Practice Test 2 Flashcards
Which of the following is most appropriate if you have limited external public IP addresses available, but a requirement to share those IP addresses with internal hosts that must connect to the public Internet?
A) DMZ
B) Router
C) DHCP server
D) NAT with a firewall
D) NAT with a firewall
Using network address translation (NAT) in conjunction with a firewall enables you to share one external address with multiple internal hosts that require external addresses for their connectivity.A DMZ can contain servers behind a firewall, allowing public access, but it does not inherently offer NAT services. DHCP is used to allocate internal IP addresses, and a router still requires NAT to perform address translation.
Which of the following are usually annoying advertisements that come in the form of pop-up messages in a user’s browser?
A) Trojan
B) Adware
C) Logic bomb
D) Virus
B) Adware
Adware is the usually annoying advertisements that come in the form of pop-up messages in a user?s browser.A virus is a piece of malicious software that must be propagated through a definite user action. A Trojan is a piece of software that seems to be of value to the user, but in reality is malware. A logic bomb is a script set to execute at a certain time, which is usually created by rogue administrators or disgruntled employees.
Which of the following attacks results in mathematical operations that the host or application cannot handle, causing them to fail?
A) SQL injection attack
B) LDAP injection attack
C) Directory traversal attack
D) Integer overflow attack
D) Integer overflow attack
An integer overflow attack is similar to a buffer overflow attack and results in mathematical operations that the host or application cannot handle, causing them to fail.A SQL injection attack targets relational databases that reside behind Web applications. An LDAP injection attack targets directory services databases, such as those used in X.500 implementations. A directory traversal attack targets non-secure directory structures on the host, such as folder structures.
Which of the following desired attributes would make an organization most likely to move to a cloud provider?
A) Accountability
B) Responsibility
C) Availability
D) Control
C) Availability
Availability is the most likely attribute gained through potential redundancy and continuity of operations planning that?s (hopefully) inherent within the cloud environment. Cloud computing usually increases availability of data for users, since it is typically built on highly available, redundant infrastructures.Accountability and responsibility can be established through effective security controls and well-written service-level agreements. Users lose a large measure of control by moving to the cloud.
Which of the following terms describes someone who hacks into systems, with permission of the system?s owner, to discover exploitable vulnerabilities and help secure the system?
A) Black box tester
B) White hat hacker
C) Black hat hacker
D) Gray hat hacker
B) White hat hacker
White hat hackers use their skills to assist in securing systems. They are usually penetration testing professionals or ethical hackers.A gray hat hacker uses his or her skills for both good and evil purposes. A black box tester tests a system without any prior knowledge of the network or infrastructure. A black hat hacker uses his or her skills for malicious purposes.
Which of following uses geolocation features to ensure that a mobile device does not leave specific areas of corporate property?
A) Geofencing
B) Geolocation
C) Geotagging
D) Remote management
A) Geofencing
Geofencing is the use of geolocation features to ensure that a mobile device does not leave specific areas of corporate property.Remote management is the overall process of remotely managing and monitoring mobile devices that are used to connect to the corporate infrastructure. Geolocation is the use of a device?s GPS features to determine device location, locate points of interest, and find other useful information. Geotagging is the practice of marking media files, such as pictures and video, with relevant information such as geographic location (using the GPS features of the mobile device) and time. This information can be used by security professionals to track where and how a mobile device has been used.
A virtual LAN (VLAN) does NOT offer which of the following security controls?
A) Allows different security policies to be applied to different hosts
B) Allows physical segmentation of hosts by IP subnet
C) Creates broadcast domains
D) Allows logical segmentation of hosts by IP subnet
B) Allows physical segmentation of hosts by IP subnet
VLANS do not physically segment hosts; they logically segment them. VLANs break up broadcast domains from a single large one into smaller, logically separated ones. VLANS allow different segments to receive different security policies.
Which of the following regulations would guide a healthcare organization to protect the confidentiality of stored patient data adequately?
A) RMF
B) HIPAA
C) Sarbanes-Oxley
D) PCI
B) HIPAA
HIPAA regulates the protection of patient data in the healthcare and health insurance industry.RMF covers the risk management of U.S. Department of Defense systems; Sarbanes-Oxley and PCI are involved with financial data.
Which attack involves sending specially-crafted traffic to a wireless client and an access point?
A) Initialization vector attack
B) Spoofing attack
C) Deauthentication attack
D) Replay attack
C) Deauthentication attack
A deauthentication attack involves sending specially crafted traffic to a wireless client and an access point, in the hopes of causing them to deauthenticate with each other and disconnect.A spoofing attack involves impersonating a wireless client or access point through either its IP or its MAC address. A replay attack involves the reuse of intercepted non-secure credentials to gain access to a system or network. Initialization vector (IV) attacks involve attempting to break WEP keys by targeting their weak IVs.
Which of the following attacks targets relational databases that reside behind Web applications?
A) Directory traversal attack
B) Integer overflow attack
C) SQL injection attack
D) LDAP injection attack
C) SQL injection attack
A SQL injection attack targets relational databases that reside behind Web applications.An LDAP injection attack targets directory services databases, such as those used in X.500 implementations. A directory traversal attack targets non-secure directory structures on the host, such as folder structures. An integer overflow attack is similar to a buffer overflow attack and results in mathematical operations that the host or application cannot handle, causing them to fail.
Which of the following terms indicates the amount of time it takes for a hardware component to recover from failure?
A) Mean time to recovery
B) Mean time to failure
C) Mean time between failures
D) Mean time to replace
A) Mean time to recovery
Mean time to recovery (MTTR) is the amount of time it takes for a hardware component to recover from failure.Mean time between failures (MTBF) represents the manufacturer?s best guess (based on historical data) regarding how much time will pass between major failures of that component. This is assuming that more than one failure will occur, which means that the component will be repaired, rather than replaced. The mean time to failure (MTTF) is the length of time a device is expected to last in operation. In MTTF, only a single, definitive failure will occur and will require that the device be replaced rather than repaired. Mean time to replace is not a valid term.
Which of the following processes uses auditing to ensure that users are traced to and held responsible for their actions?
