Pocket Prep 2 Flashcards

1
Q

The CISO asks you to assess the maturity of their security operations center. Which of the following is the most applicable model to use for the assessment?

A. GDPR
B. NIST
C. CMMI
D. COPPA

A

C. CMMI

Explanation:
Capability Maturity Model Integration is a process improvement model that groups projects and organizational units into one of five maturity levels. From lowest to highest, the five maturity levels are:

  1. Initial
  2. Managed
  3. Defined
  4. Qualitatively managed
  5. Optimized
2
Q

Which of the following does asymmetric cryptography provide?

A. Nonrepudiation and integrity only
B. Confidentiality only
C. Nonrepudiation, authentication, integrity and confidentiality
D. Authentication only

A

C. Nonrepudiation, authentication, integrity and confidentiality

Explanation:

3
Q

Which of the following is true about RPO and backup frequency?

A. Backup frequency + RPO = RTO
B. RPO should be less than or equal to backup frequency
C. RTO + RPO = backup frequency
D. Backup frequency should be less than or equal to RPO

A

D. Backup frequency should be less than or equal to RPO

Explanation:
RPO is the maximum amount of allowable lost data in the event of a service disruption. Therefore, organizations should ensure their backups occur at intervals no longer than their RPO. Otherwise, even with an instantaneous RTO, an unacceptable amount of data loss may occur.

4
Q

What is the formula for calculating ALE?

A. ALE = SLE x AV
B. ALE = SLE x ARO
C. ALE = SLE x EF
D. ALE = AV x EF

A

B. ALE = SLE x ARO

Explanation:
The formula for calculating ALE (Annualized loss expectancy) is:

ALE = SLE x ARO

SLE (Single Loss Expectancy) is calculated by multiplying AV (asset value) by EF (exposure factor).

5
Q

Two companies share the same office building and have determined that it is in both their best financial interests to share hardware and infrastructure to save on costs.
They have drafted and signed an agreement stating the required controls for defense of the hardware and networking components.

What kind of agreement is this?

A. Operation level agreement
B. Interconnection security agreement
C. Nondisclosure agreement
D. Business partnership agreement

A

B. Interconnection security agreement

Explanation:
An ISA is a specific contract related to network connections and exchanging traffic.

An OLA (Operational Level Agreement) is an agreement about responsibilities between different support teams.

6
Q

How is firmware patching different from application patching?

A. Firmware patches are applied from within the OS
B. Firmware patches are more frequent than application patches
C. Firmware patching updates instructions in EEPROM
D. Firmware patches apply to software such as web browsers and word processors

A

C. Firmware patching updates instructions in EEPROM

Explanation:
Patching firmware is a more involved process than patching applications because it updates the instructions stored in the underlying hardware.

7
Q

The expected risk factor of an annual threat event is referred to as what?

A. EF
B. SLE
C. AV
D. ALE

A

D. ALE

Explanation:
Annualized loss expectancy is the expected risk factor for a threat event on a yearly basis. To calculate ALE, you must know the SLE (single loss expectancy) and the ARO (annualized rate of occurrence). ALE is calculated as follows:

ALE = SLE x ARO

8
Q

Why do cloud service providers have availability zones?

A. To provide independent locations within a geographic region for failover and redundancy
B. To provide geographically diverse servers to improve the performance, reliability and availability for delivering content
C. To provide logically isolated resources in a virtual network environment
D. To provide an environment for final testing before putting an application into production

A

A. To provide independent locations within a geographic region for failover and redundancy

Explanation:
An availability zone is a unique location within a region that has independent power, cooling, and networking. It allows for increased availability and fault tolerance.

9
Q

Which is an application layer protocol used to retrieve email from an email server that can replace POP3?

A. IMAP
B. SMTP
C. POP6
D. HTTP

A

A. IMAP

Explanation:
Internet Message Access Protocol (IMAP) is an application layer email protocol. Unlike POP3, IMAP enables email download without deleting the copy of the email on the server, which is a useful feature for remote clients. IMAP uses port 143. The secure version of IMAP uses SSL/TLS encryption and port 993.

10
Q

When is it possible to perform passive sniffing with a packet sniffer?

A. When it is connected to a hub
B. When it is connected to an unmanaged switch
C. When it is connected to a VLAN
D. When it is connected to a managed switch

A

A. When it is connected to a hub

Explanation:
Network hubs do not break up collision domains and send all traffic to all ports. Therefore, a packet sniffer can passively sniff all traffic sent to a hub.

