeeper, allowing the organization to extend the reach of their security policies into the cloud.
Option B is incorrect. Integration testing is used to test two or more components to ensure they integrate.
Option C is incorrect. Although security policies are a good idea, just having policies in your company won’t affect the cloud solution.
Option D is incorrect. Security as a Service is a process of outsourcing certain security functions.

144
Q
102.  You are the CIO for a small company. The company wants to use cloud storage for some of its data, but cost is a major concern. Which of the following cloud deployment models would be best?
A.  Community cloud
B.  Private cloud
C.  Public cloud
D.  Hybrid cloud
A

C. The correct answer is a public cloud. Public clouds are usually less expensive. The cloud provider has a number of customers and costs are dispersed. Even individuals can afford to use cloud storage with services like iCloud and Amazon Cloud.
Option A is incorrect. A community cloud is usually private for a small group of partners.
Each of the partners must share a greater part of the expense than they would with a public cloud. But they retain more control over the cloud than they would with a public cloud.
Option B is incorrect. Private clouds are the most expensive. The company must completely develop and maintain the cloud resources.
Option D is incorrect. A hybrid deployment model is a good compromise for many situations, but it will be more expensive than a public cloud.

145
Q
  1. Teresa is the network administrator for a small company. The company is interested in a robust and modern network defense strategy but lacks the staff to support it. What would be the best solution for Teresa to use?
    A. Implement SDN.
    B. Use automated security.
    C. Use Security as a Service.
    D. Implement only as much security controls as they can support.
A

C. Security as a Service uses an outside company to handle security tasks. Some or even all security tasks can be outsourced, including IDS/IPS management, SIEM integration, and other security controls.
Option A is incorrect. Software-defined networking would make managing security somewhat easier but would itself be difficult to implement.
Option B is incorrect. Automating as much security activity as is practical would help alleviate the problem but would not be as effective as Security as a Service.
Option D is incorrect. This would mean intentionally not implementing some security controls.

146
Q
  1. George is a network administrator at a power plant. He notices that several turbines had unusual ramp-ups in cycles last week. After investigating, he finds that an executable was uploaded to the system control console and caused this. Which of the following would be most effective in preventing this from affecting the SCADA system in the future?
    A. Implement SDN.
    B. Improve patch management.
    C. Place the SCADA system on a separate VLAN.
    D. Implement encrypted data transmissions.
A

C. Separating the SCADA system from the main network makes it less likely that the SCADA system can be affected from the main network. This includes malware as well as human action.
Option A is incorrect. Software-defined networking would make isolating the SCADA system easier but would not actually isolate it.
Option B is incorrect. Patch management is always important, but in this case it would not have prevented the issue.
Option D is incorrect. Encrypted data transmissions, such as TLS, would have no effect on this situation.

147
Q
  1. Abigail is responsible for setting up an NIPS on her network. The NIPS is located in one particular network segment. She is looking for a passive method to get a copy of all traffic to the NIPS network segment so that it can analyze the traffic. Which of the following would be her best choice?
    A. Using a network tap
    B. Using port mirroring
    C. Setting the NIPS on a VLAN that is connected to all other segments
    D. Setting up an NIPS on each segment
A

A. Network taps are analogous to phone taps. They are completely passive methods of getting network traffic to a central location.
Option B is incorrect. Port mirroring would get all the traffic to the NIPS but is not completely passive. It requires the use of resources on switches to route a copy of the traffic. Incorrect switch configurations can cause looping. Configuring loop detection can prevent looped ports.
Option C is incorrect. It is not clear that this answer would even work.
Option D is incorrect. This is not the assignment. Setting up an NIPS on each segment would also dramatically increase administrative efforts.

148
Q
117.  Janice is explaining how IPSec works to a new network administrator. She is trying to explain the role of IKE. Which of the following most closely matches the role of IKE in IPSec?
A.  It encrypts the packet.
B.  It establishes the SAs.
C.  It authenticates the packet.
D.  It establishes the tunnel.
A

B. Internet key exchange is used to set up security associations on each end of the tunnel.
The security associations have all the settings (i.e., cryptographic algorithms, hashes, etc.) for the tunnel.
Options A and C are incorrect. IKE is not directly involved in encrypting or authenticating.
Option D is incorrect. One might argue that by establishing the security associations, IKE is establishing the tunnel. However, option B is the more accurate answer.

149
Q
  1. Doug is a network administrator for a small company. The company has recently implemented an e-commerce server. This has placed a strain on network bandwidth. What would be the most cost-effective means for him to address this issue?
    A. Isolate the new server on a separate network segment.
    B. Upgrade the network to CAT 7.
    C. Move to fiber optic.
    D. Implement aggregation switches.
A

D. Link aggregation switches allow you to combine the bandwidth of multiple links into one connection. This would allow Doug to improve bandwidth to the e-commerce server.
Option A is incorrect. This would reduce the impact on the rest of the network but would not address the bandwidth needs of the e-commerce server.
Options B and C are both incorrect. Each of these would most likely address the problem, but neither is cost-effective.

150
Q
120.  Liam is responsible for monitoring security events in his company. He wants to see how diverse events may connect. He is interested in identifying different indicators of compromise that may point to the same breach. Which of the following would be most helpful for him to implement?
A.  NIDS
B.  SIEM
C.  Correlation engine
D.  Aggregation switch
A

C. A correlation engine is software that is used to aggregate events and to seek out correlations. In some cases, this is done with advanced analytic algorithms, including fuzzy logic.
Option A is incorrect. A network intrusion detection system would be helpful but will not (by itself) necessarily correlate events.
Option B is incorrect. A security information event manager will certainly aggregate log information but may not correlate the events.
Option D is incorrect. An aggregation switch simply combines bandwidth.

151
Q
  1. Emily manages the IDS/IPS for her network. She has an NIPS installed and properly configured. It is not detecting obvious attacks on one specific network segment. She has verified that the NIPS is properly configured and working properly. What would be the most efficient way for her to address this?
    A. Implement port mirroring for that segment.
    B. Install an NIPS on that segment.
    C. Upgrade to a more effective NIPS.
    D. Isolate that segment on its own VLAN.
A

A. The NIPS is not seeing the traffic on that network segment. By implementing port mirroring, the traffic from that segment can be copied to the segment where the NIPS is installed.
Option B is incorrect. This would work but is not the most efficient approach.
Option C is incorrect. Nothing in this scenario suggests that the NIPS is inadequate. It just is not seeing all the traffic.
Option D is incorrect. This would isolate that network segment but would still not allow the NIPS to analyze the traffic from that segment.

152
Q
122.  You have been instructed to find a VPN solution for your company. Your company uses TACACS+ for remote access. Which of the following would be the best VPN solution for your company?
A.  PPTP
B.  RADIUS
C.  L2TP
D.  CHAP
A

C. Layer 2 Tunneling Protocol is a VPN technology that supports a wide range of remote access methods, including TACACS+. L2TP also supports a range of protocols, including ATM and X.25.
Option A is incorrect. Point-to-Point Tunneling Protocol is a VPN protocol but won’t support TACACS+.
Option B is incorrect. Remote Authentication Dial-In User Service is a remote access protocol, not a VPN protocol. It is an early predecessor to TACACS+.
Option D is incorrect. Challenge Handshake Authentication Protocol is an authentication protocol, not a VPN protocol.

153
Q
  1. You are working for a large company. You are trying to find a solution that will provide controlled physical access to the building and record every employee who enters the building. Which of the following would be the best for you to implement?
    A. A security guard with a sign-in sheet
    B. Smart card access
    C. A camera by the entrance
    D. A sign-in sheet by the front door
A

B. Smartcards can be used to allow entrance into a building. The smartcard can also store information about the user, and thus the system can log who enters the building.
Option A is incorrect. A security guard with a sign-in sheet would function, but there are many ways to subvert a sign-in sheet, and a guard can be distracted or become inattentive. This makes smartcard access a better solution.
Option C is incorrect. Yes, a camera would record who enters but would not control access. A nonemployee could enter the building.
Option D is incorrect. An uncontrolled/unsupervised sign-in sheet would not be secure.

154
Q
129.  Carole is concerned about security for her server room. She wants the most secure lock she can find for the server room door. Which of the following would be the best choice for her?
A.  Combination lock
B.  Key-in-knob
C.  Deadbolt
D.  Padlock
A

C. Of the locks listed here, deadbolts are the most secure. The locking bolt goes into the door frame, making it more secure.
Option A is incorrect. Whether a lock uses a key or combination does not change how secure it is.
Option B is incorrect. Key-in-knob is a very common, and fairly insecure, solution.
Option D is incorrect. Padlocks can be cut off with common bolt cutters.

155
Q
  1. Donald is responsible for networking for a defense contractor. He is concerned that emanations from UTP cable could reveal classified information. Which of the following would be his most effective way to address this?
    A. Migrate to CAT 7 cable.
    B. Implement protected cabling.
    C. Place all cable in a Faraday cage.
    D. Don’t send any classified information over the cable.
A

B. Protected cabling will secure the cable and prevent anyone from eavesdropping. These systems, also called protected distribution systems, use a variety of safeguards so that classified information can be sent unencrypted.
Option A is incorrect. Cat 7 will improve bandwidth, not security.
Option C is incorrect. This is not even a practical solution. To place a Faraday cage around all cable would require extensive rework of the building(s).
Option D is incorrect. That is not a viable option. The scenario indicates that Donald needs to send classified data.

156
Q
  1. Fred is responsible for physical security in his company. He wants to find a good way to protect the USB thumb drives that have BitLocker keys stored on them. Which of the following would be the best solution for this situation?
    A. Store the drives in a secure cabinet.
    B. Encrypt the thumb drives.
    C. Don’t store BitLocker keys on these drives.
    D. Lock the thumb drives in desk drawers.
A

A. A secure cabinet is tamper proof and provides a good place to store anything you are trying to physically protect.
Option B is incorrect. This would then require you to store the key used to encrypt the thumb drive, thus continuing the problem.
Option C is incorrect. It is actually a good practice to store BitLocker keys on removable media, provided that media is safeguarded.
Option D is incorrect. Desk drawers are not secure and can easily be broken into.

157
Q
  1. Mike is a network administrator for an e-commerce company. There have been several updates to the operating system, the web server software, and the web application, all within the last 24 hours. It appears that one of these updates has caused a significant security problem. What would be the best approach for Mike to take to correct this problem?
    A. Remove the updates one at a time to see which corrects the problem.
    B. Roll the server back to the last known good state.
    C. Investigate and find out which update caused the problem, and remove only that update.
    D. Investigate and find out which update caused the problem, and find a patch for that issue.
A

B. There is now a serious security issue on the web server. The primary concern must be to correct this. Rolling back to the last known good state will immediately correct the problem; then Mike can investigate to find the cause.
Option A is incorrect. This would be too slow, and in the interim the flaw would be on the live website.
Options C and D are both incorrect. These would be the slowest solutions and thus leave the security flaw in place for an unacceptable amount of time.

158
Q
139.  Ixxia is responsible for security at a mid-sized company. She wants to prevent users on her network from visiting job-hunting sites while at work. Which of the following would be the best device to accomplish this goal?
A.  Proxy server
B.  NAT
C.  Firewall
D.  NIPS
A

A. A web proxy can be used to block certain websites. It is common practice for network administrators to block either individual sites or general classes of sites (like job-hunting sites).
Option B is incorrect. Network address translation is used to translate the private IP addresses of internal computers to public IP addresses.
Option C is incorrect. A firewall can block traffic on a given port or using a particular protocol, but generally they are not able to block specific websites.
Option D is incorrect. Network intrusion prevention systems identify and block attacks. They cannot prevent users from visiting specific websites.

159
Q
  1. When you are concerned about application security, what is the most important issue in memory management?
    A. Never allocate a variable any larger than is needed.
    B. Always check bounds on arrays.
    C. Always declare a variable where you need it (i.e., at function or file level if possible).
    D. Make sure you release any memory you allocate.
A

D. Failure to release memory you have allocated can lead to a memory leak. Therefore, if you are using a programming language like C++ that allows you to allocate memory, make certain you deallocate that memory as soon as you are finished using it.
Options A and C are incorrect. Both of these are good programming practices. However, failure to follow them just leads to wasteful use of memory; it does not lead to a security problem like a memory leak.
Option B is incorrect. Although this is a good idea to prevent buffer overflows, it is not a memory management issue.

160
Q
142.  Darrel is looking for a cloud solution for his company. One of the requirements is that the IT staff can make the transition with as little change to the existing infrastructure as possible. Which of the following would be his best choice?
A.  Off-premises cloud
B.  On-premises cloud
C.  Hybrid solution
D.  Use only a community cloud
A

A. Off-premises clouds are always less expensive and require fewer changes to the existing infrastructure. That is true for public, private, or community clouds.
Option B is incorrect. An on-premises cloud is always the most expensive solution and has a tremendous impact on the existing IT infrastructure. Few companies opt for this approach.
Option C is incorrect. A hybrid solution is better than on-premises but not as good as off-premises.
Option D is incorrect. It need not be a community cloud. An off-premises public cloud or even a private cloud would fulfill the requirements.

161
Q
  1. Arjun has just taken over web application security for a small company. He notices that some values are temporarily stored in hidden fields on one of the web pages. What is this called and how would it be best characterized?
    A. This is obfuscation, a weak security measure.
    B. This is data hiding, a weak security measure.
    C. This is obfuscation, a possible security flaw.
    D. This is data hiding, a possible security flaw.
A

C. This is commonly called obfuscation. Many years ago (i.e., late 1990s) it was thought of as a weak security measure. Today it can only be thought of as a possible security flaw and should not be used.
Options A, B, and D are all incorrect. These are not accurate descriptions of what is being done in this scenario.

162
Q
  1. When you’re implementing security cameras in your company, which of the following is the most important concern?
    A. High-definition video
    B. Large storage capacity
    C. How large an area the camera can cover
    D. Security of the camera and video storage
A

D. The most important issue is that the camera itself is tamper proof and that the data stored is tamper proof. Wireless security cameras are an example of home automation and are one of the driving factors behind the IoT movement.
Options A, B, and C are all incorrect. These are important considerations, and you should consider all three of these. But the most important issue is the security of the camera and the video storage.

163
Q
  1. What is the primary security issue presented by monitors?
    A. Unauthorized users may see confidential data.
    B. Data can be detected from electromagnetic emanations.
    C. Poor authentication
    D. Screen burn
A

A. A monitor displays data, and it is possible others can see that data. For example, traveling employees with laptops may inadvertently disclose data on their monitor that someone else can see. For this reason, screen filters are recommended for laptops.
Option B is incorrect. This may be theoretically possible but has not been reported to have actually ever occurred. And even if it should be encountered, it is not the primary security issue.
Option C is incorrect. Although the monitor displays login screens, it is not where the actual authentication processing occurs.
Option D is incorrect. Old CRT monitors were very susceptible to this issue. For modern monitors, screen burn is very unlikely to occur. If it is a concern, it is certainly not the primary concern.

164
Q
148.  Clark is responsible for mobile device security in his company. Which of the following is the most important security measure for him to implement?
A.  Encrypted drives
B.  Patch management
C.  Remote wiping
D.  Geotagging
A

B. As with desktops, laptops, and servers, patch management is a fundamental security issue and must be addressed. Many malware outbreaks and other breaches can be prevented by simply having good patch management.
Options A, C, and D are all incorrect. Each of these is a good idea and should at least be considered. However, they apply only to specific security issues, primarily how to handle lost or stolen mobile devices. Patch management affects all mobile devices, even if the device is never lost or stolen, and is thus more important.

165
Q
150.  You are the CISO for a mid-sized health care company. Which of the following is the most important for you to implement?
A.  Industry best practices
B.  Contractual requirements
C.  Strong security policies
D.  Regulatory requirements
A

D. Regulatory requirements are enforced by law. You must implement these; therefore, they are the most important.
Options A, B, and C are incorrect. Each is very important, and you should implement all three. But they are less important than regulatory requirements.

166
Q
3.  You are selecting an authentication method for your company’s servers. You are looking for a method that periodically reauthenticates clients to prevent session hijacking. Which of the following would be your best choice?
A.  PAP
B.  SPAP
C.  CHAP
D.  OAUTH
A

C. The correct answer is that Challenge Handshake Authentication Protocol (CHAP) periodically has the client reauthenticate. This is transparent to the user, but specifically is done to prevent session hijacking.
Option A is incorrect. Password Authentication Protocol is actually quite old and does not reauthenticate. In fact, it even sends the password in clear text, so it should not be used any longer.
Option B is incorrect. SPAP (Shiva Password Authentication Protocol) adds password encryption to PAP but does not reauthenticate.
Option D is incorrect. OAUTH is used in web authentication and does not reauthenticate.

167
Q
6.  You have been asked to select an authentication method that will support single sign-on, integrate with SAML, and work well over the Internet. Which of the following would be your best choice?
A.  Shibboleth
B.  OAUTH
C.  SPAP
D.  CHAP
A

A. Shibboleth is a middleware solution for authentication and identity management that uses SAML (Security Assertion Markup Language) and works over the Internet.
Option B is incorrect. OAUTH (Open Authorization) allows an end user’s account information to be used by third-party services, without exposing the user’s password.
Option C is incorrect. Shiva Password Authentication Protocol (SPAP) is an older authentication method that simply encrypted the username and password in transit.
Option D is incorrect. Challenge Handshake Authentication Protocol (CHAP) periodically re-authenticates the user.

168
Q
11.  You work for a social media website. You wish to integrate your users’ accounts with other web resources. To do so, you need to allow authentication to be used across different domains, without exposing your users’ passwords to these other services. Which of the following would be most helpful in accomplishing this goal?
A.  Kerberos
B.  SAML
C.  OAUTH
D.  OpenID
A

C. OAUTH (Open Authorization) is an open standard for token-based authentication and authorization on the Internet and allows an end user’s account information to be used by third-party services, without exposing the user’s password.
Option A is incorrect. Kerberos is a network authentication protocol and is not used for cross-domain/service authentication.
Option B is incorrect. Security Assertion Markup Language (SAML) is an XML-based, open-standard data format for exchanging authentication and authorization data between parties.
Option D is incorrect. OpenID is an authentication service often done by a third party, and it can be used to sign into any website that accepts OpenID. It would be possible for this to work, but only with websites that support OpenID, so it is not as good a solution as OAUTH.

169
Q
  1. Mary is trying to set up remote access to her network for salespeople in her company. Which protocol would be most helpful in accomplishing this goal?
    A. RADIUS
    B. Kerberos
    C. CHAP
    D. OpenID
A

A. Remote Authentication Dial-In User Service (RADIUS) is a protocol specifically designed for remotely accessing a network.
Option B is incorrect. Kerberos could be used to authenticate these users, but by itself cannot connect them.
Option C is incorrect. CHAP could be used to authenticate these users, but by itself cannot connect them.
Option D is incorrect. OpenID is an authentication service often done by a third party, and it can be used to sign into any website that accepts OpenID. It is not used for remotely accessing a network.

170
Q
16.  Mia is responsible for website security for a bank. When a user forgets their password, she wants a method to give them a temporary password. Which of the following would be the best solution for this situation?
A.  Facial recognition
B.  Digital certificate authentication
C.  RBAC
D.  TOTP
A

D. A Time-based One-time Password (TOTP) can only be used once and is only valid for a brief period of time after it is issued. Users can request a password reset, and a TOTP can be sent over an alternate communication channel, such as a text message to their phone.
Option A is incorrect. Many users won’t have the equipment to support facial recognition.
Option B is incorrect. Not all users will have digital certificates.
Option C is incorrect. Role-Based Access Control won’t solve this problem.

171
Q
18.  Jacob is responsible for database server security in his company. He is very concerned about preventing unauthorized access to the databases. Which of the following would be the most appropriate for him to implement?
A.  ABAC
B.  TOTP
C.  HIDS
D.  DAMP
A

D. A Database Activity Monitoring and Prevention (DAMP) system would be the most effective of the choices given. These systems work like an IPS, but specifically for databases.
Option A is incorrect. Attribute-Based Access Control (ABAC) can be a powerful way to control access in any system. However, DAMP is specifically designed for databases, so it would be the best choice in this scenario.
Option B is incorrect. A Time-based One-time Password (TOTP) is not for regular use, as each user would need a new password each time they need to access the database.
Option C is incorrect. A Host-Based Intrusion Detection System (HIDS) doesn’t prevent access; it simply records anomalous behavior.

172
Q
20.  You work for a U.S. defense contractor. You are setting up access cards that have chips embedded in them to provide access control for users in your company. Which of the following types of cards would be best for you to use?
A.  CAC
B.  PIV
C.  NFC
D.  Smart card
A

B. Personal Identity Verification is a standardized FIPS 201 (Federal Information Processing Standard Publication 201) for use with federal employees.
Option A is incorrect. Common Access Cards (CACs) are for U.S. Military personnel.
Option C is incorrect. Near Field Communication (NFC) cards might be used, but PIV cards are more appropriate for DoD contractors.
Option D is incorrect. Smartcard is a generic term. Both PIV and CAC are smartcards.

173
Q
22.  Fares is a security administrator for a large company. Occasionally, a user needs to access a specific resource that they don’t have permission to access. Which access control methodology would be most helpful in this situation?
A.  Mandatory Access Control
B.  Discretionary Access Control
C.  Role-based Access Control
D.  Rule-based Access Control
A

D. Rule-Based Access Control applies a set of rules to an access request. Based on the application of the rules, the user may be given access to a specific resource that they were not explicitly granted permission to.
Options A, B, and C are all incorrect. None of these could give a user access unless that user has already been explicitly given said access.

174
Q
30.  You are looking for an authentication method that has one-time passwords and works well with the Initiative for Open Authentication. However, the user should have unlimited time to use the password. Which of the following would be your best choice?
A.  CHAP
B.  TOTP
C.  HOTP
D.  ABAC
A

C. HMAC-based One-Time Password (HOTP) is a one-time password that is used by the Initiative for Open Authentication.
Option A is incorrect. CHAP is an authentication protocol but is not a one-time password.
Option B is incorrect. A Time-based One-time Password (TOTP) algorithm does work with the Initiative for Open Authentication, but it is time limited. The password must be used within a short time of being issued.
Option D is incorrect. Attribute-Based Access Control (ABAC) is a method for controlling access to your system.

175
Q
31.  Gerard is trying to find a flexible remote access protocol that can use either TCP or UDP. Which of the following should he select?
A.  RADIUS
B.  DIAMETER
C.  TACACS+
D.  TACACS
A

D. The original TACACS defined in RFC 1492 can use either UDP or TCP.
Option A is incorrect. RADIUS uses only UDP.
Option B is incorrect. DIAMETER uses only TCP.
Option C is incorrect. TACACS+ uses only TCP.

176
Q
32.  Emiliano is considering voice recognition as part of his access control strategy. What is one weakness with voice recognition?
A.  People’s voices change.
B.  Systems require training.
C.  High false negative rate
D.  High false positive rate
A

B. Voice recognition systems have to be trained to recognize the voices of authorized users, and that training takes time.
Option A is incorrect. Minor and normal changes to a person’s voice will not prevent voice recognition from recognizing the user.
Options C and D are incorrect. Voice recognition does not have a false negative or false positive rate that is particularly higher than other biometrics.

177
Q
  1. You are explaining facial recognition to a colleague. What is the most significant drawback to implementing facial recognition?
    A. These systems can be expensive.
    B. These systems can be fooled with facial hair, glasses, etc.
    C. These systems have a high false positive rate.
    D. The systems require a long time to observe a face.
A

A. The correct answer is that facial recognition is among the most expensive biometrics to implement.
Option B is incorrect. They cannot be fooled easily. Adding glasses, changing hair color, or even gaining or losing some weight will not prevent most facial recognition systems from functioning properly.
Option C is incorrect. Facial recognition systems actually have very low false positive rates.
Option D is incorrect. Most of these systems only need a few seconds.

178
Q
34.  Mohanned is responsible for account management at his company. He is very concerned about hacking tools that rely on rainbow tables. Which of the following would be most effective in mitigating this threat?
A.  Password complexity
B.  Password age
C.  Password expiration
D.  Password length
A

D. Rainbow table attacks are best mitigated by longer passwords. Generating rainbow tables is computationally intensive, and longer passwords (over 14 characters) cannot be cracked by most rainbow tables.
Options A, B, and C are incorrect. These are all password issues that should be addressed, but they have no impact on rainbow tables.

179
Q
37.  What port does TACACS use?
A.  TCP 143
B.  TCP and UDP 49
C.  TCP 443
D.  UDP 53
A

B. TACACS uses TCP and UDP 49.
Option A is incorrect. IMAP4 uses TCP 143.
Option C is incorrect. SSL uses port TCP 443 for web communications.
Option D is incorrect. DNS queries use UDP 53.

180
Q
44.  Kerberos uses which of the following to issue tickets?
A.  Authentication service
B.  Certificate authority
C.  Ticket-granting service
D.  Key distribution center
A

D. The Key Distribution Center (KDC) issues tickets. The tickets are generated by the ticket-granting service, which is usually part of the KDC.
Option A is incorrect. The authentication service simply authenticates the user.
Option B is incorrect. X.509 certificates and certificate authorities are not part of Kerberos.
Option C is incorrect. The ticket-granting service does generate the ticket, but the KDC issues it.

181
Q
46.  Samantha is looking for an authentication method that incorporates the X.509 standard and will allow authentication to be digitally signed. Which of the following authentication methods would best meet these requirements?
A.  Certificate-based authentication
B.  OAUTH
C.  Kerberos
D.  Smart cards
A

A. Digital certificates use the X.509 standard (or the PGP standard) and allow the user to digitally sign authentication requests.
Option B is incorrect. OAUTH allows an end user’s account information to be used by third-party services, without exposing the user’s password. It does not use digital certificates or support digital signing.
Option C is incorrect. Kerberos does not use digital certificates, nor does it support digital signing.
Option D is incorrect. Smartcards can contain digital certificates, but don’t necessarily have them.

182
Q
47.  Your company relies heavily on cloud and SaaS service providers such as salesforce.com, Office365, and Google. Which of the following would you have security concerns about?
A.  LDAP
B.  TACACS+
C.  SAML
D.  Transitive trust
A

C. SAML (Security Assertion Markup Language) is an Extensible Markup Language (XML) framework for creating and exchanging security information between partners online. The integrity of users is the weakness in the SAML identity chain. To mitigate this risk, SAML systems need to use timed sessions, HTTPS, and SSL/TLS.
Option A is incorrect. LDAP (Lightweight Directory Access Protocol) is a protocol that enables a user to locate individuals and other resources such as files and devices in a network.
Option B is incorrect. TACACS+ is a protocol that is used to control access into networks. TACACS+ provides authentication and authorization in addition to accounting of access requests against a central database.
Option D is incorrect. Transitive trust is a two-way relationship that is automatically created between a parent and a child domain in a Microsoft Active Directory forest. It shares resources with its parent domain by default and enables an authenticated user to access resources in both the child and parent domain.

183
Q
48.  Greg is responsible for database security for his company. He is concerned about authentication and permissions. Which of the following should be his first step?
A.  Implement minimum password length.
B.  Implement password lockout.
C.  Conduct a permissions audit.
D.  Ensure least privileges.
A

C. A permissions audit will tell Greg exactly what the current situation is. He must know what is occurring now, in order to address any weaknesses.
Option A is incorrect. Minimum password length is a good idea, but he first needs to know the current situation.
Option B is incorrect. Password lockout is a good idea, but he first needs to know the current situation.
Option D is incorrect. It’s important to ensure least privileges, but Greg must first conduct a permissions audit in order to determine if this principle is being adhered to or not.

184
Q
  1. Which of the following is a step in account maintenance?
    A. Implement two-factor authentication.
    B. Check for time of day restrictions.
    C. Review onboarding processes.
    D. Check to see that all accounts are for active employees.
A

D. An essential part of account maintenance is checking all accounts to ensure there are no active accounts for employees who are no longer with the company.
Option A is incorrect. Two-factor authentication is always preferred, but is not part of account maintenance.
Option B is incorrect. Time-of-day restrictions are optional. If they are implemented, then that would be a part of account maintenance, but option D is a better answer because it is always a part of account maintenance.
Option C is incorrect. Onboarding is critical (as is offboarding), but is not generally considered a part of account maintenance.

185
Q
50.  Tyrell works as a security officer for a mid-sized bank. All the employees only work in the office; there are no employees who work remotely or travel for company business. Tyrell is concerned about someone using an employee’s login credentials to access the bank’s network. Which of the following would be most effective in mitigating this threat?
A.  Kerberos authentication
B.  TOTP
C.  Location-based policies
D.  Group-based access control
A

C. Location-based policies can be used to prevent any login that is not from within the physical network. In this scenario, since no employees work remotely, such a policy would be practical, and it would prevent an attacker from using an employee’s login from outside the network.
Option A is incorrect. Kerberos is an effective authentication protocol, but if the attacker has the user’s login credentials, Kerberos cannot prevent them from logging in.
Option B is incorrect. Time-based One-Time Passwords (TOTPs) are not practical for daily use.
Option D is incorrect. Group-based access control would do nothing to prevent an attacker who had the credentials of a legitimate user.

186
Q
52.  Sheila is concerned that some users on her network may be accessing files that they should not—specifically, files that are not required for their job tasks. Which of the following would be most effective in determining if this is happening?
A.  Usage auditing and review
B.  Permissions auditing and review
C.  Account maintenance
D.  Policy review
A

A. Auditing and reviewing how users actually utilize their account permissions would be the best way to determine if there is any inappropriate use. A classic example would be a bank loan officer. By the nature of their job, they have access to loan documents. But they should not be accessing loan documents for loans they are not servicing.
Option B is incorrect. The issue in this case is not permissions, because the users require permission to access the data. The issue is how the users are using their permissions.
Option C is incorrect. Usage auditing and permissions auditing are both part of account maintenance, but option A directly addresses the issue in this question.
Option D is incorrect. This is not a policy issue.

187
Q
1.  In which of the following scenarios would using a shared account pose the least security risk?
A.  For a group of tech support personnel
B.  For guest Wi-Fi access
C.  For students logging in at a university
D.  For accounts with few privileges
A

B. A scenario such as guest Wi-Fi access does not provide the logins with any access to corporate resources. The people logging in merely get to access the Internet. This poses very limited security risk to the corporate network, and thus is often done with a common or shared account.
Option A is incorrect. Tech support personnel generally have significant access to corporate network resources.
Option C is incorrect. While this is a relatively low access scenario, it is still important to know which specific student is logging on and accessing what resources.
Option D is incorrect. Any level of access to corporate resources should have its own individual login account.

188
Q
55.  Jane is setting up login accounts for federated identities. She wants to avoid requiring the users to remember login credentials and allow them to use their logins from the originating network. Which of the following technologies would be most suitable for implementing this?
A.  Credential management
B.  OAUTH
C.  Kerberos
D.  Shibboleth
A

A. Credential management is expressly designed for this, and it is explicitly for federated identities. In fact, Microsoft has a credential management API that programmers can use to implement this.
Option B is incorrect. OAUTH allows an end user’s account information to be used by third-party services without exposing the user’s password, and it is used for services, not federated identities. Even the service being logged onto won’t know the password.
Option C is incorrect. Kerberos is a network/domain authentication protocol.
Option D is incorrect. Shibboleth is a middleware solution for authentication and identity management that uses SAML (Security Assertion Markup Language) and works over the Internet.

189
Q
1.  You are a security administrator for an insurance company. You have discovered that there are a few active accounts for employees who left the company over a year ago. Which of the following would best address this issue?
A.  Password complexity
B.  Offboarding procedures
C.  Onboarding procedures
D.  Password expiration
A

D. Password expiration would mean that even if the exiting employee’s login is not disabled, the password will simply expire without anyone having to take any action.
Option A is incorrect. Password complexity won’t address this issue. That would simply make a password harder to guess.
Option B is incorrect. Offboarding would help in this situation and should be implemented. But password expiration would occur automatically, even if offboarding procedures are not followed. That is why password expiration is a better answer.
Option C is incorrect. Onboarding involves bringing a new employee into the team, not the process of exiting an employee.

190
Q
60.  Charles is a CISO for an insurance company. He recently read about an attack wherein an attacker was able to enumerate all the network resources, and was able to make some resources unavailable. All this was done by exploiting a single protocol. Which protocol should Charles secure to mitigate this attack?
A.  SNMP
B.  LDAP
C.  HTTP
D.  DHCP
A

B. Lightweight Directory Access Protocol (LDAP) is often described as a phone book for your network. It lists all the network resources. Various attacks on LDAP can give the attacker a very thorough inventory of your network. Furthermore, an attacker can remove an item from LDAP and thus render it inaccessible. LDAP can be secured with TLS, and thus become LDAPS (LDAP Secure).
Option A is incorrect. Simple Network Management Protocol (SNMP) would give an attacker a great deal of information about your network, but not all. Also, it would not allow the attacker to make resources unavailable.

191
Q
63.  Which of the following is most important in managing account permissions?
A.  Account recertification
B.  Usage auditing
C.  Standard naming conventions
D.  Account recovery
A

A. Periodic recertification of accounts is critical. The recertification process verifies that the account holder still requires the permissions they have been granted.
Option B is incorrect. Usage auditing could be done to support recertification, but is not as important as the recertification process.
Option C is incorrect. Standard naming conventions would not help.
Option D is incorrect. Account recovery won’t help in managing permissions.

192
Q
65.  Megan is very concerned about file system security on her network servers. Which of the following is the most basic form of file system security?
A.  Encryption
B.  Access control
C.  Auditing
D.  RAID
A

B. Access control to files and directories is the most fundamental aspect of file system security. This includes selecting the correct access control methodology (MAC, DAC, RBAC).
Option A is incorrect. Encryption is a very good technique for file system security, but is not the most fundamental.
Option C is incorrect. Auditing is definitely recommended for file system security, but is not the most fundamental activity.
Option D is incorrect. RAID provides fault tolerance, which is certainly necessary for servers, but is not the most fundamental form of file system security.

193
Q
1.  Which of the following is a difference between TACACS and TACACS+?
A.  TACACS uses TCP, TACACS+ uses UDP
B.  TACACS uses UDP, TACACS+ uses TCP
C.  TACACS uses TCP or UDP, TACACS+ uses UDP
D.  TACACS uses UDP, TACACS+ uses UDP or TCP
A

D. TACACS+ can use TCP or UDP, though it is more common to use TCP. It should also be noted that TACACS+ is not backward compatible.
Options A, B, and C are all incorrect. These do not accurately describe TACACS vs. TACACS+.

194
Q
1.  Greg is considering using CHAP or MS-CHAPv2 for authenticating remote users. Which of the following is a major difference between the two protocols?
A.  CHAP uses a hash for the challenge, MS-CHAPv2 uses AES.
B.  CHAP provides mutual authentication, MS-CHAPv2 does not.
C.  CHAP uses AES for the challenge, MS-CHAPv2 uses a hash.
D.  MS-CHAPv2 provides mutual authentication, CHAP does not.
A

D. CHAP uses a hash, often MD5, for authentication, as does MS-CHAPv2. However, MS-CHAPv2 provides for mutual authentication, whereas CHAP only authenticates the client to the server.
Options A and C are incorrect. Neither one of these uses AES.
Option B is incorrect. CHAP does not provide mutual authentication, MS-CHAPv2 does.

195
Q
70.  Terrance is looking for a physical access solution that uses asymmetric cryptography (public key cryptography) to authorize the user. What type of solution is this?
A.  Asynchronous password token
B.  Challenge response token
C.  TOTP token
D.  Static password token
A

B. With a challenge response token, the system encrypts some value (often a random number) with the user’s public key. If the user’s token holds the correct private key, it can decrypt the value the system sent and confirm that it did so.
Option A is incorrect. An asynchronous password token generates a one-time password without the use of a clock.
Option C is incorrect. TOTP is a time synchronized one-time password.
Option D is incorrect. A static password token simply contains a password.

196
Q
71.  Which access control model is based on the Trusted Computer System Evaluation Criteria (TCSEC)?
A.  ABAC
B.  MAC
C.  RBAC
D.  DAC
A

D. Discretionary Access Control (DAC) is based on the Trusted Computer System Evaluation Criteria (TCSEC). The data owner has control over the access control.
Options A, B, and C are all incorrect. These models are not based on TCSEC.

197
Q
72.  Mary is responsible for the security of database servers at a mortgage company. The servers are Windows Server 2016. She is concerned about file system security. Which of the following Microsoft features would be most helpful to her in implementing file system security?
A.  Password policies
B.  EFS
C.  Account lockout
D.  UAC
A

B. While all of these features are important to security, the Encrypting File System (EFS) allows a person to easily encrypt any file or folder. This is important to file system security.
Option A is incorrect. Password policies are important, but not as important to file system security as being able to encrypt files and folders.
Option C is incorrect. Account lockout, like password policies, is important. But EFS is more central to file system security.
Option D is incorrect. User account control prevents unauthorized applications from running, which is important. But it’s not as central to file system security as EFS.

198
Q
73.  Santiago manages database security for a university. He is concerned about ensuring that appropriate security measures are implemented. Which of the following would be most important to database security?
A.  Password policies
B.  Antivirus
C.  EFS
D.  Access control policies
A

D. Access control is the most important issue for database security. It is critical that the principle of least privileges is adhered to and that each database user only has access to the data necessary to do his or her job.
Option A is incorrect. Password policies are important, but are less important than access control.
Option B is incorrect. Antivirus is always important. But database servers are not usually used for web surfing or email, so two common means of getting a virus are removed. This means antivirus is less important than access control.
Option C is incorrect. Encrypting files is not as important to database security as access control. The files must be decrypted for access; therefore, access control is more important.

199
Q
75.  Emma is concerned about credential management. Users on her network often have over a half-dozen passwords to remember. She is looking for a solution to this problem. Which of the following would be the best way to address this issue?
A.  Implement a password manager.
B.  Use shorter passwords.
C.  Implement OAUTH.
D.  Implement Kerberos.
A

A. While there are security concerns with password managers, they can provide a method for storing large numbers of passwords so that users don’t have to remember them all.
Option B is incorrect. Using shorter passwords would compromise security.
Option C is incorrect. OAUTH allows an end user’s account information to be used by third-party services, without exposing the user’s password. It won’t reduce the number of passwords one has to remember.
Option D is incorrect. Kerberos is an excellent authentication protocol, but will not reduce the number of passwords one must remember.

200
Q
81.  Joshua is looking for an authentication protocol that would be effective at stopping session hijacking. Which of the following would be his best choice?
A.  CHAP
B.  PAP
C.  SPAP
D.  RADIUS
A

A. Challenge Handshake Authentication Protocol (CHAP) was designed specifically for this purpose. It periodically reauthenticates, thus preventing session hijacking.
Options B and C are incorrect. Neither of these prevents session hijacking.
Option D is incorrect. RADIUS is a protocol for remote access, not authentication.

201
Q
83.  Phillip is examining options for controlling physical access to the server room at his company. He wants a hands-free solution. Which of the following would be his best choice?
A.  Smart cards
B.  Proximity cards
C.  Tokens
D.  Fingerprint scanner
A

B. Proximity cards only need to be very close to the card reader to work properly.
Option A is incorrect. Smart cards can include proximity cards, but don’t have to. Put another way, there are smart cards that don’t work based on proximity and have to be inserted or swiped.
Option C is incorrect. Tokens don’t have a hands-free option.
Option D is incorrect. Clearly a fingerprint scanner is not hands free.

202
Q
1.  Which of the following is the most significant disadvantage of federated identities?
A.  They cannot be used with Kerberos.
B.  They don’t implement least privileges.
C.  Poor password management
D.  Transitive trust
A

D. Federated identities introduce transitive trust. A login account can be used across multiple business entities, thus creating an implied trust relationship between them. The security of any of the federated identities is impacted by the security of the others.
Option A is incorrect. Kerberos can be configured to work with federated identities via remote ticket granting servers.
Options B and C are incorrect. The use of federated identities has no impact on whether or not least privileges is being obeyed or if good password management is being practiced.

203
Q
1.  Nicole is implementing a server authentication method that depends on a TPM in the server. Which of the following best describes this approach?
A.  Hardware-based access control
B.  Software-based access control
C.  Digital certificate–based access control
D.  Chip-based access control
A

A. A TPM (Trusted Platform Module) can be used in authentication. A TPM is a computer chip, so authentication that depends on it is hardware-based access control.
Option B is incorrect. While one could argue that all hardware has at least firmware operating it, software-based access control is not a good description of this scenario.
Option C is incorrect. TPMs may use digital certificates, but this question did not specify that this particular TPM did or did not use digital certificates.
Option D is incorrect. While grammatically correct, this is not a term used in the industry.

204
Q
1.  You are a manager of a bank and you suspect one of your tellers has stolen money from their station. After talking with your supervisor, you place the employee on leave with pay, suspend their computer account, and obtain their proximity card and keys to the building. Which of the following policies did you follow?
A.  Mandatory vacations
B.  Exit interviews
C.  Adverse actions
D.  Onboarding
A

C. Adverse actions are administrative actions that are taken against employees. These actions include letters of reprimand, leave with or without pay, or termination. Along with these actions, the policy should include steps such as disabling user accounts and revoking privileges, such as access to facilities, to prevent data from being compromised. Once these steps have been taken against an employee, the company need not worry about vindictive actions the employee might take against it.
Option A is incorrect. Mandatory vacation policy is used by companies to detect fraud by having a second person, familiar with the duties, help discover any illicit activities.
Option B is incorrect. Exit interviews give the company an opportunity to find problems within departments. They also allow HR to identify any knowledge that is about to be lost, such as information the employee knows that is not written down anywhere.
Option D is incorrect. Onboarding is the process of adding an employee to a company’s identity and access management system.

205
Q
1.  What should be done to backup tapes that are stored off-site?
A.  Generate a file hash for each backup file.
B.  Scan the backup data for viruses.
C.  Perform a chain of custody on the backup tape.
D.  Encrypt the backup data.
A

D. Encrypting the backup data before storing it off-site ensures data confidentiality.
Option A is incorrect. Generating file hashes will ensure integrity; files have not changed or been tampered with.
Option B is incorrect. Scanning the backup data for viruses is a task that’s performed before the data is restored.
Option C is incorrect. Chain of custody refers to the chronological documentation showing the custody, control, transfer, analysis, and disposition of physical or electronic evidence.

206
Q
14.  Your manager has instructed the team to test certain systems based on the business continuity plan to ensure they are operating properly. The manager wants to ensure there are no overlaps in the plan before implementing the test. Which continuity of operation planning concept is your manager referring to?
A.  After-action report
B.  Failover
C.  Eradication
D.  Tabletop exercise
A

D. The tabletop exercise test is considered a cost-effective and efficient way to identify areas of overlap in a plan before implementing a test.
Option A is incorrect. An after-action report examines a response to an incident or exercise and identifies its strengths that will be maintained and built on. Also, it helps recognize potential areas of improvement.
Option B is incorrect. Failover is the continuous ability to automatically and flawlessly switch to a highly reliable backup. This can be activated in a redundant manner or in a standby operating mode should the primary server fail. The main purpose of failover is to provide availability of data or service to a user.
Option C is incorrect. The eradication process involves removing and restoring affected systems by reimaging the system’s hard drive and installing patches.

207
Q
15.  Which of the following is an example of PHI?
A.  Passport number
B.  Criminal record
C.  Fingerprints
D.  Name of school attended
A

C. Fingerprints are considered PHI (Protected Health Information), according to HIPAA rules.
Options A, B, and D are incorrect. These are classified as PII (Personally Identifiable Information), according to the NIST.

208
Q
17.  Your competitors are offering a new service that is predicted to sell strongly. After much careful research, your company has decided not to launch a competing service due to the uncertainty of the market and the enormous investment required. Which of the following best describes the company’s decision?
A.  Risk transfer
B.  Risk avoidance
C.  Risk acceptance
D.  Risk mitigation
A

B. Risk avoidance is a strategy to deflect threats in order to avoid the costly and disruptive consequences of a damaging event. It also attempts to minimize vulnerabilities that can pose a threat.
Option A is incorrect. Risk transfer is the act of moving the risk to hosted providers who assume the responsibility for recovery and restoration or by acquiring insurance to cover the costs emerging from a risk.
Option C is incorrect. Risk acceptance is a strategy of recognizing, identifying, and accepting a risk that is sufficiently unlikely or has limited impact that a corrective control is not warranted.
Option D is incorrect. Risk mitigation is when a company implements controls to reduce vulnerabilities or weaknesses in a system. It can also reduce the impact of a threat.

209
Q
21.  During a meeting, you present management with a list of access controls used on your network. Which of the following controls is an example of a corrective control?
A.  IDS
B.  Audit logs
C.  Antivirus software
D.  Router
A

C. Antivirus is an example of a corrective control. A corrective control is designed to correct a situation.
Option A is incorrect. An IDS (intrusion detection system) is a detective control because it detects security breaches.
Option B is incorrect. An audit log is a detective control because it detects security breaches.
Option D is incorrect. A router is a preventive control because it prevents security breaches with access control lists.

210
Q
22.  You are the new security administrator and have discovered your company lacks deterrent controls. Which of the following would you install that satisfies your needs? (Choose two.)
A.  Lighting
B.  Motion sensor
C.  No trespassing signs
D.  Antivirus scanner
A

A, C. A deterrent control is used to warn a potential attacker not to attack. Lighting added to the perimeter and warning signs such as a “no trespassing” sign are deterrent controls.
Options B and D are incorrect. These are examples of detective controls. A detective control is designed to uncover a violation.

211
Q
24.  Which step of the incident response process occurs after containment?
A.  Preparation
B.  Recovery
C.  Identification
D.  Eradication
A

D. Eradication is the next step after containment.
Options A, B, and C are incorrect. The correct steps of the incident response process are preparation, identification, containment, eradication, recovery, and lessons learned.

212
Q
25.  You are a security administrator for your company and you identify a security risk. You decide to continue with the current security plan. However, you develop a contingency plan in case the security risk occurs. Which of the following type of risk response technique are you demonstrating?
A.  Accept
B.  Transfer
C.  Avoid
D.  Mitigate
A

A. Risk acceptance is a strategy of recognizing, identifying, and accepting a risk that is sufficiently unlikely or has limited impact that a corrective control is not warranted.
Option B is incorrect. Risk transfer is the act of moving the risk to hosted providers who assume the responsibility for recovery and restoration or by acquiring insurance to cover the costs emerging from a risk.
Option C is incorrect. Risk avoidance is the removal of the vulnerability that can increase a particular risk so that it is avoided altogether.
Option D is incorrect. Risk mitigation is when a company implements controls to reduce vulnerabilities or weaknesses in a system. It can also reduce the impact of a threat.

213
Q
26.  Which of the following best visually shows the state of a computer at the time it was collected by law enforcement?
A.  Screenshots
B.  Identification
C.  Tabletop exercise
D.  Generate hash values
A

A. Taking screenshots gives an investigator a useful way to collect information on a computer screen. Screenshots can be acquired in many ways and allow the investigator to reproduce what happened on the screen.
Option B is incorrect. The identification phase is part of an incident response process and deals with the discovery and determination of whether a deviation from normal operations within a company was an incident.
Option C is incorrect. The tabletop exercise test is considered a cost-effective and efficient way to identify areas of overlap in a plan before implementing a test.
Option D is incorrect. Generating file hashes will ensure integrity and ensure that files have not changed or been tampered with.

214
Q
29.  You have purchased new laptops for your salespeople. You plan to dispose of the hard drives of the former laptops as part of a company computer sale. Which of the following methods would you use to properly dispose of the hard drives?
A.  Destruction
B.  Shredding
C.  Purging
D.  Formatting
A

C. Purging removes all the data from a hard drive and the data cannot be rebuilt.
Option A is incorrect. Destruction wouldn’t help the company sell the hard drive at the computer sale.
Option B is incorrect. Shredding wouldn’t help the company sell the hard drive at the computer sale because it physically destroys the hard drive.
Option D is incorrect. Formatting isn’t good enough to remove data because the data can be recovered with third-party software. Formatting only changes the pointers to the locations where the data resides; the data itself remains on the disk.

215
Q
30.  You are the head of the IT department of a school and are looking for a way to promote safe and responsible use of the Internet for students. With the help of the teachers, you develop a document for students to sign that describes methods of accessing the Internet on the school’s network. Which of the following best describes this document?
A.  Service level agreement
B.  Acceptable use policy
C.  Incident response plan
D.  Chain of custody
A

B. An acceptable use policy describes the limits and guidelines for users to make use of an organization’s physical and intellectual resources. This includes allowing or limiting the use of personal email during work hours.
Option A is incorrect. A service level agreement (SLA) defines the level of service the customer expects from the service provider. The level of service definitions should be specific and measurable in each area.
Option C is incorrect. An incident response plan provides instructions for detecting, responding to, and limiting the effects of an information security event.
Option D is incorrect. Chain of custody refers to the chronological documentation showing the custody, control, transfer, analysis, and disposition of physical or electronic evidence.

216
Q
31.  You are the security administrator and have discovered a malware incident. Which of the following responses should you do first?
A.  Recovery
B.  Eradication
C.  Containment
D.  Identification
A

C. After identifying the malware incident, the next step you would perform based on the incident response process is to contain the malware to further study the incident and prevent it from spreading across the network.
Option A is incorrect. Recovery is performed after eradicating the malware.
Option B is incorrect. Eradicating the malware is performed after you have contained the malware.
Option D is incorrect. Identification has been performed when you discovered the malware.

217
Q
1.  Your company is partnering with another company and requires systems to be shared. Which of the following agreements would outline how the shared systems should be interfaced?
A.  BPA
B.  MOU
C.  SLA
D.  ISA
A

D. An interconnection security agreement (ISA) is an agreement that specifies technical and security requirements for planning, establishing, maintaining, and disconnecting a secure connection between at least two companies.
Option A is incorrect. A business partners agreement (BPA) is a written agreement that details what the relationship will be between business partners. This agreement will include the partner’s obligations toward the partnership. A BPA can help settle conflicts that arise within the partnership.
Option B is incorrect. A memorandum of understanding (MOU) is an agreement of understanding between two or more parties signifying their purpose to work together toward a common goal. An MOU is less formal than an SLA and will not include monetary penalties.
Option C is incorrect. A service level agreement (SLA) is an agreement between a company and a vendor that specifies performance expectations. Minimum uptime and maximum downtime levels are included in an SLA. Also included is a monetary penalty should the vendor not be able to meet the agreed expectations.

218
Q
37.  As the IT security officer, you are configuring data label options for your company’s research and development file server. Regular users can label documents as contractor, public, or internal. Which label should be assigned to company trade secrets?
A.  High
B.  Top secret
C.  Proprietary
D.  Low
A

C. Proprietary data is a form of confidential information, and if the information is revealed, it can have severe effects on the company’s competitive edge.
Option A is incorrect. High is a generic label assigned to data internally that represents the amount of risk being exposed outside the company.
Option B is incorrect. The top-secret label is often used within governmental systems where data and access may be granted or denied based on assigned categories.
Option D is incorrect. Low is a generic label assigned to data internally that represents the amount of risk being exposed outside the company.

219
Q
1.  Users are currently accessing their personal email through company computers, so you and your IT team have created a security policy for email use. What is the next step after creating and approving the email use policy?
A.  Encrypt all user email messages.
B.  Provide security user awareness training.
C.  Provide every employee with their own device to access their personal email.
D.  Forward all personal emails to their company email account.
A

B. Provide security user awareness training to all employees regarding the risk of using personal email through company computers. The ability to access personal email is a security risk because the company is unable to filter emails through the company’s Exchange server.
Option A is incorrect. The company is unable to encrypt users’ email messages through services such as Yahoo Mail and Gmail. The encryption is performed by the company providing the email service.
Option C is incorrect. Providing every user with their own device to access their personal email is not the best option as the next step. While employees use these devices within the company’s network, the company doesn’t have full control of what emails are entering the network.
Option D is incorrect. The company may have some control of personal emails routing through the company’s Exchange server, but this is not the best next step after creating and approving the email use policy. The purpose of the email use policy is to limit the use of personal email because the company doesn’t have full control of what emails the employees are allowing into the network.

220
Q
1.  Your company has outsourced its proprietary processes to Acme Corporation. Due to technical issues, Acme Corporation wants to include a third-party vendor to help resolve the technical issues. Which of the following must Acme Corporation consider before sending data to the third party?
A.  This data should be encrypted before it is sent to the third-party vendor.
B.  This may constitute unauthorized data sharing.
C.  This may violate the privileged user role-based awareness training.
D.  This may violate a nondisclosure agreement.
A

D. A nondisclosure agreement (NDA) protects sensitive and intellectual data from getting into the wrong hands.
Options A, B, and C are incorrect. An NDA is a legal contract between the company and third-party vendor to not disclose information per the agreement. Sending encrypted data can still be decrypted by the third-party vendor if they have the appropriate certificate but does not restrict access to the data. Violating an NDA would constitute unauthorized data sharing, and a violation of privileged user role-based awareness training has nothing to do with sharing proprietary information.

221
Q
46.  Which of the following can be classified as a single point of failure?
A.  Failover
B.  A cluster
C.  Load balancing
D.  A configuration
A

D. A single point of failure is a weakness in the design or configuration of a system in which one fault or malfunction will cause the whole system to halt operating.
Option A is incorrect. Failover is the continuous ability to automatically and flawlessly switch to a highly reliable backup.
Option B is incorrect. A cluster ensures the availability of critical services by using a group of computers instead of a single computer.
Option C is incorrect. Load balancing divides the amount of work a computer can do between two or more computers. This allows more work to be completed in the same amount of time.

222
Q
48.  Your CIO wants to move the company’s large sets of sensitive data to an SaaS cloud provider to limit the storage and infrastructure costs. Both the cloud provider and the company are required to have a clear understanding of the security controls that will be applied to protect the sensitive data. What type of agreement would the SaaS cloud provider and your company initiate?
A.  MOU
B.  BPA
C.  SLA
D.  ISA
A

D. An ISA (interconnection security agreement) is an agreement that specifies the technical and security requirements of the interconnection between organizations.
Option A is incorrect. A memorandum of understanding (MOU) is a type of agreement that is usually not legally binding. This agreement is intended to be mutually beneficial without involving courts or money.
Option B is incorrect. A BPA (business partnership agreement) is a legal agreement between partners. It establishes the terms, conditions, and expectations of the relationship between the partners.
Option C is incorrect. An SLA (service level agreement) defines the level of service the customer expects from the service provider. The level of service definitions should be specific and measurable in each area.

223
Q
  1. Which of the following is typically included in a BPA?
    A. Clear statements detailing the expectation between a customer and a service provider
    B. The agreement that a specific function or service will be delivered at the agreed-upon level of performance
    C. Sharing of profits and losses and the addition or removal of a partner
    D. Security requirements associated with interconnecting IT systems
A

C. Sharing of profits and losses and the addition or removal of a partner are typically included in a BPA (business partner agreement). Also included are the responsibilities of each partner.
Option A is incorrect. Expectations between parties such as a company and an Internet service provider are typically found in a service level agreement. Expectations include the level of performance given during the contractual service.
Option B is incorrect. A service level agreement will provide a clear means of determining whether a specific function or service has been provided according to the agreed-upon level of performance.
Option D is incorrect. Security requirements associated with interconnecting IT systems are typically found in an interconnection security agreement.

224
Q
51.  Which of the following role-based positions should receive training on how to manage a particular system?
A.  Users
B.  Privileged users
C.  Executive users
D.  System owners
A

D. System owner is a type of employee who would receive role-based training on how best to manage a particular system.
Option A is incorrect. Users are generally the front-line employees and would receive general security awareness training.
Option B is incorrect. Privileged users would receive training on how best to handle additional network and system access.
Option C is incorrect. Executive users would receive training on how to spot targeted attacks.

225
Q
53.  You have been instructed to introduce an affected system back into the company’s environment and be sure that it will not lead to another incident. You test, monitor, and validate that the system is not being compromised by any other means. Which of the incident response processes have you completed?
A.  Lessons learned
B.  Preparation
C.  Recovery
D.  Containment
A

C. The recovery process brings affected systems back into the company’s production environment carefully to avoid leading to another incident.
Option A is incorrect. The lessons learned process is the most critical phase because it is the phase in which you complete any documentation that may be beneficial in future incidents. Documentation should include information such as when the problem was first detected and by whom, how the problem was contained and eradicated, the work that was performed during the recovery, and areas that may need improvement.
Option B is incorrect. The preparation process prepares a company’s team to be ready to handle an incident at a moment’s notice.
Option D is incorrect. The containment process is designed to minimize the damage and prevent any further damage from happening.

226
Q
55.  You receive a call from the help desk manager stating that there has been an increase in calls from users reporting their computers are infected with malware. Which of the following incident response steps should be completed first?
A.  Containment
B.  Eradication
C.  Lessons learned
D.  Identification
A

D. The first step of the incident response process should be identification. The malware needs to be identified, as well as the affected computers.
Option A is incorrect. The containment process is designed to minimize the damage and prevent any further damage from happening.
Option B is incorrect. The eradication process involves removing and restoring affected systems by reimaging the system’s hard drive and installing patches.
Option C is incorrect. The lessons learned process is the most critical phase because it is the phase in which you complete any documentation that may be beneficial in future incidents. Documentation should include information such as when the problem was first detected and by whom, how the problem was contained and eradicated, the work that was performed during the recovery, and areas that may need improvement.

227
Q
56.  Which of the following are examples of custodian security roles? (Choose two.)
A.  Human resources employee
B.  Sales executive
C.  CEO
D.  Server backup operator
A

A, D. Custodians maintain access to data as well as its integrity.
Options B and C are incorrect. CEO and sales executives are not normally responsible for maintaining access to and integrity of the data.

228
Q
61.  Which of the following are considered inappropriate places to store backup tapes? (Choose two.)
A.  Near a workstation
B.  Near a speaker
C.  Near a CRT monitor
D.  Near an LCD screen
A

B and C. Backup tapes should not be stored near power sources such as CRT monitors and speakers. These devices can cause the tapes to be degaussed.
Option A is incorrect. A workstation has no chance of degaussing backup tapes.
Option D is incorrect. An LCD screen has no chance of degaussing backup tapes.

229
Q
62.  You are a member of your company’s security response team and have discovered an incident within your network. You are instructed to remove and restore the affected system. You restore the system with the original disk image and then install patches and disable any unnecessary services to harden the system against any future attacks. Which incident response process have you completed?
A.  Eradication
B.  Preparation
C.  Containment
D.  Recovery
A

A. The eradication process involves removing and restoring affected systems by reimaging the system’s hard drive and installing patches.
Option B is incorrect. The preparation process prepares a company’s team to be ready to handle an incident at a moment’s notice.
Option C is incorrect. The purpose of the containment process is to minimize the damage and prevent any further damage from happening.
Option D is incorrect. The recovery process brings affected systems back into the company’s production environment carefully to avoid leading to another incident.

230
Q
67.  Which option is an example of a workstation not hardened?
A.  Risk
B.  Threat
C.  Exposure
D.  Mitigate
A

A. Risk is defined as the likelihood of occurrence of a threat and the corresponding loss potential. Risk is the probability that a threat actor will exploit a vulnerability. The purpose of system hardening is to remove as many security risks as possible. Hardening is typically performed by disabling all nonessential software programs and utilities on the workstation.
Option B is incorrect. The threat agent is the component that exploits a vulnerability.
Option C is incorrect. The exposure factor is the percentage or portion of the asset that will be lost or destroyed when exposed to a threat.
Option D is incorrect. Risk mitigation is when a company implements controls to reduce vulnerabilities or weaknesses in a system. It can also reduce the impact of a threat.

231
Q
68.  Which of the following elements should not be included in the preparation phase of the incident response process?
A.  Policy
B.  Lesson learned documentation
C.  Response plan/strategy
D.  Communication
A

B. Lessons learned documentation is a phase of the incident response process.
Options A, C, and D are incorrect. These elements should be included in the preparation phase.

232
Q
  1. Which of the following does not minimize security breaches committed by internal employees?
    A. Job rotation
    B. Separation of duties
    C. Nondisclosure agreements signed by employees
    D. Mandatory vacations
A

C. Nondisclosure agreements (NDAs) are signed by an employee at the time of hiring, and they impose a contractual obligation on employees to maintain the confidentiality of information. Disclosure of information can lead to legal ramifications and penalties. NDAs cannot ensure a decrease in security breaches.
Option A is incorrect. Job rotation policy is the practice of moving employees between different tasks to promote experience and variety.
Option B is incorrect. Separation of duties is the concept of having more than one person required to complete a task.
Option D is incorrect. Mandatory vacation policy is used by companies to detect fraud by having a second person, familiar with the duties, help discover any illicit activities.

233
Q
70.  You find one of your employees posting negative comments about the company on Facebook and Twitter. You also discover the employee is sending negative comments from their personal email on the company’s computer. You are asked to implement a policy to help the company avoid any negative reputation in the marketplace. Which of the following would be the best option to fulfill the request?
A.  Account policy enforcement
B.  Change management
C.  Security policy
D.  Risk assessment
A

C. Security policy defines how to secure physical and information technology assets. This document should be continuously updated as technology and employee requirements change.
Option A is incorrect. Account policy enforcement regulates the security parameters of who can and cannot access a system.
Option B is incorrect. Change management is the process of managing configuration changes made to a network.
Option D is incorrect. Risk assessment identifies the dangers that could negatively impact a company’s ability to conduct business.

234
Q
72.  During which step of the incident response process does root cause analysis occur?
A.  Preparation
B.  Lessons learned
C.  Containment
D.  Recovery
A

B. The lessons learned process is the most critical phase because it is the phase in which you complete any documentation that may be beneficial in future incidents. Documentation should include information such as when the problem was first detected and by whom, how the problem was contained and eradicated, the work that was performed during the recovery, and areas that may need improvement.
Option A is incorrect. The preparation process prepares a company’s team to be ready to handle an incident at a moment’s notice.
Option C is incorrect. The containment process is designed to minimize the damage and prevent any further damage from happening.
Option D is incorrect. The recovery process brings affected systems back into the company’s production environment carefully to avoid leading to another incident.

235
Q
73.  Which of the following types of testing can help identify risks? (Choose two.)
A.  Quantitative
B.  Penetration testing
C.  Vulnerability testing
D.  Qualitative
A

B and C. Penetration and vulnerability testing can help identify risk. Before a tester performs these tests, they should receive written authorization.
Option A is incorrect. Quantitative risk assessment is the process of assigning numerical values to the probability an event will occur and what the impact of the event will have.
Option D is incorrect. Qualitative risk assessment is the process of ranking which risk poses the most danger using measures such as low, medium, and high.

236
Q
  1. You are attending a meeting with your manager and he wants to validate the cost of a warm site versus a cold site. Which of the following reasons best justify the cost of a warm site? (Choose two.)
    A. Small amount of income loss during long downtime
    B. Large amount of income loss during short downtime
    C. Business contracts enduring no more than 72 hours of downtime
    D. Business contracts enduring no more than 8 hours of downtime
A

B and D. Companies can lose a large amount of income in a short period of downtime. Companies can have business contracts that state a minimum amount of downtime can occur if a disaster occurs. These reasons can be used to support the reason for a warm site because the warm site relies on backups to recover from a disaster.
Option A is incorrect. A company losing a small amount of income during a long period of downtime may not support the cost of a warm site.
Option C is incorrect. A company can bring a cold site online within 72 hours and resume business services. This would not support the cost of a warm site.

237
Q
84.  Which of the following impact scenarios would include severe weather events? (Choose two.)
A.  Life
B.  Reputation
C.  Salary
D.  Property
A

A and D. The correct answer is life and property. Both of these impact scenarios include examples of severe weather events.
Option B is incorrect. A reputation impact scenario includes price gouging during natural disasters and response time for addressing information disclosure.
Option C is incorrect. Salary is not an impact scenario.

238
Q
86.  Which of the following is an example of a preventive control? (Choose two.)
A.  Data backups
B.  Security camera
C.  Door alarm
D.  Cable locks
A

A and D. Preventive controls are proactive and are used to avoid a security breach or an interruption of critical services before they can happen.
Options B and C are incorrect. Security cameras and door alarms are examples of detective controls. Detective controls detect an intrusion as it happens and uncover a violation.

239
Q
92.  You are a server administrator for your company’s private cloud. To provide service to employees, you are instructed to use reliable hard disks in the server to host a virtual environment. Which of the following best describes the reliability of hard drives?
A.  MTTR
B.  RPO
C.  MTBF
D.  ALE
A

C. Mean time between failures (MTBF) is a measurement to show how reliable a hardware component is.
Option A is incorrect. MTTR (mean time to repair) is the average time it takes for a failed device or component to be repaired or replaced.
Option B is incorrect. RPO (recovery point objective) is the period of time a company can tolerate lost data being unrecoverable between backups.
Option D is incorrect. ALE (annual loss expectancy) is the sum of the annual rate of occurrence and the single loss expectancy.

240
Q
95.  In the initial stages of a forensics investigation, Zack, a security administrator, was given the hard drive of the compromised workstation by the incident manager. Which of the following data acquisition procedures would Zack need to perform in order to begin the analysis? (Choose two.)
A.  Take hashes
B.  Take screenshots
C.  Capture the system image
D.  Start the order of volatility
A

A and C. Taking hashes of the hard drive will preserve the evidence. If the hash has not been changed, the data hasn’t changed. Capturing the system image involves making an exact image of the drive so that it can be referenced later in the investigation.
Option B is incorrect. Taking screenshots gives an investigator a useful way to collect information on a computer screen. This will allow the investigator to reproduce what happened on the screen.
Option D is incorrect. Order of volatility represents the order in which you should collect evidence. In general terms, evidence should be collected starting with the most volatile and moving to the least volatile. Volatile means data is not permanent.

241
Q
99.  What should human resources personnel be trained in regarding security policies?
A.  Guidelines and enforcement
B.  Order of volatility
C.  Penetration assessment
D.  Vulnerability assessment
A

A. A standard operating procedure (SOP) is a document that details the processes that a company will have in place to ensure that routine operations are delivered consistently every time. Guidelines and enforcement are items that are included in a SOP.
Option B is incorrect. Order of volatility represents the order in which you should collect evidence. In general terms, evidence should be collected starting with the most volatile and moving to the least volatile. Volatile means data is not permanent.
Option C is incorrect. Penetration assessment is a simulated attack authorized on a network system that searches for security weaknesses that may potentially gain access to the network’s features and data.
Option D is incorrect. A vulnerability assessment identifies, quantifies, and prioritizes vulnerabilities in a network system.

242
Q
  1. Choose the correct order of volatility when collecting digital evidence.
    A. Hard disk drive, DVD-R, RAM, swap file
    B. Swap file, RAM, DVD-R, hard disk drive
    C. RAM, DVD-R, swap file, hard disk drive
    D. RAM, swap file, hard disk drive, DVD-R
A

D. Digital evidence for forensic review must first be collected from the most volatile (not permanent) locations such as RAM and swap files. A swap file is a location on a hard disk drive used as the virtual memory extension of a computer’s RAM. A hard disk drive is the next least volatile, then DVD-R. Some digital evidence can be gathered by using a live boot media.
Options A, B, and C are incorrect. RAM is more volatile than swap files and hard disk drives. Swap files are more volatile than DVD-R.

243
Q
  1. Which of the following pieces of information would be summarized in the lessons learned phase of the incident response process? (Choose three.)
    A. When the problem was first detected and by whom
    B. How the problem was contained and eradicated
    C. The work that was performed during the recovery
    D. Preparing a company’s team to be ready to handle an incident at a moment’s notice
A

A, B, and C. The lessons learned process is the most critical phase because it is the phase in which you complete any documentation that may be beneficial in future incidents. Documentation should include information such as when the problem was first detected and by whom, how the problem was contained and eradicated, the work that was performed during the recovery, and areas that may need improvement.
Option D is incorrect. The preparation process prepares a company’s team to be ready to handle an incident at a moment’s notice.

244
Q
107.  During which step of the incident response process does identification of incidents that can be prevented or mitigated occur?
A.  Containment
B.  Eradication
C.  Preparation
D.  Lessons learned
A

C. The preparation phase of the incident response process prepares a company’s team to be ready to handle an incident at a moment’s notice. During this step, a company may identify incidents that can be prevented or mitigated.
Option A is incorrect. The containment process is designed to minimize the damage and avoid any further damage from happening.
Option B is incorrect. The eradication phase involves removing and restoring affected systems by reimaging the system’s hard drive and installing patches.
Option D is incorrect. The lessons learned process is the most critical phase because it is the phase in which you complete any documentation that may be beneficial in future incidents. Documentation should include information such as when the problem was first detected and by whom, how the problem was contained and eradicated, the work that was performed during the recovery, and areas that may need improvement.

245
Q
  1. Which of the following best describes the disadvantages of quantitative risk analysis compared to qualitative risk analysis? (Choose two.)
    A. Quantitative risk analysis requires complex calculations.
    B. Quantitative risk analysis is sometimes subjective.
    C. Quantitative risk analysis is generally scenario-based.
    D. Quantitative risk analysis is more time-consuming than qualitative risk analysis.
A

A and D. Quantitative risk analysis requires complex calculations and is more time-consuming.
Options B and C are incorrect. These statements describe qualitative risk analysis, not quantitative risk analysis.

246
Q
115.  The chief security officer (CSO) has seen four security breaches during the past 2 years. Each breach cost the company $30,000, and a third-party vendor has offered to repair the security weakness in the system for $250,000. The breached system is set to be replaced in 5 years. Which of the following risk response techniques should the CSO use?
A.  Accept the risk.
B.  Transfer the risk.
C.  Avoid the risk.
D.  Mitigate the risk.
A

B. The breaches cost the company $60,000 per year, and over the course of 5 years the total will be $300,000. Transferring the risk will help save money for the company because the third-party vendor’s solution will cost $250,000.
Option A is incorrect. Accepting the risk will cost the company $50,000.
Option C is incorrect. Avoiding the risk is not engaging in the service at all, which may be the effective solution but often not possible due to the company’s requirements.
Option D is incorrect. Mitigating the risk is reducing the engagement of the service, and the company may not be able to reduce the system.

247
Q
  1. Your company has lost power and the salespeople cannot take orders because the computers and phone systems are unavailable. Which of the following would be the best options to an alternate business practice? (Choose two.)
    A. Tell the salespeople to go home for the day until the power is restored.
    B. Tell the salespeople to use their cell phones until the power is restored.
    C. Have the salespeople use paper and pen to take orders until the power is restored.
    D. Have the salespeople instruct customers to fax their orders until the power is restored.
A

B and C. An alternate business practice is a temporary substitute for normal business activities. When the power is out, the salespeople can use their cell phones to continue to sell and write the orders on a sheet of paper. Once the power is restored, the salespeople can enter the orders into the system without compromising business activities.
Option A is incorrect. Having the salespeople go home until the power is restored is not an example of an alternate business practice. The company may not know how long the power will be out, and this could lead to lost business opportunities.
Option D is incorrect. The company’s fax machine will not operate if the company’s power is out.

248
Q
120.  Which of the following methods is not recommended for removing data from a storage media that is used to store confidential information?
A.  Formatting
B.  Shredding
C.  Wiping
D.  Degaussing
A

A. Formatting is not a recommended method. Formatting removes the pointer to the location of the data on the storage media but does not ensure the data is removed.
Option B is incorrect. Shredding physically destroys the storage media in a way data cannot be retrieved.
Option C is incorrect. Wiping, also known as overwriting, will replace the data with all zeros to prevent data from being recovered by third-party software.
Option D is incorrect. Degaussing is a method of removing data from a magnetic storage media by changing the magnetic field.

249
Q
125.  Which of the following policies would you implement to help prevent the company’s users from revealing their login credentials for others to view?
A.  Job rotation
B.  Data owner
C.  Clean desk
D.  Separation of duties
A

C. A clean desk policy ensures that all sensitive/confidential documents are removed from an end-user workstation and locked up when the documents are not in use.
Option A is incorrect. Job rotation is the practice of rotating employees that are assigned jobs within their employment to promote flexibility and keep employees interested in their jobs.
Option B is incorrect. A data owner has administrative control and can be designated as accountable and responsible for a particular set of data.
Option D is incorrect. Separation of duties is the concept of having more than one person required to complete a task.

250
Q
  1. Matt is the head of IT security for a university department. He recently read articles about security breaches that involved malware on USB removable devices and is concerned about future incidents within the university. Matt reviews the past incident responses to determine how these occurrences may be prevented and how to improve the past responses.
    What type of document should Matt prepare?
    A. MOU
    B. SLA
    C. After-action report
    D. Nondisclosure agreement
A

C. An after-action report examines a response to an incident or exercise and identifies its strengths that will be maintained and built on. Also, it helps recognize potential areas of improvement.
Option A is incorrect. An MOU (memorandum of understanding) is a legal document that describes a mutual agreement between parties.
Option B is incorrect. An SLA (service level agreement) defines the level of service the customer expects from the service provider. The level of service definitions should be specific and measurable in each area.
Option D is incorrect. A nondisclosure agreement (NDA) protects sensitive and intellectual data from getting into the wrong hands.

251
Q
143.  Your IT team has created a disaster recovery plan to be used in case a SQL database server fails. What type of control is this?
A.  Detective
B.  Corrective
C.  Preventive
D.  Deterrent
A

B. A corrective control is designed to correct a situation.
Option A is incorrect. Detective controls detect intrusion as it happens and uncover a violation.
Option C is incorrect. A preventive control is used to avoid a security breach or an interruption of critical services before they can happen.
Option D is incorrect. A deterrent control is used to deter a security breach.

252
Q
147.  You are a network administrator and have been given the duty of creating user accounts for new employees the company has hired. These employees are added to the identity and access management system and assigned mobile devices. What process are you performing?
A.  Offboarding
B.  System owner
C.  Onboarding
D.  Executive user
A

C. Onboarding is the process of adding an employee to a company’s identity and access management system.
Option A is incorrect. Offboarding is the process of removing an employee from the company’s identity and access management system.
Option B is incorrect. A system owner is an individual who is in charge of physically securing one or more systems and can include patching and updating operating systems.
Option D is incorrect. An executive user is a group that users are assigned to, along with the least privilege policy.

253
Q
150.  Which of the following should be performed when conducting a qualitative risk analysis? (Choose two.)
A.  ARO
B.  SLE
C.  Asset estimation
D.  Rating potential threats
A

C and D. The correct answers are asset estimation and rating potential threats. Qualitative risk analysis measures the probability of risks that will hinder normal business operations and rates them relative to one another. Assets that are protected from risks must have an assigned value to determine whether the cost of risk mitigation is justified.
Options A and B are incorrect. ARO (annual rate of occurrence) and SLE (single loss expectancy) are used to calculate the ALE (annual loss expectancy) by multiplying ARO by SLE.

254
Q
  1. Your company’s web server certificate has been revoked and external customers are receiving errors when they connect to the website. Which of the following actions must you take?
    A. Renew the certificate.
    B. Create and use a self-signed certificate.
    C. Request a certificate from the key escrow.
    D. Generate a new key pair and new certificate.
A

D. A revoked certificate is no longer valid for the intended purpose, and a new key pair and certificate will need to be generated.
Option A is incorrect. The certificate cannot be renewed after its expiration date.
Option B is incorrect. A self-signed certificate will generate errors within the client’s web browser and should not be used as a replacement since the self-signed certificate is not from a trusted certificate authority.
Option C is incorrect. Key escrow is a cryptographic key exchange process in which a key is stored by a third party. Should the original user’s key be lost or compromised, the stored key can be used to decrypt encrypted material, allowing restoration of the original material to its unencrypted state. This scenario didn’t state the key was lost but rather that the certificate had expired.

255
Q
4.  Wi-Fi Alliance recommends that a passphrase be how many characters in length for WPA2-Personal security?
A.  6 characters
B.  8 characters
C.  12 characters
D.  16 characters
A

B. WiFi Alliance, a nonprofit organization that promotes WiFi technology, recommends a passphrase be at least eight characters long and include a mixture of upper- and lowercase letters and symbols.
Options A, C, and D are incorrect.

256
Q
6.  Which of the following are restricted to 64-bit block sizes? (Choose two.)
A.  DES
B.  SHA
C.  MD5
D.  3DES
A

A and D. DES and 3DES are symmetric-key block ciphers using a 64-bit block size.
Option B is incorrect. SHA is a hashing algorithm and is used for integrity.
Option C is incorrect. MD5 is a hashing algorithm and is used for integrity.

257
Q
7.  Your company has implemented a RADIUS server and has clients that are capable of using multiple EAP types, including one configured for use on the RADIUS server. Your security manager wants to implement a WPA2-Enterprise system. Since you have the RADIUS server and clients, what piece of the network would you need?
A.  Network access control
B.  Authentication server
C.  Authenticator
D.  Supplicant
A

D. You would need the supplicant. The authenticator, an AP or wireless controller, sends authentication messages between the supplicant and authentication server.
Option A is incorrect. Network access control (NAC) increases the security of a proprietary network by restricting access to devices that do not comply with a defined security policy.
Option B is incorrect. The authentication server is the RADIUS server and is responsible for authenticating users wanting to connect to the network.
Option C is incorrect. The authenticator is the client that authenticates against the RADIUS server using an EAP method configured on the RADIUS server.

258
Q
10.  You are asked to configure a WLAN that does not require a user to provide any credentials to associate with a wireless AP and access a WLAN. What type of authentication is said to be in use?
A.  IV
B.  WEP
C.  WPA
D.  Open
A

D. An open wireless network does not require a user to enter credentials for access.
Option A is incorrect. An IV (initialization vector) is an arbitrary number that is used with a secret key for data encryption.
Option B is incorrect. WEP (Wired Equivalent Privacy) is a security standard for 802.11b. It is designed to provide a level of security for a WLAN.
Option C is incorrect. WPA (WiFi Protected Access) is a security standard that replaced and improved on WEP.

259
Q
16.  James, an IT manager, expresses a concern during a monthly meeting about weak user passwords used on company servers and how they may be susceptible to brute-force password attacks. Which concept can James implement to make the weak passwords stronger?
A.  Key stretching
B.  Key escrow
C.  Key strength
D.  ECC
A

A. Key stretching increases the strength of stored passwords and protects passwords from brute-force attacks and rainbow table attacks.
Option B is incorrect. Key escrow is a cryptographic key exchange process in which a key is stored by a third party. Should the original user’s key be lost or compromised, the stored key can be used to decrypt encrypted material, allowing restoration of the original material to its unencrypted state.
Option C is incorrect. Key strength is the length of the key that is being used to encrypt the data. According to NIST guidance, the use of keys that provide less than 112 bits of security strength for key agreement is disallowed.
Option D is incorrect. ECC (elliptic curve cryptography) is an asymmetric algorithm that uses smaller keys while providing the same level of strength as asymmetric algorithms with longer keys.

260
Q
19.  You must implement a cryptography system that applies encryption to a group of data at a time. Which of the following would you choose?
A.  Stream
B.  Block
C.  Asymmetric
D.  Symmetric
A

B. Block ciphers encrypt data one fixed-size block at a time. A cryptographic service provider (a cryptographic module) implements block and stream cipher algorithms.
Option A is incorrect. Stream ciphers encrypt data one bit at a time.
Option C is incorrect. An asymmetric algorithm, also known as public key cryptography, uses public and private keys to encrypt and decrypt data.
Option D is incorrect. A symmetric algorithm, also known as a secret key algorithm, uses the same key to encrypt and decrypt data.

261
Q
20.  Which symmetric block cipher supersedes Blowfish?
A.  RSA
B.  Twofish
C.  MD5
D.  PBKDF2
A

B. Twofish is a symmetric block cipher that replaced Blowfish.
Option A is incorrect. RSA is an asymmetric algorithm.
Option C is incorrect. MD5 is a hashing algorithm.
Option D is incorrect. PBKDF2 is a key stretching algorithm.

262
Q
21.  Root CAs can delegate their authority to which of the following to issue certificates to users?
A.  Registered authorities
B.  Intermediate CAs
C.  CRL
D.  CSR
A

B. In a certification hierarchy, the root CA certifies the intermediate CA and can issue certificates to users, computers, or services.
Option A is incorrect. A registered authority (RA) is used to verify requests for certificates and forwards responses to the CA.
Option C is incorrect. A CRL (certificate revocation list) is a list of digital certificates that have been revoked by the issuing certificate authority (CA) before their scheduled expiration date and should not be trusted.
Option D is incorrect. A CSR (certificate signing request) is a request an applicant sends to a CA for the purpose of applying for a digital identity certificate.

263
Q
1.  Tom is sending Mary a document and wants to show the document came from him. Which of the following should Tom use to digitally sign the document?
A.  TKIP
B.  Intermediate CA
C.  Public key
D.  Private key
A

D. Digital signatures are created by using the user’s or computer’s private key that is accessible only to that user or computer. Nonrepudiation is the assurance that someone cannot deny something.
Option A is incorrect. TKIP is a wrapper that wraps around existing WEP encryption and is used in WPA. TKIP replaced WEP in WLAN devices.
Option B is incorrect. An intermediate certificate authority sits between the root certificate authority and the end entity to better secure the root certificate authority. Intermediate certificate authorities can also help a large organization handle large requests for certifications.
Option C is incorrect. A public key is held by the certificate authority and is available for anyone to use to encrypt data or verify a user’s digital signature.

264
Q
24.  Which of the following EAP types offers support for legacy authentication protocols such as PAP, CHAP, MS-CHAP, or MS-CHAPv2?
A.  PEAP
B.  EAP-FAST
C.  EAP-TLS
D.  EAP-TTLS
A

D. EAP-TTLS determines how user authentication is performed during phase 2. The user authentication may be a legacy protocol such as PAP, CHAP, MS-CHAP, or MS-CHAPv2.
Options A, B, and C are incorrect. PEAP, EAP-FAST, and EAP-TLS create a TLS tunnel to protect the supplicant credentials but do not support legacy authentication protocols.

265
Q
31.  Which of the following EAP types use a three-phase operation?
A.  EAP-FAST
B.  EAP-TLS
C.  EAP-TTLS
D.  PEAP
A

A. EAP-FAST is for situations where strong password policy cannot be enforced and certificates are not used. EAP-FAST consists of three phases: EAP-FAST authentication, establishment of a secure tunnel, and client authentication.
Options B, C, and D are incorrect. These EAP types do not use a three-phase operation.

266
Q
32.  Which of the following is an encryption standard that uses a single 56-bit symmetric key?
A.  DES
B.  3DES
C.  AES
D.  WPS
A

A. DES is a symmetric encryption standard that uses a key length of 56 bits.
Option B is incorrect.
Option C is incorrect. AES uses a block length of 128 bits and key lengths of 128, 192, or 256 bits.
Option D is incorrect. WPS is a network security standard that allows home users to easily add new devices to an existing wireless network without entering long passphrases.

267
Q
1.  SSL is a protocol used for securing transactions transmitting over an untrusted network such as the Internet. Which of the following best describes the action that occurs during the SSL connection setup process?
A.  The client creates a session key and encrypts it with the server’s private key.
B.  The client creates a session key and encrypts it with the server’s public key.
C.  The server creates a session key and encrypts it with the client’s private key.
D.  The server creates a session key and encrypts it with the client’s public key.
A

B. SSL (Secure Sockets Layer) uses public key encryption. When a client accesses a secured website, it generates a session key and encrypts it with the server’s public key. The session key is decrypted with the server’s private key, and the session key is then used to encrypt and decrypt data sent back and forth.
Option A is incorrect. The server’s private key is held privately by the server and is used only to decrypt data the client encrypted with the server’s public key.
Option C is incorrect. The server doesn’t create the session key as the client is accessing the secured website.
Option D is incorrect. The server doesn’t create the session key as the client is accessing the secured website. The server’s public key is used to encrypt the session key created by the client.

268
Q
35.  Which of the following EAP types requires both server and client certificates?
A.  EAP-FAST
B.  PEAP
C.  EAP-TLS
D.  EAP-TTLS
A

C. EAP-TLS requires both client and server to have certificates. The authentication is mutual: the server authenticates to the client and the client authenticates to the server.
Options A, B, and D are incorrect. The other EAP types may use client certificates, but they are not required.

269
Q
39.  Which of the following are authentication protocols? (Choose two.)
A.  WPS
B.  EAP
C.  IPSec
D.  IEEE 802.1x
A

B and D. EAP and IEEE 802.1x are authentication protocols that transfer authentication data between two devices.
Option A is incorrect. WPS (WiFi Protected Setup) is a network security standard that allows home users to easily add new devices to an existing wireless network without entering long passphrases.
Option C is incorrect. IPSec is a framework of open standards that ensures communications are private and secure over IP networks.

270
Q
42.  Which of the following is mainly used for remote access into a network?
A.  TACACS+
B.  XTACACS
C.  Kerberos
D.  RADIUS
A

D. RADIUS is a client-server protocol that enables remote access servers to communicate with a central server to authenticate users. RADIUS uses symmetric encryption for security.
Option A is incorrect. TACACS+ is a Cisco proprietary authentication protocol and is used to securely access Cisco devices.
Option B is incorrect. XTACACS is a Cisco proprietary authentication protocol that replaced TACACS and was used to securely access Cisco devices.
Option C is incorrect. Kerberos is a protocol for authenticating service requests between trusted hosts across an untrusted network such as the Internet.

271
Q
48.  Your company has asked you to recommend a secure method for password storage. Which of the following would provide the best protection against brute-force attacks? (Choose two.)
A.  ROT13
B.  MD5
C.  PBKDF2
D.  BCRYPT
A

C and D. PBKDF2 applies a pseudo-random function such as an HMAC to the password along with a salt value and produces a derived key. PBKDF2 is designed to protect against brute-force attacks. BCRYPT is a password-hashing function derived from the Blowfish cipher. It adds a salt value to protect against rainbow table attacks.
Option A is incorrect. ROT13 is a substitution cipher, also known as a Caesar cipher, that replaces a letter with the 13th letter after it in the alphabet. ROT13 is not recommended in this scenario due to patterns it creates.
Option B is incorrect. MD5 is a hashing algorithm that transforms a string of characters into a fixed-length value or key, also known as a hash value. Hashes ensure the integrity of data or messages. MD5 is considered weak and is not recommended.

272
Q
51.  You are performing a vulnerability assessment on a company’s LAN and determine they are using 802.1x for secure access. Which of the following attacks can a threat actor use to bypass the network security?
A.  MAC spoofing
B.  ARP poisoning
C.  Ping of death
D.  Xmas attack
A

A. A threat actor can spoof a device’s MAC address and bypass 802.1x authentication. Using 802.1x with client certificates or tunneled authentication can help prevent this attack.
Option B is incorrect. ARP poisoning is an attack where a threat actor sends spoofed ARP messages over a LAN.
Option C is incorrect. Ping of death is a denial-of-service attack in which a threat actor sends a larger IP packet than allowed by the IP protocol. The IP packet is broken down into smaller segments, which would cause the system to crash.
Option D is incorrect. The Xmas attack is a specifically crafted TCP packet that turns on flags to scan the system and determine what operating system it’s using.

273
Q
53.  A threat actor has created a man-in-the-middle attack and captured encrypted communication between two users. The threat actor was unable to decrypt the messages. Which of the following is the reason the threat actor is unable to decrypt the messages?
A.  Hashing
B.  Symmetric encryption
C.  Asymmetric encryption
D.  Key escrow
A

C. In asymmetric encryption, sometimes referred to as public key encryption, the private key is used to decrypt an encrypted file.
Option A is incorrect. Hashing is a one-way encryption that transforms a string of characters into a fixed-length value or key, also known as a hash value. Hashes ensure the integrity of data or messages.
Option B is incorrect. Symmetric encryption uses the same key to encrypt and decrypt the data.
Option D is incorrect. Key escrow is a cryptographic key exchange process in which a key is stored by a third party. Should the original user’s key be lost or compromised, the stored key can be used to decrypt encrypted material, allowing restoration of the original material to its unencrypted state.

274
Q
60.  Which of the following are negotiation protocols commonly used by TLS? (Choose two.)
A.  DHE
B.  ECDHE
C.  RSA
D.  SHA
A

A and B. DHE (Diffie-Hellman Ephemeral) and ECDHE (Elliptic Curve Diffie-Hellman Ephemeral) are commonly used with TLS to provide perfect forward secrecy.
Option C is incorrect. RSA is an asymmetric algorithm (also known as public key cryptography) that uses a public and a private key to encrypt and decrypt data during transmissions.
Option D is incorrect. SHA is a hashing algorithm and is used for integrity.

275
Q
1.  Katelyn is sending an important email to Zackary, the manager of human resources. Company policy states messages to human resources must be digitally signed. Which of the following statements is correct?
A.  Katelyn’s public key is used to verify the digital signature.
B.  Katelyn’s private key is used to verify the digital signature.
C.  Zackary’s public key is used to verify the digital signature.
D.  Zackary’s private key is used to verify the digital signature.
A

A. Digital signatures are created with the sender’s private key and verified by the sender’s public key.
Answers B, C, and D are incorrect. Katelyn is sending the digital signature created by her private key and Zackary verifies the digital signature by obtaining Katelyn’s public key.

276
Q
66.  Which of the following items are found within a digital certificate? (Choose two.)
A.  Serial number
B.  Default gateway
C.  Public key
D.  Session key
A

A and C. The structure of an X.509 digital signature includes a serial number and public key of the user or device.
Option B is incorrect. A default gateway is an access point that a device uses to send data to a device in another network or to the Internet.
Option D is incorrect. A session key is a symmetric key that uses the same key for encryption and decryption.

277
Q
67.  In an 802.1x implementation, which of the following devices mutually authenticate with each other? (Choose two.)
A.  Authentication server
B.  Certificate authority
C.  Domain controller
D.  Supplicant
A

A and D. The authentication server and supplicant mutually authenticate with each other. This helps prevent rogue devices from connecting to the network.
Option B is incorrect. A certificate authority (CA) is a trusted entity that issues electronic documents that verify a digital entity’s identity on the Internet or computer network.
Option C is incorrect. A domain controller (DC) is a server computer within a Windows domain that responds to requests such as logging in or checking permissions.

278
Q
1.  Which of the following statements is true regarding the confusion encryption method?
A.  It puts one item in the place of another; for example, one letter for another or one letter for a number.
B.  It scrambles data by reordering the plain text in a certain way.
C.  It uses a relationship between the plain text and the key that is so complicated the plain text can’t be altered and the key can’t be determined.
D.  A change in the plain text will result in multiple changes that are spread throughout the cipher text.
A

C. Confusion encryption is a method that uses a relationship between the plain text and the key that is so complicated the plain text can’t be altered and the key can’t be determined by a threat actor.
Option A is incorrect. This method defines substitution.
Option B is incorrect. This method defines transposition.
Option D is incorrect. This method defines diffusion.

279
Q
69.  Which of the following is required when employing PKI and preserving data is important?
A.  CA
B.  CRL
C.  Key escrow
D.  CER
A

C. Key escrow is a database of stored keys that can be retrieved should the original user’s key be lost or compromised. The stored key can be used to decrypt encrypted material, allowing restoration of the original material to its unencrypted state.
Option A is incorrect. A certificate authority (CA) is a trusted entity that issues electronic documents that verify a digital entity’s identity on the Internet or computer network.
Option B is incorrect. A certificate revocation list (CRL) is a list of digital certificates that have been revoked by the issuing certificate authority (CA) before their scheduled expiration date and should not be trusted.
Option D is incorrect. CER is a certificate file extension for an SSL certificate and is used by web servers to help confirm the identity and security of the site a user is visiting.

280
Q
71.  Which of the following standards was developed by the Wi-Fi Alliance and implements the requirements of IEEE 802.11i?
A.  NIC
B.  WPA
C.  WPA2
D.  TKIP
A

C. 802.11i is an amendment to the original IEEE 802.11 and is implemented as WPA2. The amendment deprecated WEP.
Option A is incorrect. A NIC (network interface card) enables a device to network with other devices.
Option B is incorrect. WPA (WiFi Protected Access) is a security standard that replaced and improved on WEP.
Option D is incorrect. TKIP is a wrapper that wraps around existing WEP encryption and is used in WPA. TKIP replaced WEP in WLAN devices.

281
Q
72.  You are asked to create a wireless network for your company that implements a wireless protocol that provides maximum security while providing support for older wireless devices. Which protocol should you use?
A.  WPA
B.  WPA2
C.  WEP
D.  IV
A

A. WPA (WiFi Protected Access) is a security standard that replaced and improved on WEP and is designed to work with older wireless clients.
Option B is incorrect. WPA2 implements the 802.11i standard completely but does not support the use of older wireless cards.
Option C is incorrect. WEP is a security standard for wireless networks and devices but is not as secure as WPA.
Option D is incorrect. An IV (initialization vector) is an arbitrary number that is used with a secret key for data encryption.

282
Q
78.  Which of the following automatically updates browsers with a list of root certificates from an online source to track which certificates are to be trusted?
A.  Trust model
B.  Key escrow
C.  PKI
D.  RA
A

A. A trust model is a collection of rules that informs applications as to how to decide the validity of a digital certificate.
Option B is incorrect. Key escrow is a security measure where cryptographic keys are held in escrow by a third party, and under normal circumstances, the key should not be released to someone other than the sender or receiver without proper authorization.
Option C is incorrect. PKI (public key infrastructure) is an entire system of hardware, software, policies and procedures, and people. PKI creates, distributes, manages, stores, and revokes certificates.
Option D is incorrect. A registered authority (RA) is used to verify requests for certificates and forwards responses to the CA.

283
Q
79.  Which of the following EAP types uses the concepts of public key infrastructure (PKI)?
A.  EAP-TLS
B.  PEAP
C.  EAP-FAST
D.  EAP-TTLS
A

A. EAP-TLS uses the concepts of public key infrastructure (PKI). It eliminates the need for a shared secret between the client and the server. Digital certificates are used instead.
Options B, C, and D are incorrect. These EAP types do not use PKI.

284
Q
80.  Which of the following use PSK authentication? (Choose two.)
A.  WPA-Enterprise
B.  WPA-Personal
C.  WPA2-Personal
D.  WPA2-Enterprise
A

B and C. The security used in SOHO environments is PSK (preshared key) authentication. WPA-Personal and WPA2-Personal use the PSK authentication method.
Options A and D are incorrect. WPA-Enterprise and WPA2-Enterprise, also known as 802.1x, use a RADIUS server for authentication purposes.

285
Q
1.  Elliptic curve cryptosystem (ECC) is an asymmetric algorithm. Which of the following statements best describe why ECC is different from other asymmetric algorithms? (Choose two.)
A.  It is more efficient.
B.  It provides digital signatures, secure key distribution, and encryption.
C.  It uses more processing power to perform encryption.
D.  It provides fast key generation.
A

A and D. Elliptic curve cryptosystem (ECC) differs from other asymmetric algorithms due to its efficiency. ECC uses less processing power and works best in low power devices such as wireless devices and cellular phones. ECC generates keys faster than other asymmetric algorithms.
Option B is incorrect. ECC is not the only asymmetric algorithm that provides digital signatures, secure key distribution, and encryption.
Option C is incorrect. ECC uses less processing power than other asymmetric algorithms.

286
Q
83.  WEP’s RC4 approach to encryption uses a 24-bit string of characters added to data that are transmitted. The same plain text data frame will not appear as the same WEP-encrypted data frame. What is this string of characters called?
A.  Diffusion
B.  IV
C.  Session key
D.  Hashing
A

B. IV (initialization vector) is an arbitrary number that is used with a secret key for data encryption. IV makes it more difficult for hackers to break a cipher.
Option A is incorrect. Diffusion is a property of cryptography that makes cryptanalysis hard. A change of a single character of the input will change many characters of the output.
Option C is incorrect. A session key is a symmetric key that uses the same key for encryption and decryption.
Option D is incorrect. Hashing is a one-way encryption that transforms a string of characters into a fixed-length value or key, also known as a hash value. Hashes ensure the integrity of data or messages.

287
Q
1.  Katelyn, a network administrator, has deleted the account for a user who left the company last week. The user’s files were encrypted with a private key. How can Katelyn view the user’s files?
A.  The data can be decrypted using the backup user account.
B.  The data can be decrypted using the recovery agent.
C.  She must re-create the former user’s account.
D.  The data can be decrypted using a CRL.
A

B. The data can be decrypted with a recovery agent if the company configured one beforehand. If there is no recovery agent, the encrypted file will be unrecoverable.
Option A is incorrect. The backup user account does not have the ability to recover the files that were encrypted by the other user.
Option C is incorrect. The encrypted file cannot be recovered by re-creating the user’s account. The new user account will have a different SID even though the name is the same, and it will not be able to access the files.
Option D is incorrect. A CRL (certificate revocation list) is a list of digital certificates that have been revoked by the issuing certificate authority (CA) before their scheduled expiration date and should not be trusted.

288
Q
89.  Matt, a network administrator, is deciding which credential-type authentication to use within the company’s planned 802.1x deployment. He is searching for a method that requires a client certificate and a server-side certificate, and that uses tunnels for encryption. Which credential-type authentication method would Matt use?
A.  EAP-TLS
B.  EAP-FAST
C.  PEAP
D.  EAP
A

A. EAP-TLS is a remote access authentication protocol that supports the use of smartcards or user and computer certificates, also known as machine certificates, to authenticate wireless access clients. EAP-TLS can use tunnels for encryption by use of TLS.
Option B is incorrect. EAP-FAST is designed to increase the speed of reauthentication when a user roams from one AP to another. It authenticates the user over an encrypted TLS tunnel but uses a shared secret key.
Option C is incorrect. PEAP is an encapsulating protocol that uses a certificate on the authentication server and a certificate on the client. It supports password-based authentication but does not use TLS for encryption.
Option D is incorrect. EAP is a framework for authentication in a WLAN and point-to-point connections. EAP defines message formats and doesn’t use tunnels for encryption.

289
Q
98.  You are a security technician and have been given the task to implement a PKI on the company’s network. When verifying the validity of a certificate, you want to ensure bandwidth isn’t consumed. Which of the following can you implement?
A.  CRL
B.  OCSP
C.  Key escrow
D.  CA
A

A. A CRL (certificate revocation list) is a list of digital certificates that have been revoked by the issuing certificate authority (CA) before their scheduled expiration date and should not be trusted.
Option B is incorrect. OCSP (Online Certificate Status Protocol) is a protocol that can be used to query a certificate authority about the revocation status of a given certificate. An OCSP response contains signed assertions that a certificate is not revoked.

290
Q
99.  Which of the following types of device are found in a network that supports Wi-Fi Protected Setup (WPS) protocol? (Choose three.)
A.  Registrar
B.  Supplicant
C.  Enrollee
D.  Access Point
A

A, C, and D. The WiFi Protected Setup protocols define the following devices in a network. A registrar is the device with the authority to issue or revoke access to the network. The enrollee is a client device that is seeking to join the wireless network. The AP (access point) functions as a proxy between the registrar and the enrollee.
Option B is incorrect. A supplicant is the client that authenticates against the RADIUS server using an EAP method configured on the RADIUS server.

291
Q
107.  Which of the following defines a file format commonly used to store private keys with associated public key certificates?
A.  PKCS #1
B.  PKCS #3
C.  PKCS #7
D.  PKCS #12
A

D. PKCS #12 is a file that contains both the private key and the X.509 certificate and can be installed by the user on servers or workstations. X.509 certificates can be a wildcard certificate for multiple entities under a single fully qualified domain name.
Option A is incorrect. PKCS #1 defines the mathematical properties and format of RSA public and private keys.
Option B is incorrect. PKCS #3 is a cryptographic protocol that allows two parties to jointly establish a shared key over an insecure network such as the Internet.
Option C is incorrect. PKCS #7 is used to sign and/or encrypt messages within a PKI (public key infrastructure).

292
Q
109.  How many effective key sizes of bits does 3DES have? (Choose three.)
A.  56
B.  112
C.  128
D.  168
A

A, B, and D. 3DES is a symmetric key block cipher that applies the DES cipher algorithm three times to each data block. 3DES has three keying options. First, all three keys are independent, so 3 × 56 = 168-bit key length. Second, key 1 and key 2 are independent and the third key is the same as the first key, so 2 × 56 = 112-bit key length. Third, all three keys are identical, so 1 × 56 = 56-bit key length.
Option C is incorrect. With three keying options, 3DES has effective key sizes of 56, 128, and 168 bits.

293
Q
112.  Which of the following takes each bit in a character and is XORed with the corresponding bit in the secret key?
A.  ECDHE
B.  PBKDF2
C.  Obfuscation
D.  One-time pad
A

D. A one-time pad is a stream cipher that encrypts the plain text with a secret random key that is the same length as the plain text. The encryption algorithm is the XOR operation.
Option A is incorrect. ECDHE (Elliptic Curve Diffie-Hellman Ephemeral) is commonly used with TLS to provide perfect forward secrecy.
Option B is incorrect. PBKDF2 is a key stretching algorithm. Key stretching makes a possibly weak key, typically a password or passphrase, more secure against a brute-force attack by increasing the time it takes to test each possible key.
Option C is incorrect. Obfuscation is the action of making something difficult to read and understand.

294
Q
113.  Which of the following works similarly to stream ciphers?
A.  One-time pad
B.  RSA
C.  AES
D.  DES
A

A. A stream cipher encrypts one plain text digit at a time with the corresponding digit of the keystream. Stream ciphers provide the same type of protection as one-time pads do.
Option B is incorrect. RSA is an asymmetric algorithm and uses a different type of mathematics to encrypt the data.
Option C is incorrect. AES is a symmetric block cipher, and the message is divided into blocks of bits and then encrypted one block at a time.
Option D is incorrect. DES is a symmetric block cipher, and the message is divided into blocks of bits and then encrypted one block at a time.

295
Q
118.  Which certificate format is typically used on Windows OS machines to import and export certificates and private keys?
A.  DER
B.  AES
C.  PEM
D.  PFX
A

D. PFX (personal information exchange) files, which bundle digital certificates, are typically used with Windows OSs and are used for authentication processes involved in determining whether a user or device can access certain files.
Option A is incorrect. DER (distinguished encoding rules) is a binary form of a PEM certificate and is typically used on the Java platform.
Option B is incorrect. AES is an asymmetric encryption algorithm.
Option C is incorrect. PEM (privacy-enhanced electronic mail) is a certificate format used for securing email using public key cryptography. PEM became an IETF proposed standard; it was never widely developed or used.

296
Q
122.  Which of the following encryption methods is used by RADIUS?
A.  Asymmetric
B.  Symmetric
C.  Elliptic curve
D.  RSA
A

B. RADIUS is a client-server protocol that enables remote access servers to communicate with a central server to authenticate users. RADIUS uses symmetric encryption for security.
Option A is incorrect. RADIUS does not use asymmetric encryption. Asymmetric encryption uses a key pair, and RADIUS uses the same key to encrypt and decrypt information.
Option C is incorrect. Elliptic curve cryptography is a public key encryption based on the elliptic curve equation rather than large prime numbers.
Option D is incorrect. RSA is a public key encryption and includes hardware and software tokens.

297
Q
124.  You want to authenticate and log connections from wireless users connecting with EAP-TLS. Which of the following should be used?
A.  Kerberos
B.  LDAP
C.  SAML
D.  RADIUS
A

D. RADIUS is a networking protocol that provides centralized AAA for users connecting and using a network service. EAP-TLS offers a good deal of security with the use of TLS and uses PKI to secure communication to the RADIUS authentication server.
Option A is incorrect. Kerberos is a protocol for authenticating service requests between trusted hosts across an untrusted network such as the Internet. Kerberos uses tickets to provide mutual authentication.
Option B is incorrect. LDAP (Lightweight Directory Access Protocol) is a software protocol to help locate individuals and other resources within a network.
Option C is incorrect. SAML (Security Assertion Markup Language) is an open-standard data format centered on XML. It supports the exchange of authentication and authorization details between systems, services, and devices. It does not authenticate and log connections from wireless users.

298
Q
125.  Which of the following would be used to allow certain traffic to traverse from a wireless network to an internal network?
A.  WPA
B.  WEP
C.  Load balancers
D.  802.1x
A

D. 802.1X is a port-based network access control framework: a supplicant (the wireless client) authenticates through the authenticator (the access point or switch) to an authentication server (usually RADIUS) before its traffic is allowed onto the internal network. Only traffic from authenticated stations is passed from the wireless segment inward.
Option A is incorrect. WPA (WiFi Protected Access) is the security standard that replaced WEP and was designed to run on older wireless hardware; it encrypts the wireless link but does not control which traffic traverses from the wireless network to the internal network.
Option B is incorrect. WEP (Wired Equivalent Privacy) is the original, now broken, 802.11 encryption standard; it also does not control traffic traversing to the internal network.
Option C is incorrect. A load balancer distributes incoming traffic across multiple servers to improve capacity and availability.

299
Q
130.  Which of the following hardware devices can store keys? (Choose two.)
A.  USB flash drive
B.  Smartcard
C.  PCI expansion card
D.  Cipher lock
A

A and B. USB flash drives (including USB security tokens) and smartcards can carry a key or token used to authenticate to systems; they are often the possession factor in multifactor authentication.
Option C is incorrect. An ordinary PCI expansion card is internal to the PC and does not store authentication keys (a hardware security module sold as a PCIe card is a special case, but it protects server keys rather than serving as a user's token).
Option D is incorrect. A cipher lock is a programmable lock used for controlling access to a secure area.

300
Q
132.  James is a security administrator and wants to ensure the validity of public trusted certificates used by the company’s web server, even if there is an Internet outage. Which of the following should James implement?
A.  Key escrow
B.  Recovery agent
C.  OCSP
D.  CSR
A

C. OCSP (Online Certificate Status Protocol) lets a client query the CA's responder for the revocation status of a single certificate. The piece that keeps working during an Internet outage is OCSP stapling: the web server fetches a signed, time-stamped OCSP response for its own certificate ahead of time and attaches ("staples") it to the TLS handshake, so clients can validate the certificate's status without reaching the CA themselves. Browser-distributed revocation lists (such as CRLSets or OneCRL) are a separate mechanism, not part of OCSP.
Option A is incorrect. Key escrow is a security measure in which cryptographic keys are held in escrow by a third party, and under normal circumstances, the key should not be released to someone other than the sender or receiver without proper authorization.
Option B is incorrect. A recovery agent is a user who is permitted to decrypt another user’s data in case of emergency or in special situations.
Option D is incorrect. A CSR (certificate signing request) is a request an applicant sends to a CA for the purpose of applying for a digital identity certificate. A CSR can be generated for code signing purposes.

301
Q
133.  You are a security administrator looking to implement a two-way trust model. Which of the following would you use?
A.  ROT13
B.  PGP
C.  WPA2
D.  PKI
A

D. PKI (public key infrastructure) is an entire system of hardware, software, policies and procedures, and people. PKI creates, distributes, manages, stores, and revokes certificates.
A trust model describes how trust is established between CAs and between a certificate's owner and the parties relying on it; in the two-way (mutual) case each side validates the other's certificate chain. A certificate identifies its holder in the subject and subject alternative name (SAN) fields, for example fully qualified domain names for machines or user principal names for users.
Option A is incorrect. ROT13 is a Caesar (shift) cipher with a fixed shift of 13, so applying it twice restores the plaintext; it provides no security.
Option B is incorrect. PGP (Pretty Good Privacy) is a method used for encrypting and decrypting digital files and communications over the Internet. It also provides data and file integrity services by digitally signing messages.

302
Q
134.  If a threat actor obtains an SSL private key, what type of attack can be performed? (Choose two.)
A.  Eavesdropping
B.  Man-in-the-middle
C.  Social engineering
D.  Brute force
A

A and B. With the server's private key a threat actor can both eavesdrop and act as a man-in-the-middle.
Eavesdropping: if the session used RSA key exchange, a passive attacker holding the private key can decrypt the captured pre-master secret and read the traffic in clear text. Man-in-the-middle: the attacker can impersonate the server and terminate TLS themselves, reading and modifying data in transit, for example injecting malware into a download. Caveat: with ephemeral Diffie-Hellman key exchange (forward secrecy, mandatory in TLS 1.3) the private key only signs the handshake, so passive decryption of recorded traffic is no longer possible, but active impersonation still is.
Option C is incorrect. Social engineering is exploiting a person’s trust to give up confidential information.
Option D is incorrect. A brute-force attack is used to obtain information such as a user password or personal identification number (PIN) by use of a trial-and-error method.

303
Q
  1. Which of the following transpires in a PKI environment?
    A. The CA signs the certificate.
    B. The RA signs the certificate.
    C. The RA creates the certificate and the CA signs it.
    D. The CA creates the certificate and the RA signs it.
A

A. A CA (certificate authority) is a trusted entity that issues and digitally signs certificates so that a relying party can verify the certificate came from that CA.
Option B is incorrect. The RA (registration authority) does not sign certificates; the CA does.
Option C is incorrect. The RA performs registration duties: it verifies the identity of the requester and forwards the approved request to the CA on the requester's behalf. The CA creates and signs the certificate.
Option D is incorrect. The CA both creates and signs the certificate; the RA only handles registration.

304
Q
139.  PEAP protects authentication transfers by implementing which of the following?
A.  TLS tunnels
B.  SSL tunnels
C.  AES
D.  SHA hashes
A

A. PEAP (Protected EAP) wraps the inner EAP authentication (commonly MSCHAPv2) in a TLS tunnel authenticated by the server's certificate, so credentials are never sent in the clear over the air.
Option B is incorrect. SSL was superseded by TLS, and every SSL version is now deprecated as insecure.
Option C is incorrect. AES (Advanced Encryption Standard) is a symmetric cipher used to encrypt data; it may be negotiated inside the tunnel but is not what PEAP specifies.
Option D is incorrect. SHA is a hash family used for integrity. TLS protects its records with SHA-based HMACs (SSL 3.0 used an older ad hoc keyed-hash construction), but a hash on its own does not protect an authentication exchange.

305
Q
140.  AES-CCMP uses a 128-bit temporal key and encrypts data in what block size?
A.  256
B.  192
C.  128
D.  64
A

C. AES-CCMP, the encryption used by 802.11i (WPA2), is built on the AES block cipher, which always operates on 128-bit blocks; CCMP also uses a 128-bit key. Counter-mode encryption with a CBC-MAC integrity check means identical plaintext never produces identical ciphertext, so an eavesdropper cannot spot patterns.
Options A, B, and D are incorrect. The AES block size is fixed at 128 bits regardless of key length, and CCMP uses a 128-bit key.

306
Q
141.  Which of the following implement Message Integrity Code (MIC)? (Choose two.)
A.  AES
B.  DES
C.  CCMP
D.  TKIP
A

C and D. A Message Integrity Code (MIC) replaced WEP's weak CRC-32 integrity check value, which an attacker could simply recompute after modifying a frame. TKIP uses the Michael MIC and CCMP uses an AES CBC-MAC; both let the receiver detect tampered frames.
Options A and B are incorrect. AES and DES are encryption algorithms and do not by themselves provide message integrity (CCMP builds its MIC on top of AES).

307
Q
  1. James, a WLAN security engineer, recommends to management that WPA-Personal security should not be deployed within the company’s WLAN for their vendors. Which of the following statements best describe James’s recommendation? (Choose two.)
    A. Static preshared passphrases are susceptible to social engineering attacks.
    B. WPA-Personal uses public key encryption.
    C. WPA-Personal uses a weak TKIP encryption.
    D. WPA-Personal uses a RADIUS authentication server.
A

A and C. A preshared passphrase can be extracted from a vendor's staff by social engineering and then used to join the AP; once known, it also lets an attacker who captures a client's 4-way handshake decrypt that client's traffic, because every station derives the same pairwise master key from the passphrase. WPA-Personal (WPA1) uses TKIP encryption, which is considered weak.
Option B is incorrect. WPA-Personal uses a preshared passphrase entered into the AP and into every device that joins; there is no public key cryptography.
Option D is incorrect. WPA-Enterprise uses a RADIUS server; WPA-Personal does not.
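As an added worked example (not from the original deck), the derivation that makes the shared-passphrase problem concrete: WPA/WPA2-Personal turns the passphrase and SSID into the 256-bit PSK with PBKDF2-HMAC-SHA1, 4096 iterations. Every client that knows the passphrase computes the identical key, and the SSID is the only salt, so precomputed tables exist for common SSIDs. The "password"/"IEEE" pair is the published test vector; the other values are made up.

```python
import hashlib
import string

# Printable ASCII minus whitespace other than the space character.
ALLOWED = set(string.printable) - set("\t\n\r\x0b\x0c")


def validate_passphrase(passphrase: str) -> bool:
    """802.11 passphrases are 8 to 63 printable ASCII characters."""
    return 8 <= len(passphrase) <= 63 and all(c in ALLOWED for c in passphrase)


def wpa_psk(passphrase: str, ssid: str) -> bytes:
    """Derive the WPA/WPA2-Personal PSK (the pairwise master key) from the
    passphrase: PBKDF2-HMAC-SHA1, SSID as salt, 4096 iterations, 32 bytes."""
    if not validate_passphrase(passphrase):
        raise ValueError("passphrase must be 8..63 printable ASCII characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), 4096, 32)


def clients_share_key(passphrase: str, ssid: str, client_count: int) -> bool:
    """Illustrates the design point: independent stations with the same
    passphrase end up with byte-identical master keys."""
    keys = {wpa_psk(passphrase, ssid) for _ in range(client_count)}
    return len(keys) == 1


if __name__ == "__main__":
    # Published test vector from the 802.11 standard.
    print(wpa_psk("password", "IEEE").hex())
    # Made-up vendor network: every vendor laptop derives the same PMK.
    print(clients_share_key("Vendor-Guest-2024", "CorpVendorWiFi", 5))
```

Because the PSK is a deterministic function of passphrase and SSID, rotating the passphrase after a vendor leaves is the only way to revoke their access; WPA-Enterprise avoids the problem by giving each client its own credential.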

308
Q
145.  Which of the following are the filename extensions for PKCS #12 files? (Choose two.)
A.  .p12
B.  .KEY
C.  .pfx
D.  .p7b
A

A and C. .p12 and .pfx are filename extensions for PKCS #12 files, which bundle a private key with its certificate chain, usually protected by a password.
Option B is incorrect. .key is an informal extension for a private key file (typically PEM-encoded PKCS #8 or PKCS #1), not a PKCS #12 container.
Option D is incorrect. .p7b is a filename extension for PKCS #7 (CMS) data, which carries signed and/or encrypted messages and is also used to distribute certificate chains without a private key.

309
Q
  1. Your company has discovered that several confidential messages have been intercepted.
    You decide to implement a web of trust to encrypt the files. Which of the following are used in a web of trust concept? (Choose two.)
    A. RC4
    B. AES
    C. PGP
    D. GPG
A

C and D. PGP and GPG use a web of trust to establish the authenticity of the binding between a public key and its owner.
Option A is incorrect. RC4 is a symmetric algorithm and does not use the web of trust concept.
Option B is incorrect. AES is a symmetric algorithm and does not use the web of trust concept.

310
Q
16.  Which of the following symmetric algorithms are block ciphers? (Choose three.)
A.  3DES
B.  ECDHE
C.  RSA
D.  RC4
E.  SHA
F.  Twof ish
A

A, D, F. 3DES, RC4, and Twofish are symmetric algorithms: the same key encrypts and decrypts the data. Note that the question's wording is loose: 3DES (64-bit block) and Twofish (128-bit block) are block ciphers, while RC4 is a stream cipher.
Options B and C are incorrect. ECDHE and RSA are asymmetric algorithms that use a public/private key pair (ECDHE for key agreement, RSA for encryption and signatures).
Option E is incorrect. SHA is a hashing algorithm. A hash maps an input of any length to a fixed-length digest and is a one-way function, so the digest cannot be reversed to recover the input.

311
Q
  1. A security officer has asked you to use a password cracking tool on the company’s computers. Which of the following best describes what the security officer is trying to accomplish?
    A. Looking for strong passwords
    B. Enforcing a minimum password length policy
    C. Enforcing a password complexity policy
    D. Looking for weak passwords
A

D. The correct answer is looking for weak passwords. Running a password-cracking tool against the stored password hashes discovers which users currently have guessable passwords.
Options A, B, and C are incorrect. A cracking tool does not report strong passwords (it simply fails to recover them), and it does not tell you whether users are complying with the complexity or minimum-length policy; those are enforced when the password is set.

312
Q
  1. Why is input validation important to secure coding techniques? (Choose two.)
    A. It mitigates shoulder surfing.
    B. It mitigates buffer overflow attacks.
    C. It mitigates ARP poisoning.
    D. It mitigates XSS vulnerabilities.
A

B, D. The correct answers are mitigating buffer overflow attacks and cross-site scripting (XSS) vulnerabilities. A buffer overflow occurs when a program writes more data into a buffer (memory) than it can hold, which can corrupt data, crash the program, or execute attacker-supplied code; checking the length of input before copying it prevents the overflow. XSS occurs when a web application echoes untrusted input into a page so that it runs as script in other users' browsers; validating input and encoding it for the output context stop it.
Option A is incorrect. Shoulder surfing is a social engineering attack in which the attacker gathers information by direct observation, such as looking over a person's shoulder.
Option C is incorrect. Address Resolution Protocol (ARP) poisoning is caused by an attacker sending spoofed ARP messages onto a local network so that traffic is routed through the attacker's machine.
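As an added worked example (not from the original deck), a vulnerable comment renderer beside its hardened form in Python. It shows the three controls the answer refers to: allowlist validation of fields that have a known shape, a length bound on free text, and context-aware output encoding. The safe_link helper covers the case escaping alone does not fix: a javascript: URL placed in an href. The HTML template and limits are assumptions for the example.

```python
import html
import re
from urllib.parse import urlsplit

USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,32}")  # allowlist: characters and length
MAX_COMMENT_LEN = 2000                              # assumption: the field's bound


def is_valid_username(name: str) -> bool:
    """Allowlist validation: only the characters and length a username needs."""
    return USERNAME_RE.fullmatch(name) is not None


def validate_username(name: str) -> str:
    if not is_valid_username(name):
        raise ValueError("invalid username")
    return name


def render_comment_unsafe(author: str, text: str) -> str:
    """The vulnerable form: untrusted input concatenated straight into HTML,
    so <script> or an event handler in either field runs in every viewer's browser."""
    return f'<div class="comment"><b>{author}</b>: {text}</div>'


def render_comment_safe(author: str, text: str) -> str:
    """Hardened form: validate what has a known shape, bound the length of free
    text, and HTML-encode it for the element context it lands in."""
    author = validate_username(author)
    if len(text) > MAX_COMMENT_LEN:  # length check, the web-side analogue of a buffer bound
        raise ValueError("comment too long")
    return f'<div class="comment"><b>{author}</b>: {html.escape(text, quote=True)}</div>'


def safe_link(url: str) -> str:
    """Encoding does not neutralise a javascript: URL inside href; allowlist the
    scheme and require a host, then encode for the attribute context."""
    url = url.strip()
    parts = urlsplit(url)
    if parts.scheme.lower() not in ("http", "https") or not parts.netloc:
        return "#"
    return html.escape(url, quote=True)


if __name__ == "__main__":
    payload = '<script>alert(document.cookie)</script>'
    print(render_comment_unsafe("alice", payload))   # script tag survives
    print(render_comment_safe("alice", payload))     # rendered as text
    print(safe_link("javascript:alert(1)"))          # "#"
```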

313
Q
35.  Users of your company have been visiting the website www.abccompany.com and a recent increase in virus detection has been noted. Your company has developed a relationship with another company using the web address www.abccompany.com, but not with the site that has been causing the increase of viruses. Which of the following would best describe this attack?
A.  Session hijacking
B.  Cross-site scripting
C.  Replay attack
D.  Typo squatting
A

D. Typosquatting is an attack in which the attacker registers a misspelled or look-alike version of a legitimate domain (a dropped, doubled, or transposed letter, or a different top-level domain) and hosts a site that mimics the original. Users who mistype the URL land on the attacker's site, which can phish credentials, sell counterfeit products, or install malware. In the question, users are reaching a site whose name is not the partner's www.abccompany.com, which is the signature of typosquatting.
Option A is incorrect. Session hijacking is a method by which an attacker takes over a web user's session by capturing the session ID and impersonating the authorized user, gaining whatever access that user has.
Option B is incorrect. Cross-site scripting enables attackers to insert client-side script into a web page that other users then view and execute.
Option C is incorrect. A replay attack occurs when a legitimate network transmission is captured by an attacker and maliciously retransmitted to trick the receiver into an unauthorized operation.
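As an added worked example (not from the original deck), a small detector in Python that runs over proxy log lines and flags hosts within a short edit distance of a trusted partner domain. It uses optimal string alignment distance so that a transposition ("compnay") counts as one edit, which plain Levenshtein would score as two. The log format and the sample lines are constructed for the example.

```python
from urllib.parse import urlsplit

# Constructed proxy log lines; the "timestamp client method url status" layout is an assumption.
SAMPLE_PROXY_LOG = [
    "2024-05-01T10:00:01Z 10.0.0.5 GET http://www.abccompany.com/portal 200",
    "2024-05-01T10:00:07Z 10.0.0.9 GET http://www.abcompany.com/portal 200",
    "2024-05-01T10:01:12Z 10.0.0.5 GET https://www.example.org/ 200",
    "2024-05-01T10:02:30Z 10.0.0.7 GET http://www.abccompnay.com/login 200",
    "2024-05-01T10:03:44Z 10.0.0.9 GET http://www.abccornpany.com/download 200",
]
TRUSTED_DOMAINS = {"abccompany.com"}


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert, delete, substitute, or swap
    two adjacent characters, each costing 1."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def registrable(host: str) -> str:
    """Normalise a host for comparison: lowercase, no trailing dot, no www."""
    host = host.lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host


def hosts_from_log(lines):
    for line in lines:
        fields = line.split()
        if len(fields) < 4:
            continue
        host = urlsplit(fields[3]).hostname
        if host:
            yield host


def find_lookalikes(lines, trusted, max_distance: int = 2) -> dict:
    """Map each visited host that is close to, but not equal to, a trusted
    domain onto (closest trusted domain, distance)."""
    hits = {}
    for host in hosts_from_log(lines):
        name = registrable(host)
        if name in trusted:
            continue
        distance, closest = min((osa_distance(name, t), t) for t in trusted)
        if distance <= max_distance:
            hits[host] = (closest, distance)
    return hits


if __name__ == "__main__":
    for host, (closest, distance) in find_lookalikes(SAMPLE_PROXY_LOG, TRUSTED_DOMAINS).items():
        print(f"{host} looks like {closest} (distance {distance})")
```

A distance of 2 also catches the "rn" for "m" homoglyph; raising the threshold further produces noise on short domains, so in practice the check is run per trusted domain with a threshold scaled to its length, and hits feed a proxy block list rather than an automatic block.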

314
Q
42.  Which of the following measures the amount of time required to return a failed device, component, or network to normal functionality?
A.  RTO
B.  MTTR
C.  MTBF
D.  RPO
A

B. MTTR (mean time to repair) is the average time it takes to repair or replace a failed device or component and return it to normal operation (how long until it is fixed).
Option A is incorrect. RTO (recovery time objective) is the maximum time within which normal business operations must resume after an event.
Option C is incorrect. MTBF (mean time between failures) is a rating that predicts the expected operating time between failures of a device or component (when it will next fail).
Option D is incorrect. RPO (recovery point objective) is the maximum amount of data loss, measured as time since the last backup, that a company can tolerate.

315
Q
49.  Which of the following are examples of PII? (Choose two.)
A.  Fingerprint
B.  MAC address
C.  Home address
D.  Gender
A

A, C. The correct answers are fingerprint and home address. This data is often used to distinguish an individual identity as per the personally identifiable information definition used by NIST.
Option B is incorrect. The MAC address is used to identify a device that connects to a network. Anyone can use a particular device without being personally identified.
Option D is incorrect. Gender alone is rarely enough to identify an individual; it only narrows identification when combined with a direct PII element.

316
Q
50.  An employee informs you they have lost a corporate mobile device. What is the first action you perform?
A.  Enable push notification services.
B.  Remotely wipe the mobile device.
C.  Enable screen lock.
D.  Enable geofencing.
A

B. The correct answer is to remotely wipe the mobile device. Wiping removes corporate data before an unauthorized person can extract it; if the device turns up later it can be re-enrolled.
Option A is incorrect. Push notifications are messages that pop up on a mobile device (news, flight status, app updates); they do nothing to protect data on a lost device.
Option C is incorrect. A screen lock must already be in place, enforced by mobile device management policy, before the device is lost; it cannot be configured after the fact by someone who no longer has the device.
Option D is incorrect. Geofencing defines a virtual boundary in a geographical area and generates alerts or policy changes when the device crosses it; it does not protect the data on a device that is already lost.

317
Q
56.  You are the IT security officer of your company and have established a security policy that requires users to protect all sensitive documents to avoid their being stolen. What policy have you implemented?
A.  Separation of duties
B.  Clean desk
C.  Job rotation
D.  Privacy
A

B. Clean desk policy ensures that all sensitive/confidential documents are removed from an end-user workstation and locked up when the documents are not in use.
Option A is incorrect. Separation of duties is a concept of having more than one person required to complete a task.
Option C is incorrect. A job rotation policy is the practice of moving employees between different tasks to promote experience and variety.
Option D is incorrect. A privacy policy describes the ways a party gathers, uses, discloses, and manages a customer's or client's data.

318
Q
  1. You are a system administrator and are asked to prevent staff members from using each other’s credentials to access secured areas of the building. Which of the following will best address this request?
    A. Install a biometric reader at the entrance of the secure area.
    B. Install a proximity card reader at the entrance of the secure area.
    C. Implement least privilege.
    D. Implement group policy enforcement.
A

A. Biometric authentication relies on a person's physical characteristics (fingerprint, retina, hand geometry, voice), which cannot be lent to a coworker the way a card or PIN can, so each entry is tied to the individual actually present.
Option B is incorrect. A proximity card is a contactless smartcard held near a reader to gain access; because it is a physical token, staff can still hand it to each other.
Option C is incorrect. Least privilege gives users the minimum rights needed to do their job, limiting the damage from a compromised account; it does not stop credential sharing.
Option D is incorrect. Group Policy is used by administrators in a Microsoft Active Directory domain to apply configuration to users and computers; it does not govern physical entry.

319
Q
61.  Which of the following is considered the strongest access control?
A.  RBAC
B.  DAC
C.  MAC
D.  ABAC
A

C. The correct answer is mandatory access control (MAC). Access is controlled by comparing security labels with security clearances such as Confidential, Secret, and Top Secret.
Option A is incorrect. Role-based access control (RBAC) controls access based on the roles the users have within the system and on rules stating the access that is allowed for the users in a given role.
Option B is incorrect. Discretionary access control (DAC) controls access based on the object’s owner policy.
Option D is incorrect. Attribute-based access control (ABAC) decides access by evaluating attributes of the user, of the application or resource being accessed, and of the current environment (time, location, device state).

320
Q
64.  Which of the following must a security administrator implement to allow customers, vendors, suppliers, and other businesses to obtain information while preventing access to the company’s entire network?
A.  Intranet
B.  Internet
C.  Extranet
D.  Honeynet
A

C. An extranet gives customers, vendors, suppliers, and other business partners access to a controlled private network segment while preventing them from accessing the company's entire network.
Option A is incorrect. An intranet is a private network found within a company accessed from within the LAN.
Option B is incorrect. The Internet is a global network of computers and devices that can communicate with anyone or any device anywhere in the world.
Option D is incorrect. A honeynet is a collection of honeypots. A honeypot is a system that is set up with vulnerabilities to entice an attacker so as to view their activity and methods for research purposes.

321
Q
65.  The head of HR is conducting an exit interview with an IT network administrator named Matt. The interview questions include Matt’s view of his manager, why he is leaving his current position, and what he liked most about his job. Which of the following should also be addressed in this exit interview?
A.  Job rotation
B.  NDA
C.  Background checks
D.  Property return form
A

D. A property return form properly records all equipment, keys, and badges that must be surrendered to the company when the employee leaves the company.
Option A is incorrect. Job rotation is a policy that describes the practice of moving employees between different tasks to promote experience and variety.
Option B is incorrect. An NDA (nondisclosure agreement) protects sensitive and intellectual data from getting into the wrong hands.
Option C is incorrect. A background check is performed when a candidate is being considered for hire, not at departure.

322
Q
67.  You are a security administrator for your company and have been asked to recommend a secure method for storing passwords due to recent brute-force attempts. Which of the following will provide the best protection? (Choose two.)
A.  ROT13
B.  BCRYPT
C.  RIPEMD
D.  PBKDF2
A

B, D. bcrypt and PBKDF2 are password hashing functions that use key stretching: each hash runs the underlying function many thousands of times (bcrypt's cost factor, PBKDF2's iteration count), so every brute-force guess costs the attacker as much time as a legitimate login costs the server. Both also take a per-password salt, which defeats precomputed (rainbow) tables.
Option A is incorrect. ROT13 is a trivial substitution cipher that replaces each letter with the one 13 positions later in the alphabet (A becomes N, B becomes O, and so on); anyone can reverse it, so it protects nothing.
Option C is incorrect. RIPEMD is a fast, general-purpose cryptographic hash derived from the MD4 design. Although RIPEMD-160 itself is not broken, a single fast hash with no salt or iteration count lets an attacker test billions of guesses per second, so it is not suitable for storing passwords.
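As an added worked example (not from the original deck) serving both the password-cracking card above and this one: a Python audit that stores the same passwords first as an unsalted fast hash and then as salted PBKDF2, runs a wordlist attack against each, and counts how many hash operations the attacker needs. PBKDF2-HMAC-SHA256 comes from the standard library; bcrypt is a third-party package, so it is only discussed here. The wordlist and user records are constructed for the example.

```python
import hashlib
import hmac
import os

# Constructed wordlist: the top of a typical leaked-password list plus a seasonal pattern.
WORDLIST = ["123456", "password", "qwerty", "letmein", "Welcome1", "Summer2023!", "P@ssw0rd"]


def store_unsalted_sha256(password: str) -> str:
    """What not to do: one fast hash, no salt, no work factor."""
    return hashlib.sha256(password.encode()).hexdigest()


def store_pbkdf2(password: str, salt: bytes = b"", iterations: int = 600_000) -> str:
    """Salted, stretched storage in a self-describing record:
    algorithm$iterations$salt$derived-key (format is an assumption)."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_pbkdf2(password: str, stored: str) -> bool:
    alg, iterations, salt_hex, dk_hex = stored.split("$")
    if alg != "pbkdf2_sha256":
        raise ValueError("unsupported record")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)  # constant-time comparison


def crack_unsalted(hashes: dict, wordlist) -> dict:
    """Unsalted fast hash: hash each word once and look up every user at once.
    Returns the users whose password was recovered."""
    table = {store_unsalted_sha256(w): w for w in wordlist}
    return {user: table[h] for user, h in hashes.items() if h in table}


def crack_pbkdf2(records: dict, wordlist) -> dict:
    """Salted, stretched hash: every (user, guess) pair costs a full PBKDF2 run,
    and the per-user salt means no work can be shared between users."""
    found = {}
    for user, rec in records.items():
        for w in wordlist:
            if verify_pbkdf2(w, rec):
                found[user] = w
                break
    return found


def attack_hash_operations(n_users: int, n_words: int, iterations: int) -> tuple:
    """Underlying hash invocations needed to test the whole wordlist against
    every user: (unsalted SHA-256, salted PBKDF2)."""
    return (n_words, n_users * n_words * iterations)


if __name__ == "__main__":
    users = {"alice": "Summer2023!", "bob": "x7#Kq9!pLm2$vR"}   # constructed
    weak = crack_unsalted({u: store_unsalted_sha256(p) for u, p in users.items()}, WORDLIST)
    print("weak passwords found:", weak)
    print("hash operations (unsalted, pbkdf2):", attack_hash_operations(2, len(WORDLIST), 600_000))
```

The audit recovers the same weak password in both stores (key stretching slows guessing, it does not make "Summer2023!" strong), but the operation counts show why storage matters: with a realistic wordlist of millions of entries, the unsalted store falls in seconds, while PBKDF2 at 600,000 iterations multiplies the attacker's cost per user by the iteration count.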

323
Q
73.  Which of the following controls can you implement together to prevent data loss if a mobile device is lost or stolen? (Choose two.)
A.  Geofencing
B.  Full-device encryption
C.  Screen locks
D.  Push notification services
A

B, C. The correct answers are full-device encryption and screen locks. Full-device encryption encrypts all data at rest with a key tied to the device's hardware-bound secret and the user's passcode, so a thief who pulls the storage gets only ciphertext; a screen lock prevents anyone who picks up the device from using an unlocked session to read the data.
Option A is incorrect. Geofencing defines a virtual boundary in a geographical area and can generate alerts based on defined coordinates of the geographical area.
Option D is incorrect. Push notification is a message that pops up on a mobile device. It can provide convenience and value to app users. Users can receive important information ranging from sports scores, new updates, flight status, to weather reports.

324
Q
77.  Which of the following deployment models allows a business to have more control of the devices given to employees that handle company information?
A.  DLP
B.  COPE
C.  BYOD
D.  CYOD
A

D. CYOD (choose your own device) allows an employee to pick from a limited, company-approved list of devices; the business owns and manages the device and can restrict it to work use only.
Option A is incorrect. Data loss prevention (DLP) inspects content to stop sensitive data from leaving the company's network; it is not a device deployment model.
Option B is incorrect. With company-owned, personally enabled (COPE) devices the company supplies and owns the device and monitors it, but employees are permitted personal use such as social media, personal email, and calls.
Option C is incorrect. Bring your own device (BYOD) allows employees to connect their own smartphones or laptops to the company's network, which gives the business the least control.

325
Q
79.  Your company wants to perform a privacy threshold assessment (PTA) to identify all PII residing in its systems before retiring hardware. Which of the following would be examples of PII? (Choose two.)
A.  Date of birth
B.  Email address
C.  Race
D.  Fingerprint
A

B, D. The correct answers are email address and fingerprint. Personally identifiable information (PII) is any information that can be used to distinguish or trace an individual’s identity.
Options A and C are incorrect. Date of birth and race, on their own, do not uniquely identify a person because many people share each value; they become identifying only when combined with other data.

326
Q
80.  Your HIPS is incorrectly reporting legitimate network traffic as suspicious activity. What is this best known as?
A.  False positive
B.  False negative
C.  Credentialed
D.  Noncredentialed
A

A. The correct answer is a false positive. When legitimate data enters a system and the host intrusion prevention system (HIPS) mistakenly marks it as malicious, it is referred to as a false positive.
Option B is incorrect. A false negative is the opposite: the HIPS marks malicious activity as legitimate and lets it through (a missed detection).
Option C is incorrect. A credentialed vulnerability scan logs in to the target with an account so the scanner can check for problems (missing patches, weak local configuration) that are not visible from the network.
Option D is incorrect. A noncredentialed vulnerability scan provides a quick view of vulnerabilities by looking only at the network services the host exposes.

327
Q
83.  You are the network administrator for your company’s Microsoft network. Your CISO is planning the network security and wants a secure protocol that will authenticate all users logging into the network. Which of the following authentication protocols would be the best choice?
A.  RADIUS
B.  TACACS+
C.  Kerberos
D.  SAML
A

C. Kerberos is the native authentication protocol of Microsoft Active Directory; it uses tickets issued by a key distribution center (KDC) to authenticate users and grant access to resources within the domain.
Option A is incorrect. Remote Authentication Dial-In User Service (RADIUS) enables remote access servers to communicate with a central server. This central server is used to authenticate and authorize users to access network services and resources.
Option B is incorrect. TACACS+ is a protocol developed by Cisco and uses TCP for authentication, authorization, and accounting services.
Option D is incorrect. Security Assertion Markup Language (SAML) is an XML standard that allows a user to log in once to an affiliate website and that supports Single Sign-On (SSO) authentication.

328
Q
89.  You are the security administrator for a local hospital. The doctors want to prevent the data from being altered while working on their mobile devices. Which of the following would most likely accomplish the request?
A.  Cloud storage
B.  Wiping
C.  SIEM
D.  SCADA
A

A. Cloud storage offers protection from cyberattacks since the data is backed up. Should the data become corrupted, the hospital can recover the data from cloud storage.
Option B is incorrect. Wiping is the action of making data that is stored on a mobile device inaccessible.
Option C is incorrect. A security information and event management (SIEM) system collects, correlates, and analyzes security events from across the environment in near real time; it detects tampering after the fact rather than preventing it.
Option D is incorrect. Supervisory Control and Data Acquisition (SCADA) is used in power plants to gather and analyze data information in real time from a remote location to control the equipment.

329
Q
93.  Which of the following can be restricted on a mobile device to prevent security violations? (Choose three.)
A.  Third-party app stores
B.  Biometrics
C.  Content management
D.  Rooting
E.  Sideloading
A

A, D, E. The correct answers are third-party app stores, rooting, and sideloading. Restricting these increases the security of a device. Third-party app stores can carry apps that contain malware, so companies allow installation only from approved stores or an enterprise catalog.
Rooting is the process of gaining privileged control over a device; with root access anything is possible, such as installing arbitrary applications, uninstalling system applications, and bypassing existing permissions. Sideloading is installing applications on a mobile device outside the official distribution channel.
Option B is incorrect. Biometrics are a person's physical characteristics, such as a fingerprint, retina, hand geometry, and voice, used here as an authentication factor rather than something to restrict.
Option C is incorrect. Content management systems are used to create and manage digital content for enterprises and websites.

330
Q
95.  Matt, a security administrator, wants to use a two-way trust model for the owner of a certificate and the entity relying on the certificate. Which of the following is the best option to use?
A.  WPA
B.  Object identifiers
C.  PFX
D.  PKI
A

D. Public Key Infrastructure (PKI) distributes and identifies public keys to users and computers securely over a network. It also verifies the identity of the owner of the public key.
Option A is incorrect. WiFi Protected Access (WPA) is a security protocol for WLANs; the original WPA (TKIP) has known weaknesses and is prone to attack.
Option B is incorrect. Object identifiers are unique numeric value to identify an object to avoid conflicts with another object when different directories are combined.
Option C is incorrect. PFX is a file extension for an encrypted security file that stores secure certificates that are used for authentication.

331
Q
99.  Which of the following is best used to prevent ARP poisoning on a local network? (Choose two.)
A.  Antivirus
B.  Static ARP entries
C.  Patching management
D.  Port security
A

B, D. The correct answers are static ARP entries and port security. A static ARP entry pins an IP address to a MAC address on the host so a spoofed reply cannot overwrite the cache entry. Port security on the switch limits which MAC addresses (and how many) may appear on a physical port and shuts the port down on a violation; disabling unused ports prevents an attacker from plugging in a laptop to send spoofed replies. On managed switches, DHCP snooping with dynamic ARP inspection is the scalable form of the same control.
Option A is incorrect. Antivirus is designed to prevent, detect, and remove malware on a host; it does not inspect ARP traffic.
Option C is incorrect. Patch management is the process of collecting, testing, and installing patches on the computers in a network; ARP poisoning abuses the protocol's design rather than a software bug.
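As an added worked example (not from the original deck), a Python detector that replays captured ARP replies against a table of pinned (static) entries and raises the three signals that matter: a reply contradicting a static entry, an IP whose MAC changes mid-session, and one MAC claiming several IPs (the classic gateway-plus-victim pattern). It also emits the Linux iproute2 commands that would pin the entries on a host. The reply lines and addresses are constructed for the example.

```python
import re

# Constructed ARP replies in tcpdump-style "IP is-at MAC" form (the layout is an assumption).
SAMPLE_ARP_REPLIES = [
    "10.0.0.1 is-at 00:11:22:33:44:01",   # the real gateway
    "10.0.0.7 is-at 00:11:22:33:44:07",
    "10.0.0.1 is-at 00:11:22:33:44:99",   # gateway IP suddenly claimed by another MAC
    "10.0.0.9 is-at 00:11:22:33:44:99",   # the same MAC also claims a second IP
]
STATIC_ARP = {"10.0.0.1": "00:11:22:33:44:01"}   # pinned entry for the gateway

ARP_RE = re.compile(r"^(\S+) is-at ([0-9a-fA-F:]{17})$")


def parse_arp_reply(line: str):
    """Return (ip, mac) for a reply line, or None if the line is not a reply."""
    m = ARP_RE.match(line.strip())
    return (m.group(1), m.group(2).lower()) if m else None


def detect_arp_anomalies(lines, static_arp: dict) -> list:
    """Walk the replies in order and return a list of alert tuples."""
    alerts = []
    ip_to_mac = {}     # last MAC seen for each IP
    mac_to_ips = {}    # every IP each MAC has claimed
    pinned = {ip: mac.lower() for ip, mac in static_arp.items()}
    for line in lines:
        parsed = parse_arp_reply(line)
        if parsed is None:
            continue
        ip, mac = parsed
        if ip in pinned and pinned[ip] != mac:
            alerts.append(("static-mismatch", ip, mac))
        previous = ip_to_mac.get(ip)
        if previous is not None and previous != mac:
            alerts.append(("ip-mac-change", ip, previous, mac))
        ip_to_mac[ip] = mac
        claimed = mac_to_ips.setdefault(mac, set())
        if ip not in claimed:          # alert once per new claim, not on every repeat
            claimed.add(ip)
            if len(claimed) > 1:
                alerts.append(("mac-claims-multiple-ips", mac, tuple(sorted(claimed))))
    return alerts


def static_arp_commands(static_arp: dict, iface: str = "eth0") -> list:
    """iproute2 commands that pin the entries on a Linux host (run as root)."""
    return [f"ip neigh replace {ip} lladdr {mac.lower()} dev {iface} nud permanent"
            for ip, mac in static_arp.items()]


if __name__ == "__main__":
    for alert in detect_arp_anomalies(SAMPLE_ARP_REPLIES, STATIC_ARP):
        print(alert)
    for cmd in static_arp_commands(STATIC_ARP):
        print(cmd)
```

The static table is the host-side control from the answer; the detector is what you run on a span port or in the IDS to catch poisoning on segments where pinning every entry is impractical. Note that a host with a permanent neighbor entry ignores the spoofed reply entirely, which is why the static-mismatch alert is the one worth paging on.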