Practice Exam 1 Flashcards

1
Q

Which of the following refers to the connection of events based on some common basis?

A

Correlation

2
Q

A manufacturing company has hired a third-party team to discover and exploit its system vulnerabilities on two subnets used by devices in a tire manufacturing plant. Prior to the technical testing portion of the engagement, team members scanned public social media posts of plant employees and discovered specific versions of network infrastructure equipment in use at that plant.
After the testing, what phrase should testers include in the documented findings that are presented to the manufacturing company?
-Penetration tested a partially known environment
-Vulnerability scanned an unknown environment
-Penetration tested an unknown environment
-Vulnerability scanned a partially known environment

A

Penetration tested a partially known environment.

Something about the environment is known, which makes it “partially known”.
Testers are attempting to identify and exploit discovered vulnerabilities, which makes it “penetration testing”.

3
Q

What technique is used to identify and track patterns in human emotions, opinions, or attitudes that may be present in data?

A

Sentiment analysis

4
Q

Your web application developers come to you and request affinity scheduling from the load balancers. Why does a web application benefit from affinity scheduling?

A

Affinity scheduling can allow a user to stay logged in to a session instead of opening a new session each time they are sent to a new server host.

Affinity scheduling sends each subsequent request to the same web server, allowing the server to track session state even though HTTP/HTTPS is a stateless protocol

5
Q

Which of the following is an older form of attack where a malicious/compromised website places invisible controls on a page, giving users the impression they are clicking some safe item that actually is an active control for something malicious?

A

Clickjacking

This attack is almost never seen anymore as it’s easy to detect this type of attack

6
Q

Which of the following is a software or a hardware appliance responsible for balancing user requests and network traffic among several different physical or virtualized hosts?

A

Load Balancer

7
Q

What capability is used to check the origin of an email sender?

A

DNS

8
Q

For which of the following should employees receive training to establish how they are to treat information of differing sensitivity levels?

A

Information classification

An organization’s information classification policy outlines what level of security protections certain data receives and instructs employees on how to treat sensitive data

9
Q

Which of the following statements best defines the recovery point objective (RPO)?

A

The maximum allowable amount of data (measured in time) that the organization can afford to lose during a disaster or an incident

10
Q

You have been tasked with conducting a security assessment of hosts on an IP subnet. The subnet hosts run a variety of services including HTTP and SQL databases. When configuring the vulnerability scan, you enter a number of sets of valid credentials that will be used when probing hosts. After running the scan and reviewing the results, a colleague suggests the scan results are useless since the credentials were known.
Which IT security concept validates the scan results?

A

Zero Trust

This concept requires security experts to consider the insider threat; not to trust users and IT systems behind firewalls on internal networks

11
Q

Which correctly describes the incident response team?

A

Personnel designated to respond to an incident

12
Q

What role does the blue team play in exercises and competitions?

A

Defensive actions

13
Q

Which of the following statements is not true about PUPs (potentially unwanted programs)?

A

PUPs are usually installed by worms.

PUPs are usually bundled with legitimate apps by third-party download sites and not spread by worms. Example- you may download and install a photo editing app but it also installs a browser toolbar that you don’t really want.

14
Q

You have been tasked with planning a solution where cryptographic key generation and web application cryptographic operations are centralized on the network. What should you implement?

A

HSM

A network hardware security module (HSM) is a tamper-proof security device connected to the network that can perform cryptographic operations for many network hosts

15
Q

You are preparing to begin an IT technical penetration test of a web application server. Which tasks relate to the reconnaissance phase of the testing?

A

Identify the web administrator

The reconnaissance phase focuses on learning as much as possible about the target. Knowing the web administrator can lead attackers to scour the web for anything related to that person

16
Q

Which of the following terms indicates the length of time a device is expected to last in operation, and only a single, definitive failure will occur and will require that the device be replaced rather than repaired?

