Practice study 2 Flashcards

1
Q
A security administrator has performed an audit of the organization’s production web servers, and the results have identified banner information leakage, web services that run from a privileged account, and inconsistencies with SSL certificates. Which of the following would be the BEST way to resolve these issues?
❍ A. Server hardening
❍ B. Multi-factor authentication
❍ C. Use HTTPS
❍ D. Run operating system updates
A

A. Server hardening

Many applications and services include secure configuration guides that can assist in hardening the system. These hardening steps will make the
system as secure as possible while simultaneously allowing the application to run efficiently.

SY0-501, Objective 1.4 - Penetration Testing

The incorrect answers:
B. Multi-factor authentication
Although multi-factor authentication is always a good best practice, simply
enabling multiple authentication methods would not resolve the issues
identified during the audit.
C. Use HTTPS
Most web servers will use HTTPS to ensure that network communication
is encrypted. However, the encrypted network traffic would not correct
the issues identified during the audit.
D. Run operating system updates
Keeping the system up to date is another good best practice, but the
issues identified during the audit were not bugs related to the operating
systems. All of the issues identified in the audit appear to be related to the
configuration of the web server, so any resolution will focus on correcting
these configuration issues.

2
Q

A shipping company stores information in small regional warehouses around the country. The company does not keep an IT person at each warehouse, and most configuration changes are completed remotely. The
company keeps an IPS online at each warehouse to watch for suspicious traffic patterns. Which of the following would BEST describe the security control used at the warehouse?
❍ A. Administrative
❍ B. Compensating
❍ C. Physical
❍ D. Detective

A

D. Detective

An IPS can detect and record any intrusion attempt.

The incorrect answers:
A. Administrative
Administrative controls would be guidelines that would control how people
act, such as security policies and standard operating procedures.
B. Compensating
A compensating control can’t prevent an attack, but it can compensate
when an attack occurs. For example, a compensating control would be the
re-imaging process or a server restored from backup if an attack had been
identified.
C. Physical
A physical control would block

SY0-501, Objective 5.7 - Security Controls

3
Q

An internal sales application is updated each day with new pricing information, feature updates, and security patches. The system administrators have traditionally pushed these updates to the end-user workstations every Friday night, but the sales management teams would prefer daily updates. Which of the following would be the BEST way to keep this application updated every day?
❍ A. IT configures an overnight testing environment and performs automated patch management
❍ B. The development team pushes the updates to the end-user workstations when ready
❍ C. The sales teams manually update the application on-demand
❍ D. The development team sends the updates directly to the sales managers

A

A. IT configures an overnight testing environment and
performs automated patch management

To properly deploy any changes, the IT team will need to perform testing to ensure that the change does not cause problems with any other application or the underlying operating system. After the testing is complete, the
update can be pushed out to the end-user device.

The incorrect answers:
B. The development team pushes the updates to the end-user
workstations when ready
Although the development team is usually very confident in the stability
of their application, they aren’t responsible for testing other applications
or the underlying operating system. Pushing an untested update could
potentially disable other applications or the entire operating system.
C. The sales teams manually update the application on-demand
Putting the responsibility for updates on the sales teams circumvents any
testing and requires that the sales teams actively remember to perform the
update.
D. The development team sends the updates directly to the sales managers
Not only does this option skip the testing process, but it requires the sales
managers to become experts at application updates and requires the sales
management team to troubleshoot

SY0-501, Objective 3.3 - Operating System Security

4
Q

A security engineer is preparing to conduct a penetration test. Part of the preparation involves reading through social media posts for information
about a third-party website. Which of the following describes this practice?
❍ A. Grey box testing
❍ B. Passive reconnaissance
❍ C. Exfiltration
❍ D. Active reconnaissance

A

B. Passive reconnaissance

Passive reconnaissance is the process of obtaining as much information as possible from open sources, such as social media sites, corporate websites, online forums, and other publicly available locations.

The incorrect answers:
A. Grey box testing
A grey box test describes how much information the attacker knows about
the test. With a grey box, the attacker may have access to some information
about the test, but not all information is disclosed.
C. Exfiltration
Exfiltration describes the theft of data by an attacker.
D. Active reconnaissance
Active reconnaissance would show some evidence of data gathering.
For example, performing a ping scan or DNS query wouldn’t exploit a
vulnerability, but it would show that someone was gathering information.

SY0-501, Objective 1.4 - Penetration Testing

5
Q

A company’s IT security team has used a known exploit against an internal server. This exploit allowed the security team to gain access to the operating system without using any authentication. Which of the
following describes the actions of the security team?
❍ A. Active reconnaissance
❍ B. Vulnerability scan
❍ C. Zero-day attack
❍ D. Penetration test

A

D. Penetration test

A penetration test will attempt to exploit a vulnerability to gain access to data or a system.

The incorrect answers:
A. Active reconnaissance
Active reconnaissance will gather information about a system, but it will
stop short of exploiting a vulnerability.
B. Vulnerability scan
A vulnerability scan will identify any known vulnerabilities that may be
associated with a system. However, a vulnerability scan will not attempt to
exploit a vulnerability.
C. Zero-day attack
A zero-day attack is an attempt to exploit a system using a vulnerability

SY0-501, Objective 1.4 - Penetration Testing

6
Q

An organization is using Shibboleth to implement SAML. Which of the
following would BEST describe this configuration?
❍ A. An internal help desk needs centralized logins to all switches and routers
❍ B. A user logging in once to the Windows Domain will not need to re-authenticate to other resources
❍ C. A university needs to provide login access to a research server with user accounts from many different schools
❍ D. The login credentials to a message board hash all passwords with a salt

A

C. A university needs to provide login access to a research
server with user accounts from many different schools

SAML (Security Assertion Markup Language) is an open standard for authentication and authorization. Shibboleth is open-source software that
implements SAML to provide federated authentication, which would fit the scenario where many different account types need to log in to a shared resource.

The incorrect answers:
A. An internal help desk needs centralized logins to all switches
and routers
Internal authentication methods are usually centralized using RADIUS
(Remote Authentication Dial-In User Service), TACACS+ (Terminal
Access Controller Access-Control System Plus), or a similar authentication
framework. There would be no need for Shibboleth and SAML for internal
centralized authentication.
B. A user logging in once to the Windows Domain will not need to
re-authenticate to other resources
The Kerberos protocol provides the SSO (Single Sign On) functionality
used in Windows. Shibboleth and SAML are not associated with this SSO
process.
D. The login credentials to a message board hash all passwords with a salt
A good best practice is to store passwords as a salted hash. This

SY0-501, Objective 4.2 - Federated Identities

7
Q

Which of the following would be MOST associated with the testing phase of the secure deployment process?
❍ A. Performance baselines are created
❍ B. Updated application code is installed on end user computers
❍ C. Code is written and executed in a sandbox
❍ D. QA techs will evaluate the functionality of the application

A

D. QA techs will evaluate the functionality of the application

The QA (Quality Assurance) process tests the usability and features of an application to ensure that it will work as designed on the end user systems.

The incorrect answers:
A. Performance baselines are created
The performance baseline of an application is usually created during the
staging phase once the application code has been frozen.
B. Updated application code is installed on end user computers
Applications aren’t updated on the end user devices until the testing and
staging phases are complete.
C. Code is written and executed in a sandbox
The development teams write their software and test the functionality of
the code in their own self-contained sandbox environment.

SY0-501, Objective 3.4 - Secure Deployments

8
Q
Which of the following allows an attacker to access a Bluetooth-enabled device and transfer contact lists, email, pictures, and other data without prior authorization?
❍ A. Bluejacking
❍ B. Spoofing
❍ C. Evil twin
❍ D. Bluesnarfing
A

D. Bluesnarfing

Bluesnarfing was one of the first major vulnerabilities associated with Bluetooth.

The incorrect answers:
A. Bluejacking
Bluejacking allowed a third-party to send unsolicited messages to another
device using Bluetooth.
B. Spoofing
Spoofing is when one device pretends to be another. The Bluesnarfing
vulnerability doesn’t require a device to be spoofing another.
C. Evil twin
An evil twin is a malicious device that is configured identically to a
legitimate device. These are often associated with wireless network attacks.

SY0-501, Objective 1.2 - Bluejacking and Bluesnarfing

9
Q
A company is launching a new internal application that will not start up until a username and password are entered and a smart card is plugged into the computer. Which of the following BEST describes this process?
❍ A. Federation
❍ B. Accounting
❍ C. Authentication
❍ D. Authorization
A

C. Authentication

The process of proving who you say you are is authentication. In this example, the password and smart card are two factors of authentication, and both reasonably prove that the person logging in is authentic.

The incorrect answers:
A. Federation
Federation provides a way to authenticate and authorize between two
different organizations. In this example, the authentication process uses
internal information without any type of connection or trust to a
third-party.
B. Accounting
Accounting will document information regarding a user’s session, such as
login time, data sent and received, files transferred, and logout time.
D. Authorization
The authorization process assigns users to resources. This process

SY0-501, Objective 4.1 - AAA and Authentication

10
Q
An online retailer is planning a penetration test as part of their PCI DSS validation. A third-party organization will be performing the test, and the online retailer has provided the Internet-facing IP addresses for their public web servers but no other details. What penetration testing methodology is the online retailer using?
❍ A. White box
❍ B. Passive reconnaissance
❍ C. Grey Box
❍ D. Ping scan
A

C. Grey Box

A grey box test is performed when the attacker knows some information about the victim, but not all information is available.

The incorrect answers:
A. White box
A white box test is performed when the attacker has complete details about
the victim’s systems and infrastructure.
B. Passive reconnaissance
Passive reconnaissance is the process of gathering information from
publicly available sites, such as social media or corporate websites.
D. Ping scan
A ping scan is a type of network scan that can identify devices

SY0-501, Objective 1.4 - Penetration Testing

11
Q

A manufacturing company makes radar used by commercial and military organizations. A recently proposed policy change would allow the use of
mobile devices inside the facility. Which of the following would be the MOST significant security issue associated with this change in policy?
❍ A. Unauthorized software on rooted devices
❍ B. Remote access clients on the mobile devices
❍ C. Out of date mobile operating systems
❍ D. Photo and video use

A

D. Photo and video use

The exfiltration of company confidential information is relatively simple with an easily transportable camera or video recorder. Organizations associated with sensitive products or services must always be aware of the
potential for information leaks using photos or video.

The incorrect answers:
A. Unauthorized software on rooted devices
Although unauthorized software use can be a security issue, it isn’t as
significant as the exfiltration of company confidential information.
B. Remote access clients on the mobile devices
It’s sometimes convenient to have a remote access client available, and this
type of access can certainly be a concern if the proper security is not in
place. However, the much more significant security issue in this list would
be associated with the ease of photos and videography when working with
confidential information.
C. Out of date mobile operating systems
Having an outdated operating system can potentially include security
vulnerabilities, but these vulnerabilities

SY0-501, Objective 2.5 - Mobile Device Enforcement

12
Q
A company is designing an application that will be used at their remote storefronts. It is expected that this application will have a high demand and will require significant computing resources during the summer. During the winter, there will be little to no application use and resource use should be minimal. Which of these characteristics BEST describe this
application requirement?
❍ A. Availability
❍ B. Orchestration
❍ C. Imaging
❍ D. Elasticity
A

D. Elasticity

Elasticity is the process of providing resources when demand increases and scaling down when the demand is low.

The incorrect answers:
A. Availability
Availability describes the ability to use a service, but it doesn’t directly
describe the ability of the service resources to grow or shrink based on
demand.
B. Orchestration
The process of automating the configuration, maintenance, and operation
of an application instance is called orchestration. The description of the
application requirement didn’t mention the use of automation when
scaling resources.
C. Imaging
Imaging is a technique that allows a system administrator to build a
specific operating system and application configuration. This configuration
can then be saved as an “image” and easily deployed to other systems.

SY0-501, Objective 3.8 - Resiliency and Automation

13
Q

Vala, a security analyst, has received an alert from her IPS regarding active exploit attempts from the Internet. Which of the following would provide
detailed information about these exploit attempts?
❍ A. Netstat command
❍ B. Nmap scan
❍ C. Vulnerability scan
❍ D. Protocol analyzer

A

D. Protocol analyzer

A protocol analyzer can provide information about every frame that traverses the network. From a security perspective, the protocol decode can show the exploitation process and details about the payloads used during the attempt.

The incorrect answers:
A. Netstat command
The netstat command can display connectivity information about a device,
but it won’t provide any additional details about an exploit attempt.
B. Nmap scan
An Nmap scan is a useful tool for understanding the potential exploitation
vectors of a device, but it won’t show information about an active
exploitation attempt.
C. Vulnerability scan
A vulnerability scan can help identify potential exploit vectors, but

SY0-501, Objective 2.2 - Software Security Tools

14
Q
A user in the accounting department would like to send a spreadsheet to a list of third-party vendors. The size of the spreadsheet is too large to email, and the spreadsheet contains private information that must not be intercepted in-transit. Which of the following could be used to transfer this spreadsheet to the vendors? (Select TWO)
❍ A. IMAPS
❍ B. SRTP
❍ C. DNSSEC
❍ D. FTPS
❍ E. HTTPS
❍ F. SNMPv3
A

D. FTPS and E. HTTPS

FTPS (File Transfer Protocol Secure) and HTTPS (HyperText Transfer Protocol Secure) both provide mechanisms for transferring files using encrypted communication.

The incorrect answers:
A. IMAPS
IMAPS (Internet Message Access Protocol Secure) is a protocol exclusive
to email communication.
B. SRTP
SRTP (Secure Real-Time Transport Protocol) is used for secure voice over
IP and media communication across the network.
C. DNSSEC
DNSSEC (Domain Name System Security Extensions) is used on DNS
servers to validate DNS responses using public key cryptography.
F. SNMPv3
SNMPv3 (Simple Network Management Protocol version 3) uses
encrypted communication to manage devices, but it is not used for secure
file transfers between devices.

SY0-501, Objective 2.6 - Secure Protocols

15
Q

A system administrator would like to segment the network by department. The marketing, accounting, and manufacturing departments would have
their own private networks, and the network communication between departments would be restricted to provide security. Which of the
following should be configured on this network?
❍ A. VPN
❍ B. RBAC
❍ C. VLAN
❍ D. NAT

A

C. VLAN

A VLAN (Virtual Local Area Network) is a common method of logically segmenting a network. The devices in each segmented VLAN can only communicate with other devices in the same VLAN. A router is used to
connect VLANs, and this router can often be used to control traffic flows between VLANs.

The incorrect answers:
A. VPN
A VPN (Virtual Private Network) is an encryption technology that can
be used to secure network connections between sites or remote end-user
communication. VPNs are not commonly used to segment internal
network communication.
B. RBAC
RBAC (Role-Based Access Control) describes a control mechanism for
managing rights and permissions in an operating system. RBAC is not used
for network segmentation.
D. NAT
NAT (Network Address Translation) is used to modify the source or
destination IP address or port number of a network traffic flow. NAT would
not be used when segmenting internal networks.

SY0-501, Objective 3.2 - Network Segmentation

16
Q

A transportation company has installed a new application in their data center to assist with client reservations. The application works properly
in the test environment, but it doesn’t respond when moved to the production data center network. The security team does not find any rules in the data center firewall that would be specific to this application.
Which of the following is the MOST likely reason for this issue?
❍ A. The firewall is not configured with the correct application
encryption certificate
❍ B. The application is being blocked by an implicit deny rule
❍ C. The application service is not started
❍ D. A VPN configuration is required for the application traffic flows

A

B. The application is being blocked by an implicit deny rule

If network traffic does not match an explicit rule in the firewall rulebase, the traffic will be blocked. This implicit deny rule is the default for any non-matching traffic flows.

The incorrect answers:
A. The firewall is not configured with the correct application
encryption certificate
Encryption certificates for applications are configured on the application
server and not the firewall.
C. The application service is not started
A non-operational application service would certainly cause a
communications issue, but it would not be the most likely reason. The
question already identified a missing security rule that would prevent all
application traffic flows, and this would prevent all traffic regardless of the
application service’s status.
D. A VPN configuration is required for the application traffic flows
VPNs are not a common requirement for application use. Without a
specific firewall security rule, all application traffic would be blocked
regardless of the transportation method.

SY0-501, Objective 2.1 - Firewalls

17
Q

A company has determined that a device on the manufacturing floor used to cut aluminum is not repairable and it’s estimated that it will operate
approximately ninety days before it must be replaced. Which of the following describes this estimate?
❍ A. MTTR (Mean Time to Repair)
❍ B. RPO (Recovery Point Objectives)
❍ C. RTO (Recovery Time Objectives)
❍ D. MTTF (Mean Time to Failure)

A

D. MTTF

The MTTF (Mean Time to Failure) is the expected lifetime of a non-repairable product or system.

The incorrect answers:
A. MTTR
MTTR (Mean Time to Repair) is the time required to repair a product or
system after a failure. In this example, the device is not repairable.
B. RPO
RPO (Recovery Point Objectives) define how much data loss would be
acceptable during a recovery.
C. RTO
RTO (Recovery Time Objectives) define the minimum objectives required
to get up and running to a particular service level.

SY0-501, Objective 5.2 - Business Impact Analysis

18
Q

Janet, a manager in the marketing department, is promoting the company by posting pictures from her mobile device to a popular social media
image sharing service. She has manually disabled the location services in the social media app, but she has asked the IT department to disable this functionality for all apps on the device. Which of the following should be disabled to meet this requirement?
❍ A. USB OTG
❍ B. WiFi Direct
❍ C. Geotagging
❍ D. Tethering

A

C. Geotagging

Geotagging adds location information to document metadata. With geotagging enabled, photos and videos can include longitude and latitude details as part of the shared file. Disabling geotagging will still allow the
sharing of the media, but the location information will not be saved when the image or video is created.

The incorrect answers:
A. USB OTG
USB OTG (USB On-The-Go) allows two mobile devices to be cabled
directly together for transferring information. USB OTG is not commonly
associated with location services.
B. WiFi Direct
WiFi Direct is another common method of connecting mobile devices
directly together over a wireless network without the need for an access
point. Location services are not part of WiFi Direct.
D. Tethering
Tethering is the process of connecting a cable between a computer and
mobile phone to provide Internet access for the computer. The tethering
process is not related to location services.

SY0-501, Objective 2.5 - Mobile Device Enforcement

19
Q

Which of the following would be considered multi-factor authentication?
❍ A. PIN and fingerprint
❍ B. USB token and smart card
❍ C. Username, password, and email address
❍ D. Face scan and voiceprint

A

A. PIN and fingerprint

A PIN (Personal Identification Number) is something you know, and a fingerprint is something you are.

The incorrect answers:
B. USB token and smart card
A USB token and a smart card are both something you have. Both of these
describe a single factor of authentication.
C. Username, password, and email address
A password is something you know, but a username and email address
claim an identity but do not authenticate or prove the identity.
D. Face scan and voiceprint
Both a face scan and a voiceprint are biometric factors, or something you
are. Both of these describe a single factor of authentication.

SY0-501, Objective 4.1 - AAA and Authentication

20
Q

Sam, a security administrator, is configuring the authentication process used by technicians when logging into a router. Instead of using accounts that are local to the router, Sam would like to pass all login requests to a centralized database. Which of the following would be the BEST way to implement this requirement?
❍ A. NTLM (NT LAN Manager)
❍ B. RADIUS (Remote Authentication Dial-In User Service)
❍ C. IPsec
❍ D. MS-CHAP (Microsoft Challenge-Handshake Authentication Protocol)

A

B. RADIUS

The RADIUS (Remote Authentication Dial-In User Service) protocol is a common method of centralizing authentication for users. Instead of having
separate local accounts on different devices, users can authenticate with account information that is maintained in a centralized database.

The incorrect answers:
A. NTLM
NTLM (NT LAN Manager) authentication was first used in LAN Manager,
a precursor to the modern Windows operating systems. Unfortunately,
vulnerabilities with NTLM would limit its use as an authentication
method.
C. IPsec
IPsec is commonly used as an encrypted tunnel between sites or endpoints.
It’s useful for protecting data sent over the network, but IPsec isn’t used to
centralize the authentication process.
D. MS-CHAP
MS-CHAP (Microsoft Challenge-Handshake Authentication Protocol) was
commonly used in Microsoft’s PPTP (Point-to-Point Tunneling Protocol),
but vulnerabilities related to the use of DES (Data Encryption Standard)
encryption make it relatively easy to brute force the NTLM hash used in
MS-CHAP.

SY0-501, Objective 4.2 - Identity and Access Services

21
Q

A security administrator is part of a project that will enhance the security of the desktops and servers in the company. An audit has recently found
some old company login credentials on a public Internet message board. Which of the following policies should the security administrator enforce
to limit the impact of this type of breach?
❍ A. Create a Group Policy to specify a minimum password length
❍ B. Encrypt all authentication traffic on the network
❍ C. Decrease the password expiration timeframe
❍ D. Store all passwords as salted hashes

A

C. Decrease the password expiration timeframe

Decreasing the password expiration timeframe would require users to change their password more often, thereby limiting the impact of a breached username and password.

The incorrect answers:
A. Create a Group Policy to specify a minimum password length
It’s always a good idea to have passwords with at least eight characters, but
the issue in this question was related to login credentials that were made
public. A minimum password length would not limit the impact of this breach.
B. Encrypt all authentication traffic on the network
If captured data can’t be viewed, then it will remain confidential. In this
example, the credentials were already made public, so encrypting future
communication wouldn’t limit the impact of this breach.
D. Store all passwords as salted hashes
Secure storage of passwords is important, but once the password is public
the salted hash is no longer protecting the password.

SY0-501, Objective 4.4 - Account Policy Enforcement

22
Q
A system administrator is setting up an IPsec tunnel on a firewall with the
following parameters:
Peer: 10.1.1.2
Version: IKEv1 mode
Authentication: Pre-Shared Key
Encryption: DES
Authentication hash: SHA256
DH Group: Group 5
Lifetime: 1 hour
Which of the following would best describe these configuration settings?
❍ A. The authentication mode is not associated with an IPsec tunnel
❍ B. The IKE version is invalid
❍ C. The encryption standard is too weak
❍ D. The peer address is invalid
A

C. The encryption standard is too weak

DES (Data Encryption Standard) encryption is a weak encryption protocol that could be easily circumvented through the use of a brute-force attack.
Using 3DES (Triple DES) or an AES (Advanced Encryption Standard) variant would be a better choice for encryption.

The incorrect answers:
A. The authentication mode is not associated with an IPsec tunnel
Pre-shared keys are commonly used with IPsec tunnel configurations,
although stronger authentication methods are certainly available.
B. The IKE version is invalid
Both IKEv1 (Internet Key Exchange v1) and IKEv2 are valid options
for IPsec tunnel configurations.
D. The peer address is invalid
The peer address should be a valid IP address for the remote device at the
other end of the IPsec tunnel. The address listed in this configuration is a
valid IP address.

SY0-501, Objective 2.3 - Common Security Issues

23
Q
A company has connected their wireless access points and has enabled WPS. Which of the following security issues would be associated with this configuration?
❍ A. Brute force
❍ B. Client hijacking
❍ C. Cryptographic vulnerability
❍ D. Spoofing
A

A. Brute force

A WPS personal identification number (PIN) was designed to have only 11,000 possible iterations, making a brute force attack very possible if the access point doesn’t provide any protection against multiple guesses.

The incorrect answers:
B. Client hijacking
The process of adding a device through WPS occurs well before any app
or client is used.
C. Cryptographic vulnerability
The vulnerability in WPS is based on a limited number of PIN options and
not a cryptographic shortcoming.
D. Spoofing
Spoofing an

SY0-501, Objective 1.2 - WPS Attacks

24
Q
An organization has traditionally purchased insurance to cover a ransomware attack, but the costs of maintaining the policy have increased above the acceptable budget. The company has now decided to cancel the insurance policies and deal with ransomware issues internally. Which of the following would best describe this action?
❍ A. Mitigating the risk
❍ B. Accepting the risk
❍ C. Transferring the risk
❍ D. Avoiding the risk
A

B. Accepting the risk

Risk acceptance is a business decision that places the responsibility of the risky activity on the organization itself.

The incorrect answers:
A. Mitigating the risk
If the organization was to purchase additional backup facilities and update
their backup processes to include offline backup storage, they would be
mitigating the risk of a ransomware infection.
C. Transferring the risk
Purchasing insurance to cover a risky activity is a common method of
transferring risk from the organization to the insurance company.
D. Avoiding the risk
To avoid the risk of ransomware, the organization would need to
completely disconnect from the Internet and disable all methods that
ransomware might use to infect a system. This risk response technique
would most likely not apply to ransomware.

SY0-501, Objective 5.3 - Risk Assessment

25
Q
Which of these threat actors would be the MOST likely to deface a website to promote a political agenda?
❍ A. Organized crime
❍ B. Nation state
❍ C. Hacktivist
❍ D. Competitor
A

C. Hacktivist

A hacktivist often has a political statement to make, and their hacking efforts would commonly result in a public display of that information.

The incorrect answers:
A. Organized crime
Organized crime is usually motivated by money. An organized crime group
is more interested in stealing information than defacing sites.
B. Nation state
Nation-state actors are highly sophisticated, and their efforts are usually focused on obtaining confidential government information or disrupting governmental operations.
D. Competitor
A competitor may be interested in making another company look bad, but a competitor's motivation is commercial rather than political, so a defacement promoting a political agenda would not fit.
SY0-501, Objective 1.3 - Threat Actors

26
Q

An IPS report of the last 24 hours shows that a series of exploit attempts were made against externally facing web servers. The system administrator of the web servers has identified a number of unusual log
entries on each system. Which of the following would be the NEXT step in the incident response process?
❍ A. Check the IPS logs for any other potential attacks
❍ B. Create a plan for removing malware from the web servers
❍ C. Disable any breached user accounts
❍ D. Disconnect the web servers from the network

A

D. Disconnect the web servers from the network

The unusual log entries on the web server indicate that the system may have been exploited. In that situation, the servers should be isolated to prevent access to or from those systems.

The incorrect answers:
A. Check the IPS logs for any other potential attacks
Before looking for additional exploits, the devices showing a potential
exploit should be isolated and contained.
B. Create a plan for removing malware from the web servers
The recovery process should occur after the systems have been isolated and
contained.
C. Disable any breached user accounts
This is part of the recovery process, and it should occur after isolation and
containment of the exploited servers.

SY0-501, Objective 5.4 - Incident Response Process

27
Q

A security administrator is viewing the logs on a laptop in the shipping and receiving department and identifies these events:
8:55:30 AM | D:\Downloads\ChangeLog-5.0.4.scr | Quarantine Success
9:22:54 AM | C:\Program Files\Photo Viewer\ViewerBase.dll | Quarantine Failure
9:44:05 AM | C:\Sales\Sample32.dat | Quarantine Success
Which of the following would BEST describe the circumstances surrounding these events?
❍ A. The antivirus application identified three viruses and
quarantined two viruses
❍ B. The host-based firewall blocked two traffic flows
❍ C. A host-based whitelist has blocked two applications from executing
❍ D. A network-based IPS has identified two known vulnerabilities

A

A. The antivirus application identified three viruses and quarantined two viruses

The logs show the names of files on the local device along with a quarantine disposition, which indicates that two of the files were moved (quarantined) to a designated area of the drive. This prevents the malicious files from executing and safely stores them for any future investigation. Note that the first file is a .scr screensaver, which Windows runs as an executable. The second file in the list failed the quarantine process, most likely because the library was already loaded by a running process and could not be moved; a failed quarantine of a DLL under Program Files means the code may still be active and warrants a rescan after a reboot.

The incorrect answers:
B. The host-based firewall blocked two traffic flows
A host-based firewall will allow or deny traffic flows based on IP address,
port number, application, or other criteria. A host-based firewall does not
block traffic flows based on the name of an existing file, and the firewall
process would not quarantine or move files to other folders.
C. A host-based whitelist has blocked two applications from executing
The “quarantine” disposition refers to a file that has been moved from one
location to another. A whitelist function would simply stop the application
from executing without changing the location of an application file.
D. A network-based IPS has identified two known vulnerabilities
The logs from a network-based IPS (Intrusion Prevention System) would
not commonly be located on a user’s laptop, and those logs would display
allow or deny dispositions based on the name of a known vulnerability. A
network-based IPS would also not commonly move (quarantine) files on an
end-user’s computer.

SY0-501, Objective 2.4 - Analyzing Security Output
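Reading those three events the way an analyst would, in code. This is an added example and not part of the original flashcard deck: SAMPLE_LOG reproduces the three lines from the question, the line layout the regex expects is an assumption about this particular product's log format, and the triage rules are the ones a practitioner would apply (a failed quarantine is still active code; a downloaded executable needs a look at how it arrived).

```python
# Added example (not from the original flashcard deck): parsing host
# anti-virus quarantine events like the three in the question and deciding
# which ones need a human to follow up. SAMPLE_LOG reproduces the three
# lines from the card; LINE_RE is an assumption about that log layout.
from __future__ import annotations

import re
from dataclasses import dataclass

SAMPLE_LOG = r"""
8:55:30 AM | D:\Downloads\ChangeLog-5.0.4.scr | Quarantine Success
9:22:54 AM | C:\Program Files\Photo Viewer\ViewerBase.dll | Quarantine Failure
9:44:05 AM | C:\Sales\Sample32.dat | Quarantine Success
"""

LINE_RE = re.compile(
    r"^(?P<time>\d{1,2}:\d{2}:\d{2} [AP]M)\s*\|\s*(?P<path>.+?)\s*\|\s*"
    r"Quarantine (?P<result>Success|Failure)$"
)

# Extensions Windows will execute directly; .scr is a screensaver, i.e. a PE.
EXECUTABLE_EXT = {".exe", ".scr", ".dll", ".com", ".pif", ".bat", ".cmd", ".ps1"}


@dataclass
class QuarantineEvent:
    time: str
    path: str
    quarantined: bool

    @property
    def extension(self) -> str:
        dot = self.path.rfind(".")
        return self.path[dot:].lower() if dot != -1 else ""

    @property
    def executable(self) -> bool:
        return self.extension in EXECUTABLE_EXT


def parse_quarantine_log(text: str) -> list[QuarantineEvent]:
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:  # skip blank or unrelated lines
            events.append(QuarantineEvent(m["time"], m["path"], m["result"] == "Success"))
    return events


def triage(events: list[QuarantineEvent]) -> dict:
    """Summarise detections and list the files that still need attention."""
    follow_up = []
    for ev in events:
        if not ev.quarantined:
            # A DLL that could not be moved is usually still loaded by a running
            # process: it is still active on the host, not merely "detected".
            follow_up.append((ev.path, "quarantine failed; file may still be loaded, rescan after reboot"))
        elif ev.executable and "\\downloads\\" in ev.path.lower():
            follow_up.append((ev.path, "user-downloaded executable; check browser and email history"))
    return {
        "detected": len(events),
        "quarantined": sum(ev.quarantined for ev in events),
        "failed": [ev.path for ev in events if not ev.quarantined],
        "follow_up": follow_up,
    }


if __name__ == "__main__":
    summary = triage(parse_quarantine_log(SAMPLE_LOG))
    for key, value in summary.items():
        print(f"{key}: {value}")
```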

28
Q

In the past, an organization has relied on the curated Apple App Store to avoid the issues associated with malware and insecure applications. However, the IT department has discovered an iPhone in the shipping
department that includes applications that are not available on the Apple App Store. How did the shipping department user install these apps on
their mobile device?
❍ A. Sideloading
❍ B. MMS install
❍ C. OTA updates
❍ D. Tethering

A

A. Sideloading

Sideloading is installing an app from outside the Apple App Store. On iOS this is possible when the device has been jailbroken, or when an app is distributed through an enterprise or developer provisioning profile rather than the public store; either way, the App Store's review process has been bypassed.

The incorrect answers:
B. MMS install
Text messages that prompt to install an application will link to the App
Store version of the application.
C. OTA updates
OTA (Over the Air) updates are commonly provided from the carrier and
are not part of mobile app installations.
D. Tethering
Tethering uses a mobile phone as a communications medium to the
Internet, and it does not have any relationship to the apps that are installed
on the mobile device.

SY0-501, Objective 2.5 - Mobile Device Enforcement

29
Q

A security team is investigating a compromised server that resulted in the loss of credit card information for thousands of customers. The web servers associated with the data breach were patched regularly each month. Forensic reviews show that the initial exploit was from a previously unknown application vulnerability. A week later, the stolen credit card data was found to be available for purchase on a well-known dark web credit card site. Which of these would be the MOST likely source of this attack?
❍ A. Organized crime
❍ B. Nation state
❍ C. Script kiddie
❍ D. Insiders

A

A. Organized crime

The primary goal of organized crime is to make money, and accessing and selling credit card data is a common method of revenue generation. Organized crime also has the capital to fund their hacking efforts, and the use of zero-day or unknown vulnerabilities is not uncommon.

The incorrect answers:
B. Nation state
A nation state is generally less concerned with revenue generation and
more interested in gaining access to confidential data or disrupting the
operations of another government.
C. Script kiddie
A script kiddie does not often use sophisticated methods to gain access to a
system. Using an unknown vulnerability would be well outside the scope of
knowledge for most script kiddies.
D. Insiders
An insider wouldn’t need to use an unknown vulnerability to gain access to
data. Their existing rights

SY0-501, Objective 1.3 - Threat Actors

30
Q

A security manager has ensured that the security posture of the organization includes electronic locks with cameras at the data center, firewalls on the Internet links, and specific policies for onboarding and
offboarding employees. Which of the following would BEST describe these security mechanisms?
❍ A. OSI Layering
❍ B. Defense-in-depth
❍ C. Multi-factor authentication
❍ D. Role-based access control

A

B. Defense-in-depth

The process of layering physical, technical, and administrative security controls is called defense-in-depth. No single process or technology will secure the entire network, so you have to layer multiple security controls to provide the best possible security posture.

The incorrect answers:
A. OSI Layering
The OSI model is a concept related to the transfer of data across the network. The layers of the OSI model are not related to a layered security approach.
C. Multi-factor authentication
Multi-factor authentication uses different techniques to help confirm the identity of a user. The security mechanisms listed above do not describe multi-factor authentication.
D. Role-based access control
Role-based access control is a method of assigning rights and permissions based on job responsibilities. The security

SY0-501, Objective 3.1 - Defense-in-Depth

31
Q

A recent audit has found four different active service accounts that are configured with Administrator rights. The applications associated with these service accounts haven’t been used for years, and therefore the accounts are no longer necessary. Which of the following would be the BEST way to prevent this issue from occurring again?
❍ A. Enable password expirations for all accounts
❍ B. Disable all service accounts with Administrator permissions
❍ C. Increase the password complexity policy
❍ D. Require passwords of eight characters or more

A

A. Enable password expirations for all accounts

A standard password expiration of 30 days, applied to every account, ensures that credentials are constantly updated. An abandoned account's password expires within 30 days and, with nobody left to rotate it, the account can no longer authenticate, regardless of its rights and permissions. This is a good best practice for all accounts and not just service or administrator accounts.

The incorrect answers:
B. Disable all service accounts with Administrator permissions
Some services may require administrator permissions, so disabling all of them would not be the best option in this case.
C. Increase the password complexity policy
A complex password can still be attacked. Disabling an abandoned account would ensure that forgotten accounts would not be a significant security risk.
D. Require passwords of eight characters or more
Abandoned accounts that have Administrator rights would hopefully use a secure password, but the more pressing issue is that these powerful accounts are still accessible yet not in production use.

SY0-501, Objective 4.4 - Account Policy Enforcement

32
Q
Jack, a hacker, has identified a number of devices on a corporate network that use the username of “admin” and the password of “admin.” Which vulnerability describes this situation?
❍ A. Improper error handling
❍ B. Default configuration
❍ C. Weak cipher suite
❍ D. NULL pointer dereference
A

B. Default configuration

When a device is first installed, it will often have a default set of credentials, such as admin/password or admin/admin. Many times, these default credentials are never changed and can allow access by anyone who
knows the default configuration.

The incorrect answers:
A. Improper error handling
Improper error handling describes an application that exposes stack traces, database errors, or internal paths in its error messages. Devices that accept admin/admin are not mishandling an error; they are running with a configuration that was never changed.
C. Weak cipher suite
A weak cipher suite allows a connection to negotiate outdated or easily broken encryption. The credentials in this situation would be just as guessable over a strongly encrypted connection.
D. NULL pointer dereference
A NULL pointer dereference is a software bug in which code uses a pointer that was never assigned, usually crashing the application. This is a flaw in the code itself and not a configuration issue.

SY0-501, Objective 1.6 - Vulnerability Types

33
Q

A security administrator has instituted a company-wide policy that disables the use of USB interfaces for removable storage devices. Which of the following is the MOST likely reason for this policy?
❍ A. Prevent operating system file corruption
❍ B. Avoid license compliance violations
❍ C. Prevent the use of a non-standard mouse or keyboard
❍ D. Protect against data exfiltration

A

D. Protect against data exfiltration

A common way to remove data from a facility is to copy the data to a portable storage device such as a USB flash drive. Once the data is on the USB drive, it can be easily taken outside of the facility.

The incorrect answers:
A. Prevent operating system file corruption
There are many ways to corrupt operating system files, but blocking
removable USB drives doesn’t make the system files any less susceptible to
corruption.
B. Avoid license compliance violations
USB interfaces are sometimes used for application licensing through the
use of a USB dongle. Restricting the use of the USB interface could prevent
the application from starting and may prevent the proper use of licensing
tools. If the applications don’t require a USB dongle, then USB interface
policies will have no effect on license compliance.
C. Prevent the use of a non-standard mouse or keyboard
The USB policies allow USB devices that do not register as a storage device,
so mouse and keyboard connections will still work normally.

SY0-501, Objective 2.3 - Common Security Issues

34
Q
A manufacturing company owns industrial equipment that cuts and shapes aluminum parts. The company has created an isolated network exclusively for the control and management of this equipment. Which
category BEST describes this network?
❍ A. ICS (Industrial Control System)
❍ B. SoC (System on a Chip)
❍ C. MFD (Multifunction Device)
❍ D. IoT (Internet of Things)
A

A. ICS

An ICS (Industrial Control System) is often a dedicated network used to manage and control manufacturing equipment, power generation equipment, water management systems, and other industrial machines.

The incorrect answers:
B. SoC
An SoC (System on a Chip) consists of multiple components running on a
single chip. These are usually small form-factor devices that work best as
embedded systems. SoC systems would not commonly be associated with
the control and management of industrial equipment.
C. MFD
An MFD (Multifunction Device) is commonly associated with a device that
can print, scan, and fax.
D. IoT
IoT (Internet of Things) devices are generally associated with home
automation and not with the management and control of industrial
equipment.

SY0-501, Objective 3.5 - Embedded Systems

35
Q

An organization has developed an in-house mobile device app for order processing. The developers would like to have the app identify revoked server certificates without sending any traffic over the corporate Internet
connection. Which of the following MUST be configured to allow this functionality?
❍ A. CSR (Certificate Signing Request)
❍ B. OCSP stapling (Online Certificate Status Protocol)
❍ C. Key escrow
❍ D. Hierarchical CA

A

B. OCSP stapling

The use of OCSP (Online Certificate Status Protocol) normally requires the client to contact the OCSP responder of the CA that issued the certificate. If the CA is an external organization, those validation checks travel across the Internet. With OCSP stapling, the web server itself periodically retrieves the signed, time-stamped OCSP response from the CA and "staples" it into the SSL/TLS handshake. The client verifies the CA's signature on the stapled response and never has to contact the responder. You can confirm that a server is stapling with openssl s_client -connect host:443 -status, which prints an OCSP Response Data section when a staple is present.

The incorrect answers:
A. CSR
A CSR (Certificate Signing Request) is used during the key creation
process. The public key is sent to the CA to be signed as part of the CSR.
C. Key escrow
Key escrow will provide a third-party with access to decryption keys. The
escrow process is not involved in real-time server revocation updates.
D. Hierarchical CA
A hierarchical CA design creates intermediate CAs to distribute the certificate management load and minimize the impact if a CA certificate needs to be revoked. The hierarchical design is not involved in the certificate revocation check process.

SY0-501, Objective 6.4 - PKI Concepts

36
Q

Sam, a security administrator, is configuring an IPsec tunnel to a remote site. Which protocol should she enable to protect all of the data traversing the VPN tunnel?
❍ A. AH (Authentication Header)
❍ B. Diffie-Hellman
❍ C. ESP (Encapsulating Security Payload)
❍ D. SHA-2 (Secure Hash Algorithm)

A

C. ESP

The ESP (Encapsulating Security Payload) protocol encrypts the data that traverses the VPN, and it can also authenticate the encrypted payload to provide integrity.

The incorrect answers:
A. AH
The AH (Authentication Header) protocol provides integrity and origin authentication for the packet, including parts of the IP header, by hashing it with a shared key. AH does not encrypt anything, so it cannot protect the confidentiality of the data.
B. Diffie-Hellman
Diffie-Hellman is an algorithm used for two devices to create identical
shared keys without transferring those keys across the network.
D. SHA-2
SHA-2 (Secure Hash Algorithm) is a hashing algorithm, and does not
provide any data encryption.

SY0-501, Objective 2.1 - VPN Concentrators

37
Q

A retail company is installing new credit card readers at their store locations. All of the card readers are the same make and model. One of the card readers is showing this message:
SEGMENTATION FAULT!
0/PC=304C300h/JT#352
DdgPC=286EA8h/GID7
PLEASE REBOOT
None of the other card readers are displaying this message. A check of the firewall log shows a remote device accessing the card reader prior to this
issue. Which of the following would be the MOST likely reason for this issue?
❍ A. The card reader has identified a network issue
❍ B. The card reader is infected with malware
❍ C. The card reader requires a firmware upgrade
❍ D. The card reader has declined a transaction

A

B. The card reader is infected with malware

Of the available options, a malware infection is the only one that fits the evidence. A segmentation fault is commonly caused by a program attempting to read or write an illegal memory location, and the firewall log shows an unexpected remote device reaching this one reader shortly before the fault, which points to code that was pushed to the device rather than a defect shared by the whole fleet.

The incorrect answers:
A. The card reader has identified a network issue
A network issue would cause the reader to display an error message
relating to network communication, or transactions would not complete
and show a communications error. A segmentation fault would not
commonly be caused by a network issue.
C. The card reader requires a firmware upgrade
Although it’s always a good idea to keep devices updated with the latest
firmware, an older version of firmware would not be a common reason for
a segmentation fault.
D. The card reader has declined a transaction
A declined transaction would show information regarding the transaction
failure. Segmentation faults are memory conflicts and would not be
expected during normal operation.

SY0-501, Objective 2.3 - Common Security Issues

38
Q
Which of the following must be evaluated on all IT systems before a PIA is started?
❍ A. PTA (Privacy Threshold Analysis)
❍ B. RTO (Recovery Time Objectives)
❍ C. BIA (Business Impact Analysis)
❍ D. RPO (Recovery Point Objectives)
A

A. PTA

A PIA (Privacy Impact Assessment) is a process that ensures that all systems are compliant with privacy laws and regulations. To determine if a system should be part of the PIA, a PTA (Privacy Threshold Analysis) is performed. If the PTA determines that a privacy impact assessment is required, the system will be subject to a PIA.

The incorrect answers:
B. RTO
RTO (Recovery Time Objective) defines the maximum amount of time a system or service can be down before it must be restored after an outage.
C. BIA
A BIA (Business Impact Analysis) documents the potential effects that the organization would suffer if normal operations are interrupted.
D. RPO
RPO (Recovery Point Objective) defines the maximum acceptable amount of data loss, measured as the point in time to which data must be recovered (for example, the most recent backup).

SY0-501, Objective 5.2 - Business Impact Analysis

39
Q
A security administrator has identified a DoS attack against the company’s web server from an IPv4 address on the Internet. Which of the following security tools would provide additional details about the attacker’s
location? (Select TWO)
❍ A. tracert
❍ B. arp (Address Resolution Protocol)
❍ C. ping 
❍ D. ipconfig
❍ E. dig (Domain Information Groper)
❍ F. netcat
A

A. tracert and E. dig

Tracert (traceroute) lists the router hops between two devices. The hops closest to the attacking address usually belong to its ISP, and their reverse DNS names often include a city or region code, which gives an idea of the attacker's physical location.

The dig (Domain Information Groper) command can perform a reverse lookup (dig -x <address>) of the IPv4 address to retrieve its PTR record, which often names the ISP or hosting provider responsible for that address. The registered owner of the address block itself comes from a whois query rather than from dig.

The incorrect answers:
B. arp
The arp (Address Resolution Protocol) command shows a mapping of IP
addresses to local MAC addresses. This information doesn’t provide any
detailed location information outside of the local IP subnet.
C. ping
The ping command can be used to determine if a device may be connected
to the network, but it doesn’t help identify any geographical details.
D. ipconfig
The ipconfig command shows the IP address configuration of a local
device, but it doesn’t provide any information about a remote computer.
F. netcat
Netcat allows the reading or writing of information to the network. Netcat
is often used as a reconnaissance tool, but it has limited abilities to provide
any location information of a device.

SY0-501, Objective 2.2 - Command Line Security Tools

40
Q
Which of the following cryptographic methods encrypts multiple fixed-length blocks of plaintext with the same key?
❍ A. RIPEMD
❍ B. 3DES
❍ C. SHA
❍ D. ECB
A

D. ECB

ECB (Electronic Code Book) is the simplest block cipher mode of operation: each fixed-length block is encrypted independently with the same key. Because there is no chaining or per-block variation, identical plaintext blocks will create identical ciphertext blocks, which leaks the structure of the plaintext to anyone who can see the ciphertext.

The incorrect answers:
A. RIPEMD
RIPEMD (RACE Integrity Primitives Evaluation Message Digest) is a
hashing algorithm.
B. 3DES
3DES (Triple Data Encryption Standard) is a block cipher, not a mode of operation. It applies the DES algorithm three times to each block using two or three keys.
C. SHA
SHA (Secure Hash Algorithm) is a hashing algorithm.

SY0-501, Objective 6.2 - Block Cipher Modes
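The ECB weakness is easiest to see by running it next to a chained mode. This is an added example and not part of the original flashcard deck: toy_block_encrypt is a constructed 8-byte Feistel cipher built on SHA-256 so the script needs no third-party library, and it is not a real cipher; the mode logic (ECB versus CBC) is what the example is about and would be identical with AES.

```python
# Added example (not from the original flashcard deck): the ECB property in
# running code. toy_block_encrypt is a constructed 8-byte Feistel cipher keyed
# with SHA-256, standing in for AES or DES so the script needs no third-party
# library; it is NOT a real cipher. The mode logic (ECB vs CBC) is the point.
import hashlib
import os

BLOCK = 8    # bytes per block in the toy cipher
ROUNDS = 4


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round_function(key: bytes, half: bytes, rnd: int) -> bytes:
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:BLOCK // 2]


def toy_block_encrypt(key: bytes, block: bytes) -> bytes:
    """Keyed permutation of one 8-byte block (Feistel network)."""
    assert len(block) == BLOCK
    left, right = block[:BLOCK // 2], block[BLOCK // 2:]
    for rnd in range(ROUNDS):
        left, right = right, _xor(left, _round_function(key, right, rnd))
    return right + left


def toy_block_decrypt(key: bytes, block: bytes) -> bytes:
    assert len(block) == BLOCK
    right, left = block[:BLOCK // 2], block[BLOCK // 2:]   # undo final swap
    for rnd in reversed(range(ROUNDS)):
        left, right = _xor(right, _round_function(key, left, rnd)), left
    return left + right


def _blocks(data: bytes) -> list:
    assert len(data) % BLOCK == 0, "example expects pre-padded input"
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def ecb_encrypt(key: bytes, data: bytes) -> bytes:
    # Every block is encrypted independently with the same key: no IV, no chaining.
    return b"".join(toy_block_encrypt(key, b) for b in _blocks(data))


def ecb_decrypt(key: bytes, data: bytes) -> bytes:
    return b"".join(toy_block_decrypt(key, b) for b in _blocks(data))


def cbc_encrypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    # Each plaintext block is XORed with the previous ciphertext block first,
    # so repeated plaintext no longer produces repeated ciphertext.
    out, prev = [], iv
    for b in _blocks(data):
        prev = toy_block_encrypt(key, _xor(b, prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    out, prev = [], iv
    for c in _blocks(data):
        out.append(_xor(toy_block_decrypt(key, c), prev))
        prev = c
    return b"".join(out)


def repeated_block_count(ciphertext: bytes) -> int:
    """How many ciphertext blocks duplicate an earlier one (0 is what you want)."""
    blocks = _blocks(ciphertext)
    return len(blocks) - len(set(blocks))


if __name__ == "__main__":
    key = os.urandom(16)
    # Constructed plaintext with an obviously repeating structure.
    plaintext = b"BALANCE:" + b"00000000" * 3 + b"ACCT#042"
    ecb = ecb_encrypt(key, plaintext)
    cbc = cbc_encrypt(key, os.urandom(BLOCK), plaintext)
    print("ECB repeated blocks:", repeated_block_count(ecb))   # 2: the zero blocks
    print("CBC repeated blocks:", repeated_block_count(cbc))   # 0
```

The three "00000000" blocks come out of ECB as three identical ciphertext blocks, so an observer learns where the plaintext repeats without knowing the key. CBC hides that pattern, but note that it still needs a fresh, unpredictable IV for every message and provides no integrity on its own.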

41
Q

An internal development team is building a new application that will traverse the corporate firewall during normal operation. While the application is in development, the programmers would like to have access to the logs on a test firewall to view the traffic flows of the application. The security administrator would like to grant this access during working
hours, but restrict access after work. Which of these would be the BEST way for the security administrator to address this requirement?
❍ A. Assign firewall access to the developer group
❍ B. Block all network traffic during non-working hours
❍ C. Add TACACS+ integration to the firewall
❍ D. Use rule-based access controls

A

D. Use rule-based access controls

Rule-based access control evaluates a series of rules to determine if access should be granted. For example, the rule may check the time of day before determining if access should be granted.

The incorrect answers:
A. Assign firewall access to the developer group
Role-based access grants permission based on the role of the user. A common example of role-based access control is based on groups within an operating system. For example, a user added to the "developer" group would have the rights and permissions associated with that group. Role-based access control does not usually include rules, such as access based on the time of day.
B. Block all network traffic during non-working hours
Blocking network traffic has a much larger impact than restricting
access to the firewall logs, and blocking traffic on the test network could
potentially impact other development efforts.
C. Add TACACS+ integration to the firewall
A centralized login for firewall users would make it easier to manage
user accounts, but it does not inherently provide any time-based login
restrictions.

SY0-501, Objective 4.3 - Access Control Models

42
Q
A security administrator is performing an audit of a server farm, and has obtained this information:
Server: cloudflare-nginx
Date: Mon, 19 May 2014 16:53:57 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
Set-Cookie: __cfduid=d0437368; expires=23:50:00 GMT;
Cache-Control: max-age=15
Expires: Mon, 19 May 2014 16:54:12 GMT
CF-RAY: 12d1d045a3880a12-ATL
Which of these would describe this output?
❍ A. Password cracking
❍ B. Results of the nbtstat command
❍ C. Banner grabbing
❍ D. Exploit log
A

C. Banner grabbing

Netcat or Telnet can be used to view the initial application connection text, or the banner. Here the Server: cloudflare-nginx and CF-RAY headers show that the response came from the Cloudflare reverse proxy in front of the web server farm rather than from an origin server directly. Banner text is easy for an administrator to change or remove, so it identifies software with only moderate confidence.

The incorrect answers:
A. Password cracking
The output from password cracking usually displays the password hash and
the tested or identified matches for those hashes.
B. Results of the nbtstat command
The nbtstat command is used by Windows system to perform queries
across the network. A typical nbtstat output would display Windows device
names, IP addresses, and other Windows-specific information.
D. Exploit log
An exploit log will display the results of a penetration test or exploitation
framework. The output in this question does not display any exploit
information.

SY0-501, Objective 2.2 - Software Security Tools
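What netcat does by hand, as a script that also checks the result for version leakage. This is an added example and not part of the original flashcard deck: it starts a throwaway HTTP server on the local machine whose Server header is set to the constructed value "cloudflare-nginx" from the question so that the script runs offline; pointing grab_banner at a real host and port performs the same audit against a live service.

```python
# Added example (not from the original flashcard deck): a minimal banner grab
# with a raw socket, the way netcat or telnet would do it, plus a check for
# version leakage. It starts a throwaway local HTTP server whose Server
# header is the constructed value "cloudflare-nginx" from the card, so the
# script runs offline; point grab_banner at a real host to audit it.
from __future__ import annotations

import re
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer


class _BannerHandler(BaseHTTPRequestHandler):
    def version_string(self) -> str:          # what goes in the Server: header
        return "cloudflare-nginx"

    def do_HEAD(self):
        self.send_response(200)               # also emits Server: and Date:
        self.send_header("Content-Type", "text/html; charset=UTF-8")
        self.end_headers()

    do_GET = do_HEAD

    def log_message(self, *args):             # keep the demo quiet
        pass


def start_test_server() -> tuple[HTTPServer, int]:
    srv = HTTPServer(("127.0.0.1", 0), _BannerHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


def parse_http_head(raw: bytes) -> dict:
    """Split a raw HTTP response into its status line and a header map."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    status, *lines = head.split("\r\n")
    headers = {}
    for line in lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"status": status, "headers": headers}


def grab_banner(host: str, port: int, timeout: float = 3.0) -> dict:
    """Send a bare HEAD request and return whatever the service announces."""
    request = f"HEAD / HTTP/1.0\r\nHost: {host}\r\n\r\n".encode()
    raw = b""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(request)
        while b"\r\n\r\n" not in raw:
            chunk = sock.recv(4096)
            if not chunk:
                break
            raw += chunk
    return parse_http_head(raw)


def leaks_version(server_header: str) -> bool:
    """True when the banner names a product AND a version (e.g. nginx/1.18.0)."""
    return re.search(r"[A-Za-z][\w.-]*/\d+(\.\d+)*", server_header) is not None


if __name__ == "__main__":
    srv, port = start_test_server()
    try:
        info = grab_banner("127.0.0.1", port)
    finally:
        srv.shutdown()
        srv.server_close()
    print(info["status"])
    for name in ("server", "date", "content-type"):
        print(f"{name}: {info['headers'].get(name)}")
    print("version leak:", leaks_version(info["headers"].get("server", "")))
```

A banner such as nginx/1.18.0 hands an attacker the exact version to look up; "cloudflare-nginx" names the proxy but no version, which is the kind of result a hardening pass (trimming or removing the Server header) aims for.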

43
Q
A company has rolled out a new application that requires the use of a hardware-based token generator. Which of the following would be the BEST description of this access feature?
❍ A. Something you know
❍ B. Something you do
❍ C. Something you are
❍ D. Something you have
A

D. Something you have

The use of the hardware token generator requires that the user be in possession of the device during the login process.

The incorrect answers:
A. Something you know
The number, or token, created by the token generator isn’t previously
known by the user, and there’s no requirement to remember the tokens
once the authentication process is complete.
B. Something you do
The process of pressing the button on the token generator isn’t something
that would be unique to an individual user.
C. Something you are
The token generator works without any type of biometric scan or
voiceprint.
SY0-501, Objective 4.1 - AAA and Authentication

44
Q

A company has signed an SLA with an Internet service provider. Which of the following would BEST describe the content of the SLA?
❍ A. The customer will connect to partner locations over an IPsec tunnel
❍ B. The service provider will provide 99.999% uptime
❍ C. The customer applications use HTTPS over tcp/443
❍ D. Customer application use will be busiest on the 15th of each month

A

B. The service provider will provide 99.999% uptime

An SLA (Service Level Agreement) is a contract that specifies the minimum terms for provided services. It’s common to include uptime, response times, and other service metrics in an SLA.

The incorrect answers:
A. The customer will connect to partner locations over an IPsec tunnel
A service level agreement describes the minimum service levels provided
to the customer. You would not commonly see descriptions of how the
service will be used in the SLA contract.
C. The customer applications use HTTPS over tcp/443
The protocols used by the customer’s applications aren’t part of the service
requirements from the ISP.
D. Customer application use will be busiest on the 15th of each month
The customer’s application usage isn’t part of the service requirements
from the ISP.

SY0-501, Objective 5.1 - Agreement Types

45
Q
Malware that can copy itself to other systems without any user intervention is known as a:
❍ A. Virus
❍ B. Bot
❍ C. Worm
❍ D. Trojan
A

C. Worm

One of the fundamental characteristics of a worm is the ability to replicate between systems without any human interaction.

The incorrect answers:
A. Virus
A virus traditionally requires a user to perform a function for the virus to
replicate. When you click a link or run an application, the virus can execute
code to potentially duplicate itself.
B. Bot
A bot is often the result of a worm or virus infection, but bots cannot
inherently copy themselves from system to system.
D. Trojan
A Trojan horse is specifically designed to fool the user and encourage them
to run the malware software. Trojan horse software relies on the user to
duplicate itself between systems.

SY0-501, Objective 1.1 - Viruses and Worms

46
Q
At which point during the deployment process should the secure baseline be updated?
❍ A. During the QA process
❍ B. After the move to production
❍ C. Between staging and production
❍ D. In the development sandbox
A

C. Between staging and production

The staging process is the step just prior to moving into production, so the application code would not be expected to change. This would allow the security team to update or verify the security baseline prior to going live.

The incorrect answers:
A. During the QA process
The QA (Quality Assurance) process is for internal testing, and it’s possible
that the application code may continue to change during this process.
B. After the move to production
Once the application has been moved into production, it’s too late to
provide any protection of the data or users.
D. In the development sandbox
The developers perform constant changes to the application during the
development process. A secure baseline would only be useful once no
further changes will occur.

SY0-501, Objective 3.4 - Secure Deployments

47
Q

The CIO of an international online women’s apparel company has been making changes to their network over the last few years. The latest network design includes a primary data center in the United States and
secondary data centers in London and Tokyo. Customers place orders online via HTTPS to servers at the closest data center, and these orders and customer profiles are then centrally stored in the United States data center. The connections between all data centers use Internet links with IPsec tunnels. Fulfillment requests are sent from the United States data center to shipping locations in the customer’s country. Which of the
following should be the CIO’s MOST significant security concern with this existing network design?
❍ A. IPsec connects data centers over public Internet links
❍ B. Fulfillment requests are shipped within the customer’s country
❍ C. Customer information is transferred between countries
❍ D. The data centers are located geographically distant from each other

A

C. Customer information is transferred between countries

Data sovereignty laws can mandate how data is handled. Data that resides in a country is usually subject to the laws of that country, and compliance regulations may not allow the data to be moved outside of the country.

The incorrect answers:
A. IPsec connects data centers over public Internet links
Connecting remote locations using IPsec tunnels over public Internet
connections is a common method of securely linking sites together. If
someone was to capture the data traversing these links, they would find
that all of the data was encrypted.
B. Fulfillment requests are shipped within the customer’s country
There are no significant security issues associated with shipments within
the same country.
D. The data centers are located geographically distant from each other
A best practice for many international organizations is to have data centers
in geographically diverse locations to minimize the impact of any single
data center outage.

SY0-501, Objective 5.6 - Geographic Considerations

48
Q

A company would like to modify the access control method used on their network. The existing access control method allows users to assign permissions, and some of those permission settings are not properly
securing the company data.

The security administrator is looking for an access control model that would allow the administrator to assign rights and permissions to a group.
Users placed into this group would then inherit the group’s permissions, and changes to the group permissions would affect everyone in the group.
Which of the following access control methods would BEST fit this requirement?
❍ A. Rule-based access control
❍ B. Role-based access control
❍ C. Discretionary access control
❍ D. Mandatory access control

A

B. Role-based access control

Role-based access control uses groups to assign permissions. Any users placed into the group will be assigned the same rights and permissions as the group.

The incorrect answers:
A. Rule-based access control
Rule-based access control determines access based on a series of system-enforced
rules. An access rule might require that a particular browser type
be used to complete a web page form, or that access to a file or system is
only allowed during certain times of the day.
C. Discretionary access control
Discretionary access control allows the owner of an object to assign access.
If a user creates a spreadsheet, then the user can then assign other users
and groups to have a particular level of access to that spreadsheet.
D. Mandatory access control
Mandatory access control uses a series of security levels (e.g., public,
private, secret) and assigns those levels to each object in the operating
system. Users are assigned a security level, and they would only have access
to objects that meet or are below that assigned security level.

SY0-501, Objective 4.3 - Access Control Models

49
Q

The security team at a company has found a computer in the accounting department that is infected with a keylogger. After additional research, the security team has found that the keylogger was installed alongside an update of legitimate accounting software. Which of the following would prevent the transmission of the collected logs?
❍ A. Prevent the installation of all software
❍ B. Block all unknown outbound network traffic at the Internet firewall
❍ C. Install host-based anti-virus software
❍ D. Scan all incoming email attachments at the email gateway

A

B. Block all unknown outbound network traffic at the Internet firewall

Keylogging software has two major functions: record keystrokes, and transmit those keystrokes to a remote location. Local file scanning and software best practices can help prevent the initial installation, and controlling outbound network traffic can block unauthorized file transfers.

The incorrect answers:
A. Prevent the installation of all software
Blocking software installations may prevent the initial malware infection,
but it won’t provide any control of outbound keylogged data.
C. Install host-based anti-virus software
A good anti-virus application can identify malware before the installation
occurs, but anti-virus does not commonly provide any control of network
communication.
D. Scan all incoming email attachments at the email gateway
Malware can be installed from many sources, and sometimes the source
is unexpected. Scanning or blocking executables at the email gateway can
help prevent infection but it won’t provide any control of outbound file
transfers.

SY0-501, Objective 1.1 - Keyloggers

50
Q

A user in the marketing department is unable to connect to the wireless network. After authenticating with a username and password, the user receives this message:
– – –
The connection attempt could not be completed.
The Credentials provided by the server could not be validated.
Radius Server: radius.example.com
Root CA: Example.com Internal CA Root Certificate
– – –
The AP is configured with WPA2 encryption and 802.1X authentication.
Which of the following is the MOST likely reason for this login issue?
❍ A. The user’s computer is in the incorrect VLAN
❍ B. The RADIUS server is not responding
❍ C. The user’s computer does not support WPA2 encryption
❍ D. The user is in a location with an insufficient wireless signal
❍ E. The client computer does not have the proper certificate installed

A

E. The client computer does not have the proper certificate installed

The error message states that the server credentials could not be validated. This indicates that the certificate authority that signed the server’s certificate is either different than the CA certificate installed on the client’s workstation, or the client workstation does not have an installed copy of the CA’s certificate. This validation process ensures that the client is communicating to a trusted server and there are no man-in-the-middle attacks occurring.

The incorrect answers:
A. The user’s computer is in the incorrect VLAN
The RADIUS server certificate validation process should work properly
from all VLANs. The error indicates that the communication process is
working properly, so an incorrect VLAN would not be the cause of this
issue.
B. The RADIUS server is not responding
If the RADIUS server had no response to the user, then the process would
simply timeout. In this example, the error message indicates that the
communication process is working between the RADIUS server and the
client’s computer.
Practice Exam B - Answers 229
C. The user’s computer does not support WPA2 encryption
The first step when connecting to a wireless network is to associate with
the 802.11 access point. If WPA2 encryption was not supported, the
authentication process would not have occurred and the user’s workstation
would not have seen the server credentials.
D. The user is in a location with an insufficient wireless signal
The error message regarding server validation indicates that the wireless
signal is strong enough to send and receive data on the wireless network.

SY0-501, Objective 6.3 - Wireless Authentication Protocols

51
Q

A security administrator has created a new policy that prohibits the use of MD5 hashes due to collision problems. Which of the following describes the reason for this new policy?
❍ A. Two different messages have different hashes
❍ B. The original message can be derived from the hash
❍ C. Two identical messages have the same hash
❍ D. Two different messages share the same hash

A

D. Two different messages share the same hash

A well-designed hashing algorithm will create a unique hash value for every possible input. If two different inputs create the same hash, the hash algorithm has created a collision.

The incorrect answers:
A. Two different messages have different hashes
In normal operation, two different inputs will create two different hash
outputs.
B. The original message can be derived from the hash
Hashing is a one-way cipher, and you cannot derive the original message
from a hash value.
C. Two identical messages have the same hash
Two identical messages should always create exactly the same hash output.

SY0-501, Objective 6.1 - Hashing and Digital Signatures

52
Q

Jack, a security administrator, has been tasked with hardening all of the internal web servers used by the organization. The web servers should be configured to prevent man-in-the-middle attacks and to protect the application traffic from protocol analysis. These requirements should be implemented without changing the configuration on the client systems. Which of the following should Jack include in his project plan?
(Select TWO)
❍ A. Add DNSSEC records on the internal DNS servers
❍ B. Use HTTPS over port 443 for all server communication
❍ C. Use IPsec for client connections
❍ D. Create a web server certificate and sign it with the internal CA
❍ E. Require FTPS for all file transfers

A

B. Use HTTPS over port 443 for all server communication and D. Create a web server certificate and sign it with the internal CA

Using the secure HTTPS (Hypertext Transfer Protocol Secure) protocol will ensure that all network communication is protected between the web server and the client devices. If someone manages to capture the network traffic, they would be viewing encrypted data. A signed certificate from a trusted internal CA (Certificate Authority) allows web browsers to trust that the web server is the legitimate server endpoint. If someone attempts a man-in-the-middle attack, the certificate presented by the MitM will not validate and a warning message will appear in the browser.

SY0-501, Objective 2.6 - Secure Protocols

53
Q

A transportation company is building an email server that will integrate public key encryption and digital signatures of email content on a per-message basis. The integration of these features will be part of the email client. Which of these protocols would be the BEST choice for these requirements?
❍ A. POP3S (Post Office Protocol version 3)
❍ B. IPsec
❍ C. S/MIME
❍ D. IMAPS (Internet Message Access Protocol Secure)

A

C. S/MIME

S/MIME (Secure/Multipurpose Internet Mail Extensions) is used to encrypt and digitally sign email messages using public key encryption in an email client.

The incorrect answers:
A. POP3S
The secure version of POP3 (Post Office Protocol version 3) can be used to
encrypt email communication across the network, but it doesn’t provide
any public key encryption or digital signature functionality in an email
client.
B. IPsec
IPsec (IP Security) tunnels are useful when encrypting the communication
between sites or from end user devices. However, IPsec does not provide
any functionality for encrypting or digitally signing individual messages in
an email client.
D. IMAPS
IMAPS (Internet Message Access Protocol Secure) can be used to encrypt
email communication over the network, but it does not provide any per-message
encryption or digital signature features.

SY0-501, Objective 2.6 - Secure Protocols

54
Q
Which of the following would be the BEST option for application testing in an environment that is completely separated from the production network?
❍ A. Virtualization
❍ B. VLANs (Virtual Local Area Networks)
❍ C. Cloud computing
❍ D. Air gap
A

D. Air gap

An air gapped network removes all connectivity between components and ensures that there would be no possible communication path between the test network and the production network.

The incorrect answers:
A. Virtualization
Although virtualization provides the option to connect devices in a
private network, there’s still the potential for a misconfigured network
configuration or an application to communicate externally.
B. VLANs
VLANs (Virtual Local Area Networks) are a common segmentation
technology, but a router could easily connect the VLANs to the production
network.
C. Cloud computing
Cloud-based technologies provide for many network options, and it’s
common to maintain a connection between the cloud and the rest of the
network.

SY0-501, Objective 3.2 - Network Segmentation

55
Q
Hank, a finance manager, is responsible for the monthly employee payroll. To process the payroll, Hank logs into a third-party browser-based application and enters the hours worked for each employee. The financial transfers and physical check mailings are all provided by the third-party company. Hank does not maintain any servers or virtual machines within his company. Which of the following would BEST describe this application model?
❍ A. PaaS (Platform as a Service)
❍ B. Private
❍ C. SaaS (Software as a Service)
❍ D. IaaS (Infrastructure as a Service)
A

C. SaaS

The SaaS (Software as a Service) model generally has no local application installation, no ongoing maintenance tasks, and no local infrastructure requirements. A third-party provides the application and the support, and the user simply logs in, uses the service, and logs out.

The incorrect answers:
A. PaaS
PaaS (Platform as a Service) is a model that provides a building block of
features, and requires the end user to customize their own application from
the available modules. There can be a significant development effort to
build an application with a PaaS model.
B. Private
A private model requires that the end user purchase, install, and maintain
their own application hardware and software. The SaaS model doesn’t
require any initial hardware or software capital purchase.
D. IaaS
IaaS (Infrastructure as a Service) is a model that provides the user with the
hardware needed to get up and running, and the end user is responsible for
the operating system, the application, and any ongoing maintenance tasks.

SY0-501, Objective 3.7 - Cloud Deployment Models

56
Q
Which of the following BEST describes the modification of application source code that removes white space, shortens variable names, and rearranges the text into a compact format?
❍ A. Confusion
❍ B. Obfuscation
❍ C. Encryption
❍ D. Diffusion
A

B. Obfuscation

Obfuscation is the process of taking something that is normally understandable and making it very difficult to understand. Many developers will obfuscate their source code to prevent others from following the logic used in the application.

The incorrect answers:
A. Confusion
Confusion is a concept associated with data encryption where the
encrypted data is drastically different than the plaintext.
C. Encryption
Encrypting source code will effectively make it impossible to use unless
you have the decryption key. In this example, the source code remained
usable, but the readability of the source code was dramatically affected by
the changes.
D. Diffusion
Diffusion is an encryption concept where changing one character of the
input will cause many characters to change in the output.

SY0-501, Objective 3.6 - Secure Coding Techniques

57
Q

Which of the following vulnerabilities would be the MOST significant security concern when protecting against a competitor?
❍ A. Data center access with only one authentication method
❍ B. Spoofing of internal IP addresses when accessing an intranet server
❍ C. Employee VPN access uses a weak encryption cipher
❍ D. Lack of patch updates on an Internet-facing database server

A

D. Lack of patch updates on an Internet-facing database server

One of the easiest ways for a competitor to obtain information is through an existing Internet connection. An unpatched server could be exploited to obtain customer data that would not normally be available otherwise.

The incorrect answers:
A. Data center access with only one authentication method
Most competitors don’t have access to walk around inside of your
building, and they certainly wouldn’t have access to secure areas. A single
authentication method would commonly prevent unauthorized access
to a data center for both employees and non-employees, although more
authentication factors would provide some additional security.
B. Spoofing of internal IP addresses when accessing an intranet server
Intranet servers are not accessible from the outside. This makes them an
unlikely target for competitors and other non-employees.
C. Employee VPN access uses a weak encryption cipher
A weak encryption cipher can be a security issue, but a potential
exploitation would need the raw network traffic to begin any decryption
attempts. Although this scenario would technically be possible if someone
was to catch an employee on a public wireless network, it’s not the most
significant security issue in the available list.

SY0-501, Objective 1.3 - Threat Actors

58
Q
A shipping company has hired a third-party to perform a vulnerability scan of all Internet-facing web servers. The third-party company reports that the current web server software version is susceptible to a memory leak vulnerability. Which of the following would be the expected result if this vulnerability was exploited?
❍ A. DoS
❍ B. Data theft
❍ C. Unauthorized system access
❍ D. Rootkit installation
A

A. DoS

A denial of service (DoS) is a common result of a memory leak. Unused memory is not properly released, and eventually the leak uses all available memory. The system eventually crashes due to lack of resources.

The incorrect answers:
B. Data theft
A memory leak doesn’t provide any additional access to data, so the theft of
private information would not be an expected result.
C. Unauthorized system access
A memory leak can prevent all access to the system, but it doesn’t allow any
unauthorized access to the system.
D. Rootkit installation
A rootkit installation would need to be executed on the operating system,
and a memory leak doesn’t provide any opportunity for this installation to
run.

SY0-501, Objective 1.6 - Vulnerability Types

59
Q

Which of the following would be the BEST way to determine if files have been modified after the forensics process has occurred?
❍ A. Use a tamper seal on all storage devices
❍ B. Create a hash of the data
❍ C. Create an image of each storage device for future comparison
❍ D. Take screenshots of file directories with file sizes

A

B. Create a hash of the data

A hash will create a unique value that can be quickly validated at any time in the future. If the hash value changes, then the data must have also changed.

The incorrect answers:
A. Use a tamper seal on all storage devices
A physical tamper seal will identify if a device has been opened, but it
cannot identify any changes to the data on the storage device.
C. Create an image of each storage device for future comparison
A copy of the data would allow for comparisons later, but the process of
doing the comparison would take much more time than validating a hash
value. It’s also possible that someone could tamper with both the original
data and the copy of the data.
D. Take screenshots of file directories with file sizes
It’s very easy to change the contents of a file without changing the size of
the file.

SY0-501, Objective 5.5 - Gathering Forensics Data

60
Q
A system administrator is implementing a password policy that would require letters, numbers, and special characters to be included in every password. Which of the following controls MUST be in place to enforce this password policy?
❍ A. Length
❍ B. Expiration
❍ C. Reuse
❍ D. Complexity
A

D. Complexity

Adding different types of characters to a password requires technical controls that increase password complexity.

The incorrect answers:
A. Length
Adding all of these character types to a password does not necessarily change
the length of the password.
B. Expiration
All passwords should expire, but the expiration date should not affect the
characters used in the password.
C. Reuse
The controls that prohibit the reuse of passwords do not control the
characters used in the password.

SY0-501, Objective 4.4 - Account Policy Enforcement

61
Q
A software developer for a medical imaging company is creating an application to store image files using asymmetric encryption. Which of these technologies could be used for this application?
❍ A. Blowfish
❍ B. AES (Advanced Encryption Standard)
❍ C. RSA (Rivest, Shamir, and Adleman)
❍ D. RC4 (Rivest Cipher 4)
❍ E. 3DES (Triple DES)
A

C. RSA

RSA (Rivest, Shamir, and Adleman) is a public domain asymmetric algorithm.

The incorrect answers:
A. Blowfish
Blowfish is a symmetric algorithm, and was one of the first ciphers not
limited by patents.
B. AES
AES (Advanced Encryption Standard) is a symmetric algorithm that is used
in many applications, including WPA2 wireless encryption.
D. RC4
RC4 (Rivest Cipher 4) is a symmetric algorithm that was used in 802.11
WEP encryption.
E. 3DES
3DES (Triple DES) is a symmetric encryption method that extends the use
of the DES cipher by commonly using three keys during the encryption and
decryption process.

SY0-501, Objective 6.2 - Asymmetric Algorithms

62
Q

A security analyst has installed an HTTPS-based web server application on the company intranet. Once login credentials are verified, access to the application is based on the IP address of the remote device. Which of the following security issues would be associated with this application?
❍ A. An attacker could use a replay attack to gain access to the application
❍ B. A spoofing attack would provide an attacker with unauthorized access to the application
❍ C. A watering hole attack would provide access to the application by outside users
❍ D. An MitM attack would allow an attacker to inject malicious code
❍ E. A manipulated network driver would allow an attacker to access the application data

A

B. A spoofing attack would provide an attacker with unauthorized access to the application

Once this application authenticates a user, it maintains the session information based on the IP address of the authenticated user. Anyone who spoofs this IP address would gain access to the application with the same rights as the authenticated user.

The incorrect answers:
A. An attacker could use a replay attack to gain access to the application
Since the web-based application is on an HTTPS (HTTP Secure)
connection, a replay attack would not be available to an attacker.
C. A watering hole attack would provide access to the application by
outside users
An application on an intranet would not be accessible to anyone outside of
the organization.
D. An MitM attack would allow an attacker to inject malicious code
A man-in-the-middle attack would not be useful over a secure connection.
E. A manipulated network driver would allow an attacker to access the
application data
Although modified drivers are certainly a security issue, there’s no mention
of any server modifications in this question.

SY0-501, Objective 1.2 - Spoofing

63
Q

Daniel, a system administrator, believes that certain configuration files on a Linux server have been modified from their original state. These modifications allow a particular group to restart a daemon on the server without the need for administrative access. Daniel has reverted the configurations to their original state, but he would like to be notified if they are changed again. Which of the following would be the BEST way to provide this functionality?
❍ A. HIPS (Host-based Intrusion Prevention System)
❍ B. File integrity check
❍ C. Application whitelist
❍ D. Patch management
❍ E. WAF (Web Application Firewall)

A

B. File integrity check

A file integrity checker (e.g., Tripwire, System File Checker, etc.) can be used to monitor and alert if there are any changes to a file.

The incorrect answers:
A. HIPS
HIPS (Host-based Intrusion Prevention System) would help identify any
security vulnerabilities, but there’s nothing relating to this issue that would
indicate that this issue was caused by an operating system or application
vulnerability. A HIPS would not commonly alert on the modification of a
specific file.
C. Application whitelist
In this example, we’re not sure how the file was changed or if a separate
application or editor was even used. If the change was made with a valid
application, a whitelist would not provide any feedback or alerts.
D. Patch management
Patch management would handle the updates for the operating system
and applications, but it would not provide any monitoring or alerting if a
specific file is changed.
E. WAF
A WAF (Web Application Firewall) is used to protect web-based
applications from malicious attack. The example in this question was not
related to a web-based application.

SY0-501, Objective 2.4 - Analyzing Security Output

64
Q

A security administrator is updating the network infrastructure to support 802.1X authentication. Which of the following would be the BEST choice for this configuration?
❍ A. RADIUS (Remote Authentication Dial-In User Service)
❍ B. HTTPS (Hypertext Transfer Protocol Secure)
❍ C. SNMPv3 (Simple Network Management Protocol version 3)
❍ D. MS-CHAP (Microsoft Challenge Handshake Authentication Protocol)

A

A. RADIUS

RADIUS (Remote Authentication Dial-In User Service) is a common protocol to use for centralized authentication. Other protocols such as LDAP, TACACS+, or Kerberos would also be valid options for 802.1X authentication.

The incorrect answers:
B. HTTPS
HTTPS (Hypertext Transfer Protocol Secure) is commonly used to encrypt
web server communication. HTTPS is not an authentication protocol.
C. SNMPv3
SNMPv3 (Simple Network Management Protocol version 3) is used to
manage servers and infrastructure devices. SNMP is not an authentication
protocol.
D. MS-CHAP
MS-CHAP (Microsoft Challenge Handshake Authentication Protocol)
was commonly used to authenticate devices using Microsoft’s Point-to-Point
Tunneling Protocol (PPTP). Security issues related to the use of DES
(Data Encryption Standard) encryption in MS-CHAP eliminate it from
consideration for modern authentication.

SY0-501, Objective 6.3 - Wireless Authentication Protocols

65
Q
Your company owns a purpose-built appliance that doesn’t provide any access to the operating system and does not provide a method to upgrade the firmware. Which of the following describes this appliance?
❍ A. End-of-life
❍ B. Weak configuration
❍ C. Improper input handling
❍ D. Embedded system
A

D. Embedded system

An embedded system usually does not provide access to the OS and may not even provide a method of upgrading the system firmware.

The incorrect answers:
A. End-of-life
A device at its end-of-life is no longer supported by the vendor. In this
example, the vendor support status isn’t mentioned.
B. Weak configuration
A weak configuration would leave the system easily accessible by an
attacker. In this example, the described scenario doesn’t describe any weak
configurations.
C. Improper input handling
Improper handling of user input can sometimes result in an exploit. In this
example, no specific user input issues were described.

SY0-501, Objective 1.6 - Vulnerability Types

66
Q
Last month, a finance company disposed of seven-year-old printed customer account summaries that were no longer required for auditing purposes. A recent online search has now found that images of these documents are available as downloadable torrents. Which of the following would MOST likely have prevented this information breach?
❍ A. Pulping
❍ B. Degaussing
❍ C. NDA
❍ D. Fenced garbage disposal areas
A

A. Pulping

Pulping places the papers into a large washing tank to remove the ink, and the paper is broken down into pulp and recycled. The information on the paper is not recoverable after pulping.

The incorrect answers:
B. Degaussing
Degaussing removes the electromagnetic field of storage media and
electronics. Degaussing will not have any effect on paper items.
C. NDA
A non-disclosure agreement is only valid to the people who have signed the
agreement. In this case, it can be assumed that the papers were obtained by
a third-party after being placed in the trash.
D. Fenced garbage disposal areas
Although a fenced disposal area would have protected this information
while it was on-site, the papers could have been obtained once they left the
facility. The best choice for this question would be the option that would
render the information on the pages unreadable.

SY0-501, Objective 5.8 - Data Destruction

67
Q

A security manager believes that an employee is using their laptop to circumvent the corporate Internet security controls through the use of a cellular hotspot. Which of the following could be used to validate this belief? (Select TWO)
❍ A. HIPS (Host-based Intrusion Prevention System)
❍ B. UTM appliance logs
❍ C. Web application firewall events
❍ D. Host-based firewall logs
❍ E. Next-generation firewall logs

A

A. HIPS and D. Host-based firewall logs

If the laptop is not communicating across the corporate network, then the only evidence of the traffic would be contained on the laptop itself. A HIPS (Host-based Intrusion Prevention System) and host-based firewall logs may contain information about recent traffic flows to systems outside of the corporate network.

The incorrect answers:
B. UTM appliance logs
A unified threat management appliance is commonly located in the core of
the network. The use of a cellular hotspot would circumvent the UTM and
would not be logged.
C. Web application firewall events
Web application firewalls are commonly used to protect internal web
servers. Outbound Internet communication would not be logged, and
anyone circumventing the existing security controls would also not be
logged.
E. Next-generation firewall logs
Although a next-generation firewall keeps detailed logs, any systems
communicating outside of the normal corporate Internet connection
would not appear in those logs.

SY0-501, Objective 2.4 - Analyzing Security Output

68
Q

An application developer is creating a mobile device app that will include extensive encryption and decryption. Which of the following technologies would be the BEST choice for this app?
❍ A. AES (Advanced Encryption Standard)
❍ B. Elliptic curve
❍ C. Diffie-Hellman
❍ D. PGP

A

B. Elliptic curve

ECC (Elliptic Curve Cryptography) uses smaller keys than non-ECC encryption and has smaller storage and transmission requirements. These characteristics make it an efficient option for mobile devices.

The incorrect answers:
A. AES
AES (Advanced Encryption Standard) is a useful encryption cipher, but the
reduced overhead of elliptic curve cryptography is a better option for this
scenario.
C. Diffie-Hellman
Diffie-Hellman is a key-agreement protocol, and Diffie-Hellman does not
provide for any encryption or authentication.
D. PGP
PGP’s public-key cryptography requires much more overhead than the
elliptic curve cryptography option.

SY0-501, Objective 6.2 - Asymmetric Algorithms

69
Q

Which of the following would be a common result of a successful vulnerability scan?
❍ A. A list of usernames and password hashes from a server
❍ B. A list of Microsoft patches that have not been applied to a server
❍ C. A copy of image files from a private file share
❍ D. The BIOS configuration of a server

A

B. A list of Microsoft patches that have not been applied to a server

A vulnerability scan will identify known vulnerabilities, but it will stop short of exploiting these vulnerabilities.

The incorrect answers:
A. A list of usernames and password hashes from a server
This type of secure information cannot be obtained through a
vulnerability scan.
C. A copy of image files from a private file share
A private file share would prevent any access by unauthorized users,
including vulnerability scans.
D. The BIOS configuration of a server
Private information, such as a device’s BIOS configuration, is not available
from a vulnerability scan.

SY0-501, Objective 1.5 - Vulnerability Scanning

70
Q
A hospital has hired a third-party to check all Internet-facing servers for any security issues. The terms of the engagement are to obtain as much information as possible without actively gaining access to parts of the file system that require authentication. Which of the following would describe this engagement?
❍ A. Vulnerability scan
❍ B. Zero-day attack
❍ C. Passive reconnaissance
❍ D. Penetration test
A

A. Vulnerability scan

A vulnerability scan can be used to identify any known security vulnerabilities, but it will not attempt to exploit those vulnerabilities.

The incorrect answers:
B. Zero-day attack
A zero-day attack is an attempt to exploit a vulnerability that is not publicly
known. A zero-day attack would operate against unknown vulnerabilities.
C. Passive reconnaissance
Passive reconnaissance is used to gather information about a target without
performing any direct scans or network traffic. An example of passive
reconnaissance is gathering information from social media or a company
website.
D. Penetration test
A penetration test will attempt to exploit a vulnerability to gain access to
data or a system.

SY0-501, Objective 1.5 - Vulnerability Scanning

71
Q
A network administrator is troubleshooting an issue with a web server and is examining the server certificate. Which of the following would the administrator be able to view in this certificate?
❍ A. CRL (Certificate Revocation List)
❍ B. CSR (Certificate Signing Request)
❍ C. CA name (certificate authority)
❍ D. The server’s private key
A

C. CA name

The name of the issuing CA (certificate authority) is listed in a server certificate.

The incorrect answers:
A. CRL
A CRL (Certificate Revocation List) is maintained on the certificate
authority (CA) server or a different local server. The list itself is not part of
the certificate.
B. CSR
The CSR (Certificate Signing Request) is sent to the certification authority
with the public key to be signed.
D. The server’s private key
Private keys are not included inside of a public server certificate.

SY0-501, Objective 6.4 - PKI Components

72
Q
A system administrator has protected a set of system backups with an encryption key. The system administrator used the same key when restoring files from this backup. Which of the following would BEST describe this encryption type?
❍ A. Asymmetric
❍ B. Key escrow
❍ C. Symmetric
❍ D. Out-of-band key exchange
A

C. Symmetric

Symmetric encryption uses the same key for both encryption and decryption.

The incorrect answers:
A. Asymmetric
Asymmetric encryption uses different keys for encryption and decryption.
B. Key escrow
Key escrow is when a third-party holds the decryption keys for your data.
D. Out-of-band key exchange
Keys can be transferred between people or systems over the network (in-band)
or outside the normal network communication (out-of-band). In this
example, the key wasn’t exchanged between people or systems, since the
system administrator is the same person who encrypted and decrypted.

SY0-501, Objective 6.1 - Symmetric and Asymmetric Encryption
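As an added example that is not part of the original card, the following Python shows the symmetric property in working code: the backup is encrypted and restored with one shared key, and restoring with any other key fails the integrity check instead of silently producing garbage. The cipher here is a toy construction (an HMAC-SHA256 keystream with an encrypt-then-MAC tag) chosen so the example runs on the standard library alone; real backup and full disk encryption tools use a vetted AEAD such as AES-GCM. The sample backup data and key are constructed.

```python
import hashlib
import hmac
import os

# Toy symmetric scheme for illustration only: a CTR-style keystream built from
# HMAC-SHA256 plus an encrypt-then-MAC tag. Production tools use AES-GCM or
# similar; the point here is that ONE key does both directions.
NONCE_LEN = 16
TAG_LEN = 32


def derive_subkeys(key: bytes) -> tuple:
    """Split the single backup key into separate encryption and MAC keys."""
    enc = hmac.new(key, b"backup-enc", hashlib.sha256).digest()
    mac = hmac.new(key, b"backup-mac", hashlib.sha256).digest()
    return enc, mac


def keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """Deterministic keystream: HMAC(enc_key, nonce || counter) block by block."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_backup(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt and authenticate a backup blob under the shared key."""
    enc_key, mac_key = derive_subkeys(key)
    nonce = os.urandom(NONCE_LEN)  # fresh per backup, so identical files differ on disk
    ks = keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decrypt_backup(key: bytes, blob: bytes) -> bytes:
    """Restore with the SAME key. A different key (or a modified blob) fails
    the tag check, so a bad restore is detected rather than silently corrupted."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("blob too short")
    enc_key, mac_key = derive_subkeys(key)
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or tampered backup")
    ks = keystream(enc_key, nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, ks))


if __name__ == "__main__":
    backup_key = os.urandom(32)  # the one secret the administrator must protect
    files = b"/etc/shadow ...\n/var/lib/app/db.sqlite ..."  # constructed sample backup
    blob = encrypt_backup(backup_key, files)
    print("restored OK:", decrypt_backup(backup_key, blob) == files)
    try:
        decrypt_backup(os.urandom(32), blob)
    except ValueError as err:
        print("restore with a different key:", err)
```

Because the same key restores the data, whoever holds that key can read every backup; the practical consequence is that the key, not the ciphertext, is what needs protecting, which is why the next question's key escrow option exists at all.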

73
Q

A security administrator has noticed an increase in the number of people who are writing down their login credentials on notepads at their desk. The company currently maintains seven different applications
that all have different authentication methods. Which of the following technologies would be the BEST way to resolve the issue found by the security administrator?
❍ A. Multi-factor authentication
❍ B. SSO
❍ C. Server certificates
❍ D. AAA framework

A

B. SSO

SSO (Single Sign-On) would require the user to memorize one single set of authentication credentials, and those single credentials would provide access to all of the necessary resources.

The incorrect answers:
A. Multi-factor authentication
Adding a second factor does not reduce the number of credentials to
manage; the users would still maintain seven separate login names and
passwords to gain access to the company applications.
C. Server certificates
A server certificate is useful to show that the server is trusted by the end
user, but it doesn’t help the users manage their large list of usernames and
passwords.
D. AAA framework
Using a AAA framework would be a good way to centralize the
management of the login credentials, but it would not by itself decrease the
number of login credentials that each user would have to maintain.

SY0-501, Objective 4.1 - AAA and Authentication

74
Q
An organization has identified a security breach and has removed the affected servers from the network. Which of the following is the NEXT step in the IR process?
❍ A. Eradication
❍ B. Preparation
❍ C. Recovery
❍ D. Identification
❍ E. Containment
A

A. Eradication

The IR (Incident Response) process is preparation, identification, containment, eradication, recovery, and lessons learned. Once the affected systems have been contained, eradication removes the malware and any accounts or persistence the attacker created, and fixes the vulnerability that was exploited.

The incorrect answers:
B. Preparation
Before an incident occurs, you should compile contact information,
incident handling hardware and software, analysis resources, and other
important tools and policies.
C. Recovery
The focus of the recovery process is to return systems to normal
operation: restoring from clean backups or images, validating the rebuilt
systems, and monitoring them for signs of reinfection. Recovery follows
eradication, so it is not the next step after containment.
D. Identification
Identification of an event can be challenging, but it usually consists of IPS
reports, anti-virus alerts, configuration change notifications, and other
indicators.
E. Containment
In this example, the containment and isolation occurred when the affected
servers were removed from the network.

SY0-501, Objective 5.4 - Incident Response Process

75
Q
A manager of the accounting department would like to minimize the opportunity for embezzlement and fraud from any of the current accounting team employees. Which of these policies should the manager use to avoid these issues?
❍ A. Background checks
❍ B. Clean desk policy
❍ C. Mandatory vacations
❍ D. Acceptable use policy
A

C. Mandatory vacations

It’s difficult to maintain fraudulent activities if the person executing the fraud is out of the office. In financial environments, it’s not uncommon to require at least a week of consecutive vacation time at some point during
the year.

The incorrect answers:
A. Background checks
Background checks are useful to discover information prior to hiring
someone, but these checks are not commonly performed after someone is
an employee.
B. Clean desk policy
If confidential information was left available on someone’s desk, then it
would be appropriate to institute a clean desk policy. In this example, the
fraudulent activity did not include any mention of confidential information
on a desk.
D. Acceptable use policy
The acceptable use policy (AUP) of an organization describes how company
assets are to be used, especially computers, Internet connections, and
mobile devices.

SY0-501, Objective 5.1 - Personnel Management

76
Q

Which of the following would be the MAIN reasons why a system administrator would use a TPM when configuring full disk encryption?
(Select TWO)
❍ A. Allows the encryption of multiple volumes
❍ B. Uses burned-in cryptographic keys
❍ C. Stores certificates in a hardware security module
❍ D. Protects against EMI leakage
❍ E. Includes built-in protections against brute-force attacks

A

B. Uses burned-in cryptographic keys and
E. Includes built-in protections against brute-force attacks

A TPM (Trusted Platform Module) is hardware on the computer's motherboard that is designed to perform and protect cryptographic functions. Its endorsement key is burned in at manufacture and never leaves the chip, and full disk encryption (FDE) can seal the disk key to the TPM so that it is released only when measurements of the boot process show the local device hasn't changed. The TPM also enforces anti-hammering lockouts that slow or block brute-force and dictionary attacks against the full disk encryption login credentials.

The incorrect answers:
A. Allows the encryption of multiple volumes
The use of a TPM is not associated with the number of volumes that may
be encrypted with FDE.
C. Stores certificates in a hardware security module
A hardware security module (HSM) is high-end cryptographic hardware
specifically designed for large-scale secured storage on the network. An
HSM server is a separate device that is not associated with an individual
device’s TPM.
D. Protects against EMI leakage
The leakage of EMI (Electromagnetic Interference) from keyboards,
storage drives, or network connections can be a security concern, but it is
not related to the use of a trusted platform module.
SY0-501, Objective 3.3 - Hardware Security

77
Q

A security administrator would like to create an access control where each file or folder is assigned a security clearance level, such as “confidential” or “secret.” The security administrator would then assign a maximum
security level to each user. What type of access control would be used in this network?
❍ A. Mandatory
❍ B. Rule-based
❍ C. Discretionary
❍ D. Role-based

A

A. Mandatory

Mandatory access control uses a series of security levels (e.g., public, confidential, secret) that the security administrator assigns to each object, and the operating system enforces those labels; an object's owner cannot override them. Each user is assigned a clearance, and a user can access only objects whose level is at or below that clearance.

The incorrect answers:
B. Rule-based
Rule-based access control determines access based on a series of system-enforced
rules. An access rule might require that a particular browser be
used to complete a web page form, or that access to a file or system is only
allowed during certain times of the day.
C. Discretionary
Discretionary access control allows the owner of an object to assign access.
If a user creates a spreadsheet, the user can then assign users and groups to
have a particular level of access to that spreadsheet.
D. Role-based
Role-based access control assigns a user’s permissions based on their role
in the organization. For example, a manager would have a different set of
rights and permissions than a team lead.

SY0-501, Objective 4.3 - Access Control Models
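The following Python is an added example, not part of the original card, that implements the mandatory access control decision described above: an administrator-assigned label on every object, a clearance on every user, and a read check that allows access only at or below the clearance. It goes one step beyond the card by also carrying need-to-know compartments and the classic "no write down" rule, under which a user may not copy data into an object with a lower label. All user names, file names, and labels are constructed.

```python
from dataclasses import dataclass

# Ordered sensitivity levels. The administrator, not the file owner, assigns them,
# which is what makes this mandatory rather than discretionary.
LEVELS = {"public": 0, "confidential": 1, "secret": 2, "top secret": 3}


@dataclass(frozen=True)
class Label:
    level: str
    compartments: frozenset = frozenset()  # need-to-know categories, e.g. {"finance"}

    def dominates(self, other: "Label") -> bool:
        """True when this label is at or above the other in level AND holds
        every compartment the other label carries."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.compartments >= other.compartments)


def can_read(clearance: Label, obj: Label) -> bool:
    """Simple security property: no read up."""
    return clearance.dominates(obj)


def can_write(clearance: Label, obj: Label) -> bool:
    """*-property: no write down. A secret-cleared user may not write secret
    data into a public file, even though they can read that file."""
    return obj.dominates(clearance)


def check(clearance: Label, obj: Label) -> str:
    """Summarise the MAC decision for one subject/object pair."""
    decision = (can_read(clearance, obj), can_write(clearance, obj))
    return {(True, True): "read/write", (True, False): "read-only",
            (False, True): "write-only", (False, False): "no access"}[decision]


# Constructed sample labels and clearances.
OBJECTS = {
    "handbook.pdf": Label("public"),
    "q3-forecast.xlsx": Label("confidential", frozenset({"finance"})),
    "merger-plan.docx": Label("secret", frozenset({"finance", "legal"})),
    "sigint-brief.txt": Label("top secret"),
}
USERS = {
    "alice": Label("secret", frozenset({"finance", "legal"})),
    "bob": Label("confidential", frozenset({"finance"})),
}


def access_report(users=USERS, objects=OBJECTS) -> dict:
    """Map every user to the decision for every object."""
    return {user: {name: check(clearance, label) for name, label in objects.items()}
            for user, clearance in users.items()}


if __name__ == "__main__":
    for user, row in access_report().items():
        print(user, row)
```

Note the "write-only" result bob gets on the secret merger plan: he cannot read it, but strict Bell-LaPadula lets a lower-cleared subject append upward. Most real MAC deployments tighten this to "no access" so that users cannot blindly modify documents they cannot see.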

78
Q
Cameron, a security administrator, is reviewing a report that shows a number of devices on internal networks attempting to connect with servers in the data center network. Which of the following security controls should Cameron add to prevent internal systems from accessing data center devices?
❍ A. VPN (Virtual Private Network)
❍ B. IPS (Intrusion Prevention System)
❍ C. NAT (Network Address Translation)
❍ D. ACL (Access Control List)
A

D. ACL

An ACL (Access Control List) is a security control commonly implemented on routers to allow or restrict traffic flows through the network.

The incorrect answers:
A. VPN
A VPN (Virtual Private Network) can be used to secure data traversing the
network, but it’s not commonly used to control traffic flows on an internal
network.
B. IPS
An IPS (Intrusion Prevention System) identifies and blocks known attack
signatures and exploit traffic as it crosses the network. It is not used to
decide which networks are allowed to talk to which.
C. NAT
NAT (Network Address Translation) rewrites the source and/or destination
IP addresses of network traffic; it does not decide whether a flow is
allowed. NAT is not a security control.

SY0-501, Objective 2.1 - Router and Switch Security
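To make the ACL behaviour concrete, here is an added Python example (not from the original card) that evaluates packets against an ordered access list the way a router does: entries are checked top to bottom, the first match wins, and anything that matches nothing hits the implicit deny at the end. The addresses are constructed assumptions: 10.100.0.0/16 is the data center, 10.20.0.0/24 is a monitoring subnet that is allowed in on 443, and all other internal (10.0.0.0/8) hosts are blocked from the data center.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str                   # "permit" or "deny"
    proto: str                    # "tcp", "udp", or "ip" (any protocol)
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int] = None   # None means any destination port


@dataclass(frozen=True)
class Packet:
    proto: str
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    dport: Optional[int] = None


def net(cidr: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(cidr)


def packet(proto: str, src: str, dst: str, dport: Optional[int] = None) -> Packet:
    return Packet(proto, ipaddress.ip_address(src), ipaddress.ip_address(dst), dport)


# Constructed example ACL, applied inbound on the interface facing the user networks.
DATA_CENTER = net("10.100.0.0/16")
ACL = [
    Rule("permit", "tcp", net("10.20.0.0/24"), DATA_CENTER, 443),  # monitoring subnet -> DC over HTTPS
    Rule("deny", "ip", net("10.0.0.0/8"), DATA_CENTER),            # every other internal host
    Rule("permit", "ip", net("0.0.0.0/0"), net("0.0.0.0/0")),      # everything else, e.g. Internet-bound
]


def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    if pkt.src not in rule.src or pkt.dst not in rule.dst:
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    return True


def evaluate(acl, pkt: Packet):
    """Return (action, index of the matching entry). First match wins; no match
    means the implicit deny that ends every ACL, reported with index None."""
    for index, rule in enumerate(acl):
        if matches(rule, pkt):
            return rule.action, index
    return "deny", None


if __name__ == "__main__":
    samples = [
        packet("tcp", "10.20.0.5", "10.100.0.10", 443),   # monitoring host, allowed
        packet("tcp", "10.30.4.7", "10.100.0.10", 443),   # user desktop, blocked
        packet("udp", "10.30.4.7", "8.8.8.8", 53),        # not data-center bound, allowed
    ]
    for s in samples:
        print(s.src, "->", s.dst, s.dport, evaluate(ACL, s))
```

Two things the example makes visible that a one-line description does not: entry order matters (swap the first two rules and the monitoring subnet is blocked too), and a plain ACL has no notion of connection state, so return traffic for permitted sessions needs its own entry or a stateful device.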

79
Q

George is an executive for an advertising company, and he is attending a conference in another city. During the conference, he will be using his laptop in the conference center and his hotel. Which of the following would prevent direct access to his laptop from other devices on these networks?
❍ A. Host-based firewall
❍ B. VPN software
❍ C. Proxy
❍ D. Anti-virus and anti-malware software

A

A. Host-based firewall

A host-based firewall is designed to protect an operating system from unwanted network communication. Since the firewall is software that runs in the laptop’s OS, it can provide protection from any external network connection.

The incorrect answers:
B. VPN software
VPN (Virtual Private Network) software would encrypt communication
from the laptop, but it wouldn’t prevent someone else from directly
connecting to other services running on the laptop.
C. Proxy
A proxy can be used to protect inbound traffic to servers, but it’s not
practical to have a proxy server provide inbound protection to a laptop.
D. Anti-virus and anti-malware software
Anti-virus and anti-malware software can identify and block known
malware, but it’s not designed to block interactive network communication
from other devices.

SY0-501, Objective 2.1 - Firewalls

80
Q
A user in the mailroom has reported an overall slowdown of his shipping management software. An anti-virus scan did not identify any issues, but a more thorough malware scan identified a kernel driver that was not part of the original operating system installation. Which of the following malware was installed on this system?
❍ A. Rootkit
❍ B. RAT (Remote Administration Tool)
❍ C. Bot
❍ D. Ransomware
❍ E. Keylogger
A

A. Rootkit

A rootkit traditionally modifies core system files and becomes effectively invisible to the rest of the operating system. The modification of system files and specialized kernel-level drivers are common rootkit techniques.

The incorrect answers:
B. RAT
A RAT (Remote Administration Tool) is often installed as a Trojan horse
and used for malicious purposes. Although these utilities are sometimes
installed subversively, they can still be identified through normal malware
scans and host-based firewall software.
C. Bot
A bot is relatively active malware that can usually be seen in a process list
and by examining network communication. Botnet participants can often
be identified using traditional anti-malware software.
D. Ransomware
Ransomware makes itself quite visible on your system, and it usually
presents warning messages demanding payment in exchange for the key to
recover the encrypted data.
E. Keylogger
A keylogger is a utility that captures keyboard and mouse input and sends
that information to another device. This usually means that the keylogger
has a visible component in the list of processes and traffic that can be seen
on the network.

SY0-501, Objective 1.1 - Rootkits

81
Q

A large multinational company is launching a new application that will allow employees to access their benefits packages through an online web portal, and the application will be used for all employees around the world. The development team has designed the application to use token-based authentication when users log in. Which of the following would BEST describe this authentication process? (Select TWO)
❍ A. The server maintains the state of each authenticated user
❍ B. Token information can be sent in the clear
❍ C. No session information is stored on the server
❍ D. The token is provided with each request to the server
❍ E. The token for each user is stored in a centralized database

A

C. No session information is stored on the server and
D. The token is provided with each request to the server

A significant benefit of token-based authentication is that no session information is stored on the server, so the process of maintaining a login session is completely stateless. The client is provided a token during the
login process, and that token is sent with each server request to validate the user’s session.

The incorrect answers:
A. The server maintains the state of each authenticated user
A server providing token-based authentication does not keep a list of
authenticated users. The token provided to the user verifies the successful
authentication, so the server doesn’t have to keep a long list of valid
sessions.
B. Token information can be sent in the clear
The token is a bearer credential: anyone who captures it can replay it, so
it must be sent over an encrypted channel such as HTTPS.
E. The token for each user is stored in a centralized database
Each token is stored on the user's device. The server validates a presented
token with the signing key it holds, so none of the tokens need to be
maintained on the server or in a centralized database.

SY0-501, Objective 4.2 - Federated Identities
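The following Python is an added example, not part of the original card, showing the stateless exchange in working code: the server signs a set of claims at login with a key only it holds, the client presents that token on every request, and the server verifies the signature and expiry without consulting any session table. It also shows the two failure modes a practitioner cares about: a client that edits the claims cannot re-sign them, and an expired token is rejected. The token format (base64url claims plus an HMAC-SHA256 tag) is a simplified JWT-style layout chosen to run on the standard library; the server key, user name, and timestamps are constructed.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(server_key: bytes, username: str, ttl: int = 900,
                now: Optional[int] = None) -> str:
    """Called once at login. After this the server keeps no record of the session."""
    now = int(time.time()) if now is None else now
    claims = {"sub": username, "iat": now, "exp": now + ttl}
    body = b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(server_key, body.encode(), hashlib.sha256).digest()
    return f"{body}.{b64url(sig)}"


def verify_token(server_key: bytes, token: str,
                 now: Optional[int] = None) -> Optional[dict]:
    """Validate using only the server's key and the clock: signature first,
    then expiry. Returns the claims, or None for anything that fails."""
    now = int(time.time()) if now is None else now
    try:
        body, sig = token.split(".")
        expected = hmac.new(server_key, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(unb64url(sig), expected):
            return None
        claims = json.loads(unb64url(body))
    except ValueError:  # malformed base64, bad JSON, wrong number of parts
        return None
    if not isinstance(claims, dict) or claims.get("exp", 0) <= now:
        return None
    return claims


def handle_request(server_key: bytes, headers: dict, now: Optional[int] = None) -> str:
    """Every request carries the token; no lookup in a session store is needed."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return "401 missing token"
    claims = verify_token(server_key, auth[len("Bearer "):], now)
    if claims is None:
        return "401 invalid or expired token"
    return f"200 hello {claims['sub']}"


def tamper_subject(token: str, new_sub: str) -> str:
    """What an attacker can do: rewrite the claims. What they cannot do:
    recompute the signature without the server key."""
    body, sig = token.split(".")
    claims = json.loads(unb64url(body))
    claims["sub"] = new_sub
    return b64url(json.dumps(claims, separators=(",", ":")).encode()) + "." + sig


if __name__ == "__main__":
    server_key = b"constructed-server-key-keep-secret"
    token = issue_token(server_key, "alice")
    print(handle_request(server_key, {"Authorization": "Bearer " + token}))
    print(handle_request(server_key, {"Authorization": "Bearer " + tamper_subject(token, "admin")}))
```

The flip side of keeping no server-side state is that nothing can be "logged out" on the server: a stolen token stays valid until it expires, which is why the example uses a short TTL and why real deployments pair short-lived tokens with a refresh mechanism or a small revocation list.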

82
Q

The manager of a data center needs to control and manage the people visiting and leaving the data center facilities throughout the day. If a person is entering the facility, they must check-in before they are allowed
to move further into the building. People who are leaving must be formally checked-out before they are able to exit the building. Which of the following would be the BEST solution for this requirement?
❍ A. Mantrap
❍ B. Air gap
❍ C. Faraday cage
❍ D. Protected distribution

A

A. Mantrap

A mantrap is commonly used to control the flow of people through a particular area. Unlocking one door of a mantrap locks the other, so nobody can walk through without stopping. Large data centers commonly use a single room as the mantrap, where visitors are checked in and out of the facility.

The incorrect answers:
B. Air gap
An air gap is a technical control that creates a physical separation between
devices or networks. An air gap is not used to manage the flow of people.
C. Faraday cage
A Faraday cage is used to block electromagnetic fields, and it is useful in
environments where electromagnetic and radio signals can be an issue.
D. Protected distribution
A protected distribution system (PDS) is a physically secure cabled
network. Cable and fiber in a protected distribution are protected from
taps, cuts, or similar security breaches.

SY0-501, Objective 3.9 - Physical Security Controls

83
Q

A security administrator has discovered that an employee has been exfiltrating confidential company information by embedding the data within image files and emailing the images to a third-party. Which of the
following would best describe this activity?
❍ A. Digital signatures
❍ B. Steganography
❍ C. Block cipher
❍ D. Perfect forward secrecy

A

B. Steganography

Steganography is the process of hiding information within another document. For example, one common method of steganography will embed data or documents within image files.

The incorrect answers:
A. Digital signatures
A digital signature is a cryptographic method to check the integrity,
authentication, and non-repudiation of a message. Digital signatures are
not used to hide information within image files.
C. Block cipher
A block cipher is used to encrypt fixed-length groups of data. Block ciphers
do not hide data within another object.
D. Perfect forward secrecy
Perfect forward secrecy is a key exchange method that creates a new and
unique set of session keys for each session.

SY0-501, Objective 6.1 - Steganography
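As an added example (not from the original card), the following Python performs the kind of embedding described above on a constructed carrier: it hides a message in the least significant bit of each pixel sample and recovers it again. The carrier is a flat array of 8-bit grayscale samples generated with a seeded random number generator; decoding a real PNG or BMP into such samples (for instance with Pillow) is left out so that the example runs on the standard library alone. The message text is constructed.

```python
import random


def make_carrier(n_samples: int, seed: int = 1) -> bytes:
    """Constructed stand-in for an image: n_samples 8-bit grayscale values."""
    rng = random.Random(seed)
    return bytes(rng.randrange(256) for _ in range(n_samples))


def embed(carrier: bytes, message: bytes) -> bytes:
    """Write a 32-bit length prefix and then the message, one bit per sample,
    into the least significant bit of each sample. Every sample moves by at
    most 1, which is invisible to the eye and leaves the file size unchanged."""
    payload = len(message).to_bytes(4, "big") + message
    bits = [(byte >> (7 - i)) & 1 for byte in payload for i in range(8)]
    if len(bits) > len(carrier):
        raise ValueError(
            f"carrier holds {len(carrier) // 8} bytes, payload needs {len(payload)}")
    out = bytearray(carrier)
    for i, bit in enumerate(bits):
        out[i] = (out[i] & 0xFE) | bit
    return bytes(out)


def extract(carrier: bytes) -> bytes:
    """Read the LSBs back: length first, then that many bytes."""
    bits = [sample & 1 for sample in carrier]

    def read_bytes(start: int, count: int) -> bytes:
        return bytes(int("".join(str(b) for b in bits[j:j + 8]), 2)
                     for j in range(start, start + 8 * count, 8))

    length = int.from_bytes(read_bytes(0, 4), "big")
    if 32 + 8 * length > len(bits):
        raise ValueError("no valid payload in this carrier")
    return read_bytes(32, length)


def max_sample_change(original: bytes, modified: bytes) -> int:
    """How far any single sample moved; LSB embedding never exceeds 1."""
    return max(abs(a - b) for a, b in zip(original, modified))


if __name__ == "__main__":
    cover = make_carrier(4096)
    secret = b"ACCT 4421: wire 250k to offshore account"  # constructed message
    stego = embed(cover, secret)
    print("recovered:", extract(stego))
    print("samples unchanged in length:", len(stego) == len(cover))
    print("largest per-sample change:", max_sample_change(cover, stego))
```

The last two lines of the demo are the detection lesson for the administrator in the question: size, format, and appearance of the image all stay the same, so a DLP control that only inspects file metadata would miss this. Comparing against the original file, or statistical analysis of the LSB plane, is what actually surfaces it.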

84
Q
A security engineer is running a vulnerability scan on their own workstation. The scanning software is using the engineer's account access to perform all scans. What type of scan is running?
❍ A. Black box
❍ B. Passive
❍ C. Credentialed
❍ D. Agile
A

C. Credentialed

A credentialed scan logs in to the target with valid account rights, so it can read installed software, patch levels, and configuration directly instead of inferring them from the network. This type of scan shows what someone on the inside with those rights would be able to exploit, and it produces far fewer false positives than an unauthenticated scan.

The incorrect answers:
A. Black box
Black box is a penetration-testing term. Someone performing a black box
penetration test has no prior knowledge of the systems under attack, which
is the opposite of a scan run with the owner's own credentials.
B. Passive
Passive information gathering is usually associated with penetration
testing. Passive reconnaissance is the process of gathering information
from outside sources, such as social media sites and online forums.
D. Agile
An agile environment is often associated with a development life-cycle
model that focuses on rapid development and constant collaboration.

SY0-501, Objective 1.5 - Vulnerability Scanning

85
Q
Which of the following would be the best way to describe the estimated number of laptops that might be stolen in a fiscal year?
❍ A. ALE (Annual Loss Expectancy)
❍ B. SLE (Single Loss Expectancy)
❍ C. ARO (Annualized Rate of Occurrence)
❍ D. MTTR (Mean Time to Repair)
A

C. ARO

The ARO (Annualized Rate of Occurrence) describes the number of times an event is expected to occur in a year. For example, if the organization expects to lose seven laptops to theft in a year, the ARO for laptop theft is seven.

The incorrect answers:
A. ALE
The ALE (Annual Loss Expectancy) is the expected cost for all events in a
single year. If it costs $1,000 to replace a single laptop (the SLE) and you
expect to lose seven laptops in a year (the ARO), the ALE for laptop theft
is $7,000.
B. SLE
SLE (Single Loss Expectancy) is the monetary loss if a single event occurs.
If one laptop is stolen, the cost to replace that single laptop is the SLE,
or $1,000.
D. MTTR
MTTR (Mean Time to Repair) is the time required to repair a product or
system after a failure.

SY0-501, Objective 5.3 - Risk Assessment