Practice Study 3 Flashcards

1
Q

A finance company is legally required to maintain seven years of tax
records for all of their customers. Which of the following would be the
BEST way to implement this requirement?
❍ A. Create an automated script to remove all tax information more than seven years old
❍ B. Print and store all tax records in a seven-year cycle
❍ C. Allow users to download tax records from their account login
❍ D. Create a separate daily backup archive for all applicable tax records

A

D. Create a separate daily backup archive for all applicable tax records

The important consideration for a data retention mandate is to always have
access to the information over the required time frame. In this example,
a daily backup would ensure that tax information is continuously archived
over a seven-year period and could always be retrieved if needed. If data
were inadvertently deleted from the primary storage, the backup would still
maintain a copy.

The incorrect answers:
A. Create an automated script to remove all tax information more than seven years old
The requirement is to maintain data for at least seven years, but there’s no
requirement to remove that data once it’s more than seven years old. For
example, some financial information may need to be retained well beyond
the seven-year mandate.
B. Print and store all tax records in a seven-year cycle
Paper has its place, but creating physical output of tax records and storing
them for seven years would include a significant cost in time, materials,
and inventory space. The requirement to store data for seven years doesn’t
require the information to be stored in a physical form.
C. Allow users to download tax records from their account login
Including a feature that allows users access to their records is useful for the
user community, but it doesn’t provide any data protection for the seven-year
retention period.

SY0-501, Objective 5.8 - Data Roles and Retention

2
Q

A system administrator is designing a data center for an insurance
company’s new private cloud. Which of the following technologies would
be commonly included in this design?
❍ A. SCADA
❍ B. HVAC
❍ C. SoC
❍ D. IoT

A

B. HVAC

An HVAC (Heating, Ventilation, and Air Conditioning) system would be an
important consideration for any data center environment.

The incorrect answers:
A. SCADA
A SCADA (Supervisory Control and Data Acquisition System) network
is often a dedicated network used exclusively to manage and control
manufacturing equipment, power generation equipment, water
management systems, and other industrial machines. A data center for an
insurance company would not require a SCADA network design.
C. SoC
An SoC (System on a Chip) consists of multiple components running on a
single chip. These are usually small form-factor devices that work best as
embedded systems. SoC systems would not commonly be associated with
cloud computing systems in the data center of an insurance company.
D. IoT
IoT (Internet of Things) devices are generally associated with home
automation and not with a data center deployment of a private cloud.

SY0-501, Objective 3.5 - Embedded Systems

3
Q

A security administrator is configuring a VPN concentrator with
centralized authentication for remote VPN users. The VPN concentrator
will authenticate users from a central LDAP database managed by the
Windows Active Directory domain. Access to the VPN will only be granted
if the user is a member of the authorized VPN group. Which of the
following LDAP syntax would provide this type of access?
❍ A. LDAP SERVER 10.10.11.1
❍ B. C=US, DC=domain, DC=local
❍ C. RADIUS SERVER 10.10.11.1
❍ D. CN=concentrator, OU=vpn, DC=domain, DC=local

A

D. CN=concentrator, OU=vpn, DC=domain, DC=local

The LDAP (Lightweight Directory Access Protocol) DN (Distinguished
Names) syntax provides a way to reference an LDAP database for specific
information. In this example, the CN (Common Name) is concentrator,
which references the name of the VPN (Virtual Private Network) device.
The OU (Organizational Unit) is VPN, and this associates the VPN group
with the LDAP query. The DC (Domain Component) attributes are
associated with the company’s domain name, domain.local.

The incorrect answers:
A. LDAP SERVER 10.10.11.1
Specifying the IP address of an LDAP server would not provide the
requested VPN group details.
B. C=US, DC=domain, DC=local
This LDAP DN syntax describes a country and a domain, but it doesn’t
make any reference to the VPN Active Directory group name.
C. RADIUS SERVER 10.10.11.1
The IP address of a RADIUS server may provide an address for
authentication, but it would not provide access to the Active Directory
VPN group.

SY0-501, Objective 4.2 - Identity and Access Services

4
Q

A security administrator has identified an internally developed application
that allows the modification of SQL queries through a web-based front-end.
To prevent this modification, the administrator has recommended that all
queries be completely removed from the application front-end and placed
onto the back-end of the application server. Which of the following would
describe this implementation?
❍ A. Input validation
❍ B. Code signing
❍ C. Stored procedures
❍ D. Obfuscation

A

C. Stored procedures

Stored procedures are SQL queries that execute on the server side instead
of the client application. The client application calls the stored procedure
on the server, and this prevents the client from making any changes to the
actual SQL queries.

The incorrect answers:
A. Input validation
Input validation would examine the input from the client and make sure
that it is expected. In this example, moving the SQL queries to the backend
server process would not require any validation of the SQL queries.
As a best practice, any additional input from the client would still need
validation.
B. Code signing
Code that has been digitally signed by the application developer can be
evaluated to ensure that nothing has changed with the application code
since it was published.
D. Obfuscation
Obfuscation makes something that is normally understandable very
difficult to understand. The move of SQL queries to the server changes the
processing of the application itself, but it isn’t a method of obfuscation.

SY0-501, Objective 3.6 - Secure Coding Techniques

5
Q

A system administrator is implementing a fingerprint scanner to provide
access to the data center. Which of these metrics would be the most
important to minimize so that unauthorized persons are prevented from
accessing the data center?
❍ A. TOTP (Time-based One-Time Password)
❍ B. FRR (False Rejection Rate)
❍ C. HOTP (HMAC-based One-Time Password)
❍ D. FAR (False Acceptance Rate)

A

D. FAR

FAR (False Acceptance Rate) is the likelihood that an unauthorized user
will be accepted. The FAR should be kept as close to zero as possible.

The incorrect answers:
A. TOTP
A TOTP (Time-based One-Time Password) is an algorithm that provides
a pseudo-random number as an authentication factor. A TOTP does not
describe the accuracy of a biometric system.
B. FRR
FRR (False Rejection Rate) is the likelihood that an authorized user will be
rejected. If the FRR increases, then authorized users will not gain
access to the data center. This value is not associated with unauthorized
access.
C. HOTP
HOTP (HMAC-based One-Time Password) is an algorithm that provides
an authentication factor based on a one-time password. An HOTP does not
describe the accuracy of a biometric system.

SY0-501, Objective 4.3 - Access Control Technologies

6
Q

The IT department of a transportation company maintains an on-site
inventory of chassis-based network switch interface cards. If a failure
occurs with any of the interface cards in the company’s core switch, the
on-site technician can replace the interface card and have the system
running again in sixty minutes. Which of the following BEST describes
this recovery metric?
❍ A. MTBF (Mean Time Between Failures)
❍ B. MTTR (Mean Time To Restore)
❍ C. RPO (Recovery Point Objective)
❍ D. MTTF (Mean Time To Failure)

A

B. MTTR

MTTR (Mean Time To Restore) is the amount of time required to get back
up and running. This is sometimes called Mean Time To Repair.

The incorrect answers:
A. MTBF
MTBF (Mean Time Between Failures) is a prediction of how long the
system will be operational before a failure occurs.
C. RPO
An RPO (Recovery Point Objective) is a qualifier that determines when the
system is recovered. A recovered system may not be completely repaired,
but it will be running well enough to maintain a certain level of operation.
D. MTTF
An MTTF (Mean Time To Failure) is the expected lifetime of a nonrepairable
product or system.

SY0-501, Objective 5.2 - Business Impact Analysis

7
Q

A company maintains a server farm in a large data center. These servers
are for internal use only and are not accessible externally. Updates to
these servers are staged in groups to avoid any significant downtime. The
security team has discovered that a group of servers was breached before
the latest updates were applied. Breach attempts were not logged on any
other servers. Which of these threat actors would be MOST likely involved
in this breach?
❍ A. Competitor
❍ B. Insider
❍ C. Nation state
❍ D. Script kiddie

A

B. Insider

None of these servers were accessible from the outside, and the only
servers with any logged connections were those that were also susceptible
to the latest vulnerabilities. To complete this attack, you would need very
specific knowledge of the exact systems that were vulnerable and a way to
communicate with those servers. For either of those reasons, the insider
threat would be the most likely from the available list.

The incorrect answers:
A. Competitor
Although an unethical competitor could be interested in disabling certain
systems, the specificity of this attack and the lack of accessibility to the
systems would seem to dismiss a competitor.
C. Nation state
A nation state would have the resources needed to attack a network, gain
access to the internal systems, and then somehow monitor the update
processes for each server. However, the scope and breadth of such an attack
would be complex, and this would make the nation state a very speculative
option and not the most likely option from the available list.
D. Script kiddie
Script kiddies don’t generally have access to an internal network, and they
aren’t discerning enough to track the status of which systems may have
been recently updated.

SY0-501, Objective 1.3 - Threat Actors

8
Q

An organization has contracted with a third-party to perform a
vulnerability scan of their Internet-facing web servers. The report shows
that the web servers have multiple Sun Java Runtime Environment (JRE)
vulnerabilities, but the server administrator has verified that JRE is not
installed. Which of the following would be the BEST way to handle this
report?
❍ A. Install the latest version of JRE on the server
❍ B. Quarantine the server and scan for malware
❍ C. Harden the operating system of the web server
❍ D. Ignore the JRE vulnerability alert

A

D. Ignore the JRE vulnerability alert

It’s relatively common for vulnerability scans to show vulnerabilities that
don’t actually exist, especially if the scans are not credentialed. An issue
that is identified but does not actually exist is a false positive, and it can be
dismissed once the alert has been properly researched.

The incorrect answers:
A. Install the latest version of JRE on the server
The system administrator verified that JRE was not currently installed
on the server, so it would not be possible for that vulnerability to actually
exist. Installing an unneeded version of JRE on the server could potentially
open the server to actual vulnerabilities.
B. Quarantine the server and scan for malware
The JRE false positive isn’t an indication of malware, and no mention is
made of the report including any additional vulnerabilities or reports of
malware.
C. Harden the operating system of the web server
Although it’s always a good best practice to harden the operating system of
an externally-facing server, this vulnerability scan report doesn’t indicate
any particular vulnerability with the operating system itself. If the scan
identified specific OS vulnerabilities, then additional hardening may be
required.

SY0-501, Objective 1.5 - Vulnerability Scanning

9
Q

A security administrator has received a help desk ticket that states a user
downloaded and installed a utility for compressing and decompressing
files. Immediately after installing the utility, the user’s overall workstation
performance degraded, and it now takes twice as much time to perform
any tasks on the computer. The compression utility does not appear on the
list of authorized company software. Which of the following is the BEST
description of this malware infection?
❍ A. Ransomware
❍ B. Adware
❍ C. Logic bomb
❍ D. Trojan

A

D. Trojan

A Trojan horse is malicious software that pretends to be something benign.
The user will install the software with the expectation that it will perform a
particular function, but in reality it is installing malware on the computer.

The incorrect answers:
A. Ransomware
Ransomware will lock a system and present a message to the user with
instructions on how to unlock the system. This usually involves sending the
attacker money in exchange for the unlock key.
B. Adware
Adware is obvious due to the increased number of advertisements that will
be displayed after the infection.
C. Logic bomb
A logic bomb will execute when a certain event occurs, such as a specific
date and time.

SY0-501, Objective 1.1 - Trojans and RATs

10
Q

A company has installed a computer in a public area that will allow anyone
to submit job applications. What operating system type should the security
administrator configure?
❍ A. Appliance
❍ B. Kiosk
❍ C. Network
❍ D. Workstation

A

B. Kiosk

An operating system running in kiosk mode has a locked-down operating
system and is designed to be used as a public device without any particular
security authentication requirements.

The incorrect answers:
A. Appliance
An appliance is usually a purpose-built piece of hardware that runs a
minimal operating system. For job application submissions, a specialized
piece of hardware is not necessary.
C. Network
A network operating system is a full-featured OS that supports servers,
workstations, and other network-connected devices. A network operating
system would be too specialized and insecure to use as a public computer.
D. Workstation
A workstation would provide extensive access to the operating system, and
would be inappropriate for such a public device.

SY0-501, Objective 3.3 - Operating System Security

11
Q

A security administrator has installed a new firewall to protect a web
server VLAN. The application owner requires that all web server sessions
communicate over an encrypted channel. Which of these rules should the
security administrator include in the firewall rulebase? (Select TWO)
❍ A. Source: ANY, Destination: ANY, Protocol: TCP, Port: 23, Deny
❍ B. Source: ANY, Destination: ANY, Protocol: TCP, Port: 443, Deny
❍ C. Source: ANY, Destination: ANY, Protocol: TCP, Port: 80, Deny
❍ D. Source: ANY, Destination: ANY, Protocol: TCP, Port: 443, Allow
❍ E. Source: ANY, Destination: ANY, Protocol: TCP, Port: 80, Allow

A

C. Source: ANY, Destination: ANY,
Protocol: TCP, Port: 80, Deny and
D. Source: ANY, Destination: ANY,
Protocol: TCP, Port: 443, Allow

Most web servers use tcp/80 for HTTP (Hypertext Transfer Protocol)
communication and tcp/443 for HTTPS (Hypertext Transfer Protocol
Secure). HTTP traffic sends traffic in the clear, so the first firewall rule
would block any tcp/80 traffic before it hits the web server. The second
rule allows HTTPS encrypted traffic to continue to the web server over
tcp/443.

The incorrect answers:
A. Source: ANY, Destination: ANY, Protocol: TCP,
Port: 23, Deny
The insecure Telnet protocol commonly uses tcp/23, but most web servers
would not be listening on tcp/23. An explicit tcp/23 deny rule would not
provide any additional web server security.
B. Source: ANY, Destination: ANY, Protocol: TCP,
Port: 443, Deny
The encrypted HTTPS protocol uses tcp/443, so the security administrator
would not want to deny that traffic through the firewall.
E. Source: ANY, Destination: ANY, Protocol: TCP,
Port: 80, Allow
Since the application owner requires encrypted communication, HTTP over
tcp/80 should not be allowed through the firewall.

SY0-501, Objective 2.3 - Common Security Issues

12
Q

Which of these items would commonly be used by a field engineer to
provide multi-factor authentication?
❍ A. USB-connected storage drive with FDE
❍ B. Employee policy manual
❍ C. Null-modem serial cable
❍ D. Smart card with picture ID

A

D. Smart card with picture ID

A smart card commonly includes a certificate that can be used as a
multifactor authentication of something you have. These smart cards are
commonly combined with an employee identification card, and often
require a separate PIN (Personal Identification Number) as an additional
authentication factor.

The incorrect answers:
A. USB-connected storage drive with FDE
FDE (Full Disk Encryption) will protect the data on a drive, but it doesn’t
provide a factor of authentication.
B. Employee policy manual
Employee policy manuals aren’t commonly associated with a specific
individual, so they are not a good factor of authentication.
C. Null-modem serial cable
A null-modem serial cable is an important accessory for any field
technician, but it doesn’t provide any authentication factors.

SY0-501, Objective 4.1 - AAA and Authentication

13
Q

A security administrator is connecting two remote locations across the
Internet using an IPsec tunnel. The administrator would like the IPsec
tunnel to securely transfer symmetric keys between IPsec endpoints
during the tunnel initialization. Which of the following would provide this
functionality?
❍ A. Diffie-Hellman
❍ B. 3DES
❍ C. RC4
❍ D. AES
❍ E. Twofish

A

A. Diffie-Hellman

Diffie-Hellman is a method of securely exchanging encryption keys over an
insecure communications channel. DH uses asymmetric cryptography to
create an identical symmetric key between devices without ever sending
the symmetric key over the network.

The incorrect answers:
B. 3DES
3DES (Triple DES) is a symmetric encryption algorithm that encrypts,
decrypts, and encrypts again with different symmetric keys. 3DES does not
provide a method for secure key exchange.
C. RC4
RC4 (Rivest Cipher 4) is a symmetric encryption algorithm that was
common in wireless WEP encryption. RC4 does not provide a way to
securely exchange symmetric keys.
D. AES
AES (Advanced Encryption Standard) is a common symmetric encryption
standard and is used in WPA2 wireless encryption. AES does not provide a
way to securely exchange symmetric keys.
E. Twofish
Twofish is a public domain symmetric encryption method. Twofish does
not provide a way to securely exchange encryption keys.

SY0-501, Objective 6.2 - Asymmetric Algorithms

14
Q

A company’s security cameras have identified an unknown person walking
into a fenced disposal area in the back of the building and then leaving
with a box containing printed documents. Which of the following attacks
is this person attempting?
❍ A. Dumpster diving
❍ B. Shoulder surfing
❍ C. Tailgating
❍ D. Phishing

A

A. Dumpster diving

A company can often throw out useful information, and attackers will
literally climb through the trash bin to obtain this information.

The incorrect answers:
B. Shoulder surfing
Shoulder surfing is viewing someone else’s screen, which is effectively over
their shoulder.
C. Tailgating
If you follow someone through a locked door without providing any
credentials or using an access card, you would be tailgating.
D. Phishing
Phishing is the process of tricking someone into providing their personal
information.

SY0-501, Objective 1.2 - Dumpster Diving

15
Q

A technology company is manufacturing a military-grade radar tracking
system that can instantly identify any nearby unmanned aerial vehicles
(UAVs). The UAV detector must be able to instantly identify and react to
a vehicle without delay. Which of the following would BEST describe this
tracking system?
❍ A. RTOS (Real-Time Operating System)
❍ B. IoT (Internet of Things)
❍ C. ICS (Industrial Control System)
❍ D. MFD (A multifunction device)

A

A. RTOS

This tracking system requires an RTOS (Real-Time Operating System) that
can instantly react to input without any significant delays or queuing in
the operating system. Operating systems used by the military, automobile
manufacturers, and industrial equipment developers often use RTOS to
ensure that certain transactions can be processed without any significant
delays.

The incorrect answers:
B. IoT
IoT (Internet of Things) devices are generally associated with home
automation and do not have a requirement for real-time operation.
C. ICS
An ICS (Industrial Control System) is often a dedicated network used
exclusively to manage and control manufacturing equipment, power
generation equipment, water management systems, and other industrial
machines. Although some industrial control systems may use an RTOS,
using a real-time operating system is not a requirement of an ICS.
D. MFD
A multifunction device (MFD) is commonly associated with a device that
can print, scan, and fax. There are no real-time OS requirements in a
typical MFD.

SY0-501, Objective 3.5 - Embedded Systems

16
Q

A private company uses an SSL proxy to examine the contents of an
encrypted application during transmission. How could the application
developers prevent the use of this proxy examination in the future?
❍ A. OCSP stapling
❍ B. Offline CAs
❍ C. Certificate chaining
❍ D. Certificate pinning

A

D. Certificate pinning

Certificate pinning embeds or “pins” a certificate inside of an application.
When the application contacts a service, the service certificate will
be compared to the pinned certificate. If the certificates match, the
application knows that it can trust the service. If the certificates don’t
match, then the application can choose to shut down, show an error
message, or make the user aware of the discrepancy. An SSL proxy will use
a different certificate than the service certificate, so an application using
certificate pinning can identify and react to this situation.

The incorrect answers:
A. OCSP stapling
OCSP (Online Certificate Status Protocol) stapling is a method that has
the certificate holder verify their own certificate status. The OCSP status is
commonly “stapled” into the SSL handshake process.
B. Offline CAs
An offline CA (Certificate Authority) is a common way to prevent the
exploitation of a root authority. If the CA is offline, then you can’t hack it.
However, an online or offline CA won’t prevent the use of an SSL proxy.
C. Certificate chaining
Intermediate certificates are often listed between a web server’s SSL
certificate and the root certificate. This list of intermediate certificates is
called a “chain.” It’s important to configure web servers with the proper
chain, or the end user may receive an error in their browser that the server
can’t be trusted.

SY0-501, Objective 6.4 - PKI Concepts

17
Q

A security administrator is concerned that a user may have installed a
rogue access point on the corporate network. Which of the following
could be used to confirm this suspicion?
❍ A. UTM log (Unified Threat Management)
❍ B. WAF log (Web Application Firewall)
❍ C. Switch log
❍ D. DLP log (Data Loss Prevention)

A

C. Switch log

A rogue access point would be difficult to identify once it’s on the network,
but at some point the access point would need to physically connect to the
corporate network. An analysis of switch interface activity would be able to
identify any new devices and their MAC addresses.

The incorrect answers:
A. UTM log
A UTM (Unified Threat Management) gateway is an all-in-one device that
provides firewall services, URL filtering, spam filtering, and more. From
the UTM’s perspective, the traffic from a rogue access point would look
similar to all other traffic on the network.
B. WAF log
A WAF (Web Application Firewall) would not be able to determine if web
server traffic was from a rogue access point or a legitimate wired device.
D. DLP log
DLP (Data Loss Prevention) is important for stopping the transfer of
confidential data, but it would not be able to identify traffic from a rogue
access point.

SY0-501, Objective 2.4 - Analyzing Security Output

18
Q

During a ransomware outbreak, an organization was forced to rebuild
database servers from known good backup systems. In which of the
following incident response phases were these database servers brought
back online?
❍ A. Recovery
❍ B. Lessons learned
❍ C. Containment
❍ D. Identification

A

A. Recovery

The recovery phase focuses on getting things back to normal after an
attack. This is the phase that removes malware, fixes vulnerabilities, and
recovers the damaged systems.

The incorrect answers:
B. Lessons learned
Once an event is over, it’s useful to have a post-incident meeting to discuss
the things that worked and things that didn’t.
C. Containment
When an event occurs, it’s important to minimize the impact. Isolation and
containment can help to limit the spread and effect of an event.
D. Identification
Identifying the event is an important step that initiates the rest of the
incident response processes.

SY0-501, Objective 5.4 - Incident Response Process

19
Q

A transportation company has been using a logistics application for
many years on their local network. A researcher has been asked to test
the security of the application, but the uptime and availability of the
application is of primary importance. Which of the following techniques
would provide a list of application security issues without performing an
exploit?
❍ A. Penetration test
❍ B. Grey box test
❍ C. Vulnerability scan
❍ D. SQL injection

A

C. Vulnerability scan

A vulnerability scan is commonly performed as a minimally invasive scan,
and it avoids performing exploits on the target systems.

The incorrect answers:
A. Penetration test
A penetration test will attempt to exploit vulnerabilities, and the process
of running these exploits can have unpredictable results. Some systems
will crash or fail during a penetration test and will require a reboot before
normal operation can continue.
B. Grey box test
A grey box test describes the information provided to a penetration tester
prior to the actual attack. A grey box test provides some information
about the systems under attack, but not all information is disclosed to the
attacker.
D. SQL injection
A SQL injection is an exploit that injects code into website communication
to communicate directly to the underlying database.

SY0-501, Objective 1.5 - Vulnerability Scanning

20
Q

A network IDS has alerted on this SQL injection attack:
Frame 4: 937 bytes on wire (7496 bits), 937 bytes captured
Ethernet II, Src: HewlettP_82:d8:31), Dst: Cisco_a1:b0:d1
Internet Protocol Version 4, Src: 172.16.22.7, Dst: 10.8.122.244
Transmission Control Protocol, Src Port: 3863, Dst Port: 80
Hypertext Transfer Protocol,
http://www.example.com/index.php?option=com_
glossary&func=display&Itemid=s@bun&catid=-1%20union%20
select%201,username,password,4,5,6,7,8,9,10,11,12,13,14%20
from%20mos_users–]
The security administrator would like to protect against future attacks
from this IP address without interrupting service for other users. Which of
the following firewall rules would be the BEST choice for this
requirement?
❍ A. Source: 172.16.22.7, Destination: 10.8.122.244,
Protocol: TCP, Deny
❍ B. Source 172.16.22.0/24, Destination: 10.8.122.0/24,
Protocol: UDP, Deny
❍ C. Source: 172.16.22.7/32, Destination: ANY,
Protocol: IP, Deny
❍ D. Source: ANY, Destination: 10.8.122.244,
Protocol: TCP, Deny

A

C. Source: 172.16.22.7/32, Destination: ANY,
Protocol: IP, Deny

In this example, all future attacks from this IP address must be blocked,
regardless of the type of attack or the target of the attack. This rule
effectively blocks all traffic from this source IP address, and it captures
the requirement by selecting just the single source of 172.16.22.7/32. The
/32 CIDR-block notation designates that this address range is the single
IP of 172.16.22.7. The /32 suffix is optional on most firewalls, but
writing it out clearly shows that this rule will only affect one IP address. The
destination IP address of the rule is ANY, which prevents any future attacks
against any other device. Specifying the protocol as IP blocks both TCP- and
UDP-based attack types.

The incorrect answers:
A. Source: 172.16.22.7, Destination: 10.8.122.244,
Protocol: TCP, Deny
Specifying the destination IP address would allow attacks to other IP
addresses, and limiting the protocol to TCP would allow UDP-based attacks
to pass through the firewall.
B. Source 172.16.22.0/24, Destination: 10.8.122.0/24,
Protocol: UDP, Deny
This rule broadens the source and destination range to the /24 subnet,
which may interrupt legitimate traffic flows. This rule also only includes
UDP, which would not block the original traffic flow.
D. Source: ANY, Destination: 10.8.122.244,
Protocol: TCP, Deny
This rule would effectively block all TCP traffic to the 10.8.122.244 server,
including the legitimate web server traffic flows.

SY0-501, Objective 2.4 - Analyzing Security Output

21
Q

Which of the following stores session information on a client device?
❍ A. Token-based authentication
❍ B. Federation
❍ C. Server-based authentication
❍ D. LDAP

A

A. Token-based authentication

Token-based authentication stores session information using a token that
is stored on the local client. The token is provided with each request to the
server, and the server validates the token before providing a response.

The incorrect answers:
B. Federation
Federation is used to provide network access using third-party
authentication. Federation doesn’t specify where session information is
stored after authentication is complete.
C. Server-based authentication
With server-based authentication, each session ID is stored and maintained
on the server.
D. LDAP
LDAP (Lightweight Directory Access Protocol) is a common protocol for
user and device authentication, but it does not specify the location of the
session identification once the authentication is complete.

SY0-501, Objective 4.2 - Federated Identities

22
Q

A system administrator has installed a new firewall between the corporate
user network and the data center network. When the firewall is turned
on, users complain that the application in the data center is no longer
working. The firewall is running with the default settings, and no
additional firewall rules have been added to the configuration. Which of
the following would be the BEST way to correct this application issue?
❍ A. Create a single firewall rule with an explicit deny
❍ B. Build a separate VLAN for the application
❍ C. Create firewall rules that match the application traffic flow
❍ D. Disable spanning tree protocol on the data center switches

A

C. Create firewall rules that match the application
traffic flow

By default, firewalls implicitly deny all traffic. Firewall rules must be built
that match the traffic flows, and only then will traffic pass through the firewall.

The incorrect answers:
A. Create a single firewall rule with an explicit deny
By default, the firewall has an implicit deny as the last policy in the firewall
rulebase. If traffic does not match any other firewall rule, then the implicit
deny drops that traffic. Manually configuring an explicit deny doesn’t
provide any additional traffic control because of the already-existing
implicit deny, and it doesn’t allow any traffic to pass through the firewall
because it’s a rule that denies all traffic.
B. Build a separate VLAN for the application
VLAN (Virtual Local Area Network) separation can be used to manage
traffic flows or provide additional security options, but a VLAN alone won’t
bypass an existing firewall deny rule.
D. Disable spanning tree protocol on the data center switches
Spanning tree protocol (STP) is configured on most switches to prevent
any layer 2 switching loops. Disabling spanning tree won’t bypass any
firewall security controls, and it would put the network at risk if a
misconfiguration creates a switching loop. It is a best practice to always
use STP on a switched network.

SY0-501, Objective 2.1 - Firewalls

23
Q

Which of these would be used to provide HA for a web-based database
application?
❍ A. SIEM (Security Information and Event Management)
❍ B. UPS (Uninterruptible Power Supply)
❍ C. DLP (Data Loss Prevention)
❍ D. VPN concentrator

A

B. UPS

HA (High Availability) means that the service should always be on and
available. The only device on this list that would provide HA is the UPS
(Uninterruptible Power Supply). If power is lost, the UPS will provide
electricity using battery power or a gas-powered generator.

The incorrect answers:
A. SIEM
A SIEM (Security Information and Event Management) system
consolidates data from devices on the network and provides log searching
and reporting features. A SIEM does not provide any HA functionality.
C. DLP
DLP (Data Loss Prevention) is a method of identifying and preventing the
transfer of personal or confidential information through the network. DLP
does not provide any HA functionality.
D. VPN concentrator
A VPN (Virtual Private Network) concentrator is used as an endpoint for a
VPN solution. VPN concentrators do not provide any HA functionality.

SY0-501, Objective 3.8 - Redundancy, Fault Tolerance,

24
Q

An IT manager is building a quantitative risk analysis related to corporate
laptops used by the field engineering team. Each year, a certain number of
laptops are lost or stolen and must be replaced by the company. Which of
the following would describe the total cost the company spends each year
on laptop replacements?
❍ A. SLE (Single Loss Expectancy)
❍ B. SLA (Service Level Agreement)
❍ C. ALE (Annual Loss Expectancy)
❍ D. ARO (Annualized Rate of Occurrence)

A

C. ALE

The ALE (Annual Loss Expectancy) is the total amount of the loss over an entire year.
The incorrect answers:
A. SLE
SLE (Single Loss Expectancy) describes the loss for a single incident.
B. SLA
SLA (Service Level Agreement) is a contractual agreement that specifies a
minimum service level.
D. ARO
An ARO (Annualized Rate of Occurrence) is the number of times an event
is expected to occur in a year.

SY0-501, Objective 5.3 - Risk Assessment

25
Q

A pentest engineer is using a banner grabbing utility on the local network.
Which of the following would be the MOST likely use of this utility?
❍ A. Create a list of open ports on a device
❍ B. Identify a web server version
❍ C. Create a honeypot
❍ D. Brute force the encryption key of a wireless network

A

B. Identify a web server version

A banner grabbing utility will show the banner information that’s
commonly only seen in the network packets. Many services will provide a
greeting banner that includes the name and version of the service, and this
information can provide useful reconnaissance.

The incorrect answers:
A. Create a list of open ports on a device
A port scanner or network scanner is commonly used to scan devices for
open ports. A banner grabber does not commonly provide any scanning for
open ports.
C. Create a honeypot
Honeypots are useful security tools that can entice and trap attackers
inside of a fake virtual network. Banner grabbing utilities do not commonly
provide any honeypot functionality.
D. Brute force the encryption key of a wireless network
There are many utilities that can be used to brute force local and wireless
passwords. A banner grabbing utility does not commonly include any
brute force functionality.

SY0-501, Objective 2.2 - Software Security Tools

26
Q

Sam, a user in the purchasing department, would like to send an email to
Jack, a user in the manufacturing department. Which of these should Sam
do to allow Jack to verify that the email really came from Sam?
❍ A. Digitally sign it with Sam’s private key
❍ B. Digitally sign it with Sam’s public key
❍ C. Digitally sign it with Jack’s private key
❍ D. Digitally sign it with Jack’s public key

A

A. Digitally sign it with Sam’s private key

The sender of a message digitally signs with their own private key to ensure
integrity, authentication, and non-repudiation of the signed contents. The
digital signature is validated with the sender’s public key.

The incorrect answers:
B. Digitally sign it with Sam’s public key
Since everyone effectively has access to public keys, adding a digital
signature with a publicly available key doesn’t provide any security features.
C. Digitally sign it with Jack’s private key
Jack’s private key would only be available to Jack, so Sam could not possibly
use Jack’s private key when performing any cryptographic functions.
D. Digitally sign it with Jack’s public key
As with Sam’s public key that would be available to anyone, using Jack’s
public key would not provide any security features.

SY0-501, Objective 6.1 - Hashing and Digital Signatures

27
Q

The contract of a long-term temporary employee is ending. Which of these
would be the MOST important part of the off-boarding process?
❍ A. Perform an on-demand audit of the user’s privileges
❍ B. Archive the decryption keys associated with the user account
❍ C. Document the user’s outstanding tasks
❍ D. Obtain a signed copy of the Acceptable Use Policies

A

B. Archive the decryption keys associated with the
user account

Without the decryption keys, it will be impossible to access any of the
user’s protected files once they leave the company. Given the other possible
answers, this one is the only one that would result in unrecoverable data
loss if not properly followed.

The incorrect answers:
A. Perform an on-demand audit of the user’s privileges
The user’s account will be disabled once they leave the organization, so an
audit of their privileges would not be very useful.
C. Document the user’s outstanding tasks
Creating documentation is important, but it’s not as important as retaining
the user’s data with the decryption keys.
D. Obtain a signed copy of the Acceptable Use Policies
Acceptable Use Policies (AUPs) are usually signed during the on-boarding
process. You won’t need an AUP if the user is no longer accessing the
network.

SY0-501, Objective 4.4 - Account Management

28
Q

Sam, a cybersecurity analyst, has been asked to respond to a denial of
service attack against a web server. While gathering forensics data, Sam
first collects information in the ARP cache, then a copy of the server’s
temporary file system, and finally system logs from the web server. What
part of the forensics gathering process did Sam follow?
❍ A. Chain of custody
❍ B. Data hashing
❍ C. Legal hold
❍ D. Order of volatility

A

D. Order of volatility

Order of volatility ensures that data will be collected before it becomes
unrecoverable. For example, information stored in a router table is more
volatile than data stored on a backup tape, so the router table data will be
collected first and the backup tape data will be collected second.

The incorrect answers:
A. Chain of custody
Chain of custody ensures that the integrity of evidence is maintained. The
contents of the evidence are documented, and each person who handles
the evidence is required to document their activity.
B. Data hashing
Data hashing creates a unique message digest based on stored data. If
the data is tampered with, a hash taken after the change will differ from
the original value. This allows the forensic engineer to identify that
information has been changed.
C. Legal hold
A legal hold is a legal technique to preserve relevant information. This will
ensure the data remains accessible for any legal preparation that needs to
occur prior to litigation.

SY0-501, Objective 5.5 - Gathering Forensics Data

29
Q

An attacker was able to download a list of ten thousand company
employee login credentials containing usernames and hashed passwords.
Less than an hour later, a list containing all ten thousand usernames and
passwords in plain text was posted to an online file storage repository.
Which of the following would BEST describe how this attacker was able to
post this information?
❍ A. Improper certificate management
❍ B. Phishing
❍ C. Untrained users
❍ D. Weak cipher suite

A

D. Weak cipher suite

Creating a password hash is a one-way process that can’t be reversed. If the
hash has not been salted, then a rainbow table lookup would be an easy way
to find the plaintext passwords. Since none of the answers in this question
included rainbow tables as an option, the most reasonable of the remaining
choices would be a weak cipher suite that allowed for a very fast brute
force attack of the password hashes. Of the available options, this is the
only choice that would BEST fit the results.

The incorrect answers:
A. Improper certificate management
Passwords are stored as a hash. As a best practice, passwords are never
stored or transmitted as plain text or in a form that could be recovered to
plain text. If a certificate was mis-managed, the attacker might be able to
decode network traffic or perform man-in-the-middle attacks. However,
they would not be able to view a user’s password, since those passwords
are already hashed. Since all ten thousand accounts were downloaded, it’s
unlikely the attacker collected them one user at a time over the network.
B. Phishing
Phishing is a useful attack for gathering information from one user at a
time, but it doesn’t scale when you need to collect data from ten thousand
accounts.
C. Untrained users
Individual users might accidentally disclose their password information,
but you would not expect ten thousand users to perform the same security
breach simultaneously.

SY0-501, Objective 1.6 - Vulnerability Types

30
Q

Which of the following would commonly be associated with an
application’s secure baseline?
❍ A. Secure baseline violations are identified in the IPS logs
❍ B. The baseline is based on the developer sandbox configurations
❍ C. Firewall settings are not included in the baseline
❍ D. Integrity measurements are used to validate the baseline

A

D. Integrity measurements are used to validate the baseline

It’s important to constantly audit the security of an application instance,
and the security baseline precisely defines the security settings for the
firewall, patch levels, operating system file versions, and more. Since
operating system patches are common, the secure baseline will tend to be
updated often.

The incorrect answers:
A. Secure baseline violations are identified in the IPS logs
An IPS would identify attacks against an application or device, but it would
not provide any proactive identification of security issues.
B. The baseline is based on the developer sandbox configurations
The developer sandbox is used to test code prior to deployment, and it
should not be considered a secure environment.
C. Firewall settings are not included in the baseline
Anything related to the security of the application instance is included in
the secure baseline, including firewall settings.

SY0-501, Objective 3.4 - Secure Deployments

31
Q

A server administrator is building a new web server and needs to provide
operating system access to the web server executable. Which of the
following account types should be configured?
❍ A. User
❍ B. Privileged
❍ C. Service
❍ D. Guest

A

C. Service

A service account is commonly used by local services on a system, but
service accounts are not generally enabled for interactive logins. Web
servers, database servers, and other local servers use service accounts.

The incorrect answers:
A. User
A user account is associated with an interactive user or person. Because
user accounts have additional functionality over service accounts, the best
practice is to avoid assigning user account access to a service.
B. Privileged
A privileged account is an Administrator or root account, and it generally
has complete access to the operating system. This should be your most
protected account type, and you would not associate a privileged account to
a service.
D. Guest
A guest account often has very limited operating system access, so it would
not be a useful account type to use for a service.

SY0-501, Objective 4.4 - Account Types

32
Q

The manager of the corporate security team maintains a large storage
array of archived video from security cameras. Historically, the security
manager has been responsible for searching the video archive, but
he would now like to assign those responsibilities to others in his
department. Which of the following would allow the manager to limit
access to the video archive to members of the corporate security team
group?
❍ A. Mandatory access control
❍ B. Certificate-based authentication
❍ C. Role-based access control
❍ D. Attribute-based access control

A

C. Role-based access control

Role-based access control uses groups to control access for individual users.
Rights and permissions are associated with the group, and administrators
can add users to the group to provide access.

The incorrect answers:
A. Mandatory access control
Mandatory access control assigns a label to every object. For example, the
video archive files could be assigned a label of “confidential,” and all users
with confidential access would be able to view the files. The administrator
determines which users are associated with which security level.
B. Certificate-based authentication
The process of authenticating a user is different than the access control
associated with that user. Certificate-based authentication is useful to
verify a user’s identity, but it isn’t used to assign rights and permissions to
the user.
D. Attribute-based access control
Attribute-based access control combines a set of complex relationships to
applications and data, and access is commonly based on many different
criteria.

SY0-501, Objective 4.3 - Access Control Models

33
Q

A transportation company maintains a scheduling application and a
database in a virtualized cloud-based environment. Which of the following
would be the BEST way to back up these services?
❍ A. Full
❍ B. Snapshot
❍ C. Differential
❍ D. Incremental

A

B. Snapshot

Virtual machines (VMs) have a snapshot backup feature that can capture
both a full backup of the virtual system and incremental changes that occur
over time. It’s common to take a snapshot of a VM for backup purposes and
before making any significant changes to the VM. If the changes need to
be rolled back, a previous snapshot can be selected and instantly applied to
the VM.

The incorrect answers:
A. Full
A full backup is used to copy every file system object to the backup media.
To restore the operating system, the entire full backup session would be
restored to the file system. In a virtual environment, a partition of a virtual
machine is stored as a single file, so it’s much easier to back up that single
file as a snapshot than backing up the individual files that are stored inside
of that virtual partition.
C. Differential
A differential backup will copy all files that have been changed since the
last full backup. As mentioned above, using the snapshot feature of a VM is
much more efficient than copying individual files in the file system.
D. Incremental
An incremental backup will copy all files that have been changed since the
last incremental backup. The VM’s snapshot feature is a much more efficient
way to back up and restore incremental changes to a virtual machine.

SY0-501, Objective 5.6 - Application Recovery

34
Q

In an environment using discretionary access controls, which of these
would control the rights and permissions associated with a file or
directory?
❍ A. Administrator
❍ B. Owner
❍ C. Group
❍ D. System

A

B. Owner

The owner of an object is the one who controls access in a discretionary
access control model. Access to the object and the type of access are at the
discretion of the owner, who determines who can access the file and what
type of access they would have.

The incorrect answers:
A. Administrator
Administrators generally label objects when using mandatory access
control, but they are not involved with discretionary access control.
C. Group
Assigning rights and permissions to a group and then assigning users to the
group are common when using role-based access control.
D. System
The system does not determine individual user rights and permissions
when using discretionary access control.

SY0-501, Objective 4.3 - Access Control Models

35
Q

A security administrator has installed a network-based DLP solution to
determine if file transfers contain PII. Which of the following describes
the data during the file transfer?
❍ A. In-use
❍ B. In-transit
❍ C. At-rest
❍ D. Highly available

A

B. In-transit

Data in-transit is data that is in the process of moving across the network.
As the information passes through switches and routers, it is considered to
be in-transit.

The incorrect answers:
A. In-use
Data in-use is in the memory of a system and is accessible to an application.
C. At-rest
Data at-rest resides on a storage device.
D. Highly available
High availability (HA) is usually associated with redundancy or fault
tolerance. Data moving through the network would not be considered
highly available.

SY0-501, Objective 6.1 - States of Data

36
Q

A medical imaging company is expanding to multiple cities, and it would
like to connect all remote locations together with high speed network
links. The network connections must maintain high throughput rates and
must always be available during working hours. In which of the following
should these requirements be enforced with the network provider?
❍ A. Service level agreement
❍ B. Interconnection security agreement
❍ C. Non-disclosure agreement
❍ D. Acceptable use policy

A

A. Service level agreement

A service level agreement (SLA) is used to contractually define the
minimum terms for services. In this example, the medical imaging
company would require an SLA from the network provider for the necessary
throughput and uptime metrics.

The incorrect answers:
B. Interconnection security agreement
An interconnection security agreement (ISA) is commonly used by the
United States federal government to define security controls between
organizations.
C. Non-disclosure agreement
A non-disclosure agreement (NDA) is used between entities to prevent the
use and dissemination of confidential information.
D. Acceptable use policy
An acceptable use policy (AUP) commonly details the rules of behavior for
employees using an organization’s network and computing resources.

SY0-501, Objective 5.1 - Agreement Types

37
Q

A security administrator would like to encrypt all telephone
communication on the corporate network. Which of the following
protocols would provide this functionality?
❍ A. TLS (Transport Layer Security)
❍ B. SRTP (Secure Real-Time Transport Protocol)
❍ C. SSH (Secure Shell)
❍ D. S/MIME (Secure/Multipurpose Internet Mail Extensions)

A

B. SRTP

SRTP (Secure Real-Time Transport Protocol) is an encrypted version of the
RTP (Real-Time Transport Protocol) VoIP (Voice over IP) protocol. SRTP
uses AES (Advanced Encryption Standard) to encrypt the voice and video
over a VoIP connection.

The incorrect answers:
A. TLS
TLS (Transport Layer Security) is the modern version of SSL (Secure
Sockets Layer), and it’s commonly used for encrypting communication to a
web server.
C. SSH
SSH (Secure Shell) is used to encrypt terminal communication. The best
practice is to use SSH instead of the insecure Telnet protocol.
D. S/MIME
S/MIME (Secure/Multipurpose Internet Mail Extensions) provides security
for the content of an email message.

SY0-501, Objective 2.6 - Secure Protocols

38
Q

A security administrator is preparing a phishing email that will be sent
to employees as part of the company’s periodic security test. The email
is spoofed to appear as an unknown third-party and asks employees to
immediately click a link or their state licensing will be revoked. Which of
these social engineering principles is used by this email?
❍ A. Familiarity
❍ B. Social Proof
❍ C. Authority
❍ D. Urgency

A

D. Urgency

The need to complete this task as quickly as possible (immediately) is
the primary social engineering principle in this description. Any task
that encourages a person to act quickly (instead of thinking about it) is
associated with urgency.

The incorrect answers:
A. Familiarity
If the email making this request was from someone we knew, then the
social engineering principle of familiarity would be included. In this
example, the email was from an unknown third-party.
B. Social Proof
Social proof encourages action by convincing the user that this is normally
expected. If the email stated that others have completed this task in the
past, social proof would imply that it’s perfectly acceptable for you to
complete this task as well.
C. Authority
In this example, the request was made by an unknown third-party. If the
request was from someone at a higher level in the company, then the social
engineering principle of authority would be used.

SY0-501, Objective 1.2 - Principles of Social Engineering

39
Q

A security administrator would like to minimize the number of certificate
status checks made by web site clients to the certificate authority. Which
of the following would be the BEST option for this requirement?
❍ A. OCSP stapling (Online Certificate Status Protocol)
❍ B. Certificate chaining
❍ C. CRL (Certificate Revocation List)
❍ D. Certificate pinning

A

A. OCSP stapling

OCSP (Online Certificate Status Protocol) stapling is a method of having
the certificate holder verify their own certificate status. The OCSP status is
commonly “stapled” into the SSL handshake process. Instead of contacting
the certificate authority to verify the certificate, the verification is part of
the initial network connection to the server.

The incorrect answers:
B. Certificate chaining
Intermediate certificates are often listed between a web server’s SSL
certificate and the root certificate. This list of intermediate certificates is
called a “chain.” It’s important to configure web servers with the proper
chain, or the end user may receive an error in their browser that the server
can’t be trusted. A certificate chain does not provide the end station with
any revocation information.
C. CRL
A CRL (Certificate Revocation List) is a list of revoked certificates that is
maintained by the certificate authority. An end-user client accessing a CA
to check the status of a certificate is commonly referencing the CRL.
D. Certificate pinning
Certificate pinning embeds or “pins” a certificate inside of an application.
When the application contacts a service, the service certificate will
be compared to the pinned certificate. If the certificates match, the
application knows that it can trust the service. If the certificates don’t
match, then the application can choose to shut down, show an error
message, or make the user aware of the discrepancy. Certificate pinning
checks to see if an expected certificate is in use, but it does not necessarily
provide any revocation checks.

SY0-501, Objective 6.4 - PKI Concepts

40
Q

A security administrator is configuring the encryption for a series of
web servers, and he has been provided with a password protected file
containing private and public X.509 key pairs. What type of certificate
format is MOST likely used by this file?
❍ A. PEM (Privacy-Enhanced Mail)
❍ B. PFX
❍ C. P7B (Public Key Cryptography Standards #7)
❍ D. CER (Certificate)

A

B. PFX

The Microsoft PFX certificate file format is similar to PKCS #12 (Public Key
Cryptography Standards #12), and the two formats are often referenced
interchangeably. PFX is a container format for many certificates, and it is
often used to transfer a public and private key pair. The container can be
password protected to provide additional security for the contents.

The incorrect answers:
A. PEM
The PEM (Privacy-Enhanced Mail) certificate format is a Base64-encoded
DER certificate. This represents the certificate in an ASCII format with
letters and numbers, which makes it a very easy format to email.
C. P7B
The PKCS #7 (Public Key Cryptography Standards #7) format is commonly
associated with the P7B file extension. This stores the certificate in a
human-readable ASCII format, and usually contains certificates and chain
certificates. Private keys are not included in a P7B file.
D. CER
The CER (Certificate) format is a Windows X.509 file extension that
usually contains a public key. It is a common format for Windows
certificates, and often has a CER file extension.

SY0-501, Objective 6.4 - Certificate File Formats

41
Q

To upgrade an internal application, the development team provides the
operations team with a patch executable and instructions for backing
up, patching, and reverting the patch if needed. The operations team
schedules a date for the upgrade, informs the business divisions, and tests
the upgrade process after completion. Which of the following describes
this process?
❍ A. Agile
❍ B. Continuity planning
❍ C. Usage auditing
❍ D. Change management

A

D. Change management

Change management is the process for making any type of change. This
could be a software upgrade, a hardware replacement, or any other type
of modification to the existing environment. Having a formal change
management process minimizes the risk of a change and makes everyone
aware of the changes as they occur.

The incorrect answers:
A. Agile
Agile is a systems development life cycle model that focuses on creating
content as quickly as possible and refining the content until the final
product is complete.
B. Continuity planning
Continuity planning focuses on keeping the business running when a
disruption occurs. Disaster recovery planning is a type of continuity plan.
C. Usage auditing
Usage auditing is used to determine how resources are used. For example,
a system administrator may perform a usage audit to determine which
resources are used with a particular application or service.

SY0-501, Objective 5.3 - Risk Assessment

42
Q

A company is implementing a public file-storage and cloud-based sharing
service, but does not want to build a separate authentication front-end.
Instead, the company would like users to authenticate with an existing
account on a trusted third-party web site. Which of the following should
the company implement?
❍ A. SSO
❍ B. Federated authentication
❍ C. Transitive trust
❍ D. X.509 certificates signed by a trusted CA

A

B. Federated authentication

Federation provides a way to authenticate and authorize between two
entities using a separate trusted authentication platform. For example, a
web site could allow authentication using an existing account on a
third-party social media site.

The incorrect answers:
A. SSO
SSO (Single Sign-On) does not inherently require authentication to be
processed by a third-party. SSO allows a user to authenticate one time
and gain access to all assigned resources. No additional authentication is
required after the initial SSO login process is complete.
C. Transitive trust
A transitive trust states that if Domain A trusts Domain B, and Domain B
trusts Domain C, then Domain A trusts Domain C. This trust relationship
is not associated with the authentication process that occurs in any of these
domains.
D. X.509 certificates signed by a trusted CA
Assigning a certificate to each user or device is commonly used as an
authentication factor, and this would require the company to implement
some type of authentication process to create and assign certificates.

SY0-501, Objective 4.1 - AAA and Authentication

43
Q

A system administrator is viewing this output from Microsoft’s
System File Checker:
15:43:01 - Repairing corrupted file C:\Windows\System32\kernel32.dll
15:43:03 - Repairing corrupted file C:\Windows\System32\netapi32.dll
15:43:07 - Repairing corrupted file C:\Windows\System32\user32.dll
15:43:43 - Repair complete
Which of the following malware types is the MOST likely cause of this
output?
❍ A. RAT
❍ B. Logic bomb
❍ C. Rootkit
❍ D. Bot

A

C. Rootkit

A rootkit modifies operating system files to become part of the core OS.
The kernel, user, and networking libraries in Windows are core operating
system files.

The incorrect answers:
A. RAT
A RAT (Remote Access Trojan) is a remote administration tool that
installs itself as a service or application on the host computer. RATs do not
commonly modify core operating system files.
B. Logic bomb
A logic bomb waits for a predefined event to begin operation. Logic bombs
do not commonly modify core operating system files.
D. Bot
Bot (robot) malware infects devices to make them part of a larger network
of bots. These infections do not commonly modify core operating system
files.

SY0-501, Objective 1.1 - Rootkits

44
Q

A systems engineer is running a vulnerability scan from a browser. What
type of vulnerability would be associated with the following code?
GET http://www.example.com/post.php?article=-1
UNION SELECT 1,pass,cc FROM users
❍ A. Buffer overflow
❍ B. SQL injection
❍ C. DoS
❍ D. Cross-site scripting

A

B. SQL injection

A SQL (Structured Query Language) injection commonly uses the browser as the
entry point to the back-end database. When a web application builds its query
by concatenating user-supplied input into the SQL text, the attacker's input
becomes part of the statement and runs with whatever database privileges the
application already holds; no additional rights or permissions are needed.
UNION combines the result set of the application's own SELECT with the result
set of a second SELECT chosen by the attacker, and the second SELECT in this
URL returns the pass and cc columns from the users table.
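
As an added illustration (not part of the original flashcard), the following Python uses an in-memory SQLite database to show why the URL above works: a lookup built by string concatenation accepts the UNION payload and returns rows from a different table, while the same lookup with integer validation and a bound parameter does not. The table layout, column names and sample rows are constructed for this example; the real site's schema is unknown.

```python
import sqlite3

# Constructed schema and rows for the example; the real site's tables are unknown.
SCHEMA = """
CREATE TABLE articles (id INTEGER, title TEXT, body TEXT);
CREATE TABLE users    (id INTEGER, pass TEXT, cc TEXT);
INSERT INTO articles VALUES (1, 'Welcome', 'First post');
INSERT INTO users    VALUES (1, 'hunter2', '4111111111111111');
"""

# The injected value from the URL, exactly as it follows "article=".
PAYLOAD = "-1 UNION SELECT 1,pass,cc FROM users"


def build_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db


def get_article_vulnerable(db, article):
    # The request parameter is pasted into the SQL text, so it can change the
    # statement itself. The three columns in the UNION line up with id, title, body,
    # so the stolen password and card number come back where the article would.
    sql = "SELECT id, title, body FROM articles WHERE id = " + article
    return db.execute(sql).fetchall()


def get_article_safe(db, article):
    # Validate the type first: an article id must be an integer.
    try:
        article_id = int(article)
    except ValueError:
        return []
    # Bind the value as a parameter; it is sent as data and can never become SQL.
    sql = "SELECT id, title, body FROM articles WHERE id = ?"
    return db.execute(sql, (article_id,)).fetchall()


if __name__ == "__main__":
    db = build_db()
    print("vulnerable:", get_article_vulnerable(db, PAYLOAD))
    print("safe:      ", get_article_safe(db, PAYLOAD))
```

The vulnerable function is what a scanner sending the URL in the question is probing for; any framework's parameter binding gives the same protection as the `?` placeholder here, and the integer check is defense in depth rather than a substitute for it.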

The incorrect answers:
A. Buffer overflow
A buffer overflow would attempt to store information into an area of
memory that overflows the boundary of the buffer. The command in the
URL was retrieving information from the database and not storing any
data.
C. DoS
A DoS (Denial of Service) is designed to make a system or service
unavailable. Although running any unknown command can be
unpredictable, it would be unusual for a UNION or SELECT SQL command
to cause any downtime.
D. Cross-site scripting
A cross-site scripting attack injects script code, usually JavaScript, into a
page served by a site the browser already trusts, so that the script runs in
the victim's browser with that site's privileges. In this example, the injected
text is a SQL statement aimed at the database, not a script aimed at the
browser.

SY0-501, Objective 1.6 - Vulnerability Types

45
Q

A developer has created an application that will store password
information in a database. Which of the following BEST describes a way of
protecting these credentials by adding random data to the password?
❍ A. Hashing
❍ B. PFS
❍ C. Salting
❍ D. Asymmetric encryption

A

C. Salting

Passwords are usually stored as hashes, but an unsalted hash of a common
password is easy to recover with a brute force or precomputed (rainbow table)
attack, and two users with the same password end up with the same stored
hash. Adding random data (a salt) to each password before hashing gives every
stored hash a unique input, so precomputed tables are useless and each
password must be attacked individually. The salt is not secret and is stored
alongside the hash.
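
Added example, not from the original flashcard: salted password storage in Python with PBKDF2-HMAC-SHA256 from the standard library, beside the unsalted hash it replaces. The iteration count, the salt length and the small "precomputed table" of common passwords are assumptions constructed for the example; they stand in for a real work factor and a real rainbow table.

```python
import hashlib
import hmac
import os

# Work factor for PBKDF2-HMAC-SHA256; an assumption for this example, tune for your hardware.
ITERATIONS = 210_000
SALT_BYTES = 16


def hash_password(password, salt=None):
    """Return (salt, digest). A fresh random salt is generated when none is supplied."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # per-user random data, stored next to the digest
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify_password(password, salt, stored_digest):
    """Recompute with the stored salt and compare in constant time."""
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, stored_digest)


def unsalted_hash(password):
    """What NOT to do: a plain hash is identical for every user with this password."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


# Constructed table of unsalted hashes for a few common passwords; a rainbow
# table is the same idea at scale.
PRECOMPUTED = {unsalted_hash(p): p for p in ["password", "Summer2019!", "letmein"]}


def crack_unsalted(digest_hex):
    """One dictionary lookup recovers an unsalted password."""
    return PRECOMPUTED.get(digest_hex)


def crack_salted(salt, digest):
    """Against a salted digest the table is useless as a lookup: each candidate
    must be re-hashed with this user's salt, paying the full work factor per
    guess per user. That per-user cost is what salting buys."""
    for candidate in PRECOMPUTED.values():
        if verify_password(candidate, salt, digest):
            return candidate
    return None
```

Salting does not make a weak password strong; a short dictionary still finds "Summer2019!" in `crack_salted`. What it removes is the shared precomputation, and the slow, iterated hash makes each of those per-user guesses expensive.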

The incorrect answers:
A. Hashing
Hashing is a one-way cryptographic function that takes an input of any size,
such as a password, and produces a fixed-size digest. The process of adding
random data to the input before hashing is called salting; the hash function
itself adds nothing.
B. PFS
PFS (Perfect Forward Secrecy) is a property of a key exchange: temporary
(ephemeral) session keys are negotiated for each session and discarded once the
encrypted communication is complete, so a later compromise of a long-term key
does not expose earlier sessions. PFS is not used to add random information to
a password hashing process.
D. Asymmetric encryption
Asymmetric encryption is an encryption method that uses one key for
encryption and a different key for decryption. Asymmetric encryption does
not add additional random information to a hash.

SY0-501, Objective 6.1 - Randomizing Cryptography

46
Q

A company is writing a new application that will authenticate users over
TCP port 389. Which of the following would be the BEST choice for
securing this data?
❍ A. LDAPS
❍ B. HTTPS
❍ C. FTPS
❍ D. SSH

A

A. LDAPS

LDAP (Lightweight Directory Access Protocol) commonly uses TCP port
389 for unencrypted directory and authentication requests. The secure
version of this protocol is LDAPS (LDAP Secure), which wraps LDAP in TLS and
commonly uses TCP port 636. Encryption can also be negotiated on the original
port 389 with the StartTLS extended operation, so the port number alone does
not prove that the traffic is protected.

The incorrect answers:
B. HTTPS
HTTPS (Hypertext Transfer Protocol Secure) is the encrypted form of
HTTP. HTTP operates over TCP port 80, and HTTPS is commonly found on TCP
port 443.
C. FTPS
FTPS (File Transfer Protocol Secure) is FTP protected by TLS. Explicit FTPS
starts on the standard FTP control port, TCP port 21, and upgrades the
connection with an AUTH TLS command; implicit FTPS uses TCP port 990.
D. SSH
SSH (Secure Shell) is an encrypted terminal protocol and commonly
operates over TCP port 22.

SY0-501, Objective 2.6 - Secure Protocols

47
Q

A system administrator has added a new user to the network and has
categorized this user to have “secret” level access. With this setting, the
user will be able to access all files and folders with secret level access and
lower. Which of the following describes this access control method?
❍ A. Mandatory
❍ B. Role-based
❍ C. Discretionary
❍ D. Rule-based

A

A. Mandatory

Mandatory access controls provide access based on security clearance
levels. The operating system will limit the operation on an object to users
that meet the minimum clearance.
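
Added example, not from the original flashcard: a minimal mandatory access control decision in Python. The ordered levels are the ones the question implies, the compartment extension goes beyond the question (a label can carry categories as well as a level), and the two rules are the Bell-LaPadula "no read up" and "no write down" properties. The decision depends only on the labels the administrator assigned; the user cannot change it.

```python
from dataclasses import dataclass

# Ordered clearance/classification levels.
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top secret": 3}


@dataclass(frozen=True)
class Label:
    """A security label: a level plus an optional set of compartments.
    Compartments are an extension beyond the question, which mentions only levels."""
    level: str
    compartments: frozenset = frozenset()


def dominates(a, b):
    """Label a dominates label b when a's level is at least b's level and a holds
    every compartment that b holds. This comparison is what the OS enforces."""
    return LEVELS[a.level] >= LEVELS[b.level] and a.compartments >= b.compartments


def can_read(subject, obj):
    """Simple security property: no read up. A 'secret' user reads secret and lower."""
    return dominates(subject, obj)


def can_write(subject, obj):
    """*-property: no write down. A 'secret' user may not write into a
    confidential file, which would leak secret content to a lower level."""
    return dominates(obj, subject)


def check_access(subject, obj, mode):
    """Return the decision for 'read' or 'write'; the file owner cannot override it."""
    if mode == "read":
        return can_read(subject, obj)
    if mode == "write":
        return can_write(subject, obj)
    raise ValueError("unknown access mode: " + mode)
```

The write rule is the part that surprises people coming from discretionary systems: clearance lets a user see down the hierarchy but only create or modify objects at their own level or above.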

The incorrect answers:
B. Role-based
Role-based access would provide access based on a job role. For example, a
user in the human resources department would have access to the payroll
software, but someone in manufacturing would not have the same access.
C. Discretionary
Discretionary access controls give the owner of a file the discretion to
assign rights and permissions for others. The owner can modify these
access permissions at any time.
D. Rule-based
Rule-based access controls are determined by the system administrators,
and they are usually based on broad rules that are defined in an ACL
(Access Control List). An example of a rule-based access control is one
based on a time of day, the type of browser used, or the IP address of the
requesting device.

SY0-501, Objective 4.3 - Access Control Models

48
Q

A security administrator would like to implement an authentication
system that uses cryptographic tickets to validate users. Which of the
following would provide this functionality?
❍ A. RADIUS
❍ B. LDAP
❍ C. Kerberos
❍ D. TACACS

A

C. Kerberos

Kerberos is a network authentication protocol that provides single sign-on
and mutual authentication using cryptographic “tickets” for the
behind-the-scenes authentication process.

The incorrect answers:
A. RADIUS
The RADIUS (Remote Authentication Dial-in User Service) authentication
protocol is commonly used across many different devices and operating
systems, but it does not use cryptographic tickets.
B. LDAP
LDAP (Lightweight Directory Access Protocol) is another common
standard that is often used for authentication, but LDAP does not use
cryptographic tickets.
D. TACACS
TACACS (Terminal Access Controller Access-Control System) is a flexible
remote authentication protocol, but it does not use cryptographic tickets
during the authentication process.

SY0-501, Objective 4.2 - Identity and Access Services

49
Q

Richard is reviewing this information from an IPS log:
MAIN_IPS: 22June2019 09:02:50 reject 10.1.111.7
Alert: HTTP Suspicious Webdav OPTIONS Method Request; Host: Server
Severity: medium; Performance Impact:3;
Category: info-leak; Packet capture; disable
Proto:tcp; dst:192.168.11.1; src:10.1.111.7
Which of the following can be associated with this log information?
(Select TWO)
❍ A. The attacker sent a non-authenticated BGP packet to trigger the IPS
❍ B. The source of the attack is 192.168.11.1
❍ C. The event was logged but no packets were dropped
❍ D. The source of the attack is 10.1.111.7
❍ E. The attacker sent an unusual HTTP packet to trigger the IPS

A

D. The source of the attack is 10.1.111.7 and
E. The attacker sent an unusual HTTP packet to trigger the IPS

The second line of the IPS log shows the type of alert, and this record
indicates that a suspicious HTTP packet was sent. The last line of the IPS
log shows the protocol, destination, and source IP address information.
The source IP address is 10.1.111.7.
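
Added example, not from the original flashcard: a small Python parser that turns the five-line record above into fields an analyst can query, then answers the two questions the card asks (was the packet blocked, and which address is the source). The record is reproduced as constructed sample input; the header layout (sensor, date, time, disposition, address) and the "key: value; key: value" convention for the remaining lines are assumptions taken from this one record, not a documented format.

```python
import re

# The log record from the question, reproduced as constructed sample input.
SAMPLE_EVENT = """MAIN_IPS: 22June2019 09:02:50 reject 10.1.111.7
Alert: HTTP Suspicious Webdav OPTIONS Method Request; Host: Server
Severity: medium; Performance Impact:3;
Category: info-leak; Packet capture; disable
Proto:tcp; dst:192.168.11.1; src:10.1.111.7"""

# First line: sensor name, date, time, disposition, offending address.
HEADER = re.compile(
    r"^(?P<sensor>\S+):\s+(?P<date>\S+)\s+(?P<time>\d{2}:\d{2}:\d{2})\s+"
    r"(?P<action>\w+)\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})$"
)

# Dispositions that mean the IPS actually stopped the packet (assumed vocabulary).
BLOCKING_ACTIONS = {"reject", "drop", "block"}


def parse_ips_event(text):
    """Turn one multi-line IPS record into a flat dict with lower-cased keys."""
    lines = [ln.strip() for ln in text.strip().splitlines() if ln.strip()]
    m = HEADER.match(lines[0])
    if m is None:
        raise ValueError("unrecognised header line: %r" % lines[0])
    event = m.groupdict()
    for line in lines[1:]:
        # Remaining lines hold "key: value" pairs separated by semicolons.
        for token in line.split(";"):
            key, sep, value = token.partition(":")
            if sep:  # "Packet capture" and "disable" have no colon and carry no pair
                event[key.strip().lower()] = value.strip()
    return event


def packet_was_blocked(event):
    return event["action"].lower() in BLOCKING_ACTIONS


def summarize(event):
    """The facts an analyst pulls out first: who, to where, over what, and the outcome."""
    return {
        "source": event["src"],
        "destination": event["dst"],
        "protocol": event["proto"],
        "alert": event["alert"],
        "blocked": packet_was_blocked(event),
        # The header address should be the same host as src; a mismatch is worth a look.
        "header_ip_matches_src": event["ip"] == event["src"],
    }
```

The two details that decide answers C and D come straight out of the parsed record: `action` on the first line is `reject`, so the packet was dropped, and `src` on the last line is 10.1.111.7, which also matches the address in the header.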

The incorrect answers:
A. The attacker sent a non-authenticated BGP packet to trigger the IPS
The alert for this IPS log does not indicate any non-authenticated packets
or BGP packets.
B. The source of the attack is 192.168.11.1
The last line of the log identifies the protocol and IP addresses. The “src”
address is the source of the packet and is identified as 10.1.111.7.
C. The event was logged but no packets were dropped
The first line of the log shows the name of the IPS that identified the issue,
the date and time, and disposition. In this log entry, the packet was rejected
from IP address 10.1.111.7.

SY0-501, Objective 2.4 - Analyzing Security Output

50
Q
A company has contracted with a third-party to provide penetration
testing services. The service includes a port scan of each externally-facing
device. This is an example of:
❍ A. Initial exploitation
❍ B. Escalation of privilege
❍ C. Pivot
❍ D. Active reconnaissance
A

D. Active reconnaissance

Active reconnaissance sends traffic across the network that can be viewed
and/or logged. Performing a port scan will send network traffic to a server,
and most port scan attempts can be identified and logged by an IPS.

The incorrect answers:
A. Initial exploitation
An exploit attempt is common when performing a penetration test, but a
port scan is not exploiting any vulnerabilities.
B. Escalation of privilege
If a penetration test is able to exploit a system and obtain a higher level of
rights and permissions, then the test is successful at escalating the access
privileges. A port scan does not gain access to a system, and it will not
provide any privilege escalation.
C. Pivot
Once a penetration test has exploited a vulnerability and gained access to
a system, the tester will use this foothold as a pivot point to access to other
devices. Since the inside of the network is usually less secure than the
perimeter, this pivot can often provide many more opportunities than the
initial exploitation.
SY0-501, Objective 1.4 - Penetration Testing

51
Q
An access point in a corporate headquarters office has the following
configuration:
IP address: 10.1.10.1
Subnet mask: 255.255.255.0
DHCPv4 Server: Enabled
SSID: Wireless
Wireless Mode: 802.11g
Security Mode: WEP-PSK
Frequency band: 2.4 GHz
Software revision: 2.1
MAC Address: 60:3D:26:71:FF:AA
IPv4 Firewall: Enabled
Which of the following would apply to this configuration?
❍ A. Invalid frequency band
❍ B. Weak encryption
❍ C. Incorrect IP address and subnet mask
❍ D. Invalid software version
A

B. Weak encryption

A common issue is a weak or outdated security configuration. Deprecated
protocols and ciphers such as WEP and DES should be replaced with current,
stronger options; for this access point that means WPA2 with AES-CCMP at a
minimum.

The incorrect answers:
A. Invalid frequency band
The 2.4 GHz frequency band is a valid frequency range for 802.11g
networks.
C. Incorrect IP address and subnet mask
None of the listed configuration settings show any issues with the IP
address or subnet mask.
D. Invalid software version
The software revision is informational, and nothing in the listed
configuration indicates that this version is invalid.
SY0-501, Objective 2.3 - Common Security Issues

52
Q

When an application does not properly release unused memory and
eventually grows so large that it uses all available memory, it is called a(n):
❍ A. Integer overflow
❍ B. NULL pointer dereference
❍ C. Memory leak
❍ D. Data injection

A

C. Memory leak

A memory leak is when a poorly written application allocates memory for
use by the application, but then does not release that memory after it is no
longer needed. If the application runs for an extended period of time, the
leak can grow until it exhausts all available memory, and the application, or
the system it runs on, fails.

The incorrect answers:
A. Integer overflow
An integer overflow occurs when the result of an arithmetic operation exceeds
the largest value the integer type can hold, so the stored value wraps around
to an unexpected (often small or negative) number. If that value is later used
as a size or an index, it can cause an undersized allocation or a write to
memory outside of the intended space.
B. NULL pointer dereference
If an application is written to reference a portion of memory, but nothing
is currently allocated to that area of memory, a NULL pointer dereference
will occur. This can cause the application to crash, display debug
information, or create a denial of service (DoS).
D. Data injection
The unwanted injection of data into a database, library, or any other data
flow is an injection attack. An application that does not properly release
sections of memory is a badly written application and would not be related
to a data injection attack.

SY0-501, Objective 1.6 - Vulnerability Types

53
Q

After exploiting a vulnerability to gain access to a web server, an attacker
created a user account on the server. Which of the following would
describe this activity?
❍ A. Persistence
❍ B. Credentialed scan
❍ C. Passive scanning
❍ D. Data injection

A

A. Persistence

It’s common for an attacker to build a backdoor after exploiting a system.
This persistent account would allow future access to the system even if the
original vulnerability is later patched or mitigated.

The incorrect answers:
B. Credentialed scan
A vulnerability scan that uses a valid username and password is a
credentialed scan. This account was created after an exploit and the
account was not used during the scan process.
C. Passive scanning
A passive vulnerability scan gathers information using resources that
avoid direct communication with the target systems. Exploiting a
vulnerability and creating an account are active processes that send traffic
over the network and appear in system logs.
D. Data injection
Data injection is an attack type that adds (or injects) additional code into
a data stream. In this example, the attack has already occurred and the
attacker is adding additional access for future use.

SY0-501, Objective 1.4 - Penetration Testing

54
Q

A penetration tester is researching a company using information gathered
from user profiles and posts on a social media site. Which of the following
would describe this activity?
❍ A. Pivot
❍ B. Passive reconnaissance
❍ C. White box testing
❍ D. Persistence

A

B. Passive reconnaissance

Passive reconnaissance gathers information from as many open sources
as possible without performing any vulnerability checks or scans. Passive
reconnaissance would include gathering information from social media,
online forums, or social engineering.

The incorrect answers:
A. Pivot
Once an exploit is successful, the attacker will use an exploited system as a
foothold point and pivot to other parts of the network from this point.
C. White box testing
Prior to performing a penetration test, an attacker may already have
information about the target network. If information on all of the devices
in the scope of the penetration test is made available to the attacker, the
test is considered to be a white box penetration test.
D. Persistence
If a system has been exploited, it’s common for the attacker to create a
normal user account or backdoor to maintain access if the vulnerability
becomes patched.

SY0-501, Objective 1.4 - Penetration Testing

55
Q

A system administrator is configuring an IPsec VPN to a remote location
and would like to ensure that the VPN provides confidentiality protection
for both the original IP header and the data. Which of the following
should be configured on the VPN?
❍ A. ECB (Electronic Codebook)
❍ B. AH (Authentication Header)
❍ C. PEAP (Protected Extensible Authentication Protocol)
❍ D. HMAC (Hash-based Message Authentication Code)
❍ E. ESP (Encapsulation Security Payload)

A

E. ESP

ESP (Encapsulation Security Payload) encrypts the data in the IP packet.
In IPsec (Internet Protocol Security) transport mode, the IP header is
not encrypted and is used for routing. In tunnel mode, both the original
IP header and data are encrypted and encapsulated within a separate IP
header.

The incorrect answers:
A. ECB
ECB (Electronic Codebook) is a block cipher mode in which each block is
encrypted independently, so identical plaintext blocks produce identical
ciphertext blocks and patterns in the data show through. For IPsec (and most
use cases), ECB is too simple to ensure data confidentiality.
B. AH
The AH (Authentication Header) carries an integrity check value, computed with
a keyed hash over the packet, to provide integrity and origin authentication
for the data. The AH does not encrypt data.
C. PEAP
PEAP (Protected Extensible Authentication Protocol) is an authentication
protocol that encapsulates EAP in a TLS (Transport Layer Security) tunnel
to ensure a protected authentication process. PEAP is not used to protect
IPsec data.
D. HMAC
HMAC (Hash-based Message Authentication Code) is a keyed integrity
construction built on a hash function, and it is commonly used to compute the
integrity check value in the AH and in ESP. HMAC does not provide any data
confidentiality.

SY0-501, Objective 2.1 - VPN Concentrators

56
Q

Which of these cloud deployment models would BEST describe a company
that would build a cloud for their own use and would use systems and
storage platforms in their data center?
❍ A. Private
❍ B. Community
❍ C. Hybrid
❍ D. Public

A

A. Private

In a private model the organization purchases, installs, and maintains its
own hardware and software, and the cloud serves only that organization. This
model provides the most control over the security of the environment.

The incorrect answers:
B. Community
A community cloud model allows multiple organizations to share the same
cloud resources. A cloud built in a company data center for personal use
would not provide any community cloud features.
C. Hybrid
A hybrid cloud model combines both private and public cloud
infrastructures. The description provided in the question does not include
any public resources.
D. Public
A public cloud is built on an infrastructure that would be open to all users
on the Internet.

SY0-501, Objective 3.7 - Cloud Deployment Models

57
Q
Which of the following malware types would cause a workstation to
participate in a DDoS?
❍ A. Bot
❍ B. Logic bomb
❍ C. Ransomware
❍ D. Keylogger
A

A. Bot

A bot (robot) is malware that installs itself on a system and then waits for
instructions. It’s common for botnets to use thousands of bots to perform
DDoS (Distributed Denial of Service) attacks.

The incorrect answers:
B. Logic bomb
A logic bomb waits for a predefined event to occur. The scope of devices
infected with a logic bomb are relatively small and localized as compared to
a botnet.
C. Ransomware
Ransomware locks a system and prevents it from operating. The locked
device does not commonly participate in a DDoS.
D. Keylogger
A keylogger will silently capture keystrokes and transmit an archive
of those keystrokes to a third-party. A keylogger does not commonly
participate in a DDoS.

SY0-501, Objective 1.1 - Bots and Botnets

58
Q
Which of these are used to force the preservation of data for later
use in court?
❍ A. Chain of custody
❍ B. Data loss prevention
❍ C. Legal hold
❍ D. Order of volatility
A

C. Legal hold

A legal hold is a legal technique to preserve relevant information. This
process will ensure the data remains accessible for any legal preparation
that occurs prior to litigation.

The incorrect answers:
A. Chain of custody
Chain of custody ensures that the integrity of evidence is maintained. The
contents of the evidence are documented, and each person who contacts
the evidence is required to document their activity.
B. Data loss prevention
Data loss prevention (DLP) is a technique for identifying sensitive
information transmitted across the network, such as Social Security
numbers, credit card numbers, and other PII (Personally Identifiable
Information). DLP is not a legal technique.
D. Order of volatility
The order of volatility is a list of how long data will remain available before
it is unrecoverable. For example, information stored in a router table is
more volatile than data stored on a backup tape.

SY0-501, Objective 5.5 - Gathering Forensics Data

59
Q

The clients in a small office authenticate to a secure wireless access
point using WPA2-Enterprise. Which of the following would be MOST
commonly associated with this connection?
❍ A. RC4
❍ B. AES
❍ C. IPsec
❍ D. 3DES

A

B. AES

WPA2 (Wi-Fi Protected Access II) is a wireless security protocol, and
WPA2-Enterprise indicates that authentication to the WPA2-protected wireless
network uses a centralized authentication server with a protocol such as
RADIUS (Remote Authentication Dial-In User Service). In this question,
however, the answers focus on encryption ciphers rather than the
authentication method. WPA2 encrypts traffic with CCMP (Counter Mode with
Cipher Block Chaining Message Authentication Code Protocol), an authenticated
encryption mode built on AES (Advanced Encryption Standard).

The incorrect answers:
A. RC4
RC4 (Rivest Cipher 4) is a stream cipher associated with the older WEP
(Wired Equivalent Privacy) standard and with the TKIP used by the original
WPA. RC4 is not used by WPA2's CCMP encryption.
C. IPsec
IPsec (Internet Protocol Security) is a common protocol for connecting
host and site VPNs (Virtual Private Networks). IPsec is not part of WPA2
encryption.
D. 3DES
3DES (Triple Data Encryption Standard) is a symmetric encryption
protocol that is commonly used on IPsec and other VPN technologies.
3DES is not part of WPA2 encryption.

SY0-501, Objective 6.3 - Wireless Cryptographic Protocols

60
Q

A company would like to install an IPS that can observe normal network
activity and block any traffic that deviates from this baseline. Which of
these IPS types would be the BEST fit for this requirement?
❍ A. Heuristic
❍ B. Anomaly-based
❍ C. Behavior-based
❍ D. Signature-based

A

B. Anomaly-based

Anomaly-based detection will build a baseline of what it considers to be
normal. Once the baseline is established, the IPS (Intrusion Prevention
System) will then block any traffic that deviates from the baseline.
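
Added example, not from the original flashcard: the baseline-and-deviation logic of an anomaly-based IPS in Python, reduced to one metric. The metric (outbound DNS queries per minute from one workstation), the learning samples, the live readings and the three-standard-deviation threshold are all constructed assumptions; a real sensor learns many metrics over a much longer window.

```python
import statistics

# Constructed baseline: outbound DNS queries per minute from one workstation
# during a quiet learning window. Real deployments learn this over days or weeks.
BASELINE_SAMPLES = [40, 45, 38, 50, 42, 47, 44, 41, 46, 43]

# Constructed live readings; the last one looks like DNS tunnelling or a beacon burst.
LIVE_READINGS = [44, 48, 39, 120]


def build_baseline(samples):
    """Learn what 'normal' is: the mean and spread of the observed metric."""
    if len(samples) < 2:
        raise ValueError("need at least two samples to build a baseline")
    return {"mean": statistics.fmean(samples), "stdev": statistics.pstdev(samples)}


def z_score(baseline, value):
    """How many standard deviations a reading sits from the learned mean."""
    if baseline["stdev"] == 0:  # flat baseline: anything different is a deviation
        return 0.0 if value == baseline["mean"] else float("inf")
    return (value - baseline["mean"]) / baseline["stdev"]


def is_anomalous(baseline, value, threshold=3.0):
    """Flag readings more than `threshold` standard deviations from the baseline,
    in either direction: a host that suddenly goes silent is also a deviation."""
    return abs(z_score(baseline, value)) > threshold


def evaluate(baseline, readings, threshold=3.0):
    """Return the IPS decision for each reading: 'allow' or 'block'."""
    return ["block" if is_anomalous(baseline, v, threshold) else "allow" for v in readings]


if __name__ == "__main__":
    baseline = build_baseline(BASELINE_SAMPLES)
    for reading, decision in zip(LIVE_READINGS, evaluate(baseline, LIVE_READINGS)):
        print(reading, round(z_score(baseline, reading), 2), decision)
```

Two caveats follow directly from the code. The baseline must be learned on clean traffic: if attack traffic is present during the learning window it raises the mean and spread and becomes "normal". And the threshold is a trade-off, since a lower value catches smaller deviations at the cost of blocking legitimate bursts.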

The incorrect answers:
A. Heuristic
Heuristic IPS technology applies generalized rules or models of what an
attack looks like, rather than exact signatures, to identify attacks that have
no prior signature.
C. Behavior-based
Behavior-based IPS technology will alert if a particular type of bad behavior
occurs. For example, a URL with an apostrophe and SQL command would
indicate a SQL injection, and someone trying to view /etc/shadow would
indicate an attempt to gain access to a protected part of the file system.
This is universally considered to be bad behavior, and it would be flagged
by a behavior-based IPS.
D. Signature-based
A signature-based IPS is looking for a specific traffic flow pattern, and once
that traffic matches the signature the traffic can be blocked.

SY0-501, Objective 2.1 - Network Intrusion Detection

61
Q

A security engineer is capturing packets on an internal company network
and is documenting the IP addresses and MAC addresses associated with
the local network devices. Which of these commands would provide the
MAC address of the default gateway at 10.11.1.1?
❍ A. ping 10.11.1.1
arp -a
❍ B. tracert 10.11.1.1
❍ C. dig 10.11.1.1
❍ D. ipconfig /all

A

A. ping 10.11.1.1
arp -a

The arp (Address Resolution Protocol) command can be used to view the
local ARP cache. The cache contains a lookup table containing IP addresses
and their associated MAC (Media Access Control) address. If an engineer
pings a device on the local network and then views the ARP cache, they
will see the MAC address that was resolved during the ARP process.
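
Added example, not from the original flashcard: Python that parses `arp -a` output in both the Windows and the Linux layouts, answers the question (which MAC belongs to 10.11.1.1), and adds one check the engineer documenting the segment would want: a MAC address that two IP addresses claim, which is the usual sign of ARP poisoning. The sample outputs and all addresses are constructed; `live_gateway_mac` runs the two real commands from the answer and needs a network to be useful.

```python
import platform
import re
import subprocess

# Constructed `arp -a` output in the Windows layout; addresses are made up.
WINDOWS_ARP = """
Interface: 10.11.1.25 --- 0xb
  Internet Address      Physical Address      Type
  10.11.1.1             00-1a-2b-3c-4d-5e     dynamic
  10.11.1.40            08-00-27-aa-bb-cc     dynamic
  10.11.1.255           ff-ff-ff-ff-ff-ff     static
"""

# The same hosts in the Linux layout.
LINUX_ARP = """
_gateway (10.11.1.1) at 00:1a:2b:3c:4d:5e [ether] on eth0
? (10.11.1.40) at 08:00:27:aa:bb:cc [ether] on eth0
"""

# Constructed table where a second host answers with the gateway's MAC:
# the classic sign of ARP spoofing on the segment.
SPOOFED_ARP = """
  10.11.1.1             00-1a-2b-3c-4d-5e     dynamic
  10.11.1.77            00-1a-2b-3c-4d-5e     dynamic
  10.11.1.40            08-00-27-aa-bb-cc     dynamic
"""

# An IPv4 address, some non-digit separator text, then a MAC with ':' or '-' separators.
ENTRY = re.compile(
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\D+?"
    r"(?P<mac>(?:[0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2})"
)


def normalise_mac(mac):
    return mac.replace("-", ":").lower()


def parse_arp(output):
    """Map IP address -> MAC address from either OS's `arp -a` output."""
    table = {}
    for line in output.splitlines():
        m = ENTRY.search(line)
        if m:
            table[m.group("ip")] = normalise_mac(m.group("mac"))
    return table


def gateway_mac(output, gateway_ip):
    return parse_arp(output).get(gateway_ip)


def duplicate_macs(table):
    """MACs claimed by more than one IP: worth investigating as possible ARP poisoning."""
    by_mac = {}
    for ip, mac in table.items():
        by_mac.setdefault(mac, []).append(ip)
    return {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}


def live_gateway_mac(gateway_ip):
    """Run the two commands from the answer on this machine (needs network access).
    The ping forces an ARP resolution so the gateway is present in the cache."""
    count_flag = "-n" if platform.system() == "Windows" else "-c"
    subprocess.run(["ping", count_flag, "1", gateway_ip], capture_output=True, check=False)
    out = subprocess.run(["arp", "-a"], capture_output=True, text=True, check=False).stdout
    return gateway_mac(out, gateway_ip)


if __name__ == "__main__":
    print(gateway_mac(WINDOWS_ARP, "10.11.1.1"))
    print(duplicate_macs(parse_arp(SPOOFED_ARP)))
```

The ARP cache only holds entries for hosts this machine has recently talked to, which is why the ping comes first; a cache entry for the gateway that changes between two runs, or that a second IP shares, is the thing to investigate.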

The incorrect answers:
B. tracert 10.11.1.1
The tracert (traceroute) command will display the IP addresses of routers
between two devices. MAC addresses are not displayed in the traceroute
output.
C. dig 10.11.1.1
The dig (Domain Information Groper) command is used to gather
information from DNS (Domain Name System) servers. MAC address
information is not viewable with the dig command.
D. ipconfig /all
The ipconfig command will display IP address and MAC address
information for the local Windows computer, but it does not show the
MAC address information of the default gateway.

SY0-501, Objective 2.2 - Command Line Security Tools

62
Q

Daniel, a penetration tester, would like to gather some reconnaissance
information before the formal penetration test begins. To provide a more
focused test, Daniel would like to compile a list of open ports for each
server participating in the test. Which of these would be the BEST way to
gather this information?
❍ A. Capture network traffic with a protocol analyzer
❍ B. Send a phishing email with an application survey
❍ C. Use social engineering on the main switchboard operator
❍ D. Run a network scanner on each server’s IP address

A

D. Run a network scanner on each server’s IP address

A network scanner, or port scanner, is designed to query every possible
port on an IP address and log any ports that appear to be open. This can
sometimes be time consuming, so collecting this information prior to a
penetration test can decrease the timeframe required for the pentest.
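
Added example, not from the original flashcards, serving this card and card 50: a TCP connect port scanner in Python that builds the per-server inventory of open ports described here, and whose every probe is a completed connection the target or an IPS can log, which is what makes the scan active reconnaissance. To run offline, the block opens its own listening socket on a random local port and scans a window around it; the timeout and thread count are assumptions, and nothing here should be pointed at hosts outside an agreed scope.

```python
import socket
from concurrent.futures import ThreadPoolExecutor


def scan_port(host, port, timeout=0.5):
    """TCP connect scan of one port: a completed three-way handshake means open.
    Every probe is a real connection that the target (or an IPS) can log."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        return s.connect_ex((host, port)) == 0


def scan_ports(host, ports, workers=64, timeout=0.5):
    """Return the sorted list of open ports on one host, probing in parallel."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = pool.map(lambda p: (p, scan_port(host, p, timeout)), ports)
        return sorted(p for p, is_open in results if is_open)


def scan_targets(targets, ports):
    """Build the pre-test inventory: {ip: [open ports]} for every server in scope."""
    return {host: scan_ports(host, ports) for host in targets}


def start_local_listener():
    """Open a listening socket on a random loopback port so the scan has something
    to find; a stand-in for a server in scope that keeps the example self-contained."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    srv, port = start_local_listener()
    try:
        window = range(max(1, port - 5), port + 6)
        print("listener on", port, "inventory:", scan_targets(["127.0.0.1"], window))
    finally:
        srv.close()
```

A connect scan is the noisiest kind of port scan; each open port produces a full connection in the server's logs, which is the reason the card treats it as active rather than passive reconnaissance.
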
The incorrect answers:
A. Capture network traffic with a protocol analyzer
If a packet capture would be possible, it would certainly contain a subset
of open ports on a server. Unfortunately, it would only show the ports that
were in use during the capture, and it would not provide a comprehensive
list of all open ports across all servers of interest.
B. Send a phishing email with an application survey
Asking the users for application information might provide some insight
into possible open ports, but it wouldn’t associate those applications
with any particular IP address. The survey would also not provide a
comprehensive list of all open ports across all servers.
C. Use social engineering on the main switchboard operator
Social engineering is useful for gathering information about people or
company processes, but it doesn’t help gather information about open ports
on an IP address.

SY0-501, Objective 2.2 - Software Security Tools

63
Q

A company has identified a web server data breach that resulted in the
theft of 150 million customer account records containing financial
information. A study of the events leading up to the breach show that a
security update to the company’s web server software was available for two
months prior to the breach. Which of the following would have prevented
this breach from occurring?
❍ A. Patch management
❍ B. Full disk encryption
❍ C. Disable unnecessary services
❍ D. Application whitelisting

A

A. Patch management

This question describes an actual breach that occurred in 2017 to web
servers at a large credit bureau. This breach resulted in the release of
almost 150 million customer names, Social Security numbers, addresses,
and birth dates. A web server vulnerability announced in March of 2017
was left unpatched, and attackers exploited the vulnerability two months
later in May. The attackers were in the credit bureau network for 76 days
before they were discovered. A formal patch management process would
have clearly identified this vulnerability and would have given the credit
bureau the opportunity to mitigate or patch the vulnerability well before it
would have been exploited.

The incorrect answers:
B. Full disk encryption
Full disk encryption (FDE) would prevent unauthenticated access to the
data, but the web server would be an authorized user and would have
normal access to the areas of the operating system that are necessary for
normal operation. Enabling FDE would not provide any additional security
against a data breach.
C. Disable unnecessary services
It’s always a good best practice to disable unnecessary services, but this
breach attacked a very necessary web service.
D. Application whitelisting
Whitelisting applications would prevent unauthorized applications from
running, but it would not prevent an attack to the whitelisted web service
application.

SY0-501, Objective 3.3 - Operating System Security

64
Q

During a regional power outage, a company was unable to process credit
card transactions through the point of sale terminal. To work around this
issue, the cashiers manually recorded the card information and called
the credit card clearinghouse for approval. Which of these would BEST
describe this recovery process?
❍ A. Alternate business practice
❍ B. Tabletop exercise
❍ C. Failover
❍ D. Differential recovery

A

A. Alternate business practice

Modifying the normal business process for another working option is an
alternate business practice. This alternate can be less efficient, but it can
provide a useful option while the original business practice is unavailable.

The incorrect answers:
B. Tabletop exercise
Performing a full-scale disaster drill can be costly and time consuming.
Most of the logistics associated with the disaster recovery process can
instead be discussed in a conference room using a tabletop exercise. This
simulated disaster process is often used to work through logistics without
physically performing an actual drill.
C. Failover
A failover process allows for the normal recovery of a business process
without any significant change to normal operations. In this example, the
business process itself was significantly affected by the power outage, and a
failover did not appear to be in operation.
D. Differential recovery
A differential backup creates a copy of every file that has changed since
the last full backup. A differential recovery uses a full backup and each
differential backup to complete the recovery process.

SY0-501, Objective 5.6 - Continuity of Operation

65
Q

A system administrator has identified an unexpected username on a
database server, and can see that the user has been transferring database
files to an external server over the company’s Internet connection. The
administrator then performed these tasks:
• Physically disconnected the Ethernet cable on the database server
• Disabled the unknown account
• Configured a firewall rule to prevent file transfers from the server
Which of the following would BEST describe this part of the incident
response process?
❍ A. Eradication
❍ B. Containment
❍ C. Lessons learned
❍ D. Preparation

A

B. Containment

The containment phase isolates events that can quickly spread and get out
of hand. A file transfer from a database server can quickly be contained by
disabling any ability to continue the file transfer.

The incorrect answers:
A. Eradication
Eradication focuses on removing the cause of the event and restoring the
systems back to their non-compromised state.
C. Lessons learned
After the event is over, the lessons learned phase helps everyone learn and
improve the process for the next event.
D. Preparation
Before an event occurs, it’s important to have the contact numbers, tools,
and processes ready to go.
SY0-501, Objective 5.4 - Incident Response Process

66
Q

A recent audit has found that an internal company server is using
unencrypted FTP to transfer files from a building HVAC system. Which of
the following should be configured to provide secure data transfers?
❍ A. Require secure LDAP
❍ B. Install web services with HTTPS
❍ C. Create a DNSSEC record
❍ D. Install an SSL certificate for the FTP service

A

D. Install an SSL certificate for the FTP service

FTPS (FTP Secure) is FTP (File Transfer Protocol) protected by TLS
(Transport Layer Security), historically SSL (Secure Sockets Layer). To enable
it, the server needs an X.509 certificate that the FTP service can present to
clients, and the client side, here the HVAC system, must also support FTPS.

The incorrect answers:
A. Require secure LDAP
LDAP is commonly used for authentication and directory services, so
securing LDAP would not provide any data confidentiality for FTP data
transfers.
B. Install web services with HTTPS
HTTPS would provide encrypted data transfers for web services, but it
would not provide any additional encryption capabilities for the FTP
protocol.
C. Create a DNSSEC record
DNSSEC (Domain Name System Security Extensions) can be used to
validate DNS responses, but it does not provide any additional encryption
or confidentiality for FTP.

SY0-501, Objective 2.6 - Secure Protocols

67
Q

A technology startup has hired sales teams that will travel to different
cities for product demonstrations. Each salesperson will receive a laptop
with applications and data to support their sales efforts. The IT manager
would like to prevent third-parties from gaining access to this information
if the laptop is stolen. Which of the following would be the BEST way to
protect this data?
❍ A. Remote wipe
❍ B. Full disk encryption
❍ C. Biometrics
❍ D. BIOS user password

A

B. Full disk encryption

With full disk encryption, everything written to the laptop’s local drive is
stored as encrypted data. If the laptop was stolen, the thief would not have
the credentials to decrypt the drive data.

The incorrect answers:
A. Remote wipe
Although a remote wipe function is useful, it’s a reactive response that does
not provide any data protection prior to the wipe.
C. Biometrics
Biometric authentication can limit access to the operating system, but the
laptop’s storage drive can still be removed and read from another computer.
D. BIOS user password
Adding a power-on BIOS password would help prevent any unauthorized
access to the operating system, but the password doesn’t provide any
protection for the data on the laptop’s storage drive.

SY0-501, Objective 2.5 - Mobile Device Management

68
Q

A company often invites vendors for meetings in the corporate conference
room. During these meetings, the vendors often require an Internet
connection for demonstrations. Which of the following should the
company implement to maintain the security of the internal network
resources?
❍ A. NAT
❍ B. Ad hoc wireless workstations
❍ C. Intranet
❍ D. Guest network with captive portal

A

D. Guest network with captive portal

A guest network would allow access to the Internet but prevent any access
to the internal network. The captive portal would prompt each guest for
authentication or to agree to terms of use before granting access to the
network.

The incorrect answers:
A. NAT
NAT (Network Address Translation) is a method of modifying IP addresses
when traversing the network, but NAT itself does not provide any
additional security mechanisms.
B. Ad hoc wireless workstations
Ad hoc wireless devices are able to communicate with each other without
the use of an access point. There are no additional security features
included with an ad hoc connection.
C. Intranet
The intranet is a private internal network used by company employees. It’s
common to provide the highest protection to the intranet resources, so a
company would not commonly connect the intranet to a public conference
room.

SY0-501, Objective 3.2 - Secure Network Topologies

69
Q

Which of the following would be the BEST way for application developers
to test their code without affecting production systems?
❍ A. Use a firewall to separate the development network
❍ B. Configure the developer accounts for least functionality
❍ C. Run the applications in a sandbox
❍ D. Disable unnecessary services

A

C. Run the applications in a sandbox

A sandbox ensures that code will run in its own private environment
without any interaction with outside devices or services.

The incorrect answers:
A. Use a firewall to separate the development network
Although a firewall is a good best practice for separating networks, some
traffic may be able to traverse the firewall and could potentially impact the
production environment.
B. Configure the developer accounts for least functionality
All user accounts should be configured for least functionality, but running
and testing code is certainly part of an application developer’s primary
responsibilities. Configuring for least functionality would not limit or
restrict access to the production network.
D. Disable unnecessary services
Unnecessary services should always be disabled, but disabling those
services would not generally provide any protection to the production
network.

SY0-501, Objective 3.4 - Secure Deployments

70
Q

A set of corporate security policies is what kind of security control?
❍ A. Compensating
❍ B. Detective
❍ C. Administrative
❍ D. Physical

A

C. Administrative

An administrative control is a guideline that would control how people act,
such as security policies and standard operating procedures.

The incorrect answers:
A. Compensating
A compensating security control doesn’t prevent an attack, but it does
restore from an attack using other means. A security policy does not
provide a way to restore from an attack.
B. Detective
A detective control may not prevent access, but it can identify and record
any intrusion attempts. Security policies do not provide any identification
or recording of intrusions.
D. Physical
A physical control would block access. For example, a door lock or security
guard would be a physical control.

SY0-501, Objective 5.7 - Security Controls

71
Q

Which of the following would be the MOST significant security concern
when protecting against organized crime?
❍ A. Prevent users from posting passwords near their workstations
❍ B. Require identification cards for all employees and guests
❍ C. Maintain reliable backup data
❍ D. Use mantraps at all data center locations

A

C. Maintain reliable backup data

Organized crime is often after data, and can sometimes encrypt or delete
data on a service. A good set of backups can often resolve these issues
quickly and without any ransomware payments to an organized crime
entity.

The incorrect answers:
A. Prevent users from posting passwords near their workstations
Organized crime members usually access systems remotely. Although
it’s important that users don’t write down their passwords, the organized
crime members aren’t generally in a position to see them.
B. Require identification cards for all employees and guests
Since the organized crime members rarely visit a site, having identification
for employees and visitors isn’t the largest concern associated with this
threat actor.
D. Use mantraps at all data center locations
Mantraps control the flow of people through an area, and organized crime
members aren’t usually visiting a data center.

SY0-501, Objective 1.3 - Threat Actors

72
Q

An application team has been provided with a hardened version of Linux
to use for a new application rollout, and they are installing a web service
and the application code on the server. Which of the following should the
application team implement to BEST protect the application from attacks?
❍ A. Build a backup server for the application
❍ B. Run the application in a cloud-based environment
❍ C. Implement a secure configuration of the web service
❍ D. Send application logs to the SIEM via syslog

A

C. Implement a secure configuration of the web service

The support pages for many services will include a list of hardening
recommendations. This hardening may include account restrictions, file
permission settings, internal service configuration options, and other
settings to ensure that the service is as secure as possible.

The incorrect answers:
A. Build a backup server for the application
Of course, you should always have a backup. Although the backup may
help recover quickly from an attack, the backup itself won’t protect the
application from attacks.
B. Run the application in a cloud-based environment
The location of the application service won’t provide any significant
protection against attacks. Some cloud-based services may include some
additional security features, but many do not. Given the options available,
running the application in the cloud would not be the best option available.
D. Send application logs to the SIEM via syslog
It’s always useful to have a consolidated set of logs, but the logs on the
SIEM (Security Information and Event Management) server won’t protect
the application from attacks.

SY0-501, Objective 3.1 - Secure Configuration Guides

73
Q

A system administrator has configured MAC filtering on the corporate
access point, but access logs show that unauthorized users are accessing
the network. The administrator has confirmed that the address filter
includes only authorized MAC addresses. Which of the following should
the administrator configure to prevent this unauthorized use?
❍ A. Enable WPA2 encryption
❍ B. Remove unauthorized MAC addresses from the filter
❍ C. Modify the SSID name
❍ D. Modify the channel

A

A. Enable WPA2 encryption

A MAC (Media Access Control) address can be spoofed on a remote
device, which means anyone within the vicinity of the access point can
view legitimate MAC addresses and spoof them to avoid the MAC filter. To
ensure proper authentication, the system administrator can enable WPA2
(Wi-Fi Protected Access version 2) and use a shared password or configure
802.1X to integrate with an existing name service.

The incorrect answers:
B. Remove unauthorized MAC addresses from the filter
Since MAC addresses are visible when capturing packets, any unauthorized
users affected by the removal of a MAC address would simply obtain the
remaining MAC addresses in use and spoof those addresses to gain access.
C. Modify the SSID name
The SSID (Service Set Identifier) is the name associated with the wireless
network. The name of the access point is not a security feature, so
changing the name would not provide any additional access control.
D. Modify the channel
The frequencies used by the access point are chosen to minimize
interference with nearby wireless devices. These wireless channels are not
security features and changing the frequency would not limit unauthorized
access.

SY0-501, Objective 2.1 - Access Points

74
Q

Walter, a security administrator, is evaluating a new application that uses
HTTPS to transfer information between a database and a web server.
Walter wants to ensure that this traffic flow will not be vulnerable to a
man-in-the-middle attack. Which of the following should Walter examine
while the application is executing to check for this type of vulnerability?
❍ A. The FQDN of the web server
❍ B. The IP address of the database server
❍ C. The digital signature on the web server certificate
❍ D. The session ID associated with the authenticated session

A

C. The digital signature on the web server certificate

The digital signature on the certificate is signed by a trusted certificate
authority (CA). If the certificate viewed in the browser is not signed by the
expected CA, then a man-in-the-middle attack may be in progress.

The incorrect answers:
A. The FQDN of the web server
The FQDN (Fully Qualified Domain Name) of the web server will show the
server name used by the application, but it won’t provide any notification
that a man-in-the-middle attack has occurred.
B. The IP address of the database server
The name and IP address of the end devices do not have to change for
a man-in-the-middle attack to occur. In some cases, there’s no obvious
difference between a normal traffic flow and a traffic flow that has been
subject to a man-in-the-middle attack.
D. The session ID associated with the authenticated session
A common client hijacking attack involves the use of valid session IDs.
This would allow a third-party to connect to a device without requiring any
additional authentication, but simply viewing the session ID would not
indicate a man-in-the-middle attack.

SY0-501, Objective 1.2 - Man-in-the-Middle

75
Q

During an initial network connection, a supplicant communicates to an
authenticator, which then sends an authentication request to an Active
Directory database. Which of the following would BEST describe this
authentication technology?
❍ A. RADIUS Federation
❍ B. AES
❍ C. 802.1X
❍ D. PKI

A

C. 802.1X

IEEE 802.1X is a standard for port-based network access control (NAC).
When 802.1X is enabled, devices connecting to the network do not
gain access until they provide the correct authentication credentials.
This 802.1X standard refers to the client as the supplicant, the switch
is commonly configured as the authenticator, and the back-end
authentication server is a centralized user database such as Active
Directory.

The incorrect answers:
A. RADIUS Federation
RADIUS (Remote Authentication Dial-In User Service) Federation is a
method of combining federation with the RADIUS protocol. This would
allow members of one organization to authenticate to the network of
another organization using their normal credentials.
B. AES
AES (Advanced Encryption Standard) is a common encryption protocol,
and it does not describe a supplicant, authenticator, or authentication
server.
D. PKI
PKI (Public Key Infrastructure) is a method of describing the public-key
encryption technologies and the supporting policies and procedures. PKI
does not require the use of supplicants, authenticators, or authentication
servers.

SY0-501, Objective 6.3 - Wireless Authentication Protocols

76
Q

A security administrator would like to use employee-owned mobile phones
to unlock the door of the data center using a sensor on the wall. The users
would authenticate on their phones with a fingerprint before the door
would unlock. Which of the following features should the administrator
use? (Select TWO)
❍ A. NFC
❍ B. Remote wipe
❍ C. Containerization
❍ D. Biometrics
❍ E. Push notification

A

A. NFC and D. Biometrics

The wall sensor will be activated with the phone’s NFC (Near-field
Communication) electronics and would authenticate using the biometric
fingerprint reader on the phone.

The incorrect answers:
B. Remote wipe
Although remote wipe can be a useful management tool for a mobile
device, there’s no need to include remote wipe capabilities with this
particular application. The door unlocking process would still require
authentication using the user’s fingerprint if the phone was lost or stolen.
C. Containerization
This application doesn’t appear to store any confidential local data,
so keeping the enterprise data separate from the personal data isn’t a
significant concern.
E. Push notification
A push notification will cause alerts to appear on the phone without any
user intervention. In this app, all of the actions are initiated by the user.

SY0-501, Objective 2.5 - Mobile Device Management

77
Q

A server administrator would like to enable an encryption mechanism on
a web site that would also ensure non-repudiation. Which of the following
should be implemented on the web server?
❍ A. 3DES (Triple DES)
❍ B. MD5 (Message Digest version 5)
❍ C. ECB (Electronic Codebook)
❍ D. RSA (Rivest, Shamir, and Adleman)

A

D. RSA

RSA (Rivest, Shamir, and Adleman) asymmetric encryption includes
the ability to encrypt, decrypt, and digitally sign data to ensure
non-repudiation. Non-repudiation would ensure that the information
received by a client can be verified as sent by the server.

The incorrect answers:
A. 3DES
3DES (Triple DES) is a symmetric encryption algorithm that encrypts,
decrypts, and encrypts again with different symmetric keys. 3DES does not
provide any method of non-repudiation.
B. MD5
MD5 (Message Digest version 5) is a hashing algorithm and not a method
of non-repudiation.
C. ECB
ECB (Electronic Codebook) is a block cipher used for simple encryption
tasks. ECB does not include a method for non-repudiation.

SY0-501, Objective 6.2 - Asymmetric Algorithms

78
Q

A manufacturing company is working with a third-party to perform a
vulnerability scan of their application services. The company would
like a list of vulnerabilities that employees could possibly exploit on the
company’s internal networks. Which of the following would be the BEST
way for the third-party to meet this requirement?
❍ A. Run a credentialed vulnerability scan
❍ B. Capture packets of the application traffic flows from
the internal network
❍ C. Identify an exploit and perform a privilege escalation
❍ D. Scan the network during normal working hours

A

A. Run a credentialed vulnerability scan

A credentialed scan would provide login access and allow the scan to run as
a standard user on the network.

The incorrect answers:
B. Capture packets of the application traffic flows from
the internal network
A non-intrusive packet capture would not provide any significant
vulnerability information, and it would not be possible to test for
additional vulnerabilities with just the packets.
C. Identify an exploit and perform a privilege escalation
There’s no guarantee that any of the systems will be vulnerable to an
exploit, and there’s also no guarantee that such an exploit would provide
any user access.
D. Scan the network during normal working hours
Scanning a network from the outside or without credentials would not
provide a list of vulnerabilities from the user’s perspective, regardless of the
time of day.

SY0-501, Objective 1.5 - Vulnerability Scanning

79
Q

A company has recently moved from one accounting system to another,
and the new system includes integration with many other divisions of the
organization. Which of the following would ensure that the correct access
has been provided to the proper employees in each division?
❍ A. Location-based policies
❍ B. On-boarding process
❍ C. Account deprovisioning
❍ D. Permission and usage audit

A

D. Permission and usage audit

A permission and usage audit will verify that all users have the correct
permissions and that all users meet the practice of least privilege.

The incorrect answers:
A. Location-based policies
Location-based policies would assign rights and permissions based on
physical location. For example, a location-based policy might allow users
to log in from local IP address ranges but not from locations outside of the
corporate offices.
B. On-boarding process
The on-boarding process is used when a new person is hired or transferred
into the organization. In this example, none of the users were identified as
new employees.
C. Account deprovisioning
Account deprovisioning is the disabling of an account and archiving of user
information. This process usually occurs when an employee has left the
organization.

SY0-501, Objective 4.4 - Account Management

80
Q

An attacker has circumvented a web-based application to send commands
directly to a database. Which of the following would describe this attack
type?
❍ A. Session hijack
❍ B. SQL injection
❍ C. Cross-site scripting
❍ D. Man-in-the-middle

A

B. SQL injection

A SQL (Structured Query Language) injection takes advantage of poorly
written web applications. These web applications do not properly restrict
the user input, and the resulting attack bypasses the application and
“injects” SQL commands directly into the database itself.

The incorrect answers:
A. Session hijack
If a third-party obtained the session ID of an already-authenticated user,
they could effectively communicate directly to the application without
a username and password. A session hijack by itself would not allow for
direct database communication.
C. Cross-site scripting
A cross-site scripting attack commonly uses scripts at one web site to
execute commands on other sites. These types of attacks take advantage of
the trust of a local browser, but they don’t commonly have direct access to
a database.
D. Man-in-the-middle
A man-in-the-middle attack is often used to capture, monitor, or inject
information into an existing data flow. A man-in-the-middle attack is not
commonly used for SQL injection attacks.

SY0-501, Objective 1.2 - Data Injection

81
Q

Two companies have merged, but they will be maintaining separate
network infrastructures. However, the security administrators of both
companies would like to share information between the two companies.
If a user is properly authenticated on either network, they should
automatically gain access to resources on the other network without any
additional authentication. Which of the following would provide this
functionality?
❍ A. Two-way trust
❍ B. Multi-factor authentication
❍ C. Non-transitive trust
❍ D. Single-factor authentication

A

A. Two-way trust

A two-way trust creates a trust relationship between two domains that act
as peers. The two domains trust each other equally.

The incorrect answers:
B. Multi-factor authentication
A multi-factor authentication uses more than one factor to authenticate a
single user. The trust relationship described in the question describes the
access that is provided once the authentication is complete.
C. Non-transitive trust
Non-transitive trusts are specifically created and apply only to a single
domain.
D. Single-factor authentication
Single-factor authentication uses one factor during the authentication
process. The trust relationship in the question describes the access once
the authentication is complete.

SY0-501, Objective 4.1 - AAA and Authentication

82
Q

A development team has instituted a life-cycle that relies on a sequential
design process. Each step of the process must be completed before the
next step can begin. Which of the following life-cycle models is being used
by the developers?
❍ A. Agile
❍ B. Rapid
❍ C. Anamorphic
❍ D. Waterfall

A

D. Waterfall

The waterfall life-cycle of software development separates the process
into sequential phases where one phase occurs at a time, and the output
of that phase provides the deliverable for the next phase. For example, the
requirements process might occur first, and only after the requirements are
complete can the process continue to the analysis phase.

The incorrect answers:
A. Agile
The agile development model relies on the quick creation of code, ongoing
collaboration with the customer, and a quick response to change and
update the software as the project proceeds.
B. Rapid
The rapid, or rapid prototyping model, creates a working model of an
application that can then be examined and evaluated before any final code
is written.
C. Anamorphic
An anamorphic development model focuses on the scope of a project to
build multiple iterations of an application before a final version is created.

SY0-501, Objective 3.6 - Development Life-Cycle Models

83
Q

A company runs two separate applications out of their data center. The
security administrator has been tasked with preventing all communication
between these applications. Which of the following would be the BEST
way to implement this security requirement?
❍ A. Firewall
❍ B. Protected distribution
❍ C. Air gap
❍ D. VLANs

A

C. Air gap

An air gap is a physical separation between networks. Air gapped networks
are commonly used to separate networks that must never communicate to
each other.

The incorrect answers:
A. Firewall
A firewall would provide a method of filtering traffic between networks,
but firewalls can often be misconfigured and inadvertently allow some
traffic to pass. Although this is one option, it’s not the best option given the
alternative of an air gap.
B. Protected distribution
A protected distribution is a physically secure cabled network. This usually
consists of a sealed metal conduit to protect from taps and cable cuts. A
protected distribution does not restrict traffic between networks.
D. VLANs
A VLAN (Virtual Local Area Network) is a logical method of segmenting
traffic within network switches. Although this segmentation is effective, it’s
not as secure as an air gap.

SY0-501, Objective 3.9 - Physical Security Controls

84
Q

A receptionist at a manufacturing company recently received an email
from the CEO that asked for a copy of the internal corporate employee
directory. The receptionist replied to the email and attached a copy of
the directory. It was later determined that the email address was not sent
from the CEO and the domain associated with the email address was not
a corporate domain name. What type of training could help prevent this
type of situation in the future?
❍ A. Recognizing social engineering
❍ B. Using emails for personal use
❍ C. Proper use of social media
❍ D. Understanding insider threats

A

A. Recognizing social engineering

Impersonating the CEO is a common social engineering technique. There
are many ways to recognize a social engineering attack, and it’s important
to train everyone to spot these situations when they are occurring.

The incorrect answers:
B. Using emails for personal use
It’s important that everyone understands the proper use of email and
avoids personal use of the corporate email service. In this instance,
however, the receptionist was not using email for personal use.
C. Proper use of social media
The attack vector used in this situation was email. Social media sites were
not used in this particular example.
D. Understanding insider threats
Although the attacker wasn’t identified, we could assume that an employee
would already have access to the internal corporate employee directory.

SY0-501, Objective 2.3 - Common Security Issues

85
Q

A company’s security engineer is working on a project to simplify the
employee onboarding and offboarding process. One of the project goals is
to allow individuals to use their personal phones for work purposes. If the
user leaves the company, the company data will be removed but the user’s
data would remain intact. Which of these technologies would meet this
requirement?
❍ A. Policy management
❍ B. Geofencing
❍ C. Containerization
❍ D. Storage encryption

A

C. Containerization

The storage segmentation of containerization keeps the enterprise apps
and data separated from the user’s apps and data. During the offboarding
process, only the company information is deleted and the user’s personal
data is retained.

The incorrect answers:
A. Policy management
Policies can often be managed through a mobile device manager, allowing
the security administrator to limit the use of certain apps, camera
functions, or data storage. These management functions are important, but
they don’t necessarily affect the separation of storage or removal of data
inside of the mobile device.
B. Geofencing
Geofencing restricts or allows features when a mobile device is in a
particular location. Geofencing will not have any effect on the separation
of data inside of a mobile device.
D. Storage encryption
If a mobile device is lost or stolen, storage encryption ensures that the data
will remain confidential. The encryption process itself does not provide any
separation between enterprise data and user data.

SY0-501, Objective 2.5 - Mobile Device Management