Mock Exam1

Question 1

You are the Chief Information Security Officer (CISO), and have been invited to meet with the board of directors at their monthly meeting. In that meeting, the CEO states that someone called Joe Hopkins from the help desk has been calling him and some of the board members to help reset their passwords as the old passwords were too insecure. The financial director found this very strange as this Joe Hopkins is not on the payroll. Which of the following is the BEST answer for what has been discovered?

Answer 1

A. Social engineering.
B. Spear phishing.
C. Vishing attack.
D. Password cracking.
E. Phishing.
F. Replay.

A Social engineering.

Concept: This is a social engineering impersonation attack where Joe pretends to be from the help desk. The financial director confirms this.

Question 2

You are the cybersecurity administrator for a large company that has offices in Stuttgart. The SIEM system alerts you that files are being deleted on file server FS001. The cyber administrator cannot find any remote connection to the file server. He then quarantines the file server from the network. The deletion of the files is still in progress. The forensics team discovers that a script was placed there by Dave Lloyd, who had left the company exactly four weeks ago. Which of the following BEST describes the actions of Dave Lloyd?

Answer 2

a. Dave Lloyd installed a RAT into the file server and is actively removing files.
b. Dave Lloyd placed a logic bomb on the file server to delete the files once he had gone so that he was not a suspect.
c. Dave Lloyd installed ransomware to encrypt the customers’ critical files.
d. Dave Lloyd connected through a VPN connection and remotely deleted files.

B

David Lloyd left exactly 4 weeks ago and logic bombs work on a trigger; here, it was the time of 4 weeks.

Question 3

Following an annual penetration test, the chief information security officer notices in the final report that all of the company’s domain controllers are vulnerable to a pass‐the‐hash attack. Which of the following actions should the company take to mitigate the risk (choose TWO)?

Answer 3

a. Enable CHAP.
b. Disable CHAP.
c. Disable NTLM.
d. Disable MD5.
e. Enable Kerberos.
f. Disable PAP.

c, e

A pass‐the‐hash attack needs NTLM authentication, therefore, if you disable it or use Kerberos authentication, both will prevent the attack.

Question 4

The new interns in the IT team are having a heated discussion on the differences between cross-site scripting and cross-site reverse forgery vulnerabilities. They have four different scenarios and want you as the chief information security officer to provide a solution. Which of the following will you select?

Answer 4

a. Cross-site reverse forgery does not need the victim to be authenticated by a domain controller.
b. Cross-site scripting needs the attacker to be authenticated by the domain controller.
c. Cross-site scripting does not need the victim to be authenticated by the trusted server.
d. Cross-site reverse forgery needs the victim to be authenticated by the trusted server.

c.

Cross-Site Scripting (XSS) normally can be identified by using HTML tags and JavaScript. The target of the attack does not need any type of authentication. Cross site reverse forgery (XSRF or CSRF) needs the victim to be authenticated to the web server not the trusted server.

Question 5

A well‐known hacker called Mark Birch has been detained by the local police. When they searched his home, they found various pieces of information about your company on a large whiteboard. The information has been obtained from a social media website, such as Facebook and LinkedIn. It has details about the company’s hierarchy, the executives, administrators, and help-desk staff. Which of the following BEST describes the type of attack he has carried out?

Answer 5

a. White-box testing.
b. Passive reconnaissance.
c. Black-box testing.
d. Initial exploitation.
e. Gray-box testing.
g. Intrusive scanning.

b

Passive reconnaissance is where information is gathered about the company, but no real action has been taken.

Question 6

You are a cybersecurity analyst working for the local police department because of an increase in crime being carried out by the vulnerabilities of IoT devices. You are running a one‐hour session to advise homeowners due to vulnerabilities:

• The attack vector of MFD used at home
• Control of passwords with IoT devices
• How to ensure that no attacks can be carried out through IoT devices

Which of the following BEST meets with the preceding objectives (choose THREE)?