11
Q

Which of the following is a document that details security requirements and supporting documents?

A. DAST
B. SAST
C. SRTM
D. CDN

A

C. SRTM

Explanation:
A security requirements traceability matrix is a document that contains security requirements and supporting documentation. It includes details such as requirement numbers, descriptions, and how to validate the requirements.

12
Q

Of the following, which specifically is a type of distributed infrastructure that emphasizes interoperability across applications?

A. CRM
B. GRC
C. ESB
D. SOA

A

D. SOA

Explanation:
A service oriented architecture (SOA) is a type of distributed infrastructure that emphasizes interoperability across applications and services.

13
Q

What term describes information about data like EXIF information in a .jpeg file?

A. Metadata
B. Superdata
C. XOR data
D. CMDB data

A

A. Metadata

Explanation:
Metadata is information about data. EXIF information in a .jpeg file is one example of metadata. Another example is email headers.

14
Q

Which of the following is NOT a risk related to PBX systems and traditional analog telephony?

A. Default passwords
B. SPIT
C. Slamming
D. Cramming

A

B. SPIT

Explanation:
Spam over Internet Telephony (SPIT) is a spam technique that targets VoIP, not legacy PBX and traditional analog telephony.

15
Q

Which is a correct matching of the secure versions of the email protocols and their default ports?

A. IMAP: 993, POP: 995, SMTP: 465 and 587
B. IMAP: 995 and 587, POP: 993, SMTP: 465
C. IMAP: 465 and 587, POP: 993, SMTP: 995
D. IMAP: 993, POP: 465 and 587, SMTP: 995

A

A. IMAP: 993, POP: 995, SMTP: 465 and 587

Explanation:
These email protocols and their default (unencrypted) ports are IMAP: 143, POP: 110 and SMTP: 25.

The protocols also support encryption on these ports: IMAP: 993, POP: 995 and SMTP: 465 (implicit encryption) and 587 (explicit encryption, via STARTTLS).

16
Q

Which of the following is a difference between a SAN and a NAS?

A. Clients view a SAN as a local disk or volume and view a NAS as an independent file server
B. Clients can connect to a SAN via a network, but cannot connect to a NAS via a network
C. NAS is an authentication protocol; SAN is a privacy protocol
D. Clients view a NAS as a local disk or volume and view a SAN as an independent file server

A

A. Clients view a SAN as a local disk or volume and view a NAS as an independent file server

Explanation:
Clients view a SAN as a local disk or volume and view a NAS as an independent file server.

17
Q

Which of the statements below about signature based and heuristic based antivirus programs is FALSE?

A. Signature based antivirus needs regular updates
B. Heuristic based antivirus is better at detecting zero day threats
C. Heuristic based antivirus often uses AI
D. Signature based antivirus is better at detecting polymorphic viruses

A

D. Signature based antivirus is better at detecting polymorphic viruses

Explanation:
Heuristic based AV detects threats based on behavior patterns. This makes heuristic based AV better at detecting zero day and polymorphic threats that do not have a known signature.

18
Q

You manage a website that provides collaboration for several researchers and analysts and currently allows everyone to work on each other's documents. Some of the group members have approached you with concerns that their documents should not be available to some individuals, and that they want to provide complete access to others.

Which of the following control methods should you implement?

A. MAC
B. DAC
C. RBAC
D. DNSSEC

A

B. DAC

Explanation:
With discretionary access control (DAC), the owner of a file decides who is granted access to it.

Mandatory access control (MAC) controls access based on policies that use security levels to determine access.

Role Based Access Control (RBAC) grants access based on user roles and permissions.

19
Q

When it comes to data classification, who is responsible for technical controls?

A. Vector admin
B. Data owner
C. Vector enclave
D. Data custodian

A

D. Data custodian

Explanation:
Data custodians have technical control of data. Data owners have administrative control of data.

20
Q

A company has decided that they need to secure and lock down all proprietary data currently located on an internal storage server. All of this data resides within a folder titled Proprietary. The company has hired your firm to carry out this procedure.

What should you do?

A. Locate and encrypt the entire proprietary folder
B. Enact a hashing function for all files in the proprietary folder
C. Enact digital signatures for every user in the company who should have access to the proprietary folder
D. Implement an HMAC for the data in the folder

A

A. Locate and encrypt the entire proprietary folder

Explanation:
Selecting an encryption algorithm, locating the folder, and then encrypting it is the appropriate approach. Hashing only verifies that the data has not been altered. Digital signatures are objects that provide sender authentication and message integrity when included with messages.

