Introduction to Security Terminology Flashcards

1
Q

Your company issues smart phones to employees for business use. Corporate policy dictates that all data stored on smart phones must be encrypted. To which fundamental security concept does this apply?

Confidentiality

Integrity

Availability

A

Confidentiality

Confidentiality ensures that data is accessible only to those parties who should be authorized to access the data. Encrypting data stored on smart phones protects that data if the phone is lost or stolen.

2
Q

You are the network administrator for your company. Your manager has asked you to evaluate cloud backup solutions for remote branch offices. To which fundamental security concept does this apply?

Confidentiality

Integrity

Availability

A

Availability

Backing up data is a safeguard in case data is corrupted or deleted, thus making that data available when required.

3
Q

Your company requires all desktop computers to run a malware detection program twice daily. You configure your network so that only the specific digital version of the executable program that you specify is allowed to run. To which fundamental security concept does this apply?

Confidentiality

Integrity

Availability

A

Integrity

Integrity ensures that data actually comes from the user or device it appears to have come from and that the data has not been altered. File hashing can be used to validate that a specific version of a file is being used.

4
Q

You store personal documents and spreadsheets with a cloud provider. You would like your data to be available only to people who have a special unlock key. What should you apply to your documents and spreadsheets?

File hashing

File backup

File encryption

A

File encryption

File encryption can be implemented using a passphrase or unlock key so that only parties with knowledge of the unlock key can decrypt the data.

5
Q

You would like to send a confidential message to a family member through e-mail, but you have no way of encrypting the message. What alternative method would enable you to achieve your goal?

PKI

File hashing

Steganography

A

Steganography

Steganography is the act of hiding a message within an innocent-looking medium. A common example would be storing invisible hidden messages within pictures such that the receiving party would have to extract the hidden messages. Unsuspecting parties would see only a picture.

6
Q

A corporate security policy emphasizes data confidentiality, and you must configure computing devices accordingly. What should you do? (Choose two.)

Install smartcard readers so users can identify themselves before sending important e-mail messages.

Enforce SD card encryption on smart phones issued to employees.

Configure a server failover cluster to ensure that sensitive documents are always available.

Set file and folder permissions to control user file access.

A

Enforce SD card encryption on smart phones issued to employees.

Set file and folder permissions to control user file access.

Encrypting data and setting file and folder permissions both keep data confidential. Remember that educating users about security and specific organization policies is crucial.

7
Q

Michel, an IT security expert, grants permissions to folders on a file server to enable Marketing users to modify Marketing documents. Which information security goal has been satisfied?

Confidentiality

Integrity

Availability

A

Confidentiality

Confidentiality is achieved by allowing only Marketing users to modify Marketing documents. User accounts for Marketing staff must be secured properly, including account lockout and password policy settings.

8
Q

You need to implement a solution that ensures data stored on a USB removable drive has not been tampered with. What should you implement?

Steganography

File backup

File hashing

A

File hashing

File hashing generates a unique value from a specific version of a file. When a file is modified and the hash value is computed once again, it will be different.

9
Q

Ana must send an important e-mail message to Glen, the director of Human Resources (HR). Corporate policy states that messages to HR must be digitally signed. Which of the following statements is correct?

Ana’s public key is used to create the digital signature.

Ana’s public key is used to verify the digital signature.

Glen’s private key is used to create the digital signature.

A

Ana’s public key is used to verify the digital signature.

Digital signatures are created with the sender’s private key and verified with the sender’s mathematically related public key.

10
Q

John is issuing a digital certificate for Carolyn’s computer. What can the certificate be used for? (Choose two.)

Setting permissions on sensitive files

Encrypting sensitive files

Verifying the computer’s identity to secure servers

Sending encrypted e-mail messages

A

Encrypting sensitive files

Verifying the computer’s identity to secure servers

The public and private key pair within a digital certificate can be used to encrypt and decrypt sensitive files. Digital certificates can also be used to authenticate a computer to a secure server or appliance, such as a VPN server.