Answer 6

a. Prevent IoT devices connecting directly to the internet.
b. Ensure that you have faster bandwidth to enable the smooth running of IoT devices.
c. MFD devices are attacked via their spooler.
d. MFD devices are attacked via their network interface.
e. Change the default username and password one day after device activation, as it takes that long to be established.
f. Change the default username and password immediately.

a, d, f

Most IoT devices are used at home, however, the home user is not aware of any vulnerabilities. If we prevent them from connecting directly to the internet, change the default setting including the password, will make it safer as these passwords are freely available on the internet. You must not assume all IoT have printing capabilities as it uses the phrase printers and MFD devices. They connect to the internet via their network interface whether it is wireless or cabled.

Question 7

You are the chief information security officer for a large multinational corporation that has offices in Hong Kong, London, Paris, and New York. The New York office has 100 employees, The Hong Kong office has five employees, Paris has four employees, and London has the most, with 10,000 employees. You have purchased a small company based in Alaska that has four people. They have been using weak passwords. Which of the following is a compensating control that was adopted to BEST mitigate the risk of using weak passwords?

Answer 7

a. Use a password history with a value of 3.
b. Implement time‐based one-time passwords.
c. Increase the password history to a value of 20.
d. Set the account lockout to a value of 1.
e. Set the password expiry to three days.

e

We should never use weak passwords, however, if the exam says we are using them, then we need to accept it. The only way to mitigate the risk is to use a very short password expiry time.

Question 8

What type of attack is a padding oracle on downgrading legacy encryption attack (Choose TWO)?

Answer 8

a. IV attack.
b. Replay attack.
c. Man‐in‐the-middle attack.
d. TLS 1.0 with electronic-code book.
e. SSL 3.0 with chain-block cipher.

c, e

A POODLE attack is a man in the middle that exploits a downgraded browser using SSL 3.0 with CBC.

Question 9

The cybersecurity team have set up a honeypot to track the attack vector of a newly released malware. As they review the virus, they notice that the hash value of the malware changes from host to host. Which of the following types of malware has been detected?

Answer 9

a. Virus.
b. RAT.
c. Worm.
d. Logic bomb.
e. Polymorphic virus.

e

A polymorphic virus mutates as it replicates; that is why the hash is changing.

Question 10

The cybersecurity team have looked at the latest trends and have identified that there has been an increase in brute-force attacks. Which of the following is a random value that can be appended to the stored password to make it more difficult for a brute-force password attack to be carried out (choose TWO)?

Answer 10

a. Obfuscation.
b. Nonce.
c. Key stretching.
d. Salting.

c, d

Both salting and key stretching increase the password length by appending random characters to the end of the password.

Question 11

There has been a spate of DNS-poisoning attacks and your company wants to make itself resilient against these attacks. Your company wants to encrypt the DNS traffic by using DNSSEC. Once you have signed the zone, what record is created for each host?

Answer 11

a. CNAME.
b. SPF.
c. RRSIG.
d. MX.
e. PTR

c

DNSSEC encrypts DNS traffic preventing DNS poisoning and produces RRSIG records.

Question 12

A security administrator discovers that an attacker used a compromised host as a platform for launching attacks deeper into a company’s network. What terminology BEST describes the use of the compromised host?

Answer 12

a. Brute force.
b. Active reconnaissance.
c. Pivoting.
d. Passing point.

c

Pivoting is where an attacker enters your network via a vulnerable host then attacks a secondary host.

Question 13

At what stage of the SDLC are computer systems no longer supported by the original vendor?

Answer 13

a. Sandboxing.
b. End‐of‐life systems.
c. Resource exhaustion.
d. System sprawl.

b

End‐of‐life systems are no longer supported, updated, or patched by the vendor, making them vulnerable to attack.

Question 14

Company A has just developed a bespoke system for booking airline tickets. What is it called if a freelance coding specialist tests it for security flaws?

Answer 14

a. Code review.
b. Static-code review.
c. Regression testing.
d. Dynamic-code review.

c

Regression testing is where a coding expert checks your code.