A

mean time to failure

The MTTF is the length of time a device is expected to last in operation

17
Q

You get a new batch of servers into your network operations center. After you install the initial operating system (OS), what is your first step in applying system hardening to the servers?

A

Closing unused ports and disabling unused services

This reduces the attack vector and can prevent future vulnerabilities

18
Q

Which of the following is the biggest risk involved in cloud computing?

A

Lack of control

lack of control over data and the infrastructure

19
Q

Which type of cloud service is usually operated by a third-party provider that sells or rents “pieces” of the cloud to different entities, such as small businesses or large corporations, to use as they need?

A

Public

A public cloud is operated by a third-party provider who leases the space in the cloud to anyone who needs it

20
Q

You are asked to prepare a brief to senior management about insider threats. You detail the use of data loss prevention (DLP) as a major factor in identifying and protecting against insider threats. What is the primary reason DLP can protect against these threats?

A

Prevention of sensitive data being transferred in an unauthorized manner

DLP is designed to prevent sensitive data from being moved onto storage that could allow it to be transferred outside an organization, or to prevent sensitive data from being sent via email

21
Q

To reduce the configuration management burden of user devices, your manager has decided a security monitoring solution must be implemented where technician stations can scan and query user devices on demand. The installation, configuration, and maintenance of security monitoring software on user devices is not desirable. What type of device security monitoring solution should be considered?

A

Agentless

An agentless solution does not require software running on user devices. Instead, security actions can be initiated from servers or technician stations

22
Q

Which of the following terms represents the manufacturer’s best guess (based on historical data) regarding how much time will pass between major failures of a component produced by that manufacturer?

A

Mean time between failures

MTBF represents the manufacturer’s best guess (based on historical data) regarding how much time will pass between major failures of that component. This is assuming that more than one failure will occur, which means that the component will be repaired, rather than replaced

23
Q

You are part of a penetration testing red team that will attempt to discover and exploit IT service vulnerabilities. Due to the sensitive nature of data on the network to be pen tested, the red team has been asked to sign a legal document. Which document is the most likely to be signed?

A

Non-disclosure agreement

An NDA is common with penetration testing teams. It assures the data custodians that any sensitive data exposed during the testing will not be disclosed to third parties under any circumstances

24
Q

Which of the following solutions allow applications that users can download, install, and execute to be added to a safe list?

A

Whitelisting

Applications that users are allowed to download, install, and execute are added to a whitelist (“allow list”) by an administrator. It is the opposite of blacklisting

25
Q

Which of the following refers to the collecting of information in a central place, in a common format, to facilitate analysis and decision making?

A

Aggregation

26
Q

Which of the following correctly defines a combination of hardware and software that classify and analyze data from numerous sources?

A

SIEM

Security Information and Event Management systems consist of a combination of hardware and software that classify and analyze data from numerous sources

27
Q

Your monitoring and patch management was put together in house. It has multiple scripts that need to log in to servers and network devices to query for certain information. It currently uses Telnet to establish these connections using credentials stored in a flat file. In improving the security of the monitoring system, what are some reasons you would mandate switching to SSH?
-Uses asymmetric keys for authentication
-Allows access to superuser commands
-Does not require the use of pre-shared keys
-Uses an encrypted connection

A

-Uses asymmetric keys for authentication
-Uses an encrypted connection

The connections between the client and server are encrypted. This prevents the credentials from being observed in the packets on the network. SSH performs authentication using server asymmetric keys

28
Q

You have received an unsolicited email message from a website stating that you should click a button to reset your password. What would you do?

A

Visit the vendor website and, if needed, update your password there.

29
Q

Why is event deduplication an important function of a SIEM system?

A

A SIEM system can record events in a central store and eliminate redundant events to produce more accurate statistics and analysis

30
Q

Which of the following types of network connected systems can manage heating, ventilation, and air conditioning controls?

A

Supervisory control and data acquisition

31
Q

What is one major disadvantage external actors have when compared to internal actors?

