Practice Study 1 Flashcards

1
Q

You’ve hired a third-party to gather information about
your company’s servers and data. The third-party will
not have direct access to your internal network but can
gather information from any other source. Which of the
following would best describe this approach?
❍ A. Backdoor testing
❍ B. Passive reconnaissance
❍ C. OS fingerprinting
❍ D. Grey box penetration testing

A

❍ B. Passive reconnaissance

Passive reconnaissance focuses on learning as much as possible from open sources such as social media, corporate websites, and business organizations, without sending any traffic to the target's own systems.

The incorrect answers:
A. Backdoor testing
Some active reconnaissance tests will directly query systems to see if a
backdoor has been installed.

C. OS fingerprinting
To fingerprint an operating system, you must actively query and receive
responses across the network.

D. Grey box penetration testing
A grey box penetration test is a focused approach that usually provides
detailed information about specific systems or applications.

2
Q
Which of these protocols use TLS to provide secure
communication? (Select TWO)
❍ A. HTTPS
❍ B. SSH
❍ C. FTPS
❍ D. SNMPv2
❍ E. DNSSEC
❍ F. SRTP
A

A. HTTPS
C. FTPS

TLS (Transport Layer Security) is a cryptographic protocol used to encrypt network communication. HTTPS is the Hypertext Transfer Protocol over TLS, and FTPS is the File Transfer Protocol over TLS.

An earlier version of TLS is SSL (Secure Sockets Layer). Although we don’t commonly see SSL in use any longer, you may see TLS communication colloquially referenced as SSL.

The incorrect answers:

B. SSH
SSH (Secure Shell) encrypts the session with its own transport protocol and
key exchange; it does not use TLS.

D. SNMPv2
SNMPv2 (Simple Network Management Protocol version 2) does not
implement TLS, or any encryption, within the network communication.

E. DNSSEC
DNSSEC (DNS Security Extensions) signs DNS records to provide origin
authentication and integrity, but it does not provide any confidentiality
of data and does not use TLS.

F. SRTP
SRTP (Secure Real-time Transport Protocol) is a VoIP (Voice over IP)
protocol used for encrypting conversations. SRTP protocol commonly uses
AES (Advanced Encryption Standard) for confidentiality.

More information:
SY0-501, Objective 2.6 - Secure Protocols

3
Q

Which of these threat actors would be MOST likely to
attack systems for direct financial gain?
❍ A. Organized crime
❍ B. Hacktivist
❍ C. Nation state
❍ D. Competitor

A

A. Organized crime

An organized crime actor is motivated by money, and their targets are
usually data or access that can be easily converted into financial capital.

The incorrect answers:
B. Hacktivist
A hacktivist is focused on a political agenda and not commonly on a
financial gain.

C. Nation state
Nation states are already well funded, and their primary objective is not
usually based on revenue or income.

D. Competitor
A competitor doesn’t have any direct financial gain by disrupting a
website or stealing customer lists, and often their objective is to disable
a competitor’s business or to harm their reputation. If there is a financial
gain, it would often be an indirect result of an attack.
More information:

SY0-501, Objective 1.3 - Threat Actors

4
Q
A security incident has occurred on a file server. Which of
the following data sources should be gathered to address
file storage volatility? (Select TWO)
❍ A. Partition data
❍ B. Kernel statistics
❍ C. ROM data
❍ D. Temporary file systems
❍ E. Process table
A

A. Partition data
D. Temporary file systems
Both temporary file system data and partition data are part of the file
storage subsystem.

The incorrect answers:
B. Kernel statistics
Kernel statistics are held in system memory and belong to the memory state,
not to file storage.
C. ROM data
ROM data is the device firmware and is not part of the file storage subsystem.
E. Process table
The process table is held in system memory and is lost when the system is
powered down.

5
Q

An IPS at your company has found a sharp increase in
traffic from all-in-one printers. After researching, your
security team has found a vulnerability associated with
these devices that allows the device to be remotely
controlled by a third-party. Which category would BEST
describe these devices?
❍ A. IoT
❍ B. RTOS
❍ C. MFD
❍ D. SoC

A

C. MFD

An all-in-one printer that can print, scan, and fax is often categorized as an
MFD (Multifunction Device).

The incorrect answers:
A. IoT
Wearable technology and home automation devices are commonly called
IoT (Internet of Things) devices.
B. RTOS
RTOS (Real-time Operating Systems) are commonly used in manufacturing
and automobiles.
D. SoC
Multiple components that run on a single chip are categorized as an SoC
(System on a Chip).
More information:
SY0-501, Objective 3.5 - Embedded Systems

6
Q

Which of the following would attempt to exploit a
vulnerability associated with a specific application?
❍ A. Vulnerability scan
❍ B. Active reconnaissance
❍ C. Penetration test
❍ D. Port scan

A

C. Penetration test

A penetration test is used to determine if a system or application can be
exploited. This process actively attempts to break into a system as part of
the testing.

The incorrect answers:

A. Vulnerability scan
A vulnerability scan identifies potential vulnerabilities, but it does not
attempt to exploit them.

B. Active reconnaissance
Active reconnaissance gathers information by directly querying systems, such
as port scans or OS fingerprinting, but it stops short of exploitation.

D. Port scan
A port scan identifies open ports and listening services; it does not attempt
to exploit an application.

More information:
SY0-501, Objective 1.4 - Penetration Testing

7
Q

Elizabeth, a security administrator, is concerned about
the potential for data exfiltration using external storage
drives. Which of the following would be the BEST way to
prevent this method of data exfiltration?
❍ A. Create an operating system security policy to
prevent the use of removable media
❍ B. Monitor removable media usage in host-based
firewall logs
❍ C. Only whitelist applications that do not use
removable media
❍ D. Define a removable media block rule in the UTM

A

A. Create an operating system security policy to
prevent the use of removable media

Removable media uses hot-pluggable interfaces such as USB to connect
storage drives. A security policy in the operating system can prevent any
files from being written to a removable drive.

The incorrect answers:

B. Monitor removable media usage in host-based firewall logs
A host-based firewall monitors traffic flows and does not commonly log
hardware or USB drive access.

C. Only whitelist applications that do not use removable media
File storage access options are not associated with applications, so it’s not
possible to whitelist based on external storage drive usage.

D. Define a removable media block rule in the UTM
A UTM (Unified Threat Manager) watches traffic flows across the network
and does not commonly manage the storage options on individual
computers.

More information:
SY0-501, Objective 2.4 - Analyzing Security Output

8
Q

Tayla is a help desk administrator for a major
transportation company. Her help desk has suddenly
been overwhelmed by phone calls from customers. The
customers are complaining that their browser is giving a
message that the company’s website is untrusted. Which
of the following would be the MOST likely reason for
this issue?
❍ A. The web server is not running the latest
version of software
❍ B. The corporate firewall is misconfigured
❍ C. A content filter is blocking web server traffic
❍ D. The web server has a certificate issue

A

D. The web server has a certificate issue

Any web server issues relating to trust are generally associated with the
status of the web server certificate. If a certificate has expired, or the
fully qualified domain name on the certificate does not match the name of the
web server, the end users will see errors in their browser.

The incorrect answers:
A. The web server is not running the latest version of software
Web server software should certainly be upgraded when appropriate, but
outdated software would not commonly cause problems with trusting
encrypted communication from a browser.
B. The corporate firewall is misconfigured
A firewall would be expected to either block or allow traffic to the web
server. In this example, the issue is related to the trust between a browser
and web server.
C. A content filter is blocking web server traffic
Content filters would allow or block certain types of web pages, and do not
commonly cause issues with web server trust.
More information:
SY0-501, Objective 2.3 - Common Security Issues
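The two certificate checks described above, as an added example that is not part of the original practice exam: a Python function that applies the tests a browser performs (validity period and hostname match) to a certificate in the dict shape returned by ssl.SSLSocket.getpeercert(). The certificate, hostnames and dates are constructed for this illustration. It goes slightly beyond the card by also handling wildcard names, which is where hand-written hostname checks most often go wrong.

```python
import ssl

# Constructed example of the dict shape returned by ssl.SSLSocket.getpeercert().
# The hostnames and validity dates are invented for this illustration.
SAMPLE_CERT = {
    "subject": ((("commonName", "www.transit.example"),),),
    "subjectAltName": (
        ("DNS", "www.transit.example"),
        ("DNS", "*.booking.transit.example"),
    ),
    "notBefore": "Jan 10 00:00:00 2018 GMT",
    "notAfter": "Apr 10 00:00:00 2018 GMT",
}


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style comparison: case-insensitive, and a wildcard may only
    stand in for exactly one label at the far left (so '*.b.example' matches
    'a.b.example' but neither 'b.example' nor 'x.a.b.example')."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def check_certificate(cert: dict, hostname: str, now: float) -> list:
    """Return the trust problems a browser would raise for this certificate
    when connecting to `hostname` at Unix time `now` (empty list = trusted)."""
    problems = []
    if now < ssl.cert_time_to_seconds(cert["notBefore"]):
        problems.append("certificate not yet valid")
    if now > ssl.cert_time_to_seconds(cert["notAfter"]):
        problems.append("certificate expired")
    # Browsers match the requested name against the subjectAltName DNS
    # entries only; the subject commonName is ignored.
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not any(dns_name_matches(n, hostname) for n in names):
        problems.append("hostname %r not covered by %r" % (hostname, names))
    return problems


if __name__ == "__main__":
    feb_1_2018 = 1517443200   # inside the validity window
    may_1_2018 = 1525132800   # after notAfter
    print(check_certificate(SAMPLE_CERT, "www.transit.example", feb_1_2018))  # []
    print(check_certificate(SAMPLE_CERT, "www.transit.example", may_1_2018))  # expired
    print(check_certificate(SAMPLE_CERT, "transit.example", feb_1_2018))      # name mismatch
```

Both failure modes in the card (an expired certificate and a name that does not match) produce a non-empty list, which is exactly the condition under which every customer's browser starts warning at once.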

9
Q

An insurance company has created a set of policies to
handle data breaches. The security team has been given
this set of requirements based on these policies:
• Access records from all devices must be
saved and archived
• Any data access outside of normal working hours
must be immediately reported
• Data access must only occur inside of the country
• Access logs and audit reports must be created from a
single database
Which of the following should be implemented by the
security team to meet these requirements?
(Select THREE)
❍ A. Restrict login access by IP address and
GPS location
❍ B. Require government-issued identification
during the onboarding process
❍ C. Add additional password complexity for accounts
that access data
❍ D. Conduct monthly permission auditing
❍ E. Consolidate all logs on a SIEM
❍ F. Archive the encryption keys of all disabled accounts
❍ G. Enable time-of-day restrictions on the
authentication server

A

A. Restrict login access by IP address and
GPS location
E. Consolidate all logs on a SIEM
G. Enable time-of-day restrictions on the
authentication server

Adding location-based policies will prevent direct data access from outside
of the country. Saving log information from all devices and creating audit
reports from a single database can be implemented through the use of a
SIEM (Security Information and Event Manager). Adding a check for the
time-of-day will report any access that occurs during non-working hours.

The incorrect answers:
B. Require government-issued identification during the onboarding process
Requiring proper identification is always a good idea, but it’s not one of the
listed requirements.
C. Add additional password complexity for accounts that access data
Additional password complexity is another good best practice, but it’s not
part of the provided requirements.
D. Conduct monthly permission auditing
No requirements for ongoing auditing were included in the requirements,
but ongoing auditing is always an important consideration.
F. Archive the encryption keys of all disabled accounts
If an account is disabled, there may still be encrypted data that needs to be
recovered later. Archiving the encryption keys will allow access to that data
after the account is no longer in use.

More information:
SY0-501, Objective 4.4 - Account Management

10
Q

Rodney, a security engineer, is viewing this record from
the firewall logs:
UTC 04/05/2018 03:09:15809 AV Gateway Alert
136.127.92.171 80 -> 10.16.10.14 60818
Gateway Anti-Virus Alert:
XPACK.A_7854 (Trojan) blocked.
Which of the following can be observed from this
log information?
❍ A. The victim’s IP address is 136.127.92.171
❍ B. A download was blocked from a web server
❍ C. A botnet DDoS attack was blocked
❍ D. The Trojan was blocked, but the file was not

A

B. A download was blocked from a web server

A traffic flow from a web server port number (80) to a device port (60818)
indicates that this traffic flow originated on port 80 of the web server. A
file download is one of the most common ways to deliver a Trojan, and this
log entry shows that the file containing the XPACK.A_7854 Trojan was
blocked.

The incorrect answers:
A. The victim’s IP address is 136.127.92.171
The format for this log entry uses an arrow to differentiate between the
attacker and the victim. The attacker IP address is 136.127.92.171, and the
victim’s IP address is 10.16.10.14.
C. A botnet DDoS attack was blocked
A botnet attack would not commonly include a Trojan horse as part of a
distributed denial of service (DDoS) attack.
D. The Trojan was blocked, but the file was not
A Trojan horse attack involves malware that is disguised as legitimate
software. The Trojan malware and the file are the same entity, so there isn’t
a way to decouple the malware from the file.

More information:
SY0-501, Objective 2.4 - Analyzing Security Output
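Reading the direction of a flow out of a record like this one by hand is error-prone, so here, as an added example that is not from the original exam, is a Python parser that applies the same reasoning the explanation above uses: whichever end holds a well-known service port is the server, so a source port of 80 means the payload came from a web server to the client on the destination side. The log lines are constructed (the first is the question's record joined onto one line; the other two are invented to show the opposite direction and a different service).

```python
import ipaddress
import re
from dataclasses import dataclass

# Well-known service ports. If the *source* port of a flow is one of these,
# a server answered the request and the payload travelled server -> client
# (a download); if the *destination* port is one, a client was sending.
SERVICE_PORTS = {21: "FTP", 25: "SMTP", 80: "HTTP", 443: "HTTPS", 8080: "HTTP-alt"}

ALERT_RE = re.compile(
    r"^UTC (?P<ts>\S+ \S+) AV Gateway Alert "
    r"(?P<src>\S+) (?P<sport>\d+) -> (?P<dst>\S+) (?P<dport>\d+) "
    r"Gateway Anti-Virus Alert: (?P<sig>\S+) \((?P<kind>[^)]+)\) (?P<action>\w+)\.$"
)

# Constructed sample: the record from the question on one line, plus two
# invented records (signature names are made up) for contrast.
SAMPLE_LOG = """\
UTC 04/05/2018 03:09:15809 AV Gateway Alert 136.127.92.171 80 -> 10.16.10.14 60818 Gateway Anti-Virus Alert: XPACK.A_7854 (Trojan) blocked.
UTC 04/05/2018 03:11:02100 AV Gateway Alert 10.16.10.22 51234 -> 203.0.113.9 443 Gateway Anti-Virus Alert: Sample.Upload_1 (Trojan) blocked.
UTC 04/05/2018 03:12:44017 AV Gateway Alert 198.51.100.7 25 -> 10.16.10.40 49201 Gateway Anti-Virus Alert: Sample.Mail_2 (Worm) blocked.
"""


@dataclass
class AvAlert:
    ts: str
    src: str
    sport: int
    dst: str
    dport: int
    signature: str
    kind: str
    action: str


def parse_alert(line: str):
    """Parse one gateway AV record; return None for lines in another format."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    g = m.groupdict()
    return AvAlert(g["ts"], g["src"], int(g["sport"]), g["dst"], int(g["dport"]),
                   g["sig"], g["kind"], g["action"])


def classify(alert: AvAlert) -> dict:
    """Work out which end is the server, which way the payload moved, and
    whether the client end (the would-be victim of a download) is internal."""
    if alert.sport in SERVICE_PORTS and alert.dport >= 1024:
        direction, service = "download", SERVICE_PORTS[alert.sport]
        server, client = alert.src, alert.dst
    elif alert.dport in SERVICE_PORTS and alert.sport >= 1024:
        direction, service = "upload", SERVICE_PORTS[alert.dport]
        server, client = alert.dst, alert.src
    else:
        direction, service, server, client = "unknown", None, None, None
    return {
        "direction": direction,
        "service": service,
        "server": server,
        "client": client,
        "client_is_internal": bool(client) and ipaddress.ip_address(client).is_private,
        "signature": alert.signature,
        "kind": alert.kind,
        "action": alert.action,
    }


def summarize(log_text: str) -> list:
    """Parse every recognisable record in a log and classify each one."""
    return [classify(a) for a in map(parse_alert, log_text.splitlines()) if a]


if __name__ == "__main__":
    for row in summarize(SAMPLE_LOG):
        print(row)
```

For the question's record the parser reports a download over HTTP from 136.127.92.171 to the internal client 10.16.10.14, with the XPACK.A_7854 detection marked as blocked, which is the reading the answer key gives. The port heuristic is deliberately simple; a production parser would use the firewall's own direction field where one exists.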

11
Q

Richard, an engineer, has been posting pictures of a
not-yet-released company product on an online forum.
Richard believed the forum was limited to a small group,
but his pictures were actually posted on a publicly
accessible area of the site. Which of the following
company policies should be discussed with Richard?
❍ A. Personal email
❍ B. Unauthorized software
❍ C. Social media
❍ D. Certificate issues

A

C. Social media

Most organizations have formal policies on managing social media
engagements, and those policies would most likely prevent someone from
disclosing any pre-release information to the public.

The incorrect answers:
A. Personal email
This issue was related to postings on an online forum, and no personal
email messages were included with the forum posts.
B. Unauthorized software
No additional or unauthorized software appears to have been used by
Richard to post these pictures on a forum.
D. Certificate issues
A web server certification issue would commonly cause problems with
encryption between a client and a web server. This question doesn’t
include any certificate errors.

More information:
SY0-501, Objective 2.3 - Common Security Issues

12
Q

A group of universities sponsor a monthly speaking event
that is attended by faculty from many different schools.
Each month, a different university is selected to host
the event. The IT staff for the event would like to allow
access to the local wireless network using the faculty
member’s normal authentication credentials. These
credentials should properly authenticate, even when the
faculty member is not physically located at their home
campus. Which of the following authentication methods
would be the BEST choice for this requirement?
❍ A. RADIUS federation
❍ B. 802.1X
❍ C. PEAP
❍ D. EAP-FAST

A

A. RADIUS federation

RADIUS (Remote Authentication Dial-In User Service) with federation
would allow members of one organization to authenticate using the
credentials of another organization.

The incorrect answers:
B. 802.1X
802.1X is a useful authentication protocol, but it needs additional
functionality to authenticate across multiple user databases.
C. PEAP
PEAP (Protected Extensible Authentication Protocol) provides a method of
authentication over a protected TLS (Transport Layer Security) tunnel, but
it doesn’t provide the federation needed for these requirements.
D. EAP-FAST
EAP-FAST (Extensible Authentication Protocol - Flexible Authentication
via Secure Tunneling) is Cisco's replacement for LEAP (Lightweight EAP)
and was commonly deployed after WEP (Wired Equivalent Privacy) was
replaced with WPA (Wi-Fi Protected Access). Like PEAP, it authenticates
users but does not provide federation across organizations.

More information:
SY0-501, Objective 2.3 - Common Security Issues

13
Q

A system administrator, Daniel, is working on a contract
that will specify a minimum required uptime for a set of
Internet-facing firewalls. Daniel needs to know how often
the firewall hardware is expected to fail between repairs.
Which of the following would BEST describe
this information?
❍ A. MTBF (Mean Time Between Failures)
❍ B. RTO (Recovery Time Objectives)
❍ C. MTTR (Mean Time to Restore)
❍ D. MTTF (Mean Time to Failure)

A

A. MTBF

The MTBF (Mean Time Between Failures) is a prediction of how often a
repairable system will fail.

The incorrect answers:
B. RTO
RTO (Recovery Time Objective) is the target time within which a service
must be restored to an agreed level after an outage; it is a planning goal,
not a measurement of how often hardware fails.
C. MTTR
MTTR (Mean Time to Restore) is the amount of time it takes to repair a
component.
D. MTTF
MTTF (Mean Time to Failure) is the expected lifetime of a non-repairable
product or system.

More information:
SY0-501, Objective 5.2 - Business Impact Analysis

14
Q

An attacker calls into a company’s help desk and pretends
to be the director of the company’s manufacturing
department. The attacker states that they have forgotten
their password and they need to have the password reset
quickly for an important meeting. The help desk engineer
requests the employee’s ID number and sends a password
reset validation code to the user’s registered mobile
device number. What kind of attack is the help desk
engineer preventing by following these processes?
❍ A. Social engineering
❍ B. Tailgating
❍ C. Vishing
❍ D. Man-in-the-middle

A

A. Social engineering

A social engineering attack takes advantage of authority and urgency
principles in an effort to convince someone else to circumvent normal
security controls.

The incorrect answers:
B. Tailgating
A tailgating attack follows someone else with proper credentials through a
door. This allows the attack to gain access to an area that’s normally locked.
C. Vishing
Vishing (voice phishing) attacks use the phone to obtain private
information from others. In this example, the attacker was not asking for
confidential information.
D. Man-in-the-middle
A man-in-the-middle attack commonly occurs without any knowledge to
the parties involved, and there’s usually no additional notification that an
attack is underway. In this question, the attacker contacted the help desk
engineer directly.

More information:
SY0-501, Objective 1.2 - Principles of Social Engineering

15
Q

A security administrator has been using EAP-FAST
wireless authentication since the migration from WEP
to WPA2. The company’s network team now needs to
support additional authentication protocols inside of an
encrypted tunnel. Which of the following would meet the
network team’s requirements?
❍ A. EAP-TLS (Extensible Authentication Protocol - Transport Layer Security)
❍ B. PEAP (Protected Extensible Authentication Protocol)
❍ C. EAP-TTLS (Extensible Authentication Protocol - Tunneled Transport Layer Security)
❍ D. EAP-MSCHAPv2 (EAP - Microsoft Challenge Handshake Authentication Protocol v2)

A

C. EAP-TTLS

EAP-TTLS (Extensible Authentication Protocol - Tunneled Transport Layer
Security) allows the use of multiple authentication protocols transported
inside of an encrypted TLS (Transport Layer Security) tunnel. This allows
the use of any authentication while maintaining confidentiality with TLS.

The incorrect answers:
A. EAP-TLS
EAP-TLS does not provide a mechanism for using multiple authentication
types within a TLS tunnel.
B. PEAP
PEAP (Protected Extensible Authentication Protocol) encapsulates EAP
within a TLS tunnel, but only EAP methods (typically EAP-MSCHAPv2) can
run inside it; it does not carry legacy non-EAP methods such as PAP or
CHAP the way EAP-TTLS does.
D. EAP-MSCHAPv2
EAP-MSCHAPv2 (EAP - Microsoft Challenge Handshake Authentication
Protocol v2) is a common implementation of PEAP.
More information:
SY0-501, Objective 6.3 - Wireless Authentication Protocols

16
Q

Which of the following would be commonly provided
by a CASB? (Select TWO)
❍ A. List of all internal Windows devices that have not
installed the latest security patches
❍ B. List of applications in use
❍ C. Centralized log storage facility
❍ D. List of network outages for the previous month
❍ E. Verification of encrypted data transfers
❍ F. VPN connectivity for remote users

A

B. A list of applications in use
E. Verification of encrypted data transfers

A CASB (Cloud Access Security Broker) can be used to apply security
policies to cloud-based implementations. Two common functions of a
CASB are visibility into application use and data security policy use. Other
common CASB functions are the verification of compliance with formal
standards and the monitoring and identification of threats.

The incorrect answers:
A. List of all internal Windows devices that have not installed the latest
security patches
A CASB focuses on policies associated with cloud-based services and not
internal devices.
C. Centralized log storage facility
Using Syslog to centralize log storage is most commonly associated with a
SIEM (Security Information and Event Manager).
D. List of network outages for the previous month
A network availability report would be outside the scope of a CASB.
F. VPN connectivity for remote users
VPN concentrators are commonly used to provide secure connectivity for
remote users; this is not a CASB function.
More information:
SY0-501, Objective 3.7 - Security in the Cloud

17
Q

The embedded OS in a company’s time clock appliance is
configured to reset the file system and reboot when a file
system error occurs. On one of the time clocks, this file
system error occurs during the startup process and causes
the system to constantly reboot. This loop continues until
the time clock is powered down. Which of the following
BEST describes this issue?
❍ A. DLL injection
❍ B. Resource exhaustion
❍ C. Race condition
❍ D. Weak configuration

A

C. Race condition

A race condition occurs when two processes run at nearly the same time and
the outcome depends on which one finishes first. Here the file system repair
and the reboot are competing: the reboot triggers before the repair can
complete, so the error is never cleared and the device reboots endlessly.

The incorrect answers:
A. DLL injection
One method of exploiting an application is to take advantage of the
libraries referenced by the application rather than the application itself.
DLL (Dynamic Link Library) injection manipulates the library as the attack
vector.
B. Resource exhaustion
If the time clock was running out of storage space or memory, it would
most likely be unusable. In this example, the issue isn’t based on a lack of
resources.
D. Weak configuration
If the system is poorly configured, there may be unintended access to a
service or data. This time clock issue wasn’t related to any misconfiguration
or weak configuration on the time clock appliance.
More information:
SY0-501, Objective 1.6 - Vulnerability Types

18
Q

A recent audit has found that existing password policies
do not include any restrictions on password attempts,
and users are not required to periodically change their
passwords. Which of the following would correct these
policy issues? (Select TWO)
❍ A. Password complexity
❍ B. Password expiration
❍ C. Password history
❍ D. Password lockout
❍ E. Password recovery

A

B. Password expiration
D. Password lockout

Password expiration would require a new password after the expiration
date. Password lockout would disable an account after a predefined
number of unsuccessful login attempts.

The incorrect answers:
A. Password complexity
A complex password would make it more difficult to brute force, but it
would not solve the issues listed in this question.
C. Password history
Having a password history would prevent the reuse of any previous
passwords.
E. Password recovery
The password recovery process provides a method for users to recover an
account that has been locked out or has a forgotten password.
More information:
SY0-501, Objective 4.4 - Account Policy Enforcement
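The two policies from the answer, implemented together, as an added example that is not from the original exam: a small Python account model that counts failed attempts within a window, locks the account for a fixed period once the threshold is reached (the lockout is checked before the password, so a correct guess cannot slip past it), and reports a password as expired once it is older than the maximum age. The threshold, window, lockout duration and maximum age are assumed values, as is the PBKDF2 hashing used to store the password.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field

# Policy values are assumptions for this illustration, not the page's.
LOCKOUT_THRESHOLD = 5          # failed attempts that trigger a lockout
LOCKOUT_WINDOW = 15 * 60       # only failures within this many seconds count
LOCKOUT_DURATION = 30 * 60     # seconds the account stays locked
MAX_PASSWORD_AGE = 90 * 86400  # password expiration, in seconds


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class Account:
    salt: bytes
    password_hash: bytes
    password_set_at: float                         # Unix time of last change
    failures: list = field(default_factory=list)   # times of recent failures
    locked_until: float = 0.0

    @classmethod
    def create(cls, password: str, now: float) -> "Account":
        salt = os.urandom(16)
        return cls(salt, hash_password(password, salt), now)


def attempt_login(acct: Account, password: str, now: float) -> str:
    """Return 'locked', 'failed', 'expired' or 'ok'. The lockout is enforced
    before the password is checked, so a correct password cannot bypass it."""
    if now < acct.locked_until:
        return "locked"
    # Forget failures that fell outside the counting window.
    acct.failures = [t for t in acct.failures if now - t <= LOCKOUT_WINDOW]
    if not hmac.compare_digest(hash_password(password, acct.salt), acct.password_hash):
        acct.failures.append(now)
        if len(acct.failures) >= LOCKOUT_THRESHOLD:
            acct.locked_until = now + LOCKOUT_DURATION
            acct.failures.clear()
            return "locked"
        return "failed"
    acct.failures.clear()
    # Password expiration: credentials are correct, but a change is required.
    if now - acct.password_set_at > MAX_PASSWORD_AGE:
        return "expired"
    return "ok"


def simulate_brute_force(attempts: int, now: float = 1_600_000_000.0) -> list:
    """Constructed scenario: `attempts` wrong guesses one second apart, then
    the real password straight away, then the real password once the lockout
    has lapsed. Returns the outcome of every attempt in order."""
    acct = Account.create("correct horse battery staple", now)
    results = [attempt_login(acct, "guess%d" % i, now + i) for i in range(attempts)]
    results.append(attempt_login(acct, "correct horse battery staple", now + attempts))
    results.append(attempt_login(acct, "correct horse battery staple",
                                 now + attempts + LOCKOUT_DURATION))
    return results


if __name__ == "__main__":
    print(simulate_brute_force(5))   # four failures, lockout, still locked, ok
    old = Account.create("pw", 0.0)
    print(attempt_login(old, "pw", 100 * 86400))   # expired
```

Note the window on failures: without it, a handful of mistyped passwords spread over months would eventually lock the account, which is why real directory services count failures only within a reset interval.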

19
Q
What kind of security control is associated
with a login banner?
❍ A. Preventive
❍ B. Deterrent
❍ C. Corrective
❍ D. Detective
❍ E. Compensating
❍ F. Physical
A

B. Deterrent

A deterrent control does not directly stop an attack, but it may discourage
an action.

The incorrect answers:
A. Preventive
A preventive control blocks an action before it can happen, such as a
firewall rule or a locked door; a banner blocks nothing.
C. Corrective
A corrective control can actively work to mitigate any damage.
D. Detective
A detective control may not prevent access, but it can identify and record
any intrusion attempts.
E. Compensating
A compensating control is an alternative put in place when the primary
control is not feasible; it substitutes for another control rather than
discouraging an action the way a banner does.
F. Physical
A physical control is real-world security, such as a fence or door lock.
More information:
SY0-501, Objective 5.7 - Security Controls

20
Q

Your security team has been provided with an
uncredentialed vulnerability scan report created by a
third-party. Which of the following would you expect to
see on this report?
❍ A. A summary of all files with invalid group
assignments
❍ B. A list of all unpatched operating system files
❍ C. The version of web server software in use
❍ D. A list of local user accounts

A

C. The version of web server software in use

A scanner like Nmap can query services and determine version numbers
without any special rights or permissions, which makes it well suited for
non-credentialed scans.

The incorrect answers:
A. A summary of all files with invalid group assignments
Viewing file permissions and rights requires authentication to the
operating system, so you would not expect to see this information if the
scan did not have credentials.
B. A list of all unpatched operating system files
Viewing detailed information about the operating system files requires
authentication to the OS, and an uncredentialed scan does not have those
permissions.
D. A list of local user accounts
Local user accounts are usually protected by the operating system, so you
would need to have credentials to view this information.
More information:
SY0-501, Objective 1.5 - Vulnerability Scanning

21
Q

The security team of a small manufacturing company
is investigating a compromised server that resulted in a
defaced internal website home page. The web server had
been running for a year, but no security patches were ever
applied. Logs from the web server show a large number
of attacks containing well-known exploits occurred just
before the server was defaced. Which of these would be
the MOST likely source of this attack?
❍ A. Hacktivist
❍ B. Script kiddie
❍ C. Insider
❍ D. Nation state

A

B. Script kiddie

A script kiddie commonly runs pre-made scripts without any knowledge of
what the script is actually doing. The script kiddie is simply hoping that at
least one of the many exploit attempts will be successful.

The incorrect answers:
A. Hacktivist
A hacktivist often uses sophisticated attacks in an effort to address a
particular political agenda or worldview. An attack of an internal web
server would have a limited scope and reach, and the large number of
exploit attempts would seem to show a lack of sophistication.
C. Insider
Insiders usually have enhanced rights and permissions and don’t need to
use a script or exploit a vulnerability.
D. Nation state
Nation states are focused on attacking governments and large entities.
Defacing a website home page would not be a common objective of a
nation state.
More information:
SY0-501, Objective 1.3 - Threat Actors

22
Q

Which of these would be MOST significant security
concern for an insider threat?
❍ A. Passwords written on sticky notes
❍ B. An unpatched file server
❍ C. A VPN concentrator that uses an older
encryption cipher
❍ D. Limited bandwidth available on the Internet link

A

A. Passwords written on sticky notes

A password written down and left in an open area can be used by any
insider who happens to walk by.

The incorrect answers:
B. An unpatched file server
Insider threats usually have access to more resources than those outside of
the organization, so identifying and exploiting an open vulnerability isn’t
usually necessary.
C. A VPN concentrator that uses an older encryption cipher
Internal users already have access to the inside of the network, so issues
on the VPN (Virtual Private Networking) concentrator aren’t usually
considered to be a concern as an insider threat.
D. Limited bandwidth available on the Internet link
A limited amount of bandwidth is useful for an external entity who wants
to perform a denial of service, but that isn’t usually an issue for threats that
are already on the inside.
More information:
SY0-501, Objective 1.3 - Threat Actors

23
Q

A security administrator would like to limit access from
a user VLAN to the server VLAN. All traffic to the server
VLAN communicates through the core router. Users
should only be able to connect to servers using standard
protocols. Which of the following options would be the
BEST way to implement this security feature?
❍ A. Configure a reverse proxy
❍ B. Define an ACL on the core router
❍ C. Replace the core router with a layer 3 firewall
❍ D. Add a load balancer for each server cluster

A

B. Define an ACL on the core router

Configuring an ACL (Access Control List) is a feature already included with
the router. The ACL will allow the filtering of traffic by IP address and port
number.

The incorrect answers:
A. Configure a reverse proxy
Although a proxy may provide some additional security functionality, the
installation and configuration of a reverse proxy is unnecessary if all you
need is a relatively simple protocol filtering mechanism.
C. Replace the core router with a layer 3 firewall
A firewall would certainly provide the filtering required for this scenario,
but it would require additional cost, installation, and time to implement.
The filtering functionality described in the question is already available in
the existing core router.
D. Add a load balancer for each server cluster
Adding load balancing to your servers would provide additional fault
tolerance to your server farm, but it is not commonly used for traffic
filtering. The load balancer would also require a purchase and require
additional network configurations.
More information:
SY0-501, Objective 2.1 - Router and Switch Security

24
Q

A file server has a full backup performed each Monday
at 1 AM. Incremental backups are performed at 1 AM on
Tuesday, Wednesday, Thursday, and Friday. The system
administrator needs to perform a full recovery of the file
server on Thursday afternoon. How many backup sets
would be required to complete the recovery?
❍ A. 2
❍ B. 3
❍ C. 4
❍ D. 1

A

C. 4

Each incremental backup will archive all of the files that have changed
since the last full or incremental backup. To complete this full restore, the
administrator will need the full backup from Monday and the incremental
backups from Tuesday, Wednesday, and Thursday.

The incorrect answers:
A. 2
If the daily backup was differential, the administrator would only need the
full backup and the differential backup from Thursday.
B. 3
Since the incremental backup only archives files that have changed, he will
need all three daily incremental backups as well as Monday’s full backup.
D. 1
To recover incremental backups, you’ll need the full backup and all
incremental backups since the full backup.
More information:
SY0-501, Objective 5.6 - Application Recovery
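The restore-set rule from the answer, as an added example that is not from the original exam: a Python function that walks a backup chain the way a restore would, for the incremental schedule in the question, for the differential alternative mentioned under answer A, and also for a chain that mixes the two (which the question does not cover). Day labels and schedules are constructed.

```python
# Backup kinds: "full" archives everything; "incremental" archives what changed
# since the previous backup of any kind; "differential" archives what changed
# since the last full. The helper walks the chain exactly as a restore would.

INCREMENTAL_WEEK = [("Mon", "full"), ("Tue", "incremental"), ("Wed", "incremental"),
                    ("Thu", "incremental"), ("Fri", "incremental")]
DIFFERENTIAL_WEEK = [("Mon", "full"), ("Tue", "differential"), ("Wed", "differential"),
                     ("Thu", "differential"), ("Fri", "differential")]


def restore_set(backups: list, recover_after: str) -> list:
    """`backups` is an ordered list of (label, kind) pairs, oldest first.
    Return the labels of the backup sets needed to restore the state as of
    the backup labelled `recover_after`, in the order they must be applied."""
    labels = [label for label, _ in backups]
    if recover_after not in labels:
        raise ValueError("no backup labelled %r" % recover_after)
    full, needed = None, []
    for label, kind in backups[: labels.index(recover_after) + 1]:
        if kind == "full":
            full, needed = label, []       # a new full resets the chain
        elif kind == "incremental":
            needed.append(label)           # every increment is still required
        elif kind == "differential":
            needed = [label]               # covers everything since the full
        else:
            raise ValueError("unknown backup kind %r" % kind)
    if full is None:
        raise ValueError("no full backup precedes %r" % recover_after)
    return [full] + needed


if __name__ == "__main__":
    # Thursday afternoon recovery includes Thursday's 1 AM backup.
    print(restore_set(INCREMENTAL_WEEK, "Thu"))    # ['Mon', 'Tue', 'Wed', 'Thu']
    print(restore_set(DIFFERENTIAL_WEEK, "Thu"))   # ['Mon', 'Thu']
```

The incremental schedule needs four sets, matching the answer; the differential schedule needs two, matching the note under answer A. In the mixed case a differential supersedes any incrementals taken before it (they are already contained in the differential), while an incremental taken after a differential must still be applied on top of it.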

25
Q

A company is creating a security policy that will protect
all corporate mobile devices:
• All mobile devices must be automatically locked
after a predefined time period.
• Some mobile devices will be used by the
remote sales teams, so the location of each device
needs to be traceable.
• The mobile devices should not be operable
outside of the country.
• All of the user’s information should be completely
separated from company data.
Which of the following would be the BEST way to
establish these security policy rules?
❍ A. Containerization strategy
❍ B. Biometrics
❍ C. COPE (Corporately Owned and Personally Enabled)
❍ D. VDI (Virtual Desktop Infrastructure)
❍ E. Geofencing
❍ F. MDM (Mobile Device Manager)

A

F. MDM

An MDM (Mobile Device Manager) provides a centralized management
system for all mobile devices. From this central console, security
administrators can set policies for many different types of mobile devices.

The incorrect answers:
A. Containerization strategy
Mobile device containerization allows an organization to securely separate
user data from company data on a mobile device. Implementing this
strategy usually requires a mobile device manager, and containerization
alone won’t address all of the required security policies.
B. Biometrics
Biometrics can be used as another layer of device security, but you need
more than biometrics to implement the required security policies in this
question.
C. COPE
A device that is COPE (Corporately Owned and Personally Enabled) is
commonly purchased by the corporation and allows the use of the mobile
device for both business and personal use. The use of a COPE device does
not address all of the required security policies.
D. VDI
A VDI (Virtual Desktop Infrastructure) separates the applications from the
mobile device. This is useful for securing data, but it doesn’t implement all
of the requirements in this question.
E. Geofencing
Geofencing could be used to prevent mobile device use from other
countries, but you would still need an MDM to implement the other
requirements.
More information:
SY0-501, Objective 2.5 - Mobile Device Management

26
Q

Jack, a security engineer, runs a monthly vulnerability
scan and creates a report with the results. The latest
report doesn’t list any vulnerabilities for Windows
servers, but a significant vulnerability was announced
last week and none of the servers are patched yet.
The vulnerability scanner is running the latest set of
signatures. Which of the following best describes
this result?
❍ A. Exploit
❍ B. False positive
❍ C. Zero-day attack
❍ D. False negative

A

D. False negative

A false negative is a result that fails to detect an issue when one actually
exists.

The incorrect answers:
A. Exploit
An exploit is an attack against a vulnerability. Vulnerability scans do not
commonly attempt to exploit the vulnerabilities that they identify.
B. False positive
A false positive is when an issue is identified but it doesn’t actually exist.
C. Zero-day attack
A zero-day attack focuses on previously unknown vulnerabilities. In this
example, the vulnerability scan isn’t an attack, and the vulnerabilities are
already known and patches are available.
More information:
SY0-501, Objective 1.5 - Vulnerability Scanning

27
Q

A security administrator is reviewing a 30-day
access report to determine if there are any unusual
or unexpected authentications. After these reviews,
the security administrator decides to add additional
authentication controls to the existing infrastructure.
Which of the following should be added by the security
administrator? (Select TWO)
❍ A. TOTP (Time-based One-Time Passwords)
❍ B. Least privilege
❍ C. Role-based awareness training
❍ D. Separation of duties
❍ E. Job rotation
❍ F. Smart Card

A

A. TOTP
F. Smart Card

TOTP (Time-based One-Time Passwords) and smart cards are
useful authentication controls when used in conjunction with other
authentication factors.

The incorrect answers:
B. Least privilege
Least privilege is a security principle that limits access to resources based
on a person’s job role. Least privilege is managed through security policy
and is not an authentication control.
C. Role-based awareness training
Role-based awareness training is specialized training that is based on a
person’s control of data within an organization. This training is not part of
the authentication process.
D. Separation of duties
A security policy that separates duties across different individuals is
separation of duties. This separation is not part of the authentication
process.
E. Job rotation
Job rotation is a security policy that moves individuals into different job
roles on a regular basis. This rotation is not part of the authentication
process.
More information:
SY0-501, Objective 4.3 - Access Control Technologies

28
Q

A network administrator would like to reconfigure
the authentication process on the company’s wireless
network. Instead of using the same wireless password
for all users, the administrator would like each user to
authenticate with their personal username and password.
Which of the following should the network administrator
configure on the wireless access points?
❍ A. WPA2-PSK
❍ B. 802.1X
❍ C. WPS
❍ D. WPA2-AES

A

B. 802.1X

802.1X uses a centralized authentication server, and all users can use their
normal credentials to authenticate to an 802.1X network.

The incorrect answers:
A. WPA2-PSK
The PSK (Pre-shared Key) is the shared password that this network
administrator would like to avoid using in the future.
C. WPS
WPS (Wi-Fi Protected Setup) connects users to a wireless network using a
shared PIN (Personal Identification Number).
D. WPA2-AES
WPA2 (Wi-Fi Protected Access 2) encryption with AES (Advanced
Encryption Standard) is a common encryption method for wireless
networks, but it does not provide any centralized authentication
functionality.
More information:
SY0-501, Objective 6.3 - Wireless Security

29
Q

Which of the following technologies use a challenge
message during the authentication process?
❍ A. TLS (Transport Layer Security)
❍ B. TACACS+ (Terminal Access Controller Access-Control System)
❍ C. Kerberos
❍ D. CHAP (Challenge-Handshake Authentication Protocol)

A

D. CHAP

CHAP (Challenge-Handshake Authentication Protocol) combines a
server’s challenge message with the client’s password hash during the
authentication process.

The incorrect answers:
A. TLS
TLS (Transport Layer Security) is an encryption mechanism that’s
commonly associated with web server communication. TLS uses public-key
cryptography instead of a challenge method.
B. TACACS+
TACACS+ (Terminal Access Controller Access-Control System) does not
use a challenge message when authenticating.
C. Kerberos
Kerberos uses public-key cryptography to provide security during the
authentication process.
More information:
SY0-501, Objective 4.2 - PAP, CHAP, and MS-CHAP

30
Q

A user has saved a presentation file to a network
drive, and the user has assigned individual rights and
permissions to the file. Prior to the presentation date, the
user adds three additional individuals to have read-only
access to the file. Which of the following would describe
this access control model?
❍ A. DAC (Discretionary Access Control)
❍ B. MAC (Mandatory Access Control)
❍ C. ABAC (Attribute-based Access Control)
❍ D. RBAC (Role-based Access Control)

A

A. DAC

DAC (Discretionary Access Control) is used in many operating systems,
and this model allows the owner of the resource to control who has access.

31
Q

The network administrator for an organization is building
a security strategy that can continually monitor the
network and systems for threats. This strategy focuses
on protecting the automated creation of cloud-based
services, the teardown process of cloud-based services,
and the rollback of cloud-based services from one version
to another. Which of the following BEST describes the
environment that the network administrator will secure?
❍ A. Redundant
❍ B. Highly-available
❍ C. Fault-tolerant
❍ D. Non-persistent

A

D. Non-persistent

A non-persistent environment is always in motion, and application
instances can be created, changed, or removed at any time.

The incorrect answers:
A. Redundant
A redundant environment maintains the availability of the system if a
problem occurs. This redundancy may need to be manually enabled if an
issue is identified.
B. Highly-available
A highly-available environment maintains the availability of a system if
a problem occurs. In a highly-available environment, the corrections are
implemented automatically and usually without the knowledge of the
end user. An application platform that is constantly changing may not
necessarily be highly-available.
C. Fault-tolerant
A fault-tolerant environment can correct itself if a problem is identified.
More information:
SY0-501, Objective 3.8 - Resiliency and Automation

32
Q

A department store offers gift certificates that can be
used to purchase merchandise. The store policy requires
that a floor manager approves each transaction when a
gift certificate is used for payment. The security team
has found that some of these transactions have been
processed without the approval of a manager. Which of
the following would provide a separation of duties to
enforce this store policy?
❍ A. Use a WAF (Web Application Firewall) to monitor all gift certificate transactions
❍ B. Disable all gift certificate transactions for cashiers
❍ C. Implement a discretionary access control policy
❍ D. Require an approval PIN for the cashier and a
separate approval PIN for the manager

A

D. Require an approval PIN for the cashier and a
separate approval PIN for the manager

This separation of duties would be categorized as dual control, where
two people must be present to perform the business function. In this
example, the dual control is managed by using two separate PINs (Personal
Identification Numbers) that would not be shared among individuals.

The incorrect answers:
A. Use a WAF to monitor all gift certificate transactions
A WAF (Web Application Firewall) is commonly used to monitor the input
to web-based applications. WAFs do not commonly ensure separation of
duties.
B. Disable all gift certificate transactions for cashiers
A separation of duties would give each person half of the information
needed to complete the transaction, or it would require both persons to
be present. Limiting the transaction to one person would not provide any
separation between duties.
C. Implement a discretionary access control policy
A discretionary access control policy (DAC) is commonly used in operating
systems to allow the data owner to decide who has access to data. A DAC
would not provide a way to manage separation of duties.
More information:
SY0-501, Objective 5.1 - Personnel Management

33
Q

Which of the following is true of a rainbow table?
(Select TWO)
❍ A. The rainbow table is built in real-time
during the attack
❍ B. Rainbow tables are the most effective
online attack type
❍ C. Rainbow tables require significant CPU cycles
at attack time
❍ D. Different tables are required for different
hashing methods
❍ E. A rainbow table won’t be useful if the
passwords are salted

A

D. Different tables are required for different
hashing methods
E. A rainbow table won’t be useful if the
passwords are salted

A rainbow table is built prior to an attack to match a specific password
hashing technique. If a different hashing technique is used, a completely
different rainbow table must be built.

The use of a salt will modify the expected results of a hash. Since a salted
hash will not be predictable, the rainbow table can’t be built for these
hashes.

The incorrect answers:
A. The rainbow table is built in real-time during the attack
One of the benefits of a rainbow table is that the table is built before an
attack begins. This provides a significant speed increase at attack time.
B. Rainbow tables are the most effective online attack type
Rainbow tables are almost exclusively used as an offline attack type. The
most common use of a rainbow table is for the attacker to obtain a list
of password hashes from a system and then use the rainbow tables while
offline.
C. Rainbow tables require significant CPU cycles at attack time
Rainbow tables are built prior to an attack, so most of the CPU (Central
Processing Unit) calculations and time are spent building the tables before
an attack begins.
More information:
SY0-501, Objective 1.2 - Cryptographic Attacks

34
Q

Before an application is moved into production, a
company’s development team runs a static code analyzer
to identify any security vulnerabilities. In the latest scan,
the analyzer has identified seven security issues. After
reviewing the code, the development team finds that only
five of the reported vulnerabilities are actual security
problems. Which of the following would BEST describe
the two incorrect vulnerability reports?
❍ A. Normalization
❍ B. Fuzzing
❍ C. Obfuscation
❍ D. False positive

A

D. False positive

A false positive is the report of an issue where no issue actually exists. In
this example, two of the seven reported security issues were false positives.

35
Q

Which of these cloud deployment models would share
resources between a private virtualized data center and
externally available cloud services?
❍ A. SaaS
❍ B. Community
❍ C. Hybrid
❍ D. Containerization

A

C. Hybrid

A hybrid cloud model combines both private and public cloud
infrastructures.

The incorrect answers:
A. SaaS
Software as a Service (SaaS) is a cloud deployment model that provides
on-demand software without any context about the software’s location.
B. Community
A community cloud model allows multiple organizations to share the same
cloud resources, regardless of the resource’s location.
D. Containerization
Containerization can be used with mobile devices to partition user data
and corporate data.
More information:
SY0-501, Objective 3.7 - Cloud Deployment Models

36
Q

A company hires a large number of seasonal employees,
and those contracts commonly end after the beginning
of the calendar year. All system access should be disabled
when an employee leaves the company, and the security
administrator would like to verify that their systems
cannot be accessed by any of the former employee
accounts. Which of the following would be the BEST way
to provide this verification? (Select TWO)
❍ A. Confirm that no unauthorized accounts have
administrator access
❍ B. Validate the account lockout policy
❍ C. Audit and verify the operational status of
all accounts
❍ D. Create a report that shows all authentications for
a 24-hour period
❍ E. Validate the processes and procedures for all
outgoing employees
❍ F. Schedule a required password change for
all accounts

A

C. Audit and verify the operational status of
all accounts
F. Schedule a required password change for
all accounts

The disabling of an employee account is commonly part of the offboarding
process. One way to validate an offboarding policy is to perform an audit of
all accounts and compare active accounts with active employees.

The incorrect answers:
A. Confirm that no unauthorized accounts have administrator access
It’s always a good idea to periodically audit administrator accounts, but this
audit won’t provide any validation that all former employee accounts have
been disabled.
B. Validate the account lockout policy
Account lockouts occur when a number of invalid authentication attempts
have been made to a valid account. Disabled accounts would not be locked
out because they are not currently valid accounts.
D. Create a report that shows all authentications for a 24-hour period
A list of all authentications would be quite large, and it would not be
obvious to see which authentications were made with valid accounts and
which authentications were made with former employee accounts.
F. Schedule a required password change for all accounts
A password change would not prevent access to an account that has not
been properly disabled, and it would not provide the security administrator
with any additional information about an account that has not been
properly disabled.
More information:
SY0-501, Objective 4.4 - Account Management

37
Q

Sam has just replaced a broken wireless access point in
a warehouse. With the new access point online, only a
portion of the wireless devices are able to connect to
the network. Other devices can see the access point, but
they are not able to connect even when using the correct
wireless settings. Which of the following security features
did Sam MOST likely enable?
❍ A. MAC filtering (Media Access Control)
❍ B. SSID broadcast suppression
❍ C. 802.1X authentication
❍ D. Anti-spoofing
❍ E. LWAPP management

A

A. MAC filtering

Filtering addresses by MAC (Media Access Control) address will limit
which devices can connect to the wireless network. If a device is filtered by
MAC address, it will be able to see an access point but it will not be able to
connect.

The incorrect answers:
B. SSID broadcast suppression
A suppressed SSID (Service Set Identifier) broadcast will hide the name
from the list of available wireless networks. Properly configured client
devices can still connect to the wireless network, even with the SSID
suppression.
C. 802.1X authentication
With 802.1X authentication, users will be prompted for a username and
password to gain access to the wireless network. Enabling 802.1X would
not restrict properly configured devices.
D. Anti-spoofing
Anti-spoofing features are commonly used with routers to prevent
communication from spoofed IP addresses. The issue in this question
doesn’t appear to involve any spoofed addresses.
E. LWAPP management
LWAPP (Lightweight Access Point Protocol) is useful for managing access
points, and LWAPP does not have an impact on a user’s ability to connect to
the access point.
More information:
SY0-501, Objective 2.1 - Access Points

38
Q

A security administrator has gathered this information:
Proto Recv-Q Send-Q Local Address Foreign Address (state)
tcp6 416 0 2601:4c3:4080:82.63976 yv-in-x5e.1e100..https CLOSE_WAIT
tcp6 0 0 2601:4c3:4080:82.63908 atl14s80-in-x0a..https ESTABLISHED
tcp6 0 0 fe80::4de1:1d4:8.36253 fe80::38b0:a2b1:.1025 ESTABLISHED
tcp6 0 0 fe80::4de1:1d4:8.1024 fe80::38b0:a2b1:.1024 ESTABLISHED
Which of the following is being used to create
this information?
❍ A. tracert
❍ B. netstat
❍ C. dig
❍ D. nbtstat

A

B. netstat

The netstat command provides a list of network statistics, and the default
view shows the traffic sessions between the local device and other devices
on the network.

The incorrect answers:
A. tracert
Traceroute lists the route between devices and shows the IP address
information of the routers at each hop.
C. dig
The dig (Domain Information Groper) command queries DNS servers
for the fully-qualified domain name and IP address information of other
devices.
D. nbtstat
The nbtstat (NetBIOS over TCP/IP statistics) command is used in Windows
to send NetBIOS queries to other Windows devices.
More information:
SY0-501, Objective 2.2 - Command Line Security Tools

39
Q

An attacker has discovered a way to disable a server
by sending a specially crafted packet to the operating
system. When the packet is received, the system crashes
and must be rebooted to restore normal operations.
Which of the following would BEST describe
this situation?
❍ A. Privilege escalation
❍ B. Spoofing
❍ C. Replay attack
❍ D. DoS

A

D. DoS

A DoS (Denial of Service) is an attack that overwhelms or disables a service
to prevent the service from operating normally. A packet that disables a
server would be an example of a DoS attack.

The incorrect answers:
A. Privilege escalation
A privilege escalation attack allows a user to exceed their normal rights
and permissions. In this example, user permission escalations were not
required to perform this attack.
B. Spoofing
Spoofing is when a device pretends to be a different device or pretends to
be something it isn’t. The attack described in this question did not appear
to emulate or pretend to be a different user or address than the actual attacker.
C. Replay attack
A replay attack captures information and then replays that information as
the method of attack. In this question, no mention was made of a prior data
capture.
More information:
SY0-501, Objective 1.2 - Denial of Service

40
Q

A data breach has occurred in a large insurance company.
A security administrator is building new servers and
security systems to get all of the financial systems back
online. Which part of the incident response process
would BEST describe these actions?
❍ A. Lessons learned
❍ B. Isolation and containment
❍ C. Reconstitution
❍ D. Precursors

A

C. Reconstitution

The recovery after a breach can be a phased approach that may take
months to complete.

The incorrect answers:
A. Lessons learned
Once the event is over, it’s useful to revisit the process to learn and improve
for next time.
B. Isolation and containment
During an incident, it’s useful to separate infected systems from the rest of
the network.
D. Precursors
Log files and alerts can often warn you of potential problems.
More information:
SY0-501, Objective 5.4 - Incident Response Process

41
Q

A service technician would like to protect some private
information sent over email. This information should
only be viewable by the recipient. Which of these
cryptographic algorithms would be the BEST choice?
❍ A. MD5
❍ B. HMAC
❍ C. SHA-2
❍ D. RC4

A

D. RC4

RC4 (Rivest Cipher 4) is the only encryption cipher in the list. All of the
other algorithms are used for hashing.

The incorrect answers:
A. MD5
MD5 (Message Digest 5) is a hashing algorithm and does not provide a
method of encrypting and decrypting information.
B. HMAC
HMAC (Hash-based Message Authentication Code) can check for data
integrity and authenticity with a hash, but it does not provide encryption
or decryption features.
C. SHA-2
SHA-2 (Secure Hash Algorithm 2) is a hashing algorithm. SHA-2 does not
provide any encryption or decryption functionality.
More information:
SY0-501, Objective 6.2 - Symmetric Algorithms

42
Q

Your CISO (Chief Information Security Officer) has
contracted with a third-party to identify security
vulnerabilities associated with all Internet-facing systems.
This organization has identified a significant vulnerability
in the newly-released firewall used in your DMZ. When
you contact the firewall company, you find there are no
plans to create a patch for this specific vulnerability.
Which of the following would BEST describe this issue?
❍ A. Lack of vendor support
❍ B. Improper input handling
❍ C. Improper key management
❍ D. End-of-life

A

A. Lack of vendor support

Security issues can be identified in a system or application at any time, so
it’s important to have a vendor that can support their software and correct
issues as they are discovered. If a vendor won’t provide security patches,
then you may be susceptible to security vulnerabilities.

The incorrect answers:
B. Improper input handling
A best practice for application security is to provide the proper handling
of invalid or unnecessary input. Adding a patch to firewall software for a
vulnerability would probably not be related to input handling.
C. Improper key management
Cryptographic keys can be used for many security purposes, but managing
those keys isn’t part of the patching process from a vendor.
D. End-of-life
In this case, the firewall is a relatively new product. If the product was no
longer officially sold or supported by the company, this would be an
end-of-life issue.
More information:
SY0-501, Objective 1.6 - Vulnerability Types

43
Q

A company has decided to perform a disaster recovery
exercise during an annual meeting. This exercise will
include the IT directors and senior directors. A simulated
disaster will be presented, and the participants will
discuss the logistics and processes required to resolve the
disaster. Which of the following would BEST describe
this exercise?
❍ A. After-action report
❍ B. Business impact analysis
❍ C. Alternate business practice
❍ D. Tabletop exercise

A

D. Tabletop exercise

A tabletop exercise allows a disaster recovery team to evaluate and plan
disaster recovery processes without performing a full-scale drill.

The incorrect answers:
A. After-action report
An after-action report is commonly created after a disaster recovery drill to
document which aspects of the plan worked or did not work.
B. Business impact analysis
A business impact analysis is usually created during the disaster recovery
planning process. Once the disaster has occurred, it becomes much more
difficult to complete an accurate impact analysis.
C. Alternate business practice
An alternate business practice may be one of the steps in completing a
disaster recovery exercise, but it does not describe the exercise itself.
More information:
SY0-501, Objective 5.6 - Continuity of Operation

44
Q

Which of the following would be the MOST secure
hashing method?
❍ A. RIPEMD (RACE Integrity Primitives Evaluation Message
Digest)
❍ B. AES (Advanced Encryption Standard)
❍ C. SHA-2 (Secure Hash Algorithm 2)
❍ D. MD5 (Message Digest Algorithm 5)

A

C. SHA-2

Of the available options, SHA-2 (Secure Hash Algorithm 2) is the only
hashing algorithm listed that does not currently have a collision attack
vector.

The incorrect answers:
A. RIPEMD
The original RIPEMD (RACE Integrity Primitives Evaluation Message
Digest) hashing algorithm was found to have collision issues in 2004.
B. AES
AES (Advanced Encryption Standard) is an encryption standard and not a
hashing algorithm.
D. MD5
Collisions using MD5 (Message Digest Algorithm 5) were found in 1996.
More information:
SY0-501, Objective 6.2 - Hashing Algorithms

45
Q

A system administrator uses an EV certificate for the
corporate web server. Which of these would be the MOST
likely reason for using this certificate type?
❍ A. Adds additional encryption features over a
non-EV certificate
❍ B. Shows that additional checks have been made
to validate the site owner
❍ C. Allows the certificate to support many
different domains
❍ D. Shows that the owner of the certificate has
control over a DNS domain

A

B. Shows that additional checks have been made to validate the site owner

An EV (Extended Validation) certificate is provided by a Certificate
Authority after additional checks have been made to validate the certificate
owner’s identity. This may require additional documentation or validation
requirements with the site owners.

The incorrect answers:
A. Adds additional encryption features over a non-EV certificate
An EV certificate does not provide any additional encryption features over
a non-EV certificate.
C. Allows the certificate to support many different domains
A SAN (Subject Alternative Name) extension to an X.509 certificate is
commonly used to include many different domain names in a single web
server certificate.
D. Shows that the owner of the certificate has control over a DNS domain
A DV (Domain Validation) certificate shows that the owner can manage
aspects of their DNS configuration. A DV certificate would generally go
through less validation than an EV certificate.
More information:
SY0-501, Objective 6.4 - Types of Certificates

46
Q

How can a company ensure that all data on a mobile
device is unrecoverable if the device is lost or stolen?
❍ A. Storage segmentation
❍ B. Geofencing
❍ C. Screen locks
❍ D. Remote wipe

A

D. Remote wipe

Most organizations will use a mobile device manager (MDM) to manage
mobile phones and tablets. Using the MDM, specific security policies can
be created for each mobile device, including the ability to send a
remote wipe command that will erase all data on a mobile device.

The incorrect answers:
A. Storage segmentation
Storage segmentation on a mobile device will separate the user’s data
from the company information. This allows the company to control their
corporate data without modifying or accessing the end user’s data.
B. Geofencing
Geofencing would allow the company to limit functionality or access based
on the location of the mobile device. Geofencing does not securely wipe
data from a device.
C. Screen locks
Screen locks are important, but won’t help when you need to permanently
remove data from a device.
More information:
SY0-501, Objective 2.5 - Mobile Device Management

47
Q

A server team has just installed a new web service in the
DMZ, and has added firewall rules to allow web browser
access to the service from the Internet. After the server
is active, the security team captures this network traffic
between the Internet and the server:
Which of these should the security team be MOST
concerned about in this server implementation?
Accept-Encoding: gzip, deflate\r\n
Accept-Language: en-US,en;q=0.8\r\n
Cookie: _fzvid=l=PM&rv=55f9b606bb547e235476e660;
__VerificationToken=g4-iTGqsT5BA5zqYiR0FIRf29rtG8-M59Lq5Y
Cookie pair: _fzvid=l=9/16/2015 6:33:42 PM&rv=55f9b606bb547e235
Cookie pair: __VerificationToken=g4-iTGqsT69Qo87MjixNqTBDT-x8FA
Cookie pair: __fzg=g=5993ad10bb547e238cca3ff5&l
Cookie pair: _ga=GA1.2.924799034.1442428422
Cookie pair: _gid=GA1.2.110485488.1502030607
Cookie pair: __fz55facc21bb547f0ec82ad5a7=l

A

C. Unencrypted traffic

Attackers can easily gather information sent across the network in the
clear, and cookie information may contain valuable information that could
be used in a replay attack.

The incorrect answers:
A. Unauthorized software
The packet trace does not appear to show any evidence of unauthorized
software.
B. Data exfiltration
A packet trace containing exfiltrated data would have evidence of large file
transfers.
D. Access violations
Cookie information is commonly transferred between a client and a server,
and no special access is usually required.
More information:
SY0-501, Objective 2.3 - Common Security Issues

48
Q

Sam is a user in the accounting department, and she uses
the corporate accounting software to perform her daily
job duties. Sam’s organization uses a role-based access
control model to assign permissions. Who is responsible
for managing these roles and permissions?
❍ A. Data owners
❍ B. Administrators
❍ C. Users
❍ D. Application owners

A

B. Administrators

With RBAC (Role-based Access Control), administrators define the access
that a particular role will have. As users are added to a role, they will gain
the rights and permissions that have been defined for members of that role.

The incorrect answers:
A. Data owners
Data owners are usually responsible for the application data, but they do
not commonly assign permissions with RBAC.
C. Users
Users do not commonly assign any rights and permissions when using a
role-based access control model.
D. Application owners
Like data owners, application owners have responsibility for the
application but do not assign rights and permissions to the application
when using RBAC.
More information:
SY0-501, Objective 4.3 - Access Control Models

49
Q

Which of these best describes two-factor authentication?
❍ A. A printer that uses a password and a PIN
❍ B. The door to a building that requires
a fingerprint scan
❍ C. An application that checks your GPS coordinates
❍ D. A Windows Domain that requires a username,
password, and smart card

A

D. A Windows Domain that requires a username, password, and smart card

The multiple factors of authentication used to log in to this Windows
Domain are a password (something you know) and a smart card
(something you have).

The incorrect answers:
A. A printer that uses a password and a PIN
A password and a PIN (Personal Identification Number) are both
something you know, so only one authentication factor is used.
B. The door to a building that requires a fingerprint scan
A biometric scan (something you are) is a single factor of authentication.
C. An application that checks your GPS coordinates
GPS (Global Positioning System) coordinates (somewhere you are)
describe a single factor of authentication.
More information:
SY0-501, Objective 4.1 - AAA and Authentication

50
Q

A company is deploying a new mobile application to
all of its employees in the field. Some of the problems
associated with this rollout include:
• The company does not have a way to manage the mobile
devices in the field
• Company data on mobile devices in the field introduces
additional risk
• Team members have many different kinds of mobile
devices
Which of the following deployment models would
address these concerns?
❍ A. Corporate-owned
❍ B. COPE (Corporate Owned and Personally Enabled)
❍ C. VMI (Virtual Mobile Infrastructure)
❍ D. BYOD (Bring Your Own Device)

A

C. VMI

A VMI (Virtual Mobile Infrastructure) would allow the field teams to
access their applications from many different types of devices without
requiring mobile device management and without any concern about
corporate data being stored on the devices.

The incorrect answers:
A. Corporate-owned
A corporate-owned device would solve the issue of device standardization,
but the corporate data would be stored on the mobile devices in the field.
B. COPE
COPE (Corporate Owned and Personally Enabled) devices are purchased
by the company but are used as both a corporate device and a personal
device. This would standardize the devices, but the corporate data would
still be at risk in the field.
D. BYOD
BYOD (Bring Your Own Device) means that the employee would choose
the mobile platform. This would not address the issue of mobile device
management, data security in the field, or standardization of mobile
devices and apps.
More information:
SY0-501, Objective 2.5 - Mobile Device Deployment Models

51
Q

An organization is installing a UPS for their new data
center. Which of the following would BEST describe this
type of control?
❍ A. Compensating
❍ B. Preventive
❍ C. Administrative
❍ D. Detective

A

A. Compensating

A compensating security control doesn’t prevent an attack, but it does
restore from an attack using other means. In this example, the UPS does
not stop a power outage, but it does provide alternative power if an outage
occurs.

The incorrect answers:
B. Preventive
A preventive control physically limits access to a device or area.
C. Administrative
An administrative control sets a policy that is designed to control how
people act.
D. Detective
A detective control may not prevent access, but it can identify and record
any intrusion attempts.
More information:
SY0-501, Objective 5.7 - Security Controls

52
Q

Your security team has been tasked with completing a
comprehensive study that will involve all devices in the
corporate data center. Because of the sensitive nature
of your business, all of the testing must be completed
by internal team members. A requirement of the study
is to identify any security weaknesses in the operating
systems or applications running on data center hardware.
There can be no downtime or data loss during the testing
process. Which of the following would best describe
this project?
❍ A. Threshold analysis
❍ B. Vulnerability scanning
❍ C. Fault tolerance
❍ D. Penetration testing

A

B. Vulnerability scanning

A vulnerability scan will examine devices for potential security holes, but
it will stop short of actively exploiting a vulnerability. This process will
minimize the potential for any downtime or data loss.

The incorrect answers:
A. Threshold analysis
A threshold analysis is the process of identifying business processes that
are privacy-sensitive, and it’s usually associated with privacy compliance
and not with the identification of security weaknesses.
C. Fault tolerance
A fault tolerant configuration will remain running if a fault occurs. This
is commonly accomplished by using multiple systems in a specialized
configuration, and if one system fails the other can continue operating.
D. Penetration testing
Penetration tests are commonly used to actively exploit vulnerabilities in
a system or application. Because of the risk associated with downtime,
penetration tests are often performed in controlled environments or during
non-production hours.
More information:
SY0-501, Objective 1.5 - Vulnerability Scanning

53
Q

Jack is a member of the incident response team at his
company. Jack has been asked to respond to a potential
security breach of the company’s databases, and he needs
to gather the most volatile data before powering down
the database servers. In which order should Jack collect
this information?
❍ A. CPU registers, temporary files, memory,
remote monitoring data
❍ B. Memory, CPU registers, remote monitoring data,
temporary files
❍ C. Memory, CPU registers, temporary files,
remote monitoring data
❍ D. CPU registers, memory, temporary files,
remote monitoring data

A

D. CPU registers, memory, temporary files, remote monitoring data

The most volatile data disappears quickly, so data such as the CPU registers
and information in memory will be lost before temporary files and remote
monitoring data become unavailable.

The incorrect answers:
A. CPU registers, temporary files, memory, remote monitoring data
Memory is more volatile than temporary files.
B. Memory, CPU registers, remote monitoring data, temporary files
CPU registers are more volatile than memory, and temporary files are more
volatile than remote monitoring data.
C. Memory, CPU registers, temporary files, remote monitoring data
CPU registers are more volatile than information in memory.
More information:
SY0-501, Objective 5.5 - Gathering Forensics Data

54
Q

Samantha, a Linux administrator, is downloading an
updated version of her Linux distribution. The download
site shows a link to the ISO and a SHA256 hash value.
Which of these would describe the use of this hash value?
❍ A. Verifies that the file was not corrupted during
the file transfer
❍ B. Provides a key for decrypting the ISO
after download
❍ C. Authenticates the site as an official ISO
distribution site
❍ D. Confirms that the file does not contain
any malware

A

A. Verifies that the file was not corrupted during the file transfer

Once the file is downloaded, Samantha can calculate the file’s SHA256
hash and confirm that it matches the value on the website.

The incorrect answers:
B. Provides a key for decrypting the ISO after download
ISO files containing public information are usually distributed without
any encryption, and a hash value would not commonly be used as a
decryption key.
C. Authenticates the site as an official ISO distribution site
Although it’s important to download files from known good sites, providing
a hash value on a site would not provide any information about the site’s
authentication.
D. Confirms that the file does not contain any malware
A hash value doesn’t inherently provide any protection against malware.
More information:
SY0-501, Objective 6.1 - Hashing and Digital Signatures

55
Q

The security policy at a company requires that login
access should only be available if a person is physically
within the same building as the server. Which of the
following would be the BEST way to provide this
requirement?
❍ A. TOTP (Time-based One-Time Password)
❍ B. Biometric scanner
❍ C. PIN
❍ D. SMS

A

B. Biometric scanner

A biometric scanner would require a person to be physically present to
verify authentication.

The incorrect answers:
A. TOTP
A TOTP (Time-based One-Time Password) generator may be associated
with a single person, but the TOTP code does not guarantee that a person
is physically present.
C. PIN
Although a PIN (Personal Identification Number) can be used as an
authentication factor, the use of the PIN does not guarantee that a person
is physically present.
D. SMS
SMS messages are commonly used as authentication factors. However, the
use of a mobile device to receive the SMS message does not guarantee that
the owner of the mobile device is physically present.
More information:
SY0-501, Objective 3.9 - Physical Security Controls

56
Q

Your development team has installed a new application
and database to a cloud service. After running a
vulnerability scanner on the application instance, you
find that the database is available for anyone to query
without providing any authentication. Which of these
vulnerabilities is MOST associated with this issue?
❍ A. Improper error handling
❍ B. Misconfiguration
❍ C. Race condition
❍ D. Memory leak

A

B. Misconfiguration

Just as with your local systems, proper permissions and security controls are
also required when information is added to a cloud-based system. If any of
your systems leave an open door, your data may be accessible by anyone on
the Internet.

The incorrect answers:
A. Improper error handling
This issue wasn’t associated with any error messages, so this wouldn’t be
categorized as a problem with error handling.
C. Race condition
If two processes occur simultaneously without any prior consideration,
bad things could happen. In this example, a single vulnerability scan has
identified the issue and other processes do not appear to be involved.
D. Memory leak
An application with a memory leak will gradually use more and more
memory until the system or application crashes. The issue in this question
was related to permissions and not available resources.
More information:
SY0-501, Objective 1.6 - Vulnerability Types

57
Q

One of the computers in the shipping department is
showing signs of a malware infection. Which of the
following would be the BEST next step to completely
remove the malware?
❍ A. Run a virus scan
❍ B. Degauss the hard drive
❍ C. Format the system partition
❍ D. Reimage the computer

A

D. Reimage the computer

Completely wiping the drive with a new image is an effective way to
completely remove any malware from a computer.

The incorrect answers:
A. Run a virus scan
A virus scan may identify and attempt to remove the malware, but there’s
no guarantee that the anti-virus software can completely remove all of the
malware. To guarantee removal, you must delete everything and reload or
reimage from scratch.
B. Degauss the hard drive
Degaussing the hard drive will remove everything on the drive, but it will
also erase any ROM or flash memory components on the drive. If the goal
is to completely destroy the drive, then degaussing would be a good choice.
C. Format the system partition
Malware can embed itself in other parts of the operating system, such as
the boot partition or boot record. To completely remove the malware, you
must wipe the entire drive and not just a single partition.
More information:
SY0-501, Objective 1.1 - An Overview of Malware

58
Q

Which of these would best describe the use of a nonce?
❍ A. Information encrypted with a public key is
decrypted with a private key
❍ B. Prevents replay attacks during authentication
❍ C. Information is hidden inside of an image
❍ D. The sender of an email can be verified

A

B. Prevents replay attacks during authentication

A nonce adds additional randomization to a cryptographic function. This
means that an authentication hash sent across the network will be different
for each authentication request.

The incorrect answers:
A. Information encrypted with a public key is decrypted with a private key
The use of public and private keys in asymmetric cryptography can be
used to provide confidentiality. A nonce is not necessary to provide this
functionality.
C. Information is hidden inside of an image
Steganography is the process of concealing information within an image.
D. The sender of an email can be verified
Digital signatures are commonly used to ensure the integrity of the
transmitted data and confirm that the author of the message is genuine
(non-repudiation).
More information:
SY0-501, Objective 6.1 - Randomizing Cryptography

59
Q

Which of the following would be the BEST way to
confirm the secure baseline of a deployed application
instance?
❍ A. Compare the production application to the sandbox
❍ B. Perform an integrity measurement
❍ C. Compare the production application to
the previous version
❍ D. Perform QA testing on the application instance

A

B. Perform an integrity measurement

An integrity measurement is designed to check for the secure baseline
of firewall settings, patch levels, operating system versions, and any
other security components associated with the application. These secure
baselines may vary between different application versions.

The incorrect answers:
A. Compare the production application to the sandbox
A sandbox is commonly used as a development environment. Security
baselines in a production environment can be quite different when
compared to the code in a sandbox.
C. Compare the production application to the previous version
The newer version of an application may have very different security
requirements than previous versions.
D. Perform QA testing on the application instance
QA (Quality Assurance) testing is commonly used for finding bugs and
verifying application functionality. The primary task of QA is not generally
associated with verifying security baselines.
More information:
SY0-501, Objective 3.4 - Secure Deployments

60
Q

Which of the following would BEST describe a security
feature based on administrative control diversity?
❍ A. Data center cameras
❍ B. Active directory authentication
❍ C. Off-boarding process
❍ D. Laptop full disk encryption

A

C. Off-boarding process

When a person leaves the organization, there needs to be a formal
administrative policy on how to handle the hardware, software, and data
associated with that person. These formal policies and procedures would
be an important administrative control associated with defense-in-depth.

The incorrect answers:
A. Data center cameras
Cameras can be useful security controls, but they are considered physical
controls and not administrative.
B. Active directory authentication
One way to manage security in a large environment is with a centralized
authentication database. AD authentication would be categorized as a
technical control.
D. Laptop full disk encryption
Another useful technical control is the automatic encryption of all data on
a mobile device.
More information:
SY0-501, Objective 3.1 - Defense-in-Depth

61
Q

An analyst is examining the traffic logs to a server in the
DMZ. The analyst has identified a number of sessions
from a single IP address that appear to be received with a TTL equal to zero. One of the sessions has a destination of the Internet firewall, and a session immediately after has a destination of your DMZ server. Which of the following BEST describes this log information?
❍ A. Someone is performing a vulnerability scan
against your firewall and DMZ server
❍ B. Your users are performing DNS lookups
❍ C. A remote user is grabbing banners of your
firewall and DMZ server
❍ D. Someone is performing a traceroute to
the DMZ server

A

D. Someone is performing a traceroute to the DMZ server

A traceroute maps each hop by slowly incrementing the TTL (Time to Live)
value during each request. When the TTL reaches zero, the receiving router
drops the packet and sends an ICMP (Internet Control Message Protocol)
TTL Exceeded message back to the original station.

The incorrect answers:
A. Someone is performing a vulnerability scan against your
firewall and DMZ server
Vulnerability scans are usually very specific requests, and they won’t get
to their destination if the TTL is zero. The question did not provide any
information that would indicate an active vulnerability scan.
B. Your users are performing DNS lookups
Properly working DNS (Domain Name System) responses would not have a
TTL of zero, and nothing in the question indicated information that would
commonly be included in a DNS query.
C. A remote user is grabbing banners of your firewall and DMZ server
Banners can provide useful reconnaissance information about a service,
but the TTL of zero and the lack of connection to a specific service would
not indicate a banner grabbing session.
More information:
SY0-501, Objective 2.2 - Command Line Security Tools

62
Q

Rodney is a security administrator for a large
manufacturing company. His company has just acquired
a transportation company, and Rodney has connected the two networks together with an IPsec VPN. Rodney needs to allow access to the manufacturing company network for anyone who authenticates to the transportation company network. Which of these authentication methods BEST meets Rodney’s requirements?
❍ A. One-way trust
❍ B. Mobile device location services
❍ C. Smartphone software tokens
❍ D. Two-factor authentication

A

A. One-way trust

A one-way trust would allow the manufacturing company to trust the
transportation company, but there would not be a trust in the other
direction.

The incorrect answers:
B. Mobile device location services
Mobile device location services would use a GPS (Global Positioning
System) coordinate to authenticate a user. This example did not require the
location of the users as part of the authentication method.
C. Smartphone software tokens
Software tokens are inexpensive authentication factors, but they would not
provide the trust requirement described in this question.
D. Two-factor authentication
Two-factor authentication may be part of the authentication factor for
the transportation network, but it does not provide any additional trust or
access to the manufacturing network.
More information:
SY0-501, Objective 4.1 - AAA and Authentication

63
Q

A company encourages users to encrypt all of their
confidential materials on a central server. The
organization would like to enable key escrow as a backup.
Which of these keys should the organization place
into escrow?
❍ A. Private
❍ B. CA
❍ C. Session
❍ D. Public

A

A. Private

With asymmetric encryption, the private key is used to decrypt information
that has been encrypted with the public key. To ensure continued access to
the encrypted data, the company must have a copy of each private key.

The incorrect answers:
B. CA
A CA (Certificate Authority) key is commonly used to validate the digital
signature from a trusted CA. This is not commonly used for user data
encryption.
C. Session
Session keys are commonly used temporarily to provide confidentiality
during a single session. Once the session is complete, the keys are
discarded. Session keys are not used to provide long-term data encryption.
D. Public
In asymmetric encryption, a public key is already available to everyone. It
would not be necessary to escrow a public key.
More information:
SY0-501, Objective 6.4 - PKI Concepts

64
Q

Daniel, a security administrator, is designing an
authentication process for a new remote site deployment.
Daniel would like the users to provide their credentials
when they authenticate in the morning, and he does not
want any additional authentication requests to appear
during the rest of the day. Which of the following should
Daniel use to meet this requirement?
❍ A. TACACS+
❍ B. LDAPS
❍ C. Kerberos
❍ D. 802.1X

A

C. Kerberos

Kerberos uses a ticket-based system to provide SSO (Single Sign-On)
functionality. You only need to authenticate once with Kerberos to gain
access to multiple resources.

The incorrect answers:
A. TACACS+
TACACS+ (Terminal Access Controller Access-Control System) is a
common authentication method, but it does not provide any single sign-on
functionality.
B. LDAPS
LDAPS (Lightweight Directory Access Protocol Secure) is a standard for
accessing a network directory. This can provide an authentication method,
but it does not provide any single sign-on functionality.
D. 802.1X
802.1X is a standard for port-based network access control (PNAC), but it
does not inherently provide any single sign-on functionality.
More information:
SY0-501, Objective 4.2 - Identity and Access Services

65
Q

A manufacturing company would like to use an
existing router to separate a corporate network and
the manufacturing floor. The corporate network and
manufacturing floor currently operate on the same
subnet and the same physical switch. The company does
not want to install any additional hardware. Which of the
following would be the BEST choice for
this segmentation?
❍ A. Connect the corporate network and the
manufacturing floor with a VPN
❍ B. Build an air gapped manufacturing floor network
❍ C. Use personal firewalls on each device
❍ D. Create separate VLANs for the corporate network
and the manufacturing floor

A

D. Create separate VLANs for the corporate network and the manufacturing floor

Creating VLANs (Virtual Local Area Networks) will segment a network
without requiring additional switches.

The incorrect answers:
A. Connect the corporate network and the manufacturing floor with a VPN
A VPN (Virtual Private Network) would encrypt all information between
the two networks, but it would not provide any segmentation. This
process would also commonly require additional hardware to provide VPN
connectivity.
B. Build an air gapped manufacturing floor network
An air gapped network would require separate physical switches on each
side of the gap, and this would require the purchase of an additional
switch.
C. Use personal firewalls on each device
While personal firewalls provide protection for individual devices, they
do not segment networks. It’s also uncommon for personal firewalls to be
installed on manufacturing equipment.
More information:
SY0-501, Objective 3.2 - Network Segmentation

66
Q

Hank, a security administrator, has received an email
from an employee regarding their VPN connection from
home. When this user connects to the corporate VPN,
they are no longer able to print to their network printer
at home. Once the user disconnects from the VPN, the
printer works normally. Which of the following would be
the MOST likely reason for this issue?
❍ A. The VPN uses IPSec instead of SSL
❍ B. Printer traffic is filtered by the VPN client
❍ C. The VPN is stateful
❍ D. The VPN tunnel is configured for full tunnel

A

D. The VPN tunnel is configured for full tunnel

A split tunnel is a VPN (Virtual Private Network) configuration that only
sends a portion of the traffic through the encrypted tunnel. A split tunnel
would allow work-related traffic to securely traverse the VPN, and all other
traffic would use the non-tunneled option. In this example, the printer
traffic is being redirected through the VPN instead of the local home
network because of the non-split/full tunnel.

The incorrect answers:
A. The VPN uses IPSec instead of SSL
There are many protocols that can be used to send traffic through
an encrypted tunnel. IPsec is commonly used for site-to-site VPN
connections, and SSL (Secure Sockets Layer) is commonly used for end-user
VPN connections. However, either protocol can technically be used
for any VPN tunnel, and the choice of protocol would make no difference
to the operation of the local printer.
B. Printer traffic is filtered by the VPN client
VPN clients are usually tasked with sending traffic unfiltered through the
encrypted tunnel. Although data could be filtered at some point along the
communication path, it’s not commonly filtered by the VPN client.
C. The VPN is stateful
A stateful communication is commonly associated with firewalls, and it
refers to the firewall’s ability to track traffic flows. Stateful communication
would not be a technology commonly associated with a VPN, and it would
not be part of the user’s printing issue.
More information:
SY0-501, Objective 2.1 - VPN Concentrators

67
Q

A data center manager has built a Faraday cage in the
data center. A set of application servers has been placed
into racks inside the Faraday cage. Which of the following would be the MOST likely reason for the data center manager to install this configuration of equipment?
❍ A. Protect the servers against any unwanted
electromagnetic fields
❍ B. Prevent physical access to the servers without
the proper credentials
❍ C. Provide additional cooling to all devices in the cage
❍ D. Adds additional fire protection for the
application servers

A

A. Protect the servers against any unwanted electromagnetic fields

A Faraday cage is a mesh of conductive material that will cancel electromagnetic fields.

The incorrect answers:
B. Prevent physical access to the servers without the proper credentials
A Faraday cage does not provide any protection against system logins.
C. Provide additional cooling to all devices in the cage
A Faraday cage does not provide any additional cooling features.
D. Adds additional fire protection for the application servers
A Faraday cage does not provide any additional fire protection features.
More information:
SY0-501, Objective 3.9 - Physical Security Controls

68
Q

A security administrator is evaluating a monthly
vulnerability report associated with web servers in the
data center. The report shows the return of a vulnerability
that was previously patched four months ago. The report
shows that the vulnerability has been active on the web
servers for three weeks. After researching this issue,
the security team has found that a recent patch has
reintroduced this vulnerability on the servers. Which
of the following should the security administrator
implement to prevent this issue from occurring
in the future?
❍ A. Templates
❍ B. Elasticity
❍ C. Master image
❍ D. Continuous monitoring

A

D. Continuous monitoring

It’s common for organizations to continually monitor services for any
changes or issues. A nightly vulnerability scan across important servers
would identify issues like this one.

The incorrect answers:
A. Templates
Templates can be used to easily build the basic structure of an application
instance. These templates are not used to identify or prevent the
introduction of vulnerabilities.
B. Elasticity
Elasticity is important when scaling resources as the demand increases or
decreases. Unfortunately, elasticity will not help with the identification of
vulnerabilities.
C. Master image
A master image is used to quickly copy a server for easy deployment.
This image will need to be updated and maintained to prevent the issues
associated with unexpected vulnerabilities.
More information:
SY0-501, Objective 3.8 - Resiliency and Automation

69
Q

A critical security patch has been rolled out on short
notice to a large number of servers in a data center. IT
management is requiring verification that this patch has
been properly installed on all applicable servers. Which
of the following would be the BEST way to verify the
installation of this patch?
❍ A. Use a vulnerability scanner
❍ B. Examine IPS logs
❍ C. Use a data sanitization tool
❍ D. Monitor real-time traffic with a protocol analyzer

A

A. Use a vulnerability scanner

A vulnerability scanner can check the status of a vulnerability on a device
and create a report of which devices may be susceptible to a particular
vulnerability.

The incorrect answers:
B. Examine IPS logs
IPS (Intrusion Prevention System) logs can show attacks that may be
attempting to exploit this vulnerability, but the logs won’t proactively
identify devices that are not patched.
C. Use a data sanitization tool
Data sanitization is commonly used to permanently delete individual files
from a drive or permanently delete all data on a drive.
D. Monitor real-time traffic with a protocol analyzer
A protocol analyzer can provide more detail about specific traffic flows, but
it won’t query devices to determine if a patch has been installed.
More information:
SY0-501, Objective 2.2 - Software Security Tools

70
Q
Which cryptographic method is used to add trust to a
digital certificate?
❍ A. X.509
❍ B. Hash
❍ C. Symmetric encryption
❍ D. Digital signature
A

D. Digital signature

A certificate authority will digitally sign a certificate to add trust. If you
trust the certificate authority, you can then trust the certificate.

The incorrect answers:
A. X.509
The X.509 standard defines the structure of a certificate. This standard
format makes it easy for everyone to view the contents of a certificate, but
it doesn’t provide any additional trust.
B. Hash
A hash can help verify that the certificate has not been altered, but it does
not provide additional third-party trust.
C. Symmetric encryption
Symmetric encryption has the same issue as asymmetric encryption. The
information in a certificate commonly needs to be viewable by others.
More information:
SY0-501, Objective 6.4 - PKI Components

71
Q

Which of these would be commonly used during the
authentication phase of the AAA framework?
❍ A. Username
❍ B. Login time
❍ C. Password
❍ D. Access to the /home directory

A

C. Password

The authentication portion of the AAA framework is used to prove that
you are who you say you are. This would include passwords and other
authentication factors.

The incorrect answers:
A. Username
A username is part of the identification phase of the AAA framework.
You make a claim during the identification process and then provide
authentication with a password or other authentication factor.
B. Login time
The accounting phase of the AAA framework stores information such as
login timestamps, data transferred, and logout timestamps.
D. Access to the /home directory
The authorization phase of the AAA framework provides appropriate access
to resources based on the identification and authorization of a user.
More information:
SY0-501, Objective 4.1 - AAA and Authentication

72
Q

An organization maintains a large database of customer
information for sales tracking and customer support.
Which person in the organization would be responsible
for managing the access rights to this data?
❍ A. Data steward
❍ B. Data owner
❍ C. Privacy officer
❍ D. Data custodian

A

D. Data custodian

The data custodian manages access rights and sets security controls
to the data.

The incorrect answers:
A. Data steward
The data steward is responsible for data accuracy, privacy, and adding
sensitivity labels to the data.
B. Data owner
The data owner is usually a higher-level executive who makes business
decisions regarding the data.
C. Privacy officer
A privacy officer sets privacy policies and implements privacy processes
and procedures.
More information:
SY0-501, Objective 5.8 - Data Roles and Retention

73
Q

An organization’s content management system (CMS)
currently labels files and documents as “Unclassified”
and “Restricted.” In a recent update to the CMS, a
new classification type of “PII” was added. Which of the
following would be the MOST likely reason for
this addition?
❍ A. Healthcare system integration
❍ B. Simplified categorization
❍ C. Expanded privacy compliance
❍ D. Decreased search time

A

C. Expanded privacy compliance

The labeling of PII (Personally Identifiable Information) is often associated
with privacy and compliance concerns.

The incorrect answers:
A. Healthcare system integration
Healthcare data would most likely be labeled as PHI (Protected Health
Information). Personal information isn’t necessarily health-related.
B. Simplified categorization
Adding additional categories would not commonly be considered a
simplification.
D. Decreased search time
Adding additional classifications would not necessarily provide any
decreased search times.
More information:
SY0-501, Objective 5.8 - Handling Sensitive Data

74
Q

A corporate security team has performed a data center audit and found that most web servers store their certificates on the server itself. The security team would like to consolidate and protect the certificates across all of their web servers. Which of these would be the BEST way to securely store these certificates?
❍ A. Use an HSM
❍ B. Implement full disk encryption on the web servers
❍ C. Use a TPM
❍ D. Upgrade the web servers to use a UEFI BIOS

A

A. Use an HSM

An HSM (Hardware Security Module) is a high-end cryptographic hardware appliance that can securely store keys and certificates for all devices.

The incorrect answers:
B. Implement full disk encryption on the web servers
Full-disk encryption would only protect the certificates if someone does
not have the proper credentials, and it won’t help consolidate all of the web
server keys to a central point.
C. Use a TPM
A TPM (Trusted Platform Module) is used on individual devices to provide
cryptographic functions and securely store encryption keys. Individual
TPMs would not provide any consolidation of web server certificates.
D. Upgrade the web servers to use a UEFI BIOS
A UEFI (Unified Extensible Firmware Interface) BIOS (Basic Input/Output
System) does not provide any additional security or consolidation features
for web server certificates.
More information:
SY0-501, Objective 3.3 - Hardware Security

75
Q
Which of the following describes a monetary loss if one event occurs?
❍ A. ALE
❍ B. SLE
❍ C. RTO
❍ D. ARO
A

B. SLE

SLE (Single Loss Expectancy) describes the financial impact of
a single event.

The incorrect answers:
A. The alert was generated from a malformed User Agent header
The user agent information is provided as additional supporting data
associated with the alert. The agent itself is not the cause of this alert.
D. The attacker’s IP address is 64.235.145.35
The attacker’s IP address is listed first, so the victim’s IP address is
64.235.145.35.
E. The alert was generated due to an invalid client port number
The port number associated with the client, 3332, is a valid port number
and not associated with the cause of the alert.
More information:
SY0-501, Objective 2.4 - Analyzing Security Output

76
Q
Jonas has an Internet connection at home that he accesses using a wireless network. He’s noticed lately that his throughput has not been as fast as normal, and he suspects that his neighbors may be using his wireless connection. Jonas can view this list of connected wireless devices from his router configuration:

Computer Name    IP Address    MAC Address
unknown          10.1.1.7      a0-21-b7-63-40-40
unknown          10.1.2.2      0c-2a-69-09-11-33
unknown          10.1.1.12     7c-2e-0d-30-3d-38
unknown          10.1.10.2     00-26-55-dd-75-d0
unknown          10.1.1.22     d0-81-7a-3d-0f-5d

Which of the following would be the NEXT step to identify any unwanted
users on his wireless network?

❍ A. Disable the SSID broadcast on the wireless router
❍ B. Perform a port scan of each IP address connected to the router
❍ C. Enable MAC filtering and add Jonas’ devices to the filter
❍ D. Connect a wired network device and perform a speed test

A

C. Enable MAC filtering and add Jonas’ devices to the filter

We don’t have enough information from the connected device list to
know which devices may belong to Jonas and which devices may be
unauthorized. To filter out unwanted users, Jonas should enable MAC
address filtering and then add the MAC (Media Access Control) address of
each wireless device to the router configuration.

The incorrect answers:
A. Disable the SSID broadcast on the wireless router
Disabling the SSID (Service Set Identifier) would prevent Jonas’ network
name from appearing in lists of wireless networks, but it won’t stop any
unauthorized users who may have already connected to his network. It’s
also relatively easy to find the wireless network without the broadcast
enabled, so this option would not be a viable security measure.
B. Perform a port scan of each IP address connected to the router
A port scan would certainly gather more information about the connected
devices, but the primary goal is to identify and restrict any unauthorized
devices.
D. Connect a wired network device and perform a speed test
A speed test would give us more information about the available network
bandwidth to the Internet, but it won’t help Jonas find unauthorized users.
More information:
SY0-501, Objective 2.1 - Access Points

77
Q

Sam, the manager of the accounting department, has opened a helpdesk
ticket complaining of poor system performance and excessive pop-up
messages. Her cursor is also moving without anyone touching the mouse.
This issue began after Sam opened a spreadsheet from a vendor containing
part numbers and pricing information. Sam recalls clicking through a
number of warning messages before the spreadsheet would open. Which
of the following is MOST likely the cause of Sam’s issues?
❍ A. Man-in-the-middle
❍ B. Worm
❍ C. RAT
❍ D. Logic bomb

A

C. RAT

A RAT (Remote Access Trojan) is malware that can control a computer
using desktop sharing and other administrative functions. Because the
installation program is often disguised as something else, the victim often
doesn’t realize they’re installing malware. Once the RAT is installed, the
attacker can control the desktop, capture screenshots, reboot the computer,
and many other administrative functions.

The incorrect answers:
A. Man-in-the-middle
A man-in-the-middle attack commonly occurs without any knowledge to
the parties involved, and there’s usually no additional notification that an
attack is underway.
B. Worm
A worm is malware that can replicate itself between systems without any
user intervention, so a spreadsheet that requires a user to click through
additional warning messages would not be categorized as a worm.
D. Logic bomb
A logic bomb is malware that installs and operates silently until a certain
event occurs. Once the logic bomb has been triggered, the results usually
involve loss of data or a disabled operating system.
More information:
SY0-501, Objective 1.1 - Trojans and RATs

78
Q

A systems engineer in the sales department has left the organization for a
position with another company. The engineer’s accounts were disabled on
his last day with the company, but security logs show that attempts were
made to access email accounts after the account was disabled. Which of
these security practices protected the organization from any unauthorized
access?
❍ A. Least privilege
❍ B. Auditing
❍ C. Offboarding
❍ D. Location-based policies

A

C. Offboarding

The offboarding process is a pre-planned set of tasks that occur when
someone leaves an organization. This plan documents the process of
turning over company computers, how to maintain the user’s data after
their departure, and the automatic deactivation of any company accounts.

The incorrect answers:
A. Least privilege
Least privilege sets user rights and permissions to the bare minimum, but
it does not provide a method of disabling accounts after a user leaves the
organization.
B. Auditing
In this question, an audit was performed that identified the authorization
attempts. However, the security practice that originally prevented the login
listed in the audit logs was related to the offboarding process. Auditing
documents historical activities and does not generally prevent real-time
access.
D. Location-based policies
The authorization attempts in this question did not specify a particular
geographical location. The location of the user was not the reason for
preventing the authentication.
More information:
SY0-501, Objective 4.4 - Account Management

79
Q

A security manager has created a report that shows intermittent network
communication from external IP addresses to certain workstations on the
internal network. These traffic patterns occur at random times during the
day. Which of the following would be the MOST likely reason for these
traffic patterns?
❍ A. ARP poisoning
❍ B. Backdoor
❍ C. Polymorphic virus
❍ D. Trojan horse

A

B. Backdoor

A backdoor would allow an attacker to access a system at any time without
any user intervention. If there are inbound traffic flows that cannot be
identified, it may be necessary to isolate that computer and examine it for
signs of a compromised system.

The incorrect answers:
A. ARP poisoning
ARP (Address Resolution Protocol) poisoning is a local exploit that is often
associated with a man-in-the-middle attack. The attacker must be on the
same local IP subnet as the victim, so this is not often associated with an
external attack.
C. Polymorphic virus
Polymorphic viruses will modify themselves each time they are
downloaded. Although a virus could potentially install a backdoor,
a polymorphic virus would not be able to install itself without user
intervention.
D. Trojan horse
A Trojan horse is malware that is hidden inside of a seemingly harmless
application. Once the Trojan horse is executed, the malware will be
installed onto the victim’s computer. Trojan horse malware could possibly
install backdoor malware, but the Trojan horse itself would not be the
reason for these traffic patterns.
More information:
SY0-501, Objective 1.1 - Trojans and RATs

80
Q

A company has installed a new set of switches in their data center. The security team would like to authenticate to the switch using the same credentials as their existing Windows Active Directory network. However, the switches do not support Kerberos as an authentication method.
Which of the following would be the BEST option for the security team’s
authentication requirement?
❍ A. Local authentication
❍ B. LDAP
❍ C. Multi-factor authentication
❍ D. Captive portal

A

B. LDAP

LDAP (Lightweight Directory Access Protocol) is a common standard that
works across many different operating systems. Microsoft Active Directory

The incorrect answers:
A. Local authentication
Local authentication would create a username and password database on
each individual switch. This would not provide any integration into the
Active Directory database.
C. Multi-factor authentication
Multi-factor authentication can help secure the authentication process, but
it would not provide any integration to Active Directory.
D. Captive portal
A captive portal is commonly used on web-based systems as an
authentication method. Captive portal does not describe a method of
integrating with other directory services.
More information:
SY0-501, Objective 4.2 - Identity and Access Services

81
Q
A company has just deployed a new application into their production environment. Unfortunately, a significant bug has been identified that must be quickly corrected. The operations team will not allow any incremental bug fixes to the production system, and instead require an entirely new application instance deployment for any updates. Which of the following would BEST describe this production system?
❍ A. Immutable
❍ B. Agile
❍ C. IAC
❍ D. Sandbox
A

A. Immutable

An immutable system cannot be changed once deployed. To update the application, a new iteration must be deployed.

The incorrect answers:
B. Agile
An agile development life-cycle describes a system of rapid development
and a highly-collaborative development methodology. Agile describes the
process of developing code, and not the process for deploying or changing
the production code.
C. IAC
Infrastructure as code (IAC) describes the virtualization of infrastructure
components such as firewalls, routers, and switches.
D. Sandbox
A sandbox is commonly referenced as a development or test environment
where changes and modifications can be attempted without affecting the
production systems.
More information:
SY0-501, Objective 3.6 - Secure DevOps

82
Q

A security administrator would like to increase the security of the company’s email communication. The outgoing email server currently uses SMTP with no encryption. The security administrator would like to implement encryption between email clients without changing the existing server-to-server communication. Which of the following would be the BEST way to implement this requirement?
❍ A. Implement Secure IMAP
❍ B. Require the use of S/MIME
❍ C. Install an SSL certificate on the email server
❍ D. Use a VPN tunnel between email clients

A

B. Require the use of S/MIME

S/MIME (Secure/Multipurpose Internet Mail Extensions) provides a way to integrate public key encryption and digital signatures into most modern email clients. This would encrypt all email information from client to client, regardless of the communication used between email servers.

The incorrect answers:
A. Implement Secure IMAP
Secure IMAP (Internet Message Access Protocol) would encrypt
communication downloaded from an email server, but it would not provide
any security for outgoing email messages.
C. Install an SSL certificate on the email server
An SSL certificate on an email server could potentially be used to encrypt
server-to-server communication, but the security administrator is looking
for an encryption method between email clients.
D. Use a VPN tunnel between email clients
Email communication does not occur directly between email clients, so
configuring a VPN between all possible email recipients would not be a
valid implementation.
More information:
SY0-501, Objective 2.6 - Secure Protocols

83
Q
A company is updating their VoIP handsets and would like to use SRTP for all phone calls. Which of these technologies would MOST commonly be used to implement this feature?
❍ A. AES (Advanced Encryption Standard)
❍ B. TLS (Transport Layer Security)
❍ C. Asymmetric encryption
❍ D. SSH (Secure Shell)
❍ E. IPS (Intrusion Prevention System)
A

A. AES

The Advanced Encryption Standard (AES) cipher is used to encrypt traffic over SRTP (Secure Real-time Protocol) VoIP (Voice over IP) communication.

The incorrect answers:
B. TLS
TLS (Transport Layer Security) is commonly used for HTTPS (Hypertext
Transfer Protocol Secure) and FTPS (File Transfer Protocol Secure), but it’s
not used for SRTP traffic.
C. Asymmetric encryption
Asymmetric encryption isn’t suited for real-time or streaming protocols, so
it’s not used for SRTP traffic.
D. SSH
SSH (Secure Shell) is useful for encrypted terminal sessions, but it’s not
used with SRTP.
E. IPS
An IPS (Intrusion Prevention System) is used to identify network-based
attacks. An IPS is not used for implementing security over VoIP protocols.
More information:
SY0-501, Objective 2.6 - Secure Protocols

84
Q
A company has just purchased a new application server, and the security director wants to determine if the system is secure. The system is currently installed in a test environment and will not be available to your users until the rollout to production next week. Which of the following would be the BEST way to determine if any part of the system can be exploited?
❍ A. Tabletop exercise
❍ B. Vulnerability scanner
❍ C. Password cracker
❍ D. Penetration test
A

D. Penetration test

A penetration test can be used to actively exploit potential vulnerabilities in a system or application. This could cause a denial of service or loss of data, so the best practice is to perform the penetration test during non-production hours or in a test environment.

The incorrect answers:
A. Tabletop exercise
A tabletop exercise is used to talk through a security event with an
incident response team around a conference room table. This is commonly
performed as a training device instead of performing a full-scale disaster
drill.
B. Vulnerability scanner
Vulnerability scanners may identify a vulnerability, but they do not actively
attempt to exploit the vulnerability.
C. Password cracker
A password cracker is usually an offline brute force tool used against a
list of password hashes. A password cracker may be able to identify weak
passwords, but it would not identify any other types of vulnerabilities.
More information:
SY0-501, Objective 1.4 - Penetration Testing