Question 15

You are the security administrator for an airline company that suffered a loss of availability of their systems last month. Which of the following attacks would MOST LIKELY affect the availability of your IT systems?

Answer 15

a. Spear phishing.
b. Replay.
c. Man‐in‐the‐middle.
d. DoS.

d

Loss of availability means the system is down; DoS is where one host takes down another and is the most likely answer.

Question 16

You are a lecturer in a college and you need to deliver a session on salting passwords. What are the two main reasons you would salt passwords?

Answer 16

a. To slow down brute-force attacks.
b. To make access to the password slower.
c. To prevent duplicate passwords from being stored.
d. To stop simple passwords from being used.

a,c

Salting appends random characters to a password; therefore, it makes the password longer and more difficult to crack. If two people use the same password, the random characters appended to them make them unique.

Question 17

17. An auditor is carrying out an annual inspection of a SCADA network and finds that the programmable logic controllers (PLCs) have not been updated since last year. Upon further investigation, it is discovered that the company manufacturing these PLCs has gone into liquidation, making these controls end-of-life systems. The manufacturer is currently looking for another company to make an upgraded PLC. Which of the following recommendations should the auditor make to the management team to mitigate the risk in the short term?

Answer 17

a. Remove the PLCs from the manufacturing infrastructure.
b. Produce their own updated PLCs for the firmware.
c. Set up a SIEM system for real-time monitoring of the SCADA system.
d. Place the PLCs in a VLAN.

d

If a system or a printer is vulnerable and it cannot be replaced, we can segment it from the rest of the network by placing it in a VLAN.

Question 18

18. The security administrator has identified an unknown vulnerability on an application that is used infrequently. They have isolated the application and gathered information to send to the vendor so that a patch can be produced. Once the company receives a patch for the application, what is the best way for the company to test the application before rolling it out into production?

Answer 18

a. Obfuscation.
b. VLAN.
c. Regression testing.
d. Sandboxing.

d

Sandboxing can be used to isolate an application for testing or patching or because it is dangerous. The Linux version is called chroot jail.

Question 19

What is it called when a user has exploited an IT system so that he has obtained access to all files on the file server?

Answer 19

a. Remote exploit.
b. Zero‐day exploit.
c. Privilege escalation.
d. Pivoting.

c

It takes someone with admin right to access all files, therefore the user would need to have privilege escalation to do so

Question 20

Which of the following is an email‐based attack on all members of the sales team?

Answer 20

a. Phishing.
b. Vishing.
c. Spear phishing.
d. Pharming.

c

An email attack on a group of users is called spear phishing. Watch out in the exam for plural words. Phishing is attacking one person by email.

Question 21

An attacker tries to target a high‐level executive, but unfortunately has to leave a voicemail as they did not answer the telephone. What was the intended attack and what attack was eventually was used (choose all that apply)?

Answer 21

a. Whaling.
b. Vishing.
c. Phishing.
d. Spear phishing.

b

The attack method, first of all, uses a telephone, but the attacker has to leave a voicemail; this is known as vishing. For whaling to take place, the CEO would have to take some sort of action.

Question 22

You are carrying out annual training for your company and need to put a PowerPoint slide together for the symptoms of a backdoor virus. Which three bullet points will you include in the slide? Each provides part of the explanation of a backdoor virus.

Answer 22

a. Passwords may have been there a long time.
b. You must click on several items.
c. Can be included in an email attachment.
d. Files open quicker than before.
e. You can only get infected through a link on a webpage.

a, b, c

A backdoor password is written by the application developer to be used at a later stage should the user lock themselves out. Another form is when you have to click several times to execute it.

Question 23

Which of the following commands can be used to create a buffer overflow (choose all that apply)?

Answer 23

a. var char.
b. strcpy.
c. var data.
d. strcat.

b. d

Buffer overflow happens when an application receives more data than it can deal with. Both strcpy and strcat can collect strings of data that would cause a buffer overflow.

Question 24

You are the security administrator for a multinational corporation and the development team have asked your advice as to how BEST to prevent SQL injection, integer overflow, and buffer overflow attacks. Which of the following should you advise them to use?