A

External actors have to establish access to the systems they want to attack

32
Q

Which of the following formal management efforts is designed to remediate security flaws discovered in applications and operating systems?

A

Patch management

It is the formal management effort designed to remediate vulnerabilities and other software flaws on a regular basis
33
Q

Which of the following are used to back up files that have changed since the last full backup of a virtual machine? Select two.
-Differential backup
-Incremental backup
-System state backup
-Snapshot

A

-Differential backup
-Incremental backup

34
Q

Your organization wants you to create and implement a policy that will detail proper use of its information systems during work hours. Which of the following is the best choice?

A

Acceptable use policy

The policy details what is and what is not acceptable for users to do during their working hours, including personal use and unacceptable activities on the company network, such as gambling

35
Q

You have received reports that a number of hosts in your company's internal network are sluggish and unresponsive. After troubleshooting other items, you decide to use a sniffer to examine the network traffic coming into the host. You see that massive amounts of ICMP broadcasts are being sent on the network. The switch is having trouble processing all of this traffic, due to repeated ICMP replies, causing it to slow down. Which of the following is the most likely explanation for this?

A

Flood attack

This is a type of network attack based upon confusing a switch with ICMP traffic

36
Q

The installation guide for your new antivirus includes a section on encryption/decryption loop-monitoring options. The guide says these options may use more resources if enabled, so why should you enable them?

A

Encrypted executables cannot be scanned with traditional means. Therefore, watching for unusual encryption/decryption loops can indicate a program is malicious.

Encryption prevents antivirus programs from scanning the files used by the malware, thus preventing detection. Scanning for encryption operations when most programs do not use encryption regularly is a good way to identify potential threats.

37
Q

Which of these items are considered "unsecure" protocols? Select three.
-HTTP
-SSH
-Telnet
-FTP

A

-HTTP
-Telnet
-FTP

SSH is incorrect; it stands for Secure Shell

38
Q

Which of the following statements best describes a buffer overflow attack?

A

An attack that exceeds the memory allocated to an application for a particular function, causing it to crash.

39
Q

You are conducting a penetration test for a vehicle repair shop. The environment consists of a guest Wi-Fi network requiring a security code, which is printed on a piece of paper in the guest waiting area. The employee computers are connected to a separate wired network in the office. After posing as a legitimate customer, you wait in the guest lounge connected to the Wi-Fi network, and capture network traffic using a network protocol analyzer program. After analyzing traffic, you realize that the Wi-Fi router appears to be using vulnerable network protocols. To which penetration testing phase does this activity apply?

A

Reconnaissance

Reconnaissance means learning as much as possible about attack targets. Capturing network traffic is considered passive; there is no reaching out and scanning of some or all hosts and devices on the network

40
Q

What resides on network devices and filters traffic coming into and out of the device?

A

ACL

An Access Control List

41
Q

If you are trying to collect information about a company in the stealthiest manner possible without being discovered, you might use which of the following?

A

Passive reconnaissance

This is performed using methods to gain information about targeted computers and networks without actively engaging with the target system, thus avoiding detection. It may gain less information than other methods, but is quieter

42
Q

Travis just got promoted to network administrator after the previous administrator left rather abruptly. There are three new hires that need onboarding with user accounts. When Travis looks at all the existing account names, he notices there is no common naming system. Where should he look to try to give the new hires user accounts with proper naming conventions?

A

The company's account policy
43
Q

Which of the following is a form of intentional interference with a wireless network?

A

Jamming

This is an intentional interference with the signal of a wireless network. Often part of a DoS attack

44
Q

Public ledgers are used to track transactions for which of the following?

A

Cryptocurrency

45
Q

Which of the following types of factors could be used to describe a fingerprint-based method of logging in and authenticating to a touchscreen device?

A

Something you are

A biometric factor

46
Q

Why is time synchronization an important function for a SIEM system to perform?