11
Q

Every month, Gene downloads and tests the latest software patches before applying them to production smart phones. To which security goal does this example apply?

Confidentiality

Integrity

Availability

A

Availability

Patching devices helps ensure that they are available and secure.

12
Q

You are evaluating public cloud-based e-mail hosting solutions. All vendors state that multiple servers are always running to ensure mailboxes are available. What is this an example of?

Clustering

Steganography

Digital mailbox signatures

A

Clustering

Clustering makes network services, such as e-mail, always available even if a mail server goes down.

13
Q

Your network allows only trusted scripts to run on managed devices. You write a script that must run on all managed devices. What must you do? Place the following correct steps in proper order. (Choose three.)

Obtain a trusted digital certificate and install it on your computer.

Export the private key from your digital certificate to all managed devices.

Create the script.

Digitally sign the script.

On your computer, import digital certificates from all managed devices.

A

Obtain a trusted digital certificate and install it on your computer.

Create the script.

Digitally sign the script.

A trusted code-signing digital certificate must first be installed on your computer before you can sign a script. Target devices must trust the code-signing certificate to allow signed scripts to run. This prevents malicious code written by threat actors from running.

14
Q

You would like to track the modification of sensitive trade secret files. What should you implement?

Auditing

Encryption

File hashing

A

Auditing

Auditing the modification of files will identify who made changes from a specific machine at a certain date and time.

15
Q

Which party determines how data labels are assigned?

Custodian

Owner

Privacy officer

A

Owner

Data owners decide how data should be labeled, such as top secret or publicly available.

16
Q

Which of the following organizes the appropriate identification methods from least secure to most secure?

Smartcard, retinal scan, password

Retinal scan, password, smartcard

Username and password, smartcard, retinal scan

A

Username and password, smartcard, retinal scan

Username/password is single-factor authentication (something you know). Smartcard authentication is multifactor (something you have and something you know), and retinal scans are something you are, which is difficult to forge.

17
Q

You are explaining how the corporate file auditing policy will work to a new IT employee. Place the following items in the correct order: ___, ___, ___, and ___.

A user opens a file, modifies the contents, and then saves the file.

A server validates a correct username and password combination.

A user provides a username and password at a logon screen.

The file activity generated by the user is logged.

A

A user provides a username and password at a logon screen.

A server validates a correct username and password combination.

A user opens a file, modifies the contents, and then saves the file.

The file activity generated by the user is logged.

After a user identifies himself with a username and password, authentication then occurs. Upon successful authentication, a user is then authorized to access the appropriate files. If the user’s current action is being audited for a given file, this information is logged.

18
Q

Your manager has asked you to implement a solution that will prevent users from viewing inappropriate web sites. Which solution should you employ?

Router ACLs

Web site permissions

Proxy server

A

Proxy server

Proxy servers retrieve content that users request. Because of this, proxy servers can easily prevent users from accessing inappropriate content.

19
Q

Trinity uses her building access card to enter a work facility after hours. She has access to only the second floor. What is this an example of?

Authorization

Authentication

Accountability

A

Authorization

Authorization means having legitimate access to specific resources such as web sites, files on a file server, or, in this case, access to a specific floor in a building.

20
Q

Sean is capturing Wi-Fi network traffic using a packet analyzer and is able to read the contents of network transmissions. What can be done to keep network transmissions private?

Install digital certificates on each transmitting device.

Use smartcard authentication.

Encrypt the Wi-Fi traffic.

A

Encrypt the Wi-Fi traffic.

The network transmissions can be kept private by encrypting all Wi-Fi traffic using Wi-Fi encryption protocols such as Wi-Fi Protected Access 2 (WPA2).

21
Q

Which security mechanisms can be used for the purpose of nonrepudiation? (Choose two.)

Encryption

Clustering

Auditing

Digital signatures

A

Auditing

Digital signatures

Auditing can track activities from a specific user or computer. Digital signatures are unique in that they are created using a user’s or computer’s private key, which is accessible only to that user or computer. Both of these mechanisms invalidate any denials related to activities from the user or computer.