Answer 24

a. Input validation.
b. A host‐based firewall with advanced security.
c. strcpy.
d. Hashing.

a

Input validation only accepts data in a certain format within a certain length and will prevent buffer overflow, integer overflow, and injection types attacks such as SQL injection.

Question 25

Your company is opening up a new data center in Galway in Ireland where you have installed the server farm, and now a construction company has come in to put a six‐foot mantrap into the entrance. What the main two reasons why this mantrap has been installed?

Answer 25

a. To prevent theft.
b. To prevent tailgating.
c. To prevent unauthorized personnel gaining access to the data center.
d. To allow faster access to the facility.

b, c

Mantraps only allow one person in at a time and control who can access the facility; they are used frequently with data centers.

Question 26

Which of the following devices can prevent unauthorized access to the network and prevent attacks from unknown sources?

Answer 26

a. Router.
b. Load balancer.
c. Web-security gateway.
d. UTM.

d

The UTM’s first role is a firewall that prevents unauthorized access to the network. It can also provide URL and content filtering and malware protection.

Question 27

You are the cybersecurity analyst for a large corporation, and have been investigating recent incidents. You found an attacker who seems to be trying to post political messages on your company website. Which of the following BEST describes this threat actor?

Answer 27

a. Organized crime.
b. Script kiddie.
c. Hacktivist.
d. APT.
e. Malicious insider.
f. Nation state.

c

A hacktivist is a politically motivated threat actor.

Question 28

A security administrator wants to audit a web application to determine whether default accounts are being used. What technique is being used to carry this task out?

Answer 28

a. Social engineering.
b. Banner grabbing.
c. Protocol analyzer.
d. Netcat (nc).

b

Banner grabbing is a technique that can interrogate the web servers; it can provide login details and patch level versions of a web server. Two common applications used for banner grabbing are netcat (nc) and telnet.

Question 29

You are the CISO for a large financial institution. You are setting up an annual contract with a third‐party company who will take the data away for shredding and pulping. What type of attack are you preventing?

Answer 29

a. Social engineering.
b. Dumpster diving.
c. Watering-hole attack.
d. Smurf attack.
e. Replay attack.

b

Dumpster diving is where an attacker will look for company information in the trash can. Most companies have a third party collect their paper waste and destroy it.

Question 30

You are the chief information security officer for a large corporation and you have been informed that the forms on the company’s website are passing unsanitized values to the backend ticketing system. Which of the following types of attack has been carried out?

Answer 30

a. Input validation.
b. Buffer overflow.
c. XSS attack.
d. Replay attack.
e. SQL injection.
f. Integer overflow.

e

The frontend would be a web server and the backend would be a database such as a SQL server that would hold ticketing and credit card information.

Question 31

Company A are using a third party to perform a pen test against the company’s network. No information has been given to the company prior to their visit. As the pen testers are about to start testing, one of the ladies from the network gives them a floor plan showing all of the network points. Which type of pen testing is being carried out?

Answer 31

a. Gray box.
b. White box.
c. Intrusive scan.
d. Black box.

a

Gray box penetration testing is where the tester has at least one piece of information.

Question 32

You are the cybersecurity analyst for a large corporation, and have been analyzing various log files on the external firewall. You notice the following:

SELECT* from Customers, Orders, Bank Account Number, 1=1.

Which of the following types of attack is being carried out?

Answer 32

a. Buffer overflow.
b. Social engineering.
c. Customer services are printing off a list of all customers.
d. SQL injection.
e. Smurf.

d

In the Security+ exam, the phrase 1=1 means a SQL injection attack.

Question 33

A black-box pen tester has crashed the company’s main systems. Which type of scan have they been using?

Answer 33

a. Intrusive scan.
b. Vulnerability scan.
c. Non‐credentialed.
d. Application scan.

a

Penetration tests are intrusive and can cause damage, therefore, the type of scan would be an intrusive scan.