A

It's important to compare events in both local time for local events and UTC

SIEM systems can simplify the maintenance and correlation of local events to UTC

47
Q

Which of the following involves the use of rules and analytical engines to identify predetermined patterns and react to them?

A

Automated alerting

48
Q

What type of control assists and mitigates the risk an existing control is unable to mitigate?

A

Compensating control

A compensating control assists and mitigates the risk an existing control is unable to mitigate

49
Q

For security purposes, how are network hosts typically separated? Choose two.
-Physically
-Functionally
-Logically
-Geographically

A

-physically
-logically

Networks are typically separated for security purposes either physically, logically, or both. Physical separation involves separating network hosts by connecting them to different devices. Logical separation involves separating them through segmented IP subnetworks

50
Q

Your company is in the midst of negotiating a business partnership with an organization specializing in secure software development for the medical industry. The partner organization has requested proof that your organization is compliant with HIPAA data privacy standards. What type of documentation

A

Security Attestation

This is a formal verification that a given party has achieved a specified security status, or compliance, with a security regulation such as HIPAA in the medical industry. Attestation letters can be provided by third-party security auditors or data privacy officers within an organization

51
Q

Jewel's team located a compromised system. Their SIEM software successfully disconnected the system, but her team hasn't yet cleaned up the compromised system. What point of the incident response process has Jewel's team completed?

A

Containment

Containment separates the incident from the rest of the enterprise

52
Q

Which of the following statements best describes the relationship between the elements of risk?

A

Threats exploit vulnerabilities
53
Q

Your company has deployed Linux virtual machines in the public cloud. After recent attempts at SSH brute-forcing against the Linux hosts were detected, you decide to mitigate the possibility of attacks initiated from the Internet while allowing secured remote management connections over the Internet. What should you configure?

A

Jump Server

A jump server allows secured and authenticated connections from a public network such as the Internet, and it serves as a launching pad from which remote service management, including Linux SSH remote management, is possible using only private IP addresses. The use of only private IP addresses for cloud-based virtual machines means they are not even visible from the Internet

54
Q

Which of the following algorithms won the US government-sponsored competition to become the Advanced Encryption Standard (AES)?

A

Rijndael

55
Q

What are the IPSec modes of connection? Select three.
-Server to network
-Host to host
-Host to server
-Server to server

A

-host to host
-host to server
-server to server

IPSec can establish tunnels between different networks by using servers as endpoints and establishing a server-to-server connection, or it performs transport between hosts

56
Q

The Morris finger worm, Code Red, and Slammer all used what type of attack to compromise systems?

A

Buffer overflow

Each of the worms used buffer overflow attacks. In a buffer overflow attack, the input buffer used to hold program input is overwritten with data that is larger than the buffer can hold. This can lead to things such as program crashes and execution of malicious code

57
Q

When information is converted to an unreadable state using cryptography, in what form is the information?

A

Ciphertext

58
Q

If a person knows a control exists, and this control keeps him or her from performing a malicious act, what type of control would this be classified as?

A

Deterrent control

A deterrent control keeps someone from performing a malicious act, provided that he or she knows the control is there and is aware of the consequences of violating it

59
Q

You are working on a project to implement VPNs between all remote offices that are part of the corporate network. The choices made here will be in place for at least five years. Due to its open framework, you are wanting to implement IPSec. How does the open framework affect your choice?

A

An open framework allows the underlying cipher suites to be updated as needed

IPSec has an open framework that does not specify any specific algorithm. This allows IPSec to use modernized versions of ciphers and hashes when an issue is found with older algorithms

60
Q

Which of the following are characteristics of hashing? Select three.
-hashing can be used to protect data integrity
-hashes are decrypted using the same algorithm and key that encrypted them
-hashes are cryptographic representations of plaintext
-hashes produce fixed-length digests for variable-length text

A

-hashing can be used to protect data integrity
-hashes are cryptographic representations of plaintext
-hashes produce fixed-length digests for variable-length text

Not "-hashes are decrypted using the same algorithm and key that encrypted them": hashes are one-way mathematical functions and cannot be decrypted

61
Q

Which of the following is a point-in-time backup of certain key configuration settings of a virtual machine, allowing the VM to be restored back to that point in time if it suffers a crash or other issue?

