PM SG 3-4 Flashcards
Match the technology:
1) Verify the status of a web server certificate
2) Credit card numbers are replaced with temporary values
3) Add randomization to a hash
4) Create a document with invalid authentication information
A) False negative
B) Honeyfile
C) Federation
D) OCSP
E) Salting
F) Tokenization
G) Blockchain
1.Verify the status of a web server certificate → D. OCSP
2.Credit card numbers are replaced with temporary values → F. Tokenization
3.Add randomization to a hash → E. Salting
4.Create a document with invalid authentication information → B. Honeyfile
A:
OCSP (Online Certificate Status Protocol): Verifies the status of certificates by checking with a Certificate Authority.
Tokenization: Replaces sensitive data (e.g., credit card numbers) with non-sensitive, temporary tokens.
Salting: Adds random data to a hash to prevent attackers from using precomputed tables (e.g., rainbow tables).
Honeyfile: A decoy document containing fake authentication information, used to detect attackers.
A user is asymmetrically encrypting an outgoing email message. Which of the following is used to encrypt this information?
1.Sender’s public key
2.Recipient’s private key
3.Sender’s private key
4.Recipient’s public key and sender’s private key
5.Recipient’s public key
Correct Answer: 5.Recipient’s public key
A:
Recipient’s public key is used to encrypt data in asymmetric encryption because only the recipient can decrypt it using their private key.
Incorrect options:
Sender’s private key: Anyone holding the sender’s public key could decrypt the message (not secure). Sender’s public key: Only the sender could decrypt it, so the recipient could not read the message.
Recipient’s private key: Used only for decryption, not encryption.
Which of the following external threat actors commonly has limited resources and relatively low attack sophistication?
1.Unskilled
2.Shadow IT
3.Organized crime
4.Nation state
5.Hacktivist
Correct Answer: 1.Unskilled
A:
Unskilled (script kiddies): Often rely on pre-made tools and lack advanced knowledge.
Incorrect options:
2.Shadow IT: Refers to unauthorized technology within an organization, not a threat actor.
3.Organized crime: Well-funded and highly skilled.
4.Nation state: Most sophisticated and resourceful.
5.Hacktivist: Motivated by ideology, often more skilled than unskilled attackers.
An administrator is configuring the security rules in a firewall. Which of the following SDN planes would be most associated with this task?
1.Data
2.Active
3.Control
4.Infrastructure
5.Management
Correct Answer: 5.Management
A:
Management plane: Handles administrative tasks like configuring rules and policies.
Incorrect options:
1.Data plane: Handles actual data traffic.
3.Control plane: Directs how data flows but doesn’t manage firewall rules.
4.Infrastructure plane: Refers to physical or virtual components of the network.
A security analyst would like to be informed if any core operating system files are modified. Which of the following would provide this functionality?
1.SIM
2.SNMP
3.FIM
4.NetFlow
5.DLP
Correct Answer: 3.FIM (File Integrity Monitoring)
A:
FIM: Monitors file changes to detect unauthorized modifications.
Incorrect options:
1.SIM (Security Information Management): Focuses on log collection and analysis.
2.SNMP: Used for network monitoring, not file integrity.
4.NetFlow: Monitors network traffic.
5.DLP: Prevents sensitive data leaks, not file changes.
A security administrator has copied a suspected malware executable from a user’s computer and is running the program in a sandbox. Which of the following would describe this part of the incident response process?
1.Eradication
2.Preparation
3.Recovery
4.Containment
Correct Answer: 4.Containment
A:
Containment: Limits the spread of malware by isolating the suspicious executable in a safe environment.
Incorrect options:
1.Eradication: Removes the threat after containment.
2.Preparation: Refers to planning and readiness, not active handling.
3.Recovery: Restores systems after containment and eradication.
Match the attack with the description:
1) Files have been accessed outside of the main website
2) User accounts with weak passwords have been identified
3) Malware is hidden in the core files of an operating system
4) Web server CPU is stuck at 100% utilization
A) Buffer overflow
B) DDoS
C) Directory traversal
D) On-path
E) SQL injection
F) Rootkit
G) Spraying
1.Files accessed outside the main website → C. Directory traversal
2.Weak passwords identified → G. Spraying
3.Malware hidden in core OS files → F. Rootkit
4.Web server CPU at 100% → B. DDoS
A:
Directory traversal: Exploits improper validation to access files outside of the intended directory.
Spraying: Attempts weak passwords across many accounts.
Rootkit: Hides malware deep within OS files.
DDoS: Overwhelms system resources, causing high CPU utilization.
A new firewall specification states the firewall is expected to operate properly for 29 years. Which of the following describes this expectation?
1.RTO
2.MOU
3.MTBF
4.RPO
5.MTTR
Correct Answer: 3.MTBF (Mean Time Between Failures)
A:
MTBF: Predicts how long a device will operate without failure.
Incorrect options:
1.RTO (Recovery Time Objective): Refers to downtime recovery goals.
2.MOU (Memorandum of Understanding): Outlines agreements, not hardware lifespans.
In a zero trust architecture, which component is responsible for allowing, monitoring, and terminating connections?
1.Policy decision point
2.Policy enforcement point
3.Control plane
4.Policy engine
5.Policy administrator
Correct Answer: 2.Policy enforcement point
A:
Policy enforcement point: Monitors, allows, or terminates connections based on policy.
Incorrect options:
1.Policy decision point: Makes decisions but doesn’t enforce them.
5.Policy administrator: Implements decisions but doesn’t directly handle traffic.
A web server log file contains this query: "SELECT * FROM users WHERE name = 'Professor' OR '1' = '1'"; Which of the following would describe this log entry?
1.DoS
2.SQL injection
3.Cross-site scripting
4.Race condition
5.Buffer overflow
Correct Answer: 2.SQL injection
A:
SQL injection: Attacker manipulates SQL queries to access or modify database data.
Incorrect options:
1.DoS: Denies service but doesn’t involve SQL queries.
3.Cross-site scripting: Injects scripts that run in a user’s browser, not SQL statements against the database.
A security administrator requires all laptop storage drives to be configured with full disk encryption. Which of the following would BEST describe the state of this data?
1.Data sovereignty
2.Data at rest
3.Data redundancy
4.Data masking
5.Data retention
Correct Answer: 2.Data at rest
A:
Data at rest: Refers to data stored on physical media, protected by encryption.
Incorrect options:
3.Data redundancy: Refers to data backup copies.
4.Data masking: Hides specific data fields, unrelated to encryption.
A security engineer is viewing this record from the firewall logs:
UTC 04/05/2023 03:09: 15809 AV Gateway Alert
136.127.92.171 80 > 10.16.10.14 60818
Gateway Anti-Virus Alert:
XPACK.A_7854 (Trojan) blocked.
Which of the following can be observed from this log information?
1.The victim’s IP address is 136.127.92.171
2.A download was blocked from a web server
3.A botnet DDoS attack was blocked
4.The Trojan was blocked, but the file was not
Correct Answer: 2.A download was blocked from a web server
A:
A download was blocked: The log indicates an anti-virus alert from the gateway, stopping the Trojan.
Incorrect options:
1.Victim’s IP: 136.127.92.171 is the web server, not the victim.
4.Trojan was blocked but file was not: The log states the Trojan was blocked outright.