A) Authentication
B) Authorization
C) Auditing
D) Accountability
D) Accountability
Accountability uses auditing to ensure that users are traced to and held responsible for their actions.Authorization is the process of controlling access to resources through methods that include permissions, rights, and privileges. Authentication is the process of validating that a user?s credentials are authentic, after they have presented them through the identification process. Auditing is the process of reviewing logs and other audit trails to determine what actions have been performed on systems and data.
Which of the following is an access control model based upon various access control rules that apply to users, objects, and actions?
A) Metadata table
B) Rule-based access control
C) Access control list
D) Access approval list
B) Rule-based access control
Rule-based access control is an access control model based upon various access control rules that apply to users, objects, and actions.An access control list (ACL) is a physical or logical list that details specific access levels individuals have to access objects. It is also used on network devices to determine which traffic from various users can enter and exit network devices and access internal hosts. Access approval lists and metadata tables are distractors and are not valid terms.
Scott is an outside specialist hired to audit a small, but suddenly fast-growing company. While performing a user audit, Scott notices that one user, Bradley, a sales intern who has worked for this company intermittently for three years, has the following permissions on the network:Member of Sales groupMember of Printer Administrators groupUser name/password on primary company Internet gatewayMember of Domain Admins for the company Active DirectoryShocked, Scott asks around the office how this intern has this level of access? It seems Bradley has substantial tech skills and the IT department gave him access to printers, gateway, and domain controllers so that he “could help with different problems” over the years. This is a classic example of which of the following?
A) Authentication failure
B) Privilege creep
C) Least privilege
D) False acceptance rate (FAR)
B) Privilege creep
Privilege creep. Bradley keeps getting new privileges, yet nothing is turned off.Authentication failure implies something has gone wrong. There has been no failure in authentication. The principle of least privilege means that administrators never give a user account more rights and permissions than is needed for the user to do his or her job. False acceptance rate indicates the level of errors that the system may generate indicating that unauthorized users are identified and authenticated as valid users in a biometric system.
In many cases a load balancer uses which of the following on a client’s browser to maintain session affinity?
A) Session lock
B) Cookies
C) TLS
D) Client-based code
B) Cookies
Cookies are saved and used by load balancers to maintain a connection between a specfic client and a specfic server, i.e. session affinity.TLS is an encryption method and session lock is an imaginary term. Client-based code could be used, but is not common.
Which of the following devices typically makes requests on behalf of internal clients?
A) Switch
B) Proxy
C) Firewall
D) Router
B) Proxy
A proxy is typically not used as a traffic-filtering device based upon port or protocol, but it makes requests on behalf of internal clients.A firewall is a more complex device, most often seen placed behind the border router. A switch does not filter traffic based upon port or protocol, since it works at a lower level in the OSI model. A router should be used as a first-level filtering device, because it has the ability to filter on basic characteristics of traffic such as port and protocol.
Which of the following 802.11 encryption protocols would you implement to provide the strongest encryption for communications across your wireless network?
A) WPA2
B) WPA
C) WEP
D) HTTPS
A) WPA2
WPA2 (Wi-Fi Protected Access version 2) currently provides the strongest available encryption for wireless networks.WPA and WEP are weaker protocols. HTTPS is a secure protocol for connecting on the Web, but not within your own network.
For which of the following should employees receive training to establish how to handle end-of-life and unnecessary data?
A) Clean desk policies
B) Information classification
C) Data disposal
D) Protection of personally identifiable information (PII) on social media
C) Data disposal
Data disposal guidelines explain how different classifications of data should be properly disposed of to ensure that data is not later pieced together or recovered and exploited.Clean desk policies often dictate how sensitive information should be stored after hours and while uncleared visitors are near the area. Protection of personally identifiable information on social media would be part of an organization?s social media policy. An organization?s information classification policy not only outlines what level of security protections certain data receives, but it also serves to instruct employees on how to treat sensitive data.
Which cryptography concept refers to the requirement for a trusted third party that can hold a special key (in addition to your private and public key pair) that is used to decrypt a stored backup copy of the private key if the original is lost?
A) CRL
B) Key escrow
C) Registrar
D) Certificate authority
B) Key escrow
Key escrow involves a third party that holds a special third key in addition to your private and public key pair.A CRL (certificate revocation list) is not valid in this scenario, as certificate authorities and registrars are used during the certificate life cycle to publish digital certificates.
Which of the following types of injections use standardized database interfaces to attack a Web application?
A) SQL injection
B) Relational injection
C) Hierarchical injection
D) MySQL injection
A) SQL injection
SQL injections inesrt unaticipated SQL commands to try to break the application. MySQL is one of many forms of SQL tools. Relational injection and Hierachal injection are nonsense terms.
Which of the following is used in Windows systems to identify a user account?
A) Security identifier (SID)
B) Access control entry (ACE)
C) Group identifier (GID)
D) User identifier (UID)
A) Security identifier (SID)
A security identifier (SID) is an unique number assigned to each individual user account. It?s never used, even when an account is deleted and re-created.Both a UID and GID refer to unique numbers in Linux and UNIX-based systems that identify users and groups. An access control entry (ACE) is a unique entry in an access control list (ACL) that describes a user?s permissions for accessing objects.
Which of the following security controls should be implemented to make sure that users require previous knowledge of the network identifier to join a network?
A) Change the transmitting frequencies
B) Disable SSID broadcasting
C) Add a VLAN
D) Use MAC address filtering
B) Disable SSID broadcasting
Disable Service Set Identifier (SSID) broadcasting if you?re not actively broadcasting your network name. When this control is implemented, a user must know the name of the network before he or she can connect to it.None of these options will control access with regard to the SSID.
Which of the following is a cryptographic representation of text, but not the text itself? (Choose two.)
A) Message digest
B) Plaintext
C) Ciphertext
D) Hash
A) Message digest
D) Hash
A hash or message digest is a cryptographic representation of variable length text, but it is not the text itself.Plaintext is unencrypted text. Ciphertext is a result of the encryption process and is encrypted text.
What type of evidence in a computer forensics investigation directly supports a particular assertion?