A

Snapshot

A snapshot is a quick backup of critical configuration files, used by the hypervisor to restore the virtual machine back to its point-in-time status should it become unstable or suffer any other issues

62
Q

Which of the following statements about EOSL items is true?

A

An EOSL item is no longer supported by the OEM

An End of Service Life item is something that is no longer supported by the original equipment manufacturer (OEM)
63
Q

Which of the following concepts should be the most important consideration when determining how to budget properly for security controls?

A

Risk likelihood and impact

64
Q

You are in a meeting with a vendor selling antivirus products. You are interested in heuristic-based antivirus, but this vendor is heavily pushing signature-based antivirus. What is the strongest reason you might avoid this product?

A

Signature antivirus can only detect known malware

Antivirus programs that use signature detection can only protect against threats that are known

65
Q

Why is remote wiping of mobile devices so important?

A

They are more susceptible to loss than other devices

66
Q

Which type of assessment looks at events that could exploit vulnerabilities?

A

threat assessment

67
Q

Rules of engagement for a penetration test are primarily used for the following?

A

to establish boundaries associated with the testing

What systems and actions are in scope, what should never be done, who should be contacted if vulnerabilities are found, etc.

68
Q

Your company plans on opening three new branch offices in different parts of the world. Devices on each branch office network must be able to securely connect to services on all other branch office networks with the least amount of network latency. The solution must include web filtering and firewall rule capabilities. Each branch office currently has a secured connection into a public cloud provider. Which solution should you implement?
-cloud-based reverse proxying
-SASE
-site-to-site VPN
-SD-WAN

A

SASE

A secure access service edge solution combines cloud-based wide area network virtualization and network security services, such as firewall rules and web filtering. Branch offices already connecting to the public cloud can route traffic through a cloud-based SASE configuration that uses the public cloud provider's global network backbone to get traffic to other branch offices with standard Internet network congestion issues

69
Q

What does WPA3 use Simultaneous Authentication of Equals (SAE) to do?

A

It is used as a password-based key exchange to create strong shared secrets

SAE is an enhancement to the WPA2 pre-shared key weakness; it creates a strong shared secret without needing to pre-share a key

70
Q

You are a security technician participating in a penetration testing red team. What is another name for a pen test red team?

A

Offensive team

Called offensive teams because they actively scan for and attempt to exploit vulnerabilities in business processes and IT systems

71
Q

Which of the following is a list of known vulnerabilities in software systems?

A

Common Vulnerabilities and Exposures

The CVE enumeration is a list of known vulnerabilities in software systems. Each vulnerability in the list has an identification number, a description, and references

72
Q

What type of organizations are the main users of an interconnection service agreement (ISA)?

A

Telecommunication companies

Companies will use an interconnection service agreement (ISA) when connecting to each other's network to handle essential details about technology and personnel

73
Q

Which of the following allows for the mixing of business and personal matters?

A

Containerization

Containerization divides a device into containers: one holding company information, and the other holding personal information
74
Q

Which of the following provides the capability to capture and analyze traffic passing through a network?

A

Protocol analyzer

75
Q

You have successfully deployed antivirus to all client workstations but are still dealing with virus problems. What would be your next target for antivirus filtering?

A

Email servers

Antivirus programs are almost always deployed as part of a modern email server package. The email system has been a large vector for malware, as it delivers external data directly to internal endpoints.

76
Q

What are two major causes of weak encryption?

