Practice Test 2 Flashcards

1
Q

Which technology solution takes complex concepts and breaks them into simpler elements?

A

Deep Learning

Deep learning is a type of machine learning that deconstructs knowledge into a series of smaller, simpler parts. Complex concepts are broken down into simpler elements of knowledge so they can be used to interpret data.

2
Q

A security engineer looks to change the Extensible Authentication Protocol (EAP) authentication method between client workstations and server systems. If the current solution uses the Protected Access credential, which EAP implementation does the engineer look to replace?

A

EAP with Flexible Authentication via Secure Tunneling (EAP-FAST)

EAP with Flexible Authentication via Secure Tunneling (EAP-FAST) uses a Protected Access Credential (PAC), which is generated for each user from the authentication server’s master key.

3
Q

An engineer deploys a cloud access security broker (CASB) solution to mediate access to cloud services. The goal is for users’ local and cloud access to be in sync with one another. What solution describes the engineer’s deployment?

A

An API-based CASB brokers connections between the cloud service and the cloud consumer.

With an application programming interface (API), rather than placing a CASB appliance or host inline, an API-based CASB brokers connections between the cloud service and the cloud consumer.

4
Q

Security experts look to implement protection methods against distributed denial-of-service (DDoS) attacks at data facilities. Blackhole routing is implemented for one of the critical systems. What have the experts achieved with this configuration?

A

Traffic intended for the system is dropped.

Blackhole routing takes all the traffic intended for an endpoint and essentially drops it. This approach drops both legitimate and malicious traffic.

5
Q

Network administrators look to harden a corporate network. Initial testing results in discovering that wireless signals from the private network extended further into a public area than expected. How have the administrators discovered this vulnerability?

A

Vulnerability scans

Vulnerability scans, such as a wireless scan, can identify the configuration and signal coverage of an organization’s wireless network, for example, to determine if the hardware is vulnerable to known attacks.

6
Q

Security engineers are engaged in threat intelligence training. They are focused on understanding the overarching objectives, intentions, and broader goals of potential threat actors. Which type of threat intelligence predominantly discusses this aspect of adversarial motivation?

A

Strategic

Strategic threat intelligence is focused on big-picture, leadership-focused information typically associated with reports. The information is used to help identify the motivations, capabilities, and intentions of various threat actors.

Tactical threat intelligence is focused on the tactics, techniques, and procedures (TTPs) of a threat actor.

Operational threat intelligence is collected from the organization’s infrastructure and includes logs and the information reported by SIEM platforms.

7
Q

A security engineer utilizes the Extensible Authentication Protocol (EAP) between client workstations and server systems. If the solution uses public key certificates on both clients and servers, which EAP implementation does the engineer deploy?

A

EAP Transport Layer Security (EAP-TLS)

EAP Transport Layer Security (EAP-TLS) is one of the strongest types of authentication. An encrypted Transport Layer Security (TLS) tunnel is established between a client and a server using public-key certificates on the server and client.

8
Q

A server engineer improves a virtual server’s performance by adding additional resources such as memory and more processor cores. The engineer has used which scaling type?

A

Vertical

By scaling vertically, additional resources are added to an individual system, such as adding processors, memory, and storage to an existing server.

9
Q

A newly formed company has purchased .com, .cc, and .org domains to establish its presence online. The company would like to use a single certificate for all of the domains. Which field in a domain certificate can be used for this purpose?

A

Subject Alternative Name (SAN)

A certificate subject alternative name (SAN) provides a way to identify names other than what is identified in the common name (CN), so the certificate can be used with other domain names.

10
Q

An attacker gains access to a sensitive shared folder. What might a security engineer configure to directly mitigate the problem?

A

Adjust ACL rules

Modifying access control list (ACL) rules can block or limit access to resources, such as blocking access to files and folders or blocking write access from specific accounts.

11
Q

A critical system at an organization is placed on a subnet between two firewalls with one edge restricting access from a public network. Which solution protects this critical system?

A

By creating a screened subnet

A screened subnet uses two firewalls placed on either side of the DMZ. The edge firewall restricts traffic on the external/public interface and allows permitted traffic to the hosts in the DMZ.