21
Q

Which of the following is a protocol that devices can use to obtain digital certificates?

A. VNC
B. SCEP
C. VPC
D. OTA

A

B. SCEP

Explanation:
Simple Certificate Enrollment Protocol (SCEP) is used by devices to obtain digital certificates.

Over the Air (OTA) is taken from the term OTA updates. OTA updates allow teams responsible for applying updates to software or firmware to apply them remotely without requiring physical access to the devices.

22
Q

Which peer to peer protocol is middleware used in air traffic control and autonomous vehicles that includes features such as authentication, access control, confidentiality and integrity?

A. DNP3
B. Zigbee
C. Data distribution service
D. CAN bus

A

C. Data distribution service

Explanation:
The Data Distribution Service (DDS) is a middleware protocol for data centric connectivity in systems that require real time data exchange.

23
Q

What technology is often used with cloud data storage and spreads data, parity information and capacity across multiple drives to improve availability and recovery times relative to RAID?

A. IR
B. DDP
C. MPLS
D. VPC

A

B. DDP

Explanation:
A Dynamic Disk Pool (DDP) spreads data and storage capacity across a pool of disks to improve availability and recovery times relative to traditional RAID.

24
Q

Which protocol allows for the key agreement process in asymmetric algorithms?

A. Diffie Hellman
B. 3DES
C. ECB
D. RACE integrity primitives evaluation message digest

A

A. Diffie Hellman

Explanation:
In the Diffie-Hellman process, two parties each generate a public and private key pair. The parties share their public keys with each other and use them, together with their own private keys, to derive a shared secret key for communicating securely.

25
Q

Which mode of 3DES has each block of data encrypted with the first key, decrypted with the second key and then encrypted with the third key?

A. 3DES-EEE2
B. 3DES-EEE3
C. 3DES-EDE3
D. 3DES-EDE2

A

C. 3DES-EDE3

Explanation:
3DES-EEE3 has each block encrypted three times, with a different key each time. 3DES-EEE2 has each block encrypted with the first key, encrypted with the second key and then encrypted with the first key again. 3DES-EDE2 has each block encrypted with the first key, decrypted with the second key and encrypted again with the first key.

26
Q

Which does not describe a perimeter network?

A. It is not accessible externally or by the public
B. Allows controlled access to publicly available servers
C. Allows precise control of traffic between the internal, external and perimeter networks
D. Requires additional interfaces on the firewall

A

A. It is not accessible externally or by the public

Explanation:
One of the most common implementations of a security zone is a perimeter network placed between the internet and an internal network. The advantage of having a perimeter network is that it enables you to have controlled access to publicly available servers and provides precise control of traffic between those servers and the internal, external and perimeter network zones of the network.
However, it does require additional interfaces on the firewall as well as multiple public IP addresses for servers in the perimeter network, since NAT is not possible here.

27
Q

What term describes an application programming interface (API) that allows access to multiple endpoints via a single call?

A. Open API
B. Composite API
C. Private API
D. RFC 6902 API

A

B. Composite API

Explanation:
A composite API allows access to multiple endpoints via a single call. An open API is a publicly available API.

28
Q

Database admins have been looking over their customer database because of concerns about the performance impact of this database. They have found that only some of the entries need to be encrypted.

What type of encryption would you suggest?

A. File
B. Record
C. Block
D. Disk

A

B. Record

Explanation:
Record level encryption is encryption done at the level of individual records, which has a positive effect on both performance and security.

29
Q

What is the purpose of using NX bits?

A. To detect and correct errors in data during transmission and storage
B. To specify areas of memory that cannot be used for execution
C. To indicate that a file has been modified since the last full backup
D. To segregate areas of memory for use by either storage of code or storage of data

A

D. To segregate areas of memory for use by either storage of code or storage of data

Explanation:
The No-Execute (NX) bit enhances the security of a CPU as it operates. It can protect against buffer overflow and code injection attacks.

30
Q

What technology is often used with cloud data storage and spreads data, parity information and capacity across multiple drives to improve availability and recovery times relative to RAID?

A. IR
B. DDP
C. MPLS
D. VPC

A

B. DDP

Explanation:
A dynamic disk pool spreads data and storage capacity across a pool of disks to improve availability and recovery times relative to traditional RAID.

31
Q

A company wants to increase its security by encrypting the communication used to translate IP addresses to domain names, which is normally done in plaintext. Which solution should they enable on both clients and servers to enable this?

A. SED
B. Custom DNS
C. COBO
D. DoH

A

D. DoH

Explanation:
DNS over HTTPS (DoH) is a method for encrypting DNS queries.

