Practice Test 2 Flashcards
James is building a disaster recovery plan for his organization and would like to determine the amount of acceptable data loss after an outage. What variable is James determining?
a. SLA
b. RTO
c. MTD
d. RPO
D. The recovery point objective (RPO) identifies the maximum amount of data, measured in time, that may be lost during a recovery effort. The recovery time objective (RTO) is the amount of time expected to return an IT service or component to operation after a failure. The maximum tolerable downtime (MTD) is the longest amount of time that an IT service or component may be unavailable without causing serious damage to the organization. Service-level agreements (SLAs) are written contracts that document service expectations.
Fred needs to deploy a network device that can connect his network to other networks while controlling traffic on his network. What type of device is Fred’s best choice?
a. A switch
b. A bridge
c. A gateway
d. A router
D. Fred should choose a router. Routers are designed to control traffic on a network while connecting to other similar networks. If the networks were very different, a bridge can help connect them. Gateways are used to connect to networks that use other protocols by transforming traffic to the appropriate protocol or format as it passes through them. Switches are often used to create broadcast domains and to connect endpoint systems or other devices.
Alex is preparing to solicit bids for a penetration test of his company’s network and systems. He wants to maximize the effectiveness of the testing rather than the realism of the test. What type of penetration test should he require in his bidding process?
a. Black box
b. Crystal box
c. Gray box
d. Zero box
B. Crystal box penetration testing, which is also sometimes called white box penetration testing, provides the tester with information about networks, systems, and configurations, allowing highly effective testing. It doesn’t simulate an actual attack like black and gray box testing can, and thus does not have the same realism, and it can lead to attacks succeeding that would fail in a zero- or limited-knowledge attack.
Application banner information is typically recorded during what penetration testing phase?
a. Planning
b. Attack
c. Reporting
d. Discovery
D. The discovery phase includes activities like gathering IP addresses, network ranges, and hostnames, as well as gathering information about employees, locations, systems, and of course, the services those systems provide. Banner information is typically gathered as part of discovery to provide information about what version and type of service is being provided.
What is the default subnet mask for a Class B network?
a. 255.0.0.0
b. 255.255.0.0
c. 255.254.0.0
d. 255.255.255.0
B. A class B network holds 2^16 systems, and its default network mask is 255.255.0.0.
Jim has been asked to individually identify devices that users are bringing to work as part of a new BYOD policy. The devices will not be joined to a central management system like Active Directory, but he still needs to uniquely identify the systems. Which of the following options will provide Jim with the best means of reliably identifying each unique device?
a. Record the MAC address of each system.
b. Require users to fill out a form to register each system.
c. Scan each system using a port scanner.
d. Use device fingerprinting via a web-based registration system.
D. Device fingerprinting via a web portal can require user authentication and can gather data like operating systems, versions, software information, and many other factors that can uniquely identify systems. Using an automated fingerprinting system is preferable to handling manual registration, and pairing user authentication with data gathering provides more detail than a port scan. MAC addresses can be spoofed, and systems may have more than one depending on how many network interfaces they have, which can make unique identification challenging.
David works in an organization that uses a formal data governance program. He is consulting with an employee working on a project that created an entirely new class of data and wants to work with the appropriate individual to assign a classification level to that information. Who is responsible for the assignment of information to a classification level?
a. Data creator
b. Data owner
c. CISO
d. Data custodian
B. The data owner is normally responsible for classifying information at an appropriate level. This role is typically filled by a senior manager or director, who then delegates operational responsibility to a data custodian.
What type of inbound packet is characteristic of a ping flood attack?
a. ICMP echo request
b. ICMP echo reply
c. ICMP destination unreachable
d. ICMP route changed
A. The ping flood attack sends echo requests at a targeted system. These pings use inbound ICMP echo request packets, causing the system to respond with an outbound ICMP echo reply.