12
Q

When using a virtual private network (VPN) on a mobile device, which would provide always-on functionality?

A

Operating system

An operating system level VPN offers comprehensive protection of device traffic because it operates at a low level of the operating system and captures all device traffic as a result. An OS-level VPN can be configured to operate as “always-on.”

13
Q

Some protocol security methods can provide data integrity while others can provide confidentiality as well. An engineer chooses to implement a solution that does both. Which specific protocol does the engineer use that will encrypt a packet?

A

Encapsulating Security Payload (ESP)

The Encapsulating Security Payload (ESP) provides confidentiality and/or authentication and integrity. The TCP header and payload from the original packet are encapsulated within ESP and then encrypted to provide confidentiality.

14
Q

Which web traffic protection method is configured on an SSL/TLS web server to periodically obtain a time-stamped Online Certificate Status Protocol (OCSP) response from the certificate authority?

A

Certificate Stapling

Certificate stapling resolves certificate pinning issues by having an SSL/TLS web server periodically obtain a time-stamped OCSP response from the CA.

15
Q

Management at a law firm asks that IT implement a warning system if files are copied from internal servers without proper authorization. What solution does IT configure to satisfy this requirement?

A

Data loss prevention (DLP)

Data loss prevention (DLP) products automate the discovery and classification of data types and enforce rules so that data is not viewed or transferred without proper authorization.

16
Q

Security engineers perform threat intelligence training. Which approach uses threat intelligence in a practical and actionable way?

A

Emulation

Emulation exercises help teams test and improve their skills and capabilities and also force the interpretation and use of threat intelligence in a practical and actionable way.

17
Q

An organization performs a risk management exercise as it relates to server security. Experts examine a workflow that involves the replication of files from one server to another. The replication is found to not use any form of encryption for data. The experts document this finding during which phase of the exercise?

A

Identification of known vulnerabilities

Identification of any vulnerabilities for each function or workflow is useful in determining what risk exists and how to harden systems. Unencrypted data and communications are susceptible to attack.

18
Q

A security expert examines a server system for malicious processes. Which tool will the experts find helpful in determining dependencies for a process?

A

ldd

The ldd utility can be used to display a program’s dependencies. For example, issuing the command sudo ldd /sbin/poweroff displays all of the shared libraries required by the Linux poweroff command.

19
Q

Developers test a newly developed software application for vulnerabilities by entering malformed data at data entry points. What vulnerability assessment method do the developers attempt with this approach?

A

Fuzz testing

Fuzz testing is a black-box testing method using specialty software tools designed to identify problems and issues with an application by purposely inputting malformed data.

20
Q

Servers at a data center are now protected with a data loss prevention (DLP) solution. A remediation policy is configured such that any user is prevented from copying files, but access to read any files remains. What remediation policy is in place?

A

Block

A block policy prevents users from copying the original file but they retain access to it. Users may or may not be alerted to the policy violation, but it will be logged as an incident by the management engine.

21
Q

Users at an organization access sensitive data throughout the business day. The IT department has concerns that while the data is in volatile memory it is at risk of compromise. Which data state is the IT department concerned with?

A

Data in use

Data in use is the state when data is present in volatile memory, such as system RAM or CPU registers and cache. Data that may be in use includes documents open in a word processing application.

22
Q

A forensics team investigates a compromised server. The server is powered on and the team looks to do a live collection of real-time system information. Which tool does the team find suited for the task?

A

vmstat

The vmstat command-line utility is designed to display real-time information about system memory, running processes, interrupts, paging, and I/O statistics.

23
Q

An engineer discovers that an attack occurred on a system via a backdoor through a connected application. What enabled this form of attack?

A

API

APIs provide the core mechanisms that enable application integration and orchestration. APIs can be exploited to gain access to protected features of the underlying platform or used to extract sensitive data.

24
Q

An organization plans to configure several domain names to represent new product launches online. The organization goes through an extended validation process to prove its identity. What certificate feature is not possible when using extended validation?

