Practice Study 3 Flashcards
A finance company is legally required to maintain seven years of tax
records for all of their customers. Which of the following would be the
BEST way to implement this requirement?
❍ A. Create an automated script to remove all tax information more than seven years old
❍ B. Print and store all tax records in a seven-year cycle
❍ C. Allow users to download tax records from their account login
❍ D. Create a separate daily backup archive for all applicable tax records
D. Create a separate daily backup archive for all applicable tax records
The important consideration for a data retention mandate is to always have
access to the information over the proposed time frame. In this example,
a daily backup would ensure that tax information is constantly archived
over a seven-year period and could always be retrieved if needed. If data
was inadvertently deleted from the primary storage, the backup would still
maintain a copy.
The incorrect answers:
A. Create an automated script to remove all tax information more than seven years old
The requirement is to maintain data for at least seven years, but there’s no
requirement to remove that data once it’s more than seven years old. For
example, some financial information may need to be retained well beyond
the seven-year mandate.
B. Print and store all tax records in a seven-year cycle
Paper has its place, but creating physical output of tax records and storing
them for seven years would include a significant cost in time, materials,
and inventory space. The requirement to store data for seven years doesn’t
require the information to be stored in a physical form.
C. Allow users to download tax records from their account login
Including a feature to allow users access to their records is useful for the
user community, but it doesn’t provide any data protection for the seven-year
retention period.
SY0-501, Objective 5.8 - Data Roles and Retention
A system administrator is designing a data center for an insurance
company’s new private cloud. Which of the following technologies would
be commonly included in this design?
❍ A. SCADA
❍ B. HVAC
❍ C. SoC
❍ D. IoT
B. HVAC
An HVAC (Heating, Ventilation, and Air Conditioning) system would be an important consideration for any data center environment.
The incorrect answers:
A. SCADA
A SCADA (Supervisory Control and Data Acquisition System) network
is often a dedicated network used exclusively to manage and control
manufacturing equipment, power generation equipment, water
management systems, and other industrial machines. A data center for an
insurance company would not require a SCADA network design.
C. SoC
An SoC (System on a Chip) consists of multiple components running on a
single chip. These are usually small form-factor devices that work best as
embedded systems. SoC systems would not commonly be associated with
cloud computing systems in the data center of an insurance company.
D. IoT
IoT (Internet of Things) devices are generally associated with home
automation and not with a data center deployment of a private cloud.
SY0-501, Objective 3.5 - Embedded Systems
A security administrator is configuring a VPN concentrator with
centralized authentication for remote VPN users. The VPN concentrator
will authenticate users from a central LDAP database managed by the
Windows Active Directory domain. Access to the VPN will only be granted
if the user is a member of the authorized VPN group. Which of the
following LDAP syntax would provide this type of access?
❍ A. LDAP SERVER 10.10.11.1
❍ B. C=US, DC=domain, DC=local
❍ C. RADIUS SERVER 10.10.11.1
❍ D. CN=concentrator, OU=vpn, DC=domain, DC=local
D. CN=concentrator, OU=vpn, DC=domain, DC=local
The LDAP (Lightweight Directory Access Protocol) DN (Distinguished
Name) syntax provides a way to reference an LDAP database for specific
information. In this example, the CN (Common Name) is concentrator,
which references the name of the VPN (Virtual Private Network) device.
The OU (Organizational Unit) is VPN, and this associates the VPN group
with the LDAP query. The DC (Domain Component) attributes are
associated with the company’s domain name, domain.local.
The incorrect answers:
A. LDAP SERVER 10.10.11.1
Specifying the IP address of an LDAP server would not provide the
requested VPN group details.
B. C=US, DC=domain, DC=local
This LDAP DN syntax describes a country and a domain, but it doesn’t
make any reference to the VPN Active Directory group name.
C. RADIUS SERVER 10.10.11.1
The IP address of a RADIUS server may provide an address for
authentication, but it would not provide access to the Active Directory
VPN group.
SY0-501, Objective 4.2 - Identity and Access Services
A security administrator has identified an internally developed application
that allows the modification of SQL queries through a web-based front-end.
To prevent this modification, the administrator has recommended that all
queries be completely removed from the application front-end and placed
onto the back-end of the application server. Which of the following would
describe this implementation?
❍ A. Input validation
❍ B. Code signing
❍ C. Stored procedures
❍ D. Obfuscation
C. Stored procedures
Stored procedures are SQL queries that execute on the server side instead
of the client application. The client application calls the stored procedure
on the server, and this prevents the client from making any changes to the
actual SQL queries.
The incorrect answers:
A. Input validation
Input validation would examine the input from the client and make sure
that it is expected. In this example, moving the SQL queries to the backend
server process would not require any validation of the SQL queries.
As a best practice, any additional input from the client would still need
validation.
B. Code signing
Code that has been digitally signed by the application developer can be
evaluated to ensure that nothing has changed with the application code
since it was published.
D. Obfuscation
Obfuscation makes something that is normally understandable very
difficult to understand. The move of SQL queries to the server changes the
processing of the application itself, but it isn’t a method of obfuscation.
SY0-501, Objective 3.6 - Secure Coding Techniques
A system administrator is implementing a fingerprint scanner to provide
access to the data center. Which of these metrics would be the most
important to minimize so that unauthorized persons are prevented from
accessing the data center?
❍ A. TOTP (Time-based One-Time Password)
❍ B. FRR (False Rejection Rate)
❍ C. HOTP (HMAC-based One-Time Password)
❍ D. FAR (False Acceptance Rate)
D. FAR
FAR (False Acceptance Rate) is the likelihood that an unauthorized user
will be accepted. The FAR should be kept as close to zero as possible.
The incorrect answers:
A. TOTP
A TOTP (Time-based One-Time Password) is an algorithm that provides
a pseudo-random number as an authentication factor. A TOTP does not
describe the accuracy of a biometric system.
B. FRR
FRR (False Rejection Rate) is the likelihood that an authorized user will be
rejected. If the FRR increases, then authorized users will not gain
access to the data center. This value is not associated with unauthorized
access.
C. HOTP
HOTP (HMAC-based One-Time Password) is an algorithm that provides
an authentication factor based on a one-time password. An HOTP does not
describe the accuracy of a biometric system.
SY0-501, Objective 4.3 - Access Control Technologies
The IT department of a transportation company maintains an on-site
inventory of chassis-based network switch interface cards. If a failure
occurs with any of the interface cards in the company’s core switch, the
on-site technician can replace the interface card and have the system
running again in sixty minutes. Which of the following BEST describes
this recovery metric?
❍ A. MTBF (Mean Time Between Failures)
❍ B. MTTR (Mean Time To Restore)
❍ C. RPO (Recovery Point Objective)
❍ D. MTTF (Mean Time To Failure)
B. MTTR
MTTR (Mean Time To Restore) is the amount of time required to get back
up and running. This is sometimes called Mean Time To Repair.
The incorrect answers:
A. MTBF
MTBF (Mean Time Between Failures) is a prediction of how long the
system will be operational before a failure occurs.
C. RPO
An RPO (Recovery Point Objective) is a qualifier that determines when the
system is recovered. A recovered system may not be completely repaired,
but it will be running well enough to maintain a certain level of operation.
D. MTTF
An MTTF (Mean Time To Failure) is the expected lifetime of a nonrepairable
product or system.
SY0-501, Objective 5.2 - Business Impact Analysis
A company maintains a server farm in a large data center. These servers
are for internal use only and are not accessible externally. Updates to
these servers are staged in groups to avoid any significant downtime. The
security team has discovered that a group of servers was breached before
the latest updates were applied. Breach attempts were not logged on any
other servers. Which of these threat actors would be MOST likely involved
in this breach?
❍ A. Competitor
❍ B. Insider
❍ C. Nation state
❍ D. Script kiddie
B. Insider
None of these servers were accessible from the outside, and the only
servers with any logged connections were those that also were susceptible
to the latest vulnerabilities. To complete this attack, the attacker would need
very specific knowledge of the exact systems that were vulnerable and a way to
communicate with those servers. For both of those reasons, the insider
threat would be the most likely from the available list.
The incorrect answers:
A. Competitor
Although an unethical competitor could be interested in disabling certain
systems, the specificity of this attack and the lack of accessibility to the
systems would seem to dismiss a competitor.
C. Nation state
A nation state would have the resources needed to attack a network, gain
access to the internal systems, and then somehow monitor the update
processes for each server. However, the scope and breadth of such an attack
would be complex, and this would make the nation state a very speculative
option and not the most likely option from the available list.
D. Script kiddie
Script kiddies don’t generally have access to an internal network, and they
aren’t discerning enough to track the status of which systems may have
been recently updated.
SY0-501, Objective 1.3 - Threat Actors
An organization has contracted with a third-party to perform a
vulnerability scan of their Internet-facing web servers. The report shows
that the web servers have multiple Sun Java Runtime Environment (JRE)
vulnerabilities, but the server administrator has verified that JRE is not
installed. Which of the following would be the BEST way to handle this
report?
❍ A. Install the latest version of JRE on the server
❍ B. Quarantine the server and scan for malware
❍ C. Harden the operating system of the web server
❍ D. Ignore the JRE vulnerability alert
D. Ignore the JRE vulnerability alert
It’s relatively common for vulnerability scans to show vulnerabilities that
don’t actually exist, especially if the scans are not credentialed. An issue
that is identified but does not actually exist is a false positive, and it can be
dismissed once the alert has been properly researched.
The incorrect answers:
A. Install the latest version of JRE on the server
The system administrator verified that JRE was not currently installed
on the server, so it would not be possible for that vulnerability to actually
exist. Installing an unneeded version of JRE on the server could potentially
open the server to actual vulnerabilities.
B. Quarantine the server and scan for malware
The JRE false positive isn’t an indication of malware, and no mention is
made of the report including any additional vulnerabilities or reports of
malware.
C. Harden the operating system of the web server
Although it’s always a good best practice to harden the operating system of
an externally-facing server, this vulnerability scan report doesn’t indicate
any particular vulnerability with the operating system itself. If the scan
identified specific OS vulnerabilities, then additional hardening may be
required.
SY0-501, Objective 1.5 - Vulnerability Scanning
A security administrator has received a help desk ticket that states a user
downloaded and installed a utility for compressing and decompressing
files. Immediately after installing the utility, the user’s overall workstation
performance degraded, and it now takes twice as much time to perform
any tasks on the computer. The compression utility does not appear on the
list of authorized company software. Which of the following is the BEST
description of this malware infection?
❍ A. Ransomware
❍ B. Adware
❍ C. Logic bomb
❍ D. Trojan
D. Trojan
A Trojan horse is malicious software that pretends to be something benign.
The user will install the software with the expectation that it will perform a
particular function, but in reality it is installing malware on the computer.
The incorrect answers:
A. Ransomware
Ransomware will lock a system and present a message to the user with
instructions on how to unlock the system. This usually involves sending the
attacker money in exchange for the unlock key.
B. Adware
Adware is obvious due to the increased number of advertisements that will
be displayed after the infection.
C. Logic bomb
A logic bomb will execute when a certain event occurs, such as a specific
date and time.
SY0-501, Objective 1.1 - Trojans and RATs
A company has installed a computer in a public area that will allow anyone
to submit job applications. What operating system type should the security
administrator configure?
❍ A. Appliance
❍ B. Kiosk
❍ C. Network
❍ D. Workstation
B. Kiosk
An operating system running in kiosk mode has a locked-down operating
system and is designed to be used as a public device without any particular
security authentication requirements.
The incorrect answers:
A. Appliance
An appliance is usually a purpose-built piece of hardware that runs a
minimal operating system. For job application submissions, a specialized
piece of hardware is not necessary.
C. Network
A network operating system is a full-featured OS that supports servers,
workstations, and other network-connected devices. A network operating
system would be too specialized and insecure to use as a public computer.
D. Workstation
A workstation would provide extensive access to the operating system, and
would be inappropriate for such a public device.
SY0-501, Objective 3.3 - Operating System Security
A security administrator has installed a new firewall to protect a web
server VLAN. The application owner requires that all web server sessions
communicate over an encrypted channel. Which of these rules should the
security administrator include in the firewall rulebase? (Select TWO)
❍ A. Source: ANY, Destination: ANY, Protocol: TCP, Port: 23, Deny
❍ B. Source: ANY, Destination: ANY, Protocol: TCP, Port: 443, Deny
❍ C. Source: ANY, Destination: ANY, Protocol: TCP, Port: 80, Deny
❍ D. Source: ANY, Destination: ANY, Protocol: TCP, Port: 443, Allow
❍ E. Source: ANY, Destination: ANY, Protocol: TCP, Port: 80, Allow
C. Source: ANY, Destination: ANY, Protocol: TCP, Port: 80, Deny and
D. Source: ANY, Destination: ANY, Protocol: TCP, Port: 443, Allow
Most web servers use tcp/80 for HTTP (Hypertext Transfer Protocol)
communication and tcp/443 for HTTPS (Hypertext Transfer Protocol
Secure). HTTP traffic sends traffic in the clear, so the first firewall rule
would block any tcp/80 traffic before it hits the web server. The second
rule allows HTTPS encrypted traffic to continue to the web server over
tcp/443.
The incorrect answers:
A. Source: ANY, Destination: ANY, Protocol: TCP, Port: 23, Deny
The insecure Telnet protocol commonly uses tcp/23, but most web servers
would not be listening on tcp/23. An explicit tcp/23 deny rule would not
provide any additional web server security.
B. Source: ANY, Destination: ANY, Protocol: TCP, Port: 443, Deny
The encrypted HTTPS protocol uses tcp/443, so the security administrator
would not want to deny that traffic through the firewall.
E. Source: ANY, Destination: ANY, Protocol: TCP, Port: 80, Allow
Since the application owner requires encrypted communication, HTTP over
tcp/80 should not be allowed through the firewall.
SY0-501, Objective 2.3 - Common Security Issues
Which of these items would commonly be used by a field engineer to
provide multi-factor authentication?
❍ A. USB-connected storage drive with FDE
❍ B. Employee policy manual
❍ C. Null-modem serial cable
❍ D. Smart card with picture ID
D. Smart card with picture ID
A smart card commonly includes a certificate that can be used as a
multifactor authentication of something you have. These smart cards are
commonly combined with an employee identification card, and often
require a separate PIN (Personal Identification Number) as an additional
authentication factor.
The incorrect answers:
A. USB-connected storage drive with FDE
FDE (Full Disk Encryption) will protect the data on a drive, but it doesn’t
provide a factor of authentication.
B. Employee policy manual
Employee policy manuals aren’t commonly associated with a specific
individual, so they are not a good factor of authentication.
C. Null-modem serial cable
A null-modem serial cable is an important accessory for any field
technician, but it doesn’t provide any authentication factors.
SY0-501, Objective 4.1 - AAA and Authentication
A security administrator is connecting two remote locations across the
Internet using an IPsec tunnel. The administrator would like the IPsec
tunnel to securely transfer symmetric keys between IPsec endpoints
during the tunnel initialization. Which of the following would provide this
functionality?
❍ A. Diffie-Hellman
❍ B. 3DES
❍ C. RC4
❍ D. AES
❍ E. Twofish
A. Diffie-Hellman
Diffie-Hellman is a method of securely exchanging encryption keys over an
insecure communications channel. DH uses asymmetric cryptography to
create an identical symmetric key between devices without ever sending
the symmetric key over the network.
The incorrect answers:
B. 3DES
3DES (Triple DES) is a symmetric encryption algorithm that encrypts,
decrypts, and encrypts again with different symmetric keys. 3DES does not
provide a method for secure key exchange.
C. RC4
RC4 (Rivest Cipher 4) is a symmetric encryption algorithm that was
common in wireless WEP encryption. RC4 does not provide a way to
securely exchange symmetric keys.
D. AES
AES (Advanced Encryption Standard) is a common symmetric encryption
standard and is used in WPA2 wireless encryption. AES does not provide a
way to securely exchange symmetric keys.
E. Twofish
Twofish is a public domain symmetric encryption method. Twofish does
not provide a way to securely exchange encryption keys.
SY0-501, Objective 6.2 - Asymmetric Algorithms
A company’s security cameras have identified an unknown person walking
into a fenced disposal area in the back of the building and then leaving
with a box containing printed documents. Which of the following attacks
is this person attempting?
❍ A. Dumpster diving
❍ B. Shoulder surfing
❍ C. Tailgating
❍ D. Phishing
A. Dumpster diving
A company can often throw out useful information, and attackers will
literally climb through the trash bin to obtain this information.
The incorrect answers:
B. Shoulder surfing
Shoulder surfing is viewing someone else’s screen, which is effectively over
their shoulder.
C. Tailgating
If you follow someone through a locked door without providing any
credentials or using an access card, you would be tailgating.
D. Phishing
Phishing is the process of tricking someone into providing their personal
information.
SY0-501, Objective 1.2 - Dumpster Diving
A technology company is manufacturing a military-grade radar tracking
system that can instantly identify any nearby unmanned aerial vehicles
(UAVs). The UAV detector must be able to instantly identify and react to
a vehicle without delay. Which of the following would BEST describe this
tracking system?
❍ A. RTOS (Real-Time Operating System)
❍ B. IoT (Internet of Things)
❍ C. ICS (Industrial Control System)
❍ D. MFD (Multifunction Device)
A. RTOS
This tracking system requires an RTOS (Real-Time Operating System) that
can instantly react to input without any significant delays or queuing in
the operating system. Operating systems used by the military, automobile
manufacturers, and industrial equipment developers often use RTOS to
ensure that certain transactions can be processed without any significant
delays.
The incorrect answers:
B. IoT
IoT (Internet of Things) devices are generally associated with home
automation and do not have a requirement for real-time operation.
C. ICS
An ICS (Industrial Control System) is often a dedicated network used
exclusively to manage and control manufacturing equipment, power
generation equipment, water management systems, and other industrial
machines. Although some industrial control systems may use an RTOS,
using a real-time operating system is not a requirement of an ICS.
D. MFD
A multifunction device (MFD) is commonly associated with a device that
can print, scan, and fax. There are no real-time OS requirements in a
typical MFD.
SY0-501, Objective 3.5 - Embedded Systems
A private company uses an SSL proxy to examine the contents of an
encrypted application during transmission. How could the application
developers prevent the use of this proxy examination in the future?
❍ A. OCSP stapling
❍ B. Offline CAs
❍ C. Certificate chaining
❍ D. Certificate pinning
D. Certificate pinning
Certificate pinning embeds or “pins” a certificate inside of an application.
When the application contacts a service, the service certificate will
be compared to the pinned certificate. If the certificates match, the
application knows that it can trust the service. If the certificates don’t
match, then the application can choose to shut down, show an error
message, or make the user aware of the discrepancy. An SSL proxy will use
a different certificate than the service certificate, so an application using
certificate pinning can identify and react to this situation.
The incorrect answers:
A. OCSP stapling
OCSP (Online Certificate Status Protocol) stapling is a method that has
the certificate holder verify their own certificate status. The OCSP status is
commonly “stapled” into the SSL handshake process.
B. Offline CAs
An offline CA (Certificate Authority) is a common way to prevent the
exploitation of a root authority. If the CA is offline, then you can’t hack it.
However, an online or offline CA won’t prevent the use of an SSL proxy.
C. Certificate chaining
Intermediate certificates are often listed between a web server’s SSL
certificate and the root certificate. This list of intermediate certificates is
called a “chain.” It’s important to configure web servers with the proper
chain, or the end user may receive an error in their browser that the server
can’t be trusted.
SY0-501, Objective 6.4 - PKI Concepts
A security administrator is concerned that a user may have installed a
rogue access point on the corporate network. Which of the following
could be used to confirm this suspicion?
❍ A. UTM log (Unified Threat Management)
❍ B. WAF log (Web Application Firewall)
❍ C. Switch log
❍ D. DLP log (Data Loss Prevention)
C. Switch log
A rogue access point would be difficult to identify once it’s on the network,
but at some point the access point would need to physically connect to the
corporate network. An analysis of switch interface activity would be able to
identify any new devices and their MAC addresses.
The incorrect answers:
A. UTM log
A UTM (Unified Threat Management) gateway is an all-in-one device that
provides firewall services, URL filtering, spam filtering, and more. From
the UTM’s perspective, the traffic from a rogue access point would look
similar to all other traffic on the network.
B. WAF log
A WAF (Web Application Firewall) would not be able to determine if web
server traffic was from a rogue access point or a legitimate wired device.
D. DLP log
DLP (Data Loss Prevention) is important for stopping the transfer of
confidential data, but it would not be able to identify traffic from a rogue
access point.
SY0-501, Objective 2.4 - Analyzing Security Output
During a ransomware outbreak, an organization was forced to rebuild
database servers from known good backup systems. In which of the
following incident response phases were these database servers brought
back online?
❍ A. Recovery
❍ B. Lessons learned
❍ C. Containment
❍ D. Identification
A. Recovery
The recovery phase focuses on getting things back to normal after an
attack. This is the phase that removes malware, fixes vulnerabilities, and
recovers the damaged systems.
The incorrect answers:
B. Lessons learned
Once an event is over, it’s useful to have a post-incident meeting to discuss
the things that worked and things that didn’t.
C. Containment
When an event occurs, it’s important to minimize the impact. Isolation and
containment can help to limit the spread and effect of an event.
D. Identification
Identifying the event is an important step that initiates the rest of the
incident response processes.
SY0-501, Objective 5.4 - Incident Response Process
A transportation company has been using a logistics application for
many years on their local network. A researcher has been asked to test
the security of the application, but the uptime and availability of the
application is of primary importance. Which of the following techniques
would provide a list of application security issues without performing an
exploit?
❍ A. Penetration test
❍ B. Grey box test
❍ C. Vulnerability scan
❍ D. SQL injection
C. Vulnerability scan
A vulnerability scan is commonly performed as a minimally invasive scan,
and it avoids performing exploits on the target systems.
The incorrect answers:
A. Penetration test
A penetration test will attempt to exploit vulnerabilities, and the process
of running these exploits can have unpredictable results. Some systems
will crash or fail during a penetration test and will require a reboot before
normal operation can continue.
B. Grey box test
A grey box test describes the information provided to a penetration tester
prior to the actual attack. A grey box test provides some information
about the systems under attack, but not all information is disclosed to the
attacker.
D. SQL injection
A SQL injection is an exploit that injects code into website communication
to communicate directly to the underlying database.
SY0-501, Objective 1.5 - Vulnerability Scanning
A network IDS has alerted on this SQL injection attack:
Frame 4: 937 bytes on wire (7496 bits), 937 bytes captured
Ethernet II, Src: HewlettP_82:d8:31, Dst: Cisco_a1:b0:d1
Internet Protocol Version 4, Src: 172.16.22.7, Dst: 10.8.122.244
Transmission Control Protocol, Src Port: 3863, Dst Port: 80
Hypertext Transfer Protocol,
http://www.example.com/index.php?option=com_glossary&func=display&Itemid=s@bun&catid=-1%20union%20select%201,username,password,4,5,6,7,8,9,10,11,12,13,14%20from%20mos_users–]
The security administrator would like to protect against future attacks
from this IP address without interrupting service for other users. Which of
the following firewall rules would be the BEST choice for this
requirement?
❍ A. Source: 172.16.22.7, Destination: 10.8.122.244, Protocol: TCP, Deny
❍ B. Source: 172.16.22.0/24, Destination: 10.8.122.0/24, Protocol: UDP, Deny
❍ C. Source: 172.16.22.7/32, Destination: ANY, Protocol: IP, Deny
❍ D. Source: ANY, Destination: 10.8.122.244, Protocol: TCP, Deny
C. Source: 172.16.22.7/32, Destination: ANY, Protocol: IP, Deny
In this example, all future attacks from this IP address must be blocked,
regardless of the type of attack or the target of the attack. This rule would
effectively block all traffic from this source IP address, and it summarizes
this requirement by selecting just the single source of 172.16.22.7/32. The
/32 CIDR-block notation designates that this address range is for the single
IP of 172.16.22.7. Using the /32 option is optional for most firewalls, but
using /32 clearly shows that this rule will only affect one IP address. The
destination IP address of the rule is ANY, which prevents any future attacks
to any other device. Specifying the protocol as IP restricts both TCP- and
UDP-based attack types.
The incorrect answers:
A. Source: 172.16.22.7, Destination: 10.8.122.244, Protocol: TCP, Deny
Specifying the destination IP address would allow attacks to other IP
addresses, and limiting the protocol to TCP would allow UDP-based attacks
to pass through the firewall.
B. Source: 172.16.22.0/24, Destination: 10.8.122.0/24, Protocol: UDP, Deny
This rule broadens the source and destination range to the /24 subnet,
which may interrupt legitimate traffic flows. This rule also only includes
UDP, which would not block the original traffic flow.
D. Source: ANY, Destination: 10.8.122.244, Protocol: TCP, Deny
This rule would effectively block all TCP traffic to the 10.8.122.244 server,
including the legitimate web server traffic flows.
SY0-501, Objective 2.4 - Analyzing Security Output
Which of the following stores session information on a client device?
❍ A. Token-based authentication
❍ B. Federation
❍ C. Server-based authentication
❍ D. LDAP
A. Token-based authentication
Token-based authentication stores session information using a token that
is stored on the local client. The token is provided with each request to the
server, and the server validates the token before providing a response.
The incorrect answers:
B. Federation
Federation is used to provide network access using third-party
authentication. Federation doesn’t specify where session information is
stored after authentication is complete.
C. Server-based authentication
With server-based authentication, each session ID is stored and maintained
on the server.
D. LDAP
LDAP (Lightweight Directory Access Protocol) is a common protocol for
user and device authentication, but it does not specify the location of the
session identification once the authentication is complete.
SY0-501, Objective 4.2 - Federated Identities
A system administrator has installed a new firewall between the corporate
user network and the data center network. When the firewall is turned
on, users complain that the application in the data center is no longer
working. The firewall is running with the default settings, and no
additional firewall rules have been added to the configuration. Which of
the following would be the BEST way to correct this application issue?
❍ A. Create a single firewall rule with an explicit deny
❍ B. Build a separate VLAN for the application
❍ C. Create firewall rules that match the application traffic flow
❍ D. Disable spanning tree protocol on the data center switches
C. Create firewall rules that match the application traffic flow
By default, firewalls implicitly deny all traffic. Firewall rules must be built
that match the traffic flows, and only then will traffic pass through the firewall.
The incorrect answers:
A. Create a single firewall rule with an explicit deny
By default, the firewall has an implicit deny as the last policy in the firewall
rulebase. If traffic does not match any other firewall rule, then the implicit
deny drops that traffic. Manually configuring an explicit deny doesn’t
provide any additional traffic control because of the already-existing
implicit deny, and it doesn’t allow any traffic to pass through the firewall
because it’s a rule that denies all traffic.
B. Build a separate VLAN for the application
VLAN (Virtual Local Area Network) separation can be used to manage
traffic flows or provide additional security options, but a VLAN alone won’t
bypass an existing firewall deny rule.
D. Disable spanning tree protocol on the data center switches
Spanning tree protocol (STP) is configured on most switches to prevent
any layer 2 switching loops. Disabling spanning tree won’t bypass any
firewall security controls, and it would put the network at risk if a
misconfiguration creates a switching loop. A good best practice is to always
use STP on a switched network.
SY0-501, Objective 2.1 - Firewalls
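To make the implicit-deny behaviour concrete, here is an added example (not from the study guide) of a tiny first-match packet filter. The corporate user range, the data center server address and the ports are constructed for the illustration: it shows that an empty rulebase and an explicit deny-all rule both block the application, and that only a rule matching the application's actual flow lets it through while unrelated traffic to the same server stays blocked.

```python
"""Added example: first-match rule evaluation with an implicit deny.
Topology, addresses and ports are constructed for illustration."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    src: str     # source IP address
    dst: str     # destination IP address
    proto: str   # "tcp" or "udp"
    dport: int   # destination port


@dataclass(frozen=True)
class Rule:
    action: str           # "allow" or "deny"
    src: str              # CIDR prefix, e.g. "10.1.0.0/16"
    dst: str              # CIDR prefix
    proto: str            # "tcp", "udp" or "any"
    dport: Optional[int]  # None matches any destination port


def matches(rule: Rule, pkt: Packet) -> bool:
    """True when every field of the rule matches the packet."""
    if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(rule.src):
        return False
    if ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(rule.dst):
        return False
    if rule.proto != "any" and rule.proto != pkt.proto:
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    return True


def evaluate(rules: List[Rule], pkt: Packet) -> str:
    """First-match evaluation. If no rule matches, the implicit deny at the
    bottom of every rulebase drops the packet."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return "deny"   # implicit deny


# Constructed topology: corporate users in 10.1.0.0/16 reach the application
# server 10.20.5.10 in the data center over TCP/443.
APP_PACKET = Packet("10.1.42.7", "10.20.5.10", "tcp", 443)
STRAY_PACKET = Packet("10.1.42.7", "10.20.5.10", "tcp", 22)   # SSH, not part of the app flow
EMPTY_RULEBASE: List[Rule] = []                                                # default settings
EXPLICIT_DENY_ONLY = [Rule("deny", "0.0.0.0/0", "0.0.0.0/0", "any", None)]    # answer A
APP_RULEBASE = [Rule("allow", "10.1.0.0/16", "10.20.5.10/32", "tcp", 443)]    # answer C


def demo() -> dict:
    """Evaluate the application flow (and a stray flow) against each rulebase."""
    return {
        "default":       evaluate(EMPTY_RULEBASE, APP_PACKET),       # deny
        "explicit_deny": evaluate(EXPLICIT_DENY_ONLY, APP_PACKET),   # deny
        "app_rules":     evaluate(APP_RULEBASE, APP_PACKET),         # allow
        "app_rules_ssh": evaluate(APP_RULEBASE, STRAY_PACKET),       # deny
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:14s} -> {verdict}")
```

A real stateful firewall also permits the return half of an allowed flow automatically; this toy filter only evaluates the outbound packet, which is enough to show why the rulebase needs an allow rule shaped like the application's traffic.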
Which of these would be used to provide HA for a web-based database
application?
❍ A. SIEM (Security Information and Event Management)
❍ B. UPS (Uninterruptible Power Supply)
❍ C. DLP (Data Loss Prevention)
❍ D. VPN concentrator
B. UPS
HA (High Availability) means that the service should always be on and
available. The only device on this list that contributes to HA is the UPS
(Uninterruptible Power Supply). If utility power is lost, the UPS keeps the
equipment running from battery, long enough to shut systems down cleanly or
for a standby generator to take over.
The incorrect answers:
A. SIEM
A SIEM (Security Information and Event Management) system
consolidates data from devices on the network and provides log searching
and reporting features. A SIEM does not provide any HA functionality.
C. DLP
DLP (Data Loss Prevention) is a method of identifying and preventing the
transfer of personal or confidential information through the network. DLP
does not provide any HA functionality.
D. VPN concentrator
A VPN (Virtual Private Network) concentrator terminates the encrypted
tunnels from many remote clients or sites. It is the endpoint of the VPN,
not a redundancy mechanism, and it does not provide any HA functionality.
SY0-501, Objective 3.8 - Redundancy, Fault Tolerance,
An IT manager is building a quantitative risk analysis related to corporate
laptops used by the field engineering team. Each year, a certain number of
laptops are lost or stolen and must be replaced by the company. Which of
the following would describe the total cost the company spends each year
on laptop replacements?
❍ A. SLE (Single Loss Expectancy)
❍ B. SLA (Service Level Agreement)
❍ C. ALE (Annual Loss Expectancy)
❍ D. ARO (Annualized Rate of Occurrence)
C. ALE
The ALE (Annual Loss Expectancy) is the total expected loss over an entire
year. It is calculated as SLE × ARO: the cost of replacing a single lost
laptop multiplied by the number of laptops expected to be lost in a year.
The incorrect answers:
A. SLE
SLE (Single Loss Expectancy) describes the loss for a single incident.
B. SLA
SLA (Service Level Agreement) is a contractual agreement that specifies a
minimum service level.
D. ARO
An ARO (Annualized Rate of Occurrence) is the number of times an event
is expected to occur in a year.
SY0-501, Objective 5.3 - Risk Assessment
A pentest engineer is using a banner grabbing utility on the local network.
Which of the following would be the MOST likely use of this utility?
❍ A. Create a list of open ports on a device
❍ B. Identify a web server version
❍ C. Create a honeypot
❍ D. Brute force the encryption key of a wireless network
B. Identify a web server version
A banner grabbing utility connects to a service and displays the greeting
banner that is normally visible only inside the network packets. Many
services (web, SSH, SMTP, FTP) announce their product name and version in
that banner, and this information is useful reconnaissance for matching a
target against known vulnerabilities.
The incorrect answers:
A. Create a list of open ports on a device
A port scanner or network scanner is commonly used to scan devices for
open ports. A banner grabber does not commonly provide any scanning for
open ports.
C. Create a honeypot
Honeypots are useful security tools that can entice and trap attackers
inside of a fake virtual network. Banner grabbing utilities do not commonly
provide any honeypot functionality.
D. Brute force the encryption key of a wireless network
There are many utilities that can be used to brute force local and wireless
passwords. A banner grabbing utility does not commonly include any brute
force functionality.
SY0-501, Objective 2.2 - Software Security Tools
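The following is an added example (not part of the study guide) of a minimal banner grabber: grab_banner() opens a TCP connection, optionally sends a probe such as an HTTP HEAD request, and returns whatever the service says first; parse_banner() pulls the product and version string out of the common greeting formats. The sample banners at the bottom are constructed, not captured from a real host, so the parsing can be checked offline.

```python
"""Added example: banner grabbing and banner parsing.
Sample banners below are constructed for illustration."""
import re
import socket
import ssl
from typing import Optional

HTTP_PROBE = b"HEAD / HTTP/1.0\r\nHost: target\r\n\r\n"


def grab_banner(host: str, port: int, probe: bytes = b"",
                use_tls: bool = False, timeout: float = 3.0) -> bytes:
    """Connect to host:port, send the probe (if any) and return up to 1024
    bytes of the service's first response. Needs network access; SSH, SMTP
    and FTP talk first, so no probe is required for them."""
    sock = socket.create_connection((host, port), timeout=timeout)
    try:
        if use_tls:   # HTTPS banners sit inside the TLS session
            ctx = ssl.create_default_context()
            sock = ctx.wrap_socket(sock, server_hostname=host)
        if probe:
            sock.sendall(probe)
        return sock.recv(1024)
    finally:
        sock.close()


def parse_banner(raw: bytes) -> Optional[str]:
    """Extract the service name/version from a greeting.
    Handles the HTTP 'Server:' header, the SSH identification string and
    the 220 greeting used by SMTP and FTP. Returns None if nothing is
    disclosed (a hardened server that suppresses version information)."""
    text = raw.decode("latin-1")
    m = re.search(r"^Server:\s*(.+?)\r?$", text, re.MULTILINE | re.IGNORECASE)
    if m:
        return m.group(1).strip()
    m = re.match(r"^(SSH-\d\.\d-\S+)", text)
    if m:
        return m.group(1)
    m = re.match(r"^220[ -](.+?)\r?\n", text)
    if m:
        return m.group(1).strip()
    return None


# Constructed sample responses.
SAMPLE_HTTP = (b"HTTP/1.1 200 OK\r\n"
               b"Date: Mon, 01 Jan 2024 00:00:00 GMT\r\n"
               b"Server: Apache/2.4.57 (Unix)\r\n"
               b"Content-Length: 0\r\n\r\n")
SAMPLE_SSH = b"SSH-2.0-OpenSSH_9.3\r\n"
SAMPLE_SMTP = b"220 mail.example.test ESMTP Postfix (Debian/GNU)\r\n"
SAMPLE_HARDENED = b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"   # no Server header


if __name__ == "__main__":
    for label, sample in [("http", SAMPLE_HTTP), ("ssh", SAMPLE_SSH),
                          ("smtp", SAMPLE_SMTP), ("hardened", SAMPLE_HARDENED)]:
        print(f"{label:9s} -> {parse_banner(sample)}")
    # Live use, e.g.: parse_banner(grab_banner("203.0.113.5", 80, HTTP_PROBE))
```

Note that the grabber does no port scanning: it assumes you already know the port is open, which is exactly the division of labour the question draws between a port scanner and a banner grabber.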
Sam, a user in the purchasing department, would like to send an email to
Jack, a user in the manufacturing department. Which of these should Sam
do to allow Jack to verify that the email really came from Sam?
❍ A. Digitally sign it with Sam’s private key
❍ B. Digitally sign it with Sam’s public key
❍ C. Digitally sign it with Jack’s private key
❍ D. Digitally sign it with Jack’s public key
A. Digitally sign it with Sam’s private key
The sender of a message digitally signs with their own private key to ensure
integrity, authentication, and non-repudiation of the signed contents. In
practice the message is hashed and the hash is signed with the private key;
the recipient validates the signature with the sender's public key and
compares the result with their own hash of the message.
The incorrect answers:
B. Digitally sign it with Sam’s public key
Since everyone effectively has access to public keys, adding a digital
signature with a publicly available key doesn’t provide any security features.
C. Digitally sign it with Jack’s private key
Jack’s private key would only be available to Jack, so Sam could not possibly
use Jack’s private key when performing any cryptographic functions.
D. Digitally sign it with Jack’s public key
As with Sam’s public key that would be available to anyone, using Jack’s
public key would not provide any security features.
SY0-501, Objective 6.1 - Hashing and Digital Signatures
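An added example (not from the study guide) of the key roles in this question, using textbook RSA so it runs with only the Python standard library. The primes are fixed Mersenne primes (2^521-1 and 2^607-1 for Sam, 2^1279-1 and 2^2203-1 for Jack), which makes the keys publicly known, and no padding is applied, so this is an illustration of which key does what and not a usable signature scheme; real code uses RSA-PSS or Ed25519 from a vetted library. The message text is constructed.

```python
"""Added example: sign with the sender's private key, verify with the
sender's public key. Textbook RSA with fixed Mersenne primes; illustration
only, not secure."""
import hashlib
from typing import NamedTuple, Tuple


class PublicKey(NamedTuple):
    n: int
    e: int


class PrivateKey(NamedTuple):
    n: int
    d: int


def make_keypair(p: int, q: int, e: int = 65537) -> Tuple[PublicKey, PrivateKey]:
    """Derive (public, private) from two primes. pow(e, -1, phi) needs Python 3.8+."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)
    return PublicKey(n, e), PrivateKey(n, d)


def _digest(message: bytes) -> int:
    """SHA-256 of the message as an integer; this is what actually gets signed."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")


def sign(priv: PrivateKey, message: bytes) -> int:
    """Only the holder of d (the sender) can produce this value."""
    return pow(_digest(message), priv.d, priv.n)


def verify(pub: PublicKey, message: bytes, signature: int) -> bool:
    """Anyone with the sender's public key can check it."""
    return pow(signature, pub.e, pub.n) == _digest(message)


# Two users, two independent keypairs (Mersenne primes, known to everyone).
SAM_PUB, SAM_PRIV = make_keypair(2**521 - 1, 2**607 - 1)
JACK_PUB, JACK_PRIV = make_keypair(2**1279 - 1, 2**2203 - 1)


def demo() -> dict:
    """Sam signs; Jack verifies with Sam's public key."""
    msg = b"Purchase order 4471 approved. -- Sam"      # constructed message
    sig = sign(SAM_PRIV, msg)
    return {
        "sam_pub_verifies": verify(SAM_PUB, msg, sig),          # True: answer A
        "jack_pub_verifies": verify(JACK_PUB, msg, sig),        # False: wrong signer's key
        "tampered_verifies": verify(SAM_PUB, msg + b"!", sig),  # False: integrity check
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:18s} {v}")
```

Answer B fails for a reason the code makes visible: the public exponent e is known to everyone, so a value computed with it proves nothing about who computed it, whereas d is held only by Sam.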
The contract of a long-term temporary employee is ending. Which of these
would be the MOST important part of the off-boarding process?
❍ A. Perform an on-demand audit of the user’s privileges
❍ B. Archive the decryption keys associated with the user account
❍ C. Document the user’s outstanding tasks
❍ D. Obtain a signed copy of the Acceptable Use Policies
B. Archive the decryption keys associated with the
user account
Without the decryption keys, it will be impossible to access any of the
user’s protected files once they leave the company. Given the other possible
answers, this one is the only one that would result in unrecoverable data
loss if not properly followed.
The incorrect answers:
A. Perform an on-demand audit of the user’s privileges
The user’s account will be disabled once they leave the organization, so an
audit of their privileges would not be very useful.
C. Document the user’s outstanding tasks
Creating documentation is important, but it’s not as important as retaining
the user’s data with the decryption keys.
D. Obtain a signed copy of the Acceptable Use Policies
Acceptable Use Policies (AUPs) are usually signed during the on-boarding
process. You won’t need an AUP if the user is no longer accessing the
network.
SY0-501, Objective 4.4 - Account Management
Sam, a cybersecurity analyst, has been asked to respond to a denial of
service attack against a web server. While gathering forensics data, Sam
first collects information in the ARP cache, then a copy of the server’s
temporary file system, and finally system logs from the web server. What
part of the forensics gathering process did Sam follow?
❍ A. Chain of custody
❍ B. Data hashing
❍ C. Legal hold
❍ D. Order of volatility
D. Order of volatility
Order of volatility ensures that data will be collected before it becomes
unrecoverable. For example, information stored in a router table is more
volatile than data stored on a backup tape, so the router table data will be
collected first and the backup tape data will be collected second.
The incorrect answers:
A. Chain of custody
Chain of custody ensures that the integrity of evidence is maintained. The
contents of the evidence are documented, and each person who handles the
evidence is required to document their activity.
B. Data hashing
Data hashing creates a unique message digest based on stored data. If
the data is tampered with, a hash taken after the change will differ from
the original value. This allows the forensic engineer to identify that
information has been changed.
C. Legal hold
A legal hold is a legal technique to preserve relevant information. This will
ensure the data remains accessible for any legal preparation that needs to
occur prior to litigation.
SY0-501, Objective 5.5 - Gathering Forensics Data
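As an added example (not part of the study guide), the collection sequence in the question can be driven by a volatility ranking rather than remembered by hand. The ranking below follows the order published in RFC 3227; the evidence contents, host name and collector name are constructed. Each artifact is hashed as it is acquired and recorded in a custody log, so the three concepts the question separates (order of volatility, hashing, chain of custody) each appear in their own place.

```python
"""Added example: collect evidence most-volatile-first and hash it at
acquisition. Evidence bytes and names are constructed for illustration."""
import hashlib
from datetime import datetime, timezone
from typing import Dict, List

# Ranked after RFC 3227: lower number = more volatile = collect first.
VOLATILITY_RANK: Dict[str, int] = {
    "registers_and_cache": 0,
    "routing_table": 1,
    "arp_cache": 1,
    "process_table": 1,
    "memory": 1,
    "temporary_file_system": 2,
    "disk": 3,
    "system_logs": 3,        # local log files live on disk
    "remote_logs": 4,
    "archival_media": 5,
}


def collection_order(sources) -> List[str]:
    """Most volatile first; equally volatile sources keep their given order."""
    return sorted(sources, key=lambda name: VOLATILITY_RANK[name])


def acquire(sources: Dict[str, bytes], collector: str) -> List[dict]:
    """Walk the sources in volatility order and build the custody log.
    The hash is taken at the moment of collection, before anything else
    touches the artifact."""
    log = []
    for name in collection_order(sources):
        data = sources[name]
        log.append({
            "artifact": name,
            "sha256": hashlib.sha256(data).hexdigest(),
            "size": len(data),
            "collected_by": collector,
            "collected_at": datetime.now(timezone.utc).isoformat(),
        })
    return log


def integrity_ok(entry: dict, data: bytes) -> bool:
    """Re-hash an artifact later (e.g. before analysis) and compare."""
    return hashlib.sha256(data).hexdigest() == entry["sha256"]


# Constructed evidence, deliberately listed in the wrong order.
EVIDENCE: Dict[str, bytes] = {
    "system_logs": b"Jan 10 03:14:07 web01 httpd: 203.0.113.9 GET / 200\n" * 3,
    "temporary_file_system": b"/tmp/sess_ab12: user=alice last=03:13:59\n",
    "arp_cache": b"? (10.0.0.1) at 00:11:22:33:44:55 [ether] on eth0\n",
}


def demo():
    """Return the order actually used and the resulting custody log."""
    log = acquire(EVIDENCE, "Sam")
    return [e["artifact"] for e in log], log


if __name__ == "__main__":
    order, log = demo()
    print("collection order:", order)
    for e in log:
        print(e["artifact"], e["sha256"][:16], e["collected_by"])
```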
An attacker was able to download a list of ten thousand company
employee login credentials containing usernames and hashed passwords.
Less than an hour later, a list containing all ten thousand usernames and
passwords in plain text was posted to an online file storage repository.
Which of the following would BEST describe how this attacker was able to
post this information?
❍ A. Improper certificate management
❍ B. Phishing
❍ C. Untrained users
❍ D. Weak cipher suite
D. Weak cipher suite
Creating a password hash is a one-way process that can't be reversed, so an
attacker has to guess candidate passwords and compare the resulting hashes.
If the hashes were not salted, a rainbow table lookup would be an easy way
to find the plaintext passwords. Since none of the answers in this question
included rainbow tables as an option, the most reasonable of the remaining
choices is a weak cipher suite: a weak, fast hashing algorithm allows a very
fast brute force attack across all ten thousand password hashes. Of the
available options, this is the only choice that would BEST fit the results.
The incorrect answers:
A. Improper certificate management
Passwords are stored as a hash. As a best practice, passwords are never
stored or transmitted as plain text or in a form that could be recovered to
plain text. If a certificate was mismanaged, the attacker might be able to
decrypt network traffic or perform man-in-the-middle attacks. However,
they would not be able to view a user's password, since those passwords
are already hashed. Since all ten thousand accounts were downloaded, it's
unlikely the attacker collected them one user at a time over the network.
B. Phishing
Phishing is a useful attack for gathering information from one user at a
time, but it doesn’t scale when you need to collect data from ten thousand
accounts.
C. Untrained users
Individual users might accidentally disclose their password information,
but you would not expect ten thousand users to perform the same security
breach simultaneously.
SY0-501, Objective 1.6 - Vulnerability Types
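An added example (not from the study guide) of why the scenario is plausible and what prevents it. Against unsalted hashes from a fast algorithm, one precomputed table serves every account in the dump; with a per-user salt and a deliberately slow key derivation function, the attacker has to redo the work for each user at the KDF's cost. The wordlist, user names and passwords are constructed, and the work counters are operation counts rather than a timing benchmark.

```python
"""Added example: cracking unsalted fast hashes with a lookup table versus
salted PBKDF2. Wordlist and credential dump are constructed."""
import hashlib
import os
from typing import Dict, Optional, Tuple

# A small constructed wordlist standing in for a rainbow table or dictionary.
WORDLIST = ["123456", "password", "qwerty", "letmein", "Summer2023!", "welcome1"]
KDF_ITERATIONS = 50_000   # kept modest so the example runs quickly


def weak_hash(pw: str) -> str:
    """Unsalted MD5: the same password always yields the same digest, so a
    single precomputed table matches every account in the dump."""
    return hashlib.md5(pw.encode()).hexdigest()


def strong_hash(pw: str, salt: bytes) -> str:
    """Per-user salt plus a slow KDF (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, KDF_ITERATIONS).hex()


def crack_unsalted(dump: Dict[str, str]) -> Tuple[Dict[str, Optional[str]], int]:
    """Build the table once, then recover each user by dictionary lookup.
    Returns (results, number_of_hash_operations)."""
    table = {weak_hash(w): w for w in WORDLIST}
    return {user: table.get(digest) for user, digest in dump.items()}, len(WORDLIST)


def crack_salted(dump: Dict[str, Tuple[bytes, str]]) -> Tuple[Dict[str, Optional[str]], int]:
    """No table is reusable: every candidate is re-derived per user."""
    results, work = {}, 0
    for user, (salt, digest) in dump.items():
        results[user] = None
        for candidate in WORDLIST:
            work += 1
            if strong_hash(candidate, salt) == digest:
                results[user] = candidate
                break
    return results, work


# Constructed accounts; carol's password is not in the wordlist.
PASSWORDS = {"alice": "password", "bob": "letmein", "carol": "Tr0ub4dor&3"}
UNSALTED_DUMP = {u: weak_hash(p) for u, p in PASSWORDS.items()}


def make_salted_dump(passwords: Dict[str, str]) -> Dict[str, Tuple[bytes, str]]:
    """What the database should have stored: (salt, digest) per user."""
    dump = {}
    for user, pw in passwords.items():
        salt = os.urandom(16)
        dump[user] = (salt, strong_hash(pw, salt))
    return dump


SALTED_DUMP = make_salted_dump(PASSWORDS)


if __name__ == "__main__":
    print("unsalted:", crack_unsalted(UNSALTED_DUMP))
    print("salted:  ", crack_salted(SALTED_DUMP))
```

Scaled to the question's ten thousand accounts, the unsalted case still costs one table build, while the salted case multiplies the wordlist by ten thousand users and by the KDF's iteration count, which is the difference between "under an hour" and impractical.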
Which of the following would commonly be associated with an
application’s secure baseline?
❍ A. Secure baseline violations are identified in the IPS logs
❍ B. The baseline is based on the developer sandbox configurations
❍ C. Firewall settings are not included in the baseline
❍ D. Integrity measurements are used to validate the baseline
D. Integrity measurements are used to validate the baseline
It’s important to constantly audit the security of an application instance,
and the security baseline precisely defines the security settings for the
firewall, patch levels, operating system file versions, and more. Integrity
measurements, such as hashes of configuration files and binaries, are
compared against the baseline to confirm that the running instance still
matches it. Since operating system patches are common, the secure baseline
will tend to be updated often.
The incorrect answers:
A. Secure baseline violations are identified in the IPS logs
An IPS would identify attacks against an application or device, but it would
not provide any proactive identification of security issues.
B. The baseline is based on the developer sandbox configurations
The developer sandbox is used to test code prior to deployment, and it
should not be considered a secure environment.
C. Firewall settings are not included in the baseline
Anything related to the security of the application instance is included in
the secure baseline, including firewall settings.
SY0-501, Objective 3.4 - Secure Deployments
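An added example (not part of the study guide) of an integrity measurement against a baseline: a manifest records the SHA-256 of each file that defines the instance's security posture, and a later check re-hashes the live files and reports drift. The file names and contents are constructed inside a temporary directory; a real deployment would sign the manifest and keep it off the host so a compromised instance cannot rewrite its own baseline.

```python
"""Added example: validating a secure baseline by hashing configuration
files against a manifest. Paths and contents are constructed."""
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, Iterable


def sha256_file(path: Path) -> str:
    """Stream the file so large binaries do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path, relpaths: Iterable[str]) -> Dict[str, str]:
    """Measure the golden image: relative path -> expected digest."""
    return {rel: sha256_file(root / rel) for rel in relpaths}


def check_baseline(root: Path, manifest: Dict[str, str]) -> Dict[str, str]:
    """Return {path: 'ok' | 'modified' | 'missing'} for every baseline entry."""
    status = {}
    for rel, expected in manifest.items():
        path = root / rel
        if not path.exists():
            status[rel] = "missing"
        elif sha256_file(path) != expected:
            status[rel] = "modified"
        else:
            status[rel] = "ok"
    return status


def demo() -> Dict[str, str]:
    """Build a baseline, let the instance drift, and report the result."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        files = {   # constructed baseline content
            "etc/firewall.rules": "default deny\nallow tcp 443 from 10.1.0.0/16\n",
            "etc/httpd.conf": "ServerTokens Prod\nServerSignature Off\n",
            "etc/sshd_config": "PermitRootLogin no\nPasswordAuthentication no\n",
        }
        for rel, text in files.items():
            (root / rel).write_text(text)
        manifest = build_manifest(root, files)

        # Drift after deployment: firewall opened wide, sshd_config removed.
        (root / "etc/firewall.rules").write_text("allow any any\n")
        (root / "etc/sshd_config").unlink()
        return check_baseline(root, manifest)


if __name__ == "__main__":
    for rel, state in demo().items():
        print(f"{state:9s} {rel}")
```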
A server administrator is building a new web server and needs to provide
operating system access to the web server executable. Which of the
following account types should be configured?
❍ A. User
❍ B. Privileged
❍ C. Service
❍ D. Guest
C. Service
A service account is commonly used by local services on a system, but
service accounts are not generally enabled for interactive logins. Web
servers, database servers, and other local servers use service accounts.
The incorrect answers:
A. User
A user account is associated with an interactive user or person. Because
user accounts have additional functionality over service accounts, the best
practice is to avoid assigning user account access to a service.
B. Privileged
A privileged account is an Administrator or root account, and it generally
has complete access to the operating system. This should be your most
protected account type, and you would not associate a privileged account to
a service.
D. Guest
A guest account often has very limited operating system access, so it would
not be a useful account type to use for a service.
SY0-501, Objective 4.4 - Account Types
The manager of the corporate security team maintains a large storage
array of archived video from security cameras. Historically, the security
manager has been responsible for searching the video archive, but
he would now like to assign those responsibilities to others in his
department. Which of the following would allow the manager to limit
access to the video archive to members of the corporate security team
group?
❍ A. Mandatory access control
❍ B. Certificate-based authentication
❍ C. Role-based access control
❍ D. Attribute-based access control
C. Role-based access control
Role-based access control uses groups to control access for individual users.
Rights and permissions are associated with the group, and administrators
can add users to the group to provide access.
The incorrect answers:
A. Mandatory access control
Mandatory access control assigns a label to every object. For example, the
video archive files could be assigned a label of “confidential,” and all users
with confidential access would be able to view the files. The administrator
determines which users are associated with which security level.
B. Certificate-based authentication
The process of authenticating a user is different than the access control
associated with that user. Certificate-based authentication is useful to
verify a user’s identity, but it isn’t used to assign rights and permissions to
the user.
D. Attribute-based access control
Attribute-based access control evaluates many different criteria, such as
attributes of the user, the resource, and the environment (department,
time of day, location), and combines them in a policy to decide access. It
is more complex than this group-based requirement needs.
SY0-501, Objective 4.3 - Access Control Models
A transportation company maintains a scheduling application and a
database in a virtualized cloud-based environment. Which of the following
would be the BEST way to backup these services?
❍ A. Full
❍ B. Snapshot
❍ C. Differential
❍ D. Incremental
B. Snapshot
Virtual machines (VMs) have a snapshot backup feature that can capture
both a full backup of the virtual system and incremental changes that occur
over time. It’s common to take a snapshot of a VM for backup purposes and
before making any significant changes to the VM. If the changes need to
be rolled back, a previous snapshot can be selected and instantly applied to
the VM.
The incorrect answers:
A. Full
A full backup is used to copy every file system object to the backup media.
To restore the operating system, the entire full backup session would be
restored to the file system. In a virtual environment, a virtual machine's
disk is stored as one or a few image files on the host, so it's much easier
to capture the VM as a snapshot than to back up the individual files stored
inside of that virtual disk.
C. Differential
A differential backup will copy all files that have been changed since the
last full backup. As mentioned above, using the snapshot feature of a VM is
much more efficient than copying individual files in the file system.
D. Incremental
An incremental backup will copy all files that have been changed since the
last incremental backup. The VM's snapshot feature is a much more efficient
way to back up and restore incremental changes to a virtual machine.
SY0-501, Objective 5.6 - Application Recovery
In an environment using discretionary access controls, which of these
would control the rights and permissions associated with a file or
directory?
❍ A. Administrator
❍ B. Owner
❍ C. Group
❍ D. System
B. Owner
The owner of an object is the one who controls access in a discretionary
access control model. The object and type of access is at the discretion of
the owner, and they can determine who can access the file and the type of
access they would have.
The incorrect answers:
A. Administrator
Administrators generally label objects when using mandatory access
control, but they are not involved with discretionary access control.
C. Group
Assigning rights and permissions to a group and then assigning users to the
group are common when using role-based access control.
D. System
The system does not determine individual user rights and permissions
when using discretionary access control.
SY0-501, Objective 4.3 - Access Control Models
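An added example (not from the study guide) serving both the video-archive question (role-based access control) and this one (discretionary access control). In the RBAC part, permissions belong to a group and the manager delegates simply by adding a member; in the DAC part, each file carries an ACL that only its owner may change, so an administrator's attempt to grant access is refused. User names, group names and file names are constructed.

```python
"""Added example: role-based versus discretionary access control.
Users, roles and files are constructed for illustration."""
from typing import Dict, Set


class RoleBasedStore:
    """RBAC: permissions attach to roles (groups); users inherit them by
    membership, so granting access means adding a user to the group."""

    def __init__(self) -> None:
        self.role_perms: Dict[str, Set[str]] = {}
        self.members: Dict[str, Set[str]] = {}

    def define_role(self, role: str, perms: Set[str]) -> None:
        self.role_perms[role] = set(perms)

    def add_member(self, role: str, user: str) -> None:
        self.members.setdefault(role, set()).add(user)

    def allowed(self, user: str, perm: str) -> bool:
        return any(user in self.members.get(role, set()) and perm in perms
                   for role, perms in self.role_perms.items())


class DacFile:
    """DAC: the object's owner decides who gets which permissions."""

    def __init__(self, name: str, owner: str) -> None:
        self.name, self.owner = name, owner
        self.acl: Dict[str, Set[str]] = {owner: {"read", "write"}}

    def grant(self, actor: str, subject: str, perms: Set[str]) -> None:
        if actor != self.owner:
            raise PermissionError(f"{actor} is not the owner of {self.name}")
        self.acl.setdefault(subject, set()).update(perms)

    def allowed(self, subject: str, perm: str) -> bool:
        return perm in self.acl.get(subject, set())


def demo() -> dict:
    # RBAC: the security manager hands archive searching to the team group.
    rbac = RoleBasedStore()
    rbac.define_role("corporate-security", {"video-archive:search"})
    rbac.add_member("corporate-security", "manager")
    analyst_before = rbac.allowed("analyst1", "video-archive:search")   # False
    rbac.add_member("corporate-security", "analyst1")                   # delegation
    analyst_after = rbac.allowed("analyst1", "video-archive:search")    # True
    outsider = rbac.allowed("warehouse1", "video-archive:search")       # False

    # DAC: Sam owns the file and alone controls its ACL.
    report = DacFile("q3-report.xlsx", owner="sam")
    report.grant("sam", "jack", {"read"})
    try:
        report.grant("admin", "jack", {"write"})
        admin_could_grant = True
    except PermissionError:
        admin_could_grant = False

    return {
        "analyst_before": analyst_before,
        "analyst_after": analyst_after,
        "outsider": outsider,
        "jack_can_read": report.allowed("jack", "read"),    # True
        "jack_can_write": report.allowed("jack", "write"),  # False
        "admin_could_grant": admin_could_grant,             # False
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:18s} {v}")
```

The DacFile model is deliberately strict about the owner; on real operating systems an administrator or root can override discretionary permissions, which is one reason mandatory access control exists for data the owner should not be allowed to share.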