A) Inculpatory evidence
B) Demonstrative evidence
C) Documentary evidence
D) Exculpatory evidence
C) Documentary evidence
Documentary evidence directly supports or proves a definitive assertion.Exculpatory evidence proves innocence. Inculpatory evidence proves guilt. Demonstrative evidence, which can be in the form of charts, graphs, drawings, and so forth, is used to help nontechnical people, such as the members of a jury, understand an event.
Which of the following attacks attempts to send unsolicited ARP messages to a client to add false entries to its ARP cache?
A) Smurf attack
B) ARP poisoning attack
C) Session hijacking attack
D) SYN flood
B) ARP poisoning attack
ARP poisoning is an attempt to send unsolicited ARP messages to a client to add false entries to its ARP cache.A session hijacking attack is an attempt to hijack a user?s Web browsing session by stealing cookies or using other network attack methods. A SYN flood uses TCP SYN segments in its attack, not ICMP. A smurf attack uses ICMP.
What is the last step in the incident response life cycle?
A) Containment, eradication, and recovery
B) Detection and analysis
C) Preparation
D) Post-incident activity
D) Post-incident activity
Post-incident activity is the last step of the incident response life cycle.In order, the steps of the incident response life cycle are preparation; detection and analysis; containment, eradication, and recovery; and post-incident activity.
Before information is converted to an unreadable state using cryptography, in what form is the information?
A) Plaintext
B) Message digest
C) Hash
D) Ciphertext
A) Plaintext
Plaintext is unencrypted text. Ciphertext is a result of the encryption process and is encrypted text. A hash, or message digest, is a cryptographic representation of variable length text, but it is not the text itself.
Which of the following policy settings enforces the use of longer password lengths and character spaces to increase password strength?
A) Password history
B) Password complexity
C) Minimum password age
D) Maximum password age
B) Password complexity
Password complexity enforces the use of longer password lengths and character spaces to increase password strength.Password history records previous passwords so they cannot be reused in the system. The maximum password age is used to expire a password after a certain time period. The minimum password age setting is used to force users to use a password for a minimum amount of time before they are allowed to change it. This prevents them from rapidly cycling through the password history in order to reuse an older password.
Which of the following statements best describes an XML injection attack?
A) An attack that exceeds the memory allocated to an application for a particular function, causing it to crash
B) An attack that uses unexpected numerical results from a mathematical operation to overflow a buffer
C) An attack on a database through vulnerabilities in the web application, usually in user input fields
D) An attack that involves sending malicious XML content to a web application, taking advantage of any lack of input validation and XML parsing
D) An attack that involves sending malicious XML content to a web application, taking advantage of any lack of input validation and XML parsing
An XML injection attack involves sending malicious XML content to a Web application, taking advantage of any lack of input validation and XML parsing.A buffer overflow attack exceeds the memory allocated to an application for a particular function, causing it to crash. Although similar to a buffer overflow attack, answer B describes an integer overflow attack, which uses unexpected numerical results from a mathematical operation to overflow a buffer. A SQL injection attacks a database through vulnerabilities in the Web application, usually in user input fields.
Which of the following is a non-secure client-side e-mail protocol that uses TCP port 110?
A) SMTP
B) POP3
C) IMAP4
D) IMAPS
B) POP3
POP3 is a non-secure client-side e-mail protocol that uses TCP port 110.SMTP is a server-side e-mail protocol and is not used over SSL or TLS. SMTP uses TCP port 25. IMAPS is a secure version of the IMAP4 protocol and is used over SSL or TLS connections on TCP port 993. IMAP4 is a non-secure client-side e-mail protocol that uses TCP port 143.
Marisol needs to interconnect multiple VLANs in her production environment. Which of the following network devices would best address this issue?
A) Router
B) Layer 3 switch
C) Firewall
D) Layer 2 switch
B) Layer 3 switch
A layer 3 switch supports inter VLAN routing to interconnect disparate VLANs.A layer 2 switch could interconnect VLAN via trunk ports, but only to interconnect to other layer 2 switches. A router could interconnect two VLANs, but this would take substantial configuration. A firewall is not capable of interconnecting VLANs.
Which type of network intrusion detection system uses defined rule sets to determine when attacks may be occurring?
A) Signature-based system
B) Rule-based system
C) Anomaly-based system
D) Filter-based system
B) Rule-based system
Rule-based systems use predefined rule sets.An anomaly-based system detects unusual network traffic patterns based upon a baseline of normal network traffic. Signature-based systems use predefined traffic signatures, typically downloaded from a vendor. Filter-based systems, such as routers and firewalls, base detection on access control lists that specify traffic that is permitted and denied.
Which of the following is a rogue wireless access point set up to be nearly identical to a legitimate access point?
A) SSID cloaking
B) MAC spoofing
C) Evil twin
D) Jamming
C) Evil twin
An evil twin attack is a rogue wireless access point set up to be nearly identical to a legitimate access point.SSID cloaking is a weak security measure designed to hide the broadcasting of a wireless network?s Service Set Identifier. MAC spoofing is an attempt to impersonate another host by using its MAC address. Jamming is an intentional interference with the signal of a wireless network. It is often part of a DoS attack.
Mike has five Linux sysytems that need access to a shared folder with a Windows file server that’s part of an Active Directory (AD) domain. What can he do to give these systems access to the shared resource? (Choose two.)
A) Install and configure SAMBA on the Linux systems to access the AD
B) Configure access to the resource on the file server
C) Create new local users on the domain controller
D) Create user groups on all the Linux systems
A) Install and configure SAMBA on the Linux systems to access the AD
B) Configure access to the resource on the file server
Install and configure SAMBA on the Linux systems to access the AD and then set up access to the resources on the sharing sysytem (in this case the file server).Linux user groups are useless for accessing Windows resources. One should rarely create local users on a Windows server.
Which of the following is a legacy wireless encryption protocol that uses the RC4 streaming protocol?
A) WPA
B) WPA2
C) 802.1X
D) WEP
D) WEP
WEP is a legacy wireless encryption protocol that has been determined to be very weak and easily broken. It uses the RC4 streaming protocol and weak initialization vectors (24-bit) to encrypt data on wireless networks.WPA2 is an advanced encryption protocol that uses AES. WPA was an interim protocol used to correct some of WEP’s weaknesses. It uses the TKIP protocol. 802.1X is a port-based authentication method, not a wireless encryption protocol.