32
Q

The CTO is looking at whether the security requirements of a new asset are up to standard. They would like to determine whether the security requirements were adhered to from origin to implementation

Which of the following would they look to for this information?

A. SCEP
B. SAST
C. DAST
D. SRTM

A

D. SRTM

Explanation:
A security requirements traceability matrix is a document that contains security requirements and supporting documentation. It includes details such as requirement numbers, descriptions and how to validate the requirements.

33
Q

The two most common algorithm types for encryption are asymmetric and symmetric. Of the following, which is NOT an asymmetric algorithm?

A. Diffie-Hellman
B. RSA
C. Blowfish
D. ECC

A

C. Blowfish

Explanation:
RSA, Diffie-Hellman and ECC are all asymmetric encryption algorithms; Blowfish is a symmetric algorithm.
Asymmetric algorithms are much harder to decipher, but they require more complicated encryption methods that can take longer in certain instances. Asymmetric encryption uses a public key to encrypt data so that only the private key can decrypt it.

34
Q

What type of rule action tells an IDS to block a packet without logging it?

A. NLdrop
B. Reject
C. Drop
D. Sdrop

A

D. Sdrop

Explanation:
IDSs support a variety of rule actions that allow administrators to define what the system should do with a packet that meets the criteria of a specific rule. Three different ways a rule can block transmission of a packet are:

Drop - Blocks transmission of a network packet and logs the activity.
Reject - Blocks transmission of a network packet and logs the activity. Sends a TCP reset for TCP traffic. Sends an ICMP unreachable message for UDP traffic.
Sdrop - Blocks transmission of a network packet and does not log the activity.

35
Q

A company has suffered a security incident and needs to start collecting evidence. Of the following types of evidence, which should be collected first?

A. Swap space
B. Memory
C. Cache
D. Kernel statistics

A

C. Cache

Explanation:
When there is an incident, the most volatile information should be collected first, so that it does not get overwritten.
The most volatile information is the CPU, cache, and registers.

Kernel statistics are in the list of the second most volatile components. Memory is the third most volatile component. Swap space is the fourth most volatile component.

36
Q

Which of the following statements about FIM is false?

A. FIM agents provide continuous monitoring in real time
B. FIM agents consume host resources
C. Agentless FIM scanners provide continuous monitoring in real time.
D. Agentless FIM scanners have to rebaseline on every scan

A

C. Agentless FIM scanners provide continuous monitoring in real time.

Explanation:
There are two basic approaches to FIM:

Agent Based - This involves running a FIM agent on each host. This approach provides continuous real time file monitoring, but is more complex to maintain and consumes host resources at a much higher level than agentless FIM.

Agentless - This involves running FIM scans at predefined times. This approach is easier to manage (no agents to maintain) and does not consume the level of host resources agent based FIM does. However, agentless FIM does not provide continuous real time monitoring and must re-baseline on every scan.

37
Q

A company has a disaster recovery site with networking gear and servers running backups that are updated every week. The room has production ready power and cooling and is 75 degrees Fahrenheit. The IT operations team will have to restore more recent backups to get the servers to be production ready in the event of a failure.

What type of disaster recovery site is this?

A. Warm site
B. Cold site
C. Hot site
D. Mobile Site

A

A. Warm site

Explanation:
Mobile site - A DR site that can move to a new location, such as a trailer full of preconfigured IT infrastructure equipment.

Hot Site - A DR site that is running with a recent copy of production data. Switching over to a hot site generally comes with minimal data loss.

Warm Site - A DR site that is set up but does not have the latest backups. A warm site generally takes longer than a hot site to provision and make production ready.

Cold Site - A DR site that is not fully set up and will take significant work to configure and make production ready. Failing over to a cold site will generally involve much more downtime and data loss than a hot or warm site.

38
Q

What protocol is susceptible to SYN floods?

A. TCP
B. UDP
C. OTA
D. SAST

A

A. TCP

Explanation:
TCP uses a three way handshake to establish communications. The three way handshake process begins with a SYN (synchronize) message from the sender, which the receiver answers with a SYN-ACK that the sender should then acknowledge with an ACK message. Threat actors can abuse this behavior in DDoS attacks by sending a flood of SYN messages without completing the handshake, leaving half-open connections on the target.

UDP is connectionless and has no SYN packets, so it is not susceptible to SYN floods.