22
Q

You are the network administrator for a pharmaceutical firm. Last month, the company hired a third party to conduct a security audit. From the audit findings, you learn that customers’ confidential medical data is not properly secured. Which security concept has been ignored in this case?

Due diligence

Due care

Due process

A

Due care

Due care means taking steps to address a security problem, such as ensuring client data is kept confidential.

23
Q

Which of the following are the best examples of the Custodian security role? (Choose three.)

Human Resources department employee

Server backup operator

CEO

Law enforcement employee responsible for signing out evidence

Sales executive

A

Human Resources department employee

Server backup operator

Law enforcement employee responsible for signing out evidence

Custodians are responsible for maintaining access to and the integrity of data. Human Resources employees, server backup operators, and law enforcement employees all must ensure that data access and integrity are preserved.

24
Q

Franco, an accountant, accesses a shared network folder containing travel expense documents to which he has read and write access. What is this an example of?

Privilege escalation

Due care

Authorization

A

Authorization

Franco is accessing an item that he has legitimate access to; this is authorization.

25
Q

A large corporation requires new employees to present a driver’s license and passport to a security officer before receiving a company-issued laptop. Which security principle does this map to?

Authorization

Confidentiality

Identification

A

Identification

Providing a driver’s license and passport means employees are providing identification.

26
Q

Choose the best example of authentication from the following:

Each morning a network administrator visits various web sites looking for the newest Windows Server vulnerabilities.

Before two systems communicate with one another across a network, they exchange PKI certificates to ensure they share a common ancestor.

A file server has two power supplies in case one fails.

A

Before two systems communicate with one another across a network, they exchange PKI certificates to ensure they share a common ancestor.

Exchanging PKI certificates before allowing communication is an example of system authentication.

27
Q

Raylee is the new network administrator for a legal firm. She studies the existing file server folder structures and permissions and quickly realizes the previous administrator did not properly secure legal documents in these folders. She sets the appropriate file and folder permissions to ensure that only the appropriate users can access the data, based on corporate policy. What security role has Raylee undertaken?

Custodian

Data owner

User

A

Custodian

The Custodian performs data protection and maintenance duties based on established security policies, which Raylee is doing in this case.

28
Q

From the following list, which best describes authentication?

Logging in to a TFTP server with a username and password

Using a username, password, and token card to connect to the corporate VPN

Checking corporate web mail on a secured web site at http://owa.acme.com after supplying credentials

A

Using a username, password, and token card to connect to the corporate VPN

Proving who you are with something you know (username/password) and something you have (token card) is authentication.

29
Q

While experimenting with various server network configurations, you discover an unknown weakness in the server operating system that could allow a remote attacker to connect to the server with administrative privileges. What have you discovered?

Exploit

Bug

Vulnerability

A

Vulnerability

Vulnerabilities are unintended weaknesses in computing devices.

30
Q

Sean is a security consultant and has been hired to perform a network penetration test against his client’s network. Sean’s role is best described as which of the following:

White-hat hacker

Black-hat hacker

Gray-hat hacker

A

White-hat hacker

White-hat hackers expose security flaws without malicious intent for the purposes of better protecting computers and computer networks.

31
Q

Which of the following are classified as availability solutions? (Choose two.)

Auditing

RAID

File server backups

Smartcard authentication

A

RAID

File server backups

Redundant Array of Independent Disks (RAID) groups disks together for the purpose of performance and data availability. RAID level 1 (disk mirroring), for example, ensures that all disk writes occur on two disks in case one disk fails. File server backups ensure that corrupted or deleted data is available from the backup media.

32
Q

You are reviewing document security on your private cloud document server. You notice employees in the Sales department have been given full permissions to all project documents. Sales personnel should have only read permissions to all project documents. Which security principle has been violated?

Separation of duties

Least privilege

Job rotation

A

Least privilege

The concept of least privilege is designed so that users have only the permissions they need to do their jobs.