Which of the following describes a false acceptance rate? (Choose two.)
A) The error caused when an unauthorized user is validated as authorized
B) Type 2 error (FAR)
C) Type 1 error (FRR)
D) The error caused from rejecting someone who is in fact an authorized user
A) The error caused when an unauthorized user is validated as authorized
B) Type 2 error (FAR)
A false acceptance rate (FAR) is the error caused when an unauthorized user is validated as authorized; it is also referred to as a Type II error.A false reject rate (FRR) is the error caused from rejecting an authorized user; it is also called a Type I error.
Which of the following are used to back up files that have changed since the last full backup of a virtual machine? (Choose two.)
A) Snapshot
B) Incremental backup
C) System state backup
D) Differential backup
B) Incremental backup
D) Differential backup
Differential and incremental backups apply to entire systems and are used to back up files that have changed since the last full backup.A snapshot is a quick backup of critical configuration files, used by the hypervisor to restore the virtual machine back to its point-in-time status should it become unstable or suffer other issues. The system state backup is a Microsoft Windows type of backup that backs up critical files used by the operating system to restore the system in the event of a system crash or other issue.
A password is an example of which of the following authentication factors?
A) Something you know
B) Something you are
C) Something you do
D) Something you have
A) Something you know
A password is memorized, therefore you know it.Something you do would be an action unique to you like a written signature. Something you have is an item on your person like an ID card. Something you are is an aspect of your physical person that’s unique to you like a finger print.
Disabling ________ will help prevent security issues caused by having ping and traceroute enabled.
A) SNMP
B) DNS
C) ICMP
D) NTP
C) ICMP
ICMP is the protocol used by the ping and traceroute utilities for network diagnostics, and it should be disabled unless it?s being used for important purposes.NTP is used by time services, DNS is used for IP/host name resolution, and SNMP enables network monitoring.
Which mobile device management deployment model uses corporate-owned devices where the corporation dictates the software installation and maintenance actions?
A) CYOD
B) BYOD
C) COBO
D) COPE
C) COBO
Company Owned, Business Only (COBO) devices are owned and controlled completely by the organization. Bring your own device (BYOD) means the employee owns the device. Choose your own device (CYOD) means the organization retains ownership, but employeess may install personal apps on the device. Company-issued, personally-enabled (COPE) is similar to CYOD, but employees are limited to installing only white-listed apps.
Which type of cloud service is for use by only one organization and is usually hosted by that organization’s infrastructure?
A) External
B) Public
C) Community
D) Private
D) Private
A private cloud is for use by only one organization and is usually hosted by that organization?s infrastructure.An external cloud is not a valid type of cloud and could be a public, private, or community cloud. A community cloud is for use by similar organizations or communities, such as universities or hospitals, that need to share common data. A public cloud is usually operated by a third-party provider that sells or rents ?pieces? of the cloud to different entities, such as small businesses or large corporations.
Which of the following is a software or a hardware appliance responsible for balancing user requests and network traffic among several different physical or virtualized hosts?
A) Load balancer
B) Hypervisor
C) Host operating system
D) Guest operating system
A) Load balancer
A load balancer is a piece of application software or a hardware appliance that is responsible for balancing user requests and network traffic among several different physical or virtualized hosts.The host operating system does not create or manage virtual machines; it merely shares resources with them. The hypervisor, also called a virtual machine monitor, is a piece of application software that is responsible for creating and managing virtual machines and their associated files on a host. The guest operating system is the virtual machine itself and is managed by a hypervisor.
Which of the following is a variant of a phishing attack that targets a particular type of user and includes specific information?
A) Vishing
B) Pharming
C) Spear phishing
D) Whaling
C) Spear phishing
Spear phishing involves sending e-mail to a particular type of user, regardless of rank in the organization, and basing the attack on more detailed, in-depth information to convince the target that the phishing e-mail is actually valid.Whaling is a social engineering attack that targets people in high-value positions, such as senior executives. It is a form of a phishing attack. Vishing is a form of phishing attack that takes place over Voice-over-IP (VoIP) telephone systems. Pharming is a form of DNS attack.
Which of the following access control models uses labels and security clearances to grant access to objects?
A) Discretionary access control model
B) Role-based access control model
C) Mandatory access control model
D) Rule-based access control model
C) Mandatory access control model
Mandatory access control models use labels and security clearances to grant access to objects.Rule-based access control models use a specific set of rules that control the interaction between users and objects. Role-based access control models use defined roles with specific rights and permissions assigned to those roles to control access to objects. Discretionary access control allows a user who has created or owns an object, such as a file or folder, the discretion to assign permissions for that object to anyone they choose.
Which is the most common public-private key generation algorithm used in public key cryptography?
A) AES
B) RSA
C) ECDH
D) SHA-2
B) RSA
RSA (Rivest-Shamir-Adleman) is the most common public-private key generation algorithm used in public key cryptography. It is used to generate a public and private key pair.Elliptic Curve Diffie-Hellman (ECDH) is a key exchange protocol used in public key cryptography. It is used to negotiate, agree upon, and establish a secure session between two parties. AES is the Advanced Encryption Standard, which is not used in public key cryptography; it is a symmetric key cryptography algorithm. SHA-2 is the second iteration of the Secure Hashing Algorithm and is used to generate message digests for plaintext. It is not used in public key cryptography to exchange keys or establish secure sessions.
Which of the following forms of authentication uses password hashes and challenge methods to authenticate to the system?
A) EAP
B) PAP
C) MS-CHAP
D) CHAP
D) CHAP
Challenge-Handshake Authentication Protocol (CHAP) uses password hashes and challenge methods to authenticate to the system.The Password Authentication Protocol (PAP) is an older authentication method that passes usernames and passwords in clear text. For this reason, it is no longer used. Passwords are not passed in clear text with this protocol. MS-CHAP (Microsoft CHAP) is a Microsoft proprietary version of CHAP, native to Windows systems. The Extensible Authentication Protocol (EAP) is a modern authentication framework that can use various authentication methods. It also does not pass user name and password information in clear text.