39
Q

A company is concerned that business may come to a complete halt in the event of a natural disaster. They ask you to draft a set of procedures and practices that will enable the business to continue operations in the event of a natural disaster or comparable event.

What type of document should you create?

A. FRAP
B. OLA
C. COOP
D. Residual Risk

A

C. COOP

Explanation:
A continuity of operations (COOP) document details the procedures and practices that will enable a business to continue operations in the event of a natural disaster or similarly severe service disruption.

An OLA (Operational Level Agreement) is an agreement about responsibilities between different support teams.

40
Q

What is the difference between OCSP and CRL revocation control?

A. CRL is slower but more reliable than OCSP
B. CRL actively responds and OCSP is a static list
C. CRL is a premium service, and OCSP is open source
D. OCSP provides information in real time, and CRL is a static list

A

D. OCSP provides information in real time, and CRL is a static list

Explanation:
Online Certificate Status Protocol (OCSP) is an Internet protocol that obtains the revocation status of a digital certificate using its serial number. OCSP is an alternative to the standard certificate revocation list (CRL). An OCSP responder validates the certificates and reports back the status of the digital certificates, based on the revocation information held by the certificate authority (CA).

41
Q

A company has a disaster recovery site with an empty server rack. Air conditioning and power are available at the site and servers and network equipment is still in the box. The IT operations team plans to install the equipment in the event of a production site failure.

What type of disaster recovery site is this?

A. Warm site
B. Hot Site
C. Cold Site
D. Mobile Site

A

C. Cold Site

Explanation:

42
Q

A company uses a public cloud storage service. To avoid the cloud service provider being able to decrypt the company's data, the company created their own keys and manages them directly. The service provider does not have access to the keys and cannot decrypt the data.

What approach to key ownership is this?

A. A RRSIG
B. BYOK
C. BYOD
D. HYOK

A

D. HYOK

Explanation:
In the Hold Your Own Key (HYOK) model, customers create and manage their own keys. The cloud service provider does not have access to the keys and cannot decrypt the data.

43
Q

Of the following, which is the protocol used to send mail from clients to server and from server to server?

A. IMAP
B. MPLS
C. POP3
D. SMTP

A

D. SMTP

Explanation:
Simple Mail Transfer Protocol (SMTP) is a network protocol for sending emails.

IMAP and POP3 are protocols for downloading email, not sending it.

44
Q

The portion of the Internet that search engines have not indexed is known as which of the following?

A. Dark web
B. Deep web
C. OSINT
D. HUMINT

A

B. Deep web

Explanation:
The deep web is the portion of the Internet that search engines have not indexed. The deep web is a common source of OSINT.

The dark web is a subset of the deep web that emphasizes anonymity and often enables illegal activity.

45
Q

What advantage does PAT have for a network?

A. To allow different software applications to interact with each other
B. To enable devices with private IP addresses to connect to the Internet
C. To detect and prevent attacks against a network
D. To protect web application servers from various types of attacks

A

B. To enable devices with private IP addresses to connect to the Internet

Explanation:
Port Address Translation (PAT) is a one to many form of Network Address Translation that allows one public address to represent an entire private network.

46
Q

Which of the following is true about Elliptic Curve Cryptography (ECC)?

A. It is a form of RSA
B. It is a form of symmetric encryption
C. It is not suitable for mobile devices because it is resource intensive
D. It is cryptographically stronger than algorithms based on logarithms

A

D. It is cryptographically stronger than algorithms based on logarithms

Explanation:
ECC is cryptographically stronger, per bit of key length, than algorithms based on discrete logarithms.

47
Q

What is the primary difference between a message authentication code (MAC) and digital signature?

A. Digital signatures use symmetric encryption, MACs use asymmetric encryption
B. MACs use symmetric encryption, digital signatures use asymmetric encryption
C. MACs use 256 bit encryption, digital signatures use 512 bit encryption
D. MACs and digital signatures are the same thing

A

B. MACs use symmetric encryption, digital signatures use asymmetric encryption

Explanation:
MACs use a shared secret key and symmetric cryptography, so any holder of the key can both create and verify a MAC. Digital signatures rely on asymmetric cryptography: the private key signs and the public key verifies, which is what allows them to provide nonrepudiation.

48
Q

Disabling USB ports and restricting physical access to servers are examples of which type of defense in depth?

A. Vector oriented security
B. Uniform protection
C. Information centric security
D. Protected enclaves

A

A. Vector oriented security

Explanation:
Vector oriented security deals with protecting common attack vectors. Limiting physical access to servers and disabling USB ports are two examples of vector oriented security.

49
Q
A