A

Wildcard

Extended Validation (EV) is a process that requires more rigorous checks on the subject’s legal identity and control over the domain or software being signed. A drawback to EV certificates is that they cannot be issued for a wildcard domain.

25
Q

After a system compromise, a security engineer attempts to connect to an adversary’s system as a hack-back action. What incident type does the engineer respond to?

A

Data exfiltration

Data exfiltration playbooks include notification requirements and network forensic analysis. Deleting copies of data on an adversary’s system is considered to be a hack-back action and may only offer limited mitigation.

26
Q

An application specialist suggests using a particular application in a virtualized environment to avoid configuring additional workstations for the sake of using one piece of software. What does the specialist suggest using?

A

Containers

Application cell/container virtualization dispenses with the idea of a hypervisor and instead enforces resource separation at the operating system level. The OS defines isolated “cells” for each user instance to run in.

27
Q

The Lockheed Martin cyber kill chain outlines an adversary’s attack. During which phase would maintaining access to a system take place?

A

Installation

Installation describes the post-exploitation work needed in order to maintain access to a system, such as installing additional tools and/or modifying the device or environment.

28
Q

A penetration tester performs a vulnerability assessment and analysis at a manufacturing firm. The tester uses a packet capture utility to collect the state of an application as it operates. What approach does the tester use to collect information, even if it is encrypted?

A

Side-channel analysis

Side-channel analysis describes inspection of a system and/or software as it operates. Even if traffic is encrypted, information can be collected about the state of an application or about the endpoints and/or users interacting with it.

29
Q

A security team looks to implement protection methods against distributed denial-of-service (DDoS) attacks at a server farm. Rate limiting is considered for one of the critical server systems. What will the experts achieve with this solution?

A

Rules dictate the amount of throughput

Rate limiting can be used to reduce the amount of throughput available to the server or service being attacked.

30
Q

A sysadmin thinks a malicious process is preventing a service from starting on a Windows server. In which log would the event be recorded?

A

Application

The Windows Application Event log displays events generated by applications and services. This includes information such as when a service cannot start properly.

31
Q

Management at a company looks to understand and implement embedded systems in a large facility that is under construction. With a goal of using sensors on a conveyor belt system that will send a trigger to the main system, which type does management consider?

A

Programmable Logic Controller (PLC)

Programmable Logic Controllers are used in industrial settings and are a form of digital computer designed to enable automation. PLCs interact with a wide range of sensors and can perform actions in response to triggers.

32
Q

A company requests that a newly implemented cloud presence be strengthened with a resilient architecture. Engineers suggest heterogeneity. If management at the company agrees, which solution will be implemented?

A

Using solutions from different vendors

Heterogeneous, or diverse, components are components that are not the same as or similar to each other. In an enterprise, these translate to the use of multiple vendor products in a security solution.

33
Q

A network administrator improves an application’s performance by adding additional servers to a cluster. The administrator has used which scaling type?

A

Horizontal

By scaling horizontally, additional capacity is achieved by adding servers to help process the same workload. Examples of this include adding nodes to a distributed system.

34
Q

Developers at a software publisher implement vulnerability analysis checks within the software development process. Which approach does the publisher use to identify any open source code within the software?

A

Software Composition Analysis

Software composition analysis involves the inspection of source code to identify any open-source components, including open-source code itself.

35
Q

A user at a company has violated an internal acceptable use policy. The policy was broken when the user changed from the stock ROM on a company-owned Android tablet to a custom ROM. How did the user accomplish installing the custom ROM?

A

Rooting

Rooting is associated with Android devices. Some vendors provide authorized mechanisms for users to access the root account on their devices. For some devices, it is necessary to exploit a vulnerability or use custom firmware.

36
Q

When managing risk, experts refer to the four common phases of Identify, Assess, Control, and Review as which concept?

A

Lifecycle

Risk management tasks are defined by a life cycle. The four major phases common to all risk management life cycles include Identify, Assess, Control, and Review.

37
Q

A server engineer manages server certificates. Which action does the engineer take during the certification life cycle to document certificates in use?