Which of the following is a non-secure protocol used to copy files to and from Internet-based hosts?
A) FTPS
B) SCP
C) FTP
D) SFTP
C) FTP
FTP is a non-secure protocol used to copy files to and from Internet-based hosts.FTPS is a secure version of the non-secure FTP protocol, which is used over SSL or TLS connections to ensure security when transferring files to or from an Internet-based host. SCP is a secure copy protocol used to copy files securely to and from a networked host, and it uses SSH. SFTP is a secure file transfer protocol used to copy files to and from an Internet-based host, and it uses SSH.
Which of the following tools will help you track down a potential backdoor program allowing access into a host on your network?
A) Run a port scan on your firewall
B) Check the antimalware logs
C) Run a performance baseline test on the system
D) Monitor traffic from that specific computer with a protocol analyzer
D) Monitor traffic from that specific computer with a protocol analyzer
A protocol analyzer can intercept, log, and allow analysis to be conducted on network traffic, to include source and destination of the traffic.None of these options will help track down the information that might be transmitted by a backdoor tool.
Which of the following cryptography types do you use when you want to perform a one-time, single-key, encrypted transaction with another company?
A) Steganography
B) Symmetric
C) Hashing
D) Asymmetric
B) Symmetric
When using symmetric encryption, both the sender and receiver use the same key.Steganography hides data within photos or another piece of data. Hashing is used to verify data integrity. Asymmetric cryptography uses a public and private key pair for encryption, so it does not use the same key for both parties.
Which of the following methods involves sending individual characters of the key through an algorithm and using a mathematical XOR function to change the output?
A) Key repetition
B) Key exchange
C) Key streaming
D) Key stretching
C) Key streaming
Key streaming involves sending individual characters of the key through an algorithm and using a mathematical XOR function to change the output.Key repetition is not a valid answer or term. Key exchange involves generating and exchanging an asymmetric key used for a particular communications session, or exchanging public keys in order to use them for public key cryptography. Key stretching is a technique used to change a weak key to a stronger key by feeding it into an algorithm to produce an enhanced key.
You’ve discovered that a number of systems within your network have become infected with malware; it?s believed that all the affected users visited a common site during the previous week. What type of attack would this likely be?
A) Poisoned DNS server
B) Spoofing
C) SQL injection
D) Watering hole attack
D) Watering hole attack
A watering hole attack is designed to compromise a site that certain users are likely to use, rewarding them with malware for their visit.The other attacks are incorrect because they are not valid attacks in this situation.
Type the command to create an ACL entry that you would use to create an access rule on your router to prevent any telnet traffic from passing through to the destination network 192.168.21.0.
A) permit source all destination 192.168.21.0 tcp port 21
B) permit source 192.168.13.0 destination 192.168.21.0 tcp port 80
C) deny source all destination 192.168.21.0 tcp port 23
D) deny source 0.0.0.0 destination 192.168.21.0 udp port 123
C) deny source all destination 192.168.21.0 tcp port 23
The ACL should deny all traffic using TCP port 23. Ports 80, 21, and 123 are not related to telnet. You should also note that we want to ‘deny source all,’ not permit traffic or deny source 0.0.0.0.
Which of the following terms describes a security appliance that is usually installed on an individual device, usually as a chip on the system motherboard?
A) NAS
B) HSM
C) SAN
D) TPM
D) TPM
A Trusted Platform Module (TPM) is installed on an individual device, usually as a chip on the system motherboard.A hardware security module (HSM) is usually a hardware appliance or standalone device used to provide hardware encryption services for specific hosts. A SAN is a storage area network and is not typically a security device. A NAS, network attached storage, is not a security device.
Which of the following fire suppression chemicals widely replaced halon in data center fire suppression systems?
A) Water
B) Shalon
C) FM-200
D) Carbon dioxide
C) FM-200
FM-200 generally replaced halon in data center fire suppression systems.Water is still used to combat certain classes of fires, but it did not replace halon. Shalon doesn’t exist. Carbon dioxide is used to combat both liquid and electrical fires, but it did not replace halon.
The corporate IT manager wants you to implement a process that will allow administrators to restrict users from installing and executing certain applications on their mobile devices. Which of the following meets those goals?
A) Containerization
B) Whitelisting
C) Sandboxing
D) Blacklisting
D) Blacklisting
Blacklisting allows you to restrict users from installing and executing certain applications on their mobile devices.Whitelisting allows an administrator to determine which applications and other software the user is allowed to install and execute. Containerization is a technique used to separate different sensitivities of data, such as corporate and personal data, on a mobile device. Sandboxing separates applications from each other and does not allow them to share execution, user, or data space.
Which of the following is the most comprehensive and expensive form of disaster recovery exercise?
A) Full-scale test
B) Walkthrough test
C) Tabletop exercise
D) Documentation review
A) Full-scale test
In a full-scale test, all personnel are usually involved and may actually conduct activities as they would during a real incident. This type of test is more complex and normally requires extensive resources, such as people and equipment, so it is typically conducted infrequently.A tabletop exercise is a type of group review. The documentation review is the simplest form of test, in which the business continuity plan, disaster recovery plan, and associated documents are reviewed by relevant personnel including managers, recovery team members, and anyone else who may have responsibilities directly affecting plans. In a walkthrough test, team members go through the motions of fulfilling the responsibilities and conducting the activities required during an actual incident or disaster.
Which of the following requires team members to go through the motions of fulfilling the responsibilities and conducting the activities required during an actual incident or disaster?
A) Walkthrough test
B) Documentation review
C) Tabletop exercise
D) Full-scale test
A) Walkthrough test
In a walkthrough test, team members go through the motions of fulfilling the responsibilities and conducting the activities required during an actual incident or disaster.A tabletop exercise is a type of group review. The documentation review is the simplest form of test, in which the business continuity plan, disaster recovery plan, and associated documents are reviewed by relevant personnel including managers, recovery team members, and anyone else who may have responsibilities directly affecting plans. In a full-scale test, all personnel are usually involved and may actually conduct activities as they would during a real incident. This type of test is more complex and normally requires extensive resources, such as people and equipment, so it is typically conducted infrequently.