Gabe is concerned about the security of passwords used as a cornerstone of his organization’s information security program. Which one of the following controls would provide the greatest improvement in Gabe’s ability to authenticate users?
a. More complex passwords
b. User education against social engineering
c. Multifactor authentication
d. Addition of security questions based on personal knowledge
C. While all of the listed controls would improve authentication security, most simply strengthen the use of knowledge-based authentication. The best way to improve the authentication process would be to add a factor not based on knowledge through the use of multifactor authentication. This may include the use of biometric controls or token-based authentication.
The separation of network infrastructure from the control layer, combined with the ability to centrally program a network design in a vendor-neutral, standards-based implementation, is an example of what important concept?
a. MPLS, a way to replace long network addresses with shorter labels and support a wide range of protocols
b. FCoE, a converged protocol that allows common applications over Ethernet
c. SDN, a converged protocol that allows network virtualization
d. CDN, a converged protocol that makes common network designs accessible
C. Software-defined networking (SDN) is a converged protocol that allows virtualization concepts and practices to be applied to networks. MPLS handles a wide range of protocols like ATM, DSL, and others, but isn’t intended to provide the centralization capabilities that SDN does. Content Distribution Network (CDN) is not a converged protocol, and FCoE is Fibre Channel over Ethernet, a converged protocol for storage.
Susan is preparing to decommission her organization’s archival DVD-ROMs that contain Top Secret data. How should she ensure that the data cannot be exposed?
a. Degauss
b. Zero wipe
c. Pulverize
d. Secure erase
C. The best way to ensure that data on DVDs is fully gone is to destroy them, and pulverizing DVDs is an appropriate means of destruction. DVDs are write-once media, meaning that secure erase and zero wipes won’t work. Degaussing only works on magnetic media and cannot guarantee that there will be zero data remanence.
What is the final stage of the Software Capability Maturity Model (SW-CMM)?
a. Repeatable
b. Defined
c. Managed
d. Optimizing
D. The five stages of the SW-CMM are, in order, Initial, Repeatable, Defined, Managed, and Optimizing. In the Optimizing stage, a process of continuous improvement occurs.
Angie is configuring egress monitoring on her network to provide added security. Which one of the following packet types should Angie allow to leave the network headed for the Internet?
a. Packets with a source address from Angie’s public IP address block
b. Packets with a destination address from Angie’s public IP address block
c. Packets with a source address outside of Angie’s address block
d. Packets with a source address from Angie’s private address block
A. All packets leaving Angie’s network should have a source address from her public IP address block. Packets with a destination address from Angie’s network should not be leaving the network. Packets with source addresses from other networks are likely spoofed and should be blocked by egress filters. Packets with private IP addresses as sources or destinations should never be routed onto the Internet.
Matt is conducting a penetration test against a Linux server and successfully gained access to an administrative account. He would now like to obtain the password hashes for use in a brute-force attack. Where is he likely to find the hashes, assuming the system is configured to modern security standards?
a. /etc/passwd
b. /etc/hash
c. /etc/secure
d. /etc/shadow
D. Security best practices dictate the use of shadowed password files that move the password hashes from the widely accessible /etc/passwd file to the more restricted /etc/shadow file.
Theresa is implementing a new access control system and wants to ensure that developers do not have the ability to move code from development systems into the production environment. What information security principle is she most directly enforcing?
a. Separation of duties
b. Two-person control
c. Least privilege
d. Job rotation
A. While developers may feel like they have a business need to be able to move code into production, the principle of separation of duties dictates that they should not have the ability to both write code and place it on a production server. The deployment of code is often performed by change management staff.
Which one of the following tools may be used to achieve the goal of nonrepudiation?
a. Digital signature
b. Symmetric encryption
c. Firewall
d. IDS
A. Applying a digital signature to a message allows the sender to achieve the goal of nonrepudiation. This allows the recipient of a message to prove to a third party that the message came from the purported sender. Symmetric encryption does not support nonrepudiation. Firewalls and IDS are network security tools that are not used to provide nonrepudiation.
