pm exam 3 Flashcards
A finance company is legally required to maintain seven years of tax
records for all of their customers. Which of the following would be the
BEST way to implement this requirement?
❍ A. Create an automated script to remove all tax information
more than seven years old
❍ B. Print and store all tax records in a seven-year cycle
❍ C. Allow users to download tax records from their account login
❍ D. Create a separate daily backup archive for all applicable tax records
The Answer: D. Create a separate daily backup archive for all
applicable tax records
The important consideration for a data retention mandate is to always have
access to the information over the required time frame. In this example,
a daily backup would ensure that tax information is continuously archived
over the seven-year period and could always be retrieved if needed. If data
were inadvertently deleted from the primary storage, the backup would still
hold a copy. The archive itself must be kept for the full seven years and
restores should be tested periodically; a backup that cannot be restored
does not satisfy the mandate.
The incorrect answers:
A. Create an automated script to remove all tax information
more than seven years old
The requirement is to maintain data for at least seven years, but there’s no
requirement to remove that data once it’s more than seven years old. For
example, some financial information may need to be retained well beyond
the seven year mandate.
B. Print and store all tax records in a seven-year cycle
Paper has its place, but creating physical output of tax records and storing
them for seven years would include a significant cost in time, materials,
and inventory space. The requirement to store data for seven years doesn’t
require the information to be stored in a physical form.
C. Allow users to download tax records from their account login
Including a feature to allow users access to their records is useful for the
user community, but it doesn’t provide any data protection for the seven
year retention period.
More information:
SY0-601, Objective 5.3 - Managing Data
https://professormesser.link/601050303
A system administrator is designing a data center for an insurance
company’s new public cloud and would like to restrict user access to
sensitive data. Which of the following would provide ongoing visibility,
data security, and control of cloud-based applications?
❍ A. HSM
❍ B. CASB
❍ C. 802.1X
❍ D. EDR
The Answer: B. CASB
A CASB (Cloud Access Security Broker) sits between the organization's users
and the cloud services they use, either in-line as a proxy or through the
cloud provider's APIs. It gives the security administrator visibility into
which cloud applications are in use and by whom, applies data-security
controls such as DLP and encryption to the data stored in those
applications, and enforces access policies on them.
The incorrect answers:
A. HSM
An HSM (Hardware Security Module) manages certificates, digital keys,
and can often offload cryptographic functions. An HSM is not used for
visibility and control of cloud-based applications.
C. 802.1X
802.1X is an authentication standard for port-based network access
control, or NAC. 802.1X does not provide visibility or control of
cloud-based applications.
D. EDR
EDR (Endpoint Detection and Response) is a security solution for
end-user devices to protect against malicious software and threats.
More information:
SY0-601, Objective 3.6 - Cloud Security Solutions
https://professormesser.link/601030605
A device is exhibiting intermittent connectivity when viewing remote web
sites. A security administrator views the local device ARP table:

Internet Address    Physical Address
192.168.1.1         60:3d:26:69:71:fc
192.168.1.101       e2:c3:53:79:4c:51
192.168.1.102       7a:3b:8f:21:86:57
192.168.1.103       60:3d:26:69:71:fc
192.168.1.104       00:80:92:c7:c8:49
192.168.1.105       d0:81:7a:d3:f0:d5

Which of the following would be the MOST likely explanation of this
connectivity issue?
❍ A. DDoS
❍ B. Wireless disassociation
❍ C. Rogue access point
❍ D. ARP poisoning
The Answer: D. ARP poisoning
The same MAC (Media Access Control) address appears for both 192.168.1.1
and 192.168.1.103. There should not be duplicate MAC addresses associated
with two IP addresses on the same subnet, and when the shared address is
the default gateway's, the usual cause is ARP (Address Resolution Protocol)
poisoning: either the gateway's ARP entry has been overwritten with the
MAC of the host at 192.168.1.103, or that host is spoofing the gateway's
MAC. Either way, traffic destined for remote web sites is being redirected
through another host on the LAN, and the intermittent connectivity is a
typical symptom, since the spoofed ARP replies compete with the real
gateway's. Before acting, confirm the gateway's real MAC address from the
router or switch itself; a single interface carrying secondary IP addresses
can legitimately show one MAC under several IPs.
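As an added example that is not part of the original answer key, the following Python script performs the check described above on a captured ARP table: it parses the output, ignores broadcast and multicast entries (which legitimately map to many IPs), and flags any unicast MAC that answers for more than one IP, rating a MAC shared with the default gateway highest. The sample table is the one from the question, reformatted as Windows `arp -a` output (an assumption about layout; the parser also accepts the colon-separated Linux/macOS form). The gateway address and the severity labels are illustrative choices.

```python
import re
from collections import defaultdict

# Constructed sample input: the ARP table from the question, laid out the way
# `arp -a` prints it on Windows (assumption: an interface header line and a
# Type column, which the parser tolerates and ignores).
SAMPLE_ARP_TABLE = """\
Interface: 192.168.1.50 --- 0x4
  Internet Address      Physical Address      Type
  192.168.1.1           60-3d-26-69-71-fc     dynamic
  192.168.1.101         e2-c3-53-79-4c-51     dynamic
  192.168.1.102         7a-3b-8f-21-86-57     dynamic
  192.168.1.103         60-3d-26-69-71-fc     dynamic
  192.168.1.104         00-80-92-c7-c8-49     dynamic
  192.168.1.105         d0-81-7a-d3-f0-d5     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
  224.0.0.251           01-00-5e-00-00-fb     static
"""

ENTRY_RE = re.compile(
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<mac>(?:[0-9a-fA-F]{2}[:-]){5}[0-9a-fA-F]{2})"
)


def parse_arp_table(text):
    """Return {ip: mac}, MACs normalised to lower-case colon form so that
    Windows (xx-xx-...) and Linux/macOS (xx:xx:...) output compare alike."""
    entries = {}
    for m in ENTRY_RE.finditer(text):
        entries[m.group("ip")] = m.group("mac").lower().replace("-", ":")
    return entries


def is_group_address(mac):
    """Broadcast/multicast MACs (I/G bit set in the first octet) legitimately
    map to many IPs and must not be reported as duplicates."""
    return int(mac[:2], 16) & 0x01 == 1


def find_duplicate_macs(entries):
    """Return {mac: [ips]} for every unicast MAC seen under more than one IP."""
    by_mac = defaultdict(list)
    for ip, mac in entries.items():
        if not is_group_address(mac):
            by_mac[mac].append(ip)
    return {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}


def assess(entries, gateway_ip):
    """Rate each duplicate. A MAC shared with the default gateway is the classic
    on-path (ARP poisoning) footprint; any other duplicate may be a multi-homed
    host with secondary addresses and needs a check against the real hardware."""
    gateway_mac = entries.get(gateway_ip)
    findings = []
    for mac, ips in find_duplicate_macs(entries).items():
        if mac == gateway_mac:
            findings.append(("HIGH", mac, ips,
                             "gateway MAC also answers for another IP: likely ARP poisoning"))
        else:
            findings.append(("MEDIUM", mac, ips,
                             "one MAC under several IPs: verify the host is multi-homed"))
    return findings


if __name__ == "__main__":
    table = parse_arp_table(SAMPLE_ARP_TABLE)
    for severity, mac, ips, reason in assess(table, "192.168.1.1"):
        print(f"[{severity}] {mac} -> {', '.join(ips)}: {reason}")
```

Run against the sample, the script reports one HIGH finding for 60:3d:26:69:71:fc shared by 192.168.1.1 and 192.168.1.103; the broadcast and multicast rows are skipped.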
The incorrect answers:
A. DDoS
A DDoS (Distributed Denial of Service) attack would not duplicate a
MAC address on an IP subnet.
B. Wireless disassociation
Wireless disassociation uses specially crafted wireless management frames
to disconnect wireless devices from a network. A duplicate MAC address
does not indicate a wireless disassociation attack.
C. Rogue access point
A rogue access point would have its own MAC address and it would not
be duplicated on the local IP subnet.
More information:
SY0-601, Objective 1.4 - On-Path Attacks
https://professormesser.link/601010407
A system administrator is implementing a fingerprint scanner to provide
access to the data center. Which of these metrics should be kept at a
minimum in order to prevent unauthorized persons from accessing the
data center?
❍ A. TOTP
❍ B. FRR
❍ C. HOTP
❍ D. FAR
The Answer: D. FAR
FAR (False Acceptance Rate) is the likelihood that an unauthorized user
will be accepted. The FAR should be kept as close to zero as possible.
Tightening the match threshold to drive the FAR down also raises the FRR,
so the two are tuned together; the crossover error rate (CER), where FAR
and FRR are equal, is the usual figure for comparing biometric systems.
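The trade-off is easier to see with numbers. The Python below is an added illustration, not part of the original material; it uses constructed match scores from a hypothetical fingerprint reader (the scores, the 0-100 scale and the threshold range are all assumptions) and computes FAR and FRR for a given decision threshold, the crossover (CER) threshold where the two meet, and the threshold needed to hold FAR at zero together with the FRR that choice costs.

```python
# Constructed sample matcher scores (0-100, higher = better match) for a
# hypothetical fingerprint reader. Genuine: enrolled users presenting their own
# finger. Impostor: other people's fingers against an enrolled template.
GENUINE_SCORES = [88, 91, 79, 95, 70, 84, 90, 62, 87, 93]
IMPOSTOR_SCORES = [12, 35, 48, 22, 61, 30, 55, 18, 40, 66]


def far(impostor_scores, threshold):
    """False Acceptance Rate: share of impostor attempts scoring at or above
    the threshold (the reader lets the wrong person in)."""
    return sum(s >= threshold for s in impostor_scores) / len(impostor_scores)


def frr(genuine_scores, threshold):
    """False Rejection Rate: share of genuine attempts scoring below the
    threshold (the reader turns the right person away)."""
    return sum(s < threshold for s in genuine_scores) / len(genuine_scores)


def crossover_threshold(genuine, impostor, candidates=range(0, 101)):
    """Threshold where FAR and FRR are closest: the crossover error rate (CER)
    operating point used to compare biometric systems."""
    return min(candidates, key=lambda t: abs(far(impostor, t) - frr(genuine, t)))


def threshold_for_max_far(genuine, impostor, max_far, candidates=range(0, 101)):
    """Lowest threshold keeping FAR <= max_far, and the FRR that choice costs.
    For a data-center door, max_far is set at or near zero and the FRR is
    accepted as the price."""
    for t in candidates:
        if far(impostor, t) <= max_far:
            return t, frr(genuine, t)
    return None, 1.0


if __name__ == "__main__":
    for t in (40, 50, 60, 63, 67, 80):
        print(f"threshold {t:3d}: FAR={far(IMPOSTOR_SCORES, t):.2f} "
              f"FRR={frr(GENUINE_SCORES, t):.2f}")
    print("CER threshold:", crossover_threshold(GENUINE_SCORES, IMPOSTOR_SCORES))
    print("FAR=0 threshold and FRR cost:",
          threshold_for_max_far(GENUINE_SCORES, IMPOSTOR_SCORES, 0.0))
```

With these samples the crossover sits at a threshold of 63 (FAR and FRR both 0.10), while forcing FAR to zero requires a threshold of 67 and rejects one in ten genuine users.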
The incorrect answers:
A. TOTP
A TOTP (Time-based One-Time Password) is an algorithm that provides
a pseudo-random number as an authentication factor. A TOTP does not
describe the accuracy of a biometric system.
B. FRR
FRR (False Rejection Rate) is the likelihood that an authorized user will
be rejected. A high FRR means authorized users are turned away at the
door, which is an inconvenience rather than a security failure; this value
is not associated with unauthorized access.
C. HOTP
HOTP (HMAC-based One-Time Password) is an algorithm that
provides an authentication factor based on a one-time password. An
HOTP does not describe the accuracy of a biometric system.
More information:
SY0-601, Objective 2.4 - Biometrics
https://professormesser.link/601020402
The IT department of a transportation company maintains an on-site
inventory of chassis-based network switch interface cards. If a failure
occurs, the on-site technician can replace the interface card and have the
system running again in sixty minutes. Which of the following BEST
describes this recovery metric?
❍ A. MTBF
❍ B. MTTR
❍ C. RPO
❍ D. RTO
The Answer: B. MTTR
MTTR (Mean Time To Restore) is the amount of time required to get
back up and running. This is sometimes called Mean Time To Repair.
The incorrect answers:
A. MTBF
MTBF (Mean Time Between Failures) is a prediction of how long the
system will be operational before a failure occurs.
C. RPO
An RPO (Recovery Point Objective) is the maximum amount of data loss,
expressed in time, that the organization can tolerate after an outage. It
sets how old the most recent backup or replica may be: an RPO of one hour,
for example, requires a recoverable copy that is never more than one hour
old. It describes the state the data must be recovered to, not how long
the recovery itself takes.
D. RTO
An RTO (Recovery Time Objective) is the service level goal to work
towards when recovering a system and getting back up and running. The
sixty minutes in the question is a measured repair time, which is what an
RTO would be compared against.
More information:
SY0-601, Objective 5.4 - Business Impact Analysis
https://professormesser.link/601050403
A company maintains a server farm in a large data center. These servers
are for internal use only and are not accessible externally. The security
team has discovered that a group of servers was breached before the latest
updates were applied. Breach attempts were not logged on any other
servers. Which of these threat actors would be MOST likely involved in
this breach?
❍ A. Competitor
❍ B. Insider
❍ C. Nation state
❍ D. Script kiddie
The Answer: B. Insider
None of these servers were accessible from the outside, and the only
servers with any logged connections were those that were still exposed to
the latest vulnerabilities. To carry out this attack, you would need very
specific knowledge of exactly which systems were vulnerable and a way to
communicate with those servers. For both of those reasons, an insider
would be the most likely threat actor from the available list.
The incorrect answers:
A. Competitor
Although an unethical competitor could be interested in disabling certain
systems, the specificity of this attack and the lack of accessibility to the
systems would seem to dismiss a competitor.
C. Nation state
A nation state would have the resources needed to attack a network, gain
access to the internal systems, and then somehow monitor the update
processes for each server. However, the scope and breadth of such an attack
would be complex, and this would make the nation state a very speculative
option and not the most likely option from the available list.
D. Script kiddie
Script kiddies don’t generally have access to an internal network, and they
aren’t discerning enough to track the status of which systems may have
been recently updated.
More information:
SY0-601, Objective 1.5 - Threat Actors
https://professormesser.link/601010501
An organization has contracted with a third-party to perform a
vulnerability scan of their Internet-facing web servers. The report shows
that the web servers have multiple Sun Java Runtime Environment ( JRE)
vulnerabilities, but the server administrator has verified that JRE is not
installed. Which of the following would be the BEST way to handle this
report?
❍ A. Install the latest version of JRE on the server
❍ B. Quarantine the server and scan for malware
❍ C. Harden the operating system of the web server
❍ D. Ignore the JRE vulnerability alert
The Answer: D. Ignore the JRE vulnerability alert
It’s relatively common for vulnerability scans to report vulnerabilities
that don’t actually exist, especially when the scans are not credentialed:
an uncredentialed scanner often infers installed software from banners
and responses rather than from the system’s package list. An issue that is
identified but does not actually exist is a false positive, and it can be
dismissed once the alert has been properly researched. In practice the
dismissal should be recorded in the scanning tool as a false positive
along with the evidence (here, the administrator’s verification that JRE
is absent) so the finding stays suppressed and auditable, and a
credentialed rescan is a good way to confirm it.
The incorrect answers:
A. Install the latest version of JRE on the server
The system administrator verified that JRE was not currently installed
on the server, so it would not be possible for that vulnerability to actually
exist. Installing an unneeded version of JRE on the server could potentially
open the server to actual vulnerabilities.
B. Quarantine the server and scan for malware
The JRE false positive isn’t an indication of malware, and no mention is
made of the report including any additional vulnerabilities or reports of
malware.
C. Harden the operating system of the web server
Although it’s always a good best practice to harden the operating system
of an externally-facing server, this vulnerability scan report doesn’t indicate
any particular vulnerability with the operating system itself. If the scan
identified specific OS vulnerabilities, then additional hardening may be
required.
More information:
SY0-601, Objective 1.7 - Vulnerability Scans
https://professormesser.link/601010702
A security administrator has installed a new firewall to protect a web
server VLAN. The application owner requires that all web server sessions
communicate over an encrypted channel. Which of these rules should the
security administrator include in the firewall rulebase? (Select TWO)
❍ A. Source: ANY, Destination: ANY, Protocol: TCP, Port: 23, Deny
❍ B. Source: ANY, Destination: ANY, Protocol: TCP, Port: 443, Deny
❍ C. Source: ANY, Destination: ANY, Protocol: TCP, Port: 80, Deny
❍ D. Source: ANY, Destination: ANY, Protocol: TCP, Port: 443, Allow
❍ E. Source: ANY, Destination: ANY, Protocol: TCP, Port: 80, Allow
The Answers:
C. Source: ANY, Destination: ANY, Protocol: TCP, Port: 80, Deny
D. Source: ANY, Destination: ANY, Protocol: TCP, Port: 443, Allow
Most web servers use tcp/80 for HTTP (Hypertext Transfer Protocol)
communication and tcp/443 for HTTPS (Hypertext Transfer Protocol
Secure). HTTP sends traffic in the clear, so the first firewall rule
blocks any tcp/80 traffic before it reaches the web server. The second
rule allows HTTPS encrypted traffic to continue to the web server over
tcp/443. Two practical notes: the ANY/ANY rules in the question are
deliberately broad, and a real rulebase would narrow the destination to
the web server VLAN and rely on the firewall’s implicit deny, keeping the
explicit tcp/80 deny mainly to log cleartext attempts; and blocking
tcp/80 at the firewall means the server can no longer answer a plain
http:// request with a redirect to https://, so users who type a bare
hostname will see a timeout rather than a redirect.
The incorrect answers:
A. Source: ANY, Destination: ANY, Protocol: TCP, Port: 23, Deny
The insecure Telnet protocol commonly uses tcp/23, but most web servers
would not be listening on tcp/23. An explicit tcp/23 deny rule would not
provide any additional web server security.
B. Source: ANY, Destination: ANY, Protocol: TCP, Port: 443, Deny
The encrypted HTTPS protocol uses tcp/443, so the security
administrator would not want to deny that traffic through the firewall.
E. Source: ANY, Destination: ANY, Protocol: TCP, Port: 80, Allow
Since the application owner requires encrypted communication, allowing
HTTP over tcp/80 should not be allowed through the firewall.
More information:
SY0-601, Objective 3.3 - Firewalls
https://professormesser.link/601030306
A private company uses an SSL proxy to examine the contents of an
encrypted application during transmission. How could the application
developers prevent the use of this proxy examination in the future?
❍ A. OCSP stapling
❍ B. Offline CAs
❍ C. Certificate chaining
❍ D. Certificate pinning
The Answer: D. Certificate pinning
Certificate pinning embeds or “pins” a certificate inside of an application.
When the application contacts a service, the service certificate is
compared to the pinned certificate. If they match, the application knows
it can trust the service. If they don’t match, the application can choose
to shut down, show an error message, or make the user aware of the
discrepancy. An SSL proxy terminates the connection and presents its own
certificate, issued by the proxy’s CA rather than by the service’s CA, so
an application using certificate pinning can detect and react to this
even when the proxy’s CA has been added to the device’s trust store. In
practice the pin is usually a hash of the certificate’s public key
(SubjectPublicKeyInfo) rather than of the whole certificate, so a renewed
certificate with the same key still matches, and a backup pin for a
second key is kept so that key rotation does not lock users out.
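What the application actually compares is shown by the added Python below (illustrative code, not from any real application or library): a minimal DER walker pulls the SubjectPublicKeyInfo out of a certificate, hashes it, and checks the base64 SHA-256 pin against the set shipped in the app, accepting the chain if any certificate in it matches. The certificates are constructed stand-ins with placeholder names and no signature (an assumption made so the example runs offline); a real client would take the DER chain from its TLS library after normal validation and apply this check on top.

```python
import base64
import hashlib

SEQUENCE, INTEGER, BIT_STRING, NULL, OID, CONTEXT_0 = 0x30, 0x02, 0x03, 0x05, 0x06, 0xA0


def der_encode(tag: int, content: bytes) -> bytes:
    """One DER TLV with definite-length encoding (short or long form)."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def der_read(buf: bytes, pos: int):
    """Read the TLV at pos; return (tag, content, raw_tlv_bytes, next_pos)."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, hdr = first, 2
    else:
        nbytes = first & 0x7F
        length, hdr = int.from_bytes(buf[pos + 2:pos + 2 + nbytes], "big"), 2 + nbytes
    start, end = pos + hdr, pos + hdr + length
    if end > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[start:end], buf[pos:end], end


def extract_spki(cert_der: bytes) -> bytes:
    """Return the raw SubjectPublicKeyInfo TLV of an X.509 certificate.
    RFC 5280 layout: Certificate ::= SEQ { tbsCertificate SEQ { [0] version
    OPTIONAL, serial, signature, issuer, validity, subject, spki, ... }, ... }"""
    tag, body, _, _ = der_read(cert_der, 0)
    if tag != SEQUENCE:
        raise ValueError("not a DER certificate")
    tag, tbs, _, _ = der_read(body, 0)
    if tag != SEQUENCE:
        raise ValueError("bad tbsCertificate")
    pos = 0
    tag, _, _, nxt = der_read(tbs, pos)
    if tag == CONTEXT_0:                 # v2/v3 certificates carry an explicit version
        pos = nxt
    for _ in range(5):                   # serial, signature, issuer, validity, subject
        _, _, _, pos = der_read(tbs, pos)
    tag, _, spki_raw, _ = der_read(tbs, pos)
    if tag != SEQUENCE:
        raise ValueError("bad SubjectPublicKeyInfo")
    return spki_raw


def spki_pin(cert_der: bytes) -> str:
    """Pin in the HPKP / Android network-security-config form: base64(SHA-256(SPKI))."""
    return base64.b64encode(hashlib.sha256(extract_spki(cert_der)).digest()).decode()


def chain_matches_pins(chain_der: list, pins: set) -> bool:
    """Accept the connection if ANY certificate in the presented chain carries a
    pinned key (leaf, intermediate or root), the way browsers applied HPKP."""
    return any(spki_pin(cert) in pins for cert in chain_der)


def make_test_cert(public_key: bytes, serial: int = 1) -> bytes:
    """Constructed, unsigned stand-in for a certificate: the RFC 5280 TLV
    skeleton with empty names, an empty signature and the given key bytes.
    Only the structure matters for pin extraction; it is NOT a valid certificate."""
    alg = der_encode(SEQUENCE, der_encode(OID, bytes.fromhex("2a864886f70d010101"))
                     + der_encode(NULL, b""))        # rsaEncryption OID, NULL params
    spki = der_encode(SEQUENCE, alg + der_encode(BIT_STRING, b"\x00" + public_key))
    tbs = der_encode(SEQUENCE,
                     der_encode(CONTEXT_0, der_encode(INTEGER, b"\x02"))  # version v3
                     + der_encode(INTEGER, bytes([serial]))
                     + alg                                                # signature alg
                     + der_encode(SEQUENCE, b"")                          # issuer (empty)
                     + der_encode(SEQUENCE, b"")                          # validity (empty)
                     + der_encode(SEQUENCE, b"")                          # subject (empty)
                     + spki)
    return der_encode(SEQUENCE, tbs + alg + der_encode(BIT_STRING, b"\x00"))


# Constructed key material: the service's own key, and the key an SSL proxy
# would substitute when it re-signs the connection with its own CA.
SERVICE_KEY = bytes(range(64))
PROXY_KEY = bytes(reversed(range(64)))
SERVICE_CERT = make_test_cert(SERVICE_KEY, serial=1)
PINNED = {spki_pin(SERVICE_CERT)}        # computed at build time, shipped inside the app

if __name__ == "__main__":
    print("pinned SPKI hash:", PINNED)
    print("direct to service:", chain_matches_pins([SERVICE_CERT], PINNED))
    print("through SSL proxy:", chain_matches_pins([make_test_cert(PROXY_KEY)], PINNED))
```

Pinning the SPKI hash rather than the whole certificate is what lets a reissued certificate with the same key (different serial, new validity dates) keep passing, while the proxy's certificate, which necessarily carries the proxy's key, fails.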
The incorrect answers:
A. OCSP stapling
OCSP (Online Certificate Status Protocol) stapling has the certificate
holder (the web server) periodically obtain a signed, time-stamped OCSP
response from the CA and include it, or “staple” it, in the TLS handshake,
so the client can check revocation status without contacting the OCSP
responder itself. It concerns revocation checking and does nothing to stop
a proxy from presenting its own certificate.
B. Offline CAs
An offline CA (Certificate Authority) is a common way to protect a root
authority: a CA that is not reachable over the network cannot be attacked
over the network, so its private key is far harder to compromise.
However, an online or offline CA won’t prevent the use of an SSL proxy.
C. Certificate chaining
Intermediate certificates are often listed between a web server’s SSL
certificate and the root certificate. This list of intermediate certificates is
called a “chain.” It’s important to configure web servers with the proper
chain, or the end user may receive an error in their browser that the server
can’t be trusted.
More information:
SY0-601, Objective 3.9 - Certificate Concepts
http://professormesser.link/601030904
A security administrator is concerned that a user may have installed a
rogue access point on the corporate network. Which of the following
could be used to confirm this suspicion?
❍ A. UTM log
❍ B. WAF log
❍ C. Switch log
❍ D. DLP log
The Answer: C. Switch log
A rogue access point would be difficult to identify once it’s on the
network, but at some point the access point has to physically connect to
the corporate network. An analysis of switch interface activity (the
switch’s logs and its MAC address table) would be able to identify any
new devices and their MAC addresses. Two signs in particular stand out: a
MAC address that is not in the asset inventory, and an access port that
suddenly carries several MAC addresses, because the access point bridges
every wireless client’s MAC onto that one switch port.
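An added example of that analysis (not the page’s own material): Python that parses `show mac address-table` output in the Cisco IOS column layout (an assumed format; the sample below is constructed), compares the learned MAC addresses against a hypothetical asset inventory, and flags access ports that carry more than one MAC address, which is what a rogue access point or unmanaged switch bridging extra clients onto a single drop looks like. The inventory, the uplink port list and the port names are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample: Cisco IOS style `show mac address-table` output
# (assumption: this column layout; other vendors differ only in the parser).
SAMPLE_MAC_TABLE = """\
          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    0050.56a1.0001    DYNAMIC     Gi1/0/1
  10    0050.56a1.0002    DYNAMIC     Gi1/0/2
  10    0050.56a1.0003    DYNAMIC     Gi1/0/7
  10    3c5a.b4c1.1234    DYNAMIC     Gi1/0/7
  10    a4c3.f0aa.beef    DYNAMIC     Gi1/0/7
  20    0050.56a1.0004    DYNAMIC     Gi1/0/24
  20    0050.56a1.0005    DYNAMIC     Gi1/0/24
"""

# Hypothetical asset inventory (MACs the organisation knows about) and the
# ports that are uplinks or trunks, where many MACs are normal.
KNOWN_MACS = {
    "00:50:56:a1:00:01": "finance-ws-01",
    "00:50:56:a1:00:02": "finance-ws-02",
    "00:50:56:a1:00:03": "finance-ws-03",
    "00:50:56:a1:00:04": "file-srv-01",
    "00:50:56:a1:00:05": "print-srv-01",
}
UPLINK_PORTS = {"Gi1/0/24"}

ROW_RE = re.compile(r"^\s*(\d+)\s+([0-9a-fA-F.:-]{12,17})\s+\w+\s+(\S+)\s*$", re.M)


def normalize_mac(mac):
    """Accept 0050.56a1.0001, 00-50-56-a1-00-01 or 00:50:56:A1:00:01 forms."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(hexdigits) != 12:
        raise ValueError(f"bad MAC {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def parse_mac_table(text):
    """Return a list of (vlan, mac, port) tuples from the switch output."""
    return [(int(v), normalize_mac(m), p) for v, m, p in ROW_RE.findall(text)]


def unknown_macs(entries, known):
    """MACs learned by the switch that are absent from the inventory."""
    return sorted({mac for _, mac, _ in entries if mac not in known})


def crowded_access_ports(entries, uplinks, limit=1):
    """Access ports carrying more than `limit` MACs: the footprint of a rogue
    AP, hub or unmanaged switch bridging extra devices onto one drop."""
    per_port = defaultdict(set)
    for _, mac, port in entries:
        if port not in uplinks:
            per_port[port].add(mac)
    return {port: sorted(macs) for port, macs in per_port.items() if len(macs) > limit}


def report(entries, known, uplinks):
    """Combine both signals: a crowded access port whose extra MACs are unknown
    is the strongest indicator and the port to inspect (or shut) first."""
    unknown = set(unknown_macs(entries, known))
    findings = []
    for port, macs in crowded_access_ports(entries, uplinks).items():
        strangers = [m for m in macs if m in unknown]
        findings.append((port, len(macs), strangers))
    return findings


if __name__ == "__main__":
    table = parse_mac_table(SAMPLE_MAC_TABLE)
    for port, count, strangers in report(table, KNOWN_MACS, UPLINK_PORTS):
        print(f"{port}: {count} MACs on an access port; unknown: {', '.join(strangers)}")
```

On the sample, Gi1/0/7 is reported with three MAC addresses, two of them not in the inventory; the same condition is what switch port security (maximum one MAC per access port) enforces automatically, and 802.1X prevents the unauthenticated device from getting a link at all.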
The incorrect answers:
A. UTM log
A UTM (Unified Threat Management) gateway is an all-in-one device
that provides firewall services, URL filtering, spam filtering, and more.
From the UTM’s perspective, the traffic from a rogue access point would
look similar to all other traffic on the network.
B. WAF log
A WAF (Web Application Firewall) would not be able to determine if
web server traffic was from a rogue access point or a legitimate wired
device.
D. DLP log
DLP (Data Loss Prevention) is important for stopping the transfer of
confidential data, but it would not be able to identify traffic from a rogue
access point.
More information:
SY0-601, Objective 4.3 - Log Files
https://professormesser.link/601040303
During a ransomware outbreak, an organization was forced to rebuild
database servers from known good backup systems. In which of the
following incident response phases were these database servers brought
back online?
❍ A. Recovery
❍ B. Lessons learned
❍ C. Containment
❍ D. Identification
The Answer: A. Recovery
The recovery phase focuses on getting things back to normal after an
attack: restoring or rebuilding systems from known-good backups or images,
fixing the exploited vulnerability, and returning the systems to
production. Frameworks that list eradication as a separate phase put the
removal of the malware there, immediately before recovery.
The incorrect answers:
B. Lessons learned
Once an event is over, it’s useful to have a post-incident meeting to discuss
the things that worked and things that didn’t.
C. Containment
When an event occurs, it’s important to minimize the impact. Isolation
and containment can help to limit the spread and effect of an event.
D. Identification
Identifying the event is an important step that initiates the rest of the
incident response processes.
More information:
SY0-601, Objective 4.2 - Incident Response
https://professormesser.link/601040201
Which of these would be used to provide HA for a web-based database application? ❍ A. SIEM ❍ B. UPS ❍ C. DLP ❍ D. VPN concentrator
The Answer: B. UPS
HA (High Availability) means that the service should always be on and
available. The only device on this list that would help provide HA is the
UPS (Uninterruptible Power Supply). If power is lost, the UPS keeps the
systems running on battery power, long enough to ride out a short outage
or for a backup generator to take over.
The incorrect answers:
A. SIEM
A SIEM (Security Information and Event Management) system
consolidates data from devices on the network and provides log searching
and reporting features. A SIEM does not provide any HA functionality.
C. DLP
DLP (Data Loss Prevention) is a method of identifying and preventing
the transfer of personal or confidential information through the network.
DLP does not provide any HA functionality.
D. VPN concentrator
A VPN (Virtual Private Network) concentrator is a device that terminates
VPN tunnels, typically for many remote users or sites at once. VPN
concentrators do not provide any HA functionality.
More information:
SY0-601, Objective 2.5 - Power Redundancy
https://professormesser.link/601020503
Sam, a user in the purchasing department, would like to send an email to
Jack. Which of these would allow Jack to verify the sender of the email?
❍ A. Digitally sign it with Sam’s private key
❍ B. Digitally sign it with Sam’s public key
❍ C. Digitally sign it with Jack’s private key
❍ D. Digitally sign it with Jack’s public key
The Answer: A. Digitally sign it with Sam’s private key
The sender of a message digitally signs with their own private key to
ensure integrity, authentication, and non-repudiation of the signed
contents. The digital signature is validated with the sender’s public key.
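To make the key roles concrete, here is an added Python illustration (not from the original page) using textbook RSA with fixed, deliberately small Mersenne primes: Sam signs with his private key, Jack verifies with Sam’s public key, and the check fails with Jack’s key or after the message is altered. The hash-to-integer step is a toy reduction, not a real signature padding scheme; the names, message and primes are assumptions chosen so the example runs without any third-party library.

```python
import hashlib


def toy_keypair(p: int, q: int, e: int = 65537):
    """Textbook RSA from two given primes. Returns (public, private) as
    (n, e) and (n, d). Toy sizes only: real keys use >= 2048-bit moduli."""
    n, phi = p * q, (p - 1) * (q - 1)
    d = pow(e, -1, phi)                 # private exponent (Python 3.8+)
    return (n, e), (n, d)


def _digest_as_int(message: bytes, n: int) -> int:
    # Toy encoding: reduce SHA-256 of the message into the RSA group. Real
    # signatures use RSASSA-PSS or PKCS#1 v1.5 padding over the full hash.
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(private_key, message: bytes) -> int:
    """Only the holder of d can produce this value for this message."""
    n, d = private_key
    return pow(_digest_as_int(message, n), d, n)


def verify(public_key, message: bytes, signature: int) -> bool:
    """Anyone holding the public key can check the signature; it passes only
    for the matching private key AND an unmodified message."""
    n, e = public_key
    return pow(signature, e, n) == _digest_as_int(message, n)


# Constructed keys from known Mersenne primes (assumption: fixed primes for
# reproducibility; they are far too small for real use).
SAM_PUBLIC, SAM_PRIVATE = toy_keypair((1 << 61) - 1, (1 << 31) - 1)
JACK_PUBLIC, JACK_PRIVATE = toy_keypair((1 << 89) - 1, (1 << 19) - 1)

MESSAGE = b"Purchase order 4711 approved. -- Sam"   # constructed sample message

if __name__ == "__main__":
    sig = sign(SAM_PRIVATE, MESSAGE)
    print("Jack verifies with Sam's public key :", verify(SAM_PUBLIC, MESSAGE, sig))        # True
    print("Verified with Jack's public key     :", verify(JACK_PUBLIC, MESSAGE, sig))       # False
    print("Message altered after signing       :", verify(SAM_PUBLIC, MESSAGE + b"!", sig))  # False
```

Sam’s public key is the only value that turns Sam’s signature back into the message digest, which is why Jack can verify the sender without ever holding Sam’s private key, and why the signature cannot be produced with Jack’s keys at all.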
The incorrect answers:
B. Digitally sign it with Sam’s public key
Since everyone effectively has access to public keys, adding a digital
signature with a publicly available key doesn’t provide any security features.
C. Digitally sign it with Jack’s private key
Jack’s private key would only be available to Jack, so Sam could not
possibly use Jack’s private key when performing any cryptographic
functions.
D. Digitally sign it with Jack’s public key
As with Sam’s public key that would be available to anyone, using Jack’s
public key would not provide any security features.
More information:
SY0-601, Objective 2.8 - Hashing and Digital Signatures
https://professormesser.link/601020803
The contract of a long-term temporary employee is ending. Which of
these would be the MOST important part of the off-boarding process?
❍ A. Perform an on-demand audit of the user’s privileges
❍ B. Archive the decryption keys associated with the user account
❍ C. Document the user’s outstanding tasks
❍ D. Obtain a signed copy of the Acceptable Use Policies
The Answer: B. Archive the decryption keys associated with the
user account
Without the decryption keys, it will be impossible to access any of the
user’s protected files once they leave the company. Given the other possible
answers, this one is the only one that would result in unrecoverable data
loss if not properly followed.
The incorrect answers:
A. Perform an on-demand audit of the user’s privileges
The user’s account will be disabled once they leave the organization, so an
audit of their privileges would not be very useful.
C. Document the user’s outstanding tasks
Creating documentation is important, but it’s not as important as retaining
the user’s data with the decryption keys.
D. Obtain a signed copy of the Acceptable Use Policies
Acceptable Use Policies (AUPs) are usually signed during the on-boarding
process. You won’t need an AUP if the user is no longer accessing the
network.
More information:
SY0-601, Objective 5.3 - Personnel Security
https://professormesser.link/601050301
A security administrator would like to encrypt all telephone
communication on the corporate network. Which of the following
protocols would provide this functionality?
❍ A. TLS
❍ B. SRTP
❍ C. SSH
❍ D. S/MIME
The Answer: B. SRTP
SRTP (Secure Real-Time Transport Protocol) is an encrypted version of
the RTP (Real-Time Transport Protocol) VoIP (Voice over IP) protocol.
SRTP uses AES (Advanced Encryption Standard) to encrypt the voice
and video over a VoIP connection.
The incorrect answers:
A. TLS
TLS (Transport Layer Security) is the successor to SSL (Secure
Sockets Layer), and it’s commonly used for encrypting communication to
a web server. Some VoIP systems use TLS to protect SIP call signaling, but
the voice media itself is carried by RTP and is encrypted with SRTP.
C. SSH
SSH (Secure Shell) is used to encrypt terminal communication. The best
practice is to use SSH instead of the insecure Telnet protocol.
D. S/MIME
S/MIME (Secure/Multipurpose Internet Mail Extensions) provides
security for the content of an email message.
More information:
SY0-601, Objective 3.1 - Secure Protocols
https://professormesser.link/601030101