Which type of assessment looks at events that could exploit vulnerabilities?
A) Vulnerability assessment
B) Risk assessment
C) Threat assessment
D) Penetration test
C) Threat assessment
A threat assessment looks at events that could exploit vulnerabilities.A vulnerability assessment looks for weaknesses in systems. A risk assessment is a combination of assessments and is designed to assess factors, including likelihood and impact that affect an asset. A penetration test attempts to exploit actual vulnerabilities found within the systems.
Three organizations require access to each other’s shared resources. To enable access, the three groups decide to use a single sign-on database that all three agree will handle authentication. What form of trust relationship is this?
A) One-way trust
B) Web of trust
C) Federated trust
D) Transitive trust
C) Federated trust
A federated system involves the use of a common authentication system and credentials database that multiple entities use and share.A web of trust isn’t a trust relationship, it is a method to handle trust for certificates. A one-way trust shows one party trusts another but not the reverse. A transitive trust is where if entity B trusts entity A and entity C trusts entity B than entity C trusts entity A.
Which of the following cannot identify patterns alone and requires other data and event sources to identify trends and patterns?
A) Qualitative analysis
B) Quantitative analysis
C) Trend analysis
D) Log analysis
D) Log analysis
A log analysis can’t identify patterns alone and requires other data and event sources to identify trends and patterns.Trend analysis involves looking at data from various sources, including device logs, to identify patterns over a period of time. Both qualitative and quantitative analyses are risk assessment techniques.
You are the security administrator for a small business. You want to provide your users with the ability to encrypt outbound e-mail messages, but the company cannot afford an expensive encryption solution. Which of the following is the best option?
A) WPA2
B) PGP/GPG
C) HTTPS
D) POP/IMAP
B) PGP/GPG
Pretty Good Privacy (or GNU Privacy Guard) is a low-cost solution that enables encrypted e-mail messages. HTTPS provides encryption for Web communications, not e-mail. POP/IMAP are unencrypted mail client access protocols. WPA2 provides encryption for wireless networks, not e-mail.
What type of evidence is generally in the form of charts, graphs, or drawings to help non-technical people?
A) Documentary evidence
B) Inculpatory evidence
C) Demonstrative evidence
D) Exculpatory evidence
C) Demonstrative evidence
Demonstrative evidence, which can be in the form of charts, graphs, drawings, and so forth, is used to help non-technical people, such as the members of a jury, understand an event.Exculpatory evidence proves innocence. Inculpatory evidence proves guilt. Documentary evidence directly supports or proves a definitive assertion.
Which of the following are characteristics of hashing? (Choose all that apply.)
A) Hashing can be used to protect data integrity
B) Hashes are cryptographic representations of plaintext
C) Hashes produce fixed-length digests for variable-length test
D) Hashes are decrypted using the same algorithm and key that encrypted them
A) Hashing can be used to protect data integrity
B) Hashes are cryptographic representations of plaintext
C) Hashes produce fixed-length digests for variable-length test
All of these are characteristics of hashing except that hashes are produced from one-way mathematical functions and cannot be decrypted.
Which of the following best describes cookies?
A) Small text files stored on a browser that contain information about the web sites you visit
B) Objects that are particular to web sites that use the Adobe Flash player for certain content
C) An HTML file that comes attached to an email
D) HTTP request and response messages
A) Small text files stored on a browser that contain information about the web sites you visit
Small text files stored on a browser that contain information about the Web sites you visit are called cookies. In some cases, they are used to retain user preferences for the site, but they can contain sensitive information, such as user credentials or financial data (credit card information, for example) as well.HTTP request and response messages are sent back and forth between the Web application and the browser so the client can access content in the Web application. These HTTP requests and responses have headers that contain information such as commands, directives, and so on. An HTML file that comes attached to e-mail is an HTTP attachment. Locally shared objects (also called flash cookies) are objects that are particular to Web sites that use the Adobe Flash player for certain content.
Which of the following resides on network devices and filters traffic coming into and out of the device?
A) SNMP
B) SMTP
C) Syslog
D) ACL
D) ACL
An access control list (ACL) resides on network devices and filters traffic coming into and out of the device.SMTP, the Simple Mail Transport Protocol, is responsible for sending e-mail. The Simple Network Management Protocol (SNMP) uses a Management Information Base, or MIB, specific to each device to obtain device information from. Syslog is a log server found in UNIX and Linux systems.
Which of the following can be established in a cloud environment through effective security controls and well-written service-level agreements? (Choose two.)
A) Accountability
B) Control
C) Responsibility
D) Availability
A) Accountability
C) Responsibility
Accountability and responsibility can be established through effective security controls and well-written service-level agreements.Lack of control over data and the infrastructure is probably the greatest risk to cloud computing and cannot be completely managed through agreements. Cloud computing usually increases availability of data for users, since it is typically built on highly available, redundant infrastructures.
Which of the following methods will help improve SNMP security?
A) Change the ‘public’ community name
B) Ensure the monitoring station is protected by a firewall
C) Disable ICMP
D) Close SNMP, TCP, and UDP port 161 on the client
A) Change the ‘public’ community name
Changing the community name for SNMP is the single most important thing you can do to ensure that any user cannot access your SNMP device.A firewall will not help protect the clients. Disabling SNMP on the client will cripple the SNMP functionality, and ICMP is unrelated.
Containerization is the process of virtualizing which of the following items?
A) Interface
B) Operating system
C) Hardware
D) Virtual machine
B) Operating system
Containerization is the process of virtualizing the operating system. Conatiners often use storage segmentation to separate senstitive and personal data.Virtual machines are not virtualized. Traditional virtualization, not containerization, virtualizes hardware; and while it can be argued that both traditional virtualization as well as containerization virtualize a sytem’s interface, that is not the best answer of the choices given.
Which of the following is a port-based authentication method?
A) 802.1X
B) WPA2
C) WPA
D) WEP
A) 802.1X
802.1X is a port-based authentication method, not a wireless encryption protocol.WPA2 is an advanced encryption protocol, which uses AES. WEP is a legacy wireless encryption protocol, which has been determined to be very weak and easily broken. It uses the RC4 streaming protocol and weak initialization vectors (24-bit) to encrypt data on wireless networks. WPA was an interim protocol used to correct some of WEP?s weaknesses. It uses the TKIP protocol.