In the diagram of the TCP three-way handshake here, what should system A send to system B in step 3?
a. ACK
b. SYN
c. FIN
d. RST
A. System A should send an ACK to end the three-way handshake. The TCP three-way handshake is SYN, SYN/ACK, ACK.
What RADIUS alternative is commonly used for Cisco network gear and supports two-factor authentication?
a. RADIUS+
b. TACACS+
c. XTACACS
d. Kerberos
B. TACACS+ is the most modern version of TACACS, the Terminal Access Controller Access-Control System. It is a Cisco proprietary protocol with added features beyond what RADIUS provides, meaning it is commonly used on Cisco networks. XTACACS is an earlier version, Kerberos is a network authentication protocol rather than a remote user authentication protocol, and RADIUS+ is a made-up term.
What two types of attacks are VoIP call managers and VoIP phones most likely to be susceptible to?
a. DoS and malware
b. Worms and Trojans
c. DoS and host OS attacks
d. Host OS attacks and buffer overflows
C. Call managers and VoIP phones can be thought of as servers or appliances and embedded or network devices. That means that the most likely threats that they will face are denial-of-service (DoS) attacks and attacks against the host operating system. Malware and Trojans are less likely to be effective against a server or embedded system that doesn’t browse the Internet or exchange data files; buffer overflows are usually aimed at specific applications or services.
Vivian works for a chain of retail stores and would like to use a software product that restricts the software used on point-of-sale terminals to those packages on a preapproved list. What approach should Vivian use?
a. Antivirus
b. Heuristic
c. Whitelist
d. Blacklist
C. The blacklist approach to application control blocks certain prohibited packages but allows the installation of other software on systems. The whitelist approach uses the reverse philosophy and only allows approved software. Antivirus software would only detect the installation of malicious software after the fact. Heuristic detection is a variant of antivirus software.
Questions 21–23 refer to the following scenario.
Hunter is the facilities manager for DataTech, a large data center management firm. He is evaluating the installation of a flood prevention system at one of DataTech’s facilities. The facility and contents are valued at $100 million. Installing the new flood prevention system would cost $10 million.
Hunter consulted with flood experts and determined that the facility lies within a 200-year flood plain and that, if a flood occurred, it would likely cause $20 million in damage to the facility.
Based on the information in this scenario, what is the exposure factor for the effect of a flood on DataTech’s data center?
a. 2%
b. 20%
c. 100%
d. 200%
B. The exposure factor is the percentage of the facility that risk managers expect will be damaged if a risk materializes. It is calculated by dividing the amount of damage by the asset value. In this case, that is $20 million in damage divided by the $100 million facility value, or 20%.
Based on the information in this scenario, what is the annualized rate of occurrence for a flood at DataTech’s data center?
a. 0.002
b. 0.005
c. 0.02
d. 0.05
B. The annualized rate of occurrence is the number of times that risk analysts expect a risk to happen in any given year. In this case, the analysts expect floods once every 200 years, or 0.005 times per year.
Based on the information in this scenario, what is the annualized loss expectancy for a flood at DataTech’s data center?
a. $40,000
b. $100,000
c. $400,000
d. $1,000,000
B. The annualized loss expectancy is calculated by multiplying the single loss expectancy (SLE) by the annualized rate of occurrence (ARO). In this case, the SLE is $20 million and the ARO is 0.005. Multiplying these numbers together gives you the ALE of $100,000.
Which accounts are typically assessed during an account management assessment?
a. A random sample
b. Highly privileged accounts
c. Recently generated accounts
d. Accounts that have existed for long periods of time
B. The most frequent target of account management reviews is highly privileged accounts, as they create the greatest risk. Random samples are the second most likely choice. Accounts that have existed for a longer period of time are more likely to have a problem due to privilege creep than recently created accounts, but neither of these choices is likely unless there is a specific organizational reason to choose them.