A

Inventory

Inventorying certificates formally documents certificates in use, including pertinent information to describe the certificate and its purpose, as well as issuance and expiration dates.

38
Q

An engineer deploys a cloud access security broker (CASB) solution to mediate access to cloud services by users across all types of devices. As the engineer utilizes a reverse proxy in the deployment, how is the CASB configured?

A

A proxy positioned at the cloud network edge and directs traffic to cloud services.

A reverse proxy is positioned at the cloud network edge and directs traffic to cloud services if the contents of that traffic comply with the policy. This approach does not require configuration of users’ devices.

A forward proxy is a security appliance or host positioned at the client network edge that forwards user traffic to the cloud network if the contents of that traffic comply with policy.

A forward proxy requires configuration of users’ devices or installation of an agent. In this mode, the proxy can inspect all traffic in real-time.

39
Q

A security administrator establishes several certification authority servers on a private network. Part of the configuration utilizes cross-certification. How does this approach benefit from issuing a certificate?

A

Multiple departments are combining resources.

Cross certification describes when a certificate is used to establish a trust relationship between two different certification authorities (CA). This can be useful when different organizations are combining resources.

40
Q

A systems administrator looks to harden server systems by first identifying any available and unnecessary services. What solution can accomplish this task efficiently?

A

Port scanner

A port scanner is used to identify available services running on a device by determining its open ports. A port scanner can be used for network discovery tasks and security auditing.

41
Q

Security experts perform forensic activities on a compromised server. Two of the experts perform repeatable methods on data using the same software tools during the investigation. By doing so, the experts utilize best practices during which investigative phase?

A

Analysis

During evidence analysis, ensuring that a copy can be related directly to the primary evidence source is important. Using repeatable methods and tools to analyze the evidence ensures accurate results.

42
Q

Authentication to a large business network uses Kerberos authentication via a smart card login. When a user initiates a login with the smart card, which process occurs first?

A

The private key is used to create a Ticket Granting Ticket (TGT) request

When using a smart card with a correct password or PIN, the smart card’s cryptoprocessor uses its private key to create a Ticket Granting Ticket (TGT) request.

43
Q

An organization considers a federation approach when it comes to credential management. For what reason might the organization consider this solution?

A

A network needs to be accessible to more than just a well-defined group of employees.

Federation is the notion that a network needs to be accessible to more than just a well-defined group of employees. In business, a company might need to make parts of its network open to partners, suppliers, and customers.

44
Q

Which technology provides Quality of Service (QoS) features required by modern industrial applications?

A

Data Distribution Service (DDS)

Data Distribution Service (DDS) enables network interoperability for connected machines and facilitates the scalability, performance, and Quality of Service (QoS) features required by modern industrial applications.

45
Q

Systems administrators discover that a company server has file transfer protocol (FTP) services running. As FTP is not required on this server, how might the administrator harden the system with no disruption?

A

Disable ports

Application service ports allow client software to connect to applications over a network. In this case, the FTP port should either be disabled or blocked at a firewall if remote access is not required.

46
Q

Developers at an organization look to place security concerns at the forefront of application development. If the developers choose to utilize dynamic application testing, which element do they put in place?

A

Security as Code

Security as Code (SaC) is an element of SecDevOps that uses automated methods to introduce static code analysis testing and dynamic application testing (DAST) as applications are developed.

47
Q

An engineer discovers that an attack occurred on an array of integrated systems through separate management interfaces. What software solution was the target of the attack?

A

Middleware

Middleware describes more comprehensive software applications designed to integrate two systems. These systems can often be separately managed and controlled.

48
Q

Wireless engineers at a large communications provider roll out Wi-Fi Protected Access 3 (WPA3) at a client site. Which security features influence the decision to utilize WPA3 over WPA2?

A

Simultaneous Authentication of Equals (SAE) and AES Galois Counter Mode Protocol (GCMP)

With WPA3, the Simultaneous Authentication of Equals (SAE) protocol replaces the 4-way handshake, which has been found to be vulnerable to various attacks. SAE uses the Dragonfly handshake.