Your company allows a number of employees to telecommute, and others travel extensively. You have been tasked with finding a centralized solution that will allow access to shared data over the Internet. Which of the following is best?
A) Cloud services
B) Subnetting
C) NAT
D) Virtualization
A) Cloud services
Cloud services can enable users to perform their work via a browser, from anywhere they have Internet connectivity. This can be configured either to allow a local copy along with the cloud copy of the data, or the data can be edited directly within the cloud.Virtualization allows multiple virtual machines to run on the same piece of hardware. Subnetting and network address translation (NAT) are important, but incorrect, security concepts.
During which type of assessment would penetration testers not have any knowledge about the network, while defenders are aware of their presence? (Choose two.)
A) Gray box test B) Blind test C) Unlimited test D) Black box test E) Double-blind test
B) Blind test
D) Black box test
In a black box test, the testers have no knowledge of details about the network configuration, but system defenders are aware of their presence. This type of test is also referred to as a blind test.In a double-blind test, testers have no prior knowledge of the network they are testing, and network defenders also have no knowledge of the test and aren’t aware of any attacks unless they can detect and defend against them. This test is designed to test the defenders’ abilities to detect and respond to attacks, as much is it is to test and exploit vulnerabilities on the network. In a gray box test, the penetration tester may have some limited knowledge of the network or systems, gained from the organization that wants the test. Unlimited test is not a real test in the Security+ arena.
Which of the following is normally the job of a senior leader within the incident response team?
A) Determining the initial scope and impact of the incident
B) Notifying the incident response team
C) Notifying and coordinating with senior management and law enforcement officials
D) Securing the scene
C) Notifying and coordinating with senior management and law enforcement officials
Notifying and coordinating with senior management and law enforcement officials is normally the job of a senior leader within the incident response team.The primary job of a first responder is to secure the scene. They are also responsible for notifying the incident response team and initially determining the scope, seriousness, and impact of the incident.
If a person does not know a control exists, and this control keeps her from performing a malicious act, what type of control would this be classified as?
A) Preventative control
B) Deterrent control
C) Compensating control
D) Corrective control
A) Preventative control
A preventative control keeps someone from performing a malicious act, provided that she doesn’t know the control is there and is not aware of the consequences for violating it.A corrective control is used to correct a condition when there is either no control at all or the existing control is ineffective. Normally, a corrective control is temporary until a more permanent solution is put into place. The difference between a deterrent control and a preventive control is that a deterrent control requires the person to have knowledge of the control in order for it to work. Users do not have to have knowledge of a preventative control for it to function. A compensating control assists and mitigates the risk an existing control is unable to mitigate.
Which of the following refers to the use of several different factors to authenticate to a system?
A) Pass-through authentication
B) Single sign-on
C) Single-factor authentication
D) Multifactor authentication
D) Multifactor authentication
Multifactor authentication refers to the use of several different factors to authenticate to a system, such as something you know, something you are, and something you have. Multifactor authentication can be used in a single sign-on environment, but is not necessarily required.Single-factor authentication uses only one factor, such as something you know, to authenticate to a system. It can also be used in a single sign-on environment but is not required. Single sign-on is a method of authentication that enables a user to provide one set of credentials and use them throughout an interconnected network. Both Kerberos and SESAME protocols allow single sign-on. Pass-through authentication can appear to be similar to single sign-on, but it requires all individual systems to accept credentials passed from another system without a unified approach.
Which of the following power devices do you install to enable the constant availability of critical servers during a power outage?
A) Generator
B) Battery backup
C) UPS
D) Power conditioner
A) Generator
To provide continuous power, you will need a generator, often gas-powered, that can provide power continuously until electrical power is restored. Be sure that you have enough gas! For very critical systems, multiple generators (tested regularly) are a common control.A power conditioner helps provide clean power that is less likely to harm systems; it has nothing to do with power outages. UPSes and battery backups are incorrect because they provide backup power for only a short period of time and are often used to allow a graceful shutdown of less critical systems.
Which of the following technologies enables communication between devices using a beam of light?
A) 802.11 wireless
B) Infrared
C) Bluetooth
D) Near Field Communication (NFC)
B) Infrared
Infrared enables communications between devices using a beam of light.Neither 802.11 wireless nor Bluetooth technologies perform in this manner. Near Field Communication is a newer technology in which devices send very low power radio signals to each other by using a special chip implanted in the device. It requires that the devices be extremely close or touching and is used for a variety of applications, including payments through NFC-enabled smartphones.
Travis just got promoted to network administrator after the previous administrator left rather abruptly. There are three new hires that need onboarding with user accounts. When Travis looks at all the existing account names, he notices there is no common naming system. Where should he look to try to give the new hires user accounts with proper naming conventions?
A) Microsoft best practices
B) The Sarbanes-Oxley regulation
C) The most pertinent FIPS documentation
D) The company’s account policy
D) The company’s account policy
The company’s account policy.Microsoft best practices as well as FIPS might give some good ideas, but there is no law (such as Sarbanes-Oxley) requiring a certian naming convention for user accounts.
Which of the following terms describes someone who hacks into a system for malicious purposes, without permission from the system?s owner, and shares the system hacking information with others?
A) Gray hat hacker
B) Black box tester
C) White hat hacker
D) Black hat hacker
D) Black hat hacker
A black hat hacker is someone who uses her skills for malicious purposes and often shares that information with others.A gray hat hacker uses her skills for both altruistic and malicious purposes, breaking into and exploiting a system without permission, but without sharing that information with others. A black box tester is someone who tests a system without any prior knowledge of the network or infrastructure; this person tests the system with the owner?s permission. A white hat hacker uses her skills to assist in securing systems; this type of hacker is usually a penetration testing professional or ethical hacker.
Which of the following solutions allow applications that users can download, install, and execute to be added to a safe list?