Question 34

A payroll department has contacted the security team regarding a problem with the transfer of the payroll that was submitted to the bank. The payroll system log files revealed the following entries:

• September 1, 2020, August Payroll File created – File transferred to the bank
• October 1, 2020, September Payroll File created – File transferred to the bank
• November 1, 2020, October Payroll File created – Transfer failed
• November 2, 2020, October Payroll File created – File transferred to the bank

Which of the following explains why the file transfer failed?

Answer 34

a. The file hashed changed while in transit.
b. The file was transferred to the wrong destination.
c. The file was corrupted while in transit.
d. The bank refused the transfer.

c

Files were created and transferred regularly, therefore, files being corrupted in transit looks the most likely—after all, the next file transfer worked.

Question 35

During a routine review of firewall log reports, a security technician discovers multiple successful logins for users during unusual hours. The technician contacts the network administrator, who confirms that the logins were not related to the administrator’s activities. Which of the following is the MOST likely reason for these logins?

Answer 35

a. The file hashed changed while in transit.
b. The file was transferred to the wrong destination.
c. The file was corrupted while in transit.
d. The bank refused the transfer.

c

Files were created and transferred regularly, therefore, files being corrupted in transit looks the most likely—after all, the next file transfer worked.

Question 36

You are an employee working in the finance department, and have just received an email from the Chief Financial Officer (CFO) instructing you to pay $3,000 immediately to a vendor before critical services are cut. The vendor’s invoice is attached for ease of reference. Which of the following BEST describes the type of attack being used (choose TWO)?

Answer 36

a. Impersonating.
b. Shoulder surfing.
c. Consensus/social proof.
d. Authority.
e. Urgency.

d, e

Social engineering authority gets an email from the CEO or the HR director, and urgency means that you have to deal with something immediately.

Question 37

During a routine review of firewall log reports, a security technician discovers multiple successful logins for users during unusual hours. The technician contacts the network administrator, who confirms that the logins were not related to the administrator’s activities. Which of the following is the MOST likely reason for these logins?

Answer 37

a. Firewall maintenance service windows were scheduled.
b. Default credentials were still in place.
c. The entries in the log were caused by the file-integrity monitoring system.
d. A blue team was conducting a penetration test on the firewall.

b

If we did not change the default credentials for the firewall, this would explain why someone other than the administrators could access the firewall.

Question 38

A security analyst is assigned to perform a penetration test for one of the company’s clients. During the scope discussion, the analyst is notified that the client is not going to share any information related to the environment to be tested. Which of the following BEST identifies this type of penetration testing?

Answer 38

a. Black box.
b. White box.
c. Gray box.
d. Blue teaming.

a

A black box penetration tester is given no information prior to starting the pen test.

Question 39

Company emails have been intercepted and altered in transit. The security administrator needs to implement a solution that provides both email integrity and nonrepudiation. Which of the following should he use?

Answer 39

a. OAuth.
b. Kerberos.
c. S/MIME.
d. TLS.

c

SMIME is where a user will digitally sign an email to ensure integrity, and using their private key ensures non‐repudiation of the message being sent.

Question 40

Which of the following is an example of resource exhaustion?

Answer 40

a. A penetration tester requests every available IP address from a DHCP server.
b. An SQL injection attack returns confidential data back to the browser.
c. Server CPU utilization peaks at 100% during the reboot process.
d. System requirements for a new software package recommend having 12 GB of RAM, but only 8 GB are available.

c

Resource exhaustion is where a system has no resources left; the best example here is when the CPU is running at 100%, meaning full capacity.

Question 41

A security scanner lists security discrepancies that are not present when the system is manually inspected. Which of the following is the MOST likely reason for this?

Answer 41

a. Credentialed scan.
b. Fail-acceptance rate.
c. False positives.
d. False negatives.

c

When a monitoring system finds that attacks are in place and when a manual inspection does not find any, this is called a false positive.

Question 42

Which of the following methods minimizes the use of a system interaction when conducting a vulnerability scan?