AES Galois Counter Mode Protocol (GCMP) replaces the AES CCMP mode of operation. Enterprise authentication methods must use 192-bit AES, while personal authentication can use either 128-bit or 192-bit.

49
Q

Security experts perform forensic activities on a compromised server investigation. Which phase of the investigative process presents legal concerns for the experts?

A

Collection

During evidence collection, it is important to have the authorization to collect the evidence using tools and methods that will withstand legal scrutiny.

50
Q

An application server is the constant target of a buffer overflow exploit. To prevent further attacks, a systems administrator uses an operating system with data execution protection (DEP). How does this solution proactively help to prevent a buffer overflow?

A

Identify areas of memory that contain executable code

Data Execution Protection (DEP) allows an operating system to identify areas of memory that contain executable code and areas of memory that do not.

51
Q

Developers that are working on a web application use coding practices to prevent insecure references. Several months after deployment of the application, testers discover that at times the application is running in a controlled state. What vulnerability have testers uncovered?

A

Poor exception handling

Poor exception handling describes when an application is not written to anticipate problems or safely manage them to leave the application in a controlled state.

52
Q

A company evaluates its risk management plan. As a start, the probability of a threat being realized is determined. What has the company established by using this approach?

A

Likelihood

The likelihood of occurrence is the probability of a threat being realized. The likelihood of the risk can be influenced by the value of the target.

53
Q

Security experts implement a Security Assertion Markup Language (SAML) implementation when it comes to credential management. What feature does this authentication mechanism provide?

A

The use of a digital signature allows the relying party to trust the identity provider.

With Security Assertion Markup Language (SAML), secure tokens are signed using the XML signature specification. The use of a digital signature allows the relying party to trust an identity provider.

54
Q

Experts perform risk management activities at an organization. During which phase are quantitative and qualitative methods useful?

A

Analysis of business impacts

The analysis of business impacts uses quantitative and qualitative methods to analyze impacts and likelihood of a risk.

55
Q

Systems administrators use a deceptive tool to lure an adversary into a trap that contains false information. What tool have the administrators utilized?

A

Decoy files

A decoy file can include honeytokens and/or canary traps. These decoy files contain data that would be appealing to an adversary but contain false information.

56
Q

A systems security engineer deploys several new workstations in an organization. While doing so, a hardware security module (HSM) is also deployed for security services. What solution has the engineer provided by utilizing the HSM?

A

An archive and escrow for keys

A hardware security module (HSM) is a network appliance designed to perform centralized PKI management for a network of devices. It can act as an archive or escrow for keys in case of loss or damage.

57
Q

An application uses encrypted transactional data to record incoming and changing data sets. Which technology does the application use?

A

Blockchain

Blockchain describes an expanding list of transactional records which are secured using cryptography. Records are connected in a chain, and each record is referred to as a block.

58
Q

A development team integrates incremental and waterfall methods while managing a software development project. What approach does the team use to manage the project lifecycle?

A

Spiral method

With a spiral development model, teams combine several approaches to software development, such as incremental and waterfall, into a single hybrid method. Development is modified repeatedly in response to stakeholder feedback.

59
Q

Systems administrators hope to learn details about recent attacks on a portion of a company’s network. In doing so, which deceptive tool do the administrators utilize when tight control and monitoring is the goal?

A

Honeynet

A honeynet contains several honeypots attached to a tightly controlled and heavily monitored network.

60
Q

As part of a training exercise, the Lockheed Martin cyber kill chain is referenced by educators at a security firm. When explaining that an adversary’s tool was successfully delivered and resulted in successful access to a private system, what step in the chain do educators discuss?

A

Exploitation

Exploitation describes the step that results in a breach. Exploitation means that the tool was successfully delivered and resulted in successful access.

61
Q

A developer for an organization creates a mock SSH application on a website. The hope is to capture any malicious interactions through an alerting system in an effort to understand attack patterns. Which deceptive strategy does the developer configure?

A

Simulator

A simulator can be as simple as a software application designed to simulate common services such as ssh, email, web, or telnet. The simulator would alert and log any interactions.