A) Graylisting
B) Blacklisting
C) Whitelisting
D) Filtering
C) Whitelisting
Applications that users are allowed to download, install, and execute are added to a whitelist by an administrator; whitelisting is the opposite of blacklisting.Blacklisting involves an administrator adding undesirable or restricted software or applications to a list on content filtering devices, in group policy, or through some other type of mechanisms. This ensures that users are not allowed to download, install, or execute these particular applications. There is no such term as graylisting. Filtering typically involves checking traffic on a network device, based upon specific characteristics. The term normally does not apply to software or applications.
Which of the following is a key negotiation and agreement protocol used in public key cryptography?
A) DHE
B) OCSP
C) RSA
D) ECC
A) DHE
Diffie-Hellman Exchange (DHE) is a key negotiation and agreement protocol used in public key cryptography.RSA is the de facto standard used to generate public and private key pairs in a PKI. The Online Certificate Status Protocol (OCSP) is used to obtain the revocation status of digital certificates. It is used as an alternative to certificate revocation lists, enabling clients to request and receive the electronic status of digital certificates automatically in real-time. Elliptic curve cryptography (ECC) is a public key cryptography protocol used on small mobile devices because of its low power and computing requirements.
Which of the following is a logging facility found in UNIX and Linux systems?
A) Decentralized
B) Syslog
C) Centralized
D) SIEM
B) Syslog
Syslog is a logging facility found in UNIX and Linux systems, which can be used on either a centralized or decentralized basis. Centralized log management involves collecting logs from across the network into on system and being able to review them as a group. Security Information Event Management (SIEM) is a centralized method of obtaining logs and other data from disparate devices across the network. Decentralized log management means that logs are managed and reviewed on a host-by-host basis, rather than as a centralized, consolidated group.
What is the third step in the incident response life cycle?
A) Preparation
B) Post-incident activity
C) Containment, eradication, and recovery
D) Detection and analysis
C) Containment, eradication, and recovery
Containment, eradication, and recovery is the third step of the incident response lifecycle. In order, the steps of the incident response life cycle are preparation; detection and analysis; containment, eradication, and recovery; and post-incident activity.
Which of the following is the most common public-private key generation algorithm used in public key cryptography?
A) AES
B) ECDH
C) SHA-2
D) RSA
D) RSA
RSA (Rivest-Shamir-Adleman) is the most common public-private key generation algorithm used in public key cryptography.Elliptic Curve Diffie-Hellman (ECDH) is a key exchange protocol used in public key cryptography. It is used to initially negotiate, agree upon, and establish a secure session between two parties. AES is the Advanced Encryption Standard, and it is not used in public key cryptography; it is a symmetric key cryptography algorithm. SHA-2 is the second iteration of the Secure Hashing Algorithm and is used to generate message digests for plaintext. It is not used in public key cryptography to exchange keys or establish secure sessions.
Which of the following terms represents the manufacturer’s best guess (based on historical data) regarding how much time will pass between major failures of a component produced by that manufacturer?
A) Mean time to replace
B) Mean time between failures
C) Mean time to recovery
D) Mean time to failure
B) Mean time between failures
Mean time between failures (MTBF) represents the manufacturer?s best guess (based on historical data) regarding how much time will pass between major failures of that component. This is assuming that more than one failure will occur, which means that the component will be repaired, rather than replaced.Mean time to recovery (MTTR) is the amount of time it takes for a hardware component to recover from a failure. The mean time to failure (MTTF) is the length of time a device is expected to last in operation. In MTTF, only a single, definitive failure will occur and will require that the device be replaced rather than repaired. Mean time to replace is not a valid term.
The United States Department of Defense uses a specific form of personal identification verificatication (PIV) card called?
A) CAC card
B) PAC card
C) HOTP card
D) RSA card
A) CAC card
CAC (common access control) card. RSA is a popular asymetric encryption. HOTP (HMAC-based one-time password) is an algorithm used to generate one-time passwords and a physical access control (PAC) describes the mechanisms for admitting and denying user access to your space.
What type of control assists and mitigates the risk an existing control is unable to mitigate?
A) Corrective control
B) Compensating control
C) Deterrent control
D) Preventative control
B) Compensating control
A compensating control assists and mitigates the risk an existing control is unable to mitigate.The difference between a deterrent control and a preventive control is that it is necessary to have knowledge of the deterrent control for it to work. Users do not need to have knowledge of a preventative control for it to function. A corrective control is used to correct a condition when there is either no control at all, or the existing control is ineffective. Normally, a corrective control is temporary until a more permanent solution is put into place. A deterrent control keeps someone from performing a malicious act, provided that they know the control is there and are aware of the consequences for violating it.
Which of the following algorithms was one of the five finalists for the U.S. government?sponsored competition to become the Advanced Encryption Standard (AES) competition, but did not win?
A) Blowfish
B) Twofish
C) RC4
D) Rijindael
B) Twofish
Twofish, a symmetric algorithm, was one of the five finalists for the competition, but it did not win.Rijindael was selected as the winner of the NIST competition and became the U.S. government?s Advanced Encryption Standard (AES). Blowfish is also a symmetric algorithm, but it was not considered in the competition to be the AES. RC4 is a symmetric streaming cipher commonly seen in WEP and SSL implementations. It was not one of the finalists involved in the AES competition.
Which of the following methods of strengthening weak keys involves generating and exchanging asymmetric keys within a particular communication session?
A) Key repetition
B) Key stretching
C) Key exchange
D) Key streaming
C) Key exchange
Key exchange involves generating and exchanging asymmetric keys used for a particular communication session, exchanging public keys in order to use them for public key cryptography.Key streaming involves sending individual characters of the key through an algorithm and using mathematical XOR function to change the output. Key repetition is not a valid answer or term. Key stretching is a technique used to change weak keys to stronger ones by feeding them into an algorithm to produce an enhanced key.
Which of the following answers best describes the one major advantage of TACACS+ over RADIUS?
A) TACACS+ uses RC4 encryption
B) TACACS+ is completely encrypted
C) Kerberos is a proprietary standard, making it less safe
D) TACACS+ is an open standard, making it more safe
B) TACACS+ is completely encrypted
TACACS+ encrypts everything between all connection points.Kerberos is an open standard as is TACACS+. Open standards are consided more safe than proprietary. TACACS+ doesn’t define what encryption to use, but RC4 is dated and insecure.