Answer 42

a. Stopping the firewall service.
b. Running a credentialed scan first thing in the morning.
c. Conducting the assessment once everyone finishes work.
d. Running a non‐credentialed scan first thing in the morning.

c

When there are no users in the company, they will not be using the system.

Question 43

A security analyst monitoring the domain controller identifies the following attack:

Pinging 192.168.5.253 with 24456 bytes of data
Reply from 192.168.5.253 bytes 24456 time<1ms TTL=128
Reply from 192.168.5.253 bytes 24456 time<1ms TTL=128
Reply from 192.168.5.253 bytes 24456 time<1ms TTL=128
Reply from 192.168.5.253 bytes 24456 time<1ms TTL=128

Which of the following attacks is occurring?

Answer 43

a. Ping of death.
b. DNS poisoning.
c. Buffer overflow.
d. SQL injection.
e. Remote-access trojan.
f. Integer overflow.

c

Buffer overflow is where data larger than normal is being submitted; in this case, the normal number of bytes is 32, so 24,456 exceeds this and causes a buffer overflow.

Question 44

Which of the following are considered among the best indicators that a received message is a hoax (choose TWO)?

Answer 44

a. License violation.
b. Warnings of monetary loss.
c. Claims of possible damage to the computer.
d. Event logs filling up.
e. Certificate trust error.

b, c

The question asks for a message as a hoax; the only two items that produce messages are warning of monetary loss and claims of possible damage. All other items won’t send a message.

Question 45

A threat actor purchases an exploit from the dark web to launch an attack. Name the threat actor.

Answer 45

a. Organized crime.
b. Malicious insider.
c. Script kiddie.
d. Competitor.
e. Hacktivist.

c

A script kiddie does not have a high technical skill set, therefore, he has to use script or programs written by others; in this example, they are purchasing one from an illegal website.

Question 46

What type of threat actor would attend a political rally?

Answer 46

a. Organized crime.
b. Malicious insider.
c. Script kiddie.
d. Competitor.
e. Hacktivist.

e

A hacktivist is politically motivated.

Question 47

A security administrator has completed a monthly review of DNS server query logs. He notices persistent TCP connections to a remote server carrying megabytes of data each day. Which of the following is the most likely explanation for this anomaly?

Answer 47

a. An attacker is stealing large amounts of proprietary company data.
b. Employees are playing multiplayer computer games.
c. A worm is attempting to spread to other hosts via SMB exploits.
d. Internal hosts have become members of a botnet.

d

An infected machine that is running as a bot member can be accessed 24/7, 365 days a year. If they were playing games, that traffic would be intermittent.

Question 48

Which of the following can be implemented to prevent a local LAN attack?

Answer 48

a. arp ‐s.
b. dig ‐n.
c. arp ‐a.
d. netstat ‐an.
e. tcpdump ‐.

a

Arp is the only local attack, arp ‐s IP address MAC address, inserts static entries into the arp cache and prevents it from being poisoned.

Question 49

A black box penetration tester has managed to access the following registry key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
What type of penetration-testing technique did he use?

Answer 49

a. Privilege escalation.
b. Pivoting.
c. Regression testing.
d. Active reconnaissance.

d

Active reconnaissance is where an action is taken; this time, the attacker has got access to the system’s registry

Question 50

The CISO has written a policy informing the IT team that he wants company personnel to be able to make changes to data and delete documents. Which of the following titles should he use for the policy?

Answer 50

a. On‐boarding policy.
b. Acceptable-use policy (AUP).
c. Least-privilege policy.
d. Separation-of-duties policy.

c

Least privilege allows access and permissions to data.

Question 51

The company is upgrading the computers for the customer services department, and the cybersecurity team has built an image to roll out. Which of the following is the best security reason that an image was used for the deployment?

Answer 51

a. To enable the computers to boot securely.
b. To ensure that the same applications are deployed.
c. To reduce the number of updates.
d. To ensure that the computers have the same baseline.

d

Rolling out an image ensures that all of the computers have the same baseline, including security settings and patches.