Jason Dion - Security+ Udemy Course Flashcards

1
Q

You are at the doctor’s office and waiting for the physician to enter the room to examine you. You look across the room and see a pile of patient records on the physician’s desk. There is no one in the room and your curiosity has gotten the better of you, so you walk across the room and start reading through the other patient records on the desk. Which tenet of security have you just violated?

Authentication
Confidentiality
Integrity
Availability

A

Confidentiality

Explanation:
Confidentiality ensures that data or information has not been disclosed to unauthorized people. In this case, you are not the doctor or the patient whose records you looked at, therefore, confidentiality has been breached.

2
Q

You have just walked up to the bank teller and requested to withdraw $100 from checking account #7654123 (your account). The teller asks for your name and driver’s license before conducting this transaction. After she looks at your driver’s license, she thanks you for your business, pulls out $100 from the cash drawer, and hands you back the license and the $100 bill. What category best describes what the bank teller just did?

Accounting
Authorization
Authentication
Availability

A

Authentication

Explanation:
Authentication occurs when a person’s identity is established with proof and confirmed by a system. In this case, the bank teller verified you were the account holder by verifying your name and looking over your photo identification (driver’s license) prior to giving you the cash being withdrawn.

3
Q

You are in the kitchen cooking dinner while your spouse is in the other room watching the news on the television. The top story is about how hackers have been able to gain access to one of the state’s election systems and tamper with the results. Unfortunately, you only heard a fraction of the story, but your spouse knows that you have been learning about hackers in your Security+ course and asks you, “Which type of hacker do you think would be able to do this?”

Hacktivists
Organized Crime Groups
APTs
Script Kiddies

A

APTs (Advanced Persistent Threats)

Explanation:
APTs are highly organized, well-funded, and often part of a nation state’s larger foreign policy and influence campaigns. Hacktivists are usually political, but they are disorganized and don’t have the level of sophistication needed to hack into a well-defended government computer network like the election system. While organized crime groups may have the sophistication to conduct the hack, they are usually more interested in conducting criminal actions to make money instead of getting involved in politics. Script kiddies are low-skilled hackers who can only use other people’s tools.

4
Q

A user has reported that their workstation is running very slowly. A technician begins to investigate the issue and notices a lot of unknown processes running in the background. The technician determines that the user has recently downloaded a new application from the internet and may have become infected with malware. Which of the following types of infections does the workstation MOST likely have?

Rootkit
Trojan
Keylogger
Ransomware

A

Trojan

Explanation:
A trojan is a type of malware that looks legitimate but can take control of your computer. A Trojan is designed to damage, disrupt, steal, or in general, inflict some other harmful action on your data or network. The most common form of a trojan is a Remote Access Trojan (RAT), which is used to allow an attacker to remotely control a workstation or steal information from it. To operate, a trojan will create numerous processes that run in the background of the system.

5
Q

On your lunch break, you walked down to the coffee shop on the corner. You open your laptop and connect to their wireless network. After a few minutes of surfing the Internet, a pop-up is displayed on your screen. You close the pop-up, finish your lunch break, shut down the laptop, and put it back into your backpack. When you get back to the office, you take out the laptop and turn it on, but instead of your normal desktop background, you are greeted by a full screen image with a padlock and a message stating you have to pay 1 BTC to regain access to your personal files. What type of malware has infected your laptop?

Trojan
Spyware
Ransomware
Rootkit

A

Ransomware

Explanation:
This scenario is describing a ransomware attack. Your personal files are being held hostage and will not be released unless you pay a ransom (in this case, 1 BTC). You should restore your machine from a known good backup and restore your personal files from the backup, as well. You should not pay the ransom since the attackers usually still will not unlock your files.

6
Q

A computer is infected with a piece of malware that has infected the Windows kernel in an effort to hide. Which type of malware MOST likely infected this computer?

Ransomware
Trojan
Rootkit
Botnet

A

Rootkit

Explanation:
A rootkit is a clandestine computer program designed to provide continued privileged access to a computer while actively hiding its presence. A rootkit is generally a collection of tools that enables administrator-level access to a computer or network. Rootkits can often disguise themselves from detection by the operating system and anti-malware solutions. If a rootkit is suspected on a machine, it is best to reformat and reimage the system.

7
Q

Your company’s Security Operations Center (SOC) is currently detecting an ongoing DDoS attack against your network’s file server. One of the cybersecurity analysts has identified forty internal workstations on the network that are conducting the attack against your network’s file server. The cybersecurity analyst believes these internal workstations are infected with malware and places them into a quarantined area of the network. The analyst then submits a service desk ticket to have the workstations scanned and cleaned of the infection. What type of malware was the workstation likely a victim of based on the scenario provided?

Spyware
Botnet
Rootkit
Ransomware

A

Botnet

Explanation:
A botnet is a number of internet-connected devices, each of which is running one or more bots. Botnets can be used to perform distributed denial-of-service (DDoS) attacks, steal data, and send spam, and they allow the attacker to access each device and its connection. A zombie (also known as a bot) is a computer or workstation that a remote attacker has accessed and set up to forward transmissions (including spam and viruses) to other computers on the internet.

8
Q

The Security Operations Center Director for Dion Training received a pop-up message on his workstation that said, “You will regret firing me; just wait until Christmas!” He suspects the message came from a disgruntled former employee that may have set up a piece of software to create this pop-up on his machine. The director is now concerned that other code might be lurking within the network that could create a negative effect on Christmas. He directs his team of cybersecurity analysts to begin searching the network for this suspicious code. What type of malware should they be searching for?

Worm
Trojan
Adware
Logic Bomb

A

Logic Bomb

Explanation:
A logic bomb is a piece of code intentionally inserted into a software system that will set off a malicious function when specified conditions are met. For example, a programmer may hide a piece of code that starts deleting files should they ever be terminated from the company. The director is concerned that a logic bomb may have been created and installed on his system or across the network before the employee was fired.

9
Q

In which type of attack does the attacker begin with a normal user account and then seeks to gain additional access rights?

Privilege Escalation
Cross-Site Scripting
Spear Phishing
Remote Code Execution

A

Privilege Escalation

Explanation:
Privilege escalation attacks seek to increase the level of access that an attacker has to a target system. Privilege escalation is the act of exploiting a bug, design flaw, or configuration oversight in an operating system or software application to gain elevated access to resources that are normally protected from an application or user.

10
Q

You have been investigating how a malicious actor was able to exfiltrate confidential data from a web server to a remote host. After an in-depth forensic review, you determine that the web server’s BIOS had been modified by the installation of a rootkit. After you remove the rootkit and reflash the BIOS to a known good image, what should you do in order to prevent the malicious actor from affecting the BIOS again?

Install an Anti-Malware Application
Install a Host-Based IDS
Utilize Secure Boot
Utilize File Integrity Monitoring

A

Utilize Secure Boot

Explanation:
Since you are trying to protect the BIOS, utilizing secure boot is the best choice. Secure boot is a security system offered by UEFI. It is designed to prevent a computer from being hijacked by a malicious OS. Under secure boot, UEFI is configured with digital certificates from valid OS vendors. The system firmware checks the operating system boot loader using the stored certificate to ensure that it has been digitally signed by the OS vendor. This prevents a boot loader that has been changed by malware (or an OS installed without authorization) from being used.

11
Q

Your company recently suffered a small data breach that was caused by an employee emailing themselves a copy of the current customers’ names, account numbers, and credit card limits. You are determined that something like this shall never happen again. Which of the following logical security concepts should you implement to prevent a trusted insider from stealing your corporate data?

Firewall
MDM
DLP
Strong Passwords

A

DLP (Data Loss Prevention)

Explanation:
Data loss prevention software detects potential data breaches/data exfiltration transmissions and prevents them by monitoring, detecting, and blocking sensitive data while in use (endpoint actions), in transit (network traffic), and at rest (data storage). Since the user was an authorized user (employee), changing your password policy, reconfiguring the firewall, or setting up an MDM solution would not solve this problem. Instead, a DLP solution must be implemented.

12
Q

You are trying to select the best device to install in order to detect an outside attacker who is trying to reach into your internal network. The device should log the event, but it should not take any action to stop it. Which of the following devices would be the BEST for you to select?

Proxy Server
Authentication Server
IPS
IDS

A

IDS (Intrusion Detection System)

Explanation:
An intrusion detection system is a device or software application that monitors a network or system for malicious activity or policy violations. Any malicious activity or violation is typically reported either to an administrator or collected centrally using a security information and event management system. Unlike an IPS, which can take action to stop malicious activity or policy violations, an IDS can only log these issues and not stop them.

13
Q

Which mobile device strategy is most likely to result in the introduction of vulnerable devices to a corporate network?

COPE
CYOD
BYOD
MDM

A

BYOD (Bring Your Own Device)

Explanation:
The BYOD (bring your own device) strategy opens a network to many vulnerabilities. People are able to bring their personal devices to the corporate network, and their devices may contain vulnerabilities that could be allowed to roam free on a corporate network.

14
Q

Your smartphone begins to receive unsolicited messages while you are eating lunch at the restaurant across the street from your office. What might cause this to occur?

Packet Sniffing
Bluesnarfing
Bluejacking
Geotagging

A

Bluejacking

Explanation:
Bluejacking is the sending of unsolicited messages over Bluetooth to Bluetooth-enabled devices such as smartphones and tablets. Bluesnarfing, on the other hand, involves taking data from a smartphone or tablet over Bluetooth without permission. Bluetooth has a very limited range, so the attacker is likely within 10 meters of the victimized device. Geotagging involves embedding the geolocation coordinates into a piece of data (normally a photo or video). Packet sniffing is a passive method of collecting network traffic for follow-on analysis at a later time.

15
Q

Tim, a help desk technician, receives a call from a frantic executive who states that their company-issued smartphone was stolen during their lunch meeting with a rival company’s executive. Tim quickly checks the MDM administration tool and identifies that the user’s smartphone is still communicating with the MDM and displays the location of the device on a map. What should Tim do next to ensure the data on the stolen device remains confidential and inaccessible to the thief?

Reset the device’s password.
Perform a Remote Wipe of the device.
Remotely encrypt the device.
Identify the IP Address of the Smartphone.

A

Perform a Remote Wipe of the device.

Explanation:
To ensure the data remains confidential and is not accessed by the thief, Tim should perform a remote wipe of the device from the MDM. This will ensure any and all corporate data is erased prior to anyone accessing it. Additionally, Tim could reset the device’s password, but if the thief is able to guess or crack the password, then they would have access to the data. Identifying the IP address of the smartphone is not a useful step in protecting the data on the device. Additionally, devices should be encrypted BEFORE they are lost or stolen, not after.

16
Q

Which type of threat will patches NOT effectively combat as a security control?

Zero-Day Attacks
Known Vulnerabilities
Discovered Software Bugs
Malware with defined indicators of compromise

A

Zero-Day Attacks

Explanation:
Zero-day attacks have no known fix, so patches will not correct them. A zero-day vulnerability is a computer-software vulnerability that is unknown to, or unaddressed by, those who should be interested in mitigating the vulnerability (including the vendor of the target software). If a discovered software bug or known vulnerability is found, there is normally a patch or mitigation available for it. If a piece of malware has well-defined indicators of compromise, a patch or signature can be created to defend against it, as well.

17
Q

What should administrators perform to reduce the attack surface of a system and to remove unnecessary software, services, and insecure configuration settings?

Harvesting
Windowing
Hardening
Stealthing

A

Hardening

Explanation:
Hardening is usually the process of securing a system by reducing its surface of vulnerability, which is larger when a system performs more functions; in principle, a single-function system is more secure than a multipurpose one. Reducing available ways of attack typically includes changing default passwords, the removal of unnecessary software, unnecessary usernames or logins, and the disabling or removal of unnecessary services.

18
Q

Which of the following security controls provides Windows system administrators with an efficient way to deploy system configuration settings across a large number of devices?

Patch Management
GPO
HIPS
Anti-Malware

A

GPO (Group Policy Object)

Explanation:
Microsoft’s Group Policy Object (GPO) is a collection of Group Policy settings that defines what a system will look like and how it will behave for a defined group of users. It allows an administrator to create a policy and deploy it across a large number of devices in the domain or network. Patch management, host intrusion prevention systems (HIPS), and anti-malware software are different types of host security controls, but only GPOs have the ability to configure settings across multiple Windows devices efficiently.

19
Q

Which of the following BEST describes when a third party takes components produced by a legitimate manufacturer and assembles an unauthorized replica that is sold in the general marketplace?

Recycling
Capitalism
Counterfeiting
Entrepreneurship

A

Counterfeiting

Explanation:
While the unauthorized third party may assemble a component that was legitimately made from OEM parts, the fact remains that those parts were never intended for distribution under the manufacturer’s legitimate label. Therefore, this is considered counterfeiting. As a cybersecurity analyst, you need to be concerned with your organization’s supply chain management. There have been documented cases of counterfeit hardware (like switches and routers) being sold with malware or a lower mean time between failures, both of which affect the security of your network.

20
Q

Which of the following programs was designed to secure the manufacturing infrastructure for information technology vendors providing hardware to the military?

Trusted Foundry (TF)
Supplies Assured (SA)
Supply Secure (SS)
Trusted Access Program (TAP)

A

Trusted Foundry (TF)

Explanation:
The Trusted Foundry program, also called the trusted suppliers program, is a United States Department of Defense program designed to secure the manufacturing infrastructure for information technology vendors providing hardware to the military. Trusted Foundry was created to provide a chain of custody for classified/unclassified integrated circuits, ensure there is no reasonable threat related to supply disruption, prevent intentional/unintentional modification of integrated circuits, and protect integrated circuits from reverse engineering and vulnerability testing.

21
Q

Following a root cause analysis of the unexpected failure of an edge router, a cybersecurity analyst discovered that the system administrator had purchased the device from an unauthorized reseller. The analyst suspects that the router may be a counterfeit device. Which of the following controls would have been most effective in preventing this issue?

Increase Network vulnerability scan frequency.
Ensure all Anti-Virus Signatures are up to date.
Conduct Secure Supply chain management training.
Verify that all Routers are patched to the latest release.

A

Conduct Secure Supply chain management training.

Explanation:
Anti-counterfeit training is part of the NIST 800-53r4 control set (SA-19(1)) and should be a mandatory part of your supply chain management training within your organization. All other options may produce security gains in the network, but they are unlikely to reliably detect a counterfeit item or prevent its introduction into the organization’s supply chain. Training on detection methodologies (e.g., simple visual inspections) and training for acquisition personnel will better prevent recurrences.

22
Q

What is the lowest layer (bottom layer) of a bare-metal virtualization environment?

Hypervisor
Host Operating System
Guest Operating System
Physical Hardware

A

Physical Hardware

Explanation:
The bottom layer is physical hardware in this environment. It sits beneath the hypervisor, which in turn controls the guest operating systems’ access to that hardware. The bare-metal approach doesn’t have a host operating system.

23
Q

You need to determine the best way to test operating system patches in a lab environment prior to deploying them to your automated patch management system. Unfortunately, your network has several different operating systems in use, but you only have one machine available to test the patches on. What is the best environment to utilize to perform the testing of the patches prior to deployment?

Sandboxing
Virtualization
Purchase Additional Workstations
Bypass Testing and deploy patches directly into the production environment.

A

Virtualization

Explanation:
When you have a limited amount of hardware resources to utilize but are required to test multiple operating systems, you should set up a virtualized environment to test the patch across each operating system prior to deployment. You should never deploy patches directly into production without testing them first in the lab.

24
Q

Which of the following vulnerabilities involves leveraging access from a single virtual machine to other machines on a hypervisor?

VM Escape
VM Migration
VM Sprawl
VM Data Remnant

A

VM Escape

Explanation:
Virtual machine escape vulnerabilities are the most severe issue that may exist in a virtualized environment. In this attack, the attacker has access to a single virtual host and then leverages that access to intrude on the resources assigned to different virtual machines.

25
Q

A web developer wants to protect their new web application from a man-in-the-middle attack. Which of the following controls would best prevent an attacker from stealing tokens stored in cookies?

Forcing the use of TLS for the Web App
Forcing the use of SSL for the Web App
Setting the secure attribute on the Cookie
Hashing the Cookie value

A

Setting the secure attribute on the Cookie

Explanation:
When a cookie has the Secure attribute, the user agent includes the cookie in an HTTP request only if the request is transmitted over a secure channel (typically HTTPS). Although seemingly useful for protecting cookies from active network attackers, the Secure attribute protects only the cookie’s confidentiality. Forcing the web application to use TLS or SSL does not force the cookie to be sent over TLS/SSL, so you still would need to set the Secure attribute on the cookie. Hashing the cookie provides integrity of the cookie, not confidentiality.

26
Q

A user reports that every time they try to access https://www.diontraining.com, they receive an error stating “Invalid or Expired Security Certificate”. The technician attempts to connect to the same site from other computers on the network, and no errors or issues are observed. Which of the following settings needs to be changed on the user’s workstation to fix the “Invalid or Expired Security Certificate” error?

Logon Times
Date and Time
User Access Control
UEFI Boot Mode

A

Date and Time

Explanation:
There are two causes of the “Invalid or Expired Security Certificate”. The first is a problem with your computer, and the second occurs when the certificate itself has an issue. Since the technician can successfully connect to the website from other computers, it shows that the error is on the user’s computer. One of the common causes of an Invalid or Expired Security Certificate error is the clock on the user’s computer being wrong since the website security certificates are issued to be valid within a given date range.

27
Q

Your company has created a baseline image for all of its workstations using Windows 10. Unfortunately, the image included a copy of Solitaire, and the CIO has created a policy to prevent anyone from playing the game on the company’s computers. You have been asked to create a technical control to enforce the policy (administrative control) that was recently published. What should you implement?

Application Whitelist
Disable Removable Media
Application Blacklist
Application Hardening

A

Application Blacklist

Explanation:
You should create and implement an application blacklist that includes the Solitaire game on it. This will prevent the application from being able to be run on any corporate workstation. Application whitelists will allow only authorized applications to be run, while application blacklists will prevent any application listed from being run.

28
Q

(where email=support@diontraining.com and password=‘ or 7==7’)
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
What type of attack is being performed?

XML Injection
SQL Injection
Header Manipulation
Cross-Site Scripting

A

SQL Injection

Explanation:
SQL injection is a code injection technique that is used to attack data-driven applications. SQL injections are conducted by inserting malicious SQL statements into an entry field for execution. For example, an attacker may try to dump the contents of the database by using this technique. A common technique in SQL injection is to insert a statement that is always true, such as 1 == 1, or in this example, 7 == 7.

29
Q

alert(“This site is vulnerable to an attack!”)
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Then, you clicked the search button, and a pop-up box appears on your screen showing the following text, “This site is vulnerable to an attack!” Based on this response, what vulnerability have you uncovered in the web application?

Buffer Overflow
Cross-Site Request Forgery
Distributed Denial of Service
Cross-Site Scripting

A

Cross-Site Scripting

Explanation:
This is a form of Cross-Site Scripting (XSS). Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications. XSS enables attackers to inject client-side scripts into web pages viewed by other users. A cross-site scripting vulnerability may be used by attackers to bypass access controls such as the same-origin policy.

30
Q

https://www.diontraining.com/add_to_cart.php?itemId=5”+perItemPrice=”0.00”+quantity=”100”+/>

A

XML Injection

Explanation:
This is an example of an XML injection. XML injection manipulates or compromises the logic of an XML application or service. The injection of unintended XML content and/or structures into an XML message can alter the intended logic of an application, and XML injection can cause the insertion of malicious content into resulting messages/documents. In this case, the URL is attempting to modify the server’s XML structure. The real key to answering this question is identifying the XML-structured code being entered as part of the URL, which is shown by the bracketed data.

31
Q

A supplier needs to connect several laptops to an organization’s network as part of their service agreement. These laptops will be operated and maintained by the supplier. Victor, a cybersecurity analyst for the organization, is concerned that these laptops could potentially contain some vulnerabilities that could weaken the security posture of the network. What can Victor do to mitigate the risk to other devices on the network without having direct administrative access to the supplier’s laptops?

Scan the laptops for vulnerabilities and patch them.
Increase encryption level of VPN used by the laptops.
Implement a Jumpbox System
Require 2FA on the laptops.

A

Implement a Jumpbox System

Explanation:
A jumpbox is a system on a network used to access and manage devices in a separate security zone. This would create network segmentation between the supplier’s laptops and the rest of the network to minimize the risk. A jumpbox system is a hardened and monitored device that spans two dissimilar security zones and provides a controlled means of access between them. While the other options listed are all good security practices, they do not fully mitigate the risk that insecure systems pose, since Victor cannot enforce these configurations on a supplier-provided laptop.

32
Q

An analyst is reviewing the configuration of a triple-homed firewall that connects to the internet, a private network, and one other network. Which of the following would best describe the third network connected to this firewall?

DMZ
Subnet
NIDS
GPO

A

DMZ (Demilitarized Zone)

Explanation:
A triple-homed firewall connects to three networks: internal (private), external (internet/public), and the demilitarized zone (DMZ). The demilitarized zone (DMZ) network hosts systems that require access from external hosts.

33
Q

Dion Training allows its visiting business partners from CompTIA to use an available Ethernet port in their conference room to establish a VPN connection back to the CompTIA internal network. The CompTIA employees should be able to obtain internet access from the Ethernet port in the conference room, but nowhere else in the building. Additionally, if a Dion Training employee uses the same Ethernet port in the conference room, they should be able to access Dion Training’s secure internal network. Which of the following technologies would allow you to configure this port and support both requirements?

Create an ACL to allow access.
Configure a SIEM
MAC Filtering
Implement NAC

A

Implement NAC (Network Access Control)

Explanation:
Network Access Control (NAC) uses a set of protocols to define and implement a policy that describes how to secure access to network nodes whenever a device initially attempts to access the network. NAC can utilize an automatic remediation process by fixing non-compliant hosts before allowing network access. Network Access Control can control access to a network with policies, including pre-admission endpoint security policy checks and post-admission controls over where users and devices can go on a network and what they can do.

34
Q

You have just received some unusual alerts on your SIEM dashboard and want to collect the payloads associated with them. Which of the following should you implement to effectively collect these malicious payloads that the attackers are sending towards your systems without impacting your organization’s normal business operations?

Honeypot
Jumpbox
Sandbox
Containerization

A

Honeypot

Explanation:
A honeypot is a host set up with the purpose of luring attackers away from the actual network components and/or discovering attack strategies and weaknesses in the security configuration. A jumpbox is a hardened server that provides access to other hosts. A sandbox is a computing environment that is isolated from a host system to guarantee that the environment runs in a controlled, secure fashion. Containerization is a type of virtualization applied by a host operating system to provision an isolated execution environment for an application.

35
Q

You are trying to select the best device to install in order to detect an outside attacker who is trying to reach into your internal network. The device should log the event, but it should not take any action to stop it. Which of the following devices would be the BEST for you to select?

Proxy Server
Authentication Server
IPS
IDS

A

IDS (Intrusion Detection System)

Explanation:
An intrusion detection system is a device or software application that monitors a network or system for malicious activity or policy violations. Any malicious activity or violation is typically reported either to an administrator or collected centrally using a security information and event management system. Unlike an IPS, which can take action to stop malicious activity or policy violations, an IDS can only log these issues and not stop them.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
36
Q

During a security audit, you discovered that customer service employees have been sending unencrypted confidential information to their personal email accounts via email. What technology could you employ to detect these occurrences in the future and send an automated alert to the security team?

SSL
UTM
DLP
MDM

A

DLP (Data Loss Prevention)

Explanation:
Data loss prevention (DLP) software detects potential data breaches/data exfiltration transmissions and prevents them by monitoring, detecting, and blocking sensitive data while in-use, in-motion, and at-rest. This can be configured to detect and alert on future occurrences of this issue.
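
The detection the explanation describes, as an added example that is not part of the original flashcards: a small Python DLP rule that scans outbound messages, flags sensitive data (Luhn-valid card numbers and SSN-shaped strings) bound for personal webmail domains, and raises an alert without copying the secret into it. The domains, message samples, and patterns are constructed for the example.

```python
from __future__ import annotations

import re

# Constructed policy values for this example (assumptions, not from the page).
PERSONAL_WEBMAIL = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}

# Candidate primary account numbers: 13-19 digits with optional space/dash separators.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# US Social Security Number in the common 3-2-4 form.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check; weeds out order numbers that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def classify_body(body: str) -> list[str]:
    """Return the sensitive-data findings in a message body, never the raw values."""
    findings = []
    for match in PAN_RE.finditer(body):
        digits = re.sub(r"\D", "", match.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            findings.append(f"PAN ending {digits[-4:]}")
    if SSN_RE.search(body):
        findings.append("SSN")
    return findings


def scan_messages(messages: list[dict]) -> list[dict]:
    """Alert when sensitive data is addressed to a personal webmail domain."""
    alerts = []
    for msg in messages:
        domain = msg["to"].rsplit("@", 1)[-1].lower()
        if domain not in PERSONAL_WEBMAIL:
            continue
        findings = classify_body(msg["body"])
        if findings:
            alerts.append({"from": msg["from"], "to": msg["to"], "findings": findings})
    return alerts


# Constructed sample outbound messages (not real data).
SAMPLE_MESSAGES = [
    {"from": "alice@dion-example.test", "to": "alice.personal@gmail.com",
     "body": "Customer export attached. Card 4111 1111 1111 1111, SSN 123-45-6789."},
    {"from": "bob@dion-example.test", "to": "carol@dion-example.test",
     "body": "Card 4111 1111 1111 1111 needs a refund."},          # internal, no alert
    {"from": "dave@dion-example.test", "to": "dave@outlook.com",
     "body": "Order 1234567890123456 shipped, see you at home."},   # fails Luhn, no alert
]

if __name__ == "__main__":
    for alert in scan_messages(SAMPLE_MESSAGES):
        print(f"ALERT {alert['from']} -> {alert['to']}: {', '.join(alert['findings'])}")
```

The alert carries only the last four digits of the card number; a DLP alert that quotes the full secret is itself a leak into the SIEM.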

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
37
Q

The Pass Certs Fast corporation has recently been embarrassed by a number of high profile data breaches. The CIO proposes improving the cybersecurity posture of the company by migrating images of all the current servers and infrastructure into a cloud-based environment. What, if any, is the flaw in moving forward with this approach?

This approach assumes that the cloud will provide better security than is currently done on site.

This approach only changes the location of the Network and not the attack surface of it.

The company has already paid for the physical servers and will not fully realize their ROI on them due to the migration.

This is a reasonable approach that will increase the security of the servers and infrastructure.

A

This approach only changes the location of the Network and not the attack surface of it.

Explanation:
A poorly implemented security model at a physical location will still be a poorly implemented security model in a virtual location. Unless the fundamental causes of the security issues that caused the previous data breaches have been understood, mitigated, and remediated, then migrating the current images into the cloud will simply change the location of where the processing occurs without improving the security of the network. While the statement concerning unrealized ROI may be accurate, it simply demonstrates the fallacy of the sunk cost argument.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
38
Q

Which of the following would a virtual private cloud infrastructure be classified as?

IaaS
PaaS
SaaS
FaaS

A

IaaS (Infrastructure as a Service)

Explanation:
Infrastructure as a Service (IaaS) is a computing method that uses the cloud to provide any or all infrastructure needs. In a VPC environment, an organization provisions virtual servers in a cloud-hosted, logically isolated network. The service consumer is still responsible for defining and maintaining the IP address space, subnets, and routing within the VPC, while the provider maintains the underlying physical infrastructure.

39
Q

Dave’s company utilizes Google’s G-Suite environment for file sharing and office productivity, Slack for internal messaging, and AWS for hosting their web servers. Which type of cloud deployment model is being used?

Multi-Cloud
Community
Private
Public

A

Multi-Cloud

Explanation:
Multi-cloud is a cloud deployment model in which the cloud consumer uses multiple public cloud services from different providers. In this example, Dave’s company is using Google’s G-Suite, Amazon’s AWS, and Slack’s cloud-based SaaS product simultaneously. A private cloud is deployed for use by a single entity. A public cloud is deployed for shared use by multiple independent tenants. A community cloud is deployed for shared use by cooperating tenants.

40
Q

Which term is used in software development to refer to the method in which app and platform updates are committed to a production environment rapidly?

Continuous Delivery
Continuous Integration
Continuous Deployment
Continuous Monitoring

A

Continuous Deployment

Explanation:
Continuous deployment is a software development method in which app and platform updates are committed to production rapidly. Continuous delivery is a software development method in which app and platform requirements are frequently tested and validated for immediate availability. Continuous integration is a software development method in which code updates are tested and committed to a development or build server/code repository rapidly. Continuous monitoring is the technique of constantly evaluating an environment for changes so that new risks may be more quickly detected.

41
Q

Which of the following utilizes a well-written set of carefully developed and tested scripts to orchestrate runbooks and generate consistent server builds across an enterprise?

SaaS
IaaS
IaC
SDN

A

IaC (Infrastructure as Code)

Explanation:
IaC is designed with the idea that a well-coded description of the server/network operating environment will produce consistent results across an enterprise and significantly reduce IT overhead costs through automation. Because every build comes from the same reviewed, version-controlled definition, IaC also reduces configuration drift and the ad hoc misconfigurations that introduce security vulnerabilities, although a flaw in the template is reproduced in every build. SDN uses software to define networking boundaries but does not necessarily handle server architecture in the same way that IaC can. Infrastructure as a Service (IaaS) is a computing method that uses the cloud to provide any or all infrastructure needs.

42
Q

Which type of system would classify traffic as malicious or benign based on explicitly defined examples of malicious and benign traffic?

Artificial Intelligence
Machine Learning
Deep Learning
Generative Adversarial Network

A

Machine Learning (ML)

Explanation:
A machine learning (ML) system uses a computer to accomplish a task without ever being explicitly programmed to do it. In the context of cybersecurity, ML generally works by analyzing example data sets to create its own ability to classify future items presented. If the system was presented with large datasets of malicious and benign traffic, it will learn which is malicious and use that to categorize future traffic presented to it.

43
Q

Which of the following types of attacks is usually used as part of a man-in-the-middle attack?

Brute Force
Spoofing
DDoS
Tailgating

A

Spoofing

Explanation:
A man-in-the-middle attack (MITM) is an attack where the attacker secretly relays and possibly alters the communications between two parties who believe they are directly communicating with each other. One example of a MITM attack is active eavesdropping, in which the attacker makes independent connections with the victims and relays messages between them to make them believe they are talking directly to each other over a private connection, when in fact the entire conversation is controlled by the attacker. The attacker must be able to intercept all relevant messages passing between them. Spoofing is usually how the attacker gets into that position in the first place: for example, ARP spoofing to redirect a victim’s traffic on a LAN, DNS spoofing to send the victim to the attacker’s host, or IP/MAC spoofing to impersonate one of the endpoints. Brute force, DDoS, and tailgating do not place the attacker between the two parties.

44
Q

TCP: 80
TCP: 110
TCP: 443
TCP: 1433
TCP: 3306
TCP: 3389
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Based on these scan results, which of the following services are NOT currently operating?

Web
Database
SSH
RDP

A

SSH (Secure Shell)

Explanation:
Based on the port numbers shown as open in the nmap scan results, SSH is not currently operating. SSH operates over TCP port 22, which is not in the list. Web servers use port 80 for HTTP and 443 for HTTPS. Database servers run on port 1433 (Microsoft SQL Server) or 3306 (MySQL). Remote Desktop Protocol runs on port 3389. Port 110 is POP3 mail retrieval, which is not one of the services asked about.

45
Q

Richard attempted to visit a website and received a DNS response from the DNS cache server pointing to the wrong IP address. Which of the following attacks has occurred?

DNS Brute Forcing
ARP Spoofing
DNS Poisoning
MAC Spoofing

A

DNS Poisoning

Explanation:
DNS poisoning (also known as DNS cache poisoning or DNS spoofing) is an attack that exploits weaknesses in the Domain Name System (DNS) protocol to insert forged records into a resolver’s cache, so that clients asking that resolver are redirected to attacker-controlled IP addresses. ARP spoofing and MAC spoofing operate at layer 2 on the local segment, and DNS brute forcing is enumeration of hostnames, not corruption of a cache.

46
Q

You are installing a new wireless network in your office building and want to ensure it is secure. Which of the following configurations would create the MOST secure wireless network?

WPA2 and AES
WPA and MAC Filtering
WEP and TKIP
WPA2 and RC4

A

WPA2 and AES (Wi-Fi Protected Access 2 and Advanced Encryption Standard)

Explanation:
Of the listed configurations, the most secure is WPA2 with AES (CCMP) encryption. WPA2 replaced both WPA and WEP; WPA uses the TKIP cipher, which is built on RC4 and is deprecated, and WEP is broken outright. AES is a strong block cipher and is the default in the WPA2 standard, so “WPA2 and RC4” is not a valid WPA2 configuration. MAC filtering adds little, since MAC addresses are sent in the clear and are easily spoofed.

47
Q

Your home network is configured with a long, strong, and complex pre-shared key for its WPA2 encryption. You noticed that your wireless network has been running slow, so you checked the list of “connected clients” and see that “Bob’s Laptop” is connected to it. Bob lives downstairs and is the maintenance man for your apartment building. You know that you never gave Bob your password, but somehow he has figured out how to connect to your wireless network. Which of the following actions should you take to prevent anyone from connecting to your wireless network without the WPA2 password?

Disable WPS
Enable WPA
Disable SSID Broadcast
Disable WPA2

A

Disable WPS (Wi-Fi Protected Setup)

Explanation:
Wi-Fi Protected Setup (WPS) lets a client join the network with an eight-digit PIN (or a button press) instead of the WPA2 pre-shared key, and the access point hands the real key to any client that presents the correct PIN. The PIN is verified in two halves, so an attacker needs at most about 11,000 guesses to recover it, after which the strength of your passphrase is irrelevant. Disabling WPS closes that path and forces every client to know the WPA2 password. Enabling WPA or disabling WPA2 would weaken the network, and disabling the SSID broadcast only stops the name from being advertised; the SSID is still visible in client traffic.

48
Q

Which of the following is the LEAST secure wireless security and encryption protocol?

AES
WPA
WPA2
WEP

A

WEP (Wired Equivalent Privacy)

Explanation:
Wired Equivalent Privacy (WEP) is the security protocol defined in the original IEEE 802.11 wireless LAN standard, designed to give a wireless local area network (WLAN) a level of security and privacy comparable to what is usually expected of a wired LAN. It is the oldest and weakest form of wireless security. Its short initialization vectors cause RC4 keystream reuse, so an attacker who captures enough traffic can recover the key in minutes with an ordinary laptop and freely available tools; no brute force of the key is required. AES is a cipher, not a wireless security protocol, and WPA and WPA2 both supersede WEP.

49
Q

Which of the following physical security controls would be the most effective in preventing an attacker from driving a vehicle through the glass doors at the front of the organization’s headquarters?

Mantraps
Security Guards
Bollards
Intrusion Alarm

A

Bollards

Explanation:
Bollards are a physical security control designed to prevent a vehicle-ramming attack. A bollard is typically a sturdy, short, vertical post anchored in the ground. Some organizations install more decorative bollards made of concrete that are large enough to plant flowers or trees in. Mantraps are designed to prevent individuals from tailgating into the building. Security guards and intrusion alarms could detect a vehicle attack as it occurs but would not physically prevent it.

50
Q

You work for Dion Training as a physical security manager. You are concerned that the physical security at the entrance to the company is not sufficient. To increase your security, you are determined to prevent piggybacking. What technique should you implement first?

Install CCTV to monitor the entrance.
Install a Mantrap at the entrance.
Require all employees to wear security badges when entering the building.
Install a RFID badge reader at the entrance.

A

Install a Mantrap at the entrance.

Explanation:
A mantrap is a device that only allows a single person to enter per authentication. The authentication can be done by RFID badge, PIN, or other methods. Once the person is verified, the mantrap lets a single person through, for example via a turnstile or rotating door. CCTV will not stop piggybacking, but it could be used as a detective control after an occurrence. Wearing security badges is useful, but it won’t stop piggybacking by a skilled social engineer. RFID badge readers may be part of your entry requirements, but they won’t stop a determined piggybacker who follows an employee in.

51
Q

The public library has had a recent issue with their laptops being stolen from their computer lab. Since this is a public library, it is not a high security area and is fully accessible by patrons during the day. What is the best way to prevent the theft of the laptops?

Motion Sensors
Mobile Device Management
Cable Locks
CCTV

A

Cable Locks

Explanation:
Cable locks are the best solution, as they physically secure the laptops to the desks in the computer lab and can prevent theft. CCTV is a deterrent or detective control, but it requires someone to monitor it to detect the theft. Mobile device management is focused on tablets and phones and, in any case, cannot stop a physical theft. Motion sensors are not useful during the library’s open hours, since authorized patrons are allowed into the lab during the day; if a laptop is stolen during the day, motion sensors will be useless to stop it.

52
Q

Which of the following is NOT considered part of the Internet of Things?

SCADA
ICS
Smart Television
Laptop

A

Laptop

Explanation:
Supervisory control and data acquisition (SCADA) systems, industrial control systems (ICS), internet-connected televisions, thermostats, and many other devices are examples of the Internet of Things (IoT). A laptop would be better classified as a computer or host than as part of the Internet of Things. The Internet of Things (IoT) is a system of interrelated computing devices, mechanical and digital machines provided with unique identifiers (UIDs) and the ability to transfer data over a network without requiring human-to-human or human-to-computer interaction.

53
Q

Syed is developing a vulnerability scanner program for a large network of sensors that are used to monitor his company’s transcontinental oil pipeline. What type of network is this?

SoC
CAN
SCADA
BAS

A

SCADA (Supervisory Control and Data Acquisition)

Explanation:
A SCADA (supervisory control and data acquisition) network is a type of industrial control system (ICS) network used to monitor sensors and control equipment spread over a large geographic area, such as a pipeline. A building automation system (BAS) for offices and data centers (“smart buildings”) can include physical access control systems, but also heating, ventilation, and air conditioning (HVAC), fire control, power and lighting, and elevators and escalators. A controller area network (CAN) is the bus used inside vehicles, and a system on a chip (SoC) is a single integrated circuit, not a network.

54
Q

An analyst is reviewing the logs from the network and notices that there have been multiple attempts from the open wireless network to access the networked HVAC control system. The open wireless network must remain openly available so that visitors are able to access the internet. How can this type of attack be prevented from occurring in the future?

Implement a VLAN to separate the HVAC control system from the open wireless Network.

Install an IDS to protect the HVAC system.

Enable NAC on the open wireless Network

Enable WPA2 Security on the open wireless Network.

A

Implement a VLAN to separate the HVAC control system from the open wireless Network.

Explanation:
A VLAN is useful to segment network traffic between different parts of the network, and combined with access control lists at the layer 3 boundary it can stop someone on the open wireless network from even reaching the HVAC controls to attempt a login. An IDS would only detect the attempts, and NAC or WPA2 on the guest network would conflict with the requirement that it stay open to visitors; neither separates the two networks.

55
Q

David noticed that port 3389 was open on one of the POS terminals in a store during a scheduled PCI compliance scan. Based on the scan results, what service should he expect to find enabled on this terminal?

MySQL
RDP
LDAP
IMAP

A

RDP (Remote Desktop Protocol)

Explanation:
Port 3389 is the default port for the Remote Desktop Protocol (RDP). If this port isn’t supposed to be open on a POS terminal, an incident response plan should be the next step, since RDP can be used for remote access by an attacker. MySQL runs on port 3306. LDAP runs on port 389 (636 for LDAPS). IMAP runs on port 143 (993 for IMAP over SSL/TLS).

56
Q

Which of the following authentication protocols was developed by Cisco to provide authentication, authorization, and accounting services?

RADIUS
CHAP
TACACS+
Kerberos

A

TACACS+ (Terminal Access Controller Access Control System Plus)

Explanation:
TACACS+ is an extension of TACACS (Terminal Access Controller Access Control System) and was developed as a proprietary protocol by Cisco; it runs over TCP port 49, encrypts the entire packet body, and separates authentication, authorization, and accounting, which makes it the usual choice for administering network devices. The Remote Authentication Dial-In User Service (RADIUS) is an open standard that operates over UDP ports 1812 (authentication) and 1813 (accounting) and provides centralized Authentication, Authorization, and Accounting management for users who connect and use a network service, but it was not developed by Cisco. CHAP is a challenge-response authentication method, and Kerberos is MIT’s ticket-based authentication protocol.

57
Q

What access control model will a network switch utilize if it requires multilayer switches to use authentication via RADIUS/TACACS+?

802.1q
802.3af
802.11ac
802.1x

A

802.1x

Explanation:
If you are using RADIUS/TACACS+ to authenticate devices connecting to the switch’s ports, the switch uses IEEE 802.1X, the port-based network access control standard. The switch acts as the authenticator, relaying EAP messages between the connecting device (the supplicant) and the authentication server (usually RADIUS), and the port stays blocked until authentication succeeds. The other options are unrelated: 802.1Q is VLAN tagging, 802.3af is Power over Ethernet, and 802.11ac is a Wi-Fi standard.

58
Q

Which of the following access control methods utilizes a set of organizational roles in which users are assigned to gain permissions and access rights?

MAC
RBAC
DAC
ABAC

A

RBAC (Role-based Access Control)

Explanation:
Role-based access control (RBAC) is a modification of DAC that provides a set of organizational roles that users may be assigned in order to gain access rights. The system is non-discretionary since the individual users cannot modify the ACL of a resource. Users gain their access rights implicitly based on the groups to which they are assigned as members.

59
Q

Julie was just hired to conduct a security assessment of Dion Training’s security policies. During her assessment, she noticed that there were many group accounts being shared by users to conduct their work roles. Julie recommended that the group accounts be eliminated and instead have an account created for each user. What improvement will this recommended action provide for the company?

More routine auditing.
Increase Password Security
Increase individual accountability.
More efficient baseline management.

A

Increase individual accountability.

Explanation:
To adequately provide accountability, the use of shared or group accounts should be disabled. This allows you to log and track individual user actions based on their individual user accounts. This enables the organization to hold users accountable for their actions, too.

60
Q

Marta’s organization is concerned that a user’s account could remain exposed for an extended period of time if the password were compromised. Which of the following controls should be configured as part of their password policy to minimize this vulnerability?

Minimum password length.
Password History
Password Expiration
Password Complexity

A

Password Expiration

Explanation:
A password expiration control in the policy forces users to change their password at a fixed interval. A compromised password is therefore only useful to the attacker until the next forced change, which limits how long the account stays exposed. While the other options are good components of password security that make a compromise less likely in the first place, they do not address the vulnerability described in this scenario, which is based on time.

61
Q

After completing an assessment, you create a chart listing the associated risks based on the vulnerabilities identified with your organization’s privacy policy. The chart contains listings such as high, medium, and low. It also utilizes red, yellow, and green colors based on the likelihood and impact of a given incident. Which of the following types of assessments did you just complete?

Quantitative Risk Assessment
Privacy Assessment
Supply Chain Assessment
Qualitative Risk Assessment

A

Qualitative Risk Assessment

Explanation:
This describes a qualitative risk assessment since it categorizes things based on the likelihood and impact of a given incident using non-numerical terms, such as high, medium, and low. If the risk assessment provided exact numbers or percentages of risk, then it would be a quantitative risk assessment.

62
Q

Jamie’s organization is attempting to budget for the next fiscal year. Jamie has calculated that the asset value of the data is $120,000. Based on her analysis, she believes that a data breach will occur once every four years with a risk factor of 30%. What is the ALE for a data breach within Jamie’s organization?

$9,000
$36,000
$90,000
$360,000

A

$9,000

Explanation:
The single loss expectancy (SLE) is the asset value (AV) multiplied by the risk factor, also called the exposure factor (EF): the share of the asset’s value lost in a single occurrence. Here, SLE = $120,000 × 0.30 = $36,000. The annual loss expectancy (ALE) is the total cost of a risk to an organization on an annual basis, determined by multiplying the SLE by the annualized rate of occurrence (ARO). One breach every four years is an ARO of 0.25, so ALE = $36,000 × 0.25 = $9,000. The $36,000 option is the SLE, not the ALE.

63
Q

Dion Training is concerned with the possibility of a data breach causing a financial loss to the company. After performing a risk analysis, the COO decides to purchase data breach insurance to protect the company in the event of an incident. Which of the following best describes the company’s risk response?

Avoidance
Transference
Acceptance
Mitigation

A

Transference

Explanation:
Transference (or sharing) means assigning risk to a third party (such as an insurance company or a contract with a supplier that defines liabilities). Avoidance means that the company stops doing the activity that is risk-bearing. Risk mitigation is the overall process of reducing exposure to or the effects of risk factors, such as by patching a vulnerable system. Acceptance means that no countermeasures are put in place either because the level of risk does not justify the cost or because there will be an unavoidable delay before the countermeasures are deployed.

64
Q

Which of the following command-line tools would you use to identify open ports and services on a host along with the version of the application that is associated with them?

PING
NMAP
NETSTAT
Wireshark

A

NMAP

Explanation:
Nmap sends specially crafted packets to the target host(s) and then analyzes the responses to determine the open ports and services running on those hosts. In addition, nmap can determine the versions of the applications being used on those ports and services. Nmap is a command-line tool for use on Linux, Windows, and macOS systems.

65
Q

A cybersecurity analyst in your company notices that an attacker is trying to crack the WPS pin associated with a wireless printer. The device logs show that the attacker tried 00000000, 00000001, 00000002, and continued to increment by 1 number each time until they found the correct PIN of 13252342. Which of the following type of password cracking was being performed by the attacker?

Rainbow Table
Dictionary
Hybrid
Brute-Force

A

Brute-Force

Explanation:
A brute-force attack is one in which the attacker systematically tries candidate values against the target and checks the response until one succeeds. Success depends on the size of the keyspace: a larger keyspace takes more time to search but gives a better probability of success. In a traditional brute-force attack, the passcode or password is incremented by one letter or number each time until the right one is found, which is exactly the 00000000, 00000001, 00000002 sequence in the logs. A dictionary attack would try a wordlist, a hybrid attack would mutate wordlist entries, and a rainbow table requires captured hashes; none of these apply to guessing a PIN online.
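
As an added example (not part of the original flashcards), the following Python simulation covers both this question and question 47: it implements the WPS PIN checksum, quantifies the naive 00000000, 00000001, ... search against what the PIN structure actually allows, and replays the publicly documented WPS design weakness in which the registrar confirms the first four digits separately from the rest. The registrar here is a simulation, not a real WPS implementation; the PIN 13252342 from the question happens to pass the checksum.

```python
def wps_checksum(first_seven: int) -> int:
    """Checksum digit that closes a WPS PIN: 7 free digits plus 1 check digit."""
    accum = 0
    pin = first_seven
    while pin:
        accum += 3 * (pin % 10)
        pin //= 10
        accum += pin % 10
        pin //= 10
    return (10 - accum % 10) % 10


def is_valid_pin(pin: int) -> bool:
    """True when the last digit is the checksum of the first seven."""
    return 0 <= pin <= 99_999_999 and wps_checksum(pin // 10) == pin % 10


def keyspace_sizes() -> dict:
    """Worst-case number of guesses for each strategy."""
    return {
        "naive (all 8 digits)": 10 ** 8,
        "checksum-aware (7 free digits)": 10 ** 7,
        "split halves (4 + 3 free digits)": 10 ** 4 + 10 ** 3,
    }


class SimulatedRegistrar:
    """Stand-in for the access point's WPS registrar (a simulation, not a real
    protocol implementation). It reproduces the documented design weakness: the
    first four digits are confirmed or rejected before the second half is even
    examined, so the attacker learns which half was wrong."""

    def __init__(self, secret_pin: int):
        self.secret = f"{secret_pin:08d}"
        self.attempts = 0

    def try_pin(self, pin: str) -> str:
        self.attempts += 1
        if pin[:4] != self.secret[:4]:
            return "nack-first-half"
        if pin[4:] != self.secret[4:]:
            return "nack-second-half"
        return "ok"


def split_attack(registrar: SimulatedRegistrar) -> str:
    """Recover the PIN in at most 10,000 + 1,000 attempts."""
    # Phase 1: fix the first half; the second half is irrelevant to this reply.
    for first in range(10_000):
        if registrar.try_pin(f"{first:04d}0000") != "nack-first-half":
            break
    else:
        raise RuntimeError("first half not found")
    # Phase 2: only 3 digits are free, the 8th is fixed by the checksum.
    for mid in range(1_000):
        seven = first * 1_000 + mid
        pin = f"{seven:07d}{wps_checksum(seven)}"
        if registrar.try_pin(pin) == "ok":
            return pin
    raise RuntimeError("second half not found")


if __name__ == "__main__":
    ap = SimulatedRegistrar(13252342)   # the PIN from the question
    print("recovered", split_attack(ap), "after", ap.attempts, "attempts")
    for strategy, size in keyspace_sizes().items():
        print(f"{strategy}: {size:,} guesses worst case")
```

Against the PIN in the question the split attack finishes in 1,561 attempts instead of up to 100,000,000, which is why rate limiting the PIN exchange is not enough and the answer to question 47 is to disable WPS entirely.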

66
Q

Nick is participating in a security exercise as part of the network defense team for his organization. Which team is Nick playing on?

Red Team
White Team
Blue Team
Yellow Team

A

Blue Team

Explanation:
Penetration testing can form the basis of functional exercises. One of the best-established means of testing a security system for weaknesses is to play “war game” exercises in which the security personnel split into teams: red, blue, and white. The red team acts as the adversary. The blue team acts as the defenders. The white team acts as the referees and sets the parameters for the exercise. The yellow team is responsible for building tools and architectures in which the exercise will be performed.

67
Q

Which of the following protocols is commonly used to collect information about CPU utilization and memory usage from network devices?

NetFlow
SMTP
MIB
SNMP

A

SNMP (Simple Network Management Protocol)

Explanation:
Simple Network Management Protocol (SNMP) is commonly used to gather information from routers, switches, and other network devices. It provides information about a device’s status, including CPU and memory utilization, as well as many other useful details about the device. NetFlow provides information about network traffic. A management information base (MIB) is a database used for managing the entities in a communication network. The Simple Mail Transfer Protocol (SMTP) is a communication protocol for electronic mail transmission.

68
Q

Which security tool is used to facilitate incident response, threat hunting, and security configuration by orchestrating automated runbooks and delivering data enrichment?

SIEM
SOAR
MDM
DLP

A

SOAR (Security Orchestration, Automation, and Response)

Explanation:
A security orchestration, automation, and response (SOAR) platform is used to facilitate incident response, threat hunting, and security configuration by orchestrating automated runbooks and delivering data enrichment. A SOAR may be implemented as a standalone technology or integrated within a SIEM as a next-gen SIEM. A SOAR can scan the organization’s store of security and threat intelligence, analyze it using machine/deep learning techniques, and then use that data to automate and provide data enrichment for the workflows that drive incident response and threat hunting.

69
Q

You are conducting an intensive vulnerability scan to detect which ports might be open to exploitation. During the scan, one of the network services becomes disabled and causes an impact on the production server. Which of the following sources of information would provide you with the most relevant information for you to use in determining which network service was interrupted and why?

Syslog
Network Mapping
Firewall Logs
NIDS

A

Syslog

Explanation:
The syslog server is a centralized log management solution. By looking through the logs on the syslog server, the technician could determine which service failed on which server, since all the logs are retained on the syslog server from all of the network devices and servers.

70
Q

Which of the following cryptographic algorithms is classified as asymmetric?

ECC
RC4
Twofish
DES

A

ECC (Elliptic-Curve Cryptography)

Explanation:
Elliptic-curve cryptography (ECC) is an approach to public-key cryptography based on the algebraic structure of elliptic curves over finite fields. As a public-key cryptosystem, it relies on an asymmetric algorithm. Twofish, RC4, and DES are all symmetric algorithms.

71
Q

Frank and John have started a secret club together. They want to ensure that when they send messages to each other, they are truly unbreakable. What encryption key would provide the STRONGEST and MOST secure encryption?

DES with a 56-bit Key
AES with a 256-bit Key
ECC with a 256-bit Key
Randomized One-Time use Pad

A

Randomized One-Time use Pad

Explanation:
The only truly unbreakable encryption is a one-time pad: a truly random key at least as long as the message, used exactly once and then destroyed. Because every message is encrypted with a different key that only the two holders of the pad know, there is no pattern in the key for an attacker to guess or find. Even if one of the messages were broken, all of the other messages would remain secure since they use different keys. Unfortunately, one-time pads require that two identical copies of the pad be produced and distributed securely before they can be used, and reusing any part of the pad destroys the guarantee. DES with a 56-bit key is breakable by brute force today, and AES-256 and ECC-256 are computationally secure but not unconditionally so.

72
Q

A company has recently experienced a data breach and has lost nearly 1 GB of personally identifiable information about its customers. You have been assigned as part of the incident response team to identify how the data was leaked from the network. Your team has conducted an extensive investigation, and so far, the only evidence of a large amount of data leaving the network is from the email server. There is one user that has sent numerous large attachments out of the network to their personal email address. Upon closer inspection, those emails only contain pictures of that user’s recent trip to Australia. What is the most likely explanation for how the data left the network?

Steganography was used to hide the leaked data inside the user’s photos.

The files were downloaded from home while connected to the corporate VPN.

The data was hashed and then emailed to their personal email account.

The data was encrypted and emailed it to their spouse’s email account.

A

Steganography was used to hide the leaked data inside the user’s photos.

Explanation:
The most likely explanation is that the user utilized steganography to hide the leaked data inside the photos from their trip. Steganography is the process of hiding one message inside another. By hiding the customer’s information within the digital photos, the incident response team would not be able to see the data being hidden without knowing to look for it inside the seemingly benign pictures from the trip.
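
The hiding technique the explanation describes, as an added Python example that is not part of the original flashcards: least-significant-bit steganography over a constructed buffer standing in for an image’s raw pixel values, with the matching extractor. The cover data and the embedded record are both made up for the example.

```python
import struct


def embed_lsb(cover: bytes, payload: bytes) -> bytes:
    """Write payload bits into the least significant bit of successive cover bytes.
    A 4-byte big-endian length header goes first so the extractor knows where to stop."""
    data = struct.pack(">I", len(payload)) + payload
    if len(data) * 8 > len(cover):
        raise ValueError(f"cover holds at most {len(cover) // 8 - 4} payload bytes")
    out = bytearray(cover)
    pos = 0
    for byte in data:
        for shift in range(7, -1, -1):
            out[pos] = (out[pos] & 0xFE) | ((byte >> shift) & 1)
            pos += 1
    return bytes(out)


def _read_lsb_bytes(stego: bytes, start_bit: int, count: int) -> bytes:
    out = bytearray()
    for i in range(count):
        value = 0
        for j in range(8):
            value = (value << 1) | (stego[start_bit + i * 8 + j] & 1)
        out.append(value)
    return bytes(out)


def extract_lsb(stego: bytes) -> bytes:
    """Read the length header, then that many payload bytes, from the LSBs."""
    (length,) = struct.unpack(">I", _read_lsb_bytes(stego, 0, 4))
    if 32 + length * 8 > len(stego):
        raise ValueError("no plausible payload header in this data")
    return _read_lsb_bytes(stego, 32, length)


def max_byte_change(cover: bytes, stego: bytes) -> int:
    """Largest per-byte difference; 1 means the change is invisible to the eye."""
    return max(abs(a - b) for a, b in zip(cover, stego))


# Constructed stand-in for an image's raw 8-bit pixel values (a smooth ramp).
COVER_PIXELS = bytes((i * 37 + 11) % 256 for i in range(4096))
# Constructed sample of the kind of record a DLP tool would normally flag.
SECRET = b"name,ssn\nA. Example,123-45-6789\n"

if __name__ == "__main__":
    stego = embed_lsb(COVER_PIXELS, SECRET)
    print("size unchanged:", len(stego) == len(COVER_PIXELS))
    print("max pixel change:", max_byte_change(COVER_PIXELS, stego))
    print("recovered:", extract_lsb(stego))
```

The stego image is the same size as the original and no pixel moves by more than one level, so size limits, file-type checks, and a human looking at the photo all pass; the sensitive record only appears after extraction. That is why the incident response team in the question found nothing but holiday pictures.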

73
Q

Keith wants to validate the application file that he downloaded from the vendor of the application. Which of the following should he compare against the file to verify the integrity of the downloaded application?

File size and file creation date.
MD5 or SHA1 hash digest of the file.
Private Key of the file.
Public Key of the file.

A

MD5 or SHA1 hash digest of the file.

Explanation:
My Take: Per Dion Training, he said if the Question mentions Integrity with regards to Hashing - it is referring to MD5 or SHA1.

Keith should compute a hash of the downloaded file and compare it against the hash digest the vendor publishes for that file. If the two digests match, the file was not modified in transit during the download. The other options are insufficient to guarantee the integrity of the downloaded file, since integrity checking relies on the comparison of the two hash digests: a file size and creation date are trivially forged, and public or private keys are not properties of a file. In practice, MD5 and SHA-1 are no longer collision resistant, so a SHA-256 digest, or better a digital signature over the file, is preferred when the vendor offers one; a digest published on the same server as the file only proves that the download matches what the server holds, not that the server itself was not compromised.

74
Q

Which of the following hashing algorithms results in a 160-bit fixed output?

MD-5
SHA-1
NTLM
SHA-2

A

SHA-1

Explanation:
SHA-1 creates a 160-bit fixed output.
SHA-2 is a family; its common members create 224-, 256-, 384-, or 512-bit outputs (SHA-256 creates 256 bits).
NTLM (the NT hash, based on MD4) creates a 128-bit fixed output.
MD5 creates a 128-bit fixed output.

75
Q

In an effort to increase the security of their passwords, Dion Training has added a salt and cryptographic hash to their passwords prior to storing them. To further increase security, they run this process many times before storing the passwords. What is this technique called?

Key Stretching
Rainbow Table
Salting
Collision Resistance

A

Key Stretching

Explanation:
In cryptography, key stretching techniques are used to make a possibly weak key, typically a password or passphrase, more secure against a brute-force attack by increasing the resources it takes to test each possible key. Repeatedly hashing the salted password, as the question describes, is one such technique; standardized forms are PBKDF2, bcrypt, scrypt, and Argon2, which make the iteration count (and, for the last three, the memory cost) a tunable parameter. Salting alone defeats precomputed rainbow tables but does not slow down each guess, and collision resistance is a property of a hash function, not a technique.
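
The technique the answer describes, as an added Python example that is not from the original flashcards: a literal salt-and-rehash loop beside the standardized PBKDF2-HMAC form from the standard library, with a verifier that replays the stored salt and round count. The round count is an assumption to be tuned per deployment.

```python
from __future__ import annotations

import hashlib
import hmac
import os
import time

# Work factor (assumed value). Tune it so a legitimate login costs a noticeable
# fraction of a second; current guidance for PBKDF2-HMAC-SHA256 is in the
# hundreds of thousands of rounds.
DEFAULT_ROUNDS = 200_000


def stretch_by_hand(password: str, salt: bytes, rounds: int) -> bytes:
    """Literal form of what the question describes: salt the password, hash it,
    and feed the result back through the hash many times. Illustrative only;
    use a standardized KDF such as PBKDF2 in practice."""
    state = salt + password.encode("utf-8")
    for _ in range(rounds):
        state = hashlib.sha256(salt + state).digest()
    return state


def hash_password(password: str, rounds: int = DEFAULT_ROUNDS) -> str:
    """PBKDF2-HMAC-SHA256 with a random 16-byte salt. The salt and round count are
    stored alongside the hash so verification can replay exactly the same work."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return f"pbkdf2_sha256${rounds}${salt.hex()}${dk.hex()}"


def verify_password(stored: str, candidate: str) -> bool:
    """Recompute with the stored salt and rounds; compare in constant time."""
    algo, rounds, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError(f"unsupported hash format: {algo}")
    dk = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode("utf-8"), bytes.fromhex(salt_hex), int(rounds)
    )
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


def guesses_per_second(rounds: int, samples: int = 10) -> float:
    """Rough single-core throughput an attacker gets against this work factor."""
    salt = b"benchmark-only-salt"
    start = time.perf_counter()
    for i in range(samples):
        hashlib.pbkdf2_hmac("sha256", f"guess{i}".encode(), salt, rounds)
    return samples / (time.perf_counter() - start)


if __name__ == "__main__":
    stored = hash_password("correct horse battery staple")
    print(stored)
    print("verify good:", verify_password(stored, "correct horse battery staple"))
    print("verify bad: ", verify_password(stored, "correct horse battery stapler"))
    for rounds in (1, DEFAULT_ROUNDS):
        print(f"{rounds:>7} rounds: ~{guesses_per_second(rounds):,.0f} guesses/s")
```

Running the benchmark shows the point of the technique: the attacker’s guess rate drops by roughly the round count, while the per-user salt means each stolen hash has to be attacked separately.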

76
Q

Assuming that Dion Training trusts Thor Teaches, and Thor Teaches trusts Udemy, then we can assume Dion Training also trusts Udemy. What concept of PKI does the previous statement represent?

Domain Level Trust
Certificate Authority Trust
Public Key Trust
Transitive Trust

A

Transitive Trust

Explanation:
Transitive trust occurs when X trusts Y, and Y trusts Z, therefore X trusts Z. This is because the trust flows from the first party (Dion Training) through the second party (Thor Teaches) to the third party (Udemy).

77
Q

You just received an email from Bob, your investment banker, stating that he completed the wire transfer of $10,000 to your bank account in Vietnam. The problem is, you do not have a bank account in Vietnam, so you immediately call Bob to ask what happened. Bob explains that he received an email from you requesting the transfer. You insist you never sent that email to Bob initiating this wire transfer. What aspect of PKI could be used to BEST ensure that a sender actually sent a particular email message and avoid this type of situation?

CRL
Trust Models
Recovery Agents
Non-Repudiation

A

Non-Repudiation

Explanation:
Non-repudiation occurs when a sender cannot deny having sent an email that they did send. A digital signature should be attached to each email sent to achieve non-repudiation. This digital signature is created by computing a hash of the email's contents and then encrypting that hash using the sender's private key. The receiver can then decrypt the hash using the sender's public key and compare it against their own hash of the message to verify its integrity and origin.

78
Q

The digital certificate on the Dion Training web server is about to expire. Which of the following should Jason submit to the CA in order to renew the server’s certificate?

OCSP
CSR
Key Escrow
CRL

A

CSR (Certificate Signing Request)

Explanation:
A CSR (certificate signing request) is what is submitted to the CA (certificate authority) to request a digital certificate. Key escrow stores keys, a CRL is a list of revoked certificates, and OCSP provides the status of a certificate, such as good, revoked, or unknown.

79
Q

$ tcpdump -n -i eth0
15:01:35.170763 IP 10.0.19.121.52497 > 11.154.12.121.ssh: P 105:157(52) ack 18060 win 16549
15:01:35.170776 IP 11.154.12.121.ssh > 10.0.19.121.52497: P 23988:24136(148) ack 157 win 113

Which of the following statements is true based on this output?

10.0.19.121 is under attack from host at 11.154.12.121
10.0.19.121 is a client that is accessing an SSH server over port 52497.
11.154.12.121 is under attack from a host at 10.0.19.121.
11.154.12.121 is a client that is accessing an SSH server over port 52497.

A

10.0.19.121 is a client that is accessing an SSH server over port 52497.

Explanation:
This output from the tcpdump command is displaying three packets in a larger sequence of events. Based solely on these three packets, we can only be certain that the server (11.154.12.121) is running an SSH server over port 22. This is based on the first line of the output. The second and third lines are the server responding to the request and sending data back to the client (10.0.19.121) over port 52497. There is no evidence of an attack against either the server or the client in this output, since we can only see the headers and not the content being sent between the client and server.

80
Q

Which of the protocols listed is NOT likely to be a trigger for a vulnerability scan alert when it is used to support a virtual private network (VPN)?

IPSec
SSLv2
PPTP
SSLv3

A

IPSec

Explanation:
IPSec is the most secure protocol of those listed for use with VPNs. The use of PPTP and SSL (SSLv2 and SSLv3) is discouraged for VPN security. Because of this, the use of PPTP or SSL for a VPN will likely be flagged during a vulnerability scan as an issue to be remediated.

81
Q

Your company just installed a new webserver within your DMZ. You have been asked to open up the port for secure web browsing on the firewall. Which port should you set as open to allow users to access this new server?

21
80
143
443

A

443

Explanation:
Port 443 is used for HTTPS traffic, so this port must be opened. HTTPS is secure web browsing over SSL or TLS. Port 21 is used for the File Transfer Protocol (FTP). Port 80 is used for unsecured web browsing (HTTP). Port 143 is used for the Internet Message Access Protocol (IMAP).

82
Q

You are configuring a RAID drive for a Media Streaming Server. Your primary concern is speed of delivery of the data. This server has two hard disks installed.

What type of RAID should you install, and what type of data will be stored on Disk 1 and Disk 2?

RAID 0 - Disk 1 (Stripe) and Disk 2 (Stripe)
RAID 0 - Disk 1 (Mirror) and Disk 2 (Mirror)
RAID 1 - Disk 1 (Stripe) and Disk 2 (Stripe)
RAID 1 - Disk 1 (Mirror) and Disk 2 (Mirror)

A

RAID 0 - Disk 1 (Stripe) and Disk 2 (Stripe)

Explanation:
Since this is a Media Streaming Server, you should implement RAID 0, which provides disk striping across both drives. This will increase the speed of data delivery but provides no redundancy. If you were concerned with redundancy, then you should choose RAID 1, which mirrors the data on both hard disks. You cannot use RAID 5, since it requires a minimum of 3 disk drives and stripes the data with parity across the hard disks. You also cannot use RAID 6, since it requires at least 4 hard disks with dual parity and disk striping.

83
Q

Dion Training has performed an assessment as part of their disaster recovery planning. The assessment found that the organization’s RAID takes, on average, about 8 hours to repair when two drives within the RAID fail. Which of the following metrics would best represent this time period?

RTO
RPO
MTTR
MTBF

A

MTTR (Mean Time To Repair)

Explanation:
Mean time to repair (MTTR) is a basic measure of the maintainability of repairable items. It represents the average time required to repair a failed component or device.

84
Q

Karen lives in an area that is prone to hurricanes and other extreme weather conditions. She asks you to recommend an electrical conditioning device that will prevent her files from being corrupted if the power to the building is unstable or lost. Additionally, she would like the computer to maintain power for up to an hour of uptime to allow for a graceful shutdown of her programs and computer. Which of the following should you recommend?

Surge Protector
Power Distribution Unit
Uninterruptible Power Supply
Line Conditioner

A

Uninterruptible Power Supply (UPS)

Explanation:
An uninterruptible power supply or uninterruptible power source (UPS) is an electrical apparatus that provides emergency power to a load when the input power source becomes too low, or the main power fails. A UPS provides near-instantaneous protection from input power interruptions by using a battery backup. The on-battery run-time of most uninterruptible power sources is usually short (less than 60 minutes) but sufficient to properly shut down a computer system.

85
Q

Which attack method is MOST likely to be used by a malicious employee or insider who is trying to obtain another user’s passwords?

Man-in-the-Middle
Shoulder Surfing
Tailgating
Phishing

A

Shoulder Surfing

Explanation:
While all of the methods listed could be used by a malicious employee or insider to obtain another user’s passwords, shoulder surfing is the MOST likely to be used. Shoulder surfing is a type of social engineering technique used to obtain information such as personal identification numbers (PINs), passwords, and other confidential data by looking over the victim’s shoulder. Since a malicious employee or insider can work in close proximity to their victims (other users), they could easily use this technique to collect the passwords of the victimized users.

86
Q

Which type of threat actor can accidentally or inadvertently cause a security incident in your organization?

Insider Threat
Hacktivist
Organized Crime
APT

A

Insider Threat

Explanation:
An insider threat is a type of threat actor who has been assigned privileges on the system and causes an intentional or unintentional incident. Insider threats can be used as unwitting pawns of external organizations or may make crucial mistakes that open up exploitable security vulnerabilities.

87
Q

Several users have contacted the help desk to report that they received an email from a well-known bank stating that their accounts have been compromised and they need to “click here” to reset their banking password. Some of these users are not even customers of this particular bank, though. Which of the following best describes this type of attack?

Phishing
Spear Phishing
Whaling
Brute Force

A

Phishing

Explanation:
This is an example of a phishing attack. Phishing is the fraudulent practice of sending emails while pretending to be from a reputable company in order to trick users into revealing personal information, such as passwords and credit card numbers. This email appears to be untargeted since it was sent to both customers and non-customers of this particular bank, so it is best classified as phishing. Spear phishing requires the attack to be more targeted and less widespread.

88
Q

Which of the following is a senior role with the ultimate responsibility for maintaining confidentiality, integrity, and availability in a system?

Data Custodian
Data Steward
Data Owner
Privacy Officer

A

Data Owner

Explanation:
A data owner is a person responsible for the confidentiality, integrity, availability, and privacy of information assets. They are usually senior executives and somebody with authority and responsibility. A data owner is responsible for labeling the asset and ensuring that it is protected with appropriate controls. The data owner typically selects the data steward and data custodian and has the authority to direct their actions, budgets, and resource allocations.

89
Q

Your company is setting up a system to accept credit cards in their retail and online locations. Which of the following compliance types should you be MOST concerned with when dealing with credit cards?

PHI
PCI-DSS
GDPR
PII

A

PCI-DSS (Payment Card Industry Data Security Standard)

Explanation:
The Payment Card Industry Data Security Standard (PCI DSS) applies to companies of any size that accept credit card payments. If your company intends to accept card payment and store, process, and transmit cardholder data, you need to host your data securely and follow PCI compliance requirements.

90
Q

Your company is expanding its operations in the European Union and is concerned about additional governmental regulations that may apply. Which of the following regulations applies when processing personal data within the European Union?

PHI
PCI
GDPR
PII

A

GDPR (General Data Protection Regulation)

Explanation:
GDPR (General Data Protection Regulation) is a regulation that applies to companies that do business in the European Union. The four forms of regulated data covered by the CompTIA A+ (220-1002) exam are PII (Personally Identifiable Information), PCI (Payment Card Industry), GDPR (General Data Protection Regulation), and PHI (Protected Health Information).

91
Q

During which incident response phase is the preservation of evidence performed?

Preparation
Detection and Analysis
Containment, Eradication, and Recovery
Post-incident Activity

A

Containment, Eradication, and Recovery

Explanation:
A cybersecurity analyst must preserve evidence during the containment, eradication, and recovery phase. They must preserve forensic and incident information for future needs, to prevent future attacks, or to bring criminal charges against an attacker. Restoration and recovery are often prioritized over analysis by business operations personnel, but taking the time to create a forensic image is crucial to preserve the evidence for further analysis and investigation.

92
Q

You are the first forensic analyst to arrive on the scene of a data breach. You have been asked to begin evidence collection on the server while waiting for the rest of your team to arrive. Which of the following evidence should you capture first?

Image the server’s SSD
L3 Cache
Backup Tapes
ARP Cache

A

L3 Cache

Explanation:
When collecting evidence, you should always follow the order of volatility. This will allow you to collect the most volatile evidence (most likely to change) first and the least volatile (least likely to change) last. You should always begin the collection with the CPU registers and cache memory (L1/L2/L3/GPU). Next come the contents of system memory (RAM), including the routing table, ARP cache, process tables, kernel statistics, and temporary file systems/swap space/virtual memory. Only then would you move on to the collection of data storage devices like hard drives, SSDs, and flash memory devices.

93
Q

Which of the following is required for evidence to be admissible in a court of law?

Order of Volatility
Legal Hold
Chain of Custody
Right to Audit

A

Chain of Custody

Explanation:
The chain of custody is used to document the collection and preservation of evidence from its initial acquisition, throughout the handling leading up to a trial, and during its preservation in case of an appeal or retrial.