A

Developing your own, proprietary algorithm and using weak cipher suites

Self-developed or proprietary cryptographic algorithms that do not undergo widespread scrutiny and testing are often inferior to widely tested and scrutinized algorithms, as weaknesses are not discovered by the algorithm's inventors. Weak cipher suites are suites that were once considered to be secure but are no longer secure due to discovered weaknesses or advancements in computational power

77
Q

It has been discovered that you have an attacker in your systems that has been performing LDAP injection attacks against your directory in an attempt to escalate their privileges onto other systems. After the initial response, you consider using LDAPS to make a future injection attack more difficult. What is required to make LDAP traffic secure with LDAPS, and how can it help prevent injection attacks?

A

A certificate provided by a certificate authority (CA); encrypting the LDAP traffic prevents attackers from knowing attribute names

LDAPS utilizes a TLS connection in LDAPSv2 and SASL in LDAPSv3. This requires a certificate to be applied that has been signed by a CA that is trusted by the client. This method makes injection attacks more difficult by preventing an attacker from monitoring the network for LDAP attribute streams.

78
Q

Which is a specific element of an incident response plan?

A

Roles and responsibilities

79
Q

The incident response team is activated because the load balancing system failed after the installation of a new application. The only difference with the new application is that it required active/active load balancing. What likely caused this issue?

A

A poor capacity plan.

Because active/active load balancing is handling all traffic, any failure will cause all traffic to go through a single node, potentially overloading the system. As active/active load balancing handles a portion of all traffic, the system should not exceed 50% of total capacity to avoid being overloaded should a node go offline

80
Q

Which of the following DES/AES encryption modes is considered the weakest?

A

ECB

With ECB mode, a given piece of plaintext will always produce the same corresponding piece of ciphertext. The predictability makes it weak.

81
Q

Which technique is employed when executing a distributed denial-of-service attack?

A

Spoofing

Attackers will spoof, or forge, the source IP address of the victim device when requesting responses from servers (reflectors), which in turn send the responses (reflections) to victim devices. Specifically crafted requests sent to vulnerable network services running on a reflector server can result in very large amounts of useless network traffic.

82
Q

In a vulnerability scan, a reported vulnerability that is not actually a vulnerability is known as which of the following?

A

False positive

A reported vulnerability that is not actually a real vulnerability is known as a false positive. You get an indicator for something, but that indicator is wrong and should not have been reported

83
Q

Which of the following statements about bug bounty programs are true? Select two.
-Companies pay people to find vulnerabilities in their software
-They are not used by reputable companies
-Discovered bugs are worth very little
-They are usually open

A

-companies pay people to find vulnerabilities in their software
-they are usually open to the public

Bug bounty programs are mechanisms where companies pay hackers for revealing the details of vulnerabilities that they discover in software and/or hardware products, providing the company an opportunity to correct an issue before it is exploited for malicious purposes. They are usually open to the public as companies like to have as many people testing their software as possible.
84
Q

What does the A in the CIA triad stand for?

A

Availability

85
Q

What is the main goal of an APT?

A

To establish and maintain a presence on the target network for a long period of time

Advanced Persistent Threat attacks are characterized by using toolkits to achieve a presence on a target network and then, instead of just moving to steal information, focusing on the long game by maintaining a persistent presence on the target network for as long as possible.

86
Q

What is the largest advantage host-based firewalls have over network-based firewalls?

A

Host-based firewalls have knowledge of the functions of the endpoint and can tune the traffic management to match.

Host-based firewalls can be tuned to the specific applications on the endpoint and the normal traffic on the endpoint.

87
Q

Which of the following is generally a script planted by a disgruntled employee or other malicious actor that is set to execute at a certain time?

A

Logic bomb

A logic bomb is simply a script that is set to execute at a certain time. Logic bombs are usually created by rogue administrators or disgruntled employees.

88
Q

Which of the following processes is concerned with validating credentials?

A

Authentication

Authentication is the process of validating that a user's credentials are authentic, after the user has presented them through the identification process.

89
Q

Which of the following formal management efforts is a formalized process that involves both long-term and short-term infrastructure changes?

A

Change management

90
Q

Which is not a specific type of recovery site?

A

Geographic site