33
Q

A user, Sylvain, downloads an exploit that takes advantage of a web site vulnerability. Without detailed knowledge of the exploit, Sylvain runs the malicious code against numerous web sites he wishes to gain access to. Which label best identifies Sylvain?

White-hat hacker

Script kiddie

Red-hat hacker

A

Script kiddie

Script kiddies simply download and run exploits created by others without having a full understanding of what the exploit actually does. Technical proficiency in the attack itself is not required; the exploit is simply run by the script kiddie. This can be used by the casual malicious user, by organized crime rings, or even by nation states that buy zero-days (currently unknown exploits) for surveillance purposes. Nation states supporting surveillance or hacking against other nations are especially worrisome due to a potentially endless source of funding.

34
Q

Which term refers to individuals who use computer hacking to promote a political or ideological agenda?

Scriptivist

Script kiddie

Hacktivist

A

Hacktivist

Hacktivism compromises IT system security for the purposes of spreading the word about a specific agenda such as human rights or government corruption.

35
Q

In planning your network infrastructure, you decide to use a layered firewall approach between the Internet and your internal network. Which firewall strategy should you also employ?

The last ACL rule should allow all.

Use firewall appliances from different vendors.

The first ACL rule should deny all.

A

Use firewall appliances from different vendors.

Vendor diversity increases security; a specific security compromise on one firewall appliance most likely will not work on a different vendor’s firewall appliance. This adds another layer of security, which is referred to as defense-in-depth.

36
Q

Which application-testing technique uncovers improper input handling?

Fuzzing

Overloading

Penetration test

A

Fuzzing

Fuzzing provides a large amount of input data, even invalid data, to an application in order to observe its behavior; the idea is to ensure that the application is stable and secure with its input and error handling.

37
Q

Which type of tools are used for reconnaissance to collect and analyze public information about an organization?

Big data suite

Packet sniffer

Open source intelligence

A

Open source intelligence

Open source intelligence tools are used to collect and analyze publicly available data about an organization. The goal is to make intelligent decisions based on this analysis.

38
Q

Which programming problem stems from multiple threads not executing in a predictable sequential pattern?

Fuzzing

Blue screen of death

Race condition

A

Race condition

In a race condition, when code is executed by multiple threads, the timing of dependent events is not predictable, and as a result a different thread can function in an unintended manner. For example, a piece of code might check the value of a variable and take action later, while that variable’s value can change in the interim.

39
Q

Your company plans to use multiple Internet of Things (IoT) devices in the facility to control lighting and temperature. You suggest to management that the use of IoT devices presents many security risks. Which of the following is a known security issue with many IoT devices?

Use of Telnet

Inability to update embedded firmware

Inability to log events

A

Inability to update embedded firmware

Many IoT devices are unable to update embedded firmware, as is also often seen with end-of-life systems that are no longer supported by the vendor. This means that as IoT device vulnerabilities are discovered, there is no way to apply a fix directly to the device, since the firmware often does not accept updates; this is simply a choice made by the vendor. IoT devices are targeted at general consumers, and security is often not a priority.

40
Q

Jim is an IT technician for a medium-sized medical clinic. The clinic recently purchased four wireless access points to cover medical devices within a floor of the building. Jim installed the access points in the best locations for signal coverage and then changed the WPA2 password. What mistake did Jim make?

Jim should have enabled WEP.

No more than two access points should be used due to interference.

The default administrator configuration was left unchanged.

A

The default administrator configuration was left unchanged.

Many network and IoT devices ship with a default administrative configuration including the username and password; this must be changed immediately since it is known by all.

41
Q

Which type of vulnerability results from writing data beyond expected memory boundaries?

Pointer dereference

Integer overflow

Buffer overflow

A

Buffer overflow

Buffer overflows result from writing data beyond expected memory boundaries, which can crash a program or provide escalated privileges.

42
Q

A piece of malware replaces a library of code used as needed by a controlling program. What name describes this type of security issue?

DLL injection

Pointer dereference

Integer overflow

A

DLL injection

DLL injections insert code into a dynamic link library, which is called by a program at runtime as needed.